Talkin' Bout [Infosec] News – "FCC Blocks Foreign-Made Routers – 2026-03-30"
Podcast by Black Hills Information Security (BHIS) | Date: April 1, 2026
Overview
This episode dives into the FCC’s controversial move to ban foreign-made consumer routers, exploring the move’s technical, political, and supply chain implications. The roundtable covers the fine print of FCC regulations, the cybersecurity ecosystem's response, supply chain bottlenecks, and touches on several other infosec news stories. The tone is irreverent, insightful, and full of industry banter, with notable asides about supply chain attacks, state-sponsored espionage, AI’s impact on security, and more.
Key Discussion Points & Insights
1. FCC Bans Foreign-Made Routers
- Summary: The FCC expanded its "covered list" to ban all consumer-grade routers produced in foreign countries, aiming to address national security concerns.
- Details:
  - What’s Banned: All consumer-grade routers with components or manufacturing origins outside the US. If a device is on the “covered list” (now including these routers), it can’t receive FCC approval, effectively banning its sale or use in the US ([07:58]).
  - Grandfather Clauses: Existing routers and current retail stock are grandfathered in ([09:22] John).
  - Exemptions: Some companies can apply for conditional approval from Homeland Security or DoD, leading to a likely loophole.
  - Scope: Applies to consumer-grade devices; enterprise gear like Fortinet appears exempt ([10:15] Corey).
  - Major Challenge: No current routers fully meet this new requirement; even US-branded products often depend on foreign components.
  - Real-World Impact: Expect little immediate effect; the ban encourages users to keep existing, likely outdated devices longer, which might weaken security rather than improve it ([10:51] John).
Notable Quotes:
- John [07:58]: “If your router has any components manufactured overseas, or [is] produced in a foreign country, it's on the covered list—means it's not allowed.”
- Wade [10:40]: “This has nothing to do with security though. That's the dude.”
- Andrew [15:18]: “As a vendor, you're going to be able to buy a green check mark… effectively like a tariff on routers.”
- Wade [13:45]: “Cautionary tale about 3D printing and having AI write all your code is you still need a board… all of that is from China.”
Timestamps:
- Explaining the FCC move: [06:54]–[09:22]
- Supply chain and manufacturing challenges: [09:22]–[15:55]
2. Supply Chain Security and DIY Workarounds
- Summary: Discussion of possible workarounds, like using Raspberry Pi devices as routers, and pitfalls with trying to source everything domestically.
- Key Insights:
  - Building hardware “in America” is cost- and skill-prohibitive; US fabs are rare and expensive; major chip manufacturing is still dominated by China ([13:45] Wade).
  - Even 3D printing or home assembly can’t escape the overseas dependency for key components ([14:53] John).
3. Incident: Kash Patel Gmail Hack
- Summary: Iranian hackers compromised a Gmail account belonging to Kash Patel, leaking non-government, mainly personal info ([17:13] Wade).
- Discussion:
  - Shows that attackers go after the personal accounts of high-profile individuals.
  - Highlights the importance (and sometimes lack) of MFA and strong password hygiene even for public figures ([18:12] Wade).
4. Fancy Bear (APT28) OPSEC Fail: Open Directory Leak
- Summary: Researchers discovered an open directory revealing BEC (Business Email Compromise) operations, including a trove of stolen credentials ([20:22] John).
- Insight: Reveals common poor OPSEC and sheds light on advanced persistent threats still making basic mistakes ([22:47] John).
- Best Practice: Limit forwarding rules; enforce 2FA; many organizations ignore these basics ([23:50] John).
5. Trivy / Team PCP Software Supply Chain Attack
- Summary: Massive supply chain attack via the compromise of the Trivy vulnerability scanner and associated packages/libraries.
- Key Points:
  - Several package ecosystems (npm, PyPI, Docker, VSX) were compromised ([28:07] Andy).
  - Attackers stole secrets and harvested credentials at large scale, potentially affecting up to 500,000 corporate identities ([32:58] John).
  - Overwhelmed by the volume of stolen data, the attackers openly solicited ransomware affiliates ([31:33] Corey).
  - Weaknesses in the GitHub Actions ecosystem, including the lack of version pinning, were major enablers ([29:32] Andrew).
  - Best defenses discussed: robust secrets rotation, least privilege, monitoring for abuse, and canary tokens for detection ([35:36] John, Bronwyn).
Notable Quotes:
- Andrew [25:52]: “Most companies, when they saw this, just completely stopped building everything.”
- Corey [31:43]: “They were soliciting ransomware affiliates because they just—too many creds, come help us use these creds.”
- John [35:36]: “Least privilege applies here … if they compromise the key that can only read an S3 bucket, that's better than a key that can write.”
Timestamps:
- Supply chain breach deep-dive: [24:23]–[34:49]
6. AI Model News – Anthropic "Mythos" Leak and AI as a Security Arms Race
- Summary: Discussion of Anthropic’s accidental pre-release/leak of Claude Mythos models and the broader rapid-fire escalation of AI in infosec attack/defense.
- Security Impact: Anthropic wants more time to study “defensive” AI, but everyone (including attackers) is already using these models for both attack and defense ([47:13] Wade, [48:01] John).
- Models are being used to find vulnerabilities live and at scale.
- Access Disparities: Call for open source projects to have subsidized access for running AI-based security scans ([52:41] John).
Notable Quotes:
- John [48:01]: “Right now, we are burning massive stacks of cash to try to use AI to attack our customers.”
- Bronwyn [49:08]: “There was a talk at Anthropic … Claude finding zero day vulnerability live at a conference.”
- John [54:15]: “Why we're all feening for Claude tokens—the biggest reason is context length. That million context means you can go significantly further and deeper.”
Timestamps:
- Anthropic Mythos leak/AI arms race: [45:51]–[54:15]
7. AI in the Browser & Google’s Web MCP
- Summary: Google released Web MCP, allowing websites to expose functions for direct AI agent use, and patented a system for AI-generated web pages.
- Implications: Raises (humorously grim) questions about malvertising and typosquatting supercharged by AI rewrites ([59:38] John).
- Concerns: New automation may make various forms of fraud and deception easier while making attacks harder to detect ([60:22] John, Andy).
8. Espionage News: Florida "Space Coast" as a Hotbed
- Summary: Espionage activity near the "Space Coast" (Cape Canaveral/Florida) is ramping up, with Chinese and Russian actors buying property and running social engineering campaigns ([43:22] Bronwyn).
- Unique Tactics: Use of real estate as a vector for proximity access/collection; social engineering at bars.
Memorable Quotes & Banter
- John [15:55]: “It’s just another day where the government drops a big turd in the punch bowl and we’re all going to have to figure out what happens.”
- Wade [32:46]: “Maybe have a plan for how to quickly rotate your keys without having a pants on fire moment.”
- John [61:16]: “Watching Claude click through a website is worse than watching a professor fumble for the start menu.”
- Bronwyn [44:01]: “If you ever want to date a spy, go down in Florida.”
Timestamps for Important Segments
| Segment | Timestamp |
|---|---|
| FCC router ban explainer | [06:54]-[09:22] |
| Supply chain/manufacturing talk | [09:22]-[14:53] |
| Kash Patel Gmail hack & lessons | [17:06]-[19:44] |
| Fancy Bear OPSEC fail/deep-dive | [20:22]-[24:23] |
| Trivy/team PCP supply chain attack | [24:23]-[34:49] |
| AI, Claude Mythos model leak | [45:51]-[54:15] |
| Google Web MCP & AI rewriting web | [57:40]-[62:08] |
| Space Coast espionage in Florida | [42:42]-[45:09] |
Other Noteworthy Moments
- Robo-Slap Video Banter: Article on a robot accidentally slapping a kid at a demo ([01:36]-[03:52]).
- Conference Shout-Outs: “Hack SpaceCon,” B-Sides Tampa and Orlando, and the value in regional cons ([66:12]-[66:47]).
- Incident Response Tips: Stay on top of secrets, build canary tokens, prepare rapid rotation playbooks ([34:33]-[36:13]).
- GitHub Actions Security Lament: Open source security features too often locked behind paywalls ([39:47] Andrew).
Conclusion & Calls to Action
The episode encapsulated a week where regulation, supply chain insecurity, AI disruption, and classic espionage collided with the usual dark wit and practical wisdom. The hosts urge listeners to:
- Stay vigilant against supply chain and credential attacks.
- Rotate keys/secrets regularly and have a plan for crisis response.
- Keep up with AI’s impact: Use it for defense, and watch out for its misuse.
- Get involved in the community: Attend regional security conferences, and, if you’re open source, push for fair access to security tools.
For full incident breakdowns, tactical tips, and fresh banter, listen in Mondays at 4:30PM ET on YouTube.