Firewalls Don't Stop Dragons Podcast


484 episodes — Page 2 of 10

ShmooCon: Moose You Already

On January 12th, 2025, the ShmooCon hacker conference held its 20th and final gathering. I was lucky enough to be able to not only attend the final show but also to interview the founders, Heidi and Bruce Potter. We talk about how it all got started, what made this hacker con so special and beloved, and hear some hilarious stories from the past twenty years of hacker shenanigans in Washington D.C.

Interview Notes
ShmooCon: https://www.shmoocon.org/
ShmooCon 2025 sessions: https://www.youtube.com/playlist?list=PLnKSfJ5rXw95HSPVl5L7dqhKpVAx3q_j0
Turngate: https://www.turngate.io/
HOPE conference: https://www.hope.net/
BSides: https://bsides.org/
Cackalackycon: https://cackalackycon.org/
Thotcon: https://www.thotcon.org/
SummerCon: https://www.summercon.org/
PancakesCon: https://pancakescon.com/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:03:43: How and why did you start ShmooCon?
0:11:05: Why are hacker conferences so different from regular trade shows?
0:17:19: Why limit attendance and how did this give rise to LobbyCon?
0:21:52: What makes a good con? What’s your post-con recovery like?
0:27:26: Why did you decide to end the con?
0:29:54: How have other cons influenced ShmooCon?
0:33:16: Why is it important to be so transparent about your con?
0:37:38: What are your favorite ShmooCon stories?
0:44:54: What’s it like running a conference as a married couple?
0:49:39: What are you most proud of with ShmooCon?
0:52:13: Was there anything you wish you had done but didn’t?
0:56:07: Did you ever consider handing ShmooCon off to someone else?
0:58:13: So what now?
1:00:58: What are some ShmooCon alternatives?
1:06:36: Wrap-up
1:08:07: Attend a hacker con!
1:09:35: Patron bonus preview
1:10:24: Looking ahead

Jun 23, 2025 (1h 11m)

Rogue AI?

Artificial Intelligence is taking over. But I don’t mean that in a Skynet kinda way. It’s simply becoming ubiquitous because companies are insisting on inserting the technology into all their products, even if it’s not useful – or not even safe. Unfortunately, the breathless reporting on the dangers of AI is also getting way out of hand, including stories of AI systems ‘blackmailing’ their designers. Today I’ll try to bring us back to reality a bit. Also in the news: Billions of session login cookies up for grabs; Meta and Yandex cheat in order to track you around the web; Qualcomm fixes three zero-day bugs being actively exploited; Apple releases transparency report on push notification data requests; LAPD using Waymo for gathering video evidence; another massive AT&T user data leak includes SSNs; AI system appears to try to blackmail its owner; judge grants preliminary injunction on DOGE data grab; and we’ll check in on your 2025 New Year’s Resolutions!

Article Links
[theregister.com] Billions of cookies up for grabs as experts warn over session security https://www.theregister.com/2025/05/29/billions_of_cookies_available/
[arstechnica.com] Meta and Yandex are de-anonymizing Android users’ web browsing identifiers https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
More info: https://www.zeropartydata.es/p/localhost-tracking-explained-it-could
[techcrunch.com] Phone chipmaker Qualcomm fixes three zero-days exploited by hackers https://techcrunch.com/2025/06/03/phone-chipmaker-qualcomm-fixes-three-zero-days-exploited-by-hackers/
[404media.co] Apple Gave Governments Data on Thousands of Push Notifications https://www.404media.co/apple-gave-governments-data-on-thousands-of-push-notifications/
[404media.co] LAPD Publishes Crime Footage It Got From a Waymo Driverless Car https://www.404media.co/lapd-publishes-crime-footage-it-got-from-a-waymo-driverless-car/
[cyberinsider.com] AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs https://cyberinsider.com/att-investigating-new-leak-of-86-million-customer-records-with-decrypted-ssns/
[bbc.com] AI system resorts to blackmail if told it will be removed https://www.bbc.com/news/articles/cpqeng9d20go
[eff.org] Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit https://www.eff.org/press/releases/privacy-victory-judge-grants-preliminary-injunction-opmdoge-lawsuit

Tip of the Week: https://firewallsdontstopdragons.com/2025-resolutions-check-in/

Further Info
2025 New Year’s Resolutions: https://firewallsdontstopdragons.com/new-years-resolutions-2025/
Privacy Guides: https://www.privacyguides.org/articles/
EFF’s Rayhunter project: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:50: A note on protest privacy
0:04:32: News preview
0:06:43: Billions of cookies up for grabs as experts warn over session security
0:18:27: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
0:25:59: Phone chipmaker Qualcomm fixes three zero-days exploited by hackers
0:27:51: Apple Gave Governments Data on Thousands of Push Notifications
0:33:25: LAPD Publishes Crime Footage It Got From a Waymo Driverless Car
0:37:39: AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs
0:41:51: AI system resorts to blackmail if told it will be removed
0:51:40: Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit
0:56:04: Tip of the Week
0:58:13: Wrap-up
0:58:30: Merlin’s Musings preview
0:59:10: Looking ahead

Jun 16, 2025 (1h 0m)

Dialog with the Data Diva

Debbie Reynolds (aka The Data Diva) has been working in the privacy realm for many years, as a privacy consultant, speaker, advisor and podcaster. She and I have been running in the same circles on LinkedIn for a while now, and we finally decided it was time to be a guest on each other’s shows. Today Debbie and I will discuss the privacy dangers of IoT devices (including her contributions to the US Department of Commerce’s IoT Advisory Board), vehicles, and AI. I’ll ask about her experiences advising corporations on privacy issues with emerging technologies and how she advocates for less data gathering and more transparency.

Interview Notes
Debbie Reynolds consulting: https://www.debbiereynoldsconsulting.com/
Data Diva podcast: https://www.debbiereynoldsconsulting.com/podcast
My interview on Debbie’s podcast: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker
The Right to Privacy book (1995): https://www.amazon.com/Right-Privacy-Caroline-Kennedy/dp/0679419861
IoT Advisory Board report: https://www.debbiereynoldsconsulting.com/iot-advisory-board
Shodan search: https://www.shodan.io/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:01:27: During your privacy career, how has privacy changed?
0:05:59: How do you define privacy?
0:08:51: What were your contributions on the IoT Advisory Board?
0:12:54: Who was the primary audience for that report?
0:15:49: Which IoT devices have the worst privacy?
0:19:33: How bad are modern cars in terms of privacy?
0:29:50: How does AI threaten our privacy today?
0:33:30: How can we mitigate AI privacy risks?
0:40:11: How can we convince companies to truly embrace user privacy?
0:45:36: What are some of the biggest privacy mistakes companies make?
0:49:34: Why can’t we have a global tracking opt-out signal?
0:53:52: What can we learn from the EU’s GDPR?
0:58:35: So what can we do to improve our privacy?
1:00:50: Patron preview
1:01:21: Looking ahead

Jun 9, 2025 (1h 2m)

Life in the Panopticon

Tracking our faces and whereabouts is getting out of control. It’s a mass surveillance infrastructure that keeps growing in Borg-like fashion. Facial recognition and license plate readers are proliferating at a stupefying pace and companies like Flock are consolidating the collected data and packaging it up for sale to law enforcement agencies. Even if no human in these agencies were to abuse this data, it’s creating an irresistible target for scheming hackers and nation states keen on espionage. The longer we let this go, the harder it will be to stop. In today’s news: Asus routers are being hacked and you need to take action; 23andMe has been sold, along with its users’ genetic data; AI-generated videos have just become way more realistic; US government taps surveillance company to centralize all its citizen data; CFPB regulation limiting data brokers is axed; Kroger is packaging and selling its customer loyalty data; automated license plate reader data use is expanding in scary ways; Android phones gain key new security feature; EU court rules that real-time bidding data gathering is illegal; Montana is first state to plug data broker loophole; and I relate my recent privacy experience at the US border.

Article Links
[LifeHacker.com] If You Have an Asus Router, You Need to Check If It’s Been Hacked https://lifehacker.com/tech/asus-routers-hacked
[404media.co] 23andMe Sale Shows Your Genetic Data Is Worth $17 https://www.404media.co/23andme-sale-shows-your-genetic-data-is-worth-17/
[lifehacker.com] You Are Not Prepared for This Terrifying New Wave of AI-Generated Videos https://lifehacker.com/tech/you-are-not-prepared-for-this-new-wave-of-ai-generated-videos
[nytimes.com] Trump Taps Palantir to Compile Data on Americans https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html
[techcrunch.com] White House scraps plan to block data brokers from selling Americans’ sensitive data https://techcrunch.com/2025/05/14/white-house-scraps-plan-to-block-data-brokers-from-selling-americans-sensitive-data/
[therecord.media] Consumer Reports: Kroger using loyalty program to package, sell customer data https://therecord.media/kroger-using-loyalty-program-to-sell-customer-data
[404media.co] A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/
[404media.co] License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows https://www.404media.co/license-plate-reader-company-flock-is-building-a-massive-people-lookup-tool-leak-shows/
[arstechnica.com] Android phones will soon reboot themselves after sitting unused for 3 days https://arstechnica.com/gadgets/2025/04/android-phones-will-soon-reboot-themselves-after-sitting-unused-for-3-days/
[signal.org] By Default, Signal Doesn’t Recall https://signal.org/blog/signal-doesnt-recall/
[therecord.media] EU court rules that tracking-based online ads are illegal https://therecord.media/eu-court-rules-tracking-based-ads-illegal
[eff.org] Montana Becomes First State to Close the Law Enforcement Data Broker Loophole https://www.eff.org/deeplinks/2025/05/montana-becomes-first-state-close-law-enforcement-data-broker-loophole

Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity-update/
The Atlantic: How to Disappear https://www.theatlantic.com/ideas/archive/2025/05/extreme-personal-data-privacy-protection/682867/
BADBOOL data removal service list: https://docs.google.com/spreadsheets/d/115L6LpQg_UX638IyUfdwGhRS7dIU3lKwz6fjAcDtE-0/edit?gid=0#gid=0

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:01:50: Josh Corman interview promotion
0:03:04: How to Disappear
0:03:49: News rundown
0:07:32: If You Have an Asus Router, You Need to Check If It’s Been Hacked
0:19:01: 23andMe Sale Shows Your Genetic Data Is Worth $17
0:23:22: You Are Not Prepared for This Terrifying New Wave of AI-Generated Videos
0:28:42: Trump Taps Palantir to Compile Data on Americans
0:35:04: White House scraps plan to block data brokers from selling Americans’ sensitive data
0:38:08: Kroger using loyalty program to package, sell customer data
0:46:23: A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion
0:49:43: License Plate Reader Company Flock Is Building a Massive People Lookup Tool
0:55:15: Android phones will soon reboot themselves after sitting unused for 3 days
0:59:25: By Default, Signal Doesn’t Recall
1:03:13: EU court rules that tracking-based online ads are illegal
1:06:07

Jun 2, 2025 (1h 26m)

Dividing Trust

VPNs were not invented for privacy, despite the name – they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you’re shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it’s the key technology behind new services like Apple’s Private Relay and Obscura VPN. Today we’ll discuss the benefits of this approach with Obscura’s founder, Carl Dong.

Interview Notes
Obscura VPN: https://obscura.net/
Wireguard: https://en.wikipedia.org/wiki/WireGuard
Obscura Wireguard configuration tool: https://obscura.net/#faq-wireguard-config
QUIC explainer video: https://www.youtube.com/watch?v=HnDsMehSSY4
Masque: https://datatracker.ietf.org/wg/masque/about/
Privacy Pass: https://privacypass.github.io/
Anubis: https://anubis.techaro.lol/docs/design/how-anubis-works/
How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:01:16: Interview setup
0:04:46: Lingo definitions
0:09:48: Why do we need yet another VPN?
0:15:00: How does Obscura differ from Apple Private Relay and Tor?
0:21:59: How little info can you give to set up an Obscura account?
0:25:33: What is the Bitcoin Lightning Network?
0:27:30: How can we know how much logging a VPN provider is doing?
0:35:04: Does Obscura have the same quirks as regular VPNs?
0:42:10: How vulnerable are you to being taken down by governments?
0:46:11: What are the core technologies in Obscura?
0:50:49: What do you think about Safing’s IP-per-connection idea?
0:54:00: Are you planning to expand your partner VPNs?
0:56:41: How does Obscura handle the TunnelVision problem?
0:59:57: What is the roadmap for supporting other operating systems?
1:03:14: What’s next for Obscura?
1:04:32: Interview wrap-up
1:09:19: Patron podcast preview
1:09:50: Looking ahead

May 26, 2025 (1h 10m)

Slay Message Snoopers

There are way too many messenger apps today. It’s a sad state of affairs and I don’t see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren’t really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it’s not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I’m going to suggest you try Signal. In other news: study finds Canadians’ health data being sold to drug makers; DOGE worker’s computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers over privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.

Article Links
[cbc.ca] Millions of Canadians’ health data available for sale to pharmaceutical industry, study shows https://www.cbc.ca/news/health/health-data-records-pharmaceutical-private-clinics-1.7529955
[micahflee.com] DOGE bro Kyle Schutt’s computer infected by malware, credentials found in stealer logs https://micahflee.com/doge-bro-kyle-schutts-computer-infected-by-malware-credentials-found-in-stealer-logs/
[jacobin.com] Airlines Are Selling Your Data to ICE https://jacobin.com/2025/05/airlines-data-ice-trump-immigration/
[The Hacker News] BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S.-Dutch Operation https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
[The Hacker News] Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
[9news.com] Denver will stop using license plate reader cameras amid privacy worries https://www.9news.com/article/news/local/local-politics/license-plate-reader-camera-data-security-concerns/73-9c570252-9d1c-4e5c-b042-c12392aa1081
[arstechnica.com] Jury orders NSO to pay $167 million for hacking WhatsApp users https://arstechnica.com/security/2025/05/jury-orders-nso-to-pay-167-million-for-hacking-whatsapp-users/

Tip of the Week: Slay Snoopers: https://firewallsdontstopdragons.com/dragon-hacks-slay-snoopers/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:43: News preview
0:02:53: Millions of Canadians’ health data available for sale to pharmaceutical industry
0:08:39: DOGE engineer’s computer infected by malware
0:14:38: Airlines Are Selling Your Data to ICE
0:22:05: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in US, Dutch Operation
0:28:04: Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection
0:30:21: Denver will stop using license plate reader cameras amid privacy worries
0:34:54: Jury orders NSO to pay $167 million for hacking WhatsApp users
0:39:17: Tip of the Week: Slay Snoopers
0:44:31: Wrap-up

May 19, 2025 (45 min)

Shelter from the Storm

Almost exactly two years ago, “Five Eyes” intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People’s Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.

Interview Notes
UnDisruptable27: https://securityandtechnology.org/undisruptable27/
Critical Effect conference (DC): http://critical-effect.org/
Congressional hearing, CCP cyber threat to national security: https://selectcommitteeontheccp.house.gov/committee-activity/hearings/hearing-notice-ccp-cyber-threat-american-homeland-and-national-security
Josh’s RSA talk (2024): https://www.youtube.com/watch?v=dhJvslRRlFc
UnDisruptable27 video 1: https://www.youtube.com/watch?v=GnozKc3gFsM
UnDisruptable27 video 2: https://www.youtube.com/watch?v=d8UsrMRvt14
Cyber Resilience Corps: https://cltc.berkeley.edu/program/cyber-resilience-corps/
Cyber Volunteer Resource Center: https://www.cisa.gov/audiences/high-risk-communities/cybervolunteerresourcecenter

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:03:49: Lingo explanations
0:07:26: What is UnDisruptable27 and why did you start it?
0:16:47: How does this relate to China’s intention to invade Taiwan?
0:22:00: What are the psychological impacts of this sort of attack?
0:25:31: How long might it take to recover from this sort of attack?
0:33:12: If this threat is so dire, why aren’t we scrambling to address it?
0:37:24: Do Russia, Iran and North Korea pose similar threats?
0:41:32: How can we surface single points of failure from secondary sources?
0:49:21: Can’t we also do this to our adversaries? Is that a deterrence?
0:53:45: What should our government be doing about this?
0:58:39: How can we incentivize private companies to take action?
1:01:55: What can we do, at home and in our communities?
1:07:19: What’s next for UnDisruptable27?
1:10:47: Some final thoughts
1:15:03: Patron bonus content
1:15:29: Looking ahead

May 12, 2025 (1h 16m)

Disable Your MAID

As we learned last week from Zach Edwards, our smartphones have a globally unique mobile ad ID, or MAID, that is automatically associated with everything we do on our phones… unless we take explicit steps to turn this off. Today I’ll tell you how this works and why you should disable this insidious form of tracking. In other news: the FTC warns us about a new type of scam; dating app Raw exposed sensitive user data; a determined reporter documents his efforts to disable all the AI features in his Google phone; “juice jacking” is back with a tricky twist; Apple’s AirPlay has a vulnerability whose fix may not reach all devices; Microsoft is pushing hard for passwordless accounts; Google Wallet allows you to verify your age without giving up personal info; and there’s a new and troubling update to the Signalgate saga.

Article Links
[lifehacker.com] The FTC Is Warning Consumers About a Scam on Discounted Monthly Bills https://lifehacker.com/money/ftc-monthly-services-scam
[techcrunch.com] Dating app Raw exposed users’ location data and personal information https://techcrunch.com/2025/05/02/dating-app-raw-exposed-users-location-data-personal-information/
[cnet.com] I Tried to Turn Off the AI on My Pixel 9. It Wasn’t Easy https://www.cnet.com/tech/mobile/i-tried-to-turn-off-the-ai-on-my-pixel-9-it-wasnt-easy/
[arstechnica.com] iOS and Android juice jacking defenses have been trivial to bypass for years https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/
[wired.com] Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi https://www.wired.com/story/airborne-airplay-flaws/
[Bleeping Computer] Microsoft makes all new accounts passwordless by default https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-all-new-accounts-passwordless-by-default/
[blog.google] It’s now easier to prove age and identity with Google Wallet https://blog.google/products/google-pay/google-wallet-age-identity-verifications/
[404media.co] Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages https://www.404media.co/mike-waltz-accidentally-reveals-obscure-app-the-government-is-using-to-archive-signal-messages/

Tip of the Week: Disable your Mobile Ad ID: https://firewallsdontstopdragons.com/disable-your-mobile-ad-id/

Bonus Links
[consumerreports.org] Using Contactless Payments on Your Phone? Take These Smart Steps. https://www.consumerreports.org/money/digital-payments/using-contactless-payments-on-phone-take-these-smart-steps-a1152343770/
Micah Lee’s TM SGNL blogs:
https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:01:09: News preview
0:03:38: FTC Warning Consumers About a Scam on Discounted Monthly Bills
0:06:51: Dating app Raw exposed users’ location data and personal information
0:13:31: I Tried to Turn Off the AI on My Pixel 9. It Wasn’t Easy
0:20:30: iOS and Android juice jacking defenses have been trivial to bypass for years
0:29:07: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
0:35:06: Microsoft makes all new accounts passwordless by default
0:40:35: It’s now easier to prove age and identity with Google Wallet
0:47:42: Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages
0:57:06: CR report on payment apps
0:57:54: Tip of the Week: Disable Your MAID
1:04:05: Looking ahead
1:05:00: Patron podcast preview

May 5, 2025 (1h 6m)

Riding the Data Gravy Train

Data brokers are out of control. While we think of them gathering data in order to target us with ads, they can actually use the targeted ad system (real-time bidding) to collect vast quantities of personal information. It’s a very shady business and the primary players are trying hard to obfuscate what they’re doing. Thankfully, we have people like my guest, Zach Edwards, whose investigations are ripping the cover off of these unscrupulous practices.

Interview Notes
Zach Edwards: https://www.linkedin.com/in/zedwards/
Zach at Silent Push: https://www.silentpush.com/team/zach-edwards/
Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
Disable mobile ad ID (iOS): https://ssd.eff.org/module/how-to-get-to-know-iphone-privacy-and-security-settings#disable-ad-tracking
Disable mobile ad ID (Android): https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-ad-tracking

Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:01:15: Last call for dragon coins!
0:01:57: Interview setup
0:03:01: Lingo definitions
0:05:05: How did you get into ad tracking as a profession?
0:12:57: How does Real-Time Bidding work?
0:16:16: Who are the big players in this space?
0:28:25: How does RTB leak data about us?
0:42:47: How much info about us is actually inferred rather than explicit?
0:46:09: Who else is looking to get hold of this ad data?
0:50:33: How else is our data being abused?
0:54:13: How does my data being leaked impact other people?
0:56:04: Are government agencies doing enough to protect our data?
0:57:53: Have we managed to fix any of the RTB system problems?
0:59:56: Is there a way to have targeted ads AND privacy?
1:05:31: So what can we do about this?
1:09:26: Wrap-up: revisiting email aliases
1:12:51: Patron bonus content preview
1:13:33: Looking ahead

Apr 28, 2025 (1h 14m)

Travel Insecurity

Going through border security today – even just returning to your own country – is not as simple and stress-free as it should be. The likelihood of our digital devices being searched by a border agent has increased in recent years and political sensitivities today can be high. Our devices have access to a ridiculous amount of extremely personal information. How can we protect ourselves? The answers aren’t great, but I’ll give the current best advice from immigration lawyers and civil rights groups. In other news: the Apple-UK data privacy court case will be at least partially public; some companies are ignoring automated opt-out signals; Waymo may use interior car video to train its AI; data breaches at Hertz and a Planned Parenthood medical lab; air travel group paints a picture of future use of facial recognition; San Francisco police have a new surveillance center; Ukraine drones come with anti-Russian malware; judge rules that ‘cell tower dumps’ require a warrant.

Article Links
[bbc.com] Apple-UK data privacy row should not be secret, court rules https://www.bbc.com/news/articles/cvgn1lz3v4no
[innovation.consumerreports.org] New Report: Many Companies May Be Ignoring Opt-Out Requests Under State Privacy Laws https://innovation.consumerreports.org/new-report-many-companies-may-be-ignoring-opt-out-requests-under-state-privacy-laws/
[techcrunch.com] Waymo may use interior camera data to train generative AI models, but riders will be able to opt out https://techcrunch.com/2025/04/08/waymo-may-use-interior-camera-data-to-train-generative-ai-models-sell-ads/
[Bleeping Computer] US lab testing provider exposed health data of 1.6 million people https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/
[9to5mac.com] PSA: Hertz belatedly says customer personal data stolen, inc credit card details https://9to5mac.com/2025/04/15/psa-hertz-belatedly-says-customer-personal-data-stolen-inc-credit-card-details/
[theguardian.com] Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans https://www.theguardian.com/world/2025/apr/11/boarding-passes-and-check-in-to-be-scrapped-in-air-travel-shake-up-plans
[cbsnews.com] San Francisco Police’s new surveillance hub being credited with 20% drop in crime https://www.cbsnews.com/sanfrancisco/news/san-francisco-police-surveillance-hub-real-time-investigation-center/
[forbes.com] Russians Capture Ukrainian Drones Which Infect Their Systems With Malware https://www.forbes.com/sites/vikrammittal/2025/04/02/russians-capture-ukrainian-drones-which-infect-their-systems-with-malware/
[404media.co] Judge Rules Blanket Search of Cell Tower Data Unconstitutional https://www.404media.co/judge-rules-blanket-search-of-cell-tower-data-unconstitutional/

Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity/

Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
How and why to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:24: Update Apple stuff
0:00:42: Dragon coin promo!
0:01:32: News preview
0:04:11: Apple-UK data privacy row should not be secret, court rules
0:08:14: Many Companies May Be Ignoring Opt-Out Requests
0:14:20: Waymo may use interior camera data to train generative AI models
0:19:56: US lab testing provider exposed health data of 1.6 million people
0:24:22: Hertz belatedly says customer personal data stolen, inc credit card details
0:27:18: Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans
0:30:58: San Francisco Police’s new surveillance hub being credited with 20% drop in crime
0:38:06: Russians Capture Ukrainian Drones Which Infect Their Systems With Malware
0:42:34: Judge Rules Blanket Search of Cell Tower Data Unconstitutional
0:46:31: Tip of the Week: Travel Insecurity
1:03:57: Wrap-up
1:04:17: Merlin’s Musings preview
1:04:59: Looking ahead

Apr 21, 2025 | 1h 5m

Life on the Blue Team

It’s easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we’ll delve into the world of the “blue team” – the defenders who are charged with protecting your data and the services you depend on – with cyber expert Oz Jones. Along the way, we’ll learn valuable lessons for everyone.

Interview Notes
Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/
Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
CIS Controls: https://www.cisecurity.org/controls
Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html

Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:29: Patron promo is LIVE!
0:01:16: Correction
0:01:49: Interview setup
0:04:44: Jargon definitions
0:06:39: How did you get into cyber incident response?
0:09:56: What does it mean to be on the Blue Team?
0:13:25: What are the most impactful cyber threats to companies today?
0:16:34: Are people or companies most at risk for ransomware attacks?
0:19:57: What impact has cyber insurance had on cyber security?
0:21:02: What are the most common types of attacks on companies?
0:23:59: How should companies educate their employees about cyber threats?
0:30:48: How does working from home or using personal devices impact cyber attacks?
0:35:22: How can you protect your company against supply chain attacks?
0:38:45: What resources are available to help companies prepare?
0:41:07: How can we detect attacks and malware infections?
0:44:22: After an attack, how do you respond?
0:48:05: What are my legal obligations for notifying my customers?
0:50:25: Are table top simulations useful?
0:52:07: Are there incident response consultants you can hire?
0:53:05: Can you recommend some helpful resources?
0:56:11: As consumers, how can we make better choices?
0:58:22: Interview wrap-up
1:01:51: Troy Hunt was pwned
1:03:04: Patron bonus preview
1:04:32: Looking ahead

Apr 14, 2025 | 1h 5m

Differential Privacy

When we collect a lot of personal data, say via the US Census, the goal is to glean important aggregate information and statistics, while somehow preserving the anonymity and privacy of the individual respondents. There’s a rigorous mathematical process for doing this – that’s actually not that hard to understand – called Differential Privacy. I’ll explain how it works. In the news: iOS has a new location privacy setting; Google confirms it’s rolling out AI to Gmail; Windows makes it much harder to avoid creating a Microsoft Account; WhatsApp is rolling out AI in Europe with no way to opt out; Switzerland is considering undermining encrypted communications; 23andMe is going bankrupt – it’s time to delete your data; France rejects a backdoor mandate; and finally, I have a lot to say about the US officials’ Signal chat debacle.

Article Links
[9to5mac.com] iOS 18.4 includes a new location services privacy setting for your iPhone https://9to5mac.com/2025/04/02/ios-iphone-new-location-services-privacy-toggle/
[forbes.com] Google Confirms Gmail Upgrade—3 Billion Users Must Now Decide https://www.forbes.com/sites/zakdoffman/2025/03/22/google-confirms-gmail-upgrade-3-billion-users-must-now-decide/
[windowscentral.com] Microsoft will force Windows 11 installs to use a Microsoft Account — confirms removal of popular setup bypass https://www.windowscentral.com/software-apps/windows-11/microsoft-will-force-windows-11-installs-to-use-a-microsoft-account-confirms-removal-of-popular-setup-bypass
[Bleeping Computer] WhatsApp’s Meta AI is now rolling out in Europe, and it can’t be turned off https://www.bleepingcomputer.com/news/artificial-intelligence/whatsapps-meta-ai-is-now-rolling-out-in-europe-and-it-cant-be-turned-off/
[techradar.com] Secure encryption and online anonymity are now at risk in Switzerland – here’s what you need to know https://www.techradar.com/vpn/vpn-privacy-security/secure-encryption-and-online-anonymity-are-now-at-risk-in-switzerland-heres-what-you-need-to-know
[arstechnica.com] FTC: 23andMe buyer must honor firm’s privacy promises for genetic data https://arstechnica.com/tech-policy/2025/04/ftc-watching-23andme-bankruptcy-sale-for-impact-on-users-genetic-data/
[schneier.com] The Signal Chat Leak and the NSA https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html
[eff.org] A Win for Encryption: France Rejects Backdoor Mandate https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate
How Differential Privacy Works: https://firewallsdontstopdragons.com/how-differential-privacy-works/

Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:28: Coin promo teaser
0:02:47: News preview
0:05:21: iOS 18.4 includes a new location services privacy setting
0:10:09: Google Confirms Gmail AI Upgrade
0:16:41: Microsoft will force Windows 11 installs to use a Microsoft Account
0:20:57: WhatsApp’s Meta AI is now rolling out in Europe
0:23:32: Secure encryption and online anonymity are now at risk in Switzerland
0:27:33: FTC: 23andMe buyer must honor firm’s privacy promises for genetic data
0:35:09: The Signal Chat Leak
0:53:05: A Win for Encryption: France Rejects Backdoor Mandate
0:56:14: Tip of the Week: Differential Privacy
1:06:20: Coin promo details
1:11:04: Merlin’s Musings topic
1:11:29: Looking ahead
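The episode summary above names the goal of Differential Privacy (useful aggregate statistics, no answer that gives away one respondent) without showing the mechanism. Here is an added worked example, written for this page and not code from the podcast or its linked article, of the Laplace mechanism applied to a counting query. The respondent list is constructed sample data, not real survey records, and the epsilon values are illustrative. It shows the three things a practitioner cares about: the noise scale follows from the query’s sensitivity (one person moves a count by at most 1), the probability of any given answer changes by at most a factor of exp(epsilon) when one person is added or removed, and the “differencing attack” that motivates all of this (ask with and without one person, subtract) is swamped by the noise. It also shows the cost: averaging repeated answers recovers the true count, but every answer spends epsilon of the privacy budget.

```python
import math
import random

# Constructed sample "survey" (not real data): one record per respondent.
RECORDS = [
    {"name": "Alice", "smoker": True},
    {"name": "Bob", "smoker": False},
    {"name": "Carol", "smoker": True},
    {"name": "Dave", "smoker": False},
    {"name": "Erin", "smoker": False},
    {"name": "Frank", "smoker": True},
    {"name": "Grace", "smoker": False},
    {"name": "Heidi", "smoker": True},
]


def is_smoker(record) -> bool:
    return record["smoker"]


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF."""
    while True:
        u = rng.random() - 0.5                      # u in [-0.5, 0.5)
        if u != -0.5:                               # avoid log(0)
            return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def private_count(records, predicate, epsilon: float, rng: random.Random) -> float:
    """Laplace mechanism for a counting query. Adding or removing one person
    changes a count by at most 1 (sensitivity 1), so Laplace noise of scale
    1/epsilon gives epsilon-differential privacy."""
    true_count = sum(1 for r in records if predicate(r))
    return true_count + laplace_sample(1.0 / epsilon, rng)


def laplace_pdf(x: float, mu: float, scale: float) -> float:
    return math.exp(-abs(x - mu) / scale) / (2.0 * scale)


def privacy_guarantee(epsilon: float) -> float:
    """The bound DP promises: no output is more than exp(epsilon) times likelier
    under one dataset than under a neighbour that differs in one person."""
    return math.exp(epsilon)


def density_ratio(count_a: int, count_b: int, output: float, epsilon: float) -> float:
    """Likelihood of seeing `output` from a dataset whose true count is count_a
    versus a neighbouring dataset whose true count is count_b (they differ by
    at most 1). Never exceeds privacy_guarantee(epsilon), whatever the output."""
    scale = 1.0 / epsilon
    return laplace_pdf(output, count_a, scale) / laplace_pdf(output, count_b, scale)


def differencing_attack(records, target_name: str, epsilon: float, seed: int):
    """The attack DP blunts: query the count with and without one person and
    subtract. Returns (exact_difference, noisy_difference). Without noise the
    difference is exactly the target's answer; with noise it is swamped."""
    rng = random.Random(seed)
    without = [r for r in records if r["name"] != target_name]
    exact = sum(map(is_smoker, records)) - sum(map(is_smoker, without))
    noisy = (private_count(records, is_smoker, epsilon, rng)
             - private_count(without, is_smoker, epsilon, rng))
    return exact, noisy


def average_noisy_count(records, epsilon: float, n_queries: int, seed: int):
    """The utility/budget trade-off: averaging many independent answers converges
    on the true count, but each answer spends epsilon, so by sequential
    composition the total privacy loss is n_queries * epsilon."""
    rng = random.Random(seed)
    total = sum(private_count(records, is_smoker, epsilon, rng) for _ in range(n_queries))
    return total / n_queries, n_queries * epsilon


if __name__ == "__main__":
    eps = 0.5  # illustrative budget; smaller is more private, noisier
    print("one private answer:", round(private_count(RECORDS, is_smoker, eps, random.Random(42)), 2))
    print("differencing attack (exact, noisy):", differencing_attack(RECORDS, "Alice", eps, seed=7))
    print("worst-case density ratio vs bound:", density_ratio(4, 5, 3.0, eps), privacy_guarantee(eps))
    print("mean of 4000 answers, budget spent:", average_noisy_count(RECORDS, eps, 4000, seed=1))
```

The mechanism is only as private as the budget accounting around it: every released answer, including ones an analyst averages “to get a cleaner number”, must be charged against epsilon, which is why production deployments such as the Census track a global budget rather than trusting each query in isolation.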

Apr 7, 2025 | 1h 12m

Microscoping Our Apps

We’ve been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what’s in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don’t fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they’re really doing.

Interview Notes
Internet Safety Labs: https://internetsafetylabs.org/
App Microscope: https://appmicroscope.org/
Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/
Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
Exodus Privacy: https://exodus-privacy.eu.org/en/
Henrietta Lacks: https://en.wikipedia.org/wiki/Henrietta_Lacks

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
My social media: https://firewallsdontstopdragons.com/contact/
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
0:00:00: Intro
0:00:31: Note on 23andMe
0:01:35: Follow my social media
0:01:58: Signal debacle
0:02:39: Interview setup
0:07:06: What is Internet Safety Labs and what do you do there?
0:09:49: What are the privacy risks with EdTech?
0:16:31: How did the pandemic impact EdTech software?
0:19:02: How does the “notice and consent” model work with EdTech software?
0:25:26: Do app makers even know what’s in their own software?
0:28:11: How do ads inside our apps get there?
0:30:45: How does App Microscope work?
0:32:33: How does safety differ from security?
0:34:37: What can you learn from the data and metadata an app generates?
0:37:22: Do you study “dark patterns” in apps?
0:41:42: How do you determine the software makeup of a given app?
0:47:10: How accurate are the app privacy “nutrition” labels?
0:51:58: How important are the non-technical aspects of an app for safety?
0:56:33: How do I use the App Microscope tool?
1:00:38: How can we support your efforts?
1:04:41: Interview follow-up
1:08:51: Burp Suite info
1:09:32: Patron bonus preview
1:10:27: Looking ahead

Mar 31, 2025 | 1h 10m

It’s Tax (Scam) Time Again

Tax time is once again upon us here in the USA, which means that the tax scammers are coming out of the woodwork. Many will claim to be representing the IRS, claiming that there is an urgent need to fix a problem with your return, threatening penalties if you don’t pay them money. Others will simply try to file fake returns in your name, but send the massive false refund checks to themselves. I’ll help you spot and avoid these scams. In other news: Apple’s Passwords app was vulnerable to phishing attacks (now fixed); Amazon is forcing Echo owners to share voice recordings; the Bluetooth chip “backdoor” that wasn’t; Captchas were used by Google to digitize books and Street View images; ICE uses a third party tool to scrape tons of your data; beware of online file converters; Clearview AI attempted to buy millions of mugshots; RCS messaging will soon allow end-to-end encrypted chats between iPhones and Android phones.

Article Links
[9to5mac.com] Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch https://9to5mac.com/2025/03/18/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch/
[arstechnica.com] Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/
[darkmentor.com] The ESP32 “backdoor” that wasn’t https://darkmentor.com/blog/esp32_non-backdoor/
[techradar.com] Captcha if you can: how you’ve been training AI for years without realising it https://www.techradar.com/news/captcha-if-you-can-how-youve-been-training-ai-for-years-without-realising-it
[404media.co] The 200+ Sites an ICE Surveillance Contractor is Monitoring https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/
[malwarebytes.com] Warning over free online file converters that actually install malware https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware
[404media.co] Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database https://www.404media.co/facial-recognition-company-clearview-attempted-to-buy-social-security-numbers-and-mugshots-for-its-database/
[appleinsider.com] RCS messaging will get end-to-end encryption on iPhone https://appleinsider.com/articles/25/03/14/rcs-messaging-will-get-end-to-end-encryption-on-iphone
Tip of the Week: https://firewallsdontstopdragons.com/its-tax-scam-time/

Further Info
Data Diva interview: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker
Malwarebytes interview: https://www.malwarebytes.com/blog/podcast/2025/03/what-google-chrome-knows-about-you-with-carey-parker-lock-and-code-s06e06
Amazon Mechanical Turk: https://en.wikipedia.org/wiki/Amazon_Mechanical_Turk
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:00:21: Guest appearances
0:01:22: News preview
0:03:50: Apple’s Passwords app was vulnerable to phishing attacks for nearly three months
0:10:41: Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out
0:21:30: The ESP32 “backdoor” that wasn’t
0:29:16: Captcha if you can: how you’ve been training AI for years without realising it
0:35:08: The 200+ Sites an ICE Surveillance Contractor is Monitoring
0:43:10: Warning over free online file converters that actually install malware
0:46:00: Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database
0:49:31: RCS messaging will get end-to-end encryption on iPhone
0:53:02: Tip of the Week
0:57:26: Wrap-up

Mar 24, 2025 | 58 min

All Things Secured

Josh Summers lived in China for many years and learned a lot about privacy and security. Since he left, he’s made it his mission to share this knowledge through his website and YouTube channel called All Things Secured – helping regular, everyday people like you and me to protect our data and devices. Today we’ll talk specifically about improving your security and privacy on iPhones and Android phones, and even some alternatives outside the Apple and Google ecosystems.

Interview Notes
All Things Secured: https://www.allthingssecured.com/
All Things Secured YouTube: https://www.youtube.com/@AllThingsSecured
Apple iPhone Lockdown Mode: https://support.apple.com/en-us/105120
Apple Stolen Device Protection: https://support.apple.com/en-us/120340
Apple Advanced Data Protection: https://support.apple.com/en-us/108756
Android Theft Protection: https://blog.google/products/android/android-theft-protection/
Google Advanced Protection Program: https://landing.google.com/advancedprotection/faq/
iPhone hide/lock apps: https://support.apple.com/guide/iphone/lock-or-hide-or-an-app-iph00f208d05/ios
Cryptomator: https://cryptomator.org/
OsmAnd maps: https://osmand.net/
Jitsi video conferencing: https://jitsi.org/
Hoody AI: https://hoody.com/ai
DuckDuckGo AI: https://duck.ai/
GrapheneOS: https://grapheneos.org/

Further Info
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
0:00:14: Intro
0:00:27: Couple quick news items
0:01:59: Interview setup
0:02:47: How did you come to start All Things Secured?
0:04:41: What’s it like living in China, from a privacy perspective?
0:07:26: What are the basic security and privacy risks with a smartphone?
0:11:21: How do iPhones compare to Android phones?
0:13:35: How does Android’s multi-level ecosystem impact security?
0:16:42: How secure are smartphones against remote attacks?
0:19:39: Can you protect your smartphone against direct physical access?
0:25:20: What are some of the latest and greatest smartphone security features?
0:35:51: What if we don’t trust Apple or Google’s security?
0:40:05: If we don’t trust Apple or Google apps, which ones should we consider using?
0:45:35: How can we protect our privacy with AI?
0:53:08: Are there better smartphone options beyond iOS and Android?
0:56:27: What worries you most? What gives you hope?
0:58:54: How can we learn more from you?
1:00:01: Interview wrap-up
1:00:55: Patron bonus content
1:01:55: Guest appearances
1:02:47: Looking ahead

Mar 17, 2025 | 1h 4m

Slay Browser Ads Forever

Google’s Chrome browser is rolling out changes that will hamstring ad blockers – so there’s never been a better time to try a better browser. There are a handful of good options, but I’m going to recommend that you try Firefox with a fantastic ad blocker called uBlock Origin. If you’ve never tried this powerful combination, you won’t believe what you’ve been missing. In other news: the UK scrubs all encryption advice from government sites; Signal’s CEO threatens to leave Sweden over backdoor demands; UK private health services hit by Medusa ransomware; Australian IVF provider has patient data stolen; Brazil gives Apple 90 days to allow sideloading of apps; millions of Android TVs hijacked by a botnet; Qualcomm and Google team up to offer 8 years of Android updates; Google rolls out AI voice call scam detector; and confusion over Trump admin orders regarding Russia cyber threats.

Article Links
[techcrunch.com] UK quietly scrubs encryption advice from government websites https://techcrunch.com/2025/03/06/uk-quietly-scrubs-encryption-advice-from-government-websites/
[swedenherald.com] Signal’s CEO: Then We’re Leaving Sweden https://swedenherald.com/article/signals-ceo-then-were-leaving-sweden
[theregister.com] Medusa ransomware gang demands $2M from UK private health services provider https://www.theregister.com/2025/02/20/medusa_hcrg_ransomware/
[techcrunch.com] Hackers publish sensitive patient data allegedly stolen from Australian IVF provider Genea https://techcrunch.com/2025/02/26/hackers-publish-sensitive-patient-data-allegedly-stolen-from-australian-ivf-provider-genea/
[9to5mac.com] Brazilian court gives Apple 90 days to allow sideloading on iOS https://9to5mac.com/2025/03/06/brazilian-court-apple-sideloading-ios/
[tomsguide.com] Millions of Android TVs hijacked in massive botnet https://www.tomsguide.com/computing/online-security/millions-of-android-tvs-hijacked-in-massive-botnet-how-to-see-if-yours-is-at-risk
[arstechnica.com] Qualcomm and Google team up to offer 8 years of Android updates https://arstechnica.com/gadgets/2025/02/qualcomm-and-google-team-up-to-offer-8-years-of-android-updates/
[The Hacker News] Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud https://thehackernews.com/2025/03/google-rolls-out-ai-scam-detection-for.html
[zetter-zeroday.com] Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-cisa-to-stand-down-on-russia/
[theregister.com] uBlock Origin dead for many as Google purges Manifest v2 extensions https://www.theregister.com/2025/02/24/google_v2_eol_v3_rollout/
Tip of the Week: Slay Browser Ads: https://firewallsdontstopdragons.com/dragon-hacks-slay-browser-ads/

Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Check out my dragon challenge coin: https://fdsd.me/coin2
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:00:26: Update your Android devices
0:00:47: News rundown
0:02:50: UK quietly scrubs encryption advice from government websites
0:08:45: Signal’s CEO: Then We’re Leaving Sweden
0:11:01: Medusa ransomware gang hits UK health services provider
0:15:32: Hackers publish patient data allegedly from Australian IVF provider
0:19:13: Brazilian court gives Apple 90 days to allow sideloading on iOS
0:22:32: Millions of Android TVs hijacked in massive botnet
0:32:17: Qualcomm and Google offer 8 years of Android updates
0:39:18: Google Rolls Out AI Scam Detection for Android
0:45:09: Did Trump Admin Order U.S. to Stand Down on Russia?
0:54:39: uBlock Origin dead for many as Google purges Manifest v2 extensions
0:59:53: Tip of the Week: Slay Browser Ads
1:04:06: Looking ahead
1:04:54: Patron info

Mar 10, 2025 | 1h 7m

Back to The L0pht

Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We’ll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them.

Interview Notes
Veracode: https://www.veracode.com/
L0pht.com: https://l0pht.com/
L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY
DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM
MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up
The Open Organisation Of Lockpickers (TOOOL): https://toool.us/
2600: https://www.2600.com/
Classic engineering references: https://bitsavers.org/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Intro
0:00:40: Interview setup
0:03:19: How did you come to be in The L0pht?
0:08:36: How did meeting in real life as well as online affect L0pht’s dynamics?
0:09:34: How did you find so much free and abandoned computer hardware?
0:13:44: How did you manage to just drive your van in the NSA parking lot?
0:19:20: What has been the lasting impact of your Congressional testimony in 1998?
0:21:45: How did you come to invite cyber czar Richard Clarke to The L0pht?
0:27:17: How have hackers pushed back against overreach from corporations?
0:36:05: Why are lockpicking and computer hacking so closely related?
0:40:55: Is it easier or harder to be a hacker today versus when you started?
0:45:56: Are we still fighting the Crypto Wars of the 90s? Are we winning?
0:51:17: Are there any glaring misconceptions about The L0pht you’d like to fix?
0:55:16: Where are The L0pht folks now and what are they up to?
0:57:51: Interview wrap-up
1:00:59: Patron bonus preview
1:01:35: Looking ahead

Mar 3, 2025 | 1h 3m

Onion Routing

Not all Privacy Enhancing Technologies are new – but this one is probably new to you. Onion routing was developed in the 1990s by the US government and is the basis for the Tor Network. Onion routing does one thing very well: it masks your actual IP address. While you can use a VPN for this purpose, onion routing adds a different layer of anonymity – and it’s just a cool technology. Today I’ll explain how it works, how to use it, and the pros and cons of doing so. In other news: Bitly is leveraging its URL-shortening empire to monetize your links; a major car company is experimenting with in-car pop up ads; a cautionary tale about law enforcement’s access to private phone data; Russian spies are using a clever new phishing technique to gain access to Microsoft 365 accounts; Apple pulls its Advanced Data Protection feature from the UK market in response to demands to ‘backdoor’ its encryption; and whatever your political beliefs, the chaos and careless changes made by the DOGE group are seriously undermining national security.

Article Links
[tedium.co] Broken Bits https://tedium.co/2025/02/07/bitly-terms-of-service-change/
[techstory.in] Stellantis Introduces Pop-Up Ads in Vehicles, Sparking Outrage Among Owners https://techstory.in/stellantis-introduces-pop-up-ads-in-vehicles-sparking-outrage-among-owners/
[arstechnica.com] No warrant or crimes—but Oregon woman’s nudes were shared after illegal phone search https://arstechnica.com/tech-policy/2025/02/no-warrant-or-crimes-but-oregon-womans-nudes-were-shared-after-illegal-phone-search/
[arstechnica.com] Russian spies use device code phishing to hijack Microsoft accounts https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/
[bbc.com] Apple pulls data protection tool after UK government security row https://www.bbc.com/news/articles/cgj54eq4vejo
[schneier.com] DOGE as a National Cyberattack https://www.schneier.com/blog/archives/2025/02/doge-as-a-national.html
Tip of the Week: How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/

Further Info
Safe link shortener: https://kutt.it/
Read before using the Tor Browser: https://www.privacyguides.org/en/tor/
Tor Browser: https://www.torproject.org/download/
Onion sites that don’t suck: https://github.com/neilzone/onion-sites-that-dont-suck
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: News preview
0:02:19: Broken Bits
0:13:50: Stellantis Introduces Pop-Up Ads in Vehicles
0:20:28: Oregon woman’s nudes were shared after illegal phone search
0:28:03: Russian spies use device code phishing to hijack Microsoft accounts
0:35:07: Apple pulls data protection tool after UK government security row
0:45:58: DOGE as a National Cyberattack
0:59:54: Tip of the Week: Onion Routing
1:11:53: Wrap-up
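The summary above says onion routing masks your IP address by adding layers; the property worth seeing in code is that each relay can peel exactly one layer and therefore learns only the hop before it and the hop after it. The following is an added example written for this page, not the podcast’s code and not Tor’s: a three-relay circuit where the client wraps its message in three layers of encryption and each relay strips one. It assumes the client already shares a symmetric key with each relay (Tor negotiates these with a key-exchange handshake when it builds the circuit; that step is omitted), and it uses SHA-256 in counter mode plus HMAC as a toy encrypt-then-MAC layer so it runs on the standard library alone, where Tor uses AES-CTR. Relay names, addresses and the request bytes are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 run in counter mode: a toy stream cipher so the example needs only
    # the standard library. Tor uses AES-CTR for its relay cells.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one onion layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Peel one layer. Fails closed if the tag does not verify, so a relay cannot
    be tricked into forwarding a layer that was modified in transit, and a relay
    holding the wrong key cannot peel a layer meant for another hop."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer rejected: bad tag (tampered, or wrong relay key)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(route, destination: str, payload: bytes) -> bytes:
    """route is [(relay_name, key_shared_with_that_relay), ...] from entry to exit.
    Layers are wrapped inside-out: the exit's layer names the real destination,
    and each earlier layer names only the next relay."""
    layer = seal(route[-1][1], json.dumps({"next": destination, "inner": payload.hex()}).encode())
    for (_, key), (next_name, _) in zip(reversed(route[:-1]), reversed(route[1:])):
        layer = seal(key, json.dumps({"next": next_name, "inner": layer.hex()}).encode())
    return layer


def run_circuit(route, client_addr: str, destination: str, payload: bytes):
    """Simulate the relays. Returns the bytes handed to the destination and, per
    relay, the only addressing information it could see: who handed it the cell
    and where it was told to forward the result."""
    blob = build_onion(route, destination, payload)
    observed = {}
    prev_hop = client_addr
    for name, key in route:
        cell = json.loads(unseal(key, blob))
        observed[name] = {"from": prev_hop, "to": cell["next"]}
        prev_hop = name
        blob = bytes.fromhex(cell["inner"])
    return blob, observed


if __name__ == "__main__":
    # Constructed demo: three relays whose keys are assumed already negotiated.
    demo_route = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
    delivered, seen = run_circuit(demo_route, "203.0.113.7", "example.org", b"GET / HTTP/1.1")
    for relay, view in seen.items():
        print(f"{relay:6s} saw from={view['from']:12s} to={view['to']}")
    print("delivered:", delivered)
```

Two caveats the simulation makes visible. The exit relay sees the destination and the payload in the clear, which is why the Tor guidance linked above insists on HTTPS inside the circuit; and every relay can see the size of what it forwards, which is why Tor pads traffic into fixed-size cells rather than letting the shrinking blob hint at a hop’s position in the circuit.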

Feb 24, 2025 | 1h 13m

Security Planner

Generic security advice is good, but tailored advice is much better. Everyone’s situation is a little different. What are you trying to protect? Who or what are you trying to protect it from? What are the consequences of failure? This is called threat modeling. And thankfully, the wonderful folks at Consumer Reports have a free, easy-to-use Security Planner tool that will help anyone do this assessment and provide custom solutions. My guest today is Yael Grauer, who will help us understand how to think about our security and how the CR tool can help you protect your data and devices.

Interview Notes
Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/
Yael’s website: https://yaelwrites.com/
Big Ass Data Broker Opt Out List (BADBOOL): https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List
Consumer Reports advocacy: https://advocacy.consumerreports.org/
CR’s Digital Standard: https://thedigitalstandard.org/
CR’s Consumer Cyber Readiness Report 2024 (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/09/2024-Consumer-Cyber-Readiness-Report.pdf
How to choose a PIN code: https://firewallsdontstopdragons.com/how-to-choose-a-pin/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:01:07: Interview setup
0:02:35: Yael introduction
0:04:19: What questions should we answer to get useful security advice?
0:06:41: How does Security Planner work?
0:08:03: How does Security Planner tailor its suggestions?
0:10:58: How do you decide what the most important factors are for security?
0:15:11: What might trigger me to re-run this tool and get a fresh report?
0:17:18: How does Consumer Reports research its recommendations?
0:19:59: How does CR vet the products and services that it recommends?
0:23:18: How do you weight things like convenience and ease of use?
0:27:34: Is it okay to make people pay for basic security features?
0:35:08: What role should government play in pushing for better security?
0:36:55: How important is transparency for driving better security?
0:39:15: What did the CR Cyber Readiness survey reveal?
0:43:22: Why do we choose bad passwords?
0:45:55: Why don’t companies provide better support for security problems?
0:51:39: What’s next for you and CR? How do we get updates?
0:53:43: Interview wrap-up
0:56:20: Patron bonus content preview
0:57:06: Looking ahead

Feb 17, 2025 | 58 min

Crypto Wars 2.0

Privacy is a human right – and you don’t have to justify rights, you just have them. That’s kinda the whole point. But you do need to exercise them and defend them sometimes. It has been leaked that the UK is telling Apple to reveal the encrypted data of every single one of their users to the UK government under the auspices of the Investigatory Powers Act (and its recent controversial Amendment). This would be a privacy and security disaster, and we were not even supposed to know about it. In other news: Netgear warns of serious router bugs (so update your firmware now); the DeepSeek AI app has serious security and privacy problems, but the AI model has real promise in other ways; AngelSense personal customer data exposed; cybercrime groups exploit 7-Zip app flaws to bypass Windows protections; some clever Mac and iOS malware making the rounds; new Android Identity Check feature released; and I introduce some Privacy Enhancing Technologies.

Article Links
[Bleeping Computer] Netgear warns users to patch critical WiFi router vulnerabilities https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-critical-wifi-router-vulnerabilities/
[krebsonsecurity.com] Experts Flag Security, Privacy Risks in DeepSeek AI App https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/
[techcrunch.com] AngelSense exposed location data and personal information of tracked users https://techcrunch.com/2025/01/30/angelsense-exposed-location-data-and-personal-information-of-tracked-users/
[The Hacker News] Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html
[appleinsider.com] New macOS malware disguises itself as Chrome & Zoom installers https://appleinsider.com/articles/25/02/04/new-macos-malware-disguises-itself-as-chrome-zoom-installers
[macrumors.com] Apple Removed Apps Infested With Screen Reading Malware https://www.macrumors.com/2025/02/06/apple-removed-screen-reading-malware-apps/
[Bleeping Computer] New Android Identity Check locks settings outside trusted locations https://www.bleepingcomputer.com/news/security/new-android-identity-check-locks-settings-outside-trusted-locations/
[theverge.com] Apple ordered to open encrypted user accounts globally to UK spying https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter
Tip of the Week: https://firewallsdontstopdragons.com/privacy-enhancing-technologies-pet/

Further Info
Securing your router: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/
Objective-See tools: https://objective-see.org/
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:06: Intro
0:00:20: Tax scams, ID.me
0:02:54: News preview
0:05:01: Netgear router vulnerabilities
0:08:17: DeepSeek AI has security problems, but also shows promise
0:19:36: AngelSense exposed personal information of tracked users
0:26:23: Russian Cybercrime Groups Exploiting 7-Zip Flaw
0:35:44: macOS stealer malware disguises itself as fake installer
0:42:30: New Apple malware uses OCR to mine secrets
0:46:00: New Android Identity Check locks settings outside trusted locations
0:49:10: Apple ordered to open encrypted user accounts globally to UK spying
1:04:56: Tip of the Week: Privacy Enhancing Technologies
1:06:36: Looking ahead

Feb 10, 2025 · 1h 8m

Controlling Your Digital ID

In the real world, we present different aspects of ourselves in different environments: home, work, family, friends, school, etc. Why can’t we do this in the virtual world, as well? While marketers love to identify us with unique identifiers so they can track us mercilessly, there are tools we can use that will allow us to compartmentalize our digital lives just like we can in the real world. Today we’ll discuss the notion of decentralized identity with Dr. Paul Ashley, CTO of Anonyome Labs, which runs the MySudo service.

Interview Notes
MySudo: https://anonyome.com/individuals/mysudo/
Anonyome Labs: https://anonyome.com/
Open Wallet Foundation: https://openwallet.foundation/
Verifiable Credentials (W3C): https://www.w3.org/TR/vc-data-model/
Privacy is Power interview: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/
EFF on digital wallets: https://www.eff.org/deeplinks/2024/09/digital-id-isnt-everybody-and-thats-okay

Further Info
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:14: Intro
0:00:38: Getting more non-US news stories
0:02:44: Still waiting on big winner to reply
0:03:15: Interview setup
0:05:23: How did Anonyome Labs get started?
0:12:20: Which identifiers are most valuable for tracking people?
0:15:19: Can you explain “decentralized IDs” and “identity wallets”?
0:24:28: Are there open standards for digital ID?
0:29:20: Can digital ID be used to privately verify your age online?
0:32:18: Can email relay companies see all your emails?
0:36:31: How about using a custom domain for creating email aliases?
0:38:50: Don’t a lot of sites reject email and phone numbers from alias services?
0:43:17: Do social media companies allow you to have multiple accounts?
0:46:37: What about ad IDs and fingerprinting?
0:51:21: What happens if your virtual ID company goes bad or goes dark?
0:55:36: Can I trust the virtual ID companies with my privacy?
0:59:07: Are there downsides or gotchas to using services like these?
1:00:51: How can we convince companies to respect our privacy?
1:04:48: What else is MySudo working on?
1:07:41: Interview wrap-up
1:08:17: Patron preview
1:08:42: Looking ahead

Feb 3, 2025 · 1h 9m

Treat Plugins Like Apps

Software plugins allow you to add functionality to existing applications. Web browsers commonly use these extensions to add functionality like shopping helpers, password managers, ad blockers and much, much more. In a way, these add-ons are like “apps” for the browser. Like apps, they can view and manipulate your data. In the browser, they may alter the web page, track pages you visit, and even mine any data you might enter into web forms. Also like apps, plugins can have permissions which you must agree to when you install them. Therefore, we need to be very careful which plugins we install and make sure we trust the maker. Today I’ll explain how to audit your plugins. In other news: the TikTok ban has been given a 75-day reprieve; the Trump administration fires scores of cybersecurity experts; Apple Intelligence will soon be enabled by default on iPhones and Macs; some clever researchers have hacked the iPhone USB-C connection; a tricky new smishing campaign tricks users into bypassing Apple protections; PowerSchool hack affects 62M students and 9M teachers; a new AI tool can identify where a photo was taken; Subaru hack exposes a scary amount of location data collection; fuzzing tool finds over 100 bugs in modern cellular networks; Texas sues Allstate for using private car data; FTC to ban GM from sharing location info; exercise equipment collects lots of personal data; federal court finally rules that Section 702 FISA data access requires a warrant.

Article Links
[theverge.com] Trump signs order refusing to enforce TikTok ban for 75 days: https://www.theverge.com/2025/1/20/24348213/trump-tiktok-ban-executive-order-sale-delay-china
[techcrunch.com] Trump administration fires members of cybersecurity review board in “horribly shortsighted” decision: https://techcrunch.com/2025/01/22/trump-administration-fires-members-of-cybersecurity-review-board-in-horribly-shortsighted-decision/
[macrumors.com] macOS Sequoia 15.3 and iOS 18.3 Enable Apple Intelligence Automatically: https://www.macrumors.com/2025/01/21/macos-sequoia-15-3-apple-intelligence-opt-out/
[9to5mac.com] Security vulnerability in iPhone’s USB-C port, and a gotcha with iMessage scams: https://9to5mac.com/2025/01/14/security-vulnerability-in-iphones-usb-c-port-and-a-gotcha-with-imessage-scams/
[Tech Radar] PowerSchool hack keeps getting worse – 62 million students now thought to be affected: https://www.techradar.com/pro/security/powerschool-hack-keeps-getting-worse-62-million-students-now-thought-to-be-affected
[404media.co] The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds: https://www.404media.co/the-powerful-ai-tool-that-cops-or-stalkers-can-use-to-geolocate-photos-in-seconds/
[wired.com] Subaru Security Flaws Exposed Its System for Tracking Millions of Cars: https://www.wired.com/story/subaru-location-tracking-vulnerabilities/
[The Hacker News] RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations: https://thehackernews.com/2025/01/ransacked-over-100-security-flaws-found.html
[gizmodo.com] Texas Sues Allstate for Collecting Driver Data to Raise Premiums: https://gizmodo.com/texas-sues-allstate-for-collecting-driver-data-to-raise-premiums-2000549878
[techcrunch.com] GM banned from sharing driving and location data with insurance companies: https://techcrunch.com/2025/01/17/gm-banned-from-sharing-driving-and-location-data-with-insurance-companies/
[consumerreports.org] Your Exercise Bike Knows a Lot About You—and It Doesn’t Keep Every Secret: https://www.consumerreports.org/health/health-privacy/exercise-machine-privacy-a3907557984/
[eff.org] VICTORY! Federal Court (Finally) Rules Backdoor Searches of 702 Data Unconstitutional: https://www.eff.org/deeplinks/2025/01/victory-federal-court-finally-rules-backdoor-searches-702-data-unconstitutional
Tip of the Week: Treat Extensions Like Apps: https://firewallsdontstopdragons.com/treat-extensions-like-apps/

Further Info
Data Privacy Week 2025: https://firewallsdontstopdragons.com/data-privacy-week-2025/
Private TikTok web app: https://www.sticktock.com/
Enabling Apple’s Advanced Data Protection: https://support.apple.com/en-us/108756
OSINT location analysis examples: https://gralhix.com/list-of-osint-exercises/osint-exercise-001/
Claw Your Data Back tool: https://cyd.social/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:01:03: Listener survey ended
0:01:37: News preview
0:03:54: Trump signs order refusing to enforce TikTok ban for 75 days
0:10:02: Trump administration

Jan 27, 2025 · 1h 10m

Reclaiming Data Privacy

There are way too many data brokers and they have way too much of our data. We’ve talked a lot lately about what you can do to reclaim your privacy and claw back some of that data, and today I’m going to give you yet another interesting tool for your privacy toolbox: Permission Slip. This app and the related service, brought to you by Consumer Reports, will work on your behalf to request that these data brokers relinquish your information, or at least suppress the sharing of that data to the extent that’s legally possible. The tool has some helpful and interesting features that you may not find on other, similar services. Sukhi Gulati Gilbert is my guest today and will explain why you should consider using this tool and how it supports the overall effort to rein in the dangerous business of data mining.

Interview Notes
Permission Slip app: https://permissionslipcr.com/
Protecting Your Privacy Online: https://www.consumerreports.org/electronics/privacy/from-our-president-protecting-your-privacy-online-a1603013649/
Digital Security & Privacy: https://www.consumerreports.org/digital-security-privacy/
CR Report on data deletion services (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/08/Data-Defense_-Evaluating-People-Search-Site-Removal-Services-.pdf
California data broker registry: https://cppa.ca.gov/data_broker_registry/
How to download the Vermont data broker list (which doesn’t seem to work): https://www.muckrock.com/foi/vermont-80/vermont-data-broker-db-107096/
My article series on data deletion: https://firewallsdontstopdragons.com/osint-reconnaissance/

Further Info
Annual listener survey!! https://fdsd.me/survey2025
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:12: Intro
0:00:51: A couple of quick news notes
0:01:45: Last call: listener survey
0:02:47: Interview setup
0:03:48: What brought you to Consumer Reports and the Permission Slip app?
0:07:19: How does Permission Slip compare to other data deletion services?
0:14:17: Where are the data brokers getting so much of our personal info?
0:17:00: How do I use Permission Slip?
0:21:47: What info does Permission Slip give to brokers?
0:24:42: Is it more effective to request data deletion yourself versus using a service?
0:31:12: What level of success should I expect when deleting my data?
0:33:16: Are there any limitations or exclusions for data deletion?
0:38:19: What if you live in a state or country with no privacy laws?
0:39:44: Can we limit access to our public data records?
0:41:24: Does freezing your credit do anything to limit data sharing?
0:43:53: How broken is the ‘notice and consent’ model for privacy?
0:45:57: Would it help to actively spread incorrect personal info?
0:48:31: How else can we reduce our data footprint?
0:50:04: What’s next for Consumer Reports in terms of privacy?
0:53:46: What does Permission Slip Pro cost?
0:55:19: Interview wrap-up
0:59:11: Patron content preview
0:59:50: Looking ahead

Jan 20, 2025 · 1h 0m

New Year’s Resolutions 2025!

The start of a new year is always a good time to add some big juicy goals to your to-do list – call them New Year’s Resolutions, if that works for you, but really it’s just about making up your mind to tackle some important personal objectives. Today I’ll give you several ideas to improve your privacy and security in 2025, and that of those around you. In the news: dozens of malicious Chrome browser extensions identified; net neutrality is dead, again, and probably for good this time; Apple to pay a meager $95M to settle a Siri privacy class action suit; Apple’s new Enhanced Visual Search is enabled by default and sending data to Apple; proposed ban on TP-Link routers is missing the real problem; Google’s change in its Privacy Sandbox policy seems to now allow the use of device fingerprinting; proposed HIPAA amendments will close major health data security gaps.

Article Links
[Ars Technica] Time to check if you ran any of these 33 malicious Chrome extensions: https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/
Terms of service study: https://www.helpnetsecurity.com/2016/07/14/agree-terms-conditions-lie/
[nytimes.com] Net Neutrality Rules Struck Down by Appeals Court: https://www.nytimes.com/2025/01/02/technology/net-neutrality-rules-fcc.html
[reuters.com] Apple to pay $95 million to settle Siri privacy lawsuit: https://www.reuters.com/legal/apple-pay-95-million-settle-siri-privacy-lawsuit-2025-01-02/
[macrumors.com] Apple Says Siri Data Has Never Been Sold or Used for Marketing: https://www.macrumors.com/2025/01/06/apple-siri-data-not-sold-for-marketing/
[9to5mac.com] Enhanced Visual Search shares your photos with Apple by default, to identify landmarks: https://9to5mac.com/2024/12/30/enhanced-visual-search-shares-your-photos-with-apple-by-default-to-identify-landmarks/
[csoonline.com] No evidence that TP-Link routers are a Chinese security threat: https://www.csoonline.com/article/3504775/no-evidence-that-tp-link-routers-are-a-chinese-security-threat.html
[Lukasz Olejnik blog] Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting: https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/
[Dark Reading] Proposed HIPAA Amendments Will Close Healthcare Security Gaps: https://www.darkreading.com/cyber-risk/proposed-hipaa-amendments-close-healthcare-security-gaps
Tip of the Week: https://firewallsdontstopdragons.com/new-years-resolutions-2025/

Further Info
Annual listener survey!! https://fdsd.me/survey2025
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:01:24: News preview
0:02:59: Time to check if you ran any of these 33 malicious Chrome extensions
0:12:51: Net Neutrality Rules Struck Down by Appeals Court
0:16:49: Apple to pay $95 million to settle Siri privacy lawsuit
0:19:02: Apple Says Siri Data Has Never Been Sold or Used for Marketing
0:26:29: Enhanced Visual Search shares your photos with Apple by default
0:35:23: No evidence that TP-Link routers are a Chinese security threat
0:47:01: Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting
0:53:08: Proposed HIPAA Amendments Will Close Healthcare Security Gaps
0:57:16: Tip of the Week: New Year’s Resolutions for 2025!
1:04:53: Wrap-up

Jan 13, 2025 · 1h 5m

ALPRs Are Everywhere

There are many ways in which we are tracked in the real world, but one of the most ubiquitous and insidious technologies is Automated License Plate Readers. These camera systems are deployed in just about every city by both public and private organizations. Furthermore, the third parties who sell and operate these systems collect and collate data from around the country, making it available to law enforcement and marketing firms. Because these systems capture images of your car, they can also document the make, model and color, any distinguishing marks, and even bumper stickers. Today we’ll discuss how and where these systems are deployed, who has access to the data, the repercussions of this mass surveillance and how it can go horribly wrong with my guests Adam Schwartz and Gowri Nayar from the Electronic Frontier Foundation.

Interview Notes
Donate to the EFF: https://supporters.eff.org/donate/join-eff-today
The Human Toll of ALPR Errors: https://www.eff.org/deeplinks/2024/11/human-toll-alpr-errors
EFF’s Street Level Surveillance: https://sls.eff.org/
Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops
US 100-mile “border zone” facts: https://www.aclu.org/know-your-rights/border-zone
Flock camera map: https://www.404media.co/the-open-source-project-deflock-is-mapping-license-plate-surveillance-cameras-all-over-the-world/
DeFlock: https://deflock.me
Flock transparency page example: https://transparency.flocksafety.com/riverside-county-ca-sd

Further Info
Annual listener survey!! https://fdsd.me/survey2025
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:20: Intro
0:01:24: Listener survey and book giveaway
0:03:16: ShmooCon in DC this weekend
0:04:21: Interview setup
0:05:27: What prompted you to write about ALPRs?
0:08:11: How do ALPRs work and what info can they capture?
0:10:14: How long have ALPRs been around and how is EFF tracking their use?
0:11:34: Where are these systems deployed? How do we recognize them?
0:14:19: How does mobile ALPR data collection work?
0:15:58: Are police departments transparent about the use of ALPRs?
0:18:09: Is there a way to know where ALPR systems are deployed?
0:20:46: How accurate are ALPRs? What are the consequences of failure?
0:22:37: Are license plate “hot lists” shared across jurisdictions?
0:25:41: Where is ALPR data stored? For how long? Who has access?
0:27:40: Is ALPR data shared among local and federal agencies? How often is the data abused?
0:31:04: Do the ALPR system operators sell this data to anyone else?
0:36:04: What legal expectation of privacy do I have in public spaces?
0:42:57: How does the legal “third party doctrine” apply to ALPR data?
0:45:01: How do we balance the need to catch bad guys with the use of surveillance tech?
0:50:18: Is there any surveillance tech that EFF feels should be banned outright?
0:52:17: Does EFF consult with law enforcement on deployment of surveillance tech?
0:53:05: If we’re concerned about surveillance tech being deployed, what can we do?
0:58:19: Interview wrap-up
0:59:29: Notes on the “border zone” width in the US
1:01:09: Patron preview
1:02:01: Survey reminder
1:02:50: Looking ahead

Jan 6, 2025 · 1h 3m

Best of Bonus 2024!

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Micah Lee (author, journalist), Nick Weaver (cybersecurity researcher), Kate Black (health data specialist), Jason Edison (OSINT expert), Dani Cronce and Lizzie Moratti (TunnelVision hack), Bruce Schneier (cryptographer, author), and Carissa Véliz (author, professor).

Original Interview Links
Ep358: Micah Lee: https://podcast.firewallsdontstopdragons.com/2024/01/08/investigating-data-leaks/
Ep360: Nick Weaver: https://podcast.firewallsdontstopdragons.com/2024/01/22/rise-of-the-slaughterbots/
Ep368: Kate Black: https://podcast.firewallsdontstopdragons.com/2024/03/18/health-data-privacy/
Ep386: Jason Edison: https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/
Ep388: Jack Daniel: https://podcast.firewallsdontstopdragons.com/2024/08/05/catch-you-on-the-bside/
Ep396: Dani Cronce & Lizzie Moratti: https://podcast.firewallsdontstopdragons.com/2024/09/30/tunnelvision-vpns-and-you/
Ep400: Bruce Schneier: https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/
Ep404: Carissa Véliz: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/

Related Links
Micah’s book: https://hacksandleaks.com/
Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/
Security BSides: https://bsides.org/w/page/12194156/FrontPage
Frankie’s Tiki Room (Las Vegas): https://frankiestikiroom.com/
Intel Techniques: https://inteltechniques.com/
TunnelVision: https://www.tunnelvisionbug.com/
Schneier Blog: https://www.schneier.com/
Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/

Further Info
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:24: New Year’s coming up
0:00:48: Show preview
0:02:33: Ep358: Micah Lee – the Snowden docs
0:11:48: Ep360: Nick Weaver – other types of killer drones
0:18:02: Ep368: Kate Black – how do you know if a site or app respects health privacy?
0:20:22: Ep386: Jason Edison – what’s it like trying to protect the privacy of celebrities?
0:26:53: Ep388: Jack Daniel – the story of the Les Pukelele
0:33:39: Ep396: Dani Cronce & Lizzie Moratti – getting into hacking
0:42:08: Ep400: Bruce Schneier – can we ever make our devices secure out of the box?
0:48:01: Ep404: Carissa Véliz – should STEM students be required to take ethics classes?
0:53:05: Wrap-up

Dec 30, 2024 · 54 min

Replay: Golden Age of Surveillance

I’m digging into the vault for a classic replay! I first interviewed Phil Zimmermann, creator of Pretty Good Privacy (PGP), on May 7, 2018. It was Episode 63 (we’re now at 408) and it was entitled “We Now Live in the Golden Age of Surveillance”. In this episode we talk a little about the origins of PGP in the 1990s and what he feels about the FBI’s claims that we’re “going dark” due to strong end-to-end encrypted communications. I’ve added some new commentary, but the original episode is preserved in all of its original glory!

Interview Notes
Original Ep63 interview: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
Ep214: Social Media is Ruining Society: https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society/
Ep243: Through the Past, Privately: PGP Turns 30: https://podcast.firewallsdontstopdragons.com/2021/10/25/through-the-past-privately-pgp-turns-30/
Phil Zimmermann’s website: https://philzimmermann.com/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:26: Flashback setup
0:02:18: Original intro
0:03:20: What drove you to create PGP?
0:06:32: Why were you prosecuted for PGP?
0:13:08: Isn’t banning cryptography like trying to ban math?
0:15:13: What’s the difference between security and privacy?
0:17:04: Is it possible to be truly anonymous online today?
0:19:06: How is the average person tracked online today?
0:21:49: What are the most private ways to communicate online?
0:24:44: How do we identify trustworthy attachments?
0:25:30: How secure is SMS (texting)?
0:29:41: Are we “going dark”?
0:32:44: Can we escape mass surveillance?
0:36:35: What’s next for you?
0:38:09: Original interview wrap-up
0:40:38: Flashback wrap-up
0:41:00: ShmooCon 2025
0:41:56: Looking ahead

Dec 23, 2024 · 42 min

Best of 2024!

I’ve had some truly amazing interviews this past year. For your listening enjoyment, I’ve curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you’ve never listened to my podcast, this will give you a taste of what you’re missing! If you’re a regular listener, this will be a fun trip down memory lane, complete with a little new commentary. Enjoy!

Original Interview Links
Ep362: Patrick Wardle: https://podcast.firewallsdontstopdragons.com/2024/02/05/securing-your-mac/
Ep364: Jen Caltrider: https://podcast.firewallsdontstopdragons.com/2024/02/19/car-privacy-is-horrid/
Ep366: 404 Media: https://podcast.firewallsdontstopdragons.com/2024/03/04/how-our-data-is-abused/
Ep375: Dina Temple-Raston: https://podcast.firewallsdontstopdragons.com/2024/05/13/inside-ukraines-it-army/
Ep378: Naomi Brockwell: https://podcast.firewallsdontstopdragons.com/2024/05/27/why-privacy-matters/
Ep380: Joseph Cox: https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/
Ep382: Byron Tau: https://podcast.firewallsdontstopdragons.com/2024/06/24/means-of-control/
Ep386: Jason Edison: https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/
Ep392: Andy Yen: https://podcast.firewallsdontstopdragons.com/2024/09/02/crazy-proton-summer/
Ep398: Space Rogue (Cris Thomas): https://podcast.firewallsdontstopdragons.com/2024/10/14/l0pht-heavy-industries/
Ep400: Bruce Schneier: https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/
Ep402: Stacey Higginbotham: https://podcast.firewallsdontstopdragons.com/2024/11/11/cutting-the-software-tether/
Ep404: Carissa Véliz: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/

Related Links
Objective-See: https://objective-see.org/
404 Media: https://www.404media.co/
Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/
Click Here: https://therecord.media/podcast
NBTV: https://www.nbtv.media/
Dark Wire: https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/
Means of Control: https://www.penguinrandomhouse.com/books/706321/means-of-control-by-byron-tau/
Intel Techniques: https://inteltechniques.com/
Proton: https://proton.me/
Space Rogue book: https://www.amazon.com/Space-Rogue-Hackers-Known-Changed-ebook/dp/B0BRQWPBGL
Schneier Blog: https://www.schneier.com/
Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/

Further Info
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:26: Show preview
0:02:22: Ep362: Patrick Wardle – Mac hardening
0:05:55: Ep364: Jen Caltrider – Car privacy not included
0:11:13: Ep366: 404 Media – abuse of public camera data
0:21:35: Ep375: Dina Temple-Raston – what we should learn from the cyber war in Ukraine
0:30:41: Ep378: Naomi Brockwell – fighting for our privacy
0:36:40: Ep380: Joseph Cox – what did law enforcement learn from Anom?
0:39:22: Ep382: Byron Tau – how law enforcement hides their data gathering
0:45:43: Ep386: Jason Edison – how does law enforcement view mass surveillance?
0:57:10: Ep392: Andy Yen – why Proton embraced AI tech
1:04:08: Ep398: Space Rogue (Cris Thomas) – do you need a college degree to work in cybersecurity?
1:11:05: Ep400: Bruce Schneier – how AI will change politics and law
1:19:02: Ep402: Stacey Higginbotham – escrowing money to address IoT software tethering problems
1:22:50: Ep404: Carissa Véliz – will the younger generation ever have privacy?
1:30:31: Looking ahead

Dec 16, 2024 · 1h 32m

Deleting Your Data

Have you ever searched for your personal information online? There are dozens of “people search sites” out there, but a simple Google search can also find information about you. Behind the scenes, there are hundreds if not thousands of data brokers who are constantly scouring the web for your info, creating dossiers on all of us for sale to anyone willing to pay. We have no federal privacy laws in the US, but even if you live in the EU (with GDPR) or a US state with some privacy protections (like California), you still may find your data online – because much of it comes from public records, including voting records, property tax records, and legal filings. How do you find your data? Where did it come from? And more importantly, what can you do about it? Today we’ll discuss this and more with Ben and Tyler, the founders of data deletion service EasyOptOuts.

Interview Notes
EasyOptOuts: https://easyoptouts.com/
Consumer Reports study: https://www.consumerreports.org/electronics/personal-information/services-that-delete-data-from-people-search-sites-review-a2705843415/
Brian Krebs on Radaris: https://krebsonsecurity.com/2024/03/a-close-up-look-at-the-consumer-data-broker-radaris/
My blog series on data removal: https://firewallsdontstopdragons.com/osint-reconnaissance/
Jason Edison OSINT interview: https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/
Big Ass Data Broker Opt Out List: https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:04: Staying up to date during December
0:01:45: NPR shout out?
0:02:25: Interview setup
0:04:11: Why did you get into the data deletion business?
0:05:58: How does EasyOptOuts differentiate its service?
0:09:35: Where do these data brokers get all my information?
0:13:37: How often do you find errors in people’s information on these sites?
0:15:36: What are the names of some of the top data brokers? Would we know them?
0:17:34: Will a credit freeze prevent data sharing?
0:19:02: What does it cost to get these people reports?
0:21:21: Have you tried deleting data from the recently breached National Public Data?
0:23:02: How do the various US state privacy laws impact our ability to delete our data?
0:27:52: How many data brokers operate in non-US/EU jurisdictions?
0:29:00: Who is selling my data that would surprise me?
0:31:26: How did we consent to this data sharing and can we opt out?
0:34:14: If I wanted to try to clean up my data myself, how would I go about that?
0:38:09: How do I avoid giving away more information while I try to prove my identity?
0:41:34: If I would rather use a deletion service, how does that work and what does it cost?
0:46:39: After deletion, will my data just be replenished after some amount of time?
0:48:01: Any final pro tips on reducing my public data?
0:51:02: Interview wrap-up
0:53:26: Patron bonus content preview
0:54:05: Plan for December shows

Dec 9, 2024 · 56 min

Letters from the Mailbag

It’s been too long since I’ve dipped into the listener mailbag, so today I’m going to answer a small selection of your questions on the air! Topics include privacy-respecting baby monitors, the “IoT network” on some Orbi routers, why you can’t really use a computer monitor as a “dumb” TV, and whether browser privacy plugins work on first party tracking. We’ll also cover some news stories: why you shouldn’t upload medical images to AI chatbots; the Fancy Bear “nearest neighbor” attack; Google’s new website link overlays; the curious case of cutting undersea internet cables; Microsoft’s new Windows Resiliency Initiative; mobile pay apps coming under regulatory scrutiny; iPhone’s new tool to strip metadata from shared photos; and Google now warning you about suspicious apps.

Article Links
[techcrunch.com] PSA: You shouldn’t upload your medical images to AI chatbots https://techcrunch.com/2024/11/19/psa-you-shouldnt-upload-your-medical-images-to-ai-chatbots/
[darkreading.com] Fancy Bear ‘Nearest Neighbor’ Attack Uses Nearby Wi-Fi Network https://www.darkreading.com/cyberattacks-data-breaches/fancy-bear-nearest-neighbor-attack-wi-fi
[9to5google.com] Google’s iOS app now injects links on third-party websites that go back to Search https://9to5google.com/2024/11/25/google-ios-app-link-annotations-search/
[newsweek.com] Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links https://www.newsweek.com/chinese-vessel-allegedly-drags-anchor-severs-undersea-cable-links-1992580
[dw.com] Hybrid warfare on the seabed? https://www.dw.com/en/baltic-sea-underwater-cable-damage-highlights-hybrid-warfare-on-critical-infrastructure/a-70853706
[theverge.com] Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident https://www.theverge.com/2024/11/19/24299873/microsoft-windows-resiliency-initiative-crowdstrike-incident
[lifehacker.com] Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated https://lifehacker.com/money/payment-apps-are-about-to-be-more-regulated
[lifehacker.com] Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online https://lifehacker.com/tech/your-iphone-can-now-automatically-remove-location-data-from-photos-online
[lifehacker.com] The Google Play Store Will Soon Warn You Before You Download a Bad App https://lifehacker.com/tech/the-google-play-store-will-warn-you-bad-app

Further Info
ExifTool: https://exiftool.org/
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:51: Holiday PSA
0:02:12: News preview
0:03:59: PSA: You shouldn’t upload your medical images to AI chatbots
0:07:22: Fancy Bear ‘Nearest Neighbor’ Attack Uses Nearby Wi-Fi Network
0:12:59: Google’s iOS app now injects links on third-party websites that go back to Search
0:15:10: Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links
0:18:17: Hybrid warfare on the seabed?
0:27:19: Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident
0:33:11: Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated
0:36:30: Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online
0:42:23: The Google Play Store Will Soon Warn You Before You Download a Bad App
0:46:20: Finding a private, secure baby monitor
0:50:44: IoT Network on Netgear Orbi routers?
0:52:50: Using a computer monitor as a dumb TV?
0:55:47: Can browser plugins prevent first party tracking?
0:59:23: The plan for the rest of the year

Dec 2, 2024 (1h 3m)
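The iPhone feature and the ExifTool link in this episode are about the same problem: location data riding along in the Exif block of a photo. As an added example (not code from the show, from Apple or from ExifTool), here is a stdlib-only Python script that walks a JPEG’s marker segments, reports whether the Exif APP1 segment contains a GPS sub-IFD pointer (TIFF tag 0x8825, the tag that every Exif GPS block hangs off), and writes a copy with the Exif segment removed. The sample image bytes are constructed inline so the script runs offline; a real photo’s Exif block is much larger but is laid out the same way.

```python
"""Check a JPEG for Exif GPS data and strip the Exif segment (stdlib only, added example)."""
import struct
import sys

SOI = b"\xff\xd8"                 # start of image
EOI = b"\xff\xd9"                 # end of image
APP1 = 0xE1                       # marker that carries the Exif block
SOS = 0xDA                        # start of scan: compressed pixels follow, no more metadata
EXIF_HEADER = b"Exif\x00\x00"     # Exif APP1 payloads begin with this
GPS_IFD_POINTER = 0x8825          # TIFF tag in IFD0 that points at the GPS sub-IFD


def iter_jpeg_segments(data: bytes):
    """Yield (marker, raw_segment) for each marker segment up to and including the scan data."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            # Everything from SOS to EOI is entropy-coded pixel data; hand it over whole.
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def exif_has_gps(app1_payload: bytes) -> bool:
    """True if the Exif TIFF structure in an APP1 payload has a GPSInfo pointer in IFD0."""
    if not app1_payload.startswith(EXIF_HEADER):
        return False
    tiff = app1_payload[len(EXIF_HEADER):]
    if len(tiff) < 8:
        return False
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # TIFF byte-order mark
    if endian is None:
        return False
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = ifd0 + 2 + 12 * i            # each IFD entry is 12 bytes: tag, type, count, value/offset
        if entry + 12 > len(tiff):
            break
        (tag,) = struct.unpack(endian + "H", tiff[entry:entry + 2])
        if tag == GPS_IFD_POINTER:
            return True
    return False


def photo_has_location(jpeg: bytes) -> bool:
    """Does this JPEG carry a GPS IFD in its Exif block?"""
    return any(marker == APP1 and exif_has_gps(seg[4:]) for marker, seg in iter_jpeg_segments(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed (JFIF header and pixels kept)."""
    out = bytearray(SOI)
    for marker, seg in iter_jpeg_segments(jpeg):
        if marker == APP1 and seg[4:].startswith(EXIF_HEADER):
            continue
        out += seg
    return bytes(out)


# ---- constructed sample input (not a real photo): JFIF header, Exif block with a GPS IFD, empty scan ----
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _exif_with_gps() -> bytes:
    tiff = b"II" + struct.pack("<HI", 42, 8)                    # little-endian TIFF header, IFD0 at offset 8
    gps_ifd_offset = 8 + 2 + 12 + 4                             # header + count + one entry + next-IFD link
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset)   # type 4 = LONG, count 1
            + struct.pack("<I", 0))
    gps_ifd = (struct.pack("<H", 1)
               + struct.pack("<HHI", 0x0000, 1, 4) + b"\x02\x03\x00\x00"   # GPSVersionID 2.3.0.0, inline
               + struct.pack("<I", 0))
    return EXIF_HEADER + tiff + ifd0 + gps_ifd


SAMPLE_JPEG = (SOI
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, _exif_with_gps())
               + _segment(SOS, b"") + EOI)

if __name__ == "__main__":
    # usage: python exifcheck.py [input.jpg [cleaned.jpg]]; with no arguments the constructed sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    print("GPS data present:", photo_has_location(data))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(strip_exif(data))
```

Two caveats a practitioner would want: dropping the whole APP1 segment also discards orientation and camera tags, which is the blunt-but-safe choice (ExifTool’s `-gps:all=` does the targeted version if you need to keep the rest), and this only handles JPEG; HEIC and PNG carry Exif in different containers, so check those with ExifTool before assuming they are clean.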

Privacy is Power

Privacy has been defined in many ways. The right to tell your story your own way. The right to have control over your personal information. The right to be left alone. There’s a reason we have T-shirts that say “dance like no one is watching”. We censor ourselves when we’re being watched. But if knowledge is power, then asymmetries in knowledge must lead to asymmetries in power. Privacy is a human right but it’s also a collective good – something we need to respect and support, even if we do not personally feel the need to exercise it. Today I’ll explore why privacy is essential, how it is being threatened, and what we can do to reclaim it with Carissa Véliz, a professor of philosophy and author of the wonderful and important book, Privacy is Power.

Interview Notes
Carissa’s website: https://www.carissaveliz.com/
Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/
My review of her book: https://firewallsdontstopdragons.com/privacy-is-power-review/
The Ethics of Privacy and Surveillance: https://www.oxford-aiethics.ox.ac.uk/blog/new-book-ethics-privacy-and-surveillance
TEDx: The Case for Ending Data Economy: https://www.youtube.com/watch?v=luCXlPYrTP4
Google’s Don’t Be Evil motto history: https://en.wikipedia.org/wiki/Don’t_be_evil
Give Thanks & Donate! https://firewallsdontstopdragons.com/give-thanks-donate/

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:31: Give Thanks & Donate!
0:01:27: Follow me on Bluesky
0:02:06: Interview setup
0:04:17: What inspired you to write this book?
0:07:04: What impacts has your book had? Did any response surprise you?
0:10:01: When researching the book, what surveillance methods most surprised you?
0:13:31: How and when did all this surveillance start?
0:15:40: Are behavior ads really more effective than contextual ads?
0:19:04: Is it possible to have privacy and still target ads?
0:22:08: What’s your take on Google’s Privacy Sandbox concept?
0:23:57: Why is the ‘notice and consent’ model such a failure?
0:28:14: What’s your take on the notion of data sovereignty?
0:30:09: Why is privacy a collective good that we all need to protect?
0:32:12: How does asymmetry in knowledge lead to asymmetry in power?
0:34:06: Are we at risk of normalizing surveillance for future generations?
0:37:09: What will it take to trigger a surveillance backlash?
0:40:21: What can we learn from history about overzealous data collection?
0:43:35: How will AI technology impact our privacy?
0:49:30: Can we reap the benefits of our data without giving up privacy?
0:52:45: How do we manifest a society that values and respects privacy?
0:56:15: Interview wrap-up
0:58:36: Still celebrating 400th episode!
0:59:02: Looking ahead

Nov 25, 2024 (1h 1m)

Best & Worst Gifts for 2024

Holiday shopping season is here! And today I’ll give you the highlights of my annual Best & Worst Gift Guide for 2024, with regard to privacy and security. The worst offenders may not surprise you, though some have actually gotten worse since just last year. And I have a few new suggestions for people on your nice list! In the news this week: another popular browser extension has gone rogue; Mozilla laid off 30% of their staff; FBI warns that bad guys are filing fraudulent emergency data requests to steal your private info; Apple quietly introduces a brilliant security feature that is frustrating cops; Microsoft will stop providing security updates for Windows 10 next October; a free decryptor was released for ShrinkLocker ransomware; Signal offers new call link feature; an air fryer app is sending your data to China; and Apple announces feature to share AirTag location with others including airlines to help find lost luggage.

Article Links
[cyberinsider.com] Popular Chrome Extension to Hide YouTube Shorts Turned Malicious https://cyberinsider.com/popular-chrome-extension-to-hide-youtube-shorts-turned-malicious/
[Tech Crunch] Mozilla Foundation lays off 30% staff, drops advocacy division https://techcrunch.com/2024/11/05/mozilla-foundation-lays-off-30-staff-drops-advocacy-division/
[Tech Crunch] FBI says hackers are sending fraudulent police data requests to tech giants to steal people’s private information https://techcrunch.com/2024/11/08/fbi-says-hackers-are-sending-fraudulent-police-data-requests-to-tech-giants-to-steal-peoples-private-information/
[404media.co] Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops https://www.404media.co/apple-quietly-introduced-iphone-reboot-code-which-is-locking-out-cops/
[blog.0patch.com] Long Live Windows 10… With 0patch https://blog.0patch.com/2024/06/long-live-windows-10-with-0patch.html
[The Hacker News] Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html
[signal.org] Improving Private Signal Calls: Call Links & More https://signal.org/blog/call-links/
[malwarebytes.com] Air fryers are the latest surveillance threat you didn’t consider https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider
[macrumors.com] Apple Announces iOS 18.2’s New AirTag Location Sharing Feature Coming to These 15+ Airlines https://www.macrumors.com/2024/11/11/apple-announces-airtag-location-sharing/
Best & Worst Gift Guide 2024! https://firewallsdontstopdragons.com/best-worst-gifts-2024/

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:50: Update Android phones
0:01:23: News preview
0:03:23: Popular Chrome Extension to Hide YouTube Shorts Turned Malicious
0:10:30: Mozilla Foundation lays off 30% staff, drops advocacy division
0:14:06: FBI says hackers are sending fraudulent police data requests to steal people’s private info
0:19:59: Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
0:29:46: Long Live Windows 10… With 0patch
0:39:54: Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims
0:42:45: Improving Private Signal Calls: Call Links & More
0:45:23: Air fryers are the latest surveillance threat you didn’t consider
0:48:28: Apple Announces iOS 18.2’s New AirTag Location Sharing Feature
0:51:40: Tip of the Week: Best & Worst Gift Guide
0:56:38: Worst Gifts
0:59:31: Best Gifts
1:06:32: Dragon book and coupons
1:09:55: Wrapping up

Nov 18, 2024 (1h 11m)

Cutting the Software Tether

Device manufacturers are breathing new life into old mundane products by connecting them to the internet, giving us the ability to monitor and control them from anywhere. However, this connection to the cloud works both ways. Not only do device makers now have unprecedented access to our usage and personal information, but they can hobble or limit our use of these devices at their whim. Today I’ll speak with IoT expert Stacey Higginbotham who is working with Consumer Reports and other consumer rights groups to bring more transparency to the smart device industry, and hopefully allow us to regain control over the devices we purchase.

Interview Notes
Stacey Higginbotham: https://www.linkedin.com/in/staceyhigginbotham/
Consumer Reports’ FTC filing on software tethering: https://advocacy.consumerreports.org/press_release/ftc-software-tethering/
Who Ya Gonna Call? https://innovation.consumerreports.org/who-ya-gonna-call/
Spotify Cancels Car Thing: https://innovation.consumerreports.org/how-to-kill-a-smart-device-spotify-car-thing-post-mortem/
When Will Your Smart Appliance Turn Dumb? https://innovation.consumerreports.org/when-will-your-smart-appliance-turn-dumb/
CR’s Permission Slip: https://www.permissionslipcr.com/
CR’s Security Planner: https://securityplanner.consumerreports.org/
My interview with Cory Doctorow on adversarial interoperability: https://podcast.firewallsdontstopdragons.com/2020/02/17/adversarial-interoperability-part-1/

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:54: Chevron deference
0:01:48: US election impacts
0:03:15: Interview setup
0:03:55: What does it mean for devices to be ‘software tethered’?
0:09:23: How might software tethering affect resale of smart devices?
0:13:52: What are the impacts on security and privacy?
0:15:20: How did we agree to these limitations?
0:27:50: What devices might fail to work when offline?
0:39:05: What happened to Amazon Dash buttons?
0:46:28: Is it easier to get FTC rulings than new regulations?
0:51:29: Does the DMCA still apply to abandoned products?
0:53:13: Should we force companies to escrow software for release if they fail?
0:56:06: What should we be doing as consumers to further this cause?
0:57:39: What’s next for your FTC filing?
0:59:55: Interview wrap-up
1:01:28: Patron bonus preview
1:02:19: Looking ahead

Nov 11, 2024 (1h 3m)

Curbing Location Tracking

Our location is being tracked mercilessly today, in several ways. In the digital age, location data is among the most sensitive information we share, providing a record of our daily lives that can reveal where we live, who we associate with, and our personal routines. For app developers, marketers, and even law enforcement, this data is a goldmine for the ‘app economy’. Today I’ll talk about the most common sources of location data and give you some tips for limiting the tracking. In other news: the FTC finalizes a rule that requires canceling to be just as easy as subscribing; CFPB takes action against worker surveillance; macOS Sequoia’s tightened app security may be annoying to some; it’s now legal to hack McFlurry machines to fix them; the EU makes vendors liable for software bugs; city sues Flock saying license plate readers are Unconstitutional; tracking world leaders with a fitness app; smartphone location tracking is out of control.

Article Links
[theverge.com] The FTC is finally making it easier to cancel your gym membership https://www.theverge.com/2024/10/16/24271649/ftc-click-to-cancel-subscriptions-final-rule
[consumerfinance.gov] CFPB Takes Action to Curb Unchecked Worker Surveillance https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-curb-unchecked-worker-surveillance/
[appleinsider.com] What’s changed in runtime protection for macOS Sequoia https://appleinsider.com/inside/macos-sequoia/tips/whats-changed-in-runtime-protection-for-macos-sequoia
[404media.co] It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them https://www.404media.co/it-is-now-legal-to-hack-mcflurry-machines-and-medical-devices-to-fix-them/
[Risky Business] The EU will make vendors liable for bugs https://news.risky.biz/risky-biz-news-the-eu-will-make-vendors-liable-for-bugs/
[404media.co] Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional https://www.404media.co/lawsuit-argues-warrantless-use-of-flock-surveillance-cameras-is-unconstitutional/
[schneier.com] Tracking World Leaders Using Strava https://www.schneier.com/blog/archives/2024/10/tracking-world-leaders-using-strava.html
[arstechnica.com] Location tracking of phones is out of control. Here’s how to fight back. https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-lets-government-agencies-follow-your-every-move/
Tip of the Week: https://firewallsdontstopdragons.com/how-to-curb-location-tracking/

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:06: News preview
0:04:41: FTC is finally making it easier to cancel your gym membership
0:07:19: CFPB Takes Action to Curb Unchecked Worker Surveillance
0:14:23: What’s changed in runtime protection for macOS Sequoia
0:21:57: It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them
0:28:15: The EU will make vendors liable for bugs
0:33:00: Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional
0:41:09: Tracking World Leaders Using Strava
0:42:38: Location tracking of phones is out of control. Here’s how to fight back.
0:49:56: Tip of the Week: Curbing Location Tracking
1:00:57: Looking ahead

Nov 4, 2024 (1h 2m)

Episode 400 Special

The first episode of Firewalls Don’t Stop Dragons Podcast aired on March 8, 2017 – almost 8 years ago now. Over that time, I’ve interviewed over 135 unique and amazing people, covered countless cybersecurity and privacy stories, and offered 100’s of tips for protecting your devices and data. To celebrate this momentous occasion, world-renowned cryptography guru Bruce Schneier has returned for our traditional Podcentennial interview! We discuss several timely topics including the Crowdstrike incident, the pager bombing and supply chain attacks more generally, US election security, the open market for cyber vulnerabilities, US intelligence agencies’ focus on offense versus defense, how AI might actually benefit democracy and much more!

Interview Notes
Bruce Schneier’s blog: https://www.schneier.com/
Inrupt’s Solid concept: https://www.inrupt.com/solid
Data and Goliath (book): https://www.schneier.com/books/data-and-goliath/
Bruce’s NY Times article on pager bombs: https://www.schneier.com/essays/archives/2024/09/israels-pager-attacks-have-changed-the-world.html
Joseph Cox “Anom” interview: https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/
WaPo detailed analysis of pager bomb attack: https://www.washingtonpost.com/world/2024/10/05/israel-mossad-hezbollah-pagers-nasrallah/
Restoring Trust in Elections: https://podcast.firewallsdontstopdragons.com/2023/12/11/restoring-trust-in-elections/
Hacking election systems w/ Harri Hursti: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Hacker Halted conference info: https://hackerhalted.com/agenda/#day-two-october-31st

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:53: Interview setup
0:06:21: What should we have learned from the Crowdstrike incident?
0:11:21: Why is it more profitable for products to be brittle?
0:13:59: Do regulations stifle innovation?
0:15:27: Should intelligence agencies focus more on cyber offense or defense?
0:22:29: Should it be legal to buy and sell zero-days on the open market?
0:26:44: How secure are our election systems today? How do we get people to trust the outcomes?
0:35:41: What’s your take on the arrest of Telegram’s CEO?
0:39:18: How do we convince lawmakers not to subvert encrypted communications?
0:43:48: How did the exploding pager attack change our views of supply chain security?
0:49:26: In what ways might AI actually benefit our democracy?
0:58:03: Should there be any guardrails on AI systems?
1:01:17: What’s next for you? What’s the latest on the Solid project?
1:03:49: Interview wrap-up
1:07:51: More info for new listeners
1:13:38: Meet me at Hacker Halted Conference!
1:14:14: Looking ahead

Oct 28, 2024 (1h 14m)

Understanding AI Chatbots

Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere – either directly or integrated with other popular apps. This technology is real and it’s here to stay, so it’s important that we understand what it is, how it works, and what the limitations are. Today I’ll explore some aspects of LLMs that you probably weren’t aware of. In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; Chinese attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn’t share personal information with AI chatbots.

Article Links
[The Hacker News] Mozilla Warns of Active Exploitation in Firefox, Urges Users to Update Immediately https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html
[therecord.media] National Public Data files for bankruptcy, citing fallout from cyberattack https://therecord.media/national-public-data-bankruptcy-cyberattack
[techcrunch.com] Hackers were targeting Android users with Qualcomm zero-day https://techcrunch.com/2024/10/09/hackers-were-targeting-android-users-with-qualcomm-zero-day/
[pluralistic.net] China hacked Verizon, AT&T and Lumen using the FBI’s backdoor https://pluralistic.net/2024/10/07/foreseeable-outcomes/
[appleinsider.com] Future Passkeys will be able to be shared across platforms & password vaults https://appleinsider.com/articles/24/10/15/future-passkeys-will-be-able-to-be-shared-across-platforms-password-vaults
[9to5mac.com] PSA: Here’s another reason not to include personal details in AI chats https://9to5mac.com/2024/10/17/psa-heres-another-reason-not-to-include-personal-details-in-ai-chats/
Tip of the Week: Understanding AI Chatbots

Further Info
Help me reach more people! https://fdsd.me/awareness2
Privacy Not Included chatbot privacy guide: https://foundation.mozilla.org/en/privacynotincluded/articles/how-to-protect-your-privacy-from-chatgpt-and-other-ai-chatbots/
Gandalf AI game: https://gandalf.lakera.ai/baseline
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:01: Google finally killing uBlock Origin
0:04:07: News preview
0:05:54: Mozilla Warns of Active Exploitation in Firefox
0:08:55: National Public Data files for bankruptcy
0:14:42: Hackers were targeting Android users with Qualcomm zero-day
0:19:14: China hacked Verizon, AT&T and Lumen using the FBI’s backdoor
0:26:10: Future Passkeys will be able to be shared across platforms & password vaults
0:31:08: Here’s another reason not to include personal details in AI chats
0:37:40: Tip of the Week: Understanding Chatbots
0:55:55: Wrapping up
0:56:35: Celebrating 400 episodes!

Oct 21, 2024 (58 min)

L0pht Heavy Industries

L0pht Heavy Industries (pronounced “loft”) was one of the most influential hacker groups in history. Unlike many others, L0pht carefully cultivated a relationship with mass media, sold profitable products, started businesses, and even testified before the US Senate. Cris Thomas, aka Space Rogue, was one of the earliest members of the L0pht and he recently published a book chronicling the group’s long and storied history called Space Rogue: How the Hackers Known As L0pht Changed the World. Today I sit down with Cris to discuss that history and the impacts that the L0pht and other hacker groups have had on all of us.

Interview Notes
Space Rogue’s website: https://www.spacerogue.net/
L0pht homepage: https://l0pht.com/
L0phtCrack: https://www.l0phtcrack.com/
Textfiles.com: http://textfiles.com/
L0pht testimony: https://www.youtube.com/watch?v=VVJldn_MmMY
Charlie Rose “Hackers” interview: https://www.youtube.com/watch?v=zbTkOuPv2fo
PicoCTF: https://www.picoctf.org/
Hack the Box: https://help.hackthebox.com/en/articles/5200851-introduction-to-ctfs

Further Info
Help me reach more people! https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:23: Episode 400 coming soon!
0:01:16: Interview setup
0:03:49: Tell us about your book
0:04:52: What is your origin story? How’d you get into hacking?
0:08:15: How often did you meet your fellow hackers in person?
0:10:49: How did the L0pht get started?
0:15:39: What was the reaction when you “came out” as a hacker to friends and family?
0:20:02: How much did different hacker groups interact back in the day?
0:23:19: L0pht cultivated a relationship with the media – how did that affect the dynamic?
0:28:19: What’s the history behind the infamous L0phtCrack password tool?
0:35:36: What was it like testifying in front of the US Senate?
0:38:32: How did you get away with testifying under your hacker names?
0:45:29: How did Hacker News Network come to be?
0:52:06: How did we avoid a hacker cyber war against China in the late 90s?
0:57:15: Which of L0pht’s many achievements are you most proud of?
0:59:40: What advice would you give to someone wanting to get into cybersecurity?
1:05:39: What’s next for you?
1:06:23: Patron bonus content preview
1:06:52: Post-interview notes
1:08:36: Looking ahead

Oct 14, 2024 (1h 9m)

Indicators of Account Compromise

Sometimes it’s obvious when your accounts are hacked. Maybe your money is gone. Maybe you can no longer log in using the password you know is correct. Maybe everyone you know has gotten a scam email from you that you didn’t send. But sometimes bad guys aren’t so obvious. They may lurk around in your accounts to gather information for identity theft or in hopes of gaining access to other more lucrative accounts. I’ll tell you how to find out. In other news: CA governor vetoes opt-out signal bill but signs car privacy bill; 23andMe is in trouble and your data may be, too; PayPal opted you into data sharing without asking; Kaspersky deletes itself and installs UltraAV without asking; 100 million Americans had background data leaked; researchers add facial recognition tech to Meta’s smart glasses; NIST updates password rules with common-sense changes; US & Microsoft seize 100+ web domains used by Russian hackers.

Article Links
[Ars Technica] Calif. Governor vetoes bill requiring opt-out signals for sale of user data https://arstechnica.com/tech-policy/2024/09/calif-gov-vetoes-attempt-to-require-new-privacy-option-in-browsers-and-oses/
[Teach Privacy] Bankruptcy Sale of DNA Data: From Toysmart to 23andMe https://teachprivacy.com/bankruptcy-sale-of-dna-data-from-toysmart-to-23andme/
[404 Media] Paypal Opted You Into Sharing Data Without Your Knowledge https://www.404media.co/paypal-personalized-shopping-opt-out/
[Bleeping Computer] Kaspersky deletes itself, installs UltraAV antivirus without warning https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/
[Tom’s Guide] 100 million Americans just had their background check data exposed https://www.tomsguide.com/computing/online-security/100-million-americans-just-had-their-background-check-data-exposed-online-how-to-stay-safe
[404 Media] Someone Put Facial Recognition Tech onto Meta’s Smart Glasses to Instantly Dox Strangers https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/
[Ars Technica] NIST proposes barring some of the most nonsensical password rules https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/
[The Record] California passes car data privacy law to protect domestic abuse survivors https://therecord.media/california-car-data-privacy-law-domestic-abuse-tracking
[Semafor] US, Microsoft seize more than 100 websites used by Russian hackers https://www.semafor.com/article/10/03/2024/us-microsoft-seize-more-than-100-websites-used-by-russian-hackers
Tip of the Week: Indicators of Account Compromise: https://firewallsdontstopdragons.com/indicators-of-account-compromise/

Further Info
Help me reach more people! https://fdsd.me/awareness2
Treasure Chest promotion: https://firewallsdontstopdragons.com/treasure-coin-promo/
How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
My article on removing your data from the web: https://firewallsdontstopdragons.com/osint-remediation/
CISA Cybersecurity Awareness Month resources: https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit
Stay Safe Online CAM site: https://staysafeonline.org/programs/cybersecurity-awareness-month/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:12: Cybersecurity Awareness Month!
0:01:51: Update Apple software
0:03:21: News rundown
0:05:41: CA Governor vetoes bill requiring opt-out signals for sale of user data
0:11:51: Potential Bankruptcy Sale of DNA Data from 23andMe
0:17:22: Paypal Opted You Into Sharing Data Without Your Knowledge
0:22:01: Kaspersky deletes itself, installs UltraAV antivirus without warning
0:28:14: 100 million Americans just had their background check data exposed
0:32:13: Someone Put Facial Recognition Tech onto Meta’s Smart Glasses to Instantly Dox Strangers
0:36:33: NIST proposes barring some of the most nonsensical password rules
0:42:21: California passes car data privacy law to protect domestic abuse survivors
0:45:36: US, Microsoft seize more than 100 websites used by Russian hackers
0:47:49: Tip of the Week
1:04:13: Promoting the 400th episode
1:05:42: Patron perks!
1:09:08: Looking ahead

Oct 7, 2024 (1h 9m)

TunnelVision, VPNs and You

Two security researchers showed how many modern VPN services are vulnerable to a malicious local network configuration that can route some or all of your internet traffic outside the encrypted tunnel. While this is not likely to impact most of us, it does expose the limitations of Virtual Private Networks and why they are not silver bullets for security or privacy, despite many marketing claims to the contrary. Today we’ll discuss how TunnelVision works, how it can be mitigated, and how it affects different privacy threat models with the two researchers from Leviathan Security, Dani Cronce and Lizzie Moratti.

Interview Notes
Lizzie Moratti: https://www.linkedin.com/in/lmoratti/
Dani Cronce: https://www.linkedin.com/in/danicronce/
TunnelVision: https://www.tunnelvisionbug.com/
ProtonVPN threat model: https://protonvpn.com/blog/threat-model
Dani’s GitHub: https://github.com/superit23
Leviathan Security blog: https://www.leviathansecurity.com/blog
Veilid: https://veilid.com/
Willy Wonka scene: https://www.youtube.com/watch?v=pvS3j8VtanM
Linux network namespaces: https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/
What is DeFi? https://www.investopedia.com/decentralized-finance-defi-5113835

Further Info
Help me brainstorm ways to reach more people!: https://fdsd.me/awareness2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:23: Reminder: brainstorming survey
0:01:47: Podcast chapter markers!
0:02:54: Interview setup
0:05:55: What is a VPN and what is its intended purpose?
0:10:27: If most connections are secured today, why do we need a VPN?
0:12:40: Why do we trust a VPN provider more than our internet access provider?
0:17:40: What are you trying to do with a VPN?
0:19:13: Who can see my internet traffic?
0:25:30: What is TunnelVision and what are the implications for VPN users?
0:29:42: What’s a less technical way to understand TunnelVision?
0:33:06: Why might I not want all my traffic to go through the VPN?
0:35:02: How dangerous is TunnelVision for the average person?
0:42:30: How did the VPN companies respond?
0:51:19: What VPN features can mitigate the risk?
0:57:42: Have any VPN makers fixed this problem? Do OS vendors have responsibility here?
1:02:11: Do you have recommendations for VPNs? Is there new tech that might help here?
1:04:00: Would privacy regulations help here?
1:06:24: What are you working on next?
1:08:51: Interview wrap-up
1:13:31: Looking ahead
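The mechanism behind TunnelVision, as documented at the tunnelvisionbug.com link above, is a rogue DHCP server on the local network pushing classless static routes (DHCP option 121, RFC 3442) that are more specific than the VPN’s catch-all routes, so the operating system’s longest-prefix match sends the matching traffic out the physical interface instead of through the tunnel. The Python below is an added example written for this page, not code from the episode or from the Leviathan researchers. It decodes a constructed option 121 payload and reports which pushed routes would win against a typical full-tunnel VPN’s 0.0.0.0/1 and 128.0.0.0/1 routes; the tunnel route set and the sample payload are assumptions for illustration.

```python
"""Decode DHCP option 121 (classless static routes, RFC 3442) and flag the
routes that would pull traffic out of a full-tunnel VPN, which is the
TunnelVision technique. Added example; all sample data is constructed."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Routes a typical full-tunnel VPN client installs on its tun device: two /1
# routes that beat the physical interface's 0.0.0.0/0 default. This is an
# assumption for the example; some clients instead install a single 0.0.0.0/0
# with a lower metric, in which case even a /1 pushed by DHCP wins.
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
                 ipaddress.IPv4Network("128.0.0.0/1")]

# Constructed option 121 payload a rogue DHCP server might send. Each entry is
# one byte of prefix length, then only the significant destination octets,
# then a 4-byte router address:
#   24, 8.8.8,    192.168.1.1  -> 8.8.8.0/24 via the LAN gateway
#   32, 1.1.1.1,  192.168.1.1  -> 1.1.1.1/32 via the LAN gateway
#    0,           192.168.1.1  -> 0.0.0.0/0  (an ordinary default route)
SAMPLE_OPTION121 = bytes([
    24, 8, 8, 8, 192, 168, 1, 1,
    32, 1, 1, 1, 1, 192, 168, 1, 1,
    0, 192, 168, 1, 1,
])


def parse_option121(payload: bytes) -> List[Route]:
    """Decode RFC 3442 route entries into (destination network, router) pairs."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"bad prefix length {prefix_len}")
        n_dest = (prefix_len + 7) // 8          # significant octets only
        if i + n_dest + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = payload[i:i + n_dest] + b"\x00" * (4 - n_dest)
        i += n_dest
        router = payload[i:i + 4]
        i += 4
        # strict=False tolerates servers that leave host bits set in the prefix.
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((network, ipaddress.IPv4Address(router)))
    return routes


def tunnel_bypass(routes: List[Route],
                  tunnel_routes=TUNNEL_ROUTES) -> List[Route]:
    """Return pushed routes that are strictly more specific than every tunnel
    route they overlap. Longest-prefix match then sends that traffic to the
    DHCP-supplied router on the physical interface, outside the VPN."""
    leaks: List[Route] = []
    for net, router in routes:
        best_tunnel = max((t.prefixlen for t in tunnel_routes if t.overlaps(net)),
                          default=-1)
        if net.prefixlen > best_tunnel:
            leaks.append((net, router))
    return leaks


if __name__ == "__main__":
    pushed = parse_option121(SAMPLE_OPTION121)
    for net, router in tunnel_bypass(pushed):
        print(f"{net} via {router} bypasses the VPN tunnel")
```

On the sample payload the /24 and /32 routes are flagged and the plain default route is not, because 0.0.0.0/0 is less specific than the tunnel’s /1 routes. This is also why the Linux network namespaces link above is a mitigation the episode points to: if the VPN client and the applications run in their own namespace whose only route is the tunnel, routes that a rogue DHCP server pushes land in the host namespace and never reach them.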

Sep 30, 2024 · 1h 14m

Malware Reboot Remedy

We often think of malware as a problem for our computers and perhaps our smartphones. But bad guys love to hack our home routers and IoT devices, as well. Thankfully, purging malware from those types of devices can usually be done just by rebooting them. (There’s a reason tech support always asks you to try turning your device off and back on again.) I’ll explain why this works and what you should do to protect your connected devices. In other news: I explain why most people are not in danger of their devices blowing up; a new Windows phishing campaign uses fake CAPTCHAs and PowerShell; LinkedIn started training its AI on your data before telling you how to opt out; Oracle’s CEO touts his vision of ubiquitous AI surveillance; Ford seeks a patent to show you ads in your vehicle based on your conversations and other private data; Meta admits to scraping public Instagram and Facebook posts to train its AI; four great new iOS 18 privacy and security features; Apple Intelligence servers are very basic, for a reason; and the FBI shuts down a massive Chinese botnet.

Article Links
[WIRED] Your Phone Won’t Be the Next Exploding Pager https://www.wired.com/story/exploding-pagers-hezbollah-phones/
[briankrebs] This Windows PowerShell Phish Has Scary Potential https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary-potential/
[404media.co] LinkedIn Is Training AI on User Data Before Updating Its Terms of Service https://www.404media.co/linkedin-is-training-ai-on-user-data-before-updating-its-terms-of-service/
[theregister.com] Ellison declares Oracle ‘all in’ on AI mass surveillance https://www.theregister.com/2024/09/16/oracle_ai_mass_surveillance_cloud/
[therecord.media] Ford seeks patent for tech that listens to driver conversations to serve ads https://therecord.media/ford-patent-application-in-vehicle-listening-advertising
[9to5Mac] Meta scraped all public Facebook and Instagram posts since 2007 for AI training https://9to5mac.com/2024/09/11/meta-scraped-all-public-facebook-and-instagram-posts-since-2007-for-ai-training/
[TechRadar] I’m a privacy expert—here are the 4 iOS 18 features I’m excited about https://www.techradar.com/phones/im-a-privacy-experthere-are-the-4-ios-18-features-im-excited-about
[9to5Mac] Apple Intelligence servers are really basic, says Craig Federighi – and that’s deliberate https://9to5mac.com/2024/09/12/apple-intelligence-servers-are-really-basic-says-craig-federighi-and-thats-deliberate/
[Gizmodo] FBI Shuts Down Botnet Run by Beijing-Backed Hackers That Hijacked Over 200,000 Devices https://gizmodo.com/fbi-shuts-down-botnet-run-by-beijing-backed-hackers-that-hijacked-over-200000-devices-2000500627
Tip of the Week: Malware Reboot Remedy

Further Info
Awareness Campaign Phase 2!: https://fdsd.me/awareness2
LinkedIn privacy settings: https://www.linkedin.com/mypreferences/d/categories/privacy
Test your ad blocker(s): https://d3ward.github.io/toolz/adblock.html
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:31: Update Apple devices
0:01:36: Awareness Campaign teaser
0:02:04: News rundown
0:04:08: Your Phone Won’t Be the Next Exploding Pager
0:08:00: This Windows PowerShell Phish Has Scary Potential
0:12:34: LinkedIn Trains AI on Your Data Before Updating Its ToS
0:16:41: Ellison declares Oracle ‘all in’ on AI mass surveillance
0:20:15: Ford seeks patent for tech that listens to driver conversations to serve ads
0:26:32: Meta scraped all public Facebook and Instagram posts since 2007 for AI training
0:30:29: I’m a privacy expert—here are the 4 iOS 18 features I’m excited about
0:35:55: Apple Intelligence servers are really basic – and that’s deliberate
0:40:57: FBI Shuts Down Botnet Run by Beijing-Backed Hackers
0:45:02: Tip of the Week: Malware Reboot Remedy
0:54:29: Ad Block Tester
0:55:43: Awareness Campaign, Phase 2!
1:01:44: Looking ahead

Sep 23, 2024 · 1h 2m

Post-Quantum Crypto

You may be vaguely aware of the term ‘quantum computing’ from media reports. But what you may not have picked up on is that one of the primary uses for quantum computers may be to break data encryption. Furthermore, you may not realize that if three-letter agencies save off our encrypted emails and messages now, they could read them in the future, once sufficiently powerful quantum computers become viable. How does this work? And what can we do now to protect our privacy in the future? We’ll dig into all of this today with Brandon Sundh from Tuta (formerly Tutanota), a prominent secure email company that is already deploying such protections.

Interview Notes
Try Tuta! https://tuta.com/
Tuta’s quantum-safe crypto: https://tuta.com/blog/post-quantum-cryptography
Quantum mechanics: https://en.wikipedia.org/wiki/Quantum_mechanics
Schrödinger’s cat: https://en.wikipedia.org/wiki/Schr%C3%B6dinger’s_cat
NIST post-quantum standards: https://csrc.nist.gov/projects/post-quantum-cryptography
NSA pays RSA to weaken encryption?: https://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220/
Longer passwords are better: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/
Privacy Guides on Proton Wallet: https://www.privacyguides.org/articles/2024/09/08/proton-wallet-review/#why-does-this-exist

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:50: Some terminology first
0:07:33: What is quantum computing and what’s it good for?
0:16:25: What are the current capabilities of quantum computers?
0:22:02: How long have we been working on quantum computers?
0:25:01: If QC is still so far off, why do we need to prepare now?
0:30:53: How do we design encryption to make it safe against quantum computers?
0:36:10: How can we be sure that the NSA isn’t building backdoors into these algorithms?
0:41:11: Will post-quantum algorithms replace current ones or augment them?
0:45:51: How soon will quantum-safe crypto be rolled out?
0:52:42: Who will be able to own and operate these quantum computers?
0:54:45: Are law enforcement agencies pushing back against quantum-safe crypto?
1:00:34: Who is more likely to win: code makers or code breakers?
1:04:24: Wrap-up
1:05:55: Looking ahead

Sep 16, 2024 · 1h 8m

The Truth is Out There

Mis- and disinformation are just a fact of modern life, but certain events, like a big election, cause the practice to increase significantly. This is a good time to review the phenomenon: how to recognize it, how to avoid being drawn in, and perhaps most importantly how to reduce its spread. In other news: Telegram’s CEO was arrested in France; too many people keep calling Telegram a secure messaging app when it really isn’t; if you think ads and tracking are bad now, wait till you hear all the ways modern TVs are monetizing their users; sextortion scams are using some new techniques to pressure their victims; consumer groups have lobbied the FTC to create clear guidance on ‘software tethering’; and California just approved a new privacy bill that will finally require companies to honor universal opt-out signals from apps and browsers.

Article Links
[BBC] Telegram CEO Pavel Durov arrested at French airport https://www.bbc.com/news/articles/ckg2kz9kn93o
[blog.cryptographyengineering.com] Is Telegram really an encrypted messaging app? https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/
[Ars Technica] Your TV set has become a digital billboard. And it’s only getting worse. https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/
[briankrebs] Sextortion Scams Now Include Photos of Your Home https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/
[advocacy.consumerreports.org] Consumer Reports, U.S. PIRG, and 15 other groups call on FTC to create clear guidance for ‘software tethering’ https://advocacy.consumerreports.org/press_release/ftc-software-tethering/
[Dark Reading] California Approves Privacy Bill Requiring Opt-Out Tools https://www.darkreading.com/data-privacy/california-privacy-bill-require-opt-out-tools
Tip of the Week: Spotting Fake News https://firewallsdontstopdragons.com/the-truth-is-out-there/

Further Info
My series on deleting your public data online: https://firewallsdontstopdragons.com/osint-reconnaissance/
Enabling Global Privacy Control (GPC): https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:14: News preview
0:05:22: Telegram CEO Pavel Durov arrested at French airport
0:09:47: Is Telegram really an encrypted messaging app?
0:19:57: Your TV set has become a digital billboard. And it’s only getting worse.
0:41:25: Sextortion Scams Now Include Photos of Your Home
0:48:06: Consumer groups call on FTC to create clear guidance for ‘software tethering’
0:54:33: California Approves Privacy Bill Requiring Opt-Out Tools
0:59:22: Tip of the Week: Dealing with Misinformation
1:11:36: Looking ahead

Sep 9, 2024 · 1h 14m

Crazy Proton Summer

Proton released three major new products this summer, all within the span of a couple of months: Proton Docs, Proton Wallet and Proton Scribe. Given that Proton is a privacy-focused company, some of these offerings seemed almost at odds with that mission. So today I ask Andy Yen (Proton’s CEO) some pointed questions about the privacy of their Bitcoin wallet and AI writing assistant. We also discuss the new Proton Foundation and how it safeguards their privacy mission for the future. Finally, I ask Andy whether Proton would consider acquiring Mozilla to save the Firefox browser and, in the wake of the blowback Signal received over protecting local access to messaging data, how Proton addresses the ‘compromised machine’ threat model.

Interview Notes
Proton Docs: https://proton.me/blog/docs-proton-drive
Proton Wallet: https://proton.me/blog/proton-wallet-launch
Proton Scribe: https://proton.me/blog/proton-scribe-writing-assistant
Proton Foundation: https://proton.me/blog/proton-non-profit-foundation
Techlore on Proton Wallet: https://www.youtube.com/watch?v=tESbBM2LZHM&t=1922s
Seth for Privacy’s Andy Yen interview: https://optoutpod.com/episodes/protonwallet-andy-yen/
My interview on Easy Prey Podcast: https://www.easyprey.com/firewalls-dont-stop-dragons-with-carey-parker/
Techlore: https://www.techlore.tech/
Privacy Guides: https://www.privacyguides.org/
The New Oil: https://thenewoil.org/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:18: Interview setup
0:04:18: Why did you release so many new products all at once?
0:05:53: Did you develop Proton Docs from scratch? Will we get Proton Sheets, too?
0:10:09: What drove you to add AI features? How do you maintain privacy with AI?
0:17:07: Why did Proton feel the need to create another cryptocurrency wallet?
0:21:37: Who is the target audience for Proton Wallet?
0:28:38: As a privacy company, why go with Bitcoin, which is not really private?
0:39:34: Will you support Monero or Zcash?
0:40:40: Why did you restructure Proton as a foundation? What’s the impact of this?
0:45:41: How is this new foundation different from others like Mozilla or Tor?
0:47:59: Would Proton ever consider acquiring Mozilla to save Firefox?
0:55:43: Does TunnelVision affect Proton VPN? How can we improve VPNs generally?
1:01:35: Signal was bashed for not encrypting local keys. How does Proton handle this?
1:05:25: What’s coming next from Proton?
1:07:48: Interview wrap-up
1:10:54: Couple of updates on Wallet and Scribe availability
1:11:50: Recommending other great privacy resources and Proton discussions
1:12:53: Upcoming shows
1:14:29: Upcoming podcast awareness campaign

Sep 2, 2024 · 1h 16m

National Public Data Breach

The headlines have been on fire with stories about 3 billion people’s data being leaked from a company you’ve never heard of. But as with many such stories, the mainstream media got a lot of the important details wrong and glossed over a lot of the important nuances. Today we’re going to dive into what really happened and what you should do about it, whether your data was part of the breach or not. In other news: Illinois waters down its landmark biometric information law; a US appeals court rules geofence warrants are unconstitutional; the FTC investigates “surveillance pricing” and finalizes a rule banning fake product reviews; the CFPB cracks down on some types of consumer data sales; and Consumer Reports evaluates several top data deletion services.

Article Links
[Reuters] Illinois governor approves business-friendly overhaul of biometric privacy law https://www.reuters.com/legal/government/illinois-governor-approves-business-friendly-overhaul-biometric-privacy-law-2024-08-05/
[TechCrunch] US appeals court rules geofence warrants are unconstitutional https://techcrunch.com/2024/08/13/us-appeals-court-rules-geofence-warrants-are-unconstitutional/
[Electronic Frontier Foundation] To Fight Surveillance Pricing, We Need Privacy First https://www.eff.org/deeplinks/2024/08/fight-surveillance-pricing-we-need-privacy-first
[ftc.gov] Federal Trade Commission Announces Final Rule Banning Fake Reviews and Testimonials https://www.ftc.gov/news-events/news/press-releases/2024/08/federal-trade-commission-announces-final-rule-banning-fake-reviews-testimonials
[natlawreview.com] CFPB Forecasts New Rule Cracking Down on Consumer Data Sales https://natlawreview.com/article/cfpb-forecasts-new-rule-cracking-down-consumer-data-sales
[Los Angeles Times] Hackers may have stolen the Social Security numbers of every American. How to protect yourself https://www.latimes.com/business/story/2024-08-13/hacker-claims-theft-of-every-american-social-security-number
[troyhunt.com] Inside the “3 Billion People” National Public Data Breach https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/
[consumerreports.org] Evaluating People-Search Site Removal Services https://innovation.consumerreports.org/new-report-data-defense-evaluating-people-search-site-removal-services/
Tip of the Week: OSINT Final Steps https://firewallsdontstopdragons.com/osint-final-steps/

Other Helpful Links
Have I Been Pwned: https://haveibeenpwned.com/
NPD Data Breach search tool: https://npd.pentester.com/
Privacy Guides data removal tools: https://www.privacyguides.org/en/data-broker-removals/
Techlore video on data removal: https://www.youtube.com/watch?v=tESbBM2LZHM
Google’s Results About You: https://myactivity.google.com/results-about-you?pli=1
How to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/
How and why to plant your flag: https://firewallsdontstopdragons.com/why-you-need-to-plant-your-flag/
Strong passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/
Backing up 2FA codes: https://firewallsdontstopdragons.com/how-to-backup-2fa-seed-codes/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:00: News preview
0:06:33: Illinois governor approves business-friendly overhaul of biometric privacy law
0:11:18: US appeals court rules geofence warrants are unconstitutional
0:14:51: To Fight Surveillance Pricing, We Need Privacy First
0:21:56: FTC Announces Final Rule Banning Fake Reviews and Testimonials
0:28:25: CFPB Forecasts New Rule Cracking Down on Consumer Data Sales
0:32:57: Hackers may have stolen the Social Security numbers of every American
0:44:25: Inside the “3 Billion People” National Public Data Breach
1:03:48: CR: Evaluating People-Search Site Removal Services
1:06:36: Tip of the Week: OSINT Final Steps
1:19:55: Wrap-up

Aug 26, 2024 · 1h 21m

Dating App Privacy

Finding your soul mate, or even just a one-night stand, can all be done digitally now; there’s an app for that. Several, in fact. But in order to find the best match, you need to turn over a lot of extremely personal information. You probably also need to let the app track your location, so you’re only matched with people within some acceptable distance. You would hope that dating apps would be better than other apps at securing your private data... but are they? And are these services selling your data to advertisers? Today I answer these questions and many more with Zoë MacDonald from Mozilla’s Privacy Not Included team, which recently published a full report on this topic.

Interview Notes
Privacy Not Included report on dating apps: https://foundation.mozilla.org/en/privacynotincluded/articles/data-hungry-dating-apps-are-worse-than-ever-for-your-privacy/
Mozilla Foundation: https://foundation.mozilla.org/en/?form=donate-header
Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/
Falling out of love with dating apps: https://www.theguardian.com/lifeandstyle/2023/oct/28/its-quite-soul-destroying-how-we-fell-out-of-love-with-dating-apps
Using dating apps to locate someone: https://www.techradar.com/pro/privacy-flaw-in-top-dating-apps-could-have-revealed-user-location-down-to-2-metres
How to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:06: Freeze your credit!
0:04:19: How do modern dating apps work, exactly?
0:08:19: How do they find compatible matches?
0:10:34: Do these apps require constant access to your current location?
0:14:50: How much information used by these apps is inferred vs explicitly requested?
0:17:59: Do these apps use inferred data to weed out bad actors?
0:20:36: How did you decide which apps to evaluate?
0:23:54: What were your key takeaways and most alarming findings?
0:25:57: Do apps owned by the same parent company have similar privacy policies?
0:27:28: How transparent are these apps about sharing your data?
0:29:08: Was there any correlation between app cost and monetizing your data?
0:31:20: Are dating apps better about securing your personal data?
0:33:53: Do any of the dating apps offer end-to-end encryption of DMs?
0:35:40: Do these services try to keep you from leaving the app?
0:39:03: Once you find a match, can you get a refund for unused subscription time?
0:40:28: How do new AI features on dating apps affect your privacy?
0:43:30: Have there been any major dating service data breaches?
0:45:05: How bad are these apps for romance scams like ‘pig butchering’?
0:47:10: If I still want to use a dating app, how do I maximize my privacy?
0:51:19: Can I use a service on the web only (no app)? Can I delete my data?
0:54:20: How well do dating apps actually work, in terms of finding a mate?
0:57:02: Wrap-up and looking ahead

Aug 19, 2024 · 1h 0m

Hacker Summer Camp 2024

It’s time once again for cybersecurity professionals to make the pilgrimage to the scorching desert of Las Vegas, Nevada for a week of tech conferences that we lovingly refer to as Hacker Summer Camp. Today I’ll bring you my on-the-ground reporting from BSides and DEF CON. I’ll also bring you part 2 of my series on Open Source Intelligence (OSINT) and how to purge your personal data from the web. In the news this week: Vegas hotels search hackers’ rooms; Apple and others fix an old but important browser bug; the NFL rolls out more facial recognition at stadiums; Ford looks to patent car surveillance tech; automakers sold your data to brokers for pennies; a federal court rules that border agents can no longer search your smartphone without a warrant; and a judge rules that Google is a monopoly.

Article Links
[404media.co] Hotel to Search Rooms During DEF CON Hacking Conference https://www.404media.co/hotel-to-search-rooms-during-def-con-hacking-conference/
[AppleInsider] Apple has closed an ancient macOS Safari security hole https://appleinsider.com/articles/24/08/07/apple-has-closed-an-ancient-macos-safari-security-hole
[therecord.media] NFL to roll out facial authentication software league-wide https://therecord.media/nfl-to-roll-out-facial-authentication-league-wide
[therecord.media] Ford wants patent for tech allowing cars to surveil and report speeding drivers https://therecord.media/ford-seeks-patent-cars-surveil-speeders-report-to-police
[The New York Times] Automakers Sold Driver Data for Pennies, Senators Say https://www.nytimes.com/2024/07/26/technology/driver-data-sold-for-pennies.html
[9to5Mac] Border agents cannot search smartphones without a warrant, rules federal court https://9to5mac.com/2024/07/29/cannot-search-smartphones-without-a-warrant/
[AppleInsider] Judge rules Google is a search and advertising monopoly https://appleinsider.com/articles/24/08/05/judge-rules-that-google-is-a-search-and-advertising-monopoly
Tip of the Week: OSINT Remediation https://firewallsdontstopdragons.com/osint-remediation/

Further Info
BSides Las Vegas: https://bsideslv.org/
DEF CON 32: https://defcon.org/html/defcon-32/dc-32-index.html
UnDisruptible27: https://securityandtechnology.org/undisruptable27/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:26: Summer Camp Highlights
0:10:25: Hotel to Search Rooms During DEF CON
0:15:14: Apple has closed an ancient macOS Safari security hole
0:20:00: NFL to roll out facial authentication software league-wide
0:26:25: Ford wants patent for tech allowing cars to surveil and report speeding drivers
0:29:38: Automakers Sold Driver Data for Pennies, Senators Say
0:32:46: Border agents cannot search smartphones without a warrant
0:36:44: Judge rules Google is a search and advertising monopoly
0:40:52: Tip of the Week: OSINT Remediation
0:54:25: EFF Tech Trivia update

Aug 12, 2024 · 59 min

Catch You on the BSide

Jack Daniel is a storyteller, wanderer, comic, bartender, blacksmith, luthier, historian, mechanic, and the world’s oldest millennial. He is also one of the founders of Security BSides. Jack has a colorful and interesting history, and today we’ll learn how and why he started BSides, delve into a little hacker conference history, talk about modern hackers and cybersecurity conferences and how he’s seen them change over the years, and hear why hackers and their conferences are so different from the rest of the industry.

Interview Notes
Jack Daniel: https://www.linkedin.com/in/jackadaniel/
BSides official site: https://bsides.org/
BSides Las Vegas (part of hacker summer camp): https://bsideslv.org/
InfoSecMap: https://infosecmap.com/
Cult of the Dead Cow interview: https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/
Jeff Moss interview #1: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Jeff Moss interview #2: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/
CackalackyCon: https://cackalackycon.org/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:49: Interview lingo
0:04:05: How did you get into the world of cybersecurity and hacking?
0:12:40: Why did you start BSides?
0:17:43: What were some of the first BSides talks like?
0:21:42: What are the founding principles of BSides?
0:28:00: What approval do you need to start a BSides conference?
0:34:44: How have other hacker conferences influenced BSides and vice versa?
0:36:53: Is there a beef between BSides and Black Hat?
0:38:58: What’s your connection with ShmooCon?
0:42:42: How have hackers and these conferences changed since the old days?
0:47:40: Discussion on responsible disclosure
0:50:39: Two different kinds of presenters
0:54:02: You might be a hacker if…
1:01:30: What’s the best way to find a local hacker conference?
1:06:50: BSides is about community
1:08:29: Interview wrap-up
1:11:19: Patron content
1:11:53: Looking ahead

Aug 5, 2024 · 1h 14m

CrowdStrike Lessons Learned

Last week, we all learned about a company called CrowdStrike that apparently has the capability to single-handedly bring multiple airlines, hospitals and other large companies to their knees in an instant. There are many lessons we should be learning from this incident, though I’m not going to hold my breath. I’ll tell you what happened and what I think we should be doing to avoid a repeat in the future. In other news: Google finally throws in the towel on blocking third-party cookies; a private organization claims to have gained access to advertising-based location data on Trump’s shooter; Republican VP candidate JD Vance forgot to make his Venmo data private; leaked docs show which phones Cellebrite can and can’t unlock; Meta takes down thousands of accounts related to a sextortion ring; and for my Tip of the Week, we’ll tackle part 1 of my article on deleting your public data from the web.

Article Links
[AppleInsider] Google gives up on Chrome plan to ditch third-party cookies https://appleinsider.com/articles/24/07/23/google-gives-up-on-chrome-plan-to-ditch-third-party-cookies
[404media.co] Heritage Foundation Claims to Use Location Data to Track Trump Shooter’s Movements https://www.404media.co/heritage-foundation-claims-to-use-location-data-to-track-trump-shooters-movements/
[9to5Mac] J.D. Vance Venmo connections public, as privacy failing still in place six years later https://9to5mac.com/2024/07/19/jd-vance-venmo-connections-public/
[404media.co] Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/
[The Washington Post] Meta takes down thousands of Facebook, Instagram accounts running sextortion scams from Nigeria https://www.washingtonpost.com/business/2024/07/24/meta-nigeria-sextortion-scam-instagram-facebook/fce496c6-49b8-11ef-9149-c75da5dd9201_story.html
[Schneier Blog] The CrowdStrike Outage and Market-Driven Brittleness https://www.schneier.com/blog/archives/2024/07/the-crowdstrike-outage-and-market-driven-brittleness.html
Tip of the Week: OSINT Reconnaissance https://firewallsdontstopdragons.com/osint-reconnaissance/

Further Info
Book surge results: https://fdsd.me/booksurge
Moxie Marlinspike (Signal) on Cellebrite vulnerabilities: https://signal.org/blog/cellebrite-vulnerabilities/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:51: AT&T breach update
0:01:44: News rundown
0:03:56: Google gives up on Chrome plan to ditch third-party cookies
0:08:28: Group Claims to Use Location Data to Track Trump Shooter’s Movements
0:13:42: J.D. Vance Venmo connections public
0:19:28: Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock
0:27:35: Meta takes down thousands of accounts running sextortion scams
0:31:21: Lessons from the CrowdStrike Outage
0:44:52: Tip of the Week: OSINT Reconnaissance
0:55:20: Book surge report
0:57:06: More help will be needed
0:58:10: Looking ahead

Jul 29, 2024 · 59 min

Open Source Intelligence

If someone decided to dig into your life – perhaps even try to ‘dox’ you – how might they go about doing that? What could they find about you right now on the internet? You might be surprised at how much information is readily available from public sources, including your local government agencies and state databases. Today I’ll be talking with Jason Edison from Intel Techniques, whose day job is using open source intelligence, or OSINT, to find suspected criminals and whose night job is helping people remove that same information to protect their privacy and even personal security.
Interview Notes
Intel Techniques: https://inteltechniques.com/
Data Removal Guide: https://inteltechniques.com/workbook.html
Data Removal Workbook (PDF): https://inteltechniques.com/data/workbook.pdf
Credit Freeze Guide: https://inteltechniques.com/freeze.html
MySudo privacy app: https://mysudo.com/
SimpleLogin (Proton) email aliases: https://simplelogin.io/
Private credit cards: https://privacy.com/
Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:41: Interview setup
0:02:34: What do you do for your day job in law enforcement?
0:05:17: What is open source intelligence, exactly?
0:08:41: What are your primary sources for OSINT?
0:12:01: What is doxing and how might it impact someone?
0:14:56: How does an OSINT specialist also value personal privacy?
0:22:36: How do others in law enforcement view data collection and privacy?
0:28:36: When emotional cases arise, do officials favor privacy rights over catching bad guys?
0:33:32: How do we balance privacy rights vs public safety?
0:39:19: How would you do a full workup on someone?
0:45:18: Where do people overshare or give away the most personal information?
0:52:31: How much of my personal information is available via public records?
0:56:43: Will tools like AI help us find the needles in the haystacks?
1:00:56: What about data deletion services – are they worth it?
1:07:51: How useful are email and phone aliases for privacy?
1:11:17: How do you prove your identity to deletion sites without giving more info?
1:17:10: What tools can I find at Intel Techniques?
1:19:00: My data deletion journey

Jul 22, 2024 (1h 21m)

How & Why to Block Ads

Ads on the web are beyond annoying – they are actually a threat to your privacy and sometimes even your security. Ads pay for a lot of the “free” web content we consume, but until ad networks stop tracking us and selling ad space to phishing and malware groups, we need tools to block them. Today I’ll give you two solid options for doing so. In the news: Australian man charged for WiFi scam on flights; Airbnb reveals 35,000 complaints about hidden cameras; Linksys routers expose WiFi credentials; a massive new hacker list contains 10 billion unique passwords; a new AT&T call and text records data breach; Signal gets flak for response to storing encryption keys in the clear; Mozilla launches “privacy-preserving” ad attribution system (on by default); Proton launches encrypted Google Docs competitor.
Article Links
[The Hacker News] Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html
[9to5Mac] 35,000 complaints about hidden cameras in Airbnb properties https://9to5mac.com/2024/07/10/hidden-cameras-in-airbnb-properties/
[stackdiary.com] Linksys Velop routers send Wi-Fi passwords in plaintext to US servers https://stackdiary.com/linksys-velop-routers-send-wi-fi-passwords-in-plaintext-to-us-servers/
[cybernews.com] RockYou2024: 10 billion passwords leaked in the largest compilation of all time https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
[TechCrunch] What the AT&T call records data breach means for you https://techcrunch.com/2024/07/12/what-the-att-call-records-data-breach-means-for-you/
[stackdiary.com] Signal under fire for storing encryption keys in plaintext https://stackdiary.com/signal-under-fire-for-storing-encryption-keys-in-plaintext/
[Mozilla] Privacy-Preserving Attribution https://support.mozilla.org/en-US/kb/privacy-preserving-attribution
[Lifehacker] Why You Should Consider Proton Docs Over Google https://lifehacker.com/tech/why-you-should-consider-proton-docs-over-google
Tip of the Week: How & Why to Block Ads https://firewallsdontstopdragons.com/how-and-why-to-block-ads/
Further Info
Enter the DEF CON 32 ticket raffle: send email to [email protected]
Techlore NextDNS tutorial: https://www.youtube.com/watch?v=WUG57ynLb8I
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:21: Book surge report
0:03:00: News rundown
0:05:06: Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights
0:09:50: 35,000 complaints about hidden cameras in Airbnb properties
0:15:31: Linksys Velop routers send Wi-Fi passwords in plaintext to US servers
0:20:29: 10 billion passwords leaked in the largest compilation of all time
0:26:51: What the AT&T call records data breach means for you
0:32:37: Signal under fire for storing encryption keys in plaintext
0:47:24: Mozilla’s new Privacy-Preserving Attribution
0:58:58: New: Proton Docs!
1:00:18: Tip of the Week: How & Why to Block Ads
1:12:41: Wrap up
1:13:01: Book surge report
1:15:25: DEF CON 32 ticket raffle!
1:17:48: Looking ahead

Jul 15, 2024 (1h 18m)