Firewalls Don’t Stop Dragons Podcast

Software plugins allow you to add functionality to existing applications. Web browsers commonly use these extensions to add functionality like shopping helpers, password managers, ad blockers and much, much more. In a way, these add-ons are like “apps” for the browser. Like apps, they can view and manipulate your data. In the browser, they may alter the web page, track pages you visit, and even mine any data you might enter into web forms. Also like apps, plugins can have permissions which you must agree to when you install them. Therefore, we need to be very careful which plugins we install and make sure we trust the maker. Today I’ll explain how to audit your plugins.

In other news: The TikTok ban has been given a 75-day reprieve; the Trump administration fires scores of cybersecurity experts; Apple Intelligence will soon be enabled by default on iPhones and Macs; some clever researchers have hacked the iPhone USB-C connection; a tricky new smishing campaign tricks users into bypassing Apple protections; PowerSchool hack affects 62M students and 9M teachers; new AI took can identify where a photo was taken; Subaru hack exposes scary amount of location data collection; fuzzing tool find over 100 bugs in modern cellular network; Texas sues Allstate for using private car data; FTC to ban GM from sharing location info; exercise equipment collects lots of personal data; federal court finally rules that Section 702 FISA data access requires a warrant.

Article Links

1. [theverge.com] Trump signs order refusing to enforce TikTok ban for 75 days https://www.theverge.com/2025/1/20/24348213/trump-tiktok-ban-executive-order-sale-delay-china
2. [techcrunch.com] Trump administration fires members of cybersecurity review board in “horribly shortsighted” decision https://techcrunch.com/2025/01/22/trump-administration-fires-members-of-cybersecurity-review-board-in-horribly-shortsighted-decision/
3. [macrumors.com] macOS Sequoia 15.3 and iOS 18.3 Enable Apple Intelligence Automatically https://www.macrumors.com/2025/01/21/macos-sequoia-15-3-apple-intelligence-opt-out/
4. [9to5mac.com] Security vulnerability in iPhone’s USB-C port, and a gotcha with iMessage scams https://9to5mac.com/2025/01/14/security-vulnerability-in-iphones-usb-c-port-and-a-gotcha-with-imessage-scams/
5. [Tech Radar] PowerSchool hack keeps getting worse – 62 million students now thought to be affected https://www.techradar.com/pro/security/powerschool-hack-keeps-getting-worse-62-million-students-now-thought-to-be-affected
6. [404media.co] The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds https://www.404media.co/the-powerful-ai-tool-that-cops-or-stalkers-can-use-to-geolocate-photos-in-seconds/
7. [wired.com] Subaru Security Flaws Exposed Its System for Tracking Millions of Cars https://www.wired.com/story/subaru-location-tracking-vulnerabilities/
8. [The Hacker News] RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations https://thehackernews.com/2025/01/ransacked-over-100-security-flaws-found.html
9. [gizmodo.com] Texas Sues Allstate for Collecting Driver Data to Raise Premiums https://gizmodo.com/texas-sues-allstate-for-collecting-driver-data-to-raise-premiums-2000549878
10. [techcrunch.com] GM banned from sharing driving and location data with insurance companies https://techcrunch.com/2025/01/17/gm-banned-from-sharing-driving-and-location-data-with-insurance-companies/
11. [consumerreports.org] Your Exercise Bike Knows a Lot About You—and It Doesn’t Keep Every Secret https://www.consumerreports.org/health/health-privacy/exercise-machine-privacy-a3907557984/
12. [eff.org] VICTORY! Federal Court (Finally) Rules Backdoor Searches of 702 Data Unconstitutional https://www.eff.org/deeplinks/2025/01/victory-federal-court-finally-rules-backdoor-searches-702-data-unconstitutional
13. Tip of the Week: Treat Extensions Like Apps: https://firewallsdontstopdragons.com/treat-extensions-like-apps/ 

Further Info

• Data Privacy Week 2025: https://firewallsdontstopdragons.com/data-privacy-week-2025/ 
• Private TikTok web app: https://www.sticktock.com/ 
• Enabling Apple’s Advanced Data Protection: https://support.apple.com/en-us/108756 
• OSINT location analysis examples: https://gralhix.com/list-of-osint-exercises/osint-exercise-001/ 
• Claw Your Data Back tool: https://cyd.social/ 
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Generate secure passphrases! https://d20key.com/#/

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:07: Intro
• 0:01:03: Listener survey ended
• 0:01:37: News preview
• 0:03:54: Trump signs order refusing to enforce TikTok ban for 75 days
• 0:10:02: Trump administration fires members of cybersecurity review board in “horribly shortsighted” decision
• 0:14:50: macOS Sequoia 15.3 and iOS 18.3 Enable Apple Intelligence Automatically
• 0:21:51: Security vulnerability in iPhone’s USB-C port, and a gotcha with iMessage scams
• 0:24:51: Clever iPhone Smishing attack
• 0:28:35: PowerSchool hack keeps getting worse
• 0:32:55: The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds
• 0:43:37: Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
• 0:49:28: 5G fuzzing
• 0:54:02: Allstate sued, FTC Bans GM data selling, fitness device data
• 0:56:52: FISA 702 court victory
• 1:01:23: Tip of the Week: Treat Plugins Like Apps
• 1:08:12: Wrap up and looking ahead

There are way too many data brokers and they have way too much of our data. We’ve talked a lot lately about what you can do to reclaim your privacy and claw back some of that data and today I’m going to give you yet another interesting tool for your privacy toolbox: Permission Slip. This app and the related service, brought to you by Consumer Reports, will work on your behalf to request that these data brokers relinquish your information, or at least suppress the sharing of that data to the extent that’s legally possible. The tool has some helpful and interesting features that you may not find on other, similar services. Sukhi Gulati GIlbert is my guest today and will explain why you should consider using this tool and how it supports the overall effort to rein in dangerous business of data mining.

Interview Notes

• Permission Slip app: https://permissionslipcr.com/ 
• Protecting Your Privacy Online: https://www.consumerreports.org/electronics/privacy/from-our-president-protecting-your-privacy-online-a1603013649/ 
• Digital Security & Privacy: https://www.consumerreports.org/digital-security-privacy/ 
• CR Report on data deletion services (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/08/Data-Defense_-Evaluating-People-Search-Site-Removal-Services-.pdf 
• California data broker registry: https://cppa.ca.gov/data_broker_registry/ 
• How to download the Vermont data broker list (which doesn’t seem to work): https://www.muckrock.com/foi/vermont-80/vermont-data-broker-db-107096/ 
• My article series on data deletion: https://firewallsdontstopdragons.com/osint-reconnaissance/ 

Further Info

• Annual listener survey!! https://fdsd.me/survey2025 
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:12: Intro
• 0:00:51: Couple quick news notes
• 0:01:45: Last call: listener survey
• 0:02:47: Interview setup
• 0:03:48: What brought you to Consumer Reports and the Permission Slip app?
• 0:07:19: How does Permission Slip compare to other data deletion services?
• 0:14:17: Where are the data brokers getting so much of our personal info?
• 0:17:00: How do I use Permission Slip?
• 0:21:47: What info does Permission Slip give to brokers?
• 0:24:42: Is it more effective to request data deletion yourself versus using a service?
• 0:31:12: What level of success should I expect when deleting my data?
• 0:33:16: Are there any limitations or exclusions for data deletion?
• 0:38:19: What if you live in a state or country with no privacy laws?
• 0:39:44: Can we limit access to our public data records?
• 0:41:24: Does freezing your credit do anything to limit data sharing?
• 0:43:53: How broken is the ‘notice and consent’ model for privacy?
• 0:45:57: Would it help to actively spread incorrect personal info?
• 0:48:31: How else can we reduce our data footprint?
• 0:50:04: What’s next for Consumer Reports in terms of privacy?
• 0:53:46: What does Permission Slip Pro cost?
• 0:55:19: Interview wrap-up
• 0:59:11: Patron content preview
• 0:59:50: Looking ahead

The start of a new year is always a good time to add some big juicy goals to your to-do list – call them New Year’s Resolutions, if that works for you, but really it’s just about making up your mind to tackle some important personal objectives. Today I’ll give you several ideas to improve your privacy and security in 2025, and those around you.

In the news: dozens of malicious Chrome Browser extensions identified; net neutrality is dead, again, and probably for good this time; Apple to pay a meager $95M to settle a Siri privacy class action suit; Apple’s new Enhanced Visual Search is enabled by default and sending data to Apple; proposed ban on TP-Link routers is missing the real problem; Google’s change in its Privacy Sandbox policy seems to now allow the use of device fingerprinting; proposed HIPAA amendments will close major health data security gaps.

Article Links

1. [Ars Technica] Time to check if you ran any of these 33 malicious Chrome extensions https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/
2. Terms of service study: https://www.helpnetsecurity.com/2016/07/14/agree-terms-conditions-lie/ 
3. [nytimes.com] Net Neutrality Rules Struck Down by Appeals Court https://www.nytimes.com/2025/01/02/technology/net-neutrality-rules-fcc.html
4. [reuters.com] Apple to pay $95 million to settle Siri privacy lawsuit https://www.reuters.com/legal/apple-pay-95-million-settle-siri-privacy-lawsuit-2025-01-02/
5. [macrumors.com] Apple Says Siri Data Has Never Been Sold or Used for Marketing  https://www.macrumors.com/2025/01/06/apple-siri-data-not-sold-for-marketing/ 
6. [9to5mac.com] Enhanced Visual Search shares your photos with Apple by default, to identify landmarks https://9to5mac.com/2024/12/30/enhanced-visual-search-shares-your-photos-with-apple-by-default-to-identify-landmarks/
7. [csoonline.com] No evidence that TP-Link routers are a Chinese security threat https://www.csoonline.com/article/3504775/no-evidence-that-tp-link-routers-are-a-chinese-security-threat.html
8. [Lukasz Olejnik blog] Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/
9. [Dark Reading] Proposed HIPAA Amendments Will Close Healthcare Security Gaps https://www.darkreading.com/cyber-risk/proposed-hipaa-amendments-close-healthcare-security-gaps
10. Tip of the Week: https://firewallsdontstopdragons.com/new-years-resolutions-2025/ 

Further Info

• Annual listener survey!! https://fdsd.me/survey2025 
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:07: Intro
• 0:01:24: News preview
• 0:02:59: Time to check if you ran any of these 33 malicious Chrome extensions
• 0:12:51: Net Neutrality Rules Struck Down by Appeals Court
• 0:16:49: Apple to pay $95 million to settle Siri privacy lawsuit
• 0:19:02: Apple Says Siri Data Has Never Been Sold or Used for Marketing
• 0:26:29: Enhanced Visual Search shares your photos with Apple by default
• 0:35:23: No evidence that TP-Link routers are a Chinese security threat
• 0:47:01: Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting
• 0:53:08: Proposed HIPAA Amendments Will Close Healthcare Security Gaps
• 0:57:16: Tip of the Week: New Years Resolutions for 2025!
• 1:04:53: Wrap-up

There are many ways in which we are tracked in the real world, but one of the most ubiquitous and insidious technologies is Automated License Plate Readers. These camera systems are deployed in just about every city by both public and private organizations. Furthermore, the third parties who sell and operate these systems collect and collate data from around the country, making it available to law enforcement and marketing firms. Because these systems capture images of your car, they can also document the make, model and color, any distinguishing marks, and even bumper stickers. Today we’ll discuss how and where these systems are deployed, who has access to the data, the repercussions of this mass surveillance and how it can go horribly wrong with my guests Adam Schwartz and Gowri Nayar from the Electronic Frontier Foundation.

Interview Notes

• Donate to the EFF: https://supporters.eff.org/donate/join-eff-today 
• The Human Toll of ALPR Errors: https://www.eff.org/deeplinks/2024/11/human-toll-alpr-errors 
• EFF’s Street Level Surveillance: https://sls.eff.org/ 
• Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops 
• US 100-mile “border zone” facts: https://www.aclu.org/know-your-rights/border-zone 
• Flock camera map: https://www.404media.co/the-open-source-project-deflock-is-mapping-license-plate-surveillance-cameras-all-over-the-world/ 
• DeFlock: https://deflock.me 
• Flock transparency page example: https://transparency.flocksafety.com/riverside-county-ca-sd 

Further Info

• Annual listener survey!! https://fdsd.me/survey2025 
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:20: Intro
• 0:01:24: Listener survey and book giveaway
• 0:03:16: ShmooCon in DC this weekend
• 0:04:21: Interview setup
• 0:05:27: What prompted you to write about ALPRs?
• 0:08:11: How do ALPRs work and what info can they capture?
• 0:10:14: How long have ALPRs been around and how is EFF tracking their use?
• 0:11:34: Where are these systems deployed? How do we recognize them?
• 0:14:19: How does mobile ALPR data collection work?
• 0:15:58: Are police departments transparent about the use of ALPRs?
• 0:18:09: Is there a way know where ALPR systems are deployed?
• 0:20:46: How accurate are ALPRs? What are the consequences of failure?
• 0:22:37: Are license plate “hot lists” shared across jurisdictions?
• 0:25:41: Where is ALPR data stored? For how long? Who has access?
• 0:27:40: Is ALPR data shared among local and federal agencies? How often is the data abused?
• 0:31:04: Do the ALPR system operators sell this data to anyone else?
• 0:36:04: What legal expectation of privacy do I have in public spaces?
• 0:42:57: How does the legal “third party doctrine” apply to ALPR data?
• 0:45:01: How do we balance the need to catch bad guys with the use of surveillance tech?
• 0:50:18: Is there any surveillance tech that EFF feels should be banned outright?
• 0:52:17: Does EFF consult with law enforcement on deployment of surveillance tech?
• 0:53:05: If we’re concerned about surveillance tech being deployed, what can we do?
• 0:58:19: Interview wrap-up
• 0:59:29: Notes on the “border zone” width in the US
• 1:01:09: Patron preview
• 1:02:01: Survey reminder
• 1:02:50: Looking ahead

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Micah Lee (author, journalist), Nick Weaver (cybersecurity researcher), Kate Black (health data specialist), Jason Edison (OSINT expert), Dani Cronce and Lizzie Moratti (TunnelVision hack), Bruce Schneier (cryptographer, author), and Carissa Véliz (author, professor).

Original Interview Links

1. Ep358: Micah Lee https://podcast.firewallsdontstopdragons.com/2024/01/08/investigating-data-leaks/ 
2. Ep360: Nick Weaver https://podcast.firewallsdontstopdragons.com/2024/01/22/rise-of-the-slaughterbots/ 
3. Ep368: Kate Black https://podcast.firewallsdontstopdragons.com/2024/03/18/health-data-privacy/ 
4. Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ 
5. Ep388: Jack Daniel https://podcast.firewallsdontstopdragons.com/2024/08/05/catch-you-on-the-bside/ 
6. Ep396: Dani Cronce & Lizzie Moratti https://podcast.firewallsdontstopdragons.com/2024/09/30/tunnelvision-vpns-and-you/ 
7. Ep400: Bruce Schneier https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/ 
8. Ep404: Carissa Véliz https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/ 

Related Links

1. Micah’s book: https://hacksandleaks.com/
2. Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/
3. Security BSides: https://bsides.org/w/page/12194156/FrontPage 
4. Frankie’s Tiki Room (Las Vegas): https://frankiestikiroom.com/ 
5. Intel Techniques: https://inteltechniques.com/ 
6. TunnelVision: https://www.tunnelvisionbug.com/
7. Schneier Blog: https://www.schneier.com/
8. Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/  

Further Info

• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:24: New Years coming up
• 0:00:48: Show preview
• 0:02:33: Ep358: Micah Lee – the Snowden docs
• 0:11:48: Ep360: Nick Weaver – other types of killer drones
• 0:18:02: Ep368: Kate Black – how do you know if a site or app respects health privacy?
• 0:20:22: Ep386: Jason Edison – what’s it like trying to protect the privacy of celebrities?
• 0:26:53: Ep388: Jack Daniel – the story of the Les Pukelele
• 0:33:39: Ep396: Dani Cronce & Lizzie Moratti – getting into hacking
• 0:42:08: Ep400: Bruce Schneier – can we ever make our devices secure out of the box?
• 0:48:01: Ep404: Cariss Veliz – should STEM students be required to take ethics classes?
• 0:53:05: Wrap-up

I’m digging into the vault for a classic replay! I first interviewed Phil Zimmermann, creator of Pretty Good Privacy (PGP), on May 7, 2018. It was Episode 63 (we’re now at 408) and it was entitled “We Now Live in the Golden Age of Surveillance”. In this episode we talk a little about the origins of PGP in the 1990’s and what he feels about the FBI’s claims that we’re “going dark” due to strong end-to-end encrypted communications. I’ve added some new commentary, but the original episode is preserved in all of its original glory!

Interview Notes

• Original Ep63 interview: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
• Ep214: Social Media is Ruining Society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society/ 
• Ep243: Through the Past, Privately: PGP Turns 30 https://podcast.firewallsdontstopdragons.com/2021/10/25/through-the-past-privately-pgp-turns-30/ 
• Phil Zimmermann’s website: https://philzimmermann.com/ 

Further Info

• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:26: Flashback setup
• 0:02:18: Original intro
• 0:03:20: What drove you to create PGP?
• 0:06:32: Why were you prosecuted for PGP?
• 0:13:08: Isn’t banning cryptography like trying to ban math?
• 0:15:13: What’s the difference between security and privacy?
• 0:17:04: Is it possible to be truly anonymous online today?
• 0:19:06: How is the average person tracking online today?
• 0:21:49: What are the most private ways to communicate online?
• 0:24:44: How do we identify trustworthy attachments?
• 0:25:30: How secure is SMS (texting)?
• 0:29:41: Are we “going dark”?
• 0:32:44: Can we escape mass surveillance?
• 0:36:35: What’s next for you?
• 0:38:09: Original interview wrap-up
• 0:40:38: Flashback wrap-up
• 0:41:00: ShmooCon 2025
• 0:41:56: Looking ahead

I’ve had some truly amazing interviews this past year. For your listening enjoyment, I’ve curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you’ve never listened to my podcast, this will give you a taste of what you’re missing! If you’re a regular listener, this will be a fun trip down memory lane, complete with a little new commentary. Enjoy!

Original Interview Links

1. Ep362: Patrick Wardle https://podcast.firewallsdontstopdragons.com/2024/02/05/securing-your-mac/ 
2. Ep364: Jen Caltrider https://podcast.firewallsdontstopdragons.com/2024/02/19/car-privacy-is-horrid/ 
3. Ep366: 404 Media https://podcast.firewallsdontstopdragons.com/2024/03/04/how-our-data-is-abused/   
4. Ep375: Dina Temple-Raston https://podcast.firewallsdontstopdragons.com/2024/05/13/inside-ukraines-it-army/ 
5. Ep378: Naomi Brockwell https://podcast.firewallsdontstopdragons.com/2024/05/27/why-privacy-matters/ 
6. Ep380: Joseph Cox https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/ 
7. Ep382: Byron Tau https://podcast.firewallsdontstopdragons.com/2024/06/24/means-of-control/ 
8. Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ 
9. Ep392: Andy Yen https://podcast.firewallsdontstopdragons.com/2024/09/02/crazy-proton-summer/ 
10. Ep398: Space Rogue (Cris Thomas) https://podcast.firewallsdontstopdragons.com/2024/10/14/l0pht-heavy-industries/ 
11. Ep400: Bruce Schneier https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/ 
12. Ep402: Stacey Higginbotham https://podcast.firewallsdontstopdragons.com/2024/11/11/cutting-the-software-tether/ 
13. Ep404: Carissa Veliz https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/ 

Related Links

1. Objective-See: https://objective-see.org/ 
2. 404 Media: https://www.404media.co/ 
3. Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ 
4. Click Here: https://therecord.media/podcast 
5. NBTV: https://www.nbtv.media/ 
6. Dark Wire: https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/ 
7. Means of Control: https://www.penguinrandomhouse.com/books/706321/means-of-control-by-byron-tau/ 
8. Intel Techniques: https://inteltechniques.com/ 
9. Proton: https://proton.me/ 
10. Space Rogue book: https://www.amazon.com/Space-Rogue-Hackers-Known-Changed-ebook/dp/B0BRQWPBGL
11. Schneier Blog: https://www.schneier.com/
12. Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/  

Further Info

• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:26: Show preview
• 0:02:22: Ep362: Patrick Wardle – Mac hardening
• 0:05:55: Ep364: Jen Caltrider – Car privacy not included
• 0:11:13: Ep366: 404 Media – abuse of public camera data
• 0:21:35: Ep375: Dina Temple-Raston – what we should learn from the cyber war in Ukraine
• 0:30:41: Ep378: Naomi Brockwell – fighting for our privacy
• 0:36:40: Ep380: Joseph Cox – what did law enforcement learn from Anom?
• 0:39:22: Ep382: Byron Tau – how law enforcement hides their data gathering
• 0:45:43: Ep386: Jason Edison – how does law enforcement view mass surveillance?
• 0:57:10: Ep392: Andy Yen – why Proton embraced AI tech
• 1:04:08: Ep398: Space Rogue (Cris Thomas) – do you need a college degree to work in cybersecurity?
• 1:11:05: Ep400: Bruce Schneier – how AI will change politics and law
• 1:19:02: Ep402: Stacey Higginbotham – escrowing money to address IoT software tethering problems
• 1:22:50: Ep404: Carissa Veliz – will the younger generation every have privacy?
• 1:30:31: Looking ahead

Have you ever searched for your personal information online? There are dozens of “people search sites” out there, but a simple Google search can also find information about you, too. Behind the scenes, there are hundreds if not thousands of data brokers who are scouring the web constantly for your info creating dossiers on all of us, for sale to anyone willing to pay. We have no federal privacy laws in the US, but even if you live in the EU (with GDPR) or a US state with some privacy protections (like California), you still may find your data online – because much it comes from public records, including voting records, property tax records, and legal filings. How do you find your data? Where did it come from? And more important, what can you do about it? Today will discuss this and more with Ben and Tyler, the founders of data deletion service EasyOptOuts.

Interview Notes

• EasyOptOuts: https://easyoptouts.com/ 
• Consumer Reports study: https://www.consumerreports.org/electronics/personal-information/services-that-delete-data-from-people-search-sites-review-a2705843415/ 
• Brian Krebs on Radaris: https://krebsonsecurity.com/2024/03/a-close-up-look-at-the-consumer-data-broker-radaris/ 
• My blog series on data removal: https://firewallsdontstopdragons.com/osint-reconnaissance/ 
• Jason Edison OSINT interview: https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ 
• Big Ass Data Broker Opt Out List: https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List 

Further Info

• Help me reach more people! https://fdsd.me/awareness2
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:01:04: Staying up to date during December
• 0:01:45: NPR shout out?
• 0:02:25: Interview setup
• 0:04:11: Why did you get into the data deletion business?
• 0:05:58: How does EasyOptOuts differentiate its service?
• 0:09:35: Where do these data brokers get all my information?
• 0:13:37: How often do you find errors in people’s information on these sites?
• 0:15:36: What are the names of some of the top data brokers? Would we know them?
• 0:17:34: Will a credit freeze prevent data sharing?
• 0:19:02: What does it cost to get these people reports?
• 0:21:21: Have you tried deleting data from the recently breached National Public Data?
• 0:23:02: How do the various US state privacy laws impact our ability to delete our data?
• 0:27:52: How many data brokers operate in non-US/EU jurisdictions?
• 0:29:00: Who is selling my data that would surprise me?
• 0:31:26: How did we consent to this data sharing and can we opt out?
• 0:34:14: If I wanted to try to clean up my data myself, how would I go about that?
• 0:38:09: How do I avoid giving away more information while I try to prove my identity?
• 0:41:34: If I would rather use a deletion service, how does that work and what does it cost?
• 0:46:39: After deletion, will my data just be replenished after some amount of time?
• 0:48:01: Any final pro tips on reducing my public data?
• 0:51:02: Interview wrapup
• 0:53:26: Patron bonus content preview
• 0:54:05: Plan for December shows

It’s been too long since I’ve dipped into the listener mailbag, so today I’m going to answer a small selection of your questions on the air! Topics include privacy-respecting baby monitors, the “IoT network” on some Orbi routers, why you can’t really use a computer monitor as a “dumb” TV, and whether browser privacy plugins work on first party tracking.

We’ll also cover some news stories: why you shouldn’t upload medical images to AI chatbots; the Fancy Bear “nearest neighbor” attack; Google’s new website link overlays; the curious case of cutting undersea internet cables; Microsoft’s new Windows Resiliency Initiative; mobile pay apps coming under regulatory scrutiny; iPhone’s new tool to strip metadata from shared photos; and Google now warning you about suspicious apps.

Article Links

1. [techcrunch.com] PSA: You shouldn’t upload your medical images to AI chatbots https://techcrunch.com/2024/11/19/psa-you-shouldnt-upload-your-medical-images-to-ai-chatbots/
2. [darkreading.com] Fancy Bear ‘Nearest Neighbor’ Attack Uses Nearby Wi-Fi Network https://www.darkreading.com/cyberattacks-data-breaches/fancy-bear-nearest-neighbor-attack-wi-fi
3. [9to5google.com] Google’s iOS app now injects links on third-party websites that go back to Search https://9to5google.com/2024/11/25/google-ios-app-link-annotations-search/
4. [newsweek.com] Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links https://www.newsweek.com/chinese-vessel-allegedly-drags-anchor-severs-undersea-cable-links-1992580
5. [dw.com] Hybrid warfare on the seabed? https://www.dw.com/en/baltic-sea-underwater-cable-damage-highlights-hybrid-warfare-on-critical-infrastructure/a-70853706
6. [theverge.com] Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident https://www.theverge.com/2024/11/19/24299873/microsoft-windows-resiliency-initiative-crowdstrike-incident
7. [lifehacker.com] Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated https://lifehacker.com/money/payment-apps-are-about-to-be-more-regulated
8. [lifehacker.com] Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online https://lifehacker.com/tech/your-iphone-can-now-automatically-remove-location-data-from-photos-online
9. [lifehacker.com] The Google Play Store Will Soon Warn You Before You Download a Bad App https://lifehacker.com/tech/the-google-play-store-will-warn-you-bad-app

Further Info

• ExifTool: https://exiftool.org/ 
• Help me reach more people! https://fdsd.me/awareness2
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:51: Holiday PSA
• 0:02:12: News preview
• 0:03:59: PSA: You shouldn’t upload your medical images to AI chatbots
• 0:07:22: Fancy Bear ‘Nearest Neighbor’ Attack Uses Nearby Wi-Fi Network
• 0:12:59: Google’s iOS app now injects links on third-party websites that go back to Search
• 0:15:10: Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links
• 0:18:17: Hybrid warfare on the seabed?
• 0:27:19: Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident
• 0:33:11: Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated
• 0:36:30: Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online
• 0:42:23: The Google Play Store Will Soon Warn You Before You Download a Bad App
• 0:46:20: Finding a private, secure baby monitor
• 0:50:44: IoT Network on Netgear Orbi routers?
• 0:52:50: Using a computer monitor as a dumb TV?
• 0:55:47: Can browser plugins prevent first party tracking?
• 0:59:23: The plan for the rest of the year

Privacy has been defined in many ways. The right to tell your story your own way. The right to have control over your personal information. The right to be left alone. There’s a reason we have T-shirts that say “dance like no one is watching”. We censor ourselves when we’re being watched. But if knowledge is power, then asymmetries in knowledge must lead to asymmetries in power. Privacy is a human right but it’s also a collective good – something we need to respect and support, even if we do not personally feel the need to exercise it. Today I’ll explore why privacy is essential, how it is being threatened, and what we can do to reclaim it with Carissa Véliz, a professor of philosophy and author of the wonderful and important book, Privacy is Power.

Interview Notes

• Carissa’s website: https://www.carissaveliz.com/
• Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/ 
• My review of her book: https://firewallsdontstopdragons.com/privacy-is-power-review/ 
• The Ethics of Privacy and Surveillance: https://www.oxford-aiethics.ox.ac.uk/blog/new-book-ethics-privacy-and-surveillance 
• TEDx: The Case for Ending Data Economy: https://www.youtube.com/watch?v=luCXlPYrTP4 
• Google’s Don’t Be Evil motto history:  https://en.wikipedia.org/wiki/Don’t_be_evil 
• Give Thanks & Donate! https://firewallsdontstopdragons.com/give-thanks-donate/ 

Further Info

• Help me reach more people! https://fdsd.me/awareness2
• Send me your questions! https://fdsd.me/qna 
• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book 
• Subscribe to the newsletter: https://fdsd.me/newsletter 
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons 
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch 
• Give the gift of privacy and security: https://fdsd.me/coupons 
• Support our mission! https://fdsd.me/support 
• Generate secure passphrases! https://d20key.com/#/ 

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:31: Give Thanks & Donate!
• 0:01:27: Follow me on Bluesky
• 0:02:06: Interview setup
• 0:04:17: What inspired you to write this book?
• 0:07:04: What impacts has your book had? Did any response surprise you?
• 0:10:01: When researching the book, what surveillance methods most surprised you?
• 0:13:31: How and when did all this surveillance start?
• 0:15:40: Are behavior ads really more effective than contextual ads?
• 0:19:04: Is it possible to have privacy and still target ads?
• 0:22:08: What’s your take on Google’s Privacy Sandbox concept?
• 0:23:57: Why is the ‘notice and consent’ model such a failure?
• 0:28:14: What’s your take on the notion of data sovereignty?
• 0:30:09: Why is privacy a collective good that we all need to protect?
• 0:32:12: How does asymmetry in knowledge lead to asymmetry in power?
• 0:34:06: Are we at risk of normalizing surveillance for future generations?
• 0:37:09: What will it take to trigger a surveillance backlash?
• 0:40:21: What can we learn from history about overzealous data collection?
• 0:43:35: How will AI technology impact our privacy?
• 0:49:30: Can we reap the benefits of our data without giving up privacy?
• 0:52:45: How do we manifest a society that values and respects privacy?
• 0:56:15: Interview wrap-up
• 0:58:36: Still celebrating 400th episode!
• 0:59:02: Looking ahead

Holiday shopping season is here! And today I'll give you the highlights of my annual Best & Worst Gift Guide for 2024, with regard to privacy and security. The worst offenders may not surprise you, though some have actually gotten worse since just last year. And I have a few new suggestions for people on your nice list! In the news this week: another popular browser extension has gone rogue; Mozilla laid off 30% of their staff; FBI warns that bad guys are filing fraudulent emergency data requests to steal your private info; Apple quietly introduces a brilliant security feature that is frustrating cops; Microsoft will stop providing security updates for Windows 10 next October; a free decryptor was released for ShrinkLocker ransomware; Signal offers new call link feature; an air fryer app is sending your data to China; and Apple announces feature to share AirTag location with others including airlines to help find lost luggage. Article Links [cyberinsider.com] Popular Chrome Extension to Hide YouTube Shorts Turned Malicious https://cyberinsider.com/popular-chrome-extension-to-hide-youtube-shorts-turned-malicious/ [Tech Crunch] Mozilla Foundation lays off 30% staff, drops advocacy division https://techcrunch.com/2024/11/05/mozilla-foundation-lays-off-30-staff-drops-advocacy-division/  [Tech Crunch] FBI says hackers are sending fraudulent police data requests to tech giants to steal people’s private information https://techcrunch.com/2024/11/08/fbi-says-hackers-are-sending-fraudulent-police-data-requests-to-tech-giants-to-steal-peoples-private-information/ [404media.co] Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops https://www.404media.co/apple-quietly-introduced-iphone-reboot-code-which-is-locking-out-cops/ [blog.0patch.com] Long Live Windows 10... With 0patch https://blog.0patch.com/2024/06/long-live-windows-10-with-0patch.html [The Hacker News] Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html [signal.org] Improving Private Signal Calls: Call Links & More https://signal.org/blog/call-links/ [malwarebytes.com] Air fryers are the latest surveillance threat you didn’t consider https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider [macrumors.com] Apple Announces iOS 18.2's New AirTag Location Sharing Feature Coming to These 15+ Airlines https://www.macrumors.com/2024/11/11/apple-announces-airtag-location-sharing/ Best & Worst Gift Guide 2024! https://firewallsdontstopdragons.com/best-worst-gifts-2024/  Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:50: Update Android phones 0:01:23: News preview 0:03:23: Popular Chrome Extension to Hide YouTube Shorts Turned Malicious 0:10:30: Mozilla Foundation lays off 30% staff, drops advocacy division 0:14:06: FBI says hackers are sending fraudulent police data requests to steal people’s private info 0:19:59: Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops 0:29:46: Long Live Windows 10... With 0patch 0:39:54: Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims 0:42:45: Improving Private Signal Calls: Call Links & More 0:45:23: Air fryers are the latest surveillance threat you didn’t consider...

Device manufacturers are breathing new life into old mundane products by connecting them to the internet, giving us the ability to monitor and control them from anywhere. However, this connection to the cloud works both ways. Not only do device makers now have unprecedented access to our usage and personal information, but they can hobble or limit our use of these devices at their whim. Today I'll speak with IoT expert Stacey Higginbotham who is working with Consumer Reports and other consumer rights groups to bring more transparency to the smart device industry, and hopefully allow us to regain control over the devices we purchase. Interview Notes Stacey Higginbotham: https://www.linkedin.com/in/staceyhigginbotham/  Consumer Reports’ FTC filing on software tethering: https://advocacy.consumerreports.org/press_release/ftc-software-tethering/  Who Ya Gonna Call? https://innovation.consumerreports.org/who-ya-gonna-call/  Spotify Cancels Car Thing: https://innovation.consumerreports.org/how-to-kill-a-smart-device-spotify-car-thing-post-mortem/  When Will Your Smart Appliance Turn Dumb? https://innovation.consumerreports.org/when-will-your-smart-appliance-turn-dumb/  CR’s Permission Slip: https://www.permissionslipcr.com/  CR’s Security Planner: https://securityplanner.consumerreports.org/ My interview with Cory Doctorow on adversarial interoperability: https://podcast.firewallsdontstopdragons.com/2020/02/17/adversarial-interoperability-part-1/  Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:54: Chevron deference 0:01:48: US election impacts 0:03:15: Interview setup 0:03:55: What does it mean for devices to be 'software tethered'? 0:09:23: How might software tethering affect resale of smart devices? 0:13:52: What are the impacts on security and privacy? 0:15:20: How did we agree to these limitations? 0:17:13: 1. Require disclosure of guaranteed minimum support time 0:23:55: 2. Eensure core functionality will work offline or after support ends 0:27:50: What devices might fail to work when offline? 0:30:19: 3. Encourage tools that enable reuse if support ends 0:34:24: 4. Protect adversarial interoperability 0:39:05: What happened to Amazon Dash buttons? 0:40:03: 5. Educate manufacturers on ways to build longevity into designs 0:46:28: Is it easier to get FTC rulings than new regulations? 0:51:29: Does the DMCA still apply to abandoned products? 0:53:13: Should we force companies to escrow software for release if they fail? 0:56:06: What should we be doing as consumers to further this cause? 0:57:39: What's next for your FTC filing? 0:59:55: Interview wrap-up 1:01:28: Patron bonus preview 1:02:19: Looking ahead

Our location is being tracked mercilessly today, in several ways. In the digital age, location data is among the most sensitive information we share, providing a record of our daily lives that can reveal where we live, who we associate with, and our personal routines. For app developers, marketers, and even law enforcement, this data is a goldmine for the ‘app economy’. Today I’ll talk about the most common sources of location data and give you some tips for limiting the tracking. In other news: the FTC files rule that requires canceling be just as easy as subscribing; CFPB takes action against worker surveillance; macOS Sequoia's tightened app security may be annoying to some; it's now legal to hack McFlurry machines to fix them; the EU makes vendors liable for software bugs; city sues Flock saying license plate readers are Unconstitutional; tracking world leaders with a fitness app; smartphone location tracking is out of control. Article Links [theverge.com] The FTC is finally making it easier to cancel your gym membership https://www.theverge.com/2024/10/16/24271649/ftc-click-to-cancel-subscriptions-final-rule [consumerfinance.gov] CFPB Takes Action to Curb Unchecked Worker Surveillance https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-curb-unchecked-worker-surveillance/ [appleinsider.com] What's changed in runtime protection for macOS Sequoia https://appleinsider.com/inside/macos-sequoia/tips/whats-changed-in-runtime-protection-for-macos-sequoia [404media.co] It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them https://www.404media.co/it-is-now-legal-to-hack-mcflurry-machines-and-medical-devices-to-fix-them/ [Risky Business] The EU will make vendors liable for bugs https://news.risky.biz/risky-biz-news-the-eu-will-make-vendors-liable-for-bugs/ [404media.co] Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional https://www.404media.co/lawsuit-argues-warrantless-use-of-flock-surveillance-cameras-is-unconstitutional/ [schneier.com] Tracking World Leaders Using Strava https://www.schneier.com/blog/archives/2024/10/tracking-world-leaders-using-strava.html [arstechnica.com] Location tracking of phones is out of control. Here’s how to fight back. https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-lets-government-agencies-follow-your-every-move/ Tip of the Week: https://firewallsdontstopdragons.com/how-to-curb-location-tracking/  Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:06: News preview 0:04:41: FTC is finally making it easier to cancel your gym membership 0:07:19: CFPB Takes Action to Curb Unchecked Worker Surveillance 0:14:23: What's changed in runtime protection for macOS Sequoia 0:21:57: It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them 0:28:15: The EU will make vendors liable for bugs 0:33:00: Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional 0:41:09: Tracking World Leaders Using Strava 0:42:38: Location tracking of phones is out of control. Here’s how to fight back. 0:49:56: Tip of the Week: Curbing Location Tracking 1:00:57: Looking ahead

The first episode of Firewalls Don't Stop Dragons Podcast aired on March 8, 2017 - almost 8 years ago now. Over that time, I've interviewed over 135 unique and amazing people, covered countless cybersecurity and privacy stories, and offered 100's of tips for protecting your devices and data. To celebrate this momentous occasion, world-renowned cryptography guru Bruce Schneier has returned to for our traditional Podcentennial interview! We discuss several timely topics including the Crowdstrike incident, the pager bombing and supply attacks more generally, US election security, the open market for cyber vulnerabilities, US intelligence agencies' focus on offense versus defense, how AI might actually benefit democracy and much more! Interview Notes Bruce Schneier’s blog:https://www.schneier.com/  Inrupt’s Solid concept: https://www.inrupt.com/solid  Data and Goliath (book): https://www.schneier.com/books/data-and-goliath/  Bruce’s NY Time article on pager bombs: https://www.schneier.com/essays/archives/2024/09/israels-pager-attacks-have-changed-the-world.html  Joseph Cox “Anom” interview: https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/  WaPo detailed analysis of pager bomb attack: https://www.washingtonpost.com/world/2024/10/05/israel-mossad-hezbollah-pagers-nasrallah/  Restoring Trust in Elections: https://podcast.firewallsdontstopdragons.com/2023/12/11/restoring-trust-in-elections/  Hacking election systems w/ Harri Hursti: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/  Hacker Halted conference info: https://hackerhalted.com/agenda/#day-two-october-31st  Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:53: Interview setup 0:06:21: What should we have learned from the Crowdstrike incident? 0:11:21: Why is it more profitable for products to be brittle? 0:13:59: Do regulations stifle innovation? 0:15:27: Should intelligence agencies focus more on cyber offense or defense? 0:22:29: Should it be legal to buy and sell zero-days on the open market? 0:26:44: How secure are our election systems today? How do we get people to trust the outcomes? 0:35:41: What's your take on the arrest of Telegram's CEO? 0:39:18: How do we convince lawmakers not to subvert encrypted communications? 0:43:48: How did the exploding pager attack change our views of supply chain security? 0:49:26: In what ways might AI actually benefit our democracy? 0:58:03: Should there be any guardrails on AI systems? 1:01:17: What's next for you? What's the latest on the Solid project? 1:03:49: Interview wrap-up 1:07:51: More info for new listeners 1:13:38: Meet me at Hacker Halted Conference! 1:14:14: Looking ahead

Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere - either directly or integrated with other popular apps. This technology is real and it's here to stay, so it's important that we understand what it is, how it works, and what the limitations are. Today I'll explore some aspects of LLMs that you probably weren't aware of. In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; China attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn't share personal information with AI chatbots. Article Links [The Hacker News] Mozilla Warns of Active Exploitation in Firefox, Urges Users to Update Immediately https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html [therecord.media] National Public Data files for bankruptcy, citing fallout from cyberattack https://therecord.media/national-public-data-bankruptcy-cyberattack [techcrunch.com] Hackers were targeting Android users with Qualcomm zero-day https://techcrunch.com/2024/10/09/hackers-were-targeting-android-users-with-qualcomm-zero-day/ [pluralistic.net] China hacked Verizon, AT&T and Lumen using the FBI’s backdoor https://pluralistic.net/2024/10/07/foreseeable-outcomes/ [appleinsider.com] Future Passkeys will be able to be shared across platforms & password vaults https://appleinsider.com/articles/24/10/15/future-passkeys-will-be-able-to-be-shared-across-platforms-password-vaults [9to5mac.com] PSA: Here’s another reason not to include personal details in AI chats https://9to5mac.com/2024/10/17/psa-heres-another-reason-not-to-include-personal-details-in-ai-chats/ Tip of the Week: Understanding AI Chatbots Further Info Help me reach more people! https://fdsd.me/awareness2 Privacy Not Included chatbot privacy guide: https://foundation.mozilla.org/en/privacynotincluded/articles/how-to-protect-your-privacy-from-chatgpt-and-other-ai-chatbots/ Gandalf AI game: https://gandalf.lakera.ai/baseline  Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:01: Google finally killing uBlock Origin 0:04:07: News preview 0:05:54: Mozilla Warns of Active Exploitation in Firefox 0:08:55: National Public Data files for bankruptcy 0:14:42: Hackers were targeting Android users with Qualcomm zero-day 0:19:14: China hacked Verizon, AT&T and Lumen using the FBI’s backdoor 0:26:10: Future Passkeys will be able to be shared across platforms & password vaults 0:31:08: Here’s another reason not to include personal details in AI chats 0:37:40: Tip of the Week: Understanding Chatbots 0:55:55: Wrapping up 0:56:35: Celebrating 400 episodes!

L0pht Heavy Industries (pronounced "loft") was one of the most influential hacker groups in history. Unlike many others, L0pht carefully cultivated a relationship with mass media, sold profitable products, started businesses, and even testified before the US Senate. Cris Thomas, aka Space Rogue, was one of the earliest members of the L0pht and he recently published a book chronicling the groups long and storied history called Space Rogue: How the Hackers Known As L0pht Changed the World. Today I sit down with Cris to discuss that history and the impacts that the L0pht and other hacker groups have had on all of us. Interview Notes Space Rogue’s website: https://www.spacerogue.net/ L0pht homepage: https://l0pht.com/  L0phtCrack: https://www.l0phtcrack.com/  Textfiles.com: http://textfiles.com/  L0phy testimony: https://www.youtube.com/watch?v=VVJldn_MmMY  Charlie Rose “Hackers” interview: https://www.youtube.com/watch?v=zbTkOuPv2fo  PicoCTF: https://www.picoctf.org/  Hack the Box: https://help.hackthebox.com/en/articles/5200851-introduction-to-ctfs  Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:23: Episode 400 coming soon! 0:01:16: Interview setup 0:03:49: Tell us about your book 0:04:52: What is your origin story? How'd you get into hacking? 0:08:15: How often did you meet your fellow hackers in person? 0:10:49: How did the L0pht get started? 0:15:39: What was the reaction when you "come out" as a hacker to friends and family? 0:20:02: How much did different hacker groups interact back in the day? 0:23:19: L0pht cultivated a relationship with the media - how did that affect the dynamic? 0:28:19: What's the history behind the infamous L0phtCrack password tool? 0:35:36: What was it like testifying in front of the US Senate? 0:38:32: How did you get away with testifying under your hacker names? 0:45:29: How did Hacker News Network come to be? 0:52:06: How did we avoid a hacker cyber war against China in the late 90s? 0:57:15: Which of L0pht's many achievements are you most proud of? 0:59:40: What advice would you give to someone wanting to get into cybersecurity? 1:05:39: What's next for you? 1:06:23: Patron bonus content preview 1:06:52: Post-interview notes 1:08:36: Looking ahead

Sometimes it’s obvious when your accounts are hacked. Maybe your money is gone. Maybe you can no longer log in using the password you know is correct. Maybe everyone you know has gotten a scam email from you that you didn’t send. But sometimes bad guys aren’t so obvious. They may lurk around in your accounts to gather information for identity theft or in hopes of gaining access to other more lucrative accounts. I'll tell you how to find out. In other news: CA governor vetoes opt-out signal bill but signs car privacy bill; 23andMe is in trouble and your data may be, too; PayPal opted you into data sharing without asking; Kaspersky deletes itself and installs UltraAV without asking; 100 million Americans had background data leaked; researchers add facial recognition tech to Meta's smart glasses; NIST updates password rules to with common sense changes; US & Microsoft seize 100+ web domains used by Russian hackers. Article Links [Ars Technica] Calif. Governor vetoes bill requiring opt-out signals for sale of user data https://arstechnica.com/tech-policy/2024/09/calif-gov-vetoes-attempt-to-require-new-privacy-option-in-browsers-and-oses/  [Teach Privacy] Bankruptcy Sale of DNA Data: From Toysmart to 23andMe https://teachprivacy.com/bankruptcy-sale-of-dna-data-from-toysmart-to-23andme/  [404 Media] Paypal Opted You Into Sharing Data Without Your Knowledge https://www.404media.co/paypal-personalized-shopping-opt-out/  [Bleeping Computer] Kaspersky deletes itself, installs UltraAV antivirus without warning https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/  [Tom’s Guide] 100 million Americans just had their background check data exposed https://www.tomsguide.com/computing/online-security/100-million-americans-just-had-their-background-check-data-exposed-online-how-to-stay-safe  [404 Media] Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/  [Ars Technica] NIST proposes barring some of the most nonsensical password rules https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/  [The Record] California passes car data privacy law to protect domestic abuse survivors https://therecord.media/california-car-data-privacy-law-domestic-abuse-tracking  [Semafor] US, Microsoft seize more than 100 websites used by Russian hackers https://www.semafor.com/article/10/03/2024/us-microsoft-seize-more-than-100-websites-used-by-russian-hackers  Tip of the Week: Indicators of Account Compromise: https://firewallsdontstopdragons.com/indicators-of-account-compromise/  Further Info Help me reach more people! https://fdsd.me/awareness2 Treasure Chest promotion: https://firewallsdontstopdragons.com/treasure-coin-promo/  How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/  My article on removing your data from the web: https://firewallsdontstopdragons.com/osint-remediation/  CISA Cybersecurity Awareness Month resources: https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit  Stay Safe Online CAM site: https://staysafeonline.org/programs/cybersecurity-awareness-month/  Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents

Two security researchers showed how many modern VPN services are vulnerable to malicious misconfiguration, exposing some or all of your internet traffic. While this is not likely to impact most of us, it does expose the limitations of Virtual Private Networks and why they are not silver bullets for security of privacy - despite many marketing claims to the contrary. Today we'll discuss how TunnelVision works, how it can be mitigated, and how this affects different privacy threat models with the two researchers from Leviathan Security, Dani Cronce and Lizzie Moratti. Interview Notes Lizzie Moratti: https://www.linkedin.com/in/lmoratti/  Dani Cronce: https://www.linkedin.com/in/danicronce/  TunnelVision: https://www.tunnelvisionbug.com/  ProtonVPN threat model: https://protonvpn.com/blog/threat-model  Dani’s GitHub: https://github.com/superit23  Leviathan Security blog: https://www.leviathansecurity.com/blog  Veilid: https://veilid.com/  Willy Wonka scene: https://www.youtube.com/watch?v=pvS3j8VtanM  Linux network namespaces: https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/  What is DeFi? https://www.investopedia.com/decentralized-finance-defi-5113835  Further Info Help me brainstorm ways to reach more people!: https://fdsd.me/awareness2  Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:23: Reminder: brainstorming survey 0:01:47: Podcast chapter markers! 0:02:54: Interview setup 0:05:55: What is a VPN and what isits intended purpose? 0:10:27: If most connections are secured today, why do we need a VPN? 0:12:40: Why do we trust a VPN provider more than our internet access provider? 0:17:40: What are you trying to do with a VPN? 0:19:13: Who can see my internet traffic? 0:25:30: What is TunnelVision and what are the implications for VPN users? 0:29:42: What's a less technical way to understand TunnelVision? 0:33:06: Why might I not want all my traffic to go through the VPN? 0:35:02: How dangerous is TunnelVision for the average person? 0:42:30: How did the VPN companies respond? 0:51:19: What VPN features can mitigate the risk? 0:57:42: Have any VPN makers fixed this problem? Do OS vendors have responsibility here? 1:02:11: Do you have recommendations for VPNs? Is there new tech that might help here? 1:04:00: Would privacy regulations help here? 1:06:24: What are you working on next? 1:08:51: Interview wrap-up 1:13:31: Looking ahead

We often think of malware as a problem for our computers and perhaps our smartphones. But bad guys love to hack our home routers and IoT devices, as well. Thankfully, purging malware from those types of devices can usually be done just by rebooting them. (There's a reason tech support always asks you to try turning your device off and back on again.) I'll explain why this works and what you should do to protect your connected devices. In other news: I explain why most people are not in danger of their devices blowing up; a new Windows phishing campaign uses fake CAPTCHAs and PowerShell; LinkedIn started training their AI on your data before telling you how to opt out; Oracle's CEO touts his vision of ubiquitous AI surveillance; Ford seeks a patent to show you ads in your vehicle based on your conversations and other private data; Meta admits to scraping public Instagram and Facebook posts to train its AI; four great new iOS 18 privacy and security features; Apple Intelligence servers are very basic, for a reason; and the FBI shuts down a massive Chinese botnet. Article Links [WIRED] Your Phone Won’t Be the Next Exploding Pager https://www.wired.com/story/exploding-pagers-hezbollah-phones/ [briankrebs] This Windows PowerShell Phish Has Scary Potential https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary-potential/ [404media.co] LinkedIn Is Training AI on User Data Before Updating Its Terms of Service https://www.404media.co/linkedin-is-training-ai-on-user-data-before-updating-its-terms-of-service/ [theregister.com] Ellison declares Oracle 'all in' on AI mass surveillance https://www.theregister.com/2024/09/16/oracle_ai_mass_surveillance_cloud/ [therecord.media] Ford seeks patent for tech that listens to driver conversations to serve ads https://therecord.media/ford-patent-application-in-vehicle-listening-advertising [9to5Mac] Meta scraped all public Facebook and Instagram posts since 2007 for AI training https://9to5mac.com/2024/09/11/meta-scraped-all-public-facebook-and-instagram-posts-since-2007-for-ai-training/ [TechRadar] I'm a privacy expert—here are the 4 iOS 18 features I'm excited about https://www.techradar.com/phones/im-a-privacy-experthere-are-the-4-ios-18-features-im-excited-about [9to5Mac] Apple Intelligence servers are really basic, says Craig Federighi – and that’s deliberate https://9to5mac.com/2024/09/12/apple-intelligence-servers-are-really-basic-says-craig-federighi-and-thats-deliberate/ [Gizmodo] FBI Shuts Down Botnet Run by Beijing-Backed Hackers That Hijacked Over 200,000 Devices https://gizmodo.com/fbi-shuts-down-botnet-run-by-beijing-backed-hackers-that-hijacked-over-200000-devices-2000500627 Tip of the Week: Malware Reboot Remedy Further Info Awareness Campaign Phase 2!: https://fdsd.me/awareness2  LinkedIn privacy settings: https://www.linkedin.com/mypreferences/d/categories/privacy  Test your ad blocker(s): https://d3ward.github.io/toolz/adblock.html  Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Update Apple devices 0:01:36: Awareness Campaign teaser 0:02:04: News rundown 0:04:08: Your Phone Won’t Be the Next Exploding Pager 0:08:00: This Windows PowerShell Phish Has Scary Potential 0:12:34: LinkedIn Trains AI on Your Data Before Updating Its ToS 0:16:41: Ellison declares Oracle 'all in' on AI mass surveillance 0:20:15: Ford seeks patent for tech that listens to ...

You may be vaguely aware of the term 'quantum computing' from media reports. But what you may not have picked up on is that one of the primary uses for quantum computers may be to break data encryption. Furthermore, you may not realize that if three-letter agencies can save off our encrypted emails and messages now, this could mean they could read them in the future when sufficiently powerful quantum computing becomes viable. How does this work? And what can we do about it now to protect our privacy in the future? We'll dig into all of this today with Brandon Sundh from Tuta (formerly Tutanota), a prominent secure email company, who is already deploying such protections. Interview Notes Try Tuta! https://tuta.com/  Tuta’s quantum-safe crypto: https://tuta.com/blog/post-quantum-cryptography  Quantum mechanics: https://en.wikipedia.org/wiki/Quantum_mechanics  Schrödinger's cat:  https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat  NIST post-quantum standards: https://csrc.nist.gov/projects/post-quantum-cryptography  NSA pays RSA to weaken encryption?: https://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220/  Longer passwords are better: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/  Privacy Guides on Proton Wallet: https://www.privacyguides.org/articles/2024/09/08/proton-wallet-review/#why-does-this-exist  Further Info Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:50: Some terminology first 0:07:33: What is quantum computing and what's it good for? 0:16:25: What are the currrent capabilities of quantum computers? 0:22:02: How long have we been working on quantum computers? 0:25:01: If QC is still so far off, why do we need to prepare now? 0:30:53: How do we design encryption to make it safe against quantum computers? 0:36:10: How can we be sure that the NSA isn't buillding backdoors into these algorithms? 0:41:11: Will post-quantum algorithms replace current ones or augment them? 0:45:51: How soon will quantum-safe crypto be roled out? 0:52:42: Who will be able to own and operate these quantum computers? 0:54:45: Are law enforcement agencies pushing back against quantum-safe crypto? 1:00:34: Who is more likely to win: coder makers or code breakers? 1:04:24: Wrap-up 1:05:55: Looking ahead