
Security Now Episode 1073: FCC Router Ban, Apple Age Verification, and LinkedIn's BrowserGate
This episode of Security Now covers several pressing cybersecurity and privacy issues, beginning with the Federal Communications Commission's (FCC) controversial decision to ban new consumer-grade routers. The hosts discuss the reasoning behind the ban, which targets devices that fail to meet updated security standards. The argument centers on whether this move is a necessary step to improve network security or an overreach that limits consumer choice. The FCC's policy does not affect existing routers, only new models entering the market, which has sparked debate about its effectiveness. Critics argue that the ban could stifle innovation and leave consumers with fewer options, while proponents believe it will reduce vulnerabilities in home networks. The discussion highlights the tension between regulation and consumer freedom in technology.

Another major topic is Apple's implementation of age verification in its latest iOS update, version 26.4. The update requires users in certain regions, particularly the UK, to verify their age to access restricted content. This change stems from new legal requirements aimed at protecting minors online. The hosts explain that Apple confirms adulthood using credit card information, account age, or a government-issued ID. However, the system has faced criticism for being cumbersome, especially for users without credit cards or photo IDs. The episode delves into the technical challenges of age verification, such as maintaining user privacy while complying with legal mandates. The hosts also explore the broader implications of such policies, including the potential for increased surveillance and the difficulty of balancing privacy with regulatory demands.

The episode then shifts to LinkedIn's invasive data collection practices, dubbed "BrowserGate." The hosts reveal that LinkedIn's website injects a 2.7-megabyte JavaScript file into users' browsers, which scans for over 6,000 installed extensions and collects detailed hardware and software information. This data is then encrypted and sent back to LinkedIn's servers, where it is used to track user behavior. The hosts explain how this practice goes beyond traditional tracking pixels, which were originally simple image files used for monitoring but have evolved into complex scripts that execute code on users' devices. The episode highlights the privacy risks of such practices, including the potential for LinkedIn to infer sensitive information such as political affiliations, religious beliefs, or job-seeking activity. The discussion also touches on the legal and ethical concerns, particularly in regions like the EU, where such data collection may violate privacy laws such as the GDPR.

The hosts also discuss Microsoft's forced update of Windows 11 from version 24H2 to 25H2, raising concerns about user control over software updates. This move reflects a broader trend of companies pushing updates without explicit user consent, which can lead to compatibility issues or unwanted changes. The episode briefly mentions Cisco's loss of source code due to a supply chain attack involving the Trivy vulnerability, underscoring the risks of third-party dependencies in software development. Additionally, the hosts cover Proton's new privacy-focused video conferencing service, Proton Meet, which aims to provide a secure alternative to mainstream platforms.

The episode concludes with a discussion of GitHub's plans to improve the security of its Actions feature, which was exploited in recent supply chain attacks, and Cloudflare's efforts to enhance WordPress security through a recoded version of the platform.