Security Now! #1078 — Key Points ================================= FCC ROUTER WAIVER EXTENDED TO 2029 Reversal of earlier policy that would have blocked firmware updates for foreign-made routers after March 2027. Already-authorized devices can now receive security/firmware updates through Jan 1, 2029. Steve's view: the restriction never made sense — if you don't trust the manufacturer, a one-year window doesn't help; if you do, no restriction is needed. Netgear separately got a full conditional pass. 21-YEAR-OLD FREEBSD RCE FOUND BY AI (CVE-2026-42511) AISLE's AI source-analysis pipeline found a wormable remote command execution flaw in dhclient, imported from OpenBSD in FreeBSD 6.0 (2005). Malicious DHCP reply -> root on any FreeBSD machine joining the network (laptops at coffee shops, PlayStation, etc.). AISLE took a swipe at Anthropic's Mythos hype ("not model mythology"). LET'S ENCRYPT BRIEF OUTAGE Gen Y (YE/YR) cross-certified intermediates were issued without the required serverAuth EKU extension (mandatory for CCADB since June 2025). They voluntarily halted issuance, fixed config, resumed. Textbook CA behavior. MALICIOUS AI MODELS — SUPPLY CHAIN COMPROMISE AT SCALE HuggingFace: ~352,000 unsafe issues across 51,700 models. "nullifAI" technique abuses pickle deserialization + 7z compression to bypass scanners. ClawHub (OpenClaw skill registry): 341 malicious skills out of 2,857, 335 from one coordinated "ClawHavoc" campaign. Snyk found ~36% of skills have security flaws. Related recent compromises: - LiteLLM (PyPI, ~500K creds exposed) - Bitwarden CLI on npm (90 min, targeted Claude Code/Cursor/Codex/Aider) - PyTorch Lightning (42 min) Core issue: AI models execute on load, consumers are automated agents, attack windows measured in minutes. CISA 2015 REAUTHORIZATION ON TRACK Long-term renewal expected before September expiration. Restores liability shield for private-sector threat-intel sharing. EDGE STORES ALL SAVED PASSWORDS IN CLEARTEXT IN RAM

Quick note on the Proton Meet pricing, since I was initially confused. Proton Meet is Proton's new video meeting product. If you're on the Proton Unlimited bundle, Meet is included, but with a cap: 60 minutes max per meeting. You can run unlimited meetings per day, just none longer than an hour each. The standalone paid Meet product removes that cap (unlimited meeting length) and adds extra features on top. So bundle members aren't locked out, they just hit the 60-minute ceiling per session. If you regularly run longer meetings, the standalone tier is what you'd want. I put together a quick infographic on the top three features of the paid tier below.

One of the things I’ve learned over the last year is that identifying AI opportunities is only the beginning. Recently, I secured a multi-month engagement with an enterprise client that is moving beyond the original AI Opportunity Mapping phase and into something equally important: AI Readiness Evaluation. In other words: “Are we actually ready to implement this opportunity successfully?” Because the reality is, a good AI idea does not automatically translate into a successful AI project. Before moving forward, we’re reviewing a set of high-level readiness criteria. If the conditions are there, we move. If not, we focus on preparing the environment first. Some of the key checkpoints include: - Clear and measurable ROI - Available and reliable data feeds, integrations, and system access - Existing process documentation and workflow maps - Existing training documents and operational knowledge capture - Real operational context: call recordings emails text conversations support interactions - Security, governance, and protocol requirements - Workforce readiness and adoption potential - Executive sponsor approval - Stakeholder alignment and buy-in - Willingness to redefine the role of humans in an AI-agent-supported workforce That last point is becoming increasingly important. AI readiness is not just technical readiness. It is also organizational readiness. Many organizations are still evaluating AI through the lens of traditional software implementation, when in reality AI often changes the structure of work itself. In many future-state environments, humans may spend less time manually executing repetitive tasks and more time: - supervising AI-supported workflows - managing exceptions - validating outputs - training systems - refining processes - handling edge cases and decision-making Most enterprise AI projects do not fail because the model is bad. They fail because the organization is not ready to support implementation at scale.

• A password is like a secret word you type that a website remembers; if someone tricks you into telling it to them, they can pretend to be you. • A passkey is more like a special key stored on your phone or computer that never leaves your device; the website only sees proof that your real key unlocked the door. • Bad guys can steal or guess passwords using fake emails, keyloggers, or leaked databases, but they cannot copy your passkey because it stays locked inside your device. • With passkeys, you usually just tap your fingerprint, look at your camera, or enter a short PIN, so it’s both easier and safer than remembering long, messy passwords. • Until every site uses passkeys, you still need strong, unique passwords in a manager plus MFA, but the goal is to move toward passkeys and stop using passwords over time.

TECH BRIEF: 2026-05-09 Athena generates a custom news brief designed for me specifically for my tool stack that I use and how it affects me. This is a great way to keep your tools up to date. ── RED: ACTION REQUIRED Cloudflare Workers AI -- 18 models deprecated May 30 Source: developers.cloudflare.com/changelog/post/2026-05-08-planned-model-depr ecations/ Impact: Any workflow calling Workers AI endpoints directly breaks on May 30. Action: Audit all automation workflows for Workers AI calls before May 30. --- YELLOW: WATCH Anthropic: Higher usage limits + SpaceX compute deal (May 6) Source: anthropic.com/news/higher-limits-spacex Why it matters: More headroom for heavy API workloads -- better story for client pitches on scale. Timeframe: Now. Already live. Cloudflare laid off 1,100 (20% of workforce), going AI-first (May 7-8) Source: TechCrunch / Bloomberg Why it matters: Platform direction is accelerating, not collapsing. No service risk -- but worth watching the product roadmap. Timeframe: Ongoing. Colorado SB 24-205 takes effect June 30 Why it matters: First comprehensive state AI law in the US. Covers AI making consequential decisions (employment, credit, housing) for Colorado consumers. Most chatbot/marketing/scheduling builds don't trigger it -- but hiring or credit-adjacent workflows do. Timeframe: June 30 hard deadline. --- GREEN: OPPORTUNITY Claude Opus 4.7 -- 1M token context at standard pricing Source: anthropic.com/news/claude-opus-4-7 Potential play: Document-heavy SMB automations (invoice processing, contract review, long-form analysis) are now viable at Opus quality without long-context surcharges. New tokenizer may cost 35% more on text-heavy prompts -- re-test before upselling. Anthropic launches "Agents for Financial Services" (May 5) Source: anthropic.com/news/finance-agents