We've been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what's in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don't fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they're really doing.
Interview Notes
Internet Safety Labs: https://internetsafetylabs.org/
App Microscope: https://appmicroscope.org/
Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/
Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
Exodus Privacy: https://exodus-privacy.eu.org/en/
Henrietta Lacks: https://en.wikipedia.org/wiki/Henrietta_Lacks
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
My social media: https://firewallsdontstopdragons.com/contact/
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:31: Note on 23andMe
0:01:35: Follow my social media
0:01:58: Signal debacle
0:02:39: Interview setup
0:07:06: What is Internet Safety Labs and what do you do there?
0:09:49: What are the privacy risks with EdTech?
0:16:31: How did the pandemic impact EdTech software?
0:19:02: How does the "notice and consent" model work with EdTech software?
0:25:26: Do app makers even know what's in their own software?
0:28:11: How do ads inside our apps get there?
0:30:45: How does App Microscope work?
0:32:33: How does safety differ from security?
0:34:37: What can you learn from the data and metadata an app generates?
0:37:22: Do you study "dark patterns" in apps?
0:41:42: How do you determine the software makeup of a given app?
0:47:10: How accurate are the app privacy "nutrition" labels?
0:51:58: How important are the non-technical aspects of an app for safety?
0:56:33: How do I use the App Microscope tool?
1:00:38: How can we support your efforts?
1:04:41: Interview follow-up
1:08:51: Burp Suite info
1:09:32: Patron bonus preview
1:10:27: Looking ahead
--------
1:10:56
It’s Tax (Scam) Time Again
Tax time is once again upon us here in the USA, which means that the tax scammers are coming out of the woodwork. Many will pose as the IRS, insisting that there is an urgent problem with your return and threatening penalties if you don't pay them money. Others will simply file fake returns in your name and have the inflated refunds sent to themselves. I'll help you spot and avoid these scams.
In other news: Apple's Passwords app was vulnerable to phishing attacks (now fixed); Amazon is forcing Echo owners to share voice recordings; the Bluetooth chip "backdoor" that wasn't; Google used CAPTCHAs to digitize books and Street View images; ICE uses a third party tool to scrape tons of your data; beware of online file converters; Clearview AI attempted to buy millions of mugshots; RCS messaging will soon allow end-to-end encrypted chats between iPhones and Android phones.
Article Links
[9to5mac.com] Apple’s Passwords app was vulnerable to phishing attacks for nearly three months after launch https://9to5mac.com/2025/03/18/apples-passwords-app-was-vulnerable-to-phishing-attacks-for-nearly-three-months-after-launch/
[arstechnica.com] Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/
[darkmentor.com] The ESP32 "backdoor" that wasn't https://darkmentor.com/blog/esp32_non-backdoor/
[techradar.com] Captcha if you can: how you’ve been training AI for years without realising it https://www.techradar.com/news/captcha-if-you-can-how-youve-been-training-ai-for-years-without-realising-it
[404media.co] The 200+ Sites an ICE Surveillance Contractor is Monitoring https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/
[malwarebytes.com] Warning over free online file converters that actually install malware https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware
[404media.co] Facial Recognition Company Clearview Attempted to Buy Social Security Numbers and Mugshots for its Database https://www.404media.co/facial-recognition-company-clearview-attempted-to-buy-social-security-numbers-and-mugshots-for-its-database/
[appleinsider.com] RCS messaging will get end-to-end encryption on iPhone https://appleinsider.com/articles/25/03/14/rcs-messaging-will-get-end-to-end-encryption-on-iphone
Tip of the Week: https://firewallsdontstopdragons.com/its-tax-scam-time/
Further Info
Data Diva interview: https://www.debbiereynoldsconsulting.com/podcast/e228-carey-parker
Malwarebytes interview: https://www.malwarebytes.com/blog/podcast/2025/03/what-google-chrome-knows-about-you-with-carey-parker-lock-and-code-s06e06
Amazon Mechanical Turk: https://en.wikipedia.org/wiki/Amazon_Mechanical_Turk
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:00:21: Guest appearances
0:01:22: News preview
0:03:50: Apple’s Passwords app was vulnerable to phishing attacks for nearly three months
0:10:41: Everything You Say to Your Echo Will Soon Be Sent to Amazon, and You Can’t Opt Out
0:21:30: The ESP32 "backdoor" that wasn't
0:29:16: Captcha if you can: how you’ve been training AI for years without realising it
0:35:08: The 200+ Sites an ICE Surveillance Contractor is Monitoring
0:43:10: Warning over free online file converters that actually install malware
--------
58:32
All Things Secured
Josh Summers lived in China for many years and learned a lot about privacy and security. Since he left, he's made it his mission to share this knowledge through his website and YouTube channel called All Things Secured - helping regular, everyday people like you and me to protect our data and devices. Today we'll talk specifically about improving your security and privacy on iPhones and Android phones, and even some alternatives outside the Apple and Google ecosystems.
Interview Notes
All Things Secured: https://www.allthingssecured.com/
All Things Secured YouTube: https://www.youtube.com/@AllThingsSecured
Apple iPhone Lockdown Mode: https://support.apple.com/en-us/105120
Apple Stolen Device Protection: https://support.apple.com/en-us/120340
Apple Advanced Data Protection: https://support.apple.com/en-us/108756
Android Theft Protection: https://blog.google/products/android/android-theft-protection/
Google Advanced Protection Program: https://landing.google.com/advancedprotection/faq/
iPhone hide/lock apps: https://support.apple.com/guide/iphone/lock-or-hide-or-an-app-iph00f208d05/ios
Cryptomator: https://cryptomator.org/
OsmAnd maps: https://osmand.net/
Jitsi video conferencing: https://jitsi.org/
Hoody AI: https://hoody.com/ai
DuckDuckGo AI: https://duck.ai/
GrapheneOS: https://grapheneos.org/
Further Info
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
0:00:14: Intro
0:00:27: Couple quick news items
0:01:59: Interview setup
0:02:47: How did you come to start All Things Secured?
0:04:41: What's it like living in China, from a privacy perspective?
0:07:26: What are the basic security and privacy risks with a smartphone?
0:11:21: How do iPhones compare to Android phones?
0:13:35: How does Android's multi-level ecosystem impact security?
0:16:42: How secure are smartphones against remote attacks?
0:19:39: Can you protect your smartphone against direct physical access?
0:25:20: What are some of the latest and greatest smartphone security features?
0:35:51: What if we don't trust Apple or Google's security?
0:40:05: If we don't trust Apple or Google apps, which ones should we consider using?
0:45:35: How can we protect our privacy with AI?
0:53:08: Are there better smartphone options beyond iOS and Android?
0:56:27: What worries you most? What gives you hope?
0:58:54: How can we learn more from you?
1:00:01: Interview wrap-up
1:00:55: Patron bonus content
1:01:55: Guest appearances
1:02:47: Looking ahead
--------
1:04:37
Slay Browser Ads Forever
Google's Chrome browser is rolling out changes that will hamstring ad blockers - so there's never been a better time to try a better browser. There are a handful of good options, but I'm going to recommend that you try Firefox with a fantastic ad blocker called uBlock Origin. If you've never tried this powerful combination, you won't believe what you've been missing.
In other news: the UK scrubs all encryption advice from government sites; Signal's CEO threatens to leave Sweden over backdoor demands; UK private health services hit by Medusa ransomware; Australian IVF provider has patient data stolen; Brazil gives Apple 90 days to allow side loading of apps; millions of Android TVs hijacked by a botnet; Qualcomm and Google team up to offer 8 years of Android updates; Google rolls out AI voice call scam detector; and confusion over Trump admin orders regarding Russia cyber threats.
Article Links
[techcrunch.com] UK quietly scrubs encryption advice from government websites https://techcrunch.com/2025/03/06/uk-quietly-scrubs-encryption-advice-from-government-websites/
[swedenherald.com] Signal's CEO: Then We're Leaving Sweden https://swedenherald.com/article/signals-ceo-then-were-leaving-sweden
[theregister.com] Medusa ransomware gang demands $2M from UK private health services provider https://www.theregister.com/2025/02/20/medusa_hcrg_ransomware/
[techcrunch.com] Hackers publish sensitive patient data allegedly stolen from Australian IVF provider Genea https://techcrunch.com/2025/02/26/hackers-publish-sensitive-patient-data-allegedly-stolen-from-australian-ivf-provider-genea/
[9to5mac.com] Brazilian court gives Apple 90 days to allow sideloading on iOS https://9to5mac.com/2025/03/06/brazilian-court-apple-sideloading-ios/
[tomsguide.com] Millions of Android TVs hijacked in massive botnet https://www.tomsguide.com/computing/online-security/millions-of-android-tvs-hijacked-in-massive-botnet-how-to-see-if-yours-is-at-risk
[arstechnica.com] Qualcomm and Google team up to offer 8 years of Android updates https://arstechnica.com/gadgets/2025/02/qualcomm-and-google-team-up-to-offer-8-years-of-android-updates/
[The Hacker News] Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud https://thehackernews.com/2025/03/google-rolls-out-ai-scam-detection-for.html
[zetter-zeroday.com] Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-cisa-to-stand-down-on-russia/
[theregister.com] uBlock Origin dead for many as Google purges Manifest v2 extensions https://www.theregister.com/2025/02/24/google_v2_eol_v3_rollout/
Tip of the Week: Slay Browser Ads: https://firewallsdontstopdragons.com/dragon-hacks-slay-browser-ads/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Check out my dragon challenge coin: https://fdsd.me/coin2
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:00:26: Update your Android devices
0:00:47: News rundown
0:02:50: UK quietly scrubs encryption advice from government websites
0:08:45: Signal's CEO: Then We're Leaving Sweden
0:11:01: Medusa ransomware gang hits UK health services provider
0:15:32: Hackers publish patient data allegedly from Australian IVF provider
0:19:13: Brazilian court gives Apple 90 days to allow sideloading on iOS
0:22:32: Millions of Android TVs hijacked in massive botnet
0:32:17: Qualcomm and Google offer 8 years of Android updates
0:39:18: Google Rolls Out AI Scam Detection for Android
--------
1:07:31
Back to The L0pht
Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We'll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them.
Interview Notes
Veracode: https://www.veracode.com/
L0pht.com: https://l0pht.com/
L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY
DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM
MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up
The Open Organisation Of Lockpickers (TOOOL): https://toool.us/
2600: https://www.2600.com/
Classic engineering references: https://bitsavers.org/
Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Intro
0:00:40: Interview setup
0:03:19: How did you come to be in The L0pht?
0:08:36: How did meeting in real life as well as online affect L0pht's dynamics?
0:09:34: How did you find so much free and abandoned computer hardware?
0:13:44: How did you manage to just drive your van in the NSA parking lot?
0:19:20: What has been the lasting impact of your Congressional testimony in 1998?
0:21:45: How did you come to invite cyber czar Richard Clarke to The L0pht?
0:27:17: How have hackers pushed back against overreach from corporations?
0:36:05: Why are lockpicking and computer hacking so closely related?
0:40:55: Is it easier or harder to be a hacker today versus when you started?
0:45:56: Are we still fighting the Crypto Wars of the 90s? Are we winning?
0:51:17: Are there any glaring misconceptions about The L0pht you'd like to fix?
0:55:16: Where are The L0pht folks now and what are they up to?
0:57:51: Interview wrap-up
1:00:59: Patron bonus preview
1:01:35: Looking ahead