Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We'll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them.
Interview Notes
Veracode: https://www.veracode.com/
L0pht.com: https://l0pht.com/
L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY
DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM
MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up
The Open Organisation Of Lockpickers (TOOOL): https://toool.us/
2600: https://www.2600.com/
Classic engineering references: https://bitsavers.org/
Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: intro
0:00:40: Interview setup
0:03:19: How did you come to be in The L0pht?
0:08:36: How did meeting in real life as well as online affect L0pht's dynamics?
0:09:34: How did you find so much free and adandoned computer hardware?
0:13:44: How did you manage to just drive your van in the NSA parking lot?
0:19:20: What has been the lasting impact of your Congressional testimony in 1998?
0:21:45: How did you come to invite cyber czar Richard Clarke to The L0pht?
0:27:17: How have hackers pushed back against overreach from corporations?
0:36:05: Why are lockpicking and computer hacking so closely related?
0:40:55: Is it easier or harder to be a hacker today versus when you started?
0:45:56: Are we still fighing the Crypto Wars of the 90s? Are we winning?
0:51:17: Are there any glaring misconceptions about The L0pht you'd like to fix?
0:55:16: Where are The L0pht folks now and what are they up to?
0:57:51: Interview wrap-up
1:00:59: Patron bonus preview
1:01:35: Looking ahead
--------
1:03:21
Onion Routing
Not all Privacy Enhancing Technologies are new - but this one is probably new to you. Onion routing was developing in the 1990's by the US government and is the basis for the Tor Network. Onion routing does one thing very well: it masks your actual IP address. While you can use a VPN for this purpose, onion routing adds a different layer of anonymity - and it's just a cool technology. Today I'll explain how it works, how to use it, and the pros and cons of doing so.
In other news: Bitly is leveraging its URL-shortening empire to monetize your links; a major car company is experimenting with in-car pop up ads; a cautionary tale about law enforcement's access to private phone data; Russian spies are using a clever new phishing technique to gain access to Microsoft 365 accounts; Apple pulls its Advanced Data Protection feature from the UK market in response to demands to 'backdoor' its encryption; and whatever your political beliefs, the chaos and careless changes made by the DOGE group are seriously undermining national security.
Article Links
[tedium.co] Broken Bits https://tedium.co/2025/02/07/bitly-terms-of-service-change/
[techstory.in] Stellantis Introduces Pop-Up Ads in Vehicles, Sparking Outrage Among Owners https://techstory.in/stellantis-introduces-pop-up-ads-in-vehicles-sparking-outrage-among-owners/
[arstechnica.com] No warrant or crimes—but Oregon woman’s nudes were shared after illegal phone search https://arstechnica.com/tech-policy/2025/02/no-warrant-or-crimes-but-oregon-womans-nudes-were-shared-after-illegal-phone-search/
[arstechnica.com] Russian spies use device code phishing to hijack Microsoft accounts https://arstechnica.com/information-technology/2025/02/russian-spies-use-device-code-phishing-to-hijack-microsoft-accounts/
[bbc.com] Apple pulls data protection tool after UK government security row https://www.bbc.com/news/articles/cgj54eq4vejo
[schneier.com] DOGE as a National Cyberattack https://www.schneier.com/blog/archives/2025/02/doge-as-a-national.html
Tip of the Week: How Onion Routing Works: https://firewallsdontstopdragons.com/how-onion-routing-works/
Further Info
Safe link shortener: https://kutt.it/
Read before using the Tor Browser: https://www.privacyguides.org/en/tor/
Tor Browser: https://www.torproject.org/download/
Onion sites that don’t suck: https://github.com/neilzone/onion-sites-that-dont-suck
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: News preview
0:02:19: Broken Bits
0:13:50: Stellantis Introduces Pop-Up Ads in Vehicles
0:20:28: Oregon woman’s nudes were shared after illegal phone search
0:28:03: Russian spies use device code phishing to hijack Microsoft accounts
0:35:07: Apple pulls data protection tool after UK government security row
0:45:58: DOGE as a National Cyberattack
0:59:54: Tip of the Week: Onion Routing
1:11:53: Wrap-up
--------
1:13:45
Security Planner
Generic security advice is good, but tailored advice is much better. Everyone's situation is a little different. What are you trying to protect? Who or what are you trying to protect it from? What are the consequences of failure? This is called threat modeling. And thankfully, the wonderful folks at Consumer Reports have a free, easy-to-use Security Planner tool that will help anyone do this assessment and provide custom solutions. My guest today is Yael Grauer, who will help us understand how to think about our security and how the CR tool can help you protect your data and devices.
Interview Notes
Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/
Yael’s website: https://yaelwrites.com/
Big Ass Data Broker Opt Out List (BADBOOL): https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List
Consumer Reports advocacy: https://advocacy.consumerreports.org/
CR’s Digital Standard: https://thedigitalstandard.org/
CR’s Consumer Readiness Report 2024 (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/09/2024-Consumer-Cyber-Readiness-Report.pdf
How to choose a PIN code: https://firewallsdontstopdragons.com/how-to-choose-a-pin/
Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:07: Intro
0:01:07: Interview setup
0:02:35: Yael introduction
0:04:19: What questions should we answer to get useful security advice?
0:06:41: How does Security Planner work?
0:08:03: How does Security Planner tailor its suggestions?
0:10:58: How do you decide what the most important factors are for security?
0:15:11: What might trigger me to re-run this tool and get a fresh report?
0:17:18: How does Consumer Reports research its recommendations?
0:19:59: How does CR vet the products and services that it recommends?
0:23:18: How do you weight things like convenience and ease of use?
0:27:34: Is it okay to make people pay for basic security features?
0:35:08: What role should government play in pushing for better security?
0:36:55: How important is transparency for driving better security?
0:39:15: What did the CR Cyber Readiness survey reveal?
0:43:22: Why do we choose bad passwords?
0:45:55: Why don't companies provider better support for security problems?
0:51:39: What's next for you and CR? How do we get updates?
0:53:43: Interview wrap-up
0:56:20: Patron bonus content preview
0:57:06: Looking ahead
--------
58:34
Crypto Wars 2.0
Privacy is a human right - and you don't have to justify rights, you just have them. That's kinda the whole point. But you do need to exercise them and defend them sometimes. It has been leaked that the UK is telling Apple to reveal the encrypted data of every single one of their users to the UK government under the auspices of the Investigatory Powers Act (and its recent controversial Amendment). This would be a privacy and security disaster, and we were not even supposed to know about it.
In other news: Netgear warns of serious router bugs (so update your firmware now); DeepSeek AI app has serious security and privacy problems, but the AI model has real promise in other ways; AngelSense personal customer data exposed; Cybercrime groups exploit 7-Zip app flaws to bypass Windows protections; some clever Mac and iOS malware making the rounds; new Android Identity Check feature released, and I introduce some Privacy Enhancing Technologies.
Article Links
[Bleeping Computer] Netgear warns users to patch critical WiFi router vulnerabilities https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-critical-wifi-router-vulnerabilities/
[krebsonsecurity.com] Experts Flag Security, Privacy Risks in DeepSeek AI App https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/
[techcrunch.com] AngelSense exposed location data and personal information of tracked users https://techcrunch.com/2025/01/30/angelsense-exposed-location-data-and-personal-information-of-tracked-users/
[The Hacker News] Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html
[appleinsider.com] New macOS malware disguises itself as Chrome & Zoom installers https://appleinsider.com/articles/25/02/04/new-macos-malware-disguises-itself-as-chrome-zoom-installers
[macrumors.com] Apple Removed Apps Infested With Screen Reading Malware https://www.macrumors.com/2025/02/06/apple-removed-screen-reading-malware-apps/
[Bleeping Computer] New Android Identity Check locks settings outside trusted locations https://www.bleepingcomputer.com/news/security/new-android-identity-check-locks-settings-outside-trusted-locations/
[theverge.com] Apple ordered to open encrypted user accounts globally to UK spying https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter
Tip of the Week: https://firewallsdontstopdragons.com/privacy-enhancing-technologies-pet/
Further Info
Securing your router: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/
Objective-See tools: https://objective-see.org/
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:06: Intro
0:00:20: Tax scams, ID.me
0:02:54: News preview
0:05:01: Netgear router vulnerabilities
0:08:17: DeepSeek AI has security problems, but also shows promise
0:19:36: AngelSense exposed personal information of tracked users
0:26:23: Russian Cybercrime Groups Exploiting 7-Zip Flaw
0:35:44: macOS stealer malware disguises itself as fake installer
0:42:30: New Apple malware uses OCR to mine secrets
0:46:00: New Android Identity Check locks settings outside trusted locations
0:49:10: Apple ordered to open encrypted user accounts globally to UK spying
1:04:56: Tip of the Week: Privacy Enhancing Technologi...
--------
1:08:30
Controlling Your Digital ID
In the real world, we present different aspects of ourselves in different environments: home, work, family, friends, school, etc. Why can't we do this in the virtual world, as well? While marketers love to identify us with unique identifiers so they can track us mercilessly, there are tools we can use that will allow us to compartmentalize our digital lives just like we can in the real world. Today we'll discuss the notion of decentralized identity with Dr. Paul Ashley, CTO of Anonyome Labs who runs the MySudo service.
Interview Notes
MySudo: https://anonyome.com/individuals/mysudo/
Anonyome Labs: https://anonyome.com/
Open Wallet Foundation: https://openwallet.foundation/
Verifiable Credentials (W3C): https://www.w3.org/TR/vc-data-model/
Privacy is Power interview: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/
EFF on digital wallets: https://www.eff.org/deeplinks/2024/09/digital-id-isnt-everybody-and-thats-okay
Further Info
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:14: Intro
0:00:38: Getting more non-US news stories
0:02:44: Still waiting on big winner to reply
0:03:15: Intervew setup
0:05:23: How did Anonyome Labs get started?
0:12:20: Which identifiers are most valuable for tracking people?
0:15:19: Can you explain "de-centralized IDs " and "identity wallets"?
0:24:28: Are there open standards for digital ID?
0:29:20: Can digital ID be used to privately verify your age online?
0:32:18: Can email relay companies see all your emails?
0:36:31: How about using a custom domain for creating email aliases?
0:38:50: Don't a lot of sites reject email and phone numbers from alias services?
0:43:17: Do social media companies allow you to have multiple accounts?
0:46:37: What about ad ID's and fingerprinting?
0:51:21: What happens if your virtual ID company goes bad or goes dark?
0:55:36: Can I trust the virtual ID companies with my privacy?
0:59:07: Are there downsides or gotchas to using services like these?
1:00:51: How can we convince companies to respect our privacy?
1:04:48: What else is MySudo working on?
1:07:41: Interview wrap-up
1:08:17: Patron preview
1:08:42: Looking ahead
USA