JJ and Drew unpack an overstuffed suitcase of infosec stories in today’s News Roundup. Microsoft’s Edge password manager stores credentials in plaintext and Microsoft says “Yup”, the Linux kernel takes a one-two punch from Dirty Frag and Fragnesia, and a new industry coalition takes critical infrastructure protection private.
A Taiwanese radio enthusiast allegedly brings high-speed trains to a halt with cloned emergency signals, the FCC realizes that not allowing firmware patches and security updates is bad for protecting consumer routers, and Google forces a sticky AI model on Chrome users without asking (we have details on how to unstick it).

Threat actors school ed-tech giant Canvas with a successful ransomware attack, Google adds forensic intrusion logging in Android to help investigators spot sophisticated spyware, and MOVEit users need to get a move-on to deal with critical patches.
Google shortens its timeline for post-quantum migration, NIST updates DNS security guidelines, ham radio operators tune into an abundance of IPv6 addresses, and Apple goes all the way back to 2015 with security updates.
Episode Links:
EdgeSavedPasswordsDumper – GitHub
PoC tool extracts cleartext passwords from Microsoft Edge memory – Cyber Insider
Why Edge stores your passwords in plaintext, according to Microsoft – ZDNet
New Linux ‘Dirty Frag’ zero-day gives root on all major distros – Bleeping Computer
Dirtyfrag – GitHub
Fragnesia: Linux Kernel Local Privilege Escalation via ESP-in-TCP – Wiz
Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access – The Register
New cybersecurity industry coalition aims to lead US critical infrastructure protection – Cybersecurity Dive
Alliance for Critical Infrastructure
Taiwan cops say student’s radio kit brought bullet trains to a standstill – The Register
Student who allegedly disrupted rail network on bail – Taipei Times
College student hacks Taiwan high-speed rail line with software defined radios, stopping four trains – Tom's Hardware
FCC pushes ban on security updates for foreign-made routers, drones to 2029 – The Record
After banning foreign routers, FCC says existing ones can get updates until 2029 – Ars Technica
FCC Covered List Addition — Routers Produced in Foreign Countries (DA 26-278) – FCC
OET Announces Extension and Expansion of Waiver (PDF) – FCC
Google Chrome silently installs a 4 GB AI model on your device without consent. At a billion-device scale the climate costs are insane – That Privacy Guy
Chrome silently installs a 4 GB local LLM on your computer – The Register
Canvas’ parent company reaches agreement with hacking group behind breach – Reuters
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak – The Hacker News
Instructure reaches ‘agreement’ with ShinyHunters to stop data leak – Bleeping Computer
Double Canvas breach acknowledged as ShinyHunters sets new pay-or-leak deadline – The Register
Android Intrusion Logging as a new source of data for consensual forensic analysis – Amnesty International Security Lab
What’s New in Android Security and Privacy in 2026 – Google
Google launches new Android security feature to help uncover spyware attacks – TechCrunch
PP082: Building a Workable Mobile Security Strategy In a World of Risky Apps – Packet Pushers
PP072: Mobile Device Threat Management – Packet Pushers
New MOVEit vulnerabilities prompt urgent patch warning – Cybersecurity Dive
Quantum frontiers may be closer than they appear – Google
Secure Domain Name System (DNS) Deployment Guide (PDF) – NIST
Unofficial IETF draft calls for grant of five nonillion IPv6 addresses to ham radio operators – The Register
Apple Security Releases – Apple
Apple just pushed dozens of critical security updates, going all the way back to 2015 iPhones – Macworld
