We’re all busy people with busy lives. We only have so much time and energy. So when security people dole out to-do lists, we really need to focus on the tips with the most bang for the buck. Conversely, we need to avoid wasting people’s precious resources on advice that is no longer valid or worth the effort. Today, we’ll debunk several of these “Hacklore” tips with security guru Bob Lord.

There exist many interesting technical tools which can greatly improve our privacy while still allowing us to use very personal data. In the next installment of my series on Privacy Enhancing Technologies, we’ll look at zero-knowledge proofs – what they are, how they work and what types of privacy problems they can address. Specifically, we’ll show how you can prove that you know a secret without actually revealing the secret.

In other news: Florida may be implementing an age-gating law; the UK government is now considering a ban on VPNs; 17 more people browser plugins that steal your data; popular apps used to harvest data using real-time bidding; police unmask millions of surveillance targets due to Flock redaction failures; AI company sued for secretly scoring job seekers; Microsoft gives BitLocker keys to FBI; and the FTC finalizes restrictions on GM car data gathering and sharing.

Having data privacy laws are great. But if those laws can’t be practically enforced or your rights easily asserted, they’re not very useful. Modern cars are chock full of sensors, many of which are used to monitor the passengers and collect personal data. But cars are subject to privacy laws, too. Opting out of data collection or requesting data deletion should be straightforward. Andrea Amico and Merry Marwig from Privacy4Cars just completed a massive study on this, and the vast majority of auto brands had horrible user experiences for data management. They will share their findings with us on today’s show.

AI has many problems, but also has promise. Today I’m going to focus on one particular problem that has some viable solutions: privacy. Chat bots like ChatGPT, Gemini and Claude all require your queries to be processed in the cloud. All the personal questions we ask are probably being logged against our identity and could be used to train future AI models or to present us with targeted ads. But there are alternatives that protect your data – I’ll give you a handful of solid options.

In other news: a Texas court has blocked the app store age verification law; Flock’s people-tracking cameras have horrible security; PornHub confirms data leak due to third party; stalkerware maker pleads guilty; Texas sues 5 TV makers over data collection; Wegman’s grocery using facial recognition in NYC; New York’s surveillance pricing transparency law goes into effect; DROP tool debuts in California for deleting broker data; two Chrome extensions caught stealing chat bot session text; ChatGPT rolls out new Health tool.

There are a ton of messaging apps on the market – and there are actually quite a few that are very secure and private. I would argue that there is no such thing as a “perfect” secure messaging app. There are several threat models to account for, each with different requirements. Today we’re going to talk about the pros and cons of decentralized messaging with the co-founder of Session, Kee Jeffreys. These messaging apps don’t rely on a set of servers hosted by the provider, but rather on a mesh of nodes run by hundreds or thousands of others. We’ll also discuss the importance of protecting metadata and the notion of “permissionless access”. Session just announced support for key features in the upcoming version 2 of their protocol, including Perfect Forward Secrecy (PFS) and post-quantum encryption.

Every week, I record a special, private bonus podcast for my patrons. Normally all of that content is restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Yael Grauer (Consumer Reports), Josh Summers (All Things Secured), Lisa LeVasseur (Internet Safety Labs), Josh Corman (UnDisruptable27), Andy Liddell (EdTech Law Center), Carissa Véliz (author, professor), Eamonn Maguire (Proton), Grace Menna & Adrien Ogee (Cyber Resilience Corps). Enjoy!

I’m digging into the vault for a classic interview – a blast from the past! I’ve done 460 episodes over the last nearly 9 years, and some of the best old episodes still hold up well today. I first interviewed Troy Hunt, creator of Have I Been Pwned, in February of 2019. It was Episode 102 and it was entitled “You Must Stop Reusing Passwords”. In this episode we talk a little about the origins of HIBP, password security, data breaches and brokers, and how to keep our accounts secure. I’ve added some new commentary, but the original episode is preserved in all of its glory!

I’ve had some truly amazing interviews this past year. For your listening enjoyment, I’ve curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you’ve never listened to my podcast, this will give you a taste of what you’re missing! If you’re a regular listener, this will be a fun trip down memory lane, complete with new commentary. You’ll hear from Dr Paul Ashley (CEO/Founder of MySudo), Yael Grauer (Consumer Reports), Weld Pond (L0pht), Lisa LaVasseur (Internet Safety Labs), Zach Edwards (Silent Push), Bruce & Heidi Potter (Shmoocon), Deviant (physical security expert), Cory Doctorow (author, activist, EFF), Monique Priestley (VT State Rep), Carissa Véliz (author, professor), Adrian Ogee (CyberPeace Builders).Enjoy!

Way before the world wide web, computer enthusiasts were sharing information via digital bulletin board systems (BBS). This amounted to attaching a modem to your home computer and allowing other people to dial in from their computers (one at a time) to download “textfiles” and share “warez” – or cracked software applications, often games. This scene gave rise to several electronic “zines” that published articles on hacking and phone phreaking techniques. One of the most popular zines, Phrack, was started in 1985 and is still going strong forty years later. Today we’ll discuss the colorful and storied history of this pioneering zine with two Phrack editors, skyper and TMZ.

With the holiday season come holiday scams – and honestly, just more scammer activity across the board, in general. People are busy and buying lots of stuff, and it’s a time when we’re more vulnerable to schemes to take our money and infect our devices. Today we’ll talk about a few current scams going around and give some solid advice to avoid becoming a victim.

In the news: FCC scraps cybersecurity rules for telcos; WhatsApp flaw exposed 3.5B phone numbers; ClickFix scam update; Border Patrol is monitoring US drivers for ‘suspicious’ travel patterns; a tricky Apple Support scam; USPS and EZ-Pass scams; a cool new tool for monitoring your home network for rogue devices; state and local cyber grant program to be renewed; airlines shut down program that sold your flight records; CA court ends electricity surveillance program; also, a few more holiday gift ideas!