Security Now Episode 1059: Code Signing Certificates, AI Ads, PyPI Security, and Critical MongoDB Flaw
In this first Security Now episode of 2026, Steve Gibson and Leo Laporte cover a range of cybersecurity topics, from changes in code-signing certificate policy to major vulnerabilities in widely used systems, along with reflections on the future of artificial intelligence and some health advice.
The episode begins with a discussion of the reduced lifespan of code-signing certificates. Steve Gibson expresses his dissatisfaction with the CA/Browser Forum’s decision to shorten the maximum validity of code-signing certificates from 39 months to just 15 months starting March 1, 2026. In his view, the decision, made without apparent justification, seems driven more by the financial interests of certificate authorities than by security concerns. Gibson highlights that this measure complicates developers' lives, forcing them to renew certificates more frequently, and could lead to greater reliance on cloud-based code-signing services, increasing costs and reducing developers' control over their private keys. He advises developers to acquire a 39-month certificate before the deadline to avoid frequent and costly renewals.
Next, the episode addresses the potential introduction of ads in ChatGPT. Steve and Leo discuss the implications for users, noting that while AI is highly useful, it requires revenue to sustain operations. They consider the possibility that users might accept higher subscription fees to avoid ads, while acknowledging that poorly integrated ads could degrade the user experience.
Another key topic is the improved security of the Python Package Index (PyPI). PyPI has implemented enhanced security measures, including phishing-resistant two-factor authentication (2FA). This initiative aims to protect developer accounts from compromise, which could lead to software supply chain attacks. Steve emphasizes the importance of these measures, given PyPI’s popularity and the billions of annual downloads it handles.
The discussion continues with Microsoft’s announcement about hardware-accelerated BitLocker in Windows 11. This new feature aims to reduce CPU load during encryption and decryption operations on NVMe drives, improving overall system performance. Steve explains that without hardware acceleration, BitLocker can significantly slow down NVMe drives, which are becoming increasingly fast. He also notes that this feature will only be available on newer Intel processors, potentially encouraging users to upgrade their hardware.
A lighter but intriguing topic is the ban on Raspberry Pi and Flipper Zero devices at the inauguration of New York’s mayor. Steve and Leo find this decision odd and speculate on possible reasons, suggesting it may stem from a misunderstanding of these devices' capabilities. They argue that the ban appears arbitrary and could result from poorly informed security policies.
Steve then recommends the British TV series The Lazarus Project. He describes this time-travel sci-fi show as highly engaging and intelligent, with a complex plot requiring close attention. He urges viewers to watch it soon, as it may disappear from streaming platforms.
The episode concludes with a discussion on the importance of magnesium alongside vitamin D for health. Steve shares detailed information on different forms of magnesium, their benefits, and how to incorporate them effectively into one’s diet. He explains that magnesium is crucial for many enzymatic reactions in the body and that many people are deficient due to declining natural sources in modern diets. He particularly recommends magnesium glycinate and bisglycinate for better absorption.
Finally, the episode covers a major vulnerability in MongoDB, dubbed "Mongo Bleed." This flaw, present in all MongoDB versions since 2017, allows unauthenticated attackers to read server memory, exposing sensitive data such as passwords, API keys, and customer information. Steve details the vulnerability’s mechanism and stresses the importance of not exposing MongoDB databases directly to the internet. He also criticizes over-reliance on remote authentication, noting that many vulnerabilities stem from this practice.
In summary, this episode of Security Now provides an in-depth analysis of the latest cybersecurity trends and vulnerabilities, along with practical advice and reflections on topics ranging from technology to health.