Security Now 1073 transcript
Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here, amazed at the large privacy-invading JavaScript blob LinkedIn is forcing on people. We'll talk about that. And what does Steve think of the FCC router ban?
Steve Gibson [00:00:14]:
Hmm.
Leo Laporte [00:00:15]:
That's coming up next on Security Now.
Steve Gibson [00:00:20]:
Podcasts you love from people you trust.
Leo Laporte [00:00:24]:
This is TWiT. This is Security Now with Steve Gibson. Episode 1073, recorded Tuesday, April 7, 2026: The FCC bans new consumer routers. It's time for Security Now, the show where we cover the latest security, privacy and other stuff with this guy, right? Yeah. Mr. Steve Gibson.
Steve Gibson [00:00:51]:
True, my friend. It is true. It is once again, once again Tuesday. Uh, yeah.
Leo Laporte [00:00:58]:
How did that happen? Yeah, well, well, Leo, 168 hours
Steve Gibson [00:01:04]:
go by. And it hasn't always been... I like being here on Tuesday. It used to annoy me when we were on, I think we were on Monday for a while, and three-day weekends would kill, would cancel a podcast.
Leo Laporte [00:01:15]:
No, this is a good day.
Steve Gibson [00:01:17]:
Hey you know what?
Leo Laporte [00:01:17]:
If a Wednesday would work better you just let me know now. I'm here for you Steve.
Steve Gibson [00:01:21]:
We're good, we're good. I know that would upset everybody else's life.
Leo Laporte [00:01:25]:
You know, it upset Paul when we moved from Tuesday to Wednesday. He... you talking about.
Steve Gibson [00:01:32]:
Okay, so the big topic, actually from a week before, from our listeners, I just didn't have a chance to dig into it and get to it and look at it and talk about it, was this bizarro, sudden, surprising FCC ban on new consumer routers. It's important that it's not existing consumer routers. No, it's like, anyway, we're going to talk about this, and by the time we're done with today's podcast, everybody listening will understand exactly what happened, why it doesn't really make any sense. Lots of little what-I-think-about-its laced in there. Several of our listeners did note that I did a poor job of wording the summary, because in the little summary bullet points in the email that went out Sunday, and is here at the top of the show notes, I said the FCC drops a ban on all new consumer-grade routers.
Leo Laporte [00:02:35]:
They adopted it rather than dropping it. I... yes, I understand. Your thinking is
Steve Gibson [00:02:40]:
they dropped a ban on them, but of course that's got a, that's got a double meaning, because there could have been a ban which they then dropped, by the way, stopping the ban.
Leo Laporte [00:02:51]:
I remember, with the "fortunately" that I, I, I left hanging before the show began, has to do with this. Fortunately, anybody who watches this show knows how to make their own router, as you do. Yes, yes, I'm sure. Talk about that too.
Steve Gibson [00:03:05]:
Not concerned about that anyway, but we got a bunch of stuff to talk about, as always. We got the fact that Apple's 26... it's sort of notorious now, 26.4. If you know, if you just say 26.4 to an Apple person, they go, oh yeah, it's caught many people by surprise. We've got LinkedIn's 2...
Leo Laporte [00:03:28]:
Okay.
Steve Gibson [00:03:28]:
2.7-megabyte privacy-invading JavaScript blob which, see, yes, Microsoft has just gone off the rails with this. We also have Micro... I want a quick note about them forcing Windows 11 24H2 to 25H2 and the consequences of that. Cisco losing their source code; they were another casualty of this Trivy supply chain mess that caught LiteLLM that we talked about last week. Proton, a big fan, a big favorite of our, of our listeners, has introduced a, what they're cons...
Steve Gibson [00:04:10]:
What they're calling a privacy-first voice and video service known as Meet. GitHub is going to respond to the other, this whole Trivy, Cisco, LiteLLM mess, by taking a closer look at the security of its Actions feature, which is what was abused to make this happen, and change their rollout schedule. Cloudflare reaffirming the privacy of its DNS service, and oh, Leo, they've recoded Cloudflare, that is, recoded WordPress.
Leo Laporte [00:04:46]:
Oh, to fix its security.
Steve Gibson [00:04:49]:
Yeah. Yes. Em Dash, which is a cute name for that. It is.
Leo Laporte [00:04:53]:
It's a little confusing, but now, if
Steve Gibson [00:04:55]:
you weren't, if you weren't into, you know, like, I guess. Really? Yeah, exactly. Typography, en dash and em dash and so forth. So lots of stuff to talk about. We got a great Picture of the Week, which has been explained by a couple of our listeners. This was actually submitted by a listener who was walking by, saw this and thought, okay, I got to take a picture of this for Steve, because, you know, this is, this is wacky.
Leo Laporte [00:05:21]:
I can't wait to see it.
Steve Gibson [00:05:22]:
And I love my caption, if I do say so. So anyway, we will, we will talk about it. We will get there.
Leo Laporte [00:05:29]:
It is coming up next as we continue with Security Now for this Wednesday, April 7th. Now it's time for the Picture of the Week.
Steve Gibson [00:05:38]:
Okay, so the caption. You have to have the caption first, because, because I love this caption. I wrote: "In electronics, this symbol is a resistor, which resists the flow of electrons. When used as it is here, it also resists the flow of people."
Leo Laporte [00:05:58]:
So I'm thinking it's a line with, like a, like a spiral squiggle. Right. Is there... is that a resistor?
Steve Gibson [00:06:03]:
I think that's a coil, actually.
Leo Laporte [00:06:04]:
That's a coil.
Steve Gibson [00:06:05]:
So what's the resistor? Oh, it's the zigz...
Leo Laporte [00:06:07]:
The zigzag.
Steve Gibson [00:06:08]:
Right, Right. Yep.
Leo Laporte [00:06:09]:
Right. Yep. Well, why is... I guess the question.
Steve Gibson [00:06:18]:
So the... and so this is not... I know it's so it's... it's a... clearly, it's a resistor. Right. I mean, that's what it is. It is a...
Steve Gibson [00:06:27]:
Is a walking path resistor. This... several people wrote saying, I think this is AI-generated, this is nonsense. Well, of course, in this world, unfortunately, it could well be AI-generated work. I'm afraid that's just going to be the standard response to anything that looks bizarre from now on. But this was actually... this is a photo taken by a listener who, as I said, was walking by, saw this and thought, oh, Steve's gonna have fun.
Steve Gibson [00:06:55]:
So. And this was Seth Smith, our listener, who sent it to me. Anyway, the, the best explanation I've had is that a straight line may have been too steep for getting by, like wheelchair or some, some...
Leo Laporte [00:07:19]:
Because it is a little bit of a grade.
Steve Gibson [00:07:21]:
It looks like there is a grade.
Leo Laporte [00:07:23]:
So this is a switchback.
Steve Gibson [00:07:24]:
And so code might require... yes, that, that they switch back and forth in order not to encounter a grade which is too steep in order to roll themselves, if, if they were in some fashion handicapped, up to that little table. So that, you know, sounds right, but it, it's not very well done either.
Leo Laporte [00:07:47]:
It feels like there was some... there's something missing. Like there might have been a reason for this at one time that no longer...
Steve Gibson [00:07:53]:
And it's not rounded. It'd be nice if it, if, if, if the corners, the points were rounded, and it looks like it's kind of pinchy up, up there at the, the far right. It's like... it just doesn't look great. But anyway, it is indeed a path resistor.
Leo Laporte [00:08:12]:
So weird.
Steve Gibson [00:08:14]:
Yeah, very weird. Okay, so last week's Apple upgrade to release 26.4 has sent age-confirming shock waves through the UK, and in fact, I even got one. I'm trying to think what it was I was doing. I was doing something. I was logging into some app. Oh, I think I might have been installing Claude on an iPhone, and I got a short little pop-up that just notified me that the app had been informed that I was over 18.
Leo Laporte [00:08:53]:
Oh, interesting.
Steve Gibson [00:08:54]:
Oh, yeah. And, and you know, I had occasion, as a consequence of all this, to go into my settings, and I, you know, I am there. It shows my name under my Apple account, for Steve Gibson, shows my name, and my birth date is, you know, it's in the phone. So the phone knows how old I am. So anyway, so a listener of ours, Dan Bright in Scotland, he sent an email, said: Hi Steve, just FYI, although you likely already know, I'm in the UK and updated my phone to 26.4, to be immediately presented with an age verification process which I'm instructed needs to be completed to enable age-restricted content settings to be changed. Please find screenshot attached. And he sent me a screenshot, and this is, you know, an, I... clearly an iPhone, and good for you, Dan. It's your, your phone is being kept charged.
Steve Gibson [00:09:58]:
We know that our lithium-ion batteries appreciate you keeping the phone charged. So it says: "Confirm you're 18+. UK law requires..." and I'll just note that it actually doesn't, but okay. "UK law requires you to confirm you are an adult to change content restrictions. By continuing, your ID or credit card may be used to confirm you're an adult." And there's a, you know, a big group, a big blue "click to continue," or you can defer that and confirm later, and/or learn more about that. So also somebody using the handle Red, over in GRC's Security Now newsgroup, posted: I am in the UK, have had an Apple account for more than 18 years as I had an original iPod touch, and he said electronic similar to original iPhone, and after installing iPadOS 26.4 the system said, quote, "Your Apple account is older than 18 years. You are good." That's great. And he said, he said, I wonder if that's a good method of doing age verification. Lots in the UK report problems. Lots of people don't have credit cards, as you need to be 18 to have credit. So that's a common check.
Steve Gibson [00:11:22]:
He said, and Apple's system doesn't accept a UK passport as proof of age. And there was, I think that might have just changed. Apple's been iterating on this because of the problems and the feedback that they've been receiving once this went out to a much wider audience. I poked around the Internet reading feedback on the Guardian, 9to5Mac and elsewhere. Nothing stood out as worth sharing in greater detail. If I were to sum it all up with a generalization, I'd sort of call the nature of the reactions "get off my lawn." You know, normies who don't listen to this podcast, and who have not had any reason to track the rapidly changing landscape of online age verification, certainly as we have been, they'll be understandably surprised and annoyed by this apparently sudden need for their iDevices to need proof of their ages.
Steve Gibson [00:12:22]:
It's like, what? Why? What? Huh? So for those who've been paying attention, of course, or listening to this podcast, this won't be any surprise at all. One way or another, it will be coming to every device we own. As I noted last week, even reliably re-identifying an anonymous user remotely across a network, known as authenticating, has proven to be a challenge. Now we're needing to reliably and anonymously assert anyone's age, which is, you know, another, like, whole level, in my opinion. As I've said, what Apple, I believe what Apple has done is exactly the right thing. You know, it's true, this will annoy some people.
Steve Gibson [00:13:09]:
9to5Mac quoted a reader of theirs who commented on their coverage. This guy wrote: This is quite a big failure by Apple. I use a debit card rather than a credit card. I've had one from the same bank for almost 40 years. I don't have a photo driving license. My Apple account is about 14.5 years old, meaning not 18 like Red's was, who I shared before. He said, I can't verify my age despite being just over 60 years old. Even if they add a passport, which should have been usable from the start.
Steve Gibson [00:13:51]:
I don't have one of those either. As far as I understand, age verification is not required at device level, at least not yet. So Apple could either remove it or make it opt-in. Whilst I can see how it's easier to have it on your device, so not having to verify age for all restricted websites and age-related purchases, it needs to work for all or not be forced on us. Besides, kids will find ways around it. And for now, from what I've seen, you could still get separate age verification for websites outside of Apple, unless they try to block people doing that, right? So, as I said, get off my lawn. You know, he, he said it needs to work for all or not be forced on us.
Steve Gibson [00:14:44]:
Right? 100%, that would be great. But there's no magic solution, right? Partly, people are freaked out over any perceived loss of their largely fictitious anonymity online. Partly, people are upset over the imposition of any restriction of any kind over what they can do online. They've never had any before. So now why, all of a sudden, you know, are some freedoms being taken away from us and some restrictions imposed? Yeah, they are, but everyone should blame their democratically elected politicians. The old adage, you know, of "don't shoot the messenger" applies here. The technologies are just doing the best they can to implement what the emerging regional laws require. As societies, we want to protect our children from all the nastiness the world harbors.
Steve Gibson [00:15:39]:
The anonymity that the Internet offers to criminals means that the Internet is likely to always contain more than its fair share of bad actors, just as it does today. That's unlikely to change. So might some of us, like this guy who grumbled to 9to5Mac, be inconvenienced by our collective desire to manage what kids can access online? Uh huh. Yes, that's going to happen. But that's the relatively small price we need to pay. I don't see any way around it, and I love the idea that Apple is finally stepping up to this challenge. Having our platforms able to make these assertions for us globally and anonymously is the way to go. All of this discussion of the age of our Apple accounts made me wonder whether there was any way for us to determine how long we've had our accounts.
Steve Gibson [00:16:34]:
Since I have a credit card registered with Apple, they know I'm over 18. But since there are others who might be using debit cards, like this 9to5Mac guy, and may not have photo IDs, or not have one that Apple understands, because there were some reports of that in the UK. Also, it appears that it's possible to bring up a web page at privacy.apple.com. You'll be asked to log in with your Apple credentials, then respond to a multi-factor prompt on one of your Apple devices. Once you've done that, you'll be taken to a "choose the data you wish to download" page. I have a picture of that at the bottom of page three in the show notes. And this is... I've never seen this page before. It's an amazingly comprehensive information request portal where you're able to download all sorts of information and data that Apple may have gathered and accumulated about you through the years of your account ownership with them. The one item you reportedly... because I haven't been... I've started the process.
Steve Gibson [00:17:48]:
It hasn't finished, because it takes, it can take up to a week. The one item you need to select is "Apple account and device information." But boy, there's a lot more if you want more. So I selected that one and pressed "continue" at the bottom of that very long and comprehensive page of things that I could request to receive from Apple. In fact, the list was so long and comprehensive that I was next asked how large a file I would be comfortable downloading. It defaulted to 1 gigabyte, in which case it sends you however many 1-gigabyte files you need. But I chose the maximum offering of 25 gigs, because the file isn't emailed. Once Apple has assembled the information, I then receive another email.
Steve Gibson [00:18:37]:
I need to log in again to re-prove my identity. Then I receive a link to download whatever Apple has to share with me. Since I initiated this just last Saturday afternoon, so three days ago, and it's expected to take as much as a week, I'm unsure, you know, when I'll have results to share. Probably by this time next week. And I'll just quickly let people know what I, what I got. But anyway, I just wanted to share all that in case anyone listening might also be curious to know how long they've had their account. I wasn't quick to jump on an iPhone. I don't think I had ever had an early iPod.
Steve Gibson [00:19:21]:
You know, I was in love with my BlackBerry. I was one of those "pry this from my cold, dead..."
Leo Laporte [00:19:27]:
You know you still have some in your freezer.
Steve Gibson [00:19:31]:
No, I don't. And I actually did get. There is a physical keyboard for the iPhone.
Leo Laporte [00:19:36]:
Did you order that?
Steve Gibson [00:19:37]:
Yeah, I tried it. It's, it's, it's crap. It's no good. And besides, it makes your phone about... I can't show it on the screen. Yeah, it's like, it's really like weird. It's like, you know, a foot long and sticks out of your pocket. So no, it's, it's not going to go.
Leo Laporte [00:19:53]:
I, I cannot use the iPhone keyboard.
Steve Gibson [00:19:56]:
I hate it. It is the, it is the biggest trade-off that... yeah, I mean, I get it that that's what they want to do, and remember, of course, it was meant to be a consumption device, theoretically. But no, I know, I do have a Bluetooth keyboard that is, you know, a full-size keyboard. It's a cute little thing from Logitech, that guy.
Leo Laporte [00:20:19]:
Oh, that's nice.
Steve Gibson [00:20:20]:
Yeah, it is. And it allows you to associate itself with up to three different devices, and you choose which one you want. So, so, so it can appear as one of three different keyboards. And so if I know I'm going to be typing something at length, normally though, I'll just do... I'll, like... I'm so annoyed also, Leo, with this schism between iPhone and Windows. Like, Apple just refuses to accept the fact that Windows owns the desktop, and they're only willing to connect to their Mac in a, in a seamless fashion. So I'll, like, write something long, then I'll email it to myself, get the email on my phone, select it all, drop it into Messages and send it.
Steve Gibson [00:21:03]:
It's... it's like, God, really? This is what I'm being made... It's one of the reasons I'm so annoyed with Apple.
Leo Laporte [00:21:07]:
But yeah, anyway, apparently you can also look at your purchases on the, on the Apple ID and see when the oldest purchase you made was.
Steve Gibson [00:21:17]:
Yes, apparently everything. I mean, this, this page is so comprehensive. So I just thought it was cool. I didn't know, I'd never gone to privacy.apple.com and done that. But if someone wants to know how long they've had their account... I'm, I don't remember when we began the podcast. That would be an interesting... I know that we began the podcast in 2005, but I don't remember whether I had an iPhone by that time.
Leo Laporte [00:21:43]:
When I went on... it didn't come out till 2006. So I know you didn't have an iPhone in 2005.
Steve Gibson [00:21:48]:
Oh, okay. Yeah, so I was still BlackBerry, happily, the most, carrying my BlackBerry.
Leo Laporte [00:21:53]:
Most you could have would be 20 years' worth of iPhone, because actually next year is the 20th anniversary.
Steve Gibson [00:22:00]:
Oh, okay. And I probably waited a couple years, because again, I just liked my little BlackBerry.
Leo Laporte [00:22:06]:
Well, you didn't know that you had to prove you were 18 until now.
Steve Gibson [00:22:11]:
Yeah, it's true. I want to... this next piece, LinkedIn and, and what Microsoft has done, is long. Let's take a second break, and then I'm going to plow into some research that a disgruntled add-on developer posted. But despite his disgruntlement, he's not wrong. And Leo, what Microsoft is doing is, you know, because they're the owner of LinkedIn, it's like, what? Okay, so two weeks ago, while you were at RSA, Leo, Mikah and I took a look at what we might term the "super pixels" being used by Meta and TikTok now, which caused their own JavaScript code to be quietly run in the browsers of anyone visiting any website that hosted those pixels. "Pixels." And I'm putting "pixels" in air quotes here because...
Steve Gibson [00:23:18]:
Well, I'm going to explain. I noted at the time, two weeks ago, that the use of the term "pixel" was almost catching in my throat, because what has evolved over time has rendered that term laughable. So just, just so that we're all starting off on the same page here, the original idea was that a so-called tracking pixel could be hosted by a website that a user was visiting. That pixel was actually an HTML URL for a single, true pixel-size dot, you know, a one-by-one JPEG or GIF or PNG file. It might even be white or transparent, since it didn't want to call any attention to itself; it just wanted to be on the page. Its entire purpose was to cause the user's browser to fetch that tiny little innocuous one-by-one image dot from some other third party's remote server. And so, just to be clear, it would be the visible website the user was visiting that would be delivering its pages to its visitors, which contained the reference to that off-site third-party pixel. And since that pixel was referencing an image resource from another hosting domain, the user's browser would quietly be making that request to retrieve that pixel on behalf of its user.
Steve Gibson [00:24:54]:
Now we might wonder why the site being visited by its users might wish to add someone else's invisible pixels to its own pages. And the somewhat distressing answer is that the site would be receiving payment by that third-party site in return for the addition of those simple, tiny pixels. So the obvious next question is, why would some third-party site be willing to pay first-party sites, who people visit all across the Internet, in return for hosting their little, all-but-invisible pixels? And the answer to that, of course, is tracking. This was the emergence of the early Internet tracking economy. When the user's browser requested that tiny little invisible pixel from the remote third-party server, its request contained a bunch of metadata information. The request's referrer header would identify the entire URL of the page the site's visitor was viewing. And the request's cookie header would dutifully return the unique third-party cookie that the third-party site may have previously given the user's browser to hold, assuming they encountered one of these little pixels from that same third-party site anywhere in the past. And of course the request would come from the user's IP address.
Steve Gibson [00:26:28]:
So lots of information available to some random, unaffiliated, you know, not obviously affiliated third-party site. And all these little tracking beacons scattered far and wide across the Internet would be gathered by this third-party site, which could just sit back and, and aggregate all that data that was available to it. The final bit of horror, which we've covered here at the time, was that these tracking companies would create their own rewards and prizes and, like, sweep... kind of, you know, sketchy sweepstakes websites, where they would advertise across the Internet in order to draw people in. When signing up for their chance to win, you know, non-existent or maybe, you know, prizes, unwitting users would provide a ton of personal information to that site, you know, at least their names and email addresses and probably more, sometimes their phone numbers, you know, because hey, there's a chance to win. And since these bogus reward sites were being hosted by the same companies who were littering the Internet with their tracking pixels, all of that anonymous tracking data that had been aggregated over time, every website visited, the IP address that it had been visited from, the user's IP address, would then all be de-anonymized when the user provided their name and email addresses in return for essentially nothing. Unfortunately, those early days now look quaint in retrospect. As users became aware that the sites they were visiting were secretly betraying them behind their backs, compromising their privacy by embedding a pixel in return for payment, browser extensions such as our favorite one, uBlock Origin, but also Privacy Badger, Ghostery, AdGuard, Disconnect and NoScript, were created to give users who cared some control over this egregious behavior.
Steve Gibson [00:28:37]:
The next thing to happen was the evolution of the embedded tracking object from a relatively benign, now in retrospect, just a little JPEG, GIF or PNG image pixel into a reference to a remote host's HTML or JavaScript. Arranging to run a third party's remotely supplied JavaScript now is the ultimate goal. And that can be done simply by directly referencing a third-party JavaScript resource in the hosting page's HTML, you know, just whatever-it-is.js for JavaScript. Just like a site's own provided JavaScript, the third-party JavaScript will be loaded into and run by every page the user displays. The problem we have now is that we've invited foreign code to run inside our web browser, and the behavior of that code, the very code itself, is subject to unilateral change by that third party at any time. And it is from such changes that the practice of web browser fingerprinting has evolved. Right? It should now be clear why the continued use of the term "pixel," you know, for anything Meta or TikTok are doing, is laughable.
Steve Gibson [00:30:07]:
It's not a pixel any longer, although it still goes by that name. Now, what we have now is, is essentially hostile, uncontrolled, explicitly privacy-compromising code execution by unseen third parties. That's the threat environment that users and their browsers face today, completely changed over the course of the last two decades, the duration of this podcast. We've seen all of this. One of the points I wanted to make before we turn to last week's news about LinkedIn is just how much this behavior is completely hidden from anyone who's clicking links and wandering around the web. You know, the expression "out of sight, out of mind" has never applied more than it does here. This unseen behavior has been a problem since the first use of a third-party cookie for surreptitiously tracking user movement across the web.
Steve Gibson [00:31:07]:
Through the intervening decades, such behavior has exploded. And the only thing that has any chance of reining it in on a wholesale level, not just like we who care running add-ons like uBlock Origin, but like actually affecting everyone, is government legislation, which will eventually wrestle this stuff to the ground, criminalizing it and, and just making it impossible to continue. And there we probably have the EU to thank, because they tend to be pioneering this.
Leo Laporte [00:31:44]:
They use "pixel" now, "pixels" is used kind of generically in the ad industry for anything that's tracking. We're often asked to put pixels in our podcasts, which obviously you can't do. You can't put pixels in an audio, audio file. But it, but they, there were some,
Steve Gibson [00:32:00]:
there have been some audio beacons though, haven't there?
Leo Laporte [00:32:02]:
Well, and we, we do actually, in the feed there are redirects, and that's, that's as close as you can get. Right?
Steve Gibson [00:32:09]:
Bounces you through something and then, and then eventually.
Leo Laporte [00:32:12]:
Exactly.
Steve Gibson [00:32:12]:
Well, and in fact, Podtrac, you, you, you were using Podtrac in order to, to count downloads.
Leo Laporte [00:32:18]:
That's exactly how we were counting downloads. Exactly. We still do something similar. We don't do it with Podtrac, but yeah, that's, that's exactly so. They call those pixels too. It always puzzles me when advertisers say, can you put a pixel in the podcast? And it's like, I don't think so.
Steve Gibson [00:32:33]:
Yeah, because they're not, you know, yeah,
Leo Laporte [00:32:35]:
it's not a pixel, but they just need tracking.
Steve Gibson [00:32:38]:
And it's interesting too, because it does demonstrate how much they've just come to take it for granted. It's like, oh, yeah, you know, we want, we want analytics. We want to gather as much. Yes. Yeah, well, talk about knowing everything. Leo, wait till you hear this. Okay, okay, so the, the examination of things that are going on behind people's backs without their knowledge brings us to last week's LinkedIn revelation, which has been dubbed BrowserGate. Okay, now this is by the apparently disgruntled developer who has a beef with LinkedIn's owner, Microsoft.
Steve Gibson [00:33:16]:
The BrowserGate website is clearly passion-driven, and its thesis raised some questions in my mind about its creator's motivations. Okay. But I'm getting ahead of the story. Let's first look at that website. It is at browsergate.eu, B-R-O-W-S-E-R-G-A-T-E dot EU. So going there, we're first confronted with the bold black headline, "LinkedIn is illegally searching your computer." Okay. The site then elaborates, writing: "Microsoft is running one of the largest corporate espionage operations in modern history." And now that may seem like it's a little over the top, but I don't think anyone's going to think that once we're through looking at this closely.
Steve Gibson [00:34:11]:
He wrote: Every time any of LinkedIn's 1 billion users visits LinkedIn.com, hidden code... Well, okay, it's not really hidden. I mean, all code is hidden, right? We don't look at the code. No one does. But, you know, so it's, yes, it's de facto hidden. Hidden code searches their computer for installed software. That's true. Collects the results.
Steve Gibson [00:34:39]:
That's true. And trans... transmits them to LinkedIn's server and to third-party companies, including an American-Israeli cybersecurity firm. The user is never asked, never told. LinkedIn's privacy policy doesn't mention it. Because LinkedIn knows each user's real name, employer and job title, it is not searching anonymous visitors. It is searching the computers of identified people at identified companies. Millions of companies, every day, all over the world.
Steve Gibson [00:35:19]:
This, he writes, this is illegal and potentially a criminal offense in every jurisdiction we've examined. Okay, so I want to, I want to share what this author claims is the behavior of LinkedIn's downloaded code. And for the record, none of this behavior appears to be in dispute. All of the evidence that they have collected is available for download and analysis, and it has been subsequently verified by independent researchers, including by BleepingComputer, who has the advantage of objectivity and knowing their way around. So under the heading of "What we found," this author writes: Mass breach of personal data. LinkedIn's scan reveals the religious beliefs, political opinions, disabilities and job search activity of identified individuals. LinkedIn scans for extensions that identify practicing Muslims, extensions that reveal political orientation, extensions built for neurodivergent users, and 509 job search tools that expose who is secretly looking for work on the very platform where their current employer can see their profile. Under EU law, this category of data is not regulated.
Steve Gibson [00:36:51]:
It is prohibited. LinkedIn has no consent, no disclosure and no legal basis. Its privacy policy mentions none of this. LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha and ZoomInfo. Because LinkedIn knows each user's employer, it can map which companies use which competitors' products. It is extracting the customer lists of thousands of software companies from their users' browsers without anyone's knowledge. Then it uses what it finds.
Steve Gibson [00:37:36]:
LinkedIn has already sent enforcement threats to users of third-party tools, using data obtained through its covert scanning to identify its targets. In 2023, the EU designated LinkedIn a regulated gatekeeper under the Digital Markets Act and ordered it to open its platform to third-party tools. LinkedIn's response? It published two restricted APIs and presented them to the European Commission as compliance. Together these APIs handle approximately 0.07 calls per second. Meanwhile, LinkedIn already operates a private internal API called Voyager that powers every LinkedIn web and mobile product at 163,000 calls per second. In Microsoft's 249-page compliance report to the EU, the word API appears 533 times. Voyager appears 0 times. Meaning he's saying that they're not acknowledging the use of this other internal API.
Steve Gibson [00:38:49]:
At the same time, he writes, LinkedIn expanded its surveillance of the exact tools the regulation was designed to protect. The scan list grew from roughly 461 products in 2024 to over 6,000 by February of 2026. The EU told LinkedIn to let third-party tools in. LinkedIn built a surveillance system to find and punish every user of these tools. LinkedIn ships your data to third parties. It loads an invisible tracking element from HUMAN Security, formerly PerimeterX, an American-Israeli cybersecurity firm, zero pixels wide, hidden off screen, that sets cookies on your browser without your knowledge. A separate fingerprinting script runs from LinkedIn's own servers.
Steve Gibson [00:39:43]:
A third script from Google executes silently on every page download. Well, many people have that, but he says all of it encrypted, none of it disclosed. But he finishes: Microsoft has 33,000 employees and a $15 billion legal budget. We have the evidence. What we need is people and funding to hold them accountable. Okay, so is this probably happening? As we'll see in a moment, apparently so. And thanks to the GDPR, much of what's being done behind the backs and without the explicit knowledge and permission of European Union citizens might well be illegal, as the creator of this website clearly believes.
Steve Gibson [00:40:25]:
But knowing Microsoft, I would expect it to be covered by some, you know, vague "consent to business purposes" language, which anyone can take to mean anything. As we've seen, the good news is European regulators are genuinely and generally unimpressed by such implied consent. Okay, so to help us through this, you know, through a far less biased lens than this guy has, two days ago on Sunday, The Next Web did some great reporting on this, even lacking the original author's bias. The Next Web's headline was "LinkedIn is secretly scanning your browser for 6,000 extensions and you weren't told." And just so that everyone understands what we're talking about, it is actually reading, searching for files on a user's hard drive. It is looking through your file system when you go to a LinkedIn page, which is what Bleeping Computer confirmed and showed, you know, happening in their report of this.
Leo Laporte [00:41:41]:
Is it part of its fingerprinting, you think? Or do they want that information?
Steve Gibson [00:41:45]:
There's actually different fingerprinting than this. They apparently actually want to know what Chromium browser extensions you have installed. So here's what, and The Next Web makes this clear, they said. Every time you visit LinkedIn in a Chromium-based browser, and actually Firefox users apparently are subjected to far less of this because it is very browser-specific, yeah, which is nice. Every time you visit LinkedIn in a Chromium-based browser, a hidden, again, they use the word hidden,
Steve Gibson [00:42:19]:
But okay. JavaScript routine silently probes your browser for more than 6,000 installed extensions, collects 48 hardware and software characteristics about your device, that's the fingerprinting part, encrypts the resulting fingerprint and attaches it to every API request you make during your session. The practice, labeled Browsergate by researchers, is not disclosed in LinkedIn's privacy policy, says The Next Web, who, you know, doesn't have a cross to bear here or an ax to grind.
Steve Gibson [00:42:57]:
LinkedIn says it's a security measure. Critics say it is covert surveillance of a billion users' browsing behavior at industrial scale. There's a routine that runs on your computer every time you open LinkedIn. You cannot see it, you are not told about it, and it is not described in the company's privacy policy. According to an investigation published in early April 2026 by Fairlinked EV, a European association of commercial LinkedIn users, the platform, get this, Leo, injects a 2.7 megabyte JavaScript bundle, it's like wow, 2.7 megabytes of JavaScript, into its website that silently scans visitors' browsers, and actually it's the visitors' PCs, for the presence of more than 6,000 specific Chrome extensions, assembles a detailed fingerprint of their hardware, encrypts it and transmits the result to LinkedIn servers, where it's attached to every subsequent action taken during the session. The investigation, The Next Web writes, independently confirmed by Bleeping Computer, which verified the scanning behavior through its own testing, has been dubbed Browsergate. LinkedIn disputes many of the report's characterizations.
Steve Gibson [00:44:31]:
The technical facts, however, are not in dispute. LinkedIn calls its scanning system Spectroscopy. When a user loads the LinkedIn website, the script fires off up to 6,222 simultaneous requests, each one probing for a specific browser extension by attempting to access files on the user's file system associated with that extension's ID. The presence or absence of a file in the response indicates whether the extension is installed. The entire operation runs silently in the background, without a visible prompt or notification of any kind. Again, 6,222 extensions that it's checking for. Why? What business is it of LinkedIn's what extensions, to that degree, more than 6,000 of them, a user has installed? Beyond extensions, the script collects 48 distinct characteristics of the user's device: CPU core count, available memory, screen resolution, time zone, language settings, battery status, audio hardware information, and storage capacity, among others.
Steve Gibson [00:46:01]:
Now, those are traditional. Those are called, like, standard fingerprinting, right? They said if individually these attributes are unremarkable, combined they form a device fingerprint, true, specific enough to identify a user even after cookies are cleared. Okay, we've all seen that before. However, they said, once compiled, the data is serialized to JSON and encrypted using an RSA public key. LinkedIn's internal identifier for the key is APFC DFPK, before being transmitted to telemetry endpoints, including LI track and platform telemetry, LI APFCDF. The fingerprint is then permanently injected as an HTTP header into every API request made during the session, meaning LinkedIn receives it with every search, every profile view, every message sent. Okay, now I'm going to pause here a minute.
Steve Gibson [00:47:11]:
I'm sorry, I haven't looked at the code, but what The Next Web described makes sense in an interesting way. They wrote that the data was compiled, serialized to JSON, and encrypted using an RSA public key. But my spidey sense tripped when I didn't see any mention of hashing, and I did see that mention of reversible encryption, thanks to the use of an RSA public key. As we all know, the widely accepted way of fingerprinting a browser is to collect all of that random yet very specific data, then hash it down into an information-lossy, thus irreversible, hash. This creates a token that can be used to represent the user's browser as it moves about the web. But my first question is why Microsoft would need to have that at all. This sort of fingerprinting is only used by third parties who wish to track browsers as they move to other sites containing the same third-party fingerprinting code.
Steve Gibson [00:48:31]:
But Microsoft's LinkedIn users are already logged in with a first-party relationship to Microsoft. So why would Microsoft need to track them anywhere? Doesn't make any sense. It seems to me that this is not a fingerprint at all in the traditional sense. I think that it must be a form of what I will call a super fingerprint. Microsoft is assembling those 48 data points into a JSON object, which is then serialized. A random symmetric key will be derived and used to reversibly encrypt that serialized JSON blob. That symmetric key will then be encrypted with the RSA public key contained within that massive 2.7 megabytes of JavaScript.
Steve Gibson [00:49:36]:
That means that at any later date, Microsoft, or anyone else who might have the matching RSA private key, and they alone, can decrypt the original symmetric key, then use that to decrypt and deserialize the JSON object to obtain the original 48 individual pieces of information. Why would that be useful? Well, the problem with using a hash to fingerprint is that, thanks to the magic of cryptographic hashing, and deliberately so, if even one single bit of the hash's input data were to be changed, on average half of the resulting hash's bits will be inverted. The point is that if just a single characteristic bit changes, an entirely new and untrackable hash results. But Microsoft's super fingerprint avoids the information-lossy hash. So they've presumably retained all of the information contained within those 48 pieces of information individually. That means that Microsoft's super fingerprint can retain tracking, or more likely a tight association with the user's browser, even when some of the browser's data changes. They change screen resolution. Their battery status changes, right? Because that's one of the things. The battery percentage change would completely result in a different hash in the old-school fingerprint mode.
Steve Gibson [00:51:30]:
Here Microsoft can examine it, see that the battery charge changed but nothing else did, and go, okay, same person, and then update the fingerprint to match the new battery status and continue tracking. So it is literally a super fingerprint. And since all this is sent back to the Microsoft LinkedIn mothership, what Microsoft probably does is fully decrypt all of that browser parameter data and keep it on file for every LinkedIn user. Over time, this would allow Microsoft to identify exactly how many and which web browsers each of their 1 billion LinkedIn users were to log into, since they're logging into LinkedIn. And perhaps that information could be useful for some security purpose, so that I can believe. The other thing that would also be interesting to check would be what exactly those 48 pieces of information are. I didn't dig into it. You know, there could be a wolf hiding among the sheep if the presumption was that everything was being hashed into a fingerprint, that none of the specific information that Microsoft was collecting could be a big deal, since that information would be lost due to the hash.
Steve Gibson [00:52:57]:
Okay, you know, but if we assume that Microsoft is collecting and reversibly encrypting and forwarding all of that to their mothership, it would be interesting to see exactly what they're collecting and retaining. Because 48 individual things, that's a lot of things, you know, more than just screen resolution and battery charge and, you know, that kind of stuff, you know, browser user agent string and so forth. Anyway, The Next Web does have a bit more to say. They wrote: The question of which extensions LinkedIn is scanning for makes the surveillance more sensitive than simple fraud detection would require. According to the Browsergate report, LinkedIn's list includes more than 200 products that compete directly with LinkedIn's own sales tools. As noted before, Apollo, Lusha and ZoomInfo. Because LinkedIn knows the employer of each registered user, systematically scanning for the presence of a competitor's tools gives the platform, LinkedIn, visibility into which companies are evaluating or deploying rival products. Because, again, they know who the LinkedIn person's employer is.
Steve Gibson [00:54:23]:
The list also reportedly includes tools associated with neurodivergent conditions, religious practices, political interests and job hunting activity, categories that in the European Union qualify as sensitive personal data subject to heightened protection under the General Data Protection Regulation. You know, GDPR. Knowing that a user is running a job search extension, for instance, is a meaningful inference about their employment intentions, drawn without their consent. The scale of the operation has grown substantially over time. In fact, this is really what's breathtaking. LinkedIn, they said, began scanning for 38 specific extensions in 2017. 38 extensions being scanned for in 2017. By 2024, that number had grown to 461.
Steve Gibson [00:55:22]:
Hey, if some is good, more is better. Nobody seems to be minding or complaining. So let's just scan their hard disk more widely. By February of 2026, meaning a month and a half ago, the list had reached 6,167. Yes, 6,167 individual extensions' files being scanned for, they wrote. Bleeping Computer's testing confirmed the scanning was active as of early April 2026.
Leo Laporte [00:56:00]:
I don't understand why they are looking for specific extensions instead of just saying, what extensions are you running? I don't. Can't you ask the browser what extensions are running as part of the fingerprinting? I think you can.
Steve Gibson [00:56:14]:
Well, they're probably going beyond extensions. I mean, what they're doing.
Leo Laporte [00:56:20]:
They're looking for all applications.
Steve Gibson [00:56:22]:
They're looking for file names. They are doing file name queries. And Leo, I don't think I have a link here to the Bleeping Computer report, but you might grab it while I'm sharing this, because it's bracing to actually see what. And I think it may have been Lawrence himself who did the research. So now, as of February 2026, we're at 6,167, which they note is a 1,252% increase in two years. Bleeping Computer's testing confirmed the scanning was active, as I noted, as of early April 2026.
Leo Laporte [00:57:09]:
So is this.
Steve Gibson [00:57:10]:
Oh yep, that is those. And you can see the IDs and then the files that are actually being scanned for: JavaScript, SVGs, HTMLs. So those are actual.
Leo Laporte [00:57:25]:
Blame the browser for letting it do this.
Steve Gibson [00:57:28]:
I agree. And that's where you're going to see me reach that conclusion here in a minute: that we users need control over this completely out-of-control behavior.
Leo Laporte [00:57:38]:
Yeah huh.
Steve Gibson [00:57:42]:
So they wrote, The Next Web wrote: LinkedIn's response to Bleeping Computer was pointed. A spokesperson said, quote, "The claims made on the website linked here are plain wrong. The person behind them is subject to an account restriction for scraping and other violations of LinkedIn's terms of service. To protect the privacy of our members, their data, and to ensure site stability, we do look for extensions that scrape data without members' consent or otherwise violate LinkedIn's Terms of Service." So they're saying they're looking at more than 6,000 extensions because they're naughty. And, okay, they said that they do not use the data to infer sensitive information about members. The Next Web wrote: LinkedIn's characterization of the source matters.
Steve Gibson [00:58:46]:
Fairlinked EV is connected to Teamfluence Signal Systems OÜ, an Estonian company whose managing directors are Stephen Morell and Jan Lebling. Teamfluence makes a Chrome extension, also called Teamfluence, that LinkedIn restricted for alleged terms of service violations. The company subsequently filed for a preliminary injunction against LinkedIn Ireland Unlimited Company and LinkedIn Germany at the Regional Court of Munich, alleging violations of the Digital Markets Act, EU competition law and German data protection rules. In January, the Munich court denied the injunction, finding that LinkedIn's actions did not constitute unlawful obstruction or discrimination. The financial dispute between the parties does not change the technical findings, however, which were verified independently. It does mean the framing of those findings is contested. The reader should weigh both the substance of the claim and its provenance. This is not LinkedIn's first serious encounter with European data protection enforcement.
Steve Gibson [00:59:58]:
In October 2024, the Irish Data Protection Commission, which regulates LinkedIn in the EU through its Irish subsidiary, fined the company €310 million, approximately $334 million at the moment, for processing users' personal data for targeted advertising without a valid legal basis. So LinkedIn was found to be using personal data for targeted advertising. The decision found that LinkedIn's consent mechanisms did not meet GDPR's requirement that consent be freely given. LinkedIn was ordered to bring its data processing into compliance. The Browsergate investigation drops into that context. The legal question of whether scanning for 6,000 browser extensions constitutes processing of special category personal data, and whether users' lack of awareness of the practice renders any implied consent invalid, is exactly the kind of question the Irish Data Protection Commission has already shown it's willing to adjudicate in court. Europe's evolving digital regulation framework has been moving steadily toward requiring explicit disclosure of all significant data collection, and a scanning operation of this scale, conducted without any mention in a privacy policy, appears difficult to square with that direction of travel. LinkedIn is a Microsoft subsidiary, acquired in 2016 for $26.2 billion.
Steve Gibson [01:01:40]:
Microsoft has been aggressively expanding its AI capabilities in 2026, with LinkedIn's vast data set of professional identity and employment history forming a significant part of the data infrastructure on which those capabilities rest. The relationship between LinkedIn's data collection practices and Microsoft's broader AI ambitions is not addressed in LinkedIn's privacy policy either. Anyway, so they talk about LinkedIn having more than 1 billion registered users. Oh, and they did note, short of using a non-Chromium browser such as Firefox, which would limit but not necessarily eliminate LinkedIn's fingerprinting capabilities, there is no user-facing setting that prevents the scanning. The platform does not offer an opt-out because it does not disclose the practice in the first place. The 2026 push for governed and transparent AI and data practices is built on precisely the premise that invisible data collection of this kind should not be the default. Okay, so. We began this topic by, you know, reminiscing over the quaint web browser pixel, which was literally a pixel image supplied by some other domain's web server, that has evolved, or perhaps devolved, into an astonishingly monstrous and invasive 2.7 megabyte unsolicited blob of code that does actually, as observed, confirmed and reported by Bleeping Computer, scan the mass storage file system of its website's visitors.
Steve Gibson [01:03:38]:
You go to LinkedIn.com, that happens to you, looking for the files belonging to, at last count, and this is rapidly increasing, 6,236 web browser extensions, which are arguably none of its business. As The Next Web stated, this may be illegal in the EU, where thankfully privacy regulations are very strong and are only getting stronger. But whether or not this is illegal, it seems pretty clear that things, and I agree with you, Leo, on this point, have gotten way out of hand, apparently due to a complete lack of adult supervision. Something really bizarre is going on at Microsoft's LinkedIn property. So regardless of the motivations of these begrudging, you know, developers, I'm very glad that the world has just received an absurdly clear example of the need to perhaps give our web browsers some form of control over what the JavaScript that the browsers are hosting is allowed to do. It would be nice if some sort of an alert came up and said, whoa, do you realize that the website that you have just gone to has made 6,232 queries of your file system, like for different files by name? And how do you feel about that? Anyway, you know, this JavaScript is rummaging around inside users' computers for a while, searching for all those files.
Steve Gibson [01:05:29]:
Maybe we should be asked if we consent to having it do that. That just seems like, you know, crazy behavior on Microsoft's part, and they are only getting away with it because it is, you know, these people use the word hidden or secret. You know, it just isn't obvious, in the same way third-party cookies have never been obvious. So, you know, out of sight, out of mind. And this has been certainly something no one would be aware of otherwise. It's crazy. But Leo.
Leo Laporte [01:06:03]:
Yes, I know.
Steve Gibson [01:06:04]:
You know what our listeners do want to know about?
Leo Laporte [01:06:08]:
They want more ads, right? Hey, I did want to mention this broke during the show. Anthropic, we know, was working on a new model, in the rumors, Mythos, and the rumors were it was going to be so good that they were holding it back for fear it would be misused. Today they announced that they are going to allow a small number of people to use Mythos for security reasons. They say it is so good, strikingly capable at computer security tasks. They've already set it against existing browsers and operating systems, and they say found tens of thousands of vulnerabilities, including in operating systems, that are in every operating system and every browser that is currently in use. So of course it could also be misused. Their fear is that it will find vulnerabilities that can be exploited. So they have announced something today called Project Glasswing, which they are going to. Here, let me go full screen on this.
Leo Laporte [01:07:23]:
They're going to offer it to a small number of companies. It is not going to be in wide availability, but they're
Steve Gibson [01:07:30]:
going to offer it to
Leo Laporte [01:07:31]:
the good guys, the world's most critical software, to find those vulnerabilities before the bad guys get access to this model.
Steve Gibson [01:07:40]:
Now Leo, we are living in a science fiction world.
Leo Laporte [01:07:44]:
Well, this could be just really good marketing. I mean, understand, what better way to say, hey, our model is good. But I think it's credible. And they say they've already found thousands of high-severity vulnerabilities. They found Linux vulnerabilities that have been around for 25 years. They found a FreeBSD escalation exploit that was very severe. So they are giving this away to a broad number of companies who have, you know, mission-critical software in the enterprise, and hoping that they'll find those vulnerabilities before they become public.
Steve Gibson [01:08:23]:
So it's going to be turned over to, you know. And I think what I read about this, a rumor at the time because it wasn't officially disclosed, is this would be a super high-end model that would cost more to use.
Leo Laporte [01:08:39]:
Yeah, the rumor is it'll be very expensive. We don't know. That's not been confirmed yet. They are dedicating $100 million in token credits to these companies so they can use it, you know, kind of freely. I think this is a big security story. Again, it could be just a very good marketing ploy, but I tend to credit that this is possible, and the scores on the software benchmarks for this thing are off the charts. Much better than their current 4.6 Opus.
Steve Gibson [01:09:11]:
No kidding. Even more so than Opus.
Leo Laporte [01:09:13]:
Yeah, much more so. Like 50% better than Opus. Wow. So they found a 27-year-old OpenBSD bug. They found a 16-year-old FFmpeg bug. You know, I mean, we're going to see more and more of this, obviously, and the fear is that people will use it, you know, to find those flaws and exploit them. So they want to give this away to people so that they can find them and fix them before they get exploited. So that remote code execution in FreeBSD, that's 17 years old.
Steve Gibson [01:09:45]:
I mean, remote code execution? I thought it was a privilege.
Leo Laporte [01:09:49]:
That's a different one. That's an OpenBSD. This is in FreeBSD. This allows anyone to gain root on a machine running NFS from anywhere on the Internet. So it's a pretty. And it's been around for 17 years. So they say, fully autonomously.
Leo Laporte [01:10:08]:
No human was involved even in the discovery or exploitation of this vulnerability after the initial request to find the bug. So that's the concern. A bad guy will find it, and suddenly you've got all of these FreeBSD distros completely vulnerable.
Steve Gibson [01:10:23]:
Yikes.
Leo Laporte [01:10:24]:
4.6 was able to exploit the vulnerability, but required human guidance. Mythos did not. It could be. And that's really scary, the idea that they could autonomously.
Steve Gibson [01:10:36]:
Well, I mean, there's no question that the bad guys will pay whatever that cost is and.
Leo Laporte [01:10:42]:
Sure.
Steve Gibson [01:10:42]:
And find exploits and jump on them. You know, we talked about exactly this for a while. Remember that? I don't remember if it was OpenAI or Anthropic. We're saying that the good news is the AI seems better at finding problems than it is at exploiting them. That's not apparently changed.
Leo Laporte [01:11:07]:
And the other thing that I thought was really telling is Mythos is able to chain exploits, as many as six exploits. So that's a big deal. Because, as we've talked about many, many times, it's not often that just a single exploit is enough. Often these exploits are chained.
Steve Gibson [01:11:26]:
Right.
Leo Laporte [01:11:27]:
And the fact that Mythos can do it autonomously, that's a little scary. So that's a big story. We'll hear a lot more about it. We'll talk about it tomorrow on Intelligent Machines. And I'm sure, in fact, if we can. We've got a really good guest on Intelligent Machines tomorrow, Daniel Miessler, who's a security researcher, many years in security, worked at security at Apple and other companies, and is an AI aficionado. So he'll have something to say about this for sure. Should be very interesting.
Leo Laporte [01:11:56]:
All right, let's take that break that you promised. I just wanted to mention this.
Steve Gibson [01:11:59]:
Yes, I'm glad you did. That just happened. Yeah, that's gonna be a story. There will be people who didn't check their code, or that weren't. I mean, that didn't qualify for Anthropic's initial offer, and bad guys. There's just no question that we're going to see, you know, on the margins there will be new exploits that are found, and I
Leo Laporte [01:12:23]:
think, again, it could just be a marketing ploy. But I think I want to give credit to Anthropic for doing the right thing, to hold this back and release it this way so that people had a chance. Otherwise, I'm afraid we don't have much of a chance in this modern world. All right, let's get back to Steve.
Steve Gibson [01:12:46]:
So while I was over at Bleeping Computer confirming that Lawrence Abrams had independently verified Microsoft's hard-to-believe JavaScript behavior, wow, I encountered the news that Microsoft has now also begun forcing upgrades of unmanaged Windows 11 PCs from 24H2 to 25H2.
Leo Laporte [01:13:12]:
Yeah, saw that.
Steve Gibson [01:13:13]:
Yeah. Last Friday, Bleeping Computer reported: Starting this week, Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. According to the company's lifecycle policy report, Windows 11 24H2 will reach end of support in roughly six months, on October 13, 2026. Also known as the Windows 11 2025 Update, Windows 11 25H2 began rolling out in September to eligible Windows 10 or 11 devices as a minor update installed through enablement packages less than 200K in size. Microsoft said in a Monday rollout to the Windows Release Health Dashboard, quote: The machine learning-based intelligent rollout, because of course, Leo, everything has to be machine learning, intelligent, AI nonsense now. Otherwise it's no good, right? Humans? I don't want dumb humans telling me what they're doing. Smart.
Steve Gibson [01:14:20]:
Yeah, that's right. Has expanded to all devices running Home and Pro editions of Windows 11 version 24H2 that are not managed by IT departments. Devices running these editions will no longer receive fixes for known issues, time zone updates, technical support, or monthly security and preview updates containing protections from the latest security threats. These devices will automatically receive the update to Windows 11 version 25H2 when they're ready, no action required, and you can choose when to restart your device or postpone the update. Yeah, right. We've been there before, until they start saying, do you want to do it now or later? They said: Those who don't want to wait for the automatic update can manually check whether the update is available in Settings, Windows Update, and click the link to download and install Windows 11 25H2. If you're not ready to update, you can also pause updates from Settings, Windows Update, by selecting the amount of time you'd like to pause them. However, you must install the latest updates after the time limit has passed.
Steve Gibson [01:15:30]:
Microsoft also provides a support document and a step-by-step guide, writes Bleeping Computer, to help users resolve problems encountered during the Windows 11 25H2 upgrade process. Since the March 2026 Patch Tuesday updates were released last month, Microsoft has issued several emergency updates, including ones that address a known issue breaking sign-ins with Microsoft accounts across multiple Microsoft apps such as Teams and OneDrive. It also pushed out-of-band updates for hotpatch-enabled Windows 11 Enterprise devices that fixed a Bluetooth device visibility issue and security vulnerabilities in the Routing and Remote Access Service management tool. So I wanted to mention this because GRC's InControl freeware can also be used to give users control over exactly this process. It configures Windows to appear as if it's under management. Thus it is not unmanaged, and Microsoft will officially leave it alone. If you have used InControl to lock down your current Windows version and may wish to make the move to Windows 11 25H2, InControl can just as easily be reversed. So I just saw that and I wanted to give everybody a reminder. You know, as we know, we had fun with it at the time, Leo, back in the Windows 7 days, where the first version of this was called Never10, when I vowed to never be using Windows 10.
Steve Gibson [01:17:18]:
So Never10. And then there was a temptation to do Never11, but because they promised us that 10 would be the last version, I thought, nope, fool me once, you know, I'm not. It's Lucy pulling the football out from under Charlie Brown. So I decided instead to create InControl, which would allow us, you know, once, apparently there's going to be a Windows 12, right? So, okay, I'm glad I called it InControl and not Never, right?
Leo Laporte [01:17:50]:
Never11, Never12. You could do it. You know what though? If you were really thinking, you could get upgrade fees every year. Just, just think about it.
Steve Gibson [01:17:58]:
I'm just saying, actually it's free, so.
Leo Laporte [01:18:01]:
Oh shoot. No, you see, you see did did
Steve Gibson [01:18:05]:
want to mention that it's freeware and it was with no bugs known at the time of its release. So it's still at release one and it works perfectly and it's free and you can use it forever. So last week's deep dive into the LiteLLM mess revealed that the proximate cause of LiteLLM's troubles was actually the use of a compromised free and open source vulnerability scanner called Trivy. It was widely expected that LiteLLM would not be alone in this, and indeed we've since learned that none other than Cisco Systems became another victim. Bleeping Computer also reported on this. They explained: Cisco has suffered a cyber attack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers. A source who asked to remain anonymous told Bleeping Computer that Cisco's Unified Intelligence Center, the CSIRT and EOC teams contained the breach involving a malicious, and here it is, GitHub Action plugin from the recent Trivy compromise. We'll be talking about Actions in a minute, they wrote.
Steve Gibson [01:19:42]:
The attackers used the malicious GitHub Action to steal credentials and data from the company's build and development environment, impacting dozens of devices, including some developer and lab workstations. While the initial breach has been contained, Bleeping Computer was told that the company expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks. As part of the breach, multiple AWS keys were reportedly stolen and later used to perform unauthorized activities across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation. I wanted to mention that one of the things that we're seeing now is that the bad guys know how to take advantage of the things they steal. Back in the early days, you know, we were seeing, like, AWS credentials were stolen, but then we didn't immediately hear that they were used, like, to ill effect for those from whom they were stolen. Now we're always seeing that. My point is that another thing that seems to have changed is all the bad guys know how to take advantage of what it is they steal, and they know that their window of opportunity will be very short, so they immediately jump on it, and, you know, the attacks go broad and deep and wide so that they're getting the most bang they can for the buck, to the detriment of the victims. They wrote: Bleeping Computer has learned that more than 300 Cisco GitHub repositories were also cloned during the incident, including source code for its AI-powered products.
Steve Gibson [01:21:50]:
Of course Cisco is going to have that. Why fix the old ones? Such as AI Assistant, AI Defense and unreleased products. Whoops. Yeah. A portion of the stolen repositories allegedly belong to corporate customers, including banks, BPOs and US government agencies. Multiple sources told Bleeping Computer that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches with varying degrees of activity. Bleeping Computer contacted Cisco with questions, I bet they did, regarding the breach, but has not received a reply to our emails, they wrote. Cisco's breach was caused by this month's Trivy vulnerability scanner supply chain attack, in which threat actors compromised the project's GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions.
Steve Gibson [01:22:50]:
That attack enabled the theft of CI/CD credentials from organizations using the tool, giving actors access to thousands of internal build environments. Security researchers linked these supply chain attacks to the TeamPCP threat group based on the use of their self-titled TeamPCP Cloud Stealer infostealer. TeamPCP has been conducting a series of supply chain attacks targeting developer code platforms such as GitHub, PyPI, npm and Docker. The group also compromised the LiteLLM PyPI package, which impacted tens of thousands of devices, and the Checkmarx KICS project to deploy the same information-stealing malware. So one snarky but understandable comment I saw from someone commenting upon the fact that some of Cisco's source code had escaped: somebody wrote, maybe they can fix some bugs while they're in there.
Leo Laporte [01:23:57]:
Yeah, we can hope they probably could if they wanted to.
Steve Gibson [01:24:02]:
Wow. Wow. So I know from seeing the domains of our Security Now listeners who have email subscriptions, the email domains in email subscriptions, that the Proton family of products are very popular among our listeners. Interesting. Yeah, I see a lot of Proton email in our subscriber base. So I wanted to note that last Tuesday Proton announced Proton Meet, which Proton describes as a privacy-first, end-to-end encrypted audio and video conferencing solution. Proton explained, writing: when meeting in person isn't an option, we turn to video calls for conversations too important for email or chat.
Steve Gibson [01:24:56]:
Whether you're talking to a doctor, hosting an executive meeting, or checking in with your kids, you expect these interactions to be private and safe. But mainstream video conferencing services such as Zoom, Google and Microsoft can eavesdrop on your conversations. Proton Meet gives you back your privacy and peace of mind by protecting your calls with end-to-end encryption so nobody can listen in or use your conversations to sell ads, conduct surveillance or train AI. Okay, now I'll admit I was somewhat surprised by Proton's claim of eavesdropping, and it appears that they're mostly referring to the leakage of metadata. Not that that's not a problem, but that seems to be their focus. Also their information may be a bit dated and skewed. Their claims included links to Zoom, Google and Microsoft. But for example the Microsoft link talked about Outlook.
Steve Gibson [01:26:02]:
It's like, okay. And the Zoom link was a posting written six years ago in 2020. This is not to suggest that I would not be far more inclined to trust Proton than Microsoft, Google or Zoom. I would, without question. Anyway, I have the link to last week's Proton Meet announcement in the show notes for anyone who may be interested in following up. Although I'm sure if you just go to proton.me, which is the domain of this link, it probably comes up on their announcements. And I mentioned we would be talking in the future about GitHub. Well, that future is now. The recent LiteLLM and now Cisco and now several other attacks that have all been attributable to the Trivy malware scanner also involve GitHub's Actions feature.
Steve Gibson [01:26:59]:
In the wake of these various messes, GitHub has announced that it now plans to accelerate the development and rollout of some of the additional GitHub Actions security features it had originally planned to roll out later this year. In other words, whoops, maybe sooner rather than later. So since Actions are now seeing some serious abuse, there's no time like the present to improve their security, and that is happening. Also, Cloudflare said in their posting, sort of just in passing, that 1.1.1.1 remains super private. And this was posted on the 8th anniversary of its launch. They said: exactly 8 years ago today, they posted this I guess Sunday, we launched the 1.1.1.1 public DNS resolver with the intention to build the world's fastest resolver and the most private one. We knew that trust is everything for a service that handles the phone book of the Internet. That's why, at launch, we made a unique commitment to publicly confirm that we are doing what we said we would do with personal data. In 2020, we hired an independent firm to check our work instead of just asking you to take our word for it.
Steve Gibson [01:28:38]:
We shared our intention to update such examinations in the future. We also called on other providers to do the same. But as far as we're aware, no other major public resolver has had their DNS privacy practices independently examined. So, anyway, their posting continues at some length, but they were just audited by one, and this is the point. They just had an audit by one of the top four accounting firms and they again passed with flying colors. So they do not want to know who uses their service, nor what those users look up.
Steve Gibson [01:29:19]:
DNS querying source IPs are anonymized on use and deleted within 25 hours. So they are really doing everything they can to honor their privacy commitments. And Leo, we're at an hour and a half in. Let's take a break and then I'm going to talk about the other very cool thing that Cloudflare has just done by basically creating a WordPress replacement.
Leo Laporte [01:29:51]:
Yeah, very, very cool. Yeah. Yeah, I think it's very interesting. Yeah, we'll talk about the N dash in just a little bit. I think that's what Steve's aiming at.
Steve Gibson [01:30:01]:
Yep.
Leo Laporte [01:30:02]:
Okay, Steve, on we go.
Steve Gibson [01:30:04]:
Okay, so. Oh, I guess it was on April 1st, so. Because I'm starting this with: also on April 1st, Cloudflare announced. So that must have been on April 1st that they were talking about their 1.1.1.1 DNS. Also on April 1, Cloudflare announced their emdash, E-M-D-A-S-H.
Steve Gibson [01:30:25]:
For those who don't know, there's the regular hyphen style dash, then there are dashes that are the width of an N and the width of an M. And so emdash is what they call this. I don't really know why, but it's kind of just a cool name. Anyway, it caught my eye and I'm sure it will. Actually, many of our listeners sent the announcement to me, so I knew they were aware of it, because the emdash project's goal is to replace WordPress with a far more secure successor. And, you know, the expression far more secure in the case of WordPress is not a high bar, since every Security Now listener knows quite well what a complete security disaster WordPress has become. And it's not WordPress's fault. The problem is its creaky old architecture, which Cloudflare has just completely replaced.
Steve Gibson [01:31:36]:
The source of WordPress's trouble has been that it promises to allow anyone to author and offer an insecure WordPress plugin, and that its architecture doesn't allow security containment of those. Unfortunately, many people have taken them up on this and the result is a mess. So here's what we learned from Cloudflare. They wrote: the cost of building software has drastically decreased. We recently rebuilt the most popular React framework, Next.js, in one week using AI coding agents. But for the past two months our agents have been working on an even more ambitious project, rebuilding the WordPress open source project from the ground up. They wrote: WordPress powers over 40% of the Internet. It is a massive success that has enabled anyone to be a publisher and created a global community of WordPress developers.
Steve Gibson [01:32:49]:
But the WordPress open source project will be 24 years old this year. Hosting a website has changed dramatically during that time. When WordPress was born, AWS EC2 didn't exist. In the intervening years that task has gone from renting virtual private servers to uploading a JavaScript bundle to a globally distributed network at virtually no cost. It's time to upgrade the most popular content management system (CMS) on the Internet to take advantage of this change. Our name for this new CMS is emdash. We think of it as the spiritual successor to WordPress. It's written entirely in TypeScript.
Steve Gibson [01:33:39]:
It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate via dynamic workers, solving the fundamental security problem with the WordPress plugin architecture. Under the hood, emdash is powered by Astro, the fastest web framework for content-driven websites. emdash is fully open source, MIT licensed and available on GitHub. While emdash aims to be compatible with WordPress functionality, no WordPress code was used to create emdash. That allows us to license the open source project under the more permissive MIT license as opposed to GPL. We hope that allows more developers to adapt, extend and participate in emdash's development. You can deploy the emdash version 0.1.0 preview to your own Cloudflare account or to any Node.js server today as part of our early development beta.
Steve Gibson [01:34:54]:
Okay, so all of that is super interesting, but what about WordPress's security? Right, before we get to that, Cloudflare felt the need to congratulate WordPress and kind of apologize, I think, a little bit for replacing it. So they wrote: The story of WordPress is a triumph of open source that enabled publishing at a scale never before seen. Few projects have had the same recognizable impact on the generation raised on the Internet. The contributors to WordPress's core and its many thousands of plugin and theme developers have built a platform that democratized publishing for millions, many lives and livelihoods being transformed by this ubiquitous software. There will always be a place for WordPress, but there's also a lot more space for the world of content publishing to grow. A decade ago, people picking up a keyboard universally learned to publish their blogs with WordPress.
Steve Gibson [01:35:54]:
Today, it's just as likely that person picks up Astro or another TypeScript framework to learn and build with. The ecosystem needs an option that empowers a wide audience in the same way it needed WordPress 23 years ago. emdash is committed to building upon what WordPress created, an open source publishing stack that anyone can install and use at little cost, while fixing the core problems that WordPress cannot solve. And here it comes. WordPress's plugin architecture, they wrote, is fundamentally insecure. 96% of security issues for WordPress sites originate in plugins. In 2025, more high severity vulnerabilities were found in the WordPress ecosystem than in the previous two years combined. Okay, in other words, things with WordPress are getting worse, not better, they wrote.
Steve Gibson [01:37:03]:
Why, after over two decades, is WordPress plugin security so problematic? A WordPress plugin is a PHP script that hooks directly into WordPress to add or modify functionality. There is no isolation. A WordPress plugin has direct access to the WordPress site's database and file system. When you install a WordPress plugin, you are trusting it with access to nearly everything and trusting it to handle every malicious input or edge case perfectly. emdash solves this. In emdash, each plugin runs in its own isolated sandbox, a dynamic worker. Rather than giving direct access to underlying data, emdash provides the plugin with capabilities via bindings based on what the plugin explicitly declares it needs in its manifest. This security model has a strict guarantee.
Steve Gibson [01:38:13]:
An emdash plugin can only perform the actions explicitly declared in its manifest. You can know and trust up front, before installing a plugin, exactly what you are granting it permission to do, similar to going through an OAuth flow and granting a third party app a specific set of scoped permissions. WordPress plugin security is such a real risk that WordPress.org manually reviews and approves each plugin in its marketplace. At the time of writing, that review queue is over 800 plugins long and takes at least two weeks to traverse. The vulnerability surface area of WordPress plugins is so large that in practice, all parties rely on marketplace reputation ratings and reviews. And because WordPress plugins run in the same execution context as WordPress itself and are so deeply intertwined with WordPress code, some argue they must carry forward WordPress's GPL license. These realities combine to create a chilling effect on developers building plugins and on platforms hosting WordPress sites. Plugin security is the root of this problem.
Steve Gibson [01:39:46]:
Marketplace businesses provide trust when parties otherwise cannot easily trust each other. In the case of the WordPress Marketplace, the plugin security risk is so large and probable that many of your customers can only reasonably trust your plugin via the marketplace. But in order to be part of the marketplace, your code must be licensed in a way that forces you to give it away for free everywhere other than that marketplace. In other words, you are locked in. So that's the gist of it. Their posting continues at much greater length, but everyone gets the idea, right? Cloudflare has leveraged AI agency to take the conceptual promise that WordPress met and to dramatically overhaul its architecture for licensing freedom and security. Essentially it is a plug-in architecture where these dynamic workers are running as their own execution spaces.
Steve Gibson [01:40:55]:
They communicate to this new emdash core via an API, and the API calls that they are allowed to execute are strictly controlled by the manifest which they explicitly define and export right up front. So it is the architecture you would design today if you wanted to do what WordPress has been doing, but to do it in a secure fashion, and on GitHub, all open source, MIT license, means you can do much more with it if you wish. So another big home run, I think, for Cloudflare.
Leo Laporte [01:41:41]:
Yeah, it's very interesting. I hope they support it and I mean clearly they want to take over the 40% of the Internet that's run by WordPress and they probably have pretty credible reason to taste it.
Steve Gibson [01:41:56]:
I think if we see a core of add-ons emerge which solve the problems that people have, and you look at the security model that it offers, why, if you were starting from scratch, would you use a WordPress CMS as opposed to an emdash CMS?
Leo Laporte [01:42:18]:
There's another employee either reason for them doing this. They want to make something that is easily manipulated by AI, that an AI could build a website, easily build a website on. And while AI can certainly do that with WordPress, I think this is designed specifically with that.
Steve Gibson [01:42:34]:
I bet you are exactly right.
Leo Laporte [01:42:35]:
Yeah.
Steve Gibson [01:42:36]:
Okay, we're going to talk about the FCC ban on consumer routers. Let's take our final break and then we are going to. I'm going to take our listeners through what happened. What happened so that it's. Well, every, as I said at the top of the show, by the time we're done here, everyone will have a very clear sense and understanding for what it means and how it may change. We'll see.
Leo Laporte [01:43:11]:
Yeah.
Steve Gibson [01:43:12]:
And she'll see why it makes no sense. Yeah, I mean, it really, really, really doesn't.
Leo Laporte [01:43:18]:
Good. Well, I'm really, really interested in your take. All right. Speaking of behavior, this isn't exactly the right behavior. The FCC has banned all routers made
Steve Gibson [01:43:28]:
outside the U.S., which is to say all routers. So yes, anyone encountering the news, which landed two weeks ago on March 23, would be correct in thinking that someone must have made a mistake somewhere. First of all, the reality of today's global electronics manufacturing sector is that U.S. domestically manufactured consumer grade routers do not exist. All routers purchased by and available to US consumers are manufactured elsewhere, typically in China, Taiwan or Vietnam. So the FCC's surprise addition of every consumer router to the so called covered list means that the likes of Asus, Linksys, Netgear, eero, TP-Link, D-Link, and Nest have all suddenly joined the likes of previously banned non-consumer devices made by Huawei, ZTE, Hytera and Hikvision. The headline that appeared in the afternoon 15 days ago read FCC Updates Covered List to Inc. This is the FCC's own press release.
Steve Gibson [01:44:49]:
So their headline is FCC Updates Covered List to Include Foreign Made Consumer Routers. The press release explained that the full title was FCC Updates Covered List to Include Foreign Made Consumer Routers, Prohibiting Approval of New Models. So all of the existing, apparently attack-prone and buggy routers can still be sold, but anything that's new and hopefully improved is banned. Yay for the US's national security. The official fact sheet that accompanied the press release included the helpful subhead: This update follows a determination by executive branch agencies that consumer grade routers produced in foreign countries threaten national security.
Steve Gibson [01:45:55]:
Okay, so I need to share some more of what the FCC wrote, because it's not even internally consistent. The press release's fact sheet says: Washington, March 23, 2026. Today, the Federal Communications Commission updated its covered list to include all consumer grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones and smart devices to the Internet. This followed a determination by a White House convened executive branch interagency body with appropriate national security expertise that such routers pose unacceptable risks to the national security of the United States or the safety and security of United States persons. Unquote. It continues: the executive branch determination noted that foreign produced routers (1) introduce a supply chain vulnerability that could disrupt the US economy, critical infrastructure and national defense, and (2) pose a severe cybersecurity risk that could be leveraged to immediately and severely disrupt US critical infrastructure and directly harm US persons. Unquote.
Steve Gibson [01:47:25]:
President Trump's 2025 National Security Strategy stated, quote, the United States must never be dependent on any outside power for core components, from raw materials to parts to finished products, necessary to the nation's defense or economy. We must re-secure our own independent and reliable access to the goods we need to defend ourselves and preserve our way of life. Unquote. Malicious actors, they wrote, have exploited security gaps in foreign made routers (which, again, is all routers) to attack American households, disrupt networks, enable espionage and facilitate intellectual property theft. Foreign made routers (again, all routers) were also involved in the Volt, Flax and Salt Typhoon cyber attacks targeting vital U.S. infrastructure.
Leo Laporte [01:48:33]:
It wasn't my Linksys. Okay, sorry.
Steve Gibson [01:48:39]:
As outlined below, today's action does not impact a consumer's, guys, here it is, a consumer's continued use of routers they previously acquired. Nor does it prevent retailers from continuing to sell, import or market router models approved previously through the FCC's equipment authorization process. By operation of the FCC's covered list rules, the restrictions imposed today apply to new device models. Okay, wait. It just said today's action does not impact a consumer's continued use of routers they previously acquired, nor does it prevent retailers from continuing to sell, import or market router models approved previously through the FCC's equipment authorization process. So in other words, every single one of the existing, apparently suddenly untrustworthy routers that everyone in the world already has is going to be left alone where they are.
Steve Gibson [01:49:58]:
After all, what else can be done? Consumers already own those. This means that foreign manufacturers, which again is to say all router manufacturers because they're all foreign, are prevented from introducing any new router models into the U.S. They're free to keep making the existing routers, and they're also presumably free to keep updating those routers' firmware, which might be used to add new features or eliminate bugs, we would hope. But that would mean that as Wi-Fi technologies continue advancing and requiring support from new chipsets and new radio hardware, newer routers cannot be obtained from traditional foreign suppliers. Okay, that happened Monday afternoon, fifteen days ago. By the end of that week, the Technology Policy Institute, a Washington based nonprofit think tank, published an analysis of this action which I think is extremely useful and worth understanding, because it compares what just happened to the previously enacted and outwardly similar ban on Huawei and ZTE equipment. For the Technology Policy Institute, Scott Wallsten titled his piece The FCC Got the Router Ban Wrong.
Steve Gibson [01:51:36]:
It Knew Better. Here's what he explained, and reminds us. He wrote: on March 23, the FCC effectively banned all new foreign made routers from the US commercial market by adding them to its so called covered list. The action followed a White House convened interagency national security determination issued just three days earlier. The Commission took this action with no notice and comment proceeding, no published cost benefit analysis, and without providing a broad transition process for the affected industry. The only path forward for manufacturers is to apply for conditional approval from the Department of Defense or the Department of Homeland Security. I'll note that the actual documentation about this, which I read, which requires this conditional approval to be obtained, is from the US Department of War or DHS. Scott appears to be choosing to use the Department's earlier name. So he continues. The security concerns, he writes, are real.
Steve Gibson [01:52:57]:
Chinese state sponsored hacking groups, including Volt Typhoon, Salt Typhoon and Flax Typhoon, have exploited vulnerabilities in consumer routers to penetrate American networks, conduct surveillance, and build botnets for attacks on critical infrastructure. Okay, now I'm not taking issue with what Scott wrote here, but I do want to take the time to note that, to the best of my knowledge, none of our current consumer grade routers ship in an inherently vulnerable state. It's true that in years past, meaning more than a decade ago, more than 10 years ago, we were encountering instances, and we discussed them on the podcast, where, for example, Intel's demonstration-only source code for their UPnP implementation was unfortunately dropped directly into routers. This resulted in UPnP being bound to consumer routers' WAN-facing network interfaces, essentially by mistake. After delivering a podcast about that, the next week I announced that I had enhanced ShieldsUP! services to explicitly allow visitors to check for public UPnP exposure. But all of that was fixed back in 2013 and 2014, 12 years ago. At the time many people were exposed, but we as an industry fixed it. Also back then, as in more than 10 years ago, we encountered instances where ISP provided routers had open ISP admin ports. They were either using weak authentication credentials or known authentication credentials, or contained remotely exploitable weaknesses.
Steve Gibson [01:55:01]:
But for quite some time now, it has only been when a router's user deliberately configures their router to allow external connections, and thus to implicitly solicit external attacks, that any of the various Chinese typhoons, Volt, Salt or Flax, might have been able to get into users' networks through those routers. My point is, for quite some time now, like for the past 10 years, it's been users who have been unwittingly causing these external open port exposure problems, and none of those problems would be lessened by routers having domestic points of origin. Thus nothing the FCC is attempting to do will fix anything that is now broken. Scott continues, writing: Router security deserves serious attention, but in the past the FCC addressed threats like these in a way that was more targeted, more precisely designed, and better built to survive a legal challenge. Comparing the FCC's handling of the Huawei and ZTE threat in 2019 through 2022 to the new router ban reveals what happens when an agency abandons the deliberative process that makes its expertise useful. To respond to the national security risks posed by Huawei and ZTE, the FCC followed a deliberative process and produced a carefully constructed regulatory framework. Congress identified the specific companies as threats in section 889 of the Fiscal Year 2019 National Defense Authorization Act. The FCC designated Huawei and ZTE as national security threats in June of 2020, published its initial covered list in March of 2021, and adopted a Notice of Proposed Rulemaking and Notice of Inquiry on June 17, 2021, initiating two separate dockets and inviting public comment. The Commission then adopted a Report and Order in November of 2022 with a unanimous 4-0 vote, and simultaneously issued a Further Notice of Proposed Rulemaking, seeking additional comment on issues it hadn't yet resolved.
Steve Gibson [01:57:46]:
That process took time, but it also produced outcomes that it could never have achieved in a weekend. Now, we could argue that's bureaucracy, and bureaucracy has overhead and it takes time, but what it does is it tends to keep it from making mistakes. And as he said, just deciding to do it over the weekend and then doing it, well, you get the kind of things that we've been seeing from this administration for the last, what, year and three months. The comment process, he writes, produced differentiated treatment based on actual risk. The FCC did not treat all five Chinese companies identically. It fully banned new Huawei and ZTE equipment, but took a more nuanced approach with Hikvision, Dahua, and Hytera. The FCC agreed with commenters who argued that these companies posed different levels and kinds of risks. The FCC required those three companies to document the safeguards they would put in place and froze their applications pending that review.
Steve Gibson [01:59:08]:
The router ban, by contrast, that is, this one, treats a Netgear router assembled in Vietnam identically to a TP-Link router designed in China. The comment process identified a clear scope. The FCC had to define what counted as covered equipment. For example, it established that handset equipment designed for broadband operation with connection speeds of at least 200 kbps fell within the scope of telecommunications equipment, while equipment below that threshold did not. That line was not in the original proposal. It emerged from the comment process as affected companies argued that basic radio equipment should not be treated the same as broadband-capable devices. The FCC drew a principled boundary. The router ban that we have now draws no such lines.
Steve Gibson [02:00:12]:
Its definition of produced in a foreign country encompasses any major stage in the process through which the device is made, including manufacturing, assembly, design, and development, potentially sweeping in routers designed by American companies and assembled overseas, as they all are. The Huawei ZTE response included transition assistance. The FCC's decision imposed real costs on carriers. Rural carriers told the FCC they couldn't afford to remove Huawei and ZTE equipment without financial help. Congress responded by creating the Secure and Trusted Communications Networks Reimbursement Program, initially funded at a $1.9 billion level, which funded the removal and replacement of insecure equipment from carrier networks. The program has problems, such as a lack of evaluation and careful tracking of funds. Okay, maybe some waste, fraud, and abuse, but if the cost imposed on a company is due to a government mandate, the government should at least consider how to pay for it. Fortunately, that doesn't apply here.
Steve Gibson [02:01:33]:
Nothing really changes for consumers, he wrote. The comment process produced legal durability. During the rulemaking, commenters raised constitutional challenges, including arguments that the rules were an unconstitutional bill of attainder, violated the Equal Protection Clause, and amounted to an unconstitutional taking of property. The FCC addressed each of these arguments in its order, building a legal record. When Huawei challenged the related NDAA restrictions in court, a federal district court found the restrictions lawful because the government had demonstrated they reasonably furthered non-punitive national security goals. The router ban, meaning what's happened now, has no comparable record, and former FCC officials have already predicted it will face legal challenge. Also, he writes, the process was iterative. The FCC recognized that its initial rules were a first step and continued refining them.
Steve Gibson [02:02:45]:
A second report and order clarified that covered equipment includes modular transmitters, proposed a definition of critical infrastructure, and sought further comment on the scope of marketing prohibitions. The agency learned from industry input how supply chains actually work, and adjusted its rules accordingly. None of this happened with the router ban. The White House convened a panel. The panel issued a determination: routers bad. Three days later, the FCC implemented it. Although the Secure Networks Act leaves the FCC little discretion over whether to add items to the covered list once the White House makes a qualifying determination, the FCC still retains substantial leeway over how to implement the resulting equipment authorization restrictions, including its scope, transition periods, and what guidance it issues for affected parties, meaning it still could have done more, he writes. In the Huawei ZTE proceeding, the covered list addition itself was relatively quick, but the FCC spent more than a year designing the implementing rules through a public process.
Steve Gibson [02:04:05]:
Nothing in the Secure Networks Act prevented the FCC from doing the same here. It chose not to. The router ban bears all the hallmarks of a policy that never faced serious analytical scrutiny. And to those who've been watching Washington recently, what a shock. The stated jurisdiction is cybersecurity risk from foreign manufacturing. But the evidence the FCC itself cited undercuts the case for a foreign country of manufacturer approach. According to the Department of Justice, Volt Typhoon primarily targeted Cisco and Netgear routers, devices designed by American companies. The routers were vulnerable not because of where they were manufactured, but because those companies had stopped providing security updates for the discontinued models.
Steve Gibson [02:05:13]:
And I'll just note that's true. In the case of Netgear, Volt Typhoon leveraged routers whose firmware had never been updated and was thus very old, and also exposed management interfaces with weak credentials. So again, it's nothing about country of origin. Scott continues: The FBI's own guidance urged router owners to replace end-of-life devices, and CISA's mitigation advice to manufacturers focused on secure design and automated updates, not supply chain origin. Salt Typhoon compromised major US telecommunications carriers through network equipment made by Cisco, though Cisco's own security researchers reported that most intrusions it reviewed involved stolen credentials rather than software vulnerabilities. The national security determination includes supporting evidence from NIST, CISA, the FBI and other agencies on router vulnerabilities generally. But none of it persuasively establishes that country of production, standing alone, is a useful proxy for cybersecurity risk. An agency, basically the White House just, you know, waved the wand, you know, waved a hand and said, let's outlaw foreign-made routers, period. All those bad consumer routers were, you know, we're outlawing them.
Steve Gibson [02:06:52]:
An agency, he writes, exercising careful judgment, would have noticed this disconnect. If the problem is that manufacturers abandon security updates for older devices, the solution might be to mandate some kind of software maintenance or to require vulnerability disclosures, not a blanket import ban organized around the country of manufacture. The FCC has an interdisciplinary expert staff who could have evaluated whether country of origin is actually a useful proxy for cybersecurity risk. Given the speedy timeline, meaning three days, it seems unlikely that they were consulted in any meaningful way. In principle, country of manufacture could matter in hardware supply chains if a state actor could theoretically compromise hardware during production. This concern is real and deserves a serious policy response. But a blanket ban covering routers from every country on earth is not that response.
Steve Gibson [02:08:04]:
And a targeted action against manufacturers with documented ties to adversarial intelligence services, combined with supply chain integrity requirements for all manufacturers seeking FCC authorization, would address the hardware concern far more precisely. That's roughly what the FCC did with Huawei and ZTE. But the current ban treats a router from Finland the same as one from China. Making the matter worse is that virtually no consumer-grade routers are manufactured in the United States. The only widely cited exception is some Starlink Wi-Fi routers that SpaceX says are made in Texas. Even major American brands, including Netgear, Eero and Google, manufacture their products overseas. The conditional approval process, which is the supposed escape valve, requires companies to disclose their management structure, detail their supply chain, and present a plan for onshoring manufacturing to the United States.
Leo Laporte [02:09:25]:
That's what this really is. This is about manufacture, not security, right?
Steve Gibson [02:09:29]:
What a shock.
Leo Laporte [02:09:30]:
Yes.
Steve Gibson [02:09:31]:
And he writes, that is not a security audit. It is industrial policy.
Leo Laporte [02:09:38]:
Yes.
Steve Gibson [02:09:39]:
Masquerading as a national security framework. No comment period helped shape it. And while there are extensive submission requirements, there appears to be no public review timeline or clear decision standard. Meanwhile, the ban creates the very vulnerability it claims to address. Firmware and software updates for existing covered devices are permitted through at least March of '27, thanks to a blanket waiver from the FCC's Office of Engineering and Technology. But that waiver expires. A router that cannot receive security updates becomes exactly the kind of unpatched, vulnerable device that Volt Typhoon and Salt Typhoon exploited.
Steve Gibson [02:10:33]:
Some may argue that the post-Salt Typhoon threat environment necessitates faster action than the multi-year Huawei process allowed. But if that is true, it becomes hard to justify an action that does nothing about the millions of foreign-made routers already deployed in American homes and businesses, which are the actual devices that Volt Typhoon and Salt Typhoon exploited. If the threat were urgent enough to justify bypassing all deliberation, one would expect the FCC to be making, I'm sorry, to be taking emergency action on the installed base. It is not. The ban addresses only future models, making this a forward-looking regulatory action for which a deliberative process was both feasible and appropriate. A serious response would combine targeted restrictions on specific manufacturers with supply chain integrity and software maintenance requirements for all manufacturers seeking FCC authorization. The FCC has the expertise to design such a framework, and it did exactly that with Huawei and ZTE. In December testimony before the Senate Commerce Committee, FCC Chairman Carr told lawmakers that the FCC, quote, is not an independent agency, formally speaking, unquote.
Steve Gibson [02:12:13]:
The router ban is a case study in what happens when that posture translates into skipping the processes that make regulation work. The comparison between the Huawei ZTE process and the router ban is not just a story about two different policy decisions. It is a controlled experiment in what deliberative process is worth: same agency, same statutory framework, same category of threat. But the 2019 through 2022 process, in which the FCC used its full deliberative toolkit, produced targeted bans, differentiated treatment based on risk, precise scoping informed by industry expertise, billions in transition funding, and a legal record durable enough to survive court challenge. The 2026 process, in which the Commission used none of those tools, produced a blanket ban on an entire product category without differentiation, no scoping analysis, no transition assistance, and a legal record so thin that former FCC officials are already predicting litigation. The Secure Networks Act is the mechanism that enables this arrangement. Under the statute, the FCC says it cannot update the covered list on its own, but rather must implement determinations made by national security agencies. When those determinations were narrow and entity-specific, this was a manageable arrangement, and the FCC still exercised its own judgment in designing the implementation rules.
Steve Gibson [02:14:03]:
Now that the determinations have expanded to cover entire product categories and the FCC has chosen not to exercise its implementation authority, the agency is implementing sweeping trade and technology policy without the deliberation such decisions require. The same rapid implementation pattern produced the December 2025 ban on foreign-made drones, which is already being challenged in court. In that case, Section 1709 of the Fiscal Year 2025 National Defense Authorization Act gave national security agencies one year to complete an evidence-based review of DJI drones, with an automatic covered list addition as a fallback. Instead of a targeted review of DJI, the Executive Branch again issued a broad national security determination covering all foreign-made drones, which the FCC implemented immediately. DJI has since sued to challenge the action. And he finishes: Process is not a bureaucratic waste of time. It is the mechanism through which an agency's expertise improves the quality of its decisions. The FCC demonstrated this in 2022 when it banned Huawei and ZTE equipment through a deliberative process that produced a more targeted, more durable and more precisely designed result. Whatever the reasons, the Commission did not follow the same approach here, meaning the FCC. The outcome speaks for itself.
Steve Gibson [02:15:53]:
Congress should pay attention. The Secure Networks Act created a mechanism that, when combined with sweeping Executive Branch determinations and an FCC willing to implement them without deliberation, allows the President to ban entire categories of consumer technology without notice, without comment, without cost-benefit analysis, and without any of the procedural safeguards that normally govern consequential regulatory action. If Congress intended the covered list to be used this way, it should say so. If it didn't, it should act before the next product category lands on the list. Okay, so where does this leave us? This apparently arbitrary and short-sighted ban will do exactly nothing to actually improve the security of any existing routers, whose current models may continue to be sold. Since new routers cannot be sold, one effect may be to freeze current model numbers where they are. Unfortunately, major generational router improvements have multi-year design, development and manufacturing pipelines. This means that all of the router manufacturers will currently have their future planned models in the process of becoming ready for market next year, later this year.
Steve Gibson [02:17:35]:
Next year. Except that now that market has just been killed for them. That suggests that Scott is probably correct about future lawsuits. Under the terms of this ban, even domestic manufacturers incorporated in the United States whose equipment is made offshore, which is to say all routers, will need to appeal to the conditional approval process, which, as Scott noted, requires companies to disclose their management structure, detail their supply chain and present a plan for onshoring manufacturing to the United States. What a mess. With any luck, saner heads will prevail or competent management of the FCC will be installed. It doesn't appear that we currently have that. I'll finish off today's look at actual consumer security.
Steve Gibson [02:18:34]:
With a little sanity-check reminder. Nearly everyone now has IoT network technology running inside their network security perimeter that establishes and maintains, through their NAT router, persistent connections. And many, if not most, of these phone home and maintain persistent connections to servers located outside the US. As I've been noting for many years now, these devices which we blithely invite into our homes to set up their own shops could do far more, you know, actual damage to consumer security than any routers designed within the last decade. We have invited them inside our network. They can see our network's management interface at 192.168.0.1 or .1.1 or wherever it is, and no one's monitoring them. For all we know they are busy right now trying to brute force that management interface. But, you know, don't tell anyone in Washington or they might become the FCC's next misguided target.
Leo Laporte [02:19:54]:
Wow. It's just, I mean it's so frustrating.
Steve Gibson [02:19:57]:
I wanted to share this because it really puts in context how arbitrary this was, how it doesn't achieve anything. Whereas the previous ban on Huawei and ZTE actually did. It identified a problem, substantiated the problem and surgically excised what needed to be removed, and then helped to pay for the removal and replacement of this Chinese gear that, with good reason, we decided we could not trust having inside the US infrastructure any longer. Instead this just says we're banning any new foreign-made routers. Crazy. I mean it absolutely does nothing.
Leo Laporte [02:20:45]:
Yeah.
Steve Gibson [02:20:46]:
And one hopes that it is so errant that it'll somehow get fixed. It's just hard to believe it will continue.
Leo Laporte [02:20:58]:
Meanwhile, I don't know what we're going to do. I guess build, you know, you got instructions, don't you, on your website to build like a pfSense router, right?
Steve Gibson [02:21:10]:
Yes, it is just not a problem any longer to get a little fanless PC and use, actually, OPNsense. OPNsense is now the one to switch to. pfSense is, you know, OPNsense grew out of it and is, I think, probably the better choice.
Leo Laporte [02:21:32]:
And you put it on. What is that little box that you put it on? I can't remember the name of that.
Steve Gibson [02:21:38]:
It's a cute little thing.
Leo Laporte [02:21:45]:
Yeah, it's a cute little thing. Somebody in the chat room will say
Steve Gibson [02:21:49]:
because I know they, yeah, there is a little, it's called the SG-1100, although it has nothing to do with Steve Gibson.
Leo Laporte [02:21:55]:
Well, that's it, that's all you need is the SG-1100. And you run OPNsense, I'm sure you can run it. It's from Netgate.
Steve Gibson [02:22:02]:
Yes, Netgate.
Leo Laporte [02:22:03]:
Netgate.
Steve Gibson [02:22:03]:
Right.
Leo Laporte [02:22:04]:
Yeah, yeah.
Steve Gibson [02:22:05]:
And that's a cute little guy.
Leo Laporte [02:22:07]:
Now they say pfSense, but I suppose you.
Steve Gibson [02:22:10]:
Yes. And they are still on with pfSense, and there's nothing wrong with pfSense, but if I were, the other, there's another little platform. I bought one on Amazon. It's the one I'm using over at my place with Lori. It's got four network interfaces. I can't remember the name of it now, but, oh, and on it I'm also using pfSense just because I know pfSense. But if somebody were just starting out, and this little guy is.
Steve Gibson [02:22:40]:
Now, this is not a radio router. There is no antenna there. So you need to solve the radio connection problem separately. But.
Leo Laporte [02:22:50]:
Right.
Steve Gibson [02:22:51]:
It is a, you know, pfSense is a very powerful little routing software.
Leo Laporte [02:22:55]:
Oh yeah. It has all the security features you could want. Really.
Steve Gibson [02:23:00]:
So, you know, we're up to Wi-Fi 7 now. I don't, and so what this is saying is we cannot ever get a Wi-Fi 8 router because that would require a next.
Leo Laporte [02:23:13]:
Unless Elon decides to make it.
Steve Gibson [02:23:15]:
Yeah, I, you know, it's just nuts.
Leo Laporte [02:23:27]:
40% of all the routers in the United States are made by TP-Link, a Chinese company. That's the one they were going to ban initially. Then they thought, I said, well, what, you know, if we're going to ban them, let's just ban them all. Even if they're made in Sweden, it doesn't matter. I was at RSAC and I went over to Ubiquiti, because I use Ubiquiti gear. I went over to the Ubiquiti booth. I said, hey, I'd just like you to comment on this FCC decision. It happened that morning, and they did not want to talk about it.
Leo Laporte [02:23:55]:
There's no, it was a. And I understand why it's no win. What are they going to say? We don't like the idea? No, we like the idea.
Steve Gibson [02:24:04]:
No, no comment.
Leo Laporte [02:24:07]:
No comment's the only thing you can say, the only safe thing to say. Unless they had, you know, plans to build a factory in, you know, Piscataway. I don't know what else they're going to do. I think that's the plan, right? Well, everybody just has to build a factory in the US. And God knows there are lots of people out there who are just dying to build routers in a router factory. They are just lining up and we're.
Steve Gibson [02:24:31]:
And all the consumers will be happy to pay an extra 100 bucks for.
Leo Laporte [02:24:35]:
Yeah.
Steve Gibson [02:24:35]:
Oh that. To domestic manufacturing.
Leo Laporte [02:24:37]:
Yeah.
Steve Gibson [02:24:39]:
To get nothing in return. I mean it's like.
Leo Laporte [02:24:41]:
Well, the statistical routers are no more secure. Just because they're made in the US doesn't mean anything. In fact, they're less, frankly. Yeah. And I'm sure this Netgate is not made in the U.S. No, nothing is
Steve Gibson [02:24:58]:
made in the U.S. Nothing. Nothing. We don't make things here.
Leo Laporte [02:25:02]:
Well, that's the mistake. I mean admittedly it probably should.
Steve Gibson [02:25:06]:
Well, the mistake is being, is like rattling sabers between us and China. We ought to recognize that it is a good relationship, it's mutually beneficial, and we ought to just have a detente here and say, look, you know, you want us to buy your stuff, we want you to make the stuff that we're gonna buy.
Leo Laporte [02:25:26]:
So come on, let's wrap this up because in about half an hour we're about to bomb Iran into the stone age.
Steve Gibson [02:25:33]:
So I got pushed back by two weeks. Oh, what a shock. I know a taco. That's right. We got it. We got a two week. What a shocker happened during the podcast during one of. I got a little.
Leo Laporte [02:25:47]:
What a stunning, stunning development. Who would have thought? Okay, well, I'm actually, I'm relieved, to be honest, as I'm sure 90 million Iranians are as well. Dodged that bullet, or cruise missile, as the case may be. Well, thank you, sir. You are a gentleman and a scholar and I appreciate everything you do. Mr. Steve Gibson. You'll find him at grc.com. That is the place to go to get, of course, the things he makes for a living, which include SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. Current version 6.1.
Leo Laporte [02:26:32]:
Awesome, awesome tool. Everybody who has mass storage needs it. Let's just say that. Also the DNS Benchmark Pro, which just came out, that's available at the same place. 9.99. Save a penny, 9.99. Although there are no pennies anymore either. So they've gone the way of the American, of the foreign-made router. What else, while you're there, you might want to check out.
Leo Laporte [02:26:59]:
You can send Steve email if you want, but you got to get your email address whitelisted, because he doesn't want spam, by going to grc.com/email, and when you give him your email, you'll notice there's two boxes below it that you can check. They're unchecked by default, but you can say, hey, I would like to get your weekly mailing of the show notes for the show, or hey, I would like to know when you've got a new product. You might get something in the next hundred years, you might not. It's not exactly an active mailing list, but it is a mailing list and you can get on it at grc.com/email. There's lots of other great stuff. It's well worth browsing around, a great site. Meanwhile, we have of course copies of the show at our website, twit.tv/sn. There's a YouTube channel you can go to with all the shows, video of them. Great way to share a clip.
Leo Laporte [02:27:53]:
And of course you can subscribe in your favorite podcast client and get it automatically the minute we're done fixing it up. If you want it faster than that, you can watch live. We do the show every Tuesday right after MacBreak Weekly. That would be 1:30 Pacific, 4:30 Eastern, 20:30 UTC. We stream it live on YouTube, Twitch, X.com, Facebook, LinkedIn and Kick. Also club members get access to it behind the velvet rope, as it were, in the Club Twit Discord. So, you know, sign up for the club.
Leo Laporte [02:28:29]:
That's a great way to get ad-free versions of the show. Special access, our AI user group. It's coming up this Friday. Micah's Crafting Corner. Lots of special programming, and you support this very important show and all the other ones we do. So if you're not a member: twit.tv/clubtwit. Steve, thank you so much.
Leo Laporte [02:28:47]:
Great to see you. We'll see you again next week.
Steve Gibson [02:28:50]:
Yes, sir. For the. But will that be the 14th?
Leo Laporte [02:28:54]:
We'll be back Taco Tuesday. Thank you, Steve. Take care. Bye. Security Now.