
Firewalls Don't Stop Dragons Podcast

Carey Parker

Available Episodes

5 of 408
  • Freezing Your Mobile Account
    Your cell phone number uniquely identifies you. Many companies rely on this 1-to-1 relationship to authenticate you to their systems. So if someone were to somehow manage to steal your mobile phone number - a hack called SIM swapping - they could use that to impersonate you and compromise any of your accounts that are validated via SMS or phone call. There's a new tool to combat this scam that's better than the old-style account PIN codes. I'll explain how it works. In the news: many Brother printers have serious cyber vulnerabilities; Belkin is abandoning Wemo smart devices next January; Xfinity's WiFi routers can detect motion in your entire home; Bluesky is rolling out age verification in the UK; California is using drones to catch the use of illegal fireworks; McDonald's AI hiring bot was hacked to expose millions of applicants' data; Mexican drug cartel hacked FBI phone to catch informants; US strikes blow against North Korean fake worker scams; Denmark is looking to ditch Microsoft products.

    Article Links
      • New Vulnerabilities Expose Millions of Brother Printers to Hacking https://www.securityweek.com/new-vulnerabilities-expose-millions-of-brother-printers-to-hacking/
      • Belkin pulls the plug on Wemo smart home products which will stop working in 2026 https://9to5google.com/2025/07/10/belkin-wemo-smart-home-shutdown-list/
      • Using WiFi Motion in the Xfinity app https://www.xfinity.com/support/articles/wifi-motion
      • Bluesky is rolling out age verification in the UK https://www.theverge.com/news/704468/bluesky-age-verification-uk-online-safety-act
      • Huge fines coming for Californians caught by drone with illegal fireworks https://www.sfgate.com/bayarea/article/california-drones-illegal-fireworks-20629637.php
      • McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/
      • Drug cartel hacked FBI official’s phone to track and kill informants https://arstechnica.com/security/2025/06/mexican-drug-cartel-hacked-fbi-officials-phone-to-track-informant-report-says/
      • Identities of More Than 80 Americans Stolen for North Korean IT Worker Scams https://www.wired.com/story/identities-of-80-plus-americans-stolen-for-north-korean-it-worker-scams/
      • Why Denmark is dumping Microsoft Office and Windows for LibreOffice and Linux https://www.zdnet.com/article/why-denmark-is-dumping-microsoft-office-and-windows-for-libreoffice-and-linux/
      • Tip of the Week: https://firewallsdontstopdragons.com/freezing-your-mobile-account/

    Further Info
      • Tom’s Hardware on WiFi Motion: https://www.tomshardware.com/networking/routers/new-xfinity-router-motion-detecting-feature-stokes-privacy-fears-feature-powered-by-wi-fi-signals
      • RockYou password list: https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/
      • LibreOffice: https://www.libreoffice.org/discover/libreoffice/
      • Eurostack: https://eurostack.eu/
      • Running Linux in a VM on Windows: https://itsfoss.com/install-linux-mint-in-virtualbox/
      • Age verification: https://www.privacyguides.org/articles/2025/05/06/age-verification-wants-your-face/
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support our mission! https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:00:17: DEF CON coming up fast
      • 0:03:34: News preview
      • 0:06:31: New Vulnerabilities Expose Millions of Brother Printers to Hacking
      • 0:11:51: Belkin pulls the plug on Wemo smart home products
      • 0:14:25: Using WiFi Motion in the Xfinity app
      • 0:21:19: Bluesky is rolling out age verification in the UK
      • 0:26:49: Huge fines coming for Californians caught by drone with illegal fireworks
      • 0:29:36: McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data
      • 0:35:31: Drug cartel hacked FBI official’s phone to track and k...
    --------  
    1:04:02
  • Defending Student Privacy
    Privacy risks are bad enough for adults - but it's much worse for our kids, particularly as students. Who provides notice and obtains consent for minors at school? In many cases it's not the parents, let alone the students - it's the school system. Not only are they opting the students into invasive data collection by profit-driven third parties, but they often also bind them to mandatory arbitration clauses, neutering their ability to seek legal redress for the inevitable violations. Today I'll discuss this horrid state of affairs with someone who is on the front lines of this battle for our children's right to privacy: co-founder of the EdTech Law Center, Andy Liddell.

    Interview Notes
      • EdTech Law Center: https://edtech.law/about-us/
      • EdTech current cases: https://edtech.law/cases/
      • Internet Safety Labs: https://internetsafetylabs.org/
      • The Right to Oblivion (book): https://www.hup.harvard.edu/books/9780674260528
      • ACLU, Digital Dystopia: https://www.aclu.org/publications/digital-dystopia-the-danger-in-buying-what-the-edtech-surveillance-industry-is-selling
      • The Markup, College Prep Software Naviance Is Selling Advertising Access to Millions of Students: https://themarkup.org/machine-learning/2022/01/13/college-prep-software-naviance-is-selling-advertising-access-to-millions-of-students
      • Proton blog on EdTech and privacy: https://proton.me/blog/ed-tech-trackers

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support the mission: https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:02:48: What's your mission at the EdTech Law Center?
      • 0:05:20: What are the unique privacy threats for students?
      • 0:09:46: What privacy laws are there for minors?
      • 0:12:05: How are these laws enforced and litigated?
      • 0:18:21: How does notice and consent work for students?
      • 0:27:05: What rights do the kids have in these situations?
      • 0:29:38: How are these EdTech companies?
      • 0:31:40: Which apps and tools are most problematic and why?
      • 0:37:20: Should minors' data be deleted when they reach adulthood?
      • 0:40:15: Are school systems equipped to understand these contracts?
      • 0:42:35: What about privacy issues with EdTech hardware?
      • 0:45:50: What have we already learned via discovery or reporting?
      • 0:50:01: As a parent, who do I talk to about my child's privacy risks at school?
      • 0:54:16: What are some red flags to look out for?
      • 0:57:10: What responsibilities do school systems have here?
      • 1:00:57: So what can we do? When should we reach out to you?
      • 1:05:02: Interview follow-up
      • 1:06:26: Patron podcast preview
      • 1:07:19: Looking ahead
    --------  
    1:09:43
  • The In-App Switcheroo
    Do you realize that you're not always using your chosen mobile web browser or your network privacy features? Many mobile apps have their own in-app browser that can gather your data and even inject ads and trackers into any web links you click. I'll explain how this works and what you can do about it. In the news: 23andMe bankruptcy ombudsman argues for user consent to data; Meta AI app privacy nightmare; Amazon, Roku sharing users for ads; WhatsApp launches in-app ads; healthcare sites are sharing your data; ICE seeks powerful new surveillance tool; Austrian government wants your encrypted data; new US visa rules require social media posts; Scattered Spider targeting insurance info; VT governor signs child data privacy law; Flock blocks access to some US states; Microsoft offers 1-year security updates for Win10 users; new Android 16 security features; Denmark's answer to deepfakes; cleaner Google search results; ChatGPT user info reports.

    Article Links
      • [therecord.media] 23andMe privacy ombudsman recommends company obtains consent for sale of customer data https://therecord.media/23andme-privacy-ombudsman-recommends-consent-sale
      • [techcrunch.com] The Meta AI app is a privacy disaster https://techcrunch.com/2025/06/12/the-meta-ai-app-is-a-privacy-disaster/
      • [variety.com] Amazon, Roku Strike Deal to Pool Connected-TV Audiences for Advertisers https://variety.com/2025/tv/news/amazon-roku-pool-connected-tv-audiences-advertising-deal-1236432579/
      • [9to5mac.com] WhatsApp just launched ads for all users https://9to5mac.com/2025/06/16/whatsapp-just-launched-ads-for-all-users-here-are-the-details/
      • [The Markup] This Is How You Stop Data Trackers From Sucking up Your Health Data https://themarkup.org/the-breakdown/2025/06/17/this-is-how-you-stop-data-trackers-from-sucking-up-your-health-data
      • [fedscoop.com] ICE seeks proprietary data and tech to monitor up to a million people https://fedscoop.com/ice-seeks-proprietary-data-and-tech-to-monitor-up-to-a-million-people/
      • [reuters.com] Austrian government agrees on plan to allow monitoring of secure messaging https://www.reuters.com/world/austrian-government-agrees-plan-allow-monitoring-secure-messaging-2025-06-18/
      • [The Hacker News] New U.S. Visa Rule Requires Applicants to Set Social Media Account Privacy to Public https://thehackernews.com/2025/06/new-us-visa-rule-requires-applicants-to.html
      • [therecord.media] Scattered Spider hackers targeting insurance industry following retail hits, Google warns https://therecord.media/scattered-spider-targeting-insurance-sector-following-retail-attacks
      • [epic.org] EPIC Applauds Vermont Governor Phil Scott for Signing Age-Appropriate Design Code into Law https://epic.org/epic-applauds-vermont-governor-phil-scott-for-signing-age-appropriate-design-code-into-law/
      • [404media.co] Flock Removes States From National Lookup Tool After ICE and Abortion Searches Revealed https://www.404media.co/flock-removes-states-from-national-lookup-tool-after-ice-and-abortion-searches-revealed/
      • [techradar.com] Windows 10 users who don’t want to upgrade to Windows 11 get new lifeline from Microsoft https://www.techradar.com/computing/windows/windows-10-users-who-dont-want-to-upgrade-to-windows-11-get-new-lifeline-from-microsoft
      • [androidauthority.com] Android 16 introduces Advanced Protection mode to fortify your phone against threats https://www.androidauthority.com/android-16-advanced-protection-mode-2-3566064/
      • [theguardian.com] Denmark to tackle deepfakes by giving people copyright to their own features https://www.theguardian.com/technology/2025/jun/27/deepfakes-denmark-copyright-law-artificial-intelligence
      • [tedium.co] Does One Line Fix Google? https://tedium.co/2024/05/17/google-web-search-make-default/
      • [schneier.com] What LLMs Know About Their Users https://www.schneier.com/blog/archives/2025/06/what-llms-know-about-their-users.html
      • Tip of the Week: https://firewallsdontstopdragons.com/the-in-app-switcheroo/
    --------  
    1:12:28
  • ShmooCon: Moose You Already
    On January 12th, 2025, the ShmooCon hacker conference held its 20th and final gathering. I was lucky enough to be able to not only attend the final show but also to interview the founders, Heidi and Bruce Potter. We talk about how it all got started, what made this hacker con so special and beloved, and hear some hilarious stories from the past twenty years of hacker shenanigans in Washington D.C.

    Interview Notes
      • ShmooCon: https://www.shmoocon.org/
      • ShmooCon 2025 sessions: https://www.youtube.com/playlist?list=PLnKSfJ5rXw95HSPVl5L7dqhKpVAx3q_j0
      • Turngate: https://www.turngate.io/
      • HOPE conference: https://www.hope.net/
      • BSides: https://bsides.org/
      • Cackalackycon: https://cackalackycon.org/
      • Thotcon: https://www.thotcon.org/
      • SummerCon: https://www.summercon.org/
      • PancakesCon: https://pancakescon.com/

    Further Info
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support the mission: https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Recommend news stories: send to news [at] firewallsdontstopdragons.com
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:03:43: How and why did you start ShmooCon?
      • 0:11:05: Why are hacker conferences so different from regular trade shows?
      • 0:17:19: Why limit attendance and how did this give rise to LobbyCon?
      • 0:21:52: What makes a good con? What's your post-con recovery like?
      • 0:27:26: Why did you decide to end the con?
      • 0:29:54: How have other cons influenced ShmooCon?
      • 0:33:16: Why is it important to be so transparent about your con?
      • 0:37:38: What are your favorite ShmooCon stories?
      • 0:44:54: What's it like running a conference as a married couple?
      • 0:49:39: What are you most proud of with ShmooCon?
      • 0:52:13: Was there anything you wish you had done but didn't?
      • 0:56:07: Did you ever consider handing ShmooCon off to someone else?
      • 0:58:13: So what now?
      • 1:00:58: What are some ShmooCon alternatives?
      • 1:06:36: Wrap-up
      • 1:08:07: Attend a hacker con!
      • 1:09:35: Patron bonus preview
      • 1:10:24: Looking ahead
    --------  
    1:11:09
  • Rogue AI?
    Artificial Intelligence is taking over. But I don't mean that in a Skynet kinda way. It's simply becoming ubiquitous because companies are insisting on inserting the technology into all their products, even if it's not useful - or not even safe. Unfortunately, the breathless reporting on dangers of AI is also getting way out of hand, including stories of AI systems 'blackmailing' their designers. Today I'll try to bring us back to reality a bit. Also in the news: Billions of session login cookies up for grabs; Meta and Yandex cheat in order to track you around the web; Qualcomm fixes three zero-day bugs being actively exploited; Apple releases transparency report on push notification data requests; LAPD using Waymo for gathering video evidence; another massive AT&T user data leak includes SSNs; AI system appears to try to blackmail its owner; judge grants preliminary injunction on DOGE data grab; and we'll check in on your 2025 New Year's Resolutions!

    Article Links
      • [theregister.com] Billions of cookies up for grabs as experts warn over session security https://www.theregister.com/2025/05/29/billions_of_cookies_available/
      • [arstechnica.com] Meta and Yandex are de-anonymizing Android users’ web browsing identifiers https://arstechnica.com/security/2025/06/meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
      • More info: https://www.zeropartydata.es/p/localhost-tracking-explained-it-could
      • [techcrunch.com] Phone chipmaker Qualcomm fixes three zero-days exploited by hackers https://techcrunch.com/2025/06/03/phone-chipmaker-qualcomm-fixes-three-zero-days-exploited-by-hackers/
      • [404media.co] Apple Gave Governments Data on Thousands of Push Notifications https://www.404media.co/apple-gave-governments-data-on-thousands-of-push-notifications/
      • [404media.co] LAPD Publishes Crime Footage It Got From a Waymo Driverless Car https://www.404media.co/lapd-publishes-crime-footage-it-got-from-a-waymo-driverless-car/
      • [cyberinsider.com] AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs https://cyberinsider.com/att-investigating-new-leak-of-86-million-customer-records-with-decrypted-ssns/
      • [bbc.com] AI system resorts to blackmail if told it will be removed https://www.bbc.com/news/articles/cpqeng9d20go
      • [eff.org] Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit https://www.eff.org/press/releases/privacy-victory-judge-grants-preliminary-injunction-opmdoge-lawsuit
      • Tip of the Week: https://firewallsdontstopdragons.com/2025-resolutions-check-in/

    Further Info
      • 2025 New Year’s Resolutions: https://firewallsdontstopdragons.com/new-years-resolutions-2025/
      • Privacy Guides: https://www.privacyguides.org/articles/
      • EFF’s Rayhunter project: https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
      • My book: https://fdsd.me/book
      • My newsletter: https://fdsd.me/newsletter
      • Support our mission! https://fdsd.me/support
      • Give the gift of privacy and security: https://fdsd.me/coupons
      • Send me your questions! https://fdsd.me/qna
      • Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

    Table of Contents
      • 0:00:00: Intro
      • 0:00:50: A note on protest privacy
      • 0:04:32: News preview
      • 0:06:43: Billions of cookies up for grabs as experts warn over session security
      • 0:18:27: Meta and Yandex are de-anonymizing Android users’ web browsing identifiers
      • 0:25:59: Phone chipmaker Qualcomm fixes three zero-days exploited by hackers
      • 0:27:51: Apple Gave Governments Data on Thousands of Push Notifications
      • 0:33:25: LAPD Publishes Crime Footage It Got From a Waymo Driverless Car
      • 0:37:39: AT&T Investigating New Leak of 86 Million Customer Records with Decrypted SSNs
      • 0:41:51: AI system resorts to blackmail if told it will be removed
      • 0:51:40: Privacy Victory! Judge Grants Preliminary Injunction in OPM/DOGE Lawsuit
      • 0:56:04: Tip of the Week
      • 0:58:13: Wrapup
    --------  
    1:00:35


About Firewalls Don't Stop Dragons Podcast

A Podcast on Computer Security & Privacy for Non-Techies

Generated: 7/15/2025 - 9:21:23 PM