Firewalls Don't Stop Dragons Podcast

Holiday shopping season is here! And today I’ll give you the highlights of my annual Best & Worst Gift Guide for 2024, with regard to privacy and security. The worst offenders may not surprise you, though some have actually gotten worse since just last year. And I have a few new suggestions for people on your nice list!

In the news this week: another popular browser extension has gone rogue; Mozilla laid off 30% of their staff; FBI warns that bad guys are filing fraudulent emergency data requests to steal your private info; Apple quietly introduces a brilliant security feature that is frustrating cops; Microsoft will stop providing security updates for Windows 10 next October; a free decryptor was released for ShrinkLocker ransomware; Signal offers new call link feature; an air fryer app is sending your data to China; and Apple announces feature to share AirTag location with others including airlines to help find lost luggage.

Use these timestamps to jump to a particular section of the show.

Device manufacturers are breathing new life into old mundane products by connecting them to the internet, giving us the ability to monitor and control them from anywhere. However, this connection to the cloud works both ways. Not only do device makers now have unprecedented access to our usage and personal information, but they can hobble or limit our use of these devices at their whim. Today I’ll speak with IoT expert Stacey Higginbotham who is working with Consumer Reports and other consumer rights groups to bring more transparency to the smart device industry, and hopefully allow us to regain control over the devices we purchase.

Use these timestamps to jump to a particular section of the show.

Our location is being tracked mercilessly today, in several ways. In the digital age, location data is among the most sensitive information we share, providing a record of our daily lives that can reveal where we live, who we associate with, and our personal routines. For app developers, marketers, and even law enforcement, this data is a goldmine for the ‘app economy’. Today I’ll talk about the most common sources of location data and give you some tips for limiting the tracking.

In other news: the FTC files rule that requires canceling be just as easy as subscribing; CFPB takes action against worker surveillance; macOS Sequoia’s tightened app security may be annoying to some; it’s now legal to hack McFlurry machines to fix them; the EU makes vendors liable for software bugs; city sues Flock saying license plate readers are Unconstitutional; tracking world leaders with a fitness app; smartphone location tracking is out of control.

Use these timestamps to jump to a particular section of the show.

The first episode of Firewalls Don’t Stop Dragons Podcast aired on March 8, 2017 – almost 8 years ago now. Over that time, I’ve interviewed over 135 unique and amazing people, covered countless cybersecurity and privacy stories, and offered 100’s of tips for protecting your devices and data. To celebrate this momentous occasion, world-renowned cryptography guru Bruce Schneier has returned to for our traditional Podcentennial interview! We discuss several timely topics including the Crowdstrike incident, the pager bombing and supply attacks more generally, US election security, the open market for cyber vulnerabilities, US intelligence agencies’ focus on offense versus defense, how AI might actually benefit democracy and much more!

Use these timestamps to jump to a particular section of the show.

Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere – either directly or integrated with other popular apps. This technology is real and it’s here to stay, so it’s important that we understand what it is, how it works, and what the limitations are. Today I’ll explore some aspects of LLMs that you probably weren’t aware of.

In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; China attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn’t share personal information with AI chatbots.

Use these timestamps to jump to a particular section of the show.

L0pht Heavy Industries (pronounced “loft”) was one of the most influential hacker groups in history. Unlike many others, L0pht carefully cultivated a relationship with mass media, sold profitable products, started businesses, and even testified before the US Senate. Cris Thomas, aka Space Rogue, was one of the earliest members of the L0pht and he recently published a book chronicling the groups long and storied history called Space Rogue: How the Hackers Known As L0pht Changed the World. Today I sit down with Cris to discuss that history and the impacts that the L0pht and other hacker groups have had on all of us.

Use these timestamps to jump to a particular section of the show.

Sometimes it’s obvious when your accounts are hacked. Maybe your money is gone. Maybe you can no longer log in using the password you know is correct. Maybe everyone you know has gotten a scam email from you that you didn’t send. But sometimes bad guys aren’t so obvious. They may lurk around in your accounts to gather information for identity theft or in hopes of gaining access to other more lucrative accounts. I’ll tell you how to find out.

In other news: CA governor vetoes opt-out signal bill but signs car privacy bill; 23andMe is in trouble and your data may be, too; PayPal opted you into data sharing without asking; Kaspersky deletes itself and installs UltraAV without asking; 100 million Americans had background data leaked; researchers add facial recognition tech to Meta’s smart glasses; NIST updates password rules to with common sense changes; US & Microsoft seize 100+ web domains used by Russian hackers.

Use these timestamps to jump to a particular section of the show.

Two security researchers showed how many modern VPN services are vulnerable to malicious misconfiguration, exposing some or all of your internet traffic. While this is not likely to impact most of us, it does expose the limitations of Virtual Private Networks and why they are not silver bullets for security of privacy – despite many marketing claims to the contrary. Today we’ll discuss how TunnelVision works, how it can be mitigated, and how this affects different privacy threat models with the two researchers from Leviathan Security, Dani Cronce and Lizzie Moratti.

Use these timestamps to jump to a particular section of the show.

We often think of malware as a problem for our computers and perhaps our smartphones. But bad guys love to hack our home routers and IoT devices, as well. Thankfully, purging malware from those types of devices can usually be done just by rebooting them. (There’s a reason tech support always asks you to try turning your device off and back on again.) I’ll explain why this works and what you should do to protect your connected devices.

In other news: I explain why most people are not in danger of their devices blowing up; a new Windows phishing campaign uses fake CAPTCHAs and PowerShell; LinkedIn started training their AI on your data before telling you how to opt out; Oracle’s CEO touts his vision of ubiquitous AI surveillance; Ford seeks a patent to show you ads in your vehicle based on your conversations and other private data; Meta admits to scraping public Instagram and Facebook posts to train its AI; four great new iOS 18 privacy and security features; Apple Intelligence servers are very basic, for a reason; and the FBI shuts down a massive Chinese botnet.

Use these timestamps to jump to a particular section of the show.

You may be vaguely aware of the term ‘quantum computing’ from media reports. But what you may not have picked up on is that one of the primary uses for quantum computers may be to break data encryption. Furthermore, you may not realize that if three-letter agencies can save off our encrypted emails and messages now, this could mean they could read them in the future when sufficiently powerful quantum computing becomes viable. How does this work? And what can we do about it now to protect our privacy in the future? We’ll dig into all of this today with Brandon Sundh from Tuta (formerly Tutanota), a prominent secure email company, who is already deploying such protections.

Use these timestamps to jump to a particular section of the show.