Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 380:42:40

Information:

Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • Best & Worst Gifts for 2025!

    24/11/2025 Duration: 01h29min

    Holiday shopping season is here! And that must mean that it’s time again for my annual Best & Worst Gift Guide! But this time I’ve recruited some top minds from Consumer Reports to lend their expertise and enlighten us with their tech gift-giving strategies! Yael Grauer, Stacey Higginbotham and Jeff Landale join me for a round table discussion of how to give tech gifts that won’t ruin the security and privacy of your recipients! Interview Notes $10 off Consumer Reports!! https://www.consumerreports.org/fdsd/  Consumer Reports: https://www.consumerreports.org/  Cyber Readiness Report: https://innovation.consumerreports.org/new-report-2025-consumer-cyber-readiness/  Security Planner: https://securityplanner.consumerreports.org/  Vulnerability Disclosure Programs: https://innovation.consumerreports.org/who-ya-gonna-call/  Give Dragon Coupons! https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/  Library Freedom Project: https://libraryfreedom.org/  Yael on spyware an

  • Erasing Your Online Data

    17/11/2025 Duration: 01h18min

    Data brokers are amassing tons of our personal information, often from public sources. You can try to find all of these brokers and request your data be deleted, but it's a lot easier to deputize a trustworthy and affordable service to do all that work for you - and to do so on a regular basis. I'll give you my easy button solution for this. Also in the news: Meta will use your AI sessions to target ads; Google is rolling out agentic AI shopping tools; OpenTable is gathering and sharing your dining habits; Amazon sues Perplexity over their agentic shopping tool; first ever reported AI-orchestrated hacking campaign; EU Commission looks to gut privacy laws; lawmakers want to ban all VPN use; US Senator uses opponents' car VIN info against them; and new health privacy bill seeks to protect data in apps, smart watches. Article Links Meta won’t allow users to opt out of targeted ads based on AI chats https://arstechnica.com/tech-policy/2025/10/meta-wont-allow-users-to-opt-out-of-targeted-ads-based-on-ai-

  • Becoming Cyber Resilient

    10/11/2025 Duration: 01h49min

    In the US alone, there are tens of thousands of small organizations that are responsible for critical infrastructure and vital community services. Most of them don't have an IT department let alone a cyber security expert on staff. And yet these organizations are being attacked by cyber criminal gangs with ransomware and are also being targeted by foreign adversaries who would like the ability to disrupt our very civilization. While the US federal cyber agencies have not properly responded to these threats, a handful of volunteer organizations have emerged, organized under the Cyber Resilience Corps, to address these needs. Today I'll speak with Michael Razeeq, Grace Menna, Adrien Ogee and Eric Franco about their much-needed efforts. Interview Notes Cyber Resilience Corps: https://cltc.berkeley.edu/program/cyber-resilience-corps/  Volunteer! https://cybervolunteers.us  Cyber Security Clinics: https://cybersecurityclinics.org/  The Ransomware Hunting Team: https://en.wikipedia.org/wiki/The_Rans

  • Removing Old Accounts

    03/11/2025 Duration: 01h02min

    Today we'll wrap up my series of tips for enumerating all your old online accounts and deciding whether to delete them or just dumb down the personal data they have on you. There are several things to consider - we'll go through them all! In other news: a study ranks the most private AI chatbots; LinkedIn is set to use your personal data to train their AI; ChatGPT has released an AI browser; new phishing scam for password manager creds; Gmail did not leak 183M passwords; man discovers his robot vacuum sharing lots of personal data; more info on Cellebrite's mobile hacking abilities; Flock expanded its surveillance with Ring and drones; and group finds that half of our satellite communications are not encrypted. Article Links Which Generative AI Is Most Privacy-Respecting? https://www.obscureiq.com/which-generative-ai-is-most-privacy-respecting/ LinkedIn will use your data to train AI – how to opt out https://proton.me/blog/linkedin-ai-training Chatgpt Atlas Browser https://www.washingtonpost.c

  • Privacy-Focused AI

    27/10/2025 Duration: 01h36min

    AI chatbots like ChatGPT have made quite a splash. Companies are tripping all over themselves in a rush to add "AI" to everything, heedless of the security risks. But perhaps more insidious are the privacy risks. Most AI processing is done in the cloud, meaning that your queries and chats are subject to inspection, sharing, storing and monetizing. These AI systems are incredibly expensive to train and operate. And AI companies are desperate to feed them every scrap of data they can find. It's a recipe for privacy disaster. But there are ways to make it more private and today we'll discuss these approaches with Proton's head of AI, Eamonn Maguire. Interview Notes Lumo privacy and security model: https://proton.me/blog/lumo-security-model  AI privacy concerns: https://proton.me/blog/ai-privacy-concerns  How to build a private AI: https://proton.me/blog/how-to-build-privacy-first-ai  LaTeX: https://en.wikipedia.org/wiki/LaTeX  Further Info My book: https://fdsd.me/book  My newsletter:

  • Securing Old Accounts

    20/10/2025 Duration: 01h04min

    Now that we've tracked down all our old online accounts, it's time to make them more secure and review the data they contain. We should download a copy of that data for safe keeping before we ultimately delete or suspend the accounts. We'll discuss this next step in our journey of reducing our online data footprint - our Data Diet. In the news: Windows 10 support has officially ended; seniors targeted with malware from Facebook groups; Tile trackers can also track you; massive Salesforce data leaked after refusing to pay ransom; dangerous Discord breach; Apple, Google to reluctantly comply with new Texas age law; California enacts age-verification law; EU Chat Control defeated; California makes GPC universally available; largest CCPA fine to date levied against TSC. Article Links Windows 10 support “ends” today, but it’s just the first of many deaths https://arstechnica.com/gadgets/2025/10/windows-10-support-ends-today-but-its-just-the-first-of-many-deaths/ Seniors targeted in global Facebook sca

  • Project Franklin Wants You

    13/10/2025 Duration: 49min

    Our critical infrastructure is vulnerable and under attack by nation state actors, either for profit or perhaps even to establish a beachhead for future cyber conflict. During the pandemic, many of our core systems were automated and connected to the internet for remote administration, but this just created a larger attack surface. The federal government hasn't done nearly enough to protect these systems. Groups like DEF CON Franklin are working to find cyber volunteers to bring our national critical utilities above the 'cyber poverty line'. Today we'll explore the problems and solutions with Franklin co-founder Jake Braun, including what we can all do to help. Interview Notes DEF CON Franklin: https://defconfranklin.com/  For more info or help, email “defconfranklin” at gmail.com. Volt Typhoon: https://en.wikipedia.org/wiki/Volt_Typhoon  Initial Franklin trials: https://harris.uchicago.edu/news-events/news/first-water-utilities-take-volunteer-cyber-help  Franklin Almanac: https://defconfra

  • Tech Time Bombs

    06/10/2025 Duration: 01h08min

    There are literally billions of devices connected to the internet today - many of them cheap, insecure IoT devices... smart thermostats, doorbell cameras, webcams, cheap WiFi routers and other smart appliances. As we like to say, the "S" in "IoT" is for security. And when insecure devices are no longer supported, the security bugs will never be fixed. We'll discuss the implications of this growing problem and potential solutions with a passionate right-to-repair advocate and the founder of the Secure Resilient Future Foundation, Paul Roberts. Interview Notes Secure Resilient Future Foundation: https://secure-resilient.org/  The Security Ledger: https://securityledger.com/  Tech Timebombs: https://www.youtube.com/watch?v=koZERADCyug  Secure Repairs: https://securepairs.org/  Paul’s Congressional testimony: https://judiciary.house.gov/committee-activity/hearings/there-right-repair   FULU Foundation: https://fulu.org/  US PIRG: https://pirg.org/  Institute for Security and Technology:

  • Ente: Private by Design

    29/09/2025 Duration: 01h02min

    It's rare these days to find a well-designed and useful application that was made to be private from the get-go. Too many apps today view your personal data as a cash cow to be mercilessly milked, claiming to value your privacy when they really value the extra revenue they can make off of your private data. When I find useful apps that are private by design, especially ones that can replace more popular apps that harvest our data, I like to call attention to them: in this case, Ente Photos. Today I'll ask the founder and CEO why privacy is important to him and how it influenced his design approach. Interview Notes Ente Photo: https://ente.io/ Ente Auth: https://ente.io/auth/  Ente’s Machine Learning: https://ente.io/ml/  Ken Thompson’s lecture on trust: https://dl.acm.org/doi/10.1145/358198.358210  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  Give the gift of privacy and security: https://fd

  • Find Old Accounts (Part 2)

    22/09/2025 Duration: 01h05min

    In our quest to clean up and secure our data, today I will give you several clever and useful techniques for uncovering old, forgotten online accounts. We'll scrape the bottom of the barrel to complete our list of accounts so that we can upgrade their security, see what data they have, and remove anything we no longer want floating around out there, waiting to be stolen or abused. In the news: Chat Control is up for a vote in the EU (time to contact your MEPs); Samsung to show ads on their smart refrigerators; new automated sextortion spyware; a third of UK firms spying on employees; airlines sell 5B flight records for warrantless searching; ICE signs $3M contract for phone hacking tool; ChatGPT to guess your age or require ID; Swiss government looks to enable mass surveillance; Google Pixel 10 adds C2PA support; Apple iPhone 17 includes killer hardware security feature. Article Links Chat Control: Can the EU Parliament save our encrypted chats? https://www.techradar.com/vpn/vpn-privacy-security/ch

  • On the Ethics of AI

    15/09/2025 Duration: 01h08min

    Artificial Intelligence (AI) is the Big Tech buzzword of the day. Every company who wants investment (public or private) is scrambling to have an "AI story", adding chatbots and 'agentic' features in their products wherever possible. The AI companies themselves are constantly expanding their models, ingesting as much data (including highly personal information) as possible. In this AI gold rush, companies are making flawed and often harmful products. Companies are firing workers and trying to replace them with AI bots. And it's forcing us all to question what's real, what has actual value, and what the impacts could and should be on society as a whole. Discussing deep questions like this is the purview of philosophers - and today I'll be welcoming back someone uniquely and supremely qualified to address them, Carissa Véliz. Interview Notes Carissa Véliz: https://www.carissaveliz.com/  Privacy is Power: https://www.carissaveliz.com/books  Carissa’s research: https://www.carissaveliz.com/research 

  • Find Old Accounts (Part 1)

    08/09/2025 Duration: 01h03min

    The next step in reducing our digital footprint is to identify all of our online accounts, including the long forgotten and unused ones. The easiest place to start is by using the tool we should already have: our password manager. By its very nature, it contains a list of all our accounts. You may have used your browser to remember your passwords, or you may have some other method... but it's time to move to a real password manager. In other news: update your Android devices ASAP; Android malware spreading via Facebook ads; Google to make it harder to sideload Android apps; dashcam company cloud storage hacked; Anthropic to train model based on your chats; OpenAI sharing some GPT chats with law enforcement; ChatGPT getting parental controls after teen suicide; Microsoft Word will auto-save to OneDrive; Chrome VPN extension caught taking screenshots of sites you visit; US tells BigTech not to comply with DSA; and Flock pauses work with federal agencies. Article Links This Android Malware Is Spreading

  • Meet Rayhunter

    01/09/2025 Duration: 01h06min

    We take our cell phones with us everywhere - which makes them the perfect tracking device. Just walking around with your device will give your location away in multiple ways. But even if you had no apps on your phone, the cellular chips in our devices will constantly be interacting with every cell tower that's in range, negotiating the best tower to talk to, whether to use 5G or something else, and authenticating to the network - even in Airplane Mode. Cell site simulators (aka Stingrays or IMSI catchers) can be used to trick your phone into giving away your location. The Electronic Frontier Foundation (EFF) has developed a cheap, easy-to-set-up device that can try to discover and report these devices. Today I interview an expert panel about the clever Rayhunter project: Cooper Quintin, The Gibson, and OopsBagel. Interview Notes Rayhunter announcement: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying  EFF’s Rayhunter project: https://efforg.github.io/

  • Going on a Data Diet

    25/08/2025 Duration: 01h05min

    The world wide web, as we know it today, has been around for over 30 years. In that time, most of us have created many dozens, perhaps hundreds, of online accounts. How many of those accounts are still alive somewhere? What data do they hold? And how good are the passwords you used? Today we're going to start on the path to finding all those accounts which could drastically improve our privacy and security. In the news: millions of Dell laptops have critical security flaws you need to patch now; Facebook may be secretly scanning your phone's images; National Public Data is back and you should delete your data; data brokers are flouting privacy laws; Ioniq 5 owners in the UK will have to pay for a security fix; Flipper Zero devices are being (wrongly) blamed for auto thefts; the US Supreme Court allows Mississippi social media law to go into effect; data brokers are hiding their opt-out pages; app TeaOnHer exposed users' data; UK backs down from Apple backdoor demand; and now is the time for EU residents to

  • I’m Just a (Privacy) Bill

    18/08/2025 Duration: 01h11min

    Why don't we have meaningful privacy laws in the US? While we haven't been able to pass federal privacy legislation, many states have managed to pass laws protecting our data and establishing some basic privacy rights. Vermont House Representative Monique Priestley led a Herculean effort to pass privacy legislation in her state last year. While managing to get a solid bill through the House and Senate, the bill was ultimately vetoed by the governor and the Senate failed to override it. But along the way, Monique learned valuable lessons about dealing with Big Tech lobbyists. Today we'll follow the journey of the Vermont Data Privacy Act of 2024 and what lessons we should learn for future attempts at privacy legislation. Interview Notes Monique Priestley: https://mepriestley.com/  Vermont State Representative site: https://priestleyvt.com/  Vermont Committee Zoom call: https://www.youtube.com/watch?v=RfvAteuwRCA  Age Appropriate Design Code: https://epic.org/epic-applauds-passage-of-vermont-age

  • Hacker Summer Camp 2025

    11/08/2025 Duration: 58min

    It's early August, which means it's time for BSides Las Vegas and DEF CON, part of the trio of conferences that make up "hacker summer camp" (the other being Black Hat, which I don't attend). It's been a crazy, chaotic week - as usual - but in almost completely good ways. After the regular news, I've got some mini interviews with Jake Braun (DEF CON Franklin), Stacey Higginbotham (Consumer Reports), Cooper Quintin (EFF) and The Gibson (Veilid and hackers.town). In other news: Tea app users file a class action lawsuit over massive breach; ChatGPT sessions may be searchable by anyone; US government launches initiative to centralize health data for use by tech companies; Australia rolls out age verification for search engines; Grok AI is now in Teslas; China-backed hackers exploit horrific Microsoft bug; Dropbox ends its password manager service. Article Links Tea User Files Class Action After Women’s Safety App Exposes Data https://www.404media.co/tea-user-files-class-action-after-womens-safety-app-exp

  • Tariffs vs IP Law

    04/08/2025 Duration: 01h02min

    Cory Doctorow has garnered a lot of needed attention to the decline of modern online platforms, including Google Search, Facebook and Twitter. Much of this is a result of coining the now-viral term Enshittification. Today we'll talk about how the internet was broken and who's to blame. We'll also discuss the lack of privacy laws and the threats of AI to tech workers and copyrighted works. Finally, we'll discuss Cory's novel proposal for how countries could respond to US tariffs by ripping up intellectual property agreements, changing the power dynamic of the Big Tech industry and hopefully benefiting consumers in the process. Interview Notes Cory’s blog (Pluralistic): https://pluralistic.net/  Canada shouldn't retaliate with US tariffs: https://pluralistic.net/2025/01/15/beauty-eh/#its-the-only-war-the-yankees-lost-except-for-vietnam-and-also-the-alamo-and-the-bay-of-ham  Who Broke the Internet? https://www.cbc.ca/listen/cbc-podcasts/1353-the-naked-emperor  Enshittification book (coming Oct 20

  • Physical Phone Security

    28/07/2025 Duration: 01h18min

    We take our phones with us everywhere. And they contain, or have cloud access to, pretty much all of our personal information and online accounts. While phone makers have made it difficult for thieves to resell a stolen phone, anyone with physical access to your device may be able to extract its data or access all your accounts. Thankfully, Apple (iOS) and Google (Android) have recently introduced several features that can significantly increase your device's physical security and privacy. We'll discuss some of them today. In the news: VPN signups in UK spike after age verification law kicks in; Tea app data breach includes IDs; Amazon buys Bee AI wearable; your power meter is a surveillance tool; Amazon's Ring returns to sharing video with police; startup sells hacked data to debt collectors; Gemini AI on Android to get third party app access; Brave blocks Windows Recall; UK backs down on Apple back door; Apple to make passkeys portable; two new AI chatbots that are truly open and private. Article Link

  • Passport, Lawyer, Locksmith

    21/07/2025 Duration: 01h09min

    We talk a lot about digital or online security. Today we're going to focus on physical security and the general ethos of "be prepared". There are many situations in life when you will find yourself wishing you had had the foresight to acquire certain things or establish certain professional relationships before you actually needed them. Deviant Ollam is a physical penetration specialist. His job is to find and fix weaknesses in physical things... buildings, locks, safes, etc. And along the way he has learned some important lessons for all of us. Today he will share his wisdom with us. Interview Notes Deviant’s website: https://deviating.net/  Lawyer, Passport, Locksmith, Gun talk: https://www.youtube.com/watch?v=6ihrGNGesfI  Attacking Classified Safes & Vaults: https://www.youtube.com/watch?v=-Z_Jv7vuiqg  Red Team Alliance: https://shop.redteamalliance.com/  Red Team Tools: https://www.redteamtools.com/  CackalackyCon: https://www.cackalackycon.org/  Shut the F**k Up PSA: https://www.y

  • Freezing Your Mobile Account

    14/07/2025 Duration: 01h04min

    Your cell phone number uniquely identifies you. Many companies rely on this 1-to-1 relationship to authenticate you to their systems. So if someone were to somehow manage to steal your mobile phone number - a hack called SIM swapping - they could use that to impersonate you and compromise any of your accounts that are validated via SMS or phone call. There's a new tool to combat this scam that's better than the old-style account PIN codes. I'll explain how it works. In the news: many Brother printers have serious cyber vulnerabilities; Belkin is abandoning Wemo smart devices next January; Xfinity's WiFi routers can detect motion in your entire home; Bluesky is rolling out age verification in the UK; California is using drones to catch the use of illegal fireworks; McDonald's AI hiring bot was hacked to expose millions of applicants' data; Mexican drug cartel hacked FBI phone to catch informants; US strikes blow against North Korean fake worker scams; Denmark is looking to ditch Microsoft products. Artic
