SN 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell Summary — Security Now (Audio)

Summary

The main focus is an extensive analysis of the FCC's sudden ban on all new consumer routers manufactured outside the US. Gibson explains how this ban is fundamentally flawed because virtually all consumer routers are manufactured overseas, even those from American companies like Netgear and Eero. The ban only applies to new models while allowing existing 'vulnerable' routers to continue being sold, making it ineffective for actual security. Gibson contrasts this with the deliberative, targeted approach used for the Huawei/ZTE ban in 2019-2022, which followed proper procedures, provided transition funding, and was legally durable. The current ban was implemented in just three days without public comment or analysis. The show also examines LinkedIn's massive JavaScript surveillance operation that downloads 2.7MB of code to scan users' systems for over 6,000 specific browser extensions and collect 48 hardware characteristics. This data is encrypted and sent to LinkedIn servers, potentially violating EU privacy laws. Gibson explains how this differs from traditional fingerprinting by preserving individual data points rather than hashing them. Other topics include Apple's age verification rollout in the UK following new regulations, Microsoft forcing Windows 11 upgrades, the Trivi supply chain attack affecting Cisco, and Cloudflare's new WordPress replacement called M-Dash that promises better security through sandboxed plugins.

Key Insights

The FCC banned all new foreign-made consumer routers despite virtually no domestic alternatives existing, making the ban practically meaningless

LinkedIn deploys 2.7MB of JavaScript code that scans users' computers for over 6,000 specific browser extensions without disclosure in their privacy policy

LinkedIn's scanning expanded from 38 extensions in 2017 to over 6,000 by February 2026, representing a 1,252% increase in two years

The FCC's router ban was implemented in three days without public comment, contrasting sharply with the deliberative two-year process for the Huawei/ZTE ban

LinkedIn's surveillance system creates 'super fingerprints' by encrypting data instead of hashing it, allowing individual characteristics to remain recoverable

The router vulnerabilities exploited by Chinese hacking groups were primarily due to discontinued security updates and weak credentials, not manufacturing origin

Apple's age verification system in the UK can verify accounts older than 18 years automatically, but struggles with users lacking traditional identification methods

Microsoft is forcing Windows 11 upgrades from 24H2 to 25H2 using 'machine learning-based intelligent rollout' for unmanaged devices

The Trivi supply chain attack affected major companies including Cisco, leading to theft of source code and AWS credentials from hundreds of GitHub repositories

Anthropic's new Mythos AI model can autonomously find and exploit vulnerabilities, including discovering bugs that have existed for 25+ years

Cloudflare's M-Dash WordPress replacement uses sandboxed plugins running in isolated workers to solve WordPress's fundamental security architecture problems

The FCC router ban treats devices from all countries identically, making no distinction between routers from Finland versus China

LinkedIn's surveillance includes scanning for extensions related to religious practices, political orientation, neurodivergent conditions, and job searching tools

The only widely cited exception to foreign router manufacturing is some SpaceX Starlink routers allegedly made in Texas

IoT devices inside home networks pose greater security risks than router country of origin, as they maintain persistent connections to foreign servers

SN 1073: The FCC Bans New Consumer Routers - LinkedIn's JavaScript Bombshell

Summary

Key Insights

Topics

Get AI summaries delivered to your inbox