- What: Overview of recent security news including FCC router bans, supply chain concerns, and compliance deadlines.
- Impact: Organizations must stay updated on regulatory changes and supply chain risks.
Critical Infrastructure Security, Supply chain, Government Regulations

FCC, GitHub, Mini Shai-Hulud, State of Supply Chain, Itron, CRA, NIS2, and more!! – PSW #927

May 21, 2026

Full Segment Notes

In the security news this week:

- FCC router bans and the hidden firmware update problem
- Why extending support timelines actually improves security
- GitHub supply chain concerns and the evolving SBOM ecosystem
- CRA and NIS2 compliance deadlines are getting very real
- The EU Cyber Resilience Act’s 24-hour vulnerability disclosure requirement
- Security regulation: vertical vs horizontal compliance models
- Vehicle-to-load EV systems powering homes during outages
- Solar, batteries, AI farms, and the future economics of electricity
- Data centers consuming regional power grids
- BitLocker “Yellow Key” fallout and large-scale remediation challenges
- AI-generated PowerShell fixes and the rise of vibe scripting
- Linux kernel exploits, module jail, and default deny strategies
- Medical biometric data theft and why fingerprints are terrible passwords
- Interpol cybercrime operations across the MENA region
- OT security, connected vehicles, and accepting real-world risk

The crew also discusses threat intelligence obligations under the CRA, the operational realities of patching at enterprise scale, the economics of secure-by-default systems, and why making security cheaper than insecurity might finally move the industry forward.

Hosts

- David Johnson
- Jeff Man (https://www.obsglobal.com/)
- Joshua Marpet (https://www.cyturus.com)
- Lee Neely
- Sam Bowne (https://samsclass.info/)

List of Articles

David Johnson

Sure you could “nuke all routers”, but this ESP32-C5 wireless postage stamp is far more useful for other things.

I saw this GitHub project mentioned in Hacker News and it's a pretty standard deauther program. I haven't investigated it to determine if it's better or worse than others in the past. But then I spotted the hardware it runs on. I immediately lost interest in the deauther program and dug into this new (to me) hardware. The ESP32-C5 (and C6, I learned) runs on minimal power, has built-in USB-C (10+ points in my book), has Wi-Fi 6, BT 5 BLE, Thread, and Zigbee, and it's only $8. The C6 (a lower-powered version) is only $6. It is also built to support IoT software. In days where the cost of RAM is as much as a car, this was a refreshing find with lots of potential. It's immediately applicable to all sorts of small, cheap projects.

- https://www.seeedstudio.com/Seeed-Studio-XIAO-ESP32C5-Pre-Soldered-p-6610.html
- Big eval board for those interested: https://www.olimex.com/Products/IoT/ESP32-C5/ESP32-C5-EVB/
- Really nice Espressif explainer chart of all their different similar SoC products: https://products.espressif.com/static/Espressif%20SoC%20Product%20Portfolio.pdf

Virtual OS Museum Tour

There have been lots of different operating systems over the history of computing. Some have stuck around, some haven't. The VirtualOS Museum is an app with more than 570 preinstalled virtual OSes ready for you to use.

Anna’s Archive smacked with nearly $20M lawsuit

Fans of the XTEink e-reader products have probably stumbled across mention of "Anna's Archive" in the search for eBooks to download.
One of the major drawbacks of non-Kindle devices is that you don't have access to many eBooks due to licensing. The team of Anna's Archive created their library to get around this. And they are being sued, again...

Copyright-free/public-domain alternatives for eBooks:

- Standardebooks.com
- Guttenberg.com

Say goodbye to those unsightly watermarks

A handy tool for removing watermarks in AI-generated images. MIT-licensed project. Remove visible and invisible AI watermarks from images generated by Google Gemini (Nano Banana), ChatGPT / DALL-E, Stable Diffusion, Adobe Firefly, Midjourney, and other AI models. Strips SynthID, C2PA Content Credentials, EXIF/XMP "Made with AI" labels, and visible sparkle overlays — all in one command. Also includes a legal logic diagram of when this is likely to be legal/illegal. This may also help with privacy, assuming you are using it for lawful purposes.

Jeff Man

Peter G. Neumann, Who Warned of Computer Security Risks, Dies at 93

I've often heard his name bandied about, but what was he known for, really? Definitely one of the pioneers of computer security, but if he is best known for tolling the bell for computer security risks, is that really all that special?

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

Source code for sale, but no client data has been released. Whew.

L0phtDay 2026

I mean, wasn't the L0pht also warning of computer/internet security risks?

Microsoft surprises with its first server Linux distribution: Azure Linux 4.0

Probably should save this for Paul, but w00t!?!

The 4th Linux kernel flaw this month can lead to stolen SSH host keys

Before you get too excited, buried in the article on the Azure Linux distribution is a link to this article. "The good news is there's already a patch. The bad news is that the fix isn't available for all Linux distributions yet."
7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand

What is wrong with this world where the bad guys even go after Slurpees???

Vulnerability exploitation top breach entry point, 2026 industry-wide DBIR finds

The new Verizon DBIR report is here! What a surprise: "the Data Breach Investigations Report (DBIR) confirms AI-driven speed as a new challenge, pushing security strategy toward fundamental resilience." Weren't we just talking about the [lack of] security fundamentals a few weeks ago???

Anthropic workshop on how to actually do prompts for Claude

If you still have a Twitter account, you might find this interesting. I didn't, but you might. "27-minute workshop on how to actually do prompts for Claude." Taught by the people who built it. Free. No registration. No paywall.

Joshua Marpet

FCC Router Waiver Extension to 2029

The FCC reversed course on its March 2026 ruling that prohibited foreign-made consumer routers in the US. Waivers issued in January and March public notices have been extended at least until January 1, 2029. Updates now include "all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities."

The point: Regulators acknowledged that completely blocking software support could create a worse cybersecurity problem than the ban was solving. Pulling security patches to enforce a procurement ban leaves millions of existing devices unpatched. This is the regulators learning the lesson the security community has been arguing for years.

Foxconn Cyberattack (5/12)

"While this is undoubtedly a blow to Foxconn, the damage this could cause to the general public is immensely greater. Fake iPhones, fake laptops, fake merchandise of any kind, with sub-standard build quality, is not going to do the original corporate reputations any good. Plus, with the firmware and code running around, we've got an issue where any flaws in that firmware and software will be exploited quickly."
The story: Foxconn confirmed a cyberattack on North American factories. Nitrogen ransomware group claimed it stole 8TB of data and over 11 million files, including allegedly Apple and NVIDIA-related material. Industrial Cyber covered it alongside West Pharmaceutical as part of a manufacturing-sector cyber risk pattern.

Connected Cars Data — WSJ

Data harvested from drivers — geolocation, in-cabin biometrics, telematics — is enticing to both OEMs (for monetization) and attackers (for surveillance). FTC reached a settlement with GM/OnStar, finalized January 2026, including a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies. Northeastern University researchers published research on Tesla Model 3 and Cybertruck wireless system exploitation. Australia's OAIC has launched a landmark investigation into in-cabin biometrics collection.

The structural point: Auto OEMs are becoming OT vendors with privacy law on top. The cybersecurity surface and the privacy surface are converging into one problem class.

CRA Mandatory 24-Hour Vulnerability Reporting Starts Sept 11 2026

Manufacturers of connected products must report actively exploited vulnerabilities to ENISA within 24 hours starting Sept 11. This is a big operational change.

GitHub Breach of 3,800 Internal Repos

GitHub confirmed in a five-post thread on X (May 20) that approximately 3,800 internal repositories were breached after one of its employees installed a malicious Visual Studio Code extension. Threat group TeamPCP claimed responsibility on underground forums and is asking $50K+ for the stolen dataset. GitHub has removed the trojanized extension from the VS Code marketplace, isolated the compromised endpoint, and begun incident response. GitHub states there is currently no evidence of impact to customer data, enterprise accounts, or user repositories.

The point: This is the third major GitHub-related security event in six weeks (also CVE-2026-3854 RCE in late April, see B3). GitHub is the substrate the entire software industry rests on. Three different attack vectors in 45 days.

Mini Shai-Hulud — TanStack + 160+ npm/PyPI Packages

Mass supply chain campaign affect