Key Takeaways
- The Sunshine Protection Act, which would have made Daylight Saving Time permanent, was blocked single-handedly by Senator Tom Cotton of Arkansas.
- The widespread adoption of AI coding tools is rapidly escalating the capabilities of cyber adversaries, forcing defenders to level up their security practices to match this new threat landscape.
- Despite strong financial performance from major tech companies, layoffs are occurring across the sector, which some panelists attribute to a broader 'hunkered down' mentality in anticipation of economic tightening, rather than solely AI replacement.
- Consumer routers, particularly TP-Link models, are frequently criticized for basic security failures such as transmitting SSIDs and passwords in plain text, which is why manufacturer-managed automatic updates matter for this class of device.
- The US telecommunications infrastructure remains highly vulnerable because unpatched Huawei equipment is still embedded in core networks, a situation exacerbated by the disbanding of the Cyber Safety Review Board (CSRB) under the Trump administration.
- The discussion highlights a significant erosion of US cybersecurity posture, evidenced by the FCC voting to scrap telecom cybersecurity requirements and the dismantling of key cyber defense capacity at CISA and in Cyber Command leadership.
- AI bug-hunting tools like Google's 'Big Sleep' are creating friction with open-source maintainers, who are overwhelmed by detailed vulnerability reports that arrive without patches, exposing a systemic problem in how open-source maintenance is resourced.
- The F5 breach, where hackers were present for at least a year, underscores the risk of state actors exploiting existing vulnerabilities in widely used software rather than needing to plant backdoors.
- The controversy surrounding AI-generated expense fraud reports highlights a larger corporate focus on trivial employee reimbursement policing rather than addressing significant issues like wage theft.
Segments
Panel Introduction and Time Change
(00:00:00)
- Key Takeaway: Senator Tom Cotton single-handedly blocked the Sunshine Protection Act, preventing permanent Daylight Saving Time.
- Summary: The panel for This Week in Tech, episode 1056, included Stacey Higginbotham, Jill Duffy, and Alex Stamos. An early topic was the recent time change, which went ahead because Senator Tom Cotton blocked the bill that would have made Daylight Saving Time permanent. Cotton argued that permanent DST would produce excessively dark winter mornings, with sunrises after 8:30 AM in places like Arkansas.
AI Coding and Security Risks
(00:10:17)
- Key Takeaway: Adversaries are using AI tools to automate the entire intrusion kill chain, including zero-day exploit creation, which was previously limited to highly skilled state actors.
- Summary: The use of AI coding assistants like Claude Code is seen as a positive force for amateurs, but professional engineers must use frameworks to manage security risks, as AI does not inherently understand compliance or architecture. Adversaries are leveraging open-source AI models tuned for exploit creation, allowing less skilled actors to develop zero-day exploits, forcing defenders to rapidly advance their capabilities.
Cybersecurity Investment and AI Defense
(00:19:16)
- Key Takeaway: AI can make it economically feasible to refactor large amounts of legacy code (like C to Rust) to improve security, addressing historical underinvestment in cybersecurity.
- Summary: Jen Easterly’s article suggests AI can help secure software because it lowers the cost of finding and patching flaws, which is necessary since companies often only invest in security reactively. AI tools are becoming capable enough to find vulnerabilities, and in the future, rewriting old codebases might become more economical than patching them incrementally. Professional engineers are evolving into technical product managers, focusing on architecture while AI handles much of the coding.
Amazon Layoffs and Economic Outlook
(00:26:02)
- Key Takeaway: Amazon’s planned layoffs of up to 30,000 corporate jobs are officially attributed to ‘culture’ and layering, despite massive CapEx spending on AWS suggesting preparation for an economic downturn.
- Summary: Amazon CEO Andy Jassy stated the cuts were not financially or AI-driven but aimed at reducing layers and strengthening ownership, though the timing suggests preparation for tighter economic conditions. The company’s free cash flow has significantly dropped due to massive investment in AWS infrastructure, which may signal a cautious outlook based on their unique visibility into both consumer and business sentiment.
AI Bubble Financialization Concerns
(00:34:03)
- Key Takeaway: The AI boom may be creating a precarious financial bubble characterized by complex, non-transparent securitization of data center loans and an over-concentration of market value in a few tech giants.
- Summary: The current AI investment structure involves complex financial packaging (securitization) of data center contracts, making debt ownership opaque, similar to past financial crises. Furthermore, the massive valuation of the Magnificent Seven companies, which now dominate the S&P 500, raises concerns about systemic risk if they were to fail. The short lifespan of AI hardware (chips lasting ~18 months) challenges traditional accounting depreciation schedules, adding to financial uncertainty.
Router Security and FCC Action
(00:58:18)
- Key Takeaway: The FCC is moving to ban TP-Link routers, the market leader, due to poor security history, highlighting that auto-updating cloud-managed systems like Eero are preferred for consumer security.
- Summary: The U.S. government is tightening restrictions on Chinese tech companies, specifically targeting TP-Link routers which hold a 52% market share. Consumer routers generally have poor security because users rarely check or update firmware after initial setup. Cloud-managed systems like Eero are recommended because they auto-update, ensuring flaws are patched without user intervention.
Router Security and Auto-Updates
(00:59:29)
- Key Takeaway: Cloud-connected routers like Eero are preferred because they offer automatic firmware updates, which is crucial since consumers rarely check router firmware manually.
- Summary: Consumer routers are generally considered awful, leading to recommendations for cloud-connected options like Eero that auto-update. This mechanism ensures flaws are fixed without user intervention, as normal users typically set up their router once and never touch the firmware again. Ubiquiti gear is mentioned as a prosumer/SME alternative, though its mesh capabilities are considered less effective than Eero’s.
Telecom Infrastructure and Huawei Backdoors
(01:01:07)
- Key Takeaway: Huawei equipment is deeply embedded in US core telecom networks (Verizon, T-Mobile) and, despite the Salt Typhoon campaign, the vulnerable equipment remains in place because carriers say removing it would require shutting down infrastructure for several days.
- Summary: The discussion contrasts the TP-Link issue with the more severe threat posed by Huawei equipment in US core networks, which remains in place despite the Salt Typhoon intrusions. The Cyber Safety Review Board (CSRB), which was investigating these incidents, was disbanded early in the Trump administration. Telecoms claim that removing the compromised equipment would require days of infrastructure downtime and cite cost as the primary barrier to remediation.
SS7 Signaling Vulnerabilities
(01:02:39)
- Key Takeaway: SS7, the decades-old signaling protocol that carriers still rely on for functions such as SMS and roaming, was designed for a closed network of trusted operators and has been exploitable for over a decade; signaling attacks against it let foreign adversaries track Americans globally.
- Summary: SS7 remains a persistent problem because every mobile network still depends on the SS7 stack for functions like SMS delivery and roaming, so every handset is exposed to it. The protocol was never designed to authenticate untrusted participants and has been hackable for more than ten years. SS7 signaling attacks are a mechanism foreign adversaries use to track US citizens worldwide, and location-tracking exploits against it were publicly demonstrated years ago.
TP-Link Ban Context and NIST Standards
(01:03:33)
- Key Takeaway: The potential ban on TP-Link routers is viewed as a political bargaining chip, while a NIST secure-router framework emphasizing over-the-air updates was adopted by few manufacturers.
- Summary: The potential TP-Link ban is seen as at least partly political, similar to the DJI drone situation, rather than driven solely by security severity. Consumer routers often lack necessary security features, and many companies ignored the secure-router standard NIST developed under a 2021 executive order. Key NIST recommendations included automatic over-the-air updates enabled by default (with manual control left available for expert users) and a declared end-of-life date for each router.
Consumer Router Security Flaws
(01:05:23)
- Key Takeaway: Even in 2025, many consumer routers exhibit ‘stupid bugs’ like transmitting SSIDs and passwords in plain text, requiring consumers to take proactive steps like updating firmware and disabling WAN administration.
- Summary: Consumer Reports testing reveals persistent, basic security flaws across multiple router brands, such as sending setup credentials unencrypted over the network. Listeners with TP-Link routers are advised to update the firmware, change default passwords, turn off WAN (remote) administration, and use WPA3 encryption. Advanced users can check what their router exposes to the internet using tools like Shodan.
FCC Dismantling Cybersecurity Rules
(01:22:09)
- Key Takeaway: The FCC, under Chairman Brendan Carr, is moving to scrap the cybersecurity requirements for telecom carriers that were adopted after the Salt Typhoon breach, citing ineffectiveness and a lack of statutory authority.
- Summary: The FCC is set to vote on eliminating cybersecurity requirements for telecom carriers, rules enacted after the Salt Typhoon incident that compromised high-level US communications. Chairman Carr argues the rules were rushed, ineffective, and exceeded the agency's authority. The panel notes that the market is unlikely to enforce cybersecurity standards without regulation, which makes this move concerning given the ongoing Chinese threat to US infrastructure.
US Cyber Defense Deterioration
(01:24:03)
- Key Takeaway: The US cyber defense apparatus has been severely weakened by political purges, leaving CISA and the National Security Council short-staffed and critical infrastructure exposed to Chinese pre-positioning attacks.
- Summary: The dismantling of cyber defense structures, including the closure of the CSRB, staff reductions at CISA and the National Security Council, and the firing of the Cyber Command commander, is described as a near-total surrender of the cyber front to China. Chinese hacking efforts have shifted from financial theft to planting access in US infrastructure (power, water, rail) in preparation for a potential conflict. This leaves critical infrastructure operators feeling isolated in their defense efforts.
Digital Swedish Death Cleaning
(01:37:00)
- Key Takeaway: Swedish Death Cleaning extends to digital assets, requiring proactive organization of photos, diaries, and account access to prevent leaving a burdensome digital mess for survivors.
- Summary: Swedish Death Cleaning is the concept of slowly decluttering throughout life to avoid burdening others after death, now applied to digital life, including organizing photos and deciding on the disposition of personal writings. Password managers like Bitwarden offer emergency legacy features that act as a dead man’s switch, but users must be educated that financial logins should generally pass through legal channels like a trust, not direct password sharing. Creating a pre-written email notification list for acquaintances is suggested to ensure timely communication of one’s passing.
F5 Source Code Theft and Microsoft Patches
(01:54:37)
- Key Takeaway: An advanced persistent threat (APT) stole source code from security vendor F5, potentially letting the attackers find exploitable bugs in future patches, mirroring the SharePoint case in which patch engineering done by Microsoft staff in China was followed by immediate exploitation.
- Summary: F5, a major provider of network load balancers, suffered a breach in which source code was stolen by a Chinese APT that was reportedly inside the network for at least a year. This access lets the attackers find vulnerabilities before patches are released, similar to when Microsoft's SharePoint engineering in China allowed exploits to be used against US targets immediately after patches shipped. Panelists noted that a Thinkst Canary honeypot could have detected the initial intrusion into F5's network.
F5 Breach Details and Source Code Risk
(01:57:10)
- Key Takeaway: Hackers maintained access to F5’s network for at least 12 months before the breach was known.
- Summary: The F5 breach involved hackers exfiltrating data after gaining access, potentially using source code access to find unknown vulnerabilities. State actors prioritize obtaining source code to implant exploits or discover zero-day bugs. F5 recently patched 40 vulnerabilities, indicating significant existing code weakness.
AI in Vulnerability Hunting
(01:59:05)
- Key Takeaway: AI agents like OpenAI's 'Aardvark' and Google's 'Big Sleep' are highly effective at finding code vulnerabilities.
- Summary: AI tools are being built specifically to scan codebases for security flaws, with Google's 'Big Sleep' actively finding bugs in open-source libraries like FFmpeg and ImageMagick. The tools are effective, but they create problems when maintainers lack the resources to fix the volume of issues reported.
Google’s AI Bug Reporting Controversy
(02:01:27)
- Key Takeaway: Google’s AI-driven vulnerability reporting process is criticized for overwhelming volunteer open-source developers without providing patches.
- Summary: FFmpeg developers labeled the detailed, AI-generated bug reports as ‘AI slop CVEs’ because they lacked accompanying fixes. Google’s 90-day disclosure policy, inherited from Project Zero, is deemed insufficient for volunteer teams facing numerous complex bugs. The panel argues Google should provide proposed patches or utilize their paid engineers to assist in remediation.
AI and Expense Report Fraud
(02:07:22)
- Key Takeaway: AI is enabling a surge in believable expense report fraud, but this distracts from corporate overreach in expense policing.
- Summary: AI can generate highly convincing fake receipts, leading to increased expense fraud reports. Panelists expressed greater frustration with corporations demanding excessive documentation for minor expenses, which is often unnecessary by IRS standards. The focus on minor employee fraud is seen as misdirected corporate energy.
Proton Data Breach Observatory Launch
(02:12:38)
- Key Takeaway: Proton is launching the Data Breach Observatory to proactively search the dark web for breaches, competing with Troy Hunt’s ‘Have I Been Pwned’.
- Summary: Proton claims its service searches the dark web in near real time, unlike 'Have I Been Pwned', which relies on breaches being reported to it. Intelligence firms already offer similar dark web monitoring, often selling the data to companies for mass password resets. Troy Hunt's service is praised for its careful verification and for its privacy-preserving password check, which never sends the full password or password hash to the server.
X Security Key Domain Change
(02:17:17)
- Key Takeaway: Users with hardware security keys (such as a YubiKey) enrolled under the twitter.com domain must re-enroll them for X.com to keep working.
- Summary: FIDO security keys bind each credential to the relying-party domain it was registered with, so keys enrolled for twitter.com will stop working if X abandons that domain. The move therefore forces re-enrollment for users who rely on hardware keys for two-factor authentication. The same domain binding is why hardware tokens beat TOTP: a phishing page on a look-alike or Unicode-spoofed domain cannot obtain a valid assertion for the real site.
YouTube Tutorial Removals and Lock Picking Lawsuit
(02:27:39)
- Key Takeaway: YouTube reinstated tech tutorials flagged by AI, while a lock company’s lawsuit against a popular lock-picking YouTuber failed on fair use grounds.
- Summary: YouTube apologized after AI incorrectly flagged educational videos, including guides on bypassing Microsoft account requirements, and promised human review would prevent recurrence. Lock company Proven Industries sued YouTuber Trevor McNally for demonstrating how to shim their lock, but the judge ruled his video transformative fair use. The lawsuit’s dismissal demonstrated that established creators can successfully defend against aggressive copyright claims.
Appliance Ads and WhatsApp Passkeys
(02:33:20)
- Key Takeaway: Samsung’s decision to place ads on $2,000 smart fridges exemplifies the loss of product ownership due to software tethering.
- Summary: The inclusion of ads on high-cost appliances like Samsung fridges is seen as a consequence of products being tied to cloud services rather than being fully owned by the consumer. WhatsApp is now supporting passkeys for end-to-end encrypted backups, addressing a major security gap where previous backups were unencrypted. Passkeys offer better security than traditional methods, though complexity arises with syncable versus hardware-only passkey implementations.