
Firewalls Don't Stop Dragons Podcast
484 episodes — Page 4 of 10
The Politics of Privacy
Despite growing demand from US citizens for privacy protections, the federal government has failed repeatedly to enact basic privacy laws. However, one US state – California – has led the charge on privacy and passed regulations that have benefited people outside the state. Today I’ll speak with Ernesto Falcon, who is currently running for California State Senate in District 7. He has decades of experience in public policy, particularly in the realm of privacy rights, both in politics and with the Electronic Frontier Foundation. We’ll talk about how the legislative sausage is made, why we can’t seem to pass privacy regulations, how lobbyists influence policy, and much more.

Disclaimer: Views, opinions, or statements expressed are solely those of the candidate and not of his employer, the Electronic Frontier Foundation.

Interview Notes
Ernesto Falcon’s campaign website: https://www.ernestofalcon.com/
California Consumer Privacy Act: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California Privacy Rights Act: https://en.wikipedia.org/wiki/California_Privacy_Rights_Act

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Interview prep
0:02:40: Tell us about your CA Senate campaign
0:10:56: How have CA privacy laws impacted the greater US?
0:15:45: How do we regain control over our data?
0:17:59: What is preventing a good federal privacy law?
0:24:36: What are the dangers of all this personal data being hoarded?
0:31:01: How does HIPAA actually work? What doesn’t it cover?
0:33:01: What is the EARN IT Act and why does EFF oppose it?
0:37:58: How do child safety laws undermine privacy?
0:40:41: How are legal wire taps different from backdoors in encryption?
0:43:10: Won’t repressive regimes abuse encryption backdoors?
0:44:45: Is on-device scanning a valid compromise solution?
0:47:07: Will we ever win the Crypto Wars?
0:48:59: How can we best support the privacy cause?
0:52:00: Would more privacy transparency be a good first step?
0:54:35: Are monopolies part of the problem here?
0:58:53: What’s next for you and your senate campaign?
1:00:42: Post interview wrap-up
1:01:46: Go talk to your representative!
1:02:55: Dragon Challenge Coin Promotion!
IoT Inventory
The Internet of Things (IoT) has added internet connections to lots of home devices. Each and every one of those devices runs software on a computer chip. Almost all software has bugs, and those bugs may be exploitable by bad guys. We’re going to take another look at protecting our home networks using a simple, logical methodology. Step one: SCAN. That is, first of all, we need to understand the scope of the problem by enumerating all of the devices on your home network. I’ll explain how to do that.

In other news: Apple re-releases security update after web glitch; EV chargers are vulnerable to hacking which could have significant impacts; tax prep firms shared ‘extraordinarily sensitive’ data with Meta; Meta’s new Threads service collects tons of personal info and employs dark patterns to hook you in; France passes law giving law enforcement access to private device cameras, mics and locations; police are collecting and selling personal info, bypassing the 4th Amendment and sharing across state lines; Massachusetts weighs outright ban on selling user location data; printers and printing services may be mining your documents for data.

Article Links
[MacRumors] Apple Releases Revised iOS and macOS Security Updates to Fix Actively Exploited Vulnerability and Safari Bug https://www.macrumors.com/2023/07/12/apple-releases-revised-security-updates/
[WIRED] EV Charger Hacking Poses a ‘Catastrophic’ Risk https://www.wired.com/story/electric-vehicle-charging-station-hacks/
[The Associated Press] 3 tax prep firms shared ‘extraordinarily sensitive’ data about taxpayers with Meta, lawmakers say https://apnews.com/article/irs-taxpayer-tax-preparation-meta-congress-9315cfca7a0942ab89f765d183fbf822
[Ars Technica] How Threads’ privacy policy compares to Twitter’s (and its rivals’) https://arstechnica.com/security/2023/07/how-threads-privacy-policy-compares-to-twitters-and-its-rivals/
[Yanko Design] The ‘Threads’ App is FILLED With Deceptive Dark Design Patterns – We Spotted More Than TEN https://www.yankodesign.com/2023/07/07/the-threads-app-is-filled-with-deceptive-dark-design-patterns-we-spotted-more-than-ten/
[Gizmodo] France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens’ Phones https://gizmodo.com/france-bill-allows-police-access-phones-camera-gps-1850609772
[Tampa Bay Times] Hillsborough, Clearwater police monitoring private security cameras https://www.tampabay.com/news/hillsborough/2023/07/10/hillsborough-clearwater-police-monitoring-private-security-cameras/
[New York Daily News] NYPD seeks to grab cell phone IDs from people under arrest or in custody; push for IMEI numbers raises concerns https://www.nydailynews.com/new-york/nyc-crime/ny-nypd-campaign-cellphone-idenfiication-numbers-controversy-20230708-yltabdlozfbppeoodxymyub3zq-story.html
[The Sacramento Bee] California cops illegally share data with anti-abortion states https://www.sacbee.com/news/politics-government/capitol-alert/article275795726.html
[Engadget] Massachusetts weighs outright ban on selling user location data https://www.engadget.com/massachusetts-weighs-outright-ban-on-selling-user-location-data-191637974.html
[The Washington Post] Your printing service might read your documents. Here’s what to know. https://www.washingtonpost.com/technology/2023/07/10/printing-privacy-security-printed-documents/

Tip of the Week: IoT Inventory https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:45: News preview
0:03:37: Apple Releases Revised iOS and macOS Security Updates
0:07:30: EV Charger Hacking Poses a ‘Catastrophic’ Risk
0:13:27: 3 tax prep firms shared ‘extraordinarily sensitive’ data with Meta
0:17:10: How Threads’ privacy policy compares to Twitter’s
0:22:15: ‘Threads’ App is FILLED With Deceptive Dark Design Patterns
0:28:53: France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens’ Phones
0:31:30: Tampa Bay area police monitoring private security cameras
0:35:31: NYPD seeks to grab cell phone IDs from people under arrest or in custody
0:42:19: California cops illegally share data with anti-abortion states
0:46:14: Massachusetts weighs outright ban on selling user location data
0:49:50: Your printing service might read your documents
0:56:
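The enumeration step described above, as an added example (not code from the podcast or the linked how-to): a Python script that parses the neighbor table your own computer already keeps, in the text formats printed by `arp -a` (macOS and Linux) or `ip neigh` (Linux), normalises the addresses, marks randomised MACs, and diffs the result against a baseline of devices you have already identified so that anything new stands out. The sample table output and the baseline labels are constructed for the example; the ARP table only lists hosts your machine has recently exchanged packets with, so populate it first with a ping sweep such as `nmap -sn 192.168.1.0/24` (or ping every address) before you parse it.

```python
"""Home-network device inventory from the local ARP / neighbor table.

Added example, not code from the podcast. Parses the text printed by
`arp -a` (macOS and Linux formats) or `ip neigh` (Linux), normalises each
entry to (ip, mac, name), marks locally administered (randomised) MACs,
and compares the result with a baseline of devices you have already
identified so that anything new stands out. The sample output and the
baseline labels below are constructed for the example.
"""
import re
from dataclasses import dataclass

IPV4 = r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})"
# 1-2 hex digits per octet: macOS prints "a:2b:8c:1:22:33" without leading zeros
MAC = r"(?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})"

# macOS: "? (192.168.1.1) at a4:2b:8c:11:22:33 on en0 ifscope [ethernet]"
# Linux: "router.lan (192.168.1.1) at a4:2b:8c:11:22:33 [ether] on eth0"
ARP_LINE = re.compile(r"^(?P<name>\S+) \(" + IPV4 + r"\) at " + MAC)
# Linux `ip neigh`: "192.168.1.23 dev eth0 lladdr 3c:22:fb:aa:bb:cc REACHABLE"
IP_NEIGH_LINE = re.compile(r"^" + IPV4 + r" dev \S+ lladdr " + MAC)


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str   # normalised: lowercase, two hex digits per octet, colon separated
    name: str  # reverse-DNS name if the tool printed one, else ""


def normalize_mac(mac):
    """Lowercase, colon-separated, two hex digits per octet."""
    return ":".join(part.lower().zfill(2) for part in re.split(r"[:-]", mac))


def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered address.
    Phones with MAC randomisation enabled show up this way and the address
    may change between visits, so don't key your inventory on it alone."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_neighbor_table(text):
    """Return one Device per line that carries a resolved MAC.
    Incomplete/FAILED entries and IPv6 lines are skipped."""
    devices, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ARP_LINE.match(line) or IP_NEIGH_LINE.match(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        name = m.groupdict().get("name") or ""
        if name == "?":           # arp prints "?" when there is no reverse name
            name = ""
        key = (m["ip"], mac)
        if key in seen:
            continue
        seen.add(key)
        devices.append(Device(m["ip"], mac, name))
    return devices


def audit(text, baseline):
    """Split parsed devices into (known, unknown) using a {mac: label} baseline."""
    known, unknown = [], []
    for dev in parse_neighbor_table(text):
        (known if dev.mac in baseline else unknown).append(dev)
    return known, unknown


# Constructed sample: what `arp -a` on Linux might print after a ping sweep.
SAMPLE_ARP = """\
router.lan (192.168.1.1) at a4:2b:8c:11:22:33 [ether] on eth0
? (192.168.1.23) at 3c:22:fb:aa:bb:cc [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
? (192.168.1.77) at 6a:1f:0:9:8:7 [ether] on eth0
"""

# Constructed baseline: devices you have already walked around and identified.
BASELINE = {
    "a4:2b:8c:11:22:33": "ISP router",
    "3c:22:fb:aa:bb:cc": "living-room TV",
}

if __name__ == "__main__":
    known, unknown = audit(SAMPLE_ARP, BASELINE)
    for dev in known:
        print(f"known    {dev.ip:<15} {dev.mac}  {BASELINE[dev.mac]}")
    for dev in unknown:
        note = " (randomised MAC, likely a phone or laptop)" if is_locally_administered(dev.mac) else ""
        print(f"UNKNOWN  {dev.ip:<15} {dev.mac}  {dev.name or '-'}{note}")
```

Keep the baseline in a file you update as you identify each device; the point of the exercise is that the UNKNOWN list should be empty on a network you fully understand, and a new entry there is your cue to go find the device.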
National Cyber Strategy
After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining its priorities and goals. It’s a wide-ranging and ambitious document consisting of five major areas of focus, or “pillars”. What’s new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and me? Today I’ll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA).

Interview Notes
National Cybersecurity Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy
PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o
I Am the Cavalry: https://iamthecavalry.org/
CISA Secure by Design: https://www.cisa.gov/securebydesign

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:55: Interview setup
0:04:00: What is this strategy document, at a high level?
0:14:02: What are some of the more important or novel aspects?
0:18:05: Do agencies have the budget and authority to implement these strategies?
0:22:11: Will having a gov’t backstop actually encourage attacks or discourage preparation?
0:30:40: Should the gov’t actively scan US firms/orgs for vulnerabilities?
0:36:56: What should we do about the marketplace for zero-day hacks?
0:39:52: How aggressive should the US be against hackers?
0:41:03: What is NOT addressed by this strategy?
0:45:55: How should we manage our dependencies on foreign software and hardware?
0:52:59: What can everyday people take away from these strategies?
0:59:50: Has this document already had impacts? How do we monitor progress?
1:03:56: Interview wrap-up
1:07:40: Looking ahead
Access Backup Plan
You’re using a password manager. You’re even using two-factor authentication. Great! When done properly, this will keep the bad guys out. Unfortunately, if you’re not careful, it may also keep you out. If you forget your master password or lose access to your 2FA device, you’ll be in real trouble… unless you have an access backup plan. This same plan can also help your spouse or next of kin to access your accounts should you die or become incapacitated.

In the news: CISA issues a DDoS warning after multiple attacks; LetMeSpy stalkerware maker suffers a data breach of collected data; researchers recover cryptographic keys from LED power-light flicker; Australian PM recommends citizens power cycle their phones once a day; several artists boycott venues that use facial recognition; Brave browser introduces new localhost access permission; Proton unveils new password manager; Dear Carey questioner asks about PDF readers.

Article Links
[BleepingComputer] CISA issues DDoS warning after attacks hit multiple US orgs https://www.bleepingcomputer.com/news/security/cisa-issues-ddos-warning-after-attacks-hit-multiple-us-orgs/
[TechCrunch] LetMeSpy, a phone tracking app spying on thousands, says it was hacked https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands/
[The Hacker News] Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers https://thehackernews.com/2023/06/researchers-find-way-to-recover.html
[9to5mac.com] Why tips like ‘turn off your iPhone for five minutes’ don’t actually help users https://9to5mac.com/2023/06/26/turn-off-your-iphone-for-5-minutes-advice/
[Rolling Stone] Tom Morello, Zack de la Rocha, and Boots Riley Boycotting Venues That Use Face-Scanning Technology https://www.rollingstone.com/music/music-features/tom-morello-zack-de-la-rocha-facial-recognition-concerts-boycott-1234775909/
[BleepingComputer] Brave Browser boosts privacy with new local resources restrictions https://www.bleepingcomputer.com/news/security/brave-browser-boosts-privacy-with-new-local-resources-restrictions/
[9to5mac.com] Proton Pass end-to-end encrypted password manager is here and free for everyone https://9to5mac.com/2023/06/28/proton-pass-encrypted-password-manager-free/

Tip of the Week – Access Backup Plan: https://firewallsdontstopdragons.com/craft-your-access-backup-plan/

Further Info
Saving your Apple Photo Stream pics: https://support.apple.com/en-us/HT210705
Securityzed podcast: https://www.securityzed.com/podcast-test/securityzed-ltfyn-7xm5l-b8c8s-km25d-jbagp-6k9d4-39cr9-z5nhw-w4jwm

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:00: Photo Stream, Securityzed podcast
0:03:21: News rundown
0:05:10: CISA issues DDoS warning after attacks hit multiple US orgs
0:09:29: LetMeSpy stalkerware maker says it was hacked
0:16:43: Researchers Recover Crypto Keys from LED Flickers
0:24:07: Turn your iPhone off every day for 5 mins?
0:29:39: Artists boycotting venues that Use Face-Scanning Technology
0:34:02: Brave Browser boosts privacy with localhost restrictions
0:41:28: Proton debuts new password manager
0:45:56: Dear Carey question
0:50:05: Tip of the Week
1:00:32: Wrap-up
Hacking in Space
Right now there are thousands of satellites orbiting above our heads performing crucial tasks. At the end of the day, they’re just computers running software – albeit at thousands of miles up and thousands of miles per hour. Can they be hacked? What are the dangers? Aaron Myrick and the Hack-A-Sat team are trying to answer those questions. And they’re doing it by launching an actual satellite into low earth orbit for this year’s DEF CON hacking contest and asking talented hackers from around the world to take their best shot.

Interview Notes
Moonlighter Fact Sheet: https://aerospace.org/fact-sheet/moonlighter-fact-sheet
Hack-A-Sat 4: https://hackasat.com/moonlighter/
Hack-A-Sat GitHub resources: https://github.com/deptofdefense/hack-a-sat-library
Space-Track.org: https://www.space-track.org/
Moonlighter launch: https://vimeo.com/833432259/4ba9b0927b

Further Info
Amulet of Entropy (DEF CON badge): https://amuletofentropy.com/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:36: Update Apple devices, ASUS routers
0:01:03: Misc updates
0:03:08: Interview setup
0:04:19: What is Aerospace Corp and what do you do there?
0:08:25: What are things satellites do that we might not think about?
0:13:42: Break down some key stats on satellites for us.
0:17:27: How might we be affected by loss of satellites?
0:21:31: How do you hack an orbiting satellite, logistically?
0:24:38: What sorts of attacks are we worried about?
0:26:58: How do we debug problems in orbiting satellites?
0:30:55: How is hacking a satellite different from a computer?
0:35:23: What happens to old satellites?
0:41:26: What is the Hack-A-Sat program about?
0:43:35: How did the target systems work, prior to this year?
0:46:39: What have we learned so far from past contests?
0:51:24: What’s new with Hack-A-Sat 4?
0:52:43: When and how will Moonlighter launch?
0:58:30: What kinds of things can I hack on Moonlighter?
1:00:43: What’s the future for Hack-A-Sat?
1:03:26: Wrap-up
Go Forth, Do Good Deeds
I launched my mission to improve people’s privacy and security almost ten years ago now. It’s been quite a journey and I’ve learned a lot in that time. One thing I’ve realized is that there’s only so much I can do on my own. And so I’ve encouraged the more technically savvy members of my audience to help others where they can. One downside to being a podcaster is that I don’t have much insight into the effectiveness of my exhortations. I have no idea how many people are going forth to do good deeds nor what those deeds are. So today I’m launching a new campaign to solicit stirring stories of good deeds, and every quarter or so I will select the most inspiring deed-doers and reward them with one of my dragon challenge coins!

In the news: Clop ransomware gang lists first victims of MOVEit supply chain hacks; firmware bug in Gigabyte motherboards has a fix now; US Congress and intelligence agencies debate reform for mass surveillance program; tissue and fluid samples are being abused by law enforcement for DNA scans; check washing scams are on the rise; how to avoid being scammed by virtual kidnapping schemes; 1Password announces beta support for browser passkey extension; bold new plan for 311 cyber support line.

Article Links
[TechCrunch] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/
[restoreprivacy.com] Hackers Stole Millions of Driver’s Licenses and IDs from U.S. States https://restoreprivacy.com/hackers-stole-millions-of-drivers-licenses-and-ids-from-u-s-states/
[Tom’s Hardware] Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected https://www.tomshardware.com/news/gigabyte-motherboards-come-with-a-firmware-backdoor
[cyberscoop.com] Congress and intelligence officials spar over surveillance reforms https://cyberscoop.com/congress-fbi-section-702/
Senate hearing: https://www.judiciary.senate.gov/oversight-of-section-702-of-the-foreign-intelligence-surveillance-act-and-related-surveillance-authorities
[aclu.org] Donated Blood or an Organ? Police Shouldn’t Have Easy Access to Your DNA https://www.aclu.org/news/privacy-technology/donated-blood-or-an-organ-police-shouldnt-have-easy-access-to-your-dna
[Lifehacker] Why You Should Stop Sending Checks in the Mail, Especially Now https://lifehacker.com/why-you-should-stop-sending-checks-in-the-mail-especia-1850543113
[connectsafely.org] Quick-Guide to Virtual Kidnapping Scams https://connectsafely.org/virtualkidnapping/
[9to5mac.com] 1Password passkey support for the web launches in public beta on the Mac https://9to5mac.com/2023/06/06/1password-passkey-browser-extension/
[WIRED] The Bold Plan to Create Cyber 311 Hotlines https://www.wired.com/story/ut-austin-cybersecurity-clinic-311/

Tip of the Week: Go Forth, Do Good Deeds: https://fdsd.me/quest

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: News preview
0:03:01: Clop ransomware hits several public and private organizations
0:11:32: Firmware Backdoor Discovered in Gigabyte Motherboards
0:17:04: Congress and intelligence officials spar over surveillance reforms
0:24:13: Police Shouldn’t Have Easy Access to Your DNA
0:28:03: Why You Should Stop Sending Checks in the Mail
0:31:43: Quick-Guide to Virtual Kidnapping Scams
0:37:02: 1Password passkey support for the web launches in public beta
0:38:22: The Bold Plan to Create Cyber 311 Hotlines
0:41:02: Tip of the Week: Go forth, do good deeds
0:49:30: Look ahead
Making a Difference
At some point, when you care enough about a particular cause, you shift from following the issue to actually trying to advance the issue – to make a difference. The easiest way to do this is to find groups that are already working for this cause and support them with donations of your time and/or money. But what do you do if you can’t find such a group, or maybe there’s no local chapter? Well, you can start your own! It’s not as hard as it sounds – and in fact, there exist organizations that can help you. Today I’ll speak with Rory Mir from the Electronic Frontier Alliance along with leaders from two successful EFA-affiliated groups: Freddy Martinez from Lucy Parsons Labs and Chris Bushick from PDX Privacy.

Interview Notes
Reach out to EFF organizing team: [email protected]
Electronic Frontier Alliance (EFA): https://www.eff.org/efa
Meetup groups: https://meetup.com
Lucy Parsons Labs: https://lucyparsonslabs.com/
PDX Privacy: https://www.pdxprivacy.org/
EFF on the EARN IT Act: https://www.eff.org/deeplinks/2023/05/dangerous-earn-it-bill-advances-out-committee-several-senators-offer-objections

Further Info
Dragon Coins! https://fdsd.me/coin2

Table of Contents
0:00:25: Interview setup
0:04:32: Introductions and overview of EFA
0:09:12: Lucy Parsons Labs overview
0:10:52: PDX Privacy overview
0:12:28: How has the EFA helped you with your projects?
0:15:33: What other types of groups work with the EFA?
0:17:49: What did you do before? What was it like starting your group?
0:23:02: How can you go about finding sources of funding?
0:25:25: What sorts of grants are available?
0:30:09: What accomplishments are you most proud of?
0:34:48: What were some of your biggest challenges?
0:38:51: Do you ever feel like you’re David versus Goliath?
0:42:26: How can I find existing groups that I can support or join?
0:45:58: What’s the first step in starting my own group?
0:49:31: If you were starting over again, what would you have done differently?
0:49:56: Do I need to incorporate or create a legal entity?
0:53:02: Can a non-profit organization make money?
0:57:32: Any parting thoughts you’d like to share?
1:00:32: Wrap-up
1:03:11: Looking ahead
1:04:09: Upcoming challenge coin campaign
Blocking .zip Domains
Two weeks ago, I told you about the availability of two new top-level domains that also happen to be popular file name extensions: .zip and .mov. The ambiguity will undoubtedly be exploited by ne’er-do-wells to trick people into doing something they shouldn’t do. There are clever ways to manipulate website addresses that would trick even tech-savvy people into clicking malicious links. Today I’ll tell you how these tricks work and explain how you can avoid all of these issues by simply blocking these new domains.

In other news: iTunes for Windows patches a nasty bug; Android malware downloaded over 420 million times; Android phones vulnerable to fingerprint brute-force attacks; Luxottica exposes 300 million customer records; free VPN service SuperVPN exposes 360 million user records; Amazon gets slap on the wrist for Ring video doorbell private data access; KeePass “master password crack” not as bad as it sounds; Twitter adding Community Notes ‘fact checks’ to images; Microsoft now scanning inside password-protected zip files; drone pilot is NOT killed by drone; AI is NOT likely to cause human extinction; and Brave introduces a new “Request Off the Record” feature. Plus my Dear Carey question: recommended cheat sheet for computer safety.

Article Links
[MacRumors] PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability https://www.macrumors.com/2023/06/01/itunes-windows-vulnerability/
[Lifehacker] This Android Malware Was Downloaded Over 420 Million Times https://lifehacker.com/this-android-malware-was-downloaded-over-420-million-ti-1850492306
[BleepingComputer] Android phones are vulnerable to fingerprint brute-force attacks https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/
[bitdefender.com] Luxottica 2021 breach: 300 million customer records up for grabs online https://www.bitdefender.com/blog/hotforsecurity/luxottica-2021-breach-300-million-customer-records-up-for-grabs-online/
[hackread.com] Free VPN Service SuperVPN Exposes 360 Million User Records https://www.hackread.com/free-vpn-service-supervpn-leaks-user-records/
[AppleInsider] Amazon gets slap on the wrist over privacy violations with Ring cameras https://appleinsider.com/articles/23/05/31/amazon-gets-slap-on-the-wrist-over-privacy-violations-with-ring-cameras
[Naked Security] Serious Security: That KeePass “master password crack”, and what we can learn from it https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-master-password-crack-and-what-we-can-learn-from-it/
[Mashable] Twitter will now put Community Notes ‘fact checks’ on images https://mashable.com/article/twitter-notes-on-media-images
[Ars Technica] Microsoft is scanning the inside of password-protected zip files for malware https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/
[VICE] USAF Official Says He ‘Misspoke’ About AI Drone Killing Human Operator in Simulated Test https://www.vice.com/en/article/4a33gj/ai-controlled-drone-goes-rogue-kills-human-operator-in-usaf-simulated-test
[Schneier Blog] On the Catastrophic Risk of AI https://www.schneier.com/blog/archives/2023/06/on-the-catastrophic-risk-of-ai.html
[brave.com] Request “Off the Record” https://brave.com/privacy-updates/26-request-off-the-record/

Tip of the Week: Blocking .zip Domains: https://firewallsdontstopdragons.com/how-to-block-the-new-zip-domain/

Further Info
How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Checklist of Tips for my book: https://firewallsdontstopdragons.com/wp-content/uploads/2023/02/FDSDv5-workbook-v1.pdf
10 Years After Snowden: https://www.eff.org/deeplinks/2023/05/10-years-after-snowden-some-things-are-better-some-were-still-fighting
The Wayback Machine: https://web.archive.org/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:27: DEF CON update
0:02:40: News preview
0:04:59: If you use iTunes on Windows, update your app soon
0:06:25: Android malware was downloaded over 420M times
0:10:29: Android phones vulnerable to fingerprint brute force attacks
0:16:59: Luxottica breach exposes 300 million records
0:20:00: Free VPN service SuperVPN exposes 360 million user records
0:24:21: Amazon gets slap on the wrist over Ring privacy violations
0:26:10: KeePass “master password crack”
0:29:59: Twitter to put Community Notes on i
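Why a .zip address can fool a careful reader, and why blocking the TLD outright is the simple fix, as an added example (not code from the podcast or the linked how-to). The script relies only on URL syntax as every browser implements it: in `https://A@B/...` the text A is userinfo and B is the host, so a link can show a familiar-looking download path and still resolve a host under .zip, especially when the "slashes" in that path are non-ASCII characters that merely look like `/`. It reports the host the browser would actually contact and the reasons a link is suspicious, then shows the TLD block rule that makes the whole trick moot. All sample URLs are constructed; the remark that Pi-hole accepts a regex of this shape in its regex blocklist is an assumption about that tool, not something the page states.

```python
"""Spot links whose real destination is a .zip or .mov host, and show the
TLD block that sidesteps the whole problem.

Added example, not code from the podcast or the linked post. It relies
only on URL syntax as every browser implements it: in "https://A@B/..."
A is userinfo and B is the host. Combined with a non-ASCII character that
merely looks like "/", a link can display a familiar download path while
actually resolving a host under .zip. All sample URLs are constructed.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from urllib.parse import urlsplit

RISKY_TLDS = {"zip", "mov"}   # TLDs that double as common file extensions


@dataclass
class Verdict:
    url: str
    host: str = ""                 # host the browser would actually contact
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def lookalike_slashes(url):
    """Non-ASCII characters whose Unicode name says SLASH or SOLIDUS.
    They render like '/' but are not path separators to a URL parser."""
    return sorted({c for c in url
                   if not c.isascii()
                   and any(w in unicodedata.name(c, "") for w in ("SLASH", "SOLIDUS"))})


def analyze_link(url):
    v = Verdict(url)
    fakes = lookalike_slashes(url)
    if fakes:
        v.reasons.append("lookalike slash %s: the visible path is not a real path"
                         % ", ".join("U+%04X" % ord(c) for c in fakes))
    try:
        parts = urlsplit(url)
    except ValueError as exc:       # e.g. a fullwidth '/' that NFKC-folds to a delimiter
        v.reasons.append(f"parser rejected the URL: {exc}")
        return v
    v.host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        v.reasons.append("userinfo before '@': the text before it is NOT the host")
    tld = v.host.rsplit(".", 1)[-1] if "." in v.host else ""
    if tld in RISKY_TLDS:
        v.reasons.append(f"real host {v.host!r} is under .{tld}, a TLD that reads like a file name")
    return v


# The fix the tip recommends: refuse to resolve anything under these TLDs.
# Assumption: Pi-hole's regex blocklist accepts a pattern of this shape.
BLOCK_RE = re.compile(r"(^|\.)(zip|mov)$", re.IGNORECASE)


def should_block(domain):
    """True if a DNS filter using BLOCK_RE would refuse to resolve `domain`."""
    return bool(BLOCK_RE.search(domain.rstrip(".")))


# Constructed samples: a genuine archive download, and a lookalike whose
# "path" is U+2215 DIVISION SLASH characters inside the userinfo part.
GOOD = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
TRICK = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
         "\u2215refs\u2215tags\u2215@v1271.zip")

if __name__ == "__main__":
    for url in (GOOD, TRICK):
        v = analyze_link(url)
        print(url, "\n  host:", v.host or "(unparseable)")
        for reason in v.reasons:
            print("  -", reason)
        print("  DNS block would stop it:", should_block(v.host) if v.host else "n/a")
```

Note that the genuine GitHub download also ends in `.zip`, and is not flagged: the extension sits in the path, served by github.com. Only the TLD of the real host matters, which is exactly what a DNS-level block keys on, so you lose nothing legitimate by blocking `.zip` and `.mov` resolution on your network.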
Vehicle Privacy Report
Modern cars are more like smartphones on wheels. Like our cell phones, they are chock full of sensors, computer chips and software, and they’re connected to the internet 24/7 via cellular modems. What data is being collected? Who owns this data? How secure is your data? Who is it being shared with? And most importantly, what – if anything – can you do about it? Since we last spoke with Privacy4Cars’ Andrea Amico, his company has released a powerful new Vehicle Privacy Report tool that aims to answer at least some of these questions and help you to be a more informed car buyer. Today we’ll delve into the murky world of car data collection and privacy.

Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.

Interview Notes
Privacy4Cars: https://privacy4cars.com/
Vehicle Privacy Report tool: https://vehicleprivacyreport.com/
Assert your data rights: https://privacy4cars.com/personal-use/assert-your-data-rights/
Previous interview: Driving Data Privacy for Cars https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
New privacy rules will impact your shop: https://www.autoserviceworld.com/new-privacy-rules-will-impact-your-shop/
Who Is Collecting Data From Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:38: What has happened with Privacy4Cars since we last spoke?
0:06:17: Why are cars collecting so much data? How private is this data?
0:09:31: You say cars are “cell phones on wheels” – what does that mean?
0:10:24: Are cars connected even when turned off?
0:11:55: What types of data is my car collecting?
0:14:16: Do electric cars gather more data than regular cars?
0:16:54: Do cameras built into your car represent a privacy risk?
0:21:51: Who can access my car’s data? Can I access it myself?
0:27:25: Who owns the data in rental or fleet cars? What about wrecked cars?
0:32:24: Cars now have smartphone apps – what data are they collecting?
0:37:18: How do I know if I’ve opted in to data collection?
0:40:42: Can I opt out of data collection? If so, how?
0:44:20: What about Apple’s CarPlay or Google’s Android Auto?
0:49:37: How do I know which cars best respect my privacy?
0:55:08: How does the Vehicle Privacy Report tool work?
0:57:14: What does this tool tell me about a car?
1:00:43: What’s the value of this tool for car makers and dealerships?
1:06:09: What’s next for your company and the reporting tool?
1:09:49: Interview follow-up notes
Problems with Passkeys
Everyone hates dealing with passwords. This has led to a mad search for ‘password-killer’ technology. After several failed attempts, there’s finally a worthy contender: passkeys. The technology has been around for years – it’s the basis for hardware keys like YubiKey. But no one wanted to have to carry the little things all the time. With passkeys, you get the same phishing-proof, passwordless goodness but tied to a device you always have: your smartphone. Websites are slowly rolling out the ability to secure your accounts with passkeys, and Apple, Google and Microsoft are building support for passkeys into their operating systems. But I would caution you to wait a bit before jumping on the bandwagon – I’ll explain why in today’s show. In other news: update all your Apple devices; FBI and NSA break the notorious Snake malware; Intel deploys microcode security update; location data on 2M Toyoya customers exposed for years; new .zip and .mov domains are dangerously ambiguous; new crafty Chinese router malware; online age verification will cause serious problems; Apple will allow you to ‘bank’ your voice soon. 
Article Links
[Tom’s Guide] Apple issues urgent fix to block zero-day attacks — update your iPhone and Mac now https://www.tomsguide.com/news/apple-issues-urgent-fix-to-block-zero-day-attacks-update-your-iphone-and-mac-now
[tech.co] FBI & NSA Cut the Head Off Notorious Russian Snake Malware https://tech.co/news/nsa-fbi-russian-snake-malware
[Tom’s Hardware] Intel Deploys Undisclosed Microcode Security Update For CPUs Going Back To Coffee Lake https://www.tomshardware.com/news/intel-microcode-security-update
[BleepingComputer] Toyota: Car location data of 2 million customers exposed for ten years https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
[Digital Trends] Hackers are using a devious new trick to infect your devices https://www.digitaltrends.com/computing/hackers-are-abusing-zip-mov-domain-names/
[9to5mac.com] Researchers find security flaw in Wemo Smart Plug, Belkin says it won’t release a patch https://9to5mac.com/2023/05/16/wemo-smart-plug-security-flaw-no-patch-coming/
[Ars Technica] Malware turns home routers into proxies for Chinese state-sponsored hackers https://arstechnica.com/information-technology/2023/05/malware-turns-home-routers-into-proxies-for-chinese-state-sponsored-hackers/
[Electronic Frontier Foundation] Age Verification Mandates Would Undermine Anonymity Online https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online
[9to5mac.com] Everyone should use Personal Voice; it does in 15 minutes what currently takes several weeks https://9to5mac.com/2023/05/19/everyone-should-use-personal-voice/
Tip of the Week: The Pros & Cons of Passkeys https://firewallsdontstopdragons.com/the-pros-and-cons-of-passkeys/
Further Info
Meross MSS115 Matter-enabled smart plug: https://shop.meross.com/products/meross-matter-smart-wi-fi-plug-mini-mss115
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:10: Update on new location tracker spec
0:02:52: News preview
0:05:30: FBI & NSA Cut the Head Off Notorious Russian Snake Malware
0:07:27: Intel Deploys Undisclosed Microcode Security Update
0:11:12: Toyota location data of 2M customers exposed for years
0:15:34: Phishers looking to capitalize on ambiguous new TLDs
0:19:32: Security flaws in Wemo Smart Plug won’t be fixed
0:25:08: Malware turns home routers into proxies for Chinese hackers
0:30:53: Age Verification Mandates Would Undermine Anonymity Online
0:39:23: Apple to offer new “voice-banking” technology
0:43:42: Dear Carey/Tip of the Week
0:59:19: Upcoming shows, coin promotion
Probing the Ministry of Truth
In the book “1984” (published in 1949), George Orwell envisioned a Big Brother that would control the media and dictate what was “truth”. But Orwell didn’t predict that “telescreens” would fit in our pockets or that we would willingly carry them with us 24/7, even to the bathroom. He also didn’t foresee that we would willingly subscribe to sources of mis- and disinformation in the form of social media. Today I speak with the co-author of the book “Ministry of Truth”, Vincent Hendricks, about the current state of social media and its influence on democracy and society. Vincent F. Hendricks, author of THE MINISTRY OF TRUTH: BigTech’s Influence On Facts, Feelings And Fictions, is Professor of Formal Philosophy at the University of Copenhagen. He is the Director of the Center for Information and Bubble Studies (CIBS), funded by the Carlsberg Foundation.
Interview Notes
“Ministry of Truth” book: https://www.vince-inc.com/vincent/?p=7625
“1984” by George Orwell: https://en.wikipedia.org/wiki/Nineteen_Eighty-Four
“Reality Lost” (free PDF book): https://link.springer.com/book/10.1007/978-3-030-00813-0
Vincent Hendricks website: https://www.vince-inc.com/vincent/
More from Vincent: https://www.oecd-forum.org/users/vincent-f-hendricks
Blocking Google popups (and other annoyances): https://firewallsdontstopdragons.com/how-to-block-google-popups/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:23: Pre-interview notes
0:03:51: Why did you write this book?
0:06:06: What is the current state of social media content moderation?
0:10:41: How equally are moderation rules applied to all users?
0:12:44: Do algorithms just feed our desire for stuff that’s not good for us?
0:16:39: Are things really worse today or just different?
0:21:21: Do private companies have a moral duty to support a “public square”?
0:26:23: Are social media companies warping the public discourse?
0:28:58: Is TikTok really more of a threat than Facebook or Twitter?
0:31:15: Are any of the proposed TikTok solutions viable?
0:35:41: Why can’t the US Congress pass a real privacy law?
0:38:00: Can we fix some key social media ills by adding some friction?
0:41:10: How will AI systems like ChatGPT impact disinformation?
0:44:15: Can AI also have positive impacts on social media?
0:48:10: How are social media platforms like casinos?
0:50:28: How are social media platforms like Orwell’s Ministry of Truth?
0:51:34: How much responsibility do we have here?
0:57:42: What tips do you have for using social media today?
1:02:59: Interview wrap-up
1:03:28: Privacy and security book club
1:04:37: Patron perks
1:05:02: Preview of upcoming shows
Blocking Google Popups
Have you noticed Google getting really pushy lately with offers to “sign in with Google”? You’re not alone. Many websites offer the ability to create a free account so that you can “personalize your experience”, but lately Google has been popping up a very annoying window to prompt you to create this account by signing in with your Google account. First of all, you almost never need to create an account to view the site. But second, even if you do want to create an account, you shouldn’t be linking that account with Google. You’re creating a data sharing arrangement that is completely unnecessary and not in your best interests. I’ll explain how to block these irritating popups (and many like them) for good. In other news: 1Password was not hacked, but recent messages might have worried you; new macOS malware stealer app; five things scammers hope you search for; Microsoft Edge is recording your web surfing data; Windows 10 will never receive another feature update; Microsoft is rewriting core Windows software in a memory-safe language; study claims 83% of passwords can be hacked in one second; Google adds support for passkeys; Apple issues first Rapid Security Response with confusing messages; NYPD hands out 500 free AirTags to combat auto thefts; Apple and Google partner on industry spec to thwart unwanted tracking devices; Google adds cloud backup for 2FA without end-to-end encryption; Amazon Clinic requires you to sign away privacy rights; Washington State passes health data privacy law; my take on recent efforts to undermine encryption and restrict access to social media.
Article Links
[Digital Trends] No, 1Password wasn’t hacked – here’s what really happened https://www.digitaltrends.com/computing/1password-secret-keys-not-hacked/
[9to5mac.com] PSA: ‘Atomic macOS Stealer’ malware can compromise iCloud Keychain passwords, credit cards, crypto wallets https://9to5mac.com/2023/04/28/atomic-macos-stealer-malware-steal-passwords/
[Lifehacker] Five Things Scammers Are Hoping You Google https://lifehacker.com/five-things-scammers-are-hoping-you-google-1850405964
[The Verge] Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
[Lifehacker] Microsoft Will Never Update Windows 10 Again (But You Can Keep Using It) https://lifehacker.com/microsoft-will-never-update-windows-10-again-but-you-c-1850386188
[theregister.com] Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/
[9to5mac.com] Study reveals top 20 most used passwords; 83% can be cracked in a second https://9to5mac.com/2023/05/02/most-used-passwords-report/
[The Hacker News] Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html
[AppleInsider] Apple issues Rapid Security Response update for iOS 16.4.1, macOS 13.3.1 https://appleinsider.com/articles/23/05/01/apple-issues-rapid-security-response-update-for-ios-1641-macos-1331
[AppleInsider] New York hands out 500 AirTags in car theft crackdown https://appleinsider.com/articles/23/05/01/new-york-hands-out-500-airtags-in-car-theft-crackdown
[Apple] Apple, Google partner on an industry specification to address unwanted tracking https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/
[Gizmodo] Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102
[The Washington Post] To become an Amazon Clinic patient, first you sign away some privacy https://www.washingtonpost.com/technology/2023/05/01/amazon-clinic-hipaa-privacy/
[The Verge] Washington passes law requiring consent before companies collect health data https://www.theverge.com/2023/4/28/23702246/washington-health-data-law-consent-collect-sell
[Yahoo] India has blocked 14 mobile messenger apps on security fears https://www.yahoo.com/lifestyle/india-blocked-14-mobile-messenger-074000711.html
[CNN] Arkansas governor signs sweeping bill imposing a minimum age limit for social media usage https://www.cnn.com/2023/04/12/tech/arkansas-social-media-age-limit/index.html
[act.eff.org] The “Earn It” Act is Back, Seeking To Scan Us All https://act.eff.org/action/the-earn-it-act-is-back-seeking-to-scan-us-all
Tip of the Week: Block Google Sign-In Popups: https://firewallsdontstopdragons.com/how-to-block-google-popups/
Further Info
TP-Link software update: https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware
Install uBlock Origin: https://ublockorigin.com/
STOPping Mass Surveillance
There’s a big difference between mass surveillance and targeted surveillance based on a court-approved, limited-scope search warrant. But advances in technology have made warrantless, dragnet surveillance exceptionally easy and stunningly effective. Local law enforcement agencies have deployed several types of surveillance systems in our communities, but have strongly resisted calls for transparency and oversight. Furthermore, police have simply bypassed the need for a warrant and pesky Fourth Amendment rights by just buying surveillance data from private companies. My guests today – Albert Fox Cahn and Evan Enzer, from the Surveillance Technology Oversight Project (S.T.O.P.) – will explain what’s going on, why it’s a danger to our privacy rights and democratic principles, and what we can do to fix it.
Interview Notes
Surveillance Technology Oversight Project: https://www.stopspying.org/
STOP on Twitter & TikTok: @STOPSpyingNY
Donate to S.T.O.P.: https://www.stopspying.org/donate
STOP Trojan House report: https://www.stopspying.org/the-trojan-house
Public Oversight of Surveillance Technology (POST) Act: https://www.nyc.gov/site/nypd/about/about-nypd/policy/post-act.page
Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops
Electronic Frontier Alliance: https://www.eff.org/fight
EFF’s Atlas of Surveillance: https://atlasofsurveillance.org/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:33: Interview setup
0:03:26: What is the Surveillance Technology Oversight Project?
0:07:57: What are the most common mass surveillance technologies?
0:10:15: How does ShotSpotter work and what are the dangers?
0:13:02: Do these technologies actually reduce crime?
0:14:38: Is law enforcement required to disclose info on these systems?
0:17:35: How transparent is the funding around these projects?
0:19:21: Who has access to this surveillance data?
0:21:20: 9/11 revealed a lack of data sharing – what’s the right balance?
0:22:42: Is privately obtained surveillance data subject to 4th Amendment rights?
0:23:53: What is the “third party doctrine” and how does it apply here?
0:26:15: How does purchased data differ from data obtained via warrant?
0:27:56: How does the practice of “parallel construction” work?
0:29:22: What is my legal right to privacy when in public spaces?
0:31:09: What are my legal rights to “surveil” law enforcement?
0:32:44: How are police using copyright law to curtail video taping?
0:34:13: Who watches the watchers? Is there any oversight of mass surveillance?
0:36:52: How do you uncover surveillance use and abuse?
0:38:45: How can we mitigate consumer surveillance tech?
0:41:53: Are there any tools or techniques to mitigate public surveillance?
0:46:22: What’s the solution here? How do we rein in mass surveillance?
0:50:06: How can people get involved in the fight against mass surveillance?
0:51:51: Interview wrap-up
0:54:51: Looking ahead
How to Avoid Juice Jacking
Our smartphones have become indispensable tools for our daily lives – so seeing that dreaded red battery indicator can induce some serious anxiety. But before you jack your phone into some public USB charging port, think twice. Those USB connections can pass data as well as power, and it’s actually possible to hack your phone using those ubiquitous and innocent-looking ports. Is this common? Probably not. But it’s also very easy to avoid. I’ll give you several tips for staying safe, particularly while traveling. In other news: Mullvad VPN was subjected to a search warrant (but had no data to give up); Proton has announced that it has created a password manager; Yubico is merging with another company and going public; Facebook probably owes you some money; Apple HomePods can tell you if your house is on fire; one of several Israeli spyware makers is shutting down; the US and several partner countries are urging device makers to adopt Security by Design principles; hackers use fake Chrome updates to install malware; the much-hyped Florida water treatment plant hack wasn’t really a hack; clever thieves are stealing modern cars through headlamp connectors; and health care portal check-in vendors are tricking patients into allowing them to monetize very sensitive health data.
Article Links
[mullvad.net] Mullvad VPN was subject to a search warrant. Customer data not compromised https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/
[proton.me] Proton Pass is now in beta https://proton.me/blog/proton-pass-beta
[yubico.com] Yubico is merging with ACQ Bure: merged company intends to go public on Nasdaq First North Growth Market in Stockholm https://www.yubico.com/blog/yubico-is-merging-with-acq-bure/
[Lifehacker] Facebook Probably Owes You Money https://lifehacker.com/facebook-probably-owes-you-money-1850350640
[MacRumors] HomePod Can Now Alert You If Your Smoke Alarm Goes Off https://www.macrumors.com/2023/04/18/homepod-alert-smoke-alarm/
[The Hacker News] Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose https://thehackernews.com/2023/04/israeli-spyware-vendor-quadream-to-shut.html
[cisa.gov] U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches
[Tom’s Guide] Hackers are using fake Chrome updates to spread malware — don’t fall for this https://www.tomsguide.com/news/hackers-are-using-fake-chrome-updates-to-spread-malware-dont-fall-for-this
[VICE] Much-Hyped Water Plant Hack Wasn’t a Hack, Was Actually User Error, Official Says https://www.vice.com/en/article/y3wddv/much-hyped-water-plant-hack-wasnt-a-hack-was-actually-user-error-official-says
[theregister.com] CAN do attitude: How thieves steal cars using network bus https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/
[statnews.com] I declined to share my medical data with advertisers at my doctor’s office. One company claimed otherwise https://www.statnews.com/2023/04/07/medical-data-privacy-phreesia/
Tip of the Week: How to Avoid Juice Jacking https://firewallsdontstopdragons.com/how-to-avoid-juice-jacking/
Further Info
Facebook settlement form: https://www.facebookuserprivacysettlement.com/#submit-claim
CISA Secure by Design, Secure by Default: https://www.cisa.gov/securebydesign
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:02: News preview
0:03:03: Mullvad VPN search warrant reveals zero customer data
0:04:57: Proton launching a new password manager
0:06:46: Yubico merging with ACQ Bure
0:07:41: Facebook may owe you some money
0:12:10: Apple HomePod can now detect smoke alarm alerts
0:15:16: Israeli Spyware Vendor QuaDream to Shut Down
0:20:38: U.S. (et al.) Publish Secure-by-Design Principles
0:24:33: Hackers use fake Chrome updates to spread malware
0:31:13: Much-Hyped Water Plant “Hack” Was Actually User Error
0:36:45: Clever thieves steal cars by hacking CAN bus
0:45:24: Unwanted sharing of medical data with advertisers
0:57:48: Tip of the Week: Juice Jacking
1:03:39: Preview of upcoming stuff
Securing the Internet of Things
As cybersecurity experts love to say, the “S” in “IoT” stands for security… meaning there is none. I’ve seen estimates that say there were almost 30 billion IoT devices on the internet in 2022. I have dozens of them on my home network alone. Each of these devices contains at least one computer, which is running potentially hackable software. And because these devices have internet connections, they are vulnerable to cyber attacks from anywhere on the planet. Today I’ll ask Bill Niefert from Corellium how IoT devices differ from regular computers, how secure they are, what the risks are of insecure smart devices, and how we can make them better.
Interview Notes
Corellium: https://www.corellium.com/
Interesting IoT statistics: https://techjury.net/blog/internet-of-things-statistics/
Raspberry Pi: https://www.raspberrypi.org/
Fun RPi projects: https://www.pcworld.com/article/420028/10-practical-raspberry-pi-projects-anyone-can-do.html
Matter IoT standard: https://en.wikipedia.org/wiki/Matter_(standard)
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:40: Interview terminology preview
0:04:49: Tell us about Corellium and what you do there
0:09:34: What is an ARM processor?
0:12:23: How do IoT devices compare to regular computers?
0:16:03: How do you design for security in cheap, slow IoT devices?
0:20:10: Are IoT devices fundamentally more hackable than regular computers?
0:25:07: Does your home Wi-Fi router adequately shield IoT devices from hacking?
0:28:31: Should you put IoT devices on your guest network?
0:34:35: What are the real-world dangers of having compromised IoT devices?
0:37:34: What is the new Matter IoT framework all about?
0:43:47: Does the Matter standard come with improved cybersecurity?
0:45:30: What are the privacy concerns for IoT devices?
0:53:19: Should IoT manufacturers be held liable for security failures?
0:58:18: Wrap-up
0:59:16: What is a Raspberry Pi and what can I do with it?
1:01:25: Matter security and privacy
1:02:16: Bonus content
Reviewing Mullvad Browser
Right after releasing my episode on web fingerprinting, highly-respected VPN provider Mullvad teamed up with Tor to release a new web browser, specifically designed to protect your privacy – including attempting to block fingerprinting! Great timing, so I thought I’d give you my review of the Mullvad Browser – the good, the bad, and (yes) the ugly. In other news: timely tips on spotting IRS phone scams; ultrasound attacks can hijack your smart speakers; brace yourself for a wave of more sophisticated AI-based scams; alcohol recovery startups shared patients’ data with advertisers; Google to require app developers to let you delete your account data; FBI’s Operation Cookie Monster shuts down popular cybercrime forum; Facebook will grudgingly allow users in Europe to opt out of all tracking; the FDA is requiring medical device manufacturers to improve cybersecurity and support; and I answer a Dear Carey question about how to use a Mac mini as a server to host private versions of cloud apps.
Article Links
[NPR] No, the IRS isn’t calling you. It isn’t texting or emailing you, either https://www.npr.org/2023/04/07/1168353969/irs-scam-tax-day-imposter-how-to-avoid
[Gizmodo] Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers, Researchers Find https://gizmodo.com/ultrasound-attack-hacks-phones-siri-alexa-usenix-1850273055
[WIRED] Brace Yourself for a Tidal Wave of ChatGPT Email Scams https://www.wired.com/story/large-language-model-phishing-scams/
[TechCrunch] Alcohol recovery startups Monument and Tempest shared patients’ private data with advertisers https://techcrunch.com/2023/04/04/monument-tempest-alcohol-data-breach/
[Engadget] Google will require that Android apps let you delete your account and data https://www.engadget.com/google-will-require-that-android-apps-let-you-delete-your-account-and-data-170618841.html
[CNN] ‘Operation Cookie Monster’: FBI seizes popular cybercrime forum used for large-scale identity theft https://www.cnn.com/2023/04/04/politics/genesis-market-fbi-seizure/index.html
[BGR] Facebook and Instagram users can now opt out of tracking, but only in Europe https://bgr.com/tech/facebook-and-instagrams-users-can-now-opt-out-of-tracking-but-only-in-europe/
[scmagazine.com] FDA will refuse new medical devices for cybersecurity reasons on Oct. 1 https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1
Tip of the Week: Mullvad Browser https://firewallsdontstopdragons.com/new-privacy-tool-mullvad-browser/
Further Info
Watchman Privacy interview: https://www.youtube.com/watch?v=fByagxDetVI
Using ultrasound to drive away teens: https://www.today.com/news/controversial-mosquito-sonic-devices-deter-young-people-high-pitched-sounds-t157801
Train Siri to recognize your voice: https://support.apple.com/en-us/HT204753
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:22: Important software updates
0:01:13: Watchman Privacy interview
0:01:44: News preview
0:04:38: Beware IRS phone scams
0:09:42: New ultrasound attacks against digital assistants
0:17:51: Brace yourself for AI-enhanced email scams
0:27:45: Alcohol recovery startups shared patients’ private data with advertisers
0:30:28: Google will require that Android apps delete your account and data
0:35:00: FBI Operation Cookie Monster shuts down popular cybercrime forum
0:37:43: Facebook users in EU can now opt out of tracking
0:41:15: FDA to require medical devices to have better security and support
0:46:05: Dear Carey: What to do with a Mac mini home server?
0:53:49: Tip of the Week: Mullvad Browser
1:00:07: Wrap-up and preview of upcoming shows
Privacy Peeps Panel
On today’s show, I’ll take you behind the scenes of not one, not two, but three different privacy websites. I ask Nate from The New Oil and Niek from Privacy Guides how they deal with being public figures advocating for privacy, how they set their personal standards for privacy products, and how they cope with people and product makers who complain about their recommendations (or lack thereof). I ask them about some favorite products that they’ve had to remove from their recommended lists and where they go to keep up to date on privacy topics and products. Finally, I ask them what gives them hope about the future of privacy and what keeps them up at night.
Interview Notes
The New Oil: https://thenewoil.org/
Privacy Guides: https://www.privacyguides.org/
Techlore: https://techlore.tech/
Panopticon: https://en.wikipedia.org/wiki/Panopticon
Naomi Brockwell on VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:02: Transcriptions coming!
0:04:25: Introductions
0:05:55: As a private person, what’s it like putting yourself out there?
0:09:13: How do you handle the haters?
0:12:09: How do you keep up to date on privacy and related products?
0:15:29: How often have you had to reverse product recommendations?
0:20:33: How do you set the threshold for how private a product should be?
0:26:10: Where do YOU go to learn about privacy products and topics?
0:31:19: A little humility goes a long way
0:33:25: Choosing a good VPN provider
0:37:44: Should people use antivirus software? If so, which?
0:40:57: How do you set and enforce your product recommendation criteria?
0:47:27: Do you think your standards help to improve the market?
0:49:08: What gives you hope about the future? And what keeps you up at night?
0:55:10: What can I do to further the cause of privacy?
0:59:05: Interview wrap-up
1:00:32: Dear Carey: Top privacy guidelines and topics for discussion?
Fingerprinting Your Devices
Marketers are desperately trying to follow us as we traverse the web. Tracking where we go and what we do allows them to better target us with ads. Browsers have built-in protections to block older tracking techniques like cookies and tracking pixels, and so ad companies have had to find new methods for identifying us across websites. Unfortunately, they’ve settled on a technique that is extremely difficult to defeat: fingerprinting. I’ll explain what it is, how it works, and what you can do to mitigate it. In other news: Google is warning Android users to update their devices right away in order to fix some truly nasty bugs; hackers are using malicious Chrome extensions to read your Gmail and potentially hack your Android device; popular fertility apps are collecting ridiculous amounts of highly personal data and sharing it with partners; scammers are using AI to simulate voices of people you know to steal your money; CISA has launched a great new ransomware vulnerability pilot program; I’ll tell you why you should opt out of sharing your data with your mobile service provider; America’s threatening to ban TikTok but this won’t fix the real problem; the IRS is supposed to be moving away from ID.me authentication.
Article Links
[Naked Security] Dangerous Android phone 0-day bugs revealed – patch or work around them now! https://nakedsecurity.sophos.com/2023/03/17/dangerous-android-phone-0-day-bugs-revealed-patch-or-work-around-them-now/
[Tom’s Guide] Hackers are stealing Gmail messages — delete this extension right now https://www.tomsguide.com/news/hackers-are-stealing-gmail-messages-delete-this-extension-right-now
[The Conversation] Popular fertility apps are engaging in widespread misuse of data, including on sex, periods and pregnancy https://theconversation.com/popular-fertility-apps-are-engaging-in-widespread-misuse-of-data-including-on-sex-periods-and-pregnancy-202127
[consumer.ftc.gov] Scammers use AI to enhance their family emergency schemes https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes
[cisa.gov] CISA Establishes Ransomware Vulnerability Warning Pilot Program https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program
[briankrebs] Why You Should Opt Out of Sharing Data With Your Mobile Provider https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/
[The Washington Post] America’s online privacy problems are much bigger than TikTok https://www.washingtonpost.com/technology/2023/03/24/tiktok-online-privacy-laws/
Dear Carey: IRS plans to approve use of Login-dot-gov as Tax Day nears https://www.fcw.com/it-modernization/2023/03/plans-approve-use-login-dot-gov-tax-day-nears/383934/
Tip of the Week: https://firewallsdontstopdragons.com/how-to-block-web-fingerprinting/
Further Info
Syncthing: https://syncthing.net/
KeePassXC: https://keepassxc.org/
IP address black list check: https://whatismyipaddress.com/blacklist-check
EFF on TikTok: https://www.eff.org/deeplinks/2023/03/government-hasnt-justified-tiktok-ban
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:49: Local password vault sync solution
0:05:07: News preview
0:06:47: Dangerous Android Baseband Bugs Patched
0:18:19: Hackers stealing Gmail messages via browser plugin
0:22:29: Popular fertility apps are engaging in widespread misuse of data
0:29:59: Scammers use voice AI to fool relatives
0:34:12: CISA establishes ransomware vulnerability program
0:37:05: Opting Out of Sharing Data With Your Mobile Provider
0:44:06: The latest on banning TikTok
0:49:05: Dear Carey: Do I have to use ID.me to log in to my IRS account?
0:52:55: Tip of the Week: Blocking Web Fingerprinting
1:04:38: Wrap-up
Solving Your Password Problems
If for some reason you haven’t started using a password manager yet, it’s time to make the move. But how can you trust all these important secrets to some unknown company? How can you be sure that your password vault will be safe in a cloud-based service? And finally, how do you figure out which service is best for you? Today I’ll ask Kasey Babcock from Bitwarden all those questions. We’ll also talk about two-factor authentication and newer “passkeys” technology, Argon2 vs PBKDF2, and even how you might self-host a solution like Bitwarden if you want to have full control. Kasey Babcock is a Product Marketing Manager at Bitwarden, and she has many years of experience working at software start-ups in the cybersecurity and project portfolio management industries, working with product and engineering teams to communicate meaningful cybersecurity information and product updates.

Interview Notes
Bitwarden Personal: https://bitwarden.com/products/personal/
Bitwarden Secrets Manager: https://bitwarden.com/products/secrets-manager/
Bitwarden blog article: https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:02: Pre-interview notes
0:02:21: Why should people entrust their credentials to a password manager?
0:07:49: What is Argon2 and how does it compare to PBKDF2?
0:09:15: How can regular people evaluate the security of software products?
0:14:34: How important is it for security software to be open-source?
0:16:32: How do third party security audits work?
0:18:48: What is “pen testing”?
0:19:16: How much control do audited companies have over releasing audit results?
0:20:35: What are the benefits of self-hosting a solution like Bitwarden?
0:23:55: Should we trust cloud-based password vault storage?
0:25:29: What are some red flags to look for when evaluating security companies?
0:27:36: Bitwarden recently received $100M in funding – has this changed your focus?
0:30:57: What is “secrets management” for software developers?
0:33:31: What is “passwordless” and is it phishing-proof?
0:39:18: How do I set up and use passkeys?
0:44:09: How long before we can use passkeys?
0:45:42: Will passwordless systems still require two-factor auth?
0:48:22: What’s next for Bitwarden? What features can we look forward to?
0:50:06: Interview wrap-up
Securing Your Home Network
Our devices are connected to the Internet 24/7 and the only thing separating them from the bad guys is usually your home router. In the era of smart devices and the Internet of Things (IoT), we also now have many more doohickeys connected to the Internet – most of them with crappy security. If one of those devices is compromised, the bad guys now have a beachhead from which to probe and attack all your other devices. In today’s show, we’ll review some important cybersecurity tips for our home network and connected devices. In other news: police raid homes of alleged ransomware gang; locally exploitable TPM 2.0 security flaws found; White House unveils comprehensive cybersecurity strategy; new LastPass breach details show specific employee was targeted at home; browser synchronization features may compromise employer systems; Catholic group buys data to target gay priests; private home webcams are a goldmine for police evidence gathering; telehealth companies leak sensitive patient data; ICE and Secret Service admit to using cell-site simulators to collect mass surveillance data.

Article Links
[The Verge] Police raid homes of alleged hackers who attacked hospital systems https://www.theverge.com/2023/3/6/23627238/hackers-ransomware-raid-german-ukrainian-police
[TechSpot] Two security flaws in the TPM 2.0 specs put cryptographic keys at risk https://www.techspot.com/news/97824-two-security-flaws-tpm-20-specs-put-cryptographic.html
[The Washington Post] Biden unveils cyber strategy that takes more aggressive regulatory approach https://www.washingtonpost.com/national-security/2023/03/02/cybersecurity-biden/
[Ars Technica] LastPass says employee’s home computer was hacked and corporate vault taken https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
[Kaspersky] Disable browser synchronization in the office https://www.kaspersky.com/blog/disable-browser-sync-enterprise/47460/
[The Washington Post] Catholic group spent millions on app data that tracked gay priests https://www.washingtonpost.com/dc-md-va/2023/03/09/catholics-gay-priests-grindr-data-bishops/
[Electronic Frontier Foundation] Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones
[POLITICO] The privacy loophole in your doorbell https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-00084979
[TechCrunch] Telehealth startup Cerebral shared millions of patients’ data with advertisers https://techcrunch.com/2023/03/10/cerebral-shared-millions-patient-data-advertisers/
[NPR] Personal information of members of Congress exposed in health data breach https://www.npr.org/2023/03/09/1162191035/personal-information-of-u-s-house-members-exposed-in-health-data-breach
Securing Your Home Network: https://firewallsdontstopdragons.com/how-to-secure-your-home-network/

Further Info
Apple’s HomeKit Secure Video: https://support.apple.com/en-us/HT210538
Shodan: https://www.shodan.io/
What’s My IP? https://www.whatismyip.com/
NSA home network security (PDF): https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF
What a VPN Is (and Isn’t): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/
Get your Dragon Swag! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: News preview
0:02:16: Police raid homes of alleged health system hackers
0:04:16: Two security flaws in the TPM 2.0 spec
0:08:50: White House unveils aggressive cyber strategy
0:14:41: LastPass breach details sophisticated attack
0:25:09: Browser synchronization can create risk to corporate systems
0:30:49: Catholic group bought app data that tracked gay priests
0:33:53: Ring doorbell data dragnet
0:43:09: ICE Conducted Illegal Surveillance of Cell Phones
0:46:36: Cerebral shared millions of patients’ data with advertisers
0:49:59: Personal information of members of Congress exposed in health data breach
0:52:19: Dear Carey: secure, private home web cameras
0:59:00: Tip of the Week: Securing Your Home Network
1:05:52: Wrap-up and looking ahead
Designing Apps for Privacy
Privacy advocates like me implore people to use secure apps that protect their data. But how difficult is it to actually create those apps? How do you balance security and privacy against sharing features and ease of use? How do you earn the trust of your users and how do you keep that trust? When does being private begin to negatively impact your ability to participate in society? Today I’ll ask Mo, the creator of the secure note-taking app Standard Notes, all of these questions and more – including his personal thoughts for how best to organize and back up your notes and other data.

Interview Notes
Standard Notes: https://standardnotes.com/
Write Fearlessly (blog article): https://standardnotes.com/why-encrypted
Standard Notes YouTube channel: https://www.youtube.com/@standardnotes
Second Brain note taking styles: https://fortelabs.com/blog/the-4-notetaking-styles-how-to-choose-a-digital-notes-app-as-your-second-brain/
Tresorit secure cloud storage: https://tresorit.com/individuals
Sync.com secure cloud storage: https://sync.com/

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:19: What is Standard Notes and how is it different?
0:06:19: What is true end-to-end encryption?
0:08:35: What does privacy mean to you?
0:14:14: What do people misunderstand most about privacy?
0:17:43: How do you secure a web app?
0:23:08: Does security preclude any popular app features?
0:27:31: Should we really encrypt everything?
0:33:30: How do you earn and keep your users’ trust?
0:37:57: How important is humility and honesty in security marketing?
0:39:42: What is your note taking organizational strategy?
0:47:03: How do you figure out what organizational style works for you?
0:50:43: How do you make sure all your data is backed up and findable?
0:56:17: What does the future hold for privacy?
1:01:04: What’s next for Standard Notes?
1:05:06: Interview wrap-up
Unmasking Shortened Links
Web links are great, when you’re on the web. But if you need to read off or write down a web address, or URL, to someone else, anything beyond a simple domain name is going to be way too complicated. Ideally, you want something short and memorable. Enter link-shortening services like Bitly, Owly and others. These services convert long, ugly URLs to short, simple, memorable links. Unfortunately, this also obscures the actual link. When you click a shortened link, you have no idea where it will take you. Today, I’ll give you some tools that will allow you to determine the final destination and even see an image of the site without actually going there. In other news: a TikTok group teaches people how to hot-wire Kia and Hyundai cars; Twitter charges users for the least-secure two-factor authentication method; scam authenticator apps proliferate on the App Store; thieves are stealing Apple devices after surreptitiously learning their lock codes; Google to launch Android Privacy Sandbox beta; Mozilla discovers huge discrepancies between actual privacy policies and the ‘nutrition label’ summaries on top Android apps; supermarkets track tons of user data via loyalty cards and apps; we need to create a much more robust and resilient internet; and the CEO of Safing answers a user question about Portmaster and SPN.

Article Links
[Lifehacker] TikTokers Are Hot-Wiring These Hyundai and Kia Cars https://lifehacker.com/tiktokers-are-hot-wiring-these-hyundai-and-kia-cars-1850113943
[Mashable] Twitter to charge users for SMS two-factor authentication https://mashable.com/article/twitter-removes-sms-2fa
[9to5mac.com] Scam authenticator app advertising on App Store: Sends all your QR codes to the developer https://9to5mac.com/2023/02/21/scam-authenticator-app/
[MacRumors] Apple Responds to Report About Thieves Spying on iPhone Passcodes to ‘Steal Your Entire Digital Life’ https://www.macrumors.com/2023/02/24/iphone-stolen-passcodes-report/
[The Verge] Google launches first Android beta for ad-tracking overhaul https://www.theverge.com/2023/2/14/23599027/google-android-privacy-sandbox-beta-advertising-tracking
[foundation.mozilla.org] Mozilla Study: Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading
[The Markup] Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You https://themarkup.org/privacy/2023/02/16/forget-milk-and-eggs-supermarkets-are-having-a-fire-sale-on-data-about-you
[Schneier Blog] What Will It Take? https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html
How to Reveal Shortened URLs: https://firewallsdontstopdragons.com/how-to-reveal-shortened-urls/

Further Info
2FA apps: https://lifehacker.com/the-best-authenticator-apps-for-iphone-and-android-1850140802
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: Book out of stock?
0:01:45: News rundown
0:04:09: Hot-Wiring Hyundai and Kia Cars
0:09:11: Twitter to charge users for SMS 2FA
0:12:58: Scam authenticator apps
0:18:13: Thieves Spying on iPhone Passcodes to ‘Steal Your Entire Digital Life’
0:24:22: Google launches first Android beta for Privacy Sandbox
0:27:52: Data Privacy Labels in Google Play Store are False or Misleading
0:34:59: Supermarkets Are Having a Fire Sale on Data About You
0:44:41: Schneier: What Will It Take?
0:52:38: Dear Carey
0:55:53: Tip of the Week
1:01:21: Wrap up: merch store, previews
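The show notes above describe tools that reveal where a shortened link lands without visiting the page. The script below is an added example of how such a tool works; it is not code from the podcast, the blog post, or any link-expansion service. It walks the redirect chain one HEAD request at a time, never letting the HTTP library follow a redirect on its own, so the final page is never loaded, and it treats a redirect loop, a non-http(s) target, or an excessive number of hops as a red flag rather than something to push through. The `_FAKE_RESPONSES` table is constructed sample data (the hosts `sho.rt`, `track.example` and `final.example` are invented) so the chain can be walked offline; pass a real URL on the command line to run it against the network.

```python
"""Unmask a shortened link by walking its HTTP redirect chain without
fetching (or rendering) the final page.

Added example, not code from the podcast or from any link-expansion
service. Only HEAD requests are sent and redirects are never followed
automatically, so each hop is inspected before the next is requested.
The _FAKE_RESPONSES table below is constructed sample data, not real
shortener records.
"""
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.parse
import urllib.request

Fetch = Callable[[str], Tuple[int, Dict[str, str]]]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SAFE_SCHEMES = {"http", "https"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from silently following redirects; we want each hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_request(url: str, timeout: float = 10.0) -> Tuple[int, Dict[str, str]]:
    """Issue one HEAD request and return (status, lower-cased headers).
    This is the live network fetcher; the offline demo uses fake_fetch."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-unmask/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        # 3xx responses land here because redirects are not followed.
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def unmask(url: str, fetch: Fetch = head_request, max_hops: int = 10) -> List[str]:
    """Return the full chain [short_url, hop1, ..., final_url].

    Raises ValueError on a redirect loop, on a non-http(s) target, or when
    max_hops is exceeded; each of those is itself a warning sign.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        status, headers = fetch(current)
        if status not in REDIRECT_STATUSES:
            return chain  # 200, 404, etc.: this is where the link lands
        location = headers.get("location")
        if not location:
            raise ValueError(f"{current}: {status} without a Location header")
        # Location may be relative; resolve it against the current URL.
        nxt = urllib.parse.urljoin(current, location)
        if urllib.parse.urlsplit(nxt).scheme not in SAFE_SCHEMES:
            raise ValueError(f"refusing non-http(s) target {nxt!r}")
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    raise ValueError(f"more than {max_hops} redirects; giving up")


# Constructed offline sample: a three-hop shortener chain plus a loop.
_FAKE_RESPONSES = {
    "https://sho.rt/abc": (301, {"location": "https://track.example/r?id=9"}),
    "https://track.example/r?id=9": (302, {"location": "/landing"}),
    "https://track.example/landing": (307, {"location": "https://final.example/page"}),
    "https://final.example/page": (200, {"content-type": "text/html"}),
    "https://sho.rt/loop": (302, {"location": "https://sho.rt/loop2"}),
    "https://sho.rt/loop2": (302, {"location": "https://sho.rt/loop"}),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str]]:
    """Offline stand-in for head_request backed by the constructed table."""
    return _FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    target = sys.argv[1] if live else "https://sho.rt/abc"
    for i, hop in enumerate(unmask(target, head_request if live else fake_fetch)):
        print(f"{i}: {hop}")
```

Two practical caveats: some shorteners only reveal the destination to a browser-like `User-Agent` or refuse HEAD entirely (fall back to GET with `stream`-style handling if you must), and a chain that hops through an intermediate tracking host, as the sample does, tells you the link was built to log your click, not just to shorten it.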
Fixing Social Media
Social media wasn’t always so bad. It didn’t use to collect so much information. It didn’t use to feed us content we didn’t ask for in an attempt to maintain our attention. Doom scrolling, virtue signaling, algorithmic feeds and misinformation bots are not natural extensions of social media. So what went wrong? And better yet, how can we fix it? Today I’ll discuss all of these topics and more with Suzie Dawson, the founder of Panquake.com. She’s on a mission to solve all of these problems and restore the promise of social media to be a positive force for society and serve the users, not corporations or governments.

Interview Notes
Panquake: https://panquake.com/
A Personal Message from our Founder (Suzie): https://vimeo.com/770524936
What is Panquake? https://vimeo.com/503223746
The Social Dilemma (documentary): https://www.thesocialdilemma.com/
Mastodon: https://joinmastodon.org/
Fediverse: https://www.eff.org/deeplinks/2022/11/fediverse-could-be-awesome-if-we-dont-screw-it
Microsoft’s Decentralized Identity: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:18: Interview preview
0:05:24: What is Panquake.com and why did you create it?
0:06:25: When and why did social media platforms go wrong?
0:07:55: Why is our relationship with Big Tech such an abusive one?
0:10:09: Are algorithmic feeds inherently bad or just exposing human nature?
0:15:25: How does Facebook learn so much about us?
0:16:24: Without algorithmic feeds, how do I discover new content?
0:17:51: How do you convince people to pay for their social media platform?
0:21:27: What other things do people hate about modern social media platforms?
0:25:53: What does it mean to be ‘shadow banned’?
0:27:32: How can we stop malicious bot behavior?
0:30:39: What’s the best way to implement account verification?
0:34:59: How do we spark a backwards paradigm shift?
0:36:44: What is the role of social media platforms in moderating content?
0:40:00: How does moderation vary globally?
0:41:23: Is TikTok more dangerous to society than Twitter or Facebook?
0:47:21: What is the “Fediverse” and how does it work?
0:53:40: How important is data portability or ownership?
0:58:34: What’s next for Panquake?
1:03:19: Suzie asks ME a question!
1:04:56: Interview wrap-up
1:05:41: Patron bonus content and benefits
1:06:43: Swag Shop is OPEN!
1:08:43: Upcoming interviews
Where & Why to Plant Your Flag
As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before the bad guys claim them in your name. Furthermore, as a homeowner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I’ll tell you where and why to plant your flag. In other news: Booking.com reservation data being used to scam customers; top background check service customers’ data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST proposes security protocols for low-power IoT devices. I also answer a listener question about IPv4 vs IPv6.

Article Links
[Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/
[TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach
[Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/
[The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx
[Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html
[9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/
[PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html
[Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims
[ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/

Further Info
Order the new 5th edition of my book! https://fdsd.me/book
OSINT Tools: https://inteltechniques.com/tools/index.html
WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:29: News preview
0:03:58: Booking.com users being targeted with convincing scams
0:09:11: Top background check services hit by data breach
0:12:16: Finnish psychotherapy extortion suspect arrested
0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem
0:23:23: ACLU pushes back against Google geofence warrants
0:31:07: Anker admits to lying about Eufy security camera encryption
0:37:38: Phony, malicious Bitwarden ads slip past Google
0:41:05: Stalkerware Maker Fined $410k and Compelled to Notify Victims
0:44:43: IoT devices are getting their own special encryption algorithms
0:47:38: Dear Carey: IPv4 vs IPv6
0:55:01: Tip of the Week: Plant Your Flag
1:00:03: Wrap up
Combatting Surveillance Capitalism
The business of data mining and behavioral advertising has never been stronger or more ubiquitous. And yet, cracks are beginning to appear in the foundations of surveillance capitalism. Nowhere is this more evident than in the European Union where advertising behemoths like Google and Meta (parent company of Facebook) have suffered a series of legal defeats at the hands of aggressive privacy regulators. The GDPR has provided a framework for curtailing rampant abuses of the advertising industry and its promise is finally coming to fruition. Today I’ll speak with Johnny Ryan from the Irish Council for Civil Liberties, who is fighting for all of us on the front lines of the war for privacy. Johnny Ryan works at the Irish Council for Civil Liberties and he was previously Chief Policy Officer at Brave. He has testified and spoken at the US Senate, the European Commission, and the European Parliament.

Interview Notes
Irish Regulators Fine Facebook $414 Million https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html
Irish Council for Civil Liberties: https://www.iccl.ie/
Ep231: Selling You Out to the Highest Bidder https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Fair Information Practice Principles (FIPPs): https://en.wikipedia.org/wiki/FTC_fair_information_practice
Diesel-Gate: https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:23: The 5th edition is OUT!!
0:02:50: Interview prep
0:05:02: Give us a refresher on how behavioral ads work
0:08:41: Why was Meta fined and will they be able to appeal?
0:18:40: How does tracking consent work now and how should it work?
0:26:25: How are these fines determined and why wasn’t this one bigger?
0:29:52: What changes will we see as a result of this and by when?
0:32:45: Will this ruling affect other companies, as well?
0:34:11: Will this ruling affect more than just notice and consent?
0:36:19: Why can’t we just go back to context-based ads?
0:41:15: Are behavior-based ads really more valuable?
0:43:52: Is there a more private way to have targeted ads?
0:47:18: Will Google’s new ad framework just solidify their dominance?
0:51:42: Won’t intelligence agencies abuse all of the data collected about us?
0:57:41: Has surveillance capitalism peaked? What does the future look like?
1:02:02: Interview follow-up
1:03:32: Getting the book on people’s radars
Data Privacy Week 2023
Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day. In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous “malvertising” campaign mimics popular software to steal info; the previously-secret “no fly” list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I’ll answer a Dear Carey question about Plaid, the service that allows financial tech aggregators to access your account information, and my Tip of the Week will explain Apple’s new Advanced Data Protection feature.

Article Links
[NPR] FBI says it ‘hacked the hackers’ to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group
[Tom’s Guide] This Windows malware is stealing passwords and other data — how to stay safe https://www.tomsguide.com/news/this-windows-malware-is-stealing-passwords-and-other-data-how-to-stay-safe
[TechSpot] New malware dubbed “Hook” allows hijacking and real-time spying on Android devices https://www.techspot.com/news/97356-new-malware-dubbed-hook-allows-hijacking-real-time.html
[TechRadar] This dangerous malvertising campaign mimicks popular software to steal victim info https://www.techradar.com/news/this-dangerous-malvertising-campaign-mimicks-popular-software-to-steal-victim-info
[BleepingComputer] Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
[BleepingComputer] PayPal accounts breached in large-scale credential stuffing attack https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
[Naked Security] T-Mobile admits to 37,000,000 customer records stolen by “bad actor” https://nakedsecurity.sophos.com/2023/01/20/t-mobile-admits-to-37000000-customer-records-stolen-by-bad-actor/
[9to5mac.com] Twitter GodMode still available to all engineers, following hack of Apple and other accounts https://9to5mac.com/2023/01/24/twitter-godmode/
Dear Carey: Is Plaid Safe? https://www.allthingssecured.com/reviews/security/is-plaid-safe-to-use/
Apple’s Advanced Data Protection: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
Apple recovery contact: https://support.apple.com/en-us/HT212513

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:04: News rundown
0:03:19: FBI shuts down Hive ransomware group
0:07:34: New Windows malware steals data
0:12:07: New Android malware that completely takes over device
0:15:43: Malvertising campaign mimics popular software apps
0:19:44: Secret “no fly list” leaked online
0:24:26: PayPal accounts accessed via credential stuffing attack
0:28:06: T-Mobile admits 37M customer records stolen
0:31:31: Twitter’s GodMode tool is still available to engineers
0:34:59: Dear Carey: Is Plaid safe?
0:45:41: Tip of the Week: Apple’s Advanced Data Protection
0:53:54: 5th edition update and cool resources
0:56:56: How you can help
Using Aliases to Improve Privacy
Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It’s no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It’s not as hard as you think, and it’s getting easier all the time. This is a privacy concept called aliasing and we’ll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim.

Interview Notes
SimpleLogin: https://simplelogin.io/
Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account
Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Fastmail Masked Email: https://www.fastmail.help/hc/en-us/articles/4406536368911-Masked-Email
Apple Private Relay: https://support.apple.com/en-us/HT212614
DuckDuckGo Private Email: https://spreadprivacy.com/introducing-email-protection-beta/
MySudo: https://mysudo.com/
Hushed: https://hushed.com/
Privacy.com: https://privacy.com/

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: Book updates
0:03:10: Interview setup
0:03:57: What is SimpleLogin?
0:05:04: How are email addresses used to track us?
0:06:19: Why do we use email addresses as user names?
0:09:42: How do normal email services provide aliases?
0:11:18: How does email subaddressing work?
0:13:05: How do modern email aliases work?
0:16:34: Do replies to alias emails expose your real address?
0:20:05: How do you use aliases to manage spam?
0:22:38: Can email alias services read my emails?
0:23:36: How do you know you can trust an email alias provider?
0:26:41: How can you use domain names and catch-all aliases to fight spam?
0:30:52: Why are email aliases sometimes rejected?
0:34:45: What happens to my aliases if the service goes away?
0:36:50: What are the security benefits of using aliases?
0:39:44: Why is it so hard to create a phone number alias?
0:42:52: How can I get a second phone number?
0:47:13: Why are phone aliases often rejected?
0:49:15: What other ways can we use aliasing to improve privacy?
0:52:27: Interview wrap-up
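The episode above contrasts the subaddressing that ordinary mail providers offer (a `+tag` on your real address) with the random aliases that services like SimpleLogin generate. The script below is an added example, not code from the podcast or from SimpleLogin, showing why that distinction matters for tracking: it implements the normalisation a data broker would run before joining records from several shops, and demonstrates that every `+tag` variant of one mailbox collapses to the same key while a random alias does not. The provider rules are a simplification stated as assumptions in the code: `+` is treated as the subaddress separator for every domain, and dot-folding (Gmail ignores dots in the local part) is applied only to Gmail addresses. The `SAMPLE` sign-ups and the `alias.example` domain are constructed.

```python
"""Why a '+tag' subaddress is not a real alias.

Added example, not code from the podcast or from SimpleLogin. A broker
wanting to merge records only needs to normalise addresses; this shows how
little work that is for subaddresses and why a random alias on a separate
domain cannot be collapsed the same way. Assumptions: '+' is the subaddress
separator on every domain, and dots are ignored only on Gmail.
"""
import secrets
from typing import Dict, List, Set

# Domains whose mailbox names ignore dots in the local part (Gmail does).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Provider domains that deliver to the same mailbox.
DOMAIN_SYNONYMS = {"googlemail.com": "gmail.com"}


def canonical(address: str) -> str:
    """Collapse an address to the identity a tracker would key on."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = DOMAIN_SYNONYMS.get(domain, domain)
    local = local.split("+", 1)[0]          # drop the subaddress tag
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # Gmail ignores dots
    return f"{local}@{domain}"


def link_records(addresses: List[str]) -> Dict[str, Set[str]]:
    """Group sign-up addresses by the identity they resolve to; this is the
    broker's join step. One key with many members means the tags bought
    the user nothing."""
    groups: Dict[str, Set[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical(addr), set()).add(addr)
    return groups


def make_alias(domain: str, nbytes: int = 6) -> str:
    """A true alias: a random local part on an alias domain. Nothing in the
    string relates it to the real mailbox, so canonical() cannot merge it."""
    return f"{secrets.token_hex(nbytes)}@{domain}"


# Constructed sample sign-ups, as a broker might buy them from three shops.
SAMPLE = [
    "Jane.Doe+shop1@gmail.com",
    "janedoe+newsletter@googlemail.com",
    "jane.doe@gmail.com",
    "jane+bank@fastmail.com",
    "jane@fastmail.com",
]


def demo() -> Dict[str, Set[str]]:
    """Run the join over SAMPLE and print each merged identity."""
    groups = link_records(SAMPLE)
    for ident, members in groups.items():
        print(f"{ident}: {sorted(members)}")
    return groups


if __name__ == "__main__":
    demo()
    print("true alias:", make_alias("alias.example"))
```

The five constructed sign-ups merge into two identities, which is the whole point: a subaddress helps you see which shop leaked your address, but it does not stop anyone from joining the records. An alias generated by `make_alias` carries no such handle, and with a catch-all on your own domain you can still route and revoke each one individually.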
New Year’s Resolutions: 2023
It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today’s show I’ll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I’ve also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I’ll answer a listener question on tracking in beta software. And then I’ll cover several news stores: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran’s citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blockers; dozens of telehealth companies sharing sensitive health information with Big Tech companies. 
Article Links
[TechCrunch] A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/
[BleepingComputer] NortonLifeLock warns that hackers breached Password Manager accounts https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
[Metro] Russian hackers suspected to be behind Royal Mail cyber attack https://metro.co.uk/2023/01/13/russian-hackers-suspected-to-be-behind-royal-mail-cyber-attack-18093326/
[techmonitor.ai] Iran’s citizens targeted by EyeSpy spyware hidden in VPNs https://techmonitor.ai/technology/cybersecurity/eyespy-spyware-iran-vpn
[Lifehacker] Windows 7 Is Officially Dead https://lifehacker.com/windows-7-is-officially-dead-1849966248
[briankrebs] Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
[Kaspersky] Rise of the robot vacuum cleaners https://www.kaspersky.co.uk/blog/robot-vacuum-privacy/25348/
Bonus: https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/
[TechCrunch] Even the FBI says you should use an ad blocker https://techcrunch.com/2022/12/22/fbi-ad-blocker/
[The Markup] “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies https://themarkup.org/privacy/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies
Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Data Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
BitWarden vault backup: https://community.bitwarden.com/t/how-to-a-users-guide-to-backing-up-your-bitwarden-vault/44083
Table of Contents
0:02:08: Big sale on pre-order of my book
0:03:05: Show preview
0:04:44: LastPass update
0:09:21: Password innovation ideas
0:13:59: Watchdog cracks federal agency’s passwords in minutes
0:17:33: NortonLifeLock warns of account breaches
0:21:31: Russian hackers suspected in Royal Mail cyber attack
0:24:29: Iran’s citizens targeted by spyware in VPNs
0:26:53: Windows 7 Is Officially Dead
0:30:26: Identity Thieves Bypassed Experian Security to View Credit Reports
0:35:06: Rise of the robot vacuum cleaners
0:40:54: Even the FBI says you should use an ad blocker
0:43:07: Telehealth Startups Sent Sensitive Health Info to Big Tech Companies
0:48:04: Dear Carey: Beta software tracking?
0:50:51: Tip of the Week: New Year’s Resolutions!
1:00:57: Wrap-up
1:01:33: Patron benefits
Privacy Tide is Turning
Facebook stock is down 65%, they just paid $725M to settle the Cambridge Analytica lawsuit, and they’ve just been fined over $400M by the EU. But that’s not the worst part (for Meta). The EU, through its General Data Protection Regulation (GDPR), is basically saying that Meta’s entire business model – surveillance capitalism – is wrong and must stop. That’s the same business model used by Google, too. It really seems that the tide is finally turning in favor of user privacy as more nails are hammered into the coffin of behavior-based advertising. In other news: the first LastPass class action lawsuit has been filed over the recently announced data breach; WhatsApp adds a feature to bypass internet censorship by repressive regimes; Pornhub is now requiring viewers from Louisiana to verify their age via ID; data from up to 400M Twitter accounts is up for sale; a military device containing information including biometric scans of over 2000 people was bought on eBay for $68; mom and daughter kicked out of Rockettes show in Radio City Music Hall. Plus, a Dear Carey question and my Tip of the Week.
Article Links
[TechRadar] LastPass is being sued following major cyberattack https://www.techradar.com/news/lastpass-is-being-sued-following-cyberattack
[The Washington Post] WhatsApp adds feature to bypass internet censors in repressive regimes https://www.washingtonpost.com/technology/2023/01/06/whatsapp-proxy-server-address/
[The Verge] Meta agrees to pay $725 million to settle Cambridge Analytica class action lawsuit https://www.theverge.com/2022/12/23/23523862/meta-cambridge-analytica-class-action-lawsuit-settlement-725-million
[The Hacker News] Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html
[Ars Technica] Pornhub requires ID from Louisiana users to comply with state’s new porn law https://arstechnica.com/tech-policy/2023/01/no-porn-without-id-louisiana-law-forces-porn-sites-to-verify-users-ages/
[Naked Security] Twitter data of “+400 million unique users” up for sale – what to do? https://nakedsecurity.sophos.com/2022/12/28/twitter-data-of-400-million-unique-users-up-for-sale-what-to-do/
[The New York Times] For Sale on eBay: A Military Database of Fingerprints and Iris Scans https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html
[Ars Technica] MSG defends using facial recognition to kick lawyer out of Rockettes show https://arstechnica.com/tech-policy/2022/12/facial-recognition-flags-girl-scout-mom-as-security-risk-at-rockettes-show/
[Lifehacker] You Can Disable Google Sign-in Pop-ups on All Websites https://lifehacker.com/you-can-disable-google-sign-in-pop-ups-on-all-websites-1849913714
Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
LastPass breach info: https://firewallsdontstopdragons.com/special-lastpass-breach/
Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Table of Contents
0:01:09: Show preview
0:03:01: LastPass updates and first lawsuit
0:12:22: WhatsApp adds feature allowing censorship bypass
0:15:19: Facebook settles Cambridge Analytica suit for $725M
0:16:50: Irish Regulators Fine Facebook $414 Million
0:21:34: Pornhub requires ID from Louisiana users
0:27:11: 400M+ Twitter users’ data for sale
0:35:22: Military device with biometric data found on eBay
0:40:37: Woman ejected from Rockettes show
0:44:12: Dear Carey: how do I improve my passwords?
0:49:05: Tip of the Week: Banishing Google’s “sign in” pop-ups
0:54:40: Annual listener survey!!
0:55:34: Looking ahead
0:55:58: Book updates
SPECIAL: LastPass Breach
Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this. Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo.  
Interview Notes
SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
Mastodon technical thread #1: https://mastodon.social/@[email protected]/109585049690097599
Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
My “diceware” passphrase generator: https://d20key.com/
My blog on creating strong passphrases: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/
Classic XKCD cartoon on passphrases: https://xkcd.com/936/
Consumer Reports Security Planner: https://securityplanner.consumerreports.org/
Table of Contents
0:00:47: Ep300 giveaway updates
0:03:15: Interview setup
0:08:17: What do we know about the LastPass breaches?
0:13:25: Were all LastPass users affected?
0:15:03: How is my LastPass data secured, exactly?
0:19:53: What is PBKDF2 and why are iterations important?
0:23:10: Did LastPass increase the iterations for all users over time?
0:26:46: Is any information in my password vault not encrypted?
0:29:35: How do I know if my vault password is strong enough?
0:36:13: What if I didn’t have a strong vault password? What should I do?
0:41:47: Do we have any evidence that people’s vaults have been cracked?
0:45:34: Did LastPass handle this properly?
0:50:50: What can the government do to help here?
0:53:30: Should LastPass users switch to a different service?
0:57:11: Will passwordless authentication solve this problem?
1:01:03: What are the key take-aways here?
1:02:37: My take on the breach and what you should do about it
Building a Better Private Network
All our devices and apps use the internet these days. But what are they doing on the internet, exactly? Who are they talking to? You’d be surprised. But there are tools which will not only let you see what they’re up to, but also give you fine-grained control over which communications you want to allow. And the mere fact that they’re sending and receiving data to and from multiple sources can be revealing, too. While VPNs are good for adding a layer of security, they’re really not great at adding privacy – despite having “private” in the name. Thankfully, there’s a new service that can help there, too. We’ll be discussing network privacy and how we can improve it with the CEO of Safing, Raphael Fiedler. Raphael Fiedler is the CEO of Safing, a speaker on topics about privacy, and a regular co-host on an InfoSec podcast.
Interview Notes
Safing.io, Portmaster, Safing Privacy Network (SPN): https://safing.io/
Securitized podcast: https://www.securityzed.com/
The Hut Six Story: Breaking the Enigma Codes https://www.amazon.com/Hut-Six-Story-Breaking-Enigma/dp/0947712348
Naomi Brockwell, The Dark Side of VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok
OSI Layer Model: https://en.wikipedia.org/wiki/OSI_model
Nym network: https://nymtech.net/
SPN white paper: https://safing.io/files/whitepaper/Gate17.pdf
Further Info
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Table of Contents
0:00:35: Promotions update – last call!
0:02:11: Interview preview
0:04:41: How did Safing start? What problems are you trying to solve?
0:07:57: What are the most likely threats to our home network?
0:10:12: Are our devices and apps tattling on us?
0:14:14: What can an application firewall do for us?
0:17:04: Given broad use of HTTPS, do we need VPNs like we used to?
0:19:30: Can we collect useful analytics and still preserve privacy?
0:23:46: Which VPN marketing claims are bogus or misleading?
0:29:31: How does a decentralized VPN work?
0:33:10: What is the value of a decentralized VPN?
0:35:13: How is your SPN different from a VPN?
0:41:10: Who owns the SPN exit nodes?
0:43:27: Can your SPN mix traffic amongst backbone providers?
0:48:18: Can an SPN do anything to prevent fingerprinting?
0:51:14: Does a multi-connection SPN confuse some websites or apps?
0:54:28: How does the SPN compare to Tor or Apple Private Relay?
1:00:22: What’s the roadmap look like for Portmaster and SPN?
1:03:30: Wrap-up
Best of 2022!
The year is almost over and as we head into the holiday season I wanted to reminisce with some of my favorite snippets from the last year! Unlike in previous ‘best of’ shows, I’ve actually included some new snippets from my private podcast, to give you a little taste of the bonus content that I create for my patrons! The links in the show notes will take you to the full episodes, including all the relevant ‘further information’ links associated with them. Happy holidays, everyone!!
Article Links
Ep267: Luck Favors the Prepared: https://podcast.firewallsdontstopdragons.com/2022/04/11/luck-favors-the-prepared/
Ep279: Necessary Chaos: https://podcast.firewallsdontstopdragons.com/2022/07/04/necessary-chaos/
Ep272: Tomatoes & Telegraphs: https://podcast.firewallsdontstopdragons.com/2022/05/23/tomatoes-telegraphs/
Ep275: Cryptocurrency 101: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/
Ep283: No Place Left to Hide: https://podcast.firewallsdontstopdragons.com/2022/08/01/now-place-left-to-hide/
Ep287: The Night the Lights Went Out in Vegas: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/
Ep289: Decoding Computers & Software: https://podcast.firewallsdontstopdragons.com/2022/09/12/decoding-computers-software/
Ep292: Capture the Flag for Fun & Profit: https://podcast.firewallsdontstopdragons.com/2022/10/03/capture-the-flag-for-fun-profit/
Steganography: https://en.wikipedia.org/wiki/Steganography
Further Info
Give the gift of security and privacy! https://fdsd.me/coupons
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Table of Contents
0:02:17: Ep267: How the internet works
0:10:23: Ep279: Getting into electronics and hacking
0:16:22: Ep273: The invention of the one-time pad
0:24:36: Ep275: Why do we need cryptocurrency?
0:30:26: Ep283 BONUS: What’s it like arguing in front of the Supreme Court?
0:35:33: Ep283: This suspect looks just like Woody Harrelson!
0:40:26: Ep287: The time DEF CON almost ended
0:49:15: Ep289: The historical origins of software and storage
0:56:28: Ep292: Ender’s Game-ing a hacker tournament
1:02:20: Ep288 Merlin’s Musings: Steganography
1:10:39: Wrap-up
We Are the Cavalry
Today when computer systems fail, they can cause real, physical harm. In just the last few years, we’ve seen cyber attacks interfere with our food supply, tamper with city water supplies, and disrupt gas pipelines. While cheap consumer electronics often have poor security, medical devices like insulin pumps and pacemakers are also vulnerable to attack – and the consequences of failure can be lethal. The free market doesn’t reward better security. Regulations are weak or nonexistent, and regulators are understaffed and underfunded. Targeted organizations lack sufficient funding, training and personnel to prepare and respond. They need help. I Am The Cavalry aims to engage technologists and hackers to ride to the rescue. Joshua Corman is VP of Cyber Safety Strategy at Claroty, Founder of I Am The Cavalry, and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety.
Interview Links
I Am The Cavalry: https://iamthecavalry.org/
BSides 2022 Cavalry presentation: https://www.youtube.com/watch?v=aw3egJej7so
The Cavalry Isn’t Coming (DEF CON 21 talk): https://www.youtube.com/watch?v=2kMGdkOMSK0
Rugged Software Manifesto: https://github.com/rugged-software/rugged-software.github.io
CISA Bad Practices: https://www.cisa.gov/BadPractices
CISA Information Sharing and Awareness: https://www.cisa.gov/information-sharing-and-awareness
Maslow’s Hierarchy of Needs: https://www.simplypsychology.org/maslow.html
Click Here to Kill Everyone: https://www.schneier.com/books/click-here/
SBOM interview: https://podcast.firewallsdontstopdragons.com/2021/07/19/its-time-to-drop-the-sbom/
My Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/
Further Info
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Table of Contents
0:01:28: Giveaway and promotion update
0:02:46: Holiday gift ideas
0:03:59: Interview preview
0:08:35: How did I Am The Cavalry get started?
0:16:52: How does focusing on physical harms change your approach to cybersecurity?
0:20:33: Why is it so important to ‘meet people where they are’?
0:23:40: How do you best help organizations that are target rich but cyber poor?
0:31:47: What is the crawl, walk, run progression?
0:34:33: Why is it so important to compartmentalize systems?
0:35:56: How do we do a better job of designing security in from the start?
0:39:01: Is it safer for small companies to use managed services?
0:42:17: What role should the government play here?
0:52:57: If I want to get help for my organization, where should I go?
0:58:18: What’s next for the Cavalry and how can I get involved?
1:05:09: Interview wrap-up
1:06:35: Book recommendations
1:07:43: Preview of upcoming shows
Tis the Season for Scams
Tis the season for giving… and unfortunately, also for taking. Scammers tend to be extremely active during the holiday season. We’re buying lots of stuff online and having lots of packages delivered. We’re away from our homes for extended periods of time. We’re giving money to charities. We’re firing up new tech toys. The bad guys know this and are happy to take advantage of our chaotic holiday schedules and unusual levels of spending and giving. I’ll give you some top tips to avoid being a victim this holiday season. In other news: the SFPD wants to arm its law enforcement robots; the TSA is expanding the use of facial recognition at airports; Microsoft warns of malware coming from Google Ads; a new study shows that computer repair shops may be accessing your personal data; WhatsApp data breach affects nearly 500M users; Twitter data breach was far worse than reported; Meta shuts down covert US propaganda operation; US watchdog raises warning for offshore oil and gas rig security; a new malware campaign bypasses Windows protections; LastPass admits to customer data breach caused by previous breach; and Anker’s Eufy cameras caught sending data to cloud without user consent.
Article Links
[Electronic Frontier Foundation] Red Alert: The SFPD want the power to kill with robots https://www.eff.org/deeplinks/2022/11/red-alert-sfpd-want-power-kill-robots
[The Washington Post] TSA now wants to scan your face at security. Here are your rights. https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/
[BleepingComputer] Brave starts showing “privacy-preserving” ads in search results https://www.bleepingcomputer.com/news/technology/brave-starts-showing-privacy-preserving-ads-in-search-results/
[Tech.co] Microsoft Warns Hackers Use Google Ads to Deliver Ransomware https://tech.co/news/microsoft-warns-hackers-google-ads-ransomware
[Ars Technica] Thinking about taking your computer to the repair shop? Be very afraid https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/
[TechRadar] WhatsApp data breach sees nearly 500 million user records up for sale https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale
[9to5mac.com] Massive Twitter data breach was far worse than reported, reveal security researchers https://9to5mac.com/2022/11/25/massive-twitter-data-breach/
[BleepingComputer] Meta links U.S. military with covert Facebook influence operation https://www.bleepingcomputer.com/news/security/meta-links-us-military-with-covert-facebook-influence-operation/
[TechCrunch] US offshore oil and gas rigs at ‘significant’ risk of cyberattacks, warns watchdog https://techcrunch.com/2022/11/22/offshore-oil-gas-cyberattacks-watchdog/
[TechRadar] This new malware is able to bypass all of Microsoft’s security warnings https://www.techradar.com/news/this-new-malware-is-able-to-bypass-all-of-microsofts-security-warnings
[Naked Security] LastPass admits to customer data breach caused by previous breach https://nakedsecurity.sophos.com/2022/12/02/lastpass-admits-to-customer-data-breach-caused-by-previous-breach/
[MacRumors] Anker’s Eufy Cameras Caught Uploading Content to the Cloud Without User Consent https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/
Tip of the Week: Tis the Season for Scams: https://firewallsdontstopdragons.com/how-to-avoid-holiday-scams/
Further Info
Boston Dynamics robodog: https://www.youtube.com/watch?v=6Zbhvaac68Y
This Person Doesn’t Exist: https://thispersondoesnotexist.com/
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Table of Contents
0:00:37: Contest, promo updates
0:01:20: Update Chrome, iOS
0:01:51: News rundown
0:03:53: SFPD wants to arm its robots
0:08:18: TSA to expand use of facial recognition at airports
0:15:12: Brave to start showing “privacy-preserving” ads
0:17:45: Google Ads being used to deliver malware
0:21:17: Computer repair shops may be accessing your private data
0:29:17: WhatsApp data for nearly 500M users breached
0:30:59: Twitter data breach far worse than reported
0:35:03: Meta removes US military covert influence operation
0:38:12: US watchdog warns of offshore oil and gas rig vulnerabilities
0:41:32: New malware evades Microsoft protections for downloaded files
0:44:12: LastPass admits to customer data breach caused by p
300th Episode!!
I can’t believe I’ve been doing this for 300 weeks – almost 6 years now! And returning for his 3rd “podcentennial” episode is world-renowned security guru Bruce Schneier! Today we’ll discuss hacking – not just in the realm of computers, but in legal, political, social and economic spaces. And then we’ll talk about how artificial intelligence and computer automation are starting to play a significant role in hacking all of these realms. Computers and AI expand the scope, scale and speed of hacking and we’re honestly not prepared for it. To celebrate the 300th episode and the coming release of the 5th edition of my book, today I’m kicking off a big giveaway with lots of prizes and a killer promotion for patrons on Patreon! (See below for links.) Bruce Schneier is an internationally renowned technologist and security guru. He is the author of over one dozen books, including his latest, A Hacker’s Mind, due out in February, I believe. He has testified before Congress and has served on several government committees and corporate boards, written many seminal papers, has a very popular blog called Crypto-Gram, and last but not least, Bruce is the Chief of Security Architecture at Inrupt.  
Further Info
300th episode promotion: https://firewallsdontstopdragons.com/enter-to-win-300th-podcast-giveaway/
Patron promotion: https://www.patreon.com/posts/december-patron-75151773
The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html
A Hacker’s Mind book: https://www.schneier.com/books/a-hackers-mind/
Give the gift of security & privacy: https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/
Check out my Best & Worst Gifts Guide for 2022: https://firewallsdontstopdragons.com/best-worst-gifts-2022/
The Trolley Problem: https://en.wikipedia.org/wiki/Trolley_problem
Gödel’s incompleteness theorems: https://en.wikipedia.org/wiki/G%C3%B6del’s_incompleteness_theorems
Table of Contents
0:00:31: Interview preview
0:02:29: Interview start
0:03:13: How does hacking differ from inventing or just cheating?
0:07:14: What is artificial intelligence and when will it be like the sci-fi version?
0:11:32: Do we have to worry about AI replacing us or taking over?
0:13:57: Can we program human values into AI systems?
0:18:09: Why are reward and goal alignment so crucial for AI?
0:20:28: Will we ever implicitly trust AI if we can’t explain its answers?
0:25:37: Do we put too much trust in some AI systems?
0:27:59: How might AI systems be used to hack financial or political systems?
0:33:26: Can we govern AI systems with human laws?
0:36:40: Are non-computer systems more susceptible to hacks due to uncodified norms?
0:42:41: Can AI think outside the box if it doesn’t understand the box?
0:48:05: How does terrorism hack our brains and how do we prevent that?
0:53:35: What are some Utopian possibilities for AI?
0:55:08: How do we get more public interest technologists?
0:56:28: Interview wrap-up
0:58:19: 300th podcast giveaway!
1:01:49: Patron promotion!
Best & Worst Gifts for 2022
Black Friday is just around the corner, which marks the unofficial launch of the holiday shopping season. As you’re considering what gifts to give to your loved ones this year, I want to make sure you’re thinking about the privacy and security aspects. To that end, I have updated my annual Best and Worst Gift Guide and I will go over the highlights in this episode for my Tip of the Week. But I also have a special new gift idea this year: security and privacy coupons that you can download and give to your loved ones! In the news: USPS tells customers to avoid using the big blue mailboxes for gifts and important letters during the holiday season; Google pays nearly $400M fine to 40 states who sued over location tracking; Medibank refuses to pay ransom for data and criminals are starting to leak sensitive medical records online; TransUnion reports a data breach; FBI director warns that TikTok is a national security risk; Lenovo laptops are exposed to UEFI malware risks (update now); a mysterious company with government ties and a history of spying has become a root certificate authority; the British government is scanning its citizens’ devices looking for vulnerabilities in hopes of fixing them; almost 50% of all Mac malware can be traced to a single security application; Apple apps are sending tons of analytics data to Apple even when analytics are disabled; I answer a listener question (Dear Carey) about the best Mastodon clients, in the wake of the Twitter collapse.
Article Links
[Lifehacker] Avoid Using Blue Mailboxes During the Holidays, USPS Warns https://lifehacker.com/avoid-using-blue-mailboxes-during-the-holidays-usps-wa-1849773201
[The Hacker News] Google to Pay $391 Million Privacy Fine for Secretly Tracking Users’ Location https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html
[CPO Magazine] Medibank Refuses Ransom Payments, Hackers Leak Stolen Health Data to Dark Web https://www.cpomagazine.com/cyber-security/medibank-refuses-ransom-payments-hackers-leak-stolen-health-data-to-dark-web/
[BGR] TransUnion data breach compromises financial information of consumers https://bgr.com/tech/transunion-data-breach-compromises-financial-information-of-consumers/
[USA TODAY] FBI director says TikTok poses national security threat, and he’s ‘extremely concerned’ https://www.usatoday.com/story/tech/2022/11/16/tiktok-poses-national-security-threat-fbi/10709987002/
[Ars Technica] Lenovo driver goof poses security risk for users of 25 notebook models https://arstechnica.com/information-technology/2022/11/lenovo-patches-secure-boot-vulnerabilities-that-imperil-25-notebook-models/
[The Washington Post] Mysterious company with government ties plays key internet role https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
[Bleeping Computer] British govt is scanning all Internet devices hosted in UK https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/amp/
[Tom’s Guide] Almost 50% of macOS malware reportedly comes from single app — delete it now https://www.tomsguide.com/news/new-report-says-nearly-half-of-macos-malware-comes-from-single-app-delete-it-now
[Gizmodo] Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558
Dear Carey: Mastodon clients
https://joinmastodon.org/apps
https://bilge.world/mastodon-ios-apps
Further Info
Best & Worst Gifts for 2022: https://firewallsdontstopdragons.com/best–worst-gifts-2022/
Privacy & Security Coupons: https://fdsd.me/coupons
Give thanks and donate! https://firewallsdontstopdragons.com/give-thanks-donate/
Table of Contents
0:00:33: 5th edition update
0:03:38: QR code scam update
0:05:03: Twitter and FTX
0:06:07: News rundown
0:08:11: USPS says you should avoid blue mailboxes for holiday gifts
0:10:48: Google to pay $391M privacy fine to settle suit
0:13:05: Medibank refuses to pay ransom, data starts being posted
0:17:38: TransUnion data breach
0:20:46: FBI director says TikTok is a national security threat
0:23:40: Lenovo UEFI bug found, patch immediately
0:27:29: Mysterious company with gov’t ties wants to mint certificates
0:39:40: British government to scan internet for vulnerable device
Surveying the Digital Explosion
Connected computers have changed the world perhaps more than any other single invention. The impacts of nearly instant global communication and effectively infinite, perfect storage of information are at once undeniable and difficult to fully comprehend. And yet, technologists, bureaucrats and corporate leaders make decisions on a daily basis that should take those repercussions into account. Just because you can do something doesn’t mean you should. Today, we’ll discuss the digitization of the world and some of the more important impacts it has had and is having on society with the authors of the book Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion.

Harry Lewis, former Dean of Harvard College, is Gordon McKay Professor of Computer Science at Harvard. Ken Ledeen is the Chairman and Chief Executive Officer at Nevo Technologies, Inc., a software development and information technology consulting firm located in Cambridge, Massachusetts. Wendy Seltzer is Strategy Lead and Counsel to the World Wide Web Consortium (W3C) at MIT, improving the Web’s security, availability, and interoperability through standards.

Further Info
Buy or download Blown to Bits: https://www.bitsbook.com/thebook/
Weird Marketing Tales interviewed me: https://weirdmarketingtales.com/why-firewalls-dont-stop-dragons-carey-parker-privacy-security/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:16: Interview start
0:04:03: What brought you all together to write this book?
0:05:28: What are the biggest changes since the first edition?
0:10:04: What were the impacts of the Edward Snowden revelations?
0:12:44: How do we resolve the tension between privacy and law enforcement?
0:16:43: Are computer systems free from bias?
0:19:22: How do algorithms impact judicial decisions?
0:20:45: Why is it hard to explain how AI systems make decisions?
0:28:33: What is net neutrality and who are the gatekeepers today on the internet?
0:31:59: Have we lost the original Utopian ideal of the internet?
0:35:41: How have content moderation and personalization affected our experience?
0:40:48: How do these companies hyper-personalize the web?
0:45:44: Are we changing our own behaviors to game the algorithms?
0:47:35: Are bits more fragile than parchment and cave paintings?
0:53:29: What gives you hope? What keeps you up at night?
0:58:12: Interview wrap-up
0:59:34: Upcoming shows, promotions, interviews
Redirect Ransom
QR codes are not inherently dangerous. They’re effectively links we can click in the real world using the camera app on our phone. Like hyperlinks on a web page, QR code “links” can take you to good websites or bad websites. They can also disguise their ultimate destination by using URL shortening services like bitly or owly. But now “free” QR code generator websites – that is, sites that will let you create one of these QR codes by entering the HTTP link you want it to take people to – are using these redirects to basically hold your QR code for ransom. The QR codes they give you use the redirect links to insert themselves into the middle – and after some time, they will stop working until you subscribe and pay them money. If you’ve already printed these codes on hundreds of business cards or dozens of plaques for your restaurant, they’ve really got you over a barrel. I’ll help you avoid these scams.

In other news: Microsoft warns that attackers are quickly leveraging newly reported zero-days; some Chrome extensions are making money by inserting affiliate links for thousands of websites; Microsoft appears to be readying a useful PC cleanup tool for release; Apple clarifies its policy on security updates for older OS releases; a report details how hidden AI algorithms are affecting the lives of DC residents; facial recognition systems are being installed in many soccer stadiums; Uber is planning to bombard their users with ads; Clearview AI has been fined 30M euros by France; Apple is ramping up its own ads on its various apps and devices; and I answer another Dear Carey question, this one on the case that is bringing Section 230 in front of the Supreme Court.

Article Links
[Hacker News] Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html
[BleepingComputer] Chrome extensions with 1 million installs hijack targets’ browsers https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
[PCWorld] Microsoft’s surprise PC Manager system optimizer takes aim at CCleaner https://www.pcworld.com/article/1360140/microsoft-releases-beta-of-a-ccleaner-style-pc-manager-tool.html
[Ars Technica] Apple clarifies security update policy: Only the latest OSes are fully patched https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/
[WIRED] Algorithms Quietly Run the City of DC—and Maybe Your Hometown https://www.wired.com/story/algorithms-quietly-run-the-city-of-dc-and-maybe-your-hometown/
[WIRED] Soccer Fans, You’re Being Watched https://www.wired.com/story/soccer-world-cup-biometric-surveillance/
[Gizmodo] Uber Plans to Advertise to You At Every Stage of Your Ride, Using Your Own Data https://gizmodo.com/uber-ads-ride-share-uber-eats-1849678092
[Naked Security] Clearview AI image-scraping face recognition service hit with €20m fine in France https://nakedsecurity.sophos.com/2022/10/26/clearview-ai-image-scraping-face-recognition-service-hit-with-e20m-fine-in-france/
[Lifehacker] How to Block Apple’s Own Ads on Your iPhone https://lifehacker.com/how-to-block-apple-s-own-ads-on-your-iphone-1849703889

Tip of the Week: https://firewallsdontstopdragons.com/qr-code-scams-revisited/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: Countdown to 300
0:00:57: Twitter dumpster fire
0:01:25: 5th edition update
0:02:47: News preview
0:04:38: Attackers rapidly exploiting 0-day bugs
0:08:43: Chrome extensions committed click fraud
0:14:50: New Microsoft PC Cleaner tool coming
0:17:23: Apple doesn’t fix all bugs on older OS releases
0:21:11: Secret algorithms that affect our lives
0:27:23: Facial recognition spreading to many sports stadiums
0:33:12: Uber plans to show you ads everywhere
0:37:33: Clearview AI fined 20M Euros by France
0:41:49: Apple to do more advertising in their apps
0:44:18: Tip of the Week: QR codes hold links for ransom
0:51:31: Dear Carey
0:57:42: Upcoming stuff
Building Trust with Privacy
It’s easy to tell people to use this or that privacy tool, but this always assumes that you trust the service that is providing that tool. How can mere mortals ever hope to obtain sufficient knowledge of the inner workings of these products and service providers that would allow them to make an informed decision? Today, I’ll ask Adrianus Warmenhoven from Nord VPN that question, along with questions about normalizing surveillance and what privacy really means in our digital internet society.

Adrianus Warmenhoven is a Defensive Strategist and Threat Intelligence Manager at NordVPN. He is responsible for getting the most relevant IOCs (Indicators of Compromise), malware samples and their indicators and generally mapping out the threat landscape for the company’s customers.

Interview Links
Nord VPN: https://nordvpn.com/
The Follower: https://driesdepoorter.be/thefollower/
Five-Eyes Countries: https://en.wikipedia.org/wiki/Five_Eyes
Electronic Frontier Foundation: https://www.eff.org/
Mozilla Foundation: https://foundation.mozilla.org/en/
Give thanks and donate: https://firewallsdontstopdragons.com/give-thanks-donate/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:26: Elon Musk buys Twitter
0:01:31: What is Mastodon?
0:02:36: Interview preview
0:04:13: Tell us about Nord and what you do there
0:05:25: What is most misunderstood about privacy?
0:07:53: How does my privacy overlap your privacy?
0:10:08: What threats to privacy aren’t getting enough attention?
0:13:02: Doesn’t capitalism require companies to monetize our data?
0:16:26: Is it possible to compartmentalize our lives today?
0:18:32: Why can’t we learn that just because we can doesn’t mean we should?
0:22:09: How does privacy in the physical world differ from online?
0:24:21: Have we normalized surveillance for the younger generation?
0:30:22: How do we know which companies to trust with our privacy?
0:38:11: How can companies avoid gathering user data?
0:42:47: How important is transparency for consumers?
0:45:48: How do VPNs work and how do they fail?
0:48:46: How important is it for privacy companies to be in favorable jurisdictions?
0:52:19: How can I get more involved with privacy rights?
0:56:03: What gives you hope?
0:57:59: Bonus content
0:58:54: Interview wrap-up
1:01:51: Give thanks and donate
1:03:17: Dear Carey – ask me a question
1:04:13: Upcoming stuff
Your TV is Watching You
This is going to sound bonkers, even though you’re used to so many things tracking you… web pages, emails, and apps… but I’m here to tell you that while you’re watching your TV, your TV is also watching you. Or I guess more accurately, your TV is watching what you’re watching. Even if you’re not using the built-in smart apps, if you’re just piping pixels in from an external box, your TV can recognize the movies and shows being displayed. And it’s taking meticulous notes and selling that data. It’s called Automatic Content Recognition and “post-purchase monetization”. It’s sorta like the Shazam music recognition app, but for TV shows and movies. I’ll tell you what you can do to stop it.

In other news: a tricky new ransomware campaign is targeting home Windows users; Signal is removing support for SMS text messaging; Toyota user app data was exposed for years; the White House unveiled a new cybersecurity rating system for consumer products; Apple privacy is better than most, but still falls short; a privacy researcher tries and fails to keep her pregnancy secret from marketers; companies in the UK are tailoring real-life billboards using cameras and AI; relief funds were sent to people impacted by Hurricane Ian using AI algorithms; Facebook’s new VR headset will mine your facial expressions for marketing; a Wired article gives tips for avoiding student surveillance tools.

Article Links
[ZDNet] This unusual ransomware attack targets home PCs, so beware https://www.zdnet.com/article/this-unusual-ransomware-attack-targets-home-pcs-so-beware/
[Signal] Removing SMS support from Signal Android (soon) https://signal.org/blog/sms-removal-android/
[BleepingComputer] Toyota discloses data leak after access key exposed on GitHub https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/
[CyberScoop] White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star https://www.cyberscoop.com/white-house-to-unveil-internet-of-things-labeling/
[The Atlantic] I Tried to Keep My Pregnancy Secret https://www.theatlantic.com/ideas/archive/2022/10/can-you-hide-your-pregnancy-era-big-data/671692/
[The Guardian] Apple says it prioritizes privacy. Experts say gaps remain https://www.theguardian.com/technology/2022/sep/23/apple-user-data-law-enforcement-falling-short
[VICE] Companies in the UK Are Mining Users’ Personal Data to Place Billboard Ads https://www.vice.com/en/article/n7zqmb/companies-in-the-uk-are-mining-users-personal-data-to-place-billboard-ads
[WIRED UK] Hurricane Ian Destroyed Their Homes. Algorithms Sent Them Money https://www.wired.co.uk/article/hurricane-ian-destroyed-homes-google-algorithms-sent-money
[Gizmodo] Meta’s New Headset Will Track Your Eyes for Targeted Ads https://gizmodo.com/meta-quest-pro-vr-headset-track-eyes-ads-facebook-1849654424
[WIRED] How to Protect Yourself If Your School Uses Surveillance Tech https://www.wired.com/story/how-to-protect-yourself-school-surveillance-tech-privacy/

Tip of the Week: https://firewallsdontstopdragons.com/your-tv-is-watching-you/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:27: News rundown
0:03:40: Sneaky new Windows ransomware targets home users
0:07:20: Signal drops support for SMS on Android
0:14:53: Toyota leak exposed car app data for 5 years
0:18:27: White House cybersecurity product labeling initiative
0:21:54: Privacy scholar tries and fails to keep pregnancy secret
0:28:28: Apple still has glaring privacy holes
0:33:57: UK billboards target content using cameras and AI
0:38:56: Hurricane Ian relief funds sent using AI automation
0:45:23: Facebook VR headset reads your facial expressions
0:51:30: Protecting yourself from school surveillance
0:56:23: Tip of the Week: Your TV is Watching You
1:05:06: Dear Carey
1:08:42: Upcoming book, coin promotions
Protecting Schools and Students
We talk a lot about security and privacy on my show, but we don’t talk enough about these subjects in relation to students and schools. Schools are tragically underfunded and can’t afford to hire cybersecurity experts, let alone privacy experts. Students are minors who lack the legal rights and life experience to push back against horrific privacy invasions brought on by remote learning and in-home test proctoring. The laws in the US are woefully outdated and we too often assume that what is legal is the same as what is right and just. Today, I’ll discuss these challenges and ethical dilemmas with Doug Levin.

Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats.

Interview Links:
K12 SIX: https://www.k12six.org/
Annual “State of K-12 Cybersecurity Report”: https://www.k12six.org/the-report
K-12 Essentials Series: https://www.k12six.org/essentials-series
Public event calendar: https://www.k12six.org/events
US Department of Education, Privacy Technical Assistance Center: https://studentprivacy.ed.gov/
CISA K-12 Cybersecurity Resources: https://www.cisa.gov/stopransomware/k-12-resources
CISA Back to School Campaign: https://www.cisa.gov/r8-virtual-back-school-campaign-2022
US GAO: “Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K-12 Schools from Cyber Threats” https://www.gao.gov/products/gao-22-105024
EFF: Student Privacy Resources https://www.eff.org/issues/student-privacy
CDT: Student Privacy Resources https://cdt.org/area-of-focus/privacy-data/student-privacy/
EPIC: Student Privacy https://epic.org/issues/data-protection/student-privacy/
Algorithmic Justice League: https://www.ajl.org/
The Markup: https://themarkup.org/machine-learning/2022/01/19/help-us-investigate-the-ed-tech-industry
Fight for the Future, which e.g., runs this campaign: https://www.baneproctoring.com/
ACLU: https://www.nyclu.org/en/issues/education-policy-center/technology-schools

Further Info
Send me your questions! https://fdsd.me/qna
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:24: Pre-interview definition of terms
0:05:07: What is K12SIX about?
0:10:52: What are the biggest security threats for schools?
0:17:15: What about security threats for teachers and students?
0:21:58: What are your top security recommendations for schools?
0:30:01: What are the major impediments for schools improving cybersecurity?
0:33:20: How can school systems best share info and help one another?
0:37:41: What are the main privacy threats for students?
0:46:25: How is student data being used (or abused)?
0:48:36: How do AI systems fail when it comes to minority populations?
0:51:32: How can students and parents assert their privacy rights?
0:56:03: What resources can you recommend for schools and students?
0:59:39: Interview wrap-up
1:00:40: Not reusing user names and passwords
1:02:20: Preview of upcoming shows, promotions
Mobile Payment Fraud
Cold hard cash is becoming more and more rare these days. People just don’t carry it around much any more. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. While convenient, are these payment systems safe? Most of them actually are pretty secure (though some of them are not very private, like Venmo). But because most of these apps draw directly from your bank account, if you send money to the wrong person, either by mistake or because you were scammed, that money is pretty much gone. Ironically, this is very much like physical cash. Specifically, protections many people assume they have against fraudulent bank transactions don’t really apply. You explicitly made the transfer and therefore many banks will not reimburse you for the loss.

In other news: Optus confirms massive data breach; Optus breach triggers privacy regulation review in Australia; Facebook shuts down propaganda campaigns from Russia and China; Facebook warns 1M users of potential credential theft; Google will be migrating Fitbit customers to Google accounts; Microsoft adds new protections to warn you of PC password reuse and insecure storage; the FTC is pushing for new rules around location data collection and sharing; Google releases new tool to help purge personal information from its search results.

Article Links
[BleepingComputer] Optus confirms 2.1 million ID numbers exposed in data breach https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/
[The Verge] Australia to overhaul privacy laws after massive data breach https://www.theverge.com/2022/9/26/23372868/australian-hack-disclosure-privacy-laws-optus-data-breach
[Hacker News] Facebook Shuts Down Covert Political ‘Influence Operations’ from Russia and China https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html
[9to5mac.com] Facebook security warning for 1M users: Scam apps stole login credentials https://9to5mac.com/2022/10/07/facebook-security-warning/
[Hacker News] Google to Make Account Login Mandatory for New Fitbit Users in 2023 https://thehackernews.com/2022/09/google-to-make-account-login-mandatory.html
[Lifehacker] Microsoft Has a New Trick for Keeping Your Password Safe https://lifehacker.com/microsoft-has-a-new-trick-for-keeping-your-password-saf-1849580498
[Bloomberg] FTC Joins Push for Rules on Trade of Smartphone Location Data https://www.bloomberg.com/news/articles/2022-09-16/location-data-rules-draw-ftc-s-attention-post-roe
[The Verge] In 2023, Google can notify you if personal info pops up in search https://www.theverge.com/2022/9/28/23377208/google-results-about-you-notifications-personal-info
[briankrebs] Report: Big U.S. Banks Are Stiffing Account Takeover Victims https://krebsonsecurity.com/2022/10/report-big-u-s-banks-are-stiffing-account-takeover-victims/

Further Info
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Consumer Reports: payment apps: https://www.consumerreports.org/digital-payments/how-to-safely-pay-for-goods-and-services-with-someone-you-dont-know/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: News rundown
0:02:49: 10 Million Optus users affected by breach
0:06:04: Optus breached via open web interface
0:10:28: Facebook shuts down political influence campaigns
0:13:38: Facebook warns 1M users of potential credential theft
0:18:42: Google to require Fitbit users to log in with Google account
0:20:45: Microsoft releases new password protections in Windows
0:25:46: FTC pushing new rules on sharing location data
0:31:44: Google tool helps remove personal info from search results
0:33:50: Banks rarely refund money from Zelle scams
0:39:37: Tip of the Week
0:44:31: Q&A: Is Apple’s Time Machine safe against ransomware?
0:48:27: Q&A: Can I trust my bank’s data access provider?
0:53:45: 5th edition of the book
Capture the Flag for Fun & Profit
Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game – except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn’t require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it – in a completely safe and legal environment. Jordan will tell you all about it in today’s show!

Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer, but now he’s mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years of HackASat and he was one of the founders of Vector 35, the company that makes Binary Ninja.

Interview Links
Hack-A-Sat 3: https://hackasat.com/
Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/
Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html
Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised
Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/
Plaid CTF: https://plaidctf.com/
CTFTime.org: https://ctftime.org/
Pwnable.kr: https://pwnable.kr/
Pwnable.tw: https://pwnable.tw/
Reversing.kr: http://reversing.kr/
Shodan: https://www.shodan.io/
Burp Suite: https://portswigger.net/burp
Wireshark: https://www.wireshark.org/
Binary Ninja: https://binary.ninja/
Metasploit: https://www.metasploit.com/
Nmap: https://nmap.org/
Live Overflow: https://liveoverflow.com/
TryHackMe: https://tryhackme.com/

Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Support my work! https://firewallsdontstopdragons.com/support/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:04:25: What is Hack-A-Sat?
0:08:44: How has the Hack-A-Sat program evolved?
0:12:58: How did CTFs start out and when did they become popular?
0:17:37: Why do we have so many unfilled cybersecurity jobs?
0:21:15: Do you need a college degree to work in cybersecurity?
0:29:39: What’s a black hat hacker vs white hat? What’s a red team or blue team?
0:32:15: How do CTFs actually work? What is a flag and how do I capture it?
0:38:05: Are there beginner CTFs that are free to try?
0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?
0:51:57: How do hackers chain together multiple exploits?
0:56:26: What’s your advice to someone who would like to try a CTF?
1:00:36: What’s next for Hack-A-Sat?
1:02:25: Interview wrap-up
1:04:07: What is Rick-Rolling?
1:05:23: Try a CTF, go to a hacker con!
iOS 16 Security & Privacy Features
Apple just released a major update to its iPhone operating system, iOS 16. This release has some really important security and privacy features, including Passkeys, Lockdown Mode and Safety Check. I’ll give you an overview of these features.

In other news: D-Link routers have a major vulnerability that’s being actively exploited; Uber was completely pwned by a cocky 18-year-old hacker; Morgan Stanley was fined $35 million for failing to delete user data from hundreds of hard drives before reselling them; Chrome and Edge may be sending your form data back to Google and Microsoft; a new voice AI tool lets you change your voice to sound like someone else; health apps are sharing your personal data and HIPAA isn’t helping; the US military is using yet another data broker to buy incredibly detailed information on almost all internet users; US border agents can search your phone and even copy your phone’s data, and may save that info for 15 years; your car is coughing up tons of personal and auto data to dozens of data companies; Intel’s new AI will be used to find students who are confused or even emotionally distressed.

Article Links
[BleepingComputer] Moobot botnet is coming for your unpatched D-Link router https://www.bleepingcomputer.com/news/security/moobot-botnet-is-coming-for-your-unpatched-d-link-router/
[WIRED] The Uber Hack’s Devastation Is Just Starting to Reveal Itself https://www.wired.com/story/uber-hack-mfa-phishing/
[Ars Technica] $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/
[BleepingComputer] Google, Microsoft can get your passwords via web browser’s spellcheck https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
[Ars Technica] With Koe Recast, you can change your voice as easily as your clothing https://arstechnica.com/information-technology/2022/09/with-koe-recast-you-can-change-your-voice-as-easily-as-your-clothing/
[The Washington Post] Health apps share your concerns with advertisers. HIPAA can’t stop it. https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/
[VICE] Revealed: U.S. Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data
[Engadget] US border forces are seizing Americans’ phone data and storing it for 15 years https://www.engadget.com/us-border-forces-traveler-data-15-years-085106938.html
[The Washington Post] How to prevent customs agents from copying your phone’s content https://www.washingtonpost.com/technology/2022/09/18/phone-data-privacy-customs/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Protocol] Intel thinks its AI knows what students think and feel in class https://www.protocol.com/enterprise/emotion-ai-school-intel-edutech

Tip of the Week: https://firewallsdontstopdragons.com/ios-16-privacy-security/

Further Info
Koe Recast web demo: https://koe.ai/recast/
100-mile US border zone: https://www.aclu.org/other/constitution-100-mile-border-zone
Tech Model Railroad Club: https://en.wikipedia.org/wiki/Tech_Model_Railroad_Club
Send me your questions! https://firewallsdontstopdragons.com/dear-carey-podcast-qa/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:54: News rundown
0:05:53: Major D-Link router vulnerability
0:08:43: Uber hacked by 18-year-old
0:12:23: Morgan Stanley fined $35 million for mishandling customer data
0:16:53: Google and Microsoft browser spell checkers may see personal data
0:23:11: Tool allows you to change your voice to sound like someone else
0:30:16: Health apps are sharing your personal, sensitive information
0:37:05: Yet another data broker selling tons of info to US government
0:43:30: CBP copies your device data and may store it for 15 years
0:47:56: How to guard your phone data at international borders
0:54:32: Your car data is up for sale by multiple third parties
1:00:17: Schools use face AI to find bored or troubled students
1:05:15: New privacy and security features of iOS 16
1:16:18: Send me your questions!
1:20:15: Upcoming interviews
Tornado Warning for Free Speech
You may not be into cryptocurrency, but a recent incident involving a so-called “cryptocurrency mixer” has some important implications for privacy and free speech. Today we’ll examine the relative anonymity of cryptocurrency transactions, tools that can be used to enhance that anonymity, and why the code that created these tools – and the services that might host them – must be protected under the First Amendment. Along the way, we’ll explore the limits of free speech in the US and some interesting attempts to capture those rights. Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation, the leading nonprofit defending digital privacy, free speech, and innovation. Interview Links Coin Center article on Tornado Cash: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/  Electronic Frontier Foundation: https://www.eff.org/  Code, Speech, and the Tornado Cash Mixer https://www.eff.org/deeplinks/2022/08/code-speech-and-tornado-cash-mixer  Treasury Dept sued over Tornado Cash sanctions: https://fortune.com/2022/09/08/coinbase-employees-and-ethereum-backers-sue-u-s-treasury-over-tornado-cash-sanctions/  Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887  Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Donate directly with Monero! https://firewallsdontstopdragons.com/contact/  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:42: Interview setup 0:02:43: How anonymous are cryptocurrency transactions? 0:07:30: What is a cryptocurrency mixer and why would I use one? 
0:10:34: Kurt’s thoughts on “going dark” 0:12:45: Physical currency is not technically anonymous, either 0:14:07: How did the White House try to fix this problem? 0:15:27: Who is OFAC and what is the SDN list? 0:16:57: Who or what is Tornado Cash? 0:20:23: What about Tornado Cash drew scrutiny from the US Gov’t? 0:22:08: How does all of this relate to free speech? 0:26:22: One of the developers was arrested – what’s the EFF’s take on this? 0:29:14: Is a platform responsible for illegal activities related to content they host? 0:31:18: What’s the limit of free speech when it comes to software code? 0:41:00: What free speech rights do platforms themselves have? 0:44:42: What about attempts to turn code into books or T-shirts to gain protection? 0:48:04: What’s next for the Tornado Cash case? 0:55:12: Interview wrap-up 0:55:46: Looking ahead
Decoding Computers & Software
A little over 20 years ago, Charles Petzold wrote what would become a classic book on understanding modern computers and the software that drives them. Computers have become essential to daily life and inhabit more and more of the devices we use every day. Every “smart” device you own contains a computer running software. While these little silicon chips and the binary code running them seem like magic, they’re really just a series of simple building blocks chained together to accomplish a task. Having a basic understanding of these concepts can give us a lot more perspective on how computers can be used and abused, programmed and subverted. When I learned that Charles was releasing a fully updated 2nd edition of Code, I asked him to come on the show to give us all a historical overview of computers and software. He graciously agreed. The concepts of computing and programming go back a lot further than you might think. Today we’ll learn about this and much more. Charles Petzold is the author of the books Code, The Annotated Turing, and numerous programming tutorials involving Microsoft Windows. Interview Notes Code: The Hidden Language of Computer Hardware and Software: https://www.charlespetzold.com/books/  Companion website: https://codehiddenlanguage.com/  The Annotated Turing: https://www.charlespetzold.com/AnnotatedTuring/  Alan Turing: https://en.wikipedia.org/wiki/Alan_Turing  Ada Lovelace: https://en.wikipedia.org/wiki/Ada_Lovelace  Delay Line Mercury Storage: https://en.wikipedia.org/wiki/Delay-line_memory#Mercury_delay_lines  Steganography: https://en.wikipedia.org/wiki/Steganography  Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887  Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Donate directly with Monero! 
https://firewallsdontstopdragons.com/contact/  Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:08: Hold off on iOS 16 update 0:02:47: Preview of today’s interview 0:05:49: Why did you write this book and who was your target audience? 0:11:03: Why should we understand the basics of computing? 0:12:39: What IS a “computer”, fundamentally? 0:16:35: Where did computers start, historically? 0:19:21: What’s the origin of software and programming computers? 0:22:14: How did we store computer programs before hard drives? 0:25:30: How did encoding enable us to communicate over large distances? 0:30:00: How do we measure progress in computing? 0:34:24: How did you decide how to lay out the concepts in the book? 0:39:29: How can understanding computers help us be more secure? 0:43:17: What does the future of computing look like? 0:49:58: What will your next book be about? 0:53:55: Interview wrap-up 0:54:53: My Google rant 0:58:03: A bit on steganography and codes 0:59:41: Upcoming shows, schedule change
LastPass Source Code Breach
Password manager software maker LastPass suffered a data breach last week, which understandably made their customers very nervous – and caused some people to question the decision to put all their passwords in one digital basket. In today’s show, I’ll explain why this particular breach was not a threat to anyone’s passwords and why you should still use a high quality password manager. In other news: Former security chief blows the whistle on Twitter; major VPN providers are pulling out of India over surveillance law issues; a set of popular Chrome extensions caught committing click fraud; Google’s new Chrome extension restrictions threaten to hobble ad blockers; a father’s Google accounts are deleted over false AI-flagged CSAM; US Federal Trade Commission sues a data broker over lax protection of location data; EFF finds another data broker selling location data to law enforcement; Google launches bug bounty program for open source software projects; DuckDuckGo’s email privacy protection feature now available to all; Ohio judge rules that scanning students’ rooms before tests is illegal; a flight to Cabo is nearly grounded thanks to a passenger sending dick pics to other passengers, including one of the pilots. 
Article Links [The Washington Post] Former security chief claims Twitter buried ‘egregious deficiencies’ https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/ [9to5mac.com] Major VPN services shut down in India over anti-privacy law; Apple hasn’t yet commented https://9to5mac.com/2022/09/01/major-vpn-services/ [BleepingComputer] Chrome extensions with 1.4 million installs steal browsing data https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/ [BleepingComputer] AdGuard’s new ad blocker struggles with Google’s Manifest v3 rules https://www.bleepingcomputer.com/news/security/adguard-s-new-ad-blocker-struggles-with-google-s-manifest-v3-rules/ [The New York Times] A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html [Reuters] U.S. FTC sues data broker Kochava for alleged sale of sensitive data https://www.reuters.com/legal/us-ftc-sues-data-broker-kochava-alleged-sale-sensitive-data-2022-08-29/ [Electronic Frontier Foundation] Data Broker Helps Police See Everywhere You’ve Been with the Click of a Mouse: EFF Investigation https://www.eff.org/press/releases/data-broker-helps-police-see-everywhere-youve-been-click-mouse-eff-investigation [Naked Security] LastPass source code breach – do we still recommend password managers? https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/ [Decipher] Google Launches Bug Bounty Program For Open Source Projects https://duo.com/decipher/google-launches-bug-bounty-program-for-its-open-source-projects [Spread Privacy] Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All! 
https://spreadprivacy.com/protect-your-inbox-with-duckduckgo-email-protection/ [The Verge] University can’t scan students’ rooms during remote tests, judge rules https://www.theverge.com/2022/8/23/23318067/cleveland-state-university-online-proctoring-decision-room-scan [VICE] Creeps Airdropping Dick Pics Just Made Flying Even Worse https://www.vice.com/en/article/3adag9/southwest-tiktok-video-pilot-airdropped-nudes Tip of the Week: How to Prevent Cyberflashing https://firewallsdontstopdragons.com/how-to-prevent-cyberflashing/  Further Info Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:32: Update Google Chrome and older iPhones 0:05:48: Twitter whistleblower 0:10:29: Major VPN services shutting down in India 0:14:00: Popular Chrome extensions committing click fraud 0:16:51: Google Chrome changes will limit ad blockers 0:23:38: Father loses Google accounts over false CSAM flagging by AI 0:27:22: FTC sues data broker 0:30:17: EFF research uncovers more police purchases of location data 0:34:55: LastPass source code breach 0:46:43: Google launches bug bounty for open source software 0:49:51: DuckDuckGo email privacy feature now open to all 0:55:55: Court blocks scanning of students’ rooms during remote tests 1:00:43: Cyberflashing nearly grounds flight 1:05:35: Notes on upcom
The Night the Lights Went Out in Vegas
Thirty years ago, a young hacker named Jeff Moss (aka The Dark Tangent) threw a party in the desert of Nevada to commemorate the demise of a bulletin board system called PlatinumNet. Unlike the other handful of hacker conferences at that time, this one would be on the West Coast and open to everyone. Over the next three decades, DEF CON would become the preeminent hacker convention for the US (possibly the world), drawing upwards of 30,000 attendees. Along with its more-corporate spinoff Black Hat and the related BSides conference, the back-to-back conferences are affectionately referred to as Hacker Summer Camp. In today’s show, I’ll walk down memory lane with Jeff, discussing the ups and downs he’s experienced and delve into what this has all meant to him, personally. Oh yeah… and also the incident involving strippers and hacking the power grid. Further Info Amulet of Entropy badge: https://amuletofentropy.com/  DEF CON documentary: https://www.youtube.com/watch?v=SUhyeY0Fsvw My first trip to DEF CON: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/  Last year’s interview with Jeff Moss: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/  Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396 Legion of Doom (LOD) vs Masters of Deception (MOD): https://en.wikipedia.org/wiki/Great_Hacker_War  SATAN tool: https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks A brief history of hacking: https://encyclopedia.kaspersky.com/knowledge/a-brief-history-of-hacking/  Cap’N Crunch whistle: https://www.thingiverse.com/thing:2630646  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887  Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Donate directly with Monero! 
https://firewallsdontstopdragons.com/contact/  Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Hacker Summer Camp 0:03:30: Pre-interview things of note 0:05:31: DEF CON, the early years 0:12:02: How has DEF CON changed since the beginning? 0:16:08: What’s the closest DEF CON ever came to ending? 0:24:44: Why is DEF CON so full of shenanigans? 0:26:49: What has DEF CON meant to you, personally? 0:32:02: Thoughts on the DEF CON culture 0:37:13: What’s your “Jeff sense” on choosing the best people? 0:39:50: What’s in the future for DEF CON? 0:46:13: What speakers have you always wanted but couldn’t get? 0:51:04: Learning more about hackers and hacking 0:53:50: Where does “2600” come from? 0:57:18: Important notes for new listeners
Hacker Summer Camp 2022
If it’s August in Las Vegas, it’s time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked – I hope to go back every year. This was the big 30th anniversary of DEF CON and several of the news stories this week came from one of these hacker conferences. And next week I’ll air my wonderful interview with DEF CON’s CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple’s App Store security checks and contain malware – you should delete them ASAP; iOS VPN apps aren’t properly securing connections made before activating the VPN; TikTok’s in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco’s network breach has lessons for all of us; Signal’s use of phone numbers as identifiers highlighted due to breach at Twilio; a new jailbreak has been found on John Deere tractors that might allow farmers to service their own equipment; Amazon is planning to release a reality TV show based on Ring doorbell footage; a digital hallway pass allows schools to intrusively monitor their students; and law enforcement is tapping into DNA databases of the blood samples taken at birth by hospitals to solve crimes. 
Article Links [Tom’s Guide] These Mac apps are secretly spreading malware — delete them now https://www.tomsguide.com/news/these-mac-apps-are-secretly-spreading-malware-delete-them-now [Ars Technica] iOS VPNs have leaked traffic for years, researcher claims [Updated] https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/ [Forbes] TikTok’s In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/ [Threatpost] Cisco Confirms Network Breach Via Hacked Employee Google Account https://threatpost.com/cisco-network-breach-google/180385/ [TechCrunch] Signal says 1,900 users’ phone numbers exposed by Twilio breach https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/ [Ars Technica] A new jailbreak for John Deere tractors rides the right-to-repair wave https://arstechnica.com/information-technology/2022/08/a-new-jailbreak-for-john-deere-tractors-rides-the-right-to-repair-wave/ [VICE] ‘Ring Nation’ Is Amazon’s Reality Show for Our Surveillance Dystopia https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia [VICE] A Tool That Monitors How Long Kids Are in the Bathroom Is Now in 1,000 American Schools https://www.vice.com/en/article/dy73n7/ehallpass-1000-thousand-schools-monitor-bathroom [WIRED] Police Used a Baby’s DNA to Investigate Its Father for a Crime https://www.wired.com/story/police-used-a-babys-dna-to-investigate-its-father-for-a-crime/ Tip of the Week: https://firewallsdontstopdragons.com/be-my-guest-no-i-insist/ Further Info A few Amulets of Entropy are still left: https://hackerboxes.com/collections/past-hackerboxes/products/hackerbox-0080-entropy Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:17: DEF CON 30 notes 0:03:00: Quick security notes 0:03:46: News rundown 0:06:50: Delete these Apple apps immediately 0:10:44: iOS VPN apps fail to secure old connections 0:15:00: TikTok’s in-app browser able to record private info 0:20:49: Cisco breach due to employee Google account hack 0:25:08: Signal says 1,900 users’ phone numbers exposed 0:28:15: Hacker reports vulnerability in John Deere equipment 0:32:04: Amazon’s new Ring video reality show 0:36:27: e-HallPass monitors students’ bathroom breaks 0:39:27: US baby DNA being used by law enforcement 0:44:54: Tip of the Week 0:51:51: Wrap up
Privacy vs Content Moderation
There’s no doubt that the internet has enabled criminals to share illicit and vile content with ease. The advent of high-quality end-to-end encrypted communications has made sharing this material harder for law enforcement to police. But the solution is not to cripple this technology, which is essential for security, privacy and even democracy. Today I’ll discuss this thorny issue with Dhanaraj Thakur from the Center for Democracy and Technology. We’ll talk about several dangerous proposals currently being considered in the US and Europe, and some potential solutions that can limit criminal behavior while preserving security and our right to privacy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online. Further Info Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems: https://cdt.org/insights/outside-looking-in-approaches-to-content-moderation-in-end-to-end-encrypted-systems/ End Run Around Your Rights: https://podcast.firewallsdontstopdragons.com/2021/12/13/end-run-around-your-rights/ Center for Democracy & Technology: https://cdt.org/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:19: Rebranding rolling out 0:02:11: Why is content moderation coming to the fore? 0:05:11: What are the types of content we’re trying to control? 0:08:30: How is automated copyright detection being abused by police? 0:09:49: What are the phases of content moderation? 0:12:01: How can content moderation scale on huge platforms? 0:15:14: How does moderation differ inside vs outside the US? 0:18:12: What is the platform liability for content? 
0:21:33: How good is automated content filtering? 0:25:01: When does moderation become censorship? 0:27:52: Can social media companies block or allow whatever they want? 0:30:53: What does end-to-end encryption really mean? 0:34:42: How important is metadata for identifying illicit content? 0:37:26: What are the current legislative proposals around content moderation? 0:41:13: How can we comply with these orders without losing privacy? 0:46:09: So where do we draw the line? 0:48:44: How did we police this before the internet? 0:49:34: How can I learn more and get involved? 0:51:57: Listener mailbag coming soon! 0:52:49: Preview of coming shows