
Firewalls Don't Stop Dragons Podcast

Carey Parker

Available Episodes

5 of 400
  • Dividing Trust
    VPNs were not invented for privacy, despite the name - they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you're shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it's the key technology behind new services like Apple's Private Relay and Obscura VPN. Today we'll discuss the benefits of this approach with Obscura's founder, Carl Dong.

    Interview Notes
      • Obscura VPN: https://obscura.net/
      • Wireguard: https://en.wikipedia.org/wiki/WireGuard
      • Obscura Wireguard configuration tool: https://obscura.net/#faq-wireguard-config
      • QUIC explainer video: https://www.youtube.com/watch?v=HnDsMehSSY4
      • Masque: https://datatracker.ietf.org/wg/masque/about/
      • Privacy Pass: https://privacypass.github.io/
      • Anubis: https://anubis.techaro.lol/docs/design/how-anubis-works/
      • How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support the mission: https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:01:16: Interview setup
      • 0:04:46: Lingo definitions
      • 0:09:48: Why do we need yet another VPN?
      • 0:15:00: How does Obscura differ from Apple Private Relay and Tor?
      • 0:21:59: How little info can you give to set up an Obscura account?
      • 0:25:33: What is the Bitcoin Lightning Network?
      • 0:27:30: How can we know how much logging a VPN provider is doing?
      • 0:35:04: Does Obscura have the same quirks as regular VPNs?
      • 0:42:10: How vulnerable are you to being taken down by governments?
      • 0:46:11: What are the core technologies in Obscura?
      • 0:50:49: What do you think about Safing's IP-per-connection idea?
      • 0:54:00: Are you planning to expand your partner VPNs?
      • 0:56:41: How does Obscura handle the TunnelVision problem?
      • 0:59:57: What is the roadmap for supporting other operating systems?
      • 1:03:14: What's next for Obscura?
      • 1:04:32: Interview wrap-up
      • 1:09:19: Patron podcast preview
      • 1:09:50: Looking ahead
    --------  
    1:10:19
  • Slay Message Snoopers
    There are way too many messenger apps today. It's a sad state of affairs and I don't see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren't really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it's not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I'm going to suggest you try Signal.

    In other news: study finds Canadians' health data being sold to drug makers; DOGE worker's computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers over privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.

    Article Links
      • [cbc.ca] Millions of Canadians' health data available for sale to pharmaceutical industry, study shows https://www.cbc.ca/news/health/health-data-records-pharmaceutical-private-clinics-1.7529955
      • [micahflee.com] DOGE bro Kyle Schutt's computer infected by malware, credentials found in stealer logs https://micahflee.com/doge-bro-kyle-schutts-computer-infected-by-malware-credentials-found-in-stealer-logs/
      • [jacobin.com] Airlines Are Selling Your Data to ICE https://jacobin.com/2025/05/airlines-data-ice-trump-immigration/
      • [The Hacker News] BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
      • [The Hacker News] Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection https://thehackernews.com/2025/05/google-pays-1375-billion-to-texas-over.html
      • [9news.com] Denver will stop using license plate reader cameras amid privacy worries https://www.9news.com/article/news/local/local-politics/license-plate-reader-camera-data-security-concerns/73-9c570252-9d1c-4e5c-b042-c12392aa1081
      • [arstechnica.com] Jury orders NSO to pay $167 million for hacking WhatsApp users https://arstechnica.com/security/2025/05/jury-orders-nso-to-pay-167-million-for-hacking-whatsapp-users/

    Tip of the Week: Slay Snoopers: https://firewallsdontstopdragons.com/dragon-hacks-slay-snoopers/

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support our mission! https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:00:43: News preview
      • 0:02:53: Millions of Canadians' health data available for sale to pharmaceutical industry
      • 0:08:39: DOGE engineer's computer infected by malware
      • 0:14:38: Airlines Are Selling Your Data to ICE
      • 0:22:05: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in US, Dutch Operation
      • 0:28:04: Google Pays $1.375 Billion to Texas Over Unauthorized Tracking and Biometric Data Collection
      • 0:30:21: Denver will stop using license plate reader cameras amid privacy worries
      • 0:34:54: Jury orders NSO to pay $167 million for hacking WhatsApp users
      • 0:39:17: Tip of the Week: Slay Snoopers
      • 0:44:31: Wrap-up
    --------  
    45:24
  • Shelter from the Storm
    Almost exactly two years ago, "Five Eyes" intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People's Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.

    Interview Notes
      • UnDisruptable27: https://securityandtechnology.org/undisruptable27/
      • Critical Effect conference (DC): http://critical-effect.org/
      • Congressional hearing, CCP cyber threat to national security: https://selectcommitteeontheccp.house.gov/committee-activity/hearings/hearing-notice-ccp-cyber-threat-american-homeland-and-national-security
      • Josh’s RSA talk (2024): https://www.youtube.com/watch?v=dhJvslRRlFc
      • UnDisruptable27 video 1: https://www.youtube.com/watch?v=GnozKc3gFsM
      • UnDisruptable27 video 2: https://www.youtube.com/watch?v=d8UsrMRvt14
      • Cyber Resilience Corps: https://cltc.berkeley.edu/program/cyber-resilience-corps/
      • Cyber Volunteer Resource Center: https://www.cisa.gov/audiences/high-risk-communities/cybervolunteerresourcecenter

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support the mission: https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:03:49: Lingo explanations
      • 0:07:26: What is UnDisruptable27 and why did you start it?
      • 0:16:47: How does this relate to China's intention to invade Taiwan?
      • 0:22:00: What are the psychological impacts of this sort of attack?
      • 0:25:31: How long might it take to recover from this sort of attack?
      • 0:33:12: If this threat is so dire, why aren't we scrambling to address it?
      • 0:37:24: Do Russia, Iran and North Korea pose similar threats?
      • 0:41:32: How can we surface single points of failure from secondary sources?
      • 0:49:21: Can't we also do this to our adversaries? Is that a deterrence?
      • 0:53:45: What should our government be doing about this?
      • 0:58:39: How can we incentivize private companies to take action?
      • 1:01:55: What can we do, at home and in our communities?
      • 1:07:19: What's next for UnDisruptable27?
      • 1:10:47: Some final thoughts
      • 1:15:03: Patron bonus content
      • 1:15:29: Looking ahead
    --------  
    1:16:42
  • Disable Your MAID
    As we learned last week from Zach Edwards, our smartphones have a globally unique mobile ad ID, or MAID, that is automatically associated with everything we do on our phones... unless we take explicit steps to turn this off. Today I'll tell you how this works and why you should disable this insidious form of tracking.

    In other news: the FTC warns us about a new type of scam; dating app Raw exposed sensitive user data; a determined reporter documents his efforts to disable all the AI features in his Google phone; "juice jacking" is back with a tricky twist; Apple's AirPlay has a vulnerability whose fix may not reach all devices; Microsoft is pushing hard for passwordless accounts; Google Wallet allows you to verify your age without giving up personal info; and there's a new and troubling update to the Signalgate saga.

    Article Links
      • [lifehacker.com] The FTC Is Warning Consumers About a Scam on Discounted Monthly Bills https://lifehacker.com/money/ftc-monthly-services-scam
      • [techcrunch.com] Dating app Raw exposed users’ location data and personal information https://techcrunch.com/2025/05/02/dating-app-raw-exposed-users-location-data-personal-information/
      • [cnet.com] I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy https://www.cnet.com/tech/mobile/i-tried-to-turn-off-the-ai-on-my-pixel-9-it-wasnt-easy/
      • [arstechnica.com] iOS and Android juice jacking defenses have been trivial to bypass for years https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/
      • [wired.com] Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi https://www.wired.com/story/airborne-airplay-flaws/
      • [Bleeping Computer] Microsoft makes all new accounts passwordless by default https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-all-new-accounts-passwordless-by-default/
      • [blog.google] It’s now easier to prove age and identity with Google Wallet https://blog.google/products/google-pay/google-wallet-age-identity-verifications/
      • [404media.co] Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages https://www.404media.co/mike-waltz-accidentally-reveals-obscure-app-the-government-is-using-to-archive-signal-messages/

    Tip of the Week: Disable your Mobile Ad ID: https://firewallsdontstopdragons.com/disable-your-mobile-ad-id/

    Bonus Links
      • [consumerreports.org] Using Contactless Payments on Your Phone? Take These Smart Steps. https://www.consumerreports.org/money/digital-payments/using-contactless-payments-on-phone-take-these-smart-steps-a1152343770/
      • Micah Lee’s TM SGNL blogs: https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/ https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support our mission! https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
    Use these timestamps to jump to a particular section of the show.
      • 0:00:00: Intro
      • 0:01:09: News preview
      • 0:03:38: FTC Warning Consumers About a Scam on Discounted Monthly Bills
      • 0:06:51: Dating app Raw exposed users’ location data and personal information
      • 0:13:31: I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy
      • 0:20:30: iOS and Android juice jacking defenses have been trivial to bypass for years
      • 0:29:07: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
      • 0:35:06: Microsoft makes all new accounts passwordless by default
      • 0:40:35: It’s now easier to prove age and identity with Google Wallet
      • 0:47:42: Mike Waltz Accidentally Reveals Obscure App ...
    --------  
    1:06:23
  • Riding the Data Gravy Train
    Data brokers are out of control. While we think of them gathering data in order to target us with ads, they can actually use the targeted ad system (real-time bidding) to collect vast quantities of personal information. It's a very shady business and the primary players are trying hard to obfuscate what they're doing. Thankfully, we have people like my guest, Zach Edwards, whose investigations are ripping the cover off of these unscrupulous practices.

    Interview Notes
      • Zach Edwards: https://www.linkedin.com/in/zedwards/
      • Zach at Silent Push: https://www.silentpush.com/team/zach-edwards/
      • Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
      • Disable mobile ad ID (iOS): https://ssd.eff.org/module/how-to-get-to-know-iphone-privacy-and-security-settings#disable-ad-tracking
      • Disable mobile ad ID (Android): https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-ad-tracking

    Further Info
      • Dragon Coin Promo!! https://fdsd.me/promo425
      • Generate passphrases with a d20: https://d20key.com/#/
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support the mission: https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
    Use these timestamps to jump to a particular section of the show.
      • 0:00:00: Intro
      • 0:01:15: Last call for dragon coins!
      • 0:01:57: Interview setup
      • 0:03:01: Lingo definitions
      • 0:05:05: How did you get into ad tracking as a profession?
      • 0:12:57: How does Real-Time Bidding work?
      • 0:16:16: Who are the big players in this space?
      • 0:28:25: How does RTB leak data about us?
      • 0:42:47: How much info about us is actually inferred rather than explicit?
      • 0:46:09: Who else is looking to get hold of this ad data?
      • 0:50:33: How else is our data being abused?
      • 0:54:13: How does my data being leaked impact other people?
      • 0:56:04: Are government agencies doing enough to protect our data?
      • 0:57:53: Have we managed to fix any of the RTB system problems?
      • 0:59:56: Is there a way to have targeted ads AND privacy?
      • 1:05:31: So what can we do about this?
      • 1:09:26: Wrap-up: revisiting email aliases
      • 1:12:51: Patron bonus content preview
      • 1:13:33: Looking ahead
    --------  
    1:14:22


About Firewalls Don't Stop Dragons Podcast

A Podcast on Computer Security & Privacy for Non-Techies
Generated: 5/29/2025 - 9:54:55 PM