ies and cybercriminal groups.?

TechCrunch reports that Coruna is definitely of US origin:

Two former employees of government contractor L3Harris told TechCrunch that Coruna was, at least in part, developed by the company?s hacking and surveillance tech division, Trenchant. The two former employees both had knowledge of the company?s iPhone hacking tools. Both spoke on condition of anonymity because they weren?t authorized to talk about their work for the company.

It?s always super interesting to see what malware looks like when it?s created through a professional software development process. And the TechCrunch article has some speculation as to how the US lost control of it. It seems that an employee of L3Harris?s surviellance tech division, Trenchant, sold it to the Russian government.

** *** ***** ******* *********** *************
US Bans All Foreign-Made Consumer Routers

[2026.04.02] This is for new routers; you don?t have to throw away your existing ones:

The Executive Branch determination noted that foreign-produced routers (1) introduce ?a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense? and (2) pose ?a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.?

More information:

Any new router made outside the US will now need to be approved by the FCC before it can be imported, marketed, or sold in the country.

In order to get that approval, companies manufacturing routers outside the US must apply for conditional approval in a process that will require the disclosure of the firm?s foreign investors or influence, as well as a plan to bring the manufacturing of the routers to the US.

Certain routers may be exempted from the list if they are deemed acceptable by the Department of Defense or the Department of Homeland Security, the FCC said. Neither agency has yet added any specific routers to its list of equipment exceptions.

[...]

Popular brands of router in the US include Netgear, a US company, which manufactures all of its products abroad.

One exception to the general absence of US-made routers is the newer Starlink WiFi router. Starlink is part of Elon Musk?s company SpaceX.

Presumably US companies will start making home routers, if they think this policy is stable enough to plan around. But they will be more expensive than routers made in China or Taiwan. Security is never free, but policy determines who pays for it.

** *** ***** ******* *********** *************
Company that Secretly Records and Publishes Zoom Meetings

[2026.04.03] WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes (alternate link) the recordings. It doesn?t use the Zoom record feature, so Zoom can?t do anything about it.

EDITED TO ADD (4/13): 404 Media has a follow-on article.

** *** ***** ******* *********** *************
Google Wants to Transition to Post-Quantum Cryptography by 2029

[2026.04.06] Google says that it will fully transition to post-quantum cryptography by 2029. I think this is a good move, not because I think we will have a useful quantum computer anywhere near that year, but because crypto-agility is always a good thing.

Slashdot thread.

** *** ***** ******* *********** *************
New Mexico?s Meta Ruling and Encryption

[2026.04.06] Mike Masnick points out that the recent New Mexico court ruling against Meta has some bad implications for end-to-end encryption, and security in general:

If the ?design choices create liability? framework seems worrying in the abstract, the New Mexico case provides a concrete example of where it leads in practice.

One of the key pieces of evidence the New Mexico attorney general used against Meta was the company?s 2023 decision to add end-to-end encryption to Facebook Messenger. The argument went like this: predators used Messenger to groom minors and exchange child sexual abuse material. By encrypting those messages, Meta made it harder for law enforcement to access evidence of those crimes. Therefore, the encryption was a design choice that enabled harm.

The state is now seeking court-mandated changes including ?protecting minors from encrypted communications that shield bad actors.?

Yes, the end result of the New Mexico ruling might be that Meta is ordered to make everyone?s communications less secure. That should be terrifying to everyone. Even those cheering on the verdict.

End-to-end encryption protects billions of people from surveillance, data breaches, authoritarian governments, stalkers, and domestic abusers. It?s one of the most important privacy and security tools ordinary people have. Every major security expert and civil liberties organization in the world has argued for stronger encryption, not weaker.

But under the ?design liability? theory, implementing encryption becomes evidence of negligence, because a small number of bad actors also use encrypted communications. The logic applies to literally every communication tool ever invented. Predators also use the postal service, telephones, and in-person conversation. The encryption itself harms no one. Like infinite scroll and autoplay, it is inert without the choices of bad actors - choices made by people, not by the platform?s design.

The incentive this creates goes far beyond encryption, and it?s bad. If any product improvement that protects the majority of users can be held against you because a tiny fraction of bad actors exploit it, companies will simply stop making those improvements. Why add encryption if it becomes Exhibit A in a future lawsuit? Why implement any privacy-protective feature if a plaintiff?s lawyer will characterize it as ?shielding bad actors??

And it gets worse. Some of the most damaging evidence in both trials came from internal company documents where employees raised concerns about safety risks and discussed tradeoffs. These were played up in the media (and the courtroom) as ?smoking guns.? But that means no company is going to allow anyone to raise concerns ever again. That?s very, very bad.

In a sane legal environment, you want companies to have these internal debates. You want engineers and safety teams to flag potential risks, wrestle with difficult tradeoffs, and document their reasoning. But when those good-faith deliberations become plaintiff?s exhibits presented to a jury as proof that ?they knew and did it anyway,? the rational corporate response is to stop putting anything in writing. Stop doing risk assessments. Stop asking hard questions internally.

The lesson every general counsel in Silicon Valley is learning right now: ignorance is safer than inquiry. That makes everyone less safe, not more.

The essay has a lot more: about Section 230, about competition in this space, about the myopic nature of the ruling. Go read it.

** *** ***** ******* *********** *************
Hong Kong Police Can Force You to Reveal Your En
--- FMail-lnx 2.3.2.6-B20251227
* Origin: TCOB1 A Mail Only System (21:1/229)