Firewalls Don't Stop Dragons Podcast
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 380:42:40
Information:
Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
- Defending Student Privacy
07/07/2025 Duration: 01h09min
Privacy risks are bad enough for adults - but it's much worse for our kids, particularly as students. Who provides notice and obtains consent for minors at school? In many cases it's not the parents, let alone the students - it's the school system. Not only are they opting the students into invasive data collection by profit-driven third parties, but they often also bind them to mandatory arbitration clauses, neutering their ability to seek legal redress for the inevitable violations. Today I'll discuss this horrid state of affairs with someone who is on the front lines of this battle for our children's right to privacy: co-founder of the EdTech Law Center, Andy Liddell.
Interview Notes EdTech Law Center: https://edtech.law/about-us/ EdTech current cases: https://edtech.law/cases/ Internet Safety Labs: https://internetsafetylabs.org/ The Right to Oblivion (book): https://www.hup.harvard.edu/books/9780674260528 ACLU, Digital Dystopia: https://www.aclu.org/publications/digital-dystopia-th
- The In-App Switcheroo
30/06/2025 Duration: 01h12min
Do you realize that you're not always using your chosen mobile web browser or your network privacy features? Many mobile apps have their own in-app browser that can gather your data and even inject ads and trackers into any web links you click. I'll explain how this works and what you can do about it. In the news: 23andMe bankruptcy ombudsman argues for user consent to data; Meta AI app privacy nightmare; Amazon, Roku sharing users for ads; WhatsApp launches in-app ads; healthcare sites are sharing your data; ICE seeks powerful new surveillance tool; Austrian government wants your encrypted data; new US visa rules require social media posts; Scattered Spider targeting insurance info; VT governor signs child data privacy law; Flock blocks access to some US states; Microsoft offers 1-year security updates for Win10 users; new Android 16 security features; Denmark's answer to deepfakes; cleaner Google search results; ChatGPT user info reports.
Article Links [therecord.media] 23andMe privacy ombudsman r
- ShmooCon: Moose You Already
23/06/2025 Duration: 01h11min
On January 12th, 2025, the ShmooCon hacker conference held its 20th and final gathering. I was lucky enough to be able to not only attend the final show but also to interview the founders, Heidi and Bruce Potter. We talk about how it all got started, what made this hacker con so special and beloved, and hear some hilarious stories from the past twenty years of hacker shenanigans in Washington D.C.
Interview Notes ShmooCon: https://www.shmoocon.org/ ShmooCon 2025 sessions: https://www.youtube.com/playlist?list=PLnKSfJ5rXw95HSPVl5L7dqhKpVAx3q_j0 Turngate: https://www.turngate.io/ HOPE conference: https://www.hope.net/ BSides: https://bsides.org/ Cackalackycon: https://cackalackycon.org/ Thotcon: https://www.thotcon.org/ SummerCon: https://www.summercon.org/ PancakesCon: https://pancakescon.com/
Further Info My book: https://fdsd.me/book My newsletter: https://fdsd.me/newsletter Support the mission: https://fdsd.me/support Give the gift of privacy and
- Rogue AI?
16/06/2025 Duration: 01h35s
Artificial Intelligence is taking over. But I don't mean that in a Skynet kinda way. It's simply becoming ubiquitous because companies are insisting on inserting the technology into all their products, even if it's not useful - or not even safe. Unfortunately, the breathless reporting on dangers of AI is also getting way out of hand, including stories of AI systems 'blackmailing' their designers. Today I'll try to bring us back to reality a bit. Also in the news: Billions of session login cookies up for grabs; Meta and Yandex cheat in order to track you around the web; Qualcomm fixes three zero-day bugs being actively exploited; Apple releases transparency report on push notification data requests; LAPD using Waymo for gathering video evidence; another massive AT&T user data leak includes SSNs; AI system appears to try to blackmail its owner; judge grants preliminary injunction on DOGE data grab; and we'll check in on your 2025 New Year's Resolutions!
Article Links [theregister.com] Billions of cook
- Dialog with the Data Diva
09/06/2025 Duration: 01h02min
Debbie Reynolds (aka, The Data Diva) has been working in the privacy realm for many years, as a privacy consultant, speaker, advisor and podcaster. She and I have been running in the same circles on LinkedIn for a while now, and we finally decided it was time to be a guest on each other's shows. Today Debbie and I will discuss the dangers of privacy in the realm of IoT devices (including her contributions on the US Department of Commerce's IoT Advisory Board), vehicles, and AI. I'll ask about her experiences advising corporations on privacy issues with emerging technologies and how she advocates for less data gathering and more transparency.
Interview Notes Debbie Reynolds consulting: https://www.debbiereynoldsconsulting.com/ Data Diva podcast: https://www.debbiereynoldsconsulting.com/podcast My interview on Debbie’s podcast: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker The Right to Privacy book (1995): https://www.amazon.com/Right-Privacy-Caroline-Kennedy/dp/067941986
- Life in the Panopticon
02/06/2025 Duration: 01h26min
Tracking our faces and whereabouts is getting out of control. It's a mass surveillance infrastructure that keeps growing in Borg-like fashion. Facial recognition and license plate readers are proliferating at a stupefying pace and companies like Flock are consolidating the collected data and packaging it up for sale to law enforcement agencies. Even if no human in these agencies were to abuse this data, it's creating an irresistible target for scheming hackers and nation states keen on espionage. The longer we let this go, the harder it will be to stop. In today's news: Asus routers are being hacked and you need to take action; 23andMe has been sold, along with its users' genetic data; AI-generated videos have just become way more realistic; US government taps surveillance company to centralize all its citizen data; CFPB regulation limiting data brokers is axed; Kroger is packaging and selling its customer loyalty data; automated license plate reader data use is expanding in scary ways; Android phones gain
- Dividing Trust
26/05/2025 Duration: 01h10min
VPNs were not invented for privacy, despite the name - they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you're shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it's the key technology behind new services like Apple's Private Relay and Obscura VPN. Today we'll discuss the benefits of this approach with Obscura's founder, Carl Dong.
Interview Notes Obscura VPN: https://obscura.net/ Wireguard: https://en.wikipedia.org/wiki/WireGuard Obscura Wireguard configuration tool: https://obscura.net/#faq-wireguard-config QUIC explainer video: https://www.youtube.com/watch?v=HnDsMehSSY4 Masque: https://datatracker.ietf.org/wg/masque/about/ Privacy Pass: https://privacy
- Slay Message Snoopers
19/05/2025 Duration: 45min
There are way too many messenger apps today. It's a sad state of affairs and I don't see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren't really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it's not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I'm going to suggest you try Signal. In other news: study finds Canadians' health data being sold to drug makers; DOGE worker's computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers because of privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.
Article Links [cbc.ca] Millions of Canadians' health data available for sale to pharmaceutical i
- Shelter from the Storm
12/05/2025 Duration: 01h16min
Almost exactly two years ago, "Five Eyes" intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People's Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.
Interview Notes UnDisruptable27: https://securityandtechnology.org/undisruptab
- Disable Your MAID
05/05/2025 Duration: 01h06min
As we learned last week from Zach Edwards, our smartphones have a globally unique mobile ad ID, or MAID, that is automatically associated with everything we do on our phones... unless we take explicit steps to turn this off. Today I'll tell you how this works and why you should disable this insidious form of tracking. In other news: the FTC warns us about a new type of scam; dating app Raw exposed sensitive user data; a determined reporter documents his efforts to disable all the AI features in his Google phone; "juice jacking" is back with a tricky twist; Apple's AirPlay has a vulnerability whose fix may not reach all devices; Microsoft is pushing hard for passwordless accounts; Google Wallet allows you to verify your age without giving up personal info; and there's a new and troubling update to the Signalgate saga.
Article Links [lifehacker.com] The FTC Is Warning Consumers About a Scam on Discounted Monthly Bills https://lifehacker.com/money/ftc-monthly-services-scam [techcrunch.com] Dating ap
- Riding the Data Gravy Train
28/04/2025 Duration: 01h14min
Data brokers are out of control. While we think of them gathering data in order to target us with ads, they can actually use the targeted ad system (real-time bidding) to collect vast quantities of personal information. It's a very shady business and the primary players are trying hard to obfuscate what they're doing. Thankfully, we have people like my guest, Zach Edwards, whose investigations are ripping the cover off of these unscrupulous practices.
Interview Notes Zach Edwards: https://www.linkedin.com/in/zedwards/ Zach at Silent Push: https://www.silentpush.com/team/zach-edwards/ Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/ Disable mobile ad ID (iOS): https://ssd.eff.org/module/how-to-get-to-know-iphone-privacy-and-security-settings#disable-ad-tracking Disable mobile ad ID (Android): https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-ad-tracking
Further Info Dragon Coin Promo!! https://fds
- Travel Insecurity
21/04/2025 Duration: 01h05min
Going through border security today - even just returning to your own country - is not as simple and stress-free as it should be. The likelihood of our digital devices being searched by a border agent has increased in recent years and political sensitivities today can be high. Our devices have access to a ridiculous amount of extremely personal information. How can we protect ourselves? The answers aren't great, but I'll give the current best advice from immigration lawyers and civil rights groups. In other news: the Apple-UK data privacy court case will be at least partially public; some companies are ignoring automated opt-out signals; Waymo may use interior car video to train its AI; data breaches at Hertz and a Planned Parenthood medical lab; air travel group paints a picture of future use of facial recognition; San Francisco police have a new surveillance center; Ukraine drones come with anti-Russian malware; judge rules that 'cell tower dumps' require a warrant.
Article Links [bbc.com] Apple-U
- Life on the Blue Team
14/04/2025 Duration: 01h05min
It's easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we'll delve into the world of the "blue team" - the defenders who are charged with protecting your data and the services you depend on - with cyber expert Oz Jones. Along the way, we'll learn valuable lessons for everyone.
Interview Notes Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/ Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/ CIS Controls: https://www.cisecurity.org/controls Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html
Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https:/
- Differential Privacy
07/04/2025 Duration: 01h12min
When we collect a lot of personal data, say via the US Census, the goal is to glean important aggregate information and statistics, while somehow preserving the anonymity and privacy of the individual respondents. There's a rigorous mathematical process for doing this - that's actually not that hard to understand - called Differential Privacy. I'll explain how it works. In the news: iOS has a new location privacy setting; Google confirms it's rolling out AI to Gmail; Windows makes it much harder to avoid creating a Microsoft Account; WhatsApp is rolling out AI in Europe with no way to opt out; Switzerland is considering undermining encrypted communications; 23andMe is going bankrupt - it's time to delete your data; France rejects a backdoor mandate; and finally, I have a lot to say about the US officials' Signal chat debacle.
Article Links [9to5mac.com] iOS 18.4 includes a new location services privacy setting for your iPhone https://9to5mac.com/2025/04/02/ios-iphone-new-location-services-privacy-to
- Microscoping Our Apps
31/03/2025 Duration: 01h10min
We've been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what's in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don't fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they're really doing.
Interview Notes Internet Safety Labs: https://internetsafetylabs.org/ App Microscope: https://appmicroscope.org/ Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/ Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/ Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documenta
- It’s Tax (Scam) Time Again
24/03/2025 Duration: 58min
Tax time is once again upon us here in the USA, which means that the tax scammers are coming out of the woodwork. Many will claim to be representing the IRS, claiming that there is an urgent need to fix a problem with your return, threatening penalties if you don't pay them money. Others will simply try to file fake returns in your name, but send the massive false refund checks to themselves. I'll help you spot and avoid these scams. In other news: Apple's Passwords app was vulnerable to phishing attacks (now fixed); Amazon is forcing Echo owners to share voice recordings; the Bluetooth chip "backdoor" that wasn't; Captchas were used by Google to translate books and Street View images; ICE uses third party tool to scrape tons of your data; beware of online file converters; Clearview AI attempted to buy millions of mugshots; RCS messaging will soon allow end-to-end encrypted chats between iPhones and Android phones.
Article Links [9to5mac.com] Apple’s Passwords app was vulnerable to phishing attacks
- All Things Secured
17/03/2025 Duration: 01h04min
Josh Summers lived in China for many years and learned a lot about privacy and security. Since he left, he's made it his mission to share this knowledge through his website and YouTube channel called All Things Secured - helping regular, everyday people like you and me to protect our data and devices. Today we'll talk specifically about improving your security and privacy on iPhones and Android phones, and even some alternatives outside the Apple and Google ecosystems.
Interview Notes All Things Secured: https://www.allthingssecured.com/ All Things Secured YouTube: https://www.youtube.com/@AllThingsSecured Apple iPhone Lockdown Mode: https://support.apple.com/en-us/105120 Apple Stolen Device Protection: https://support.apple.com/en-us/120340 Apple Advanced Data Protection: https://support.apple.com/en-us/108756 Android Theft Protection: https://blog.google/products/android/android-theft-protection/ Google Advanced Protection Program: https://landing.google.com/advancedprotection
- Slay Browser Ads Forever
10/03/2025 Duration: 01h07min
Google's Chrome browser is rolling out changes that will hamstring ad blockers - so there's never been a better time to try a better browser. There are a handful of good options, but I'm going to recommend that you try Firefox with a fantastic ad blocker called uBlock Origin. If you've never tried this powerful combination, you won't believe what you've been missing. In other news: the UK scrubs all encryption advice from government sites; Signal's CEO threatens to leave Sweden over backdoor demands; UK private health services hit by Medusa ransomware; Australian IVF provider has patient data stolen; Brazil gives Apple 90 days to allow side loading of apps; millions of Android TVs hijacked by a botnet; Qualcomm and Google team up to offer 8 years of Android updates; Google rolls out AI voice call scam detector; and confusion over Trump admin orders regarding Russia cyber threats.
Article Links [techcrunch.com] UK quietly scrubs encryption advice from government websites https://techcrunch.com/2025/0
- Back to The L0pht
03/03/2025 Duration: 01h03min
Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We'll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them.
Interview Notes Veracode: https://www.veracode.com/ L0pht.com: https://l0pht.com/ L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up The Open Organisation Of Lockpickers (TOOOL): https://toool.us/ 2600: https://www.2600.com/ Classic engineering references: https://bitsavers.org/
Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to t
- Onion Routing
24/02/2025 Duration: 01h13min
Not all Privacy Enhancing Technologies are new - but this one is probably new to you. Onion routing was developed in the 1990s by the US government and is the basis for the Tor Network. Onion routing does one thing very well: it masks your actual IP address. While you can use a VPN for this purpose, onion routing adds a different layer of anonymity - and it's just a cool technology. Today I'll explain how it works, how to use it, and the pros and cons of doing so. In other news: Bitly is leveraging its URL-shortening empire to monetize your links; a major car company is experimenting with in-car pop up ads; a cautionary tale about law enforcement's access to private phone data; Russian spies are using a clever new phishing technique to gain access to Microsoft 365 accounts; Apple pulls its Advanced Data Protection feature from the UK market in response to demands to 'backdoor' its encryption; and whatever your political beliefs, the chaos and careless changes made by the DOGE group are seriously undermin