Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
-
Routers Behaving Badly
06/04/2026 Duration: 55min
The US is planning to ban all foreign-made or foreign-designed home WiFi routers… which is basically all routers. It’s true that many consumer routers are pretty crappy when it comes to security. TP-Link just fixed some bad vulnerabilities (which you need to patch ASAP). But what does this mean for anyone wanting to upgrade to a new router? I’ll try to explain. In other news: Walmart is buying TV-maker Vizio to gain access to user data and ads; a company is turning public Zoom meetings into AI podcasts for profit (without permission); a health company suffers a data breach exposing millions of clients’ information; H&R Block’s latest business tax prep software commits an egregious security mistake; AI companies are rolling out dangerous automation features; macOS 26.4 appears to block ClickFix-style attacks; and Facebook and Google lose in a landmark legal case. Article Links Walmart buying TV-brand Vizio for its ad-fueling customer data: https://arstechnica.com/gadgets/2024
-
Privacy Guides Panel
30/03/2026 Duration: 01h11min
Nate Bartram and Jonah Aragon have been advocating for privacy for a long time. Their sites, The New Oil and Privacy Guides, have a ton of fabulous resources for anyone interested in guarding their data and defending their digital rights. Ever wonder what it’s like being a privacy advocate in an increasingly privacy-hostile world? Today, I’ll take you behind the scenes of these sites and into the brains of two top-notch privacy warriors. Interview Notes Privacy Guides: https://www.privacyguides.org/ The New Oil: https://thenewoil.org/ Critical Thinking 101: https://ghost.thenewoil.org/critical-thinking-101/ This Week in Privacy podcast: https://podcasts.apple.com/us/podcast/this-week-in-privacy/id1726826455 Privacy Advocate Toolbox: https://www.privacyguides.org/en/activism/ Smartphone privacy guides: https://www.privacyguides.org/videos/2026/02/04/smartphone-security-course-lesson-1-beginners-2/ Further Info My book: https://fdsd.me/book My newsletter: http
-
Spring Cleaning
23/03/2026 Duration: 01h15min
When we think about improving security and privacy, we tend to add things: password managers, VPNs, encrypted communication apps. But one of the most effective ways to protect yourself is much simpler: remove what you don’t need. Safety through subtraction. Every app you install exposes you to more data collection and security vulnerabilities. Over time, these apps can automatically update, collecting more data and adding new exploitable features. And with the current global unrest, the risk of attacks is greater than normal. I’ll give you several top tips for reducing your attack surface. Article Links Check Your Asus Router for Malware ASAP: https://lifehacker.com/tech/check-asus-router-for-malware Instagram drops end-to-end encrypted chats: https://proton.me/blog/instagram-end-to-end-encryption Viral ‘Quittr’ Porn Addiction App Exposed the Masturbation Habits of Hundreds of Thousands of Users: https://www.404media.co/viral-quittr-porn-addiction-app-exposed-the-masturbation-habits-of-hund
-
Surveillance Pricing
16/03/2026 Duration: 01h04min
When you shop online or through an app, do you ever wonder if you’re being charged the same as someone else for the same thing? Even controlling for things like shipping address and local taxes, it turns out that today it’s not uncommon for pricing to dynamically change based on factors that may not seem fair. This is called surveillance pricing. Justin Brookman (Consumer Reports) and Eric Gardner (More Perfect Union) recently performed a study on this practice using Instacart, and the results were eye-opening. Interview Notes Surveillance pricing study: https://www.consumerreports.org/money/questionable-business-practices/instacart-ai-pricing-experiment-inflating-grocery-bills-a1142182490/ Study video (Instagram): https://www.instagram.com/reels/DSC1w_Hjng6/ Study video (YouTube): https://www.youtube.com/watch?v=osxr7xSxsGo Consumer Reports: https://www.consumerreports.org/ More Perfect Union: https://perfectunion.us/ Get involved: https://action.consumerreports.org/ Instacart’s AI-Enable
-
Fixing ClickFix
09/03/2026 Duration: 01h03min
Bad guys have found a willing accomplice for installing malware: YOU. This very effective malware delivery mechanism, dubbed ClickFix, accounted for over half of all infections last year. I’ll tell you how to avoid it, but also explain why you shouldn’t have to. In other news: Amazon’s change to wishlists may expose your address; a new government-grade iOS exploit kit is spreading to criminals; Israel hacked traffic cams to kill Iran’s leaders; Meta’s AI glasses are a privacy nightmare; new AirSnitch WiFi exploit is clever, but not a threat for most people; Microsoft Office bug allowed AI to read confidential emails; Discord walks back its plans for age verification; US Senators reintroduce surveillance transparency bill; CA privacy activists call for removing license plate readers; Ente releases new Locker app; Privacy Guides releases wonderful new privacy resource. Article Links Amazon Change Means Wishlists Might Expose Your Address https://www.404media.co/amazon-wishlist-address-
-
Double Blind Armadillo
02/03/2026 Duration: 01h11min
Cellular providers need to know your location in order to deliver calls and text messages to your phone. But it turns out that they really don’t need to know who you are to give you that service. They only need to know how to bill you – and that information can be as little as knowing your ZIP+4 code. Why do we give so much personal information to our mobile service providers when we don’t have to? Today, Nick Merrill, founder of Phreeli, will explain how he can give you top notch cell service and know almost nothing about you. Interview Notes Phreeli: https://www.phreeli.com/ Double Blind Armadillo: https://www.phreeli.com/files/PhreeliDoubleBlindArmadilloWhitePaper.pdf Wired article: https://www.wired.com/story/new-anonymous-phone-carrier-sign-up-with-nothing-but-a-zip-code/ Call Detail Record: https://en.wikipedia.org/wiki/Call_detail_record 2600 Magazine: https://www.2600.com/ Zero-Knowledge Proofs: https://firewallsdontstopdragons.com/how-zero-knowledge-proofs-work/ Further Info
-
New Google Alternatives
23/02/2026 Duration: 01h10min
In my seemingly never-ending quest to replace all things Google, I’ve finally found some solid, private alternatives to Google Sheets and Google Forms. And we’ll also talk about how the EU is looking to create competing products to reduce their dependence on Big Tech from Silicon Valley. In the news: Australian drivers’ info exposed in breach; school admissions website leaked student data; Discord is rolling out age verification; more countries move to ban social media for kids; Big Tech companies volunteer data to DHS on anti-ICE users; Meta wanted to sneak out facial recognition; researchers find tricky bugs in password managers; DJI robovacs were wide open on the internet; Ring’s mass surveillance efforts garner blow back; Russia blocks WhatsApp and Telegram. Article Links More than 200,000 Australian drivers exposed in massive data breach https://www.drive.com.au/news/over-200000-driver-licences-hacked-in-massive-data-breach/ Bug in student admissions website exposed children
-
Professionally Paranoid
16/02/2026 Duration: 01h07min
Today I speak with Yahoo CISO Sean Zadig – aka, the Chief Paranoid. Sean has had a long and varied career in cybersecurity, working both in law enforcement (at NASA!) and working security for Big Tech. I’ll ask Sean how we can teach our kids about cybersecurity, and how to protect them from the worst of the internet without compromising anyone’s privacy. I’ll also get his perspective on the relationship between Big Tech, user data, law enforcement and the Fourth Amendment. Interview Notes The Paranoids (Yahoo): https://www.yahooinc.com/our-technology/paranoids Suddenly a CISO: https://www.yahooinc.com/paranoids/suddenly-a-ciso-four-pieces-of-transitional-advice Clipper Chip: https://en.wikipedia.org/wiki/Clipper_chip Further Info My book: https://fdsd.me/book My newsletter: https://fdsd.me/newsletter Support the mission: https://fdsd.me/support Give the gift of privacy and security: https://fdsd.me/coupons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch T
-
Agents of Misfortune
09/02/2026
The latest craze with artificial intelligence is agentic AI – exhibited most recently in the viral AI project called ClawdBot… or Moltbot… or OpenClaw. (The name has changed two times in less than a week.) You download this software, give it access to your AI chatbot accounts, and then give it full and complete access to your computer and online accounts. Why? So you can have an all-powerful assistant who can do real things in the real world as if they were you! What could go wrong? In other news: a new lawsuit claims Meta can read all your WhatsApp messages; an AI toy exposed chat transcripts of their toddler owners; another AI app leaks millions of private conversations; TikTok’s new terms of service are very scary; the US wants visitors to fork over tons of personal info; UK officials were hit by Volt Typhoon; the UK wants to increase facial recognition in public places; the FBI failed to unlock journalist’s iPhone with Lockdown Mode enabled; Google adds cool anti-theft featur
-
Debunking Hacklore
02/02/2026 Duration: 01h05min
We’re all busy people with busy lives. We only have so much time and energy. So when security people dole out to-do lists, we really need to focus on the tips with the most bang for the buck. Conversely, we need to avoid wasting people’s precious resources on advice that is no longer valid or worth the effort. Today, we’ll debunk several of these “Hacklore” tips with security guru Bob Lord. Interview Notes Hacklore: https://www.hacklore.org/letter Hacklore resources: https://www.hacklore.org/resources Elevator (un)safety analogy: https://medium.com/@boblord/psa-elevator-un-safety-7ac69a9498de DNC Security Checklist: https://democrats.org/security/ CISA Secure by Design: https://www.cisa.gov/securebydesign MITRE’s 2007 Unforgivable Vulnerabilities (PDF): https://cwe.mitre.org/documents/unforgivable_vulns/unforgivable.pdf Take 9: https://pausetake9.org/ Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/
-
Zero-Knowledge Proofs
26/01/2026 Duration: 01h13min
There exist many interesting technical tools which can greatly improve our privacy while still allowing us to use very personal data. In the next installment of my series on Privacy Enhancing Technologies, we’ll look at zero-knowledge proofs – what they are, how they work and what types of privacy problems they can address. Specifically, we’ll show how you can prove that you know a secret without actually revealing the secret. In other news: Florida may be implementing an age-gating law; the UK government is now considering a ban on VPNs; 17 more people browser plugins that steal your data; popular apps used to harvest data using real-time bidding; police unmask millions of surveillance targets due to Flock redaction failures; AI company sued for secretly scoring job seekers; Microsoft gives BitLocker keys to FBI; and the FTC finalizes restrictions on GM car data gathering and sharing. Article Links Oppose Florida’s AI age verification bill, protect your privacy https://www.miamitech.
-
Honoring Auto Privacy Rights
19/01/2026 Duration: 01h07min
Having data privacy laws is great. But if those laws can’t be practically enforced or your rights easily asserted, they’re not very useful. Modern cars are chock full of sensors, many of which are used to monitor the passengers and collect personal data. But cars are subject to privacy laws, too. Opting out of data collection or requesting data deletion should be straightforward. Andrea Amico and Merry Marwig from Privacy4Cars just completed a massive study on this, and the vast majority of auto brands had horrible user experiences for data management. They will share their findings with us on today’s show. Interview Notes Privacy4Cars: https://privacy4cars.com/ California UX whitepaper: https://privacy4cars.com/ux-california/ Vehicle Privacy Report tool: https://vehicleprivacyreport.com/ Company auto info: https://Privacy4Cars.com/CISO GDPR auto info: https://Privacy4Cars.com/GDPR Opt Out Code: https://optoutcode.com/ IoT on Wheels talk: https://instituteofprivacydesign.org/2025/08/1
-
Private AI Chat
12/01/2026 Duration: 01h10min
AI has many problems, but also has promise. Today I’m going to focus on one particular problem that has some viable solutions: privacy. Chat bots like ChatGPT, Gemini and Claude all require your queries to be processed in the cloud. All the personal questions we ask are probably being logged against our identity and could be used to train future AI models or to present us with targeted ads. But there are alternatives that protect your data – I’ll give you a handful of solid options. In other news: a Texas court has blocked the app store age verification law; Flock’s people-tracking cameras have horrible security; PornHub confirms data leak due to third party; stalkerware maker pleads guilty; Texas sues 5 TV makers over data collection; Wegman’s grocery using facial recognition in NYC; New York’s surveillance pricing transparency law goes into effect; DROP tool debuts in California for deleting broker data; two Chrome extensions caught stealing chat bot session text; ChatGPT
-
Decentralized Messaging
05/01/2026 Duration: 01h29min
There are a ton of messaging apps on the market – and there are actually quite a few that are very secure and private. I would argue that there is no such thing as a “perfect” secure messaging app. There are several threat models to account for, each with different requirements. Today we’re going to talk about the pros and cons of decentralized messaging with the co-founder of Session, Kee Jeffreys. These messaging apps don’t rely on a set of servers hosted by the provider, but rather on a mesh of nodes run by hundreds or thousands of others. We’ll also discuss the importance of protecting metadata and the notion of “permissionless access”. Session just announced support for key features in the upcoming version 2 of their protocol, including Perfect Forward Secrecy (PFS) and post-quantum encryption. Interview Notes Get the Session app: https://getsession.org/ Session adds PFS, post-quantum crypto: https://getsession.org/blog/session-protocol-v2 xkcd
-
Best of 2025 Bonus Content
29/12/2025 Duration: 58min
Every week, I record a special, private bonus podcast for my patrons. Normally all of that content is restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Yael Grauer (Consumer Reports), Josh Summers (All Things Secured), Lisa LeVasseur (Internet Safety Labs), Josh Corman (UnDisruptable27), Andy Liddell (EdTech Law Center), Carissa Véliz (author, professor), Eamonn Maguire (Proton), Grace Menna & Adrien Ogee (Cyber Resilience Corps). Enjoy! Original Interview Links Ep416: Yael Grauer: https://podcast.firewallsdontstopdragons.com/2025/02/17/security-planner/ Ep420: Josh Summers: https://podcast.firewallsdontstopdragons.com/2025/03/17/all-things-secured/ Ep422: Lisa LeVasseur: https://podcast.firewallsdontstopdragons.com/2025/03/31/microscoping-our-apps/ Ep428: Josh Corman: https://podcast.firewallsdontstopdragons.com/2025/05/12/shelter-from-the-storm/ Ep426: Andy Liddell: http
-
Replay: Stop Reusing Passwords
22/12/2025 Duration: 01h02min
I’m digging into the vault for a classic interview – a blast from the past! I’ve done 460 episodes over the last nearly 9 years, and some of the best old episodes still hold up well today. I first interviewed Troy Hunt, creator of Have I Been Pwned, in February of 2019. It was Episode 102 and it was entitled “You Must Stop Reusing Passwords”. In this episode we talk a little about the origins of HIBP, password security, data breaches and brokers, and how to keep our accounts secure. I’ve added some new commentary, but the original episode is preserved in all of its glory! Interview Notes Have I Been Pwned? https://haveibeenpwned.com/ NIST updated password guidelines: https://pages.nist.gov/800-63-4/sp800-63c.html Proton summary of NIST changes: https://proton.me/blog/nist-password-guidelines Password haystacks: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ Choosing a strong PIN: https://firewallsdontstopdragons.com/how-to-choose-a-pin/ U
-
Best of 2025!
15/12/2025 Duration: 01h17min
I’ve had some truly amazing interviews this past year. For your listening enjoyment, I’ve curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you’ve never listened to my podcast, this will give you a taste of what you’re missing! If you’re a regular listener, this will be a fun trip down memory lane, complete with new commentary. You’ll hear from Dr Paul Ashley (CEO/Founder of MySudo), Yael Grauer (Consumer Reports), Weld Pond (L0pht), Lisa LeVasseur (Internet Safety Labs), Zach Edwards (Silent Push), Bruce & Heidi Potter (Shmoocon), Deviant (physical security expert), Cory Doctorow (author, activist, EFF), Monique Priestley (VT State Rep), Carissa Véliz (author, professor), Adrien Ogee (CyberPeace Builders). Enjoy! Original Interview Links Ep414, Dr Paul Ashley: https://podcast.firewallsdontstopdragons.com/2025/02/03/controlling-your-digital-id/ Ep416: Yael Grauer: https://podcast.firewallsdontstopdragons.com/2025/02/1
-
40 Years of Phrack
08/12/2025 Duration: 59min
Way before the world wide web, computer enthusiasts were sharing information via digital bulletin board systems (BBS). This amounted to attaching a modem to your home computer and allowing other people to dial in from their computers (one at a time) to download “textfiles” and share “warez” – or cracked software applications, often games. This scene gave rise to several electronic “zines” that published articles on hacking and phone phreaking techniques. One of the most popular zines, Phrack, was started in 1985 and is still going strong forty years later. Today we’ll discuss the colorful and storied history of this pioneering zine with two Phrack editors, skyper and TMZ. Interview Notes Phrack magazine: https://phrack.org Phrack Wikipedia page: https://en.wikipedia.org/wiki/Phrack Hacker Manifesto: https://phrack.org/issues/7/3 Smashing the Stack for Fun and Profit (Aleph One): https://phrack.org/issues/49/14 E911 Document Leak: https://phrack.org/issues/24/
-
Be Wary of Holiday Scams
01/12/2025 Duration: 01h08min
With the holiday season come holiday scams – and honestly, just more scammer activity across the board, in general. People are busy and buying lots of stuff, and it’s a time when we’re more vulnerable to schemes to take our money and infect our devices. Today we’ll talk about a few current scams going around and give some solid advice to avoid becoming a victim. In the news: FCC scraps cybersecurity rules for telcos; WhatsApp flaw exposed 3.5B phone numbers; ClickFix scam update; Border Patrol is monitoring US drivers for ‘suspicious’ travel patterns; a tricky Apple Support scam; USPS and EZ-Pass scams; a cool new tool for monitoring your home network for rogue devices; state and local cyber grant program to be renewed; airlines shut down program that sold your flight records; CA court ends electricity surveillance program; also, a few more holiday gift ideas! Article Links Despite Chinese hacks, Trump’s FCC votes to scrap cybersecurity rules for phone and internet c
-
Best & Worst Gifts for 2025!
24/11/2025 Duration: 01h29min
Holiday shopping season is here! And that must mean that it’s time again for my annual Best & Worst Gift Guide! But this time I’ve recruited some top minds from Consumer Reports to lend their expertise and enlighten us with their tech gift-giving strategies! Yael Grauer, Stacey Higginbotham and Jeff Landale join me for a round table discussion of how to give tech gifts that won’t ruin the security and privacy of your recipients! Interview Notes $10 off Consumer Reports!! https://www.consumerreports.org/fdsd/ Consumer Reports: https://www.consumerreports.org/ Cyber Readiness Report: https://innovation.consumerreports.org/new-report-2025-consumer-cyber-readiness/ Security Planner: https://securityplanner.consumerreports.org/ Vulnerability Disclosure Programs: https://innovation.consumerreports.org/who-ya-gonna-call/ Give Dragon Coupons! https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/ Library Freedom Project: https://libraryfreedom.org/ Yael on spyware an