Firewalls Don't Stop Dragons Podcast

With the rise of IoT and tracking technologies (both online and in the real word), we are generating staggering amounts of highly personal information. This massive trove of juicy data has drawn the attention of several interested parties outside the realm of consumer marketing. Like chum in the water, it's created a feeding frenzy from data aggregators as well as from law enforcement and intelligence agencies, both foreign and domestic. The journalists at 404 Media have published several blockbuster articles on this data ecosystem which have triggered backlashes from lawmakers and consumers alike. Today I'll speak with two of the founders: Joseph Cox and Jason Koebler. Interview Notes 404 Media: https://www.404media.co/ 404 Media podcast: https://www.404media.co/the-404-media-podcast/ 404 Media support: https://www.404media.co/faq/ Formation of 404 Media: https://www.nytimes.com/2023/08/22/business/media/404-media-vice-motherboard.html Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:03: Interview setup 0:02:45: How did 404 Media come to be? 0:12:00: When do we think law enforcement started buying our data? 0:15:39: What's up with companies listening to our conversations? 0:23:01: Where does law enforcement go to get our data? 0:27:46: How are video feeds being gathered and sold? 0:34:23: Can't all this data also be used by "bad guys"? 0:39:13: Is it legal for law enforcement to buy data from foreign sources? 0:44:28: Have your stories triggered responses from the US government? 0:50:01: Trust in media is low these days - how can we fix that? 0:59:37: How can we support good work like yours? 1:03:22: Wrap-up

Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere - either directly or integrated with other popular apps. This technology is real and it's here to stay, so it's important that we understand what it is, how it works, and what the limitations are. Today I'll explore some aspects of LLMs that you probably weren't aware of. In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; China attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn't share personal information with AI chatbots. Article Links [The Hacker News] Mozilla Warns of Active Exploitation in Firefox, Urges Users to Update Immediately https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html [therecord.media] National Public Data files for bankruptcy, citing fallout from cyberattack https://therecord.media/national-public-data-bankruptcy-cyberattack [techcrunch.com] Hackers were targeting Android users with Qualcomm zero-day https://techcrunch.com/2024/10/09/hackers-were-targeting-android-users-with-qualcomm-zero-day/ [pluralistic.net] China hacked Verizon, AT&T and Lumen using the FBI’s backdoor https://pluralistic.net/2024/10/07/foreseeable-outcomes/ [appleinsider.com] Future Passkeys will be able to be shared across platforms & password vaults https://appleinsider.com/articles/24/10/15/future-passkeys-will-be-able-to-be-shared-across-platforms-password-vaults [9to5mac.com] PSA: Here’s another reason not to include personal details in AI chats https://9to5mac.com/2024/10/17/psa-heres-another-reason-not-to-include-personal-details-in-ai-chats/ Tip of the Week: Understanding AI Chatbots Further Info Help me reach more people! https://fdsd.me/awareness2 Privacy Not Included chatbot privacy guide: https://foundation.mozilla.org/en/privacynotincluded/articles/how-to-protect-your-privacy-from-chatgpt-and-other-ai-chatbots/ Gandalf AI game: https://gandalf.lakera.ai/baseline Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:01: Google finally killing uBlock Origin 0:04:07: News preview 0:05:54: Mozilla Warns of Active Exploitation in Firefox 0:08:55: National Public Data files for bankruptcy 0:14:42: Hackers were targeting Android users with Qualcomm zero-day 0:19:14: China hacked Verizon, AT&T and Lumen using the FBI’s backdoor 0:26:10: Future Passkeys will be able to be shared across platforms & password vaults 0:31:08: Here’s another reason not to include personal details in AI chats 0:37:40: Tip of the Week: Understanding Chatbots 0:55:55: Wrapping up 0:56:35: Celebrating 400 episodes!

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Micah Lee (author, journalist), Nick Weaver (cybersecurity researcher), Kate Black (health data specialist), Jason Edison (OSINT expert), Dani Cronce and Lizzie Moratti (TunnelVision hack), Bruce Schneier (cryptographer, author), and Carissa Véliz (author, professor).

Original Interview Links

1. Ep358: Micah Lee https://podcast.firewallsdontstopdragons.com/2024/01/08/investigating-data-leaks/
2. Ep360: Nick Weaver https://podcast.firewallsdontstopdragons.com/2024/01/22/rise-of-the-slaughterbots/
3. Ep368: Kate Black https://podcast.firewallsdontstopdragons.com/2024/03/18/health-data-privacy/
4. Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/
5. Ep388: Jack Daniel https://podcast.firewallsdontstopdragons.com/2024/08/05/catch-you-on-the-bside/
6. Ep396: Dani Cronce & Lizzie Moratti https://podcast.firewallsdontstopdragons.com/2024/09/30/tunnelvision-vpns-and-you/
7. Ep400: Bruce Schneier https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/
8. Ep404: Carissa Véliz https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/

Related Links

1. Micah’s book: https://hacksandleaks.com/
2. Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/
3. Security BSides: https://bsides.org/w/page/12194156/FrontPage
4. Frankie’s Tiki Room (Las Vegas): https://frankiestikiroom.com/
5. Intel Techniques: https://inteltechniques.com/
6. TunnelVision: https://www.tunnelvisionbug.com/
7. Schneier Blog: https://www.schneier.com/
8. Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/

Further Info

• Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
• Subscribe to the newsletter: https://fdsd.me/newsletter
• Become a patron! https://www.patreon.com/FirewallsDontStopDragons
• Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
• Give the gift of privacy and security: https://fdsd.me/coupons
• Support our mission! https://fdsd.me/support

Table of Contents

Use these timestamps to jump to a particular section of the show.

• 0:00:24: New Years coming up
• 0:00:48: Show preview
• 0:02:33: Ep358: Micah Lee – the Snowden docs
• 0:11:48: Ep360: Nick Weaver – other types of killer drones
• 0:18:02: Ep368: Kate Black – how do you know if a site or app respects health privacy?
• 0:20:22: Ep386: Jason Edison – what’s it like trying to protect the privacy of celebrities?
• 0:26:53: Ep388: Jack Daniel – the story of the Les Pukelele
• 0:33:39: Ep396: Dani Cronce & Lizzie Moratti – getting into hacking
• 0:42:08: Ep400: Bruce Schneier – can we ever make our devices secure out of the box?
• 0:48:01: Ep404: Cariss Veliz – should STEM students be required to take ethics classes?
• 0:53:05: Wrap-up

It's tax time here again in the USA, and therefore it's also time for tax scams. I'll explain how to recognize common tax scams, how to respond to them, how to prevent scammers from taking over your IRS account and even filing fraudulent tax returns in your name. In other news: the Mother of All Breaches (MOAB) contains 26 billion records; 23andMe is in trouble after massive data breach and pending class action lawsuits; a viral story about a smart toothbrush botnet isn't true... but could have been; a clever hack of older computer TPM modules could expose encrypted hard drive data (but it's not easy to do); Malwarebytes has issued their 2024 malware report; the FBI and CISA are raising the alarm over Chinese hackers and key US infrastructure, as well as taking action to prevent it; you might want to consider creating a family password to defeat voice clone scams; Mozilla has released a new data deletion service; and Privacy4Cars has an interesting new mechanism for universally opting out of data collection. Article Links [cybernews] Mother of all breaches reveals 26 billion records https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/ [Fast Company] 23andMe at risk of being delisted from the Nasdaq as lawsuits mount https://www.fastcompany.com/91020738/23andme-risk-delisted-nasdaq-class-action-lawsuits [404media.co] The Viral Smart Toothbrush Botnet Story Almost Certainly Isn't Real https://www.404media.co/the-viral-toothbrush-ddos-botnet-story-almost-certainly-isnt-real/ [Tom's Hardware] YouTuber breaks BitLocker encryption in less than 43 seconds with sub-$10 Raspberry Pi Pico https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico [9to5Mac] Report: Mac security threats on the rise, here’s what to watch out for https://9to5mac.com/2024/02/06/report-mac-security-threats-on-the-rise/ [NBC News] FBI director to warn Chinese hackers aim to 'wreak havoc' on US critical infrastructure https://www.nbcnews.com/politics/national-security/fbi-director-warn-chinese-hackers-aim-wreak-havoc-us-critical-infrastr-rcna136524 [Ars Technica] Chinese malware removed from SOHO routers after FBI issues covert commands https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/ [cisa.gov] CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-secure-design-alert-urging-manufacturers-eliminate-defects-soho-routers [9to5Mac] FCC outlaws voice cloning robocalls after AI-generated voice claimed to be President Biden https://9to5mac.com/2024/02/08/voice-cloning-robocalls/ [Electronic Frontier Foundation] Worried about AI voice clone scams? Create a family password https://www.eff.org/deeplinks/2024/01/worried-about-ai-voice-clone-scams-create-family-password [The Verge] Firefox maker Mozilla has a new subscription to keep your info out of data brokers’ clutches https://www.theverge.com/2024/2/6/24062765/mozilla-monitor-plus-firefox-paid-subscription-privacy-data-broker-removal-requests [optoutcode.com] A Privacy4Cars Universal Opt-Out Concept https://optoutcode.com/ Tip of the Week: Avoiding Tax Scams https://firewallsdontstopdragons.com/how-to-avoid-tax-scams/ Further Info Secure Your Network: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ Davos speech, original: https://www.youtube.com/watch?v=fJoEPRQMBuY Davos speech, translated: https://www.youtube.com/live/6Fwv9Cek2F4?feature=shared&t=98 How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/ Send me your questions! https://fdsd.

Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I'll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loves ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others. In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too difficult to use. Article Links [MakeUseOf] Update Everything: This Critical WebP Vulnerability Affects Major Browsers and Apps https://www.makeuseof.com/critical-webp-vulnerability-affects-major-browsers-apps/ [Consumer Reports] Credit Bureaus Equifax, Experian, and TransUnion Announce Permanent, Free Weekly Access to Credit Reports https://www.consumerreports.org/money/credit-scores-reports/credit-bureaus-permanent-free-weekly-credit-report-access-a2226546788/ [proton.me] Introducing Proton CAPTCHA https://proton.me/blog/proton-captcha [The Washington Post] FTC consumer protection chief puts data brokers on notice https://www.washingtonpost.com/politics/2023/09/21/ftc-consumer-protection-chief-puts-data-brokers-notice/ [briankrebs] LastPass: ‘Horse Gone Barn Bolted’ is Strong Password https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/ [ZDNet] Why you can still trust (other) password managers, even after that LastPass mess https://www.zdnet.com/article/why-you-can-still-trust-other-password-managers-even-after-that-lastpass-mess/ [The Verge] ‘Hyundai Pay’ is the latest effort by car companies to make in-car payments a thing https://www.theverge.com/2023/9/6/23861412/hyundai-pay-parkopedia-in-car-payment [theprivacydad.com] Privacy Tools Are Not Worth the Hassle https://theprivacydad.com/privacy-tools-are-not-worth-the-hassle/ [TechCrunch] iOS 17 includes these new security and privacy features https://techcrunch.com/2023/09/18/ios-17-includes-these-new-security-and-privacy-features/ Tip of the Week: iOS 17 Security & Privacy: https://firewallsdontstopdragons.com/ios-17-security-privacy/ Further Info Secure Your Home Network article series: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: Delete Act update 0:00:59: BSides RDU 0:01:54: News rundown 0:04:20: Critical WebP Vulnerability Affects Major Browsers and Apps 0:12:22: Credit Bureaus Announce Permanent, Free Weekly Access to Credit Reports 0:17:24: Introducing Proton CAPTCHA 0:22:07: FTC consumer protection chief puts data brokers on notice 0:26:19: LastPass requiring users to create longer passwords 0:32:58: Why you can still trust (non-LastPass) password managers 0:43:01: ‘Hyundai Pay’ in-car payments coming 0:45:38: "Privacy Tools Are Not Worth the Hassle" 0:54:57: Tip of the Week: iOS 17 security & priv...