Riding the Data Gravy Train

28 april 2025 | 74 min

Data brokers are out of control. While we think of them gathering data in order to target us with ads, they can actually use the targeted ad system (real-time bidding) to collect vast quantities of personal information. It’s a very shady business and the primary players are trying hard to obfuscate what they’re doing. Thankfully, we have people like my guest, Zach Edwards, whose investigations are ripping the cover off of these unscrupulous practices.

Interview Notes

Zach Edwards: https://www.linkedin.com/in/zedwards/
Zach at Silent Push: https://www.silentpush.com/team/zach-edwards/
Using email aliases: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/
Disable mobile ad ID (iOS): https://ssd.eff.org/module/how-to-get-to-know-iphone-privacy-and-security-settings#disable-ad-tracking
Disable mobile ad ID (Android): https://ssd.eff.org/module/how-to-get-to-know-android-privacy-and-security-settings#disable-ad-tracking

Further Info

Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

0:00:00: Intro
0:01:15: Last call for dragon coins!
0:01:57: Interview setup
0:03:01: Lingo definitions
0:05:05: How did you get into ad tracking as a profession?
0:12:57: How does Real-Time Bidding work?
0:16:16: Who are the big players in this space?
0:28:25: How does RTB leak data about us?
0:42:47: How much info about us is actually inferred rather than explicit?
0:46:09: Who else is looking to get hold of this ad data?
0:50:33: How else is our data being abused?
0:54:13: How does my data being leaked impact other people?
0:56:04: Are government agencies doing enough to protect our data?
0:57:53: Have we managed to fix any of the RTB system problems?
0:59:56: Is there a way to have targeted ads AND privacy?
1:05:31: So what can we do about this?
1:09:26: Wrap-up: revisiting email aliases
1:12:51: Patron bonus content preview
1:13:33: Looking ahead

Travel Insecurity

21 april 2025 | 66 min

Life on the Blue Team

14 april 2025 | 65 min

It’s easy to be a Monday morning quarterback, even with cybersecurity. But defending a business, of any size, against cyber threats today is hard. Like, really hard. Defenders have to succeed every single time; attackers only need to succeed once. And then your company makes the headlines. Today we’ll delve into the world of the “blue team” – the defenders who are charged with protecting your data and the services you depend on – with cyber expert Oz Jones. Along the way, we’ll learn valuable lessons for everyone.

Interview Notes

Oz Jones on LinkedIn: https://www.linkedin.com/in/4f5a/
Troy Hunt got pwned: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
CIS Controls: https://www.cisecurity.org/controls
Marsh’s Top 12 controls: https://www.marsh.com/en-gb/services/cyber-risk/insights/cyber-resilience-twelve-key-controls-to-strengthen-your-security.html

Further Info

Dragon Coin Promo!! https://fdsd.me/promo425
Generate passphrases with a d20: https://d20key.com/#/
My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

0:00:00: Intro
0:00:29: Patron promo is LIVE!
0:01:16: Correction
0:01:49: Interview setup
0:04:44: Jargon definitions
0:06:39: How did you get into cyber incident response?
0:09:56: What does it mean to be on the Blue Team?
0:13:25: What are the most impactful cyber threats to companies today?
0:16:34: Are people or companies most as risk for ransomware attacks?
0:19:57: What impact has cyber insurance had on cyber security?
0:21:02: What are the most common types of attacks on companies?
0:23:59: How should companies educate their employees about cyber threats?
0:30:48: How does working from home or using personal devices impact cyber attacks?
0:35:22: How can you protect your company against supply chain attacks?
0:38:45: What resources are available to help companies prepare?
0:41:07: How can we detect attacks and malware infections?
0:44:22: After an attack, how do you respond?
0:48:05: What are my legal obligations for notifying my customers?
0:50:25: Are table top simulations useful?
0:52:07: Are there incident response consultants you can hire?
0:53:05: Can you recommend some helpful resources?
0:56:11: As consumers, how can we make better choices?
0:58:22: Interview wrap-up
1:01:51: Troy Hunt was pwned
1:03:04: Patron bonus preview
1:04:32: Looking ahead

Differential Privacy

7 april 2025 | 72 min

Microscoping Our Apps

31 mars 2025 | 71 min

We’ve been installing apps on our smartphones for almost two decades now. The iPhone and Android app stores kicked off in 2008 and we still, to this day, have no real way to know what’s in them. It turns out that most apps are an amalgamation of software libraries and development kits from various third party vendors, so often even the makers of apps don’t fully understand the makeup of their products. Lisa LeVasseur from Internet Safety Labs has worked to build tools to dissect and inspect our apps and help us understand what they’re really doing.

Interview Notes

Internet Safety Labs: https://internetsafetylabs.org/
App Microscope: https://appmicroscope.org/
Interview with Dr. Johnny Ryan on real-time bidding: https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Dark Patterns interview: https://podcast.firewallsdontstopdragons.com/2020/11/16/dark-patterns-part-1/
Using Burp Suite to intercept HTTP traffic: https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
Exodus Privacy: https://exodus-privacy.eu.org/en/
Henrietta Lacks: https://en.wikipedia.org/wiki/Henrietta_Lacks

Further Info

My book: https://fdsd.me/book
My newsletter: https://fdsd.me/newsletter
Support the mission: https://fdsd.me/support
My social media: https://firewallsdontstopdragons.com/contact/
Give the gift of privacy and security: https://fdsd.me/coupons
Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch

0:00:00: Intro
0:00:31: Note on 23andMe
0:01:35: Follow my social media
0:01:58: Signal debacle
0:02:39: Interview setup
0:07:06: What is Internet Safety Labs and what do you do there?
0:09:49: What are the privacy risks with EdTech?
0:16:31: How did the pandemic impact EdTech software?
0:19:02: How does the “notice and consent” model work with EdTech software?
0:25:26: Do app makers even know what’s in their own software?
0:28:11: How do ads inside our apps get there?
0:30:45: How does App Microscope work?
0:32:33: How does safety differ from security?
0:34:37: What can you learn from the data and metadata an app generates?
0:37:22: Do you study “dark patterns” in apps?
0:41:42: How do you determine the software makeup of a given app?
0:47:10: How accurate are the app privacy “nutrition” labels?
0:51:58: How important are the non-technical aspects of an app for safety?
0:56:33: How do I use the App Microscope tool?
1:00:38: How can we support your efforts?
1:04:41: Interview follow-up
1:08:51: Burp Suite info
1:09:32: Patron bonus preview
1:10:27: Looking ahead

It’s Tax (Scam) Time Again

24 mars 2025 | 59 min

All Things Secured

17 mars 2025 | 65 min

Josh Summers lived in China for many years and learned a lot about privacy and security. Since he left, he’s made it his mission to share this knowledge through his website and YouTube channel called All Things Secured – helping regular, everyday people like you and me to protect our data and devices. Today we’ll talk specifically about improving your security and privacy on iPhones and Android phones, and even some alternatives outside the Apple and Google ecosystems.

Interview Notes

All Things Secured: https://www.allthingssecured.com/
All Things Secured YouTube: https://www.youtube.com/@AllThingsSecured
Apple iPhone Lockdown Mode: https://support.apple.com/en-us/105120
Apple Stolen Device Protection: https://support.apple.com/en-us/120340
Apple Advanced Data Protection: https://support.apple.com/en-us/108756
Android Theft Protection: https://blog.google/products/android/android-theft-protection/
Google Advanced Protection Program: https://landing.google.com/advancedprotection/faq/
iPhone hide/lock apps: https://support.apple.com/guide/iphone/lock-or-hide-or-an-app-iph00f208d05/ios
Cryptomator: https://cryptomator.org/
OsmAnd maps: https://osmand.net/
Jitsi video conferencing: https://jitsi.org/
Hoody AI: https://hoody.com/ai
DuckDuckGo AI: https://duck.ai/
GrapheneOS: https://grapheneos.org/

Further Info

Recommend news stories: send to news [at] firewallsdontstopdragons.com
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

0:00:14: intro
0:00:27: Couple quick news items
0:01:59: Interview setup
0:02:47: How did you come to start All Things Secured?
0:04:41: What’s is like living in China, from a privacy perspective?
0:07:26: What are the basic security and privacy risks with a smartphone?
0:11:21: How do iPhones compare to Android phones?
0:13:35: How does Android’s multi-level ecosystem impact security?
0:16:42: How secure are smartphones against remote attacks?
0:19:39: Can you protect your smartphone against direct physical access?
0:25:20: What are some of the latest and greatest smartphone security features?
0:35:51: What if we don’t trust Apple or Google’s security?
0:40:05: If we don’t trust Apple or Google apps, which ones should we consider using?
0:45:35: How can we protect our privacy with AI?
0:53:08: Are there better smartphone options beyond iOS and Android?
0:56:27: What worries you most? What gives you hope?
0:58:54: How can we learn more from you?
1:00:01: Interview wrap-up
1:00:55: Patron bonus content
1:01:55: Guest appearances
1:02:47: Looking ahead

Slay Browser Ads Forever

10 mars 2025 | 68 min

Back to The L0pht

3 mars 2025 | 63 min

Today, we travel back in time and back to The L0pht with one of the original founders of L0pht Heavy Industries, Weld Pond (aka Chris Wysopal). We’ll talk about how hacker culture has impacted modern technology, cybersecurity practices and digital rights, while sprinkling in some classic and hilarious stories from hacker history by someone who lived them.

Interview Notes

Veracode: https://www.veracode.com/
L0pht.com: https://l0pht.com/
L0pht Congressional testimony 1998: https://www.youtube.com/watch?v=VVJldn_MmMY
DEF CON 26 reunion panel: https://archive.org/details/youtube-noE4o-roAWM
MIT Lockpicking guide: https://archive.org/details/mit-guide-to-lock-picking-v05/mode/2up
The Open Organisation Of Lockpickers (TOOOL): https://toool.us/
2600: https://www.2600.com/
Classic engineering references: https://bitsavers.org/

Further Info

Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

0:00:16: intro
0:00:40: Interview setup
0:03:19: How did you come to be in The L0pht?
0:08:36: How did meeting in real life as well as online affect L0pht’s dynamics?
0:09:34: How did you find so much free and adandoned computer hardware?
0:13:44: How did you manage to just drive your van in the NSA parking lot?
0:19:20: What has been the lasting impact of your Congressional testimony in 1998?
0:21:45: How did you come to invite cyber czar Richard Clarke to The L0pht?
0:27:17: How have hackers pushed back against overreach from corporations?
0:36:05: Why are lockpicking and computer hacking so closely related?
0:40:55: Is it easier or harder to be a hacker today versus when you started?
0:45:56: Are we still fighing the Crypto Wars of the 90s? Are we winning?
0:51:17: Are there any glaring misconceptions about The L0pht you’d like to fix?
0:55:16: Where are The L0pht folks now and what are they up to?
0:57:51: Interview wrap-up
1:00:59: Patron bonus preview
1:01:35: Looking ahead

Onion Routing

24 februari 2025 | 74 min

Security Planner

17 februari 2025 | 59 min

Generic security advice is good, but tailored advice is much better. Everyone's situation is a little different. What are you trying to protect? Who or what are you trying to protect it from? What are the consequences of failure? This is called threat modeling. And thankfully, the wonderful folks at Consumer Reports have a free, easy-to-use Security Planner tool that will help anyone do this assessment and provide custom solutions. My guest today is Yael Grauer, who will help us understand how to think about our security and how the CR tool can help you protect your data and devices. Interview Notes Consumer Reports Security Planner tool: https://securityplanner.consumerreports.org/ Yael’s website: https://yaelwrites.com/ Big Ass Data Broker Opt Out List (BADBOOL): https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List Consumer Reports advocacy: https://advocacy.consumerreports.org/ CR’s Digital Standard: https://thedigitalstandard.org/ CR’s Consumer Readiness Report 2024 (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/09/2024-Consumer-Cyber-Readiness-Report.pdf How to choose a PIN code: https://firewallsdontstopdragons.com/how-to-choose-a-pin/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:07: Intro 0:01:07: Interview setup 0:02:35: Yael introduction 0:04:19: What questions should we answer to get useful security advice? 0:06:41: How does Security Planner work? 0:08:03: How does Security Planner tailor its suggestions? 0:10:58: How do you decide what the most important factors are for security? 0:15:11: What might trigger me to re-run this tool and get a fresh report? 0:17:18: How does Consumer Reports research its recommendations? 0:19:59: How does CR vet the products and services that it recommends? 0:23:18: How do you weight things like convenience and ease of use? 0:27:34: Is it okay to make people pay for basic security features? 0:35:08: What role should government play in pushing for better security? 0:36:55: How important is transparency for driving better security? 0:39:15: What did the CR Cyber Readiness survey reveal? 0:43:22: Why do we choose bad passwords? 0:45:55: Why don't companies provider better support for security problems? 0:51:39: What's next for you and CR? How do we get updates? 0:53:43: Interview wrap-up 0:56:20: Patron bonus content preview 0:57:06: Looking ahead

Crypto Wars 2.0

10 februari 2025 | 69 min

Privacy is a human right - and you don't have to justify rights, you just have them. That's kinda the whole point. But you do need to exercise them and defend them sometimes. It has been leaked that the UK is telling Apple to reveal the encrypted data of every single one of their users to the UK government under the auspices of the Investigatory Powers Act (and its recent controversial Amendment). This would be a privacy and security disaster, and we were not even supposed to know about it. In other news: Netgear warns of serious router bugs (so update your firmware now); DeepSeek AI app has serious security and privacy problems, but the AI model has real promise in other ways; AngelSense personal customer data exposed; Cybercrime groups exploit 7-Zip app flaws to bypass Windows protections; some clever Mac and iOS malware making the rounds; new Android Identity Check feature released, and I introduce some Privacy Enhancing Technologies. Article Links [Bleeping Computer] Netgear warns users to patch critical WiFi router vulnerabilities https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-critical-wifi-router-vulnerabilities/ [krebsonsecurity.com] Experts Flag Security, Privacy Risks in DeepSeek AI App https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/ [techcrunch.com] AngelSense exposed location data and personal information of tracked users https://techcrunch.com/2025/01/30/angelsense-exposed-location-data-and-personal-information-of-tracked-users/ [The Hacker News] Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html [appleinsider.com] New macOS malware disguises itself as Chrome & Zoom installers https://appleinsider.com/articles/25/02/04/new-macos-malware-disguises-itself-as-chrome-zoom-installers [macrumors.com] Apple Removed Apps Infested With Screen Reading Malware https://www.macrumors.com/2025/02/06/apple-removed-screen-reading-malware-apps/ [Bleeping Computer] New Android Identity Check locks settings outside trusted locations https://www.bleepingcomputer.com/news/security/new-android-identity-check-locks-settings-outside-trusted-locations/ [theverge.com] Apple ordered to open encrypted user accounts globally to UK spying https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter Tip of the Week: https://firewallsdontstopdragons.com/privacy-enhancing-technologies-pet/ Further Info Securing your router: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/ Objective-See tools: https://objective-see.org/ Recommend news stories: send to news [at] firewallsdontstopdragons.com Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:06: Intro 0:00:20: Tax scams, ID.me 0:02:54: News preview 0:05:01: Netgear router vulnerabilities 0:08:17: DeepSeek AI has security problems, but also shows promise 0:19:36: AngelSense exposed personal information of tracked users 0:26:23: Russian Cybercrime Groups Exploiting 7-Zip Flaw 0:35:44: macOS stealer malware disguises itself as fake installer 0:42:30: New Apple malware uses OCR to mine secrets 0:46:00: New Android Identity Check locks settings outside trusted locations 0:49:10: Apple ordered to open encrypted user accounts globally to UK spying 1:04:56: Tip of the Week: Privacy Enhancing Technologi...

Controlling Your Digital ID

3 februari 2025 | 69 min

In the real world, we present different aspects of ourselves in different environments: home, work, family, friends, school, etc. Why can't we do this in the virtual world, as well? While marketers love to identify us with unique identifiers so they can track us mercilessly, there are tools we can use that will allow us to compartmentalize our digital lives just like we can in the real world. Today we'll discuss the notion of decentralized identity with Dr. Paul Ashley, CTO of Anonyome Labs who runs the MySudo service. Interview Notes MySudo: https://anonyome.com/individuals/mysudo/ Anonyome Labs: https://anonyome.com/ Open Wallet Foundation: https://openwallet.foundation/ Verifiable Credentials (W3C): https://www.w3.org/TR/vc-data-model/ Privacy is Power interview: https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/ EFF on digital wallets: https://www.eff.org/deeplinks/2024/09/digital-id-isnt-everybody-and-thats-okay Further Info Recommend news stories: send to news [at] firewallsdontstopdragons.com Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:14: Intro 0:00:38: Getting more non-US news stories 0:02:44: Still waiting on big winner to reply 0:03:15: Intervew setup 0:05:23: How did Anonyome Labs get started? 0:12:20: Which identifiers are most valuable for tracking people? 0:15:19: Can you explain "de-centralized IDs " and "identity wallets"? 0:24:28: Are there open standards for digital ID? 0:29:20: Can digital ID be used to privately verify your age online? 0:32:18: Can email relay companies see all your emails? 0:36:31: How about using a custom domain for creating email aliases? 0:38:50: Don't a lot of sites reject email and phone numbers from alias services? 0:43:17: Do social media companies allow you to have multiple accounts? 0:46:37: What about ad ID's and fingerprinting? 0:51:21: What happens if your virtual ID company goes bad or goes dark? 0:55:36: Can I trust the virtual ID companies with my privacy? 0:59:07: Are there downsides or gotchas to using services like these? 1:00:51: How can we convince companies to respect our privacy? 1:04:48: What else is MySudo working on? 1:07:41: Interview wrap-up 1:08:17: Patron preview 1:08:42: Looking ahead

Treat Plugins Like Apps

27 januari 2025 | 71 min

Software plugins allow you to add functionality to existing applications. Web browsers commonly use these extensions to add functionality like shopping helpers, password managers, ad blockers and much, much more. In a way, these add-ons are like "apps" for the browser. Like apps, they can view and manipulate your data. In the browser, they may alter the web page, track pages you visit, and even mine any data you might enter into web forms. Also like apps, plugins can have permissions which you must agree to when you install them. Therefore, we need to be very careful which plugins we install and make sure we trust the maker. Today I'll explain how to audit your plugins. In other news: The TikTok ban has been given a 75-day reprieve; the Trump administration fires scores of cybersecurity experts; Apple Intelligence will soon be enabled by default on iPhones and Macs; some clever researchers have hacked the iPhone USB-C connection; a tricky new smishing campaign tricks users into bypassing Apple protections; PowerSchool hack affects 62M students and 9M teachers; new AI took can identify where a photo was taken; Subaru hack exposes scary amount of location data collection; fuzzing tool find over 100 bugs in modern cellular network; Texas sues Allstate for using private car data; FTC to ban GM from sharing location info; exercise equipment collects lots of personal data; federal court finally rules that Section 702 FISA data access requires a warrant. Article Links [theverge.com] Trump signs order refusing to enforce TikTok ban for 75 days https://www.theverge.com/2025/1/20/24348213/trump-tiktok-ban-executive-order-sale-delay-china [techcrunch.com] Trump administration fires members of cybersecurity review board in “horribly shortsighted” decision https://techcrunch.com/2025/01/22/trump-administration-fires-members-of-cybersecurity-review-board-in-horribly-shortsighted-decision/ [macrumors.com] macOS Sequoia 15.3 and iOS 18.3 Enable Apple Intelligence Automatically https://www.macrumors.com/2025/01/21/macos-sequoia-15-3-apple-intelligence-opt-out/ [9to5mac.com] Security vulnerability in iPhone’s USB-C port, and a gotcha with iMessage scams https://9to5mac.com/2025/01/14/security-vulnerability-in-iphones-usb-c-port-and-a-gotcha-with-imessage-scams/ [Tech Radar] PowerSchool hack keeps getting worse - 62 million students now thought to be affected https://www.techradar.com/pro/security/powerschool-hack-keeps-getting-worse-62-million-students-now-thought-to-be-affected [404media.co] The Powerful AI Tool That Cops (or Stalkers) Can Use to Geolocate Photos in Seconds https://www.404media.co/the-powerful-ai-tool-that-cops-or-stalkers-can-use-to-geolocate-photos-in-seconds/ [wired.com] Subaru Security Flaws Exposed Its System for Tracking Millions of Cars https://www.wired.com/story/subaru-location-tracking-vulnerabilities/ [The Hacker News] RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations https://thehackernews.com/2025/01/ransacked-over-100-security-flaws-found.html [gizmodo.com] Texas Sues Allstate for Collecting Driver Data to Raise Premiums https://gizmodo.com/texas-sues-allstate-for-collecting-driver-data-to-raise-premiums-2000549878 [techcrunch.com] GM banned from sharing driving and location data with insurance companies https://techcrunch.com/2025/01/17/gm-banned-from-sharing-driving-and-location-data-with-insurance-companies/ [consumerreports.org] Your Exercise Bike Knows a Lot About You—and It Doesn't Keep Every Secret https://www.consumerreports.org/health/health-privacy/exercise-machine-privacy-a3907557984/ [eff.org] VICTORY! Federal Court (Finally) Rules Backdoor Searches of 702 Data Unconstitutional https://www.eff.org/deeplinks/2025/01/victory-federal-court-finally-rules-backdoor-searches-702-data-unconstitutional Tip of the Week: Treat Extensions Like Apps: https://firewallsdontstopdragons.com/treat-extensions-like-apps/ Further Info

Reclaiming Data Privacy

20 januari 2025 | 61 min

There are way too many data brokers and they have way too much of our data. We've talked a lot lately about what you can do to reclaim your privacy and claw back some of that data and today I'm going to give you yet another interesting tool for your privacy toolbox: Permission Slip. This app and the related service, brought to you by Consumer Reports, will work on your behalf to request that these data brokers relinquish your information, or at least suppress the sharing of that data to the extent that's legally possible. The tool has some helpful and interesting features that you may not find on other, similar services. Sukhi Gulati GIlbert is my guest today and will explain why you should consider using this tool and how it supports the overall effort to rein in dangerous business of data mining. Interview Notes Permission Slip app: https://permissionslipcr.com/ Protecting Your Privacy Online: https://www.consumerreports.org/electronics/privacy/from-our-president-protecting-your-privacy-online-a1603013649/ Digital Security & Privacy: https://www.consumerreports.org/digital-security-privacy/ CR Report on data deletion services (PDF): https://innovation.consumerreports.org/wp-content/uploads/2024/08/Data-Defense_-Evaluating-People-Search-Site-Removal-Services-.pdf California data broker registry: https://cppa.ca.gov/data_broker_registry/ How to download the Vermont data broker list (which doesn’t seem to work): https://www.muckrock.com/foi/vermont-80/vermont-data-broker-db-107096/ My article series on data deletion: https://firewallsdontstopdragons.com/osint-reconnaissance/ Further Info Annual listener survey!! https://fdsd.me/survey2025 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:12: Intro 0:00:51: Couple quick news notes 0:01:45: Last call: listener survey 0:02:47: Interview setup 0:03:48: What brought you to Consumer Reports and the Permission Slip app? 0:07:19: How does Permission Slip compare to other data deletion services? 0:14:17: Where are the data brokers getting so much of our personal info? 0:17:00: How do I use Permission Slip? 0:21:47: What info does Permission Slip give to brokers? 0:24:42: Is it more effective to request data deletion yourself versus using a service? 0:31:12: What level of success should I expect when deleting my data? 0:33:16: Are there any limitations or exclusions for data deletion? 0:38:19: What if you live in a state or country with no privacy laws? 0:39:44: Can we limit access to our public data records? 0:41:24: Does freezing your credit do anything to limit data sharing? 0:43:53: How broken is the 'notice and consent' model for privacy? 0:45:57: Would it help to actively spread incorrect personal info? 0:48:31: How else can we reduce our data footprint? 0:50:04: What's next for Consumer Reports in terms of privacy? 0:53:46: What does Permission Slip Pro cost? 0:55:19: Interview wrap-up 0:59:11: Patron content preview 0:59:50: Looking ahead

New Year’s Resolutions 2025!

13 januari 2025 | 66 min

The start of a new year is always a good time to add some big juicy goals to your to-do list - call them New Year's Resolutions, if that works for you, but really it's just about making up your mind to tackle some important personal objectives. Today I'll give you several ideas to improve your privacy and security in 2025, and those around you. In the news: dozens of malicious Chrome Browser extensions identified; net neutrality is dead, again, and probably for good this time; Apple to pay a meager $95M to settle a Siri privacy class action suit; Apple's new Enhanced Visual Search is enabled by default and sending data to Apple; proposed ban on TP-Link routers is missing the real problem; Google's change in its Privacy Sandbox policy seems to now allow the use of device fingerprinting; proposed HIPAA amendments will close major health data security gaps. Article Links [Ars Technica] Time to check if you ran any of these 33 malicious Chrome extensions https://arstechnica.com/security/2025/01/dozens-of-backdoored-chrome-extensions-discovered-on-2-6-million-devices/ Terms of service study: https://www.helpnetsecurity.com/2016/07/14/agree-terms-conditions-lie/ [nytimes.com] Net Neutrality Rules Struck Down by Appeals Court https://www.nytimes.com/2025/01/02/technology/net-neutrality-rules-fcc.html [reuters.com] Apple to pay $95 million to settle Siri privacy lawsuit https://www.reuters.com/legal/apple-pay-95-million-settle-siri-privacy-lawsuit-2025-01-02/ [macrumors.com] Apple Says Siri Data Has Never Been Sold or Used for Marketing https://www.macrumors.com/2025/01/06/apple-siri-data-not-sold-for-marketing/ [9to5mac.com] Enhanced Visual Search shares your photos with Apple by default, to identify landmarks https://9to5mac.com/2024/12/30/enhanced-visual-search-shares-your-photos-with-apple-by-default-to-identify-landmarks/ [csoonline.com] No evidence that TP-Link routers are a Chinese security threat https://www.csoonline.com/article/3504775/no-evidence-that-tp-link-routers-are-a-chinese-security-threat.html [Lukasz Olejnik blog] Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting https://blog.lukaszolejnik.com/biggest-privacy-erosion-in-10-years-on-googles-policy-change-towards-fingerprinting/ [Dark Reading] Proposed HIPAA Amendments Will Close Healthcare Security Gaps https://www.darkreading.com/cyber-risk/proposed-hipaa-amendments-close-healthcare-security-gaps Tip of the Week: https://firewallsdontstopdragons.com/new-years-resolutions-2025/ Further Info Annual listener survey!! https://fdsd.me/survey2025 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:07: Intro 0:01:24: News preview 0:02:59: Time to check if you ran any of these 33 malicious Chrome extensions 0:12:51: Net Neutrality Rules Struck Down by Appeals Court 0:16:49: Apple to pay $95 million to settle Siri privacy lawsuit 0:19:02: Apple Says Siri Data Has Never Been Sold or Used for Marketing 0:26:29: Enhanced Visual Search shares your photos with Apple by default 0:35:23: No evidence that TP-Link routers are a Chinese security threat 0:47:01: Biggest Privacy Erosion in 10 Years? On Google’s Policy Change Towards Fingerprinting 0:53:08: Proposed HIPAA Amendments Will Close Healthcare Security Gaps 0:57:16: Tip of the Week: New Years Resolutions for 2025! 1:04:53: Wrap-up

ALPRs Are Everywhere

6 januari 2025 | 64 min

There are many ways in which we are tracked in the real world, but one of the most ubiquitous and insidious technologies is Automated License Plate Readers. These camera systems are deployed in just about every city by both public and private organizations. Furthermore, the third parties who sell and operate these systems collect and collate data from around the country, making it available to law enforcement and marketing firms. Because these systems capture images of your car, they can also document the make, model and color, any distinguishing marks, and even bumper stickers. Today we'll discuss how and where these systems are deployed, who has access to the data, the repercussions of this mass surveillance and how it can go horribly wrong with my guests Adam Schwartz and Gowri Nayar from the Electronic Frontier Foundation. Interview Notes Donate to the EFF: https://supporters.eff.org/donate/join-eff-today The Human Toll of ALPR Errors: https://www.eff.org/deeplinks/2024/11/human-toll-alpr-errors EFF’s Street Level Surveillance: https://sls.eff.org/ Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops US 100-mile “border zone” facts: https://www.aclu.org/know-your-rights/border-zone Flock camera map: https://www.404media.co/the-open-source-project-deflock-is-mapping-license-plate-surveillance-cameras-all-over-the-world/ DeFlock: https://deflock.me Flock transparency page example: https://transparency.flocksafety.com/riverside-county-ca-sd Further Info Annual listener survey!! https://fdsd.me/survey2025 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:20: Intro 0:01:24: Listener survey and book giveaway 0:03:16: ShmooCon in DC this weekend 0:04:21: Interview setup 0:05:27: What prompted you to write about ALPRs? 0:08:11: How do ALPRs work and what info can they capture? 0:10:14: How long have ALPRs been around and how is EFF tracking their use? 0:11:34: Where are these systems deployed? How do we recognize them? 0:14:19: How does mobile ALPR data collection work? 0:15:58: Are police departments transparent about the use of ALPRs? 0:18:09: Is there a way know where ALPR systems are deployed? 0:20:46: How accurate are ALPRs? What are the consequences of failure? 0:22:37: Are license plate "hot lists" shared across jurisdictions? 0:25:41: Where is ALPR data stored? For how long? Who has access? 0:27:40: Is ALPR data shared among local and federal agencies? How often is the data abused? 0:31:04: Do the ALPR system operators sell this data to anyone else? 0:36:04: What legal expectation of privacy do I have in public spaces? 0:42:57: How does the legal "third party doctrine" apply to ALPR data? 0:45:01: How do we balance the need to catch bad guys with the use of surveillance tech? 0:50:18: Is there any surveillance tech that EFF feels should be banned outright? 0:52:17: Does EFF consult with law enforcement on deployment of surveillance tech? 0:53:05: If we're concerned about surveillance tech being deployed, what can we do? 0:58:19: Interview wrap-up 0:59:29: Notes on the "border zone" width in the US 1:01:09: Patron preview 1:02:01: Survey reminder 1:02:50: Looking ahead

Best of Bonus 2024!

30 december 2024 | 54 min

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests. You’ll hear from Micah Lee (author, journalist), Nick Weaver (cybersecurity researcher), Kate Black (health data specialist), Jason Edison (OSINT expert), Dani Cronce and Lizzie Moratti (TunnelVision hack), Bruce Schneier (cryptographer, author), and Carissa Véliz (author, professor). Original Interview Links Ep358: Micah Lee https://podcast.firewallsdontstopdragons.com/2024/01/08/investigating-data-leaks/ Ep360: Nick Weaver https://podcast.firewallsdontstopdragons.com/2024/01/22/rise-of-the-slaughterbots/ Ep368: Kate Black https://podcast.firewallsdontstopdragons.com/2024/03/18/health-data-privacy/ Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ Ep388: Jack Daniel https://podcast.firewallsdontstopdragons.com/2024/08/05/catch-you-on-the-bside/ Ep396: Dani Cronce & Lizzie Moratti https://podcast.firewallsdontstopdragons.com/2024/09/30/tunnelvision-vpns-and-you/ Ep400: Bruce Schneier https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/ Ep404: Carissa Véliz https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/ Related Links Micah’s book: https://hacksandleaks.com/ Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/ Security BSides: https://bsides.org/w/page/12194156/FrontPage Frankie’s Tiki Room (Las Vegas): https://frankiestikiroom.com/ Intel Techniques: https://inteltechniques.com/ TunnelVision: https://www.tunnelvisionbug.com/ Schneier Blog: https://www.schneier.com/ Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/ Further Info Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:24: New Years coming up 0:00:48: Show preview 0:02:33: Ep358: Micah Lee - the Snowden docs 0:11:48: Ep360: Nick Weaver - other types of killer drones 0:18:02: Ep368: Kate Black - how do you know if a site or app respects health privacy? 0:20:22: Ep386: Jason Edison - what's it like trying to protect the privacy of celebrities? 0:26:53: Ep388: Jack Daniel - the story of the Les Pukelele 0:33:39: Ep396: Dani Cronce & Lizzie Moratti - getting into hacking 0:42:08: Ep400: Bruce Schneier - can we ever make our devices secure out of the box? 0:48:01: Ep404: Cariss Veliz - should STEM students be required to take ethics classes? 0:53:05: Wrap-up

Replay: Golden Age of Surveillance

23 december 2024 | 42 min

I'm digging into the vault for a classic replay! I first interviewed Phil Zimmermann, creator of Pretty Good Privacy (PGP), on May 7, 2018. It was Episode 63 (we're now at 408) and it was entitled "We Now Live in the Golden Age of Surveillance". In this episode we talk a little about the origins of PGP in the 1990's and what he feels about the FBI's claims that we're "going dark" due to strong end-to-end encrypted communications. I've added some new commentary, but the original episode is preserved in all of its original glory! Interview Notes Original Ep63 interview: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/ Ep214: Social Media is Ruining Society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society/ Ep243: Through the Past, Privately: PGP Turns 30 https://podcast.firewallsdontstopdragons.com/2021/10/25/through-the-past-privately-pgp-turns-30/ Phil Zimmermann’s website: https://philzimmermann.com/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:26: Flashback setup 0:02:18: Original intro 0:03:20: What drove you to create PGP? 0:06:32: Why were you prosecuted for PGP? 0:13:08: Isn't banning cryptography like trying to ban math? 0:15:13: What's the difference between security and privacy? 0:17:04: Is it possible to be truly anonymous online today? 0:19:06: How is the average person tracking online today? 0:21:49: What are the most private ways to communicate online? 0:24:44: How do we identify trustworthy attachments? 0:25:30: How secure is SMS (texting)? 0:29:41: Are we "going dark"? 0:32:44: Can we escape mass surveillance? 0:36:35: What's next for you? 0:38:09: Original interview wrap-up 0:40:38: Flashback wrap-up 0:41:00: ShmooCon 2025 0:41:56: Looking ahead

Best of 2024!

16 december 2024 | 92 min

I've had some truly amazing interviews this past year. For your listening enjoyment, I've curated a set of clips from some of the best shows, creating a sampler platter of stellar audio content from some amazing guests! If you've never listened to my podcast, this will give you a taste of what you're missing! If you're a regular listener, this will be a fun trip down memory lane, complete with a little new commentary. Enjoy! Original Interview Links Ep362: Patrick Wardle https://podcast.firewallsdontstopdragons.com/2024/02/05/securing-your-mac/ Ep364: Jen Caltrider https://podcast.firewallsdontstopdragons.com/2024/02/19/car-privacy-is-horrid/ Ep366: 404 Media https://podcast.firewallsdontstopdragons.com/2024/03/04/how-our-data-is-abused/ Ep375: Dina Temple-Raston https://podcast.firewallsdontstopdragons.com/2024/05/13/inside-ukraines-it-army/ Ep378: Naomi Brockwell https://podcast.firewallsdontstopdragons.com/2024/05/27/why-privacy-matters/ Ep380: Joseph Cox https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/ Ep382: Byron Tau https://podcast.firewallsdontstopdragons.com/2024/06/24/means-of-control/ Ep386: Jason Edison https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ Ep392: Andy Yen https://podcast.firewallsdontstopdragons.com/2024/09/02/crazy-proton-summer/ Ep398: Space Rogue (Cris Thomas) https://podcast.firewallsdontstopdragons.com/2024/10/14/l0pht-heavy-industries/ Ep400: Bruce Schneier https://podcast.firewallsdontstopdragons.com/2024/10/28/episode-400-special/ Ep402: Stacey Higginbotham https://podcast.firewallsdontstopdragons.com/2024/11/11/cutting-the-software-tether/ Ep404: Carissa Veliz https://podcast.firewallsdontstopdragons.com/2024/11/25/privacy-is-power-2/ Related Links Objective-See: https://objective-see.org/ 404 Media: https://www.404media.co/ Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ Click Here: https://therecord.media/podcast NBTV: https://www.nbtv.media/ Dark Wire: https://www.hachettebookgroup.com/titles/joseph-cox/dark-wire/9781541702691/ Means of Control: https://www.penguinrandomhouse.com/books/706321/means-of-control-by-byron-tau/ Intel Techniques: https://inteltechniques.com/ Proton: https://proton.me/ Space Rogue book: https://www.amazon.com/Space-Rogue-Hackers-Known-Changed-ebook/dp/B0BRQWPBGL Schneier Blog: https://www.schneier.com/ Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/ Further Info Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:26: Show preview 0:02:22: Ep362: Patrick Wardle - Mac hardening 0:05:55: Ep364: Jen Caltrider - Car privacy not included 0:11:13: Ep366: 404 Media - abuse of public camera data 0:21:35: Ep375: Dina Temple-Raston - what we should learn from the cyber war in Ukraine 0:30:41: Ep378: Naomi Brockwell - fighting for our privacy 0:36:40: Ep380: Joseph Cox - what did law enforcement learn from Anom? 0:39:22: Ep382: Byron Tau - how law enforcement hides their data gathering 0:45:43: Ep386: Jason Edison - how does law enforcement view mass surveillance? 0:57:10: Ep392: Andy Yen - why Proton embraced AI tech 1:04:08: Ep398: Space Rogue (Cris Thomas) - do you need a college degree to work in cybersecurity? 1:11:05: Ep400: Bruce Schneier - how AI will change politics and law 1:19:02: Ep402: Stacey Higginbotham - escrowing money to address I...

Deleting Your Data

9 december 2024 | 57 min

Have you ever searched for your personal information online? There are dozens of "people search sites" out there, but a simple Google search can also find information about you, too. Behind the scenes, there are hundreds if not thousands of data brokers who are scouring the web constantly for your info creating dossiers on all of us, for sale to anyone willing to pay. We have no federal privacy laws in the US, but even if you live in the EU (with GDPR) or a US state with some privacy protections (like California), you still may find your data online - because much it comes from public records, including voting records, property tax records, and legal filings. How do you find your data? Where did it come from? And more important, what can you do about it? Today will discuss this and more with Ben and Tyler, the founders of data deletion service EasyOptOuts. Interview Notes EasyOptOuts: https://easyoptouts.com/ Consumer Reports study: https://www.consumerreports.org/electronics/personal-information/services-that-delete-data-from-people-search-sites-review-a2705843415/ Brian Krebs on Radaris: https://krebsonsecurity.com/2024/03/a-close-up-look-at-the-consumer-data-broker-radaris/ My blog series on data removal: https://firewallsdontstopdragons.com/osint-reconnaissance/ Jason Edison OSINT interview: https://podcast.firewallsdontstopdragons.com/2024/07/22/open-source-intelligence/ Big Ass Data Broker Opt Out List: https://github.com/yaelwrites/Big-Ass-Data-Broker-Opt-Out-List Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:04: Staying up to date during December 0:01:45: NPR shout out? 0:02:25: Interview setup 0:04:11: Why did you get into the data deletion business? 0:05:58: How does EasyOptOuts differentiate its service? 0:09:35: Where do these data brokers get all my information? 0:13:37: How often do you find errors in people's information on these sites? 0:15:36: What are the names of some of the top data brokers? Would we know them? 0:17:34: Will a credit freeze prevent data sharing? 0:19:02: What does it cost to get these people reports? 0:21:21: Have you tried deleting data from the recently breached National Public Data? 0:23:02: How do the various US state privacy laws impact our ability to delete our data? 0:27:52: How many data brokers operate in non-US/EU jurisdictions? 0:29:00: Who is selling my data that would surprise me? 0:31:26: How did we consent to this data sharing and can we opt out? 0:34:14: If I wanted to try to clean up my data myself, how would I go about that? 0:38:09: How do I avoid giving away more information while I try to prove my identity? 0:41:34: If I would rather use a deletion service, how does that work and what does it cost? 0:46:39: After deletion, will my data just be replenished after some amount of time? 0:48:01: Any final pro tips on reducing my public data? 0:51:02: Interview wrapup 0:53:26: Patron bonus content preview 0:54:05: Plan for December shows

Letters from the Mailbag

2 december 2024 | 64 min

It's been too long since I've dipped into the listener mailbag, so today I'm going to answer a small selection of your questions on the air! Topics include privacy-respecting baby monitors, the "IoT network" on some Orbi routers, why you can't really use a computer monitor as a "dumb" TV, and whether browser privacy plugins work on first party tracking. We'll also cover some news stories: why you shouldn't upload medical images to AI chatbots; the Fancy Bear "nearest neighbor" attack; Google's new website link overlays; the curious case of cutting undersea internet cables; Microsoft's new Windows Resiliency Initiative; mobile pay apps coming under regulatory scrutiny; iPhone's new tool to strip metadata from shared photos; and Google now warning you about suspicious apps. Article Links [techcrunch.com] PSA: You shouldn’t upload your medical images to AI chatbots https://techcrunch.com/2024/11/19/psa-you-shouldnt-upload-your-medical-images-to-ai-chatbots/ [darkreading.com] Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network https://www.darkreading.com/cyberattacks-data-breaches/fancy-bear-nearest-neighbor-attack-wi-fi [9to5google.com] Google’s iOS app now injects links on third-party websites that go back to Search https://9to5google.com/2024/11/25/google-ios-app-link-annotations-search/ [newsweek.com] Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links https://www.newsweek.com/chinese-vessel-allegedly-drags-anchor-severs-undersea-cable-links-1992580 [dw.com] Hybrid warfare on the seabed? https://www.dw.com/en/baltic-sea-underwater-cable-damage-highlights-hybrid-warfare-on-critical-infrastructure/a-70853706 [theverge.com] Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident https://www.theverge.com/2024/11/19/24299873/microsoft-windows-resiliency-initiative-crowdstrike-incident [lifehacker.com] Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated https://lifehacker.com/money/payment-apps-are-about-to-be-more-regulated [lifehacker.com] Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online https://lifehacker.com/tech/your-iphone-can-now-automatically-remove-location-data-from-photos-online [lifehacker.com] The Google Play Store Will Soon Warn You Before You Download a Bad App https://lifehacker.com/tech/the-google-play-store-will-warn-you-bad-app Further Info ExifTool: https://exiftool.org/ Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:51: Holiday PSA 0:02:12: News preview 0:03:59: PSA: You shouldn’t upload your medical images to AI chatbots 0:07:22: Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network 0:12:59: Google’s iOS app now injects links on third-party websites that go back to Search 0:15:10: Chinese Vessel Allegedly Drags Anchor, Severs Undersea Cable Links 0:18:17: Hybrid warfare on the seabed? 0:27:19: Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident 0:33:11: Venmo, Apple Pay, and Other Payment Apps Are About to Be More Regulated 0:36:30: Your iPhone Can Now Automatically Remove Location Data From Photos You Share Online 0:42:23: The Google Play Store Will Soon Warn You Before You Download a Bad App 0:46:20: Finding a private, secure baby monitor 0:50:44: IoT Network on Netgear Orbi routers? 0:52:50: Using a computer monitor as a dumb TV?

Privacy is Power

25 november 2024 | 62 min

Privacy has been defined in many ways. The right to tell your story your own way. The right to have control over your personal information. The right to be left alone. There's a reason we have T-shirts that say "dance like no one is watching". We censor ourselves when we're being watched. But if knowledge is power, then asymmetries in knowledge must lead to asymmetries in power. Privacy is a human right but it's also a collective good - something we need to respect and support, even if we do not personally feel the need to exercise it. Today I'll explore why privacy is essential, how it is being threatened, and what we can do to reclaim it with Carissa Véliz, a professor of philosophy and author of the wonderful and important book, Privacy is Power. Interview Notes Carissa’s website: https://www.carissaveliz.com/ Privacy is Power: https://www.penguinrandomhouse.com/books/673341/privacy-is-power-by-carissa-veliz/ My review of her book: https://firewallsdontstopdragons.com/privacy-is-power-review/ The Ethics of Privacy and Surveillance: https://www.oxford-aiethics.ox.ac.uk/blog/new-book-ethics-privacy-and-surveillance TEDx: The Case for Ending Data Economy: https://www.youtube.com/watch?v=luCXlPYrTP4 Google’s Don’t Be Evil motto history: https://en.wikipedia.org/wiki/Don't_be_evil Give Thanks & Donate! https://firewallsdontstopdragons.com/give-thanks-donate/ Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Give Thanks & Donate! 0:01:27: Follow me on Bluesky 0:02:06: Interview setup 0:04:17: What inspired you to write this book? 0:07:04: What impacts has your book had? Did any response surprise you? 0:10:01: When researching the book, what surveillance methods most surprised you? 0:13:31: How and when did all this surveillance start? 0:15:40: Are behavior ads really more effective than contextual ads? 0:19:04: Is it possible to have privacy and still target ads? 0:22:08: What's your take on Google's Privacy Sandbox concept? 0:23:57: Why is the 'notice and consent' model such a failure? 0:28:14: What's your take on the notion of data sovereignty? 0:30:09: Why is privacy a collective good that we all need to protect? 0:32:12: How does asymmetry in knowledge lead to asymmetry in power? 0:34:06: Are we at risk of normalizing surveillance for future generations? 0:37:09: What will it take to trigger a surveillance backlash? 0:40:21: What can we learn from history about overzealous data collection? 0:43:35: How will AI technology impact our privacy? 0:49:30: Can we reap the benefits of our data without giving up privacy? 0:52:45: How do we manifest a society that values and respects privacy? 0:56:15: Interview wrap-up 0:58:36: Still celebrating 400th episode! 0:59:02: Looking ahead

Best & Worst Gifts for 2024

18 november 2024 | 71 min

Holiday shopping season is here! And today I'll give you the highlights of my annual Best & Worst Gift Guide for 2024, with regard to privacy and security. The worst offenders may not surprise you, though some have actually gotten worse since just last year. And I have a few new suggestions for people on your nice list! In the news this week: another popular browser extension has gone rogue; Mozilla laid off 30% of their staff; FBI warns that bad guys are filing fraudulent emergency data requests to steal your private info; Apple quietly introduces a brilliant security feature that is frustrating cops; Microsoft will stop providing security updates for Windows 10 next October; a free decryptor was released for ShrinkLocker ransomware; Signal offers new call link feature; an air fryer app is sending your data to China; and Apple announces feature to share AirTag location with others including airlines to help find lost luggage. Article Links [cyberinsider.com] Popular Chrome Extension to Hide YouTube Shorts Turned Malicious https://cyberinsider.com/popular-chrome-extension-to-hide-youtube-shorts-turned-malicious/ [Tech Crunch] Mozilla Foundation lays off 30% staff, drops advocacy division https://techcrunch.com/2024/11/05/mozilla-foundation-lays-off-30-staff-drops-advocacy-division/ [Tech Crunch] FBI says hackers are sending fraudulent police data requests to tech giants to steal people’s private information https://techcrunch.com/2024/11/08/fbi-says-hackers-are-sending-fraudulent-police-data-requests-to-tech-giants-to-steal-peoples-private-information/ [404media.co] Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops https://www.404media.co/apple-quietly-introduced-iphone-reboot-code-which-is-locking-out-cops/ [blog.0patch.com] Long Live Windows 10... With 0patch https://blog.0patch.com/2024/06/long-live-windows-10-with-0patch.html [The Hacker News] Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html [signal.org] Improving Private Signal Calls: Call Links & More https://signal.org/blog/call-links/ [malwarebytes.com] Air fryers are the latest surveillance threat you didn’t consider https://www.malwarebytes.com/blog/news/2024/11/air-fryers-are-the-latest-surveillance-threat-you-didnt-consider [macrumors.com] Apple Announces iOS 18.2's New AirTag Location Sharing Feature Coming to These 15+ Airlines https://www.macrumors.com/2024/11/11/apple-announces-airtag-location-sharing/ Best & Worst Gift Guide 2024! https://firewallsdontstopdragons.com/best-worst-gifts-2024/ Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:50: Update Android phones 0:01:23: News preview 0:03:23: Popular Chrome Extension to Hide YouTube Shorts Turned Malicious 0:10:30: Mozilla Foundation lays off 30% staff, drops advocacy division 0:14:06: FBI says hackers are sending fraudulent police data requests to steal people’s private info 0:19:59: Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops 0:29:46: Long Live Windows 10... With 0patch 0:39:54: Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims 0:42:45: Improving Private Signal Calls: Call Links & More 0:45:23: Air fryers are the latest surveillance threat you didn’t consider...

Cutting the Software Tether

11 november 2024 | 63 min

Device manufacturers are breathing new life into old mundane products by connecting them to the internet, giving us the ability to monitor and control them from anywhere. However, this connection to the cloud works both ways. Not only do device makers now have unprecedented access to our usage and personal information, but they can hobble or limit our use of these devices at their whim. Today I'll speak with IoT expert Stacey Higginbotham who is working with Consumer Reports and other consumer rights groups to bring more transparency to the smart device industry, and hopefully allow us to regain control over the devices we purchase. Interview Notes Stacey Higginbotham: https://www.linkedin.com/in/staceyhigginbotham/ Consumer Reports’ FTC filing on software tethering: https://advocacy.consumerreports.org/press_release/ftc-software-tethering/ Who Ya Gonna Call? https://innovation.consumerreports.org/who-ya-gonna-call/ Spotify Cancels Car Thing: https://innovation.consumerreports.org/how-to-kill-a-smart-device-spotify-car-thing-post-mortem/ When Will Your Smart Appliance Turn Dumb? https://innovation.consumerreports.org/when-will-your-smart-appliance-turn-dumb/ CR’s Permission Slip: https://www.permissionslipcr.com/ CR’s Security Planner: https://securityplanner.consumerreports.org/ My interview with Cory Doctorow on adversarial interoperability: https://podcast.firewallsdontstopdragons.com/2020/02/17/adversarial-interoperability-part-1/ Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:54: Chevron deference 0:01:48: US election impacts 0:03:15: Interview setup 0:03:55: What does it mean for devices to be 'software tethered'? 0:09:23: How might software tethering affect resale of smart devices? 0:13:52: What are the impacts on security and privacy? 0:15:20: How did we agree to these limitations? 0:17:13: 1. Require disclosure of guaranteed minimum support time 0:23:55: 2. Eensure core functionality will work offline or after support ends 0:27:50: What devices might fail to work when offline? 0:30:19: 3. Encourage tools that enable reuse if support ends 0:34:24: 4. Protect adversarial interoperability 0:39:05: What happened to Amazon Dash buttons? 0:40:03: 5. Educate manufacturers on ways to build longevity into designs 0:46:28: Is it easier to get FTC rulings than new regulations? 0:51:29: Does the DMCA still apply to abandoned products? 0:53:13: Should we force companies to escrow software for release if they fail? 0:56:06: What should we be doing as consumers to further this cause? 0:57:39: What's next for your FTC filing? 0:59:55: Interview wrap-up 1:01:28: Patron bonus preview 1:02:19: Looking ahead

Curbing Location Tracking

4 november 2024 | 62 min

Our location is being tracked mercilessly today, in several ways. In the digital age, location data is among the most sensitive information we share, providing a record of our daily lives that can reveal where we live, who we associate with, and our personal routines. For app developers, marketers, and even law enforcement, this data is a goldmine for the ‘app economy’. Today I’ll talk about the most common sources of location data and give you some tips for limiting the tracking. In other news: the FTC files rule that requires canceling be just as easy as subscribing; CFPB takes action against worker surveillance; macOS Sequoia's tightened app security may be annoying to some; it's now legal to hack McFlurry machines to fix them; the EU makes vendors liable for software bugs; city sues Flock saying license plate readers are Unconstitutional; tracking world leaders with a fitness app; smartphone location tracking is out of control. Article Links [theverge.com] The FTC is finally making it easier to cancel your gym membership https://www.theverge.com/2024/10/16/24271649/ftc-click-to-cancel-subscriptions-final-rule [consumerfinance.gov] CFPB Takes Action to Curb Unchecked Worker Surveillance https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-curb-unchecked-worker-surveillance/ [appleinsider.com] What's changed in runtime protection for macOS Sequoia https://appleinsider.com/inside/macos-sequoia/tips/whats-changed-in-runtime-protection-for-macos-sequoia [404media.co] It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them https://www.404media.co/it-is-now-legal-to-hack-mcflurry-machines-and-medical-devices-to-fix-them/ [Risky Business] The EU will make vendors liable for bugs https://news.risky.biz/risky-biz-news-the-eu-will-make-vendors-liable-for-bugs/ [404media.co] Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional https://www.404media.co/lawsuit-argues-warrantless-use-of-flock-surveillance-cameras-is-unconstitutional/ [schneier.com] Tracking World Leaders Using Strava https://www.schneier.com/blog/archives/2024/10/tracking-world-leaders-using-strava.html [arstechnica.com] Location tracking of phones is out of control. Here’s how to fight back. https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-lets-government-agencies-follow-your-every-move/ Tip of the Week: https://firewallsdontstopdragons.com/how-to-curb-location-tracking/ Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:06: News preview 0:04:41: FTC is finally making it easier to cancel your gym membership 0:07:19: CFPB Takes Action to Curb Unchecked Worker Surveillance 0:14:23: What's changed in runtime protection for macOS Sequoia 0:21:57: It Is Now Legal to Hack McFlurry Machines (and Medical Devices) to Fix Them 0:28:15: The EU will make vendors liable for bugs 0:33:00: Lawsuit Argues Warrantless Use of Flock Surveillance Cameras Is Unconstitutional 0:41:09: Tracking World Leaders Using Strava 0:42:38: Location tracking of phones is out of control. Here’s how to fight back. 0:49:56: Tip of the Week: Curbing Location Tracking 1:00:57: Looking ahead

Episode 400 Special

28 oktober 2024 | 75 min

The first episode of Firewalls Don't Stop Dragons Podcast aired on March 8, 2017 - almost 8 years ago now. Over that time, I've interviewed over 135 unique and amazing people, covered countless cybersecurity and privacy stories, and offered 100's of tips for protecting your devices and data. To celebrate this momentous occasion, world-renowned cryptography guru Bruce Schneier has returned to for our traditional Podcentennial interview! We discuss several timely topics including the Crowdstrike incident, the pager bombing and supply attacks more generally, US election security, the open market for cyber vulnerabilities, US intelligence agencies' focus on offense versus defense, how AI might actually benefit democracy and much more! Interview Notes Bruce Schneier’s blog:https://www.schneier.com/ Inrupt’s Solid concept: https://www.inrupt.com/solid Data and Goliath (book): https://www.schneier.com/books/data-and-goliath/ Bruce’s NY Time article on pager bombs: https://www.schneier.com/essays/archives/2024/09/israels-pager-attacks-have-changed-the-world.html Joseph Cox “Anom” interview: https://podcast.firewallsdontstopdragons.com/2024/06/10/anom-the-fbis-phone-company/ WaPo detailed analysis of pager bomb attack: https://www.washingtonpost.com/world/2024/10/05/israel-mossad-hezbollah-pagers-nasrallah/ Restoring Trust in Elections: https://podcast.firewallsdontstopdragons.com/2023/12/11/restoring-trust-in-elections/ Hacking election systems w/ Harri Hursti: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/ Hacker Halted conference info: https://hackerhalted.com/agenda/#day-two-october-31st Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:53: Interview setup 0:06:21: What should we have learned from the Crowdstrike incident? 0:11:21: Why is it more profitable for products to be brittle? 0:13:59: Do regulations stifle innovation? 0:15:27: Should intelligence agencies focus more on cyber offense or defense? 0:22:29: Should it be legal to buy and sell zero-days on the open market? 0:26:44: How secure are our election systems today? How do we get people to trust the outcomes? 0:35:41: What's your take on the arrest of Telegram's CEO? 0:39:18: How do we convince lawmakers not to subvert encrypted communications? 0:43:48: How did the exploding pager attack change our views of supply chain security? 0:49:26: In what ways might AI actually benefit our democracy? 0:58:03: Should there be any guardrails on AI systems? 1:01:17: What's next for you? What's the latest on the Solid project? 1:03:49: Interview wrap-up 1:07:51: More info for new listeners 1:13:38: Meet me at Hacker Halted Conference! 1:14:14: Looking ahead

Understanding AI Chatbots

21 oktober 2024 | 59 min

Artificial Intelligence (AI) is the buzzword of the day. There are many types of AI, but one particular flavor is getting a lot of press these days: chatbots. Formally referred to as Large Language Models (LLMs), chatbots like ChatGPT, Claude and Gemini are everywhere - either directly or integrated with other popular apps. This technology is real and it's here to stay, so it's important that we understand what it is, how it works, and what the limitations are. Today I'll explore some aspects of LLMs that you probably weren't aware of. In other news: critical, exploited Firefox bug is fixed (update now!); National Public Data files for bankruptcy after massive breach; hackers target Qualcomm chip zero-day used in many Android phones; China attackers exploit legally-mandated wiretapping backdoor in major telecom systems; new FIDO standard proposed for allowing passkeys to be exported and backed up; a PSA on why you shouldn't share personal information with AI chatbots. Article Links [The Hacker News] Mozilla Warns of Active Exploitation in Firefox, Urges Users to Update Immediately https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html [therecord.media] National Public Data files for bankruptcy, citing fallout from cyberattack https://therecord.media/national-public-data-bankruptcy-cyberattack [techcrunch.com] Hackers were targeting Android users with Qualcomm zero-day https://techcrunch.com/2024/10/09/hackers-were-targeting-android-users-with-qualcomm-zero-day/ [pluralistic.net] China hacked Verizon, AT&T and Lumen using the FBI’s backdoor https://pluralistic.net/2024/10/07/foreseeable-outcomes/ [appleinsider.com] Future Passkeys will be able to be shared across platforms & password vaults https://appleinsider.com/articles/24/10/15/future-passkeys-will-be-able-to-be-shared-across-platforms-password-vaults [9to5mac.com] PSA: Here’s another reason not to include personal details in AI chats https://9to5mac.com/2024/10/17/psa-heres-another-reason-not-to-include-personal-details-in-ai-chats/ Tip of the Week: Understanding AI Chatbots Further Info Help me reach more people! https://fdsd.me/awareness2 Privacy Not Included chatbot privacy guide: https://foundation.mozilla.org/en/privacynotincluded/articles/how-to-protect-your-privacy-from-chatgpt-and-other-ai-chatbots/ Gandalf AI game: https://gandalf.lakera.ai/baseline Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:01: Google finally killing uBlock Origin 0:04:07: News preview 0:05:54: Mozilla Warns of Active Exploitation in Firefox 0:08:55: National Public Data files for bankruptcy 0:14:42: Hackers were targeting Android users with Qualcomm zero-day 0:19:14: China hacked Verizon, AT&T and Lumen using the FBI’s backdoor 0:26:10: Future Passkeys will be able to be shared across platforms & password vaults 0:31:08: Here’s another reason not to include personal details in AI chats 0:37:40: Tip of the Week: Understanding Chatbots 0:55:55: Wrapping up 0:56:35: Celebrating 400 episodes!

L0pht Heavy Industries

14 oktober 2024 | 69 min

L0pht Heavy Industries (pronounced "loft") was one of the most influential hacker groups in history. Unlike many others, L0pht carefully cultivated a relationship with mass media, sold profitable products, started businesses, and even testified before the US Senate. Cris Thomas, aka Space Rogue, was one of the earliest members of the L0pht and he recently published a book chronicling the groups long and storied history called Space Rogue: How the Hackers Known As L0pht Changed the World. Today I sit down with Cris to discuss that history and the impacts that the L0pht and other hacker groups have had on all of us. Interview Notes Space Rogue’s website: https://www.spacerogue.net/ L0pht homepage: https://l0pht.com/ L0phtCrack: https://www.l0phtcrack.com/ Textfiles.com: http://textfiles.com/ L0phy testimony: https://www.youtube.com/watch?v=VVJldn_MmMY Charlie Rose “Hackers” interview: https://www.youtube.com/watch?v=zbTkOuPv2fo PicoCTF: https://www.picoctf.org/ Hack the Box: https://help.hackthebox.com/en/articles/5200851-introduction-to-ctfs Further Info Help me reach more people! https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:23: Episode 400 coming soon! 0:01:16: Interview setup 0:03:49: Tell us about your book 0:04:52: What is your origin story? How'd you get into hacking? 0:08:15: How often did you meet your fellow hackers in person? 0:10:49: How did the L0pht get started? 0:15:39: What was the reaction when you "come out" as a hacker to friends and family? 0:20:02: How much did different hacker groups interact back in the day? 0:23:19: L0pht cultivated a relationship with the media - how did that affect the dynamic? 0:28:19: What's the history behind the infamous L0phtCrack password tool? 0:35:36: What was it like testifying in front of the US Senate? 0:38:32: How did you get away with testifying under your hacker names? 0:45:29: How did Hacker News Network come to be? 0:52:06: How did we avoid a hacker cyber war against China in the late 90s? 0:57:15: Which of L0pht's many achievements are you most proud of? 0:59:40: What advice would you give to someone wanting to get into cybersecurity? 1:05:39: What's next for you? 1:06:23: Patron bonus content preview 1:06:52: Post-interview notes 1:08:36: Looking ahead

Indicators of Account Compromise

7 oktober 2024 | 70 min

Sometimes it’s obvious when your accounts are hacked. Maybe your money is gone. Maybe you can no longer log in using the password you know is correct. Maybe everyone you know has gotten a scam email from you that you didn’t send. But sometimes bad guys aren’t so obvious. They may lurk around in your accounts to gather information for identity theft or in hopes of gaining access to other more lucrative accounts. I'll tell you how to find out. In other news: CA governor vetoes opt-out signal bill but signs car privacy bill; 23andMe is in trouble and your data may be, too; PayPal opted you into data sharing without asking; Kaspersky deletes itself and installs UltraAV without asking; 100 million Americans had background data leaked; researchers add facial recognition tech to Meta's smart glasses; NIST updates password rules to with common sense changes; US & Microsoft seize 100+ web domains used by Russian hackers. Article Links [Ars Technica] Calif. Governor vetoes bill requiring opt-out signals for sale of user data https://arstechnica.com/tech-policy/2024/09/calif-gov-vetoes-attempt-to-require-new-privacy-option-in-browsers-and-oses/ [Teach Privacy] Bankruptcy Sale of DNA Data: From Toysmart to 23andMe https://teachprivacy.com/bankruptcy-sale-of-dna-data-from-toysmart-to-23andme/ [404 Media] Paypal Opted You Into Sharing Data Without Your Knowledge https://www.404media.co/paypal-personalized-shopping-opt-out/ [Bleeping Computer] Kaspersky deletes itself, installs UltraAV antivirus without warning https://www.bleepingcomputer.com/news/security/kaspersky-deletes-itself-installs-ultraav-antivirus-without-warning/ [Tom’s Guide] 100 million Americans just had their background check data exposed https://www.tomsguide.com/computing/online-security/100-million-americans-just-had-their-background-check-data-exposed-online-how-to-stay-safe [404 Media] Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers https://www.404media.co/someone-put-facial-recognition-tech-onto-metas-smart-glasses-to-instantly-dox-strangers/ [Ars Technica] NIST proposes barring some of the most nonsensical password rules https://arstechnica.com/security/2024/09/nist-proposes-barring-some-of-the-most-nonsensical-password-rules/ [The Record] California passes car data privacy law to protect domestic abuse survivors https://therecord.media/california-car-data-privacy-law-domestic-abuse-tracking [Semafor] US, Microsoft seize more than 100 websites used by Russian hackers https://www.semafor.com/article/10/03/2024/us-microsoft-seize-more-than-100-websites-used-by-russian-hackers Tip of the Week: Indicators of Account Compromise: https://firewallsdontstopdragons.com/indicators-of-account-compromise/ Further Info Help me reach more people! https://fdsd.me/awareness2 Treasure Chest promotion: https://firewallsdontstopdragons.com/treasure-coin-promo/ How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ My article on removing your data from the web: https://firewallsdontstopdragons.com/osint-remediation/ CISA Cybersecurity Awareness Month resources: https://www.cisa.gov/resources-tools/resources/secure-our-world-resources-cybersecurity-awareness-month-2024-toolkit Stay Safe Online CAM site: https://staysafeonline.org/programs/cybersecurity-awareness-month/ Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents

TunnelVision, VPNs and You

30 september 2024 | 74 min

Two security researchers showed how many modern VPN services are vulnerable to malicious misconfiguration, exposing some or all of your internet traffic. While this is not likely to impact most of us, it does expose the limitations of Virtual Private Networks and why they are not silver bullets for security of privacy - despite many marketing claims to the contrary. Today we'll discuss how TunnelVision works, how it can be mitigated, and how this affects different privacy threat models with the two researchers from Leviathan Security, Dani Cronce and Lizzie Moratti. Interview Notes Lizzie Moratti: https://www.linkedin.com/in/lmoratti/ Dani Cronce: https://www.linkedin.com/in/danicronce/ TunnelVision: https://www.tunnelvisionbug.com/ ProtonVPN threat model: https://protonvpn.com/blog/threat-model Dani’s GitHub: https://github.com/superit23 Leviathan Security blog: https://www.leviathansecurity.com/blog Veilid: https://veilid.com/ Willy Wonka scene: https://www.youtube.com/watch?v=pvS3j8VtanM Linux network namespaces: https://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/ What is DeFi? https://www.investopedia.com/decentralized-finance-defi-5113835 Further Info Help me brainstorm ways to reach more people!: https://fdsd.me/awareness2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:23: Reminder: brainstorming survey 0:01:47: Podcast chapter markers! 0:02:54: Interview setup 0:05:55: What is a VPN and what isits intended purpose? 0:10:27: If most connections are secured today, why do we need a VPN? 0:12:40: Why do we trust a VPN provider more than our internet access provider? 0:17:40: What are you trying to do with a VPN? 0:19:13: Who can see my internet traffic? 0:25:30: What is TunnelVision and what are the implications for VPN users? 0:29:42: What's a less technical way to understand TunnelVision? 0:33:06: Why might I not want all my traffic to go through the VPN? 0:35:02: How dangerous is TunnelVision for the average person? 0:42:30: How did the VPN companies respond? 0:51:19: What VPN features can mitigate the risk? 0:57:42: Have any VPN makers fixed this problem? Do OS vendors have responsibility here? 1:02:11: Do you have recommendations for VPNs? Is there new tech that might help here? 1:04:00: Would privacy regulations help here? 1:06:24: What are you working on next? 1:08:51: Interview wrap-up 1:13:31: Looking ahead

Malware Reboot Remedy

23 september 2024 | 63 min

We often think of malware as a problem for our computers and perhaps our smartphones. But bad guys love to hack our home routers and IoT devices, as well. Thankfully, purging malware from those types of devices can usually be done just by rebooting them. (There's a reason tech support always asks you to try turning your device off and back on again.) I'll explain why this works and what you should do to protect your connected devices. In other news: I explain why most people are not in danger of their devices blowing up; a new Windows phishing campaign uses fake CAPTCHAs and PowerShell; LinkedIn started training their AI on your data before telling you how to opt out; Oracle's CEO touts his vision of ubiquitous AI surveillance; Ford seeks a patent to show you ads in your vehicle based on your conversations and other private data; Meta admits to scraping public Instagram and Facebook posts to train its AI; four great new iOS 18 privacy and security features; Apple Intelligence servers are very basic, for a reason; and the FBI shuts down a massive Chinese botnet. Article Links [WIRED] Your Phone Won’t Be the Next Exploding Pager https://www.wired.com/story/exploding-pagers-hezbollah-phones/ [briankrebs] This Windows PowerShell Phish Has Scary Potential https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary-potential/ [404media.co] LinkedIn Is Training AI on User Data Before Updating Its Terms of Service https://www.404media.co/linkedin-is-training-ai-on-user-data-before-updating-its-terms-of-service/ [theregister.com] Ellison declares Oracle 'all in' on AI mass surveillance https://www.theregister.com/2024/09/16/oracle_ai_mass_surveillance_cloud/ [therecord.media] Ford seeks patent for tech that listens to driver conversations to serve ads https://therecord.media/ford-patent-application-in-vehicle-listening-advertising [9to5Mac] Meta scraped all public Facebook and Instagram posts since 2007 for AI training https://9to5mac.com/2024/09/11/meta-scraped-all-public-facebook-and-instagram-posts-since-2007-for-ai-training/ [TechRadar] I'm a privacy expert—here are the 4 iOS 18 features I'm excited about https://www.techradar.com/phones/im-a-privacy-experthere-are-the-4-ios-18-features-im-excited-about [9to5Mac] Apple Intelligence servers are really basic, says Craig Federighi – and that’s deliberate https://9to5mac.com/2024/09/12/apple-intelligence-servers-are-really-basic-says-craig-federighi-and-thats-deliberate/ [Gizmodo] FBI Shuts Down Botnet Run by Beijing-Backed Hackers That Hijacked Over 200,000 Devices https://gizmodo.com/fbi-shuts-down-botnet-run-by-beijing-backed-hackers-that-hijacked-over-200000-devices-2000500627 Tip of the Week: Malware Reboot Remedy Further Info Awareness Campaign Phase 2!: https://fdsd.me/awareness2 LinkedIn privacy settings: https://www.linkedin.com/mypreferences/d/categories/privacy Test your ad blocker(s): https://d3ward.github.io/toolz/adblock.html Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Update Apple devices 0:01:36: Awareness Campaign teaser 0:02:04: News rundown 0:04:08: Your Phone Won’t Be the Next Exploding Pager 0:08:00: This Windows PowerShell Phish Has Scary Potential 0:12:34: LinkedIn Trains AI on Your Data Before Updating Its ToS 0:16:41: Ellison declares Oracle 'all in' on AI mass surveillance 0:20:15: Ford seeks patent for tech that listens to ...

Post-Quantum Crypto

16 september 2024 | 68 min

You may be vaguely aware of the term 'quantum computing' from media reports. But what you may not have picked up on is that one of the primary uses for quantum computers may be to break data encryption. Furthermore, you may not realize that if three-letter agencies can save off our encrypted emails and messages now, this could mean they could read them in the future when sufficiently powerful quantum computing becomes viable. How does this work? And what can we do about it now to protect our privacy in the future? We'll dig into all of this today with Brandon Sundh from Tuta (formerly Tutanota), a prominent secure email company, who is already deploying such protections. Interview Notes Try Tuta! https://tuta.com/ Tuta’s quantum-safe crypto: https://tuta.com/blog/post-quantum-cryptography Quantum mechanics: https://en.wikipedia.org/wiki/Quantum_mechanics Schrödinger's cat: https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat NIST post-quantum standards: https://csrc.nist.gov/projects/post-quantum-cryptography NSA pays RSA to weaken encryption?: https://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220/ Longer passwords are better: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ Privacy Guides on Proton Wallet: https://www.privacyguides.org/articles/2024/09/08/proton-wallet-review/#why-does-this-exist Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:50: Some terminology first 0:07:33: What is quantum computing and what's it good for? 0:16:25: What are the currrent capabilities of quantum computers? 0:22:02: How long have we been working on quantum computers? 0:25:01: If QC is still so far off, why do we need to prepare now? 0:30:53: How do we design encryption to make it safe against quantum computers? 0:36:10: How can we be sure that the NSA isn't buillding backdoors into these algorithms? 0:41:11: Will post-quantum algorithms replace current ones or augment them? 0:45:51: How soon will quantum-safe crypto be roled out? 0:52:42: Who will be able to own and operate these quantum computers? 0:54:45: Are law enforcement agencies pushing back against quantum-safe crypto? 1:00:34: Who is more likely to win: coder makers or code breakers? 1:04:24: Wrap-up 1:05:55: Looking ahead

The Truth is Out There

9 september 2024 | 74 min

Mis- and disinformation is just a fact of modern life, but certain events can cause the practice to significantly increase - like a big election. This is a good time to review this phenomenon, learning how to recognize it, how to avoid being drawn in, and perhaps most importantly how to reduce its spread. In other news: Telegram's CEO was arrested in France; too many people keep saying Telegram is an secure messaging app when it's really not; if you think ads and tracking are bad now, wait till you hear all the ways modern TVs are monetizing their users; sextortion scams are using some new techniques to scam their victims; consumer groups have lobbied the FTC to create clear guidance on 'software tethering'; and California just approved a new privacy bill that will finally require companies to honor universal opt-out signals from apps and browsers. Article Links BBC] Telegram CEO Pavel Durov arrested at French airport https://www.bbc.com/news/articles/ckg2kz9kn93o [blog.cryptographyengineering.com] Is Telegram really an encrypted messaging app? https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/ [Ars Technica] Your TV set has become a digital billboard. And it’s only getting worse. https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/ [briankrebs] Sextortion Scams Now Include Photos of Your Home https://krebsonsecurity.com/2024/09/sextortion-scams-now-include-photos-of-your-home/ [advocacy.consumerreports.org] Consumer Reports, U.S. PIRG, and 15 other groups call on FTC to create clear guidance for ‘software tethering’ https://advocacy.consumerreports.org/press_release/ftc-software-tethering/ [Dark Reading] California Approves Privacy Bill Requiring Opt-Out Tools https://www.darkreading.com/data-privacy/california-privacy-bill-require-opt-out-tools Tip of the Week: Spotting Fake News https://firewallsdontstopdragons.com/the-truth-is-out-there/ Further Info My series on deleting your public data online: https://firewallsdontstopdragons.com/osint-reconnaissance/ Enabling Global Privacy Control (GPC): https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:14: News preview 0:05:22: Telegram CEO Pavel Durov arrested at French airport 0:09:47: Is Telegram really an encrypted messaging app? 0:19:57: Your TV set has become a digital billboard. And it’s only getting worse. 0:41:25: Sextortion Scams Now Include Photos of Your Home 0:48:06: Consumer groups call on FTC to create clear guidance for ‘software tethering’ 0:54:33: California Approves Privacy Bill Requiring Opt-Out Tools 0:59:22: Tip of the Week: Dealing with Misinformation 1:11:36: Looking ahead

Crazy Proton Summer

2 september 2024 | 77 min

Proton released three major new products this summer, all within the span of about a couple months: Proton Docs, Proton Wallet and Proton Scribe. Given that Proton is a privacy-focused company, some of these offerings seemed almost at odds with that mission. So today I ask Andy Yen (Proton's CEO) some questions about the privacy of their Bitcoin wallet and AI editing tool. We also discuss the new Proton Foundation and how it safeguards their privacy mission for the future. Finally, I ask Andy if they would consider acquiring Mozilla to save the Firefox browser and, in the wake of the blow back Signal received about protecting local access to messaging data, how Proton addresses the 'compromised machine' threat model. Interview Notes Proton Docs: https://proton.me/blog/docs-proton-drive Proton Wallet: https://proton.me/blog/proton-wallet-launch Proton Scribe: https://proton.me/blog/proton-scribe-writing-assistant Proton Foundation: https://proton.me/blog/proton-non-profit-foundation Techlore on Proton Wallet: https://www.youtube.com/watch?v=tESbBM2LZHM&t=1922s Seth for Privacy’s Andy Yen interview: https://optoutpod.com/episodes/protonwallet-andy-yen/ My interview on Easy Prey Podcast: https://www.easyprey.com/firewalls-dont-stop-dragons-with-carey-parker/ Techlore: https://www.techlore.tech/ Privacy Guides: https://www.privacyguides.org/ The New Oil: https://thenewoil.org/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:18: Interview setup 0:04:18: Why did you release so many new products all at once? 0:05:53: Did you develop Proton Docs from scratch? Will we get Proton Sheets, too? 0:10:09: What drove you to add AI features? How do you maintain privacy with AI? 0:17:07: Why did Proton feel the need to create another cryptocurrency wallet? 0:21:37: Who is the target audience for Proton Wallet? 0:28:38: As a privacy company, why go with Bitcoin, which is not really private? 0:39:34: Will you support Monero or Zcash? 0:40:40: Why did you restructure Proton as a foundation? What's the impact of this? 0:45:41: How is this new foundation different from others like Mozilla or Tor? 0:47:59: Would Proton ever consider acquiring Mozilla to save Firefox? 0:55:43: Does TunnelVision affect Proton VPN? How can we improve VPNs generally? 1:01:35: Signal was bashed for not encrypting local keys. How does Proton handle this? 1:05:25: What's coming next from Proton? 1:07:48: Interview wrap-up 1:10:54: Couple updates on Wallet, Scribe availability 1:11:50: Recommending other great privacy resources and Proton discussions 1:12:53: Upcoming shows 1:14:29: Upcoming podcast awareness campaign

National Public Data Breach

26 augusti 2024 | 82 min

The headlines have been on fire with stories about 3 billion people's data being leaked from a company you've never heard of. But like many such stories, the mainstream media gets a lot of the important details wrong and glosses over a lot of the important nuances. Today we're going to dive into what really happened and what you should do about it, whether your data was part of the breach or not. In other news: Illinois waters down its landmark biometric information law; US court rules geofence warrants are unconstitutional; FTC to investigate :surveillance pricing" and files rule impacting shady product reviews; the CFPB cracks down on some types of consumer data sales; and Consumer Reports evaluates several top data deletion services. Article Links [Reuters] Illinois governor approves business-friendly overhaul of biometric privacy law https://www.reuters.com/legal/government/illinois-governor-approves-business-friendly-overhaul-biometric-privacy-law-2024-08-05/ [TechCrunch] US appeals court rules geofence warrants are unconstitutional https://techcrunch.com/2024/08/13/us-appeals-court-rules-geofence-warrants-are-unconstitutional/ [Electronic Frontier Foundation] To Fight Surveillance Pricing, We Need Privacy First https://www.eff.org/deeplinks/2024/08/fight-surveillance-pricing-we-need-privacy-first [ftc.gov] Federal Trade Commission Announces Final Rule Banning Fake Reviews and Testimonials https://www.ftc.gov/news-events/news/press-releases/2024/08/federal-trade-commission-announces-final-rule-banning-fake-reviews-testimonials [natlawreview.com] CFPB Forecasts New Rule Cracking Down on Consumer Data Sales https://natlawreview.com/article/cfpb-forecasts-new-rule-cracking-down-consumer-data-sales [Los Angeles Times] Hackers may have stolen the Social Security numbers of every American. How to protect yourself https://www.latimes.com/business/story/2024-08-13/hacker-claims-theft-of-every-american-social-security-number [troyhunt.com] Inside the "3 Billion People" National Public Data Breach https://www.troyhunt.com/inside-the-3-billion-people-national-public-data-breach/ [consumerreports.org] Evaluating People-Search Site Removal Services https://innovation.consumerreports.org/new-report-data-defense-evaluating-people-search-site-removal-services/ Tip of the Week: OSINT Final Steps https://firewallsdontstopdragons.com/osint-final-steps/ Other Helpful Links Have I Been Pwned: https://haveibeenpwned.com/ NPD Data Breach search tool: https://npd.pentester.com/ Privacy Guides data removal tools: https://www.privacyguides.org/en/data-broker-removals/ Techlore video on data removal: https://www.youtube.com/watch?v=tESbBM2LZHM Google’s Results About You: https://myactivity.google.com/results-about-you?pli=1 How to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/ How and why to plant your flag: https://firewallsdontstopdragons.com/why-you-need-to-plant-your-flag/ Strong passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ Backing up 2FA codes: https://firewallsdontstopdragons.com/how-to-backup-2fa-seed-codes/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:00: News preview 0:06:33: Illinois governor approves business-friendly overhaul of biometric privacy law 0:11:18: US appeals court rules geofence warrants are unconstitutional ...

Dating App Privacy

19 augusti 2024 | 61 min

Finding your soul mate or even just a one-night stand can all be done digitally now - there's an app for that. Several, in fact. But in order to find the best match, you need to turn over a lot of extremely personal information. You probably also need to let the app track your location, so you're only matching people within some acceptable distance. You would hope that dating apps would be better than other apps at securing your private data... but are they? And are these services selling my data to advertisers? Today I answer these questions and many more with Zoë MacDonald from Mozilla's Privacy Not Included team who recently published a full report on this topic. Interview Notes Privacy Not Included report on dating apps: https://foundation.mozilla.org/en/privacynotincluded/articles/data-hungry-dating-apps-are-worse-than-ever-for-your-privacy/ Mozilla Foundation: https://foundation.mozilla.org/en/?form=donate-header Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ Falling out of love with dating apps: https://www.theguardian.com/lifeandstyle/2023/oct/28/its-quite-soul-destroying-how-we-fell-out-of-love-with-dating-apps Using dating apps to locate someone: https://www.techradar.com/pro/privacy-flaw-in-top-dating-apps-could-have-revealed-user-location-down-to-2-metres How to freeze your credit: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:57:02: Wrap-up and looking ahead 0:02:06: Freeze your credit! 0:04:19: How do modern dating apps work, exactly? 0:08:19: How do they find compatible matches? 0:10:34: Do these apps require constant access to your current location? 0:14:50: How much information used by these apps is inferred vs explicitly requested? 0:17:59: Do these apps use inferred data to weed out bad actors? 0:20:36: How did you decide which apps to evaluate? 0:23:54: What were your key takeaways and most alarming findings? 0:25:57: Do apps owned by the same parent company have similar privacy policies? 0:27:28: How transparent are these apps about sharing your data? 0:29:08: Was there any correlation between app cost and monetizing your data? 0:31:20: Are dating apps better about securing your personal data? 0:33:53: Do any of the dating apps offer end-to-end encryption of DMs? 0:35:40: Do these services try to keep you from leaving the app? 0:39:03: Once you find a match, can you get a refund for unused subscription time? 0:40:28: How do new AI features on dating apps affect your privacy? 0:43:30: Have there been any major dating service data breaches? 0:45:05: How bad are these apps for romance scams like 'big butchering'? 0:47:10: If I still want to use a dating app, how do I maximize my privacy? 0:51:19: Can I use a service on the web only (no app)? Can I delete my data? 0:54:20: How well do dating apps actually work, in terms of finding a mate?

Hacker Summer Camp 2024

12 augusti 2024 | 60 min

It's time once again for cybersecurity professionals to make the pilgrimage to the scorching desert of Las Vegas, Nevada for a week of tech conferences that we lovingly refer to as Hacker Summer Camp. Today I'll bring you my on-the-ground reporting from BSides and DEF CON. I'll also bring you part 2 of my series on Open Source Intelligence (OSINT) and how to purge your personal data from the web. In the news this week: Vegas hotels search hacker's rooms; Apple and others fix old but important browser bug; NFL rolls out more facial recognition at stadiums; Ford looks to patent car surveillance tech; automakers sold your data to brokers for pennies; border agents can no longer search your smartphone without a warrant; judge rules that Google is a monopoly. Article Links [404media.co] Hotel to Search Rooms During DEF CON Hacking Conference https://www.404media.co/hotel-to-search-rooms-during-def-con-hacking-conference/ [AppleInsider] Apple has closed an ancient macOS Safari security hole https://appleinsider.com/articles/24/08/07/apple-has-closed-an-ancient-macos-safari-security-hole [therecord.media] NFL to roll out facial authentication software league-wide https://therecord.media/nfl-to-roll-out-facial-authentication-league-wide [therecord.media] Ford wants patent for tech allowing cars to surveil and report speeding drivers https://therecord.media/ford-seeks-patent-cars-surveil-speeders-report-to-police [The New York Times] Automakers Sold Driver Data for Pennies, Senators Say https://www.nytimes.com/2024/07/26/technology/driver-data-sold-for-pennies.html [9to5Mac] Border agents cannot search smartphones without a warrant, rules federal court https://9to5mac.com/2024/07/29/cannot-search-smartphones-without-a-warrant/ [AppleInsider] Judge rules Google is a search and advertising monopoly https://appleinsider.com/articles/24/08/05/judge-rules-that-google-is-a-search-and-advertising-monopoly Tip of the Week: OSINT Remediation https://firewallsdontstopdragons.com/osint-remediation/ Further Info BSides Las Vegas: https://bsideslv.org/ DEF CON 32: https://defcon.org/html/defcon-32/dc-32-index.html UnDisruptible27: https://securityandtechnology.org/undisruptable27/ Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:26: Summer Camp Highlights 0:10:25: Hotel to Search Rooms During DEF CON 0:15:14: Apple has closed an ancient macOS Safari security hole 0:20:00: NFL to roll out facial authentication software league-wide 0:26:25: Ford wants patent for tech allowing cars to surveil and report speeding drivers 0:29:38: Automakers Sold Driver Data for Pennies, Senators Say 0:32:46: Border agents cannot search smartphones without a warrant, 0:36:44: Judge rules Google is a search and advertising monopoly 0:40:52: Tip of the Week: OSINT Remediation 0:54:25: EFF Tech Trivia update

Catch You on the BSide

5 augusti 2024 | 75 min

Jack Daniel is a storyteller, wanderer, comic, bartender, blacksmith, luthier, historian, mechanic, and the world’s oldest millennial. He is also one of the founders of Security BSides. Jack has a colorful and interesting history, and today we'll learn about how and why he started BSides, delve into a little hacker conference history, talk about modern hackers and cybersecurity conferences and how he's seen them change over the years, and how hackers and their conferences are vastly different than the others. Interview Notes Jack Daniel: https://www.linkedin.com/in/jackadaniel/ BSides official site: https://bsides.org/ BSides Las Vegas (part of hacker summer camp): https://bsideslv.org/ InfoSecMap: https://infosecmap.com/ Cult of the Dead Cow interview: https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/ Jeff Moss interview #1: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/ Jeff Moss interview #2: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/ CackalackyCon: https://cackalackycon.org/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:49: Interview lingo 0:04:05: How did you get into the world of cybersecurity and hacking? 0:12:40: Why did you start BSides? 0:17:43: What were some of the first BSides talks like? 0:21:42: What are the founding principles of BSides? 0:28:00: What approval do you need to start a BSides conference? 0:34:44: How have other hacker conferences influenced BSides and vice versa? 0:36:53: Is there a beef between BSides and Black Hat? 0:38:58: What's your connection with ShmooCon? 0:42:42: How have hackers and these conferences changed since the old days? 0:47:40: Discussion on responsible disclosure 0:50:39: Two different kinds of presenters 0:54:02: You might be a hacker if... 1:01:30: What's the best way to find a local hacker conference? 1:06:50: BSides is about community 1:08:29: Interview wrap-up 1:11:19: Patron content 1:11:53: Looking ahead

CrowdStrike Lessons Learned

29 juli 2024 | 59 min

Last week, we all learned about a company called CrowdStrike that apparently has the capability to single-handedly bring multiple airlines, hospitals and other large companies to their knees in an instant. There are many lessons we should be learning from this incident, though I'm not going to hold my breath. I'll tell you what happened and what I think we should be doing to avoid a repeat of this incident in the future. In other news: Google finally throws in the towel on blocking third-party cookies; a private organization claims to have gained access to advertising-based location data on Trump's shooter; Republican VP candidate JD Vance forgets to make his Venmo data private; leaked docs show what phones Cellebrite can and can't hack; Meta takes down thousands of accounts related to sextortion ring; and for my Tip of the Week, we'll tackle part 1 of my article on deleting your public data from the web. Article Links [AppleInsider] Google gives up on Chrome plan to ditch third-party cookies https://appleinsider.com/articles/24/07/23/google-gives-up-on-chrome-plan-to-ditch-third-party-cookies [404media.co] Heritage Foundation Claims to Use Location Data to Track Trump Shooter's Movements https://www.404media.co/heritage-foundation-claims-to-use-location-data-to-track-trump-shooters-movements/ [9to5Mac] J.D. Vance Venmo connections public, as privacy failing still in place six years later https://9to5mac.com/2024/07/19/jd-vance-venmo-connections-public/ [404media.co] Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock https://www.404media.co/leaked-docs-show-what-phones-cellebrite-can-and-cant-unlock/ [The Washington Post] Meta takes down thousands of Facebook, Instagram accounts running sextortion scams from Nigeria https://www.washingtonpost.com/business/2024/07/24/meta-nigeria-sextortion-scam-instagram-facebook/fce496c6-49b8-11ef-9149-c75da5dd9201_story.html [Schneier Blog] The CrowdStrike Outage and Market-Driven Brittleness https://www.schneier.com/blog/archives/2024/07/the-crowdstrike-outage-and-market-driven-brittleness.html Tip of the Week:OSINT Reconnaissance: https://firewallsdontstopdragons.com/osint-reconnaissance/ Further Info Book surge results: https://fdsd.me/booksurge Moxie Marlinspike (Signal) on Cellebrite vulnerabilities: https://signal.org/blog/cellebrite-vulnerabilities/ Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:51: AT&T breach update 0:01:44: News rundown 0:03:56: Google gives up on Chrome plan to ditch third-party cookies 0:08:28: Group Claims to Use Location Data to Track Trump Shooter's Movements 0:13:42: J.D. Vance Venmo connections public 0:19:28: Leaked Docs Show What Phones Cellebrite Can (and Can’t) Unlock 0:27:35: Meta takes down thousands of accounts running sextortion scams 0:31:21: Lessons from the CrowdStrike Outage 0:44:52: Tip of the Week: OSINT Reconnaissance 0:55:20: Book surge report 0:57:06: More help will be needed 0:58:10: Looking ahead

Open Source Intelligence

22 juli 2024 | 82 min

If someone decided to dig into your life - perhaps even try to 'dox' you - how might they go about doing that? What could they find about you right now on the internet? You might be surprised at how much information is readily available from public sources, including your local government agencies and state databases. Today I'll be talking with Jason Edison from Intel Techniques whose day job is using open source intelligence, or OSINT, to find suspected criminals and whose night job is helping people remove that same information to protect their privacy and even personal security. Interview Notes Intel Techniques: https://inteltechniques.com/ Data Removal Guide: https://inteltechniques.com/workbook.html Data Removal Workbook (PDF): https://inteltechniques.com/data/workbook.pdf Credit Freeze Guide: https://inteltechniques.com/freeze.html MySudo privacy app: https://mysudo.com/ SimpleLogin (Proton) email aliases: https://simplelogin.io/ Private credit cards: https://privacy.com/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:41: Interview setup 0:02:34: What do you do for your day job in law enforcement? 0:05:17: What is open source intelligence, exactly? 0:08:41: What are your primary sources for OSINT? 0:12:01: What is doxing and how might it impact someone? 0:14:56: How does an OSINT specialist also value personal privacy? 0:22:36: How do others in law enforcement view data collection and privacy? 0:28:36: When emotional cases arise, do officials favor privacy rights over catching bad guys? 0:33:32: How do we balance privacy rights vs public safety? 0:39:19: How would you do a full workup on someone? 0:45:18: Where do people overshare or give away the most personal information? 0:52:31: How much of my personal information is available via public records? 0:56:43: Will tooks like AI help us find the needles in the haystacks? 1:00:56: What about data deletion services - are they worth it? 1:07:51: How useful are email and phone aliases for privacy? 1:11:17: How do you prove your identity to deletion sites without giving more info? 1:17:10: What tools can I find at Intel Techniques? 1:19:00: My data deletion journey

How & Why to Block Ads

15 juli 2024 | 78 min

Ads on the web are beyond annoying - they are actually a threat to your privacy and sometimes even your security. Ads pay for a lot of the "free" web content we consume, but until ad networks stop tracking us and selling ad space to phishing and malware groups, we need tools to block them. Today I'll give you two solid options for doing so. In the news: Australian man charged for WiFi scam on flights; Airbnb reveals 35,000 complaints about hidden cameras; Linksys routers expose WiFi credentials; a massive new hacker list contains 10 billion unique passwords; a new AT&T call and text records data breach; Signal gets flak for response to storing encryption keys in the clear; Mozilla launches "privacy-preserving" ad attribution system (on by default); Proton launches encrypted Google Docs competitor. Article Links [The Hacker News] Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html [9to5Mac] 35,000 complaints about hidden cameras in Airbnb properties https://9to5mac.com/2024/07/10/hidden-cameras-in-airbnb-properties/ [stackdiary.com] Linksys Velop routers send Wi-Fi passwords in plaintext to US servers https://stackdiary.com/linksys-velop-routers-send-wi-fi-passwords-in-plaintext-to-us-servers/ [cybernews.com] RockYou2024: 10 billion passwords leaked in the largest compilation of all time https://cybernews.com/security/rockyou2024-largest-password-compilation-leak/ [TechCrunch] What the AT&T call records data breach means for you https://techcrunch.com/2024/07/12/what-the-att-call-records-data-breach-means-for-you/ [stackdiary.com] Signal under fire for storing encryption keys in plaintext https://stackdiary.com/signal-under-fire-for-storing-encryption-keys-in-plaintext/ [Mozilla] Privacy-Preserving Attribution https://support.mozilla.org/en-US/kb/privacy-preserving-attribution [Lifehacker] Why You Should Consider Proton Docs Over Google https://lifehacker.com/tech/why-you-should-consider-proton-docs-over-google Tip of the Week: How & Why to Block Ads https://firewallsdontstopdragons.com/how-and-why-to-block-ads/ Further Info Enter the DEF CON 32 ticket raffle: send email to [email protected] Techlore NextDNS tutorial: https://www.youtube.com/watch?v=WUG57ynLb8I Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:21: Book surge report 0:03:00: News rundown 0:05:06: Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights 0:09:50: 35,000 complaints about hidden cameras in Airbnb properties 0:15:31: Linksys Velop routers send Wi-Fi passwords in plaintext to US servers 0:20:29: 10 billion passwords leaked in the largest compilation of all time 0:26:51: What the AT&T call records data breach means for you 0:32:37: Signal under fire for storing encryption keys in plaintext 0:47:24: Mozilla's new Privacy-Preserving Attribution 0:58:58: New: Proton Docs! 1:00:18: Tip of the Week: How & Why to Block Ads 1:12:41: Wrap up 1:13:01: Book surge report 1:15:25: DEF CON 32 ticket raffle! 1:17:48: Looking ahead

Promising Privacy Tech

8 juli 2024 | 71 min

We're generating a ridiculous amount of data every day. Much of it is highly personal and that's dangerous. But there are actually several Privacy Enhancing Technologies that may allow us to use this personal data to improve our collective quality of life without ruining the privacy of the data subjects. I'll be discussing these PETs with Irene Knapp who spent five years working in the privacy department at Google. I will also spend a good bit of time asking them about what it's like working at Google and get some insights about the company's approach to privacy from the inside. (Spoiler: it's not good.) Interview Notes Internet Safety Labs: https://internetsafetylabs.org/about-us/ Irene’s Google departure post: https://medium.com/@Irenes/on-the-occasion-of-leaving-google-b8c7029c8d8b Coworker.org: https://coworker.org Google loses privacy chief: https://www.techspot.com/news/103268-google-privacy-chief-head-competition-law-leaving-not.html Further Info BOOK SURGE!! https://fdsd.me/booksurge Send me your questions! https://fdsd.me/qna Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:40: Interview setup 0:03:56: What is Internet Safety Labs and what do you do there? 0:05:45: Why do we not have liability in the software industry? 0:07:02: How did you come to work for Google and what was your experience like there? 0:07:58: What caused you to eventually leave? 0:10:26: How did private policy evolve while you were at Google? 0:12:36: What was happening in Google that impeded your efforts? 0:19:19: How does Google compare to other companies like Facebook? 0:20:56: What's your take on Google's new Privacy Sandbox technology? 0:27:24: Can we do some good with all the data we're collecting? 0:33:51: From where do we derive a legal right to privacy? 0:35:10: How does differential privacy work? 0:38:49: Where might we use differential privacy? 0:41:59: What is homomorphic encryption and how does it work? 0:44:47: Are there any other promising PETs? 0:46:49: How do zero knowledge proofs work? 0:49:20: Which of the PETs seem most promising right now? 0:51:20: Do we need privacy regulations to save us here? 0:56:19: What's next for you? 0:58:31: Interview wrap-up 1:00:52: BOOK SURGE!!

Backing Up Other Data

1 juli 2024 | 80 min

We've talked about how to backup your local device data and how to back up data that is primarily stored in the cloud. But there's a lot of important, irreplaceable data we take for granted: data owned by others. This might be shared online photo albums, cloud document collaborations, eBooks and other digital media, and even websites you frequently rely on. Today we'll talk about how you can make local copies of these files in case they should ever go offline. In other news: European politicians' personal details exposed online; Proton transitions to non-profit corporate structure; lawsuit claims Microsoft tracked sex toy purchases; online ID verification service exposed drivers licenses; new Mac info-stealer served up by Google Ads; law enforcement is spying on Americans' mail; new ALPR vulnerabilities prove it's a public safety threat; UK hospital hack leaks 300M patient records; US bans Kaspersky software; Sonos removes promise not to sell its users' data; Mozilla buys a 'privacy-centric' ad firm. Article Links [proton.me] Cyber house of cards – Politicians’ personal details exposed online https://proton.me/blog/politicians-exposed-dark-web [proton.me] Proton is transitioning towards a non-profit structure https://proton.me/blog/proton-non-profit-foundation [404media.co] Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With 'Recording in Real Time' Software https://www.404media.co/lawsuit-claims-microsoft-tracked-sex-toy-shoppers-with-recording-in-real-time-software/ [404media.co] ID Verification Service for TikTok, Uber, X Exposed Driver Licenses https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/ [Ars Technica] Mac users served info-stealer malware through Google ads https://arstechnica.com/security/2024/06/mac-info-stealer-malware-distributed-through-google-ads/ [The Washington Post] Law enforcement is spying on thousands of Americans’ mail, records show https://www.washingtonpost.com/technology/2024/06/24/post-office-mail-surveillance-law-enforcement/ [Electronic Frontier Foundation] New ALPR Vulnerabilities Prove Mass Surveillance Is a Public Safety Threat https://www.eff.org/deeplinks/2024/06/new-alpr-vulnerabilities-prove-mass-surveillance-public-safety-threat [TechCrunch] US bans sale of Kaspersky software citing security risk from Russia https://techcrunch.com/2024/06/20/us-bans-kaspersky-software-security-risk-russia/ [AppleInsider] Sonos removes a promise to not sell personal data, gets busted by users https://appleinsider.com/articles/24/06/15/sonos-removes-a-promise-to-not-sell-personal-data-gets-busted-by-users [theregister.com] What's up with Mozilla buying ad firm Anonym? It's all about 'privacy-centric advertising' https://www.theregister.com/2024/06/18/mozilla_buys_anonym_betting_privacy/ Tip of the Week: Backing Up Other Data https://firewallsdontstopdragons.com/how-to-backup-other-data/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:25: Book blitz coming soon 0:00:55: Dear Carey reminder 0:01:38: Bitwarden bug fixed 0:02:28: News rundown 0:04:22: EU politicians’ personal details exposed online 0:10:37: Proton adopts non-profit structure 0:15:15: Lawsuit Claims Microsoft Tracked Sex Toy Shoppers 0:19:28: ID Verification Service Exposed Driver Licenses 0:27:38: Mac users served info-stealer malware through Google ads

Means of Control

24 juni 2024 | 73 min

Every day, we generate tons of digital exhaust: our web browsing, GPS location, online and in-store purchases, emails and messages, social media posts and feed viewing habits, and much, much more. Online marketers and data brokers have been living off these breadcrumbs for years. The intelligence and law enforcement agencies have found this data to be incredibly revealing, and they can buy most of this data on the open market without requiring any sort of warrant - and they have. This has important implications for democratic societies that value privacy and freedom. I'll discuss how this mass surveillance works and what it means for all of us with Byron Tau, author of the book "Means of Control". Interview Notes Means of Control: https://www.amazon.com/Means-Control-Alliance-Government-Surveillance/dp/0593443225 Byron Tau at NOTUS: https://www.notus.org/byron-tau Puking Monkey’s DEF CON presentation: https://www.youtube.com/watch?v=T43Ti7c11lY Make your EZ Pass “moo”: https://hackaday.com/2013/09/16/modified-e-zpass-detects-reads-far-from-toll-booths/ Official US policy on collecting public info on citizens: https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2024/3815-odni-releases-ic-policy-framework-for-commercially-available-information Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:58: Update your Windows PCs 0:01:32: Interview setup 0:04:59: How might the collection of online data impact a regular person? 0:10:13: What sorts of things can all this data reveal about us? 0:15:44: How much can we learn by tracking a person's location? 0:17:38: What is 'gray data'? 0:22:40: Our data can be saved virtually forever - what are the ramifications? 0:26:30: How are data gathering rules different for law enforcement vs intelligence agencies? 0:32:54: When did data brokers start selling our info to government agencies? 0:39:22: Is it legal for these agencies to act as data brokers themselves? 0:42:12: What laws have impacted this sort of data collection in the US? 0:44:49: How and why do these agencies hide this data collection? 0:51:02: Are governments sharing data to skirt local restrictions? 0:54:54: How have these spy programs evolved since 9/11? 1:00:28: Have government agencies lobbied Congress against federal privacy laws?? 1:03:20: How can we limit data collection and increase our privacy? 1:06:24: Could the Big Tech backlash help get a privacy law passed? 1:08:33: What are you working on next? 1:09:59: Interview follow-up 1:11:36: Looking ahead

Backup Your Cloud Data

17 juni 2024 | 66 min

Until recently, most of our important data lived primarily on our devices. Backing up that data often meant choosing a cloud backup service. But today, many of our most important photos and files are actually stored in the cloud. While cloud servers are supposed to be more robust than home computers with flaky hard drives and smartphones that get lost or stolen, it also means that someone else is in control of that data. Cloud services go offline, get bought out or even shut down. We now need to be sure to back up our cloud data, too. In other news: 23andMe breach under investigation by US and Canada; cops release personal location info to FOIA request; hacker gains access to Tile customer data; more car privacy updates; Microsoft Recall backlash highlights our distrust; report shows Microsoft favoring profits over security; Mac Bartender app shadily changes ownership; new Apple privacy features coming. Article Links [malwarebytes.com] 23andMe data breach under joint investigation in two countries https://www.malwarebytes.com/blog/news/2024/06/23andme-data-breach-under-joint-investigation-in-two-countries [theregister.com] Crooks threaten to leak 3B personal records 'stolen from background check firm' https://www.theregister.com/2024/06/03/usdod_data_dump/ [404media.co] Cops Released a Car’s Travel History to a Total Stranger https://www.404media.co/cops-released-a-cars-travel-history-to-a-total-stranger/ [404media.co] Hacker Accesses Internal ‘Tile’ Tool That Provides Location Data to Cops https://www.404media.co/hacker-accesses-internal-tile-tool-that-provides-location-data-to-cops/ [The New York Times] Is Your Driving Being Secretly Scored? https://www.nytimes.com/2024/06/09/technology/driver-scores-insurance-data-apps.html [Windows Central] A PR disaster: Microsoft has lost trust with its users, and Windows Recall is the straw that broke the camel's back https://www.windowscentral.com/software-apps/windows-11/microsoft-has-lost-trust-with-its-users-windows-recall-is-the-last-straw [ProPublica] Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers [AppleInsider] Adobe's new terms of service unacceptably gives them access to all of your projects, for free https://appleinsider.com/articles/24/06/06/adobes-new-terms-of-service-unacceptably-gives-them-access-to-all-of-your-projects-for-free [MacRumors] PSA: Bartender Mac App Under New Ownership, But Lack of Transparency Raises Concerns https://www.macrumors.com/2024/06/04/bartender-mac-app-new-owner/ [9to5Mac] iOS 18 includes these new privacy features: Lock and hide apps, improved contact permissions, more https://9to5mac.com/2024/06/10/ios-18-includes-these-new-privacy-features-lock-and-hide-apps-improved-contact-permissions-more/ Tip of the Week: Backup Your Cloud Data: https://firewallsdontstopdragons.com/how-to-backup-cloud-data/ Further Info Under New Management plugin: https://github.com/classvsoftware/under-new-management Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:52: News preview 0:03:11: 23andMe data breach under joint investigation in two countries 0:07:01: Crooks threaten to leak 3B personal records 'stolen from background check firm' 0:09:52: Cops Released a Car’s Travel History to a Total Stranger

Anom: The FBI’s Phone Company

10 juni 2024 | min

Encrypted communications are important for everyone, even if you have nothing to hide. But they're also important when you're trying to hide global criminal operations. Drug smugglers and money launderers have special needs when it comes to secure messaging. Several phone companies were created to address this market. Unfortunately for the criminals, the most popular one - Anom - was secretly run by the FBI. Today Joseph Cox from 404 Media will tell us about this astoundingly audacious sting operation, which is the basis for his book, Dark Wire. Interview Notes Order Dark Wire: https://a.co/d/h9o7ump Anom website (right before take down): https://web.archive.org/web/20210507151115/http://anom.io/ Phantom Secure website (circa 2017): https://web.archive.org/web/20170330122723/http://phantomsecure.com/ Vice Anom story: https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor Anom phone video: https://www.youtube.com/watch?v=EA1KS-xh0n0 Operation Trojan Shield: https://en.wikipedia.org/wiki/Operation_Trojan_Shield Trojan Shield press conference: https://www.youtube.com/watch?v=S89O0nis_ss Encrochat: https://en.wikipedia.org/wiki/EncroChat Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:54: Migrating to Mastodon 0:02:24: Embracing the dark... mode 0:02:45: Countdown to 400 0:03:28: Interview setup 0:04:30: How did this all start with you on an obscure forum for criminals? 0:08:34: What was Operation Trojan Shield? 0:10:49: How did the FBI start a secure phone company? 0:12:41: What were some of Anom's key tech features? 0:15:26: Where did they get the Arcane Operating System? 0:17:56: How did the 'duress' feature work? 0:20:18: How did Anom copy encrypted messages without being detected? 0:24:35: How were these phones marketed to criminals? 0:28:10: What does these phones cost? 0:30:09: What were the legal aspects for this multi-national operation? 0:34:49: How did they use this intelligence without revealing the source? 0:39:38: Did the criminals ever suspect the phones? 0:42:04: How did this all come to an end? 0:46:14: So, are we 'going dark' or not? 0:49:27: What lessons did the FBI take away from all this? 0:51:36: Can we still trust things like Signal and Proton? 0:55:39: What's your next big story or book? 0:58:09: Interview end notes 1:03:12: Looking ahead

Migrate to Mastodon

3 juni 2024 | 65 min

Most major social media platforms are a hot mess. Your feed is filled with tons of crap you never asked to see and your data is mined mercilessly to serve you targeted ads. The promise of having a place to trade interesting posts with friends and family is now muddied up with sponsored content chosen by hidden algorithms optimized to keep you scrolling. It doesn't have to be that way. I've found something much better, and I'm inviting you to come join me. In other news: Ticketmaster breach leaks data on half a billion users; the iOS bug that resurrected deleted photos explained; GPT-4 can write working malware based only on CVE bug descriptions; Slack customers upset to learn that their data was being used to train AI systems; WiFi location service can be used to track mobile routers; police are trialing new devices that can track and identify you based on multiple electronic signals; new Windows AI feature records everything you do on your PC; Microsoft rolling out welcome changes to admin privilege use; Google adding several privacy and security features to Android 15; and iVerify how has an Android app. Article Links [Mashable] Ticketmaster hacked. Breach affects more than half a billion users. https://mashable.com/article/ticketmaster-data-breach-shinyhunters-hack [9to5Mac] Security Bite: Here’s the iOS 17.5 bug that resurfaced deleted photos https://9to5mac.com/2024/05/26/security-bite-heres-the-ios-17-5-bug-that-resurfaced-deleted-photos/ [Dark Reading] GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories https://www.darkreading.com/threat-intelligence/gpt-4-can-exploit-most-vulns-just-by-reading-threat-advisories [securityweek.com] User Outcry as Slack Scrapes Customer Data for AI Model Training https://www.securityweek.com/user-outcry-as-slack-scrapes-customer-data-for-ai-model-training/ [9to5Mac] Apple Location Services vulnerability can enable troop movements to be tracked https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/ [Forbes] New Police Tech Can Detect Phones, Pet Trackers And Library Books In A Moving Car https://www.forbes.com/sites/thomasbrewster/2024/05/14/police-car-surveillance-tech-uncovers-phones-pet-trackers-and-library-books/ [Ars Technica] New Windows AI feature records everything you’ve done on your PC https://arstechnica.com/gadgets/2024/05/microsofts-new-recall-feature-will-record-everything-you-do-on-your-pc/ [PCWorld] Microsoft battens security hatches on Windows admin accounts https://www.pcworld.com/article/2344405/microsoft-battens-security-hatches-on-oft-used-windows-admin-accounts.html [Lifehacker] Google Is Rolling Out Some Great Privacy Features to Android This Year https://lifehacker.com/tech/google-is-rolling-out-some-great-privacy-features-with-android-15 [iverify.io] iVerify Basic is now on Android! https://www.iverify.io/post/iverify-basic-is-now-on-android Tip of the Week: Move to Mastodon https://firewallsdontstopdragons.com/how-to-move-to-mastodon/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:34: Ticketmaster hacked, breach affects more than half a billion users 0:05:59: Here’s the iOS 17.5 bug that resurfaced deleted photos 0:12:28: GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories 0:17:36: User Outcry as Slack Scrapes Customer Data for AI Model Training 0:23:12: Apple Location Services vulnerability can enable troop movements ...

Why Privacy Matters

27 maj 2024 | 68 min

Our privacy has never been more threatened. While some of us are vaguely aware of this, most of the rampant data collection and sharing is completely opaque. And the consequences are more dire than most of us realize. We can't afford to be complacent. We need to push back, to ask questions, and make better choices. Privacy-respecting apps and services do exist today. Making a deliberate and overt decision to use them will force the market (and our elected representatives) to take notice. My guest Naomi Brockwell from NBTV will make a compelling case for privacy and reclaiming control of our data, including several top notch tips for doing so. Interview Notes Naomi Brockwell’s NBTV: https://www.nbtv.media/ A World Without Privacy: https://www.nbtv.media/episodes/a-world-without-privacy A Beginner’s Introduction to Privacy: https://www.amazon.com/Beginners-Introduction-Privacy-Naomi-Brockwell-ebook/dp/B0BQHS8MFS Who can access your car remotely? https://www.youtube.com/watch?v=Ff9pmaSdZV8 Naomi Brockwell on All Things Secured: https://www.youtube.com/watch?v=D0WjIWBQEBM Michael Bazzell’s Extreme Privacy resources: https://inteltechniques.com/links.html Try Proton! https://firewallsdontstopdragons.com/its-time-to-try-proton/ Try Signal! https://firewallsdontstopdragons.com/how-to-switch-to-signal/ Further Info Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:58: How did you become a privacy evangelist? 0:06:51: What are some of the most mind-blowing ways we leak personal data? 0:09:56: What were some of Orwell's most prescient predictions in 1984? 0:15:49: How is surveillance different in real life from 1984? 0:22:23: How does data collection skew the power balance between citizens and authorities? 0:26:36: How do you counter the "I have nothing to hide" argument? 0:29:55: Why is it so important to normalize the use of privacy tools? 0:33:46: What changes do you recommend and what are the impacts for making them? 0:45:48: If you've given away tons of personal data already, is it too late? 0:50:07: What can we do to push vendors to respect our privacy more? 0:57:49: What's the future of privacy look like? 1:00:15: Post-interview notes 1:06:11: Looking ahead

How to Choose a PIN

20 maj 2024 | 71 min

Security experts talk at length about how to choose a good password - but we don't often talk about how to choose a good PIN code. A recent analysis by a researcher shows popular patterns humans use when choosing PIN codes, and therefore what you should avoid doing. In the news: MediSecure e-Rx firm hit by data breach; CISA warns of active D-Link router exploit; a couple cases of insecure APIs being abused; 53k Nissan employees' SSN's leaked; new macOS malware called Cuckoo; Ascension Healthcare suffers cyberattack; Proton user's poor OpSec gives him away; TunnelVision VPN attack exploits DHCP feature; Maryland & Vermont pass data privacy laws; tracker detection feature debuts on iPhone & Android. Article Links [BleepingComputer] MediSecure e-script firm hit by ‘large-scale’ data breach https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/ [The Hacker News] CISA Warns of Actively Exploited D-Link Router Vulnerabilities https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-d-link.html [Ars Technica] How I upgraded my water heater and discovered how bad smart home security can be https://arstechnica.com/gadgets/2024/05/how-i-upgraded-my-water-heater-and-discovered-how-bad-smart-home-security-can-be/ [BleepingComputer] Dell API abused to steal 49 million customer records in data breach https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/ [infosecurity-magazine.com] 53,000 Nissan Employees' Social Security Numbers Exposed https://www.infosecurity-magazine.com/news/employees-social-security-nissan/ [Tom's Guide] New Cuckoo macOS malware can take over all Macs and steal your passwords https://www.tomsguide.com/computing/malware-adware/new-cuckoo-macos-malware-can-take-over-all-macs-and-steals-your-passwords-too-dont-fall-for-this [Dark Reading] Ascension Healthcare Suffers Major Cyberattack https://www.darkreading.com/cyberattacks-data-breaches/ascension-healthcare-hit-by-cyberattack [restoreprivacy.com] Proton Mail Discloses User Data Leading to Arrest in Spain https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain/ [Ars Technica] Novel attack against virtually all VPN apps neuters their entire purpose https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/ [mullvad.net] Evaluating the impact of TunnelVision https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision [epic.org] Vermont Passes Landmark Data Privacy Bill https://epic.org/vermont-passes-landmark-data-privacy-bill/ [epic.org] Governor Moore Signs Maryland Online Data Privacy Act https://epic.org/governor-moore-signs-maryland-online-data-privacy-act/ [9to5Mac] Here’s how the new Cross-Platform Tracking Detection works https://9to5mac.com/2024/05/13/cross-platform-tracking-detection-ios-17-5/ Tip of the Week: How to Choose a PIN https://firewallsdontstopdragons.com/how-to-choose-a-pin/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:34: Update Apple devices, Chrome 0:01:16: A note on supporting Firefox 0:03:48: News preview 0:07:00: MediSecure hit by large-scale data breach 0:09:01: CISA Warns of Actively Exploited D-Link Router Vulnerabilities 0:13:14: How I upgraded my water heater and discovered how bad smart home securi...

Inside Ukraine’s IT Army

13 maj 2024 | 49 min

Russia has been hacking Ukraine for at least a decade now, but since the invasion of Ukraine in February of 2022, the cyber war has changed. Instead of being a tactical element, cyber war is now a full-fledged strategic aspect of the conflict, on both sides. At the outset, Ukraine put out an official call to enlist cyber warriors from around the globe to their cause in what's been called the IT Army of Ukraine. Today we'll look at how this group was formed, how it operates, and what we should all be learning from what's happening there. My guest is Dina Temple-Raston from The Record, the Click Here Podcast, and formerly NPR. Interview Notes Dina Temple-Raston at The Record: https://therecord.media/author/dina-temple-raston Click Here podcast: https://therecord.media/podcast Click Here, Episode 98: “Lessons from the world's first hybrid war”: https://podcasts.apple.com/us/podcast/click-here/id1225077306?i=1000639045741 NPR’s I’ll Be Seeing You: https://www.npr.org/series/760566025/ill-be-seeing-you Operation Glowing Symphony: https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:50: How did you get into covering cybersecurity and cyber warfare? 0:06:48: When and how did Russian cyber attacks begin in Ukraine? 0:15:40: What is the IT Army of Ukraine and what is its origin? 0:20:47: Have we seen other cyberwar volunteer organizations? 0:23:05: How are information and communications being utilized by the IT Army? 0:26:53: How has Russia responded to this? 0:28:34: How are IT Army members recruited and vetted? 0:30:17: How are objectives coordinated? 0:31:20: Where are IT Army members coming from? 0:32:03: Do we know if Western military members are participating in the IT Army? 0:36:30: What are the military lessons to be learned here? 0:42:11: What should civilians be learning from all of this? 0:46:01: What's next for you and Click Here? 0:47:14: Wrap-up and looking ahead

Please Quit Chrome

6 maj 2024 | 73 min

Google's Chrome browser has dominated the planet - both on desktop computers and mobile devices. Furthermore, many other popular web browsers are actually based on the same Google-made Chromium browser engine, including Microsoft Edge and Brave Browser. This gives Google an inordinate amount of influence on web standards, in particular preventing better privacy protections. We need to support privacy-forward alternatives lest they disappear. In other news: US passes expanded mass surveillance policies instead of curbing them; TikTok ban bill becomes law giving Bytedance a year to sell it; UK's Investigatory Powers Bill amendment passes; photo-sharing app will use users' uploaded images to train AI; Health insurers Kaiser and Change Healthcare are hacked; antivirus software service installs malware on user's systems; FCC fines telecom's $200M; CISA director pushes for vendor accountability; CISA's proactive protection programs are making positive impacts; UK becomes first country to enforce strong and strict IoT security requirements; net neutrality is back; Google again delays killing third party cookies. Article Links [Electronic Frontier Foundation] U.S. Senate and Biden Administration Shamefully Renew and Expand FISA Section 702, Ushering in a Two Year Expansion of Unconstitutional Mass Surveillance https://www.eff.org/deeplinks/2024/04/us-senate-and-biden-administration-shamefully-renew-and-expand-fisa-section-702-0 [TechCrunch] Biden signs bill that would ban TikTok if ByteDance fails to sell the app https://techcrunch.com/2024/04/24/biden-signs-bill-that-would-ban-tiktok-if-bytedance-fails-to-sell-the-app/ [theregister.com] UK's Investigatory Powers Bill to become law despite tech world opposition https://www.theregister.com/2024/04/26/investigatory_powers_bill/ [TechCrunch] Photo-sharing community EyeEm will license users photos to train AI if they don’t delete them https://techcrunch.com/2024/04/26/photo-sharing-community-eyeem-will-license-users-photos-to-train-ai-if-they-dont-delete-them/ [TechCrunch] Health insurance giant Kaiser notifies millions of a data breach https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-millions-data-breach/ [TechCrunch] Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/ [Ars Technica] Hackers infect users of antivirus service that delivered updates over HTTP https://arstechnica.com/security/2024/04/hackers-infect-users-of-antivirus-service-that-delivered-updates-over-http/ [BleepingComputer] FCC fines carriers $200 million for illegally sharing user location https://www.bleepingcomputer.com/news/technology/fcc-fines-carriers-200-million-for-illegally-sharing-user-location/ [cybersecuritydive.com] CISA director pushes for vendor accountability and less emphasis on victims’ errors https://www.cybersecuritydive.com/news/cisa-highlights-vendors-errors/714300/ [therecord.media] More than 800 vulnerabilities resolved through CISA ransomware notification pilot https://therecord.media/vulnerabilities-resolved-through-cisa-pilot [therecord.media] UK becomes first country to ban default bad passwords on IoT devices https://therecord.media/united-kingdom-bans-defalt-passwords-iot-devices [WIRED] Net Neutrality Returns to a Very Different Internet https://www.wired.com/story/fcc-net-neutrality-rules-vote/ [Ars Technica] Google delays third-party cookie death again: Now scheduled for 2025 https://arstechnica.com/gadgets/2024/04/google-delays-third-party-cookie-death-again-now-scheduled-for-2025/ Tip of the Week: https://firewallsdontstopdragons.com/its-time-to-quit-chrome/ Further Info Under New Management plugin: https://github.com/classvsoftware/under-new-management Donate to Mozilla (Firefox): https://foundation.mozilla.org/en/donate/ Send me your questions! https://fdsd.me/qna

The Rise of CBDC

29 april 2024 | 69 min

AI has been grabbing all the tech headlines, but cryptocurrency is still innovating and changing. One of the primary goals of cryptocurrency was to be decentralized and therefore not controlled by governments like fiat currency. That is about to change. Central Bank Digital Currency (CBDC) is a new type of cryptocurrency that is created and governed by nation states, which comes with serious implications for privacy and global economics. Thankfully I've got cryptocurrency expert Seth for Privacy on the show to explain how CBDC works and how it will affect us. Interview Notes Opt Out Podcast: https://optoutpod.com/ Freedom.Tech: https://freedom.tech/ Foundation.xyz: https://foundation.xyz/ CBDC tracker: https://cbdctracker.hrf.org/home Buying Monero: https://freedom.tech/buying-monero-privately/ Samourai Wallet 1: https://freedom.tech/how-samourai-worked/ Samourai Wallet 2: https://freedom.tech/samourai-to-sparrow/ Cryptocurrency 101 interview: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/ Further Info Treasure & Coin Promo: https://fdsd.me/promo424 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:30: Promo update 0:01:42: News preview 0:04:34: AT&T now says over 50M accounts were compromised 0:11:37: Apple password reset notification attack 0:16:04: Outlook is Microsoft’s new data collection service 0:22:40: Kobold letters 0:29:27: Backdoor in XZ Utils That Almost Happene 0:39:42: OpenAI and Google reportedly used transcriptions of YouTube videos to train their AI models 0:45:57: How to Turn Off Meta AI on their various apps 0:49:07: Vulnerabilities Identified in LG WebOS 0:52:14: Roku Says More Than 500,000 Accounts Were Compromised 0:56:05: X May Charge New Users a 'Small Fee' to Post, Like and Reply 1:00:04: DuckDuckGo Is Taking Its Privacy Fight to Data Brokers 1:04:19: Google Launches Android Find My Device Network 1:07:29: The CFPB wants to rein in data brokers 1:12:23: Tip of the Week: Freeze Your Credit 1:18:05: Wrap-up 1:19:06: Looking ahead

Just Do It: Freeze Your Credit

22 april 2024 | 80 min

You've heard people like me recommend this for years. It's time to just do it: freeze your credit report. There are really no downsides at this point. For example, it's now free everywhere in the US, by law. It's also free to temporarily "thaw" your credit. And it's gotten a lot easier to do, too. Freezing your credit is your main defense against financial identity theft. And with the sheer number of data breaches (like the recent massive AT&T leak), the personal information needed to commit identity theft is out there already. In other news: AT&T now says 51 million past and current customers' data were leaked; beware of a new password reset 'bomb' campaign; Microsoft is using Outlook to harvest and share your data; a new email scam alters their content after forwarding; a devious and devastating supply chain attack was thwarted in the nick of time; AI organizations are using sneaky techniques to train their models on your data; Meta is lacing its apps with AI, and there's not much you can do about it; LG TVs are hacked; Roku is breached again, this time affecting over 500,000 accounts; Twitter/X looking to charge new users a small fee to try to curb bot accounts; DuckDuckGo unveils trio of new for-pay privacy services; Google launches their own Find My network; and various US government agencies, lacking a real privacy law, attempt to curb privacy abuses using existing powers. Article Links [BleepingComputer] AT&T now says data breach impacted 51 million customers https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/ [AppleInsider] If you're getting dozens of password reset notifications, you're being attacked https://appleinsider.com/articles/24/03/27/if-youre-getting-dozens-of-password-reset-notifications-youre-being-attacked [proton.me] Outlook is Microsoft’s new data collection service https://proton.me/blog/outlook-is-microsofts-new-data-collection-service [Lutra Security] Kobold letters https://lutrasecurity.com/en/articles/kobold-letters/ [Schneier Blog] Backdoor in XZ Utils That Almost Happened https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html [Engadget] OpenAI and Google reportedly used transcriptions of YouTube videos to train their AI models https://www.engadget.com/openai-and-google-reportedly-used-transcriptions-of-youtube-videos-to-train-their-ai-models-163531073.html [Lifehacker] How to Turn Off Meta AI on Facebook, Instagram, Messenger, and WhatsApp https://lifehacker.com/tech/how-to-turn-off-meta-ai-on-facebook-instagram-messenger-whatsapp [bitdefender.com] Vulnerabilities Identified in LG WebOS https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/ [Lifehacker] Roku Says More Than 500,000 Accounts Were Compromised in a Cyberattack https://lifehacker.com/tech/roku-cyberattack-compromises-accounts [MacRumors] X May Charge New Users a 'Small Fee' to Post, Like and Reply https://www.macrumors.com/2024/04/15/x-small-fee-new-users/ [WIRED] DuckDuckGo Is Taking Its Privacy Fight to Data Brokers https://www.wired.com/story/duckduckgo-vpn-data-removal-tool-privacy-pro/ [MacRumors] Google Launches Android Find My Device Network https://www.macrumors.com/2024/04/08/google-android-find-my-device-network-2/ [ftc.gov] Proposed FTC Order will Prohibit Telehealth Firm from Using or Disclosing Sensitive Data for Advertising Purposes https://www.ftc.gov/news-events/news/press-releases/2024/04/proposed-ftc-order-will-prohibit-telehealth-firm-cerebral-using-or-disclosing-sensitive-data [The Verge] The CFPB wants to rein in data brokers https://www.theverge.com/2024/4/15/24131354/cfpb-data-brokers-fair-credit-reporting-act [therecord.media] Automakers and FCC square off over potential regulations for connected cars https://therecord.media/fcc-automakers-connected-cars-regulation-mvnos Tip of the Week: https://firewallsdontstopdragons.

Protecting Kids Online

15 april 2024 | 70 min

There's a lot of nasty stuff online - things we would prefer our kids not see, at least not until they're mature enough to handle it. Our elected representatives have proposed various regulations to try to protect kids online, and while this is obviously a laudable goal, the devil is always in the details. Many of the proposed solutions have serious negative consequences for both kids and adults, chilling free speech and blocking useful content. I'll discuss the latest iteration of these proposed solutions in the US called the Kids Online Safety Act (KOSA) as well as the similar Online Safety Act in the UK. With me is Joe Mullin, senior policy analyst at the Electronic Frontier Foundation (EFF). Interview Notes Joe Mullin (EFF): https://www.eff.org/about/staff/joe-mullin EFF on KOSA: https://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act EFF on KOSA in depth: https://www.eff.org/deeplinks/2024/03/analyzing-kosas-constitutional-problems-depth Contact Congress: https://www.eff.org/congress EFF on CA ballot initiative: https://www.eff.org/deeplinks/2024/02/eff-opposes-california-initiative-would-cause-mass-censorship EFF submission to Ofcom: https://www.eff.org/deeplinks/2024/03/effs-submission-ofcoms-consultation-illegal-harms Santa Clara Principles for online content moderation: https://santaclaraprinciples.org/ Further Info Treasure & Coin Promo: https://fdsd.me/promo424 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:56: Eclipse! 0:01:50: Treasure & Coin promo update 0:02:29: Interview preview 0:03:41: What are the primary concerns today with kids on the internet? 0:08:24: What laws already exist to protect kids online? 0:17:05: What are the key provisions of KOSA? 0:25:04: What content is KOSA trying to restrict based on age? 0:34:22: What did we learn from the UK's Online Safety Act? 0:38:47: Doesn't KOSA interfere with Section 230? 0:44:41: How does KOSA impact content access for adults? 0:50:17: Are our representatives seeking insights from groups like EFF? 0:54:58: Are there onlione safety regulations EFF could support? 0:58:55: Do you have any advice for parents on protecting their kids online? 1:06:55: Interview wrap-up 1:08:59: Patron bonus content 1:09:28: Looking ahead

Answering Listener Questions

8 april 2024 | 59 min

Today I answer some of the most interesting listener questions from the past several months, including: how to do you get SMS 2FA codes while traveling abroad; should I periodically change all my passwords; how do hackers attack IoT devices inside my home network; can a website fingerprint me based on a hardware security key; can you recommend an email client that protects your privacy; if I give my IoT device permission to see my local network, does that include the guest network; how to hackers find vulnerabilities and figure out how to attack them; why can't I use my VPN on an airplane to stream Netflix; how can I protect my cryptocurrency and smartphone. Also, I give my take on the crazy TikTok ban legislation. Links New Year’s Resolutions for 2024: https://firewallsdontstopdragons.com/new-years-resolutions-for-2024/ GRC’s Shields Up! Tool: https://www.grc.com/shieldsup Secure your home network: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ My Take on TikTok Ban: https://firewallsdontstopdragons.com/my-take-on-tiktok-ban/ The TikTok Situation is a Mess: https://lifehacker.com/tech/the-tiktok-situation-is-a-mess EFF on TikTok: https://www.eff.org/deeplinks/2024/03/5-big-unanswered-questions-about-tiktok-bill The US Wants to Ban TikTok: https://www.404media.co/the-u-s-wants-to-ban-tiktok-for-the-sins-of-every-social-media-company/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:38: Couple quick updates 0:02:37: Getting SMS 2FA codes while traveling abroad 0:07:37: Should I periodically change all my passwords? 0:13:23: How do hackers attack IoT devices inside my home network? 0:19:10: Can a website fingerprint me based on a hardware security key? 0:24:42: Can you recommend an email client that protects your privacy? 0:29:30: If I give my IoT device permission to see my local network, does that include the guest network? 0:33:18: How to hackers find vulnerabilities and figure out how to attack them? 0:37:35: Why can't I use my VPN on an airplane to stream Netflix? 0:43:57: How can I protect my cryptocurrency and smartphone? 0:50:05: AT&T breach update 0:50:56: My Take on TikTok 0:57:28: Wrap-up

He Said She Said

1 april 2024 | 60 min

Today I talk with Justin and Jodi Daniels about that state of privacy today, how we can help consumers and companies better understand the importance of privacy and security, and how companies are dealing with these aspects internally. We talk about the state of privacy regulations (or the lack thereof), why companies are failing to protect their customers, and what we can do about that. Justin and Jodi host a podcast together called She Said Privacy, He Said Security. They've also co-written a book called "Data Reimagined: Building trust one byte at a time". Interview Notes Justin & Jodi Daniels’ podcast: https://redcloveradvisors.com/podcasts/ Justin Daniels: https://www.linkedin.com/in/justinsdaniels/ Jodi Daniels: https://www.linkedin.com/in/jodihoffmandaniels/ Red Clover Advisors: https://redcloveradvisors.com/ Baker Donelson: https://www.bakerdonelson.com/ Data Reimagined book: https://redcloveradvisors.com/book-sales/ International Association of Privacy Professionals (IAPP): https://iapp.org/ Information Commissioner’s Office (ICO): https://ico.org.uk/ YourAdChoices (AboutAds.info): https://youradchoices.com/ How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ Jeff Jockisch top 10: https://www.linkedin.com/posts/jozian_privacypodcast-peopleschoice-privacyawards-activity-7155591864593637376-Q3bi/ Further Info Coin & Treasure Promo: https://fdsd.me/promo424 Send me your questions: https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:33: Interview setup 0:03:31: Tell me about your podcast and how you got into this space. 0:06:40: How do you explain privacy to regular, everyday people? 0:09:37: How can we help people better understand the need for privacy? 0:11:10: What are the newest threats to our privacy? 0:14:58: So how do we know what to trust? 0:17:07: What mistakes do companies make when crafting and implementing privacy policies? 0:21:37: How should companies embrace privacy? 0:25:51: What's life like for a Chief Privacy Officer today? 0:30:22: Can we blame companies for monetizing our data since it's legal to do so? 0:34:01: How do we combat privacy problems with security tech? 0:37:11: Why can't the US government pass a federal privacy law? 0:42:54: Would it help to pass laws that mandate transparency? 0:46:11: What about a universal opt-out mechanism? 0:47:24: Is mainstream media covering privacy and security properly? 0:49:36: What are some promising Privacy Enhancing Technologies? 0:53:50: What are some of your top resources to learn more about privacy? 0:56:09: Any final thoughts? 0:57:30: Interview follow-up 0:59:25: Looking ahead

Account Security is Broken

25 mars 2024 | 64 min

Passwords, two-factor authentication and even passkeys don't matter if you can access someone's account by answering three simple account recovery questions. Also, just about every account today has a way to reset your password, no matter how strong it is, if you can gain access to someone's email account. Until we can remove these weak links, it doesn't matter how secure our regular authentication schemes are. In the news: old A&T breach data is making the rounds; Apple Silicon chips have a security flaw baked into the hardware; two very popular digital safe locks come with backdoor codes; Twitter/X is failing to properly check posted links that redirect to scam sites; a court rules that external continuous camera surveillance of your house doesn't require a warrant; searches for VPNs spike after PornHub pulls out of Texas; a blockbuster NY Times article brings much needed attention to data collection in cars; AirBnB implements a blanket camera ban. And I announce a killer new patron promotion! Click this link! https://fdsd.me/promo424 Article Links [restoreprivacy.com] AT&T Investigating Potential Breach Following Leak of 73.4 Million Records https://restoreprivacy.com/att-investigating-breach-following-leak-of-73-4-million-records/ HaveIBeenPwned.com: https://haveibeenpwned.com/ [9to5Mac] Unpatchable security flaw in Apple Silicon Macs breaks encryption https://9to5mac.com/2024/03/22/unpatchable-security-flaw-mac/ [404media.co] Massively Popular Safe Locks Have Secret Backdoor Codes https://www.404media.co/massively-popular-safe-locks-have-secret-backdoor-codes/ [Lifehacker] It's Not Safe to Click Links on X https://lifehacker.com/tech/its-not-safe-to-click-links-on-x [Gizmodo] The Feds Can Film Your Front Porch for 68 Days Without a Warrant, Says Court https://gizmodo.com/feds-can-film-your-front-porch-without-warrant-1851352414 [CNN] Searches for VPNs spike in Texas after Pornhub pulls out of the state https://www.cnn.com/2024/03/15/tech/vpn-searches-spike-texas-pornhub [The New York Times] Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html [Lifehacker] Airbnb's New Security Camera Ban Is a Big Deal https://lifehacker.com/tech/airbnbs-new-security-camera-ban Tip of the Week: https://firewallsdontstopdragons.com/account-security-is-broken/ Further Info Become a Patron! (promo): https://fdsd.me/promo424 Lock & Code Podcast: https://www.malwarebytes.com/blog/podcast/2024/03/securing-your-home-network-is-long-tiresome-and-entirely-worth-it-with-carey-parker-lock-and-code-s05e07 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:05: News preview 0:06:12: AT&T Investigating Potential Breach Following Leak of 73.4 Million Records 0:11:24: Unpatchable security flaw in Apple Silicon Macs breaks encryption 0:16:34: Massively Popular Safe Locks Have Secret Backdoor Codes 0:21:57: It's Not Safe to Click Links on X 0:30:28: The Feds Can Film Your Front Porch for 68 Days Without a Warrant, Says Court 0:33:28: Searches for VPNs spike in Texas after Pornhub pulls out of the state 0:38:35: Automakers Are Sharing Consumers’ Driving Behavior With Insurance 0:47:36: Airbnb's New Security Camera Ban Is a Big Deal 0:49:57: Tip of the Week: Account Security is Broken 0:55:49: Dragon Coin promotion details

Health Data Privacy

18 mars 2024 | 69 min

The United States has no general data privacy laws. However, we do have some sector-specific regulations, including HIPAA for health data. But there are many misconceptions about HIPAA. For example, the "P" in HIPAA does not stand for Privacy - it stands for Portability. So, what information does HIPAA cover? Which healthcare and related service providers are governed by HIPAA? And most importantly, what can you do to protect your medical and health data? Today we'll dive deep into this subject with Kate Black, a data, privacy & health lawyer and a strategic advisor in the health data field. Interview Notes Kate Black: https://www.linkedin.com/in/kate-black-sfo/ Washington’s My Health, My Data law: https://hintzelaw.com/blog/2023/4/9/wa-my-health-my-data-act-pt1-overview HIPAA rights: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html STAT medical news: https://www.statnews.com/ Further Info Check out my dragon challenge coins! https://fdsd.me/coin2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:29: What is covered by HIPAA? What isn't covered? 0:06:51: Can I sign away my HIPAA rights? 0:08:08: Who in my medical provider's office can access my data? 0:10:23: How audits HIPAA compliance? 0:11:47: How is my health data shared between providers? 0:14:49: Are certain types of health data treated differently? 0:15:23: How does health privacy work for minors? 0:16:53: Outside of health providers, who else can access my data? 0:20:56: How does HIPAA compare to other sector-specific privacy laws? 0:22:20: Do secondary providers share back with my primary care physician? 0:24:42: Who stores and protects my digital medical records? 0:27:46: How are third party providers audited for privacy and security? 0:29:56: Are HIPAA security requirements keeping up with the times? 0:33:13: Do I have full access to my complete medical record? 0:36:52: How do marketers get my health data? 0:39:51: What laws govern inferred health information? 0:45:48: Do pharmacies sell health data to marketers? 0:48:57: How private are online medical portals and checkin services? 0:53:35: How concerned should we be about using DNA analysis services? 0:59:17: How can we improve our health privacy laws? 1:00:30: What are your personal tips for protecting health data? 1:02:37: If I think someone has abused my data, what can I do? 1:04:13: Interview wrap-up 1:06:49: Looking ahead

Backing Up 2FA Seeds

11 mars 2024 | 67 min

Two-factor authentication (2FA) is a fantastic way to improve the security of your online accounts. However, if you lose access to the device containing your authenticator app, you may lose access to your 2FA-protected accounts. You need to backup the seed codes used to set up each account. I'll give you several methods for doing this. In the news: FBI uses smartphone push notifications to track down criminals; Roku TVs block all access until users consent to force arbitration; cheap video doorbells have horrible security; AI can be used to determine where photos were taken; vending machine caught using facial recognition; what happens to your data when a data broker goes bankrupt; your personal information that is publicly available; New Jersey passes motor vehicle data deletion law; Proton Mail's new email aliasing feature; in Canada, police now need warrant to get a person's IP address; US cracks down on commercial spyware firm; NSO Group forced to hand over source code to Meta in legal case; Authy is shutting down its desktop app. Article Links [The Washington Post] The FBI’s new tactic: Catching suspects with push alerts https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/ [TechCrunch] Roku disables TVs and streaming devices until users consent to forced arbitration https://techcrunch.com/2024/03/05/roku-disables-tvs-and-streaming-devices-until-users-consent-to-forced-arbitration/ [Consumer Reports] These Video Doorbells Have Terrible Security https://www.consumerreports.org/home-garden/home-security-cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/ [NPR] Artificial intelligence can find your location in photos, worrying privacy experts https://www.npr.org/2023/12/19/1219984002/artificial-intelligence-can-find-your-location-in-photos-worrying-privacy-expert [Ars Technica] Vending machine error reveals secret face image database of college students https://arstechnica.com/tech-policy/2024/02/vending-machine-error-reveals-secret-face-image-database-of-college-students/ [The Markup] What Happens to Your Sensitive Data When a Data Broker Goes Bankrupt? – The Markup https://themarkup.org/privacy/2024/02/23/what-happens-to-your-sensitive-data-when-a-data-broker-goes-bankrupt [Lifehacker] All of Your Information That’s Publicly Available (and What You Can Do About It) https://lifehacker.com/tech/all-your-information-thats-publicly-available-what-to-do-about-it [privacy4cars.com] “Motor Vehicle Data Deletion Act” of New Jersey https://privacy4cars.com/nj-law/ [Lifehacker] Proton Mail Now Lets You Hide Your Real Email Address https://lifehacker.com/tech/how-to-set-up-email-aliases-proton-mail [CBC] Police now need a warrant to get a person's IP address, Supreme Court rules https://www.cbc.ca/news/politics/supreme-court-privacy-ipaddress-1.7130727 [The Hacker News] U.S. Cracks Down on Predatory Spyware Firm for Targeting Officials and Journalists https://thehackernews.com/2024/03/us-cracks-down-on-predatory-spyware.html [9to5Mac] iPhone spyware company NSO suffers major defeat in US court, in Meta lawsuit https://9to5mac.com/2024/03/01/iphone-spyware-company-nso-must-reveal-code/ [The Verge] Authy is shutting down its desktop app https://www.theverge.com/2024/1/8/24030477/authy-desktop-app-shutting-down Tip of the Week: Backing Up Your 2FA Seed Codes https://firewallsdontstopdragons.com/how-to-backup-2fa-seed-codes/ Command line tool to extract codes from Authy: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93 Further Info Check out my dragon challenge coins! https://fdsd.me/coin2 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch!

How Our Data is Abused

4 mars 2024 | 67 min

With the rise of IoT and tracking technologies (both online and in the real word), we are generating staggering amounts of highly personal information. This massive trove of juicy data has drawn the attention of several interested parties outside the realm of consumer marketing. Like chum in the water, it's created a feeding frenzy from data aggregators as well as from law enforcement and intelligence agencies, both foreign and domestic. The journalists at 404 Media have published several blockbuster articles on this data ecosystem which have triggered backlashes from lawmakers and consumers alike. Today I'll speak with two of the founders: Joseph Cox and Jason Koebler. Interview Notes 404 Media: https://www.404media.co/ 404 Media podcast: https://www.404media.co/the-404-media-podcast/ 404 Media support: https://www.404media.co/faq/ Formation of 404 Media: https://www.nytimes.com/2023/08/22/business/media/404-media-vice-motherboard.html Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:03: Interview setup 0:02:45: How did 404 Media come to be? 0:12:00: When do we think law enforcement started buying our data? 0:15:39: What's up with companies listening to our conversations? 0:23:01: Where does law enforcement go to get our data? 0:27:46: How are video feeds being gathered and sold? 0:34:23: Can't all this data also be used by "bad guys"? 0:39:13: Is it legal for law enforcement to buy data from foreign sources? 0:44:28: Have your stories triggered responses from the US government? 0:50:01: Trust in media is low these days - how can we fix that? 0:59:37: How can we support good work like yours? 1:03:22: Wrap-up

Mitigating AI Risks

26 februari 2024 | 65 min

Artificial Intelligence is the buzzword of the day. Since the launch of ChatGPT in November 2022, there has been a flood of AI-based tools and services. Many tech firms are racing to build AI into their products without considering the consequences, let alone taking the time to build in guardrails for privacy and security. Today, I'll tell you about some of the risks, how to mitigate them and explain why you should spend some time playing with AI tools so we can understand how they do (and don't) work. In other news: Wyze home webcams had yet another security breach; Poland's PM calls out illegal use of Pegasus spyware by opposition party; US military finally notifies 20,000 of email data breach; Skiff was bought by Notion and will shut down services; FTC fines Avast antivirus $16.5M for mining user data; Backdoors in encryption violate human rights according to EU court; LockBit ransomware servers were taken over by multinational law enforcement efforts; Apple's iMessage gaining quantum computer resistant encryption; Signal finally allows users to hide cell phone numbers via usernames; new Android secure browsing features announced. Article Links [Lifehacker] Wyze Had a Security Breach (Again) https://lifehacker.com/tech/wyze-security-breach-again [The Associated Press] Poland’s prime minister says authorities widely used spyware under the previous government https://apnews.com/article/poland-government-pegasus-spyware-tusk-duda-78420fc7099401926d28b5be98669192 [TechCrunch] US military notifies 20,000 of data breach after cloud email leak https://techcrunch.com/2024/02/14/department-defense-data-breach-microsoft-cloud-email/ [The Cut] The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger https://www.thecut.com/article/amazon-scam-call-ftc-arrest-warrants.html https://pluralistic.net/2024/02/05/cyber-dunning-kruger/ [restoreprivacy.com] Skiff Mail Shutting Down in 6 Months (Try These Alternatives) https://restoreprivacy.com/skiff-shutting-down-alternatives-to-skiff-mail/ [404media.co] FTC Fines Avast $16.5 Million For Selling Browsing Data Harvested by Antivirus https://www.404media.co/impact-ftc-fines-avast-16-5-million-for-selling-browsing-data-harvested-by-antivirus/ [Ars Technica] Backdoors that let cops decrypt messages violate human rights, EU court says https://arstechnica.com/tech-policy/2024/02/human-rights-court-takes-stand-against-weakening-of-end-to-end-encryption/ [Ars Technica] LockBit ransomware group taken down in multinational operation https://arstechnica.com/information-technology/2024/02/lockbit-ransomware-group-taken-down-in-multinational-operation/ [WIRED] Apple’s iMessage Is Getting Post-Quantum Encryption https://www.wired.com/story/apple-pq3-post-quantum-encryption/ [signal.org] Keep your phone number private with Signal usernames https://signal.org/blog/phone-number-privacy-usernames/ [Lifehacker] These New Android Features Will Keep You Safer Online https://lifehacker.com/tech/android-safer-browsing-and-live-threat-detection-rolling-out Tip of the Week: Mitigating AI Risks https://firewallsdontstopdragons.com/how-to-mitigate-the-risks-of-ai/ Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:44: AT&T outage, hot take 0:03:08: News rundown 0:04:44: Wyze Had a Security Breach (Again) 0:07:27: Poland’s PM says authorities used spyware under the previous government

Car Privacy is Horrid

19 februari 2024 | 65 min

Modern cars are chock full of sensors and connected to the internet via built-in cellular modems. That's a recipe for massive data collection. Last September, Mozilla's Privacy Not Included team released a blockbuster report how much data our cars were gathering and it was absolutely staggering. According to the hard-to-find privacy policies, your car can collect extremely personal information including precise location, contact lists from your phone, call and message data, and - believe it or not - even "sexual activity". Today, I'll walk through this report and its implications with the head of Mozilla's Privacy Not Included project, Jen Caltrider. Interview Notes Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ Mozilla’s car report: https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/ Mozilla's report on AI chatbots: https://foundation.mozilla.org/en/privacynotincluded/articles/happy-valentines-day-romantic-ai-chatbots-dont-have-your-privacy-at-heart/ Donate to Mozilla Foundation: https://donate.mozilla.org/ Mozilla layoffs: https://techcrunch.com/2024/02/13/mozilla-downsizes-as-it-refocuses-on-firefox-and-ai-read-the-memo/ Sign the petition to stop car data gathering! https://foundation.mozilla.org/en/privacynotincluded/articles/car-companies-stop-your-huge-data-collection-programs-en/ Bruce Schneier article in Slate: https://slate.com/technology/2023/12/ai-mass-spying-internet-surveillance.html Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:39: What were some top finding from your car privacy report? 0:05:14: Which cars did you review and how did you evaluate them? 0:09:44: How was I notified and how did I consent to my car's privacy policy? 0:10:39: What are cars tracking? Are electric cars any worse than gas cars? 0:13:55: What third party data mining is going on in my car? 0:20:41: Is there a way to opt out of data sharing? 0:24:10: Is less data collected in Europe? 0:26:02: Where is all my data stored? Locally, in the cloud, or both? 0:28:52: Is the data at least secured? 0:29:48: Can dealerships access my data? What about law enforcement? 0:32:28: What about rental or fleet cars? What about passengers? 0:37:24: Do car dealers disclose this data collection to shoppers? 0:39:11: What are some of the security problems with this data collection? 0:45:55: How did car makers and legislators respond to your report? 0:48:36: Do modern privacy laws cover auto data? 0:50:48: So what can we do about this today? 0:54:30: What will Privacy Not Included tackle next? 0:58:40: Wrap-up

Avoiding Tax Scams

12 februari 2024 | 53 min

It's tax time here again in the USA, and therefore it's also time for tax scams. I'll explain how to recognize common tax scams, how to respond to them, how to prevent scammers from taking over your IRS account and even filing fraudulent tax returns in your name. In other news: the Mother of All Breaches (MOAB) contains 26 billion records; 23andMe is in trouble after massive data breach and pending class action lawsuits; a viral story about a smart toothbrush botnet isn't true... but could have been; a clever hack of older computer TPM modules could expose encrypted hard drive data (but it's not easy to do); Malwarebytes has issued their 2024 malware report; the FBI and CISA are raising the alarm over Chinese hackers and key US infrastructure, as well as taking action to prevent it; you might want to consider creating a family password to defeat voice clone scams; Mozilla has released a new data deletion service; and Privacy4Cars has an interesting new mechanism for universally opting out of data collection. Article Links [cybernews] Mother of all breaches reveals 26 billion records https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/ [Fast Company] 23andMe at risk of being delisted from the Nasdaq as lawsuits mount https://www.fastcompany.com/91020738/23andme-risk-delisted-nasdaq-class-action-lawsuits [404media.co] The Viral Smart Toothbrush Botnet Story Almost Certainly Isn't Real https://www.404media.co/the-viral-toothbrush-ddos-botnet-story-almost-certainly-isnt-real/ [Tom's Hardware] YouTuber breaks BitLocker encryption in less than 43 seconds with sub-$10 Raspberry Pi Pico https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico [9to5Mac] Report: Mac security threats on the rise, here’s what to watch out for https://9to5mac.com/2024/02/06/report-mac-security-threats-on-the-rise/ [NBC News] FBI director to warn Chinese hackers aim to 'wreak havoc' on US critical infrastructure https://www.nbcnews.com/politics/national-security/fbi-director-warn-chinese-hackers-aim-wreak-havoc-us-critical-infrastr-rcna136524 [Ars Technica] Chinese malware removed from SOHO routers after FBI issues covert commands https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/ [cisa.gov] CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-secure-design-alert-urging-manufacturers-eliminate-defects-soho-routers [9to5Mac] FCC outlaws voice cloning robocalls after AI-generated voice claimed to be President Biden https://9to5mac.com/2024/02/08/voice-cloning-robocalls/ [Electronic Frontier Foundation] Worried about AI voice clone scams? Create a family password https://www.eff.org/deeplinks/2024/01/worried-about-ai-voice-clone-scams-create-family-password [The Verge] Firefox maker Mozilla has a new subscription to keep your info out of data brokers’ clutches https://www.theverge.com/2024/2/6/24062765/mozilla-monitor-plus-firefox-paid-subscription-privacy-data-broker-removal-requests [optoutcode.com] A Privacy4Cars Universal Opt-Out Concept https://optoutcode.com/ Tip of the Week: Avoiding Tax Scams https://firewallsdontstopdragons.com/how-to-avoid-tax-scams/ Further Info Secure Your Network: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ Davos speech, original: https://www.youtube.com/watch?v=fJoEPRQMBuY Davos speech, translated: https://www.youtube.com/live/6Fwv9Cek2F4?feature=shared&t=98 How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/ Send me your questions! https://fdsd.

Securing Your Mac

5 februari 2024 | 73 min

Are Macs really safer than PCs? What should you do to make your Mac more secure? How do you know if your Mac has a virus? And how do you know which security apps you can trust? I'll dig into all of these questions and more today with Mac security guru Patrick Wardle. Patrick Wardle is the founder of the Objective-See Foundation. Having worked at NASA and the NSA, as well as presented at countless security conferences Patrick is passionate about all things related to macOS security, writing books on macOS malware, and releasing free open-source security tools to protect Mac users. Interview Notes Objective See (free Mac tools): https://objective-see.org/ The Art of Mac Malware (book): https://taomm.org/ Objective by the Sea conference: https://objectivebythesea.org/ Apple’s Malware protections: https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1 Reinstall macOS in Recovery Mode: https://support.apple.com/en-us/HT204904 Jamf presentation on Apple anti-malware tools: https://www.jamf.com/resources/videos/a-closer-look-at-macos-built-in-security-tools/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:45: Interview setup 0:04:06: What have you been up to since we last had you on the show? 0:13:40: Are Macs safer than PCs? 0:17:34: How effective are modern antivirus programs? 0:22:25: Which are the better AV software programs? 0:24:45: Tell us about the Mac security apps that you created 0:27:53: How does Lulu differ from a regular firewall? 0:32:00: How do you know which security software you can trust? 0:38:00: How do we combat security fatigue? 0:43:22: Does the Apple App Store protect me from bad apps? 0:52:09: What's your take on Apple's new Lockdown Mode? 0:53:34: How do I know if my computer is infected with malware? 0:58:03: What should I do to protect my brand new Mac? 1:01:23: What worries you most right now? What gives you hope? 1:04:43: What's next for you? 1:10:31: Wrap-up

Data Privacy Week 2024

29 januari 2024 | 68 min

While every week is Data Privacy Week here at Firewalls Don't Stop Dragons, the rest of the world stops to join us in focusing on how and why to protect your personal data. I'll give you some of my top privacy tips and refer you to a lot of top privacy resources. In the news: Microsoft executives' emails are hacked by a nation-state actor; Facebook is gathering even more data with the help of other companies; a company is using real-time bidding to track us and sell to intelligence agencies; Mozilla outlines how incumbent browser owners tilt the playing field in favor of the owner; the EU is driving major changes to how iOS will work (but only in the EU); Brave browser simplifies its anti-fingerprinting options; Facebook limits how adult strangers can DM minors; FTC brings actions against GoodRx and Intuit; Samsung matches Google's 7-year OS update update promise; and Apple rolls out Stolen Device Protection feature. Article Links [msrc.microsoft.com] Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/ [Consumer Reports] Each Facebook User Is Monitored by Thousands of Companies https://www.consumerreports.org/electronics/privacy/each-facebook-user-is-monitored-by-thousands-of-companies-a5824207467/ [404media.co] Inside a Global Phone Spy Tool Monitoring Billions https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/ [Mozilla] Platform Tilt: Documenting the Uneven Playing Field for an Independent Browser Like Firefox https://blog.mozilla.org/netpolicy/2024/01/19/platform-tilt [MacRumors] Here Are All the iPhone Changes Coming to EU Users by March 6 https://www.macrumors.com/2024/01/26/iphone-changes-coming-to-eu-users/ [brave.com] Brave browser simplifies its fingerprinting protections https://brave.com/privacy-updates/28-sunsetting-strict-fingerprinting-mode/ [9to5Mac] Adult strangers won’t be able to send DMs to teens on Instagram or Facebook https://9to5mac.com/2024/01/25/teens-on-instagram-safeguards/ [ftc.gov] FTC Statement on Intuit TurboTax Case https://www.ftc.gov/news-events/news/press-releases/2024/01/statement-samuel-levine-director-ftc-bureau-consumer-protection-regarding-commissions-order-opinion [ftc.gov] FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising [9to5Google] Samsung Galaxy S24 follows Google Pixel 8’s lead with 7 years of Android updates https://9to5google.com/2024/01/17/samsung-galaxy-s24-android-updates-policy/ [AppleInsider] How to use Stolen Device Protection https://appleinsider.com/articles/24/01/23/how-to-use-stolen-device-protection Tip of the Week: Data Privacy Checklist https://fdsd.me/dpc Further Info Carey’s Data Privacy Checklist (just updated!): https://fdsd.me/dpc Proton’s mention: https://www.linkedin.com/posts/protonprivacy_protonprivacyreadinglist-activity-7155246272273170432-XlM0 Jeff Jockisch’s Best Privacy Podcast results: https://www.linkedin.com/posts/jozian_privacypodcast-peopleschoice-privacyawards-activity-7146196804940820481-yB-P Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:29: Recent accolades

Rise of the Slaughterbots

22 januari 2024 | 71 min

Drones are everywhere today. Cheap and tiny accelerometers, gyroscopes and processors have allowed us to create drones that anyone can afford and everyone can fly. Drones have been used by law enforcement and military forces, as well - for surveillance but also for killing. With the rapid development of AI technologies, what happens when we make these drones autonomous? What are the implications for privacy and security? I'll discuss this and more with Nick Weaver, computer and cybersecurity expert, and chief mad scientist at Skerry Technologies. Interview Notes Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/ NYPD drone use: https://www.washingtonpost.com/nation/2023/09/01/drones-labor-day-parties-new-york/ AI drone “kills” its operator: https://www.reuters.com/article/factcheck-ai-drone-kills/fact-check-simulation-of-ai-drone-killing-its-human-operator-was-hypothetical-air-force-says-idUSL1N38023R/ The Future of Drone Warfare: https://www.schneier.com/blog/archives/2023/10/the-future-of-drone-warfare.html Betaflight: https://github.com/betaflight/betaflight Ardupilot: https://github.com/ArduPilot/ardupilot PX4: https://github.com/PX4/PX4-Autopilot Small Business Innovation Research: https://www.sbir.gov/ Further Info Data Privacy Week: https://staysafeonline.org/programs/data-privacy-week/ Carey’s Data Privacy Checklist (just updated!): https://fdsd.me/dpc Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:21: Data Privacy Week teaser 0:01:11: Apple backdoor clarification 0:03:14: Interview setup 0:07:15: What first got you interested in autonomous drone technology? 0:10:27: What technologies have enabled the explosion of cheap drones? 0:15:22: What are the capabilities of modern consumer drones? 0:17:54: Are there any legal restrictions on flying drones? 0:20:44: Are there privacy laws around drone surveillance? 0:22:24: How are drones used by law enforcement? 0:25:14: How are drones being used for criminal purposes? 0:27:12: What level of autonomy or AI can be found in consumer drones today? 0:29:41: How hard is it to turn a DJI drone into an autonomous killbot? 0:35:49: What sorts of countermeasures have we developed against drones? 0:45:11: What roles have drones played in modern warfare? 0:48:40: Can you detect drones on radar? 0:50:22: Have drones influenced modern military tactics? 0:52:33: Are there treaties restricting automomous killing machines? 0:55:51: What's the future of automonous drone tech? 0:58:46: Is it difficult today to make your own drone? 1:06:24: Interview wrap-up 1:09:08: Annual listener survey update

New Year’s Resolutions: 2024

15 januari 2024 | 82 min

The new year is here! And I've got a handful of solid tips for you that you should absolutely plan to accomplish in 2024! I also have a lot of news to catch you up on: 23andMe blames its customers for their data breach; Burger King in Brazil using facial recognition to offer discounts based on how hungover you look; Russian agents hack live webcams to hone in on targets in Ukraine; fake celebrity ads for medicare scam on YouTube; Facebook's Link History is a confusing new tracking feature; FTC orders location data broker to stop selling your info; Google new location history changes may spell the end for geofence warrants; AirDrop anonymity cracked by China; well-hidden iPhone backdoor discovered by Kaspersky; UK tries to further expand surveillance capabilities; the Beeper Mini messaging saga is over; and a marketing company is offering to listen in on real time conversations to target ads. Article Links [TechCrunch] 23andMe tells victims it’s their fault that their data was breached https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/ [Dark Reading] Russian Agents Hack Webcams to Guide Missile Attacks on Kyiv https://www.darkreading.com/ics-ot-security/russian-agents-use-residential-webcams-to-gather-info-for-missile-attack-on-kyiv [404media.co] Deepfaked Celebrity Ads Promoting Medicare Scams Run Rampant on YouTube https://www.404media.co/joe-rogan-taylor-swift-andrew-tate-ai-deepfake-youtube-medicare-ads/ [Gizmodo] Meet ‘Link History,’ Facebook’s New Way to Track the Websites You Visit https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018 [ftc.gov] FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data [Electronic Frontier Foundation] Is This the End of Geofence Warrants? https://www.eff.org/deeplinks/2023/12/end-geofence-warrants [9to5Mac] AirDrop cracked by China, revealing phone number and email address of sender https://9to5mac.com/2024/01/09/airdrop-cracked-by-china/ [Schneier Blog] New iPhone Exploit Uses Four Zero-Days https://www.schneier.com/blog/archives/2024/01/new-iphone-exploit-uses-four-zero-days.html Security Now, Ep955: https://youtu.be/fJHzq4YOv68?si=WTdyr5LCXV4xJh-k&t=2105 [POLITICO Europe] Britain’s got some of Europe’s toughest surveillance laws. Now it wants more https://www.politico.eu/article/uk-bulking-up-spying-regime-breakneck-speed/ [MacRumors] Beeper Mini Resorts to Jailbreaking iPhones to Rescue Blue Bubbles https://www.macrumors.com/2023/12/21/beeper-mini-jailbroken-iphones-rescue-imessage/ [404media.co] Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/ Tip of the Week: https://firewallsdontstopdragons.com/new-years-resolutions-for-2024/ Further Info Take the annual listener survey! https://fdsd.me/survey2024 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:38: Listener survey 0:01:57: News rundown 0:04:35: 23andMe blames victims for their data breach 0:09:39: Russian Agents Hack Webcams to Guide Missile Attacks on Kyiv 0:15:19: Deepfaked Celebrity Ads Promoting Medicare Scams ...

Investigating Data Leaks

8 januari 2024 | 64 min

Data breaches are usually produced by hackers looking for financial gain. Data leaks, on the other hand, are usually published by whistleblowers or perhaps accidentally disclosed via negligence. Journalists today are inundated by such data leaks - to the point where specialized tools and techniques are required to parse through the piles of digital detritus to ascertain the value and import that they may represent. Micah Lee has been performing this function for The Intercept for many years, including analyzing the Snowden documents. And he has just released a book that outlines the tools, techniques and procedures he uses for this arduous process. Today we discuss the importance and impact of whistleblowers, the state of data leaks today, and how it has impacted modern journalism. Interview Notes Micah’s book: https://hacksandleaks.com/ Excerpt article: https://theintercept.com/2023/12/16/hacked-datasets-verification/ Micah’s GIthub project: https://github.com/micahflee/hacks-leaks-and-revelations COINTELPRO documentary: https://en.wikipedia.org/wiki/1971_(2014_film) “The Burglary” book: https://www.amazon.com/Burglary-Discovery-Edgar-Hoovers-Secret/dp/0307962954 EFF’s Surveillance Self-Defense Guide: https://ssd.eff.org/ Further Info Take the annual listener survey! https://fdsd.me/survey2024 Vote for my show as the best privacy podcast! http://tinyurl.com/PPPCAwards2024 Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Become a patron! https://www.patreon.com/FirewallsDontStopDragons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:29: Pre-show notes 0:03:32: Interview prep 0:05:57: Tell us more about the book and why you wrote it. 0:08:11: What's the difference between a data breach and a data leak? 0:10:02: What are some of history's most importank leaks? 0:16:14: How do journalists typically obtain leaked data? 0:22:04: You've just obtained a massive blob of data. How do you analyze it? 0:27:05: How do you handle leaked data ethnically? 0:30:14: Do you warn the owners of leaked data before you reveal it? 0:32:23: I want to blow the whistle? What should I do? What shoudn't I do? 0:36:28: I've extracted my data. How do I securely share it with a journalist? 0:38:57: What are the legal ramifications of whistleblowing? 0:41:57: How hard is it to analyze digital data? What tools do you use? 0:44:39: Are there dangers to analyzing leaked data? 0:46:43: How do organizations try to identify data leakers? 0:49:42: Will AI tools like ChatGPT help to analyze data leaks? 0:52:19: What can the average person take away from all of this? 0:54:15: How do you know which news sources you can trust today? 0:56:08: Interview wrap-up 0:57:10: Micah blocked on Twitter? 0:57:55: Text parsing tools 0:58:30: Show links 0:58:53: Bonus podcast preview 0:59:42: Annual listener survey raffle info

Best of 2023 Bonus Content

1 januari 2024 | 58 min

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I've got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests, along with an episode of my more-technical bonus series I call Merlin's Musings. You'll hear from Josh Corman (CISA and I Am the Cavalry), Ernesto Falcon (EFF and CA Senate candidate), Omega and Deth Veggie (Cult of the Dead Cow), Michael Littman (AI expert from Brown Univ) and Cory Doctorow (author and activist), plus the strange story of the ProxyHam. Podcast Links These are links to the public podcasts associated with the bonus clips I played today along with some related links. Ep332, Josh Corman: https://podcast.firewallsdontstopdragons.com/2023/07/10/national-cyber-strategy/ Cyberattacks on hospitals are growing threats to patient safety, experts say : https://abcnews.go.com/Health/cyberattacks-hospitals-growing-threats-patient-safety-experts/story?id=99115898 Ep334, Ernesto Falcon: https://podcast.firewallsdontstopdragons.com/2023/07/24/the-politics-of-privacy/ Ep336, Cult of the Dead Cow: https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/ Ep338, Michael Littman: https://podcast.firewallsdontstopdragons.com/2023/08/21/demystifying-ai/ Ep348, Cory Doctorow: https://podcast.firewallsdontstopdragons.com/2023/10/30/reclaiming-the-internet/ Wired article on ProxyHam: https://www.wired.com/2015/07/online-anonymity-project-proxyham-mysteriously-vanishes/ Hackaday ProxyHam: https://hackaday.com/tag/proxyham/ ProxyGambit: https://github.com/samyk/proxygambit Further Info Become a patron! https://www.patreon.com/FirewallsDontStopDragons Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:41: Josh Corman: analog back and sci-fi table top exercises 0:12:51: Ernesto Falcon: raising money and CA influence 0:19:19: Cult of the Dead Cow: Agent Steal 0:23:44: Michael Littman: Superintelligent AI risks vs reality 0:33:03: Cory Doctorow: Burning Man 0:41:00: Merlin's Musings: ProxyHam 0:53:37: Wrapup & patron perks

Classic Replay: Lavabit

25 december 2023 | 70 min

Today, I dip back into the archives to bring you a classic interview from the first year of this podcast. In Episode 21 (Aug 2017) I interviewed Ladar Levison, the founder of the secure email service Lavabit. He started Lavabit in 2004 as one of the first truly secure, end-to-end encrypted email services focused on the privacy of users, almost ten years before Proton Mail launched. But when the FBI came (literally) knocking in 2013 asking him to subvert the encryption so that they could monitor his users (in particular a guy named Edward Snowden), Ladar decided to shut down Lavabit instead of complying. Ladar relaunched Lavabit in 2021 and I interviewed him that summer about his company, the right to privacy, the story of the shutdown, and much more. It's as relevant today as it was then. Interview Notes Lavabit: https://lavabit.com/ Lavabit history: https://en.wikipedia.org/wiki/Lavabit Mr Peaboy and the Wayback Machine: https://en.wikipedia.org/wiki/Mister_Peabody Further Info Send me your questions! https://fdsd.me/qna Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Subscribe to the newsletter: https://fdsd.me/newsletter Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:29: Set the Wayback Machine for 2017! 0:04:10: Episode 1 intro 0:06:47: Ladar Levison episode intro 0:09:43: How and why did you start Lavabit? 0:13:24: Why did you shut Lavabit down in 2013? 0:18:36: How did the Snowden FBI request differ from the previous ones? 0:22:56: Why is privacy important for democracy? 0:26:56: Why don't people seem to believe privacy is important? 0:28:32: Why should we fight for our right to privacy? 0:30:51: What is the legal basis for email searches? 0:35:12: How should we allow law enforcement access to private data? 0:39:29: Do you worry about losing access to encryption technology? 0:51:25: Is secure email an oxymoron? 0:53:30: How do we protect users from themselves? 0:55:30: Who should be using encrypted email? 0:59:35: What is the new Lavabit service like? 1:01:33: How does Lavabit work with non-Lavabit recipients? 1:02:25: Is the new Lavavit service available now? 1:04:08: Does using E2EE services get you on some watch list? 1:05:56: How can people best support the right to privacy? 1:07:56: Wrap-up and look ahead

Best of 2023

18 december 2023 | 67 min

Restoring Trust in Elections

11 december 2023 | 69 min

We here in the US like to believe that we're the gold standard for democracy. And yet, in recent years, much of the electorate has lost faith in the outcome of our elections. Many security researchers have found concerning vulnerabilities in our voting systems, and yet we have no evidence that those vulnerabilities have actually been exploited. Many people believe that people are voting multiple times or that ineligible people are voting, and yet study after study shows that voter fraud is nearly non-existent. How can we restore trust in our election results? What changes must we make to our election systems and processes to promote complete transparency and remove doubt? Today I'll dig deep into this complicated topic with Ben Adida, founder and Executive Director of VotingWorks. Interview Notes VotingWorks: https://www.voting.works/ Risk Limiting Audits with ARLO: https://www.voting.works/risk-limiting-audits Verified Voting, Verifier tool: https://verifiedvoting.org/verifier/ Ben’s PhD thesis defense (Verifying a Secret-Ballot Election with Cryptography) and much more: https://ben.adida.net/presentations/ Voluntary Voting System Guidelines (VVSG) 2.0: https://www.eac.gov/sites/default/files/TestingCertification/Voluntary_Voting_System_Guidelines_Version_2_0.pdf Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/ ElectionGuard interview: https://podcast.firewallsdontstopdragons.com/2021/12/06/defending-democracy-with-technology/ DEF CON Voting Village videos: https://www.youtube.com/@defconvotingvillage/videos Further Info Give the gift of privacy and security: https://fdsd.me/coupons Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:28: What is the mission of VotingWorks and what drove you to found it? 0:04:39: How do election work, exactly, here in the US? 0:12:26: How are all the votes tabulated and reported? 0:14:11: Where are US elections most vulnerable to influence? 0:19:52: How does accessibility impact security in elections? 0:24:27: How can we harden the election systems and processes? 0:31:16: How to risk-limiting audits work? 0:33:11: How vulnerable are election computers to hacking? 0:36:37: If our systems are vulnerable, why haven't they been hacked? 0:43:37: How can we best convince people that our election outcomes are valid? 0:51:30: How prevelent is voter fraud in the US? 0:53:56: Do we have federal minimum guidelines for election security? 0:56:52: Why aren't election systems open for third party review? 0:58:25: How do I learn about my local election systems and processes? 1:04:22: Wrap-up 1:07:34: Looking ahead

Using Email Aliases

4 december 2023 | 72 min

Your online account credentials have two parts: a user name and a password. Today, most online providers force you to use your email address for your user name. This gives the service provider a guaranteed way to contact (and spam) their users, but it also means that bad guys know half of all your credentials and data brokers have a unique ID to track you across all your accounts. Today I'll explain the value of using email aliases for your online user names. In other news: Iranian hackers attack US water plant; CISA launches program to address critical infrastructure threats; Google Drive users report missing data; Plex users fear new feature will leak p0rn watching habits; several articles on the ease of using data broker tools to spy on just about anyone, creating privacy and national security problems; smart mattress company CEO inadvertently reveals extent of data collection; concerns about IoT device sold with a home; overblown fears over Apple's new NameDrop feature; Zelle offering refunds to some scam victims; and Malwarebyte's survey of people's security practices (spoiler: it's bad). Article Links [The Hacker News] Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S. https://thehackernews.com/2023/11/iranian-hackers-exploit-plcs-in-attack.html [Dark Reading] CISA Launches Pilot Program to Address Critical Infrastructure Threats https://www.darkreading.com/ics-ot/cisa-launches-pilot-program-critical-infrastructure-threats [AppleInsider] Google Drive users complain of missing files, months of data disappearing https://appleinsider.com/articles/23/11/27/google-drive-users-complain-of-missing-files-months-of-data-disappearing [404media.co] Plex Users Fear New Feature Will Leak Porn Habits to Their Friends and Family https://www.404media.co/plex-users-fear-discover-together-week-in-review-feature-will-leak-porn-habits-to-their-friends-and-family/ [Rolling Stone] We Spied on Trump’s ‘Southern White House’ From Our Couches https://www.rollingstone.com/culture/culture-features/data-brokers-trump-tech-spying-privacy-threat-1234897098/ [9to5mac.com] Data brokers selling even more sensitive info; national security risk, says report https://9to5mac.com/2023/11/14/data-brokers-sensitive-info/ [MIT Technology Review] The US military’s privacy problem in three charts https://www.technologyreview.com/2023/11/13/1083262/the-us-militarys-privacy-problem-in-three-charts/ [therecord.media] Court rules automakers can record and intercept owner text messages https://therecord.media/class-action-lawsuit-cars-text-messages-privacy [404media.co] CEO Reminds Everyone His Company Collects Customers' Sleep Data to Make Zeitgeisty Point About OpenAI Drama https://www.404media.co/ceo-reminds-everyone-eightsleep-pod-collects-sleep-data-to-make-zeitgeisty-point-about-openai-drama/ [sdmmag.com] Who Is Gonna “Own” the IoT? https://www.sdmmag.com/articles/93730-who-is-gonna-own-the-iot [TechRadar] NameDrop in iOS 17 doesn’t have to be a privacy nightmare – here’s how to control it https://www.techradar.com/phones/ios/namedrop-in-ios-17-doesnt-have-to-be-a-privacy-nightmare-heres-how-to-control-it [9to5mac.com] Zelle scams: App now starting limited refunds, under pressure from lawmakers https://9to5mac.com/2023/11/13/zelle-scams/ [malwarebytes.com] 3 crucial security steps people should do, but don't https://www.malwarebytes.com/blog/news/2023/10/the-3-crucial-security-steps-people-should-do-but-dont OwnCloud hack: https://www.helpnetsecurity.com/2023/11/28/cve-2023-49103/ Pros & Cons of Antivirus Software: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/ Tip of the Week: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/ Further Info Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support

Smart City Blues

27 november 2023 | 58 min

City governments are relying more and more on a vast network of sensors to tell them what's going on: stop light cameras, gunshot detectors, air quality sensors, license plate readers, automated toll booths, and much more. While these technologies can help the powers that be allocate precious resources and gain helpful insights, they can also lead to over-policing, chilling of free speech and mass warrantless surveillance. Today I'll discuss the dangers of smart cities with Eleni Manis from the Surveillance Technology Oversight Project (STOP). Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/ S.T.O.P.'s Beginner’s Guide to the All-Too-Dumb World of Smart Cities: www.justcities.tech CCOPS laws: https://www.eff.org/issues/community-control-police-surveillance-ccops Further Info Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/ Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:38: What got you into researching smart cities? 0:09:03: What are the positive aspects of smart cities? 0:13:06: How ubiquitous are these smart city technologies? 0:15:32: What are some of the most concerning smart city technologies? 0:16:45: is this data being shared between local and federal agencies? 0:19:14: Can students opt out of school surveillance? 0:20:48: How can the police access footage from video doorbells? 0:24:20: How is this tech used for predictive policing? 0:26:31: Do these predictive policing systems actually work? 0:27:29: How does this mass surveillance affect people? 0:28:58: What about use of surveillance tech in neighborhoods? 0:33:56: Who operates these sensor networks? Who can access the data? 0:37:49: Is it possible to anonymize this data properly? 0:42:06: Can government agencies access our cellular data? 0:45:22: Can you refuse to hand your cell phone over to authorities? 0:48:04: Can we find ways to collect this data without ruining privacy? 0:49:42: How do I find out what smart city tech is being used in my area? 0:53:29: Wrap-up 0:54:57: Preview of upcoming shows

Best & Worst Gifts for 2023

20 november 2023 | 62 min

The holiday gift-giving season is upon us - and therefore it's time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I've got some top tips for how to shop for privacy-respecting, security-protecting products! I've even got some ideas for free and helpful stocking stuffers. In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children's tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing 'staggering' amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU. Article Links [The Hacker News] FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks https://thehackernews.com/2023/11/fcc-enforces-stronger-rules-to-protect.html [TechCrunch] Children’s tablet has malware and exposes kid’s data, researcher finds https://techcrunch.com/2023/11/16/childrens-tablet-has-malware-and-exposes-kids-data-researcher-finds/ [BleepingComputer] PJ&A says cyberattack exposed data of nearly 9 million patients https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/ [8newsnow.com] Hackers target Las Vegas plastic surgeons, post patient information, naked photos online https://www.8newsnow.com/investigators/hackers-target-las-vegas-plastic-surgeons-post-patient-information-naked-photos-online/ [Ars Technica] Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/ [bitwarden.com] Bitwarden launches passkey management https://bitwarden.com/blog/bitwarden-launches-passkey-management/ [Electronic Frontier Foundation] Article 45 Will Roll Back Web Security by 12 Years https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/ Further Info Give Thanks!: https://firewallsdontstopdragons.com/give-thanks-donate/ Consumer Reports Naughty List: https://foundation.mozilla.org/en/privacynotincluded/articles/our-longest-naughty-list-ever-the-2023-holiday-buyers-guide-is-here/ Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: News run-down 0:03:18: FCC Enforces Stronger Rules to Protect Against SIM Swapping 0:06:39: Children’s tablet has malware and exposes kid’s data 0:11:22: Cyberattack exposed data of nearly 9 million patients 0:15:16: Hackers target plastic surgeons, post patient info, naked photos online 0:22:37: Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing 0:27:10: Bitwarden launches passkey management 0:30:45: Article 45 Will Roll Back Web Security by 12 Years 0:39:00: Best & Worst Gifts for 2023 0:42:38: The Naughty List 0:47:50: The Nice List 0:59:14: Give thanks! 1:00:03: FDSD Merch sale! 1:00:25: Upcoming shows & promotion

Smartphone Spyware

13 november 2023 | 72 min

Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but are often used to abuse or stalk adult partners or ex-lovers. Today I'll discuss the state of these malicious apps, ways to protect our smartphones and even detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole. Interview Notes iVerify app: https://www.iverify.io/consumer xkcd “Security” cartoon: https://xkcd.com/538/ Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:38: Interview setup 0:03:08: How does iVerify work and why did you create it? 0:07:10: What sort of people need protection like iVerify? 0:11:07: How do you know that you can trust a security app? 0:14:54: What do MDM profiles do to my phone? Is it reversible? 0:20:37: How dangerous are third-party app stores, compared to Apple/Google? 0:27:37: If an app I've installed is pulled from the app store, will I be notified? 0:28:50: How hard is it today to jailbreak a phone? 0:31:49: How do you tell if a phone has been hacked? 0:33:21: Can you detect if an app has escaped its sandbox? 0:38:09: What is the marketplace like for spyware? 0:41:36: Are phones getting harder to hack? 0:44:16: Is it possible to detect or prevent hacking via physical access? 0:49:11: How do Apple and Google phones compare on security? 0:52:08: How does Apple's Lockdown Mode work? 0:54:47: Should governments outlaw the sale of mercenary spyware? 1:01:10: Should governments hoard 0-days or disclose them? 1:03:31: What are your top security tips for regular users? 1:05:44: What's next for iVerify? 1:07:28: Wrap-up

The Rise of Cellular IoT

6 november 2023 | 64 min

Connecting all our stuff to the internet – making devices “smart” – brings with it a lot of risks. Besides the more obvious cybersecurity vulnerabilities, these devices are also collecting a lot of personal data, offsetting razor thin profit margins by monetizing our data. In most cases, we can limit this data exfiltration using outbound firewalls and DNS services, or just by disconnecting the devices from the internet altogether. But lately I've been seeing devices coming configured with cellular data connections, which would effectively bypass your home network entirely - and therefore your ability to block or control the data flow. In other news: 1Passwords discloses security breach; Drug makers to pay 23andMe for access to your DNA; EFF publishes guidance for 23andMe customers after further data breach; Apple's private Wi-Fi MAC address feature has never worked right, until now; Hackers find side-channel attack on Apple Silicon to pull private data from Safari browsers; Windows PCs targeted with new malware; YouTube is waging a new way on ad blockers; Apple's iMessage has new method to thwart 'ghost' listeners; the White House releases sweeping executive order on AI; Pew publishes new study on data privacy views. Article Links [BleepingComputer] 1Password discloses security incident linked to Okta breach https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/ [Bloomberg] Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA https://www.bloomberg.com/news/articles/2023-10-30/23andme-will-give-gsk-access-to-consumer-dna-data [Electronic Frontier Foundation] What to Do If You're Concerned About the 23andMe Breach https://www.eff.org/deeplinks/2023/10/what-do-if-youre-concerned-about-23andme-breach [AppleInsider] Apple's private Wi-Fi MAC addresses were security theater until iOS 17.1 https://appleinsider.com/articles/23/10/27/apples-private-wi-fi-mac-addresses-were-security-theater-until-ios-171 [Ars Technica] Hackers can force iOS and macOS browsers to divulge passwords and much more https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/ [TechRadar] Windows PCs are being targeted with a nasty new malware - here's what you need to know https://www.techradar.com/pro/security/windows-pcs-are-being-targeted-with-a-nasty-new-malware-heres-what-you-need-to-know [404media.co] YouTube's 'War' on Adblockers Shows How Google Controls the Internet https://www.404media.co/youtubes-war-on-adblockers-shows-how-google-controls-the-internet/ [9to5mac.com] iMessage Contact Key Verification blocks the ‘ghost proposal’ plan by government spy agency https://9to5mac.com/2023/10/30/imessage-contact-key-verification-reason/ [Mashable] White House drops an AI regulation bombshell: 10 new mandates that'll shake up the industry https://mashable.com/article/white-house-drops-ai-regulation-bombshell [pewresearch.org] How Americans View Data Privacy https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/ Tip of the Week: The Rise of Cellular IoT https://firewallsdontstopdragons.com/the-rise-of-cellular-iot/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:56: News rundown 0:03:11: 1Password discloses security incident linked to Okta breach 0:06:09: Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA 0:10:08: What to Do If You're Concerned About t...

Reclaiming the Internet

30 oktober 2023 | 70 min

What happened to the internet? It had so much promise. Social media and search results are full of stuff we never wanted to see. Surveillance capitalism is monetizing our most private information to serve us so many ads that we can never seem to consume the actual content. And if we're all so unhappy with the incumbents, where are the competitors offering better service? Cory Doctorow helps us understand how the internet got so crappy and what we can do to fix it. Cory Doctorow is a science fiction author, activist, journalist and blogger at the site Pluralistic. He has written a bunch of great books, both fiction and non, including Little Brother, Red Team Blues and Chokepoint Capitalism. Interview Notes TikTok’s Ensh*tification: https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys Cory’s blog: https://pluralistic.net/ Cory at DEF CON 31: https://www.youtube.com/watch?v=rimtaSgGz_4 The Internet Con: https://craphound.com/category/internetcon/ Chokepoint Capitalism: https://chokepointcapitalism.com/ Red Team Blues: https://craphound.com/category/novels/redteamblues/ Saving the News from Big Tech: https://www.eff.org/deeplinks/2023/04/saving-news-big-tech Tracking Exposed: https://tracking.exposed/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:55: Defining some terms 0:03:57: Swear warning 0:04:25: What have you been up to since we last had you on the show? 0:07:58: What is ensh*tification? How does it work? 0:18:26: Have any companies actually completed the ensh*tification cycle? 0:22:36: Do we have concrete examples of interoperability breaking this cycle? 0:29:07: What percentage of oday are not what we asked for? 0:37:04: What happens to DRM'd content when the licencing company goes away? 0:39:19: How can we reverse engineer these algorithms? 0:41:04: How is social media promotion like a big carnival teddy bear? 0:44:28: Whatever happened to the Amazon Smile program? 0:45:58: What do you mean by the End-to-End Principle? 0:51:53: Isn't ensh*tification just a natural result of modern capitalism? 0:54:02: Doesn't capitalism require rules (aka regulations)? 0:57:18: So what are the solutions? How do we fix the internet? 1:02:46: Did we undermine antitrust by lowering the bar of consumer harm? 1:04:25: What can we do to help, as consumers and citizens? 1:07:06: Wrap-up 1:07:50: Looking ahead

It’s Time to Try Proton

23 oktober 2023 | 57 min

Email is old and was never built for security and privacy. Thankfully there are several modern secure email services. My personal favorite is Proton Mail and I'll explain to you today why you should really give it a try. I will also (finally) answer several interesting "Dear Carey" questions from listeners. In other news: If you use WinRAR, you need to update right away; hackers are targeting a company that brokers Emergency Data Requests between law enforcement and Big Tech companies; Google is forced to reveal user search history in a CO court case; Google is making passkeys the default, but you may want to wait; EFF asks MasterCard to stop selling our data; and Bruce Schneier has an insightful article around the rather heated discussions over the benefits and dangers of artificial intelligence. Article Links [Gizmodo] You Need to Update WinRAR, Right Now https://gizmodo.com/you-need-to-update-winrar-right-now-1850939201 [404media.co] Hackers Target Company That Vets Police Data Requests for Tech Giants https://www.404media.co/hackers-target-kodex-accounts-edrs/ [TechSpot] Google forced to reveal user search history in Colorado court ruling https://www.techspot.com/news/100529-google-forced-reveal-users-search-queries-colorado-court.html [blog.google] Passwordless by default: Make the switch to passkeys https://blog.google/technology/safety-security/passkeys-default-google-accounts/ [Electronic Frontier Foundation] Mastercard Should Stop Selling Our Data https://www.eff.org/deeplinks/2023/10/mastercard-should-stop-selling-our-data [Schneier Blog] AI Risks https://www.schneier.com/blog/archives/2023/10/ai-risks.html Tip of the Week: Try Proton https://firewallsdontstopdragons.com/its-time-to-try-proton/ Further Info De-Googling Your Life: https://firewallsdontstopdragons.com/reducing-my-google-footprint/ Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:12: News rundown 0:02:38: You Need to Update WinRAR, Right Now 0:05:10: Hackers Target Company That Vets Police Data Requests for Tech Giants 0:11:22: Google forced to reveal user search history in Colorado court ruling 0:15:59: Google: Passwordless by default 0:21:48: EFF: Mastercard Should Stop Selling Our Data 0:25:59: Bruce Schneier: AI Risks 0:33:12: Mailbag!! 0:42:28: Tip of the Week: Try Proton 0:54:25: Wrap up, look ahead

What’s Your Threat Model?

16 oktober 2023 | 61 min

There are several privacy-focused services available today. And the products we use have a dizzying array of privacy and security settings. How do you know which products you need and which vendors you can trust? How do you know which protections you need and which ones you don't? It comes down to understanding your personal threat model. We each have different things to protect and different consequences for failure. Today I'll speak with Andy Yen, CEO and founder of Proton, to help us figure out what we need. Interview Notes Proton Sentinel: https://proton.me/blog/sentinel-high-security-program Privacy Decrypted #1: https://proton.me/blog/what-is-a-threat-model?ref=instantsearch Private from Everyone (But Us): https://podcast.firewallsdontstopdragons.com/2022/04/25/private-from-everyone-but-us/ Security Planner (threat model tool): https://innovation.consumerreports.org/initiatives/security-planner/ Ars Technica threat model series: https://arstechnica.com/features/2021/10/securing-your-digital-life-part-1/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:03: Show preview0:01:44: Delete Act passes0:02:36: What new at Proton since we last spoke?0:07:00: How do you determine your personal threat model?0:09:21: How does Proton decide which threat models to address?0:13:40: How do you learn about all the possible security settings?0:15:37: How do you know which companies and products you can trust?0:18:11: How should VC money and buyouts affect our trust?0:22:30: What should tech reviewers be focusing on with privacy products?0:26:24: How important is a company's location for privacy?0:28:47: Are technological solutions sufficient to protect our data?0:30:22: Has Proton received any pressure from governments to weaken privacy?0:33:27: Does Proton actively market to government officials?0:34:43: How can larger companies protect against insider threats?0:37:05: What's your take on the LastPass breach?0:41:32: What is Proton Sentinel and who is it for?0:46:09: Will Sentinel be able to scale?0:47:31: Proton asks Sentinel users for personal information - is that safe?0:51:04: Can you share any specific Sentinel success stories?0:53:39: What other features would you like to add to Proton?0:58:30: Wrap-up1:00:11: Look ahead

Cybersecurity Awareness Month

9 oktober 2023 | 67 min

October is national Cybersecurity Awareness Month here in the US. One of the four key themes this year is Recognizing and Reporting Phishing. We just discussed this at length with Nick Oles, but I wanted to give my perspective and tell you how to report phishing emails to the proper authorities. In other news: cheap Android TV boxes come laced with malware and fraud software; 23andMe investigating massive data breach; US agencies caught using location data illegally; Meta proposes subscription plans in Europe for Facebook and Instagram; FBI warns of 'phantom hacker' scams targeting elderly; new Microsoft AI tool can simulate any voice with just 3 seconds of audio; attackers don't bother brute-forcing long passwords; free upgrade from Windows 7/8 to 10 is going away soon; FCC details plans to reinstate net neutrality; how to turn off Google's new Topics tracking system; new app from Consumer Reports to delete personal data; new privacy-respecting URL shortening tool from Panquake. Article Links [WIRED] Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/ [cyberscoop.com] DNA testing service 23andMe investigating theft of user data https://cyberscoop.com/23andme-user-data-theft/ [404media.co] ICE, CBP, Secret Service All Illegally Used Smartphone Location Data https://www.404media.co/ice-cbp-secret-service-all-broke-law-with-smartphone-location-data/ [9to5mac.com] Meta proposing ad-free Facebook and Instagram plans for up to $17/month https://9to5mac.com/2023/10/03/facebook-instagram-no-ads-plan/ [BleepingComputer] FBI warns of surge in 'phantom hacker' scams impacting elderly https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/ [futurism.com] New Microsoft AI Can Clone Your Voice From Three Seconds of Audio https://futurism.com/the-byte/new-microsoft-ai-clone-your-voice [therecord.media] Attackers don’t bother brute-forcing long passwords, Microsoft engineer says https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/ [TechRadar] Been putting off that free Windows 11 or 10 upgrade? Windows 7 and 8 diehards need to move fast https://www.techradar.com/computing/windows/been-putting-off-that-free-windows-11-or-10-upgrade-windows-7-and-8-diehards-need-to-move-fast [Ars Technica] FCC details plan to restore the net neutrality rules repealed by Ajit Pai https://arstechnica.com/tech-policy/2023/09/fcc-details-plan-to-restore-the-net-neutrality-rules-repealed-by-ajit-pai/ [Electronic Frontier Foundation] How To Turn Off Google’s “Privacy Sandbox” Ad Tracking—and Why You Should https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should [CNET] This App Can Delete Your Personal History from Websites. And It's Simple https://www.cnet.com/tech/services-and-software/this-app-can-delete-your-personal-history-from-websites-and-its-simple-heres-how-to-use/ [talkliberation.substack.com] NOW SERVING: An early release of the Panquake Pie! https://talkliberation.substack.com/p/panquake-early-release-pnqk-now-available Tip of the Week: Catching Phish: https://firewallsdontstopdragons.com/how-to-catch-a-phish/ Further Info Win a copy of “How to Catch a Phish”! https://fdsd.me/catchaphish National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month Microsoft’s VALL-E voice-gen tool: https://www.microsoft.com/en-us/research/project/vall-e-x/ Panquake URL shortener: https://pnqk.me/ Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.

Catching Phish

2 oktober 2023 | 70 min

The weakest link in most cybersecurity systems is you - that is, human beings. And one of the primary ways that people are tricked into infecting their devices (and potentially then threatening other devices on the network) is through phishing. We've all seen the Nigerian Prince scams, but with AI tools like ChatGPT, scam emails are going to get a lot harder to spot. On today's show, author and cybersecurity expert Nick Oles will teach us how to recognize phishing emails, introduce us to tools for detecting and protecting against phishing, and detail other techniques for defending against these sorts of attacks. All of this is just a taste of the top notch advice contained in his new book, "How to Catch a Phish". Interview Notes How to Catch a Phish: https://www.amazon.com/How-Catch-Phish-Practical-Detecting/dp/1484293606 Win a free copy!! https://fdsd.me/catchaphish Nick Oles on LinkedIn: https://www.linkedin.com/in/nick-o-8b5b6349/ National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month Virustotal URL scanner: https://www.virustotal.com/gui/home/url URLscan.io: https://urlscan.io/ SANS PICERL Incident Response model (PDF): https://www.sans.org/media/score/504-incident-response-cycle.pdf Malwarebytes personal: https://www.malwarebytes.com/getprotection Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:45: Patron book club update0:02:11: Nat'l Cybersecurity Awareness Month0:02:48: What drove you to write the book?0:06:57: What really happens behind the scenes when I send an email?0:13:37: What are email headers and why would I want to look at them?0:17:13: How are email senders spoofed and can we prevent this?0:23:35: Do email clients have indicators for vetted senders?0:25:40: What is phishing and how can we recognize it?0:32:06: How has phishing evolved over the years?0:37:01: What are spearphishing and business email compromise?0:40:24: Do spam filters help at all with phishing emails?0:42:50: How do I know if I can trust any link or URL in an email?0:48:34: Are web email clients safer than dedicated email apps?0:51:35: How can we know which email attachments are safe to open?0:54:48: If I accidentally click a bad link or attachment, what then?0:59:11: How will AI impact phishing campaigns?1:01:13: Are things getting better or getting worse?1:04:08: Interview wrap-up1:07:44: Book giveaway details

iOS 17 Security & Privacy

25 september 2023 | 64 min

Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I'll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loves ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others. In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too difficult to use. Article Links [MakeUseOf] Update Everything: This Critical WebP Vulnerability Affects Major Browsers and Apps https://www.makeuseof.com/critical-webp-vulnerability-affects-major-browsers-apps/ [Consumer Reports] Credit Bureaus Equifax, Experian, and TransUnion Announce Permanent, Free Weekly Access to Credit Reports https://www.consumerreports.org/money/credit-scores-reports/credit-bureaus-permanent-free-weekly-credit-report-access-a2226546788/ [proton.me] Introducing Proton CAPTCHA https://proton.me/blog/proton-captcha [The Washington Post] FTC consumer protection chief puts data brokers on notice https://www.washingtonpost.com/politics/2023/09/21/ftc-consumer-protection-chief-puts-data-brokers-notice/ [briankrebs] LastPass: ‘Horse Gone Barn Bolted’ is Strong Password https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/ [ZDNet] Why you can still trust (other) password managers, even after that LastPass mess https://www.zdnet.com/article/why-you-can-still-trust-other-password-managers-even-after-that-lastpass-mess/ [The Verge] ‘Hyundai Pay’ is the latest effort by car companies to make in-car payments a thing https://www.theverge.com/2023/9/6/23861412/hyundai-pay-parkopedia-in-car-payment [theprivacydad.com] Privacy Tools Are Not Worth the Hassle https://theprivacydad.com/privacy-tools-are-not-worth-the-hassle/ [TechCrunch] iOS 17 includes these new security and privacy features https://techcrunch.com/2023/09/18/ios-17-includes-these-new-security-and-privacy-features/ Tip of the Week: iOS 17 Security & Privacy: https://firewallsdontstopdragons.com/ios-17-security-privacy/ Further Info Secure Your Home Network article series: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: Delete Act update 0:00:59: BSides RDU 0:01:54: News rundown 0:04:20: Critical WebP Vulnerability Affects Major Browsers and Apps 0:12:22: Credit Bureaus Announce Permanent, Free Weekly Access to Credit Reports 0:17:24: Introducing Proton CAPTCHA 0:22:07: FTC consumer protection chief puts data brokers on notice 0:26:19: LastPass requiring users to create longer passwords 0:32:58: Why you can still trust (non-LastPass) password managers 0:43:01: ‘Hyundai Pay’ in-car payments coming 0:45:38: "Privacy Tools Are Not Worth the Hassle" 0:54:57: Tip of the Week: iOS 17 security & priv...

Your Face Belongs to Us

18 september 2023 | 62 min

When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that they were in - even just in the background. And if those pictures were associated with a social media profile, we could identify the owner of the face along with their friends and family - all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book "Your Face Belongs to Us". Interview Notes Your Face Belongs to Us: https://www.kashmirhill.com/book Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endritrestelica_ai-tech-activity-7098293527951851520-Mejy/ PimEyes: https://pimeyes.com/ Fawkes masking tool: https://sandlab.cs.uchicago.edu/fawkes/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: Tell us about your beat at the New York Times 0:02:17: What is the Clearview app and what does it do? 0:05:12: How did you come to write about Clearview AI? 0:07:40: What happened when you first investigated this company? 0:11:46: How did Clearview AI obtain all these images of our faces? 0:14:24: Why are privacy advocates calling for a ban on this technology? 0:16:36: Do the makers of Clearview appreciate the privacy implications of their tool? 0:18:56: How did 9/11 influence our views on surveillance technology? 0:22:33: Who has access to the Clearview app? 0:24:14: How do we know who is using this tool? 0:25:22: How has Clearview tried to win approval for this tool? 0:27:37: What's to stop others from copying this technology? 0:31:05: Wasn't Clearview used to ban lawyers from venues in NYC? 0:33:13: Didn't Illinois sue Clearview AI and win? 0:34:09: Where else is facial recognition being used today? 0:38:05: How often is FRT used in solving crimes in the US? 0:41:26: What about cases where FRT identifies the wrong person? 0:43:23: How accurate are these tools? What causes them to fail? 0:45:59: How accurate is Clearview compared to other tools? 0:47:02: How well does Clearview deal with facial hair, masks, etc? 0:50:01: What can we do to protect our faces online? 0:52:33: How well can Clearview pick out faces in the background? 0:54:41: What's the future of privacy in a world full of cameras? 0:56:24: What can we do to rein in abuse of FRT? 0:58:00: Wrap up and a look ahead

Remediate Your Network

11 september 2023 | 67 min

Today I wrap up my four-part series on how to secure your home network. We've enumerated our devices, gotten rid of stuff we don't need, assessed the state of our devices and now it's time to actually remediate any vulnerabilities we found. I'll walk you through everything you need to do. In other news: Chrome's Topics API has rolled out (and I'll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right and are being sued; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages. Article Links [The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads-topics-sandbox [citizenlab.ca] NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ [TechCrunch] FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/ [AppleInsider] UK backs down from nonsensical law after threats from Apple, WhatsApp https://appleinsider.com/articles/23/09/06/uk-backs-down-from-nonsensical-law-after-threats-from-apple-whatsapp [Tom's Guide] Macs under threat from malicious ads spreading malware — don’t fall for this https://www.tomsguide.com/news/macs-under-threat-from-malicious-ads-spreading-malware-dont-fall-for-this [briankrebs] Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/ [WIRED] Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/ [VICE] Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing https://www.vice.com/en/article/93kdmp/kias-and-hyundais-keep-getting-stolen-by-the-thousands-and-cities-are-suing [Gizmodo] If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416 [techxplore.com] Researchers issue warning over Chrome extensions that access private data https://techxplore.com/news/2023-09-issue-chrome-extensions-access-private.html Tip of the Week: Remediate Your Network: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:29: Kashmir Hill interview coming 0:01:40: News rundown 0:04:32: How to disable Chrome’s new targeted ad tracking 0:07:12: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild 0:10:36: FBI operation dismantles Qakbot botnet 0:13:51: UK backs down from nonsensical law after threats from Apple, WhatsApp 0:17:10: Macs under threat from malicious ads spreading malware 0:23:03: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Containing Big Data

4 september 2023 | 71 min

In the US today we're dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU's GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What's our data worth? And how can we protect it? I'll discuss all of this and more with my guest, Tom Kemp. Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy. Interview Notes Containing Big Tech:: https://www.tomkemp.ai/containing-big-tech Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/ LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-airegulatio7087548531820941312/ SB362 (Delete Act): https://www.darkreading.com/endpoint/why-the-california-delete-act-matters Tom’s post on SB362: https://www.linkedin.com/posts/tomkemp_sb362-databrokers-privacy-activity-7103448636260302848-Qg6p Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:20: Follow me on Bluesky? 0:01:32: Interview preview 0:02:59: What are data brokers? Would we recognize their names? 0:06:07: How big is the data broker industry? 0:08:35: You say there are 5 different types of data brokers - what are they? 0:12:10: Are there financial data brokers outside the US? 0:15:53: Are we granting permission for data collection without realizing it? 0:18:44: Who is making money off our data and what is it really worth? 0:21:56: Who is selling our data out the back door? 0:26:50: Why is location data so valuable? 0:28:40: How much of my data is raw and how much is inferred or extrapolated? 0:33:06: How often do data records contain errors? 0:36:24: How much of our personal data is publicly available? 0:38:46: Can we have an ad-based web economy and privacy, too? 0:44:56: Our behavior ads really worth more than contextual ads? 0:48:08: Can antitrust laws be leveraged against data collection? 0:50:46: Can laws requiring transparency in data collection be a stepping stone? 0:56:14: Why can't we pass a federal privacy law? 0:58:25: What can we do right now to limit data collection? 1:01:50: What else does your book cover? 1:05:28: Interview wrap-up 1:06:01: Delete Act (SB362) Udpate 1:06:58: A note on warranty registrations 1:08:11: Global Privacy Control article 1:08:28: Patron podcast teaser 1:08:50: Look ahead

Assessing Your Network Security

28 augusti 2023 | 59 min

In the third part of my series on securing your home network, we'll assess your security and privacy vulnerabilities. In prior weeks, we've exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don't need to be "smart" (Simplify). Now it's time to investigate the remaining devices and think about what we need to do to secure them. In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year's end; LinkedIn accounts are being targeted for takeover; Intel's GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police been to be transparent about social media monitoring; Kansas newspaper raid by police teaches us how better to encrypt our data; hackers are selling credit report info on just about any American; NSA director tells employees to spy "with dignity and respect". Article Links [TechRadar] One of the worst Mac malware strains is back and hiding as a productivity app - so beware https://www.techradar.com/pro/security/one-of-the-worst-mac-malware-strains-is-back-and-hiding-as-a-productivity-app-so-beware [Tom's Guide] Thousands of Android malware apps use stealthy APKs to bypass security, study finds https://www.tomsguide.com/news/thousands-of-android-malware-apps-use-stealthy-apks-to-bypass-security-study-finds [Ars Technica] Illinois just made it possible to sue people for doxxing attacks https://arstechnica.com/tech-policy/2023/08/illinois-just-made-it-possible-to-sue-people-for-doxxing-attacks/ [TechCrunch] Meta plans to roll out default end-to-end encryption for Messenger by the end of the year https://techcrunch.com/2023/08/22/meta-plans-to-roll-out-default-end-to-end-encryption-for-messenger-by-the-end-of-the-year/ [TechRadar] LinkedIn user accounts have been taken over in huge hacking campaign https://www.techradar.com/pro/security/linkedin-user-accounts-have-been-taken-over-in-huge-hacking-campaign [extremetech.com] Intel's GPU Drivers Now Collect Telemetry https://www.extremetech.com/gaming/intels-gpu-drivers-now-collect-telemetry-including-how-you-use-your-computer [TechCrunch] Tesla says data breach impacting 75,000 employees was an insider job https://techcrunch.com/2023/08/21/tesla-breach-employee-insider/ [BBC] Why US tech giants are threatening to quit the UK https://www.bbc.com/news/technology-66304002 [The Intercept] Police Are Getting DNA Data From People Who Think They Opted Out https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/ [The Associated Press] A Pennsylvania court says state police can’t hide how it monitors social media https://apnews.com/article/pennsylvania-police-aclu-social-media-monitoring-1508189aba86cc776e19892b4a2b358a [freedom.press] What a newsroom police raid teaches us about encrypting our devices https://freedom.press/training/blog/marion-record-police-raid/ [404media.co] The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/ [The Intercept] NSA Orders Employees to Spy on the World “With Dignity and Respect” https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/ Tip of the Week: Securing Your Network 3: Assess: https://firewallsdontstopdragons.com/secure-your-network-3-assess/ Further Info Dragon Challenge Coin promotion: https://fdsd.me/promo823 Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions!

Demystifying AI

21 augusti 2023 | 69 min

Unless you've been living under a rock, you've seen several news stories about AI, machine learning and so-called Large Language Models. While tools like ChatGPT hold a lot of promise, many are deeply concerned about AI replacing jobs, generating potent malware, and being used in phishing and disinformation campaigns. Today I will ask AI expert Michael Littman to explain clearly what AI is and what it isn't, how the technology actually works, and what we should and maybe shouldn't be worried about. Michael Littman is a computer science professor at Brown University who has won several prestigious teaching awards while studying machine learning and the implications of artificial intelligence. He serves as division director for Information and Intelligent Systems at the National Science Foundation and is also a Fellow of the Association for the Advancement of Artificial Intelligence and the Association for Computing Machinery. Interview Notes Gathering Strength, Gathering Storms: The One Hundred Year Study on Artificial Intelligence https://ai100.stanford.edu/gathering-strength-gathering-storms-one-hundred-year-study-artificial-intelligence-ai100-2021-study Code to Joy book preorder: https://www.amazon.com/Code-Joy-Everyone-Should-Programming/dp/0262546396/ Michael Littman’s website: https://www.littmania.com/ Gandalf AI challenge: https://gandalf.lakera.ai/ ChatGPT: https://openai.com/blog/chatgpt Stable Diffusion: https://stability.ai/stablediffusion Canva Image Generator online: https://www.canva.com/ai-image-generator/ Paperclip Maximizer: https://en.wikipedia.org/wiki/Instrumental_convergence#Paperclip_maximizer Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:56: Dragon coin promo update 0:01:51: Interview preview 0:03:15: What is Artificial Intelligence, really? 0:05:36: Is it a mistake to anthropomorphize AI? 0:08:50: What is AI versus machine learning? 0:11:59: How does AI differ from normal computer code? 0:14:49: What is a large language model or LLM? 0:18:45: What does it take to create an LLM? 0:22:04: Why are these AI models limited to certain points in time? 0:26:46: How are these chat bots leading people to believe they're sentient? 0:28:54: What was behind the AI explosion in late 2022? 0:32:29: How to AI systems generate images from text prompts? 0:35:36: How are AI systems affected by their training data? 0:40:24: Which concerns about AI are justified and which are overblown? 0:44:55: What sorts of jobs may be impacted by AI? 0:47:15: Is there an art to creating AI prompts? 0:48:43: Can you trick AI systems? 0:51:42: How do we detect AI output? How should we restrict this technology? 0:56:19: How can we try out these AI systems to learn more? 0:59:26: What's the next big thing in AI? 1:02:12: Why should people learn to do a little coding? 1:05:27: Wrap-up 1:07:01: Gandalf AI game 1:08:19: Upcoming interviews

Hacker Summer Camp 2023

15 augusti 2023 | 56 min

Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences - BSides Las Vegas, BlackHat and DEF CON - run for over a week, each overlapping the other. They bring top tier security researchers, government and industry leaders, and eager hackers to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I'll tell you about my trip to BSides and DEF CON in 2023. Article Links [securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/ [9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/ [whitehouse.gov] Biden-⁠Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/ Donate to Maui wildfire relief fund: https://www.gofundme.com/f/5auw5q-maui-wildfire-relief-fund Veilid project (cDc): https://veilid.com/ Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice Namecheck from Steve Gibson: https://youtu.be/hGyVuszu0F8?t=6240 CalyxOS mention: https://en.wikipedia.org/wiki/CalyxOS Tom Kemp on LinkedIn Live: https://www.tomkemp.ai/blog/2023/7/19/live-event-the-state-of-us-privacy-and-ai-regulation Further Info Dragon Challenge Coin promotion: https://fdsd.me/promo823 Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:04: Preview 0:01:27: Look ma, I'm on Wikipedia! 0:02:16: Steve Gibson reads FDSD 0:03:16: Show overview 0:04:29: What is Hacker Summer Camp? 0:06:21: Using Lockdown Mode on Apple 0:07:20: BSides Las Vegas 2023, Josh Corman, et al 0:08:28: BSides pool party 0:09:44: I skipped out on linecon 0:11:36: I skipped the merch line, too 0:12:36: Darknet Diaries meets FDSD 0:13:13: r00t party! 0:15:14: cDc announces Veilid platform 0:18:48: Voting Village, brush with Chris Krebs 0:20:34: Interview with Nick Oles 0:22:49: Meet Joe Gray ("Practical Social Engineering" author) 0:23:22: cDc Veilid launch party 0:24:19: Checking in the the Hack-a-Sat team 0:38:00: EFF Tech Trivia 0:38:37: Hacker Jeopardy 0:40:11: Evacuation of Caesar's Forum 0:41:50: Closing ceremonies 0:42:48: No swag or amulet sightings 0:43:31: Downfall: New Intel CPU Attack Exposing Sensitive Information 0:47:24: Mac malware can easily bypass Apple’s Background Task Manager 0:52:22: Maui wildfire relief fund 0:53:01: DARPA Launches AI Cyber Challenge 0:54:07: Looking ahead 0:55:28: Dragon coin promotion is ending soon

Cult of the Dead Cow

7 augusti 2023 | 77 min

In the early 1980s, personal computers started entering our homes. Prior to the internet and services like America On Line (AOL), there were online bulletin board systems (BBS) where people could share text files via phone modem connections. Of course, if you wanted to connect to a BBS outside your home area code, you would have to dial long distance - which at the time could be prohibitively expensive. Necessity is the mother of invention and it's no coincidence that some of the earliest hacking was of the phone system to get free long distance calls. One of the first named groups of hackers was The Cult of the Dead Cow (aka, cDc). Today I'll reminisce about the old days with two prominent members of cDc: Deth Veggie and Omega. We'll talk about what it was like in the days prior to the internet, how hackers think, and how hacking has evolved over the years. We'll talk about how cDc pioneered the hactivist movement and how their group overlapped and interacted with other famous groups like L0pht Heavy Industries, Masters of Deception (MOD), Legion of Doom (LOD) and much, much more. Interview Notes The Cult of the Dead Cow: https://cultdeadcow.com/ "The Cult of the Dead Cow" book: https://www.hachettebookgroup.com/titles/joseph-menn/cult-of-the-dead-cow/9781549169991/ cDc text files: http://textfiles.com/groups/CDC/ The Hacker’s Manifesto: http://phrack.org/issues/7/3.html Hactivismo Declaration: https://web.archive.org/web/20090502054355/http://www.cultdeadcow.com/cDc_files/declaration.html cDc’s unofficial suggested reading/viewing list: https://fdsd.me/cdclist Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:43: Interview prep 0:03:51: How did cDc start and where did it get its name? 0:08:11: How did you get involved with cDc? 0:11:15: What is a BBS? What are textfiles? 0:15:36: What sort of information did these textfiles contain? 0:23:46: What really happened in the Hacker Wars? 0:25:28: How did phone phreaking work? 0:29:43: How did you choose your handle? When did you first use it in public? 0:37:47: Two things War Games got right 0:38:38: Blue boxes and red boxes 0:40:26: What did your friends & family think? How have perceptions of hackers changed? 0:45:16: What is hacktivism? What sort of hactivist behavior is acceptable? 0:51:58: What are some examples of hactivism? 0:55:19: What are some signs that I might enjoy hacking? 1:01:49: Hacking in the real world, questioning everything. 1:04:38: Books and movies with accurate portrayals of hackers & hacking? 1:11:14: Interview wrap-up 1:12:46: Patron bonus material & promo 1:16:04: Next week's show may be delayed

Less is More

31 juli 2023 | min

Last time, I told you how to enumerate all the devices on your home network. Before we go to the trouble of analyzing and mitigating their vulnerabilities, we should take the opportunity to cull the inventory. Do you really need all of these devices? Or could you forego the "smart" features that require them to be connected to your network? Today we'll talk about reducing your attack surface before we bother trying to secure it. In other news: the White House announces new cybersecurity labeling program; the SEC mandates a 4-day reporting window for cyber attacks; EFF opposes a bill that threatens our privacy; stolen Microsoft signing keys behind a set of targeted US government email hacks; more details emerge about Facebook mining Onano VPN for user data; TETRA radios used for decades revealed to have deliberately weakened encryption; ALPR data now being used with AI algorithms to guess which cars might contain criminals; Apple threatens to pull Facetime, Messages from UK over proposed surveillance law changes; Google's Web Integrity API causes a stir; Apple to require justification for use of some APIs that might compromise user privacy. Article Links [whitehouse.gov] Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/ [The Hacker News] New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html [Electronic Frontier Foundation] Amended Cooper Davis Act Is a Direct Threat to Encryption https://www.eff.org/deeplinks/2023/07/amended-cooper-davis-act-direct-threat-encryption [TechCrunch] Microsoft lost its keys, and the government got hacked https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/ [Financial Review] Facebook admits it used app to ‘know nearly everything’ about users https://www.afr.com/companies/media-and-marketing/facebook-admits-it-used-app-to-know-nearly-everything-about-users-20230713-p5do2a [WIRED] Code Kept Secret for Years Reveals Its Flaw—a Backdoor https://www.wired.com/story/tetra-radio-encryption-backdoor/ [Forbes] This AI Watches Millions Of Cars Daily And Tells Cops If You’re Driving Like A Criminal https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/ [MacRumors] Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes https://www.macrumors.com/2023/07/20/apple-threatens-to-pull-facetime-and-imessage-uk/ [Ars Technica] Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/ [MacRumors] Apple Developers Required to Justify Use of Some APIs in Latest Move to Boost Privacy https://www.macrumors.com/2023/07/28/developers-required-to-justify-api-use/ Tip of the Week: Less is More: https://firewallsdontstopdragons.com/secure-your-network-2-simplify/ Further Info Stop the bad bills: https://www.eff.org/deeplinks/2023/07/you-can-help-stop-these-bad-internet-bills Dragon Challenge Coin Promo! https://fdsd.me/promo823 Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Table of Contents Add time-based list of markers.

The Politics of Privacy

24 juli 2023 | 67 min

Despite growing demand from US citizens for privacy protections, the federal government has failed repeatedly to enact basic privacy laws. However, one US state - California - has led the charge on privacy and passed regulations that have benefited people outside the state. Today I'll speak with Ernesto Falcon who is currently running for California State Senate in District 7. He has decades of experience in public policy, particularly in the realm of privacy rights, both in politics and with the Electronic Frontier Foundation. We'll talk about how the legislative sausage is made, why we can't seem to pass privacy regulations, how lobbyists influence policy, and much more. Disclaimer: Views, opinions, or statements expressed are solely those of the candidate and not of his employer at the Electronic Frontier Foundation. Interview Notes Ernesto Falcon’s campaign website: https://www.ernestofalcon.com/ California Consumer Privacy Act: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act California Privacy Rights Act: https://en.wikipedia.org/wiki/California_Privacy_Rights_Act Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:16: Interview prep 0:02:40: Tell us about your CA Senate campaign 0:10:56: How have CA privacy laws impacted the greater US? 0:15:45: How do we regain control over our data? 0:17:59: What is preventing a good federal privacy law? 0:24:36: What are the dangers of all this personal data being hoarded? 0:31:01: How does HIPAA actually work? What doesn't it cover? 0:33:01: What is the EARN IT Act and why does EFF oppose it? 0:37:58: How do child safety laws undermine privacy? 0:40:41: How are legal wire taps different from backdoors in encryption? 0:43:10: Won't repressive regimes abuse encryption backdoors? 0:44:45: Is on-device scanning a valid compromise solution? 0:47:07: Will we ever win the Crypto Wars? 0:48:59: How can we best support the privacy cause? 0:52:00: Would more privacy transparency be a good first step? 0:54:35: Are monopolies part of the problem here? 0:58:53: What's next for you and your senate campaign? 1:00:42: Post interview wrap-up 1:01:46: Go talk to your representative! 1:02:55: Dragon Challenge Coin Promotion!

IoT Inventory

17 juli 2023 | 71 min

The Internet of Things (IoT) has added internet connections to lots of home devices. Each and every one of those devices runs software on a computer chip. Almost all software has bugs and those bugs may be exploitable by bad guys. We're going to take another look at protecting our home networks using a simple, logical methodology. Step one: SCAN. That is, first of all, we need to understand the scope of the problem by enumerating all of the devices on your home network. I'll explain how to do that. In other news: Apple re-releases security update after web glitch; EV chargers are vulnerable to hacking which could have significant impacts; tax prep firms shared 'extraordinarily sensitive' data with Meta; Meta's new Threads service collects tons of personal info and employs dark patterns to hook you in; France passes law giving law enforcement access to private device cameras, mics and locations; police are collecting and selling personal info, bypassing the 4th Amendment and sharing across state lines; Massachusetts weighs outright ban on selling user location data; printers and printing services may be mining your documents for data. Article Links [MacRumors] Apple Releases Revised iOS and macOS Security Updates to Fix Actively Exploited Vulnerability and Safari Bug https://www.macrumors.com/2023/07/12/apple-releases-revised-security-updates/ [WIRED] EV Charger Hacking Poses a ‘Catastrophic’ Risk https://www.wired.com/story/electric-vehicle-charging-station-hacks/ [The Associated Press] 3 tax prep firms shared ‘extraordinarily sensitive’ data about taxpayers with Meta, lawmakers say https://apnews.com/article/irs-taxpayer-tax-preparation-meta-congress-9315cfca7a0942ab89f765d183fbf822 [Ars Technica] How Threads’ privacy policy compares to Twitter’s (and its rivals’) https://arstechnica.com/security/2023/07/how-threads-privacy-policy-compares-to-twitters-and-its-rivals/ [Yanko Design] The ‘Threads’ App is FILLED With Deceptive Dark Design Patterns – We Spotted More Than TEN https://www.yankodesign.com/2023/07/07/the-threads-app-is-filled-with-deceptive-dark-design-patterns-we-spotted-more-than-ten/ [Gizmodo] France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens' Phones https://gizmodo.com/france-bill-allows-police-access-phones-camera-gps-1850609772 [Tampa Bay Times] Hillsborough, Clearwater police monitoring private security cameras https://www.tampabay.com/news/hillsborough/2023/07/10/hillsborough-clearwater-police-monitoring-private-security-cameras/ [New York Daily News] NYPD seeks to grab cell phone IDs from people under arrest or in custody; push for IMEI numbers raises concerns https://www.nydailynews.com/new-york/nyc-crime/ny-nypd-campaign-cellphone-idenfiication-numbers-controversy-20230708-yltabdlozfbppeoodxymyub3zq-story.html [The Sacramento Bee] California cops illegally share data with anti-abortion states https://www.sacbee.com/news/politics-government/capitol-alert/article275795726.html [Engadget] Massachusetts weighs outright ban on selling user location data https://www.engadget.com/massachusetts-weighs-outright-ban-on-selling-user-location-data-191637974.html [The Washington Post] Your printing service might read your documents. Here’s what to know. https://www.washingtonpost.com/technology/2023/07/10/printing-privacy-security-printed-documents/ Tip of the Week: IoT Inventory https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about sec...

National Cyber Strategy

10 juli 2023 | 69 min

After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining it's priorities and goals. It's a wide-ranging and ambitious document consisting of five major areas of focus, or "pillars". What's new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and I? Today I'll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA). Interview Notes National Security Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil Known Exploited Vulnerabilities catalog : https://www.cisa.gov/known-exploited-vulnerabilities-catalog Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o I Am the Cavalry: https://iamthecavalry.org/ CISA Secure by Design: https://www.cisa.gov/securebydesign Further Info Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:55: Interview setup 0:04:00: What is this strategy document, at a high level? 0:14:02: What are some of the more important or novels aspects? 0:18:05: Do agencies have the budget and authority to implement these strategies? 0:22:11: Will having a gov't backstop actually encourage attacks or discourage preparation? 0:30:40: Should the gov't actively scan US firms/orgs for vulnerabilities? 0:36:56: What should we do about the marketplace for zero-day hacks? 0:39:52: How aggressive should the US be against hackers? 0:41:03: What is NOT addressed by this strategy? 0:45:55: How should be manage our dependencies on foreign software and hardware? 0:52:59: What can everyday people take away from these strategies? 0:59:50: Has this document already had impacts? How do we monitor progress? 1:03:56: Interview wrap-up 1:07:40: Looking ahead

Access Backup Plan

3 juli 2023 | 62 min

You're using a password manager. You're even using two-factor authentication. Great! When done properly, this will keep the bad guys out. Unfortunately, if you're not careful, it may also keep you out. If you forget your master password or lose access to your 2FA device, you'll be in real trouble... unless you have an access backup plan. This same plan can also help your spouse or next of kin to access your accounts should you die or become incapacitated. In the news: CISA issues a DDoS warning after multiple attacks; LetMeSpy stalkerware maker suffers a data breach of collected data; researchers use LED power light flicker to break cryptographic keys; Australian PM recommends citizens to power cycle their phones once a day; several artists boycott venues that use facial recognition; Brave browser introduces new localhost access permission; Proton unveils new password manager; Dear Carey questioner asks about PDF readers. Article Links [BleepingComputer] CISA issues DDoS warning after attacks hit multiple US orgs https://www.bleepingcomputer.com/news/security/cisa-issues-ddos-warning-after-attacks-hit-multiple-us-orgs/ [TechCrunch] LetMeSpy, a phone tracking app spying on thousands, says it was hacked https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands/ [The Hacker News] Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers https://thehackernews.com/2023/06/researchers-find-way-to-recover.html [9to5mac.com] Why tips like ‘turn off your iPhone for five minutes’ don’t actually help users https://9to5mac.com/2023/06/26/turn-off-your-iphone-for-5-minutes-advice/ [Rolling Stone] Tom Morello, Zack de la Rocha, and Boots Riley Boycotting Venues That Use Face-Scanning Technology https://www.rollingstone.com/music/music-features/tom-morello-zack-de-la-rocha-facial-recognition-concerts-boycott-1234775909/ [BleepingComputer] Brave Browser boosts privacy with new local resources restrictions https://www.bleepingcomputer.com/news/security/brave-browser-boosts-privacy-with-new-local-resources-restrictions/ [9to5mac.com] Proton Pass end-to-end encrypted password manager is here and free for everyone https://9to5mac.com/2023/06/28/proton-pass-encrypted-password-manager-free/ Tip of the Week - Access Backup Plan: https://firewallsdontstopdragons.com/craft-your-access-backup-plan/ Further Info Saving your Apple Photo Stream pics: https://support.apple.com/en-us/HT210705 Securityzed podcast: https://www.securityzed.com/podcast-test/securityzed-ltfyn-7xm5l-b8c8s-km25d-jbagp-6k9d4-39cr9-z5nhw-w4jwm Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:00: Photo Stream, Securityzed podcast 0:03:21: News rundown 0:05:10: CISA issues DDoS warning after attacks hit multiple US orgs 0:09:29: LetMeSpy stalkerware maker says it was hacked 0:16:43: Researchers Recover Crypto Keys from LED Flickers 0:24:07: Turn your iPhone off every day for 5 mins? 0:29:39: Artists boycotting venues that Use Face-Scanning Technology 0:34:02: Brave Browser boosts privacy with localhost restrictions 0:41:28: Proton debuts new password manager 0:45:56: Dear Carey question 0:50:05: Tip of the Week 1:00:32: Wrap-up

Hacking in Space

26 juni 2023 | 66 min

Right now there are thousands of satellites orbiting above our heads performing crucial tasks. At the end of the day, they're just computers running software - albeit at thousands of miles up and thousands of miles per hour. Can they be hacked? What are the dangers? Aaron Myrick and the Hack-A-Sat team are trying to answer those questions. And they're doing it by launching an actual satellite into low earth orbit for this year's DEF CON hacking contest and asking talented hackers from around the world to take their best shot. Interview Notes Moonlighter Fact Sheet: https://aerospace.org/fact-sheet/moonlighter-fact-sheet Hack-A-Sat 4: https://hackasat.com/moonlighter/ Hack-A-Sat GitHub resources: https://github.com/deptofdefense/hack-a-sat-library Space-Track.org: https://www.space-track.org/ Moonlighter launch: https://vimeo.com/833432259/4ba9b0927b Further Info Amulet of Entropy (DEF CON badge): https://amuletofentropy.com/ Nominate someone for a challenge coin: https://fdsd.me/quest Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:36: Update Apple devices, ASUS routers 0:01:03: Misc updates 0:03:08: Interview setup 0:04:19: What is Aerospace Corp and what do you do there? 0:08:25: What are things satellites do that we might not think about? 0:13:42: Break down some key stats on satellites for us. 0:17:27: How might we be affected by loss of satellites? 0:21:31: How do you hack an orbiting satellite, logistically? 0:24:38: What sorts of attacks are we worried about? 0:26:58: How do we debug problems in orbiting satellites? 0:30:55: How is hacking a satellite different from a computer? 0:35:23: What happens to old satellites? 0:41:26: What is the Hack-A-Sat program about? 0:43:35: How did the target systems work, prior to this year? 0:46:39: What have we learned so far from past contests? 0:51:24: What's new with Hack-a-Sat 4? 0:52:43: When and how will Moonlighter launch? 0:58:30: What kinds of things can I hack on Moonlighter? 1:00:43: What's the future for Hack-a-Sat? 1:03:26: Wrap-up

Go Forth, Do Good Deeds

19 juni 2023 | 51 min

I launched my mission to improve people’s privacy and security almost ten years ago now. It’s been quite a journey and I’ve learned a lot in that time. One thing I’ve realized is that there’s only so much I can do on my own. And so I’ve encouraged the more technically savvy members of my audience to help others where they can. One downside to being a podcaster is that I don’t have much insight into the effectiveness of my exhortations. I have no idea how many people are going forth to do good deeds nor what those deeds are. So today I'm launching a new campaign to solicit stirring stories of good deeds and every quarter or so I will select the most inspiring deed-doers and reward them with one of my dragon challenge coins! In the news: Clop ransomware gang lists first victims of MOVEit supply chain hacks; firmware bug in Gigabyte motherboards has a fix now; US Congress and intelligence agencies debate reform for mass surveillance program; tissue and fluid samples are being abused by law enforcement for DNA scans; check washing scams are on the rise; how to avoid being scammed by virtual kidnapping schemes; 1Password announces beta support for browser passkey extension; bold new plan for 311 cyber support line. Article Links [TechCrunch] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/ [restoreprivacy.com] Hackers Stole Millions of Driver’s Licenses and IDs from U.S. States https://restoreprivacy.com/hackers-stole-millions-of-drivers-licenses-and-ids-from-u-s-states/ [Tom's Hardware] Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected https://www.tomshardware.com/news/gigabyte-motherboards-come-with-a-firmware-backdoor [cyberscoop.com] Congress and intelligence officials spar over surveillance reforms https://cyberscoop.com/congress-fbi-section-702/ Senate hearing: https://www.judiciary.senate.gov/oversight-of-section-702-of-the-foreign-intelligence-surveillance-act-and-related-surveillance-authorities [aclu.org] Donated Blood or an Organ? Police Shouldn’t Have Easy Access to Your DNA https://www.aclu.org/news/privacy-technology/donated-blood-or-an-organ-police-shouldnt-have-easy-access-to-your-dna [Lifehacker] Why You Should Stop Sending Checks in the Mail, Especially Now https://lifehacker.com/why-you-should-stop-sending-checks-in-the-mail-especia-1850543113 [connectsafely.org] Quick-Guide to Virtual Kidnapping Scams https://connectsafely.org/virtualkidnapping/ [9to5mac.com] 1Password passkey support for the web launches in public beta on the Mac https://9to5mac.com/2023/06/06/1password-passkey-browser-extension/ [WIRED] The Bold Plan to Create Cyber 311 Hotlines https://www.wired.com/story/ut-austin-cybersecurity-clinic-311/ Tip of the Week: Go Forth, Do Good Deeds: https://fdsd.me/quest Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:47: News preview 0:03:01: Clop Ransomware hits several public and privacy organizations 0:11:32: Firmware Backdoor Discovered in Gigabyte Motherboards 0:17:04: Congress and intelligence officials spar over surveillance reforms 0:24:13: Police Shouldn’t Have Easy Access to Your DNA 0:28:03: Why You Should Stop Sending Checks in the Mail 0:31:43: Quick-Guide to Virtual Kidnapping Scams

Making a Difference

12 juni 2023 | 66 min

At some point, when you care enough about a particular cause, you shift from following the issue to actually trying to advance the issue - to make a difference. The easiest way to do this is to find groups that are already working for this cause and supporting them with donations of your time and/or money. But what do you do if you can't find such a group, or maybe there's no local chapter? Well, you can start your own! It's not as hard as it sounds - and in fact, there exist organizations that can help you. Today I'll speak with Rory Mir from the Electronic Frontier Alliance along with leaders from two successful EFA-affiliated groups: Freddy Martinez from Lucy Parsons Labs and Chris Bushick from PDX Privacy. Interview Notes Reach out to EFF organizing team: [email protected] Electronic Frontier Alliance (EFA): https://www.eff.org/efa Meetup groups: https://meetup.com Lucy Parsons Labs: https://lucyparsonslabs.com/ PDX Privacy: https://www.pdxprivacy.org/ EFF on the EARN IT Act: https://www.eff.org/deeplinks/2023/05/dangerous-earn-it-bill-advances-out-committee-several-senators-offer-objections Further Info Dragon Coins! https://fdsd.me/coin2 Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents 0:00:25: Interview setup 0:04:32: Introductions and overview of EFA 0:09:12: Lucy Parsons Project overview 0:10:52: PDX Privacy overview 0:12:28: How has the EFA helped you with your projects? 0:15:33: What other types of groups work with the EFA? 0:17:49: What did you do before? What was it like starting your group? 0:23:02: How can you go about finding sources of funding? 0:25:25: What sorts of grants are available? 0:30:09: What accomplishments are you most proud of? 0:34:48: What were some of your biggest challenges? 0:38:51: Do you ever feel like you're David versus Goliath? 0:42:26: How can I find existing groups that I can support or join? 0:45:58: What's the first step in starting my own group? 0:49:31: If you were starting over again, what would you have done differently? 0:49:56: Do I need to incorporate or create a legal entity? 0:53:02: Can a non-profit organization make money? 0:57:32: Any parting thoughts you'd like to share? 1:00:32: Wrap-up 1:03:11: Looking ahead 1:04:09: Upcoming challenge coin campaign

Blocking .zip Domains

5 juni 2023 | 66 min

Two weeks ago, I told you about the availability of two new top-level domains that also happen to be popular file name extensions: .zip and .mov. The ambiguity will undoubtedly be exploited by ne'er-do-wells to trick people into doing something they shouldn't do. There are clever ways to manipulate website addresses that would trick even tech-savvy people into clicking malicious links. Today I'll tell you how these tricks work and explain you can avoid all of these issues by simply blocking these new domains. In other news: iTunes for Windows patches a nasty bug; Android malware downloaded over 420 million times; Android phones vulnerable to fingerprint brute-force attacks; Luxottica exposes 300 million customer records; free VPN service SuperVPN exposes 360 million user records; Amazon gets slap on the wrist for Ring video doorbell private data access; KeePass "master password crack" not as bad as it sounds; Twitter adding Content Notes 'fact checks' to images; Microsoft now scanning inside password-protected zip files; drone pilot is NOT killed by drone; AI is NOT likely to cause human extinction; and Brave introduces new Off The Record browsing mode. Plus my Dear Carey question: recommended cheat sheet for computer safety. Article Links [MacRumors] PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability https://www.macrumors.com/2023/06/01/itunes-windows-vulnerability/ [Lifehacker] This Android Malware Was Downloaded Over 420 Million Times https://lifehacker.com/this-android-malware-was-downloaded-over-420-million-ti-1850492306 [BleepingComputer] Android phones are vulnerable to fingerprint brute-force attacks https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/ [bitdefender.com] Luxottica 2021 breach: 300 million customer records up for grabs online https://www.bitdefender.com/blog/hotforsecurity/luxottica-2021-breach-300-million-customer-records-up-for-grabs-online/ [hackread.com] Free VPN Service SuperVPN Exposes 360 Million User Records https://www.hackread.com/free-vpn-service-supervpn-leaks-user-records/ [AppleInsider] Amazon gets slap on the wrist over privacy violations with Ring cameras https://appleinsider.com/articles/23/05/31/amazon-gets-slap-on-the-wrist-over-privacy-violations-with-ring-cameras [Naked Security] Serious Security: That KeePass “master password crack”, and what we can learn from it https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-master-password-crack-and-what-we-can-learn-from-it/ [Mashable] Twitter will now put Community Notes 'fact checks' on images https://mashable.com/article/twitter-notes-on-media-images [Ars Technica] Microsoft is scanning the inside of password-protected zip files for malware https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/ [VICE] USAF Official Says He ‘Misspoke’ About AI Drone Killing Human Operator in Simulated Test https://www.vice.com/en/article/4a33gj/ai-controlled-drone-goes-rogue-kills-human-operator-in-usaf-simulated-test [Schneier Blog] On the Catastrophic Risk of AI https://www.schneier.com/blog/archives/2023/06/on-the-catastrophic-risk-of-ai.html [brave.com] Request "Off the Record" https://brave.com/privacy-updates/26-request-off-the-record/ Tip of the Week: Blocking .zip Domains: https://firewallsdontstopdragons.com/how-to-block-the-new-zip-domain/ Further Info How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/ Checklist of Tips for my book: https://firewallsdontstopdragons.com/wp-content/uploads/2023/02/FDSDv5-workbook-v1.pdf 10 Years After Snowden: https://www.eff.org/deeplinks/2023/05/10-years-after-snowden-some-things-are-better-some-were-still-fighting The Wayback Machine: https://web.archive.org/

Vehicle Privacy Report

29 maj 2023 | 75 min

Modern cars are more like smartphones on wheels. Like our cell phones, they are chock full of sensors, computer chips and software, and they're connected to the internet 24/7 via cellular modems. What data is being collected? Who owns this data? How secure is your data? Who is it being shared with? And most importantly, what - if anything - can you do about it? Since we last spoke with Privacy4Car's Andrea Amico, his company has released a powerful new Vehicle Privacy Report tool that aims to answer at least some of these questions and help you to be a more informed car buyer. Today we'll delve into the murky world of car data collection and privacy. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data. Interview Notes Privacy4Cars: https://privacy4cars.com/ Vehicle Privacy Report tool: https://vehicleprivacyreport.com/ Assert your data rights: https://privacy4cars.com/personal-use/assert-your-data-rights/ Previous interview: Driving Data Privacy for Cars https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/ New privacy rules will impact your shop: https://www.autoserviceworld.com/new-privacy-rules-will-impact-your-shop/ Who Is Collecting Data From Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:38: What has happened with Privacy4Cars since we last spoke? 0:06:17: Why are cars collecting so much data? How private is this data? 0:09:31: You say cars are "cell phones on wheels" - what does that mean? 0:10:24: Are cars connected even when turned off? 0:11:55: What types of data is my car collecting? 0:14:16: Do electric cars gather more data than regular cars? 0:16:54: Do cameras built into your car represent a privacy risk? 0:21:51: Who can access my car's data? Can I access it myself? 0:27:25: Who owns the data in rental or fleet cars? What about wrecked cars? 0:32:24: Cars now have smartphone apps - what data are they collecting? 0:37:18: How do I know if I've opted in to data collection? 0:40:42: Can I opt of of data collection? If so, how? 0:44:20: What about Apple's CarPlay or Google's Android Auto? 0:49:37: How do I know which cars best respect my privacy? 0:55:08: How does the Vehicle Privacy Report tool work? 0:57:14: What does this tool tell me about a car? 1:00:43: What's the value of this tool for car makers and dealerships? 1:06:09: What's next for your company and the reporting tool? 1:09:49: Interview follow-up notes

Problems with Passkeys

22 maj 2023 | 62 min

Everyone hates dealing with passwords. This has led to a mad search for 'password-killer' technology. After several failed attempts, there's finally a worthy contender: passkeys. The technology has been around for years - it's the basis for hardware keys like YubiKey. But no one wanted to have to carry the little things all the time. With passkeys, you get the same phishing-proof, passwordless goodness but tied to a device you always have: your smartphone. Websites are slowly rolling out the ability to secure your accounts with passkeys, and Apple, Google and Microsoft are building support for passkeys into their operating systems. But I would caution you to wait a bit before jumping on the bandwagon - I'll explain why in today's show. In other news: update all your Apple devices; FBI and NSA break the notorious Snake malware; Intel deploys microcode security update; location data on 2M Toyoya customers exposed for years; new .zip and .mov domains are dangerously ambiguous; new crafty Chinese router malware; online age verification will cause serious problems; Apple will allow you to 'bank' your voice soon. Article Links [Tom's Guide] Apple issues urgent fix to block zero-day attacks — update your iPhone and Mac now https://www.tomsguide.com/news/apple-issues-urgent-fix-to-block-zero-day-attacks-update-your-iphone-and-mac-now [tech.co] FBI & NSA Cut the Head Off Notorious Russian Snake Malware https://tech.co/news/nsa-fbi-russian-snake-malware [Tom's Hardware] Intel Deploys Undisclosed Microcode Security Update For CPUs Going Back To Coffee Lake https://www.tomshardware.com/news/intel-microcode-security-update [BleepingComputer] Toyota: Car location data of 2 million customers exposed for ten years https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/ [Digital Trends] Hackers are using a devious new trick to infect your devices https://www.digitaltrends.com/computing/hackers-are-abusing-zip-mov-domain-names/ [9to5mac.com] Researchers find security flaw in Wemo Smart Plug, Belkin says it won’t release a patch https://9to5mac.com/2023/05/16/wemo-smart-plug-security-flaw-no-patch-coming/ [Ars Technica] Malware turns home routers into proxies for Chinese state-sponsored hackers https://arstechnica.com/information-technology/2023/05/malware-turns-home-routers-into-proxies-for-chinese-state-sponsored-hackers/ [Electronic Frontier Foundation] Age Verification Mandates Would Undermine Anonymity Online https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online [9to5mac.com] Everyone should use Personal Voice; it does in 15 minutes what currently takes several weeks https://9to5mac.com/2023/05/19/everyone-should-use-personal-voice/ Tip of the Week: The Pros & Cons of Passkeys https://firewallsdontstopdragons.com/the-pros-and-cons-of-passkeys/ Further Info Meross MSS115 Matter-enabled smart plug: https://shop.meross.com/products/meross-matter-smart-wi-fi-plug-mini-mss115 Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:10: Update on new location tracker spec 0:02:52: News preview 0:05:30: FBI & NSA Cut the Head Off Notorious Russian Snake Malware 0:07:27: Intel Deploys Undisclosed Microcode Security Update 0:11:12: Toyota location data of 2M customers exposed for years

Probing the Ministry of Truth

15 maj 2023 | 66 min

In the book "1984" (published in 1949), George Orwell envisioned a Big Brother that would control the media and dictate what was "truth". But Orwell didn't predict that "telescreens" would fit in our pockets or that we would willingly carry them with us 24/7, even to the bathroom. He also didn't foresee that we would willingly subscribe to sources of mis- and disinformation in the form of social media. Today I speak with the co-author of the book "Ministry of Truth", Vincent Hendricks, about the current state of social media and its influence on democracy and society. Vincent F. Hendricks, author of THE MINISTRY OF TRUTH: BigTech's Influence On Facts, Feelings And Fictions, is Professor of Formal Philosophy at the University of Copenhagen. He is the Director of the Center for Information and Bubble Studies (CIBS) funded by the Carlsberg Foundation. Interview Notes “Ministry of Truth” book: https://www.vince-inc.com/vincent/?p=7625 “1984” by George Orwell: https://en.wikipedia.org/wiki/Nineteen_Eighty-Four "Reality Lost" (free PDF book): https://link.springer.com/book/10.1007/978-3-030-00813-0 Vincent Hendricks website: https://www.vince-inc.com/vincent/ More from Vincent: https://www.oecd-forum.org/users/vincent-f-hendricks Blocking Google popups (and other annoyances): https://firewallsdontstopdragons.com/how-to-block-google-popups/ Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:23: Pre-inteview notes 0:03:51: Why did you write this book? 0:06:06: What is the current state of social media content moderation? 0:10:41: How equally are moderation rules applied to all users? 0:12:44: Do algorithms just feed our desire for stuff that's not good for us? 0:16:39: Are things really worse today or just different? 0:21:21: Do private companies have a moral duty to support a "public square"? 0:26:23: Are social media companies warping the public discourse? 0:28:58: Is TikTok really more of a threat than Facebook or Twitter? 0:31:15: Are any of the proposed TikTok solutions viable? 0:35:41: Why can't the US Congress pass a real privacy law? 0:38:00: Can we fix some key social media ills by adding some friction? 0:41:10: How will AI systems like ChatGPT impact disinformation? 0:44:15: Can AI also have positive impacts on social media? 0:48:10: How are social media platforms like casinos? 0:50:28: How are social media platforms like Orwell's Ministry of Truth? 0:51:34: How much responsibility do we have here? 0:57:42: What tips do you have for using social media today? 1:02:59: Interview wrap-up 1:03:28: Privacy and security book club 1:04:37: Patron perks 1:05:02: Preview of upcoming shows

Blocking Google Popups

8 maj 2023 | 69 min

Have you noticed Google getting really pushy lately with offers to "sign in with Google"? You're not alone. Many websites offer the ability to create a free account so that you can "personalize your experience", but lately Google has been popping up an very annoying window to prompt you to create this account by signing in with your Google account. First of all, you almost never need to create an account to view the site. But second, even if you do want to create an account, you shouldn't be linking that account with Google. You're creating a data sharing arrangement that is completely unnecessary and not in your best interests. I'll explain how to block these irritating popups (and many like them) for good. In other news: 1Password was not hacked, but recent messages might have worried you; new macOS malware stealer app; five things scammers hope you search for; Microsoft Edge is recording your web surfing data; Windows 10 will never receive another feature update; Microsoft is rewriting core Windows software in a memory-safe language; study claims 83% of passwords can be hacked in one second; Google adds support for passkeys; Apple issues first Rapid Security Response with confusing messages; NYPD hands out 500 free AirTags to combat auto thefts; Apple and Google partner on industry spec to thwart unwanted tracking devices; Google adds cloud backup for 2FA without end-to-end encryption; Amazon Clinic requires you to sign away privacy rights; Washington State pass health data privacy law; my take on recent efforts to undermine encryption and restrict access to social media. Article Links [Digital Trends] No, 1Password wasn’t hacked – here’s what really happened https://www.digitaltrends.com/computing/1password-secret-keys-not-hacked/ [9to5mac.com] PSA: ‘Atomic macOS Stealer’ malware can compromise iCloud Keychain passwords, credit cards, crypto wallets https://9to5mac.com/2023/04/28/atomic-macos-stealer-malware-steal-passwords/ [Lifehacker] Five Things Scammers Are Hoping You Google https://lifehacker.com/five-things-scammers-are-hoping-you-google-1850405964 [The Verge] Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy [Lifehacker] Microsoft Will Never Update Windows 10 Again (But You Can Keep Using It) https://lifehacker.com/microsoft-will-never-update-windows-10-again-but-you-c-1850386188 [theregister.com] Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/ [9to5mac.com] Study reveals top 20 most used passwords; 83% can be cracked in a second https://9to5mac.com/2023/05/02/most-used-passwords-report/ [The Hacker News] Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html [AppleInsider] Apple issues Rapid Security Response update for iOS 16.4.1, macOS 13.3.1 https://appleinsider.com/articles/23/05/01/apple-issues-rapid-security-response-update-for-ios-1641-macos-1331 [AppleInsider] New York hands out 500 AirTags in car theft crackdown https://appleinsider.com/articles/23/05/01/new-york-hands-out-500-airtags-in-car-theft-crackdown [Apple] Apple, Google partner on an industry specification to address unwanted tracking https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/ [Gizmodo] Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102 [The Washington Post] To become an Amazon Clinic patient, first you sign away some privacy https://www.washingtonpost.com/technology/2023/05/01/amazon-clinic-hipaa-privacy/ [The Verge] Washington passes law requiring consent before companies collect health data https://www.theverge.

STOPping Mass Surveillance

1 maj 2023 | 56 min

There's a big difference between mass surveillance and targeted surveillance based on a court-approved, limited-scope search warrant. But advances in technology have made warrant-less, dragnet surveillance exceptionally easy and stunningly effective. Local law enforcement agencies have deployed several types of surveillance systems in our communities, but have strongly resisted calls for transparency and oversight. Furthermore, police have simply bypassed the need for a warrant and pesky Fourth Amendment rights by just buying surveillance data from private companies. My guests today - Albert Fox Cahn and Evan Enzer, from the Surveillance Technology Oversight Project (S.T.O.P.) - will explain what's going on, why it's a danger to our privacy rights and democratic principles, and what we can do to fix it. Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/ STOP on Twitter & TikTok: @STOPSpyingNY Donate to S.T.O.P. https://www.stopspying.org/donate STOP Trojan House report: https://www.stopspying.org/the-trojan-house Public Oversight of Surveillance Technology (POST) Act: https://www.nyc.gov/site/nypd/about/about-nypd/policy/post-act.page Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops Electronic Frontier Alliance: https://www.eff.org/fight EFF’s Atlas of Surveillance: https://atlasofsurveillance.org/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:33: Interview setup 0:03:26: What is the Surveillance Technology Oversight Project? 0:07:57: What are the most common mass surveillance technologies? 0:10:15: How does Shot Spotter work and what are the dangers? 0:13:02: Do these technologies actually reduce crime? 0:14:38: Is law enforcement required to disclose info on these systems? 0:17:35: How transparent is the funding around these projects? 0:19:21: Who has access to this surveillance data? 0:21:20: 9/11 revealed a lack of data sharing - what's the right balance? 0:22:42: Is privately obtained surveillance data subject to 4th Amendment rights? 0:23:53: What is the "third party doctrine" and how does it apply here? 0:26:15: How does purchased data differ from data obtained via warrant? 0:27:56: How does the practice of "parallel construction" work? 0:29:22: What is my legal right to privacy when in public spaces? 0:31:09: What are my legal rights to "surveil" law enforcement? 0:32:44: How are police using copyright law to curtail video taping? 0:34:13: Who watches the watchers? Is there any oversight of mass surveillance? 0:36:52: How do you uncover surveillance use and abuse? 0:38:45: How can we mitigate consumer surveillance tech? 0:41:53: Are there any tools or techniques to mitigate public surveillance? 0:46:22: What's the solution here? How do we rein in mass surveillance? 0:50:06: How can people get involved in the fight against mass surveillance? 0:51:51: Interview wrap-up 0:54:51: Looking ahead

How to Avoid Juice Jacking

24 april 2023 | 67 min

Our smartphones have become indispensable tools for our daily lives - so seeing that dreaded red battery indicator can induce some serious anxiety. But before you jack your phone into some public USB charging port, think twice. Those USB connections can pass data as well as power, and it's actually possible to hack your phone using those ubiquitous and innocent-looking ports. Is this common? Probably not. But it's also very easy to avoid. I'll give you several tips for staying safe, particularly while traveling. In other news: Mullvad VPN was subjected to a search warrant (but had no data to give up); Proton has announced that it has created a password manager; YubiCo is merging with another company and going public; Facebook probably owes you some money; Apple HomePods can tell you if your house is on fire; one of several Israeli spyware makers is shutting down; the US and several partner countries are urging device makers to adopt Security by Design principles; hackers use fake Chrome updates to install malware; the much-hyped Florida water treatment plant hack wasn't really a hack; clever thieves are stealing modern cars through headlamp connectors; and health care portal check-in vendors are tricking patients into allowing them to monetize very sensitive health data. Article Links [mullvad.net] Mullvad VPN was subject to a search warrant. Customer data not compromised https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/ [proton.me] Proton Pass is now in beta https://proton.me/blog/proton-pass-beta [yubico.com] Yubico is merging with ACQ Bure: merged company intends to go public on Nasdaq First North Growth Market in Stockholm https://www.yubico.com/blog/yubico-is-merging-with-acq-bure/ [Lifehacker] Facebook Probably Owes You Money https://lifehacker.com/facebook-probably-owes-you-money-1850350640 [MacRumors] HomePod Can Now Alert You If Your Smoke Alarm Goes Off https://www.macrumors.com/2023/04/18/homepod-alert-smoke-alarm/ [The Hacker News] Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose https://thehackernews.com/2023/04/israeli-spyware-vendor-quadream-to-shut.html [cisa.gov] U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches   https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches [Tom's Guide] Hackers are using fake Chrome updates to spread malware — don’t fall for this https://www.tomsguide.com/news/hackers-are-using-fake-chrome-updates-to-spread-malware-dont-fall-for-this [VICE] Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says https://www.vice.com/en/article/y3wddv/much-hyped-water-plant-hack-wasnt-a-hack-was-actually-user-error-official-says [theregister.com] CAN do attitude: How thieves steal cars using network bus https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/ [statnews.com] I declined to share my medical data with advertisers at my doctor’s office. One company claimed otherwise https://www.statnews.com/2023/04/07/medical-data-privacy-phreesia/ Tip of the Week: How to Avoid Juice Jacking https://firewallsdontstopdragons.com/how-to-avoid-juice-jacking/ Further Info Facebook settlement form: https://www.facebookuserprivacysettlement.com/#submit-claim CISA Secure by Design, Secure by Default: https://www.cisa.gov/securebydesign Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.

Securing the Internet of Things

17 april 2023 | 64 min

As cybersecurity experts love to say, the "S" in "IoT" stands for security... meaning there is none. I've seen estimates that say there were almost 30 billion IoT devices on the internet in 2022. I have dozens of them on my home network alone. Each of these devices contains at least one computer, which is running potentially hackable software. And because these devices have internet connections, they are vulnerable to cyber attacks from anywhere on the planet. Today I'll ask Bill Niefert from Corellium how IoT devices differ from regular computers, how secure they are, what the risks are of insecure smart devices, and how we can make them better. Interview Notes Corellium: https://www.corellium.com/ Interesting IoT statistics: https://techjury.net/blog/internet-of-things-statistics/ Raspberry Pi: https://www.raspberrypi.org/ Fun RPi projects: https://www.pcworld.com/article/420028/10-practical-raspberry-pi-projects-anyone-can-do.html Matter IoT standard: https://en.wikipedia.org/wiki/Matter_(standard) Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:40: Interview terminology preview 0:04:49: Tell us about Corellium and what you do there 0:09:34: What is an ARM processor? 0:12:23: How do IoT devices compare to regular computers? 0:16:03: How do you design for security in cheap, slow IoT devices? 0:20:10: Are IoT devices fundamentally more hackable than regular computers? 0:25:07: Does your home Wi-Fi router adequately shield IoT devices from hacking? 0:28:31: Should you put IoT devices on your guest network? 0:34:35: What are the real-world dangers of having compromised IoT devices? 0:37:34: What is the new Matter IoT framework all about? 0:43:47: Does the Matter standard come with improved cybersecurity? 0:45:30: What are the privacy concerns for IoT devices? 0:53:19: Should IoT manufacturers be held liable for security failures? 0:58:18: Wrap-up 0:59:16: What is a Raspberry Pi and what can I do with it? 1:01:25: Matter security and privacy 1:02:16: Bonus content

Reviewing Mullvad Browser

10 april 2023 | 63 min

Right after releasing my episode on web fingerprinting, highly-respected VPN provider Mullvad teamed up with Tor to release a new web browser, specifically designed to protect your privacy - including attempting to block fingerprinting! Great timing, so I thought I'd give you my review of the Mullvad Browser - the good, the bad, and (yes) the ugly. In other news: Timely tips on spotting IRS phone scams; ultrasound attacks can hijack your smart speakers; brace yourself for a wave of more sophisticated AI-based scams; alcohol recover startups shared patients' data with advertisers; Google to require app developers to let you delete your account data; FBI's Operation Cookie Monster shuts down popular cybercrime forum; Facebook will grudgingly offer users in Europe to opt out of all tracking; the FDA is requiring medical device manufacturers to improve cybersecurity and support; and I answer a Dear Carey question about how to use a Mac mini as a server to host private versions of cloud apps. Article Links [NPR] No, the IRS isn't calling you. It isn't texting or emailing you, either https://www.npr.org/2023/04/07/1168353969/irs-scam-tax-day-imposter-how-to-avoid [Gizmodo] Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers, Researchers Find https://gizmodo.com/ultrasound-attack-hacks-phones-siri-alexa-usenix-1850273055 [WIRED] Brace Yourself for a Tidal Wave of ChatGPT Email Scams https://www.wired.com/story/large-language-model-phishing-scams/ [TechCrunch] Alcohol recovery startups Monument and Tempest shared patients’ private data with advertisers https://techcrunch.com/2023/04/04/monument-tempest-alcohol-data-breach/ [Engadget] Google will require that Android apps let you delete your account and data https://www.engadget.com/google-will-require-that-android-apps-let-you-delete-your-account-and-data-170618841.html [CNN] ‘Operation Cookie Monster’: FBI seizes popular cybercrime forum used for large-scale identity theft https://www.cnn.com/2023/04/04/politics/genesis-market-fbi-seizure/index.html [BGR] Facebook and Instagram users can now opt out of tracking, but only in Europe https://bgr.com/tech/facebook-and-instagrams-users-can-now-opt-out-of-tracking-but-only-in-europe/ [scmagazine.com] FDA will refuse new medical devices for cybersecurity reasons on Oct. 1 https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1 Tip of the Week: Mullvad Browser https://firewallsdontstopdragons.com/new-privacy-tool-mullvad-browser/ Further Info Watchman Privacy interview: https://www.youtube.com/watch?v=fByagxDetVI Using ultrasound to drive away teens: https://www.today.com/news/controversial-mosquito-sonic-devices-deter-young-people-high-pitched-sounds-t157801 Train Siri to recognize your voice: https://support.apple.com/en-us/HT204753 Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:22: Important software updates 0:01:13: Watchman Privacy interview 0:01:44: News preview 0:04:38: Beware IRS phone scams 0:09:42: New ultrasound attacks against digital assistants 0:17:51: Brace yourself for AI-enhanced email scams 0:27:45: Alcohol recovery startups shared patients' private data with advertisers 0:30:28: Google will require that Android apps delete your account and data 0:35:00: FBI Operation Cookie Monster shuts down popular...

Privacy Peeps Panel

3 april 2023 | 65 min

On today's show, I'll take you behind the scenes of not one, not two, but three different privacy websites. I ask Nate from The New Oil and Niek from Privacy Guides how they deal with being a public figures advocating for privacy, how they set their personal standards for privacy products, and how they cope with people and product makers who complain about their recommendations (or lack thereof). I ask them about some favorite products that they've had to remove from their recommended lists and where they go to keep up to date on privacy topics and products. Finally, I ask them what gives them hope about the future of privacy and what keeps them up at night. Interview Notes The New Oil: https://thenewoil.org/ Privacy Guides: https://www.privacyguides.org/ Techlore: https://techlore.tech/ Panopticon: https://en.wikipedia.org/wiki/Panopticon Naomi Brockwell on VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:02: Transcriptions coming! 0:04:25: Introductions 0:05:55: As a private person, what's it like putting yourself out there? 0:09:13: How do you handle the haters? 0:12:09: How do you keep up to date on privacy and related products? 0:15:29: How often have you had to reverse product recommendations? 0:20:33: How do you set the threshold for how private a product should be? 0:26:10: Where do YOU go to learn about privacy products and topics? 0:31:19: A little humility goes a long way 0:33:25: Choosing a good VPN provider 0:37:44: Should people use antivirus software? If so, which ? 0:40:57: How do you set and enforce your product recommendation criteria? 0:47:27: Do you think your standards help to improve the market? 0:49:08: What gives you hope about the future? And what keeps you up at night? 0:55:10: What can I do to further the cause of privacy? 0:59:05: Interview wrap-up 1:00:32: Dear Carey: Top privacy guidelines and topics for discussion?

Fingerprinting Your Devices

27 mars 2023 | 66 min

Marketers are desperately trying to follow us as we traverse the web. Tracking where we go and what we do allows them to better target us with ads. Browsers have built in protections to block older tracking techniques like cookies and tracking pixels, and so ad companies have had find new methods for identifying us across websites. Unfortunately, they've settled on a technique that is extremely difficult to defeat: fingerprinting. I'll explain what is, how it works, and what you can do to mitigate it. In other news: Google is warning Android users to update their devices right away in order to fix some truly nasty bugs; hackers are using malicious Chrome extensions to read your Gmail and potentially hack your Android device; popular fertility apps are collecting ridiculous amounts of highly personal data and sharing it with partners; scammers are using AI to simulate voices of people you know to steal your money; CISA has launched a great new ransomware vulnerability pilot program; I'll tell you why you should opt out of sharing your data with your mobile service provider; America's threatening to ban TikTok but this won't fix the real problem; the IRS is supposed to be moving away from ID.me authentication. Article Links [Naked Security] Dangerous Android phone 0-day bugs revealed – patch or work around them now! https://nakedsecurity.sophos.com/2023/03/17/dangerous-android-phone-0-day-bugs-revealed-patch-or-work-around-them-now/ [Tom's Guide] Hackers are stealing Gmail messages — delete this extension right now https://www.tomsguide.com/news/hackers-are-stealing-gmail-messages-delete-this-extension-right-now [The Conversation] Popular fertility apps are engaging in widespread misuse of data, including on sex, periods and pregnancy https://theconversation.com/popular-fertility-apps-are-engaging-in-widespread-misuse-of-data-including-on-sex-periods-and-pregnancy-202127 [consumer.ftc.gov] Scammers use AI to enhance their family emergency schemes https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes [cisa.gov] CISA Establishes Ransomware Vulnerability Warning Pilot Program https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program [briankrebs] Why You Should Opt Out of Sharing Data With Your Mobile Provider https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/ [The Washington Post] America’s online privacy problems are much bigger than TikTok https://www.washingtonpost.com/technology/2023/03/24/tiktok-online-privacy-laws/ Dear Carey: IRS plans to approve use of Login-dot-gov as Tax Day nears https://www.fcw.com/it-modernization/2023/03/plans-approve-use-login-dot-gov-tax-day-nears/383934/ Tip of the Week: https://firewallsdontstopdragons.com/how-to-block-web-fingerprinting/ Further Info Syncthing: https://syncthing.net/ KeePassXC: https://keepassxc.org/ IP address black list check: https://whatismyipaddress.com/blacklist-check EFF on TikTok: https://www.eff.org/deeplinks/2023/03/government-hasnt-justified-tiktok-ban Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:49: Local password vault sync solution 0:05:07: News preview 0:06:47: Dangerous Android Baseband Bugs Patched 0:18:19: Hackers stealing Gmail messages via browser plugin 0:22:29: Popular fertility apps are engaging in widespread misuse of data

Solving Your Password Problems

20 mars 2023 | 55 min

If for some reason you haven't started using a password manager yet, it's time to make the move. But how can you trust all these important secrets to some unknown company? How can you be sure that your password vault will be safe in a cloud-based service? And finally, how do you figure out which service is best for you? Today I'll ask Kasey Babcock from Bitwarden all those questions. We'll also talk about two-factor authentication and newer "passkeys" technology, Argon2 vs PBKDF2, and even how you might self-host a solution like Bitwarden if you want to have full control. Kasey Babcock is a Product Marketing Manager at Bitwarden, and she has many years of experience working at software start-ups in the cybersecurity and project portfolio management industries, working with product and engineering teams to communicate meaningful cybersecurity information and product updates. Interview Notes Bitwarden Personal: https://bitwarden.com/products/personal/ Bitwarden Secrets Manager: https://bitwarden.com/products/secrets-manager/ Bitwarden blog article: https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:02: Pre-interview notes 0:02:21: Why should people entrust their credentials to a password manager? 0:07:49: What is Argon2 and how does it compare to PBKDF2? 0:09:15: How can regular people evaluate the security of software products? 0:14:34: How important is it for security software to be open-source? 0:16:32: How do third party security audits work? 0:18:48: What is "pen testing"? 0:19:16: How much control do audited companies have over releasing audit results? 0:20:35: What are the benefits of self-hosting a solution like Bitwarden? 0:23:55: Should we trust cloud-based password vault storage? 0:25:29: What are some red flags to look for when evaluating security companies? 0:27:36: Bitwarden recently received $100M in funding - has this changed your focus? 0:30:57: What is "secrets management" for software developers? 0:33:31: What is "passwordless" and is it phishing-proof? 0:39:18: How do I set up and use passkeys? 0:44:09: How long before we can use passkeys? 0:45:42: Will passwordless systems still require two-factor auth? 0:48:22: What's next for Bitwarden? What features can we look forward to? 0:50:06: Interview wrap-up

Securing Your Home Network

13 mars 2023 | 67 min

Our devices are connected to the Internet 24/7 and the only thing separating them from the bad guys is usually your home router. In the era of smart devices and the Internet of Things (IoT), we also now have many more doohickeys connected to the Internet - most of them with crappy security. If one of those devices is compromised, the bad guys now have a beachhead from which to probe and attack all your other devices. In today's show, we'll review some important cybersecurity tips for our home network and connected devices. In other news: police raid homes of alleged ransomware gang; locally exploitable TPM 2.0 security flaws found; White House unveils comprehensive cybersecurity strategy; new LastPass breach details show specific employee was targeted at home; browser synchronization features may compromise employer systems; Catholic group buys data to target gay priests; private home webcams are a goldmine for police evidence gathering; telehealth companies leak sensitive patient data; ICE and Secret Service admit to using cell-site simulators to collect mass surveillance data. Article Links [The Verge] Police raid homes of alleged hackers who attacked hospital systems https://www.theverge.com/2023/3/6/23627238/hackers-ransomware-raid-german-ukrainian-police [TechSpot] Two security flaws in the TPM 2.0 specs put cryptographic keys at risk https://www.techspot.com/news/97824-two-security-flaws-tpm-20-specs-put-cryptographic.html [The Washington Post] Biden unveils cyber strategy that takes more aggressive regulatory approach https://www.washingtonpost.com/national-security/2023/03/02/cybersecurity-biden/ [Ars Technica] LastPass says employee’s home computer was hacked and corporate vault taken https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/ [Kaspersky] Disable browser synchronization in the office https://www.kaspersky.com/blog/disable-browser-sync-enterprise/47460/ [The Washington Post] Catholic group spent millions on app data that tracked gay priests https://www.washingtonpost.com/dc-md-va/2023/03/09/catholics-gay-priests-grindr-data-bishops/ [Electronic Frontier Foundation] Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones [POLITICO] The privacy loophole in your doorbell https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-00084979 [TechCrunch] Telehealth startup Cerebral shared millions of patients’ data with advertisers https://techcrunch.com/2023/03/10/cerebral-shared-millions-patient-data-advertisers/ [NPR] Personal information of members of Congress exposed in health data breach https://www.npr.org/2023/03/09/1162191035/personal-information-of-u-s-house-members-exposed-in-health-data-breach Securing Your Home Network: https://firewallsdontstopdragons.com/how-to-secure-your-home-network/ Further Info Apple’s HomeKit Secure Video: https://support.apple.com/en-us/HT210538 Shodan: https://www.shodan.io/ What’s My IP? https://www.whatismyip.com/ NSA home network security (PDF): https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF What a VPN Is (and Isn't): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/ Get your Dragon Swag! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show.

Designing Apps for Privacy

6 mars 2023 | 67 min

Privacy advocates like me implore people to use secure apps that protect their data. But how difficult is it to actually create those apps? How do you balance security and privacy against sharing features and ease of use? How do you earn the trust of your users and how do you keep that trust? When does being private begin to negatively impact your ability to participate in society? Today I'll ask Mo, the creator of the secure note-taking app Standard Notes, all of these questions and more - including his personal thoughts for how best to organize and back up your notes and other data. Interview Notes Standard Notes: https://standardnotes.com/ Write Fearlessly (blog article): https://standardnotes.com/why-encrypted Standard Notes YouTube channel: https://www.youtube.com/@standardnotes Second Brain note taking styles: https://fortelabs.com/blog/the-4-notetaking-styles-how-to-choose-a-digital-notes-app-as-your-second-brain/ Tresosit secure cloud storage: https://tresorit.com/individuals Sync.com secure cloud storage: https://sync.com/ Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support our mission! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:19: What is Standard Notes and how is it different? 0:06:19: What is true end-to-end encryption? 0:08:35: What does privacy mean to you? 0:14:14: What do people misunderstand most about privacy? 0:17:43: How do you secure a web app? 0:23:08: Does security preclude any popular app features? 0:27:31: Should we really encrypt everything? 0:33:30: How do you earn and keep your users' trust? 0:37:57: How important is humility and honesty in security marketing? 0:39:42: What is your note taking organizational strategy? 0:47:03: How do you figure out what organizational style works for you? 0:50:43: How do you make sure all your data is backed up and findable? 0:56:17: What does the future hold for privacy? 1:01:04: What's next for Standard Notes? 1:05:06: Interview wrap-up

Unmasking Shortened Links

27 februari 2023 | 64 min

Web links are great, when you're on the web. But if you need to read off or write down a web address, or URL, to someone else, anything beyond a simple domain name is going to be way too complicated. Ideally, you want something short and memorable. Enter link-shortening services like Bitly, Owly and others. These services convert long, ugly URLs to short, simple, memorable links. Unfortunately, this also obscures the actual link. When you click a shortened link, you have no idea where it will take you. Today, I'll give you some tools that will allow you to determine the final destination and even see an image of the site without actually going there. In other news: TikTok group teaches people how to hot-wire Kia and Hyundai cars; Twitter charges users for the least-secure two-factor authentication method; scam authenticator apps proliferation on the app store; Apple devices are being stolen after surreptitiously learning the lock codes; Google to launch Android Privacy Sandbox beta; Mozilla discovers huge discrepancies between actual privacy policies and the 'nutrition label' summaries on top Android apps; supermarkets track tons of user data via loyalty cards and apps; we need to create a much more robust and resilient internet; and the CEO of Safing answers a user question about Portmaster and SPN. Article Links [Lifehacker] TikTokers Are Hot-Wiring These Hyundai and Kia Cars https://lifehacker.com/tiktokers-are-hot-wiring-these-hyundai-and-kia-cars-1850113943 [Mashable] Twitter to charge users for SMS two-factor authentication https://mashable.com/article/twitter-removes-sms-2fa [9to5mac.com] Scam authenticator app advertising on App Store: Sends all your QR codes to the developer https://9to5mac.com/2023/02/21/scam-authenticator-app/ [MacRumors] Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' https://www.macrumors.com/2023/02/24/iphone-stolen-passcodes-report/ [The Verge] Google launches first Android beta for ad-tracking overhaul https://www.theverge.com/2023/2/14/23599027/google-android-privacy-sandbox-beta-advertising-tracking [foundation.mozilla.org] Mozilla Study: Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading [The Markup] Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You https://themarkup.org/privacy/2023/02/16/forget-milk-and-eggs-supermarkets-are-having-a-fire-sale-on-data-about-you [Schneier Blog] What Will It Take? https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html How to Reveal Shortened URLs: https://firewallsdontstopdragons.com/how-to-reveal-shortened-urls/ Further Info 2FA apps: https://lifehacker.com/the-best-authenticator-apps-for-iphone-and-android-1850140802 Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:47: Book out of stock? 0:01:45: News rundown 0:04:09: Hot-Wiring Hyundai and Kia Cars 0:09:11: Twitter to charge users for SMS 2FA 0:12:58: Scam authenticator apps 0:18:13: Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' 0:24:22: Google launches first Android beta for Privacy Sandbox 0:27:52: Data Privacy Labels in Google Play Store are False or Misleading 0:34:59: Supermarkets Are Having a Fire Sale on Data About You 0:44:41: Schneier: What Will It Take? 0:52:38: Dear Carey 0:55:53: Tip of the Week 1:01:21: Wrap up: merch store, previews

Fixing Social Media

20 februari 2023 | 70 min

Social media wasn't always so bad. It didn't use to collect so much information. It didn't use to feed us content we didn't ask for in an attempt to maintain our attention. Doom scrolling, virtue signaling, algorithmic feeds and misinformation bots are not natural extensions of social media. So what went wrong? And better yet, how can we fix it? Today I'll discuss all of these topics and more with Suzie Dawson, the founder of Panquake.com. She's on a mission to solve all of these problems and restore the promise of social media to be a positive force for society and serve the users, not corporations or governments. Interview Notes Panquake: https://panquake.com/ A Personal Message from our Founder (Suzie): https://vimeo.com/770524936 What is Panquake? https://vimeo.com/503223746 The Social Dilemma (documentary): https://www.thesocialdilemma.com/ Mastodon: https://joinmastodon.org/ Fediverse: https://www.eff.org/deeplinks/2022/11/fediverse-could-be-awesome-if-we-dont-screw-it Microsoft’s Decentralized Identity: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:18: interview preview 0:05:24: What is Panquake.com and why did you create it? 0:06:25: When and why did social media platforms go wrong? 0:07:55: Why is our relationship with Big Tech such an abusive one? 0:10:09: Are algorithmic feeds inherently bad or just exposing human nature? 0:15:25: How does Facebook learn so much about us? 0:16:24: Without algorithmic feeds, how do I discover new content? 0:17:51: How do you convince people to pay for their social media platform? 0:21:27: What other things do people hate about modern social media platforms? 0:25:53: What does it mean to be 'shadow banned'? 0:27:32: How can we stop malicious bot behavior? 0:30:39: What's the best way to implement account verification? 0:34:59: How do we spark a backwards paradigm shift? 0:36:44: What is the role of social media platforms in moderating content? 0:40:00: How does moderation vary globally? 0:41:23: Is TikTok more dangerous to society than Twitter or Facebook? 0:47:21: What is the "Fediverse" and how does it work? 0:53:40: How important is data portability or ownership? 0:58:34: What's next for Panquake? 1:03:19: Suzie asks ME a question! 1:04:56: Interview wrap-up 1:05:41: patron bonus content and benefits 1:06:43: Swag Shop is OPEN! 1:08:43: Upcoming interviews

Where & Why to Plant Your Flag

13 februari 2023 | 62 min

As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before bad guys do this on your behalf. Furthermore, as a home owner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I'll tell you where and why to plant your flag. In other news: Booking.com reservation data being used to scam customers; top background check service customers' data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST proposes security protocols for low-power IoT devices. I also answer a listener question about IPv4 vs IPv6. Article Links [Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/ [TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach [Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/ [The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx – The Markup https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx [Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html [9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/ [PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html [Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims [ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/ Further Info Order the new 5th edition of my book! https://fdsd.me/book OSINT Tools: https://inteltechniques.com/tools/index.html WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:29: News preview 0:03:58: Booking.com users being targeted with convincing scams 0:09:11: Top background check services hit by data breach 0:12:16: Finnish psychotherapy extortion suspect arrested 0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem 0:23:23: ACLU pushes back against Google geofence warrants 0:31:07: Anker admits to lying about Eufy security camera e...

Combatting Surveillance Capitalism

6 februari 2023 | 66 min

The business of data mining and behavioral advertising has never been stronger or more ubiquitous. And yet, cracks are beginning to appear in the foundations of surveillance capitalism. Nowhere is this more evident than in the European Union where advertising behemoths like Google and Meta (parent company of Facebook) have suffered a series of legal defeats at the hands of aggressive privacy regulators. The GDPR has provided a framework for curtailing rampant abuses of the advertising industry and its promise is finally coming to fruition. Today I'll speak with Johnny Ryan from the Irish Council for Civil Liberties, who is fighting for all of us on the front lines of the war for privacy. Johnny Ryan works at the Irish Council for Civil Liberties and he was previously Chief Policy Officer at Brave. He has testified and spoken at the US Senate, the European Commission, and the European Parliament. Interview Notes Irish Regulators Fine Facebook $414 Million https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html Irish Council for Civil Liberties: https://www.iccl.ie/ Ep231: Selling You Out to the Highest Bidder https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/ Fair Information Practice Principles (FIPPs): https://en.wikipedia.org/wiki/FTC_fair_information_practice Diesel-Gate: https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:23: The 5th edition is OUT!! 0:02:50: Interview prep 0:05:02: Give us a refresher on how behavioral ads work 0:08:41: Why was Meta fined and will they be able to appeal? 0:18:40: How does tracking consent work now and how should it work? 0:26:25: How are these fines determined and why wasn't this one bigger? 0:29:52: What changes we will see as a result of this and by when? 0:32:45: Will this ruling affect other companies, as well? 0:34:11: Will this ruling affect more than just notice and consent? 0:36:19: Why can't we just go back to context-based ads? 0:41:15: Are behavior-based ads really more valuable? 0:43:52: Is there more private way to have targeted ads? 0:47:18: Will Google's new ad framework just solidify their dominance? 0:51:42: Won't intelligence agencies abuse all of the data collected about us? 0:57:41: Has surveillance capitalism peaked? What does the future look like? 1:02:02: Interview follow-up 1:03:32: Getting the book on people's radars

Data Privacy Week 2023

30 januari 2023 | 61 min

Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day. In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous "malvertising" campaign mimics popular software to steal info; the previously-secret "no fly" list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I'll answer a Dear Carey question about Plain, the service that allows financial tech aggregators to access your account information and my Tip of the Week will explain Apple's new Advanced Data Protection feature. Article Links [NPR] FBI says it 'hacked the hackers' to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group [Tom's Guide] This Windows malware is stealing passwords and other data — how to stay safe https://www.tomsguide.com/news/this-windows-malware-is-stealing-passwords-and-other-data-how-to-stay-safe [TechSpot] New malware dubbed "Hook" allows hijacking and real-time spying on Android devices https://www.techspot.com/news/97356-new-malware-dubbed-hook-allows-hijacking-real-time.html [TechRadar] This dangerous malvertising campaign mimicks popular software to steal victim info https://www.techradar.com/news/this-dangerous-malvertising-campaign-mimicks-popular-software-to-steal-victim-info [BleepingComputer] Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/ [BleepingComputer] PayPal accounts breached in large-scale credential stuffing attack https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/ [Naked Security] T-Mobile admits to 37,000,000 customer records stolen by “bad actor” https://nakedsecurity.sophos.com/2023/01/20/t-mobile-admits-to-37000000-customer-records-stolen-by-bad-actor/ [9to5mac.com] Twitter GodMode still available to all engineers, following hack of Apple and other accounts https://9to5mac.com/2023/01/24/twitter-godmode/ Dear Carey: Is Plaid Safe? https://www.allthingssecured.com/reviews/security/is-plaid-safe-to-use/ Apple’s Advanced Data Protection: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web Apple recovery contact: https://support.apple.com/en-us/HT212513 Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023 Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:04: News rundown 0:03:19: FBI shuts down Hive ransomware group 0:07:34: New Windows malware steals data 0:12:07: New Android malware that completely takes over device 0:15:43: Malvertising campaign mimicks popular software apps 0:19:44: Secret "no fly list" leaked online 0:24:26: PayPal accounts accessed via credential stuffing attack 0:28:06: T-Mobile admits 37M customer records stolen 0:31:31: Twitter's GodMode tool is still available to engineers 0:34:59: Dear Carey: Is Plaid safe? 0:45:41: Tip of the Week: Apple's Advanced Data Protection 0:53:54: 5th edition update and cool resources 0:56:56: How you can help

Using Aliases to Improve Privacy

23 januari 2023 | 56 min

Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It's no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It's not as hard as you think, and it's getting easier all the time. This is a privacy concept called aliasing and we'll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim. Interview Notes SimpleLogin: https://simplelogin.io/ Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Fastmail Masked Email: https://www.fastmail.help/hc/en-us/articles/4406536368911-Masked-Email Apply Private Relay: https://support.apple.com/en-us/HT212614 DuckDuckGo Private Email: https://spreadprivacy.com/introducing-email-protection-beta/ MySudo: https://mysudo.com/ Hushed: https://hushed.com/ Privacy.com: https://privacy.com/ Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023 Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: Book updates 0:03:10: Interview setup 0:03:57: What is SimpleLogin ? 0:05:04: How are email addresses used to track us? 0:06:19: Why do we use email addresses as user names? 0:09:42: How do normal email services provide aliases? 0:11:18: How does email subaddressing work? 0:13:05: How do modern email aliases work? 0:16:34: Do replies to alias emails expore your real address? 0:20:05: How do you use aliases to manage spam? 0:22:38: Can emall alias services read my emails? 0:23:36: How do you know you can trust an email alias provider? 0:26:41: How can you use domain names and catch-all aliases to fight spam? 0:30:52: Why are email aliases sometimes rejected? 0:34:45: What happens to my aliases if the service goes away? 0:36:50: What are the security benefits of using aliases? 0:39:44: Why is it so hard to create a phone number alias? 0:42:52: How can I get a second phone number? 0:47:13: Why are phone aliases often rejected? 0:49:15: What other ways can we use aliasing to improve privacy? 0:52:27: interview wrap-up

New Year’s Resolutions: 2023

16 januari 2023 | 64 min

It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today's show I'll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I've also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I'll answer a listener question on tracking in beta software. And then I'll cover several news stores: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran's citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blockers; dozens of telehealth companies sharing sensitive health information with Big Tech companies. Article Links [TechCrunch] A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/ [BleepingComputer] NortonLifeLock warns that hackers breached Password Manager accounts https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/ [Metro] Russian hackers suspected to be behind Royal Mail cyber attack https://metro.co.uk/2023/01/13/russian-hackers-suspected-to-be-behind-royal-mail-cyber-attack-18093326/ [techmonitor.ai] Iran’s citizens targeted by EyeSpy spyware hidden in VPNs https://techmonitor.ai/technology/cybersecurity/eyespy-spyware-iran-vpn [Lifehacker] Windows 7 Is Officially Dead https://lifehacker.com/windows-7-is-officially-dead-1849966248 [briankrebs] Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/ [Kaspersky] Rise of the robot vacuum cleaners https://www.kaspersky.co.uk/blog/robot-vacuum-privacy/25348/ Bonus: https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/ [TechCrunch] Even the FBI says you should use an ad blocker https://techcrunch.com/2022/12/22/fbi-ad-blocker/ [The Markup] “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies https://themarkup.org/privacy/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023 Data Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ BitWarden vault backup: https://community.bitwarden.com/t/how-to-a-users-guide-to-backing-up-your-bitwarden-vault/44083 Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:08: Big sale on pre-order of my book 0:03:05: Show preview 0:04:44: LastPass update 0:09:21: Password innovation ideas 0:13:59: watchdog cracks federal agency’s passwords in minutes 0:17:33: NortonLifeLock warns of account breaches 0:21:31: Russian hackers suspected in Royal Mail cyber attack 0:24:29: Iran’s citizens targeted by spyware in VPNs 0:26:53: Windows 7 Is Officially Dead

Privacy Tide is Turning

9 januari 2023 | 58 min

Facebook stock is down 65%, they just paid $725M to settle the Cambridge Analytica lawsuit, and they've just been fined over $400M by the EU. But that's not the worst part (for Meta). The EU and its General Data Protection Regulation (GDPR) is basically saying that its entire business model - surveillance capitalism - is wrong and must stop. That's the same business model used by Google, too. It really seems that the tide is finally turning in favor of user privacy as more nails are hammered into the coffin of behavior-based advertising. In other news: the first LastPass class actions lawsuit has been filed over the recently announced data breach; WhatsApp adds a feature to bypass internet censorship by repressive regimes; Pornhub is now requiring viewers from Louisiana to verifying the age via ID; data from up to 400M Twitter accounts is up for sale; a military device containing information including biometric scans of over 2000 people was bought on eBay for $68; Mom and daughter kicked out of Rockettes show in Radio City Music Hall. Plus, a Dear Carey question and my Tip of the Week. Article Links [TechRadar] LastPass is being sued following major cyberattack https://www.techradar.com/news/lastpass-is-being-sued-following-cyberattack [The Washington Post] WhatsApp adds feature to bypass internet censors in repressive regimes https://www.washingtonpost.com/technology/2023/01/06/whatsapp-proxy-server-address/ [The Verge] Meta agrees to pay $725 million to settle Cambridge Analytica class action lawsuit https://www.theverge.com/2022/12/23/23523862/meta-cambridge-analytica-class-action-lawsuit-settlement-725-million [The Hacker News] Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html [Ars Technica] Pornhub requires ID from Louisiana users to comply with state’s new porn law https://arstechnica.com/tech-policy/2023/01/no-porn-without-id-louisiana-law-forces-porn-sites-to-verify-users-ages/ [Naked Security] Twitter data of “+400 million unique users” up for sale – what to do? https://nakedsecurity.sophos.com/2022/12/28/twitter-data-of-400-million-unique-users-up-for-sale-what-to-do/ [The New York Times] For Sale on eBay: A Military Database of Fingerprints and Iris Scans https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html [Ars Technica] MSG defends using facial recognition to kick lawyer out of Rockettes show https://arstechnica.com/tech-policy/2022/12/facial-recognition-flags-girl-scout-mom-as-security-risk-at-rockettes-show/ [Lifehacker] You Can Disable Google Sign-in Pop-ups on All Websites https://lifehacker.com/you-can-disable-google-sign-in-pop-ups-on-all-websites-1849913714 Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023 LastPass breach info: https://firewallsdontstopdragons.com/special-lastpass-breach/ Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:09: Show preview 0:03:01: LastPass updates and first law suit 0:12:22: WhatsApp adds feature allowing censorship bypass 0:15:19: Facebook settles Cambridge Analytica suit for $725M 0:16:50: Irish Regulators Fine Facebook $414 Million 0:21:34: Pornhub requires ID from Louisiana users 0:27:11: 400M+ Twitter users data for sale 0:35:22: Military device with biometric data found on eBay

SPECIAL: LastPass Breach

2 januari 2023 | 84 min

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users' encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people's password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don't know, what we should learn from the incident, and (most importantly) what LastPass users should do about this. Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo. Interview Notes SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/ Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000 Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/ Mastodon technical thread #1: https://mastodon.social/@[email protected]/109585049690097599 Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700 My “diceware” passphrase generator: https://d20key.com/ My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/ How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/ Classic XKCD cartoons on passphrases: https://xkcd.com/936/ Consumer Reports Security Planner: https://securityplanner.consumerreports.org/ Further Info Follow me on social media: https://firewallsdontstopdragons.com/contact/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:47: Ep300 giveaway updates 0:03:15: interview setup 0:08:17: What do we know about the LastPass breaches? 0:13:25: Were all LastPass users affected? 0:15:03: How is my LastPass data secured, exactly? 0:19:53: What is PBKDF2 and why are iterations important? 0:23:10: Did LastPass increase the iterations for all users over time? 0:26:46: Is any information in my password vault not encrypted? 0:29:35: How do I know if my vault password is strong enough? 0:36:13: What if I didn't have a strong vault password? What should I do? 0:41:47: Do we have any evidence that people's vaults have been cracked? 0:45:34: Did LastPass handle this properly? 0:50:50: What can the government do to help here? 0:53:30: Should LastPass users switch to a different service? 0:57:11: Will passwordless authentication solve this problem? 1:01:03: What are the key take-aways here? 1:02:37: My take on the breach and what you should do about it

Building a Better Private Network

26 december 2022 | 65 min

All our devices and apps use the internet these days. But what are they doing on the internet, exactly? Who are they talking to? You'd be surprised. But there are tools which will not only let you see what they're up to, but also let you have fine-grain control over what communications you want to allow. But just the mere fact that they're sending and receiving data to and from multiple sources can be revealing, too. While VPN's are good for adding a layer of security, they're really not great at adding privacy - despite having "private" in the name. Thankfully, there's a new service that can help there, too. We'll be discussing network privacy and how we can improve it with the CEO of Safing, Raphael Fiedler. Raphael Fiedler is the CEO of Safing, a speaker on topics about privacy, and a regular co-host on an InfoSec podcast. Interview Notes Safing.io, Portmaster, Safing Privacy Network (SPN): https://safing.io/ Securitized podcast: https://www.securityzed.com/ The Hut Six Story: Breaking the Enigma Codes https://www.amazon.com/Hut-Six-Story-Breaking-Enigma/dp/0947712348 Naomi Brockwell, The Dark Side of VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok OSI Layer Model: https://en.wikipedia.org/wiki/OSI_model Nym network: https://nymtech.net/ SPN white paper: https://safing.io/files/whitepaper/Gate17.pdf Further Info 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents 0:00:35: Promotions update - last call! 0:02:11: Interview preview 0:04:41: How did Safing start? What problems are you trying to solve? 0:07:57: What are the most likely threats to our home network? 0:10:12: Are our devices and apps tattling on us? 0:14:14: What can an application firewall do for us? 0:17:04: Given broad use of HTTPS, do we need VPNs like we used to? 0:19:30: Can we collect useful analytics and still preserve privacy? 0:23:46: Which VPN marketing claims are bogus or misleading? 0:29:31: How does a decentralized VPN work? 0:33:10: What is the value of a decentalized VPN? 0:35:13: How is your SPN different from a VPN? 0:41:10: Who owns the SPN exit nodes? 0:43:27: Can your SPN mix traffic amongst backbone providers? 0:48:18: Can an SPN do anything to prevent fingerprinting? 0:51:14: Does a multi-connection SPN confuse some websites or apps? 0:54:28: How does the SPN compare to Tor or Apply Private Relay? 1:00:22: What's the roadmap look like for Portmaster and SPN? 1:03:30: Wrap-up

Best of 2022!

19 december 2022 | 72 min

The year is almost over and as we head into the holiday season I wanted to reminisce with some of my favorite snippets from the last year! Unlike in previous 'best of' shows, I've actually included some new snippets from my private podcast, to give you a little taste of the bonus content that I create for my patrons! The links in the show notes will take you to the full episodes, including all the relevant 'further information' links associated with them. Happy holidays, everyone!! Article Links Ep267: Luck Favors the Prepared https://podcast.firewallsdontstopdragons.com/2022/04/11/luck-favors-the-prepared/ Ep279: Necessary Chaos: https://podcast.firewallsdontstopdragons.com/2022/07/04/necessary-chaos/ Ep272: Tomatoes & Telegraphs: https://podcast.firewallsdontstopdragons.com/2022/05/23/tomatoes-telegraphs/ Ep275: Cryptocurrency 101: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/ Ep283: No Place Left to Hide: https://podcast.firewallsdontstopdragons.com/2022/08/01/now-place-left-to-hide/ Ep287: The Night the Lights Went Out in Vegas: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/ Ep289: Decoding Computers & Software: https://podcast.firewallsdontstopdragons.com/2022/09/12/decoding-computers-software/ Ep292: Capture the Flag for Fun & Profit: https://podcast.firewallsdontstopdragons.com/2022/10/03/capture-the-flag-for-fun-profit/ Steganography: https://en.wikipedia.org/wiki/Steganography Further Info Give the gift of security and privacy! https://fdsd.me/coupons 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:17: Ep267: How the internet works 0:10:23: Ep279: Getting into electronics and hacking 0:16:22: Ep273: The invention of the one-time pad 0:24:36: Ep275: Why do we need cryptocurrency? 0:30:26: Ep283 BONUS: What's it like arguing in front of the Supreme Court? 0:35:33: Ep283: This suspect looks just like Woody Harrelson! 0:40:26: Ep287: The time DEF CON almost ended 0:49:15: Ep289: The historical origins of software and storage 0:56:28: Ep292: Ender's Game-ing a hacker tournament 1:02:20: Ep288 Merlin's Musings: Steganography 1:10:39: Wrap-up

We Are the Cavalry

12 december 2022 | 69 min

Today when computer systems fail, they can cause real, physical harm. In just the last few years, we've seen cyber attacks interfere with our food supply, tamper with city water supplies, and disrupt gas pipelines. While cheap consumer electronics often have poor security, medical devices like insulin pumps and pacemakers are also vulnerable to attack - and the consequences of failure can be lethal. The free market doesn't reward better security. Regulations are weak or nonexistent, regulators are understaffed and underfunded. Targeted organizations lack sufficient funding, training and personnel to prepare and respond. They need help. I Am the Cavalry aims to engage technologists and hackers to ride to the rescue. Joshua Corman is VP of Cyber Safety Strategy at Claroty, Founder of I am The Cavalry, and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety. Interview Links I Am The Cavalry: https://iamthecavalry.org/ BSides 2022 Cavalry presentation: https://www.youtube.com/watch?v=aw3egJej7so The Cavalry Isn’t Coming (DEF CON 21 talk): https://www.youtube.com/watch?v=2kMGdkOMSK0 Rugged Software Manifesto: https://github.com/rugged-software/rugged-software.github.io CISA Bad Practices: https://www.cisa.gov/BadPractices CISA Information Sharing and Awareness: https://www.cisa.gov/information-sharing-and-awareness Maslow’s Hierarchy of Needs: https://www.simplypsychology.org/maslow.html Click Here to Kill Everyone: https://www.schneier.com/books/click-here/ SBOM interview: https://podcast.firewallsdontstopdragons.com/2021/07/19/its-time-to-drop-the-sbom/ My Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/ Further Info 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:28: Giveaway and promotion update 0:02:46: Holiday gift ideas 0:03:59: Interview preview 0:08:35: How did I Am the Cavalry get started? 0:16:52: How does focusing on physical harms change your approach to cybersecurity? 0:20:33: Why is it so important to 'meet people where they are'? 0:23:40: How do you best help organizations that are target rich but cyber poor? 0:31:47: What is the crawl, walk, run progression? 0:34:33: Why is it so important to compartmentalize systems? 0:35:56: How do we do a better job of designing security in from the start? 0:39:01: Is it safer for small companies to use managed services? 0:42:17: What role should the government play here? 0:52:57: If I want to get help for my organization, where should I go? 0:58:18: What's next for the Cavalry and how can I get involved? 1:05:09: Interview wrap-up 1:06:35: Book recommendations 1:07:43: Preview of upcoming shows

Tis the Season for Scams

5 december 2022 | 69 min

Tis the season for giving... and unfortunately, also for taking. Scammers tend to be extremely active during the holiday season. We're buying lots of stuff online, having lots of packages delivered. We're away from our homes for extended periods of time. We're giving money to charities. We're firing up new tech toys. The bad guys know this and are happy to take advantage of our chaotic holiday schedule and unusual levels of spending and giving. I'll give you some top tips to avoid being a victim this holiday season. In other news: the SFPD wants to arm its law enforcement robots; the TSA is expanding the use of facial recognition at airports; Microsoft warns of malware coming from Google Ads; a new study shows that computer repair shops may be accessing your personal data; WhatsApp data breach affects nearly 500M users; Twitter data breach was far worse than reported; Meta shuts down covert US propaganda operation; US watchdog raises warning for offshore oil and gas rig security; a new malware campaign bypasses Windows protections; LastPass admits to customer data breach caused by previous breach; and Anker's Eufy cameras caught sending data to cloud without user consent. Article Links [Electronic Frontier Foundation] Red Alert: The SFPD want the power to kill with robots https://www.eff.org/deeplinks/2022/11/red-alert-sfpd-want-power-kill-robots [The Washington Post] TSA now wants to scan your face at security. Here are your rights. https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/ [BleepingComputer] Brave starts showing "privacy-preserving" ads in search results https://www.bleepingcomputer.com/news/technology/brave-starts-showing-privacy-preserving-ads-in-search-results/ [Tech.co] Microsoft Warns Hackers Use Google Ads to Deliver Ransomware https://tech.co/news/microsoft-warns-hackers-google-ads-ransomware [Ars Technica] Thinking about taking your computer to the repair shop? Be very afraid https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/ [TechRadar] WhatsApp data breach sees nearly 500 million user records up for sale https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale [9to5mac.com] Massive Twitter data breach was far worse than reported, reveal security researchers https://9to5mac.com/2022/11/25/massive-twitter-data-breach/ [BleepingComputer] Meta links U.S. military with covert Facebook influence operation https://www.bleepingcomputer.com/news/security/meta-links-us-military-with-covert-facebook-influence-operation/ [TechCrunch] US offshore oil and gas rigs at ‘significant’ risk of cyberattacks, warns watchdog https://techcrunch.com/2022/11/22/offshore-oil-gas-cyberattacks-watchdog/ [TechRadar] This new malware is able to bypass all of Microsoft's security warnings https://www.techradar.com/news/this-new-malware-is-able-to-bypass-all-of-microsofts-security-warnings [Naked Security] LastPass admits to customer data breach caused by previous breach https://nakedsecurity.sophos.com/2022/12/02/lastpass-admits-to-customer-data-breach-caused-by-previous-breach/ [MacRumors] Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/ Tip of the Week: Tis the Season for Scams: https://firewallsdontstopdragons.com/how-to-avoid-holiday-scams/ Further Info Boston Dynamics robodog: https://www.youtube.com/watch?v=6Zbhvaac68Y This Person Doesn’t Exist: https://thispersondoesnotexist.com/ 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book

300th Episode!!

28 november 2022 | 67 min

I can't believe I've been doing this for 300 weeks - almost 6 years now! And returning for his 3rd "podcentennial" episode is world-renowned security guru Bruce Schneier! Today we'll discuss hacking - not just in the realm of computers, but in legal, political, social and economic spaces. And then we'll talk about how artificial intelligence and computer automation are starting to play a significant role in hacking all of these realms. Computers and AI expand the scope, scale and speed of hacking and we're honestly not prepared for it. To celebrate the 300th episode and the coming release of the 5th edition of my book, today I'm kicking off a big giveaway with lots of prizes and a killer promotion for patrons on Patreon! (See below for links.) Bruce Schneier is an internationally renowned technologist and security guru. He is the author of over one dozen books, including his latest, A Hacker’s Mind, due out in February, I believe. He has testified before Congress and has served on several government committees and corporate boards, written many seminal papers, has a very popular blog called Crypto-Gram, and last but not least, Bruce is the Chief of Security Architecture at Inrupt. Further Info 300th episode promotion: https://firewallsdontstopdragons.com/enter-to-win-300th-podcast-giveaway/ Patron promotion: https://www.patreon.com/posts/december-patron-75151773 The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html A Hacker’s Mind book: https://www.schneier.com/books/a-hackers-mind/ Give the gift of security & privacy: https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/ Check out my Best & Worst Gifts Guide for 2022: https://firewallsdontstopdragons.com/best-worst-gifts-2022/ The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html A Hacker’s Mind book: https://www.schneier.com/books/a-hackers-mind/ The Trolley Problem: https://en.wikipedia.org/wiki/Trolley_problem Gödel's incompleteness theorems: https://en.wikipedia.org/wiki/G%C3%B6del's_incompleteness_theorems Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Interview preview 0:02:29: Interview start 0:03:13: How does hacking differ from inventing or just cheating? 0:07:14: What is artificial intelligence and when will it be like teh sci-fi version? 0:11:32: Do we have to worry about AI replacing us or taking over? 0:13:57: Can we program human values into AI systems? 0:18:09: Why are reward and goal alignment so crucial for AI? 0:20:28: Will we ever implicitly trust AI if we can't explain its answers? 0:25:37: Do we put too much trust in some AI systems? 0:27:59: How might AI systems be used to hack financial or political systems? 0:33:26: Can we govern AI systems with human laws? 0:36:40: Are non-computer systems more susceptible to hacks due to uncodified norms? 0:42:41: Can AI think outside the box if it doesn't understand the box? 0:48:05: How does terrorism hack our brains and how do we prevent that? 0:53:35: What are some Utopian possibilities for AI? 0:55:08: How do we get more public interest technologists? 0:56:28: Interview wrap-up 0:58:19: 300th podcast giveaway! 1:01:49: Patron promotion!

Best & Worst Gifts for 2022

21 november 2022 | 76 min

Black Friday is just around the corner, which marks the unofficial launch of the holiday shopping season. As you're considering what gifts to give to your loved ones this year, I want to make sure you're thinking about the privacy and security aspects. To that end, I have updated my annual Best and Worst Gift Guide and I will go over the highlights in this episode for my Tip of the Week. But I also have a special new gift idea this year: security and privacy coupons that you can download and give to your loved ones! In the news: USPS tells customers to avoid using the big blue mailboxes for gifts and important letters during the holiday season; Google pays nearly $400M fine to 40 states who sued over location tracking; Medibank refuses to pay ransom for data and criminals are starting to leak sensitive medical records online; TransUnion reports a data breach; FBI director warns that TikTok is a national security risk; Lenovo laptops are exposed to UEFI malware risks (update now); a mysterious company with government ties and a history of spying has become a root certificate authority; the British government is scanning its citizens devices looking for vulnerabilities in hopes of fixing them; almost 50% of all Mac malware can be traced to a single, security application; Apple apps are sending tons of analytics data to Apple even when analytics are disabled; I answer a listener question (Dear Carey) about the best Mastodon clients, in the wake of the Twitter collapse. Article Links [Lifehacker] Avoid Using Blue Mailboxes During the Holidays, USPS Warns https://lifehacker.com/avoid-using-blue-mailboxes-during-the-holidays-usps-wa-1849773201 [The Hacker News] Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html [CPO Magazine] Medibank Refuses Ransom Payments, Hackers Leak Stolen Health Data to Dark Web https://www.cpomagazine.com/cyber-security/medibank-refuses-ransom-payments-hackers-leak-stolen-health-data-to-dark-web/ [BGR] TransUnion data breach compromises financial information of consumers https://bgr.com/tech/transunion-data-breach-compromises-financial-information-of-consumers/ [USA TODAY] FBI director says TikTok poses national security threat, and he's 'extremely concerned' https://www.usatoday.com/story/tech/2022/11/16/tiktok-poses-national-security-threat-fbi/10709987002/ [Ars Technica] Lenovo driver goof poses security risk for users of 25 notebook models https://arstechnica.com/information-technology/2022/11/lenovo-patches-secure-boot-vulnerabilities-that-imperil-25-notebook-models/ [The Washington Post] Mysterious company with government ties plays key internet role https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ [Bleeping Computer] British govt is scanning all Internet devices hosted in UK https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/amp/ [Tom's Guide] Almost 50% of macOS malware reportedly comes from single app — delete it now https://www.tomsguide.com/news/new-report-says-nearly-half-of-macos-malware-comes-from-single-app-delete-it-now [Gizmodo] Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558 Dear Carey: Mastodon clients. https://joinmastodon.org/apps https://bilge.world/mastodon-ios-apps Further Info Best & Worst Gifts for 2022: https://firewallsdontstopdragons.com/best--worst-gifts-2022/ Privacy & Security Coupons: https://fdsd.me/coupons Give thanks and donate! https://firewallsdontstopdragons.com/give-thanks-donate/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdo...

Surveying the Digital Explosion

14 november 2022 | 61 min

Connected computers have changed the world perhaps more than any other single invention. The impacts of nearly instant global communication and effectively infinite, perfect storage of information are at once undeniable and difficult to fully comprehend. And yet, technologists, bureaucrats and corporate leaders make decisions on a daily basis that should be considering the repercussions. Just because you can do something doesn't mean you should. Today, we'll discuss the digitization of the world and some of the more important impacts it has had and is having on society with the authors of the book Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion. Harry Lewis, former Dean of Harvard College, is Gordon McKay Professor of Computer Science at Harvard. Ken Ledeen is the Chairman and Chief Executive Officer at Nevo Technologies, Inc., a software development and information technology consulting firm located in Cambridge, Massachusetts. Wendy Seltzer is Strategy Lead and Counsel to the World Wide Web Consortium (W3C) at MIT, improving the Web’s security, availability, and interoperability through standards. Further Info Buy or download Blown to Bits: https://www.bitsbook.com/thebook/ Weird Marketing Tales interviewed me: https://weirdmarketingtales.com/why-firewalls-dont-stop-dragons-carey-parker-privacy-security/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:16: interview start 0:04:03: What brought you all together to write this book? 0:05:28: What are the biggest changes since the first edition? 0:10:04: What were the impacts of the Edward Snowden revelations? 0:12:44: How do we resolve the tension between privacy and law enforcement? 0:16:43: Are computer systems free from bias? 0:19:22: How do algorithms impact judicial decisions? 0:20:45: Why is it hard to explain how AI systems make decisions? 0:28:33: What is net neutrality and who are the gatekeepers today on the internet? 0:31:59: Have we lost the original Utopian ideal of the internet? 0:35:41: How have content moderation and personalization affected our experience? 0:40:48: How do these companies hyper-personalize the web? 0:45:44: Are we changing our own behaviors to game the algorithms? 0:47:35: Are bits more fragile than parchment and cave paintings? 0:53:29: What gives you hope? What keeps you up at night? 0:58:12: Interview wrap-up 0:59:34: Upcoming shows, promotions, interviews

Redirect Ransom

7 november 2022 | 59 min

QR codes are not inherently dangerous. They're effectively links we can click in the real world using the camera app on our phone. Like hyperlinks on a web page, QR code "links" can take you to good websites or bad websites. They can also disguise their ultimate destination by using URL shortening services like bitly or owly. But now "free" QR code generator websites - that is, sites that will let you create one of these QR codes by entering the HTTP link you want it to take people to - are using these redirects to basically hold your QR code for ransom. The QR codes they give you use the redirect links to insert themselves into the middle - and after some time, they will stop working until you subscribe and pay them money. If you've already printed these codes on hundreds of business cards or dozens of plaques for your restaurant, they they've really got you over a barrel. I'll help you avoid these scams. In other news: Microsort warns that attackers are quickly leveraging newly reported zero-days; some Chrome extensions are making money by inserting affiliate links for thousands of websites; Microsoft appears to be readying a useful PC cleanup tool for release; Apple clarifies its policy on security updates for older OS releases; a report details how hidden AI algorithms are affecting the lives of DC residents; facial recognition systems are being installed in many soccer stadiums; Uber is planning to bombard their users with ads; Clearview AI has been fined 30M euros by France; Apple is ramping up its own ads on its various apps and devices; and I answer another Dear Carey question, this one on the case that is bringing Section 230 in front of the Supreme Court. Article Links [Hacker News] Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html [BleepingComputer] Chrome extensions with 1 million installs hijack targets’ browsers https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/ [PCWorld] Microsoft’s surprise PC Manager system optimizer takes aim at CCleaner https://www.pcworld.com/a rticle/1360140/microsoft-releases-beta-of-a-ccleaner-style-pc-manager-tool.html [Ars Technica] Apple clarifies security update policy: Only the latest OSes are fully patched https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/ [WIRED] Algorithms Quietly Run the City of DC—and Maybe Your Hometown https://www.wired.com/story/algorithms-quietly-run-the-city-of-dc-and-maybe-your-hometown/ [WIRED] Soccer Fans, You’re Being Watched https://www.wired.com/story/soccer-world-cup-biometric-surveillance/ [Gizmodo] Uber Plans to Advertise to You At Every Stage of Your Ride, Using Your Own Data https://gizmodo.com/uber-ads-ride-share-uber-eats-1849678092 [Naked Security] Clearview AI image-scraping face recognition service hit with €20m fine in France https://nakedsecurity.sophos.com/2022/10/26/clearview-ai-image-scraping-face-recognition-service-hit-with-e20m-fine-in-france/ [Lifehacker] How to Block Apple’s Own Ads on Your iPhone https://lifehacker.com/how-to-block-apple-s-own-ads-on-your-iphone-1849703889 Tip of the Week: https://firewallsdontstopdragons.com/qr-code-scams-revisited/ Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:42: Countdown to 300

Building Trust with Privacy

31 oktober 2022 | 65 min

It's easy to tell people to use this or that privacy tool, but this always assumes that you trust the service that is providing that tool. How can mere mortals ever hope to obtain sufficient knowledge of the inner workings of these products and service providers that would allow them to make an informed decision? Today, I'll ask Adrianus Warmenhoven from Nord VPN that question, along with questions about normalizing surveillance and what privacy really means in our digital internet society. Adrianus Warmenhoven is a Defensive Strategist and Threat Intelligence Manager at NordVPN. He is responsible for getting the most relevant IOCs (Indicators of Compromise), malware samples and their indicators and generally mapping out the threat landscape for the company’s customers. Interview Links Nord VPN: https://nordvpn.com/The Follower: https://driesdepoorter.be/thefollower/ Five-Eyes Countries: https://en.wikipedia.org/wiki/Five_Eyes Electronic Frontier Foundation: https://www.eff.org/ Mozilla Foundation: https://foundation.mozilla.org/en/ Give thanks and donate: https://firewallsdontstopdragons.com/give-thanks-donate/ Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:26: Elon Musk buys Twitter0:01:31: What is Mastodon?0:02:36: Interview preview0:04:13: Tell us about Nord and what you do there0:05:25: What is most misunderstood about privacy?0:07:53: How does my privacy overlap your privacy?0:10:08: What threats to privacy aren't getting enough attention?0:13:02: Doesn't capitalism require companies to monetize our data?0:16:26: Is it possible compartmentalize our lives today?0:18:32: Why can't we learn that just because we can doesn't mean we should?0:22:09: How does privacy in the physical world differ from online?0:24:21: Have we normalized surveillance for the younger generation?0:30:22: How do we know which companies to trust with our privacy?0:38:11: How can companies avoid gathering user data?0:42:47: How important is transparency for consumers?0:45:48: How do VPNs work and how do they fail?0:48:46: How important is it for privacy companies to be in favorable jurisdictions?0:52:19: How can I get more involved with privacy rights?0:56:03: What gives you hope?0:57:59: Bonus content0:58:54: Interview wrapup1:01:51: Give thanks and donate1:03:17: Dear Carey - ask me a question1:04:13: Upcoming stuff

Your TV is Watching You

24 oktober 2022 | 70 min

This is going to sound bonkers, even though you're used to so many things tracking you... web pages, emails, and apps... but I'm here to tell you that while you're watching your TV, your TV is also watching you. Or I guess more accurately, your TV is watching what you're watching. Even if you're not using the built-in smart apps, if you're just piping pixels in from an external box, your TV can recognize the movies and shows being displayed. And it's taking meticulous taking notes and selling that data. It's called Automatic Content Recognition and "post-purchase monetization". It's sorta like the Shazam music recognition app, but for TV shows and movies. I'll tell you what you can do to stop it. In other news: a tricky new ransomware campaign is targeting home Windows users; Signal is removing support for SMS text messaging; Toyota user app data was exposed for years; the White House unveiled a new cybersecurity rating system for consumer products; Apple privacy is better than most, but still falls short; a privacy researcher tries and fails to keep her pregnancy secret from marketers; companies in the UK are tailoring real-life billboards using cameras and AI; relief funds were sent to people impacted by Hurricane Ian using AI algorithms; Facebook's new VR headset will mine your facial expressions for marketing; Wired article gives tips for avoiding student surveillance tools. Article Links [ZDNet] This unusual ransomware attack targets home PCs, so beware https://www.zdnet.com/article/this-unusual-ransomware-attack-targets-home-pcs-so-beware/[Signal] Removing SMS support from Signal Android (soon) https://signal.org/blog/sms-removal-android/[BleepingComputer] Toyota discloses data leak after access key exposed on GitHub https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/[CyberScoop] White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star https://www.cyberscoop.com/white-house-to-unveil-internet-of-things-labeling/[The Atlantic] I Tried to Keep My Pregnancy Secret https://www.theatlantic.com/ideas/archive/2022/10/can-you-hide-your-pregnancy-era-big-data/671692/[The Guardian] Apple says it prioritizes privacy. Experts say gaps remain https://www.theguardian.com/technology/2022/sep/23/apple-user-data-law-enforcement-falling-short[VICE] Companies in the UK Are Mining Users’ Personal Data to Place Billboard Ads https://www.vice.com/en/article/n7zqmb/companies-in-the-uk-are-mining-users-personal-data-to-place-billboard-ads[WIRED UK] Hurricane Ian Destroyed Their Homes. Algorithms Sent Them Money https://www.wired.co.uk/article/hurricane-ian-destroyed-homes-google-algorithms-sent-money[Gizmodo] Meta’s New Headset Will Track Your Eyes for Targeted Ads https://gizmodo.com/meta-quest-pro-vr-headset-track-eyes-ads-facebook-1849654424[WIRED] How to Protect Yourself If Your School Uses Surveillance Tech https://www.wired.com/story/how-to-protect-yourself-school-surveillance-tech-privacy/Tip of the Week: https://firewallsdontstopdragons.com/your-tv-is-watching-you/ Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: News rundown0:03:40: Sneaky new Windows ransomware targets home users0:07:20: Signal drops support for SMS on Android0:14:53: Toyota leak exposed car app data for 5 years0:18:27: White House cybersecurity product labeling initiative0:21:54: Privacy scholar tries and fails to keep pregnancy secret0:28:28: Apple still had glaring privacy holes0:33:...

Protecting Schools and Students

17 oktober 2022 | 65 min

We talk a lot about security and privacy on my show, but we don't talk enough about these subjects in relation to students and schools. Schools are tragically underfunded and can't afford to hire cybersecurity experts, let alone privacy experts. Students are minors who lack the legal rights and life experience to push back against horrific privacy invasions brought on by remote learning and in-home test proctoring. The laws in the US are woefully outdated and we too often assume that what is legal is the same as what is right and just. Today, I'll discuss these challenges and ethical dilemmas with Doug Levin. Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats. Interview Links: K12 SIX: https://www.k12six.org/Annual “State of K-12 Cybersecurity Report’: https://www.k12six.org/the-report K-12 Essentials Series: https://www.k12six.org/essentials-series Public event calendar: https://www.k12six.org/events US Department of Education, Privacy Technical Assistance Center: https://studentprivacy.ed.gov/ CISA K-12 Cybersecurity Resources: https://www.cisa.gov/stopransomware/k-12-resources CISA Back to School Campaign: https://www.cisa.gov/r8-virtual-back-school-campaign-2022 US GAO: “Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K-12 Schools from Cyber Threats” https://www.gao.gov/products/gao-22-105024 EFF: Student Privacy Resources https://www.eff.org/issues/student-privacy CDT: Student Privacy Resources https://cdt.org/area-of-focus/privacy-data/student-privacy/ EPIC: Student Privacy https://epic.org/issues/data-protection/student-privacy /Algorithmic Justice League: https://www.ajl.org/ The Markup: https://themarkup.org/machine-learning/2022/01/19/help-us-investigate-the-ed-tech-industry Fight for the Future, which e.g., runs this campaign: https://www.baneproctoring.com/ ACLU: https://www.nyclu.org/en/issues/education-policy-center/technology-schools Further Info Send me your questions! https://fdsd.me/qna Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:24: Pre-interview definition of terms0:05:07: What is K12SIX about?0:10:52: What are the biggest security threats for schools?0:17:15: What about security threats for teachers and students?0:21:58: What are your top security recommendations for schools?0:30:01: What are the major impediments for schools improving cybersecurity?0:33:20: How can schools systems best share info and help one another?0:37:41: What are the main privacy threats for students?0:46:25: How is student data being used (or abused)?0:48:36: How do AI systems fail when it comes to minority populations?0:51:32: How can students and parents assert their privacy rights?0:56:03: What resources can you recomment for schools and students?0:59:39: Interview wrap-up1:00:40: Not reusing user names and passwords1:02:20: Preview of upcoming shows, promotions

Mobile Payment Fraud

10 oktober 2022 | 57 min

Cold hard cash is becoming more and more rare these days. People just don't carry it around much any more. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. While convenient, are these payment systems safe? Most of them actually are pretty secure (though some of them are not very private, like Venmo). But because most of these apps draw directly from your bank account, if you send money to the wrong person, either by mistake or because you were scammed, that money is pretty much gone. Ironically, this is very much like physical cash. Specifically, protections many people assume they have against fraudulent bank transactions don't really apply. You explicitly made the transfer and therefore many banks will not reimburse you for the loss. In other news: Optus confirms massive data breach; Optus breach triggers privacy regulation review in Australia; Facebook shuts down propaganda campaigns from Russia and China; Facebook warns 1M users of potential credential theft; Google will be migrating Fitbit customers to Google accounts; Microsoft adds new protections to warn you of PC password reuse and insecure storage; the FTC is pushing for new rules around location data collection and sharing; Google releases new tool to help purge personal information from its search results. Article Links [BleepingComputer] Optus confirms 2.1 million ID numbers exposed in data breach https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/[The Verge] Australia to overhaul privacy laws after massive data breach https://www.theverge.com/2022/9/26/23372868/australian-hack-disclosure-privacy-laws-optus-data-breach[Hacker News] Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html[9to5mac.com] Facebook security warning for 1M users: Scam apps stole login credentials https://9to5mac.com/2022/10/07/facebook-security-warning/[Hacker News] Google to Make Account Login Mandatory for New Fitbit Users in 2023 https://thehackernews.com/2022/09/google-to-make-account-login-mandatory.html[Lifehacker] Microsoft Has a New Trick for Keeping Your Password Safe https://lifehacker.com/microsoft-has-a-new-trick-for-keeping-your-password-saf-1849580498[Bloomberg] FTC Joins Push for Rules on Trade of Smartphone Location Data https://www.bloomberg.com/news/articles/2022-09-16/location-data-rules-draw-ftc-s-attention-post-roe[The Verge] In 2023, Google can notify you if personal info pops up in search https://www.theverge.com/2022/9/28/23377208/google-results-about-you-notifications-personal-info[briankrebs] Report: Big U.S. Banks Are Stiffing Account Takeover Victims https://krebsonsecurity.com/2022/10/report-big-u-s-banks-are-stiffing-account-takeover-victims/ Further Info National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-monthConsumer Reports: payment apps: https://www.consumerreports.org/digital-payments/how-to-safely-pay-for-goods-and-services-with-someone-you-dont-know/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:42: News rundown0:02:49: 10 Million Optus users affected by breach0:06:04: Optus breached via open web interface0:10:28: Facebook shuts down political influence campaigns0:13:38: Facebook warns 1M users of potential credential the...

Capture the Flag for Fun & Profit

3 oktober 2022 | 69 min

Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game - except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn't require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it - in a completely safe and legal environment. Jordan will tell you all about it in today's show! Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer but now he's mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years of HackASat and he was one of the founders of Vector 35, the company that makes Binary Ninja. Interview Links Hack-A-Sat 3: https://hackasat.com/ Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/ Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/ Plaid CTF: https://plaidctf.com/ CTFTime.org: https://ctftime.org/ Pwnable.kr: https://pwnable.kr/ Pwnable.tw: https://pwnable.tw/ Reversing.kr: http://reversing.kr/ Shodan: https://www.shodan.io/Burp Suite: https://portswigger.net/burp Wireshark: https://www.wireshark.org/ Binary Ninja: https://binary.ninja/ Metasploit: https://www.metasploit.com/ Nmap: https://nmap.org/ Live Overflow: https://liveoverflow.com/ TryHackMe: https://tryhackme.com/ Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Support my work! https://firewallsdontstopdragons.com/support/ Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequestGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:03: Interview setup0:04:25: What is Hack-A-Sat?0:08:44: How has the Hack-A-Sat program evolved?0:12:58: How did CTF's start out and when did they become popular?0:17:37: Why do we have so many unfilled cybersecurity jobs?0:21:15: Do you need a college degree to work in cybersecurity?0:29:39: What's a black hat hacker vs white hat? What's a red team or blue team?0:32:15: How do CTF's actually work? What is a flag and how do I capture it?0:38:05: Are they beginner CTFs that are free to try?0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?0:51:57: How do hackers chain together multiple exploits?0:56:26: What's your advice to someone who would like to try a CTF?1:00:36: What's next for Hack-A-Sat?1:02:25: interview wrapup1:04:07: What is Rick-Rolling?1:05:23: Try a CTF, go to a hacker con!

iOS 16 Security & Privacy Features

26 september 2022 | 81 min

Apple just released a major update to its iPhone operating system, iOS 16. This release has some really important security and privacy features, including Passkeys, Lockdown Mode and Safety Check. I’ll give you an overview of these features. In other news: D-Link routers have a major vulnerability that’s being actively exploited; Uber was completely pwned by a cocky 18-year old hacker; Morgan Stanley was fined $35 million for failing to delete user data from hundreds of hard drives before reselling them; Chrome and Edge may be sending your form data back to Google and Microsoft; a new voice AI tool lets you change your voice to sound like someone else; health apps are sharing your personal data and HIPAA isn’t helping; the US military is using yet another data broker to buy incredibly detailed information on almost all internet users; US border agents can search your phone and even copy your phone’s data, and may save that info for 15 years; your car is coughing up tons of personal and auto data to dozens of data companies; Intel’s new AI will be used to find students who are confused or even emotionally distressed. Article Links [BleepingComputer] Moobot botnet is coming for your unpatched D-Link router https://www.bleepingcomputer.com/news/security/moobot-botnet-is-coming-for-your-unpatched-d-link-router/[WIRED] The Uber Hack’s Devastation Is Just Starting to Reveal Itself https://www.wired.com/story/uber-hack-mfa-phishing/[Ars Technica] $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/[BleepingComputer] Google, Microsoft can get your passwords via web browser’s spellcheck https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/[Ars Technica] With Koe Recast, you can change your voice as easily as your clothing https://arstechnica.com/information-technology/2022/09/with-koe-recast-you-can-change-your-voice-as-easily-as-your-clothing/[The Washington Post] Health apps share your concerns with advertisers. HIPAA can’t stop it. https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/[VICE] Revealed: U.S. Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data[Engadget] US border forces are seizing Americans’ phone data and storing it for 15 years https://www.engadget.com/us-border-forces-traveler-data-15-years-085106938.html[The Washington Post] How to prevent customs agents from copying your phone’s content https://www.washingtonpost.com/technology/2022/09/18/phone-data-privacy-customs/[The Markup] Who Is Collecting Data from Your Car? – The Markup https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car[Protocol] Intel thinks its AI knows what students think and feel in class https://www.protocol.com/enterprise/emotion-ai-school-intel-edutechTip of the Week: https://firewallsdontstopdragons.com/ios-16-privacy-security/ Further Info Koe Recast web demo: https://koe.ai/recast/ 100-mile US border zone: https://www.aclu.org/other/constitution-100-mile-border-zone Tech Model Railroad Club: https://en.wikipedia.org/wiki/Tech_Model_Railroad_Club Send me your questions! https://firewallsdontstopdragons.com/dear-carey-podcast-qa/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Tornado Warning for Free Speech

19 september 2022 | 57 min

You may not be into cryptocurrency, but a recent incident involving a so-called "cryptocurrency mixer" has some important implications for privacy and free speech. Today we'll examine the relative anonymity of cryptocurrency transactions, tools that can be used to enhance that anonymity, and why the code that created these tools - and the services that might host them - must be protected under the First Amendment. Along the way, we'll explore the limits of free speech in the US and some interesting attempts to capture those rights. Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation, the leading nonprofit defending digital privacy, free speech, and innovation. Interview Links Coin Center article on Tornado Cash: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/ Electronic Frontier Foundation: https://www.eff.org/ Code, Speech, and the Tornado Cash Mixer https://www.eff.org/deeplinks/2022/08/code-speech-and-tornado-cash-mixer Treasury Dept sued over Tornado Cash sanctions: https://fortune.com/2022/09/08/coinbase-employees-and-ethereum-backers-sue-u-s-treasury-over-tornado-cash-sanctions/ Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:42: Interview setup0:02:43: How anonymous are cryptocurrency transactions?0:07:30: What is a cryptocurrency mixer and why would I use one?0:10:34: Kurt's thoughts on "going dark"0:12:45: Physical currency is not technically anonymous, either0:14:07: How did the White House try to fix this problem?0:15:27: Who is OFAC and what is the SDN list?0:16:57: Who or what is Tornado Cash?0:20:23: What about Tornado Cash drew scrunity from the US Gov't?0:22:08: How does all of this relate to free speech?0:26:22: One of the developers was arrested - what's the EFF's take on this?0:29:14: Is a platform responsible for illegal activities related to content they host?0:31:18: What's the limit of free speech when it comes to software code?0:41:00: What free speech rights to platforms themselves have?0:44:42: What about attempts to turn code into books or T-shirts to gain protection?0:48:04: What's next for the Tornado Cash case?0:55:12: Interview wrap-up0:55:46: Looking ahead

Decoding Computers & Software

12 september 2022 | 62 min

A little over 20 years ago, Charles Petzold wrote what would become a classic book on understanding modern computers and the software that drives them. Computers have become essential to daily life and inhabit more and more of the devices we use every day. Every "smart" device you own contains a computer running software. While these little silicon chips and the binary code running them seem like magic, they're really just a series of simple building blocks chained together to accomplish a task. Having a basic understanding of these concepts can give us a lot more perspective on how computers can be used and abused, programmed and subverted. When I learned that Charles was releasing a fully updated 2nd edition of Code, I asked him to come on the show to give us all a historical overview of computers and software. He graciously agreed. The concepts of computing and programming go back a lot further than you might think. Today we'll learn about this and much more. Charles Petzold is the author of the books Code, The Annotated Turing, and numerous programming tutorials involving Microsoft Windows. Interview Notes Code: The Hidden Language of Computer Hardware and Software: https://www.charlespetzold.com/books/ Companion website: https://codehiddenlanguage.com/ The Annotated Turing: https://www.charlespetzold.com/AnnotatedTuring/ Alan Turing: https://en.wikipedia.org/wiki/Alan_Turing Ada Lovelace: https://en.wikipedia.org/wiki/Ada_Lovelace Delay Line Mercury Storage: https://en.wikipedia.org/wiki/Delay-line_memory#Mercury_delay_lines Steganography: https://en.wikipedia.org/wiki/Steganography Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:08: Hold off on iOS 16 update0:02:47: Preview of today's interview0:05:49: Why did you write this book and who was your target audience?0:11:03: Why should we understand the basics of computing?0:12:39: What IS a "computer", fundamentally?0:16:35: Where did computers start, historically?0:19:21: What's the origin of software and programming computers?0:22:14: How did we store computer programs before hard drives?0:25:30: How did encoding enable us to communicate over large distances?0:30:00: How do we measure progress in computing?0:34:24: How did you decide how to lay out the concepts in the book?0:39:29: How can understanding computers help us be more secure?0:43:17: What does the future of computing look like?0:49:58: What will your next book be about?0:53:55: Interview wrap-up0:54:53: My Google rant0:58:03: A bit on steganography and codes0:59:41: Upcoming shows, schedule change

LastPass Source Code Breach

5 september 2022 | 69 min

Password manager software maker LastPass suffered a data breach last week, which understandably made their customers very nervous - and caused some people to question the decision to put all their passwords in one digital basket. In today's show, I'll explain why this particular breach was not a threat to anyone's passwords and why you should still use a high quality password manager. In other news: Former security chief blows the whistle on Twitter; major VPN providers are pulling out of India over surveillance law issues; a set of popular Chrome extensions caught committing click fraud; Google's new Chrome extension restrictions threaten to hobble ad blockers; a father's Google accounts are deleted over false AI-flagged CSAM; US Federal Trade Commission sues a data broker over lax protection of location data; EFF finds another data broker selling location data to law enforcement; Google launches bug bounty program for open source software projects; DuckDuckGo's email privacy protection feature now available to all; Ohio judge rules that scanning students' rooms before tests is illegal; a flight to Cabo is nearly grounded thanks to a passenger sending dick pics to other passengers, including one of the pilots. Article Links [The Washington Post] Former security chief claims Twitter buried ‘egregious deficiencies’ https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/[9to5mac.com] Major VPN services shut down in India over anti-privacy law; Apple hasn’t yet commented https://9to5mac.com/2022/09/01/major-vpn-services/[BleepingComputer] Chrome extensions with 1.4 million installs steal browsing data https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/[BleepingComputer] AdGuard’s new ad blocker struggles with Google’s Manifest v3 rules https://www.bleepingcomputer.com/news/security/adguard-s-new-ad-blocker-struggles-with-google-s-manifest-v3-rules/[The New York Times] A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html[Reuters] U.S. FTC sues data broker Kochava for alleged sale of sensitive data https://www.reuters.com/legal/us-ftc-sues-data-broker-kochava-alleged-sale-sensitive-data-2022-08-29/[Electronic Frontier Foundation] Data Broker Helps Police See Everywhere You’ve Been with the Click of a Mouse: EFF Investigation https://www.eff.org/press/releases/data-broker-helps-police-see-everywhere-youve-been-click-mouse-eff-investigation[Naked Security] LastPass source code breach – do we still recommend password managers? https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/[Decipher] Google Launches Bug Bounty Program For Open Source Projects https://duo.com/decipher/google-launches-bug-bounty-program-for-its-open-source-projects[Spread Privacy] Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All! https://spreadprivacy.com/protect-your-inbox-with-duckduckgo-email-protection/[The Verge] University can’t scan students’ rooms during remote tests, judge rules https://www.theverge.com/2022/8/23/23318067/cleveland-state-university-online-proctoring-decision-room-scan[VICE] Creeps Airdropping Dick Pics Just Made Flying Even Worse https://www.vice.com/en/article/3adag9/southwest-tiktok-video-pilot-airdropped-nudesTip of the Week: How to Prevent Cyberflashing https://firewallsdontstopdragons.com/how-to-prevent-cyberflashing/ Further Info Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero!

The Night the Lights Went Out in Vegas

29 augusti 2022 | 60 min

Thirty years ago, a young hacker named Jeff Moss (aka The Dark Tangent) threw a party in the desert of Nevada to commemorate the demise of a bulletin board system called PlatinumNet. Unlike the other handful of hacker conferences in that time, this one would be on the West Coast and open to everyone. Over the next three decades, DEF CON would become the preeminent hacker convention for the US (possibly the world), drawing upwards of 30,000 attendees. Along with its more-corporate spinoff Black Hat and related BSides conference, the back-to-back conferences are affectionately referred to as Hacker Summer Camp. In today's show, I'll walk down memory lane with Jeff, discussing the ups and downs he's experienced and delve into what this has all meant to him, personally. Oh yeah... and also the incident involving strippers and hacking the power grid. Further Info Amulet of Entropy badge: https://amuletofentropy.com/ DEF CON documentary: https://www.youtube.com/watch?v=SUhyeY0FsvwMy first trip to DEF CON: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/ Last year’s interview with Jeff Moss: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/ Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396Legion of Doom (LOD) vs Masters of Deception (MOD): https://en.wikipedia.org/wiki/Great_Hacker_War SATAN tool: https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_NetworksA brief history of hacking: https://encyclopedia.kaspersky.com/knowledge/a-brief-history-of-hacking/ Cap’N Crunch whistle: https://www.thingiverse.com/thing:2630646 Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Hacker Summer Camp0:03:30: pre-interview things of note0:05:31: DEF CON, the early years0:12:02: How had DEF CON changed since the beginning?0:16:08: What's the closest DEF CON ever came to ending?0:24:44: Why is DEF CON so full of shennanigans?0:26:49: What has DEF CON meant to you, personally?0:32:02: Thoughts on the DEF CON culture0:37:13: What's your "Jeff sense" on choosing the best people?0:39:50: What's in the future for DEF CON?0:46:13: What speakers have you always wanted but couldn't get?0:51:04: learning more about hackers and hacking0:53:50: Where does "2600" come from?0:57:18: Important notes for new listeners

Hacker Summer Camp 2022

22 augusti 2022 | 54 min

If it's August in Las Vegas, it's time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked - I hope to go back every year. This was the big 30th anniversary of DEF CON and several of the news stories this week came from one of these hacker conferences. And next week I'll air my wonderful interview with DEF CON's CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple's App Store security checks and contain malware - you should delete them ASAP; iOS VPN apps aren't properly securing connections made before activating the VPN; TikTok's in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco's network breach has lessons for all of us; Signal's use of phone numbers as identifiers highlighted due to breach at Twilio; a new jailbreak has been found on John Deere tractors that might allow farmers to service their own equipment; Amazon is planning to release a reality TV show based on Ring doorbell footage; a digital hallway pass allows schools to intrusively monitor its students; and law enforcement is tapping into DNA databases of the blood samples taken at birth by hospitals to solve crimes. Article Links [Tom's Guide] These Mac apps are secretly spreading malware — delete them now https://www.tomsguide.com/news/these-mac-apps-are-secretly-spreading-malware-delete-them-now[Ars Technica] iOS VPNs have leaked traffic for years, researcher claims [Updated] https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/[Forbes] TikTok’s In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/[None] Cisco Confirms Network Breach Via Hacked Employee Google Account https://threatpost.com/cisco-network-breach-google/180385/[TechCrunch] Signal says 1,900 users’ phone numbers exposed by Twilio breach https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/[Ars Technica] A new jailbreak for John Deere tractors rides the right-to-repair wave https://arstechnica.com/information-technology/2022/08/a-new-jailbreak-for-john-deere-tractors-rides-the-right-to-repair-wave/[VICE] 'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia[VICE] A Tool That Monitors How Long Kids Are in the Bathroom Is Now in 1,000 American Schools https://www.vice.com/en/article/dy73n7/ehallpass-1000-thousand-schools-monitor-bathroom[WIRED] Police Used a Baby’s DNA to Investigate Its Father for a Crime https://www.wired.com/story/police-used-a-babys-dna-to-investigate-its-father-for-a-crime/Tip of the Week: https://firewallsdontstopdragons.com/be-my-guest-no-i-insist/ Further Info A few Amulets of Entropy are still left: https://hackerboxes.com/collections/past-hackerboxes/products/hackerbox-0080-entropySubscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:17: DEFCON 30 notes0:03:00: Quick security notes0:03:46: News run down0:06:50: Delete these Apple apps immediately0:10:44: iOS VPN apps fail to secure old connections0:15:00: TikTok's in-app browser a...

Privacy vs Content Moderation

15 augusti 2022 | 54 min

There's no doubt that the internet has enabled criminals to share illicit and vile content with ease. The advent of high-quality end-to-end encrypted communications has made sharing this material harder for law enforcement to police. But the solution is not to cripple this technology, which is essential for security, privacy and even democracy. Today I'll discuss this thorny issue with Dhanaraj Thakur from the Center for Democracy and Technology. We'll talk about several dangerous proposals currently being considered in the US and Europe, and some potential solutions that can limit criminal behavior while preserving security and our right to privacy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online. Further Info Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems: https://cdt.org/insights/outside-looking-in-approaches-to-content-moderation-in-end-to-end-encrypted-systems/ End Run Around Your Rights: https://podcast.firewallsdontstopdragons.com/2021/12/13/end-run-around-your-rights/ Center for Democracy & Technology: https://cdt.org/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:19: Rebranding rolling out0:02:11: Why is content moderation coming to the fore?0:05:11: What are the types of content we're trying to control?0:08:30: How is automated copyright detection being abused by police?0:09:49: What are the phases of content moderation?0:12:01: How can content moderation scale on huge platforms?0:15:14: How does moderation differ inside vs outside the US?0:18:12: What is the platform liability for content?0:21:33: How good is automated content filtering?0:25:01: When does moderation become censorship?0:27:52: Can social media companies block or allow whatever they want?0:30:53: What does end-to-end encryption really mean?0:34:42: How important is metadata for identifying illicit content?0:37:26: What are the current legislative proposals around content moderation?0:41:13: How can we comply with these orders without losing privacy?0:46:09: So where do we draw the line?0:48:44: How did we police this before the internet?0:49:34: How can I learn more and get involved?0:51:57: Listener mailbag coming soon!0:52:49: Preview of coming shows

Security Via Subtraction

8 augusti 2022 | 59 min

All software has bugs, so the more software you have installed, the more bugs you have. It's not just the bugs in any individual application, but it's also magnified by interactions between some applications. Thankfully, the converse is also true: the less software you have installed, the fewer bugs you have (statistically, anyway). How many apps have you installed because they were free? How many apps came installed with your PC that you never use? How about companion apps for products you no longer own? Or maybe apps you installed years ago that you've forgotten about. You need to review all of your apps and get rid of anything you aren't using. You can always reinstall them later, if necessary. But removing unused apps will also remove any software bugs and vulnerabilities that inevitably come with them. (It's also one less app to gather and sell personal data.) In other news: Amazon is looking to buy the maker of Roomba robotic vacuums that know the map of your home; Amazon is also hoping to buy a medical company to start directly providing healthcare; Google once again delays removing support for 3rd party cookies in Chrome; a candidate post-quantum computing encryption algorithm was defeated in an hour with a regular PC; open source software is used everywhere, but is getting very little security support; hackers act on patched bugs within minutes; our cars are collecting and sharing tons of detailed information about us and our driving habits; Samsung has implemented a "repair mode" to protect your data while your phone is in the shop; and a new Android malware is contained in several "cleaner" apps. Article Links [Mashable] Amazon vacuums up Roomba maker iRobot, sparking immediate privacy concerns https://mashable.com/article/amazon-irobot-acquisition-roomba-privacy[Time] Amazon's Dangerous Ambition to Dominate Healthcare https://time.com/6201575/amazons-dangerous-ambition-to-dominate-healthcare/[HackerNews] Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024 https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html[Ars Technica] Post-quantum encryption contender is taken out by single-core PC and 1 hour https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/[Ars Technica] Samsung’s “repair mode” lets technicians look at your phone, not your data https://arstechnica.com/gadgets/2022/07/samsungs-repair-mode-lets-technicians-look-at-your-phone-not-your-data/[Lawfare] Open-Source Security: How Digital Infrastructure Is Built on a House of Cards https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards[ZDNet] Race against time: Hackers start hunting for victims just 15 minutes after a bug is disclosed https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/[The Markup] Who Is Collecting Data from Your Car? – The Markup https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car[Ars Technica] T-Mobile to pay $500M for one of the largest data breaches in US history https://arstechnica.com/tech-policy/2022/07/t-mobile-to-pay-500m-for-one-of-the-largest-data-breaches-in-us-history/[Tom's Guide] Millions infected by 'auto-starting' Android malware — delete these apps now https://www.tomsguide.com/news/millions-infected-by-auto-starting-android-malware-delete-these-apps-nowTip of the Week: https://firewallsdontstopdragons.com/deleting-your-way-to-better-security/ Further Info Mac AppCleaner: https://freemacsoft.net/appcleaner/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your g...

No Place Left to Hide

1 augusti 2022 | 62 min

Cameras are everywhere. Every person you pass on the street has a camera on their phone and security cameras are everywhere. They're so cheap and small now, and most of them are connected to the cloud. Not only does that mean they basically have unlimited storage, but it also opens the door for computers to process those images and footage looking for faces. Today, I'll speak with Nate Wessler from the ACLU about the implications of this technological perfect storm on our privacy and what rights we actually have today with regard to facial recognition and use of these systems by law enforcement. Nate Wessler is a deputy director with the ACLU’s Speech, Privacy, and Technology Project, where he focuses on litigation and advocacy around surveillance and privacy issues, including government searches of electronic devices, requests for sensitive data held by third parties, and use of surveillance technologies. Further Info ACLU suit against Clearview AI: https://iapp.org/news/a/aclu-files-class-action-vs-clearview-ai-under-biometric-privacy-law/Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:41: DEF CON updates0:03:18: Interview start0:05:46: Carpenter v. US case0:10:13: What's my expectation of privacy in public spaces?0:17:30: Private right of action0:18:58: What rights do I have for online photos of me?0:21:54: Aren't we enabling facial recognition by tagging people?0:23:47: Is there any solution beyond regulation?0:27:16: Who is Clearview AI and what are they doing?0:32:24: ACLU's lawsuit win against Clearview AI0:38:57: Is it possible to limit this tech to just "the good guys"?0:43:00: This guy looks like Woody Harrelson!0:47:07: What about the good uses for this tech?0:53:09: What about 1-to-1 facial matching services?0:56:20: So what can we, as citizens, do about all of this?0:58:22: When should we reach out to the ACLU?1:00:26: Wrap up

Hacking Your Honda

25 juli 2022 | 70 min

The "rolling code" technology used to remotely open and lock your car is supposed to prevent hacking. Unfortunately, Honda has a pretty serious vulnerability in their cars that apparently allows anyone with a little talent and cheap hacking tools to get into your car - and maybe even start it (though not actually drive it away). If correct, this vulnerability affects probably all Hondas made over the last 10 years. So far, Honda has denied that this is a problem, but many researchers have reproduced the hack. In other news: cheap, Chinese-made GPS vehicle trackers are vulnerable to remote hacking; Chrome, Edge and Safari browsers fix serious 0-day bugs; Twitter data breach info on 5.4M users is up for sale on the dark web; Windows getting a crucial security update to make important security feature on by default; the Conti ransomware gang is attacking the entire country of Costa Rica; Facebook quickly bypasses Firefox's URL tracking removal feature; Tor Browser adds a useful feature that will help people in repressive countries; Google appears ready to stop blocking political spam emails; Amazon admits to giving Ring video to law enforcement without consent or a warrant; a complicated, targeted web browser trick can be used to identify website visitors. Article Links [U.S. News & World Report] Researchers: Chinese-Made GPS Tracker Highly Vulnerable https://www.usnews.com/news/business/articles/2022-07-19/researchers-chinese-made-gps-tracker-highly-vulnerable[Ars Technica] 0-day used to infect Chrome users could pose threat to Edge and Safari users, too https://arstechnica.com/information-technology/2022/07/exploit-seller-used-chrome-exploit-and-2-other-0-days-to-infect-journalists/[9to5mac.com] Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k https://9to5mac.com/2022/07/22/twitter-data-breach/[ZDNet] Windows 11 is getting a new security setting to block ransomware attacks https://www.zdnet.com/article/windows-11-is-getting-a-new-security-setting-to-block-ransomware-attacks/[ThreatPost] Conti’s Reign of Chaos: Costa Rica in the Crosshairs https://threatpost.com/contis-costa-rica/180258/[Schneier Blog] Facebook Is Now Encrypting Links to Prevent URL Stripping https://www.schneier.com/blog/archives/2022/07/facebook-is-now-encrypting-links-to-prevent-url-stripping.html[None] Tor Browser Adds Automatic Censorship Circumvention https://www.infosecurity-magazine.com/news/tor-browser-automatic-censorship/[Inc. Magazine] Google Revealed Plans for a Big Change to Gmail That Almost Nobody Wants. You Have 19 Days to Object https://www.inc.com/bill-murphy-jr/google-revealed-plans-for-a-big-change-to-gmail-that-almost-nobody-wants-you-have-19-days-to-object.html[The Intercept] Amazon Admits Giving Ring Camera Footage to Police Without a Warrant or Consent https://theintercept.com/2022/07/13/amazon-ring-camera-footage-police-ed-markey/[The Drive] I Tried the Honda Keyfob Hack on My Own Car. It Totally Worked https://www.thedrive.com/news/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked[WIRED] A New Attack Can Unmask Anonymous Users on Any Major Browser https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/Tip of the Week: More Uses for Password Vaults: https://firewallsdontstopdragons.com/more-uses-for-password-vaults/ Further Info Amulet of Entropy!!: https://amuletofentropy.com/ Peppering your passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:02: Bad Bugs in GPS Vehicle Trackers0:07:16: Zero-Day Bugs in Chrome, Edge,

Crowdsourcing Network Security

18 juli 2022 | 71 min

We take that little box that connects our home to the internet for granted. But in reality, it's often the only thing hiding our computers and vulnerable IoT devices from automated, remote attacks. This "internet background radiation" is ever present - a massive network of malicious or compromised devices, constantly scanning the internet for exposed and ill-protected systems. Today, we'll discuss routers, firewalls and other common aspects of home network security with the CEO of CrowdSec. He'll also explain how we can enable these devices to share information in a sort of global neighborhood watch program, distributing information about bad actors to better protect us all. Philippe Humeau graduated as an IT security engineer in 1999 in Cyber security. He then created his first company, dedicated to red team penetration testing and high-security hosting. After selling his first company, his eternal crushes for Cybersecurity led him to create CrowdSec in 2020. This open-source editor creates a participative IPS which generates a global, crowd-powered CTI. Further Info CrowdSec: https://crowdsec.net/ CrowdSec code repository: https://github.com/crowdsecurity/crowdsec Lulu reverse firewall: https://objective-see.org/products/lulu.html Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Amulet of Entropy!!:https://amuletofentropy.com/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:46: Update on Firefox Total Cookie Protection0:03:50: DEF CON coming soon0:04:47: Interview start0:06:49: What does a firewall do?0:10:18: Should I enable the firewall on my computer, too?0:14:18: What is Universal Plug and Play (uPnP?)0:16:04: What is Network Address Translation (NAT)?0:20:16: Hacker vs Cybercriminal?0:21:17: Internet Background Radiation0:26:19: Creating network silos0:29:28: Attacks from within0:32:15: Botnets and DDoS attacks0:35:37: What are the biggest network threats today?0:40:16: Who are the main threat actors?0:45:09: How does Crowdsec work?0:49:36: How quickly do agents share info?0:51:37: How does Crowdsec make money?0:53:03: Can you use Crowdsec on home routers?0:55:28: Are things getting better or worse?0:57:43: Top security tips?1:01:45: How do you poke a hole in a firewall?1:04:01: Setting up guest network1:07:48: Reverse firewalls1:09:07: Final word

The Data Dam is Breaking

11 juli 2022 | 58 min

This week we'll talk about three significant new data breaches. Each of these data leaks are important in different ways, but the trend is clear: data wants to be free. First of all, we need to stop collecting so damn much of it. But second, we need to make it more expensive for data-collectors who are criminally negligent with the protection of our data. Right now, it's cheaper to let it escape than to spend time, effort and money to protect it. (In my Tip of the Week, I'll tell you about a great free tool that will let you protect your own data.) In other news: Google patches some serious zero-day Chrome bugs and I'll explain how they work; personal data for many California gun owners was leaked; Marriott suffered yet another customer data breach; personal data on over 1 billion people in China is up for sale; Crypto exchange Coinbase is sharing info with US immigration enforcers; a sophisticated malware named ZouRAT is infecting SOHO routers; a new Windows worm appears to be coming from infected USB devices; a free decryptor has been released for AstraLocker and Yashma ransomware; Apple's new Lockdown mode shows real promise; and the US Immigration and Customs Enforcement agency has become a full-tilt mass surveillance organization. Article Links [Naked Security] Google patches “in-the-wild” Chrome zero-day – update now! https://nakedsecurity.sophos.com/2022/07/05/google-patches-in-the-wild-chrome-zero-day-update-now/[Gizmodo] California Gun Owners Had Lots of Their Data Exposed by the State Government https://gizmodo.com/california-gun-owners-data-exposed-state-justice-dept-1849124116[TechCrunch] Hotel giant Marriott confirms yet another data breach https://techcrunch.com/2022/07/06/marriott-breach-again/[ZDNet] Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/[The Intercept] Cryptocurrency Titan Coinbase Providing “Geo Tracking Data” to ICE https://theintercept.com/2022/06/29/crypto-coinbase-tracer-ice/[Ars Technica] A wide range of routers are under attack by new, unusually sophisticated malware https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/[PCM] Hundreds of Windows Networks Are Infected With Raspberry Robin Worm https://www.pcmag.com/news/hundreds-of-windows-networks-are-infected-with-raspberry-robin-worm[BleepingComputer] Free decryptor released for AstraLocker, Yashma ransomware victims https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/[9to5mac.com] Firefox now lets users remove tracking parameters from URLs to enhance privacy https://9to5mac.com/2022/06/29/tracking-parameters-urls-firefox/[Ars Technica] Why Lockdown mode from Apple is one of the coolest security ideas ever https://arstechnica.com/information-technology/2022/07/introducing-lockdown-from-apple-the-coolest-defense-youll-probably-never-use/Data-Driven Deportation in the 21st Century https://americandragnet.org/Tip of the Week: https://firewallsdontstopdragons.com/creating-a-file-vault-with-cryptomator/ Further Info Cryptomator: https://cryptomator.org/ Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Seth interview on cryptocurrency: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/ Amulet of Entropy!!:https://amuletofentropy.com/ No More Ransom. A non-profit devoted to helping break ransomware crypto so that victims don’t have to pay.ID Ransomware. A tool for identifying which ransomware you’ve been infected with and then guiding you to other resources for help.Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your...

Necessary Chaos

4 juli 2022 | 65 min

While many of us prefer order in our lives, at least most of the time, we sometimes need a little chaos. Specifically, we need a source of true randomness in order to properly drive many of our cryptographic systems - to secure our digital communications, for example. And while computers are very good at doing what we tell them to do, they suck at being unpredictable. Therefore we have to find other ways to inject a little chaos. Today I will discuss these concepts with Joe Long, founder and CEO of HackerBoxes.com. Along the way, we'll share stories of hardware hacking and our love of electronics tinkering. And then we'll reveal a totally geeky project we've been working on together for many months now that we dubbed the Amulet of Entropy! Joe Long is a professional engineer, patent attorney, and hardware hacker. He has decades of expertise in electronics which he has taught to over a million students around the world. Joe is the founder of HackerBoxes - a company that provides kits, workshops, and monthly subscription boxes for building and learning electronics. Further Info Amulet of Entropy!!: https://amuletofentropy.com/HackerBox #0080: https://hackerboxes.com/products/hackerbox-0080-entropy Amulet GitHub repo: https://github.com/FirewallDragon/amulet-of-entropyHackerBoxes: https://hackerboxes.com/ Forrest Mims electronics books: https://www.forrestmims.com/ Humble Bundle electronics books: https://www.humblebundle.com/books/boards-coding-make-co-books HackADay: https://hackaday.com/DEF CON 30: https://defcon.org/html/defcon-30/dc-30-index.html Firewalls Don’t Stop Dragons book: https://www.amazon.com/gp/product/1484261887 Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:23: Start of interview0:05:42: What is a hardware hacker?0:09:09: What got you into electronics?0:14:49: What do you need to get into electronics?0:21:46: What is entropy?0:24:36: Where do we find entropy in everyday life?0:28:18: Why is entropy important for cryptography?0:30:58: Why do computers suck at randomness?0:35:18: So how do we find true random values?0:38:42: What happens randomness fails?0:41:17: How we use patterns to efficiently encode things0:46:44: The Amulet of Entropy!0:51:53: Designing the project0:55:33: Fun uses of entropy0:56:41: How do I get one??0:57:53: Outro1:01:06: DEF CON 30 talk1:01:45: Electronics resources for newbies

Total Cookie Protection

27 juni 2022 | 65 min

Firefox officially rolled out its Total Cookie Protection feature last week, which is a clever and elegant solution for blocking tracking using third party cookies. Unfortunately... it doesn't seem to be working for me when I tested it. There are at least a couple reasons for why this might be, and a workaround, both of which I will discuss in today's Tip of the Week. Also: A drunk employee lost a flash drive with half a million customer's data in Japan; a TikTok leak appears to show that even with US user data being "moved" to US soil, engineers in China can still access it; a new voicemail scam tries to trick you into giving up your Microsoft account credentials; MEGA fixes several flaws which might allow a rogue employee to view your data; 56 security flaws in industrial systems could impact thousands of devices around the world; Google Password Manager now allows for client-side encryption; Microsoft's Defender is now available for non-Windows devices (for a fee); T-Mobile is the latest to use its privileged position to hoover up and sell customer data; spyware companies are proliferating; Facebook is receiving sensitive medical info from it's Meta Pixel; and vacation rentals are sadly great places for spycams, and I'll help you try to spot them. Article Links [The Guardian] Japanese city worker loses USB containing personal details of every resident https://www.theguardian.com/world/2022/jun/24/japanese-city-worker-loses-usb-containing-personal-details-of-every-resident[Gizmodo] TikTok Leak Alleges User Data Isn't Private: ‘Everything Is Seen in China’ https://gizmodo.com/tiktok-china-oracle-bytedance-1849078477[Threatpost] Voicemail Scam Steals Microsoft Credentials https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/[BleepingComputer] MEGA fixes critical flaws that allowed the decryption of user data https://www.bleepingcomputer.com/news/security/mega-fixes-critical-flaws-that-allowed-the-decryption-of-user-data/[BleepingComputer] Icefall: 56 flaws impact thousands of exposed industrial devices https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/[9to5Google] Google Password Manager starts offering on-device encryption on Android, iOS, and Chrome https://9to5google.com/2022/06/21/google-password-on-device-encryption/[PCM] WTF? Do I Have to Pay for Microsoft's Defender Antivirus Now? https://www.pcmag.com/news/wtf-do-i-have-to-pay-for-microsofts-defender-antivirus-now[The Verge] T-Mobile is selling your app usage data to advertisers — here’s how to opt out https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out[WIRED] Google Warns of New Spyware Targeting iOS and Android Users https://www.wired.com/story/hermit-spyware-rcs-labs/[The Markup] Facebook Is Receiving Sensitive Medical Information from Hospital Websites – The Markup https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites[USA TODAY] How to spot hidden surveillance cameras in your Airbnb, VRBO, or vacation rentals https://www.usatoday.com/story/tech/columnist/komando/2022/06/23/how-check-hidden-cameras-airbnb-vrbo-vacation-rentals/7652726001/ Further Info Tip of the Week: Total Cookie Protection? https://firewallsdontstopdragons.com/total-cookie-protection/Cookie Forensics Test: https://www.grc.com/cookies/forensics.htm Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:17: News topic summary0:04:47: Drunk worker loses customer data0:08:00: TikTok phone call leak0:12:04: Microsoft voicemail scam0:16:23: ...

Moving Beyond Passwords

20 juni 2022 | 63 min

Everyone hates dealing with passwords, and yet they've been the de facto standard of computer authentication for decades. But there's light at the end of this long tunnel. There is a passwordless future where we can log in to our accounts using just our smartphones. In this future, it won't matter if websites are breached because there will be no password databases to steal. Even phishing will be a thing of the past. And thankfully, that future isn't far away. Today I'll discuss where we are, how we got here, and where we're going with Yubico's Derek Hanson. Derek Hanson has been involved in the identity and security industry for over ten years. He has been building networks and deploying computer systems since the mid-90s and now is an advocate for how you can best protect them. And he is now the VP of Solutions Architecture and Alliances at Yubico. Further Info Yubico/YubiKey: https://www.yubico.com/ NIST password guidelines: https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/ OPM fingerprint database hack: https://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/ WebAuthn: https://webauthn.guide/ FIDO: https://fidoalliance.org/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/ Table of Contents (new!) Use these timestamps to jump to a particular section of the show. 0:01:01: Welcome new patrons!0:01:41: New table of contents0:03:40: Update Windows ASAP0:04:03: Pre-interview notes0:04:34: Interview start0:06:21: Why do we still use passwords?0:11:26: Why don't more people use password managers?0:15:25: NIST updates password recommendations0:17:50: Should we use biometrics for authentication?0:23:40: How do passwordless systems compare to what we have now?0:29:00: How does authentication work in a passwordless system?0:32:50: Have we settled on a single passwordless standard?0:37:24: How well is this new standard supported?0:40:41: How do I use this passwordless technology?0:43:00: How soon will we see passwordless logins?0:46:22: Which 2FA system is best and will we still need this going forward?0:51:33: What current technologies are best for securing our accounts?0:55:18: How do hardware keys work?1:00:42: OPM fingerprint hack1:01:48: Bonus content preview1:02:02: Upcoming shows

Peppering Your Passwords

13 juni 2022 | 58 min

I preach about using password managers constantly - because they really are a fantastic tool for increasing your security. Humans suck at creating memorable passwords that are not also easy to guess. But the idea of putting all your juicy secrets into a digital vault that is controlled by a third party and synchronizing through the cloud may not sit well with you. And I totally get that. It's a very valid concern. But what if there were a way to have your cake and eat it, too? (I never understood that expression... what good is having cake if you can't eat it, right?) I'll explain a simple technique using cryptographic "pepper" that will allow you to use a password manager, even if you don't trust it. In other news: US water utilities are woefully unprepared for cyberattacks; paper ballots are essential for secure elections, but not sufficient; PDFs are being used to cleverly hide keylogging malware; Chinese hackers have infiltrated many global telecom companies for years; Australia's new "secure" digital driver's license is anything but; the FBI manages to recover half of the Colonial Pipeline ransom; a new facial search engine is on the scene, with even less protections than Clearview AI; and the Tim Horton's app stole a heck of a lot of user location data from its customers. Article Links U.S. Water Utilities Prime Cyberattack Target, Experts | Threatpost https://threatpost.com/water-cyberattack-target/179935/Do Ballot Barcodes Threaten Election Security? https://cdt.org/insights/do-ballot-barcodes-threaten-election-security/[BleepingComputer] PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/[MIT Technology Review] Chinese hackers exploited years-old software flaws to break into telecom giants https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/[Ars Technica] “Tough to forge” digital driver’s license is… easy to forge https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/FBI Recovers $2.3 Million of Colonial Pipeline Ransomware Payment; Some Que https://www.cpomagazine.com/cyber-security/fbi-recovers-2-3-million-of-colonial-pipeline-ransomware-payment-some-questions-about-the-attack-answered/[The Mercury News] A face search engine anyone can use is alarmingly accurate https://www.mercurynews.com/2022/05/28/a-face-search-engine-anyone-can-use-is-alarmingly-accurate-2[CTV News] Tim Hortons app collected vast amounts of sensitive data: privacy watchdogs https://www.ctvnews.ca/business/tim-hortons-app-collected-vast-amounts-of-sensitive-data-privacy-watchdogs-1.5927716Pepper Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ Further Info Only FIVE DAYS LEFT to get your dragon coin! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/ Techlore interview: https://youtu.be/-GubGbuWBfk Exploits of a Mom (XKCD “Bobby Tables” cartoon): https://xkcd.com/327/Bobby Tables explanation: https://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables Generate secure passphrases! https://d20key.com/#/Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

Cryptocurrency 101

6 juni 2022 | 74 min

Emergency Mode

30 maj 2022 | 49 min

Modern smartphones have a potentially life-saving feature called "SOS" or "Emergency" mode that can give first responders critical medical information and automatically dial your country's emergency phone number. It can report your location and even notify selected contacts. In today's show, I'll share a story from one woman who believes this mode saved her life. It's easy to use and set up, but it won't do you any good if you don't know about it. I'll tell you everything you need to know. In other news: Clearview AI is looking to expand its services to schools, banks and other institutions that wish to authenticate people; MasterCard is launching a new facial recognition system that will allow users to pay "with a smile"; the US Department of Justice has finally issued long-overdue guidance on common sense limitations for prosecuting security researchers and regular people who might run afoul of the tragically over-broad Computer Fraud and Abuse Act (CFAA); Twitter has been fined and Google has been sued for abusing customer data; local governments forced children to use EdTech software that surreptitiously harvested their data and fed them behavior-based ads; DuckDuckGo is in damage control over reports that it isn't blocking some Microsoft web tracking due to an agreement which they legally can't discuss; there's a new Wells Fargo phishing campaign going around which seeks to gather tons of data that would easily enable identity thefts; and a security researcher has found a bug with the OAuth single-sign on functionality used by Facebook. Article Links [Gizmodo] Clearview AI Says It's Bringing Facial Recognition to Schools https://gizmodo.com/clearview-ai-facial-recognition-privacy-1848975528[The Guardian] Mastercard launches ‘smile to pay’ system amid privacy concerns https://www.theguardian.com/technology/2022/may/17/mastercard-launches-smile-to-pay-amid-privacy-concerns[The Verge] Justice Department pledges not to charge security researchers with hacking crimes https://www.theverge.com/2022/5/19/23130910/justice-department-cfaa-hacking-law-guideline-limits-security-research[NPR] Twitter agrees to pay $150 million after FTC, DOJ accuse company of mishandling data https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc[None] Governments Harm Children’s Rights in Online Learning https://www.hrw.org/news/2022/05/25/governments-harm-childrens-rights-online-learning[Review Geek] DuckDuckGo Isn’t as Private as You Thought https://www.reviewgeek.com/118915/duckduckgo-isnt-as-private-as-you-thought/[Sky] Google sued for using the NHS data of 1.6 million Brits 'without their knowledge or consent' https://news.sky.com/story/google-sued-for-using-the-nhs-data-of-1-6-million-brits-without-their-knowledge-or-consent-12614525[None] Bank phishing and identity theft https://usa.kaspersky.com/blog/wells-fargo-phishing-identity-theft/26473/[Forbes] Security Warning For Facebook Users Who Login With Gmail OAuth Code https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/[9to5mac.com] iPhone SOS credited with saving woman during assault attempt – Here’s how to set it up https://9to5mac.com/2022/05/24/iphone-sos-how-to-set-it-up/Set up Emergency mode, Apple iPhone: https://support.apple.com/en-us/HT208076Set up Emergency mode, Google Pixel: https://support.google.com/pixelphone/answer/7055029Set up Emergency mode, Samsung Galaxy: https://www.samsung.com/us/support/answer/ANS00050849/ Further Info Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/ Generate secure passphrases! https://d20key.com/#/Amulet of Entropy teaser #2: https://twitter.com/HackerBoxes/status/1530341605567242240?s=20&t=OWW931j-mZk8cMRc6yp9bA Stop Using “Sign in with”: https://firewallsdontstopdragons.com/stop-using-sign-in-with/ EFF on facial recognition technology: https://www.eff.org/deeplinks/2021/10/face-recognition-isnt-just-face-ide...

Tomatoes & Telegraphs

23 maj 2022 | 58 min

There's a lot we can glean from history but sometimes it's not as obvious as you might think. For example, did you know that until the mid-1800's, most of Americans hated tomatoes and that ketchup was originally made from mushrooms? The story behind how Americans came to love tomatoes is quite fascinating, but what is perhaps most interesting is the way our guest applies this knowledge to the realm of cybersecurity. Today we will also learn how one of the most powerful cryptographic techniques to this day originated in the time of the telegraph. Along the way, we'll discuss how humans choose their passwords, how they should be creating passwords, and how often we should be changing our passwords. Anthony Collette is a Senior Consent Form Editor at the largest Institutional Review Board (IRB) in the United States. This regulatory agency has reviewed over 1,000 COVID-19 research studies, conducted at more than 12,000 locations. Mr. Collette analyzes complex medical documents, synthesizes the central concepts, and translates technical jargon into relatable language directed to the non-technical research participant. These skills transfer perfectly to the task of analyzing and understanding the conflicting and often outdated advice given about passwords, stripping away what’s unnecessary, and getting down to the actionable core of the issues. Interview Links Anthony Collette: https://www.linkedin.com/in/tonycollette/ Loistava Information Security website: www.LositavaInfoSecurity.comCASTALOT™ Dice Landing Page: https://www.castalotdice.com?utm_source=dragons1 CASTALOT™ Dice Facebook VIP Group: https://www.facebook.com/groups/1317312032055849The History of Tomatoes in America: https://www.amazon.com/Tomato-America-History-Culture-Cookery/dp/1570030006/ NY Times, Secret Life of Passwords: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html A Look at Telegraph Codes (Steven Bellovin): https://www.cs.columbia.edu/~smb/papers/codebooks.pdf DFLEKT Keyless Entry Protection: https://www.duku.co.uk/dflekt Further Info Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/ Generate secure passphrases! https://d20key.com/#/ Amulet of Entropy teaser: https://twitter.com/HackerBoxes/status/1523318662807298051?s=20&t=dwQFy7ieRMGjRCqgAR7btQ

Global Privacy Control

16 maj 2022 | 68 min

When we surf the web today - on our computers or smartphones - we are mercilessly tracked. Marketing firms and data brokers are hoovering up ungodly amounts of our personal data, selling it, trading it and mining it to derive even more about us. Many offer some way to limit or stop this wanton data collection, but good luck figuring out how - let alone even knowing who to ask. Wouldn't it be nice if you could just click one button and tell everyone to leave you alone? Of course, we tried this a decade ago with Do Not Track, but there were no regulations in place to require companies to respect it. While we have a long way to go, some regions do now have privacy laws - and now we have a new way to invoke our privacy rights: Global Privacy Control. Today, I'll tell you how to enable this on your devices and tell data miners to get lost. In other news: Clearview AI has been forced to cut back on its creepy facial recognition software; the EU is proposing dangerous new surveillance requirements in the name of child safety; if you have an HP computer, you need to check for BIOS software updates ASAP; automated vehicles are outfitted with tons of video cameras, and law enforcement have been using this data for investigations; thousands of popular websites are saving data from online forms even if you don't click 'submit'; the CDC has been buying cell phone location data to track compliance with covid curfews and more; data from period-tracking apps may soon be used against people seeking abortions if Roe v. Wade is struck down in the US; Facebook is ending some location-based services (though still collecting your location data); Chinese hackers have stolen hundreds of billions of dollars in intellectual property, including military, manufacturing and pharmaceutical info; and mental health apps aren't taking proper care of your very personal data. Article Links [Engadget] Clearview AI agrees to limit sales of facial recognition data in the US https://www.engadget.com/clearview-ai-agrees-to-limit-sales-of-facial-recognition-data-in-the-us-173357030.html[Electronic Frontier Foundation] The EU Commission’s New Proposal Would Undermine Encryption And Scan Our Messages https://www.eff.org/deeplinks/2022/05/eu-commissions-new-proposal-would-undermine-encryption-and-scan-our-messages[TechSpot] HP pushes out BIOS update addressing high-severity vulnerabilities affecting 200+ models https://www.techspot.com/news/94561-hp-pushes-out-bios-update-addressing-high-severity.html[VICE] San Francisco Police Are Using Driverless Cars As Mobile Surveillance Cameras https://www.vice.com/en/article/v7dw8x/san-francisco-police-are-using-driverless-cars-as-mobile-surveillance-cameras[WIRED] Thousands of Popular Websites See What You Type—Before You Hit Submit https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/[None] CDC tracked Americans’ phones to see if they followed COVID-19 lockdowns https://www.mlive.com/news/2022/05/cdc-tracked-americans-phones-to-see-if-they-followed-covid-19-lockdowns.html[VICE] Data Broker SafeGraph Stops Selling Location Data of People Who Visit Planned Parenthood https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood[NPR] How period tracking apps and data privacy fit into a post-Roe v. Wade climate https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps[9to5mac.com] Facebook to discontinue Nearby Friends and other location-based features https://9to5mac.com/2022/05/05/facebook-to-discontinue-nearby-friends-and-other-location-based-features/[CBS News] Chinese hackers took trillions in intellectual property from about 30 multinational companies https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/[The Verge] Mental health apps have terrible privacy protections, report finds https://www.theverge.

How to Stop Tracking & Stalking

9 maj 2022 | 72 min

We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us. Sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick and mortar stores are tracking you within their stores, noting where you go, how long you stay in some locations, and where you don't go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used to track journalists, dissidents and "people of interest" by authoritarian governments. If all of that weren't bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I'll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we'll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about online privacy, cybersecurity, and the laws and proposed legislation that regulate how data is stored, shared, and accessed. Further Info Malwarebytes blog: https://blog.malwarebytes.com/Malwarebytes podcast: https://blog.malwarebytes.com/category/podcast/ David Ruiz interviews me: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/ Coalition Against Stalkerware: https://stopstalkerware.org/ Malwarebytes detection software: https://www.malwarebytes.com/mwb-download Stalkerware-type detections hit record high in 2021, but fell in second half https://blog.malwarebytes.com/stalkerware/2022/04/stalkerware-type-detections-hit-record-high-in-2021-but-fell-in-second-half/ Kashmir Hill article: https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

What is the Most Private Browser?

2 maj 2022 | 62 min

Security isn't a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers all use the same engine - Chrome, Edge and Opera are all based on Chromium. Second, there's no real conflict of interest between browser makers and browser users when it comes to security - it's a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I'll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn't make the list.) NOTE: I'm giving away TEN free subscriptions to ProtonMail plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That's it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspiration Declaration for the Future of the Internet; in a twist of fate, Russia is now the target of global hacking; another nasty Java zero-day bug has been found; leaked Cellebrite documents detail which iPhones they can hack into; Amazon and third parties are mining your Alexa requests for personal data; Microsoft is going to add a free VPN to its Edge browser; Facebook is pulling detailed user data from the US college financial aid site FAFSA; and apparently Facebook has no clue how to tell the source of all the data it collects (making it impossible to comply with privacy regulations); Google is now giving you a way to remove some person info from its searches; and Brave and DuckDuckGo are both blocking Google "AMP" links which collect data about the sites you visit. Article Links EFF Statement on the Declaration for the Future of the Internet https://www.eff.org/deeplinks/2022/04/eff-statement-declaration-future-internet Declaration for the Future of the Internet: https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf Russia Is Being Hacked at an Unprecedented Scale https://www.wired.co.uk/article/russia-hacked-attacks Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries https://www.schneier.com/blog/archives/2022/04/java-cryptography-implementation-mistake-allows-digital-signature-forgeries.html Cellebrite iPhone cracking: Here’s which models the kit can unlock and access, and how to protect your data https://9to5mac.com/2022/04/29/cellebrite-iphone-cracking/ Report: Amazon and third parties use Alexa voice data for ads while Siri respects privacy https://9to5mac.com/2022/04/29/amazon-alexa-voice-data-used-for-ads/ Microsoft Is Adding a Free VPN to the Edge Browser https://www.pcmag.com/news/microsoft-is-adding-a-free-vpn-to-the-edge-browser Go read this exposé on how FAFSA got caught sending personal info to Facebook https://www.theverge.com/2022/4/29/23048305/fafsa-facebook-department-of-education-us-student-financial-aid-meta-tracking-pixel Applied for Student Aid Online? Facebook Saw You https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you Facebook doesn't know what most of its user data is used for https://appleinsider.com/articles/22/04/27/facebook-doesnt-know-what-most-of-its-user-data-is-used-for You can now ask Google to remove your phone number from search https://www.androidauthority.com/google-search-remove-phone-number-3158456/ Google request site: https://support.google.com/websearch/answer/9673730 Brave, DuckDuckGo updates target Google AMP sites in privacy push https://www.macworld.com/article/633804/brave-duckduckgo-updates-target-google-amp-sites-in-privacy-push.html Which Is the Most Private Browser? https://firewallsdontstopdragons.com/which-is-the-most-private-browser/ Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.

Private from Everyone (But Us)

25 april 2022 | 51 min

Demystifying VPNs

18 april 2022 | 57 min

When people don't understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day - selling cures for ailments that didn't exist or that didn't actually improve the consumer's health. The realm of computers is rife with cybersecurity snake oil, as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I'm going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install chips under your skin that will allow you to pay for stuff with your hand; a scathing article about a security failure by Wyze web cams; and hackers are using fake Emergency Data Requests to get your data from tech companies. Article Links T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. https://www.vice.com/en/article/k7w9mv/tmobile-hacked-bought-data-mandiant Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems https://www.wired.com/story/pipedream-ics-malware/ Over 8 Million Cash App Users Potentially Exposed in a Data Breach After a Former Employee Downloaded Customer Information https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/ Pegasus spyware hacked iPhones of senior EU officials, who were alerted by Apple https://9to5mac.com/2022/04/11/pegasus-spyware-hacked-iphones-of-senior-eu-officials/ The microchip implants that let you pay with your hand https://www.bbc.com/news/business-61008730 I’m done with Wyze https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure Hackers Using Fake Police Data Requests against Tech Companies https://www.schneier.com/blog/archives/2022/04/hackers-using-fake-police-data-requests-against-tech-companies.html VPNs are digital 'snake oil,' expert claims — here's why https://www.tomsguide.com/news/vpn-big-claims-truth-shmoocon22 What a VPN Is (and Isn’t): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/ Further Info John Oliver on data brokers: https://www.youtube.com/watch?v=wqn3gR1WTcA Mullvad VPN: https://mullvad.net/IVPN: https://www.ivpn.net/ProtonVPN: https://protonvpn.com/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Luck Favors the Prepared

11 april 2022 | 75 min

De-Google Your Life (Part 4)

4 april 2022 | 55 min

I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year's resolutions, so I've done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you're at it). In other news: UK police arrested seven people that may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with "protestware"; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search engine; app developers and cloud service providers are leaving your data lying around for anyone to find; and Google is testing its new tracking platform called Topics, which they will use to eventually replace third party cookies. Article Links UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? https://nakedsecurity.sophos.com/2022/03/25/uk-police-arrest-7-hacking-suspects-have-they-bust-the-lapsus-gang/ FCC flags Russian cybersecurity firm Kaspersky as risk to national security https://mashable.com/article/fcc-bans-kaspersky-antivirus This 'browser in browser' attack will steal your passwords — here's how to avoid it https://www.tomsguide.com/news/bitb-phishing-attackDeveloper Sabotages Open-Source Software Package https://www.schneier.com/blog/archives/2022/03/developer-sabotages-open-source-software-package.htmlUS Passes "Game-Changing" Cyber Incident Reporting Legislation https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/ Yandex is sending data harvested from millions of iOS users to Russia https://9to5mac.com/2022/03/29/yandex-is-sending-data-from-ios-users/ Your personal data is exposed to hackers — alarming report reveals mobile apps are not protecting your info https://www.laptopmag.com/news/your-personal-data-is-exposed-to-hackers-alarming-report-reveals-mobile-apps-are-not-protecting-your-info Chrome’s “Topics” advertising system is here, whether you want it or not https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/ De-Google My Life, Part 4: https://firewallsdontstopdragons.com/de-google-my-life-part-4 Further Info Crypotmator: https://cryptomator.org/Sync.com: https://www.sync.com/ ONLYOFFICE: https://www.onlyoffice.com/ NextCloud: https://nextcloud.com/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

Teaching & Preaching Privacy

28 mars 2022 | 66 min

De-Google Your Life (Part 3)

21 mars 2022 | 61 min

One of my New Year's resolutions for 2022 is to reduce my Google footprint - to try to de-Google my life as best I can - and hopefully inspire you to do the same. In today's show, I'll talk about replacing Google's many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple's Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won't give it back; Russia has issued a state-sponsored "trusted root CA" that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from your dialer and messaging apps on Android. Article Links UK Network Operators Target iCloud Private Relay in Complaint to Regulator https://www.macrumors.com/2022/03/13/uk-network-operators-target-icloud-private-relay/ The FTC’s new enforcement weapon spells death for algorithms https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy Fraud is flourishing on Zelle. The banks say it’s not their problem. https://www.seattletimes.com/business/fraud-is-flourishing-on-zelle-the-banks-say-its-not-their-problem/ You Should Not Trust Russia’s New “Trusted Root CA” https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca Wartime Is a Bad Time To Mess With the Internet https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet DuckDuckGo down-ranks sites spreading Russian propaganda https://www.bleepingcomputer.com/news/technology/duckduckgo-down-ranks-sites-spreading-russian-propaganda/ Gmail tracking: Google keeps records of everything you buy. Here is how to delete this information. https://tutanota.com/blog/posts/gmail-tracks-everything-you-buy/ Google to make changes to apps after TCD study finds privacy issues https://www.irishtimes.com/business/technology/google-to-make-changes-to-apps-after-tcd-study-finds-privacy-issues-1.4826225 De-Google My Life, Part 3: https://firewallsdontstopdragons.com/de-google-my-life-part-3/ Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/ My Lock & Code podcast interview: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/ Data Privacy for Cars: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Computer Security Goes Microscopic

14 mars 2022 | 62 min

My De-Google Strategy

7 mars 2022 | 64 min

As my de-Google project progresses, I realized that I skipped the most important step: reconnaissance. Before you can de-Google your life, you need to first make a list of the Google products and services you interact with - and not all of them have "Google" in their names. Google also owns YouTube, Waze, Nest, Fitbit, Chromebooks, and much more. Furthermore, you need to know and understand what information Google already knows about you. And while you're doing that, you should delete all the existing data and prevent further collection. Thankfully, Google provides several tools to help you do this (most likely due to regulations like GDPR and CCPA). I'll help you create your personal de-Google to-do list. In other news: today I'm launching a massive giveaway promotion to celebrate the 5th anniversary of the podcast!! Also, 100 million Samsung phones shipped with horrible security flaws; Nvidia hackers are pressuring the company to turn off cryptocurrency mining limitations; the (Russian) Conti and TrickBot ransomware operations have been hacked; details of 120,000 Russian soldiers in Ukraine have been leaked (on purpose); the US Senate has passed landmark cybersecurity legislation in light of the rising cyber warfare threat; and the ACLU has published a sobering report about a mass surveillance company called Flock (no relation to Google's FLoC). Article Links 100 Million Samsung Phones Shipped With Flawed Encryption https://www.cpomagazine.com/cyber-security/100-million-samsung-phones-shipped-with-flawed-encryption-galaxy-s8-to-s21-series-cryptographic-keys-trivial-to-expose/ Nvidia Hackers Threaten to Release Mining-Limiter Killer https://www.tomshardware.com/news/nvidia-hackers-threaten-to-release-lhr-performance-limiter Conti Ransomware source code leaked by Ukrainian researcher https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/ Details of '120,000 Russian soldiers' leaked by Ukrainian media https://www.theregister.com/2022/03/02/russian_soldier_leaks/ Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments https://www.zdnet.com/article/senate-passes-cybersecurity-act-forcing-critical-infrastructure-orgs-to-report-cyberattacks-ransom-payments/ Fast-Growing Company Flock is Building a New AI-Driven Mass-Surveillance System https://www.aclu.org/report/fast-growing-company-flock-building-new-ai-driven-mass-surveillance-system My De-Google Strategy: https://firewallsdontstopdragons.com/my-de-google-strategy/ Lawrence Lessig’s article: https://medium.lessig.org/crowdsourced-war-b5774c0ca7b5 Further Info 5th Anniversary Giveaway!! Details will be posted this week on my blog - keep your eye out on my main website! https://firewallsdontstopdragons.com/ Check out Techlore: https://techlore.tech/ Conti Ransomware report from Krebs On Security: https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/ https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/ https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Securing Your Mobile Device

28 februari 2022 | 69 min

De-Google Your Life (Part 2)

21 februari 2022 | 53 min

One of my big goals for 2022 was to minimize my Google footprint. In the last news show, I covered Google Search, Chrome and Android. In today's show, I'll tackle two other big ones: Google's email (Gmail) and calendar (Gcal) services (and Google's contacts, for good measure). I actually replaced Gmail with two different services, because they each address two different needs I have. In others news: Microsoft finally disables Word and Excel macros by default for any file downloaded from the internet; the IRS backs off it's requirement for using facial recognition to authenticate to the IRS website; Missouri's prosecutor declines to prosecute the reporter who pointed out a state website which gave away social security numbers for some state employees; Kashmir Hill compares the relative privacy and tracking capabilities of AirTags, Tile and a cheap GPS tracker; two US senators are decrying a newly declassified report of a CIA program that surveils American citizens in bulk; a remote test proctoring company sinks to new lows; hundreds of Android apps were found to be tracking you using ultrasonic signals; and Google will be implementing a new privacy feature in Android that it claims is just as private as Apple's App Tracking Transparency, but will somehow preserve the ad-based web economy. Article Links Microsoft's Small Step to Disable Macros Is a Huge Win for Security https://www.wired.com/story/microsoft-disables-macros-default-security-phishing/ IRS To Ditch Biometric Requirement for Online Access https://krebsonsecurity.com/2022/02/irs-to-ditch-biometric-requirement-for-online-access/ Missouri prosecutor won't press charges against reporter who found flaw in state website https://www.kcur.org/politics-elections-and-government/2022-02-14/missouri-prosecutor-wont-press-charges-against-reporter-who-found-flaw-in-state-website New test shows AirTag’s safety precautions are far better than Tile, other GPS trackers https://9to5mac.com/2022/02/11/airtag-safety-vs-tile/ T2 Mac security vulnerability means passwords can now be cracked https://9to5mac.com/2022/02/17/t2-mac-security-vulnerability-passware/ Senators say CIA has been collecting data in bulk in secret program https://thehill.com/homenews/administration/593833-senators-say-cia-has-been-collecting-american-data-in-bulk-in-secret A Network of Fake Test Answer Sites Is Trying to Incriminate Students https://themarkup.org/machine-learning/2022/02/15/a-network-of-fake-test-answer-sites-is-trying-to-incriminate-students Hundreds of apps spying on users with ultrasonic tracking technology https://www.komando.com/gadgets/hundreds-of-apps-spying-on-users-with-ultrasonic-tracking-technology/402030/ Google's New Plan for Android Privacy Doesn't Sound All That Private https://gizmodo.com/google-android-privacy-sandbox-apple-ios-meta-1848547922?rev=1645048008531 De-Google My LIfe (part 2): https://firewallsdontstopdragons.com/de-google-my-life-part-2/ Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Free & Open Source Software

14 februari 2022 | 73 min

You may not know it, but our world has already been basically taken over by free and open source software, or FOSS - specifically, the Linux operating system. Just about every single electronic appliance or device today, from your smartphone to your smart toaster, is running some flavor of the Linux operating system. Furthermore, open source software projects are the bedrock of many for-profit software applications, operating systems, mobile apps and web apps. It's everywhere, and yet you probably know very little about it. Today, Sean O'Brien will give us a little FOSS history lesson, explain why supporting this movement is so important, and even tell us how we might replace some pricey and user-hostile popular software with top-notch free and open alternatives. Sean O’Brien is a lecturer in Cybersecurity at Yale Law School and Chief Security Officer at Panquake.com He is a Visiting Fellow at the Information Society Project at Yale Law School, where he founded and leads the Privacy Lab initiative. He has been involved in Free and Open-Source Software (FOSS) for approximately two decades, including volunteer work for the Free Software Foundation and FreedomBox Foundation. Show Links Panquake: https://panquake.com/ Yale Privacy Lab: https://privacylab.yale.edu/ It’s FOSS website: https://itsfoss.com/ Free Software Foundation: https://www.fsf.org/ Intro to Linux classes: https://itsfoss.com/free-linux-training-courses/ Windows Subsystem for Linux: https://docs.microsoft.com/en-us/windows/wsl/about System 76: https://system76.com/Purism: https://puri.sm/ Lineage OS: https://lineageos.org/Graphene OS: https://grapheneos.org/ Calyx OS: https://calyxos.org/ F-Droid: https://f-droid.org/ LibreOffice: https://www.libreoffice.org/ VLC Media Player: https://www.videolan.org/vlc/ Audacity audio editor: https://www.audacityteam.org/GIMP photo editor: https://www.gimp.org/ Inkscape illustrator: https://inkscape.org/ CryptPad: https://cryptpad.fr/ Further Info Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

De-Google Your Life

7 februari 2022 | 57 min

One of my New Year's Resolutions for 2022 is to minimize my Google footprint. In reality, it's very difficulty to completely avoid Google products, if you include things like Google Analytics, Google's cloud computing, and other services that we may not directly choose. But thankfully, there are many excellent, privacy-respecting alternatives to Google's more well-known products and services. In today's show, I'll start with some of the most basic ones: Google Search, Google Chrome browser, and Android. In other news: Google beats Apple to offering a way to disable insecure 2G cellular connections; people are selling "silent" AirTags that won't beep to let you know they're near (which could be better for stalking people); Facebook reported its first ever loss in subscribers along with a $10 billion loss due to people opting out of ad tracking; privacy advocates scored a huge win in the European Union against advertisers collecting and sharing your data; the IRS may be rethinking its coming requirement for facial recognition-based authentication after pushback; the FBI admits to evaluating NSO Group's nasty Pegasus cell phone spyware; Kaspersky finds several serious vulnerabilities in wearable medical devices; and Google has abandoned its FLoC web tracking system for a much more privacy-respecting version called Topics. Article Links EFF praises Android’s new 2G kill switch, wants Apple to follow suit https://arstechnica.com/gadgets/2022/01/eff-praises-androids-new-2g-kill-switch-wants-apple-to-follow-suit/Sale of 'Silent AirTags' on eBay and Etsy Raises Privacy Concerns https://www.macrumors.com/2022/02/03/silent-airtags-privacy-concerns/Facebook lost daily users for the first time ever last quarter https://www.theverge.com/2022/2/2/22914970/facebook-app-loses-daily-users-first-time-earnings A Change by Apple Is Tormenting Internet Companies, Especially Meta https://www.nytimes.com/2022/02/03/technology/apple-privacy-changes-meta.html Regulators find Europe’s ad-tech industry acted unlawfully https://www.engadget.com/european-union-gdpr-ad-tech-unlawful-iccl-iab-europe-125735068.htmlTreasury Weighing Alternatives to ID.me Over Privacy Concerns https://www.bloomberg.com/news/articles/2022-01-28/treasury-weighing-id-me-alternatives-over-privacy-concerns FBI acknowledges it tested NSO Group’s spyware https://www.washingtonpost.com/technology/2022/02/02/pegasus-fbi-nso-test/ Unpatched Security Bugs in Medical Wearables Allow Patient Tracking, Data Theft https://threatpost.com/unpatched-security-bugs-medical-wearables-patient-tracking-data-theft/178150/ Google abandons FLoC, introduces Topics API to replace tracking cookies https://www.theverge.com/2022/1/25/22900567/google-floc-abandon-topics-api-cookies-tracking De-Google My Life, Part 1: https://firewallsdontstopdragons.com/de-google-my-life-part-1/Apple’s new Personal Safety User Guide: https://support.apple.com/guide/personal-safety/welcome/web Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Searching for Privacy

31 januari 2022 | 55 min

We tell our search engines a lot of very personal things. They arguably know more about us than our best friends and significant others do. A history of your search terms can reveal so much about you, especially when viewed over the course of days, months and even years. And unfortunately, companies like Google use this privileged position to better target us with advertisements. This may seem innocuous, today's guest, Kelly Finnerty, will explain how this data collection can lead to some truly creepy outcomes and even emotional harm. But it doesn't have to be that way. There are search engines and other tools that don't track your history and sell you out. And there is hope for a brighter, privacy-respecting future. Kelly Finnerty is the director of brand for Startpage, a global privacy technology company that provides search and browsing products that protect people's personal data. Kelly is a #techforgood advocate that believes privacy is a worldwide human right. Episode Links Startpage browser extension: https://add.startpage.com/protection/ What does your search engine know about you? https://www.startpage.com/privacy-please/startpage-articles/what-does-your-search-engine-know-about-you Startpage data flow: https://support.startpage.com/index.php?/en/Knowledgebase/Article/View/1276/0/how-startpage-processes-and-protects-your-dataInterview with System1 CEO: https://thinkprivacy.ch/system1-interview/ Terms of Service; Didn’t Read: https://tosdr.org/ EFF’s Surveillance Self Defense: https://ssd.eff.org/ Further Info Annual listener survey: https://bit.ly/Firewalls-survey-2022Carey’s 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/ Carey’s Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Data Privacy Week: https://staysafeonline.org/data-privacy-week/Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Building a Privacy-Respecting World

24 januari 2022 | 66 min

Data Privacy Week 2022

17 januari 2022 | 57 min

Of course, every week should be "data privacy week", but we do set aside a specific time each year to focus on privacy - particularly educating as many people as possible about it. Until this year, we only dedicated one day for this - but as of 2022, it's been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I'm going to prep you for it with several of my top privacy protection tips! In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit as the United State's request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing driver's biometric information with consent; lawmakers propose legislation to simplify and standardize terms of services agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about with relation to privacy and what they feel should be done about it. Article Links Using Foreign Nationals to Bypass US Surveillance Restrictions https://www.schneier.com/blog/archives/2022/01/using-foreign-nationals-to-bypass-us-surveillance-restrictions.html Russia’s FSB says it has taken down REvil hacker group at US request https://www.theverge.com/2022/1/14/22883675/russia-fsb-revil-hacker-group-ransomware-us-request-fbi-doj VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones https://www.eff.org/deeplinks/2022/01/victory-google-releases-disable-2g-feature-new-android-smartphones Class action: Subaru DriverFocus system improperly scans driver's faces, eyes https://cookcountyrecord.com/stories/613746211-class-action-subaru-driverfocus-system-improperly-scans-driver-s-faces-eyes Lawmakers Come After Companies’ Terms of Service With New TLDR Bill https://www.gizmodo.com.au/2022/01/lawmakers-come-after-companies-terms-of-service-with-new-tldr-bill/ New Ponemon Institute Report Indicates Major Consumer Privacy Gap https://www.cpomagazine.com/data-privacy/new-ponemon-institute-report-indicates-major-consumer-privacy-gap/ Further Info Data Privacy Week: https://staysafeonline.org/data-privacy-week/about-dpw/ My Data Privacy checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ DNA service impacts: https://thenib.com/its-all-relatives/ Annual listener survey: https://bit.ly/Firewalls-survey-2022Hunting for Stingrays podcast: https://podcast.firewallsdontstopdragons.com/2021/04/19/hunting-for-stingrays-part-1/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

2022 New Year’s Resolutions

10 januari 2022 | 90 min

It's the start of a brand new calendar year! And therefore it's time to engage in that annual ritual of planning to do better this year by making our list of New Year's Resolutions. To help you with the cybersecurity and privacy items on your list (an area where we all need major improvement), I will share with you my personal list of cyber goals for 2022. Yes, even security advocates can suffer from the "do as I say, not as I do" syndrome. We're all human, and there are plenty of things that I still need to get done - things that you probably need to do, too. I'll also catch you up on the latest security and privacy news: several articles popped up about a supposed data breach at LastPass that turned out to be incorrect; the US Federal Trade Commission is getting very serious about fining companies with lax cybersecurity practices in light of the Log4J/Log4Shell nightmare; clever scammers in Texas are tricking motorists into paying the wrong people for parking; Norton 360 and other antivirus software packages have started pre-installing cryptocurrency mining software on their customers' computers; TurboTax is the second major tax-filing software service to drop out of the federal Free File program; Google's adoption of the Manifest V3 specification gives users yet another reason not to use their Chrome browser; and a lawsuit in California alleges that Google's exclusive search engine deal with Apple is stifling competition and harming consumers. Article Links LastPass says there’s no data breach, so your passwords were not hacked https://bgr.com/tech/lastpass-says-theres-no-data-breach-so-your-passwords-were-not-hacked/?bgr-partner=flipboard FTC to Go After Companies that Ignore Log4j https://threatpost.com/ftc-pursue-companies-log4j/177368/ QR code scammers hitting on-street parking in Texas cities https://www.click2houston.com/news/local/2022/01/05/qr-code-scammers-hitting-on-street-parking-in-texas-cities-this-is-what-houston-officials-want-you-to-know/ Norton 360 Now Comes With a Cryptominer https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/ 500M Avira Antivirus Users Introduced to Cryptomining https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/ Want to file your tax return for free? TurboTax opts out of major program https://www.freep.com/story/money/personal-finance/susan-tompor/2022/01/05/how-file-your-tax-return-free-turbotax/9077019002/ Podcast on Free File report from Pro Publica: https://podcast.firewallsdontstopdragons.com/2020/01/13/why-free-file-isnt-free/ Google makes the perfect case for why you shouldn't use Chrome https://www.techrepublic.com/article/google-makes-the-perfect-case-for-why-you-shouldnt-use-chrome/ Google Basically Pays Apple to Stay Out of the Search Engine Business, Class Action Lawsuit Alleges https://www.macrumors.com/2022/01/05/google-pays-apple-stay-out-of-search/ Betty White on MFA: https://www.youtube.com/watch?v=DmIDtDAYTPA Further Info Annual listener survey: https://bit.ly/Firewalls-survey-2022Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

The State of Kids’ Privacy

3 januari 2022 | 73 min

The Best of 2021

27 december 2021 | 67 min

We've come to the end of another year. As we take a breather and gather with family and friends for the holidays, it's a good time to look back over the year that just passed. I've collected a handful of snippets from some of my favorite shows from this year, along with some a little commentary. If you're new to the show, you can catch up on some stuff you may have missed. Or if you'd like to introduce someone else to the podcast, this would be a great one to share. You can find all the original, full-length episodes using the links below. Best Of Episodes Ep206, Feb 8 - Troy Hunt, De-Platforming: https://podcast.firewallsdontstopdragons.com/2021/02/08/free-speech-deplatforming/Ep214, Apr 5 - Phil Zimmerman, Social media is ruining society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-societyEp219, May 10 - Alison Macrina, library freedom https://podcast.firewallsdontstopdragons.com/2021/05/10/protecting-intellectual-freedom-part-1/ Ep232, Aug 9 - DEFCON - understanding hackers https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/ Ep233, Aug 16 - DEFCON - Jeff Moss interview https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/Ep235, Aug 30 - Morpheus - Todd Austin https://podcast.firewallsdontstopdragons.com/2021/08/30/morpheus-securing-cpus-with-entropy/Ep237, Sep 13 - Privacy for Cars - Andrea Amico https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/Ep245, Nov 8 - Harri Hursti https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/ Ep200, Dec 27, 2020 - Bruce Schneier https://podcast.firewallsdontstopdragons.com/2020/12/28/200th-podcast-new-years-2021/ Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

The Log4Shell Debacle

20 december 2021 | 79 min

The internet is on fire this week. The worst cybersecurity vulnerability of the last ten years (and perhaps more) has kicked the internet ant hill. Companies around the globe - big and small - are scrambling to repair a gaping hole in a ridiculously mundane but widely popular open source tool called Log4J. What it is and what does it mean for you? I'll get into all of that today. In other news: many popular wireless home routers are riddled with security bugs (update your firmware now); family "safety" app Life360 is selling your detailed location data; Consumer Reports released a comprehensive report on VPN security and privacy; Firefox just got a lot more secure; LastPass is once again an independent company; Apple released a lot of cool security and privacy features for iOS and macOS; and Verizon just opted you into a program for tracking you - and how you can opt out. (I'll touch on T-Mobile and AT&T tracking, too.) Article Links Op-Ed: What a house cat can teach us about cybersecurity https://www.latimes.com/opinion/story/2021-11-07/op-ed-what-a-house-cat-can-teach-us-about-cybersecurity Nine WiFi routers used by millions were vulnerable to 226 flaws https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/ The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user Consumer Reports exhaustive report on VPNs https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/ The new Firefox 95 might be the most secure web browser on the market https://www.techrepublic.com/article/the-new-firefox-95-might-be-the-most-secure-web-browser-on-the-market/ The Log4Shell 0-day, four days on: What is it, and how bad is it really? https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/ Widely-Used Kronos Payroll Provider Down for “Weeks” Due to Ransomware Attack; Was Log4Shell Involved? https://www.cpomagazine.com/cyber-security/widely-used-kronos-payroll-provider-down-for-weeks-due-to-ransomware-attack-was-log4shell-involved/ LastPass is going to become an independent company https://www.theverge.com/2021/12/14/22833319/lastpass-independent-company-logmeinHow to Use App Privacy Report in the iOS 15.2 Beta https://www.macrumors.com/guide/app-privacy-report/iOS 15.2 Beta 2 Lets Your Family Access Your Data If You Pass Away https://www.macrumors.com/2021/11/09/ios-15-2-legacy-contact/ Hide My Email Available in Mail App With New iOS 15.2 and macOS Monterey 12.1 Betas https://www.macrumors.com/2021/11/09/macos-monterey-12-1-beta-2-hide-my-email/ iOS 15.2 Beta Adds Messages Communication Safety Feature for Kids https://www.macrumors.com/2021/11/09/apple-messages-communication-safety-ios-15-2/ Verizon May Have Just Enrolled You in a Data-Collection Scheme–Here's How to Get Out https://gizmodo.com/verizon-may-have-just-enrolled-you-in-a-data-collection-1848156157 Further Info Still looking for holiday gifts? https://firewallsdontstopdragons.com/best-worst-gifts-2021/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

End Run Around Your Rights

13 december 2021 | 55 min

Defending Democracy with Technology

6 december 2021 | 62 min

Transparency is critical when it comes to trust - and right now, particularly in the United States, we're having some real issues with trust in our elections. Most of our election systems today are completely opaque in terms of their hardware and software design because they're made by private companies who want to protect their intellectual property. But this secrecy also seriously impedes independent third parties from being able to test and verify these devices that are crucial to our democracy, and therefore contributes to the distrust in our election outcomes. Microsoft is working to change this with a program called ElectionGuard - a free and open source software framework that would allow any company (existing or new) to create robust and secure election systems. Not only can security researchers, journalists and democracy activists review and test the code, but the system actually provides technical capabilities that would allow voters and watchdog groups with a secure and private method for verifying that all votes were counted correctly. And that's just part of what Microsoft is doing to defend democratic processes as part of their Democracy Forward program. Ethan Chumley is a Senior Security Strategist for Microsoft’s Democracy Forward Program, leading the team’s Critical Institution cybersecurity programs. He works at the intersection of cybersecurity, policy, and technology in support of open and secure elections by working with political campaigns, elections organizations, think tanks, NGOs, disinformation researchers, and tech industry partners. Further Info Microsoft ElectionGuard: https://www.electionguard.vote/ Microsoft's Democracy Forward program: https://news.microsoft.com/on-the-issues/topic/defending-democracy-program/ Contact Microsoft about ElectionGuard: [email protected] Contact Microsoft about protecting elections: [email protected] ElectionGuard code: https://github.com/microsoft/electionguard Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/ Article on brute forcing debit card numbers: https://www.techspot.com/news/92476-hackers-brute-force-guessing-payment-card-numbers-there.html Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

My Debit Card Was Hacked

29 november 2021 | 68 min

Credit cards are more secure than debit cards. I've said this in my book, my podcast, my blog and my seminars. Credit card transactions are loans - you're not out any money if a fraudulent charge comes through (assuming you or the credit card company catches it first). With debit cards, any fraud activity will actually take your money from your account - it's gone and you have to convince your bank to give it back. And so, I almost never use my debit card. And yet, I was still hacked. My card wasn't stolen or cloned with a skimmer. The number wasn't leaked in a hack. The bad guys somehow managed to guess my card number. And then they got clever and drained my bank account. I'll give you the details today and give you some pointers for avoiding being bitten the same way I was. In other news: bad guys have come up with some very clever ways to drain your bank accounts using Zelle and text messages; they've also used similar techniques to disable the Find My feature on stolen iPhones; Apple is suing Israeli hacking company NSO Group over their Pegasus spyware; attackers apparently don't try guessing passwords longer than about 10 characters; GoDaddy admits to a major breach, but in a dumb way; there's a nasty new Windows bug that was give up by an upset security researcher; there's a powerful IoT malware that appears to be lurking on the internet; Microsoft Windows is doing some shady stuff to force you to use Edge browser and give up your data; and Vizio makes more money off your TV data than off the TV itself. Article Links The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/ iPhone thieves are using this trick to disable Find My on stolen devices https://www.imore.com/iphone-thieves-are-using-trick-disable-find-my-stolen-devices Apple sues NSO Group for attacking iPhones with Pegasus spyware https://www.theverge.com/2021/11/23/22798917/apple-nso-group-spyware-pegasus-cybersecurity-research Apple will alert users exposed to state-sponsored spyware attacks https://appleinsider.com/articles/21/11/25/apple-will-alert-users-exposed-to-state-sponsored-spyware-attacks Attackers don’t bother brute-forcing long passwords https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/ GoDaddy admits to password breach: check your Managed WordPress site! https://nakedsecurity.sophos.com/2021/11/23/godaddy-admits-to-password-breach-check-your-managed-wordpress-site/ New Windows zero-day with public exploit lets you become an admin https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/ This mysterious malware could threaten millions of routers and IoT devices https://www.zdnet.com/article/this-mysterious-malware-could-threaten-millions-of-routers-and-iot-devices/ Microsoft Enables Edge Sync By Default, Hoovering Up Your Data in the Process https://www.extremetech.com/computing/329162-microsoft-enables-edge-sync-by-default-hoovering-up-your-data-in-the-process?source=Computing Vizio is making more money selling your data than it is selling TVs https://knowtechie.com/vizio-is-making-more-money-selling-your-data-than-it-is-selling-tvs/ My Debit Card Was Hacked: https://firewallsdontstopdragons.com/my-debit-card-was-hacked/ Further Info HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7Give Thanks and Donate https://firewallsdontstopdragons.com/give-thanks-donate/ Best & WorstBecome a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Security Requires Privacy

22 november 2021 | 76 min

Best & Worst Gifts for 2021

15 november 2021 | 53 min

The gift-giving season is officially upon us, and with covid supply chain issues, if you're going to order gifts, you need to get on it. And in today's show, I'll share the highlights of my annual Best & Worst Gift Guide where I focus on the privacy and security of popular gifts. You won't be surprised at a lot of the items on my naughty list, but I'll bet you'll find some interesting ideas from the nice list that you can give your loved ones this holiday season. I will also cover several news items - many of them actually good news! A new bipartisan bill would allow people to disable news feeds based on algorithms; Apple has dialed back some of it's well-intentioned but poorly-implemented child safety features; Facebook will remove many sensitive categories for targeted ads and stop using facial recognition; several people associate with the Kaseya ransomware hack have been arrested; and 23andme's DNA database (your DNA) may be leveraged foro a lucrative pharmaceutical business. Article Links New bipartisan bill takes aim at algorithms https://www.axios.com/algorithm-bill-house-bipartisan-5293581e-430f-4ea1-8477-bd9adb63519c.html Apple Has Listened And Will Retract Some Harmful Phone-Scanning https://www.eff.org/deeplinks/2021/11/apple-has-listened-and-will-retract-some-harmful-phone-scanning Facebook-parent Meta will remove the ability to target ads based on sensitive categories https://www.cnn.com/2021/11/09/tech/meta-facebook-ad-targeting-change/index.html Facebook shutting down face recognition efforts & deleting data https://appleinsider.com/articles/21/11/02/facebook-shutting-down-face-recognition-efforts-deleting-data Meta to continue use of facial recognition technology: https://appleinsider.com/articles/21/11/04/meta-to-continue-use-of-facial-recognition-technology Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague https://nakedsecurity.sophos.com/2021/11/08/kaseya-ransomware-suspect-nabbed-in-poland-6m-seized-from-absent-colleague/ All Those 23andMe Spit Tests Were Part of a Bigger Plan https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs Further Info My annual Best & Worst Gift Guide is out for 2021! https://firewallsdontstopdragons.com/best-worst-gifts-2021/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Restoring Trust in Our Elections

8 november 2021 | 85 min

Nothing is arguably more fundamental to a democracy than voting. But it's not enough to have a secure election. The electorate also needs to trust that the results are valid. In the United States today, that trust is in short supply - many people believe that the 2020 election was rigged. On one hand, many of our electronic voting systems are demonstrably insecure and trivially capable of being hacked. On the other, our cybersecurity experts, government agencies and election officials are telling us that the 2020 election was one of the most secure in US history and voter fraud almost never happens. So which is it? How do we reconcile these two seemingly incongruent positions? Today I'll ask these questions and more of computer and election security guru Harri Hursti. Harri has investigated and hacked several popular election systems used in the US and runs the Voting Machine Hacking Village at the annual DEF CON hacking conference. He's also officially observed many elections around the world and participated in several high profile audits. As if that weren't enough, Harri's been featured in two separate HBO documentaries on election security and is co-founder of the Election Integrity Foundation. I met Harri at DEF CON 29 and I was thrilled when he agreed to come on the show. Further Info Harri Hursti: https://en.wikipedia.org/wiki/Harri_Hursti Election Integrity Foundation https://electionintegrityfoundation.org/ California voting system review (“top to bottom”): https://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review Ohio voting system review (“Everest”): https://www.eac.gov/documents/2017/03/21/everest-report-state-voting-systems-voting-technology New Hampshire election audit: http://doj.nh.gov/sb43/documents/20210713-sb43-forensic-audit-report.pdf Kill Chain: The Cyber War on America's Elections (HBO documentary, 2020) https://www.hbo.com/documentaries/kill-chain-the-cyber-war-on-americas-elections Hacking Democracy (HBO documentary, 2006) https://www.youtube.com/watch?v=b_gb_w_L9NE Election Administration and Voting Survey 2020: https://www.eac.gov/research-and-data/studies-and-reports Voluntary Voting System Guidelines: https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines CISA, Election Security Rumor vs Reality: https://www.cisa.gov/rumorcontrol 2020 election security reports: https://www.brennancenter.org/our-work/research-reports/its-official-election-was-secure DEF CON 25 Voting Machine Hacking Village Report: https://archive.org/download/DEFCON25VotingVillageReport/DEF%20CON%2025%20voting%20village%20report.pdf Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Spooky Security Stories

1 november 2021 | 66 min

There were lots of scary computer security and privacy stories in the news this week, coinciding nicely with Halloween. We'll start off with an unfortunate new cybersecurity term: killware. This is software whose end result is actual physical harm to human beings, including death. Sadly, this is now a thing. And I don't know about you, but Mark Zuckerberg's vision of the future (the "metaverse") is pretty damn scary, too. In other news: a hacker seems to have stolen the government identity information for every person in Argentina; a New York Times journalist explains how his iPhone has been hacked multiple times by the NSO Group and what he does to protect himself (and his sources); the FBI, the Secret Service and other "like-minded countries" seem to have finally taken down the REvil ransomware gang for good; Facebook has changed its name to "Meta"; link previews in chat apps can actually cause serious security and privacy problems; Delta Airlines and UK schools are normalizing the use of facial recognition for mundane purposes; your ISP is collecting tons of information about you in the US because we let them; and finally, I demystify and debunk the "dangers" of QR codes. Article Links Killware: What You Need to Know https://adamlevin.com/2021/10/15/killware-what-you-need-to-know/Hacker steals government ID database for Argentina’s entire population https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/ NYT journalist describes his iPhone being hacked, and the precautions he now takes https://9to5mac.com/2021/10/25/nyt-journalist-describes-his-iphone-being-hacked-and-the-precautions-he-now-takes/ FBI, others crush REvil using ransomware gang’s favorite tactic against it https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/ Facebook changes its name to Meta: https://www.inc.com/jason-aten/5-things-mark-zuckerberg-said-about-his-plan-for-metaverse-that-should-make-you-very-worried.html Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities https://www.macrumors.com/2020/10/26/link-previews-may-lead-to-security-vulnerabilities/ Delta Air Lines partners with TSA PreCheck to launch biometrics-based bag drops https://finance.yahoo.com/news/delta-air-lines-partners-tsa-164655619.html UK schools are using facial recognition to take pupils’ lunch money https://www.theverge.com/2021/10/18/22732330/uk-schools-facial-recognition-lunch-payments-north-ayrshire Location Data Firm Got GPS Data From Apps Even When People Opted Out https://www.vice.com/en/article/5dgmqz/huq-location-data-opt-out-no-consent Internet service providers have so much data on you https://www.protocol.com/policy/isp-ftc-data Beware QR Code… Articles: https://firewallsdontstopdragons.com/beware-qr-code-articles/ Further Info Only ONE DAY LEFT to snag your challenge coin!! The promotion ends at 11pm Eastern Time on Tuesday, November 2nd! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Through the Past, Privately: PGP Turns 30

25 oktober 2021 | 75 min

Today, we're surrounded by strong encryption. Thanks to efforts like Let's Encrypt, almost all web communications today at encrypted. And thanks to wonderful privacy communications tools like Signal, we can share private thoughts instantly and securely with anyone on the planet. But this was not always the case. This secure, private, encryption-enabled future we're living now was far from certain 30 years ago when Phil Zimmermann created and freely released his email encryption tool Pretty Good Privacy (PGP). If not for Phil and a handful of others, we could very easily have lost the Crypto Wars of the 1990's and authoritarian mass surveillance could have been the norm. In today's show, Phil and I walk through the creation of PGP, the technological and political climate of that day, and the nerve-racking few years where Phil faced potential jail time for releasing "munitions grade" encryption to the world. We'll also discuss the literally life-saving impacts PGP has had over these last 30 years and how global law enforcement agencies and liberal democratic governments have revived the Crypto Wars. Phil Zimmermann is the creator of Pretty Good Privacy, which is still widely regarded as the gold standard for secure email communication. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame. Further Info Phil Zimmermann’s website: https://philzimmermann.com/ Phil’s announcement for the 30th anniversary of PGP: https://philzimmermann.com/EN/news/index.htmlPGP Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust SNL Bass-o-matic skit: https://www.nbc.com/saturday-night-live/video/bassomatic/n8631 National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources Only ONE WEEK LEFT to snag your challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Rough Week for Facebook

18 oktober 2021 | 70 min

Facebook had a horrible, no-good, very bad week. Not only did Facebook, Instagram and WhatsApp go completely offline for about six hours, a whistleblower came forward to show the world what most of us already knew: Facebook values money over its users' well being. And I have another story that backs that up, as well - one that you almost surely did not hear about. In other news: the FTC tells app makers to fess up when users private data gets loose; the governor of Missouri wants to sue a newspaper for revealing a horrible security flaw that exposed teachers' social security numbers; Apple's attempts to prevent user tracking on iOS are being undermined by unscrupulous apps; a company that you've never heard of with access to almost all cellular text messages was hacked over the course of five years; the VPN maker and VPN review industries are awash in conflicts of interest; Windows 11 is finally out, but it's not clear if and whether you should upgrade to it; and Firefox is searching for more ways to make money and stay alive, including adding more sponsored search suggestions for you to consider. Article Links FTC says health apps must notify consumers about data breaches — or face fines https://techcrunch.com/2021/09/16/ftc-says-health-apps-must-notify-consumers-if-their-data-is-breached-or-face-fines/ Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/ Investigation Finds Apple App Tracking Rules May Be Ineffective; IDFA Blocked, but Apps Frequently Access Other Identifiers https://www.cpomagazine.com/data-privacy/investigation-finds-apple-app-tracking-rules-may-be-ineffective-idfa-blocked-but-apps-frequently-access-other-identifiers/ Company That Routes Billions of Text Messages Quietly Says It Was Hacked https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked Consolidation of the VPN industry spells trouble for the consumer, https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/Facebook has finally given a reason for the six-hour outage Monday https://www.theverge.com/2021/10/4/22709806/facebook-says-the-six-hour-outage Understanding How Facebook Disappeared from the Internet: https://blog.cloudflare.com/october-2021-facebook-outage/ Facebook bans developer behind Unfollow Everything tool https://www.theverge.com/2021/10/8/22716044/facebook-unfollow-everything-tool-louis-barclay-banned-for-lifeFacebook whistleblower Frances Haugen tells lawmakers that meaningful reform is necessary ‘for our common good’ https://www.washingtonpost.com/technology/2021/10/05/facebook-senate-hearing-frances-haugen/ Windows 11 compatibility: Check if your PC meets Microsoft's requirements https://www.cnet.com/tech/computing/windows-11-compatibility-check-if-your-pc-meets-microsofts-requirements/ Firefox Now Sends Your Address Bar Keystrokes to Mozilla https://www.howtogeek.com/760425/firefox-now-sends-your-address-bar-keystrokes-to-mozilla/ BONUS: Trust, but verify: An in-depth analysis of ExpressVPN's terrible, horrible, no good, very bad week https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/ Further Info National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources Only two weeks left to snag a challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Privacy Dynamic Duo

11 oktober 2021 | 79 min

Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time? NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!) Michelle Dennedy was the first CPO for many global IT infrastructure companies including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online and CEO at a Privacy Engineering startup in stealth mode. She is the co-author of The Privacy Engineer’s Manifesto and The Privacy Engineer’s Companion. Melanie Ensign is the CEO of Discernible, helping cybersecurity & privacy teams better communicate with business leaders and consumers. She is also part of the DEF CON leadership team. Further Info Discernable: https://discernibleinc.com/ Privatus: https://privatus.online/ The Privacy Engineer’s Manifesto: https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555 The Rise of Privacy Tech (TROPT): https://www.riseofprivacytech.com/ Privacy is Power (book): https://firewallsdontstopdragons.com/privacy-is-power-review/ The Social Dilemma: https://www.thesocialdilemma.com/ The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

iOS 15 Privacy & Security Features

4 oktober 2021 | 68 min

I admit it. I'm an Apple fan. Are they perfect? Definitely not. But in most cases, they're actually trying to be good. And at the end of the day, their business model doesn't rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it's got some really cool security and privacy features. I'll tell you all about them in today's show. In other news: thousands of Netgear routers can be hacked via a Disney parental control feature even if you didn't ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a "passwordless" login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere - because HTTPS is now already everywhere; Amazon's new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US. Article Links National Cybersecurity Awareness Month, Week #1: Own your role in cybersecurity https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf Thousands of Netgear routers can be hacked — here's what to do https://www.tomsguide.com/news/netgear-router-circle-patches Researcher drops three iOS zero-days that Apple refused to fix https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/ ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move https://theintercept.com/2021/09/21/surveillance-social-media-police-microsoft-shadowdragon-kaseware/ The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous https://www.vice.com/en/article/93ypke/the-nsa-and-cia-use-ad-blockers-because-online-advertising-is-so-dangerous You Can Now Sign-in to Your Microsoft Accounts Without a Password https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html HTTPS Is Actually Everywhere https://www.eff.org/deeplinks/2021/09/https-actually-everywhere Amazon Astro is ‘terrible’ and will ‘throw itself down’ stairs, developers reportedly claim https://www.theverge.com/2021/9/28/22699284/amazon-astro-real-world-stairs-fragile-developer-claims-documents-tracking National Cybersecurity Awareness Month https://www.cisa.gov/cybersecurity-awareness-monthApple’s iOS 15 Privacy and Security features: https://firewallsdontstopdragons.com/ios-15-security-privacy-features/ Further Info The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/ Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Apple’s Problematic CSAM Scanning

27 september 2021 | 68 min

Security Is Hard

20 september 2021 | 57 min

It's really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard - even when you're trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we're going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task. In today's show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it's still being actively exploited (hint: patch now!); it was recently argued that WhatsApp's end-to-end encryption has a "backdoor", but I'll explain why that's not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its "no IP logging" marketing in the face of a recent incident involving a French activist's account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I'll tell you about a new fourth credit bureau where you should freeze your credit report. Article Links Free REvil ransomware master decrypter released for past victims https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/ Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR WhatsApp Fixes Its Biggest Encryption Loophole https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/ No, Facebook Isn't Reading Your Private WhatsApp Messages. The Problem Is Much Worse https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html Pwned! The home security system that can be hacked with your email address https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/ ProtonMail Amends Its Policy After Giving Up an Activist’s Data https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/ New Mac malware spreads via search results https://www.tomsguide.com/news/mac-malware-fake-iterm2Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/ Further Info Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerStay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/ Generate secure passphrases! https://d20key.com/#/

Driving Data Privacy for Cars

13 september 2021 | 69 min

Privacy Matters

6 september 2021 | 60 min

For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters. Of course, I'll also cover several security-related topics this week, as well: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming child porn; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone. Article Links Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do https://www.tomsguide.com/news/steelseries-windows-privilege-escalationMicrosoft Azure cloud vulnerability is the ‘worst you can imagine’ https://www.theverge.com/2021/8/27/22644161/microsoft-azure-database-vulnerabilty-chaosdbJuniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html Australia Considers Social Media ID Requirement https://www.infosecurity-magazine.com/news/australia-considers-social-media Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies https://www.businessinsider.com/google-locks-afghan-government-email-accounts-to-block-taliban-report-2021-9Opinion: It’s dangerously stupid to put your state ID in your Apple Wallet https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-walletMillions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know https://www.tomsguide.com/news/braktooth-bluetooth-flawsApple cares about privacy, unless you work at Apple https://www.theverge.com/22648265/apple-employee-privacy-icloud-idApple backs down on CSAM features, postpones launch https://appleinsider.com/articles/21/09/03/apple-backs-dowVictory! Federal Trade Commission Bans Stalkerware Company from Conducting Business https://www.eff.org/deeplinks/2021/09/victory-federal-trade-commission-bans-stalkerware-company-conducting-business ‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought backhttps://www.theguardian.com/world/2021/sep/04/surveillance-state-september-11-panic-made-us-vulnerable Further Info Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Morpheus: Securing CPUs with Entropy

30 augusti 2021 | 64 min

Beware the Four Horsemen

23 augusti 2021 | 84 min

How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children. In other news: Both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft's PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to a new attacks; Facebook is trying to help Afgans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible with random numbers, and that's a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk. Article Links Blocking the Exploitation of PrintNightmare https://securityboulevard.com/2021/08/blocking-the-exploitation-of-printnightmare/Disabling your Print Spooler (see “Workarounds”): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527Millions of home Wi-Fi routers under attack by botnet malware https://www.tomsguide.com/news/arcadyan-router-malwareSEE ALSO: Router Security: https://routersecurity.org/ T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-100-million-customer-data-records-compromised-including-social-security-drivers-license-unique-device-numbers/Hacker Selling Private Data Allegedly from 70 Million AT&T Customers https://restoreprivacy.com/att-data-breach-70-million-customers/ Millions of Web Camera and Baby Monitor Feeds Are Exposed https://www.wired.com/story/kalay-iot-bug-video-feeds/ Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/ To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan https://www.nytimes.com/2021/08/20/world/asia/afghanistan-facebook.html Web apps have become so complex that they're unsafe to use, researchers say https://www.tomsguide.com/news/unsafe-web-apps-oauth DEFCON “You’re doing IoT RNG” paper: https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope https://daringfireball.net/2021/08/apple_child_safety_initiatives_slippery_slopeWe built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous https://www.washingtonpost.com/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/Open letter to Apple from 90+ world orgs https://cdt.org/insights/international-coalition-calls-on-apple-to-abandon-plan-to-build-surveillance-capabilities-into-iphones-ipads-and-other-products/ Tell Apple not to scan our phones: https://act.eff.org/action/tell-apple-don-t-scan-our-phones Further Info Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to ...

On a Dark Tangent

16 augusti 2021 | 64 min

Understanding Hackers & Hacking

11 augusti 2021 | 92 min

Selling You Out to the Highest Bidder

2 augusti 2021 | 92 min

Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you. Dr Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan worked in adtech, media, and policy. His previous roles included Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA). Further Info: Irish Council for Civil Liberties lawsuit: https://www.iccl.ie/rtb-june-2021/ Johnny Ryan: https://www.iccl.ie/staff/dr-johnny-ryan/ IAB Audience Taxonomy: https://www.iab.com/guidelines/audience-taxonomy/ IAB Content Taxonomy: https://www.iab.com/guidelines/content-taxonomy/ OpenRTB 3.0 spec: https://github.com/InteractiveAdvertisingBureau/openrtb Browser plugin: https://chrome.google.com/webstore/detail/bidfilter-header-bidding/addamgcbhieigmdmmaooppajdocgggck FTC’s data broker report from 2014: Data Brokers: A Call for Transparency and Accountability Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

Guard Your Digital Rolodex

26 juli 2021 | 59 min

Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more - meaning that it's an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of it's customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymous data sets. Article Links Apple fixes bug that breaks iPhone WiFi when joining rogue hotspots https://www.bleepingcomputer.com/news/security/apple-fixes-bug-that-breaks-iphone-wifi-when-joining-rogue-hotspots/ Revil Ransomware Group Missing From Dark Web; Temporary Vacation, or Permanently Out of Business? https://www.cpomagazine.com/cyber-security/revil-ransomware-group-missing-from-dark-web-temporary-vacation-or-permanently-out-of-business/ The Kaseya Ransomware Nightmare Is Almost Over https://www.wired.com/story/kaseya-ransomware-nightmare-is-almost-over/ Takeaways from the Pegasus Project https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/ How to Protect Yourself From the New Windows 10 and 11 Security Bug https://lifehacker.com/how-to-protect-yourself-from-the-new-windows-10-and-11-1847338342 Venmo removes its global, public feed as part of a major redesign https://techcrunch.com/2021/07/20/venmo-removes-its-global-public-feed-in-a-significant-app-redesign/ The FBI Is Locating Cars By Spying On Their WiFi https://www.forbes.com/sites/thomasbrewster/2021/07/22/the-fbi-is-using-stingray-smartphone-surveillance-to-locate-cars-and-spy-on-their-wifi/?sh=113ea16335c8 Inside the Industry That Unmasks People at Scale https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii A priest’s phone location data outed his private life. It could happen to anyone. https://www.washingtonpost.com/technology/2021/07/22/data-phones-leaks-church/ Connected cars: What happens to your data after you leave your rental car behind? https://www.zdnet.com/article/connected-cars-what-happens-to-your-data-after-you-leave-your-rental-car/ Privacy International 2017 study: http://privacyinternational.org/sites/default/files/2017-12/cars_briefing.pdf Further Info Who’s making money on ransomware? https://ransomwhe.re/ No More Ransom: https://www.nomoreransom.org/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

It’s Time to Drop the SBOM

19 juli 2021 | 70 min

How to Keep Ransomware at Bay

12 juli 2021 | 60 min

Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSP's a very privileged security position, making it a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cookies for at least two years; a Microsoft exec tells the US Congress about how law enforcement and intelligence agencies make thousands of gag-order-restricted demands for data every year; a research group discovers that an old cell phone encryption standard was intentionally weakened to allow easier cracking; Microsoft's PrintNightmare bug is still not fully patched and the back story is a comedy of errors; and with hurricane season upon us, I'll point you to some great tips on preparing for power outages. Article Links A popular password manager screwed up, but there's an easy fix https://mashable.com/article/kaspersky-password-manager-security-bug Brazilian iPhone thieves demonstrate importance of responsible password practices https://appleinsider.com/articles/21/07/07/brazilian-iphone-thieves-demonstrate-importance-of-responsible-password-practices Why Google Can't Bring Itself to Make the Internet Respect Your Privacy https://www.inc.com/jason-aten/why-google-cant-bring-itself-to-make-internet-respect-your-privacy.html Microsoft exec: Targeting of Americans’ records ‘routine’ https://apnews.com/article/government-and-politics-technology-business-ed50baf4ffb09ca50cda9b8a262c54ad Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened https://www.vice.com/en/article/4avnan/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened PrintNightmare official patch is out – update now? https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/ Up to 1,500 businesses infected in one of the worst ransomware attacks ever https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/ Further Info Microsoft PrintNightmare patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 CISA, FBI share guidance for victims of Kaseya ransomware attack https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/ Ransomware Defense: Top 5 Things to Do Right Now https://threatpost.com/ransomware-defense-top-5-tips/167536/ How to prepare for a power outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/ How to safely download software: https://firewallsdontstopdragons.com/how-to-safely-download-software/ Sign up for the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Make That Shaken AND Stirred

5 juli 2021 | 71 min

Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "Stir" ("secure telephone identity revisited") and "Shaken" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are vulnerable to a nasty BIOS attack; many users of the old WD My Book Live storage drives have had all their data erased; the REvil ransomware gang has attacked at least 200 companies with a new supply chain hack; Microsoft tries and fails miserably to fix a bad printer server bug ("PrintNightmare"), Russian hackers are constantly trying to brute force your bad passwords; and finally, the USA's CISA is warning manufacturers of ThroughTek devices about an exploitable vulnerability in several webcams and IoT devices. Article Links Data Scraping Yields 700 Million LinkedIn Profiles for Sale on Dark Web; About 92% Of Platform Users, but Mostly Public Information https://www.cpomagazine.com/cyber-security/data-scraping-yields-700-million-linkedinBeware! Connecting to This Wireless Network Can Break Your iPhone's Wi-Fi Feature https://thehackernews.com/2021/06/beware-connecting-to-this-wireless.html 30M Dell Devices at Risk for Remote BIOS Attacks, RCE https://threatpost.com/dell-bios-attacks-rce/167195/ Western Digital My Book Live devices being remotely wiped by attackers https://appleinsider.com/articles/21/06/25/western-digital-my-book-live-devices-being-remotely-wiped-by-attackers REvil ransomware hits 200 companies in MSP supply-chain attack https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/ How to Avoid Windows' 'PrintNightmare' Security Threat https://lifehacker.com/how-to-avoid-windows-printnightmare-security-threat-1847221653 Russian Hackers Are Trying to Brute-Force Hundreds of Networks https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/ CISA warns manufacturers of ThroughTek vulnerability (webcams) https://www.zdnet.com/article/cisa-warns-manufacturers-of-throughtek-vulnerability/ Robocalls are out of control. But that could all change today https://www.cnet.com/news/robocalls-are-out-of-control-but-that-could-all-change-today/ Further Info Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Sad State of Cybersecurity

28 juni 2021 | 60 min

Hacking Satellites for Fun & Profit

21 juni 2021 | 65 min

Are satellites really just IoT devices in space? They're small computers and connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force Defensive Cyber Operations for Space Systems (DCO-S) program. MITRE operates Federally Funded Research and Development Centers (FFRDC's), which support the US government in a variety of capacities. Jason Williams is a Security Researcher, Engineer, and CEO of Cromulence LLC and member of Legitimate Business Syndicate (organizers of DEF CON CTF 2012-2017). 15+ years experience in cybersecurity and vulnerability research. Further Info Hack-A-Sat 2: https://www.hackasat.com/ US Digital Service: https://www.usds.gov/Cromulence LLC: https://cromulence.com/MITRE Corp: https://www.mitre.org/HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880 Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Payment App Privacy Sucks

14 juni 2021 | 69 min

Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a "social" app. That's shorthand for "share as much info as possible, with as many people as possible". If you weren't already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I'll tell you how to change this and other Venmo privacy settings - and also which apps are better at privacy. Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the "stalker" privacy concerns with AirTags; apps are sidestepping Apple's new App Tracking Transparency (shocker); TikTok just changed its privacy policy to mention the collection of your biometric info, including "faceprints" and "voiceprints"; we found out how the hackers got into the Colonial Pipeline computers and (maybe) how the FBI managed to get back some of the ransom money; the FBI secretly ran an encrypted communication platform marketed to criminals called Anom; and a new facial recognition service allows you (or come creeper) to search the web for anyone's face for free. Article Links Amazon is about to share your Internet connection with neighbors. Here’s how to turn it off. https://www.washingtonpost.com/technology/2021/06/07/amazon-sidewalk-network/ Ring will require police & fire departments to make public requests for video footage https://appleinsider.com/articles/21/06/03/ring-will-require-police-fire-departments-to-make-public-requests-for-video-footage Apple announces AirTag privacy improvements, Android app coming this year https://9to5mac.com/2021/06/03/airtag-privacy-improvements-sound-android-app/ How to Check Your AirTags Firmware Version https://www.macrumors.com/how-to/check-airtags-firmware-version/ Apps Continuing to Track Users Despite Apple's Privacy Prompt https://www.macrumors.com/2021/06/07/apps-continuing-to-track-users/ WhatsApp is getting a crafty new way to verify your identity https://www.techradar.com/news/whatsapp-is-getting-a-crafty-new-way-to-verify-your-identity TikTok just gave itself permission to collect biometric data on U.S. users, including ‘faceprints and voiceprints’ https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/ Ransomware attackers used compromised password to access Colonial Pipeline network https://www.cnn.com/2021/06/04/politics/colonial-pipeline-ransomware-attack-password/index.html How could the FBI recover BTC from Colonial’s ransomware payment? https://nakedsecurity.sophos.com/2021/06/09/how-could-the-fbi-recover-btc-from-colonials-ransomware-payment/ The FBI's Anom Stunt Rattles the Encryption Debate https://www.wired.com/story/fbi-anom-phone-network-encryption-debate/ This facial recognition website can turn anyone into a cop - or a stalker https://news.yahoo.com/facial-recognition-website-turn-anyone-113646451.html VICTORY: You Can Now Make Your Venmo Friends List Private. Here’s How. https://www.eff.org/deeplinks/2021/06/victory-you-can-now-make-your-venmo-friends-list-private-heres-how Further Info HUGE sale on my book right now (55% off)! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880 Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/or privacy? http://bit.

Have I Been FLoCed? (Part 2)

7 juni 2021 | 50 min

Have I Been FLoCed? (Part 1)

31 maj 2021 | 48 min

How & When to Use a Passphrase

24 maj 2021 | 82 min

Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited edition challenge coins to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)! In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strength cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when give a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don't own); and Amazon is enabling its Sidewalk mesh network by default - and I'll tell you how to disable it. Further Info Get your own Firewalls Don’t Stop Dragons Challenge Coin! https://www.patreon.com/FirewallsDontStopDragons How and When to Use a Passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/ Generate a secure passphrase! https://d20key.com/ Check out my Malwarebytes interview! https://blog.malwarebytes.com/category/podcast/ Threat Technology’s list of 20 Best Security Podcasts: https://threat.technology/20-best-computer-security-podcasts-of-2021/ FAQ: DarkSide Ransomware Group and Colonial Pipeline https://www.eff.org/deeplinks/2021/05/faq-darkside-ransomware-group-and-colonial-pipeline DarkSide group that attacked Colonial Pipeline drops from sight online https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/ Biden signs executive order to strengthen US cybersecurity https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/ Irish cyber-attack: Hackers bail out Irish health service for free https://www.bbc.com/news/world-europe-57197688 Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware https://thehackernews.com/2021/05/microsoft-warns-of-data-stealing.html Americans Actually Want Privacy. Shocking. https://www.nytimes.com/2021/05/20/opinion/apple-facebook-ios-privacy.html Coalition Launches ‘Dark Patterns’ Tip Line to Expose Deceptive Technology Design https://www.eff.org/press/releases/coalition-launches-dark-patterns-tip-line-expose-deceptive-technology-design Veritone launches new platform to let celebrities and influencers clone their voice with AI https://www.theverge.com/2021/5/14/22432180/voice-clone-deepfake-celebrities-influencers-veritone-ai-platform Eufy camera owners report video mixups https://nakedsecurity.sophos.com/2021/05/17/those-arent-my-kids-eufy-camera-owners-report-video-mixups/ Here’s Anker’s apology after 712 Eufy customers had camera feeds exposed to strangers https://www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-detailsAmazon's Sidewalk Network Is Turned On by Default. Here's How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html

Protecting Intellectual Freedom (Part 2)

17 maj 2021 | 46 min

Protecting Intellectual Freedom (Part 1)

10 maj 2021 | 41 min

App Tracking Transparency

3 maj 2021 | 83 min

After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it. Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple's long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners. Further Info: A macOS major security bug has just been fixed - UPDATE NOW! https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock https://threatpost.com/mozilla-fixes-firefox-flaw/165501/Facebook Messenger users targeted by a large-scale scam https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/Codecov hackers breached hundreds of restricted customer sites https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/120 Compromised Ad Servers Target Millions of Internet Users https://thehackernews.com/2021/04/120-compromised-ad-servers-target.htmlThe Postal Service is running a 'covert operations program' that monitors Americans' social media posts https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.htmlFederal Agencies Are Secretly Buying Consumer Data https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-dataEmotet Malware Taken Down By Global Law Enforcement Effort https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/Are we safer with the FBI accessing our computers without consent? https://thenextweb.com/news/are-we-safer-with-the-fbi-accessing-our-computers-without-consent-syndicationThe sun is setting on A.I.’s Wild West https://fortune.com/2021/04/27/the-sun-is-setting-on-a-i-s-wild-west/Signal professionally trolls and screws Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/ AirTags are scarily good at tracking items and ... people. I know because I tried. https://mashable.com/review/apple-airtags-review/ Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed https://9to5mac.com/2021/04/30/airtag-stalking-protections/

Hunting for Stingrays (Part 2)

26 april 2021 | 56 min

While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the "good guys" as well as the "bad guys". In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we'll talk about why it's so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple black hat conferences about security issues ranging from IMSI Catchers to Malware attacks against journalists. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragonsElectronic Frontier Foundation (EFF): https://www.eff.org/ EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance Crocodile Hunter project: https://github.com/EFForg/crocodilehunterHow IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networksEFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchersWhy 5g won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchersDIGITS documentary: https://curiositystream.com/video/1720My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Hunting for Stingrays (Part 1)

19 april 2021 | 53 min

The single easiest way to track someone today is using their cell phone. We have them with us at all times and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a "Stingray") is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we'll talk with a man who has made it his mission to uncover the use of such devices. We'll talk about how they work, why they're so hard to detect, and the broader implications of their use by police and sheriff's departments with little to no oversight. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, "Hack this Zine." He has spoken at multiple black hat conferences about security issues ranging from IMSI Catchers to Malware attacks against journalists. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragonsElectronic Frontier Foundation (EFF): https://www.eff.org/ EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance Crocodile Hunter project: https://github.com/EFForg/crocodilehunterHow IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networksEFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchersWhy 5g won't help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchersSea Glass project: https://seaglass.cs.washington.edu/ Sitch project: https://sensor.readthedocs.io/en/latest/ My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Trust No One

12 april 2021 | 67 min

Lots of news to cover today... and to me the common thread seems to be a lack of proper security and privacy. So the theme today is "trust no one". And the idea there isn't really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the "bad guys" will find a way to bypass your main security barrier, so you need to have a second, and possible third barrier in place. Today I'll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the ACLU has been caught sharing their own user's data with (of all companies) Facebook. And finally, I review the fantastic new book, Privacy is Power by Carissa Véliz. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Privacy is Power book review: https://firewallsdontstopdragons.com/privacy-is-power-review/ Were you part of a data breach? https://haveibeenpwned.com/ Articles quoted today:Don’t Fall for the 'Vaccine Survey' Scam https://twocents.lifehacker.com/don-t-fall-for-the-vaccine-survey-scam-1846620925 Ransomware gang leaks data from Stanford, Maryland universities https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/ Ransom Gangs Emailing Victim Customers for Leverage https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/ Facebook Says Leak of 533 Million Users’ Data Wasn’t a Hack. https://www.wsj.com/articles/facebook-says-leak-of-533-million-users-data-wasnt-a-hack-does-it-matter-11617910106 , https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/ Another 500 million accounts have leaked online, and LinkedIn’s in the hot seat https://www.theverge.com/2021/4/8/22374464/linkedin-data-leak-500-million-accounts-scraped-microsoft 70,000 SSNs, 600,000 Credit Card Records Leaked After Stolen-Data Hub Gets Hacked https://gizmodo.com/70-000-ssns-600-000-credit-card-records-leaked-after-s-1846638234 LexisNexis to Provide Giant Database of Personal Information to ICE https://theintercept.com/2021/04/02/ice-database-surveillance-lexisnexis/ Clearview AI used by police https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition ACLU, a defender of digital privacy, reveals that it shares user data with Facebook https://fortune.com/2021/04/02/aclu-shares-data-facebook-third-parties-digital-privacy/

Social Media is Ruining Society

5 april 2021 | 57 min

Stop Using SMS for 2FA

29 mars 2021 | 76 min

Passwords suck and humans aren't good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for implementing the PIN code system: SMS or text messaging. SMS is very old, but also very widely used and supported. It's never been terribly secure, but recently some clever security researchers have discovered a simple and cheap way to steal your text messages. Like, for $16. I'll explain this hack and tell you how and why you should switch to the much more secure Time-based one-time-password (TOTP) system for 2FA. In other news: I'll update you on the massive Microsoft Exchange hack; I'll cover a couple stories about Apple bowing to pressure from foreign powers; thousands of surveillance cameras hacked in major corporations, schools, hospitals and even jails; a clever technique to identify deepfake videos; two welcome new privacy features in Firefox; Amazon's take-it-or-leave-it driver surveillance demands; opting out of T-Mobile's new data grab; and Texas making hundreds of millions of dollars off their citizens' data. Further Info Amazing Tom Cruise deep fake videos: https://www.tiktok.com/@deeptomcruise Stop using SMS for 2FA: https://firewallsdontstopdragons.com/stop-using-text-messages-for-2fa/ First interview with PGP’s Phil Zimmermann: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/ Microsoft: 92% of Exchange servers safe from ProxyLogon attacks https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/ Apple Provides Timeline for ProtonVPN App Update, Suggesting App Store Rejection Was Unrelated to Current Events in Myanmar https://www.macrumors.com/2021/03/25/apple-responds-protonvpn-app-update-rejection/ Apple Bent the Rules for Russia—and Other Countries Will Take Note https://www.wired.com/story/apple-russia-iphone-apps-law/ Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=iKB6XOvfScientists developed a clever way to detect Deepfakes by analyzing light reflections in the eyes https://thenextweb.com/neural/2021/03/11/ai-detects-deepfakes-analyzing-light-reflections-in-the-cornea-eyes-gans-thispersondoesnotexist/ Firefox 87 introduces new SmartBlock tracker blocking mechanism https://appleinsider.com/articles/21/03/24/firefox-87-launches-introduces-new-smartblock-tracker-blocking-mechanism Mozilla Firefox tweaks Referrer Policy to shore up user privacy https://www.zdnet.com/article/mozilla-firefox-tweaks-referrer-policy-to-shore-up-user-privacy/ Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job It’s mind-blowing how many millions of dollars Texas makes each year selling your personal data https://www.dallasnews.com/news/watchdog/2021/03/19/its-mind-blowing-how-many-millions-of-dollars-texas-makes-each-year-selling-your-personal-data/ U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts https://www.macrumors.com/2021/03/25/sms-routing-vulnerability-fix/

Computers Interviewing Humans (Part 2)

22 mars 2021 | 38 min

Computers Interviewing Humans (Part 1)

15 mars 2021 | 38 min

Last Straw for LastPass

8 mars 2021 | 99 min

Ep210. I've recommended LastPass for years - since I wrote my book and every day since. Until now. There are several good (secure and private) password managers out there. But LastPass was the full package: a free tier that had all the functionality most people need and for-pay tiers that had very useful extras. But now they're hobbling the free version by only allowing you to use it on one type of device: either a mobile device or a computer, but not both. To me, that makes the free tier useless. LastPass's Android app was also found to contain seven different trackers. That was the last straw for me. In today's episode, I'll tell you my new recommendations and give you an important tip on making the switch. In other news: a new law in Australia aims to force Google and Facebook to pay for news links; SolarWinds is blaming an intern for using a horrible password; SMS tax scams are picking up; Alexa Skills have serious privacy and security issues; adtech companies are scrambling to avoid telling you that you're being tracked on iOS; cops use copyright filters to prevent being recorded; a new company is creating a nationwide surveillance system; pharmacies are capitalizing on the COVID vaccine to get your data for marketing; Firefox 86 has a killer new system to prevent third party cookie tracking; however, adtech is exploiting a loophole in DNS to turn third party cookies into first party cookies. Further Info: Switching to Bitwarden: https://firewallsdontstopdragons.com/?p=2447Chat with me on Discord and get exclusive content! https://www.patreon.com/FirewallsDontStopDragons SMS tax scam unmasked: Bogus but believable – don’t fall for it! https://nakedsecurity.sophos.com/2021/02/12/sms-tax-scam-unmasked-bogus-but-believable-dont-fall-for-it/Alexa Skills: Security gaps and data protection problems https://www.helpnetsecurity.com/2021/03/02/alexa-skills-security/Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups https://appleinsider.com/articles/21/03/06/microsoft-exchange-server-hack-affects-over-30000-us-organizationsPost-IDFA Alliance will address concerns of mobile app and game marketers https://venturebeat.com/2021/02/17/post-idfa-alliance-will-address-concerns-of-mobile-app-and-game-marketers/Judge approves $650m settlement of privacy lawsuit against Facebook https://www.theguardian.com/technology/2021/feb/27/facebook-illinois-privacy-lawsuit-settlementCops Using Music to Try to Stop Being Filmed Is Just the Tip of the Iceberg https://www.eff.org/deeplinks/2021/02/cops-using-music-try-stop-being-filmed-just-tip-icebergInside ‘TALON,’ the Nationwide Network of AI-Enabled Surveillance Cameras https://www.vice.com/en/article/bvx4bq/talon-flock-safety-cameras-police-license-plate-readerYou got a vaccine. Walgreens got your data. (Recode) https://www.vox.com/recode/22310281/covid-vaccine-walgreens-cvs-rite-aid-walmart-dataFirefox's Total Cookie Protection aims to stop tracking between multiple sites https://www.engadget.com/firefox-total-cookie-protection-stop-tracking-websites-140044979.htmlOnline Trackers Increasingly Switching to Invasive CNAME Cloaking Technique https://thehackernews.com/2021/02/online-trackers-increasingly-switching.htmlChanges to LastPass Free https://blog.lastpass.com/2021/02/changes-to-lastpass-free/Security researcher raises questions about trackers in LastPass Android app https://appleinsider.com/articles/21/02/26/security-raises-questions-about-trackers-in-lastpass-android-app

Tech Learning Collective (Part 2)

1 mars 2021 | 50 min

Tech Learning Collective (Part 1)

22 februari 2021 | 38 min

Not Just a Face in the Crowd

15 februari 2021 | 60 min

Free Speech & Deplatforming

8 februari 2021 | 64 min

Stop Watching Me!

1 februari 2021 | 60 min

De-Googling Your Life

25 januari 2021 | 57 min

Choosing a Private Email Service (Part 2)

18 januari 2021 | 36 min

Choosing a Private Email Service (Part 1)

11 januari 2021 | 38 min

The Great SolarWinds Hack

4 januari 2021 | 60 min

200th Podcast & New Year’s 2021!

28 december 2020 | 80 min

Best of 2020!

21 december 2020 | 69 min

Setting the Digital Standard (Part 2)

14 december 2020 | 59 min

Setting the Digital Standard (Part 1)

7 december 2020 | 45 min

Best & Worst Gifts Guide 2020

30 november 2020 | 90 min

Dark Patterns (Part 2)

23 november 2020 | 55 min

So, what can we do about these dark patterns? Are there technical solutions to this problem? Or will this require regulations? Or perhaps we just need to train our engineers and consumers better? In part 2 of my interview with Dr. Colin Gray of Purdue University, we talk about some possible solutions to the dark patterns problem, as well as tips and tricks for avoiding them. Colin also shares several interesting resources for further study. Colin M. Gray is an Assistant Professor at Purdue University in the Department of Computer Graphics Technology. He is program lead for an undergraduate major and graduate concentration in UX Design. He holds a PhD in Instructional Systems Technology from Indiana University Bloomington, a MEd in Educational Technology from University of South Carolina, and a MA in Graphic Design from Savannah College of Art & Design. He has worked as an art director, contract designer, and trainer, and his involvement in design work informs his research on design activity and how design capability is learned. His research focuses on the ways in which the pedagogy and practice of designers informs the development of design ability, particularly in relation to ethics, design knowledge, and professional identity formation. Further Info: Colin’s home page: https://colingray.me Dark Patterns: https://darkpatterns.uxp2.com Dark Patterns (Brignull): https://darkpatterns.org/ Give Thanks: https://firewallsdontstopdragons.com/give-thanks-donate/ Rachel Maddow’s plea: https://www.nbcnews.com/feature/nbc-out/rachel-maddow-says-her-partner-has-covid-19-one-point-n1248375COVID-19 risk assessment tool: https://covid19risk.biosci.gatech.edu/ Facebook’s Social Contagion experiment: https://www.forbes.com/sites/kashmirhill/2014/06/30/facebook-only-got-permission-to-do-research-on-users-after-emotion-manipulation-study/Evil By Design: https://www.amazon.com/Evil-Design-Interaction-Lead-Temptation/dp/1118422147 Design Justice: https://design-justice.pubpub.org/ Data Feminism: https://data-feminism.mitpress.mit.edu/ Michael Sandel’s Justice course: http://justiceharvard.org/justicecourse/

Dark Patterns (Part 1)

16 november 2020 | 52 min

Zoom: Now with Actual Privacy

9 november 2020 | 45 min

The Ebb & Flow of the Internet

2 november 2020 | 52 min

Big Proctor is Watching You (part 2)

26 oktober 2020 | 67 min

Big Proctor is Watching You (part 1)

19 oktober 2020 | 47 min

National Cybersecurity Awareness Month

12 oktober 2020 | 55 min

Apple’s Epic Battle Royale (Part 2)

5 oktober 2020 | 39 min

Apple’s Epic Battle Royale (Part 1)

28 september 2020 | 44 min

Take Out the (Windows) Trash

21 september 2020 | 52 min

It’s a Trap!

14 september 2020 | 53 min

Firefox Privacy (Part 2)

7 september 2020 | 39 min

Firefox Privacy (Part 1)

31 augusti 2020 | 36 min

Apple’s Epic Battle

24 augusti 2020 | 60 min

This is Why We Can’t Have Nice Things (part 2)

17 augusti 2020 | 39 min

This is Why We Can’t Have Nice Things (part 1)

10 augusti 2020 | 41 min

The Pros & Cons of Antivirus Software

3 augusti 2020 | 43 min

The Great Twitter Hack

27 juli 2020 | 54 min

Your Money or Your Data (part 2)

20 juli 2020 | 32 min

Your Money or Your Data (part 1)

13 juli 2020 | 34 min

TikTok Boom

6 juli 2020 | 54 min

COVID19 Privacy: Pro Tips (part 2)

29 juni 2020 | 44 min

COVID19 Security: Pro Tips (part 1)

22 juni 2020 | 42 min

From Mailbox to Ballot Box

15 juni 2020 | 45 min

Fiber For Our Future (part 2)

8 juni 2020 | 34 min

Fiber For Our Future (part 1)

1 juni 2020 | 33 min

Apple vs FBI, Part 2

25 maj 2020 | 38 min

Beware the Evil Maid

18 maj 2020 | 46 min

COVID19 Security & Privacy Tips (Part 2)

11 maj 2020 | 37 min

COVID19 Security & Privacy Tips (Part 1)

4 maj 2020 | 33 min

Have You Been Pwned?

27 april 2020 | 54 min

Phish Spotting 101

20 april 2020 | 43 min

Contact Tracing, Privately

13 april 2020 | 47 min

Secure & Private Social Distancing

6 april 2020 | 35 min

Privacy by Design

30 mars 2020 | 47 min

Beware COVID-19 Scams

23 mars 2020 | 54 min

The CCPA and You (Part 2)

16 mars 2020 | 29 min

The CCPA and You (Part 1)

9 mars 2020 | 35 min

Hacked: A Clearer View of Clearview

2 mars 2020 | 48 min

Adversarial Interoperability (Part 2)

24 februari 2020 | 30 min

Adversarial Interoperability (Part 1)

17 februari 2020 | 48 min

Tax Time Brings Tax Scams

10 februari 2020 | 51 min

Just Say No (to Sharing)

3 februari 2020 | 43 min

Data Privacy Day 2020

27 januari 2020 | 50 min

Clearview Knows Who You Are

20 januari 2020 | 32 min

Why “Free File” Isn’t Free

13 januari 2020 | 53 min

Time to Upgrade Windows

6 januari 2020 | 47 min

2020 New Year’s Resolutions

30 december 2019 | 55 min

Behind the One-Way Mirror (part 2)

23 december 2019 | 61 min

Behind the One-Way Mirror (part 1)

16 december 2019 | 67 min

Snail Mail Identity Theft

9 december 2019 | 39 min

Best & Worst Gifts for 2019

2 december 2019 | 60 min

Data vs. Democracy (Part 2)

25 november 2019 | 43 min

Data vs. Democracy (Part 1)

18 november 2019 | 33 min

The Rise of Browser Fingerprinting

11 november 2019 | 39 min

Preventing & Mitigating Identity Theft

4 november 2019 | 51 min

Dropping Dropbox

28 oktober 2019 | 52 min

Risky Business (Part 2)

21 oktober 2019 | 32 min

Risky Business (Part 1)

14 oktober 2019 | 35 min

Don’t Forget to Wipe Your Data

7 oktober 2019 | 55 min

Not Just a Face in the Crowd (Part 2)

30 september 2019 | 41 min

Not Just a Face in the Crowd (Part 1)

23 september 2019 | 38 min

Google’s Not-So-Private Sandbox

16 september 2019 | 40 min

Ring’s Orwellian Doorbell

9 september 2019 | 51 min

Choosing a VPN Provider

2 september 2019 | 50 min

The Great Cellular Sellout (Part 2)

26 augusti 2019 | 40 min

The Great Cellular Sellout (Part 1)

19 augusti 2019 | 38 min

The Tyranny of the Default

12 augusti 2019 | 45 min

The Great Hack

5 augusti 2019 | 37 min

Get Your Equifax Settlement

29 juli 2019 | 46 min

Privacy in a Box (Part 2)

22 juli 2019 | 37 min

Privacy in a Box (Part 1)

15 juli 2019 | 36 min

Big Brother 2.0

8 juli 2019 | 48 min

Set Warp Factor 1.1.1.1

1 juli 2019 | 43 min

The Internet of Junk

24 juni 2019 | 37 min

The Rise of Stalkerware

17 juni 2019 | 38 min

A Tale of Two Browsers: Chrome vs Firefox

10 juni 2019 | 49 min

Polling on Privacy (Pt2)

3 juni 2019 | 37 min

Polling on Privacy (Pt1)

27 maj 2019 | 36 min

Google Knows What You Buy

20 maj 2019 | 30 min

Time to Break Up Facebook

13 maj 2019 | 21 min

Health Apps Behaving Badly

6 maj 2019 | 35 min

Further Facebook Fiascos

29 april 2019 | 37 min

Swiped: Identity Theft (Pt 2)

22 april 2019 | 36 min

Swiped: Identity Theft (pt 1)

15 april 2019 | 45 min

Spotting Scare Scams

8 april 2019 | 39 min

Fix It Already!

1 april 2019 | 49 min

Preparing for Your Digital Afterlife

25 mars 2019 | 40 min

Enter the Panopticon (Part 2)

18 mars 2019 | 48 min

Enter the Panopticon (Part 1)

11 mars 2019 | 50 min

Account Defense in Depth

4 mars 2019 | 37 min

Guiding the Development of AI

25 februari 2019 | 78 min

Artificial Intelligence (AI) has been around for decades, but has only recently begun to fulfill the promise of truly replicating human-like decision making. The Information Age has generated enormous quantities of data and modern technology has given us unprecedented power to ingest and analyze this data. AI systems today control airplanes, financial and insurance systems, and even criminal sentencing recommendations. We can use AI to conduct law enforcement and intelligence gather operations. AI has even generated audio, video and photos that are completely fake but nearly impossible for a human to detect. Our guest today, Lorraine Kisselburgh, is working with international organization to define common-sense guidelines for the creation and use of these AI systems, to maximize potential and minimize abuse. Lorraine Kisselburgh (Ph.D., Purdue University) is a Scholar with the Electronic Privacy Information Center in Washington, D.C., a former professor of media, technology, and society, and a visiting lecturer in the Center for Entrepreneurship at Purdue University. She studies the social implications of emerging technologies, including privacy and ethics in emerging technology contexts. Her research has been awarded funding from the National Science Foundation and the Department of Homeland Security, and recognized by the National Academy of Engineering. She currently serves on the executive committee of Association of Computing Machinery’s (ACM) US Technology Policy Committee (USTPC) and was a member of the ACM Task Force on Code of Ethics. Email: [email protected]: www.lkisselburgh.netTwitter: @lkisselburgh, @EPICPrivacyFacebook: EPICPrivacy Further Information: Universal Guidelines for AI: https://thepublicvoice.org/AI-universal-guidelines/Electronic Privacy Informantion Center (EPIC): https://www.epic.org/"Deep Fake" Obama PSA: https://www.youtube.com/watch?v=cQ54GDm1eL0 Lyrebird fake Trump and Obama voices: https://soundcloud.com/user-535691776/dialogOpenAI fake news articles: https://arstechnica.com/information-technology/2019/02/researchers-scared-by-their-own-work-hold-back-deepfakes-for-text-ai/AI Now Institute: https://ainowinstitute.org/Berkman Klein Center for Internet and Society: https://cyber.harvard.edu/Data & Society Intelligence and Autonomy Initiative: https://autonomy.datasociety.net/WEF’s AI and Machine Learning: https://www.weforum.org/communities/artificial-intelligence-and-machine-learning

Toying With Security

18 februari 2019 | 31 min

You Must Stop Reusing Passwords

11 februari 2019 | 56 min

You Have Been Pwned

4 februari 2019 | 38 min

Data Privacy Day Pod-Centennial!

28 januari 2019 | 78 min

Delete My DNA, Please

21 januari 2019 | 31 min

Ghost on the Wire

14 januari 2019 | 76 min

Google is Watching You

7 januari 2019 | 28 min

2019 Security & Privacy New Years Resolutions

31 december 2018 | 59 min

Replacing Your Plastic Driver’s License

24 december 2018 | 62 min

Ads Are Tracking You in the Real World, Too

17 december 2018 | 68 min

Marriott’s Massive Data Breach

10 december 2018 | 35 min

Lock Down Your Privacy on Your Mobile Devices

26 november 2018 | min

The Best & Worst Gifts for 2018

19 november 2018 | min

Phone Scammers Are Spoofing Your Caller ID

12 november 2018 | min

Why You Should Care About the Future of Computing

5 november 2018 | min

Marketers Are Tracking You On and Off the Web

29 oktober 2018 | min

The Fight for Net Neutrality is Far from Over

22 oktober 2018 | min

Did China Implant Spy Chips in Our Computers?

15 oktober 2018 | min

How to Protect Yourself From Ransomware

8 oktober 2018 | min

Big Companies Behaving Badly: The Facebook Breach Explained

1 oktober 2018 | min

Now Is the Time to Freeze Your Credit

24 september 2018 | min

Prying Yourself From Google’s Clutches

17 september 2018 | min

Did you know that Google owns Android, Waze, YouTube, Pixel phones and Chromebooks? Did you know that almost 90% of Google’s revenue comes from advertising? There’s hardly any part of your online life that isn’t somehow tracked by Google. By using Google’s email, calendar, docs, search, browser, cloud storage and even phones, we are allowing Google to know just about everything about us. But there are viable alternatives that will respect your privacy. Daniel Davis from DuckDuckGo (a search privacy-first search company) will help us understand how and why Google tracks us, and then provide practical replacements for Google’s most popular services and products. Daniel Davis is a Community Manager at DuckDuckGo, the Internet privacy company helping you take control of your personal information online. DuckDuckGo has its roots as the search engine that doesn't track you, and has expanded to protect you no matter where the Internet takes you. For Further Insight: Website: https://duckduckgo.com Twitter: https://twitter.com/duckduckgo LinkedIn: https://www.linkedin.com/company/duck-duck-go Facebook: https://www.facebook.com/duckduckgo/ How to Live Without Google: https://spreadprivacy.com/how-to-remove-google/ Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons TRANSCRIPT OF FULL INTERVIEW Carey Parker: Hi everybody, welcome back to Firewalls Don't Stop Dragons. I got another great interview show for you today. I know I've had three interviews in a row. It's not normal. Usually I try to go back and forth, but it just hasn't worked out that way lately. I've got some great people available for the reason I just couldn't pass it up. Carey Parker: Today we're gonna be talking with Daniel Davis from DuckDuckGo and DuckDuckGo, if you recall, is the privacy centered search engine that's an alternative to Google search engine and that is what we're going to be talking about today. So we hear all the new stories about Facebook and Cambridge Analytica and all the things that have been exposed and all the things that Facebook knows about you. And what we really need to realize is that all of that just pales in comparison to what Google knows about most of us. Google is all up in everything that we do, and I think you'll actually be surprised to learn that all the different ways that Google is in our lives. Carey Parker: And so as all these scandals around privacy been coming around, I finally just decided personally that I've got to extract myself from Google, and they have some great products. These free products that they've had that I have used for many, many, many years are honestly great functionally, they're wonderful. And because like Facebook because everybody uses them, it's just so easy to share calendars, to share documents to ... email of course is not quite the same because at least emails are standard that many different services support, so you don't have to both be on Gmail in order to send email, which thank God. But, anyway, there are just so many things that Google's part of lives and we're going to cover that in the interview, So I'm not going to give too much away now. Carey Parker: But the point of this interview, what I tasked Daniel with and they've got an article at DuckDuckGo about how to get rid of Google, how to live your life without Google products. And it goes through all the top Google products and gives you a really viable alternative. But to me that wasn't good enough. What I wanted to know was, okay, if I'm deeply embedded in Google and I've got all this data and all my friends know my Gmail address and I'm sharing Google calendars with people, it's not just enough to know here's an alternative, but how do I actually switch from one to the other? And so we're going to talk about that today with Daniel Davis and let's jump right in. Carey Parker: He's got some really great info and we'll start off talking a little bit about what the real backgro...

🎧 The Tale of Ma Bell and Big Brother

10 september 2018 | min

🎧 It’s Time to Fix Our Election Systems (Again)

3 september 2018 | min

🎧 Facebook’s Virtual Private Network is Not Private

27 augusti 2018 | min

🎧 Hacking Your Network Using 1970s Technology

20 augusti 2018 | min

How a Wall of Lava Lamps is Helping Secure the Internet

13 augusti 2018 | min

🎧 Anti-Sex Trafficking Law Does More Harm Than Good

6 augusti 2018 | min

🎧 When Plugins Go Rogue

30 juli 2018 | min

🎧 Your Public Data May Raise Your Insurance Rates

23 juli 2018 | min

🎧 Supreme Court Scores One for Location Privacy

16 juli 2018 | min

Where were you on the night of June 22nd? Your cellular provider knows. And until that date just a few weeks ago, if law enforcement wanted that info, all they had to do was ask. But we’re not just talking about one night… they know every place you’ve been, throughout the day, every day, going back months or even years. Thankfully, the Supreme Court ruled that law enforcement must now get a warrant to obtain this highly sensitive information and show probable cause. In our interview today, I have a truly thought-provoking discussion around the landmark Carpenter vs United States ruling with Shahid Buttar, a lawyer and grassroots organizer for the Electronic Frontier Foundation (EFF). We delve into the history behind cell phone data access in the United States and why a basic right to privacy is fundamental to any democracy. Shahid Buttar leads EFF's grassroots and student outreach efforts. He's a constitutional lawyer focused on the intersection of community organizing and policy reform as a lever to shift legal norms, with roots in communities across the country resisting mass surveillance. From 2009 to 2015, he led the Bill of Rights Defense Committee as Executive Director. After graduating from Stanford Law School in 2003, where he grew immersed in the movement to stop the war in Iraq, Shahid worked for a decade in Washington, D.C. He first worked in private practice for a California-based law firm, with public interest litigation projects advancing campaign finance reform and marriage equality for same-sex couples (as early as 2004, when LGBT rights remained politically marginal). From 2005 to 2008, he helped build a national progressive legal network and managed the communications team at the American Constitution Society for Law & Policy, before founding the program to combat racial & religious profiling at Muslim Advocates. For Further Insight: Website: https://eff.org/efa Twitter URL: https://twitter.com/Sheeyahshee / https://twitter.com/EFF Facebook URL: https://www.facebook.com/EFF Become part of the Electronic Frontier Alliance: [email protected] Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons

🎧 Crypto 101, What is Encryption, Anyway…

9 juli 2018 | min

One Simple Step to a Faster and More Private Internet

2 juli 2018 | min

🎧 Supreme Court Ruling Protects Your Location Privacy

25 juni 2018 | min

🎧 Your Android Device’s Backdoor May Be Wide Open

18 juni 2018 | min

🎧 Carpe Datum: Opting Out of Data Collection

11 juni 2018 | min

🎧 How NOT to Hide Your Digital Footprints

4 juni 2018 | min

Know Before You Go: Cyber Summer Tips

28 maj 2018 | min

Summer is upon us and for many of us that means travel - but before you even pack your bags, you need to listen to this podcast! In my interview with Michael Kaiser (the Executive Director of the National Cyber Security Alliance), we discuss all the cyber security and privacy issues you need to consider: before you go and while you’re traveling. Going abroad this summer? There are even more things you need to consider well before you leave! I also tell you why everyone needs to reboot their WiFi routers - by request of the FBI, no less! A Russian-made piece of malware called VPNFilter has infected half a million routers world-wise, and the remedy in most cases is simply to power-cycle or reboot your router. It’s easy to do and we should also take a few minutes to do it. Michael Kaiser joined the National Cyber Security Alliance (NCSA) in 2008. As NCSA’s executive director, Mr. Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (NCSAM) each October, Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries. Mr. Kaiser has served on several nonprofit boards. He is currently the chair and a founding board member of SPINUSA, a national nonprofit based in Massachusetts, and has served on the Board of Trustees of the College of the Atlantic in Bar Harbor, Maine, and New Destiny Housing Corporation in New York City. For Further Insight: Web site: staysafeonline.org Follow on Twitter: https://twitter.com/MKaiserNCSA Facebook: https://www.facebook.com/staysafeonline/ LinkedIn: https://www.linkedin.com/in/michael-kaiser-3579752b NCSA’s Cyber Trip Advisor: https://www.stopthinkconnect.org/resources/preview/tip-sheet-ncsas-cyber-trip-advisor Reboot your router and set your admin password: https://firewallsdontstopdragons.com/the-s-in-iot-is-for-security/

🎧 GDPR: Here I Come, Ready or Not

21 maj 2018 | min

🎧 Why You Need to Ditch WhatsApp

14 maj 2018 | min

We Now Live in the Golden Age of Surveillance

8 maj 2018 | min

🎧 Defending Your Home From Rogue IoT Devices

30 april 2018 | min

🎧 Who Was at the Scene of the Crime? Google Knows!

23 april 2018 | min

🎧 Don’t Tread on My Internet: Saving Net Neutrality

16 april 2018 | min

🎧 Best Buy Geek Squad or Spy Squad?

9 april 2018 | min

🎧 I’m Deleting Facebook. You Should, Too.

2 april 2018 | min

🎧 Your Privacy is Now Under a Dark CLOUD

26 mars 2018 | min

🎧 You Should Know What Facebook Knows

19 mars 2018 | min

🎧 Protecting the 2018 and 2020 Elections

12 mars 2018 | min

🎧 Facebook’s Two-Faced Privacy

6 mars 2018 | min

Security Tips from a Professional Hacker

26 februari 2018 | min

🎧 Authorized Personnel Only: Saving You from Yourself

19 februari 2018 | min

🎧 Beware Geeks Bearing Gifts

12 februari 2018 | min

🎧 Mobile Privacy: A Modern Oxymoron

9 februari 2018 | min

🎧 File Your Taxes Before the Bad Guys Do!

5 februari 2018 | min

🎧 Data Privacy Day: Take Control of Your Data

29 januari 2018 | min

🎧 Is This a Bitcoin Boom or a Bubble?

26 januari 2018 | min

🎧 Doing the Cybersecurity Two-Step

22 januari 2018 | min

🎧 Dumpster Diving Trashes the Fourth Amendment

15 januari 2018 | min

🎧 Old Spectre Causes Computer Meltdown

8 januari 2018 | min

🎧 Upholding the Bill of Rights in Cyberspace

5 januari 2018 | min

🎧 Make Your New Years (Cyber) Resolutions!

1 januari 2018 | min

🎧 Curl Up With a Good (Security) Book for the Holidays!

25 december 2017 | min

🎧 The Fight for Net Neutrality Isn’t Over

18 december 2017 | min

🎧 Project Galileo: Ensuring the Silent Voices Are Heard

15 december 2017 | min

🎧 The Best & Worst Cyber-Gifts of 2017

11 december 2017 | min

🎧 A Nasty Worm in Your Apple Product (and How to Fix It)

4 december 2017 | min

It’s Time for Everyone to use Secure Email

30 november 2017 | min

🎧 Choosing the Safest Web Browser

16 november 2017 | min

🎧 It’s Time to End Dragnet Mass Surveillance

9 november 2017 | min

The law that enables the warrantless collection and searching of the communications of US citizens is set to expire at the end of 2017. In today’s show, David Ruiz and I discuss several bills in Congress that attempt to curb the rampant abuses of this legislation (Section 702 of the FISA law). These long-overdue reforms go a long way towards restoring the principles of the Fourth Amendment and reclaiming basic civil liberties that we let slip away in fear after 9/11. In the news this week, I’ll update you on the Reaper botnet and tell you about an effort to safeguard our elections systems before the next major election. I’ll also help you double-check your smartphone app permissions, making sure they don’t have any more access than they need to things like your camera, microphone, location, and contacts. David Ruiz is a writer covering NSA surveillance and federal surveillance policy for Electronic Frontier Foundation, a digital rights non-profit. As 2017 closes, he is deeply involved in covering the multiple bills before Congress that seek to reform or reauthorize Section 702 of the FISA Amendments Act, a law that is currently one of the U.S. government's most powerful surveillance tools. Previously, David worked as a journalist covering legal affairs for some of Silicon Valley's largest companies, including Google, Facebook, Twitter and Uber. He has also had his work featured in KQED, The East Bay Express, SFGate.com, The Sacramento Bee and KZSU Stanford 90.1 FM. Beyond writing, David also hosts a personal podcast called Death Knell, which explores the grieving process after death. For Further Insight: Website: www.davidalruiz.com Follow on Twitter: https://twitter.com/davidalruiz Additional Resources: Surveillance watchdog, Open Technology Institute: https://www.newamerica.org/oti/ End the Backdoor! https://www.endthebackdoor.com/ Lock Down Your LAN (IoT security): http://firewallsdontstopdragons.com/locking-internet-things-iot/ Protect yourself from nosy apps: http://firewallsdontstopdragons.com/smartphone-privacy-reining-nosy-apps/

🎧 Beware the Reaper – Lock Down Your LAN

2 november 2017 | min

🎧 Using Ad Blockers to Tame Those Annoying Web Ads

26 oktober 2017 | min

Do We Own Any Media We Buy Anymore?

19 oktober 2017 | min

The Mouse That Scored, How Copyright Went Wrong

12 oktober 2017 | min

🎧 Goodbye Privacy, Hello Panopticon

5 oktober 2017 | min

🎧 Rise of the Machines: Should We Fear Artificial Intelligence?

21 september 2017 | min

🎧 Equifax Breach, Here’s What You Need to Do

15 september 2017 | min

Firewalls Don’t Stop Dragons Podcast

Every week, this podcast brings you the cybersecurity and privacy news you need, in a manner that's easy for anyone to understand and even entertaining! The host also interviews top industry leaders, ...

Om podden

Avsnitt

Riding the Data Gravy Train

Interview Notes

Further Info

Table of Contents

Travel Insecurity

Article Links

Further Info

Table of Contents

Life on the Blue Team

Interview Notes

Further Info

Table of Contents

Differential Privacy

Article Links

Further Info

Table of Contents

Microscoping Our Apps

Interview Notes

Further Info

Table of Contents

It’s Tax (Scam) Time Again

Article Links

Further Info

Table of Contents

All Things Secured

Interview Notes

Further Info

Table of Contents

Slay Browser Ads Forever

Article Links

Further Info

Table of Contents

Back to The L0pht

Interview Notes

Further Info

Table of Contents

Onion Routing

Article Links

Further Info

Table of Contents

Security Planner

Crypto Wars 2.0

Controlling Your Digital ID

Treat Plugins Like Apps

Reclaiming Data Privacy

New Year’s Resolutions 2025!

ALPRs Are Everywhere

Best of Bonus 2024!

Replay: Golden Age of Surveillance

Best of 2024!

Deleting Your Data

Letters from the Mailbag

Privacy is Power

Best & Worst Gifts for 2024

Cutting the Software Tether

Curbing Location Tracking

Episode 400 Special

Understanding AI Chatbots

L0pht Heavy Industries

Indicators of Account Compromise

TunnelVision, VPNs and You

Malware Reboot Remedy

Post-Quantum Crypto

The Truth is Out There

Crazy Proton Summer

National Public Data Breach

Dating App Privacy

Hacker Summer Camp 2024

Catch You on the BSide

CrowdStrike Lessons Learned

Open Source Intelligence

How & Why to Block Ads

Promising Privacy Tech

Backing Up Other Data

Means of Control

Backup Your Cloud Data