Tracking our faces and whereabouts is getting out of control. It's a mass surveillance infrastructure that keeps growing in Borg-like fashion. Facial recognition and license plate readers are proliferating at a stupefying pace and companies like Flock are consolidating the collected data and packaging it up for sale to law enforcement agencies. Even if no human in these agencies were to abuse this data, it's creating an irresistible target for scheming hackers and nation states keen on espionage. The longer we let this go, the harder it will be to stop.
In today's news: Asus routers are being hacked and you need to take action; 23andMe has been sold, along with its users' genetic data; AI-generated videos have just become way more realistic; US government taps surveillance company to centralize all its citizen data; CFPB regulation limiting data brokers is axed; Kroger is packaging and selling its customer loyalty data; automated license plate reader data use is expanding in scary ways; Android phones gain key new security feature; EU court rules that real-time bidding data gathering is illegal; Montana is first state to plug data broker loophole; and I relate my recent privacy experience at the US border.
Article Links
[LifeHacker.com] If You Have an Asus Router, You Need to Check If It's Been Hacked https://lifehacker.com/tech/asus-routers-hacked
[404media.co] 23andMe Sale Shows Your Genetic Data Is Worth $17 https://www.404media.co/23andme-sale-shows-your-genetic-data-is-worth-17/
[lifehacker.com] You Are Not Prepared for This Terrifying New Wave of AI-Generated Videos https://lifehacker.com/tech/you-are-not-prepared-for-this-new-wave-of-ai-generated-videos
[nytimes.com] Trump Taps Palantir to Compile Data on Americans https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html
[techcrunch.com] White House scraps plan to block data brokers from selling Americans’ sensitive data https://techcrunch.com/2025/05/14/white-house-scraps-plan-to-block-data-brokers-from-selling-americans-sensitive-data/
[therecord.media] Consumer Reports: Kroger using loyalty program to package, sell customer data https://therecord.media/kroger-using-loyalty-program-to-sell-customer-data
[404media.co] A Texas Cop Searched License Plate Cameras Nationwide for a Woman Who Got an Abortion https://www.404media.co/a-texas-cop-searched-license-plate-cameras-nationwide-for-a-woman-who-got-an-abortion/
[404media.co] License Plate Reader Company Flock Is Building a Massive People Lookup Tool, Leak Shows https://www.404media.co/license-plate-reader-company-flock-is-building-a-massive-people-lookup-tool-leak-shows/
[arstechnica.com] Android phones will soon reboot themselves after sitting unused for 3 days https://arstechnica.com/gadgets/2025/04/android-phones-will-soon-reboot-themselves-after-sitting-unused-for-3-days/
[signal.org] By Default, Signal Doesn't Recall https://signal.org/blog/signal-doesnt-recall/
[therecord.media] EU court rules that tracking-based online ads are illegal https://therecord.media/eu-court-rules-tracking-based-ads-illegal
[eff.org] Montana Becomes First State to Close the Law Enforcement Data Broker Loophole https://www.eff.org/deeplinks/2025/05/montana-becomes-first-state-close-law-enforcement-data-broker-loophole
Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity-update/
The Atlantic: How to Disappear https://www.theatlantic.com/ideas/archive/2025/05/extreme-personal-data-privacy-protection/682867/
BADBOOL data removal service list: https://docs.google.com/spreadsheets/d/115L6LpQg_UX638IyUfdwGhRS7dIU3lKwz6fjAcDtE-0/edit?gid=0#gid=0
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
--------
1:26:01
Dividing Trust
VPNs were not invented for privacy, despite the name - they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you're shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it's the key technology behind new services like Apple's Private Relay and Obscura VPN. Today we'll discuss the benefits of this approach with Obscura's founder, Carl Dong.
Interview Notes
Obscura VPN: https://obscura.net/
Wireguard: https://en.wikipedia.org/wiki/WireGuard
Obscura Wireguard configuration tool: https://obscura.net/#faq-wireguard-config
QUIC explainer video: https://www.youtube.com/watch?v=HnDsMehSSY4
Masque: https://datatracker.ietf.org/wg/masque/about/
Privacy Pass: https://privacypass.github.io/
Anubis: https://anubis.techaro.lol/docs/design/how-anubis-works/
How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:01:16: Interview setup
0:04:46: Lingo definitions
0:09:48: Why do we need yet another VPN?
0:15:00: How does Obscura differ from Apple Private Relay and Tor?
0:21:59: How little info can you give to set up an Obscura account?
0:25:33: What is the Bitcoin Lightning Network?
0:27:30: How can we know how much logging a VPN provider is doing?
0:35:04: Does Obscura have the same quirks as regular VPNs?
0:42:10: How vulnerable are you to being taken down by governments?
0:46:11: What are the core technologies in Obscura?
0:50:49: What do you think about Safing's IP-per-connection idea?
0:54:00: Are you planning to expand your partner VPNs?
0:56:41: How does Obscura handle the TunnelVision problem?
0:59:57: What is the roadmap for supporting other operating systems?
1:03:14: What's next for Obscura?
1:04:32: Interview wrap-up
1:09:19: Patron podcast preview
1:09:50: Looking ahead
--------
1:10:19
Slay Message Snoopers
There are way too many messenger apps today. It's a sad state of affairs and I don't see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren't really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it's not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I'm going to suggest you try Signal.
In other news: study finds Canadian's health data being sold to drug makers; DOGE worker's computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers of privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.
Article Links
[cbc.ca] Millions of Canadians' health data available for sale to pharmaceutical industry, study shows https://www.cbc.ca/news/health/health-data-records-pharmaceutical-private-clinics-1.7529955
[micahflee.com] DOGE bro Kyle Schutt's computer infected by malware, credentials found in stealer logs https://micahflee.com/doge-bro-kyle-schutts-computer-infected-by-malware-credentials-found-in-stealer-logs/
[jacobin.com] Airlines Are Selling Your Data to ICE https://jacobin.com/2025/05/airlines-data-ice-trump-immigration/
[The Hacker News] BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
[The Hacker News] Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
[9news.com] Denver will stop using license plate reader cameras amid privacy worries https://www.9news.com/article/news/local/local-politics/license-plate-reader-camera-data-security-concerns/73-9c570252-9d1c-4e5c-b042-c12392aa1081
[arstechnica.com] Jury orders NSO to pay $167 million for hacking WhatsApp users https://arstechnica.com/security/2025/05/jury-orders-nso-to-pay-167-million-for-hacking-whatsapp-users/
Tip of the Week: Slay Snoopers: https://firewallsdontstopdragons.com/dragon-hacks-slay-snoopers/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:43: News preview
0:02:53: Millions of Canadians' health data available for sale to pharmaceutical industry
0:08:39: DOGE engineer's computer infected by malware
0:14:38: Airlines Are Selling Your Data to ICE
0:22:05: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in US, Dutch Operation
0:28:04: Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection
0:30:21: Denver will stop using license plate reader cameras amid privacy worries
0:34:54: Jury orders NSO to pay $167 million for hacking WhatsApp users
0:39:17: Tip of the Week: Slay Snoopers
0:44:31: Wrap-up
--------
45:24
Shelter from the Storm
Almost exactly two years ago, "Five Eyes" intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People's Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.
Interview Notes
UnDisruptable27: https://securityandtechnology.org/undisruptable27/
Critical Effect conference (DC): http://critical-effect.org/
Congressional hearing, CCP cyber threat to national security: https://selectcommitteeontheccp.house.gov/committee-activity/hearings/hearing-notice-ccp-cyber-threat-american-homeland-and-national-security
Josh’s RSA talk (2024): https://www.youtube.com/watch?v=dhJvslRRlFc
UnDisruptable27 video 1: https://www.youtube.com/watch?v=GnozKc3gFsM
UnDisruptable27 video 2: https://www.youtube.com/watch?v=d8UsrMRvt14
Cyber Resilience Corps: https://cltc.berkeley.edu/program/cyber-resilience-corps/
Cyber Volunteer Resource Center: https://www.cisa.gov/audiences/high-risk-communities/cybervolunteerresourcecenter
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:03:49: Lingo explanations
0:07:26: What is UnDisruptable27 and why did you start it?
0:16:47: How does this relate to China's intention to invade Taiwan?
0:22:00: What at the psychological impacts of this sort of attack?
0:25:31: How long might it take to recover from this sort of attacK?
0:33:12: If this threat is so dire, why aren't we scrambling to address it?
0:37:24: Do Russia, Iran and North Korea pose similar threats?
0:41:32: How can we surface single points of failure from secondary sources?
0:49:21: Can't we also do this to our adversaries? Is that a deterrence?
0:53:45: What should our government be doing about this?
0:58:39: How can we incentivze private companies to take action?
1:01:55: What can we do, at home and in our communities?
1:07:19: What's next for UnDisruptable27?
1:10:47: Some final thoughts
1:15:03: Patron bonus content
1:15:29: Looking ahead
--------
1:16:42
Disable Your MAID
As we learned last week from Zach Edwards, our smartphones have a globally unique mobile ad ID, or MAID, that is automatically associated with everything we do on our phones... unless we take explicit steps to turn this off. Today I'll tell you how this works and why you should disable this insidious form of tracking.
In other news: the FTC warns us about a new type of scam; dating app Raw exposed sensitive user data; a determined reporter documents his efforts to disable all the AI features in his Google phone; "juice jacking" is back with a tricky twist; Apple's AirPlay has a vulnerability whose fix may not reach all devices; Microsoft is pushing hard for passwordless accounts; Google Wallet allows you to verify your age without giving up personal info; and there's a new and troubling update to the Signalgate saga.
Article Links
[lifehacker.com] The FTC Is Warning Consumers About a Scam on Discounted Monthly Bills https://lifehacker.com/money/ftc-monthly-services-scam
[techcrunch.com] Dating app Raw exposed users’ location data and personal information https://techcrunch.com/2025/05/02/dating-app-raw-exposed-users-location-data-personal-information/
[cnet.com] I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy https://www.cnet.com/tech/mobile/i-tried-to-turn-off-the-ai-on-my-pixel-9-it-wasnt-easy/
[arstechnica.com] iOS and Android juice jacking defenses have been trivial to bypass for years https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/
[wired.com] Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi https://www.wired.com/story/airborne-airplay-flaws/
[Bleeping Computer] Microsoft makes all new accounts passwordless by default https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-all-new-accounts-passwordless-by-default/
[blog.google] It’s now easier to prove age and identity with Google Wallet https://blog.google/products/google-pay/google-wallet-age-identity-verifications/
[404media.co] Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages https://www.404media.co/mike-waltz-accidentally-reveals-obscure-app-the-government-is-using-to-archive-signal-messages/
Tip of the Week: Disable your Mobile Ad ID: https://firewallsdontstopdragons.com/disable-your-mobile-ad-id/
Bonus Links
[consumerreports.org] Using Contactless Payments on Your Phone? Take These Smart Steps. https://www.consumerreports.org/money/digital-payments/using-contactless-payments-on-phone-take-these-smart-steps-a1152343770/
Micah Lee’s TM SGNL blogs:
https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:01:09: News preview
0:03:38: FTC Warning Consumers About a Scam on Discounted Monthly Bills
0:06:51: Dating app Raw exposed users’ location data and personal information
0:13:31: I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy
0:20:30: iOS and Android juice jacking defenses have been trivial to bypass for years
0:29:07: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
0:35:06: Microsoft makes all new accounts passwordless by default
0:40:35: It’s now easier to prove age and identity with Google Wallet
0:47:42: Mike Waltz Accidentally Reveals Obscure App ...
México