As we learned last week from Zach Edwards, our smartphones have a globally unique mobile ad ID, or MAID, that is automatically associated with everything we do on our phones... unless we take explicit steps to turn this off. Today I'll tell you how this works and why you should disable this insidious form of tracking.
In other news: the FTC warns us about a new type of scam; dating app Raw exposed sensitive user data; a determined reporter documents his efforts to disable all the AI features in his Google phone; "juice jacking" is back with a tricky twist; Apple's AirPlay has a vulnerability whose fix may not reach all devices; Microsoft is pushing hard for passwordless accounts; Google Wallet allows you to verify your age without giving up personal info; and there's a new and troubling update to the Signalgate saga.
Article Links
[lifehacker.com] The FTC Is Warning Consumers About a Scam on Discounted Monthly Bills https://lifehacker.com/money/ftc-monthly-services-scam
[techcrunch.com] Dating app Raw exposed users’ location data and personal information https://techcrunch.com/2025/05/02/dating-app-raw-exposed-users-location-data-personal-information/
[cnet.com] I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy https://www.cnet.com/tech/mobile/i-tried-to-turn-off-the-ai-on-my-pixel-9-it-wasnt-easy/
[arstechnica.com] iOS and Android juice jacking defenses have been trivial to bypass for years https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/
[wired.com] Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi https://www.wired.com/story/airborne-airplay-flaws/
[Bleeping Computer] Microsoft makes all new accounts passwordless by default https://www.bleepingcomputer.com/news/microsoft/microsoft-makes-all-new-accounts-passwordless-by-default/
[blog.google] It’s now easier to prove age and identity with Google Wallet https://blog.google/products/google-pay/google-wallet-age-identity-verifications/
[404media.co] Mike Waltz Accidentally Reveals Obscure App the Government Is Using to Archive Signal Messages https://www.404media.co/mike-waltz-accidentally-reveals-obscure-app-the-government-is-using-to-archive-signal-messages/
Tip of the Week: Disable your Mobile Ad ID: https://firewallsdontstopdragons.com/disable-your-mobile-ad-id/
Bonus Links
[consumerreports.org] Using Contactless Payments on Your Phone? Take These Smart Steps. https://www.consumerreports.org/money/digital-payments/using-contactless-payments-on-phone-take-these-smart-steps-a1152343770/
Micah Lee’s TM SGNL blogs:
https://micahflee.com/tm-sgnl-the-obscure-unofficial-signal-app-mike-waltz-uses-to-text-with-trump-officials/
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
Further Info
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:01:09: News preview
0:03:38: FTC Warning Consumers About a Scam on Discounted Monthly Bills
0:06:51: Dating app Raw exposed users’ location data and personal information
0:13:31: I Tried to Turn Off the AI on My Pixel 9. It Wasn't Easy
0:20:30: iOS and Android juice jacking defenses have been trivial to bypass for years
0:29:07: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
0:35:06: Microsoft makes all new accounts passwordless by default
0:40:35: It’s now easier to prove age and identity with Google Wallet
0:47:42: Mike Waltz Accidentally Reveals Obscure App ...
--------
1:06:23
Riding the Data Gravy Train
Data brokers are out of control. While we think of them gathering data in order to target us with ads, they can actually use the targeted ad system (real-time bidding) to collect vast quantities of personal information. It's a very shady business and the primary players are trying hard to obfuscate what they're doing. Thankfully, we have people like my guest, Zach Edwards, whose investigations are ripping the cover off of these unscrupulous practices.
Interview Notes
Zach Edwards: https://www.linkedin.com/in/zedwards/
Zach at Silent Push: https://www.silentpush.com/team/zach-edwards/
Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
Disable mobile ad ID (iOS): https://ssd.eff.org/module/how-to-get-to-know-iphone-privacy-and-security-settings#disable-ad-tracking
Disable mobile ad ID (Android): https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-ad-tracking
Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:00: Intro
0:01:15: Last call for dragon coins!
0:01:57: Interview setup
0:03:01: Lingo definitions
0:05:05: How did you get into ad tracking as a profession?
0:12:57: How does Real-Time Bidding work?
0:16:16: Who are the big players in this space?
0:28:25: How does RTB leak data about us?
0:42:47: How much info about us is actually inferred rather than explicit?
0:46:09: Who else is looking to get hold of this ad data?
0:50:33: How else is our data being abused?
0:54:13: How does my data being leaked impact other people?
0:56:04: Are government agencies doing enough to protect our data?
0:57:53: Have we managed to fix any of the RTB system problems?
0:59:56: Is there a way to have targeted ads AND privacy?
1:05:31: So what can we do about this?
1:09:26: Wrap-up: revisiting email aliases
1:12:51: Patron bonus content preview
1:13:33: Looking ahead
--------
1:14:22
Travel Insecurity
Going through border security today - even just returning to your own country - is not at simple and stress-free as it should be. The likelihood of our digital devices being searched by a border agent has increased in recent years and political sensitivities today can be high. Our devices have access to a ridiculous amount of extremely personal information. How can we protect ourselves? The answers aren't great, but I'll give the current best advice from immigration lawyers and civil rights groups.
In other news: the Apple-UK data privacy court case will be at least partially public; some companies are ignoring automated opt-out signals; Waymo may use interior car video to train its AI; data breaches at Hertz and a Planned Parenthood medical lab; air travel group paints a picture of future use of facial recognition; San Francisco police have a new surveillance center; Ukraine drones come with anti-Russian malware; judge rules that 'cell tower dumps' require a warrant.
Article Links
[bbc.com] Apple-UK data privacy row should not be secret, court rules https://www.bbc.com/news/articles/cvgn1lz3v4no
[innovation.consumerreports.org] New Report: Many Companies May Be Ignoring Opt-Out Requests Under State Privacy Laws https://innovation.consumerreports.org/new-report-many-companies-may-be-ignoring-opt-out-requests-under-state-privacy-laws/
[techcrunch.com] Waymo may use interior camera data to train generative AI models, but riders will be able to opt out https://techcrunch.com/2025/04/08/waymo-may-use-interior-camera-data-to-train-generative-ai-models-sell-ads/
[Bleeping Computer] US lab testing provider exposed health data of 1.6 million people https://www.bleepingcomputer.com/news/security/us-lab-testing-provider-exposed-health-data-of-16-million-people/
[9to5mac.com] PSA: Hertz belatedly says customer personal data stolen, inc credit card details https://9to5mac.com/2025/04/15/psa-hertz-belatedly-says-customer-personal-data-stolen-inc-credit-card-details/
[theguardian.com] Boarding Passes and Check in to Be Scrapped in Air Travel Shake-up Plans https://www.theguardian.com/world/2025/apr/11/boarding-passes-and-check-in-to-be-scrapped-in-air-travel-shake-up-plans
[cbsnews.com] San Francisco Police's new surveillance hub being credited with 20% drop in crime https://www.cbsnews.com/sanfrancisco/news/san-francisco-police-surveillance-hub-real-time-investigation-center/
[forbes.com] Russians Capture Ukrainian Drones Which Infect Their Systems With Malware https://www.forbes.com/sites/vikrammittal/2025/04/02/russians-capture-ukrainian-drones-which-infect-their-systems-with-malware/
[404media.co] Judge Rules Blanket Search of Cell Tower Data Unconstitutional https://www.404media.co/judge-rules-blanket-search-of-cell-tower-data-unconstitutional/
Tip of the Week: https://firewallsdontstopdragons.com/border-insecurity/
Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
How and why to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:24: Update Apple stuff
0:00:42: Dragon coin promo!
0:01:32: News preview
0:04:11: Apple-UK data privacy row should not be secret, court rules
0:08:14: Many Companies May Be Ignoring Opt-Out Requests
0:14:20: Waymo may use interior camera data to train generative AI models
0:19:56: US lab testing provider exposed health data of 1.
--------
1:05:30
Life on the Blue Team
It's easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we'll delve into the world of the "blue team" - the defenders who are charged with protecting your data and the services you depend on - with cyber expert Oz Jones. Along the way, we'll learn valuable lessons for everyone.
Interview Notes
Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/
Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
CIS Controls: https://www.cisecurity.org/controls
Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html
Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:29: Patron promo is LIVE!
0:01:16: Correction
0:01:49: Interview setup
0:04:44: Jargon definitions
0:06:39: How did you get into cyber incident response?
0:09:56: What does it mean to be on the Blue Team?
0:13:25: What are the most impactful cyber threats to companies today?
0:16:34: Are people or companies most as risk for ransomware attacks?
0:19:57: What impact has cyber insurance had on cyber security?
0:21:02: What are the most common types of attacks on companies?
0:23:59: How should companies educate their employees about cyber threats?
0:30:48: How does working from home or using personal devices impact cyber attacks?
0:35:22: How can you protect your company against supply chain attacks?
0:38:45: What resources are available to help companies prepare?
0:41:07: How can we detect attacks and malware infections?
0:44:22: After an attack, how do you respond?
0:48:05: What are my legal obligations for notifying my customers?
0:50:25: Are table top simulations useful?
0:52:07: Are there incident response consultants you can hire?
0:53:05: Can you recommend some helpful resources?
0:56:11: As consumers, how can we make better choices?
0:58:22: Interview wrap-up
1:01:51: Troy Hunt was pwned
1:03:04: Patron bonus preview
1:04:32: Looking ahead
--------
1:05:18
Differential Privacy
When we collect a lot of personal data, say via the US Census, the goal is to glean important aggregate information and statistics, while somehow preserving the anonymity and privacy of the individual respondents. There's a rigorous mathematical process for doing this - that's actually not that hard to understand - called Differential Privacy. I'll explain how it works.
In the news: iOS has a new location privacy setting; Google confirms it's rolling out AI to Gmail; Windows makes it much harder to avoid creating a Microsoft Account; WhatsApp is rolling out AI in Europe with no way to opt out; Switzerland is considering undermining encrypted communications; 23andMe is going bankrupt - it's time to delete your data; France rejects a backdoor mandate; and finally, I have a lot to say about the US officials' Signal chat debacle.
Article Links
[9to5mac.com] iOS 18.4 includes a new location services privacy setting for your iPhone https://9to5mac.com/2025/04/02/ios-iphone-new-location-services-privacy-toggle/
[forbes.com] Google Confirms Gmail Upgrade—3 Billion Users Must Now Decide https://www.forbes.com/sites/zakdoffman/2025/03/22/google-confirms-gmail-upgrade-3-billion-users-must-now-decide/
[windowscentral.com] Microsoft will force Windows 11 installs to use a Microsoft Account — confirms removal of popular setup bypass https://www.windowscentral.com/software-apps/windows-11/microsoft-will-force-windows-11-installs-to-use-a-microsoft-account-confirms-removal-of-popular-setup-bypass
[Bleeping Computer] WhatsApp's Meta AI is now rolling out in Europe, and it can't be turned off https://www.bleepingcomputer.com/news/artificial-intelligence/whatsapps-meta-ai-is-now-rolling-out-in-europe-and-it-cant-be-turned-off/
[techradar.com] Secure encryption and online anonymity are now at risk in Switzerland – here's what you need to know https://www.techradar.com/vpn/vpn-privacy-security/secure-encryption-and-online-anonymity-are-now-at-risk-in-switzerland-heres-what-you-need-to-know
[arstechnica.com] FTC: 23andMe buyer must honor firm’s privacy promises for genetic data https://arstechnica.com/tech-policy/2025/04/ftc-watching-23andme-bankruptcy-sale-for-impact-on-users-genetic-data/
[schneier.com] The Signal Chat Leak and the NSA https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html
[eff.org] A Win for Encryption: France Rejects Backdoor Mandate https://www.eff.org/deeplinks/2025/03/win-encryption-france-rejects-backdoor-mandate
How Differential Privacy Works: https://firewallsdontstopdragons.com/how-differential-privacy-works/
Further Info
Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support our mission! https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Table of Contents
0:00:00: Intro
0:00:28: Coin promo teaser
0:02:47: News preview
0:05:21: iOS 18.4 includes a new location services privacy setting
0:10:09: Google Confirms Gmail AI Upgrade
0:16:41: Microsoft will force Windows 11 installs to use a Microsoft Account
0:20:57: WhatsApp's Meta AI is now rolling out in Europe
0:23:32: Secure encryption and online anonymity are now at risk in Switzerland
0:27:33: FTC: 23andMe buyer must honor firm’s privacy promises for genetic data
0:35:09: The Signal Chat Leak
0:53:05: A Win for Encryption: France Rejects Backdoor Mandate
0:56:14: Tip of the Week: Differential Privacy
1:06:20: Coin promo details
1:11:04: Merlin's Musings topic
1:11:29: Looking ahead
Polska