Paul's Security Weekly (Audio)

In the security news this week:
FCC router bans and the hidden firmware update problem
Why extending support timelines actually improves security
Github supply chain concerns and the evolving SBOM ecosystem
CRA and NIS2 compliance deadlines are getting very real
The EU Cyber Resilience Act's 24-hour vulnerability disclosure requirement
Security regulation: vertical vs horizontal compliance models
Vehicle-to-load EV systems powering homes during outages
Solar, batteries, AI farms, and the future economics of electricity
Data centers consuming regional power grids
BitLocker "Yellow Key" fallout and large-scale remediation challenges
AI-generated PowerShell fixes and the rise of vibe scripting
Linux kernel exploits, module jail, and default deny strategies
Medical biometric data theft and why fingerprints are terrible passwords
Interpol cybercrime operations across the MENA region
OT security, connected vehicles, and accepting real-world risk
The crew also discusses threat intelligence obligations under the CRA, the operational realities of patching at enterprise scale, the economics of secure-by-default systems, and why making security cheaper than insecurity might finally move the industry forward.
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw-927

This week:
New Yellowkey bitlocker bypass and what it means for you
Hackers can run you over with a robot lawnmower
FCC says new things about routers, again
Glitching with AI
almost no false positives
AI thought it was evil
DirtyFrag and the sad state of Linux LPEs
You can buy better tools, perfect security, and other lies
The Canvas breach
Hackers can still take over trains
Baby monitors, on the Internet!
dnsmasq flaws I am now paying attention to
Swordfish
A neat vulnerability for ransomware
Mythos, Curl, and how to do secure software
Various ways to use AI to find bugs, spoiler, you don't need Mythos
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw-926

Rob Allen from Threatlocker joins us to discuss the risks associated with VPN appliances and how to implement better security solutions that don't leave you hanging out on the open Internet. The interview segment is sponsored by ThreatLocker. Visit https://securityweekly.com/threatlockerrsac to learn more about them!
In the Security News:
Less details about the FCC router ban
Canary traps that work
Hacking trains and getting arrested
You can be an adult if you have a mustache
cPanel is being exploited
Pro-Iran group takes down Ubuntu
Anthropic's new security solution
Safe AI Agents and other lies
People still use screensavers?
CISA and operating for weeks or months in isolation
Paramiko issues fixes
Find security research
Copy/Fail and AI slop debate
ESP32 simulator
Spotting vibe coded malware
Fast16 - Stuxnet before Stuxnet
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw-925

This week in the security news:
Are you a FIRESTARTER?
Eavesdropping via fiber-optic cables
Copy Fail - more Linux LPE
Github RCE
Running Linux on a PS5
BadUSB tricks
SilentGlass and HDMI threats
Sonicwall and vague details
Universities are for porn?
The Banshee
Before CVEs comes scanning
Vendor addresses AirSnitch
GitHub and not serious work
Routers have country-specific backdoors
Phones with Hotspot are fine
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw-924

This week:
Larry's in the host seat and chaos ensues. We dig into:
A very questionable story about tracking a warship with a $5 Bluetooth tracker
Serial-to-IP devices quietly sitting in critical infrastructure… and full of holes
New York regulators mandating MFA and asset inventory—aka CIS Control #1 is now breaking news
A ransomware negotiator who decided to double-dip (and landed in prison)
"Brand new" hard drives that come preloaded… with someone else's data
The Vercel breach: no zero-day, just shadow IT, stolen tokens, and bad decisions
AI-driven vulnerability discovery and the looming "vulnpocalypse"
Quantum crypto debates: real threat or just another security boogeyman?
Mirai is STILL alive—because apparently we still don't patch routers
And yes… Flipper Zero makes an appearance (no, you're not hacking airplanes… calm down)
Then, we rebroadcast an interview from RSAC.
Breach Readiness for Measurable Risk Reduction in the Age of AI Cyber leaders no longer debate whether a breach will occur. What has changed is the speed and scale at which AI now enables those breaches. The real question is how far an attacker can move once inside. In this conversation, Rajesh Khazanchi explores why breach readiness, including AI-assisted containment, measurable blast radius reduction, and pervasive microsegmentation, has become mission-critical for business continuity in 2026.
This segment is sponsored by ColorTokens. Visit https://securityweekly.com/colortokensrsac to learn more about them!
Visit https://www.securityweekly.com/psw for all the latest episodes!
Show Notes: https://securityweekly.com/psw-923