Firewalls Don't Stop Dragons Podcast

A deep dive into the US plan to ban foreign-made home WiFi routers and what that could mean for upgrades. A rundown of critical TP-Link flaws and why patching matters now. Coverage of Zoom links being scraped into AI podcasts and smart TVs being bought for ad data. Reports on a massive identity breach, a tax software certificate disaster, risky Mac automation features, and new macOS protections.

Jonah Aragon, Program Director at Privacy Guides who focuses on self-hosting and decentralization, and Nate Bartram, founder of The New Oil who makes beginner-friendly privacy guides. They trace their privacy origins, unpack the 'nothing to hide' myth, discuss tailoring advice with threat models, highlight red flags for services, and debate legal risks like age checks and Section 230 changes.

When we think about improving security and privacy, we tend to add things: password managers, VPNs, encrypted communication apps. But one of the most effective ways to protect yourself is much simpler: remove what you don’t need. Safety through subtraction. Every app you install exposes you to more data collection and security vulnerabilities. Over time, these apps can automatically update, collecting more data and adding new exploitable features. And with the current global unrest, the risk of attacks is greater than normal. I’ll give you several top tips for reducing your attack surface. Article Links Check Your Asus Router for Malware ASAP: https://lifehacker.com/tech/check-asus-router-for-malware Instagram drops end-to-end encrypted chats: https://proton.me/blog/instagram-end-to-end-encryption Viral ‘Quittr’ Porn Addiction App Exposed the Masturbation Habits of Hundreds of Thousands of Users: https://www.404media.co/viral-quittr-porn-addiction-app-exposed-the-masturbation-habits-of-hundreds-of-thousands-of-users/ Papers, please: Age verification laws threaten everyone’s online security and privacy: https://this.weekinsecurity.com/papers-please-age-verification-laws-threaten-everyones-online-security-and-privacy/ Federal Surveillance Tech Becomes Mandatory in New Cars by 2027: https://www.gadgetreview.com/federal-surveillance-tech-becomes-mandatory-in-new-cars-by-2027 Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US: https://techcrunch.com/2026/03/20/cyberattack-on-vehicle-breathalyzer-company-leaves-drivers-stranded-across-the-us/ Large-Scale Online Deanonymization with LLMs: https://simonlermen.substack.com/p/large-scale-online-deanonymization EU votes to restrict mass scanning of people’s private messages: https://cyberinsider.com/eu-votes-to-restrict-mass-scanning-of-peoples-private-messages/ Mozilla to launch free built-in VPN in upcoming Firefox 149: https://cyberinsider.com/mozilla-to-launch-free-built-in-vpn-in-upcoming-firefox-149/ You Should Turn On This New Security Update Feature on Your iPhone and Mac: https://lifehacker.com/tech/apples-security-update-iphone-mac-setting Tip of the Week: https://firewallsdontstopdragons.com/spring-cleaning/  Further Info Greynoise IP Check: https://check.labs.greynoise.io/  Joint statement on age verification laws: https://csa-scientist-open-letter.org/ageverif-Feb2026  CISA Cyber Hygiene Service: https://www.cisa.gov/cyber-hygiene-services  CISA Bad Practices: https://www.cisa.gov/stopransomware/bad-practices  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:07: Intro 0:01:35: News rundown 0:03:41: Update your Asus routers 0:08:55: Instragram drops E2EE 0:12:57: Porn addiction app exposed user data 0:19:54: Dangers of age verification laws 0:30:45: Car surveillance mandatory in 2027 0:35:46: Cyberattack kills breathalizer-equipped cars 0:39:41: LLMs can deanonymize users 0:51:11: Chat Control defeated! 0:55:22: Firefox free VPN coming 0:59:05: New Apple security fix mechanism 1:03:14: Tip of the Week 1:09:09: More security tips 1:13:53: Patron podcast preview 1:14:17: Looking ahead

Eric Gardner, former grocery pricing consultant turned business reporter, and Justin Brookman, Consumer Reports marketplace policy director, dig into surveillance pricing on apps like Instacart. They describe how researchers tested price variation, the tech and patents behind targeted experiments, legal and regulatory pushback, and what shoppers can do to spot and respond to hidden price differences.

Bad guys have found a willing accomplice for installing malware: YOU. This very effective malware delivery mechanism, dubbed ClickFix, accounted for over half of all infections last year. I’ll tell you how to avoid it, but also explain why you shouldn’t have to. In other news: Amazon’s change to wishlists may expose your address; a new government-grade iOS exploit kit is spreading to criminals; Israel hacked traffic cams to kill Iran’s leaders; Meta’s AI glasses are a privacy nightmare; new AirSnitch WiFi exploit is clever, but not a threat for most people; Microsoft Office bug allowed AI to read confidential emails; Discord walks back it’s plans for age verification; US Senators reintroduce surveillance transparency bill; CA privacy activists call for removing license plate readers; Ente releases new Locker app; Privacy Guides releases wonderful new privacy resource. Article Links Amazon Change Means Wishlists Might Expose Your Address https://www.404media.co/amazon-wishlist-address-private-third-party/ Google and iVerify reveal government-grade iPhone exploit kit spreading to hackers https://9to5mac.com/2026/03/03/google-and-iverify-reveal-government-grade-iphone-exploit-kit-spreading-to-hackers/ Israel hacked Tehran’s traffic cameras, used AI to plan Khamenei’s assassination https://www.yahoo.com/news/articles/israel-hacked-tehrans-traffic-cameras-063114828.html What Privacy? As Expected Meta Ray Bans Are A Privacy Disaster https://appleinsider.com/articles/26/03/03/what-privacy-as-expected-meta-ray-bans-are-a-privacy-disaster New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/ Microsoft says Office bug exposed customers’ confidential emails to Copilot AI https://techcrunch.com/2026/02/18/microsoft-says-office-bug-exposed-customers-confidential-emails-to-copilot-ai/ Discord just canceled its planned age verification rollout, for now https://9to5mac.com/2026/02/24/discord-just-canceled-its-planned-age-verification-rollout-for-now/ Senators Reintroduce Bill to Create Transparency for Court-Ordered Surveillance https://www.wyden.senate.gov/news/press-releases/wyden-daines-booker-and-lee-reintroduce-bill-to-create-transparency-for-court-ordered-surveillance Privacy activists call on California to remove covert license plate readers https://apnews.com/article/license-plate-readers-surveillance-ice-dhs-db848b1498c55f3c1b3ee1a107dacd10 Ente Locker – Safe space for your most important documents https://ente.io/locker/ Guides and Tools for Privacy Activists https://www.privacyguides.org/en/activism/ Tip of the Week: https://firewallsdontstopdragons.com/fixing-clickfix/  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:08: Intro 0:01:54: News rundown 0:03:36: Amazon wishlist change exposes your address 0:08:44: New iOS exploit kit leaks 0:14:21: Israel hacked traffic cams to kill Khamenei 0:17:19: Meta’s AI glasses privacy nightmware 0:22:32: AirSnitch WiFi attack 0:26:31: Microsoft AI bug exposes private emails 0:29:35: Discord backtracks on age verification 0:34:38: Senators reintroduce surveillance transparency bill 0:39:15: Call to remove hidden surveillance cameras 0:44:44: Ente Locker 0:47:51: Privacy Activist Toolbox 0:51:53: Tip of the Week 1:00:36: Patron podcast preview 1:02:15: Looking ahead

Nick Merrill, founder of Phreeli and privacy technologist building privacy-preserving telecom services. He explains how cell service can work with almost no personal data. Topics include using ZIP+4 for billing, eSIMs and prepaid models, unlinking identity from metadata with the Double Blind Armadillo approach, mixing/batching to reduce fingerprinting, and handling lawful intercept and recovery tradeoffs.

They hunt for private, non-Google replacements for spreadsheets and forms. They dissect a string of data breaches and explain why storing photo IDs is dangerous. They debate biometric age checks, country moves to restrict kids on social media, and Europe’s push for tech alternatives. They also examine IoT and camera privacy risks and new recommendations for safer devices.

Today I speak with Yahoo CISO Sean Zadig – aka, the Chief Paranoid. Sean has had a long and varied career in cybersecurity, working both in law enforcement (at NASA!) and working security for Big Tech. I’ll ask Sean how we can teach our kids about cybersecurity, and how to protect them from the worst of the internet without compromising anyone’s privacy. I’ll also get his perspective on the relationship between Big Tech, user data, law enforcement and the Fourth Amendment. Interview Notes The Paranoids (Yahoo): https://www.yahooinc.com/our-technology/paranoids  Suddenly a CISO: https://www.yahooinc.com/paranoids/suddenly-a-ciso-four-pieces-of-transitional-advice  Clipper Chip: https://en.wikipedia.org/wiki/Clipper_chip  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:13: Intro 0:01:20: Lingo 0:02:06: How did you become CISO at Yahoo? 0:05:38: Has AI made you job harder? 0:08:54: What the Paranoid ethos? 0:11:49: What a kids taught about cybersecurity? 0:14:05: How do we interest kids in cybersecurity? 0:17:35: How do we get kids to care about privacy? 0:21:42: Can we verify age privately? 0:25:06: Should parents control content restrictions? 0:28:36: Are kids echewing tech today? 0:31:51: How do we combat CSAM? 0:40:31: What’s it like working in law enforement? 0:47:14: Can we get Big Tech to collect less private data? 0:52:19: Is law enforcement skirting the 4th Amendment? 0:58:14: What’s next for The Paranoids? 1:00:01: Wrap-up 1:00:12: Patron podcast preview 1:01:10: Survey highlights 1:05:40: 2026 Milestones 1:06:49: Looking ahead

The latest craze with artificial intelligence is agentic AI – exhibited most recently in the viral AI project called ClawdBot… or Moltbot… or OpenClaw. (The name has changed two times in less than a week.) You download this software, give it access to your AI chatbot accounts, and then give it full and complete access to your computer and online accounts. Why? So you can have an all-powerful assistant who can do real things in the real world as if they were you! What could go wrong? In other news: a new lawsuit claims Meta can read all your WhatsApp messages; an AI toy exposed chat transcripts of their toddler owners; another AI app leaks millions of private conversations; TikTok’s new terms of service are very scary; the US wants visitors to fork over tons of personal info; UK officials were hit by Volt Typhoon; the UK wants to increase facial recognition in public places; the FBI failed to unlock journalist’s iPhone with Lockdown Mode enabled; Google adds cool anti-theft features; CA town disables Flock cameras; Google cripples home proxy network; and Firefox adds one toggle to disable AI features. Article Links WhatsApp Encryption, a Lawsuit, and a Lot of Noise https://blog.cryptographyengineering.com/2026/02/02/whatsapp-encryption-a-lawsuit-and-a-lot-of-noise/ An AI Toy Exposed 50,000 Logs of Its Chats With Kids to Anyone With a Gmail Account https://www.wired.com/story/an-ai-toy-exposed-50000-logs-of-its-chats-with-kids-to-anyone-with-a-gmail-account/ Massive AI Chat App Leaked Millions of Users Private Conversations https://www.404media.co/massive-ai-chat-app-leaked-millions-of-users-private-conversations/ TikTok’s New Terms of Service Has Raised Alarm Bells https://lifehacker.com/tech/tiktoks-new-ownership-tos-concerns The Trump Administration wants your DNA and social media https://www.privacyinternational.org/news-analysis/5713/trump-administration-wants-your-dna-and-social-media Hackers suspected of spying on UK officials’ calls for years https://www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/ Police to get 40 new live facial recognition vans and AI help in sweeping reforms https://news.sky.com/story/facial-recognition-technology-to-be-rolled-out-nationally-and-police-will-get-ai-support-13499172 FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled https://www.404media.co/fbi-couldnt-get-into-wapo-reporters-iphone-because-it-had-lockdown-mode-enabled/ Google Just Updated These Android Theft Protection Features https://lifehacker.com/tech/google-just-updated-these-android-theft-protection-features California city turns off Flock cameras after company shared data without authorization https://therecord.media/california-city-turns-off-flock-cameras-unauthorized-sharing Google cripples IPIDEA proxy network abused by crims https://www.theregister.com/2026/01/29/google_ipidea_crime_network/ Mozilla Adds One-Click Option to Disable Generative AI Features in Firefox https://thehackernews.com/2026/02/mozilla-adds-one-click-option-to.html Tip of the Week: https://firewallsdontstopdragons.com/agents-of-misfortune/  Further Info TikTok’s Real Privacy Risks: https://internetsafetylabs.org/blog/research/tiktoks-real-privacy-risks/  Private TikTok viewer: https://sticktock.com/  EFF’s Atlas of Surveillance: https://www.atlasofsurveillance.org/  DeFlock: https://deflock.org/  My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support our mission! https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:07: Intro 0:00:51: News rundown 0:02:51: WhatsApp encryption questioned 0:11:34: AI toy’s logs exposed 0:16:17: AI app leaks user data 0:19:27: TikTok gets worse for privacy 0:23:52: US demands more visitor data 0:30:41: UK hit by Salt Typhoon 0:33:47: UK proposes more mass surveillance 0:36:51: Lockdown Mode protects WaPo journalist iPhone 0:43:03: New Android anti-theft features 0:45:54: CA town shuts down Flock 0:49:07: Google hobbles bad proxy network 0:52:33: Firefox AI kill switch 0:55:18: Tip of the Week 1:02:08: Wrap-up 1:02:21: Patron podcast preview 1:02:30: Looking ahead

We’re all busy people with busy lives. We only have so much time and energy. So when security people dole out to-do lists, we really need to focus on the tips with the most bang for the buck. Conversely, we need to avoid wasting people’s precious resources on advice that is no longer valid or worth the effort. Today, we’ll debunk several of these “Hacklore” tips with security guru Bob Lord. Interview Notes Hacklore: https://www.hacklore.org/letter  Hacklore resources: https://www.hacklore.org/resources  Elevator (un)safety analogy: https://medium.com/@boblord/psa-elevator-un-safety-7ac69a9498de  DNC Security Checklist: https://democrats.org/security/  CISA Secure by Design: https://www.cisa.gov/securebydesign  MITRE’s 2007 Unforgivable Vulnerabilities (PDF): https://cwe.mitre.org/documents/unforgivable_vulns/unforgivable.pdf  Take 9: https://pausetake9.org/  Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/  EFF security planning: https://ssd.eff.org/module/your-security-plan  Removing online data: https://firewallsdontstopdragons.com/data-diet-introduction/  Generate passphrases with d20 dice! https://d20key.com/#/  Dragon coupons: https://fdsd.me/coupons/  Rafifi (film): https://www.imdb.com/title/tt0048021/  Xkcd password strength: https://xkcd.com/936/  Further Info My book: https://fdsd.me/book  My newsletter: https://fdsd.me/newsletter  Support the mission: https://fdsd.me/support  Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Table of Contents 0:00:14: Intro 0:00:25: Survey, promo wrap-up 0:01:30: Interview setup 0:02:22: Lingo definitions 0:02:52: What drove you to launch Hacklore? 0:07:12: Is this advice truly wrong? 0:11:51: 1) Avoid public WiFi 0:17:38: 2) Never scan QR codes 0:22:43: 3) Never charge devices from public USB ports 0:24:38: 4) Turn off Bluetooth and NFC 0:28:25: 5) Regularly clear cookies 0:32:47: 6) Regularly change passwords 0:38:19: Why do we not have web password standards? 0:44:24: Any bad tips that didn’t make the cut? 0:45:53: WIll Hacklore be regularly updated? 0:46:32: What has been the response to Hacklore? 0:48:08: So what are the actual top security tips? 0:49:56: How do we shift the onus to software makers? 0:53:14: What other resources can you recommend? 0:55:40: What’s next for you? 0:56:53: Wrap-up 1:00:40: Generating passphrases 1:02:00: Accessing show notes 1:03:08: Dragon coupons 1:03:40: Patron podcast preview 1:04:24: Looking ahead