Explore every episode of the podcast Firewalls Don't Stop Dragons Podcast
Dive into the complete episode list for Firewalls Don't Stop Dragons Podcast. Each episode is cataloged with detailed descriptions, making it easy to find and explore specific topics. Keep track of all episodes from your favorite podcast and never miss a moment of insightful content.
| Title | Pub. Date | Duration | |
|---|---|---|---|
| Removing Old Accounts | 03 Nov 2025 | 01:02:14 | |
Today we'll wrap up my series of tips for enumerating all your old online accounts and deciding whether to delete them or just dumb down the personal data they have on you. There are several things to consider - we'll go through them all!
In other news: a study ranks the most private AI chatbots; LinkedIn is set to use your personal data to train their AI; ChatGPT has released an AI browser; new phishing scam for password manager creds; Gmail did not leak 183M passwords; man discovers his robot vacuum sharing lots of personal data; more info on Cellebrite's mobile hacking abilities; Flock expanded its surveillance with Ring and drones; and group finds that half of our satellite communications are not encrypted.
Article Links
Which Generative AI Is Most Privacy-Respecting? https://www.obscureiq.com/which-generative-ai-is-most-privacy-respecting/
LinkedIn will use your data to train AI – how to opt out https://proton.me/blog/linkedin-ai-training
Chatgpt Atlas Browser https://www.washingtonpost.com/technology/2025/10/22/chatgpt-atlas-browser/
Phishing scam uses fake death notices to trick LastPass users https://www.malwarebytes.com/blog/news/2025/10/phishing-scam-uses-fake-death-notices-to-trick-lastpass-users
No, Gmail has not suffered a massive 183 million passwords breach https://www.techradar.com/pro/security/no-gmail-has-not-suffered-a-massive-183-million-passwords-breach-but-you-should-still-look-after-your-data
Man Alarmed to Discover His Smart Vacuum Was Broadcasting a Secret Map of His House https://futurism.com/robots-and-machines/robot-vacuum-broadcasting
Someone Snuck Into a Cellebrite Microsoft Teams Call and Leaked Phone Unlocking Details https://www.404media.co/someone-snuck-into-a-cellebrite-microsoft-teams-call-and-leaked-phone-unlocking-details/
Ring cameras are about to get increasingly chummy with law enforcement https://arstechnica.com/gadgets/2025/10/ring-cameras-are-about-to-get-increasingly-chummy-with-law-enforcement/
Exclusive: Flock Safety paid over $300 million for 17-month-old drone startup Aerodome https://techcrunch.com/2024/10/23/flock-safety-paid-over-300-million-for-17-month-old-drone-startup-aerodome/
Leak From the Sky: It Turns Out a Lot of Satellite Data Is Unencrypted https://www.pcmag.com/news/leak-from-the-sky-it-turns-out-a-lot-of-satellite-data-is-unencrypted
Tip of the Week: https://firewallsdontstopdragons.com/removing-old-accounts/
Further Info
Data Diet series: https://firewallsdontstopdragons.com/data-diet-introduction/
Backing up 2FA seed codes: https://firewallsdontstopdragons.com/how-to-backup-2fa-seed-codes/
Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
Claudito: https://github.com/micahflee/claudito
LM Studio: https://lmstudio.ai/
Dark Wire book: https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:07: Intro
0:00:27: News briefs
0:01:49: News preview
0:03:53: Which AI Is Most Privacy-Respecting?
0:09:21: LinkedIn will use your data to train AI
0:14:23: ChatGPT's new Atlas browser
0:21:46: Phishing scam uses fake death notices
0:25:32: Gmail has NOT suffered a massive password breach
0:27:57: Man finds smart vacuum sending maps of home
0:33:41: More Cellebrite capability details leak
0:38:28: Flock inks deal with Ring cameras
0:42:57: Flock Safety buys drone company
0:46:52: Half of satellite comms are unencrypted
0:51:26: Tip of the Week
1:00:01: Patron podcast preview
1:00:18: Looking ahead
1:01:39: New patron promotion coming? | |||
| Privacy-Focused AI | 27 Oct 2025 | 01:36:32 | |
AI chatbots like ChatGPT have made quite a splash. Companies are tripping all over themselves in a rush to add "AI" to everything, heedless of the security risks. But perhaps more insidious are the privacy risks. Most AI processing is done in the cloud, meaning that your queries and chats are subject to inspection, sharing, storage and monetization. These AI systems are incredibly expensive to train and operate, and AI companies are desperate to feed them every scrap of data they can find. It's a recipe for privacy disaster. But there are ways to make it more private, and today we'll discuss these approaches with Proton's head of AI, Eamonn Maguire.
Interview Notes
Lumo privacy and security model: https://proton.me/blog/lumo-security-model
AI privacy concerns: https://proton.me/blog/ai-privacy-concerns
How to build a private AI: https://proton.me/blog/how-to-build-privacy-first-ai
LaTeX: https://en.wikipedia.org/wiki/LaTeX
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:12:22: Defining some terms
0:15:29: What are the main privacy issues with modern AI?
0:22:53: What are the dangers of training AI models on personal data?
0:27:57: How do we make AI chatbots safer to use?
0:35:31: What are Proton's goals with Lumo?
0:42:41: How can Lumo protect a user's privacy?
0:52:19: Can we do more to anonymize cloud LLM queries?
0:56:50: What can we do to increase trust and transparency with AI?
1:02:55: Where does Proton store and process AI data?
1:10:35: Which LLM models does Lumo use?
1:15:38: Will Proton offer a local-only version of Lumo?
1:20:36: What's next for Lumo and AI at Proton?
1:27:59: Will Lumo ever be part of Proton pricing bundles?
1:31:24: Wrap-up
1:35:14: Patron podcast preview
1:36:04: Looking ahead | |||
| Going on a Data Diet | 25 Aug 2025 | 01:05:42 | |
The world wide web, as we know it today, has been around for over 30 years. In that time, most of us have created many dozens, perhaps hundreds, of online accounts. How many of those accounts are still alive somewhere? What data do they hold? And how good are the passwords you used? Today we're going to start on the path to finding all those accounts, which could drastically improve our privacy and security.
In the news: millions of Dell laptops have critical security flaws you need to patch now; Facebook may be secretly scanning your phone's images; National Public Data is back and you should delete your data; data brokers are flouting privacy laws; Ioniq 5 owners in the UK will have to pay for a security fix; Flipper Zero devices are being (wrongly) blamed for auto thefts; the US Supreme Court allows Mississippi social media law to go into effect; data brokers are hiding their opt-out pages; app TeaOnHer exposed users' data; UK backs down from Apple backdoor demand; and now is the time for EU residents to speak out against Chat Control.
Article Links
Millions of Dell laptops hit by ‘critical’ security vulnerability https://www.pcworld.com/article/2870014/millions-of-dell-laptops-hit-by-critical-security-vulnerability.html
Meta might be secretly scanning your phone's camera roll - how to check and turn it off https://www.zdnet.com/article/meta-might-be-secretly-scanning-your-phones-camera-roll-how-to-check-and-turn-it-off/
You Should Remove Your Info From the Rebooted National Public Data Site https://lifehacker.com/tech/remove-your-info-from-rebooted-national-public-data-site
Data Brokers Are Ignoring Privacy Law. We Deserve Better. https://www.eff.org/deeplinks/2025/08/data-brokers-are-ignoring-privacy-law-we-deserve-better
Hyundai wants Ioniq 5 owners to pay to fix a keyless entry security hole https://www.theverge.com/news/757205/hyundai-ioniq-5-security-upgrade-fix-game-boy-device-attacks
Can Flipper Zero really steal your car? (Spoiler: NO) https://blog.flipper.net/can-flipper-zero-steal-your-car/
Supreme Court allows Mississippi social media law to go into effect https://www.npr.org/2025/08/14/nx-s1-5482925/scotus-netchoice
Data Brokers Are Hiding Their Opt-Out Pages From Google Search https://www.wired.com/story/data-brokers-hiding-opt-out-pages-google-search/
How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes | TechCrunch https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/
UK blinks, backs down from its Apple backdoor encryption demand https://appleinsider.com/articles/25/08/19/uk-blinks-backs-down-from-its-apple-backdoor-encryption-demand
Worried about Chat Control? This website can help you get your say https://www.techradar.com/computing/cyber-security/worried-about-chat-control-this-website-can-help-you-get-your-say
Tip of the Week: Data Diet Introduction: https://firewallsdontstopdragons.com/data-diet-introduction/
Further Info
Cory Doctorow on age verification: https://pluralistic.net/2025/08/14/bellovin/#wont-someone-think-of-the-cryptographers
Fight EU’s Chat Control: https://fightchatcontrol.eu/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:01:37: News preview
0:05:00: Millions of Dell laptops hit by ‘critical’ security vulnerability
0:06:44: Meta might be secretly scanning your phone's camera roll
0:12:00: You Should Remove Your Info From National Public Data
0:15:39: Data Brokers Are Ignoring Privacy Law
0:19:06: Hyundai wants Ioniq 5 owners to pay for security fix
0:22:43: Can Flipper Zero really steal your car? (No.)
0:30:38: Supreme Court allows Mississippi social media law ... | |||
| Using Email Aliases | 04 Dec 2023 | 01:11:58 | |
Your online account credentials have two parts: a user name and a password. Today, most online providers force you to use your email address for your user name. This gives the service provider a guaranteed way to contact (and spam) their users, but it also means that bad guys know half of all your credentials and data brokers have a unique ID to track you across all your accounts. Today I'll explain the value of using email aliases for your online user names.
In other news: Iranian hackers attack US water plant; CISA launches program to address critical infrastructure threats; Google Drive users report missing data; Plex users fear new feature will leak p0rn watching habits; several articles on the ease of using data broker tools to spy on just about anyone, creating privacy and national security problems; smart mattress company CEO inadvertently reveals extent of data collection; concerns about IoT devices sold with a home; overblown fears over Apple's new NameDrop feature; Zelle offering refunds to some scam victims; and Malwarebytes' survey of people's security practices (spoiler: it's bad).
Article Links
[The Hacker News] Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S. https://thehackernews.com/2023/11/iranian-hackers-exploit-plcs-in-attack.html
[Dark Reading] CISA Launches Pilot Program to Address Critical Infrastructure Threats https://www.darkreading.com/ics-ot/cisa-launches-pilot-program-critical-infrastructure-threats
[AppleInsider] Google Drive users complain of missing files, months of data disappearing https://appleinsider.com/articles/23/11/27/google-drive-users-complain-of-missing-files-months-of-data-disappearing
[404media.co] Plex Users Fear New Feature Will Leak Porn Habits to Their Friends and Family https://www.404media.co/plex-users-fear-discover-together-week-in-review-feature-will-leak-porn-habits-to-their-friends-and-family/
[Rolling Stone] We Spied on Trump’s ‘Southern White House’ From Our Couches https://www.rollingstone.com/culture/culture-features/data-brokers-trump-tech-spying-privacy-threat-1234897098/
[9to5mac.com] Data brokers selling even more sensitive info; national security risk, says report https://9to5mac.com/2023/11/14/data-brokers-sensitive-info/
[MIT Technology Review] The US military’s privacy problem in three charts https://www.technologyreview.com/2023/11/13/1083262/the-us-militarys-privacy-problem-in-three-charts/
[therecord.media] Court rules automakers can record and intercept owner text messages https://therecord.media/class-action-lawsuit-cars-text-messages-privacy
[404media.co] CEO Reminds Everyone His Company Collects Customers' Sleep Data to Make Zeitgeisty Point About OpenAI Drama https://www.404media.co/ceo-reminds-everyone-eightsleep-pod-collects-sleep-data-to-make-zeitgeisty-point-about-openai-drama/
[sdmmag.com] Who Is Gonna “Own” the IoT? https://www.sdmmag.com/articles/93730-who-is-gonna-own-the-iot
[TechRadar] NameDrop in iOS 17 doesn’t have to be a privacy nightmare – here’s how to control it https://www.techradar.com/phones/ios/namedrop-in-ios-17-doesnt-have-to-be-a-privacy-nightmare-heres-how-to-control-it
[9to5mac.com] Zelle scams: App now starting limited refunds, under pressure from lawmakers https://9to5mac.com/2023/11/13/zelle-scams/
[malwarebytes.com] 3 crucial security steps people should do, but don't https://www.malwarebytes.com/blog/news/2023/10/the-3-crucial-security-steps-people-should-do-but-dont
OwnCloud hack: https://www.helpnetsecurity.com/2023/11/28/cve-2023-49103/
Pros & Cons of Antivirus Software: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/
Tip of the Week: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
Further Info
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
| |||
| Smart City Blues | 27 Nov 2023 | 00:57:34 | |
City governments are relying more and more on a vast network of sensors to tell them what's going on: stop light cameras, gunshot detectors, air quality sensors, license plate readers, automated toll booths, and much more. While these technologies can help the powers that be allocate precious resources and gain helpful insights, they can also lead to over-policing, chilling of free speech and mass warrantless surveillance. Today I'll discuss the dangers of smart cities with Eleni Manis from the Surveillance Technology Oversight Project (STOP).
Interview Notes
Surveillance Technology Oversight Project: https://www.stopspying.org/
S.T.O.P.'s Beginner’s Guide to the All-Too-Dumb World of Smart Cities: www.justcities.tech
CCOPS laws: https://www.eff.org/issues/community-control-police-surveillance-ccops
Further Info
Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:38: What got you into researching smart cities?
0:09:03: What are the positive aspects of smart cities?
0:13:06: How ubiquitous are these smart city technologies?
0:15:32: What are some of the most concerning smart city technologies?
0:16:45: Is this data being shared between local and federal agencies?
0:19:14: Can students opt out of school surveillance?
0:20:48: How can the police access footage from video doorbells?
0:24:20: How is this tech used for predictive policing?
0:26:31: Do these predictive policing systems actually work?
0:27:29: How does this mass surveillance affect people?
0:28:58: What about use of surveillance tech in neighborhoods?
0:33:56: Who operates these sensor networks? Who can access the data?
0:37:49: Is it possible to anonymize this data properly?
0:42:06: Can government agencies access our cellular data?
0:45:22: Can you refuse to hand your cell phone over to authorities?
0:48:04: Can we find ways to collect this data without ruining privacy?
0:49:42: How do I find out what smart city tech is being used in my area?
0:53:29: Wrap-up
0:54:57: Preview of upcoming shows | |||
| Best & Worst Gifts for 2023 | 20 Nov 2023 | 01:01:38 | |
The holiday gift-giving season is upon us - and therefore it's time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I've got some top tips for how to shop for privacy-respecting, security-protecting products! I've even got some ideas for free and helpful stocking stuffers.
In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children's tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing 'staggering' amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU.
Article Links
[The Hacker News] FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks https://thehackernews.com/2023/11/fcc-enforces-stronger-rules-to-protect.html
[TechCrunch] Children’s tablet has malware and exposes kid’s data, researcher finds https://techcrunch.com/2023/11/16/childrens-tablet-has-malware-and-exposes-kids-data-researcher-finds/
[BleepingComputer] PJ&A says cyberattack exposed data of nearly 9 million patients https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/
[8newsnow.com] Hackers target Las Vegas plastic surgeons, post patient information, naked photos online https://www.8newsnow.com/investigators/hackers-target-las-vegas-plastic-surgeons-post-patient-information-naked-photos-online/
[Ars Technica] Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/
[bitwarden.com] Bitwarden launches passkey management https://bitwarden.com/blog/bitwarden-launches-passkey-management/
[Electronic Frontier Foundation] Article 45 Will Roll Back Web Security by 12 Years https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years
Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/
Further Info
Give Thanks!: https://firewallsdontstopdragons.com/give-thanks-donate/
Consumer Reports Naughty List: https://foundation.mozilla.org/en/privacynotincluded/articles/our-longest-naughty-list-ever-the-2023-holiday-buyers-guide-is-here/
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: News run-down
0:03:18: FCC Enforces Stronger Rules to Protect Against SIM Swapping
0:06:39: Children’s tablet has malware and exposes kid’s data
0:11:22: Cyberattack exposed data of nearly 9 million patients
0:15:16: Hackers target plastic surgeons, post patient info, naked photos online
0:22:37: Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing
0:27:10: Bitwarden launches passkey management
0:30:45: Article 45 Will Roll Back Web Security by 12 Years
0:39:00: Best & Worst Gifts for 2023
0:42:38: The Naughty List
0:47:50: The Nice List
0:59:14: Give thanks!
1:00:03: FDSD Merch sale!
1:00:25: Upcoming shows & promotion | |||
| Smartphone Spyware | 13 Nov 2023 | 01:11:57 | |
Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus, which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but these are often used to abuse or stalk adult partners or ex-lovers. Today I'll discuss the state of these malicious apps, ways to protect our smartphones, and even how to detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole.
Interview Notes
iVerify app: https://www.iverify.io/consumer
xkcd “Security” cartoon: https://xkcd.com/538/
Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:38: Interview setup
0:03:08: How does iVerify work and why did you create it?
0:07:10: What sort of people need protection like iVerify?
0:11:07: How do you know that you can trust a security app?
0:14:54: What do MDM profiles do to my phone? Is it reversible?
0:20:37: How dangerous are third-party app stores, compared to Apple/Google?
0:27:37: If an app I've installed is pulled from the app store, will I be notified?
0:28:50: How hard is it today to jailbreak a phone?
0:31:49: How do you tell if a phone has been hacked?
0:33:21: Can you detect if an app has escaped its sandbox?
0:38:09: What is the marketplace like for spyware?
0:41:36: Are phones getting harder to hack?
0:44:16: Is it possible to detect or prevent hacking via physical access?
0:49:11: How do Apple and Google phones compare on security?
0:52:08: How does Apple's Lockdown Mode work?
0:54:47: Should governments outlaw the sale of mercenary spyware?
1:01:10: Should governments hoard 0-days or disclose them?
1:03:31: What are your top security tips for regular users?
1:05:44: What's next for iVerify?
1:07:28: Wrap-up | |||
| The Rise of Cellular IoT | 06 Nov 2023 | 01:04:25 | |
Connecting all our stuff to the internet – making devices “smart” – brings with it a lot of risks. Besides the more obvious cybersecurity vulnerabilities, these devices are also collecting a lot of personal data, offsetting razor-thin profit margins by monetizing our data. In most cases, we can limit this data exfiltration using outbound firewalls and DNS services, or just by disconnecting the devices from the internet altogether. But lately I've been seeing devices coming configured with cellular data connections, which would effectively bypass your home network entirely - and therefore your ability to block or control the data flow.
In other news: 1Password discloses security breach; drug makers to pay 23andMe for access to your DNA; EFF publishes guidance for 23andMe customers after further data breach; Apple's private Wi-Fi MAC address feature has never worked right, until now; hackers find side-channel attack on Apple Silicon to pull private data from Safari browsers; Windows PCs targeted with new malware; YouTube is waging a new war on ad blockers; Apple's iMessage has new method to thwart 'ghost' listeners; the White House releases sweeping executive order on AI; Pew publishes new study on data privacy views.
Article Links
[BleepingComputer] 1Password discloses security incident linked to Okta breach https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/
[Bloomberg] Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA https://www.bloomberg.com/news/articles/2023-10-30/23andme-will-give-gsk-access-to-consumer-dna-data
[Electronic Frontier Foundation] What to Do If You're Concerned About the 23andMe Breach https://www.eff.org/deeplinks/2023/10/what-do-if-youre-concerned-about-23andme-breach
[AppleInsider] Apple's private Wi-Fi MAC addresses were security theater until iOS 17.1 https://appleinsider.com/articles/23/10/27/apples-private-wi-fi-mac-addresses-were-security-theater-until-ios-171
[Ars Technica] Hackers can force iOS and macOS browsers to divulge passwords and much more https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/
[TechRadar] Windows PCs are being targeted with a nasty new malware - here's what you need to know https://www.techradar.com/pro/security/windows-pcs-are-being-targeted-with-a-nasty-new-malware-heres-what-you-need-to-know
[404media.co] YouTube's 'War' on Adblockers Shows How Google Controls the Internet https://www.404media.co/youtubes-war-on-adblockers-shows-how-google-controls-the-internet/
[9to5mac.com] iMessage Contact Key Verification blocks the ‘ghost proposal’ plan by government spy agency https://9to5mac.com/2023/10/30/imessage-contact-key-verification-reason/
[Mashable] White House drops an AI regulation bombshell: 10 new mandates that'll shake up the industry https://mashable.com/article/white-house-drops-ai-regulation-bombshell
[pewresearch.org] How Americans View Data Privacy https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/
Tip of the Week: The Rise of Cellular IoT https://firewallsdontstopdragons.com/the-rise-of-cellular-iot/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:56: News rundown
0:03:11: 1Password discloses security incident linked to Okta breach
0:06:09: Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA
0:10:08: What to Do If You're Concerned About t... | |||
| Reclaiming the Internet | 30 Oct 2023 | 01:09:49 | |
What happened to the internet? It had so much promise. Social media and search results are full of stuff we never wanted to see. Surveillance capitalism is monetizing our most private information to serve us so many ads that we can never seem to consume the actual content. And if we're all so unhappy with the incumbents, where are the competitors offering better service? Cory Doctorow helps us understand how the internet got so crappy and what we can do to fix it.
Cory Doctorow is a science fiction author, activist, journalist and blogger at the site Pluralistic. He has written a bunch of great books, both fiction and non, including Little Brother, Red Team Blues and Chokepoint Capitalism.
Interview Notes
TikTok’s Ensh*tification: https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys
Cory’s blog: https://pluralistic.net/
Cory at DEF CON 31: https://www.youtube.com/watch?v=rimtaSgGz_4
The Internet Con: https://craphound.com/category/internetcon/
Chokepoint Capitalism: https://chokepointcapitalism.com/
Red Team Blues: https://craphound.com/category/novels/redteamblues/
Saving the News from Big Tech: https://www.eff.org/deeplinks/2023/04/saving-news-big-tech
Tracking Exposed: https://tracking.exposed/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:55: Defining some terms
0:03:57: Swear warning
0:04:25: What have you been up to since we last had you on the show?
0:07:58: What is ensh*tification? How does it work?
0:18:26: Have any companies actually completed the ensh*tification cycle?
0:22:36: Do we have concrete examples of interoperability breaking this cycle?
0:29:07: What percentage of oday are not what we asked for?
0:37:04: What happens to DRM'd content when the licensing company goes away?
0:39:19: How can we reverse engineer these algorithms?
0:41:04: How is social media promotion like a big carnival teddy bear?
0:44:28: Whatever happened to the Amazon Smile program?
0:45:58: What do you mean by the End-to-End Principle?
0:51:53: Isn't ensh*tification just a natural result of modern capitalism?
0:54:02: Doesn't capitalism require rules (aka regulations)?
0:57:18: So what are the solutions? How do we fix the internet?
1:02:46: Did we undermine antitrust by lowering the bar of consumer harm?
1:04:25: What can we do to help, as consumers and citizens?
1:07:06: Wrap-up
1:07:50: Looking ahead | |||
| It’s Time to Try Proton | 23 Oct 2023 | 00:56:39 | |
Email is old and was never built for security and privacy. Thankfully there are several modern secure email services. My personal favorite is Proton Mail and I'll explain to you today why you should really give it a try. I will also (finally) answer several interesting "Dear Carey" questions from listeners.
In other news: If you use WinRAR, you need to update right away; hackers are targeting a company that brokers Emergency Data Requests between law enforcement and Big Tech companies; Google is forced to reveal user search history in a CO court case; Google is making passkeys the default, but you may want to wait; EFF asks MasterCard to stop selling our data; and Bruce Schneier has an insightful article around the rather heated discussions over the benefits and dangers of artificial intelligence.
Article Links
[Gizmodo] You Need to Update WinRAR, Right Now https://gizmodo.com/you-need-to-update-winrar-right-now-1850939201
[404media.co] Hackers Target Company That Vets Police Data Requests for Tech Giants https://www.404media.co/hackers-target-kodex-accounts-edrs/
[TechSpot] Google forced to reveal user search history in Colorado court ruling https://www.techspot.com/news/100529-google-forced-reveal-users-search-queries-colorado-court.html
[blog.google] Passwordless by default: Make the switch to passkeys https://blog.google/technology/safety-security/passkeys-default-google-accounts/
[Electronic Frontier Foundation] Mastercard Should Stop Selling Our Data https://www.eff.org/deeplinks/2023/10/mastercard-should-stop-selling-our-data
[Schneier Blog] AI Risks https://www.schneier.com/blog/archives/2023/10/ai-risks.html
Tip of the Week: Try Proton https://firewallsdontstopdragons.com/its-time-to-try-proton/
Further Info
De-Googling Your Life: https://firewallsdontstopdragons.com/reducing-my-google-footprint/
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:12: News rundown
0:02:38: You Need to Update WinRAR, Right Now
0:05:10: Hackers Target Company That Vets Police Data Requests for Tech Giants
0:11:22: Google forced to reveal user search history in Colorado court ruling
0:15:59: Google: Passwordless by default
0:21:48: EFF: Mastercard Should Stop Selling Our Data
0:25:59: Bruce Schneier: AI Risks
0:33:12: Mailbag!!
0:42:28: Tip of the Week: Try Proton
0:54:25: Wrap up, look ahead | |||
| What’s Your Threat Model? | 16 Oct 2023 | 01:01:01 | |
There are several privacy-focused services available today. And the products we use have a dizzying array of privacy and security settings. How do you know which products you need and which vendors you can trust? How do you know which protections you need and which ones you don't? It comes down to understanding your personal threat model. We each have different things to protect and different consequences for failure. Today I'll speak with Andy Yen, CEO and founder of Proton, to help us figure out what we need.
Interview Notes
Proton Sentinel: https://proton.me/blog/sentinel-high-security-program
Privacy Decrypted #1: https://proton.me/blog/what-is-a-threat-model?ref=instantsearch
Private from Everyone (But Us): https://podcast.firewallsdontstopdragons.com/2022/04/25/private-from-everyone-but-us/
Security Planner (threat model tool): https://innovation.consumerreports.org/initiatives/security-planner/
Ars Technica threat model series: https://arstechnica.com/features/2021/10/securing-your-digital-life-part-1/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Show preview
0:01:44: Delete Act passes
0:02:36: What's new at Proton since we last spoke?
0:07:00: How do you determine your personal threat model?
0:09:21: How does Proton decide which threat models to address?
0:13:40: How do you learn about all the possible security settings?
0:15:37: How do you know which companies and products you can trust?
0:18:11: How should VC money and buyouts affect our trust?
0:22:30: What should tech reviewers be focusing on with privacy products?
0:26:24: How important is a company's location for privacy?
0:28:47: Are technological solutions sufficient to protect our data?
0:30:22: Has Proton received any pressure from governments to weaken privacy?
0:33:27: Does Proton actively market to government officials?
0:34:43: How can larger companies protect against insider threats?
0:37:05: What's your take on the LastPass breach?
0:41:32: What is Proton Sentinel and who is it for?
0:46:09: Will Sentinel be able to scale?
0:47:31: Proton asks Sentinel users for personal information - is that safe?
0:51:04: Can you share any specific Sentinel success stories?
0:53:39: What other features would you like to add to Proton?
0:58:30: Wrap-up
1:00:11: Look ahead | |||
| Cybersecurity Awareness Month | 09 Oct 2023 | 01:06:48 | |
October is national Cybersecurity Awareness Month here in the US. One of the four key themes this year is Recognizing and Reporting Phishing. We just discussed this at length with Nick Oles, but I wanted to give my perspective and tell you how to report phishing emails to the proper authorities.
In other news: cheap Android TV boxes come laced with malware and fraud software; 23andMe investigating massive data breach; US agencies caught using location data illegally; Meta proposes subscription plans in Europe for Facebook and Instagram; FBI warns of 'phantom hacker' scams targeting elderly; new Microsoft AI tool can simulate any voice with just 3 seconds of audio; attackers don't bother brute-forcing long passwords; free upgrade from Windows 7/8 to 10 is going away soon; FCC details plans to reinstate net neutrality; how to turn off Google's new Topics tracking system; new app from Consumer Reports to delete personal data; new privacy-respecting URL shortening tool from Panquake.
Article Links
[WIRED] Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/
[cyberscoop.com] DNA testing service 23andMe investigating theft of user data https://cyberscoop.com/23andme-user-data-theft/
[404media.co] ICE, CBP, Secret Service All Illegally Used Smartphone Location Data https://www.404media.co/ice-cbp-secret-service-all-broke-law-with-smartphone-location-data/
[9to5mac.com] Meta proposing ad-free Facebook and Instagram plans for up to $17/month https://9to5mac.com/2023/10/03/facebook-instagram-no-ads-plan/
[BleepingComputer] FBI warns of surge in 'phantom hacker' scams impacting elderly https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/
[futurism.com] New Microsoft AI Can Clone Your Voice From Three Seconds of Audio https://futurism.com/the-byte/new-microsoft-ai-clone-your-voice
[therecord.media] Attackers don’t bother brute-forcing long passwords, Microsoft engineer says https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/
[TechRadar] Been putting off that free Windows 11 or 10 upgrade? Windows 7 and 8 diehards need to move fast https://www.techradar.com/computing/windows/been-putting-off-that-free-windows-11-or-10-upgrade-windows-7-and-8-diehards-need-to-move-fast
[Ars Technica] FCC details plan to restore the net neutrality rules repealed by Ajit Pai https://arstechnica.com/tech-policy/2023/09/fcc-details-plan-to-restore-the-net-neutrality-rules-repealed-by-ajit-pai/
[Electronic Frontier Foundation] How To Turn Off Google’s “Privacy Sandbox” Ad Tracking—and Why You Should https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should
[CNET] This App Can Delete Your Personal History from Websites. And It's Simple https://www.cnet.com/tech/services-and-software/this-app-can-delete-your-personal-history-from-websites-and-its-simple-heres-how-to-use/
[talkliberation.substack.com] NOW SERVING: An early release of the Panquake Pie! https://talkliberation.substack.com/p/panquake-early-release-pnqk-now-available
Tip of the Week: Catching Phish: https://firewallsdontstopdragons.com/how-to-catch-a-phish/
Further Info
Win a copy of “How to Catch a Phish”! https://fdsd.me/catchaphish
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Microsoft’s VALL-E voice-gen tool: https://www.microsoft.com/en-us/research/project/vall-e-x/
Panquake URL shortener: https://pnqk.me/
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key. | |||
| Catching Phish | 02 Oct 2023 | 01:10:07 | |
The weakest link in most cybersecurity systems is you - that is, human beings. And one of the primary ways that people are tricked into infecting their devices (and potentially then threatening other devices on the network) is through phishing. We've all seen the Nigerian Prince scams, but with AI tools like ChatGPT, scam emails are going to get a lot harder to spot. On today's show, author and cybersecurity expert Nick Oles will teach us how to recognize phishing emails, introduce us to tools for detecting and protecting against phishing, and detail other techniques for defending against these sorts of attacks. All of this is just a taste of the top-notch advice contained in his new book, "How to Catch a Phish".
Interview Notes
How to Catch a Phish: https://www.amazon.com/How-Catch-Phish-Practical-Detecting/dp/1484293606
Win a free copy!! https://fdsd.me/catchaphish
Nick Oles on LinkedIn: https://www.linkedin.com/in/nick-o-8b5b6349/
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Virustotal URL scanner: https://www.virustotal.com/gui/home/url
URLscan.io: https://urlscan.io/
SANS PICERL Incident Response model (PDF): https://www.sans.org/media/score/504-incident-response-cycle.pdf
Malwarebytes personal: https://www.malwarebytes.com/getprotection
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:45: Patron book club update
0:02:11: Nat'l Cybersecurity Awareness Month
0:02:48: What drove you to write the book?
0:06:57: What really happens behind the scenes when I send an email?
0:13:37: What are email headers and why would I want to look at them?
0:17:13: How are email senders spoofed and can we prevent this?
0:23:35: Do email clients have indicators for vetted senders?
0:25:40: What is phishing and how can we recognize it?
0:32:06: How has phishing evolved over the years?
0:37:01: What are spearphishing and business email compromise?
0:40:24: Do spam filters help at all with phishing emails?
0:42:50: How do I know if I can trust any link or URL in an email?
0:48:34: Are web email clients safer than dedicated email apps?
0:51:35: How can we know which email attachments are safe to open?
0:54:48: If I accidentally click a bad link or attachment, what then?
0:59:11: How will AI impact phishing campaigns?
1:01:13: Are things getting better or getting worse?
1:04:08: Interview wrap-up
1:07:44: Book giveaway details | |||
| I’m Just a (Privacy) Bill | 18 Aug 2025 | 01:11:43 | |
Why don't we have meaningful privacy laws in the US? While we haven't been able to pass federal privacy legislation, many states have managed to pass laws protecting our data and establishing some basic privacy rights. Vermont House Representative Monique Priestley led a Herculean effort to pass privacy legislation in her state last year. While managing to get a solid bill through the House and Senate, the bill was ultimately vetoed by the governor and the Senate failed to override it. But along the way, Monique learned valuable lessons about dealing with Big Tech lobbyists. Today we'll follow the journey of the Vermont Data Privacy Act of 2024 and what lessons we should learn for future attempts at privacy legislation.
Interview Notes
Monique Priestley: https://mepriestley.com/
Vermont State Representative site: https://priestleyvt.com/
Vermont Committee Zoom call: https://www.youtube.com/watch?v=RfvAteuwRCA
Age Appropriate Design Code: https://epic.org/epic-applauds-passage-of-vermont-age-appropriate-design-code/
Big Tech Tried to Kill My State’s Privacy Bill. Here’s What I Learned. https://www.techpolicy.press/big-tech-tried-to-kill-my-states-privacy-bill-heres-what-i-learned/
The man quietly rewriting American privacy law https://www.politico.com/news/2024/09/17/andrew-kingman-data-privacy-lobbying-00179630
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:01:36: Interview setup
0:05:45: How did you get into privacy politics?
0:08:44: Who drafts the initial bill?
0:12:25: How are initial bills modified during this process?
0:17:08: When and how do lobbyists get involved?
0:22:34: Are lobbyists transparent about who they represent?
0:30:42: What are the most controversial elements of a privacy bill?
0:34:16: How are privacy laws limited by scope?
0:39:11: Why is the privacy right of action so important?
0:43:37: How do lobbyists kill privacy bills?
0:49:05: Do legislators collaborate across states?
0:55:19: How did the Vermont privacy bill get killed?
0:57:55: What are your key takeaways from this experience?
1:02:12: What's the current status of privacy legislation?
1:04:57: How can we help?
1:06:57: Wrap-up
1:09:38: Patron podcast preview
1:10:18: Looking ahead | |||
| iOS 17 Security & Privacy | 25 Sep 2023 | 01:04:18 | |
Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I'll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loved ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others.
In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too difficult to use.
Article Links
[MakeUseOf] Update Everything: This Critical WebP Vulnerability Affects Major Browsers and Apps https://www.makeuseof.com/critical-webp-vulnerability-affects-major-browsers-apps/
[Consumer Reports] Credit Bureaus Equifax, Experian, and TransUnion Announce Permanent, Free Weekly Access to Credit Reports https://www.consumerreports.org/money/credit-scores-reports/credit-bureaus-permanent-free-weekly-credit-report-access-a2226546788/
[proton.me] Introducing Proton CAPTCHA https://proton.me/blog/proton-captcha
[The Washington Post] FTC consumer protection chief puts data brokers on notice https://www.washingtonpost.com/politics/2023/09/21/ftc-consumer-protection-chief-puts-data-brokers-notice/
[briankrebs] LastPass: ‘Horse Gone Barn Bolted’ is Strong Password https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/
[ZDNet] Why you can still trust (other) password managers, even after that LastPass mess https://www.zdnet.com/article/why-you-can-still-trust-other-password-managers-even-after-that-lastpass-mess/
[The Verge] ‘Hyundai Pay’ is the latest effort by car companies to make in-car payments a thing https://www.theverge.com/2023/9/6/23861412/hyundai-pay-parkopedia-in-car-payment
[theprivacydad.com] Privacy Tools Are Not Worth the Hassle https://theprivacydad.com/privacy-tools-are-not-worth-the-hassle/
[TechCrunch] iOS 17 includes these new security and privacy features https://techcrunch.com/2023/09/18/ios-17-includes-these-new-security-and-privacy-features/
Tip of the Week: iOS 17 Security & Privacy: https://firewallsdontstopdragons.com/ios-17-security-privacy/
Further Info
Secure Your Home Network article series: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:27: Delete Act update
0:00:59: BSides RDU
0:01:54: News rundown
0:04:20: Critical WebP Vulnerability Affects Major Browsers and Apps
0:12:22: Credit Bureaus Announce Permanent, Free Weekly Access to Credit Reports
0:17:24: Introducing Proton CAPTCHA
0:22:07: FTC consumer protection chief puts data brokers on notice
0:26:19: LastPass requiring users to create longer passwords
0:32:58: Why you can still trust (non-LastPass) password managers
0:43:01: ‘Hyundai Pay’ in-car payments coming
0:45:38: "Privacy Tools Are Not Worth the Hassle"
0:54:57: Tip of the Week: iOS 17 security & priv... | |||
| Your Face Belongs to Us | 18 Sep 2023 | 01:01:56 | |
When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that they were in - even just in the background. And if those pictures were associated with a social media profile, we could identify the owner of the face along with their friends and family - all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book "Your Face Belongs to Us".
Interview Notes
Your Face Belongs to Us: https://www.kashmirhill.com/book
Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition
Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests
FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endritrestelica_ai-tech-activity-7098293527951851520-Mejy/
PimEyes: https://pimeyes.com/
Fawkes masking tool: https://sandlab.cs.uchicago.edu/fawkes/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: Tell us about your beat at the New York Times
0:02:17: What is the Clearview app and what does it do?
0:05:12: How did you come to write about Clearview AI?
0:07:40: What happened when you first investigated this company?
0:11:46: How did Clearview AI obtain all these images of our faces?
0:14:24: Why are privacy advocates calling for a ban on this technology?
0:16:36: Do the makers of Clearview appreciate the privacy implications of their tool?
0:18:56: How did 9/11 influence our views on surveillance technology?
0:22:33: Who has access to the Clearview app?
0:24:14: How do we know who is using this tool?
0:25:22: How has Clearview tried to win approval for this tool?
0:27:37: What's to stop others from copying this technology?
0:31:05: Wasn't Clearview used to ban lawyers from venues in NYC?
0:33:13: Didn't Illinois sue Clearview AI and win?
0:34:09: Where else is facial recognition being used today?
0:38:05: How often is FRT used in solving crimes in the US?
0:41:26: What about cases where FRT identifies the wrong person?
0:43:23: How accurate are these tools? What causes them to fail?
0:45:59: How accurate is Clearview compared to other tools?
0:47:02: How well does Clearview deal with facial hair, masks, etc?
0:50:01: What can we do to protect our faces online?
0:52:33: How well can Clearview pick out faces in the background?
0:54:41: What's the future of privacy in a world full of cameras?
0:56:24: What can we do to rein in abuse of FRT?
0:58:00: Wrap up and a look ahead | |||
| Remediate Your Network | 11 Sep 2023 | 01:06:55 | |
Today I wrap up my four-part series on how to secure your home network. We've enumerated our devices, gotten rid of stuff we don't need, assessed the state of our devices and now it's time to actually remediate any vulnerabilities we found. I'll walk you through everything you need to do.
In other news: Chrome's Topics API has rolled out (and I'll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right, and cities are suing; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages.
Article Links
[The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads-topics-sandbox
[citizenlab.ca] NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
[TechCrunch] FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/
[AppleInsider] UK backs down from nonsensical law after threats from Apple, WhatsApp https://appleinsider.com/articles/23/09/06/uk-backs-down-from-nonsensical-law-after-threats-from-apple-whatsapp
[Tom's Guide] Macs under threat from malicious ads spreading malware — don’t fall for this https://www.tomsguide.com/news/macs-under-threat-from-malicious-ads-spreading-malware-dont-fall-for-this
[briankrebs] Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
[WIRED] Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/
[VICE] Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing https://www.vice.com/en/article/93kdmp/kias-and-hyundais-keep-getting-stolen-by-the-thousands-and-cities-are-suing
[Gizmodo] If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416
[techxplore.com] Researchers issue warning over Chrome extensions that access private data https://techxplore.com/news/2023-09-issue-chrome-extensions-access-private.html
Tip of the Week: Remediate Your Network: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:29: Kashmir Hill interview coming
0:01:40: News rundown
0:04:32: How to disable Chrome’s new targeted ad tracking
0:07:12: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
0:10:36: FBI operation dismantles Qakbot botnet
0:13:51: UK backs down from nonsensical law after threats from Apple, WhatsApp
0:17:10: Macs under threat from malicious ads spreading malware
0:23:03: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
| |||
| Containing Big Data | 04 Sep 2023 | 01:10:33 | |
In the US today we're dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU's GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What's our data worth? And how can we protect it? I'll discuss all of this and more with my guest, Tom Kemp.
Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy.
Interview Notes
Containing Big Tech: https://www.tomkemp.ai/containing-big-tech
Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/
LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-airegulatio7087548531820941312/
SB362 (Delete Act): https://www.darkreading.com/endpoint/why-the-california-delete-act-matters
Tom’s post on SB362: https://www.linkedin.com/posts/tomkemp_sb362-databrokers-privacy-activity-7103448636260302848-Qg6p
Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:20: Follow me on Bluesky?
0:01:32: Interview preview
0:02:59: What are data brokers? Would we recognize their names?
0:06:07: How big is the data broker industry?
0:08:35: You say there are 5 different types of data brokers - what are they?
0:12:10: Are there financial data brokers outside the US?
0:15:53: Are we granting permission for data collection without realizing it?
0:18:44: Who is making money off our data and what is it really worth?
0:21:56: Who is selling our data out the back door?
0:26:50: Why is location data so valuable?
0:28:40: How much of my data is raw and how much is inferred or extrapolated?
0:33:06: How often do data records contain errors?
0:36:24: How much of our personal data is publicly available?
0:38:46: Can we have an ad-based web economy and privacy, too?
0:44:56: Are behavioral ads really worth more than contextual ads?
0:48:08: Can antitrust laws be leveraged against data collection?
0:50:46: Can laws requiring transparency in data collection be a stepping stone?
0:56:14: Why can't we pass a federal privacy law?
0:58:25: What can we do right now to limit data collection?
1:01:50: What else does your book cover?
1:05:28: Interview wrap-up
1:06:01: Delete Act (SB362) Update
1:06:58: A note on warranty registrations
1:08:11: Global Privacy Control article
1:08:28: Patron podcast teaser
1:08:50: Look ahead | |||
| Assessing Your Network Security | 28 Aug 2023 | 00:59:22 | |
In the third part of my series on securing your home network, we'll assess your security and privacy vulnerabilities. In prior weeks, we've exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don't need to be "smart" (Simplify). Now it's time to investigate the remaining devices and think about what we need to do to secure them.
In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year's end; LinkedIn accounts are being targeted for takeover; Intel's GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police need to be transparent about social media monitoring; Kansas newspaper raid by police teaches us how better to encrypt our data; hackers are selling credit report info on just about any American; NSA director tells employees to spy "with dignity and respect".
Article Links
[TechRadar] One of the worst Mac malware strains is back and hiding as a productivity app - so beware https://www.techradar.com/pro/security/one-of-the-worst-mac-malware-strains-is-back-and-hiding-as-a-productivity-app-so-beware
[Tom's Guide] Thousands of Android malware apps use stealthy APKs to bypass security, study finds https://www.tomsguide.com/news/thousands-of-android-malware-apps-use-stealthy-apks-to-bypass-security-study-finds
[Ars Technica] Illinois just made it possible to sue people for doxxing attacks https://arstechnica.com/tech-policy/2023/08/illinois-just-made-it-possible-to-sue-people-for-doxxing-attacks/
[TechCrunch] Meta plans to roll out default end-to-end encryption for Messenger by the end of the year https://techcrunch.com/2023/08/22/meta-plans-to-roll-out-default-end-to-end-encryption-for-messenger-by-the-end-of-the-year/
[TechRadar] LinkedIn user accounts have been taken over in huge hacking campaign https://www.techradar.com/pro/security/linkedin-user-accounts-have-been-taken-over-in-huge-hacking-campaign
[extremetech.com] Intel's GPU Drivers Now Collect Telemetry https://www.extremetech.com/gaming/intels-gpu-drivers-now-collect-telemetry-including-how-you-use-your-computer
[TechCrunch] Tesla says data breach impacting 75,000 employees was an insider job https://techcrunch.com/2023/08/21/tesla-breach-employee-insider/
[BBC] Why US tech giants are threatening to quit the UK https://www.bbc.com/news/technology-66304002
[The Intercept] Police Are Getting DNA Data From People Who Think They Opted Out https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/
[The Associated Press] A Pennsylvania court says state police can’t hide how it monitors social media https://apnews.com/article/pennsylvania-police-aclu-social-media-monitoring-1508189aba86cc776e19892b4a2b358a
[freedom.press] What a newsroom police raid teaches us about encrypting our devices https://freedom.press/training/blog/marion-record-police-raid/
[404media.co] The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/
[The Intercept] NSA Orders Employees to Spy on the World “With Dignity and Respect” https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/
Tip of the Week: Securing Your Network 3: Assess: https://firewallsdontstopdragons.com/secure-your-network-3-assess/
Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! | |||
| Demystifying AI | 21 Aug 2023 | 01:08:57 | |
Unless you've been living under a rock, you've seen several news stories about AI, machine learning and so-called Large Language Models. While tools like ChatGPT hold a lot of promise, many are deeply concerned about AI replacing jobs, generating potent malware, and being used in phishing and disinformation campaigns. Today I will ask AI expert Michael Littman to explain clearly what AI is and what it isn't, how the technology actually works, and what we should and maybe shouldn't be worried about.
Michael Littman is a computer science professor at Brown University who has won several prestigious teaching awards while studying machine learning and the implications of artificial intelligence. He serves as division director for Information and Intelligent Systems at the National Science Foundation and is also a Fellow of the Association for the Advancement of Artificial Intelligence and the Association for Computing Machinery.
Interview Notes
Gathering Strength, Gathering Storms: The One Hundred Year Study on Artificial Intelligence https://ai100.stanford.edu/gathering-strength-gathering-storms-one-hundred-year-study-artificial-intelligence-ai100-2021-study
Code to Joy book preorder: https://www.amazon.com/Code-Joy-Everyone-Should-Programming/dp/0262546396/
Michael Littman’s website: https://www.littmania.com/
Gandalf AI challenge: https://gandalf.lakera.ai/
ChatGPT: https://openai.com/blog/chatgpt
Stable Diffusion: https://stability.ai/stablediffusion
Canva Image Generator online: https://www.canva.com/ai-image-generator/
Paperclip Maximizer: https://en.wikipedia.org/wiki/Instrumental_convergence#Paperclip_maximizer
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:56: Dragon coin promo update
0:01:51: Interview preview
0:03:15: What is Artificial Intelligence, really?
0:05:36: Is it a mistake to anthropomorphize AI?
0:08:50: What is AI versus machine learning?
0:11:59: How does AI differ from normal computer code?
0:14:49: What is a large language model or LLM?
0:18:45: What does it take to create an LLM?
0:22:04: Why are these AI models limited to certain points in time?
0:26:46: How are these chat bots leading people to believe they're sentient?
0:28:54: What was behind the AI explosion in late 2022?
0:32:29: How do AI systems generate images from text prompts?
0:35:36: How are AI systems affected by their training data?
0:40:24: Which concerns about AI are justified and which are overblown?
0:44:55: What sorts of jobs may be impacted by AI?
0:47:15: Is there an art to creating AI prompts?
0:48:43: Can you trick AI systems?
0:51:42: How do we detect AI output? How should we restrict this technology?
0:56:19: How can we try out these AI systems to learn more?
0:59:26: What's the next big thing in AI?
1:02:12: Why should people learn to do a little coding?
1:05:27: Wrap-up
1:07:01: Gandalf AI game
1:08:19: Upcoming interviews | |||
| Hacker Summer Camp 2023 | 15 Aug 2023 | 00:56:16 | |
Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences - BSides Las Vegas, BlackHat and DEF CON - run for over a week, each overlapping the other. They bring top-tier security researchers, government and industry leaders, and eager hackers to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I'll tell you about my trip to BSides and DEF CON in 2023.
Article Links
[securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/
[9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/
[whitehouse.gov] Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/
Donate to Maui wildfire relief fund: https://www.gofundme.com/f/5auw5q-maui-wildfire-relief-fund
Veilid project (cDc): https://veilid.com/
Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice
Namecheck from Steve Gibson: https://youtu.be/hGyVuszu0F8?t=6240
CalyxOS mention: https://en.wikipedia.org/wiki/CalyxOS
Tom Kemp on LinkedIn Live: https://www.tomkemp.ai/blog/2023/7/19/live-event-the-state-of-us-privacy-and-ai-regulation
Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:04: Preview
0:01:27: Look ma, I'm on Wikipedia!
0:02:16: Steve Gibson reads FDSD
0:03:16: Show overview
0:04:29: What is Hacker Summer Camp?
0:06:21: Using Lockdown Mode on Apple
0:07:20: BSides Las Vegas 2023, Josh Corman, et al
0:08:28: BSides pool party
0:09:44: I skipped out on linecon
0:11:36: I skipped the merch line, too
0:12:36: Darknet Diaries meets FDSD
0:13:13: r00t party!
0:15:14: cDc announces Veilid platform
0:18:48: Voting Village, brush with Chris Krebs
0:20:34: Interview with Nick Oles
0:22:49: Meet Joe Gray ("Practical Social Engineering" author)
0:23:22: cDc Veilid launch party
0:24:19: Checking in with the Hack-a-Sat team
0:38:00: EFF Tech Trivia
0:38:37: Hacker Jeopardy
0:40:11: Evacuation of Caesar's Forum
0:41:50: Closing ceremonies
0:42:48: No swag or amulet sightings
0:43:31: Downfall: New Intel CPU Attack Exposing Sensitive Information
0:47:24: Mac malware can easily bypass Apple’s Background Task Manager
0:52:22: Maui wildfire relief fund
0:53:01: DARPA Launches AI Cyber Challenge
0:54:07: Looking ahead
0:55:28: Dragon coin promotion is ending soon | |||
| Cult of the Dead Cow | 07 Aug 2023 | 01:17:19 | |
In the early 1980s, personal computers started entering our homes. Prior to the internet and services like America Online (AOL), there were online bulletin board systems (BBS) where people could share text files via phone modem connections. Of course, if you wanted to connect to a BBS outside your home area code, you would have to dial long distance - which at the time could be prohibitively expensive. Necessity is the mother of invention and it's no coincidence that some of the earliest hacking was of the phone system to get free long distance calls. One of the first named groups of hackers was The Cult of the Dead Cow (aka, cDc). Today I'll reminisce about the old days with two prominent members of cDc: Deth Veggie and Omega. We'll talk about what it was like in the days prior to the internet, how hackers think, and how hacking has evolved over the years. We'll talk about how cDc pioneered the hacktivist movement and how their group overlapped and interacted with other famous groups like L0pht Heavy Industries, Masters of Deception (MOD), Legion of Doom (LOD) and much, much more.
Interview Notes
The Cult of the Dead Cow: https://cultdeadcow.com/
"The Cult of the Dead Cow" book: https://www.hachettebookgroup.com/titles/joseph-menn/cult-of-the-dead-cow/9781549169991/
cDc text files: http://textfiles.com/groups/CDC/
The Hacker’s Manifesto: http://phrack.org/issues/7/3.html
Hacktivismo Declaration: https://web.archive.org/web/20090502054355/http://www.cultdeadcow.com/cDc_files/declaration.html
cDc’s unofficial suggested reading/viewing list: https://fdsd.me/cdclist
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:43: Interview prep
0:03:51: How did cDc start and where did it get its name?
0:08:11: How did you get involved with cDc?
0:11:15: What is a BBS? What are textfiles?
0:15:36: What sort of information did these textfiles contain?
0:23:46: What really happened in the Hacker Wars?
0:25:28: How did phone phreaking work?
0:29:43: How did you choose your handle? When did you first use it in public?
0:37:47: Two things War Games got right
0:38:38: Blue boxes and red boxes
0:40:26: What did your friends & family think? How have perceptions of hackers changed?
0:45:16: What is hacktivism? What sort of hacktivist behavior is acceptable?
0:51:58: What are some examples of hacktivism?
0:55:19: What are some signs that I might enjoy hacking?
1:01:49: Hacking in the real world, questioning everything.
1:04:38: Books and movies with accurate portrayals of hackers & hacking?
1:11:14: Interview wrap-up
1:12:46: Patron bonus material & promo
1:16:04: Next week's show may be delayed | |||
| Less is More | 31 Jul 2023 | ||
Last time, I told you how to enumerate all the devices on your home network. Before we go to the trouble of analyzing and mitigating their vulnerabilities, we should take the opportunity to cull the inventory. Do you really need all of these devices? Or could you forgo the "smart" features that require them to be connected to your network? Today we'll talk about reducing your attack surface before we bother trying to secure it.
In other news: the White House announces new cybersecurity labeling program; the SEC mandates a 4-day reporting window for cyber attacks; EFF opposes a bill that threatens our privacy; stolen Microsoft signing keys behind a set of targeted US government email hacks; more details emerge about Facebook mining Onavo VPN for user data; TETRA radios used for decades revealed to have deliberately weakened encryption; ALPR data now being used with AI algorithms to guess which cars might contain criminals; Apple threatens to pull FaceTime, iMessage from UK over proposed surveillance law changes; Google's Web Integrity API causes a stir; Apple to require justification for use of some APIs that might compromise user privacy.
Article Links
[whitehouse.gov] Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
[The Hacker News] New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
[Electronic Frontier Foundation] Amended Cooper Davis Act Is a Direct Threat to Encryption https://www.eff.org/deeplinks/2023/07/amended-cooper-davis-act-direct-threat-encryption
[TechCrunch] Microsoft lost its keys, and the government got hacked https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/
[Financial Review] Facebook admits it used app to ‘know nearly everything’ about users https://www.afr.com/companies/media-and-marketing/facebook-admits-it-used-app-to-know-nearly-everything-about-users-20230713-p5do2a
[WIRED] Code Kept Secret for Years Reveals Its Flaw—a Backdoor https://www.wired.com/story/tetra-radio-encryption-backdoor/
[Forbes] This AI Watches Millions Of Cars Daily And Tells Cops If You’re Driving Like A Criminal https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/
[MacRumors] Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes https://www.macrumors.com/2023/07/20/apple-threatens-to-pull-facetime-and-imessage-uk/
[Ars Technica] Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
[MacRumors] Apple Developers Required to Justify Use of Some APIs in Latest Move to Boost Privacy https://www.macrumors.com/2023/07/28/developers-required-to-justify-api-use/
Tip of the Week: Less is More: https://firewallsdontstopdragons.com/secure-your-network-2-simplify/
Further Info
Stop the bad bills: https://www.eff.org/deeplinks/2023/07/you-can-help-stop-these-bad-internet-bills
Dragon Challenge Coin Promo! https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Table of Contents
Add time-based list of markers. | |||
| The Politics of Privacy | 24 Jul 2023 | 01:07:23 | |
Despite growing demand from US citizens for privacy protections, the federal government has failed repeatedly to enact basic privacy laws. However, one US state - California - has led the charge on privacy and passed regulations that have benefited people outside the state. Today I'll speak with Ernesto Falcon who is currently running for California State Senate in District 7. He has decades of experience in public policy, particularly in the realm of privacy rights, both in politics and with the Electronic Frontier Foundation. We'll talk about how the legislative sausage is made, why we can't seem to pass privacy regulations, how lobbyists influence policy, and much more.
Disclaimer: Views, opinions, or statements expressed are solely those of the candidate and not of his employer at the Electronic Frontier Foundation.
Interview Notes
Ernesto Falcon’s campaign website: https://www.ernestofalcon.com/
California Consumer Privacy Act: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California Privacy Rights Act: https://en.wikipedia.org/wiki/California_Privacy_Rights_Act
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Interview prep
0:02:40: Tell us about your CA Senate campaign
0:10:56: How have CA privacy laws impacted the greater US?
0:15:45: How do we regain control over our data?
0:17:59: What is preventing a good federal privacy law?
0:24:36: What are the dangers of all this personal data being hoarded?
0:31:01: How does HIPAA actually work? What doesn't it cover?
0:33:01: What is the EARN IT Act and why does EFF oppose it?
0:37:58: How do child safety laws undermine privacy?
0:40:41: How are legal wire taps different from backdoors in encryption?
0:43:10: Won't repressive regimes abuse encryption backdoors?
0:44:45: Is on-device scanning a valid compromise solution?
0:47:07: Will we ever win the Crypto Wars?
0:48:59: How can we best support the privacy cause?
0:52:00: Would more privacy transparency be a good first step?
0:54:35: Are monopolies part of the problem here?
0:58:53: What's next for you and your senate campaign?
1:00:42: Post interview wrap-up
1:01:46: Go talk to your representative!
1:02:55: Dragon Challenge Coin Promotion! | |||
| Hacker Summer Camp 2025 | 11 Aug 2025 | 00:58:21 | |
It's early August, which means it's time for BSides Las Vegas and DEF CON, part of the trio of conferences that make up "hacker summer camp" (the third being Black Hat, which I don't attend). It's been a crazy, chaotic week - as usual - but in almost completely good ways. After the regular news, I've got some mini interviews with Jake Braun (DEF CON Franklin), Stacey Higginbotham (Consumer Reports), Cooper Quintin (EFF) and The Gibson (Veilid and hackers.town).
In other news: Tea app users file a class action lawsuit over massive breach; ChatGPT sessions may be searchable by anyone; US government launches initiative to centralize health data for use by tech companies; Australia rolls out age verification for search engines; Grok AI is now in Teslas; China-backed hackers exploit horrific Microsoft bug; Dropbox ends its password manager service.
Article Links
Tea User Files Class Action After Women’s Safety App Exposes Data https://www.404media.co/tea-user-files-class-action-after-womens-safety-app-exposes-data/
ChatGPT users shocked to learn their chats were in Google search results https://arstechnica.com/tech-policy/2025/08/chatgpt-users-shocked-to-learn-their-chats-were-in-google-search-results/
Trump administration is launching a new private health tracking system with Big Tech's help https://apnews.com/article/trump-ai-rfk-jr-health-tech-fa73703bd1fd557c787ef0b590e151f1
Australia is quietly rolling out age checks for search engines like Google https://www.abc.net.au/news/2025-07-11/age-verification-search-engines/105516256
Grok is now in Tesla cars, but not in the way you think https://mashable.com/article/grok-tesla
China-backed hackers used Microsoft flaw in attacks https://www.washingtonpost.com/technology/2025/07/21/china-hackers-microsoft-sharepoint/
Users left scrambling for a plan B as Dropbox drops Dropbox Passwords https://www.theregister.com/2025/07/30/dropbox_drops_dropbox_passwords/
Tip of the Week: https://firewallsdontstopdragons.com/how-to-backup-cloud-data/
Further Info
Top hacker interviews: https://fdsd.me/hackers
DEF CON Franklin: https://defconfranklin.com/
EFF: https://www.eff.org/
Veilid: https://veilid.com/
Consumer Reports: https://securityplanner.consumerreports.org/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:02:24: News preview
0:03:31: Tea User Files Class Action Lawsuit
0:06:24: ChatGPT users shocked to learn their chats were in Google search results
0:11:11: Trump administration is launching a new private health tracking system
0:17:52: Australia is quietly rolling out age checks for search engines
0:22:56: Grok is now in Tesla cars, but not in the way you think
0:25:29: China-backed hackers used Microsoft flaw in attacks
0:29:50: Dropbox drops Dropbox Passwords
0:32:20: Tip of the Week
0:36:27: Hacker Summer Camp Extras!
0:42:53: SNIPPET: Stacey Higginbotham
0:47:03: SNIPPET: Jake Braun
0:50:18: SNIPPET: Cooper Quintin and Gibson
0:55:04: Wrapup | |||
| IoT Inventory | 17 Jul 2023 | 01:10:50 | |
The Internet of Things (IoT) has added internet connections to lots of home devices. Each and every one of those devices runs software on a computer chip. Almost all software has bugs and those bugs may be exploitable by bad guys. We're going to take another look at protecting our home networks using a simple, logical methodology. Step one: SCAN. That is, first of all, we need to understand the scope of the problem by enumerating all of the devices on your home network. I'll explain how to do that.
In other news: Apple re-releases security update after web glitch; EV chargers are vulnerable to hacking which could have significant impacts; tax prep firms shared 'extraordinarily sensitive' data with Meta; Meta's new Threads service collects tons of personal info and employs dark patterns to hook you in; France passes law giving law enforcement access to private device cameras, mics and locations; police are collecting and selling personal info, bypassing the 4th Amendment and sharing across state lines; Massachusetts weighs outright ban on selling user location data; printers and printing services may be mining your documents for data.
Article Links
[MacRumors] Apple Releases Revised iOS and macOS Security Updates to Fix Actively Exploited Vulnerability and Safari Bug https://www.macrumors.com/2023/07/12/apple-releases-revised-security-updates/
[WIRED] EV Charger Hacking Poses a ‘Catastrophic’ Risk https://www.wired.com/story/electric-vehicle-charging-station-hacks/
[The Associated Press] 3 tax prep firms shared ‘extraordinarily sensitive’ data about taxpayers with Meta, lawmakers say https://apnews.com/article/irs-taxpayer-tax-preparation-meta-congress-9315cfca7a0942ab89f765d183fbf822
[Ars Technica] How Threads’ privacy policy compares to Twitter’s (and its rivals’) https://arstechnica.com/security/2023/07/how-threads-privacy-policy-compares-to-twitters-and-its-rivals/
[Yanko Design] The ‘Threads’ App is FILLED With Deceptive Dark Design Patterns – We Spotted More Than TEN https://www.yankodesign.com/2023/07/07/the-threads-app-is-filled-with-deceptive-dark-design-patterns-we-spotted-more-than-ten/
[Gizmodo] France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens' Phones https://gizmodo.com/france-bill-allows-police-access-phones-camera-gps-1850609772
[Tampa Bay Times] Hillsborough, Clearwater police monitoring private security cameras https://www.tampabay.com/news/hillsborough/2023/07/10/hillsborough-clearwater-police-monitoring-private-security-cameras/
[New York Daily News] NYPD seeks to grab cell phone IDs from people under arrest or in custody; push for IMEI numbers raises concerns https://www.nydailynews.com/new-york/nyc-crime/ny-nypd-campaign-cellphone-idenfiication-numbers-controversy-20230708-yltabdlozfbppeoodxymyub3zq-story.html
[The Sacramento Bee] California cops illegally share data with anti-abortion states https://www.sacbee.com/news/politics-government/capitol-alert/article275795726.html
[Engadget] Massachusetts weighs outright ban on selling user location data https://www.engadget.com/massachusetts-weighs-outright-ban-on-selling-user-location-data-191637974.html
[The Washington Post] Your printing service might read your documents. Here’s what to know. https://www.washingtonpost.com/technology/2023/07/10/printing-privacy-security-printed-documents/
Tip of the Week: IoT Inventory https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about sec... | |||
| National Cyber Strategy | 10 Jul 2023 | 01:09:18 | |
After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining its priorities and goals. It's a wide-ranging and ambitious document consisting of five major areas of focus, or "pillars". What's new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and me? Today I'll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA).
Interview Notes
National Security Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy
PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Known Exploited Vulnerabilities catalog : https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o
I Am the Cavalry: https://iamthecavalry.org/
CISA Secure by Design: https://www.cisa.gov/securebydesign
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:55: Interview setup
0:04:00: What is this strategy document, at a high level?
0:14:02: What are some of the more important or novel aspects?
0:18:05: Do agencies have the budget and authority to implement these strategies?
0:22:11: Will having a gov't backstop actually encourage attacks or discourage preparation?
0:30:40: Should the gov't actively scan US firms/orgs for vulnerabilities?
0:36:56: What should we do about the marketplace for zero-day hacks?
0:39:52: How aggressive should the US be against hackers?
0:41:03: What is NOT addressed by this strategy?
0:45:55: How should we manage our dependencies on foreign software and hardware?
0:52:59: What can everyday people take away from these strategies?
0:59:50: Has this document already had impacts? How do we monitor progress?
1:03:56: Interview wrap-up
1:07:40: Looking ahead | |||
| Access Backup Plan | 03 Jul 2023 | 01:01:44 | |
You're using a password manager. You're even using two-factor authentication. Great! When done properly, this will keep the bad guys out. Unfortunately, if you're not careful, it may also keep you out. If you forget your master password or lose access to your 2FA device, you'll be in real trouble... unless you have an access backup plan. This same plan can also help your spouse or next of kin to access your accounts should you die or become incapacitated.
In the news: CISA issues a DDoS warning after multiple attacks; LetMeSpy stalkerware maker suffers a data breach of collected data; researchers use LED power light flicker to break cryptographic keys; Australian PM recommends that citizens power cycle their phones once a day; several artists boycott venues that use facial recognition; Brave browser introduces new localhost access permission; Proton unveils new password manager; Dear Carey questioner asks about PDF readers.
Article Links
[BleepingComputer] CISA issues DDoS warning after attacks hit multiple US orgs https://www.bleepingcomputer.com/news/security/cisa-issues-ddos-warning-after-attacks-hit-multiple-us-orgs/
[TechCrunch] LetMeSpy, a phone tracking app spying on thousands, says it was hacked https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands/
[The Hacker News] Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers https://thehackernews.com/2023/06/researchers-find-way-to-recover.html
[9to5mac.com] Why tips like ‘turn off your iPhone for five minutes’ don’t actually help users https://9to5mac.com/2023/06/26/turn-off-your-iphone-for-5-minutes-advice/
[Rolling Stone] Tom Morello, Zack de la Rocha, and Boots Riley Boycotting Venues That Use Face-Scanning Technology https://www.rollingstone.com/music/music-features/tom-morello-zack-de-la-rocha-facial-recognition-concerts-boycott-1234775909/
[BleepingComputer] Brave Browser boosts privacy with new local resources restrictions https://www.bleepingcomputer.com/news/security/brave-browser-boosts-privacy-with-new-local-resources-restrictions/
[9to5mac.com] Proton Pass end-to-end encrypted password manager is here and free for everyone https://9to5mac.com/2023/06/28/proton-pass-encrypted-password-manager-free/
Tip of the Week - Access Backup Plan: https://firewallsdontstopdragons.com/craft-your-access-backup-plan/
Further Info
Saving your Apple Photo Stream pics: https://support.apple.com/en-us/HT210705
Securityzed podcast: https://www.securityzed.com/podcast-test/securityzed-ltfyn-7xm5l-b8c8s-km25d-jbagp-6k9d4-39cr9-z5nhw-w4jwm
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:00: Photo Stream, Securityzed podcast
0:03:21: News rundown
0:05:10: CISA issues DDoS warning after attacks hit multiple US orgs
0:09:29: LetMeSpy stalkerware maker says it was hacked
0:16:43: Researchers Recover Crypto Keys from LED Flickers
0:24:07: Turn your iPhone off every day for 5 mins?
0:29:39: Artists boycotting venues that Use Face-Scanning Technology
0:34:02: Brave Browser boosts privacy with localhost restrictions
0:41:28: Proton debuts new password manager
0:45:56: Dear Carey question
0:50:05: Tip of the Week
1:00:32: Wrap-up | |||
| Hacking in Space | 26 Jun 2023 | 01:06:04 | |
Right now there are thousands of satellites orbiting above our heads performing crucial tasks. At the end of the day, they're just computers running software - albeit at thousands of miles up and thousands of miles per hour. Can they be hacked? What are the dangers? Aaron Myrick and the Hack-A-Sat team are trying to answer those questions. And they're doing it by launching an actual satellite into low earth orbit for this year's DEF CON hacking contest and asking talented hackers from around the world to take their best shot.
Interview Notes
Moonlighter Fact Sheet: https://aerospace.org/fact-sheet/moonlighter-fact-sheet
Hack-A-Sat 4: https://hackasat.com/moonlighter/
Hack-A-Sat GitHub resources: https://github.com/deptofdefense/hack-a-sat-library
Space-Track.org: https://www.space-track.org/
Moonlighter launch: https://vimeo.com/833432259/4ba9b0927b
Further Info
Amulet of Entropy (DEF CON badge): https://amuletofentropy.com/
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:36: Update Apple devices, ASUS routers
0:01:03: Misc updates
0:03:08: Interview setup
0:04:19: What is Aerospace Corp and what do you do there?
0:08:25: What are things satellites do that we might not think about?
0:13:42: Break down some key stats on satellites for us.
0:17:27: How might we be affected by loss of satellites?
0:21:31: How do you hack an orbiting satellite, logistically?
0:24:38: What sorts of attacks are we worried about?
0:26:58: How do we debug problems in orbiting satellites?
0:30:55: How is hacking a satellite different from a computer?
0:35:23: What happens to old satellites?
0:41:26: What is the Hack-A-Sat program about?
0:43:35: How did the target systems work, prior to this year?
0:46:39: What have we learned so far from past contests?
0:51:24: What's new with Hack-a-Sat 4?
0:52:43: When and how will Moonlighter launch?
0:58:30: What kinds of things can I hack on Moonlighter?
1:00:43: What's the future for Hack-a-Sat?
1:03:26: Wrap-up | |||
| Go Forth, Do Good Deeds | 19 Jun 2023 | 00:50:49 | |
I launched my mission to improve people’s privacy and security almost ten years ago now. It’s been quite a journey and I’ve learned a lot in that time. One thing I’ve realized is that there’s only so much I can do on my own. And so I’ve encouraged the more technically savvy members of my audience to help others where they can. One downside to being a podcaster is that I don’t have much insight into the effectiveness of my exhortations. I have no idea how many people are going forth to do good deeds nor what those deeds are. So today I'm launching a new campaign to solicit stirring stories of good deeds and every quarter or so I will select the most inspiring deed-doers and reward them with one of my dragon challenge coins!
In the news: Clop ransomware gang lists first victims of MOVEit supply chain hacks; firmware bug in Gigabyte motherboards has a fix now; US Congress and intelligence agencies debate reform for mass surveillance program; tissue and fluid samples are being abused by law enforcement for DNA scans; check washing scams are on the rise; how to avoid being scammed by virtual kidnapping schemes; 1Password announces beta support for browser passkey extension; bold new plan for 311 cyber support line.
Article Links
[TechCrunch] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/
[restoreprivacy.com] Hackers Stole Millions of Driver’s Licenses and IDs from U.S. States https://restoreprivacy.com/hackers-stole-millions-of-drivers-licenses-and-ids-from-u-s-states/
[Tom's Hardware] Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected https://www.tomshardware.com/news/gigabyte-motherboards-come-with-a-firmware-backdoor
[cyberscoop.com] Congress and intelligence officials spar over surveillance reforms https://cyberscoop.com/congress-fbi-section-702/
Senate hearing: https://www.judiciary.senate.gov/oversight-of-section-702-of-the-foreign-intelligence-surveillance-act-and-related-surveillance-authorities
[aclu.org] Donated Blood or an Organ? Police Shouldn’t Have Easy Access to Your DNA https://www.aclu.org/news/privacy-technology/donated-blood-or-an-organ-police-shouldnt-have-easy-access-to-your-dna
[Lifehacker] Why You Should Stop Sending Checks in the Mail, Especially Now https://lifehacker.com/why-you-should-stop-sending-checks-in-the-mail-especia-1850543113
[connectsafely.org] Quick-Guide to Virtual Kidnapping Scams https://connectsafely.org/virtualkidnapping/
[9to5mac.com] 1Password passkey support for the web launches in public beta on the Mac https://9to5mac.com/2023/06/06/1password-passkey-browser-extension/
[WIRED] The Bold Plan to Create Cyber 311 Hotlines https://www.wired.com/story/ut-austin-cybersecurity-clinic-311/
Tip of the Week: Go Forth, Do Good Deeds: https://fdsd.me/quest
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: News preview
0:03:01: Clop Ransomware hits several public and private organizations
0:11:32: Firmware Backdoor Discovered in Gigabyte Motherboards
0:17:04: Congress and intelligence officials spar over surveillance reforms
0:24:13: Police Shouldn’t Have Easy Access to Your DNA
0:28:03: Why You Should Stop Sending Checks in the Mail
0:31:43: Quick-Guide to Virtual Kidnapping Scams
| |||
| Making a Difference | 12 Jun 2023 | 01:06:00 | |
At some point, when you care enough about a particular cause, you shift from following the issue to actually trying to advance the issue - to make a difference. The easiest way to do this is to find groups that are already working for this cause and supporting them with donations of your time and/or money. But what do you do if you can't find such a group, or maybe there's no local chapter? Well, you can start your own! It's not as hard as it sounds - and in fact, there exist organizations that can help you. Today I'll speak with Rory Mir from the Electronic Frontier Alliance along with leaders from two successful EFA-affiliated groups: Freddy Martinez from Lucy Parsons Labs and Chris Bushick from PDX Privacy.
Interview Notes
Reach out to EFF organizing team: organizing@eff.org
Electronic Frontier Alliance (EFA): https://www.eff.org/efa
Meetup groups: https://meetup.com
Lucy Parsons Labs: https://lucyparsonslabs.com/
PDX Privacy: https://www.pdxprivacy.org/
EFF on the EARN IT Act: https://www.eff.org/deeplinks/2023/05/dangerous-earn-it-bill-advances-out-committee-several-senators-offer-objections
Further Info
Dragon Coins! https://fdsd.me/coin2
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
0:00:25: Interview setup
0:04:32: Introductions and overview of EFA
0:09:12: Lucy Parsons Project overview
0:10:52: PDX Privacy overview
0:12:28: How has the EFA helped you with your projects?
0:15:33: What other types of groups work with the EFA?
0:17:49: What did you do before? What was it like starting your group?
0:23:02: How can you go about finding sources of funding?
0:25:25: What sorts of grants are available?
0:30:09: What accomplishments are you most proud of?
0:34:48: What were some of your biggest challenges?
0:38:51: Do you ever feel like you're David versus Goliath?
0:42:26: How can I find existing groups that I can support or join?
0:45:58: What's the first step in starting my own group?
0:49:31: If you were starting over again, what would you have done differently?
0:49:56: Do I need to incorporate or create a legal entity?
0:53:02: Can a non-profit organization make money?
0:57:32: Any parting thoughts you'd like to share?
1:00:32: Wrap-up
1:03:11: Looking ahead
1:04:09: Upcoming challenge coin campaign | |||
| Blocking .zip Domains | 05 Jun 2023 | 01:06:27 | |
Two weeks ago, I told you about the availability of two new top-level domains that also happen to be popular file name extensions: .zip and .mov. The ambiguity will undoubtedly be exploited by ne'er-do-wells to trick people into doing something they shouldn't do. There are clever ways to manipulate website addresses that would trick even tech-savvy people into clicking malicious links. Today I'll tell you how these tricks work and explain how you can avoid all of these issues by simply blocking these new domains.
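The following is an added example, not code from the podcast or its show notes. It demonstrates the .zip/.mov ambiguity described above: a link that reads like a path to a file on a trusted site can actually resolve to a host under the .zip TLD, because everything before the last "@" in a URL's authority is userinfo and lookalike slash characters (U+2215, U+2044) are not path separators. That particular construction is the widely reported trick for these domains and is not spelled out on this page; the sample links are constructed for this example, and the `blocked` check models the episode's tip of blocking the .zip and .mov domains by host.

```python
# Added example, not code from the podcast or its show notes. It demonstrates
# the .zip/.mov ambiguity the episode describes: a link that reads like a path to
# a file on a trusted site can actually resolve to a host under the .zip TLD,
# because everything before the last "@" in a URL's authority is userinfo and
# lookalike slash characters are not path separators. The sample links are
# constructed for this example; the TLD check models the "block .zip/.mov" tip.

AMBIGUOUS_TLDS = {"zip", "mov"}          # TLDs that are also file extensions
SLASH_LOOKALIKES = ("\u2215", "\u2044")  # DIVISION SLASH, FRACTION SLASH


def authority_of(url: str) -> str:
    """Return the authority part of *url*: the text between "//" and the
    first "/", "?" or "#" (empty string if there is no "//")."""
    start = url.find("//")
    if start == -1:
        return ""
    rest = url[start + 2:]
    end = len(rest)
    for stop in "/?#":
        idx = rest.find(stop)
        if idx != -1:
            end = min(end, idx)
    return rest[:end]


def effective_host(url: str) -> str:
    """Host a browser connects to: the authority minus userinfo (everything up
    to the last "@") and minus any ":port". IPv6 literals are not handled."""
    host_port = authority_of(url).rpartition("@")[2]
    return host_port.split(":", 1)[0].lower()


def top_level_domain(host: str) -> str:
    """Last DNS label of the host, which is what a TLD block rule keys on."""
    return host.rsplit(".", 1)[-1]


def inspect_link(url: str) -> dict:
    """Summarise the routing-relevant facts about a link and whether a
    block-.zip/.mov rule would stop it."""
    host = effective_host(url)
    return {
        "host": host,
        "tld": top_level_domain(host),
        "has_userinfo": "@" in authority_of(url),
        "has_lookalike_slash": any(ch in url for ch in SLASH_LOOKALIKES),
        "blocked": top_level_domain(host) in AMBIGUOUS_TLDS,
    }


# Constructed sample links for this example (not real sites or real downloads).
SAMPLE_LINKS = [
    # Reads as a GitHub download path, but the "slashes" are U+2215 and the
    # real host is the text after the "@": v1271.zip
    "https://github.com\u2215kubernetes\u2215kubernetes\u2215archive\u2215refs\u2215tags\u2215@v1271.zip",
    # A .zip *file* on an ordinary host: not blocked, since the rule keys on the host's TLD
    "https://example.com/downloads/report.zip",
    # Legitimate userinfo and port: an "@" on its own is not the tell
    "https://user:token@example.com:8443/path",
    # A host directly under the .mov TLD
    "https://holiday-video.mov/play",
]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        facts = inspect_link(link)
        verdict = "BLOCK" if facts["blocked"] else "allow"
        print(f"{verdict:5} host={facts['host']!r} userinfo={facts['has_userinfo']} "
              f"lookalike_slash={facts['has_lookalike_slash']}")
```

Two things worth noticing when you run it: the first link is routed to `v1271.zip` even though every visible character before the `@` looks like a GitHub path, and the second link is not blocked at all, because a host-level rule for the .zip and .mov TLDs says nothing about files named `.zip` on ordinary domains. That is why blocking the domains (in a DNS filter, hosts file or router rule) costs you nothing in normal downloads.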
In other news: iTunes for Windows patches a nasty bug; Android malware downloaded over 420 million times; Android phones vulnerable to fingerprint brute-force attacks; Luxottica exposes 300 million customer records; free VPN service SuperVPN exposes 360 million user records; Amazon gets slap on the wrist for Ring video doorbell private data access; KeePass "master password crack" not as bad as it sounds; Twitter adding Content Notes 'fact checks' to images; Microsoft now scanning inside password-protected zip files; drone pilot is NOT killed by drone; AI is NOT likely to cause human extinction; and Brave introduces new Off The Record browsing mode. Plus my Dear Carey question: recommended cheat sheet for computer safety.
Article Links
[MacRumors] PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability https://www.macrumors.com/2023/06/01/itunes-windows-vulnerability/
[Lifehacker] This Android Malware Was Downloaded Over 420 Million Times https://lifehacker.com/this-android-malware-was-downloaded-over-420-million-ti-1850492306
[BleepingComputer] Android phones are vulnerable to fingerprint brute-force attacks https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/
[bitdefender.com] Luxottica 2021 breach: 300 million customer records up for grabs online https://www.bitdefender.com/blog/hotforsecurity/luxottica-2021-breach-300-million-customer-records-up-for-grabs-online/
[hackread.com] Free VPN Service SuperVPN Exposes 360 Million User Records https://www.hackread.com/free-vpn-service-supervpn-leaks-user-records/
[AppleInsider] Amazon gets slap on the wrist over privacy violations with Ring cameras https://appleinsider.com/articles/23/05/31/amazon-gets-slap-on-the-wrist-over-privacy-violations-with-ring-cameras
[Naked Security] Serious Security: That KeePass “master password crack”, and what we can learn from it https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-master-password-crack-and-what-we-can-learn-from-it/
[Mashable] Twitter will now put Community Notes 'fact checks' on images https://mashable.com/article/twitter-notes-on-media-images
[Ars Technica] Microsoft is scanning the inside of password-protected zip files for malware https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/
[VICE] USAF Official Says He ‘Misspoke’ About AI Drone Killing Human Operator in Simulated Test https://www.vice.com/en/article/4a33gj/ai-controlled-drone-goes-rogue-kills-human-operator-in-usaf-simulated-test
[Schneier Blog] On the Catastrophic Risk of AI https://www.schneier.com/blog/archives/2023/06/on-the-catastrophic-risk-of-ai.html
[brave.com] Request "Off the Record" https://brave.com/privacy-updates/26-request-off-the-record/
Tip of the Week: Blocking .zip Domains: https://firewallsdontstopdragons.com/how-to-block-the-new-zip-domain/
Further Info
How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Checklist of Tips for my book: https://firewallsdontstopdragons.com/wp-content/uploads/2023/02/FDSDv5-workbook-v1.pdf
10 Years After Snowden: https://www.eff.org/deeplinks/2023/05/10-years-after-snowden-some-things-are-better-some-were-still-fighting
The Wayback Machine: https://web.archive.org/
| |||
| Vehicle Privacy Report | 29 May 2023 | 01:14:37 | |
Modern cars are more like smartphones on wheels. Like our cell phones, they are chock full of sensors, computer chips and software, and they're connected to the internet 24/7 via cellular modems. What data is being collected? Who owns this data? How secure is your data? Who is it being shared with? And most importantly, what - if anything - can you do about it? Since we last spoke with Privacy4Cars' Andrea Amico, his company has released a powerful new Vehicle Privacy Report tool that aims to answer at least some of these questions and help you to be a more informed car buyer. Today we'll delve into the murky world of car data collection and privacy.
Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Interview Notes
Privacy4Cars: https://privacy4cars.com/
Vehicle Privacy Report tool: https://vehicleprivacyreport.com/
Assert your data rights: https://privacy4cars.com/personal-use/assert-your-data-rights/
Previous interview: Driving Data Privacy for Cars https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
New privacy rules will impact your shop: https://www.autoserviceworld.com/new-privacy-rules-will-impact-your-shop/
Who Is Collecting Data From Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:38: What has happened with Privacy4Cars since we last spoke?
0:06:17: Why are cars collecting so much data? How private is this data?
0:09:31: You say cars are "cell phones on wheels" - what does that mean?
0:10:24: Are cars connected even when turned off?
0:11:55: What types of data is my car collecting?
0:14:16: Do electric cars gather more data than regular cars?
0:16:54: Do cameras built into your car represent a privacy risk?
0:21:51: Who can access my car's data? Can I access it myself?
0:27:25: Who owns the data in rental or fleet cars? What about wrecked cars?
0:32:24: Cars now have smartphone apps - what data are they collecting?
0:37:18: How do I know if I've opted in to data collection?
0:40:42: Can I opt out of data collection? If so, how?
0:44:20: What about Apple's CarPlay or Google's Android Auto?
0:49:37: How do I know which cars best respect my privacy?
0:55:08: How does the Vehicle Privacy Report tool work?
0:57:14: What does this tool tell me about a car?
1:00:43: What's the value of this tool for car makers and dealerships?
1:06:09: What's next for your company and the reporting tool?
1:09:49: Interview follow-up notes | |||
| Problems with Passkeys | 22 May 2023 | 01:01:59 | |
Everyone hates dealing with passwords. This has led to a mad search for 'password-killer' technology. After several failed attempts, there's finally a worthy contender: passkeys. The technology has been around for years - it's the basis for hardware keys like YubiKey. But no one wanted to have to carry the little things all the time. With passkeys, you get the same phishing-resistant, passwordless goodness but tied to a device you always have: your smartphone. Websites are slowly rolling out the ability to secure your accounts with passkeys, and Apple, Google and Microsoft are building support for passkeys into their operating systems. But I would caution you to wait a bit before jumping on the bandwagon - I'll explain why in today's show.
In other news: update all your Apple devices; FBI and NSA break the notorious Snake malware; Intel deploys microcode security update; location data on 2M Toyota customers exposed for years; new .zip and .mov domains are dangerously ambiguous; new crafty Chinese router malware; online age verification will cause serious problems; Apple will allow you to 'bank' your voice soon.
Article Links
[Tom's Guide] Apple issues urgent fix to block zero-day attacks — update your iPhone and Mac now https://www.tomsguide.com/news/apple-issues-urgent-fix-to-block-zero-day-attacks-update-your-iphone-and-mac-now
[tech.co] FBI & NSA Cut the Head Off Notorious Russian Snake Malware https://tech.co/news/nsa-fbi-russian-snake-malware
[Tom's Hardware] Intel Deploys Undisclosed Microcode Security Update For CPUs Going Back To Coffee Lake https://www.tomshardware.com/news/intel-microcode-security-update
[BleepingComputer] Toyota: Car location data of 2 million customers exposed for ten years https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
[Digital Trends] Hackers are using a devious new trick to infect your devices https://www.digitaltrends.com/computing/hackers-are-abusing-zip-mov-domain-names/
[9to5mac.com] Researchers find security flaw in Wemo Smart Plug, Belkin says it won’t release a patch https://9to5mac.com/2023/05/16/wemo-smart-plug-security-flaw-no-patch-coming/
[Ars Technica] Malware turns home routers into proxies for Chinese state-sponsored hackers https://arstechnica.com/information-technology/2023/05/malware-turns-home-routers-into-proxies-for-chinese-state-sponsored-hackers/
[Electronic Frontier Foundation] Age Verification Mandates Would Undermine Anonymity Online https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online
[9to5mac.com] Everyone should use Personal Voice; it does in 15 minutes what currently takes several weeks https://9to5mac.com/2023/05/19/everyone-should-use-personal-voice/
Tip of the Week: The Pros & Cons of Passkeys https://firewallsdontstopdragons.com/the-pros-and-cons-of-passkeys/
Further Info
Meross MSS115 Matter-enabled smart plug: https://shop.meross.com/products/meross-matter-smart-wi-fi-plug-mini-mss115
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:10: Update on new location tracker spec
0:02:52: News preview
0:05:30: FBI & NSA Cut the Head Off Notorious Russian Snake Malware
0:07:27: Intel Deploys Undisclosed Microcode Security Update
0:11:12: Toyota location data of 2M customers exposed for years
| |||
| Probing the Ministry of Truth | 15 May 2023 | 01:06:16 | |
In the book "1984" (published in 1949), George Orwell envisioned a Big Brother that would control the media and dictate what was "truth". But Orwell didn't predict that "telescreens" would fit in our pockets or that we would willingly carry them with us 24/7, even to the bathroom. He also didn't foresee that we would willingly subscribe to sources of mis- and disinformation in the form of social media. Today I speak with the co-author of the book "Ministry of Truth", Vincent Hendricks, about the current state of social media and its influence on democracy and society.
Vincent F. Hendricks, author of THE MINISTRY OF TRUTH: BigTech's Influence On Facts, Feelings And Fictions, is Professor of Formal Philosophy at the University of Copenhagen. He is the Director of the Center for Information and Bubble Studies (CIBS) funded by the Carlsberg Foundation.
Interview Notes
“Ministry of Truth” book: https://www.vince-inc.com/vincent/?p=7625
“1984” by George Orwell: https://en.wikipedia.org/wiki/Nineteen_Eighty-Four
"Reality Lost" (free PDF book): https://link.springer.com/book/10.1007/978-3-030-00813-0
Vincent Hendricks website: https://www.vince-inc.com/vincent/
More from Vincent: https://www.oecd-forum.org/users/vincent-f-hendricks
Blocking Google popups (and other annoyances): https://firewallsdontstopdragons.com/how-to-block-google-popups/
Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:23: Pre-interview notes
0:03:51: Why did you write this book?
0:06:06: What is the current state of social media content moderation?
0:10:41: How equally are moderation rules applied to all users?
0:12:44: Do algorithms just feed our desire for stuff that's not good for us?
0:16:39: Are things really worse today or just different?
0:21:21: Do private companies have a moral duty to support a "public square"?
0:26:23: Are social media companies warping the public discourse?
0:28:58: Is TikTok really more of a threat than Facebook or Twitter?
0:31:15: Are any of the proposed TikTok solutions viable?
0:35:41: Why can't the US Congress pass a real privacy law?
0:38:00: Can we fix some key social media ills by adding some friction?
0:41:10: How will AI systems like ChatGPT impact disinformation?
0:44:15: Can AI also have positive impacts on social media?
0:48:10: How are social media platforms like casinos?
0:50:28: How are social media platforms like Orwell's Ministry of Truth?
0:51:34: How much responsibility do we have here?
0:57:42: What tips do you have for using social media today?
1:02:59: Interview wrap-up
1:03:28: Privacy and security book club
1:04:37: Patron perks
1:05:02: Preview of upcoming shows | |||
| Tariffs vs IP Law | 04 Aug 2025 | 01:02:14 | |
Cory Doctorow has drawn a lot of much-needed attention to the decline of modern online platforms, including Google Search, Facebook and Twitter, largely by coining the now-viral term Enshittification. Today we'll talk about how the internet was broken and who's to blame. We'll also discuss the lack of privacy laws and the threats of AI to tech workers and copyrighted works. Finally, we'll discuss Cory's novel proposal for how countries could respond to US tariffs by ripping up intellectual property agreements, changing the power dynamic of the Big Tech industry and hopefully benefiting consumers in the process.
Interview Notes
Cory’s blog (Pluralistic): https://pluralistic.net/
Canada shouldn't retaliate with US tariffs: https://pluralistic.net/2025/01/15/beauty-eh/#its-the-only-war-the-yankees-lost-except-for-vietnam-and-also-the-alamo-and-the-bay-of-ham
Who Broke the Internet? https://www.cbc.ca/listen/cbc-podcasts/1353-the-naked-emperor
Enshittification book (coming Oct 2025): https://us.macmillan.com/books/9780374619329/enshittification/
Regex: https://en.wikipedia.org/wiki/Regular_expression
Copyright and AI: https://www.technologyreview.com/2025/07/01/1119486/ai-copyright-meta-anthropic/
Further Info
Humble Bundle: https://www.humblebundle.com/books/security-apress-books
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:02:07: Humble Bundle!
0:03:09: Interview preview
0:06:52: Has coining the term Enshittification helped to raise awareness?
0:11:08: Who broke the internet?
0:20:15: Will AI reduce tech workers' power?
0:27:21: Why can we not get privacy laws?
0:35:21: How should countries respond to US tariffs?
0:39:57: Do DRM protections incentivize creators?
0:44:37: What's your take on the Anthropic AI copyright decision?
0:55:03: What's next for you?
0:56:04: Interview wrap-up
0:57:27: Hacker summer camp
0:59:28: Patron podcast preview
1:00:24: Looking ahead | |||
| Blocking Google Popups | 08 May 2023 | 01:08:38 | |
Have you noticed Google getting really pushy lately with offers to "sign in with Google"? You're not alone. Many websites offer the ability to create a free account so that you can "personalize your experience", but lately Google has been popping up a very annoying window to prompt you to create this account by signing in with your Google account. First of all, you almost never need to create an account to view the site. But second, even if you do want to create an account, you shouldn't be linking that account with Google. You're creating a data sharing arrangement that is completely unnecessary and not in your best interests. I'll explain how to block these irritating popups (and many like them) for good.
In other news: 1Password was not hacked, but recent messages might have worried you; new macOS malware stealer app; five things scammers hope you search for; Microsoft Edge is recording your web surfing data; Windows 10 will never receive another feature update; Microsoft is rewriting core Windows software in a memory-safe language; study claims 83% of passwords can be hacked in one second; Google adds support for passkeys; Apple issues first Rapid Security Response with confusing messages; NYPD hands out 500 free AirTags to combat auto thefts; Apple and Google partner on industry spec to thwart unwanted tracking devices; Google adds cloud backup for 2FA without end-to-end encryption; Amazon Clinic requires you to sign away privacy rights; Washington State passes health data privacy law; my take on recent efforts to undermine encryption and restrict access to social media.
Article Links
[Digital Trends] No, 1Password wasn’t hacked – here’s what really happened https://www.digitaltrends.com/computing/1password-secret-keys-not-hacked/
[9to5mac.com] PSA: ‘Atomic macOS Stealer’ malware can compromise iCloud Keychain passwords, credit cards, crypto wallets https://9to5mac.com/2023/04/28/atomic-macos-stealer-malware-steal-passwords/
[Lifehacker] Five Things Scammers Are Hoping You Google https://lifehacker.com/five-things-scammers-are-hoping-you-google-1850405964
[The Verge] Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
[Lifehacker] Microsoft Will Never Update Windows 10 Again (But You Can Keep Using It) https://lifehacker.com/microsoft-will-never-update-windows-10-again-but-you-c-1850386188
[theregister.com] Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/
[9to5mac.com] Study reveals top 20 most used passwords; 83% can be cracked in a second https://9to5mac.com/2023/05/02/most-used-passwords-report/
[The Hacker News] Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html
[AppleInsider] Apple issues Rapid Security Response update for iOS 16.4.1, macOS 13.3.1 https://appleinsider.com/articles/23/05/01/apple-issues-rapid-security-response-update-for-ios-1641-macos-1331
[AppleInsider] New York hands out 500 AirTags in car theft crackdown https://appleinsider.com/articles/23/05/01/new-york-hands-out-500-airtags-in-car-theft-crackdown
[Apple] Apple, Google partner on an industry specification to address unwanted tracking https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/
[Gizmodo] Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102
[The Washington Post] To become an Amazon Clinic patient, first you sign away some privacy https://www.washingtonpost.com/technology/2023/05/01/amazon-clinic-hipaa-privacy/
[The Verge] Washington passes law requiring consent before companies collect health data https://www.theverge. | |||
| STOPping Mass Surveillance | 01 May 2023 | 00:55:52 | |
There's a big difference between mass surveillance and targeted surveillance based on a court-approved, limited-scope search warrant. But advances in technology have made warrantless, dragnet surveillance exceptionally easy and stunningly effective. Local law enforcement agencies have deployed several types of surveillance systems in our communities, but have strongly resisted calls for transparency and oversight. Furthermore, police have simply bypassed the need for a warrant and pesky Fourth Amendment rights by just buying surveillance data from private companies. My guests today - Albert Fox Cahn and Evan Enzer, from the Surveillance Technology Oversight Project (S.T.O.P.) - will explain what's going on, why it's a danger to our privacy rights and democratic principles, and what we can do to fix it.
Interview Notes
Surveillance Technology Oversight Project: https://www.stopspying.org/
STOP on Twitter & TikTok: @STOPSpyingNY
Donate to S.T.O.P. https://www.stopspying.org/donate
STOP Trojan House report: https://www.stopspying.org/the-trojan-house
Public Oversight of Surveillance Technology (POST) Act: https://www.nyc.gov/site/nypd/about/about-nypd/policy/post-act.page
Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops
Electronic Frontier Alliance: https://www.eff.org/fight
EFF’s Atlas of Surveillance: https://atlasofsurveillance.org/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:33: Interview setup
0:03:26: What is the Surveillance Technology Oversight Project?
0:07:57: What are the most common mass surveillance technologies?
0:10:15: How does Shot Spotter work and what are the dangers?
0:13:02: Do these technologies actually reduce crime?
0:14:38: Is law enforcement required to disclose info on these systems?
0:17:35: How transparent is the funding around these projects?
0:19:21: Who has access to this surveillance data?
0:21:20: 9/11 revealed a lack of data sharing - what's the right balance?
0:22:42: Is privately obtained surveillance data subject to 4th Amendment rights?
0:23:53: What is the "third party doctrine" and how does it apply here?
0:26:15: How does purchased data differ from data obtained via warrant?
0:27:56: How does the practice of "parallel construction" work?
0:29:22: What is my legal right to privacy when in public spaces?
0:31:09: What are my legal rights to "surveil" law enforcement?
0:32:44: How are police using copyright law to curtail video taping?
0:34:13: Who watches the watchers? Is there any oversight of mass surveillance?
0:36:52: How do you uncover surveillance use and abuse?
0:38:45: How can we mitigate consumer surveillance tech?
0:41:53: Are there any tools or techniques to mitigate public surveillance?
0:46:22: What's the solution here? How do we rein in mass surveillance?
0:50:06: How can people get involved in the fight against mass surveillance?
0:51:51: Interview wrap-up
0:54:51: Looking ahead | |||
| How to Avoid Juice Jacking | 24 Apr 2023 | 01:06:45 | |
Our smartphones have become indispensable tools for our daily lives - so seeing that dreaded red battery indicator can induce some serious anxiety. But before you jack your phone into some public USB charging port, think twice. Those USB connections can pass data as well as power, and it's actually possible to hack your phone using those ubiquitous and innocent-looking ports. Is this common? Probably not. But it's also very easy to avoid. I'll give you several tips for staying safe, particularly while traveling.
In other news: Mullvad VPN was subjected to a search warrant (but had no data to give up); Proton has announced that it has created a password manager; Yubico is merging with another company and going public; Facebook probably owes you some money; Apple HomePods can tell you if your house is on fire; one of several Israeli spyware makers is shutting down; the US and several partner countries are urging device makers to adopt Security by Design principles; hackers use fake Chrome updates to install malware; the much-hyped Florida water treatment plant hack wasn't really a hack; clever thieves are stealing modern cars through headlamp connectors; and health care portal check-in vendors are tricking patients into allowing them to monetize very sensitive health data.
Article Links
[mullvad.net] Mullvad VPN was subject to a search warrant. Customer data not compromised https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/
[proton.me] Proton Pass is now in beta https://proton.me/blog/proton-pass-beta
[yubico.com] Yubico is merging with ACQ Bure: merged company intends to go public on Nasdaq First North Growth Market in Stockholm https://www.yubico.com/blog/yubico-is-merging-with-acq-bure/
[Lifehacker] Facebook Probably Owes You Money https://lifehacker.com/facebook-probably-owes-you-money-1850350640
[MacRumors] HomePod Can Now Alert You If Your Smoke Alarm Goes Off https://www.macrumors.com/2023/04/18/homepod-alert-smoke-alarm/
[The Hacker News] Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose https://thehackernews.com/2023/04/israeli-spyware-vendor-quadream-to-shut.html
[cisa.gov] U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches
[Tom's Guide] Hackers are using fake Chrome updates to spread malware — don’t fall for this https://www.tomsguide.com/news/hackers-are-using-fake-chrome-updates-to-spread-malware-dont-fall-for-this
[VICE] Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says https://www.vice.com/en/article/y3wddv/much-hyped-water-plant-hack-wasnt-a-hack-was-actually-user-error-official-says
[theregister.com] CAN do attitude: How thieves steal cars using network bus https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/
[statnews.com] I declined to share my medical data with advertisers at my doctor’s office. One company claimed otherwise https://www.statnews.com/2023/04/07/medical-data-privacy-phreesia/
Tip of the Week: How to Avoid Juice Jacking https://firewallsdontstopdragons.com/how-to-avoid-juice-jacking/
Further Info
Facebook settlement form: https://www.facebookuserprivacysettlement.com/#submit-claim
CISA Secure by Design, Secure by Default: https://www.cisa.gov/securebydesign
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd. | |||
| Securing the Internet of Things | 17 Apr 2023 | 01:03:46 | |
As cybersecurity experts love to say, the "S" in "IoT" stands for security... meaning there is none. I've seen estimates that say there were almost 30 billion IoT devices on the internet in 2022. I have dozens of them on my home network alone. Each of these devices contains at least one computer, which is running potentially hackable software. And because these devices have internet connections, they are vulnerable to cyber attacks from anywhere on the planet. Today I'll ask Bill Niefert from Corellium how IoT devices differ from regular computers, how secure they are, what the risks are of insecure smart devices, and how we can make them better.
Interview Notes
Corellium: https://www.corellium.com/
Interesting IoT statistics: https://techjury.net/blog/internet-of-things-statistics/
Raspberry Pi: https://www.raspberrypi.org/
Fun RPi projects: https://www.pcworld.com/article/420028/10-practical-raspberry-pi-projects-anyone-can-do.html
Matter IoT standard: https://en.wikipedia.org/wiki/Matter_(standard)
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:40: Interview terminology preview
0:04:49: Tell us about Corellium and what you do there
0:09:34: What is an ARM processor?
0:12:23: How do IoT devices compare to regular computers?
0:16:03: How do you design for security in cheap, slow IoT devices?
0:20:10: Are IoT devices fundamentally more hackable than regular computers?
0:25:07: Does your home Wi-Fi router adequately shield IoT devices from hacking?
0:28:31: Should you put IoT devices on your guest network?
0:34:35: What are the real-world dangers of having compromised IoT devices?
0:37:34: What is the new Matter IoT framework all about?
0:43:47: Does the Matter standard come with improved cybersecurity?
0:45:30: What are the privacy concerns for IoT devices?
0:53:19: Should IoT manufacturers be held liable for security failures?
0:58:18: Wrap-up
0:59:16: What is a Raspberry Pi and what can I do with it?
1:01:25: Matter security and privacy
1:02:16: Bonus content | |||
| Reviewing Mullvad Browser | 10 Apr 2023 | 01:02:32 | |
Right after releasing my episode on web fingerprinting, highly-respected VPN provider Mullvad teamed up with Tor to release a new web browser, specifically designed to protect your privacy - including attempting to block fingerprinting! Great timing, so I thought I'd give you my review of the Mullvad Browser - the good, the bad, and (yes) the ugly.
In other news: Timely tips on spotting IRS phone scams; ultrasound attacks can hijack your smart speakers; brace yourself for a wave of more sophisticated AI-based scams; alcohol recovery startups shared patients' data with advertisers; Google to require app developers to let you delete your account data; FBI's Operation Cookie Monster shuts down popular cybercrime forum; Facebook will grudgingly offer users in Europe the option to opt out of all tracking; the FDA is requiring medical device manufacturers to improve cybersecurity and support; and I answer a Dear Carey question about how to use a Mac mini as a server to host private versions of cloud apps.
Article Links
[NPR] No, the IRS isn't calling you. It isn't texting or emailing you, either https://www.npr.org/2023/04/07/1168353969/irs-scam-tax-day-imposter-how-to-avoid
[Gizmodo] Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers, Researchers Find https://gizmodo.com/ultrasound-attack-hacks-phones-siri-alexa-usenix-1850273055
[WIRED] Brace Yourself for a Tidal Wave of ChatGPT Email Scams https://www.wired.com/story/large-language-model-phishing-scams/
[TechCrunch] Alcohol recovery startups Monument and Tempest shared patients’ private data with advertisers https://techcrunch.com/2023/04/04/monument-tempest-alcohol-data-breach/
[Engadget] Google will require that Android apps let you delete your account and data https://www.engadget.com/google-will-require-that-android-apps-let-you-delete-your-account-and-data-170618841.html
[CNN] ‘Operation Cookie Monster’: FBI seizes popular cybercrime forum used for large-scale identity theft https://www.cnn.com/2023/04/04/politics/genesis-market-fbi-seizure/index.html
[BGR] Facebook and Instagram users can now opt out of tracking, but only in Europe https://bgr.com/tech/facebook-and-instagrams-users-can-now-opt-out-of-tracking-but-only-in-europe/
[scmagazine.com] FDA will refuse new medical devices for cybersecurity reasons on Oct. 1 https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1
Tip of the Week: Mullvad Browser https://firewallsdontstopdragons.com/new-privacy-tool-mullvad-browser/
Further Info
Watchman Privacy interview: https://www.youtube.com/watch?v=fByagxDetVI
Using ultrasound to drive away teens: https://www.today.com/news/controversial-mosquito-sonic-devices-deter-young-people-high-pitched-sounds-t157801
Train Siri to recognize your voice: https://support.apple.com/en-us/HT204753
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:22: Important software updates
0:01:13: Watchman Privacy interview
0:01:44: News preview
0:04:38: Beware IRS phone scams
0:09:42: New ultrasound attacks against digital assistants
0:17:51: Brace yourself for AI-enhanced email scams
0:27:45: Alcohol recovery startups shared patients' private data with advertisers
0:30:28: Google will require that Android apps delete your account and data
0:35:00: FBI Operation Cookie Monster shuts down popular... | |||
| Privacy Peeps Panel | 03 Apr 2023 | 01:05:18 | |
On today's show, I'll take you behind the scenes of not one, not two, but three different privacy websites. I ask Nate from The New Oil and Niek from Privacy Guides how they deal with being public figures advocating for privacy, how they set their personal standards for privacy products, and how they cope with people and product makers who complain about their recommendations (or lack thereof). I ask them about some favorite products that they've had to remove from their recommended lists and where they go to keep up to date on privacy topics and products. Finally, I ask them what gives them hope about the future of privacy and what keeps them up at night.
Interview Notes
The New Oil: https://thenewoil.org/
Privacy Guides: https://www.privacyguides.org/
Techlore: https://techlore.tech/
Panopticon: https://en.wikipedia.org/wiki/Panopticon
Naomi Brockwell on VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:02: Transcriptions coming!
0:04:25: Introductions
0:05:55: As a private person, what's it like putting yourself out there?
0:09:13: How do you handle the haters?
0:12:09: How do you keep up to date on privacy and related products?
0:15:29: How often have you had to reverse product recommendations?
0:20:33: How do you set the threshold for how private a product should be?
0:26:10: Where do YOU go to learn about privacy products and topics?
0:31:19: A little humility goes a long way
0:33:25: Choosing a good VPN provider
0:37:44: Should people use antivirus software? If so, which?
0:40:57: How do you set and enforce your product recommendation criteria?
0:47:27: Do you think your standards help to improve the market?
0:49:08: What gives you hope about the future? And what keeps you up at night?
0:55:10: What can I do to further the cause of privacy?
0:59:05: Interview wrap-up
1:00:32: Dear Carey: Top privacy guidelines and topics for discussion? | |||
| Fingerprinting Your Devices | 27 Mar 2023 | 01:06:17 | |
Marketers are desperately trying to follow us as we traverse the web. Tracking where we go and what we do allows them to better target us with ads. Browsers have built-in protections to block older tracking techniques like cookies and tracking pixels, and so ad companies have had to find new methods for identifying us across websites. Unfortunately, they've settled on a technique that is extremely difficult to defeat: fingerprinting. I'll explain what it is, how it works, and what you can do to mitigate it.
In other news: Google is warning Android users to update their devices right away in order to fix some truly nasty bugs; hackers are using malicious Chrome extensions to read your Gmail and potentially hack your Android device; popular fertility apps are collecting ridiculous amounts of highly personal data and sharing it with partners; scammers are using AI to simulate voices of people you know to steal your money; CISA has launched a great new ransomware vulnerability pilot program; I'll tell you why you should opt out of sharing your data with your mobile service provider; America's threatening to ban TikTok but this won't fix the real problem; the IRS is supposed to be moving away from ID.me authentication.
Article Links
[Naked Security] Dangerous Android phone 0-day bugs revealed – patch or work around them now! https://nakedsecurity.sophos.com/2023/03/17/dangerous-android-phone-0-day-bugs-revealed-patch-or-work-around-them-now/
[Tom's Guide] Hackers are stealing Gmail messages — delete this extension right now https://www.tomsguide.com/news/hackers-are-stealing-gmail-messages-delete-this-extension-right-now
[The Conversation] Popular fertility apps are engaging in widespread misuse of data, including on sex, periods and pregnancy https://theconversation.com/popular-fertility-apps-are-engaging-in-widespread-misuse-of-data-including-on-sex-periods-and-pregnancy-202127
[consumer.ftc.gov] Scammers use AI to enhance their family emergency schemes https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes
[cisa.gov] CISA Establishes Ransomware Vulnerability Warning Pilot Program https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program
[briankrebs] Why You Should Opt Out of Sharing Data With Your Mobile Provider https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/
[The Washington Post] America’s online privacy problems are much bigger than TikTok https://www.washingtonpost.com/technology/2023/03/24/tiktok-online-privacy-laws/
Dear Carey: IRS plans to approve use of Login-dot-gov as Tax Day nears https://www.fcw.com/it-modernization/2023/03/plans-approve-use-login-dot-gov-tax-day-nears/383934/
Tip of the Week: https://firewallsdontstopdragons.com/how-to-block-web-fingerprinting/
Further Info
Syncthing: https://syncthing.net/
KeePassXC: https://keepassxc.org/
IP address black list check: https://whatismyipaddress.com/blacklist-check
EFF on TikTok: https://www.eff.org/deeplinks/2023/03/government-hasnt-justified-tiktok-ban
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:49: Local password vault sync solution
0:05:07: News preview
0:06:47: Dangerous Android Baseband Bugs Patched
0:18:19: Hackers stealing Gmail messages via browser plugin
0:22:29: Popular fertility apps are engaging in widespread misuse of data
| |||
| Solving Your Password Problems | 20 Mar 2023 | 00:54:56 | |
If for some reason you haven't started using a password manager yet, it's time to make the move. But how can you trust all these important secrets to some unknown company? How can you be sure that your password vault will be safe in a cloud-based service? And finally, how do you figure out which service is best for you? Today I'll ask Kasey Babcock from Bitwarden all those questions. We'll also talk about two-factor authentication and newer "passkeys" technology, Argon2 vs PBKDF2, and even how you might self-host a solution like Bitwarden if you want to have full control.
Kasey Babcock is a Product Marketing Manager at Bitwarden, and she has many years of experience working at software start-ups in the cybersecurity and project portfolio management industries, working with product and engineering teams to communicate meaningful cybersecurity information and product updates.
Interview Notes
Bitwarden Personal: https://bitwarden.com/products/personal/
Bitwarden Secrets Manager: https://bitwarden.com/products/secrets-manager/
Bitwarden blog article: https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:02: Pre-interview notes
0:02:21: Why should people entrust their credentials to a password manager?
0:07:49: What is Argon2 and how does it compare to PBKDF2?
0:09:15: How can regular people evaluate the security of software products?
0:14:34: How important is it for security software to be open-source?
0:16:32: How do third party security audits work?
0:18:48: What is "pen testing"?
0:19:16: How much control do audited companies have over releasing audit results?
0:20:35: What are the benefits of self-hosting a solution like Bitwarden?
0:23:55: Should we trust cloud-based password vault storage?
0:25:29: What are some red flags to look for when evaluating security companies?
0:27:36: Bitwarden recently received $100M in funding - has this changed your focus?
0:30:57: What is "secrets management" for software developers?
0:33:31: What is "passwordless" and is it phishing-proof?
0:39:18: How do I set up and use passkeys?
0:44:09: How long before we can use passkeys?
0:45:42: Will passwordless systems still require two-factor auth?
0:48:22: What's next for Bitwarden? What features can we look forward to?
0:50:06: Interview wrap-up | |||
| Securing Your Home Network | 13 Mar 2023 | 01:07:18 | |
Our devices are connected to the Internet 24/7 and the only thing separating them from the bad guys is usually your home router. In the era of smart devices and the Internet of Things (IoT), we also now have many more doohickeys connected to the Internet - most of them with crappy security. If one of those devices is compromised, the bad guys now have a beachhead from which to probe and attack all your other devices. In today's show, we'll review some important cybersecurity tips for our home network and connected devices.
In other news: police raid homes of alleged ransomware gang; locally exploitable TPM 2.0 security flaws found; White House unveils comprehensive cybersecurity strategy; new LastPass breach details show specific employee was targeted at home; browser synchronization features may compromise employer systems; Catholic group buys data to target gay priests; private home webcams are a goldmine for police evidence gathering; telehealth companies leak sensitive patient data; ICE and Secret Service admit to using cell-site simulators to collect mass surveillance data.
Article Links
[The Verge] Police raid homes of alleged hackers who attacked hospital systems https://www.theverge.com/2023/3/6/23627238/hackers-ransomware-raid-german-ukrainian-police
[TechSpot] Two security flaws in the TPM 2.0 specs put cryptographic keys at risk https://www.techspot.com/news/97824-two-security-flaws-tpm-20-specs-put-cryptographic.html
[The Washington Post] Biden unveils cyber strategy that takes more aggressive regulatory approach https://www.washingtonpost.com/national-security/2023/03/02/cybersecurity-biden/
[Ars Technica] LastPass says employee’s home computer was hacked and corporate vault taken https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
[Kaspersky] Disable browser synchronization in the office https://www.kaspersky.com/blog/disable-browser-sync-enterprise/47460/
[The Washington Post] Catholic group spent millions on app data that tracked gay priests https://www.washingtonpost.com/dc-md-va/2023/03/09/catholics-gay-priests-grindr-data-bishops/
[Electronic Frontier Foundation] Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones
[POLITICO] The privacy loophole in your doorbell https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-00084979
[TechCrunch] Telehealth startup Cerebral shared millions of patients’ data with advertisers https://techcrunch.com/2023/03/10/cerebral-shared-millions-patient-data-advertisers/
[NPR] Personal information of members of Congress exposed in health data breach https://www.npr.org/2023/03/09/1162191035/personal-information-of-u-s-house-members-exposed-in-health-data-breach
Securing Your Home Network: https://firewallsdontstopdragons.com/how-to-secure-your-home-network/
Further Info
Apple’s HomeKit Secure Video: https://support.apple.com/en-us/HT210538
Shodan: https://www.shodan.io/
What’s My IP? https://www.whatismyip.com/
NSA home network security (PDF): https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF
What a VPN Is (and Isn't): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/
Get your Dragon Swag! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
| |||
| Designing Apps for Privacy | 06 Mar 2023 | 01:07:03 | |
Privacy advocates like me implore people to use secure apps that protect their data. But how difficult is it to actually create those apps? How do you balance security and privacy against sharing features and ease of use? How do you earn the trust of your users and how do you keep that trust? When does being private begin to negatively impact your ability to participate in society? Today I'll ask Mo, the creator of the secure note-taking app Standard Notes, all of these questions and more - including his personal thoughts for how best to organize and back up your notes and other data.
Interview Notes
Standard Notes: https://standardnotes.com/
Write Fearlessly (blog article): https://standardnotes.com/why-encrypted
Standard Notes YouTube channel: https://www.youtube.com/@standardnotes
Second Brain note taking styles: https://fortelabs.com/blog/the-4-notetaking-styles-how-to-choose-a-digital-notes-app-as-your-second-brain/
Tresorit secure cloud storage: https://tresorit.com/individuals
Sync.com secure cloud storage: https://sync.com/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:19: What is Standard Notes and how is it different?
0:06:19: What is true end-to-end encryption?
0:08:35: What does privacy mean to you?
0:14:14: What do people misunderstand most about privacy?
0:17:43: How do you secure a web app?
0:23:08: Does security preclude any popular app features?
0:27:31: Should we really encrypt everything?
0:33:30: How do you earn and keep your users' trust?
0:37:57: How important is humility and honesty in security marketing?
0:39:42: What is your note taking organizational strategy?
0:47:03: How do you figure out what organizational style works for you?
0:50:43: How do you make sure all your data is backed up and findable?
0:56:17: What does the future hold for privacy?
1:01:04: What's next for Standard Notes?
1:05:06: Interview wrap-up | |||
| Physical Phone Security | 28 Jul 2025 | 01:18:35 | |
We take our phones with us everywhere. And they contain, or have cloud access to, pretty much all of our personal information and online accounts. While phone makers have made it difficult for thieves to resell a stolen phone, anyone with physical access to your device may be able to extract its data or access all your accounts. Thankfully, Apple (iOS) and Google (Android) have recently introduced several features that can significantly increase your device's physical security and privacy. We'll discuss some of them today.
In the news: VPN signups in UK spike after age verification law kicks in; Tea app data breach includes IDs; Amazon buys Bee AI wearable; your power meter is a surveillance tool; Amazon's Ring returns to sharing video with police; startup sells hacked data to debt collectors; Gemini AI on Android to get third party app access; Brave blocks Windows Recall; UK backs down on Apple back door; Apple to make passkeys portable; two new AI chatbots that are truly open and private.
Article Links
Proton VPN Signups in UK Surge 1,400% After Online Safety Act Comes Into Force https://cyberinsider.com/proton-vpn-signups-in-uk-surge-1400-after-online-safety-act-comes-into-force/
I Knew the Viral 'Tea' App Was Trouble, but I Didn't Expect a Data Breach https://lifehacker.com/tech/i-knew-the-viral-tea-app-was-trouble-but-i-didnt-expect-a-data-breach
Amazon buys Bee AI wearable that listens to everything you say https://www.theverge.com/news/711621/amazon-bee-ai-wearable-acquisition
When Your Power Meter Becomes a Tool of Mass Surveillance https://www.eff.org/deeplinks/2025/07/when-your-power-meter-becomes-tool-mass-surveillance
Amazon's Ring goes full founder mode, taking the company back to its crime-fighting roots https://www.businessinsider.com/amazon-ring-founder-mode-jamie-siminoff-crime-fighting-roots-2025-7
A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors https://www.404media.co/a-startup-is-selling-data-hacked-from-peoples-computers-to-debt-collectors/
Unless users take action, Android will let Gemini access third-party apps https://arstechnica.com/security/2025/07/unless-users-take-action-android-will-let-gemini-access-third-party-apps/
Brave blocks Windows Recall from screenshotting your browsing activity https://www.bleepingcomputer.com/news/security/brave-blocks-windows-recall-from-screenshotting-your-browsing-activity/
UK backing down on Apple encryption backdoor after pressure from US https://arstechnica.com/tech-policy/2025/07/uk-backing-down-on-apple-encryption-backdoor-after-pressure-from-us/
Passkey portability is finally here in iOS 26 and macOS Tahoe 26 https://9to5mac.com/2025/07/12/passkey-portability-is-finally-here-in-ios-26-and-macos-tahoe-26/
Introducing Lumo, the AI where every conversation is confidential https://proton.me/blog/lumo-ai
A language model built for the public good https://ethz.ch/en/news-and-events/eth-news/news/2025/07/a-language-model-built-for-the-public-good.html
Tip of the Week: https://firewallsdontstopdragons.com/physical-phone-security/
Further Info
Hacker Plants Computer 'Wiping' Commands in Amazon's AI Coding Agent https://www.404media.co/hacker-plants-computer-wiping-commands-in-amazons-ai-coding-agent/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:47: DEF CON update
0:01:47: News preview
0:04:06: Proton VPN use surges in UK
0:08:13: Data breach at viral Tea app
0:19:36: Amazon buys Bee AI wearable
0:26:47: Using power meters for surveillance
0:30:48: Ring again sharing video with police
0:34:57: Startup selling hacked data to debt collectors
0:42:29: Android lets Gemini access 3rd party apps
| |||
| Unmasking Shortened Links | 27 Feb 2023 | 01:03:40 | |
Web links are great, when you're on the web. But if you need to read off or write down a web address, or URL, to someone else, anything beyond a simple domain name is going to be way too complicated. Ideally, you want something short and memorable. Enter link-shortening services like Bitly, Owly and others. These services convert long, ugly URLs to short, simple, memorable links. Unfortunately, this also obscures the actual link. When you click a shortened link, you have no idea where it will take you. Today, I'll give you some tools that will allow you to determine the final destination and even see an image of the site without actually going there.
In other news: TikTok group teaches people how to hot-wire Kia and Hyundai cars; Twitter charges users for the least-secure two-factor authentication method; scam authenticator apps proliferate on the App Store; Apple devices are being stolen after thieves surreptitiously learn the lock codes; Google to launch Android Privacy Sandbox beta; Mozilla discovers huge discrepancies between actual privacy policies and the 'nutrition label' summaries on top Android apps; supermarkets track tons of user data via loyalty cards and apps; we need to create a much more robust and resilient internet; and the CEO of Safing answers a user question about Portmaster and SPN.
Article Links
[Lifehacker] TikTokers Are Hot-Wiring These Hyundai and Kia Cars https://lifehacker.com/tiktokers-are-hot-wiring-these-hyundai-and-kia-cars-1850113943
[Mashable] Twitter to charge users for SMS two-factor authentication https://mashable.com/article/twitter-removes-sms-2fa
[9to5mac.com] Scam authenticator app advertising on App Store: Sends all your QR codes to the developer https://9to5mac.com/2023/02/21/scam-authenticator-app/
[MacRumors] Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' https://www.macrumors.com/2023/02/24/iphone-stolen-passcodes-report/
[The Verge] Google launches first Android beta for ad-tracking overhaul https://www.theverge.com/2023/2/14/23599027/google-android-privacy-sandbox-beta-advertising-tracking
[foundation.mozilla.org] Mozilla Study: Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading
[The Markup] Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You https://themarkup.org/privacy/2023/02/16/forget-milk-and-eggs-supermarkets-are-having-a-fire-sale-on-data-about-you
[Schneier Blog] What Will It Take? https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html
How to Reveal Shortened URLs: https://firewallsdontstopdragons.com/how-to-reveal-shortened-urls/
Further Info
2FA apps: https://lifehacker.com/the-best-authenticator-apps-for-iphone-and-android-1850140802
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: Book out of stock?
0:01:45: News rundown
0:04:09: Hot-Wiring Hyundai and Kia Cars
0:09:11: Twitter to charge users for SMS 2FA
0:12:58: Scam authenticator apps
0:18:13: Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
0:24:22: Google launches first Android beta for Privacy Sandbox
0:27:52: Data Privacy Labels in Google Play Store are False or Misleading
0:34:59: Supermarkets Are Having a Fire Sale on Data About You
0:44:41: Schneier: What Will It Take?
0:52:38: Dear Carey
0:55:53: Tip of the Week
1:01:21: Wrap up: merch store, previews | |||
| Fixing Social Media | 20 Feb 2023 | 01:10:08 | |
Social media wasn't always so bad. It didn't use to collect so much information. It didn't use to feed us content we didn't ask for in an attempt to maintain our attention. Doom scrolling, virtue signaling, algorithmic feeds and misinformation bots are not natural extensions of social media. So what went wrong? And better yet, how can we fix it? Today I'll discuss all of these topics and more with Suzie Dawson, the founder of Panquake.com. She's on a mission to solve all of these problems and restore the promise of social media to be a positive force for society and serve the users, not corporations or governments.
Interview Notes
Panquake: https://panquake.com/
A Personal Message from our Founder (Suzie): https://vimeo.com/770524936
What is Panquake? https://vimeo.com/503223746
The Social Dilemma (documentary): https://www.thesocialdilemma.com/
Mastodon: https://joinmastodon.org/
Fediverse: https://www.eff.org/deeplinks/2022/11/fediverse-could-be-awesome-if-we-dont-screw-it
Microsoft’s Decentralized Identity: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:18: interview preview
0:05:24: What is Panquake.com and why did you create it?
0:06:25: When and why did social media platforms go wrong?
0:07:55: Why is our relationship with Big Tech such an abusive one?
0:10:09: Are algorithmic feeds inherently bad or just exposing human nature?
0:15:25: How does Facebook learn so much about us?
0:16:24: Without algorithmic feeds, how do I discover new content?
0:17:51: How do you convince people to pay for their social media platform?
0:21:27: What other things do people hate about modern social media platforms?
0:25:53: What does it mean to be 'shadow banned'?
0:27:32: How can we stop malicious bot behavior?
0:30:39: What's the best way to implement account verification?
0:34:59: How do we spark a backwards paradigm shift?
0:36:44: What is the role of social media platforms in moderating content?
0:40:00: How does moderation vary globally?
0:41:23: Is TikTok more dangerous to society than Twitter or Facebook?
0:47:21: What is the "Fediverse" and how does it work?
0:53:40: How important is data portability or ownership?
0:58:34: What's next for Panquake?
1:03:19: Suzie asks ME a question!
1:04:56: Interview wrap-up
1:05:41: patron bonus content and benefits
1:06:43: Swag Shop is OPEN!
1:08:43: Upcoming interviews | |||
| Where & Why to Plant Your Flag | 13 Feb 2023 | 01:01:30 | |
As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before bad guys do this on your behalf. Furthermore, as a homeowner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I'll tell you where and why to plant your flag.
In other news: Booking.com reservation data is being used to scam customers; top background check services' customer data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies a court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST selects lightweight encryption algorithms for tiny IoT devices. I also answer a listener question about IPv4 vs IPv6.
Article Links
[Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/
[TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach
[Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/
[The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx
[Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html
[9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/
[PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html
[Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims
[ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/
Further Info
Order the new 5th edition of my book! https://fdsd.me/book
OSINT Tools: https://inteltechniques.com/tools/index.html
WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:29: News preview
0:03:58: Booking.com users being targeted with convincing scams
0:09:11: Top background check services hit by data breach
0:12:16: Finnish psychotherapy extortion suspect arrested
0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem
0:23:23: ACLU pushes back against Google geofence warrants
0:31:07: Anker admits to lying about Eufy security camera e... | |||
© My Podcast Data