
Firewalls Don't Stop Dragons Podcast
Promising Privacy Tech
We’re generating a ridiculous amount of data every day. Much of it is highly personal, and that’s dangerous. But there are actually several Privacy Enhancing Technologies (PETs) that may allow us to use this personal data to improve our collective quality of life without ruining the privacy of the data subjects. I’ll be discussing these PETs with Irene Knapp, who spent five years working in the privacy department at Google. I will also spend a good bit of time asking them what it’s like working at Google and get some insights into the company’s approach to privacy from the inside. (Spoiler: it’s not good.)

Interview Notes
- Internet Safety Labs: https://internetsafetylabs.org/about-us/
- Irene’s Google departure post: https://medium.com/@Irenes/on-the-occasion-of-leaving-google-b8c7029c8d8b
- Coworker.org: https://coworker.org
- Google loses privacy chief: https://www.techspot.com/news/103268-google-privacy-chief-head-competition-law-leaving-not.html

Further Info
- BOOK SURGE!! https://fdsd.me/booksurge
- Send me your questions! https://fdsd.me/qna
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:40: Interview setup
0:03:56: What is Internet Safety Labs and what do you do there?
0:05:45: Why do we not have liability in the software industry?
0:07:02: How did you come to work for Google and what was your experience like there?
0:07:58: What caused you to eventually leave?
0:10:26: How did privacy policy evolve while you were at Google?
0:12:36: What was happening in Google that impeded your efforts?
0:19:19: How does Google compare to other companies like Facebook?
0:20:56: What’s your take on Google’s new Privacy Sandbox technology?
0:27:24: Can we do some good with all the data we’re collecting?
0:33:51: From where do we derive a legal right to privacy?
0:35:10: How does differential privacy work?
0:38:49: Where might we use differential privacy?
0:41:59: What is homomorphic encryption and how does it work?
0:44:47: Are there any other promising PETs?
0:46:49: How do zero knowledge proofs work?
0:49:20: Which of the PETs seem most promising right now?
0:51:20: Do we need privacy regulations to save us here?
0:56:19: What’s next for you?
0:58:31: Interview wrap-up
1:00:52: BOOK SURGE!!
Backing Up Other Data
We’ve talked about how to back up your local device data and how to back up data that is primarily stored in the cloud. But there’s a lot of important, irreplaceable data we take for granted: data owned by others. This might be shared online photo albums, cloud document collaborations, eBooks and other digital media, and even websites you frequently rely on. Today we’ll talk about how you can make local copies of these files in case they should ever go offline.

In other news: European politicians’ personal details exposed online; Proton transitions to a non-profit corporate structure; lawsuit claims Microsoft tracked sex toy purchases; online ID verification service exposed driver’s licenses; new Mac info-stealer served up by Google Ads; law enforcement is spying on Americans’ mail; new ALPR vulnerabilities prove it’s a public safety threat; UK hospital hack leaks 300M patient records; US bans Kaspersky software; Sonos removes promise not to sell its users’ data; Mozilla buys a ‘privacy-centric’ ad firm.

Article Links
- [proton.me] Cyber house of cards – Politicians’ personal details exposed online https://proton.me/blog/politicians-exposed-dark-web
- [proton.me] Proton is transitioning towards a non-profit structure https://proton.me/blog/proton-non-profit-foundation
- [404media.co] Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With ‘Recording in Real Time’ Software https://www.404media.co/lawsuit-claims-microsoft-tracked-sex-toy-shoppers-with-recording-in-real-time-software/
- [404media.co] ID Verification Service for TikTok, Uber, X Exposed Driver Licenses https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/
- [Ars Technica] Mac users served info-stealer malware through Google ads https://arstechnica.com/security/2024/06/mac-info-stealer-malware-distributed-through-google-ads/
- [The Washington Post] Law enforcement is spying on thousands of Americans’ mail, records show https://www.washingtonpost.com/technology/2024/06/24/post-office-mail-surveillance-law-enforcement/
- [Electronic Frontier Foundation] New ALPR Vulnerabilities Prove Mass Surveillance Is a Public Safety Threat https://www.eff.org/deeplinks/2024/06/new-alpr-vulnerabilities-prove-mass-surveillance-public-safety-threat
- [TechCrunch] US bans sale of Kaspersky software citing security risk from Russia https://techcrunch.com/2024/06/20/us-bans-kaspersky-software-security-risk-russia/
- [AppleInsider] Sonos removes a promise to not sell personal data, gets busted by users https://appleinsider.com/articles/24/06/15/sonos-removes-a-promise-to-not-sell-personal-data-gets-busted-by-users
- [theregister.com] What’s up with Mozilla buying ad firm Anonym? It’s all about ‘privacy-centric advertising’ https://www.theregister.com/2024/06/18/mozilla_buys_anonym_betting_privacy/
- Tip of the Week: Backing Up Other Data https://firewallsdontstopdragons.com/how-to-backup-other-data/

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:25: Book blitz coming soon
0:00:55: Dear Carey reminder
0:01:38: Bitwarden bug fixed
0:02:28: News rundown
0:04:22: EU politicians’ personal details exposed online
0:10:37: Proton adopts non-profit structure
0:15:15: Lawsuit Claims Microsoft Tracked Sex Toy Shoppers
0:19:28: ID Verification Service Exposed Driver Licenses
0:27:38: Mac users served info-stealer malware through Google ads
0:32:33: Law enforcement is spying on thousands of Americans’ mail
0:37:49: New ALPR Vulnerabilities Prove Mass Surveillance Is a Public Safety Threat
0:45:22: US bans sale of Kaspersky software
0:54:45: Sonos removes a promise to not sell personal data
0:56:21: What’s up with Mozilla buying ad firm Anonym?
1:06:38: Tip of the Week: Backing up other data
1:17:54: Wrap up, look ahead
Means of Control
Every day, we generate tons of digital exhaust: our web browsing, GPS location, online and in-store purchases, emails and messages, social media posts and feed viewing habits, and much, much more. Online marketers and data brokers have been living off these breadcrumbs for years. Intelligence and law enforcement agencies have found this data to be incredibly revealing, and they can buy most of it on the open market without requiring any sort of warrant – and they have. This has important implications for democratic societies that value privacy and freedom. I’ll discuss how this mass surveillance works and what it means for all of us with Byron Tau, author of the book “Means of Control”.

Interview Notes
- Means of Control: https://www.amazon.com/Means-Control-Alliance-Government-Surveillance/dp/0593443225
- Byron Tau at NOTUS: https://www.notus.org/byron-tau
- Puking Monkey’s DEF CON presentation: https://www.youtube.com/watch?v=T43Ti7c11lY
- Make your EZ Pass “moo”: https://hackaday.com/2013/09/16/modified-e-zpass-detects-reads-far-from-toll-booths/
- Official US policy on collecting public info on citizens: https://www.dni.gov/index.php/newsroom/press-releases/press-releases-2024/3815-odni-releases-ic-policy-framework-for-commercially-available-information

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:58: Update your Windows PCs
0:01:32: Interview setup
0:04:59: How might the collection of online data impact a regular person?
0:10:13: What sorts of things can all this data reveal about us?
0:15:44: How much can we learn by tracking a person’s location?
0:17:38: What is ‘gray data’?
0:22:40: Our data can be saved virtually forever – what are the ramifications?
0:26:30: How are data gathering rules different for law enforcement vs intelligence agencies?
0:32:54: When did data brokers start selling our info to government agencies?
0:39:22: Is it legal for these agencies to act as data brokers themselves?
0:42:12: What laws have impacted this sort of data collection in the US?
0:44:49: How and why do these agencies hide this data collection?
0:51:02: Are governments sharing data to skirt local restrictions?
0:54:54: How have these spy programs evolved since 9/11?
1:00:28: Have government agencies lobbied Congress against federal privacy laws?
1:03:20: How can we limit data collection and increase our privacy?
1:06:24: Could the Big Tech backlash help get a privacy law passed?
1:08:33: What are you working on next?
1:09:59: Interview follow-up
1:11:36: Looking ahead
Backup Your Cloud Data
Until recently, most of our important data lived primarily on our devices. Backing up that data often meant choosing a cloud backup service. But today, many of our most important photos and files are actually stored in the cloud. While cloud servers are supposed to be more robust than home computers with flaky hard drives and smartphones that get lost or stolen, it also means that someone else is in control of that data. Cloud services go offline, get bought out or even shut down. We now need to be sure to back up our cloud data, too.

In other news: 23andMe breach under investigation by US and Canada; cops release personal location info to FOIA request; hacker gains access to Tile customer data; more car privacy updates; Microsoft Recall backlash highlights our distrust; report shows Microsoft favoring profits over security; Mac Bartender app shadily changes ownership; new Apple privacy features coming.

Article Links
- [malwarebytes.com] 23andMe data breach under joint investigation in two countries https://www.malwarebytes.com/blog/news/2024/06/23andme-data-breach-under-joint-investigation-in-two-countries
- [theregister.com] Crooks threaten to leak 3B personal records ‘stolen from background check firm’ https://www.theregister.com/2024/06/03/usdod_data_dump/
- [404media.co] Cops Released a Car’s Travel History to a Total Stranger https://www.404media.co/cops-released-a-cars-travel-history-to-a-total-stranger/
- [404media.co] Hacker Accesses Internal ‘Tile’ Tool That Provides Location Data to Cops https://www.404media.co/hacker-accesses-internal-tile-tool-that-provides-location-data-to-cops/
- [The New York Times] Is Your Driving Being Secretly Scored? https://www.nytimes.com/2024/06/09/technology/driver-scores-insurance-data-apps.html
- [Windows Central] A PR disaster: Microsoft has lost trust with its users, and Windows Recall is the straw that broke the camel’s back https://www.windowscentral.com/software-apps/windows-11/microsoft-has-lost-trust-with-its-users-windows-recall-is-the-last-straw
- [ProPublica] Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says https://www.propublica.org/article/microsoft-solarwinds-golden-saml-data-breach-russian-hackers
- [AppleInsider] Adobe’s new terms of service unacceptably gives them access to all of your projects, for free https://appleinsider.com/articles/24/06/06/adobes-new-terms-of-service-unacceptably-gives-them-access-to-all-of-your-projects-for-free
- [MacRumors] PSA: Bartender Mac App Under New Ownership, But Lack of Transparency Raises Concerns https://www.macrumors.com/2024/06/04/bartender-mac-app-new-owner/
- [9to5Mac] iOS 18 includes these new privacy features: Lock and hide apps, improved contact permissions, more https://9to5mac.com/2024/06/10/ios-18-includes-these-new-privacy-features-lock-and-hide-apps-improved-contact-permissions-more/
- Tip of the Week: Backup Your Cloud Data: https://firewallsdontstopdragons.com/how-to-backup-cloud-data/

Further Info
- Under New Management plugin: https://github.com/classvsoftware/under-new-management
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:52: News preview
0:03:11: 23andMe data breach under joint investigation in two countries
0:07:01: Crooks threaten to leak 3B personal records ‘stolen from background check firm’
0:09:52: Cops Released a Car’s Travel History to a Total Stranger
0:14:22: Hacker Accesses Internal ‘Tile’ Tool That Provides Location Data to Cops
0:20:50: Is Your Driving Being Secretly Scored?
0:29:24: Microsoft has lost trust with its users, and Recall is the straw that broke the camel’s back
0:38:13: Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack
0:45:44: Bartender Mac App Under New Ownership, But Lack of Transparency Raises Concerns
0:51:43: iOS 18 includes these new privacy features
0:55:27: Tip of the Week: Backup Your Cloud Data
1:04:36: Looking ahead
Anom: The FBI’s Phone Company
Encrypted communications are important for everyone, even if you have nothing to hide. But they’re also important when you’re trying to hide global criminal operations. Drug smugglers and money launderers have special needs when it comes to secure messaging. Several phone companies were created to address this market. Unfortunately for the criminals, the most popular one – Anom – was secretly run by the FBI. Today Joseph Cox from 404 Media will tell us about this astoundingly audacious sting operation, which is the basis for his book, Dark Wire.

Interview Notes
- Order Dark Wire: https://a.co/d/h9o7ump
- Anom website (right before takedown): https://web.archive.org/web/20210507151115/http://anom.io/
- Phantom Secure website (circa 2017): https://web.archive.org/web/20170330122723/http://phantomsecure.com/
- Vice Anom story: https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor
- Anom phone video: https://www.youtube.com/watch?v=EA1KS-xh0n0
- Operation Trojan Shield: https://en.wikipedia.org/wiki/Operation_Trojan_Shield
- Trojan Shield press conference: https://www.youtube.com/watch?v=S89O0nis_ss
- Encrochat: https://en.wikipedia.org/wiki/EncroChat

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:54: Migrating to Mastodon
0:02:24: Embracing the dark… mode
0:02:45: Countdown to 400
0:03:28: Interview setup
0:04:30: How did this all start with you on an obscure forum for criminals?
0:08:34: What was Operation Trojan Shield?
0:10:49: How did the FBI start a secure phone company?
0:12:41: What were some of Anom’s key tech features?
0:15:26: Where did they get the Arcane Operating System?
0:17:56: How did the ‘duress’ feature work?
0:20:18: How did Anom copy encrypted messages without being detected?
0:24:35: How were these phones marketed to criminals?
0:28:10: What did these phones cost?
0:30:09: What were the legal aspects of this multi-national operation?
0:34:49: How did they use this intelligence without revealing the source?
0:39:38: Did the criminals ever suspect the phones?
0:42:04: How did this all come to an end?
0:46:14: So, are we ‘going dark’ or not?
0:49:27: What lessons did the FBI take away from all this?
0:51:36: Can we still trust things like Signal and Proton?
0:55:39: What’s your next big story or book?
0:58:09: Interview end notes
1:03:12: Looking ahead
Migrate to Mastodon
Most major social media platforms are a hot mess. Your feed is filled with tons of crap you never asked to see, and your data is mined mercilessly to serve you targeted ads. The promise of having a place to trade interesting posts with friends and family is now muddied up with sponsored content chosen by hidden algorithms optimized to keep you scrolling. It doesn’t have to be that way. I’ve found something much better, and I’m inviting you to come join me.

In other news: Ticketmaster breach leaks data on half a billion users; the iOS bug that resurrected deleted photos explained; GPT-4 can write working malware based only on CVE bug descriptions; Slack customers upset to learn that their data was being used to train AI systems; WiFi location service can be used to track mobile routers; police are trialing new devices that can track and identify you based on multiple electronic signals; new Windows AI feature records everything you do on your PC; Microsoft rolling out welcome changes to admin privilege use; Google adding several privacy and security features to Android 15; and iVerify now has an Android app.

Article Links
- [Mashable] Ticketmaster hacked. Breach affects more than half a billion users. https://mashable.com/article/ticketmaster-data-breach-shinyhunters-hack
- [9to5Mac] Security Bite: Here’s the iOS 17.5 bug that resurfaced deleted photos https://9to5mac.com/2024/05/26/security-bite-heres-the-ios-17-5-bug-that-resurfaced-deleted-photos/
- [Dark Reading] GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories https://www.darkreading.com/threat-intelligence/gpt-4-can-exploit-most-vulns-just-by-reading-threat-advisories
- [securityweek.com] User Outcry as Slack Scrapes Customer Data for AI Model Training https://www.securityweek.com/user-outcry-as-slack-scrapes-customer-data-for-ai-model-training/
- [9to5Mac] Apple Location Services vulnerability can enable troop movements to be tracked https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/
- [Forbes] New Police Tech Can Detect Phones, Pet Trackers And Library Books In A Moving Car https://www.forbes.com/sites/thomasbrewster/2024/05/14/police-car-surveillance-tech-uncovers-phones-pet-trackers-and-library-books/
- [Ars Technica] New Windows AI feature records everything you’ve done on your PC https://arstechnica.com/gadgets/2024/05/microsofts-new-recall-feature-will-record-everything-you-do-on-your-pc/
- [PCWorld] Microsoft battens security hatches on Windows admin accounts https://www.pcworld.com/article/2344405/microsoft-battens-security-hatches-on-oft-used-windows-admin-accounts.html
- [Lifehacker] Google Is Rolling Out Some Great Privacy Features to Android This Year https://lifehacker.com/tech/google-is-rolling-out-some-great-privacy-features-with-android-15
- [iverify.io] iVerify Basic is now on Android! https://www.iverify.io/post/iverify-basic-is-now-on-android
- Tip of the Week: Move to Mastodon https://firewallsdontstopdragons.com/how-to-move-to-mastodon/

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:34: Ticketmaster hacked, breach affects more than half a billion users
0:05:59: Here’s the iOS 17.5 bug that resurfaced deleted photos
0:12:28: GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories
0:17:36: User Outcry as Slack Scrapes Customer Data for AI Model Training
0:23:12: Apple Location Services vulnerability can enable troop movements to be tracked
0:34:15: New Police Tech Can Detect Phones, Pet Trackers And Library Books In A Moving Car
0:41:02: New Windows AI feature records everything you’ve done on your PC
0:46:36: Microsoft battens security hatches on Windows admin accounts
0:51:06: Google Is Rolling Out Some Great Privacy Features to Android This Year
0:55:08: iVerify Basic is now on Android
0:56:00: Tip of the Week: Migrate to Mastodon
1:03:21: Looking ahead
Why Privacy Matters
Our privacy has never been more threatened. While some of us are vaguely aware of this, most of the rampant data collection and sharing is completely opaque. And the consequences are more dire than most of us realize. We can’t afford to be complacent. We need to push back, to ask questions, and to make better choices. Privacy-respecting apps and services do exist today. Making a deliberate and overt decision to use them will force the market (and our elected representatives) to take notice. My guest Naomi Brockwell from NBTV will make a compelling case for privacy and reclaiming control of our data, including several top-notch tips for doing so.

Interview Notes
- Naomi Brockwell’s NBTV: https://www.nbtv.media/
- A World Without Privacy: https://www.nbtv.media/episodes/a-world-without-privacy
- A Beginner’s Introduction to Privacy: https://www.amazon.com/Beginners-Introduction-Privacy-Naomi-Brockwell-ebook/dp/B0BQHS8MFS
- Who can access your car remotely? https://www.youtube.com/watch?v=Ff9pmaSdZV8
- Naomi Brockwell on All Things Secured: https://www.youtube.com/watch?v=D0WjIWBQEBM
- Michael Bazzell’s Extreme Privacy resources: https://inteltechniques.com/links.html
- Try Proton! https://firewallsdontstopdragons.com/its-time-to-try-proton/
- Try Signal! https://firewallsdontstopdragons.com/how-to-switch-to-signal/

Further Info
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:58: How did you become a privacy evangelist?
0:06:51: What are some of the most mind-blowing ways we leak personal data?
0:09:56: What were some of Orwell’s most prescient predictions in 1984?
0:15:49: How is surveillance different in real life from 1984?
0:22:23: How does data collection skew the power balance between citizens and authorities?
0:26:36: How do you counter the “I have nothing to hide” argument?
0:29:55: Why is it so important to normalize the use of privacy tools?
0:33:46: What changes do you recommend and what are the impacts of making them?
0:45:48: If you’ve given away tons of personal data already, is it too late?
0:50:07: What can we do to push vendors to respect our privacy more?
0:57:49: What does the future of privacy look like?
1:00:15: Post-interview notes
1:06:11: Looking ahead
How to Choose a PIN
Security experts talk at length about how to choose a good password – but we don’t often talk about how to choose a good PIN code. A recent analysis by a researcher shows the popular patterns humans use when choosing PIN codes, and therefore what you should avoid doing.

In the news: MediSecure e-Rx firm hit by data breach; CISA warns of active D-Link router exploit; a couple of cases of insecure APIs being abused; 53k Nissan employees’ SSNs leaked; new macOS malware called Cuckoo; Ascension Healthcare suffers cyberattack; Proton user’s poor OpSec gives him away; TunnelVision VPN attack exploits DHCP feature; Maryland & Vermont pass data privacy laws; tracker detection feature debuts on iPhone & Android.

Article Links
- [BleepingComputer] MediSecure e-script firm hit by ‘large-scale’ data breach https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/
- [The Hacker News] CISA Warns of Actively Exploited D-Link Router Vulnerabilities https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-d-link.html
- [Ars Technica] How I upgraded my water heater and discovered how bad smart home security can be https://arstechnica.com/gadgets/2024/05/how-i-upgraded-my-water-heater-and-discovered-how-bad-smart-home-security-can-be/
- [BleepingComputer] Dell API abused to steal 49 million customer records in data breach https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
- [infosecurity-magazine.com] 53,000 Nissan Employees’ Social Security Numbers Exposed https://www.infosecurity-magazine.com/news/employees-social-security-nissan/
- [Tom’s Guide] New Cuckoo macOS malware can take over all Macs and steal your passwords https://www.tomsguide.com/computing/malware-adware/new-cuckoo-macos-malware-can-take-over-all-macs-and-steals-your-passwords-too-dont-fall-for-this
- [Dark Reading] Ascension Healthcare Suffers Major Cyberattack https://www.darkreading.com/cyberattacks-data-breaches/ascension-healthcare-hit-by-cyberattack
- [restoreprivacy.com] Proton Mail Discloses User Data Leading to Arrest in Spain https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain/
- [Ars Technica] Novel attack against virtually all VPN apps neuters their entire purpose https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
- [mullvad.net] Evaluating the impact of TunnelVision https://mullvad.net/en/blog/evaluating-the-impact-of-tunnelvision
- [epic.org] Vermont Passes Landmark Data Privacy Bill https://epic.org/vermont-passes-landmark-data-privacy-bill/
- [epic.org] Governor Moore Signs Maryland Online Data Privacy Act https://epic.org/governor-moore-signs-maryland-online-data-privacy-act/
- [9to5Mac] Here’s how the new Cross-Platform Tracking Detection works https://9to5mac.com/2024/05/13/cross-platform-tracking-detection-ios-17-5/
- Tip of the Week: How to Choose a PIN https://firewallsdontstopdragons.com/how-to-choose-a-pin/

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:34: Update Apple devices, Chrome
0:01:16: A note on supporting Firefox
0:03:48: News preview
0:07:00: MediSecure hit by large-scale data breach
0:09:01: CISA Warns of Actively Exploited D-Link Router Vulnerabilities
0:13:14: How I upgraded my water heater and discovered how bad smart home security can be
0:19:46: Dell API abused to steal 49 million customer records
0:23:11: 53,000 Nissan Employees’ Social Security Numbers Exposed
0:27:06: New Cuckoo macOS malware can take over all Macs and steal your passwords
0:32:41: Ascension Healthcare Suffers Major Cyberattack
0:35:22: Proton Mail Discloses User Data Leading to Arrest in Spain
0:43:35: Novel attack against virtually all VPN apps neuters their entire purpose
0:47:28: Mullvad: Evaluating the impact of TunnelVision
0:55:48: Vermont & Maryland Pass Data Privacy Laws
0:58:27: Here’s how the new Cross-Platform Tracking Detection works
1:01:50: Tip of the Week: How to Choose a PIN
1:10:12: Looking ahead
Inside Ukraine’s IT Army
Russia has been hacking Ukraine for at least a decade now, but since the invasion of Ukraine in February of 2022, the cyber war has changed. Instead of being a tactical element, cyber war is now a full-fledged strategic aspect of the conflict, on both sides. At the outset, Ukraine put out an official call to enlist cyber warriors from around the globe to their cause in what’s been called the IT Army of Ukraine. Today we’ll look at how this group was formed, how it operates, and what we should all be learning from what’s happening there. My guest is Dina Temple-Raston from The Record, the Click Here Podcast, and formerly NPR.

Interview Notes
- Dina Temple-Raston at The Record: https://therecord.media/author/dina-temple-raston
- Click Here podcast: https://therecord.media/podcast
- Click Here, Episode 98: “Lessons from the world’s first hybrid war”: https://podcasts.apple.com/us/podcast/click-here/id1225077306?i=1000639045741
- NPR’s I’ll Be Seeing You: https://www.npr.org/series/760566025/ill-be-seeing-you
- Operation Glowing Symphony: https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-isis

Further Info
- Send me your questions! https://fdsd.me/qna
- Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
- Subscribe to the newsletter: https://fdsd.me/newsletter
- Become a patron! https://www.patreon.com/FirewallsDontStopDragons
- Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
- Give the gift of privacy and security: https://fdsd.me/coupons
- Support our mission! https://fdsd.me/support
- Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:50: How did you get into covering cybersecurity and cyber warfare?
0:06:48: When and how did Russian cyber attacks begin in Ukraine?
0:15:40: What is the IT Army of Ukraine and what is its origin?
0:20:47: Have we seen other cyberwar volunteer organizations?
0:23:05: How are information and communications being utilized by the IT Army?
0:26:53: How has Russia responded to this?
0:28:34: How are IT Army members recruited and vetted?
0:30:17: How are objectives coordinated?
0:31:20: Where are IT Army members coming from?
0:32:03: Do we know if Western military members are participating in the IT Army?
0:36:30: What are the military lessons to be learned here?
0:42:11: What should civilians be learning from all of this?
0:46:01: What’s next for you and Click Here?
0:47:14: Wrap-up and looking ahead
Please Quit Chrome
Google’s Chrome browser dominates the planet, on both desktop computers and mobile devices. Furthermore, many other popular web browsers, including Microsoft Edge and Brave, are built on the same Google-controlled Chromium code base. This gives Google an inordinate amount of influence over web standards, and in particular lets it hold back stronger privacy protections. We need to support privacy-forward alternatives lest they disappear. In other news: the US passes expanded mass surveillance powers instead of curbing them; the TikTok ban bill becomes law, giving ByteDance a year to sell; the UK’s Investigatory Powers Bill amendment passes; a photo-sharing app will use users’ uploaded images to train AI; Kaiser Permanente and Change Healthcare disclose data breaches; an antivirus service that delivered updates over plain HTTP had malware pushed onto its users’ systems; the FCC fines carriers $200M for sharing location data; CISA’s director pushes for vendor accountability; CISA’s proactive protection programs are making a positive impact; the UK becomes the first country to enforce strict IoT security requirements; net neutrality is back; and Google again delays killing third-party cookies.

Article Links
[Electronic Frontier Foundation] U.S. Senate and Biden Administration Shamefully Renew and Expand FISA Section 702, Ushering in a Two Year Expansion of Unconstitutional Mass Surveillance https://www.eff.org/deeplinks/2024/04/us-senate-and-biden-administration-shamefully-renew-and-expand-fisa-section-702-0
[TechCrunch] Biden signs bill that would ban TikTok if ByteDance fails to sell the app https://techcrunch.com/2024/04/24/biden-signs-bill-that-would-ban-tiktok-if-bytedance-fails-to-sell-the-app/
[theregister.com] UK’s Investigatory Powers Bill to become law despite tech world opposition https://www.theregister.com/2024/04/26/investigatory_powers_bill/
[TechCrunch] Photo-sharing community EyeEm will license users photos to train AI if they don’t delete them https://techcrunch.com/2024/04/26/photo-sharing-community-eyeem-will-license-users-photos-to-train-ai-if-they-dont-delete-them/
[TechCrunch] Health insurance giant Kaiser notifies millions of a data breach https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-millions-data-breach/
[TechCrunch] Change Healthcare hackers broke in using stolen credentials — and no MFA, says UHG CEO https://techcrunch.com/2024/04/30/uhg-change-healthcare-ransomware-compromised-credentials-mfa/
[Ars Technica] Hackers infect users of antivirus service that delivered updates over HTTP https://arstechnica.com/security/2024/04/hackers-infect-users-of-antivirus-service-that-delivered-updates-over-http/
[BleepingComputer] FCC fines carriers $200 million for illegally sharing user location https://www.bleepingcomputer.com/news/technology/fcc-fines-carriers-200-million-for-illegally-sharing-user-location/
[cybersecuritydive.com] CISA director pushes for vendor accountability and less emphasis on victims’ errors https://www.cybersecuritydive.com/news/cisa-highlights-vendors-errors/714300/
[therecord.media] More than 800 vulnerabilities resolved through CISA ransomware notification pilot https://therecord.media/vulnerabilities-resolved-through-cisa-pilot
[therecord.media] UK becomes first country to ban default bad passwords on IoT devices https://therecord.media/united-kingdom-bans-defalt-passwords-iot-devices
[WIRED] Net Neutrality Returns to a Very Different Internet https://www.wired.com/story/fcc-net-neutrality-rules-vote/
[Ars Technica] Google delays third-party cookie death again: Now scheduled for 2025 https://arstechnica.com/gadgets/2024/04/google-delays-third-party-cookie-death-again-now-scheduled-for-2025/

Tip of the Week: https://firewallsdontstopdragons.com/its-time-to-quit-chrome/

Further Info
Under New Management plugin: https://github.com/classvsoftware/under-new-management
Donate to Mozilla (Firefox): https://foundation.mozilla.org/en/donate/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:29: Updates on previous stories
0:02:38: Newsletter DMARC fixed
0:03:34: News preview
0:07:05: U.S. Shamefully Renews and Expands FISA Section 702
0:14:03: Biden signs bill that would ban TikTok if ByteDance fails to sell
0:16:36: UK’s Investigatory Powers Bill to become law
0:20:29: EyeEm will license users photos to train AI if they don’t delete them
0:27:46: Health insurance giant Kaiser notifies millions of a data breach
0:30:42: Change Healthcare hackers broke in using stolen credentials
0:34:42: Hackers in
The Rise of CBDC
AI has been grabbing all the tech headlines, but cryptocurrency is still innovating and changing. One of the primary goals of cryptocurrency was to be decentralized, and therefore not controlled by governments the way fiat currency is. That is about to change. Central Bank Digital Currency (CBDC) is a digital currency created and governed by a nation state’s central bank rather than by a decentralized network, which comes with serious implications for privacy and global economics. Thankfully I’ve got cryptocurrency expert Seth for Privacy on the show to explain how CBDC works and how it will affect us.

Interview Notes
Opt Out Podcast: https://optoutpod.com/
Freedom.Tech: https://freedom.tech/
Foundation.xyz: https://foundation.xyz/
CBDC tracker: https://cbdctracker.hrf.org/home
Buying Monero: https://freedom.tech/buying-monero-privately/
Samourai Wallet 1: https://freedom.tech/how-samourai-worked/
Samourai Wallet 2: https://freedom.tech/samourai-to-sparrow/
Cryptocurrency 101 interview: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/

Further Info
Treasure & Coin Promo: https://fdsd.me/promo424
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:30: Promo update
0:01:42: News preview
0:04:34: AT&T now says over 50M accounts were compromised
0:11:37: Apple password reset notification attack
0:16:04: Outlook is Microsoft’s new data collection service
0:22:40: Kobold letters
0:29:27: Backdoor in XZ Utils That Almost Happened
0:39:42: OpenAI and Google reportedly used transcriptions of YouTube videos to train their AI models
0:45:57: How to Turn Off Meta AI on their various apps
0:49:07: Vulnerabilities Identified in LG WebOS
0:52:14: Roku Says More Than 500,000 Accounts Were Compromised
0:56:05: X May Charge New Users a ‘Small Fee’ to Post, Like and Reply
1:00:04: DuckDuckGo Is Taking Its Privacy Fight to Data Brokers
1:04:19: Google Launches Android Find My Device Network
1:07:29: The CFPB wants to rein in data brokers
1:12:23: Tip of the Week: Freeze Your Credit
1:18:05: Wrap-up
1:19:06: Looking ahead
Just Do It: Freeze Your Credit
You’ve heard people like me recommend this for years. It’s time to just do it: freeze your credit report. There are really no downsides at this point. For example, it’s now free everywhere in the US, by law. It’s also free to temporarily “thaw” your credit. And it’s gotten a lot easier to do, too. Freezing your credit is your main defense against financial identity theft. And with the sheer number of data breaches (like the recent massive AT&T leak), the personal information needed to commit identity theft is already out there. In other news: AT&T now says 51 million past and current customers’ data were leaked; beware of a new password reset ‘bomb’ campaign; Microsoft is using Outlook to harvest and share your data; a new email trick (Kobold letters) changes a message’s content when it is forwarded; a devious and devastating supply chain attack (the XZ Utils backdoor) was thwarted in the nick of time; AI companies are using sneaky techniques to train their models on your data; Meta is lacing its apps with AI, and there’s not much you can do about it; LG TVs are hacked; Roku is breached again, this time affecting over 500,000 accounts; Twitter/X is looking to charge new users a small fee to try to curb bot accounts; DuckDuckGo unveils a trio of new for-pay privacy services; Google launches its own Find My network; and various US government agencies, lacking a real privacy law, attempt to curb privacy abuses using existing powers.

Article Links
[BleepingComputer] AT&T now says data breach impacted 51 million customers https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/
[AppleInsider] If you’re getting dozens of password reset notifications, you’re being attacked https://appleinsider.com/articles/24/03/27/if-youre-getting-dozens-of-password-reset-notifications-youre-being-attacked
[proton.me] Outlook is Microsoft’s new data collection service https://proton.me/blog/outlook-is-microsofts-new-data-collection-service
[Lutra Security] Kobold letters https://lutrasecurity.com/en/articles/kobold-letters/
[Schneier Blog] Backdoor in XZ Utils That Almost Happened https://www.schneier.com/blog/archives/2024/04/backdoor-in-xz-utils-that-almost-happened.html
[Engadget] OpenAI and Google reportedly used transcriptions of YouTube videos to train their AI models https://www.engadget.com/openai-and-google-reportedly-used-transcriptions-of-youtube-videos-to-train-their-ai-models-163531073.html
[Lifehacker] How to Turn Off Meta AI on Facebook, Instagram, Messenger, and WhatsApp https://lifehacker.com/tech/how-to-turn-off-meta-ai-on-facebook-instagram-messenger-whatsapp
[bitdefender.com] Vulnerabilities Identified in LG WebOS https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/
[Lifehacker] Roku Says More Than 500,000 Accounts Were Compromised in a Cyberattack https://lifehacker.com/tech/roku-cyberattack-compromises-accounts
[MacRumors] X May Charge New Users a ‘Small Fee’ to Post, Like and Reply https://www.macrumors.com/2024/04/15/x-small-fee-new-users/
[WIRED] DuckDuckGo Is Taking Its Privacy Fight to Data Brokers https://www.wired.com/story/duckduckgo-vpn-data-removal-tool-privacy-pro/
[MacRumors] Google Launches Android Find My Device Network https://www.macrumors.com/2024/04/08/google-android-find-my-device-network-2/
[ftc.gov] Proposed FTC Order will Prohibit Telehealth Firm from Using or Disclosing Sensitive Data for Advertising Purposes https://www.ftc.gov/news-events/news/press-releases/2024/04/proposed-ftc-order-will-prohibit-telehealth-firm-cerebral-using-or-disclosing-sensitive-data
[The Verge] The CFPB wants to rein in data brokers https://www.theverge.com/2024/4/15/24131354/cfpb-data-brokers-fair-credit-reporting-act
[therecord.media] Automakers and FCC square off over potential regulations for connected cars https://therecord.media/fcc-automakers-connected-cars-regulation-mvnos

Tip of the Week: https://firewallsdontstopdragons.com/credit-freeze-now-is-the-time/

Further Info
Treasure & Coin Promo: https://fdsd.me/promo424
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:30: Promo update
0:01:42: News preview
0:04:34: AT&T now says over 50M accounts were compromised
0:11:37: Apple password reset notification attack
0:16:04: Outlook is Microsoft’s new data collection service
0:22:40: Kobold letters
0:29:27: Backdoor in XZ Utils That Almost Happened
0:39:42: OpenAI and Google reportedly used transcriptions of
Protecting Kids Online
There’s a lot of nasty stuff online – things we would prefer our kids not see, at least not until they’re mature enough to handle it. Our elected representatives have proposed various regulations to try to protect kids online, and while this is obviously a laudable goal, the devil is always in the details. Many of the proposed solutions have serious negative consequences for both kids and adults, chilling free speech and blocking useful content. I’ll discuss the latest iteration of these proposed solutions in the US, the Kids Online Safety Act (KOSA), as well as the similar Online Safety Act in the UK. With me is Joe Mullin, senior policy analyst at the Electronic Frontier Foundation (EFF).

Interview Notes
Joe Mullin (EFF): https://www.eff.org/about/staff/joe-mullin
EFF on KOSA: https://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act
EFF on KOSA in depth: https://www.eff.org/deeplinks/2024/03/analyzing-kosas-constitutional-problems-depth
Contact Congress: https://www.eff.org/congress
EFF on CA ballot initiative: https://www.eff.org/deeplinks/2024/02/eff-opposes-california-initiative-would-cause-mass-censorship
EFF submission to Ofcom: https://www.eff.org/deeplinks/2024/03/effs-submission-ofcoms-consultation-illegal-harms
Santa Clara Principles for online content moderation: https://santaclaraprinciples.org/

Further Info
Treasure & Coin Promo: https://fdsd.me/promo424
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:56: Eclipse!
0:01:50: Treasure & Coin promo update
0:02:29: Interview preview
0:03:41: What are the primary concerns today with kids on the internet?
0:08:24: What laws already exist to protect kids online?
0:17:05: What are the key provisions of KOSA?
0:25:04: What content is KOSA trying to restrict based on age?
0:34:22: What did we learn from the UK’s Online Safety Act?
0:38:47: Doesn’t KOSA interfere with Section 230?
0:44:41: How does KOSA impact content access for adults?
0:50:17: Are our representatives seeking insights from groups like EFF?
0:54:58: Are there online safety regulations EFF could support?
0:58:55: Do you have any advice for parents on protecting their kids online?
1:06:55: Interview wrap-up
1:08:59: Patron bonus content
1:09:28: Looking ahead
Answering Listener Questions
Today I answer some of the most interesting listener questions from the past several months, including: how do you get SMS 2FA codes while traveling abroad; should I periodically change all my passwords; how do hackers attack IoT devices inside my home network; can a website fingerprint me based on a hardware security key; can you recommend an email client that protects your privacy; if I give my IoT device permission to see my local network, does that include the guest network; how do hackers find vulnerabilities and figure out how to attack them; why can’t I use my VPN on an airplane to stream Netflix; how can I protect my cryptocurrency and smartphone. Also, I give my take on the crazy TikTok ban legislation.

Links
New Year’s Resolutions for 2024: https://firewallsdontstopdragons.com/new-years-resolutions-for-2024/
GRC’s Shields Up! Tool: https://www.grc.com/shieldsup
Secure your home network: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/
My Take on TikTok Ban: https://firewallsdontstopdragons.com/my-take-on-tiktok-ban/
The TikTok Situation is a Mess: https://lifehacker.com/tech/the-tiktok-situation-is-a-mess
EFF on TikTok: https://www.eff.org/deeplinks/2024/03/5-big-unanswered-questions-about-tiktok-bill
The US Wants to Ban TikTok: https://www.404media.co/the-u-s-wants-to-ban-tiktok-for-the-sins-of-every-social-media-company/

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:38: Couple quick updates
0:02:37: Getting SMS 2FA codes while traveling abroad
0:07:37: Should I periodically change all my passwords?
0:13:23: How do hackers attack IoT devices inside my home network?
0:19:10: Can a website fingerprint me based on a hardware security key?
0:24:42: Can you recommend an email client that protects your privacy?
0:29:30: If I give my IoT device permission to see my local network, does that include the guest network?
0:33:18: How do hackers find vulnerabilities and figure out how to attack them?
0:37:35: Why can’t I use my VPN on an airplane to stream Netflix?
0:43:57: How can I protect my cryptocurrency and smartphone?
0:50:05: AT&T breach update
0:50:56: My Take on TikTok
0:57:28: Wrap-up
He Said She Said
Today I talk with Justin and Jodi Daniels about the state of privacy today, how we can help consumers and companies better understand the importance of privacy and security, and how companies are dealing with these aspects internally. We talk about the state of privacy regulations (or the lack thereof), why companies are failing to protect their customers, and what we can do about that. Justin and Jodi host a podcast together called She Said Privacy, He Said Security. They’ve also co-written a book called “Data Reimagined: Building trust one byte at a time”.

Interview Notes
Justin & Jodi Daniels’ podcast: https://redcloveradvisors.com/podcasts/
Justin Daniels: https://www.linkedin.com/in/justinsdaniels/
Jodi Daniels: https://www.linkedin.com/in/jodihoffmandaniels/
Red Clover Advisors: https://redcloveradvisors.com/
Baker Donelson: https://www.bakerdonelson.com/
Data Reimagined book: https://redcloveradvisors.com/book-sales/
International Association of Privacy Professionals (IAPP): https://iapp.org/
Information Commissioner’s Office (ICO): https://ico.org.uk/
YourAdChoices (AboutAds.info): https://youradchoices.com/
How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
Jeff Jockisch top 10: https://www.linkedin.com/posts/jozian_privacypodcast-peopleschoice-privacyawards-activity-7155591864593637376-Q3bi/

Further Info
Coin & Treasure Promo: https://fdsd.me/promo424
Send me your questions: https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:33: Interview setup
0:03:31: Tell me about your podcast and how you got into this space.
0:06:40: How do you explain privacy to regular, everyday people?
0:09:37: How can we help people better understand the need for privacy?
0:11:10: What are the newest threats to our privacy?
0:14:58: So how do we know what to trust?
0:17:07: What mistakes do companies make when crafting and implementing privacy policies?
0:21:37: How should companies embrace privacy?
0:25:51: What’s life like for a Chief Privacy Officer today?
0:30:22: Can we blame companies for monetizing our data since it’s legal to do so?
0:34:01: How do we combat privacy problems with security tech?
0:37:11: Why can’t the US government pass a federal privacy law?
0:42:54: Would it help to pass laws that mandate transparency?
0:46:11: What about a universal opt-out mechanism?
0:47:24: Is mainstream media covering privacy and security properly?
0:49:36: What are some promising Privacy Enhancing Technologies?
0:53:50: What are some of your top resources to learn more about privacy?
0:56:09: Any final thoughts?
0:57:30: Interview follow-up
0:59:25: Looking ahead
Account Security is Broken
Passwords, two-factor authentication and even passkeys don’t matter if someone can get into your account by answering three simple account recovery questions. Also, just about every account today has a way to reset your password, no matter how strong it is, if an attacker gains access to your email account. Until we remove these weak links, it doesn’t matter how secure our regular authentication schemes are. In the news: old AT&T breach data is making the rounds; Apple Silicon chips have a security flaw baked into the hardware; two very popular digital safe locks come with backdoor codes; Twitter/X is failing to properly check posted links that redirect to scam sites; a court rules that continuous external camera surveillance of your house doesn’t require a warrant; searches for VPNs spike after Pornhub pulls out of Texas; a blockbuster New York Times article brings much-needed attention to data collection in cars; Airbnb implements a blanket camera ban. And I announce a killer new patron promotion! Click this link! https://fdsd.me/promo424

Article Links
[restoreprivacy.com] AT&T Investigating Potential Breach Following Leak of 73.4 Million Records https://restoreprivacy.com/att-investigating-breach-following-leak-of-73-4-million-records/
HaveIBeenPwned.com: https://haveibeenpwned.com/
[9to5Mac] Unpatchable security flaw in Apple Silicon Macs breaks encryption https://9to5mac.com/2024/03/22/unpatchable-security-flaw-mac/
[404media.co] Massively Popular Safe Locks Have Secret Backdoor Codes https://www.404media.co/massively-popular-safe-locks-have-secret-backdoor-codes/
[Lifehacker] It’s Not Safe to Click Links on X https://lifehacker.com/tech/its-not-safe-to-click-links-on-x
[Gizmodo] The Feds Can Film Your Front Porch for 68 Days Without a Warrant, Says Court https://gizmodo.com/feds-can-film-your-front-porch-without-warrant-1851352414
[CNN] Searches for VPNs spike in Texas after Pornhub pulls out of the state https://www.cnn.com/2024/03/15/tech/vpn-searches-spike-texas-pornhub
[The New York Times] Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html
[Lifehacker] Airbnb’s New Security Camera Ban Is a Big Deal https://lifehacker.com/tech/airbnbs-new-security-camera-ban

Tip of the Week: https://firewallsdontstopdragons.com/account-security-is-broken/

Further Info
Become a Patron! (promo): https://fdsd.me/promo424
Lock & Code Podcast: https://www.malwarebytes.com/blog/podcast/2024/03/securing-your-home-network-is-long-tiresome-and-entirely-worth-it-with-carey-parker-lock-and-code-s05e07
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:05: News preview
0:06:12: AT&T Investigating Potential Breach Following Leak of 73.4 Million Records
0:11:24: Unpatchable security flaw in Apple Silicon Macs breaks encryption
0:16:34: Massively Popular Safe Locks Have Secret Backdoor Codes
0:21:57: It’s Not Safe to Click Links on X
0:30:28: The Feds Can Film Your Front Porch for 68 Days Without a Warrant, Says Court
0:33:28: Searches for VPNs spike in Texas after Pornhub pulls out of the state
0:38:35: Automakers Are Sharing Consumers’ Driving Behavior With Insurance
0:47:36: Airbnb’s New Security Camera Ban Is a Big Deal
0:49:57: Tip of the Week: Account Security is Broken
0:55:49: Dragon Coin promotion details
Health Data Privacy
The United States has no general data privacy law. However, we do have some sector-specific regulations, including HIPAA for health data. But there are many misconceptions about HIPAA. For example, the “P” in HIPAA does not stand for Privacy – it stands for Portability. So, what information does HIPAA cover? Which healthcare and related service providers are governed by HIPAA? And most importantly, what can you do to protect your medical and health data? Today we’ll dive deep into this subject with Kate Black, a data, privacy and health lawyer and a strategic advisor in the health data field.

Interview Notes
Kate Black: https://www.linkedin.com/in/kate-black-sfo/
Washington’s My Health, My Data law: https://hintzelaw.com/blog/2023/4/9/wa-my-health-my-data-act-pt1-overview
HIPAA rights: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
STAT medical news: https://www.statnews.com/

Further Info
Check out my dragon challenge coins! https://fdsd.me/coin2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:29: What is covered by HIPAA? What isn’t covered?
0:06:51: Can I sign away my HIPAA rights?
0:08:08: Who in my medical provider’s office can access my data?
0:10:23: Who audits HIPAA compliance?
0:11:47: How is my health data shared between providers?
0:14:49: Are certain types of health data treated differently?
0:15:23: How does health privacy work for minors?
0:16:53: Outside of health providers, who else can access my data?
0:20:56: How does HIPAA compare to other sector-specific privacy laws?
0:22:20: Do secondary providers share back with my primary care physician?
0:24:42: Who stores and protects my digital medical records?
0:27:46: How are third party providers audited for privacy and security?
0:29:56: Are HIPAA security requirements keeping up with the times?
0:33:13: Do I have full access to my complete medical record?
0:36:52: How do marketers get my health data?
0:39:51: What laws govern inferred health information?
0:45:48: Do pharmacies sell health data to marketers?
0:48:57: How private are online medical portals and check-in services?
0:53:35: How concerned should we be about using DNA analysis services?
0:59:17: How can we improve our health privacy laws?
1:00:30: What are your personal tips for protecting health data?
1:02:37: If I think someone has abused my data, what can I do?
1:04:13: Interview wrap-up
1:06:49: Looking ahead
Backing Up 2FA Seeds
Two-factor authentication (2FA) is a fantastic way to improve the security of your online accounts. However, if you lose access to the device containing your authenticator app, you may lose access to your 2FA-protected accounts. You need to back up the seed codes used to set up each account – the secret behind the QR code, from which every one-time code is derived. I’ll give you several methods for doing this. In the news: the FBI uses smartphone push notifications to track down criminals; Roku TVs block all access until users consent to forced arbitration; cheap video doorbells have horrible security; AI can be used to determine where photos were taken; a vending machine is caught using facial recognition; what happens to your data when a data broker goes bankrupt; your personal information that is publicly available; New Jersey passes a motor vehicle data deletion law; Proton Mail’s new email aliasing feature; in Canada, police now need a warrant to get a person’s IP address; the US cracks down on a commercial spyware firm; NSO Group is ordered to hand over source code to Meta in a legal case; Authy is shutting down its desktop app.

Article Links
[The Washington Post] The FBI’s new tactic: Catching suspects with push alerts https://www.washingtonpost.com/technology/2024/02/29/push-notification-surveillance-fbi/
[TechCrunch] Roku disables TVs and streaming devices until users consent to forced arbitration https://techcrunch.com/2024/03/05/roku-disables-tvs-and-streaming-devices-until-users-consent-to-forced-arbitration/
[Consumer Reports] These Video Doorbells Have Terrible Security https://www.consumerreports.org/home-garden/home-security-cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/
[NPR] Artificial intelligence can find your location in photos, worrying privacy experts https://www.npr.org/2023/12/19/1219984002/artificial-intelligence-can-find-your-location-in-photos-worrying-privacy-expert
[Ars Technica] Vending machine error reveals secret face image database of college students https://arstechnica.com/tech-policy/2024/02/vending-machine-error-reveals-secret-face-image-database-of-college-students/
[The Markup] What Happens to Your Sensitive Data When a Data Broker Goes Bankrupt? https://themarkup.org/privacy/2024/02/23/what-happens-to-your-sensitive-data-when-a-data-broker-goes-bankrupt
[Lifehacker] All of Your Information That’s Publicly Available (and What You Can Do About It) https://lifehacker.com/tech/all-your-information-thats-publicly-available-what-to-do-about-it
[privacy4cars.com] “Motor Vehicle Data Deletion Act” of New Jersey https://privacy4cars.com/nj-law/
[Lifehacker] Proton Mail Now Lets You Hide Your Real Email Address https://lifehacker.com/tech/how-to-set-up-email-aliases-proton-mail
[CBC] Police now need a warrant to get a person’s IP address, Supreme Court rules https://www.cbc.ca/news/politics/supreme-court-privacy-ipaddress-1.7130727
[The Hacker News] U.S. Cracks Down on Predatory Spyware Firm for Targeting Officials and Journalists https://thehackernews.com/2024/03/us-cracks-down-on-predatory-spyware.html
[9to5Mac] iPhone spyware company NSO suffers major defeat in US court, in Meta lawsuit https://9to5mac.com/2024/03/01/iphone-spyware-company-nso-must-reveal-code/
[The Verge] Authy is shutting down its desktop app https://www.theverge.com/2024/1/8/24030477/authy-desktop-app-shutting-down

Tip of the Week: Backing Up Your 2FA Seed Codes https://firewallsdontstopdragons.com/how-to-backup-2fa-seed-codes/
Command line tool to extract codes from Authy: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93

Further Info
Check out my dragon challenge coins! https://fdsd.me/coin2
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:55: Upcoming promotion
0:01:35: News rundown
0:04:15: The FBI’s new tactic: Catching suspects with push alerts
0:10:44: Roku disables TVs and streaming devices until users consent to forced arbitration
0:14:23: These Video Doorbells Have Terrible Security
0:20:34: Artificial intelligence can find your location in photos
0:25:47: Vending machine error reveals secret face image database
0:28:46: What Happens to Your Sensitive Data When a Data Broker Goes Bankrupt?
0:32:40: All of Your Information That’s Publicly Available
0:38:03: “Motor Vehicle Data Deletion Act” of New Jersey
0:40:17: Proton Mail Now Lets You Hide Your Real Email Address
0:44:09: Supreme Court of Canada: Police need warrant to get a person’s IP address
0:45:33: U.S. Cracks Down on Predatory Spyware Firm for Targeting O
How Our Data is Abused
With the rise of IoT and tracking technologies (both online and in the real world), we are generating staggering amounts of highly personal information. This massive trove of juicy data has drawn the attention of several interested parties outside the realm of consumer marketing. Like chum in the water, it has created a feeding frenzy among data aggregators as well as law enforcement and intelligence agencies, both foreign and domestic. The journalists at 404 Media have published several blockbuster articles on this data ecosystem which have triggered backlashes from lawmakers and consumers alike. Today I’ll speak with two of the founders: Joseph Cox and Jason Koebler.

Interview Notes
404 Media: https://www.404media.co/
404 Media podcast: https://www.404media.co/the-404-media-podcast/
404 Media support: https://www.404media.co/faq/
Formation of 404 Media: https://www.nytimes.com/2023/08/22/business/media/404-media-vice-motherboard.html

Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:02:45: How did 404 Media come to be?
0:12:00: When do we think law enforcement started buying our data?
0:15:39: What’s up with companies listening to our conversations?
0:23:01: Where does law enforcement go to get our data?
0:27:46: How are video feeds being gathered and sold?
0:34:23: Can’t all this data also be used by “bad guys”?
0:39:13: Is it legal for law enforcement to buy data from foreign sources?
0:44:28: Have your stories triggered responses from the US government?
0:50:01: Trust in media is low these days – how can we fix that?
0:59:37: How can we support good work like yours?
1:03:22: Wrap-up
Mitigating AI Risks
Artificial Intelligence is the buzzword of the day. Since the launch of ChatGPT in November 2022, there has been a flood of AI-based tools and services. Many tech firms are racing to build AI into their products without considering the consequences, let alone taking the time to build in guardrails for privacy and security. Today, I’ll tell you about some of the risks, how to mitigate them, and explain why you should spend some time playing with AI tools so we can understand how they do (and don’t) work. In other news: Wyze home webcams had yet another security breach; Poland’s PM calls out illegal use of Pegasus spyware by the opposition party; US military finally notifies 20,000 of email data breach; Skiff was bought by Notion and will shut down services; FTC fines Avast antivirus $16.5M for mining user data; backdoors in encryption violate human rights according to EU court; LockBit ransomware servers were taken over by multinational law enforcement efforts; Apple’s iMessage gaining quantum-computer-resistant encryption; Signal finally allows users to hide cell phone numbers via usernames; new Android secure browsing features announced.
Article Links
[Lifehacker] Wyze Had a Security Breach (Again) https://lifehacker.com/tech/wyze-security-breach-again
[The Associated Press] Poland’s prime minister says authorities widely used spyware under the previous government https://apnews.com/article/poland-government-pegasus-spyware-tusk-duda-78420fc7099401926d28b5be98669192
[TechCrunch] US military notifies 20,000 of data breach after cloud email leak https://techcrunch.com/2024/02/14/department-defense-data-breach-microsoft-cloud-email/
[The Cut] The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger https://www.thecut.com/article/amazon-scam-call-ftc-arrest-warrants.html
https://pluralistic.net/2024/02/05/cyber-dunning-kruger/
[restoreprivacy.com] Skiff Mail Shutting Down in 6 Months (Try These Alternatives) https://restoreprivacy.com/skiff-shutting-down-alternatives-to-skiff-mail/
[404media.co] FTC Fines Avast $16.5 Million For Selling Browsing Data Harvested by Antivirus https://www.404media.co/impact-ftc-fines-avast-16-5-million-for-selling-browsing-data-harvested-by-antivirus/
[Ars Technica] Backdoors that let cops decrypt messages violate human rights, EU court says https://arstechnica.com/tech-policy/2024/02/human-rights-court-takes-stand-against-weakening-of-end-to-end-encryption/
[Ars Technica] LockBit ransomware group taken down in multinational operation https://arstechnica.com/information-technology/2024/02/lockbit-ransomware-group-taken-down-in-multinational-operation/
[WIRED] Apple’s iMessage Is Getting Post-Quantum Encryption https://www.wired.com/story/apple-pq3-post-quantum-encryption/
[signal.org] Keep your phone number private with Signal usernames https://signal.org/blog/phone-number-privacy-usernames/
[Lifehacker] These New Android Features Will Keep You Safer Online https://lifehacker.com/tech/android-safer-browsing-and-live-threat-detection-rolling-out
Tip of the Week: Mitigating AI Risks https://firewallsdontstopdragons.com/how-to-mitigate-the-risks-of-ai/
Further Info
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:44: AT&T outage, hot take
0:03:08: News rundown
0:04:44: Wyze Had a Security Breach (Again)
0:07:27: Poland’s PM says authorities used spyware under the previous government
0:10:19: US military notifies 20,000 of data breach after cloud email leak
0:13:50: The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger
0:22:37: Skiff Mail Shutting Down in 6 Months
0:27:14: FTC Fines Avast $16.5 Million For Selling Browsing Data
0:32:20: Backdoors that let cops decrypt messages violate human rights, EU court says
0:36:18: LockBit ransomware group taken down in multinational operation
0:39:41: Apple’s iMessage Is Getting Post-Quantum Encryption
0:45:02: Keep your phone number private with Signal usernames
0:49:20: These New Android Features Will Keep You Safer Online
0:52:12: Tip of the Week: Mitigating AI Risks
1:04:25: Wrap up
Car Privacy is Horrid
Modern cars are chock full of sensors and connected to the internet via built-in cellular modems. That’s a recipe for massive data collection. Last September, Mozilla’s Privacy Not Included team released a blockbuster report on how much data our cars were gathering, and it was absolutely staggering. According to the hard-to-find privacy policies, your car can collect extremely personal information including precise location, contact lists from your phone, call and message data, and – believe it or not – even “sexual activity”. Today, I’ll walk through this report and its implications with the head of Mozilla’s Privacy Not Included project, Jen Caltrider.
Interview Notes
Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/
Mozilla’s car report: https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/
Mozilla’s report on AI chatbots: https://foundation.mozilla.org/en/privacynotincluded/articles/happy-valentines-day-romantic-ai-chatbots-dont-have-your-privacy-at-heart/
Donate to Mozilla Foundation: https://donate.mozilla.org/
Mozilla layoffs: https://techcrunch.com/2024/02/13/mozilla-downsizes-as-it-refocuses-on-firefox-and-ai-read-the-memo/
Sign the petition to stop car data gathering! https://foundation.mozilla.org/en/privacynotincluded/articles/car-companies-stop-your-huge-data-collection-programs-en/
Bruce Schneier article in Slate: https://slate.com/technology/2023/12/ai-mass-spying-internet-surveillance.html
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:39: What were some top findings from your car privacy report?
0:05:14: Which cars did you review and how did you evaluate them?
0:09:44: How was I notified and how did I consent to my car’s privacy policy?
0:10:39: What are cars tracking? Are electric cars any worse than gas cars?
0:13:55: What third party data mining is going on in my car?
0:20:41: Is there a way to opt out of data sharing?
0:24:10: Is less data collected in Europe?
0:26:02: Where is all my data stored? Locally, in the cloud, or both?
0:28:52: Is the data at least secured?
0:29:48: Can dealerships access my data? What about law enforcement?
0:32:28: What about rental or fleet cars? What about passengers?
0:37:24: Do car dealers disclose this data collection to shoppers?
0:39:11: What are some of the security problems with this data collection?
0:45:55: How did car makers and legislators respond to your report?
0:48:36: Do modern privacy laws cover auto data?
0:50:48: So what can we do about this today?
0:54:30: What will Privacy Not Included tackle next?
0:58:40: Wrap-up
Avoiding Tax Scams
It’s tax time here again in the USA, and therefore it’s also time for tax scams. I’ll explain how to recognize common tax scams, how to respond to them, and how to prevent scammers from taking over your IRS account and even filing fraudulent tax returns in your name. In other news: the Mother of All Breaches (MOAB) contains 26 billion records; 23andMe is in trouble after a massive data breach and pending class action lawsuits; a viral story about a smart toothbrush botnet isn’t true… but could have been; a clever hack of older computer TPM modules could expose encrypted hard drive data (but it’s not easy to do); Malwarebytes has issued their 2024 malware report; the FBI and CISA are raising the alarm over Chinese hackers and key US infrastructure, as well as taking action to prevent it; you might want to consider creating a family password to defeat voice clone scams; Mozilla has released a new data deletion service; and Privacy4Cars has an interesting new mechanism for universally opting out of data collection.
Article Links
[cybernews] Mother of all breaches reveals 26 billion records https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/
[Fast Company] 23andMe at risk of being delisted from the Nasdaq as lawsuits mount https://www.fastcompany.com/91020738/23andme-risk-delisted-nasdaq-class-action-lawsuits
[404media.co] The Viral Smart Toothbrush Botnet Story Almost Certainly Isn’t Real https://www.404media.co/the-viral-toothbrush-ddos-botnet-story-almost-certainly-isnt-real/
[Tom’s Hardware] YouTuber breaks BitLocker encryption in less than 43 seconds with sub-$10 Raspberry Pi Pico https://www.tomshardware.com/pc-components/cpus/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico
[9to5Mac] Report: Mac security threats on the rise, here’s what to watch out for https://9to5mac.com/2024/02/06/report-mac-security-threats-on-the-rise/
[NBC News] FBI director to warn Chinese hackers aim to ‘wreak havoc’ on US critical infrastructure https://www.nbcnews.com/politics/national-security/fbi-director-warn-chinese-hackers-aim-wreak-havoc-us-critical-infrastr-rcna136524
[Ars Technica] Chinese malware removed from SOHO routers after FBI issues covert commands https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/
[cisa.gov] CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-secure-design-alert-urging-manufacturers-eliminate-defects-soho-routers
[9to5Mac] FCC outlaws voice cloning robocalls after AI-generated voice claimed to be President Biden https://9to5mac.com/2024/02/08/voice-cloning-robocalls/
[Electronic Frontier Foundation] Worried about AI voice clone scams? Create a family password https://www.eff.org/deeplinks/2024/01/worried-about-ai-voice-clone-scams-create-family-password
[The Verge] Firefox maker Mozilla has a new subscription to keep your info out of data brokers’ clutches https://www.theverge.com/2024/2/6/24062765/mozilla-monitor-plus-firefox-paid-subscription-privacy-data-broker-removal-requests
[optoutcode.com] A Privacy4Cars Universal Opt-Out Concept https://optoutcode.com/
Tip of the Week: Avoiding Tax Scams https://firewallsdontstopdragons.com/how-to-avoid-tax-scams/
Further Info
Secure Your Network: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/
Davos speech, original: https://www.youtube.com/watch?v=fJoEPRQMBuY
Davos speech, translated: https://www.youtube.com/live/6Fwv9Cek2F4?feature=shared&t=98
How to enable Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/
How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:57: News rundown
0:04:04: Mother of all breaches reveals 26 billion records
0:07:36: 23andMe at risk of being delisted from the Nasdaq as lawsuits mount
0:10:20: Viral Smart Toothbrush Botnet Story Isn’t Real
0:13:22: YouTuber breaks BitLocker encryption in less than 43 seconds with sub-$10 Raspberry Pi Pico
0:18:31: Mac security threats on the rise
0:22:27: FBI director to warn Chinese hackers aim to ‘wreak havoc’ on US critical infrastructure
0:23:55: Chinese malware removed from SOHO routers after FBI issues covert commands
0:29:48: CI
Securing Your Mac
Are Macs really safer than PCs? What should you do to make your Mac more secure? How do you know if your Mac has a virus? And how do you know which security apps you can trust? I’ll dig into all of these questions and more today with Mac security guru Patrick Wardle. Patrick Wardle is the founder of the Objective-See Foundation. Having worked at NASA and the NSA, as well as presented at countless security conferences, Patrick is passionate about all things related to macOS security, writing books on macOS malware, and releasing free open-source security tools to protect Mac users.
Interview Notes
Objective-See (free Mac tools): https://objective-see.org/
The Art of Mac Malware (book): https://taomm.org/
Objective by the Sea conference: https://objectivebythesea.org/
Apple’s Malware protections: https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1
Reinstall macOS in Recovery Mode: https://support.apple.com/en-us/HT204904
Jamf presentation on Apple anti-malware tools: https://www.jamf.com/resources/videos/a-closer-look-at-macos-built-in-security-tools/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:45: Interview setup
0:04:06: What have you been up to since we last had you on the show?
0:13:40: Are Macs safer than PCs?
0:17:34: How effective are modern antivirus programs?
0:22:25: Which are the better AV software programs?
0:24:45: Tell us about the Mac security apps that you created
0:27:53: How does Lulu differ from a regular firewall?
0:32:00: How do you know which security software you can trust?
0:38:00: How do we combat security fatigue?
0:43:22: Does the Apple App Store protect me from bad apps?
0:52:09: What’s your take on Apple’s new Lockdown Mode?
0:53:34: How do I know if my computer is infected with malware?
0:58:03: What should I do to protect my brand new Mac?
1:01:23: What worries you most right now? What gives you hope?
1:04:43: What’s next for you?
1:10:31: Wrap-up
Data Privacy Week 2024
While every week is Data Privacy Week here at Firewalls Don’t Stop Dragons, the rest of the world stops to join us in focusing on how and why to protect your personal data. I’ll give you some of my top privacy tips and refer you to a lot of top privacy resources. In the news: Microsoft executives’ emails are hacked by a nation-state actor; Facebook is gathering even more data with the help of other companies; a company is using real-time bidding to track us and sell to intelligence agencies; Mozilla outlines how incumbent browser owners tilt the playing field in favor of the owner; the EU is driving major changes to how iOS will work (but only in the EU); Brave browser simplifies its anti-fingerprinting options; Facebook limits how adult strangers can DM minors; FTC brings actions against GoodRx and Intuit; Samsung matches Google’s 7-year OS update promise; and Apple rolls out the Stolen Device Protection feature.
Article Links
[msrc.microsoft.com] Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
[Consumer Reports] Each Facebook User Is Monitored by Thousands of Companies https://www.consumerreports.org/electronics/privacy/each-facebook-user-is-monitored-by-thousands-of-companies-a5824207467/
[404media.co] Inside a Global Phone Spy Tool Monitoring Billions https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/
[Mozilla] Platform Tilt: Documenting the Uneven Playing Field for an Independent Browser Like Firefox https://blog.mozilla.org/netpolicy/2024/01/19/platform-tilt
[MacRumors] Here Are All the iPhone Changes Coming to EU Users by March 6 https://www.macrumors.com/2024/01/26/iphone-changes-coming-to-eu-users/
[brave.com] Brave browser simplifies its fingerprinting protections https://brave.com/privacy-updates/28-sunsetting-strict-fingerprinting-mode/
[9to5Mac] Adult strangers won’t be able to send DMs to teens on Instagram or Facebook https://9to5mac.com/2024/01/25/teens-on-instagram-safeguards/
[ftc.gov] FTC Statement on Intuit TurboTax Case https://www.ftc.gov/news-events/news/press-releases/2024/01/statement-samuel-levine-director-ftc-bureau-consumer-protection-regarding-commissions-order-opinion
[ftc.gov] FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising
[9to5Google] Samsung Galaxy S24 follows Google Pixel 8’s lead with 7 years of Android updates https://9to5google.com/2024/01/17/samsung-galaxy-s24-android-updates-policy/
[AppleInsider] How to use Stolen Device Protection https://appleinsider.com/articles/24/01/23/how-to-use-stolen-device-protection
Tip of the Week: Data Privacy Checklist https://fdsd.me/dpc
Further Info
Carey’s Data Privacy Checklist (just updated!): https://fdsd.me/dpc
Proton’s mention: https://www.linkedin.com/posts/protonprivacy_protonprivacyreadinglist-activity-7155246272273170432-XlM0
Jeff Jockisch’s Best Privacy Podcast results: https://www.linkedin.com/posts/jozian_privacypodcast-peopleschoice-privacyawards-activity-7146196804940820481-yB-P
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:29: Recent accolades
0:03:09: News preview
0:05:14: Microsoft’s Midnight Blizzard attack
0:08:48: Each Facebook User Is Monitored by Thousands of Companies
0:16:06: Inside a Global Phone Spy Tool Monitoring Billions
0:23:38: Platform Tilt: Documenting the Uneven Playing Field for Independent Browsers
0:29:25: iPhone Changes Coming to EU Users by March 6
0:38:09: Brave browser simplifies its fingerprinting protections
0:45:53: Adult strangers won’t be able to send DMs to teens on Instagram or Facebook
0:47:46: FTC Statement on Intuit TurboTax Case
0:50:54: FTC Enforcement Action to Bar GoodRx from Sharing Sensitive Health Info for Ads
0:54:45: Samsung Galaxy S24 follows Google Pixel 8’s lead with 7 years of Android updates
0:57:24: How to use Apple’s Stolen Device Protection
1:03:37: Tip of the Week: Data Privacy Checklist
1:06:10: Wrap up
Rise of the Slaughterbots
Drones are everywhere today. Cheap and tiny accelerometers, gyroscopes and processors have allowed us to create drones that anyone can afford and everyone can fly. Drones have been used by law enforcement and military forces as well – for surveillance, but also for killing. With the rapid development of AI technologies, what happens when we make these drones autonomous? What are the implications for privacy and security? I’ll discuss this and more with Nick Weaver, computer and cybersecurity expert, and chief mad scientist at Skerry Technologies.
Interview Notes
Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/
NYPD drone use: https://www.washingtonpost.com/nation/2023/09/01/drones-labor-day-parties-new-york/
AI drone “kills” its operator: https://www.reuters.com/article/factcheck-ai-drone-kills/fact-check-simulation-of-ai-drone-killing-its-human-operator-was-hypothetical-air-force-says-idUSL1N38023R/
The Future of Drone Warfare: https://www.schneier.com/blog/archives/2023/10/the-future-of-drone-warfare.html
Betaflight: https://github.com/betaflight/betaflight
Ardupilot: https://github.com/ArduPilot/ardupilot
PX4: https://github.com/PX4/PX4-Autopilot
Small Business Innovation Research: https://www.sbir.gov/
Further Info
Data Privacy Week: https://staysafeonline.org/programs/data-privacy-week/
Carey’s Data Privacy Checklist (just updated!): https://fdsd.me/dpc
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:21: Data Privacy Week teaser
0:01:11: Apple backdoor clarification
0:03:14: Interview setup
0:07:15: What first got you interested in autonomous drone technology?
0:10:27: What technologies have enabled the explosion of cheap drones?
0:15:22: What are the capabilities of modern consumer drones?
0:17:54: Are there any legal restrictions on flying drones?
0:20:44: Are there privacy laws around drone surveillance?
0:22:24: How are drones used by law enforcement?
0:25:14: How are drones being used for criminal purposes?
0:27:12: What level of autonomy or AI can be found in consumer drones today?
0:29:41: How hard is it to turn a DJI drone into an autonomous killbot?
0:35:49: What sorts of countermeasures have we developed against drones?
0:45:11: What roles have drones played in modern warfare?
0:48:40: Can you detect drones on radar?
0:50:22: Have drones influenced modern military tactics?
0:52:33: Are there treaties restricting autonomous killing machines?
0:55:51: What’s the future of autonomous drone tech?
0:58:46: Is it difficult today to make your own drone?
1:06:24: Interview wrap-up
1:09:08: Annual listener survey update
New Year’s Resolutions: 2024
The new year is here! And I’ve got a handful of solid tips for you that you should absolutely plan to accomplish in 2024! I also have a lot of news to catch you up on: 23andMe blames its customers for their data breach; Burger King in Brazil is using facial recognition to offer discounts based on how hungover you look; Russian agents hack live webcams to home in on targets in Ukraine; fake celebrity ads for Medicare scams on YouTube; Facebook’s Link History is a confusing new tracking feature; FTC orders location data broker to stop selling your info; Google’s new location history changes may spell the end for geofence warrants; AirDrop anonymity cracked by China; well-hidden iPhone backdoor discovered by Kaspersky; UK tries to further expand surveillance capabilities; the Beeper Mini messaging saga is over; and a marketing company is offering to listen in on real-time conversations to target ads.
Article Links
[TechCrunch] 23andMe tells victims it’s their fault that their data was breached https://techcrunch.com/2024/01/03/23andme-tells-victims-its-their-fault-that-their-data-was-breached/
[Dark Reading] Russian Agents Hack Webcams to Guide Missile Attacks on Kyiv https://www.darkreading.com/ics-ot-security/russian-agents-use-residential-webcams-to-gather-info-for-missile-attack-on-kyiv
[404media.co] Deepfaked Celebrity Ads Promoting Medicare Scams Run Rampant on YouTube https://www.404media.co/joe-rogan-taylor-swift-andrew-tate-ai-deepfake-youtube-medicare-ads/
[Gizmodo] Meet ‘Link History,’ Facebook’s New Way to Track the Websites You Visit https://gizmodo.com/meet-link-history-facebook-s-new-way-to-track-the-we-1851134018
[ftc.gov] FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data
[Electronic Frontier Foundation] Is This the End of Geofence Warrants? https://www.eff.org/deeplinks/2023/12/end-geofence-warrants
[9to5Mac] AirDrop cracked by China, revealing phone number and email address of sender https://9to5mac.com/2024/01/09/airdrop-cracked-by-china/
[Schneier Blog] New iPhone Exploit Uses Four Zero-Days https://www.schneier.com/blog/archives/2024/01/new-iphone-exploit-uses-four-zero-days.html
Security Now, Ep955: https://youtu.be/fJHzq4YOv68?si=WTdyr5LCXV4xJh-k&t=2105
[POLITICO Europe] Britain’s got some of Europe’s toughest surveillance laws. Now it wants more https://www.politico.eu/article/uk-bulking-up-spying-regime-breakneck-speed/
[MacRumors] Beeper Mini Resorts to Jailbreaking iPhones to Rescue Blue Bubbles https://www.macrumors.com/2023/12/21/beeper-mini-jailbroken-iphones-rescue-imessage/
[404media.co] Marketing Company Claims That It Actually Is Listening to Your Phone and Smart Speakers to Target Ads https://www.404media.co/cmg-cox-media-actually-listening-to-phones-smartspeakers-for-ads-marketing/
Tip of the Week: https://firewallsdontstopdragons.com/new-years-resolutions-for-2024/
Further Info
Take the annual listener survey! https://fdsd.me/survey2024
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:38: Listener survey
0:01:57: News rundown
0:04:35: 23andMe blames victims for their data breach
0:09:39: Russian Agents Hack Webcams to Guide Missile Attacks on Kyiv
0:15:19: Deepfaked Celebrity Ads Promoting Medicare Scams Run Rampant on YouTube
0:21:31: Meet ‘Link History,’ Facebook’s New Way to Track You
0:29:41: FTC Order Prohibits Data Broker from Selling Sensitive Location Data
0:33:13: Is This the End of Geofence Warrants?
0:36:57: AirDrop cracked by China, revealing phone number and email address of sender
0:43:11: New iPhone Exploit Uses Four Zero-Days
0:51:58: UK trying to expand surveillance powers
0:55:25: The Beeper Mini saga
1:01:25: Marketing Company Claims That It Actually Is Listening to Your Phone to Target Ads
1:07:44: Tip of the Week: New Year’s Resolutions!
1:19:43: Looking ahead
Investigating Data Leaks
Data breaches are usually produced by hackers looking for financial gain. Data leaks, on the other hand, are usually published by whistleblowers or perhaps accidentally disclosed via negligence. Journalists today are inundated by such data leaks – to the point where specialized tools and techniques are required to parse through the piles of digital detritus to ascertain the value and import that they may represent. Micah Lee has been performing this function for The Intercept for many years, including analyzing the Snowden documents. And he has just released a book that outlines the tools, techniques and procedures he uses for this arduous process. Today we discuss the importance and impact of whistleblowers, the state of data leaks today, and how it has impacted modern journalism.
Interview Notes
Micah’s book: https://hacksandleaks.com/
Excerpt article: https://theintercept.com/2023/12/16/hacked-datasets-verification/
Micah’s GitHub project: https://github.com/micahflee/hacks-leaks-and-revelations
COINTELPRO documentary: https://en.wikipedia.org/wiki/1971_(2014_film)
“The Burglary” book: https://www.amazon.com/Burglary-Discovery-Edgar-Hoovers-Secret/dp/0307962954
EFF’s Surveillance Self-Defense Guide: https://ssd.eff.org/
Further Info
Take the annual listener survey! https://fdsd.me/survey2024
Vote for my show as the best privacy podcast! http://tinyurl.com/PPPCAwards2024
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:29: Pre-show notes
0:03:32: Interview prep
0:05:57: Tell us more about the book and why you wrote it.
0:08:11: What’s the difference between a data breach and a data leak?
0:10:02: What are some of history’s most important leaks?
0:16:14: How do journalists typically obtain leaked data?
0:22:04: You’ve just obtained a massive blob of data. How do you analyze it?
0:27:05: How do you handle leaked data ethically?
0:30:14: Do you warn the owners of leaked data before you reveal it?
0:32:23: I want to blow the whistle. What should I do? What shouldn’t I do?
0:36:28: I’ve extracted my data. How do I securely share it with a journalist?
0:38:57: What are the legal ramifications of whistleblowing?
0:41:57: How hard is it to analyze digital data? What tools do you use?
0:44:39: Are there dangers to analyzing leaked data?
0:46:43: How do organizations try to identify data leakers?
0:49:42: Will AI tools like ChatGPT help to analyze data leaks?
0:52:19: What can the average person take away from all of this?
0:54:15: How do you know which news sources you can trust today?
0:56:08: Interview wrap-up
0:57:10: Micah blocked on Twitter?
0:57:55: Text parsing tools
0:58:30: Show links
0:58:53: Bonus podcast preview
0:59:42: Annual listener survey raffle info
Best of 2023 Bonus Content
Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I’ve got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests, along with an episode of my more-technical bonus series I call Merlin’s Musings. You’ll hear from Josh Corman (CISA and I Am the Cavalry), Ernesto Falcon (EFF and CA Senate candidate), Omega and Deth Veggie (Cult of the Dead Cow), Michael Littman (AI expert from Brown University) and Cory Doctorow (author and activist), plus the strange story of the ProxyHam.
Podcast Links
These are links to the public podcasts associated with the bonus clips I played today, along with some related links.
Ep332, Josh Corman: https://podcast.firewallsdontstopdragons.com/2023/07/10/national-cyber-strategy/
Cyberattacks on hospitals are growing threats to patient safety, experts say: https://abcnews.go.com/Health/cyberattacks-hospitals-growing-threats-patient-safety-experts/story?id=99115898
Ep334, Ernesto Falcon: https://podcast.firewallsdontstopdragons.com/2023/07/24/the-politics-of-privacy/
Ep336, Cult of the Dead Cow: https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/
Ep338, Michael Littman: https://podcast.firewallsdontstopdragons.com/2023/08/21/demystifying-ai/
Ep348, Cory Doctorow: https://podcast.firewallsdontstopdragons.com/2023/10/30/reclaiming-the-internet/
Wired article on ProxyHam: https://www.wired.com/2015/07/online-anonymity-project-proxyham-mysteriously-vanishes/
Hackaday ProxyHam: https://hackaday.com/tag/proxyham/
ProxyGambit: https://github.com/samyk/proxygambit
Further Info
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Send me your questions! https://fdsd.me/qna
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Subscribe to the newsletter: https://fdsd.me/newsletter
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:41: Josh Corman: analog back and sci-fi table top exercises
0:12:51: Ernesto Falcon: raising money and CA influence
0:19:19: Cult of the Dead Cow: Agent Steal
0:23:44: Michael Littman: Superintelligent AI risks vs reality
0:33:03: Cory Doctorow: Burning Man
0:41:00: Merlin’s Musings: ProxyHam
0:53:37: Wrap-up & patron perks
Classic Replay: Lavabit
Today, I dip back into the archives to bring you a classic interview from the first year of this podcast. In Episode 21 (Aug 2017) I interviewed Ladar Levison, the founder of the secure email service Lavabit. He started Lavabit in 2004 as one of the first truly secure, end-to-end encrypted email services focused on the privacy of users, almost ten years before Proton Mail launched. But when the FBI came (literally) knocking in 2013 asking him to subvert the encryption so that they could monitor his users (in particular a guy named Edward Snowden), Ladar decided to shut down Lavabit instead of complying. Ladar relaunched Lavabit in 2021 and I interviewed him that summer about his company, the right to privacy, the story of the shutdown, and much more. It’s as relevant today as it was then. Interview Notes Lavabit: https://lavabit.com/  Lavabit history: https://en.wikipedia.org/wiki/Lavabit  Mr Peabody and the Wayback Machine: https://en.wikipedia.org/wiki/Mister_Peabody  Further Info Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:29: Set the Wayback Machine for 2017! 0:04:10: Episode 1 intro 0:06:47: Ladar Levison episode intro 0:09:43: How and why did you start Lavabit? 0:13:24: Why did you shut Lavabit down in 2013? 0:18:36: How did the Snowden FBI request differ from the previous ones? 0:22:56: Why is privacy important for democracy? 0:26:56: Why don’t people seem to believe privacy is important? 0:28:32: Why should we fight for our right to privacy? 0:30:51: What is the legal basis for email searches? 
0:35:12: How should we allow law enforcement access to private data? 0:39:29: Do you worry about losing access to encryption technology? 0:51:25: Is secure email an oxymoron? 0:53:30: How do we protect users from themselves? 0:55:30: Who should be using encrypted email? 0:59:35: What is the new Lavabit service like? 1:01:33: How does Lavabit work with non-Lavabit recipients? 1:02:25: Is the new Lavabit service available now? 1:04:08: Does using E2EE services get you on some watch list? 1:05:56: How can people best support the right to privacy? 1:07:56: Wrap-up and look ahead
Best of 2023
I’ve culled through the podcasts from the last year and put together an hour’s worth of the best content! Here’s a nice little charcuterie sampler of the top interview segments from 2023. Episode Links Ep347 (Oct 16) What’s Your Threat Model? https://podcast.firewallsdontstopdragons.com/2023/10/16/whats-your-threat-model/  Ep342 (Sep 18) Your Face Belongs to Us https://podcast.firewallsdontstopdragons.com/2023/09/18/your-face-belongs-to-us/  Ep336 (Aug 7) Cult of the Dead Cow https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/  Ep348 (Oct 30) Reclaiming the Internet https://podcast.firewallsdontstopdragons.com/2023/10/30/reclaiming-the-internet/  Ep324 (May 15) – Probing the Ministry of Truth https://podcast.firewallsdontstopdragons.com/2023/05/15/probing-the-ministry-of-truth/  Ep338 (Aug 21) Demystifying AI https://podcast.firewallsdontstopdragons.com/2023/08/21/demystifying-ai/  Further Info Send me your questions! https://fdsd.me/qna  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Subscribe to the newsletter: https://fdsd.me/newsletter  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Support our mission! https://fdsd.me/support  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:09: Andy Yen, CEO Proton: LastPass breach 0:07:22: Kashmir Hill, NY Times: Clearview Ai 0:17:25: Omega and Deth Veggie, Cult of the Dead Cow: being a hacker 0:39:43: Cory Doctorow, author/activist: ensh*tification 0:49:42: Vincent Hendricks, author: social media 0:58:32: Michael Littman, Brown Univ: Dangers of AI 1:04:46: Wrap-up and look ahead
Restoring Trust in Elections
We here in the US like to believe that we’re the gold standard for democracy. And yet, in recent years, much of the electorate has lost faith in the outcome of our elections. Many security researchers have found concerning vulnerabilities in our voting systems, and yet we have no evidence that those vulnerabilities have actually been exploited. Many people believe that people are voting multiple times or that ineligible people are voting, and yet study after study shows that voter fraud is nearly non-existent. How can we restore trust in our election results? What changes must we make to our election systems and processes to promote complete transparency and remove doubt? Today I’ll dig deep into this complicated topic with Ben Adida, founder and Executive Director of VotingWorks. Interview Notes VotingWorks: https://www.voting.works/ Risk Limiting Audits with ARLO:  https://www.voting.works/risk-limiting-audits  Verified Voting, Verifier tool: https://verifiedvoting.org/verifier/  Ben’s PhD thesis defense (Verifying a Secret-Ballot Election with Cryptography) and much more: https://ben.adida.net/presentations/  Voluntary Voting System Guidelines (VVSG) 2.0: https://www.eac.gov/sites/default/files/TestingCertification/Voluntary_Voting_System_Guidelines_Version_2_0.pdf  Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/  ElectionGuard interview: https://podcast.firewallsdontstopdragons.com/2021/12/06/defending-democracy-with-technology/  DEF CON Voting Village videos: https://www.youtube.com/@defconvotingvillage/videos  Further Info Give the gift of privacy and security: https://fdsd.me/coupons  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support our mission! 
https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:28: What is the mission of VotingWorks and what drove you to found it? 0:04:39: How do elections work, exactly, here in the US? 0:12:26: How are all the votes tabulated and reported? 0:14:11: Where are US elections most vulnerable to influence? 0:19:52: How does accessibility impact security in elections? 0:24:27: How can we harden the election systems and processes? 0:31:16: How do risk-limiting audits work? 0:33:11: How vulnerable are election computers to hacking? 0:36:37: If our systems are vulnerable, why haven’t they been hacked? 0:43:37: How can we best convince people that our election outcomes are valid? 0:51:30: How prevalent is voter fraud in the US? 0:53:56: Do we have federal minimum guidelines for election security? 0:56:52: Why aren’t election systems open for third party review? 0:58:25: How do I learn about my local election systems and processes? 1:04:22: Wrap-up 1:07:34: Looking ahead
Using Email Aliases
Your online account credentials have two parts: a user name and a password. Today, most online providers force you to use your email address for your user name. This gives the service provider a guaranteed way to contact (and spam) their users, but it also means that bad guys know half of all your credentials and data brokers have a unique ID to track you across all your accounts. Today I’ll explain the value of using email aliases for your online user names. In other news: Iranian hackers attack US water plant; CISA launches program to address critical infrastructure threats; Google Drive users report missing data; Plex users fear new feature will leak p0rn watching habits; several articles on the ease of using data broker tools to spy on just about anyone, creating privacy and national security problems; smart mattress company CEO inadvertently reveals extent of data collection; concerns about IoT devices sold with a home; overblown fears over Apple’s new NameDrop feature; Zelle offering refunds to some scam victims; and Malwarebytes’ survey of people’s security practices (spoiler: it’s bad). Article Links [The Hacker News] Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S. 
https://thehackernews.com/2023/11/iranian-hackers-exploit-plcs-in-attack.html [Dark Reading] CISA Launches Pilot Program to Address Critical Infrastructure Threats https://www.darkreading.com/ics-ot/cisa-launches-pilot-program-critical-infrastructure-threats [AppleInsider] Google Drive users complain of missing files, months of data disappearing https://appleinsider.com/articles/23/11/27/google-drive-users-complain-of-missing-files-months-of-data-disappearing [404media.co] Plex Users Fear New Feature Will Leak Porn Habits to Their Friends and Family https://www.404media.co/plex-users-fear-discover-together-week-in-review-feature-will-leak-porn-habits-to-their-friends-and-family/ [Rolling Stone] We Spied on Trump’s ‘Southern White House’ From Our Couches https://www.rollingstone.com/culture/culture-features/data-brokers-trump-tech-spying-privacy-threat-1234897098/ [9to5mac.com] Data brokers selling even more sensitive info; national security risk, says report https://9to5mac.com/2023/11/14/data-brokers-sensitive-info/ [MIT Technology Review] The US military’s privacy problem in three charts https://www.technologyreview.com/2023/11/13/1083262/the-us-militarys-privacy-problem-in-three-charts/ [therecord.media] Court rules automakers can record and intercept owner text messages https://therecord.media/class-action-lawsuit-cars-text-messages-privacy [404media.co] CEO Reminds Everyone His Company Collects Customers’ Sleep Data to Make Zeitgeisty Point About OpenAI Drama https://www.404media.co/ceo-reminds-everyone-eightsleep-pod-collects-sleep-data-to-make-zeitgeisty-point-about-openai-drama/ [sdmmag.com] Who Is Gonna “Own” the IoT? 
https://www.sdmmag.com/articles/93730-who-is-gonna-own-the-iot [TechRadar] NameDrop in iOS 17 doesn’t have to be a privacy nightmare – here’s how to control it https://www.techradar.com/phones/ios/namedrop-in-ios-17-doesnt-have-to-be-a-privacy-nightmare-heres-how-to-control-it [9to5mac.com] Zelle scams: App now starting limited refunds, under pressure from lawmakers https://9to5mac.com/2023/11/13/zelle-scams/ [malwarebytes.com] 3 crucial security steps people should do, but don’t https://www.malwarebytes.com/blog/news/2023/10/the-3-crucial-security-steps-people-should-do-but-dont OwnCloud hack: https://www.helpnetsecurity.com/2023/11/28/cve-2023-49103/  Pros & Cons of Antivirus Software: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/  Tip of the Week: https://firewallsdontstopdragons.com/how-to-use-email-aliases-part-1/ Further Info Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:57: Important software updates 0:01:56: News run down 0:05:18: Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S. 
0:07:49: CISA Launches Pilot Program to Address Critical Infrastructure Threats 0:09:38: Google Drive users complain of missing files, data 0:14:55: Plex Users Fear New Feature Will Leak P*rn Habits to Their Friends and Family 0:19:34: We Spied on Trump’s ‘Southern White House’ From Our Couches 0:23:36: Data brokers selling even more sensitive info creating national security risk 0:26:48: The US military’s privacy problem in three charts 0:30:33: Court rules automakers can record and intercept owner text messages 0:32:49: CEO Reminds Everyone His Company Collects Customers’ Sleep Data via Tweet 0:39:09: Transferring IoT devices in a home sale 0:43:30: NameDrop in
Smart City Blues
City governments are relying more and more on a vast network of sensors to tell them what’s going on: stop light cameras, gunshot detectors, air quality sensors, license plate readers, automated toll booths, and much more. While these technologies can help the powers that be allocate precious resources and gain helpful insights, they can also lead to over-policing, chilling of free speech and mass warrantless surveillance. Today I’ll discuss the dangers of smart cities with Eleni Manis from the Surveillance Technology Oversight Project (STOP). Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/  S.T.O.P.’s Beginner’s Guide to the All-Too-Dumb World of Smart Cities: www.justcities.tech  CCOPS laws: https://www.eff.org/issues/community-control-police-surveillance-ccops  Further Info Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/ Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:04:38: What got you into researching smart cities? 0:09:03: What are the positive aspects of smart cities? 0:13:06: How ubiquitous are these smart city technologies? 0:15:32: What are some of the most concerning smart city technologies? 0:16:45: Is this data being shared between local and federal agencies? 0:19:14: Can students opt out of school surveillance? 0:20:48: How can the police access footage from video doorbells? 0:24:20: How is this tech used for predictive policing? 0:26:31: Do these predictive policing systems actually work? 
0:27:29: How does this mass surveillance affect people? 0:28:58: What about use of surveillance tech in neighborhoods? 0:33:56: Who operates these sensor networks? Who can access the data? 0:37:49: Is it possible to anonymize this data properly? 0:42:06: Can government agencies access our cellular data? 0:45:22: Can you refuse to hand your cell phone over to authorities? 0:48:04: Can we find ways to collect this data without ruining privacy? 0:49:42: How do I find out what smart city tech is being used in my area? 0:53:29: Wrap-up 0:54:57: Preview of upcoming shows
Best & Worst Gifts for 2023
The holiday gift-giving season is upon us – and therefore it’s time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I’ve got some top tips for how to shop for privacy-respecting, security-protecting products! I’ve even got some ideas for free and helpful stocking stuffers. In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children’s tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing ‘staggering’ amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU. Article Links [The Hacker News] FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks https://thehackernews.com/2023/11/fcc-enforces-stronger-rules-to-protect.html [TechCrunch] Children’s tablet has malware and exposes kid’s data, researcher finds https://techcrunch.com/2023/11/16/childrens-tablet-has-malware-and-exposes-kids-data-researcher-finds/ [BleepingComputer] PJ&A says cyberattack exposed data of nearly 9 million patients https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/ [8newsnow.com] Hackers target Las Vegas plastic surgeons, post patient information, naked photos online https://www.8newsnow.com/investigators/hackers-target-las-vegas-plastic-surgeons-post-patient-information-naked-photos-online/ [Ars Technica] Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/ [bitwarden.com] Bitwarden launches passkey 
management https://bitwarden.com/blog/bitwarden-launches-passkey-management/ [Electronic Frontier Foundation] Article 45 Will Roll Back Web Security by 12 Years https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/  Further Info Give Thanks!: https://firewallsdontstopdragons.com/give-thanks-donate/  Consumer Reports Naughty List: https://foundation.mozilla.org/en/privacynotincluded/articles/our-longest-naughty-list-ever-the-2023-holiday-buyers-guide-is-here/  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: News run-down 0:03:18: FCC Enforces Stronger Rules to Protect Against SIM Swapping 0:06:39: Children’s tablet has malware and exposes kid’s data 0:11:22: Cyberattack exposed data of nearly 9 million patients 0:15:16: Hackers target plastic surgeons, post patient info, naked photos online 0:22:37: Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing 0:27:10: Bitwarden launches passkey management 0:30:45: Article 45 Will Roll Back Web Security by 12 Years 0:39:00: Best & Worst Gifts for 2023 0:42:38: The Naughty List 0:47:50: The Nice List 0:59:14: Give thanks! 1:00:03: FDSD Merch sale! 1:00:25: Upcoming shows & promotion
Smartphone Spyware
Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus, which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but they are often used to abuse or stalk adult partners or ex-lovers. Today I’ll discuss the state of these malicious apps, ways to protect our smartphones and even detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole. Interview Notes iVerify app: https://www.iverify.io/consumer xkcd “Security” cartoon: https://xkcd.com/538/  Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:38: Interview setup 0:03:08: How does iVerify work and why did you create it? 0:07:10: What sort of people need protection like iVerify? 0:11:07: How do you know that you can trust a security app? 0:14:54: What do MDM profiles do to my phone? Is it reversible? 0:20:37: How dangerous are third-party app stores, compared to Apple/Google? 0:27:37: If an app I’ve installed is pulled from the app store, will I be notified? 0:28:50: How hard is it today to jailbreak a phone? 
0:31:49: How do you tell if a phone has been hacked? 0:33:21: Can you detect if an app has escaped its sandbox? 0:38:09: What is the marketplace like for spyware? 0:41:36: Are phones getting harder to hack? 0:44:16: Is it possible to detect or prevent hacking via physical access? 0:49:11: How do Apple and Google phones compare on security? 0:52:08: How does Apple’s Lockdown Mode work? 0:54:47: Should governments outlaw the sale of mercenary spyware? 1:01:10: Should governments hoard 0-days or disclose them? 1:03:31: What are your top security tips for regular users? 1:05:44: What’s next for iVerify? 1:07:28: Wrap-up
The Rise of Cellular IoT
Connecting all our stuff to the internet – making devices “smart” – brings with it a lot of risks. Besides the more obvious cybersecurity vulnerabilities, these devices are also collecting a lot of personal data, offsetting razor thin profit margins by monetizing our data. In most cases, we can limit this data exfiltration using outbound firewalls and DNS services, or just by disconnecting the devices from the internet altogether. But lately I’ve been seeing devices coming configured with cellular data connections, which would effectively bypass your home network entirely – and therefore your ability to block or control the data flow. In other news: 1Password discloses security breach; Drug makers to pay 23andMe for access to your DNA; EFF publishes guidance for 23andMe customers after further data breach; Apple’s private Wi-Fi MAC address feature has never worked right, until now; Hackers find side-channel attack on Apple Silicon to pull private data from Safari browsers; Windows PCs targeted with new malware; YouTube is waging a new war on ad blockers; Apple’s iMessage has new method to thwart ‘ghost’ listeners; the White House releases sweeping executive order on AI; Pew publishes new study on data privacy views. 
Article Links [BleepingComputer] 1Password discloses security incident linked to Okta breach https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/ [Bloomberg] Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA https://www.bloomberg.com/news/articles/2023-10-30/23andme-will-give-gsk-access-to-consumer-dna-data [Electronic Frontier Foundation] What to Do If You’re Concerned About the 23andMe Breach https://www.eff.org/deeplinks/2023/10/what-do-if-youre-concerned-about-23andme-breach [AppleInsider] Apple’s private Wi-Fi MAC addresses were security theater until iOS 17.1 https://appleinsider.com/articles/23/10/27/apples-private-wi-fi-mac-addresses-were-security-theater-until-ios-171 [Ars Technica] Hackers can force iOS and macOS browsers to divulge passwords and much more https://arstechnica.com/security/2023/10/hackers-can-force-ios-and-macos-browsers-to-divulge-passwords-and-a-whole-lot-more/ [TechRadar] Windows PCs are being targeted with a nasty new malware – here’s what you need to know https://www.techradar.com/pro/security/windows-pcs-are-being-targeted-with-a-nasty-new-malware-heres-what-you-need-to-know [404media.co] YouTube’s ‘War’ on Adblockers Shows How Google Controls the Internet https://www.404media.co/youtubes-war-on-adblockers-shows-how-google-controls-the-internet/ [9to5mac.com] iMessage Contact Key Verification blocks the ‘ghost proposal’ plan by government spy agency https://9to5mac.com/2023/10/30/imessage-contact-key-verification-reason/ [Mashable] White House drops an AI regulation bombshell: 10 new mandates that’ll shake up the industry https://mashable.com/article/white-house-drops-ai-regulation-bombshell [pewresearch.org] How Americans View Data Privacy https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/ Tip of the Week: The Rise of Cellular IoT https://firewallsdontstopdragons.com/the-rise-of-cellular-iot/   Further Info Get your Firewalls Don’t 
Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:56: News rundown 0:03:11: 1Password discloses security incident linked to Okta breach 0:06:09: Drugmakers Are Set to Pay 23andMe Millions to Access Consumer DNA 0:10:08: What to Do If You’re Concerned About the 23andMe Breach 0:16:32: Apple’s private Wi-Fi MAC addresses were security theater until iOS 17.1 0:18:59: Hackers can force iOS and macOS browsers to divulge private data 0:25:14: Windows PCs are being targeted with a nasty new malware 0:30:24: YouTube’s ‘War’ on Adblockers Shows How Google Controls the Internet 0:38:48: iMessage Contact Key Verification blocks the ‘ghost proposal’ plan by government spy agency 0:43:50: White House drops an AI regulation bombshell 0:49:53: How Americans View Data Privacy 0:54:33: Tip of the Week: The Cellular IoT Bypass 1:03:14: Wrap-up
Reclaiming the Internet
What happened to the internet? It had so much promise. Social media and search results are full of stuff we never wanted to see. Surveillance capitalism is monetizing our most private information to serve us so many ads that we can never seem to consume the actual content. And if we’re all so unhappy with the incumbents, where are the competitors offering better service? Cory Doctorow helps us understand how the internet got so crappy and what we can do to fix it. Cory Doctorow is a science fiction author, activist, journalist and blogger at the site Pluralistic. He has written a bunch of great books, both fiction and non, including Little Brother, Red Team Blues and Chokepoint Capitalism. Interview Notes TikTok’s Ensh*tification: https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys Cory’s blog: https://pluralistic.net/ Cory at DEF CON 31: https://www.youtube.com/watch?v=rimtaSgGz_4  The Internet Con: https://craphound.com/category/internetcon/  Chokepoint Capitalism: https://chokepointcapitalism.com/  Red Team Blues: https://craphound.com/category/novels/redteamblues/   Saving the News from Big Tech: https://www.eff.org/deeplinks/2023/04/saving-news-big-tech  Tracking Exposed: https://tracking.exposed/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 
0:00:55: Defining some terms 0:03:57: Swear warning 0:04:25: What have you been up to since we last had you on the show? 0:07:58: What is ensh*tification? How does it work? 0:18:26: Have any companies actually completed the ensh*tification cycle? 0:22:36: Do we have concrete examples of interoperability breaking this cycle? 0:29:07: What percentage of oday are not what we asked for? 0:37:04: What happens to DRM’d content when the licencing company goes away? 0:39:19: How can we reverse engineer these algorithms? 0:41:04: How is social media promotion like a big carnival teddy bear? 0:44:28: Whatever happened to the Amazon Smile program? 0:45:58: What do you mean by the End-to-End Principle? 0:51:53: Isn’t ensh*tification just a natural result of modern capitalism? 0:54:02: Doesn’t capitalism require rules (aka regulations)? 0:57:18: So what are the solutions? How do we fix the internet? 1:02:46: Did we undermine antitrust by lowering the bar of consumer harm? 1:04:25: What can we do to help, as consumers and citizens? 1:07:06: Wrap-up 1:07:50: Looking ahead
It’s Time to Try Proton
Email is old and was never built for security and privacy. Thankfully there are several modern secure email services. My personal favorite is Proton Mail and I’ll explain to you today why you should really give it a try. I will also (finally) answer several interesting “Dear Carey” questions from listeners. In other news: If you use WinRAR, you need to update right away; hackers are targeting a company that brokers Emergency Data Requests between law enforcement and Big Tech companies; Google is forced to reveal user search history in a CO court case; Google is making passkeys the default, but you may want to wait; EFF asks MasterCard to stop selling our data; and Bruce Schneier has an insightful article around the rather heated discussions over the benefits and dangers of artificial intelligence. Article Links [Gizmodo] You Need to Update WinRAR, Right Now https://gizmodo.com/you-need-to-update-winrar-right-now-1850939201 [404media.co] Hackers Target Company That Vets Police Data Requests for Tech Giants https://www.404media.co/hackers-target-kodex-accounts-edrs/ [TechSpot] Google forced to reveal user search history in Colorado court ruling https://www.techspot.com/news/100529-google-forced-reveal-users-search-queries-colorado-court.html [blog.google] Passwordless by default: Make the switch to passkeys https://blog.google/technology/safety-security/passkeys-default-google-accounts/ [Electronic Frontier Foundation] Mastercard Should Stop Selling Our Data https://www.eff.org/deeplinks/2023/10/mastercard-should-stop-selling-our-data [Schneier Blog] AI Risks https://www.schneier.com/blog/archives/2023/10/ai-risks.html Tip of the Week: Try Proton https://firewallsdontstopdragons.com/its-time-to-try-proton/ Further Info De-Googling Your Life: https://firewallsdontstopdragons.com/reducing-my-google-footprint/  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! 
https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:12: News rundown 0:02:38: You Need to Update WinRAR, Right Now 0:05:10: Hackers Target Company That Vets Police Data Requests for Tech Giants 0:11:22: Google forced to reveal user search history in Colorado court ruling 0:15:59: Google: Passwordless by default 0:21:48: EFF: Mastercard Should Stop Selling Our Data 0:25:59: Bruce Schneier: AI Risks 0:33:12: Mailbag!! 0:42:28: Tip of the Week: Try Proton 0:54:25: Wrap up, look ahead
What’s Your Threat Model?
There are several privacy-focused services available today. And the products we use have a dizzying array of privacy and security settings. How do you know which products you need and which vendors you can trust? How do you know which protections you need and which ones you don’t? It comes down to understanding your personal threat model. We each have different things to protect and different consequences for failure. Today I’ll speak with Andy Yen, CEO and founder of Proton, to help us figure out what we need. Interview Notes Proton Sentinel: https://proton.me/blog/sentinel-high-security-program  Privacy Decrypted #1: https://proton.me/blog/what-is-a-threat-model?ref=instantsearch  Private from Everyone (But Us):  https://podcast.firewallsdontstopdragons.com/2022/04/25/private-from-everyone-but-us/ Security Planner (threat model tool): https://innovation.consumerreports.org/initiatives/security-planner/  Ars Technica threat model series: https://arstechnica.com/features/2021/10/securing-your-digital-life-part-1/  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 
0:01:03: Show preview 0:01:44: Delete Act passes 0:02:36: What’s new at Proton since we last spoke? 0:07:00: How do you determine your personal threat model? 0:09:21: How does Proton decide which threat models to address? 0:13:40: How do you learn about all the possible security settings? 0:15:37: How do you know which companies and products you can trust? 0:18:11: How should VC money and buyouts affect our trust? 0:22:30: What should tech reviewers be focusing on with privacy products? 0:26:24: How important is a company’s location for privacy? 0:28:47: Are technological solutions sufficient to protect our data? 0:30:22: Has Proton received any pressure from governments to weaken privacy? 0:33:27: Does Proton actively market to government officials? 0:34:43: How can larger companies protect against insider threats? 0:37:05: What’s your take on the LastPass breach? 0:41:32: What is Proton Sentinel and who is it for? 0:46:09: Will Sentinel be able to scale? 0:47:31: Proton asks Sentinel users for personal information – is that safe? 0:51:04: Can you share any specific Sentinel success stories? 0:53:39: What other features would you like to add to Proton? 0:58:30: Wrap-up 1:00:11: Look ahead
Cybersecurity Awareness Month
October is national Cybersecurity Awareness Month here in the US. One of the four key themes this year is Recognizing and Reporting Phishing. We just discussed this at length with Nick Oles, but I wanted to give my perspective and tell you how to report phishing emails to the proper authorities. In other news: cheap Android TV boxes come laced with malware and fraud software; 23andMe investigating massive data breach; US agencies caught using location data illegally; Meta proposes subscription plans in Europe for Facebook and Instagram; FBI warns of ‘phantom hacker’ scams targeting elderly; new Microsoft AI tool can simulate any voice with just 3 seconds of audio; attackers don’t bother brute-forcing long passwords; free upgrade from Windows 7/8 to 10 is going away soon; FCC details plans to reinstate net neutrality; how to turn off Google’s new Topics tracking system; new app from Consumer Reports to delete personal data; new privacy-respecting URL shortening tool from Panquake. Article Links [WIRED] Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor https://www.wired.com/story/android-tv-streaming-boxes-china-backdoor/ [cyberscoop.com] DNA testing service 23andMe investigating theft of user data https://cyberscoop.com/23andme-user-data-theft/ [404media.co] ICE, CBP, Secret Service All Illegally Used Smartphone Location Data https://www.404media.co/ice-cbp-secret-service-all-broke-law-with-smartphone-location-data/ [9to5mac.com] Meta proposing ad-free Facebook and Instagram plans for up to $17/month https://9to5mac.com/2023/10/03/facebook-instagram-no-ads-plan/ [BleepingComputer] FBI warns of surge in ‘phantom hacker’ scams impacting elderly https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/ [futurism.com] New Microsoft AI Can Clone Your Voice From Three Seconds of Audio https://futurism.com/the-byte/new-microsoft-ai-clone-your-voice [therecord.media] Attackers don’t bother brute-forcing long 
passwords, Microsoft engineer says https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/ [TechRadar] Been putting off that free Windows 11 or 10 upgrade? Windows 7 and 8 diehards need to move fast https://www.techradar.com/computing/windows/been-putting-off-that-free-windows-11-or-10-upgrade-windows-7-and-8-diehards-need-to-move-fast [Ars Technica] FCC details plan to restore the net neutrality rules repealed by Ajit Pai https://arstechnica.com/tech-policy/2023/09/fcc-details-plan-to-restore-the-net-neutrality-rules-repealed-by-ajit-pai/ [Electronic Frontier Foundation] How To Turn Off Google’s “Privacy Sandbox” Ad Tracking—and Why You Should https://www.eff.org/deeplinks/2023/09/how-turn-googles-privacy-sandbox-ad-tracking-and-why-you-should [CNET] This App Can Delete Your Personal History from Websites. And It’s Simple https://www.cnet.com/tech/services-and-software/this-app-can-delete-your-personal-history-from-websites-and-its-simple-heres-how-to-use/ [talkliberation.substack.com] NOW SERVING: An early release of the Panquake Pie! https://talkliberation.substack.com/p/panquake-early-release-pnqk-now-available Tip of the Week: Catching Phish: https://firewallsdontstopdragons.com/how-to-catch-a-phish/  Further Info Win a copy of “How to Catch a Phish”! https://fdsd.me/catchaphish  National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month  Microsoft’s VALL-E voice-gen tool: https://www.microsoft.com/en-us/research/project/vall-e-x/  Panquake URL shortener: https://pnqk.me/  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 
0:00:21: iOS update, book giveaway 0:01:17: News rundown 0:03:33: Your Cheap Android TV Streaming Box May Have a Dangerous Backdoor 0:07:03: DNA testing service 23andMe investigating theft of user data 0:10:53: ICE, CBP, Secret Service All Illegally Used Smartphone Location Data 0:15:32: Meta proposing ad-free Facebook and Instagram plans for up to $17/mo 0:19:26: FBI warns of surge in ‘phantom hacker’ scams impacting elderly 0:24:07: New Microsoft AI Can Clone Your Voice From Three Seconds of Audio 0:33:34: Attackers don’t bother brute-forcing long passwords 0:38:08: Free upgrade to Windows 10 about to be cut off 0:41:05: FCC details plan to restore the net neutrality rules 0:45:13: How To Turn Off Google’s “Privacy Sandbox” Ad Tracking 0:51:05: This App Can Delete Your Personal History from Websites 0:56:09: Panquake releases free URL shortening tool 0:59:33: Tip of the Week: Re
Catching Phish
The weakest link in most cybersecurity systems is you – that is, human beings. And one of the primary ways that people are tricked into infecting their devices (and potentially then threatening other devices on the network) is through phishing. We’ve all seen the Nigerian Prince scams, but with AI tools like ChatGPT, scam emails are going to get a lot harder to spot. On today’s show, author and cybersecurity expert Nick Oles will teach us how to recognize phishing emails, introduce us to tools for detecting and protecting against phishing, and detail other techniques for defending against these sorts of attacks. All of this is just a taste of the top-notch advice contained in his new book, “How to Catch a Phish”. Interview Notes How to Catch a Phish: https://www.amazon.com/How-Catch-Phish-Practical-Detecting/dp/1484293606  Win a free copy!! https://fdsd.me/catchaphish Nick Oles on LinkedIn: https://www.linkedin.com/in/nick-o-8b5b6349/ National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month  Virustotal URL scanner: https://www.virustotal.com/gui/home/url  URLscan.io: https://urlscan.io/ SANS PICERL Incident Response model (PDF): https://www.sans.org/media/score/504-incident-response-cycle.pdf  Malwarebytes personal: https://www.malwarebytes.com/getprotection  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 
0:00:45: Patron book club update 0:02:11: Nat’l Cybersecurity Awareness Month 0:02:48: What drove you to write the book? 0:06:57: What really happens behind the scenes when I send an email? 0:13:37: What are email headers and why would I want to look at them? 0:17:13: How are email senders spoofed and can we prevent this? 0:23:35: Do email clients have indicators for vetted senders? 0:25:40: What is phishing and how can we recognize it? 0:32:06: How has phishing evolved over the years? 0:37:01: What are spearphishing and business email compromise? 0:40:24: Do spam filters help at all with phishing emails? 0:42:50: How do I know if I can trust any link or URL in an email? 0:48:34: Are web email clients safer than dedicated email apps? 0:51:35: How can we know which email attachments are safe to open? 0:54:48: If I accidentally click a bad link or attachment, what then? 0:59:11: How will AI impact phishing campaigns? 1:01:13: Are things getting better or getting worse? 1:04:08: Interview wrap-up 1:07:44: Book giveaway details
iOS 17 Security & Privacy
Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I’ll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loved ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others. In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too difficult to use. 
Article Links [MakeUseOf] Update Everything: This Critical WebP Vulnerability Affects Major Browsers and Apps https://www.makeuseof.com/critical-webp-vulnerability-affects-major-browsers-apps/ [Consumer Reports] Credit Bureaus Equifax, Experian, and TransUnion Announce Permanent, Free Weekly Access to Credit Reports https://www.consumerreports.org/money/credit-scores-reports/credit-bureaus-permanent-free-weekly-credit-report-access-a2226546788/ [proton.me] Introducing Proton CAPTCHA https://proton.me/blog/proton-captcha [The Washington Post] FTC consumer protection chief puts data brokers on notice https://www.washingtonpost.com/politics/2023/09/21/ftc-consumer-protection-chief-puts-data-brokers-notice/ [briankrebs] LastPass: ‘Horse Gone Barn Bolted’ is Strong Password https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/ [ZDNet] Why you can still trust (other) password managers, even after that LastPass mess https://www.zdnet.com/article/why-you-can-still-trust-other-password-managers-even-after-that-lastpass-mess/ [The Verge] ‘Hyundai Pay’ is the latest effort by car companies to make in-car payments a thing https://www.theverge.com/2023/9/6/23861412/hyundai-pay-parkopedia-in-car-payment [theprivacydad.com] Privacy Tools Are Not Worth the Hassle https://theprivacydad.com/privacy-tools-are-not-worth-the-hassle/ [TechCrunch] iOS 17 includes these new security and privacy features https://techcrunch.com/2023/09/18/ios-17-includes-these-new-security-and-privacy-features/ Tip of the Week: iOS 17 Security & Privacy: https://firewallsdontstopdragons.com/ios-17-security-privacy/ Further Info Secure Your Home Network article series: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/   Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! 
https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: Delete Act update 0:00:59: BSides RDU 0:01:54: News rundown 0:04:20: Critical WebP Vulnerability Affects Major Browsers and Apps 0:12:22: Credit Bureaus Announce Permanent, Free Weekly Access to Credit Reports 0:17:24: Introducing Proton CAPTCHA 0:22:07: FTC consumer protection chief puts data brokers on notice 0:26:19: LastPass requiring users to create longer passwords 0:32:58: Why you can still trust (non-LastPass) password managers 0:43:01: ‘Hyundai Pay’ in-car payments coming 0:45:38: “Privacy Tools Are Not Worth the Hassle” 0:54:57: Tip of the Week: iOS 17 security & privacy features 1:01:25: Send me your Dear Carey questions 1:02:29: Looking ahead
Your Face Belongs to Us
When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that they were in – even just in the background. And if those pictures were associated with a social media profile, we could identify the owner of the face along with their friends and family – all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book “Your Face Belongs to Us”. Interview Notes Your Face Belongs to Us: https://www.kashmirhill.com/book  Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests  FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endritrestelica_ai-tech-activity-7098293527951851520-Mejy/ PimEyes: https://pimeyes.com/  Fawkes masking tool: https://sandlab.cs.uchicago.edu/fawkes/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: Tell us about your beat at the New York Times 0:02:17: What is the Clearview app and what does it do? 0:05:12: How did you come to write about Clearview AI? 
0:07:40: What happened when you first investigated this company? 0:11:46: How did Clearview AI obtain all these images of our faces? 0:14:24: Why are privacy advocates calling for a ban on this technology? 0:16:36: Do the makers of Clearview appreciate the privacy implications of their tool? 0:18:56: How did 9/11 influence our views on surveillance technology? 0:22:33: Who has access to the Clearview app? 0:24:14: How do we know who is using this tool? 0:25:22: How has Clearview tried to win approval for this tool? 0:27:37: What’s to stop others from copying this technology? 0:31:05: Wasn’t Clearview used to ban lawyers from venues in NYC? 0:33:13: Didn’t Illinois sue Clearview AI and win? 0:34:09: Where else is facial recognition being used today? 0:38:05: How often is FRT used in solving crimes in the US? 0:41:26: What about cases where FRT identifies the wrong person? 0:43:23: How accurate are these tools? What causes them to fail? 0:45:59: How accurate is Clearview compared to other tools? 0:47:02: How well does Clearview deal with facial hair, masks, etc? 0:50:01: What can we do to protect our faces online? 0:52:33: How well can Clearview pick out faces in the background? 0:54:41: What’s the future of privacy in a world full of cameras? 0:56:24: What can we do to rein in abuse of FRT? 0:58:00: Wrap up and a look ahead
Remediate Your Network
Today I wrap up my four-part series on how to secure your home network. We’ve enumerated our devices, gotten rid of stuff we don’t need, assessed the state of our devices and now it’s time to actually remediate any vulnerabilities we found. I’ll walk you through everything you need to do. In other news: Chrome’s Topics API has rolled out (and I’ll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right, and cities are suing; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages. Article Links [The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads-topics-sandbox [citizenlab.ca] NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ [TechCrunch] FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/ [AppleInsider] UK backs down from nonsensical law after threats from Apple, WhatsApp https://appleinsider.com/articles/23/09/06/uk-backs-down-from-nonsensical-law-after-threats-from-apple-whatsapp [Tom’s Guide] Macs under threat from malicious ads spreading malware — don’t fall for this https://www.tomsguide.com/news/macs-under-threat-from-malicious-ads-spreading-malware-dont-fall-for-this [briankrebs] Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/ [WIRED] Apple’s Decision to Kill 
Its CSAM Photo-Scanning Tool Sparks Fresh Controversy https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/ [VICE] Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing https://www.vice.com/en/article/93kdmp/kias-and-hyundais-keep-getting-stolen-by-the-thousands-and-cities-are-suing [Gizmodo] If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416 [techxplore.com] Researchers issue warning over Chrome extensions that access private data https://techxplore.com/news/2023-09-issue-chrome-extensions-access-private.html Tip of the Week: Remediate Your Network: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/ Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 
0:00:29: Kashmir Hill interview coming 0:01:40: News rundown 0:04:32: How to disable Chrome’s new targeted ad tracking 0:07:12: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild 0:10:36: FBI operation dismantles Qakbot botnet 0:13:51: UK backs down from nonsensical law after threats from Apple, WhatsApp 0:17:10: Macs under threat from malicious ads spreading malware 0:23:03: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach 0:28:51: Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy 0:36:30: Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing 0:41:41: If You’ve Got a New Car, It’s a Data Privacy Nightmare 0:48:04: Researchers issue warning over Chrome extensions that access private data 0:56:03: Tip of the Week: Remediate Your Network 1:05:05: Wrap-up
Containing Big Data
In the US today we’re dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU’s GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What’s our data worth? And how can we protect it? I’ll discuss all of this and more with my guest, Tom Kemp. Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy. Interview Notes Containing Big Tech: https://www.tomkemp.ai/containing-big-tech  Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/  LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-airegulatio7087548531820941312/  SB362 (Delete Act): https://www.darkreading.com/endpoint/why-the-california-delete-act-matters  Tom’s post on SB362: https://www.linkedin.com/posts/tomkemp_sb362-databrokers-privacy-activity-7103448636260302848-Qg6p Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! 
https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:20: Follow me on Bluesky? 0:01:32: Interview preview 0:02:59: What are data brokers? Would we recognize their names? 0:06:07: How big is the data broker industry? 0:08:35: You say there are 5 different types of data brokers – what are they? 0:12:10: Are there financial data brokers outside the US? 0:15:53: Are we granting permission for data collection without realizing it? 0:18:44: Who is making money off our data and what is it really worth? 0:21:56: Who is selling our data out the back door? 0:26:50: Why is location data so valuable? 0:28:40: How much of my data is raw and how much is inferred or extrapolated? 0:33:06: How often do data records contain errors? 0:36:24: How much of our personal data is publicly available? 0:38:46: Can we have an ad-based web economy and privacy, too? 0:44:56: Are behavioral ads really worth more than contextual ads? 0:48:08: Can antitrust laws be leveraged against data collection? 0:50:46: Can laws requiring transparency in data collection be a stepping stone? 0:56:14: Why can’t we pass a federal privacy law? 0:58:25: What can we do right now to limit data collection? 1:01:50: What else does your book cover? 1:05:28: Interview wrap-up 1:06:01: Delete Act (SB362) Update 1:06:58: A note on warranty registrations 1:08:11: Global Privacy Control article 1:08:28: Patron podcast teaser 1:08:50: Look ahead
Assessing Your Network Security
In the third part of my series on securing your home network, we’ll assess your security and privacy vulnerabilities. In prior weeks, we’ve exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don’t need to be “smart” (Simplify). Now it’s time to investigate the remaining devices and think about what we need to do to secure them. In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year’s end; LinkedIn accounts are being targeted for takeover; Intel’s GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police need to be transparent about social media monitoring; Kansas newspaper raid by police teaches us how better to encrypt our data; hackers are selling credit report info on just about any American; NSA director tells employees to spy “with dignity and respect”. 
Article Links [TechRadar] One of the worst Mac malware strains is back and hiding as a productivity app – so beware https://www.techradar.com/pro/security/one-of-the-worst-mac-malware-strains-is-back-and-hiding-as-a-productivity-app-so-beware [Tom’s Guide] Thousands of Android malware apps use stealthy APKs to bypass security, study finds https://www.tomsguide.com/news/thousands-of-android-malware-apps-use-stealthy-apks-to-bypass-security-study-finds [Ars Technica] Illinois just made it possible to sue people for doxxing attacks https://arstechnica.com/tech-policy/2023/08/illinois-just-made-it-possible-to-sue-people-for-doxxing-attacks/ [TechCrunch] Meta plans to roll out default end-to-end encryption for Messenger by the end of the year https://techcrunch.com/2023/08/22/meta-plans-to-roll-out-default-end-to-end-encryption-for-messenger-by-the-end-of-the-year/ [TechRadar] LinkedIn user accounts have been taken over in huge hacking campaign https://www.techradar.com/pro/security/linkedin-user-accounts-have-been-taken-over-in-huge-hacking-campaign [extremetech.com] Intel’s GPU Drivers Now Collect Telemetry https://www.extremetech.com/gaming/intels-gpu-drivers-now-collect-telemetry-including-how-you-use-your-computer [TechCrunch] Tesla says data breach impacting 75,000 employees was an insider job https://techcrunch.com/2023/08/21/tesla-breach-employee-insider/ [BBC] Why US tech giants are threatening to quit the UK https://www.bbc.com/news/technology-66304002 [The Intercept] Police Are Getting DNA Data From People Who Think They Opted Out https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/ [The Associated Press] A Pennsylvania court says state police can’t hide how it monitors social media https://apnews.com/article/pennsylvania-police-aclu-social-media-monitoring-1508189aba86cc776e19892b4a2b358a [freedom.press] What a newsroom police raid teaches us about encrypting our devices 
https://freedom.press/training/blog/marion-record-police-raid/ [404media.co] The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/ [The Intercept] NSA Orders Employees to Spy on the World “With Dignity and Respect” https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/ Tip of the Week: Securing Your Network 3: Assess: https://firewallsdontstopdragons.com/secure-your-network-3-assess/  Further Info Dragon Challenge Coin promotion: https://fdsd.me/promo823 Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:52: News rundown 0:03:09: One of the worst Mac malware strains is back 0:06:15: Android malware apps use stealthy APKs to bypass security 0:09:17: Illinois now allows you to sue for doxxing attacks 0:13:59: Meta to roll out default E2EE for Messenger by year’s end 0:17:06: LinkedIn accounts taken over in huge hacking campaign 0:19:39: Intel’s GPU Drivers Now Collect Telemetry 0:23:34: Data breach impacting 75,000 Tesla employees was inside job 0:26:39: Why US tech giants are threatening to quit the UK 0:
Demystifying AI

Unless you’ve been living under a rock, you’ve seen several news stories about AI, machine learning and so-called Large Language Models. While tools like ChatGPT hold a lot of promise, many are deeply concerned about AI replacing jobs, generating potent malware, and being used in phishing and disinformation campaigns. Today I will ask AI expert Michael Littman to explain clearly what AI is and what it isn’t, how the technology actually works, and what we should and maybe shouldn’t be worried about.

Michael Littman is a computer science professor at Brown University who has won several prestigious teaching awards while studying machine learning and the implications of artificial intelligence. He serves as division director for Information and Intelligent Systems at the National Science Foundation and is also a Fellow of the Association for the Advancement of Artificial Intelligence and the Association for Computing Machinery.

Interview Notes
Gathering Strength, Gathering Storms: The One Hundred Year Study on Artificial Intelligence: https://ai100.stanford.edu/gathering-strength-gathering-storms-one-hundred-year-study-artificial-intelligence-ai100-2021-study
Code to Joy book preorder: https://www.amazon.com/Code-Joy-Everyone-Should-Programming/dp/0262546396/
Michael Littman’s website: https://www.littmania.com/
Gandalf AI challenge: https://gandalf.lakera.ai/
ChatGPT: https://openai.com/blog/chatgpt
Stable Diffusion: https://stability.ai/stablediffusion
Canva Image Generator online: https://www.canva.com/ai-image-generator/
Paperclip Maximizer: https://en.wikipedia.org/wiki/Instrumental_convergence#Paperclip_maximizer

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:56: Dragon coin promo update
0:01:51: Interview preview
0:03:15: What is Artificial Intelligence, really?
0:05:36: Is it a mistake to anthropomorphize AI?
0:08:50: What is AI versus machine learning?
0:11:59: How does AI differ from normal computer code?
0:14:49: What is a large language model or LLM?
0:18:45: What does it take to create an LLM?
0:22:04: Why are these AI models limited to certain points in time?
0:26:46: How are these chat bots leading people to believe they’re sentient?
0:28:54: What was behind the AI explosion in late 2022?
0:32:29: How do AI systems generate images from text prompts?
0:35:36: How are AI systems affected by their training data?
0:40:24: Which concerns about AI are justified and which are overblown?
0:44:55: What sorts of jobs may be impacted by AI?
0:47:15: Is there an art to creating AI prompts?
0:48:43: Can you trick AI systems?
0:51:42: How do we detect AI output? How should we restrict this technology?
0:56:19: How can we try out these AI systems to learn more?
0:59:26: What’s the next big thing in AI?
1:02:12: Why should people learn to do a little coding?
1:05:27: Wrap-up
1:07:01: Gandalf AI game
1:08:19: Upcoming interviews
Hacker Summer Camp 2023

Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences – BSides Las Vegas, Black Hat and DEF CON – run for over a week, each overlapping the other. They bring top-tier security researchers, government and industry leaders, and eager hackers together to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I’ll tell you about my trip to BSides and DEF CON in 2023.

Article Links
[securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information
https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/
[9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher
https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/
[whitehouse.gov] Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software
https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/
Donate to Maui wildfire relief fund: https://www.gofundme.com/f/5auw5q-maui-wildfire-relief-fund
Veilid project (cDc): https://veilid.com/
Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice
Namecheck from Steve Gibson: https://youtu.be/hGyVuszu0F8?t=6240
CalyxOS mention: https://en.wikipedia.org/wiki/CalyxOS
Tom Kemp on LinkedIn Live: https://www.tomkemp.ai/blog/2023/7/19/live-event-the-state-of-us-privacy-and-ai-regulation

Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:04: Preview
0:01:27: Look ma, I’m on Wikipedia!
0:02:16: Steve Gibson reads FDSD
0:03:16: Show overview
0:04:29: What is Hacker Summer Camp?
0:06:21: Using Lockdown Mode on Apple
0:07:20: BSides Las Vegas 2023, Josh Corman, et al
0:08:28: BSides pool party
0:09:44: I skipped out on linecon
0:11:36: I skipped the merch line, too
0:12:36: Darknet Diaries meets FDSD
0:13:13: r00t party!
0:15:14: cDc announces Veilid platform
0:18:48: Voting Village, brush with Chris Krebs
0:20:34: Interview with Nick Oles
0:22:49: Meet Joe Gray (“Practical Social Engineering” author)
0:23:22: cDc Veilid launch party
0:24:19: Checking in with the Hack-a-Sat team
0:38:00: EFF Tech Trivia
0:38:37: Hacker Jeopardy
0:40:11: Evacuation of Caesar’s Forum
0:41:50: Closing ceremonies
0:42:48: No swag or amulet sightings
0:43:31: Downfall: New Intel CPU Attack Exposing Sensitive Information
0:47:24: Mac malware can easily bypass Apple’s Background Task Manager
0:52:22: Maui wildfire relief fund
0:53:01: DARPA Launches AI Cyber Challenge
0:54:07: Looking ahead
0:55:28: Dragon coin promotion is ending soon
Cult of the Dead Cow

In the early 1980s, personal computers started entering our homes. Prior to the internet and services like America Online (AOL), there were online bulletin board systems (BBS) where people could share text files via phone modem connections. Of course, if you wanted to connect to a BBS outside your home area code, you would have to dial long distance – which at the time could be prohibitively expensive. Necessity is the mother of invention, and it’s no coincidence that some of the earliest hacking was of the phone system to get free long distance calls. One of the first named groups of hackers was The Cult of the Dead Cow (aka cDc). Today I’ll reminisce about the old days with two prominent members of cDc: Deth Veggie and Omega. We’ll talk about what it was like in the days prior to the internet, how hackers think, and how hacking has evolved over the years. We’ll talk about how cDc pioneered the hacktivist movement and how their group overlapped and interacted with other famous groups like L0pht Heavy Industries, Masters of Deception (MOD), Legion of Doom (LOD) and much, much more.

Interview Notes
The Cult of the Dead Cow: https://cultdeadcow.com/
“The Cult of the Dead Cow” book: https://www.hachettebookgroup.com/titles/joseph-menn/cult-of-the-dead-cow/9781549169991/
cDc text files: http://textfiles.com/groups/CDC/
The Hacker’s Manifesto: http://phrack.org/issues/7/3.html
Hactivismo Declaration: https://web.archive.org/web/20090502054355/http://www.cultdeadcow.com/cDc_files/declaration.html
cDc’s unofficial suggested reading/viewing list: https://fdsd.me/cdclist

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:43: Interview prep
0:03:51: How did cDc start and where did it get its name?
0:08:11: How did you get involved with cDc?
0:11:15: What is a BBS? What are textfiles?
0:15:36: What sort of information did these textfiles contain?
0:23:46: What really happened in the Hacker Wars?
0:25:28: How did phone phreaking work?
0:29:43: How did you choose your handle? When did you first use it in public?
0:37:47: Two things War Games got right
0:38:38: Blue boxes and red boxes
0:40:26: What did your friends & family think? How have perceptions of hackers changed?
0:45:16: What is hacktivism? What sort of hacktivist behavior is acceptable?
0:51:58: What are some examples of hacktivism?
0:55:19: What are some signs that I might enjoy hacking?
1:01:49: Hacking in the real world, questioning everything.
1:04:38: Books and movies with accurate portrayals of hackers & hacking?
1:11:14: Interview wrap-up
1:12:46: Patron bonus material & promo
1:16:04: Next week’s show may be delayed
Less is More

Last time, I told you how to enumerate all the devices on your home network. Before we go to the trouble of analyzing and mitigating their vulnerabilities, we should take the opportunity to cull the inventory. Do you really need all of these devices? Or could you forgo the “smart” features that require them to be connected to your network? Today we’ll talk about reducing your attack surface before we bother trying to secure it.

In other news: the White House announces a new cybersecurity labeling program; the SEC mandates a 4-day reporting window for cyber attacks; EFF opposes a bill that threatens our privacy; stolen Microsoft signing keys behind a set of targeted US government email hacks; more details emerge about Facebook mining Onavo VPN for user data; TETRA radios used for decades are revealed to have deliberately weakened encryption; ALPR data is now being used with AI algorithms to guess which cars might contain criminals; Apple threatens to pull FaceTime and iMessage from the UK over proposed surveillance law changes; Google’s Web Integrity API causes a stir; Apple to require justification for use of some APIs that might compromise user privacy.

Article Links
[whitehouse.gov] Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers
https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
[The Hacker News] New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days
https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
[Electronic Frontier Foundation] Amended Cooper Davis Act Is a Direct Threat to Encryption
https://www.eff.org/deeplinks/2023/07/amended-cooper-davis-act-direct-threat-encryption
[TechCrunch] Microsoft lost its keys, and the government got hacked
https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/
[Financial Review] Facebook admits it used app to ‘know nearly everything’ about users
https://www.afr.com/companies/media-and-marketing/facebook-admits-it-used-app-to-know-nearly-everything-about-users-20230713-p5do2a
[WIRED] Code Kept Secret for Years Reveals Its Flaw—a Backdoor
https://www.wired.com/story/tetra-radio-encryption-backdoor/
[Forbes] This AI Watches Millions Of Cars Daily And Tells Cops If You’re Driving Like A Criminal
https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/
[MacRumors] Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes
https://www.macrumors.com/2023/07/20/apple-threatens-to-pull-facetime-and-imessage-uk/
[Ars Technica] Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web
https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
[MacRumors] Apple Developers Required to Justify Use of Some APIs in Latest Move to Boost Privacy
https://www.macrumors.com/2023/07/28/developers-required-to-justify-api-use/
Tip of the Week: Less is More: https://firewallsdontstopdragons.com/secure-your-network-2-simplify/

Further Info
Stop the bad bills: https://www.eff.org/deeplinks/2023/07/you-can-help-stop-these-bad-internet-bills
Dragon Challenge Coin Promo! https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna

Table of Contents
Add time-based list of markers.