
Security Now Episode 1060: Code Signing Challenges, AI Innovations, and Cybersecurity Trends
In this episode of Security Now, Steve Gibson and Leo Laporte discuss several crucial topics related to cybersecurity, code signing certificates, AI advancements, personal anecdotes, and reflections on current technological practices.

The episode begins with a discussion on the challenges of code signing certificates. Steve shares developers' growing frustrations with the increasing complexity and costs of obtaining these certificates. Certificate authorities (CAs) have shortened certificate validity periods and now require storage in hardware security modules (HSMs) or cloud services, significantly raising costs. For example, a code signing certificate that previously cost around $180 for three years can now cost up to $1,000 per year. Steve notes this trend appears driven more by financial interests than security improvements. He also mentions a detailed blog post by Rick Straw explaining how to configure Microsoft's cloud-based code signing solution, Azure Trusted Signing, despite its complexities.

Leo Laporte recounts a personal phishing experience where he fell victim to an SMS scam impersonating T-Mobile, illustrating the growing sophistication of phishing attacks and the difficulty in distinguishing legitimate communications from scams. Steve and Leo discuss the importance of user awareness about security risks while acknowledging even tech-savvy individuals can be deceived.

A major topic is California's new "Delete Request and Opt-Out Platform" (DROP) law, allowing residents to request deletion of their personal data held by data brokers. Effective January 1, 2026, this law aims to give individuals more control over their personal information. Both Steve and Leo used the platform and share their experiences, emphasizing the need to protect data in a world where it is constantly collected and sold.

Steve also shares a humorous anecdote about an AI error by the National Weather Service, which generated a map of Idaho including two fictional cities, "Whatabad" and "Orangeotil," highlighting the limitations and risks of AI technologies even in serious institutions.

Another highlight is the discussion on AI for software development. Leo Laporte shares his experience with Claude Code, an AI tool that helped him develop a custom RSS feed reader app quickly. He explains how AI can accelerate development, reduce errors, and enable non-developers to create tailored tools. Steve mentions a free 30-minute beginner coding course with AI by Andrew Ng, founder of DeepLearning.AI.

The episode also covers technical questions about code signing certificates and their expiration. Steve details how code signing certificates differ from TLS certificates used to secure web connections. Unlike TLS certificates, which must be valid in real-time for each connection, code signing certificates only need to be valid at the time of signing. This allows Microsoft to use very short-lived certificates (three days) for its cloud-based code signing solution, as they are immediately timestamped by a timestamping authority (TSA), ensuring permanent signature validity.

Finally, Steve and Leo discuss the practical implications of these topics, emphasizing the importance of vigilance against phishing attacks, protecting personal data, and adopting modern security tools. They encourage listeners to explore AI's potential for software development while remaining aware of its limitations and risks. In summary, this episode of Security Now provides a comprehensive and accessible overview of current cybersecurity challenges, technological innovations, and best practices for navigating an increasingly digital and interconnected world.
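The difference between TLS and code signing validity described above can be modeled as two acceptance checks. This is an added example, not code from the episode or from Microsoft; the class, function names and dates are constructed, and it assumes the signature and timestamp token have already been verified cryptographically.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Only the validity window matters for this model (hypothetical type)."""
    not_before: datetime
    not_after: datetime

    def covers(self, moment: datetime) -> bool:
        return self.not_before <= moment <= self.not_after


def tls_verdict(cert: Cert, now: datetime) -> str:
    # TLS: the certificate must be inside its validity window at connection time.
    return "accept" if cert.covers(now) else "reject: certificate not valid now"


def code_signature_verdict(cert: Cert, now: datetime,
                           tsa_time: Optional[datetime] = None) -> str:
    # Code signing: the reference moment is the TSA-attested signing time.
    if tsa_time is None:
        # No timestamp: nothing proves when signing happened, so the
        # signature stops verifying once the certificate expires.
        if cert.covers(now):
            return "accept"
        return "reject: untimestamped and certificate expired"
    if tsa_time > now:
        return "reject: timestamp is in the future"
    if not cert.covers(tsa_time):
        return "reject: timestamp outside certificate lifetime"
    return "accept"


# Constructed sample: a three-day certificate, signed and timestamped on day two.
ISSUED = datetime(2026, 1, 6, tzinfo=timezone.utc)
SHORT_LIVED = Cert(ISSUED, ISSUED + timedelta(days=3))
SIGNED_AT = ISSUED + timedelta(hours=30)
FIVE_YEARS_LATER = ISSUED + timedelta(days=5 * 365)

if __name__ == "__main__":
    print("TLS, 5 years on:        ", tls_verdict(SHORT_LIVED, FIVE_YEARS_LATER))
    print("Signed + timestamped:   ", code_signature_verdict(SHORT_LIVED, FIVE_YEARS_LATER, SIGNED_AT))
    print("Signed, no timestamp:   ", code_signature_verdict(SHORT_LIVED, FIVE_YEARS_LATER))
```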