Talkin' Bout [Infosec] News: TikTok's Invasive Privacy Policy (Jan 26, 2026)
Podcast: Talkin’ Bout [Infosec] News
Host: Black Hills Information Security (Corey Ham, with Troy Wajuoda, Ralph, Rock Lambros, Mike, Hayden)
Date: January 28, 2026
Episode Theme: This episode dives deep into critical cybersecurity news of the week, focusing on TikTok’s alarmingly invasive privacy policy, as well as other trending infosec, technology, and privacy issues.
Episode Overview
The team at BHIS, joined by guest Rock Lambros, explores recent news touching on persistent security problems (e.g., firewall vulnerabilities), the ever-expanding reach of consumer data collection, regulation attempts in tech (from social media and parental controls to 3D printer legislation), and the rise of powerful AI personal assistants. The conversation is fast-paced, breezy, and loaded with both technical insights and entertaining banter.
Major Discussion Points & Insights
1. Firewall Vulnerabilities: The Fortinet Auth Bypass (07:29 - 11:55)
- Persistent Auth Bypass Vulnerabilities: Corey discusses yet another critical authentication bypass affecting Fortinet firewall management interfaces.
- "This is like the 10th time this has happened, at least... Firewall management interfaces should not be exposed. We know this, everyone knows this." (07:29)
- Patch failures and re-exploitation: Even after fixes, vulnerabilities are being exploited due to improper patching.
- Broader Market Perspective: Fortinet is popular in the mid-market, sometimes compared to “the Honda Civic or Kia” of firewalls.
- Security Fundamentals: The team reiterates that no firewall or vendor is immune.
- "All of it. All of it [can be breached]." (11:00)
Notable quote:
"What firewall do you have is kind of like, what car do you drive of Enterprise Security?" – Corey Ham (09:41)
2. Telnet: A Ten-Year-Old Vulnerability Still Live (14:26 - 16:28)
- Historic Vulnerabilities Still Out There: Discussion of a Telnet flaw more than ten years old that is still found on 800,000 servers (per Shodan).
- Real-World Persistence: Organizations often have legacy devices/EOL hardware with open Telnet that no one claims ownership over.
- Patch Gaps in Open Source: Even in open-source, widely used but rarely audited code can hide major issues.
Notable quote:
"We find a firewall in a closet, unplugged it. It's still there... We weren't using this... but we still have it." – Corey Ham (15:08)
3. TikTok’s Privacy Policy: More Invasive Than Ever (17:26 - 21:49)
- Clara Hawking’s LinkedIn Analysis: TikTok’s revised privacy policy is dissected, revealing:
  - Aggressive data grabs—identity docs, private messages, clipboard content, environmental analysis of videos, etc.
  - "It explicitly acknowledges that it can gather account details, identity verification documents, private messages, drafts. It also says clipboard content. That is the one that really gave me shudders." – Corey Ham (17:55)
- Increasing Normalization of Extreme Data Collection: Despite bans and personal avoidance, TikTok’s popularity and normalization of invasive features continues.
- Broader Context: Comparisons to other platforms (Meta, YouTube, Snapchat).
- "It is one of the most aggressive data collection regimes of any mainstream consumer platform." (21:16, referencing Hawking)
Notable quotes:
"This is why you don't copy paste your passwords on a password manager." – Hayden (18:38)
"All of the information you put on your phone is getting ingested by someone else. Safe to say." – Corey Ham (21:44)
4. Privacy in Practice: Supreme Court Case on Web Tracking (24:22 - 26:40)
- A Person Suing over “The Core Use Case of the Internet”: The Supreme Court considers whether tracking user activity on 247sports.com (and sharing it with Facebook) violates decades-old video rental privacy law.
- "He's essentially suing to say, like, I don't want the Internet to exist." – Corey Ham (25:24)
- Legal Dissonance: The team finds it both quaint and depressing that privacy laws lag so far behind technical reality.
5. The State of Digital Advertising (27:03 - 30:38)
- Annoyance and Pervasiveness: Overwhelming digital ad sprawl across platforms, including more intrusive YouTube ad placements and direct in-video sponsorships.
- Ad revenue remains creators’ main income stream, though ad-free Premium subscriptions do pay out more to creators.
- Creative Burnout: High demands for content creation with diminishing returns for new entrants.
6. Parental Controls: Google’s “Graduation” Emails (31:03 - 34:22)
- Sensational News vs. Reality: The panel examines a viral article in which a parent was shocked that Google emailed their child about possibly ending parental controls at age 13.
  - The reaction is seen as overblown; actual unsupervised access still requires parental consent.
  - "If this is the only way of supervising your kid, you're probably not a very good supervisor." – Corey Ham (32:37)
7. Social Media Regulation: The UK’s House of Lords Proposal (34:35 - 39:23)
- Proposed Ban on Social Media for Under-16s: The House of Lords considered restricting access for children, sparking debate over practicality and effectiveness.
- Historical Comparison: The conversation draws parallels between regulating social media and past efforts against smoking, recognizing that regulation might mostly shift cultural attitudes.
- Roblox as Social Media: Broader question of what even defines “social media” as chat and interactive features bleed into gaming—key for understanding the future of regulation.
Notable quote:
"Legislation creating the next generation of hackers. Hell yeah." – Corey Ham (36:42)
8. 3D Printer Legislation: Washington State’s Extreme Bill (42:20 - 47:57)
- Proposed Law: Requires all 3D printers (and even milling machines) to check creations against a government database to prevent the manufacturing of firearms.
- Technical Impracticality: The panel concurs it’s virtually unenforceable. Users could print tiny, undetectable parts, or use “dumb” machines with no cloud features.
- Historic Parallel: Comparison to printers integrating secret IDs to prevent counterfeiting.
- Freedom, Privacy, and “You Can’t Put the Cat Back in the Bag”: The scale of existing firearms and general technology limitations make such proposals ineffective.
9. Password Manager Innovations (“Firewall for the Web”) (48:28 - 51:40)
- New Defenses from 1Password: 1Password launches brand-protection tools that block password autofill on typo-squatted and phishing domains.
- "Wouldn't you just check the URL that's saved in 1Password and then check the destination? That's part of what they're doing." – Corey Ham & Hayden (49:27)
- AI Integration: 1Password and other managers increasingly work with AI models for credential handling. Feature rollouts will get more sophisticated—and more controversial.
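The check the panel describes (compare the URL a login was saved from with the page now asking for it, and refuse to fill on lookalikes) can be sketched in code. The following is an added example, not 1Password's code, and the page does not state the exact rules 1Password applies. It assumes each saved login carries one saved URL, approximates the registrable domain as the last two hostname labels (a real implementation would consult the Public Suffix List), and uses constructed sample URLs.

```javascript
// Added example (not 1Password's code): decide whether a login saved for one
// URL may be autofilled on the page the user has actually landed on.
// Assumptions, constructed for this example: each saved login carries the URL
// it was saved from; the registrable domain is approximated as the last two
// hostname labels (a real implementation would consult the Public Suffix List).

// "accounts.example.com" -> "example.com" (approximation, see above)
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Edit distance between two strings, used to spot one-character typo-squats.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Returns { allow, reason }. Every "lookalike" branch denies: the point is to
// refuse to hand a credential to a site that merely resembles the saved one.
function autofillDecision(savedUrl, currentUrl) {
  const saved = new URL(savedUrl);
  const current = new URL(currentUrl);
  const savedHost = saved.hostname.toLowerCase();
  const currentHost = current.hostname.toLowerCase();

  if (current.protocol !== "https:") {
    return { allow: false, reason: `insecure scheme ${current.protocol} on destination` };
  }
  if (saved.origin === current.origin) {
    return { allow: true, reason: "exact origin match" };
  }
  const savedReg = registrableDomain(savedHost);
  const currentReg = registrableDomain(currentHost);
  if (savedReg === currentReg) {
    // Policy choice: a login saved on accounts.example.com may fill on www.example.com.
    return { allow: true, reason: "same registrable domain" };
  }
  // Internationalized (punycode) hostname where the saved site had none.
  if (currentHost.split(".").some((l) => l.startsWith("xn--")) && !savedHost.includes("xn--")) {
    return { allow: false, reason: "lookalike: punycode label on a site saved without one" };
  }
  // Saved domain smuggled into a longer hostname, e.g. accounts.example.com.evil.net.
  if (currentHost.includes(savedReg)) {
    return { allow: false, reason: "lookalike: saved domain embedded in destination hostname" };
  }
  // A typo-squat such as examp1e.com sits within a couple of edits of the real name.
  if (levenshtein(savedReg, currentReg) <= 2) {
    return { allow: false, reason: `lookalike: within edit distance 2 of ${savedReg}` };
  }
  return { allow: false, reason: "unrelated site" };
}

// Constructed sample destinations for one saved login.
const SAVED_LOGIN_URL = "https://accounts.example.com/login";
const SAMPLE_DESTINATIONS = [
  "https://accounts.example.com/login?next=/home",
  "https://www.example.com/",
  "http://accounts.example.com/login",
  "https://examp1e.com/login",
  "https://accounts.example.com.evil.net/login",
  "https://ex\u0430mple.com/login", // Cyrillic "а" in place of Latin "a"
  "https://other.org/login",
];

for (const dest of SAMPLE_DESTINATIONS) {
  const { allow, reason } = autofillDecision(SAVED_LOGIN_URL, dest);
  console.log(`${allow ? "FILL " : "BLOCK"} ${dest}  (${reason})`);
}
```

The subdomain rule is a deliberate policy choice rather than a security requirement: some managers fill only on the exact saved origin, which is stricter and removes the need for the registrable-domain approximation entirely. The order of checks matters; the scheme test comes first so that a credential saved for an HTTPS site is never offered to a plaintext page of the same host.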
10. AI Personal Assistant Explosion: Claude Bot (52:08 - 59:55)
- Rise of “Claude Bot”: This open-source AI assistant hooks into Claude (Anthropic’s LLM), can control various APIs, calendar apps and smart devices, and can even automate actions over Signal or Telegram.
- "It's kind of like bringing in that personal assistant that AI has been promising." – Corey Ham (53:32)
- Security Nightmare: Connect too much, and someone could feed the bot malicious instructions through content it reads (prompt injection), especially if it is exposed to public interfaces like Twitter.
- "Anything that can get to AI can be prompt injected." – Corey Ham (55:36)
- User Experience: Setting up “private” Claude Bots is tantalizing but risky—plugin isolation, local-only deployments, and proper allowlisting become vital.
- "If you just hit install and hit go, like, you're totally screwed." – Ralph (59:55)
- Addictive Power: The allure for tech enthusiasts is real—a “drug” of automation, but one carrying significant dangers.
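The "proper allowlisting" the panel calls for can be made concrete as a policy gate between the model's proposed tool calls and the plugins that execute them. The following is an added example, not Claude Bot's, Anthropic's or any other project's code. It assumes the assistant proposes calls as `{ tool, args, source }`, where `source` records whether the text that led to the call came from the owner ("operator") or from something the bot read ("untrusted": an inbound Signal or Telegram message, a fetched page, an email); the tool names, phone numbers and proposed calls are constructed.

```javascript
// Added example (not Claude Bot's, Anthropic's or any other project's code):
// a policy gate between an assistant's proposed tool calls and the plugins
// that execute them. Assumptions, constructed for this example: the assistant
// proposes calls as { tool, args, source }, where `source` is the provenance
// of the text that led to the call: "operator" for the owner's own message,
// "untrusted" for anything the bot read from elsewhere (an inbound Signal or
// Telegram message, a fetched web page, an email, a public timeline).

const TOOL_POLICY = {
  "calendar.read":   { sideEffects: false },
  "calendar.create": { sideEffects: true },
  "signal.send":     { sideEffects: true, recipientAllowlist: ["+15550100001", "+15550100002"] },
  // Tools absent from this table (shell, file system, payments...) are unreachable.
};

// Returns { decision: "allow" | "confirm" | "deny", reason }.
function gateToolCall(call, policy = TOOL_POLICY) {
  const rule = policy[call.tool];
  if (!rule) {
    return { decision: "deny", reason: `tool ${call.tool} is not allowlisted` };
  }
  if (rule.recipientAllowlist && !rule.recipientAllowlist.includes(call.args?.to)) {
    return { decision: "deny", reason: `recipient ${call.args?.to} is not an approved contact` };
  }
  if (rule.sideEffects && call.source !== "operator") {
    // Instructions that arrived inside untrusted content never act on their own:
    // the owner sees the proposed action and approves or drops it.
    return { decision: "confirm", reason: "side-effecting call prompted by untrusted content" };
  }
  return { decision: "allow", reason: "allowlisted" };
}

// Split a batch of proposed calls into what runs now, what waits, what is dropped.
function triage(calls, policy = TOOL_POLICY) {
  const out = { allow: [], confirm: [], deny: [] };
  for (const call of calls) {
    const verdict = gateToolCall(call, policy);
    out[verdict.decision].push({ ...call, reason: verdict.reason });
  }
  return out;
}

// Constructed batch: the first four follow the owner's own message, the last
// three were proposed after the bot read an inbound message from a stranger.
const PROPOSED_CALLS = [
  { tool: "calendar.read",   args: { day: "2026-01-28" },                          source: "operator" },
  { tool: "calendar.create", args: { title: "Dentist, 3pm" },                      source: "operator" },
  { tool: "signal.send",     args: { to: "+15550100001", text: "Running late" },   source: "operator" },
  { tool: "shell.exec",      args: { cmd: "uptime" },                              source: "operator" },
  { tool: "calendar.read",   args: { day: "2026-01-29" },                          source: "untrusted" },
  { tool: "calendar.create", args: { title: "Call back re: invoice" },             source: "untrusted" },
  { tool: "signal.send",     args: { to: "+15550199999", text: "hi" },             source: "untrusted" },
];

const result = triage(PROPOSED_CALLS);
for (const [decision, calls] of Object.entries(result)) {
  for (const c of calls) console.log(`${decision.toUpperCase().padEnd(7)} ${c.tool}  (${c.reason})`);
}
```

Two design points: the allowlist is a table of what may run at all, so a plugin the owner never listed cannot be reached however the model is steered; and provenance tagging turns the page's "anything that can get to AI can be prompt injected" into a mechanical rule, since content-originated requests can only queue a side-effecting action for the owner to approve, never execute it. Read-only tools are still allowed from untrusted sources here, which is why their results should flow back only to the owner and never into a reply on the channel the request came from.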
11. Final Thoughts: AI Everywhere, Security Needed
- The year of the “assistant” is coming, but so is the year of spectacular user mistakes and malicious exploits.
- Security researchers must prepare for a wave of social engineering, prompt injection, and new threat models surrounding personal AIs.
Timestamps for Key Segments
- Fortinet Auth Bypass: 07:29 – 11:55
- Telnet Vulnerability: 14:26 – 16:28
- TikTok Privacy Policy: 17:26 – 21:49
- Supreme Court Web Tracking Case: 24:22 – 26:40
- Ads/Economics of Content: 27:03 – 30:38
- Google Parental Controls Flap: 31:03 – 34:22
- UK Social Media Ban for Under-16s: 34:35 – 39:23
- 3D Printing Regulation (WA State): 42:20 – 47:57
- 1Password Brand Protection with AI: 48:28 – 51:40
- Claude Bot—AI Automation Wave: 52:08 – 59:55
Notable Quotes & Memorable Moments
- "This is why you don't copy paste your passwords on a password manager." – Hayden (18:38)
- "He's essentially suing to say, like, I don't want the Internet to exist." – Corey Ham (25:24)
- "Legislation creating the next generation of hackers. Hell yeah." – Corey Ham (36:42)
- "Anything that can get to AI can be prompt injected." – Corey Ham (55:36)
- "If you just hit install and hit go, like, you're totally screwed." – Ralph (59:55)
Panel Tone & Dynamic
The conversation is fast-paced, sarcastic, and loaded with inside jokes that also illuminate important truths about the chaotic, imperfect world of cybersecurity. While the panelists are technically deep, they balance earnest advice on staying secure with irreverent takes on the futility of many headline news stories.
Summary Takeaway
If you work in infosec—or just follow the news—this episode is a must-listen. It covers critical threats (old and new), exposes the futility of certain policy efforts, and underscores the relentless march of both advertising and AI into every corner of our digital lives. TikTok’s privacy regime stands out as particularly egregious, but the bigger pattern is that privacy, control, and exploitation are converging, whether on firewalls, phones, or AI bots.
If there’s one overarching lesson, it’s that the perimeter is dead, privacy is mostly an illusion, and your new AI assistant may soon be your biggest liability as well as your most tempting toy.