Firewalls Don't Stop Dragons Podcast
- Author: Various
- Narrator: Various
- Publisher: Podcast
- Duration: 380:42:40
Information:
Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
- Security Planner
17/02/2025 Duration: 58min
Generic security advice is good, but tailored advice is much better. Everyone's situation is a little different. What are you trying to protect? Who or what are you trying to protect it from? What are the consequences of failure? This is called threat modeling. And thankfully, the wonderful folks at Consumer Reports have a free, easy-to-use Security Planner tool that will help anyone do this assessment and provide custom solutions. My guest today is Yael Grauer, who will help us understand how to think about our security and how the CR tool can help you protect your data and devices.
Interview Notes:
Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/
Yael’s website: https://yaelwrites.com/
Big Ass Data Broker Opt Out List (BADBOOL): https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List
Consumer Reports advocacy: https://advocacy.consumerreports.org/
CR’s Digital Standard: https://thedigitalstandard.org/
CR’s Consumer Readiness Report 2024 (P
- Crypto Wars 2.0
10/02/2025 Duration: 01h08min
Privacy is a human right - and you don't have to justify rights, you just have them. That's kinda the whole point. But you do need to exercise them and defend them sometimes. It has been leaked that the UK is telling Apple to reveal the encrypted data of every single one of their users to the UK government under the auspices of the Investigatory Powers Act (and its recent controversial Amendment). This would be a privacy and security disaster, and we were not even supposed to know about it.
In other news: Netgear warns of serious router bugs (so update your firmware now); DeepSeek AI app has serious security and privacy problems, but the AI model has real promise in other ways; AngelSense personal customer data exposed; Cybercrime groups exploit 7-Zip app flaws to bypass Windows protections; some clever Mac and iOS malware making the rounds; new Android Identity Check feature released, and I introduce some Privacy Enhancing Technologies.
Article Links:
[Bleeping Computer] Netgear warns users to patch
- Controlling Your Digital ID
03/02/2025 Duration: 01h09min
In the real world, we present different aspects of ourselves in different environments: home, work, family, friends, school, etc. Why can't we do this in the virtual world, as well? While marketers love to identify us with unique identifiers so they can track us mercilessly, there are tools we can use that will allow us to compartmentalize our digital lives just like we can in the real world. Today we'll discuss the notion of decentralized identity with Dr. Paul Ashley, CTO of Anonyome Labs, who runs the MySudo service.
Interview Notes:
MySudo: https://anonyome.com/individuals/mysudo/
Anonyome Labs: https://anonyome.com/
Open Wallet Foundation: https://openwallet.foundation/
Verifiable Credentials (W3C): https://www.w3.org/TR/vc-data-model/
Privacy is Power interview: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/
EFF on digital wallets: https://www.eff.org/deeplinks/2024/09/digital-id-isnt-everybody-and-thats-okay
Further Info Recommend news stor
- Treat Plugins Like Apps
27/01/2025 Duration: 01h10min
Software plugins allow you to add functionality to existing applications. Web browsers commonly use these extensions to add functionality like shopping helpers, password managers, ad blockers and much, much more. In a way, these add-ons are like "apps" for the browser. Like apps, they can view and manipulate your data. In the browser, they may alter the web page, track pages you visit, and even mine any data you might enter into web forms. Also like apps, plugins can have permissions which you must agree to when you install them. Therefore, we need to be very careful which plugins we install and make sure we trust the maker. Today I'll explain how to audit your plugins.
In other news: The TikTok ban has been given a 75-day reprieve; the Trump administration fires scores of cybersecurity experts; Apple Intelligence will soon be enabled by default on iPhones and Macs; some clever researchers have hacked the iPhone USB-C connection; a tricky new smishing campaign tricks users into bypassing Apple protections;
- Reclaiming Data Privacy
20/01/2025 Duration: 01h50s
There are way too many data brokers and they have way too much of our data. We've talked a lot lately about what you can do to reclaim your privacy and claw back some of that data and today I'm going to give you yet another interesting tool for your privacy toolbox: Permission Slip. This app and the related service, brought to you by Consumer Reports, will work on your behalf to request that these data brokers relinquish your information, or at least suppress the sharing of that data to the extent that's legally possible. The tool has some helpful and interesting features that you may not find on other, similar services. Sukhi Gulati Gilbert is my guest today and will explain why you should consider using this tool and how it supports the overall effort to rein in the dangerous business of data mining.
Interview Notes:
Permission Slip app: https://permissionslipcr.com/
Protecting Your Privacy Online: https://www.consumerreports.org/electronics/privacy/from-our-president-protecting-your-privacy-online-a1
- New Year’s Resolutions 2025!
13/01/2025 Duration: 01h05min
The start of a new year is always a good time to add some big juicy goals to your to-do list - call them New Year's Resolutions, if that works for you, but really it's just about making up your mind to tackle some important personal objectives. Today I'll give you several ideas to improve your privacy and security in 2025, and those around you.
In the news: dozens of malicious Chrome Browser extensions identified; net neutrality is dead, again, and probably for good this time; Apple to pay a meager $95M to settle a Siri privacy class action suit; Apple's new Enhanced Visual Search is enabled by default and sending data to Apple; proposed ban on TP-Link routers is missing the real problem; Google's change in its Privacy Sandbox policy seems to now allow the use of device fingerprinting; proposed HIPAA amendments will close major health data security gaps.
Article Links:
[Ars Technica] Time to check if you ran any of these 33 malicious Chrome extensions https://arstechnica.com/security/2025/01/dozens-
- ALPRs Are Everywhere
06/01/2025 Duration: 01h03min
There are many ways in which we are tracked in the real world, but one of the most ubiquitous and insidious technologies is Automated License Plate Readers. These camera systems are deployed in just about every city by both public and private organizations. Furthermore, the third parties who sell and operate these systems collect and collate data from around the country, making it available to law enforcement and marketing firms. Because these systems capture images of your car, they can also document the make, model and color, any distinguishing marks, and even bumper stickers. Today we'll discuss how and where these systems are deployed, who has access to the data, the repercussions of this mass surveillance and how it can go horribly wrong with my guests Adam Schwartz and Gowri Nayar from the Electronic Frontier Foundation.
Interview Notes:
Donate to the EFF: https://supporters.eff.org/donate/join-eff-today
The Human Toll of ALPR Errors: https://www.eff.org/deeplinks/2024/11/human-toll-alpr-error
- Best of Bonus 2024!
30/12/2024 Duration: 54min
Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Micah Lee (author, journalist), Nick Weaver (cybersecurity researcher), Kate Black (health data specialist), Jason Edison (OSINT expert), Dani Cronce and Lizzie Moratti (TunnelVision hack), Bruce Schneier (cryptographer, author), and Carissa Véliz (author, professor).
Original Interview Links:
Ep358: Micah Lee https://podcast.firewallsdontstopdragons.com/2024/01/08/investigating-data-leaks/
Ep360: Nick Weaver https://podcast.firewallsdontstopdragons.com/2024/01/22/rise-of-the-slaughterbots/
Ep368: Kate Black https://podcast.firewallsdontstopdragons.com/2024/03/18/health-data-privacy/
Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/
Ep388: Jack Daniel https://podcast.firewallsdo
- Replay: Golden Age of Surveillance
23/12/2024 Duration: 42min
I'm digging into the vault for a classic replay! I first interviewed Phil Zimmermann, creator of Pretty Good Privacy (PGP), on May 7, 2018. It was Episode 63 (we're now at 408) and it was entitled "We Now Live in the Golden Age of Surveillance". In this episode we talk a little about the origins of PGP in the 1990's and what he feels about the FBI's claims that we're "going dark" due to strong end-to-end encrypted communications. I've added some new commentary, but the original episode is preserved in all of its original glory!
Interview Notes:
Original Ep63 interview: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
Ep214: Social Media is Ruining Society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society/
Ep243: Through the Past, Privately: PGP Turns 30 https://podcast.firewallsdontstopdragons.com/2021/10/25/through-the-past-privately-pgp-turns-30/
Phil Zimmermann’s website: https://philzimmermann.com/
- Best of 2024!
16/12/2024 Duration: 01h32min
I've had some truly amazing interviews this past year. For your listening enjoyment, I've curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you've never listened to my podcast, this will give you a taste of what you're missing! If you're a regular listener, this will be a fun trip down memory lane, complete with a little new commentary. Enjoy!
Original Interview Links:
Ep362: Patrick Wardle https://podcast.firewallsdontstopdragons.com/2024/02/05/securing-your-mac/
Ep364: Jen Caltrider https://podcast.firewallsdontstopdragons.com/2024/02/19/car-privacy-is-horrid/
Ep366: 404 Media https://podcast.firewallsdontstopdragons.com/2024/03/04/how-our-data-is-abused/
Ep375: Dina Temple-Raston https://podcast.firewallsdontstopdragons.com/2024/05/13/inside-ukraines-it-army/
Ep378: Naomi Brockwell https://podcast.firewallsdontstopdragons.com/2024/05/27/why-privacy-matters/
Ep380: Joseph Cox https://podcast.firewa
- Deleting Your Data
09/12/2024 Duration: 56min
Have you ever searched for your personal information online? There are dozens of "people search sites" out there, but a simple Google search can also find information about you, too. Behind the scenes, there are hundreds if not thousands of data brokers who are scouring the web constantly for your info, creating dossiers on all of us, for sale to anyone willing to pay. We have no federal privacy laws in the US, but even if you live in the EU (with GDPR) or a US state with some privacy protections (like California), you still may find your data online - because much of it comes from public records, including voting records, property tax records, and legal filings. How do you find your data? Where did it come from? And more important, what can you do about it? Today we'll discuss this and more with Ben and Tyler, the founders of data deletion service EasyOptOuts.
Interview Notes:
EasyOptOuts: https://easyoptouts.com/
Consumer Reports study: https://www.consumerreports.org/electronics/personal-information/s
- Letters from the Mailbag
02/12/2024 Duration: 01h03min
It's been too long since I've dipped into the listener mailbag, so today I'm going to answer a small selection of your questions on the air! Topics include privacy-respecting baby monitors, the "IoT network" on some Orbi routers, why you can't really use a computer monitor as a "dumb" TV, and whether browser privacy plugins work on first party tracking.
We'll also cover some news stories: why you shouldn't upload medical images to AI chatbots; the Fancy Bear "nearest neighbor" attack; Google's new website link overlays; the curious case of cutting undersea internet cables; Microsoft's new Windows Resiliency Initiative; mobile pay apps coming under regulatory scrutiny; iPhone's new tool to strip metadata from shared photos; and Google now warning you about suspicious apps.
Article Links:
[techcrunch.com] PSA: You shouldn’t upload your medical images to AI chatbots https://techcrunch.com/2024/11/19/psa-you-shouldnt-upload-your-medical-images-to-ai-chatbots/
[darkreading.com] Fancy Bear 'Nearest Neig
- Privacy is Power
25/11/2024 Duration: 01h01min
Privacy has been defined in many ways. The right to tell your story your own way. The right to have control over your personal information. The right to be left alone. There's a reason we have T-shirts that say "dance like no one is watching". We censor ourselves when we're being watched. But if knowledge is power, then asymmetries in knowledge must lead to asymmetries in power. Privacy is a human right but it's also a collective good - something we need to respect and support, even if we do not personally feel the need to exercise it. Today I'll explore why privacy is essential, how it is being threatened, and what we can do to reclaim it with Carissa Véliz, a professor of philosophy and author of the wonderful and important book, Privacy is Power.
Interview Notes:
Carissa’s website: https://www.carissaveliz.com/
Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/
My review of her book: https://firewallsdontstopdragons.com/privacy-is-power-review/
- Best & Worst Gifts for 2024
18/11/2024 Duration: 01h11min
Holiday shopping season is here! And today I'll give you the highlights of my annual Best & Worst Gift Guide for 2024, with regard to privacy and security. The worst offenders may not surprise you, though some have actually gotten worse since just last year. And I have a few new suggestions for people on your nice list!
In the news this week: another popular browser extension has gone rogue; Mozilla laid off 30% of their staff; FBI warns that bad guys are filing fraudulent emergency data requests to steal your private info; Apple quietly introduces a brilliant security feature that is frustrating cops; Microsoft will stop providing security updates for Windows 10 next October; a free decryptor was released for ShrinkLocker ransomware; Signal offers new call link feature; an air fryer app is sending your data to China; and Apple announces feature to share AirTag location with others including airlines to help find lost luggage.
Article Links:
[cyberinsider.com] Popular Chrome Extension to Hide YouTube
- Cutting the Software Tether
11/11/2024 Duration: 01h03min
Device manufacturers are breathing new life into old mundane products by connecting them to the internet, giving us the ability to monitor and control them from anywhere. However, this connection to the cloud works both ways. Not only do device makers now have unprecedented access to our usage and personal information, but they can hobble or limit our use of these devices at their whim. Today I'll speak with IoT expert Stacey Higginbotham, who is working with Consumer Reports and other consumer rights groups to bring more transparency to the smart device industry, and hopefully allow us to regain control over the devices we purchase.
Interview Notes:
Stacey Higginbotham: https://www.linkedin.com/in/staceyhigginbotham/
Consumer Reports’ FTC filing on software tethering: https://advocacy.consumerreports.org/press_release/ftc-software-tethering/
Who Ya Gonna Call? https://innovation.consumerreports.org/who-ya-gonna-call/
Spotify Cancels Car Thing: https://innovation.consumerreports.org/how-to-ki
- Curbing Location Tracking
04/11/2024 Duration: 01h02min
Our location is being tracked mercilessly today, in several ways. In the digital age, location data is among the most sensitive information we share, providing a record of our daily lives that can reveal where we live, who we associate with, and our personal routines. For app developers, marketers, and even law enforcement, this data is a goldmine for the ‘app economy’. Today I’ll talk about the most common sources of location data and give you some tips for limiting the tracking.
In other news: the FTC files rule that requires canceling be just as easy as subscribing; CFPB takes action against worker surveillance; macOS Sequoia's tightened app security may be annoying to some; it's now legal to hack McFlurry machines to fix them; the EU makes vendors liable for software bugs; city sues Flock saying license plate readers are unconstitutional; tracking world leaders with a fitness app; smartphone location tracking is out of control.
Article Links:
[theverge.com] The FTC is finally making it easier to
- Episode 400 Special
28/10/2024 Duration: 01h14min
The first episode of Firewalls Don't Stop Dragons Podcast aired on March 8, 2017 - almost 8 years ago now. Over that time, I've interviewed over 135 unique and amazing people, covered countless cybersecurity and privacy stories, and offered 100's of tips for protecting your devices and data. To celebrate this momentous occasion, world-renowned cryptography guru Bruce Schneier has returned for our traditional Podcentennial interview! We discuss several timely topics including the Crowdstrike incident, the pager bombing and supply attacks more generally, US election security, the open market for cyber vulnerabilities, US intelligence agencies' focus on offense versus defense, how AI might actually benefit democracy and much more!
Interview Notes:
Bruce Schneier’s blog: https://www.schneier.com/
Inrupt’s Solid concept: https://www.inrupt.com/solid
Data and Goliath (book): https://www.schneier.com/books/data-and-goliath/
Bruce’s NY Times article on pager bombs: https://www.schneier.com/essays/a
- Understanding AI Chatbots
21/10/2024 Duration: 58min
Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere - either directly or integrated with other popular apps. This technology is real and it's here to stay, so it's important that we understand what it is, how it works, and what the limitations are. Today I'll explore some aspects of LLMs that you probably weren't aware of.
In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; China attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn't share personal information with AI chatbots.
Article Links:
[The Hacker News]
- L0pht Heavy Industries
14/10/2024 Duration: 01h09min
L0pht Heavy Industries (pronounced "loft") was one of the most influential hacker groups in history. Unlike many others, L0pht carefully cultivated a relationship with mass media, sold profitable products, started businesses, and even testified before the US Senate. Cris Thomas, aka Space Rogue, was one of the earliest members of the L0pht and he recently published a book chronicling the group's long and storied history called Space Rogue: How the Hackers Known As L0pht Changed the World. Today I sit down with Cris to discuss that history and the impacts that the L0pht and other hacker groups have had on all of us.
Interview Notes:
Space Rogue’s website: https://www.spacerogue.net/
L0pht homepage: https://l0pht.com/
L0phtCrack: https://www.l0phtcrack.com/
Textfiles.com: http://textfiles.com/
L0pht testimony: https://www.youtube.com/watch?v=VVJldn_MmMY
Charlie Rose “Hackers” interview: https://www.youtube.com/watch?v=zbTkOuPv2fo
PicoCTF: https://www.picoctf.org/
Hack the Box: ht
- Indicators of Account Compromise
07/10/2024 Duration: 01h09min
Sometimes it’s obvious when your accounts are hacked. Maybe your money is gone. Maybe you can no longer log in using the password you know is correct. Maybe everyone you know has gotten a scam email from you that you didn’t send. But sometimes bad guys aren’t so obvious. They may lurk around in your accounts to gather information for identity theft or in hopes of gaining access to other more lucrative accounts. I'll tell you how to find out.
In other news: CA governor vetoes opt-out signal bill but signs car privacy bill; 23andMe is in trouble and your data may be, too; PayPal opted you into data sharing without asking; Kaspersky deletes itself and installs UltraAV without asking; 100 million Americans had background data leaked; researchers add facial recognition tech to Meta's smart glasses; NIST updates password rules with common sense changes; US & Microsoft seize 100+ web domains used by Russian hackers.
Article Links:
[Ars Technica] Calif. Governor vetoes bill requiring opt-out signals for s