
Firewalls Don't Stop Dragons Podcast

Carey Parker

Available Episodes

5 of 400
  • Travel Insecurity
    Going through border security today - even just returning to your own country - is not as simple and stress-free as it should be. The likelihood of our digital devices being searched by a border agent has increased in recent years and political sensitivities today can be high. Our devices have access to a ridiculous amount of extremely personal information. How can we protect ourselves? The answers aren't great, but I'll give the current best advice from immigration lawyers and civil rights groups. In other news: the Apple-UK data privacy court case will be at least partially public; some companies are ignoring automated opt-out signals; Waymo may use interior car video to train its AI; data breaches at Hertz and a Planned Parenthood medical lab; air travel group paints a picture of future use of facial recognition; San Francisco police have a new surveillance center; Ukraine drones come with anti-Russian malware; judge rules that 'cell tower dumps' require a warrant. Article Links [bbc.com] Apple-UK data privacy row should not be secret, court rules https://www.bbc.com/news/articles/cvgn1lz3v4no [innovation.consumerreports.org] New Report: Many Companies May Be Ignoring Opt-Out Requests Under State Privacy Laws https://innovation.consumerreports.org/new-report-many-companies-may-be-ignoring-opt-out-requests-under-state-privacy-laws/ [techcrunch.com] Waymo may use interior camera data to train generative AI models, but riders will be able to opt out https://techcrunch.com/2025/04/08/waymo-may-use-interior-camera-data-to-train-generative-ai-models-sell-ads/ [Bleeping Computer] US lab testing provider exposed health data of 1.6 million people https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/ [9to5mac.com] PSA: Hertz belatedly says customer personal data stolen, inc credit card details https://9to5mac.com/2025/04/15/psa-hertz-belatedly-says-customer-personal-data-stolen-inc-credit-card-details/ 
[theguardian.com] Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans https://www.theguardian.com/world/2025/apr/11/boarding-passes-and-check-in-to-be-scrapped-in-air-travel-shake-up-plans [cbsnews.com] San Francisco Police's new surveillance hub being credited with 20% drop in crime https://www.cbsnews.com/sanfrancisco/news/san-francisco-police-surveillance-hub-real-time-investigation-center/ [forbes.com] Russians Capture Ukrainian Drones Which Infect Their Systems With Malware https://www.forbes.com/sites/vikrammittal/2025/04/02/russians-capture-ukrainian-drones-which-infect-their-systems-with-malware/ [404media.co] Judge Rules Blanket Search of Cell Tower Data Unconstitutional https://www.404media.co/judge-rules-blanket-search-of-cell-tower-data-unconstitutional/ Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity/  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/  How and why to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Table of Contents 0:00:00: Intro 0:00:24: Update Apple stuff 0:00:42: Dragon coin promo! 0:01:32: News preview 0:04:11: Apple-UK data privacy row should not be secret, court rules 0:08:14: Many Companies May Be Ignoring Opt-Out Requests 0:14:20: Waymo may use interior camera data to train generative AI models 0:19:56: US lab testing provider exposed health data of 1.
    --------  
    1:05:30
  • Life on the Blue Team
    It's easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we'll delve into the world of the "blue team" - the defenders who are charged with protecting your data and the services you depend on - with cyber expert Oz Jones. Along the way, we'll learn valuable lessons for everyone. Interview Notes Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/  Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/  CIS Controls: https://www.cisecurity.org/controls  Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:29: Patron promo is LIVE! 0:01:16: Correction 0:01:49: Interview setup 0:04:44: Jargon definitions 0:06:39: How did you get into cyber incident response? 0:09:56: What does it mean to be on the Blue Team? 0:13:25: What are the most impactful cyber threats to companies today? 0:16:34: Are people or companies most at risk for ransomware attacks? 0:19:57: What impact has cyber insurance had on cyber security? 0:21:02: What are the most common types of attacks on companies? 0:23:59: How should companies educate their employees about cyber threats? 
0:30:48: How does working from home or using personal devices impact cyber attacks? 0:35:22: How can you protect your company against supply chain attacks? 0:38:45: What resources are available to help companies prepare? 0:41:07: How can we detect attacks and malware infections? 0:44:22: After an attack, how do you respond? 0:48:05: What are my legal obligations for notifying my customers? 0:50:25: Are table top simulations useful? 0:52:07: Are there incident response consultants you can hire? 0:53:05: Can you recommend some helpful resources? 0:56:11: As consumers, how can we make better choices? 0:58:22: Interview wrap-up 1:01:51: Troy Hunt was pwned 1:03:04: Patron bonus preview 1:04:32: Looking ahead
    --------  
    1:05:18
  • Differential Privacy
    When we collect a lot of personal data, say via the US Census, the goal is to glean important aggregate information and statistics, while somehow preserving the anonymity and privacy of the individual respondents. There's a rigorous mathematical process for doing this - that's actually not that hard to understand - called Differential Privacy. I'll explain how it works. In the news: iOS has a new location privacy setting; Google confirms it's rolling out AI to Gmail; Windows makes it much harder to avoid creating a Microsoft Account; WhatsApp is rolling out AI in Europe with no way to opt out; Switzerland is considering undermining encrypted communications; 23andMe is going bankrupt - it's time to delete your data; France rejects a backdoor mandate; and finally, I have a lot to say about the US officials' Signal chat debacle. Article Links [9to5mac.com] iOS 18.4 includes a new location services privacy setting for your iPhone https://9to5mac.com/2025/04/02/ios-iphone-new-location-services-privacy-toggle/ [forbes.com] Google Confirms Gmail Upgrade—3 Billion Users Must Now Decide https://www.forbes.com/sites/zakdoffman/2025/03/22/google-confirms-gmail-upgrade-3-billion-users-must-now-decide/ [windowscentral.com] Microsoft will force Windows 11 installs to use a Microsoft Account — confirms removal of popular setup bypass https://www.windowscentral.com/software-apps/windows-11/microsoft-will-force-windows-11-installs-to-use-a-microsoft-account-confirms-removal-of-popular-setup-bypass [Bleeping Computer] WhatsApp's Meta AI is now rolling out in Europe, and it can't be turned off https://www.bleepingcomputer.com/news/artificial-intelligence/whatsapps-meta-ai-is-now-rolling-out-in-europe-and-it-cant-be-turned-off/ [techradar.com] Secure encryption and online anonymity are now at risk in Switzerland – here's what you need to know 
https://www.techradar.com/vpn/vpn-privacy-security/secure-encryption-and-online-anonymity-are-now-at-risk-in-switzerland-heres-what-you-need-to-know [arstechnica.com] FTC: 23andMe buyer must honor firm’s privacy promises for genetic data https://arstechnica.com/tech-policy/2025/04/ftc-watching-23andme-bankruptcy-sale-for-impact-on-users-genetic-data/ [schneier.com] The Signal Chat Leak and the NSA https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html [eff.org] A Win for Encryption: France Rejects Backdoor Mandate https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate How Differential Privacy Works: https://firewallsdontstopdragons.com/how-differential-privacy-works/  Further Info Dragon Coin Promo!! https://fdsd.me/promo425 Generate passphrases with a d20: https://d20key.com/#/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:28: Coin promo teaser 0:02:47: News preview 0:05:21: iOS 18.4 includes a new location services privacy setting 0:10:09: Google Confirms Gmail AI Upgrade 0:16:41: Microsoft will force Windows 11 installs to use a Microsoft Account 0:20:57: WhatsApp's Meta AI is now rolling out in Europe 0:23:32: Secure encryption and online anonymity are now at risk in Switzerland 0:27:33: FTC: 23andMe buyer must honor firm’s privacy promises for genetic data 0:35:09: The Signal Chat Leak 0:53:05: A Win for Encryption: France Rejects Backdoor Mandate 0:56:14: Tip of the Week: Differential Privacy 1:06:20: Coin promo details 1:11:04: Merlin's Musings topic 1:11:29: Looking ahead
    --------  
    1:12:05
  • Microscoping Our Apps
    We've been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what's in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don't fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they're really doing. Interview Notes Internet Safety Labs: https://internetsafetylabs.org/ App Microscope: https://appmicroscope.org/  Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/  Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/  Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic  Exodus Privacy: https://exodus-privacy.eu.org/en/  Henrietta Lacks: https://en.wikipedia.org/wiki/Henrietta_Lacks  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  My social media: https://firewallsdontstopdragons.com/contact/  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:00: Intro 0:00:31: Note on 23andMe 0:01:35: Follow my social media 0:01:58: Signal debacle 0:02:39: Interview setup 0:07:06: What is Internet Safety Labs and what do you do there? 0:09:49: What are the privacy risks with EdTech? 0:16:31: How did the pandemic impact EdTech software? 
0:19:02: How does the "notice and consent" model work with EdTech software? 0:25:26: Do app makers even know what's in their own software? 0:28:11: How do ads inside our apps get there? 0:30:45: How does App Microscope work? 0:32:33: How does safety differ from security? 0:34:37: What can you learn from the data and metadata an app generates? 0:37:22: Do you study "dark patterns" in apps? 0:41:42: How do you determine the software makeup of a given app? 0:47:10: How accurate are the app privacy "nutrition" labels? 0:51:58: How important are the non-technical aspects of an app for safety? 0:56:33: How do I use the App Microscope tool? 1:00:38: How can we support your efforts? 1:04:41: Interview follow-up 1:08:51: Burp Suite info 1:09:32: Patron bonus preview 1:10:27: Looking ahead
    --------  
    1:10:56
  • It’s Tax (Scam) Time Again
    Tax time is once again upon us here in the USA, which means that the tax scammers are coming out of the woodwork. Many will claim to be representing the IRS, claiming that there is an urgent need to fix a problem with your return, threatening penalties if you don't pay them money. Others will simply try to file fake returns in your name, but send the massive false refund checks to themselves. I'll help you spot and avoid these scams. In other news: Apple's Passwords app was vulnerable to phishing attacks (now fixed); Amazon is forcing Echo owners to share voice recordings; the Bluetooth chip "backdoor" that wasn't; Captchas were used by Google to translate books and Street View images; ICE uses third party tool to scrape tons of your data; beware of online file converters; Clearview AI attempted to buy millions of mugshots; RCS messaging will soon allow end-to-end encrypted chats between iPhones and Android phones. Article Links [9to5mac.com] Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch https://9to5mac.com/2025/03/18/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch/ [arstechnica.com] Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/ [darkmentor.com] The ESP32 "backdoor" that wasn't https://darkmentor.com/blog/esp32_non-backdoor/ [techradar.com] Captcha if you can: how you’ve been training AI for years without realising it https://www.techradar.com/news/captcha-if-you-can-how-youve-been-training-ai-for-years-without-realising-it [404media.co] The 200+ Sites an ICE Surveillance Contractor is Monitoring https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/ [malwarebytes.com] Warning over free online file converters that actually install malware 
https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware [404media.co] Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database https://www.404media.co/facial-recognition-company-clearview-attempted-to-buy-social-security-numbers-and-mugshots-for-its-database/ [appleinsider.com] RCS messaging will get end-to-end encryption on iPhone https://appleinsider.com/articles/25/03/14/rcs-messaging-will-get-end-to-end-encryption-on-iphone Tip of the Week: https://firewallsdontstopdragons.com/its-tax-scam-time/  Further Info Data Diva interview: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker  Malwarebytes interview: https://www.malwarebytes.com/blog/podcast/2025/03/what-google-chrome-knows-about-you-with-carey-parker-lock-and-code-s06e06  Amazon Mechanical Turk: https://en.wikipedia.org/wiki/Amazon_Mechanical_Turk  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Recommend news stories: send to news [at] firewallsdontstopdragons.com  Send me your questions! https://fdsd.me/qna  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:00: Intro 0:00:21: Guest appearances 0:01:22: News preview 0:03:50: Apple’s Passwords app was vulnerable to phishing attacks for nearly three months 0:10:41: Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out 0:21:30: The ESP32 "backdoor" that wasn't 0:29:16: Captcha if you can: how you’ve been training AI for years without realising it 0:35:08: The 200+ Sites an ICE Surveillance Contractor is Monitoring 0:43:10: Warning over free online file converters that actually install malware
    --------  
    58:32


About Firewalls Don't Stop Dragons Podcast

A Podcast on Computer Security & Privacy for Non-Techies

Generated: 4/24/2025 - 5:20:18 PM