
Firewalls Don't Stop Dragons Podcast
Security Via Subtraction
All software has bugs, so the more software you have installed, the more bugs you have. It’s not just the bugs in any individual application, but it’s also magnified by interactions between some applications. Thankfully, the converse is also true: the less software you have installed, the fewer bugs you have (statistically, anyway). How many apps have you installed because they were free? How many apps came installed with your PC that you never use? How about companion apps for products you no longer own? Or maybe apps you installed years ago that you’ve forgotten about. You need to review all of your apps and get rid of anything you aren’t using. You can always reinstall them later, if necessary. But removing unused apps will also remove any software bugs and vulnerabilities that inevitably come with them. (It’s also one less app to gather and sell personal data.) In other news: Amazon is looking to buy the maker of Roomba robotic vacuums that know the map of your home; Amazon is also hoping to buy a medical company to start directly providing healthcare; Google once again delays removing support for 3rd party cookies in Chrome; a candidate post-quantum computing encryption algorithm was defeated in an hour with a regular PC; open source software is used everywhere, but is getting very little security support; hackers act on patched bugs within minutes; our cars are collecting and sharing tons of detailed information about us and our driving habits; Samsung has implemented a “repair mode” to protect your data while your phone is in the shop; and a new Android malware is contained in several “cleaner” apps. 
Article Links
[Mashable] Amazon vacuums up Roomba maker iRobot, sparking immediate privacy concerns https://mashable.com/article/amazon-irobot-acquisition-roomba-privacy
[Time] Amazon’s Dangerous Ambition to Dominate Healthcare https://time.com/6201575/amazons-dangerous-ambition-to-dominate-healthcare/
[HackerNews] Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024 https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html
[Ars Technica] Post-quantum encryption contender is taken out by single-core PC and 1 hour https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
[Ars Technica] Samsung’s “repair mode” lets technicians look at your phone, not your data https://arstechnica.com/gadgets/2022/07/samsungs-repair-mode-lets-technicians-look-at-your-phone-not-your-data/
[Lawfare] Open-Source Security: How Digital Infrastructure Is Built on a House of Cards https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
[ZDNet] Race against time: Hackers start hunting for victims just 15 minutes after a bug is disclosed https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Ars Technica] T-Mobile to pay $500M for one of the largest data breaches in US history https://arstechnica.com/tech-policy/2022/07/t-mobile-to-pay-500m-for-one-of-the-largest-data-breaches-in-us-history/
[Tom’s Guide] Millions infected by ‘auto-starting’ Android malware — delete these apps now https://www.tomsguide.com/news/millions-infected-by-auto-starting-android-malware-delete-these-apps-now
Tip of the Week: https://firewallsdontstopdragons.com/deleting-your-way-to-better-security/
Further Info
Mac AppCleaner: https://freemacsoft.net/appcleaner/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:30: DEF CON 30 is here!
0:03:20: News rundown
0:05:55: Amazon to buy iRobot, maker of Roomba
0:11:22: Amazon to get into healthcare
0:16:12: Google again delays removal of 3rd party cookies from Chrome
0:18:20: Post-quantum cryptography algorithms being vetted
0:23:51: Samsung’s “repair mode” protects your data
0:26:53: Open source software needs security support
0:32:36: Hackers pounce on newly-fixed bugs
0:35:23: Your car is collecting and sharing your driving data
0:42:44: T-Mobile fined $500M for data breach
0:46:46: New Android malware embedded in “cleaner” apps
0:49:53: Tip of the Week: Delete unused apps
0:57:29: Preview of next week’s interview
0:57:54: Drinks w/ me at DE
No Place Left to Hide
Cameras are everywhere. Every person you pass on the street has a camera on their phone, and security cameras are everywhere. They’re so cheap and small now, and most of them are connected to the cloud. Not only does that mean they have essentially unlimited storage, but it also opens the door for computers to process those images and footage looking for faces. Today, I’ll speak with Nate Wessler from the ACLU about the implications of this technological perfect storm for our privacy, and what rights we actually have today with regard to facial recognition and the use of these systems by law enforcement. Nate Wessler is a deputy director with the ACLU’s Speech, Privacy, and Technology Project, where he focuses on litigation and advocacy around surveillance and privacy issues, including government searches of electronic devices, requests for sensitive data held by third parties, and the use of surveillance technologies.
Further Info
ACLU suit against Clearview AI: https://iapp.org/news/a/aclu-files-class-action-vs-clearview-ai-under-biometric-privacy-law/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:41: DEF CON updates
0:03:18: Interview start
0:05:46: Carpenter v. US case
0:10:13: What’s my expectation of privacy in public spaces?
0:17:30: Private right of action
0:18:58: What rights do I have for online photos of me?
0:21:54: Aren’t we enabling facial recognition by tagging people?
0:23:47: Is there any solution beyond regulation?
0:27:16: Who is Clearview AI and what are they doing?
0:32:24: ACLU’s lawsuit win against Clearview AI
0:38:57: Is it possible to limit this tech to just “the good guys”?
0:43:00: This guy looks like Woody Harrelson!
0:47:07: What about the good uses for this tech?
0:53:09: What about 1-to-1 facial matching services?
0:56:20: So what can we, as citizens, do about all of this?
0:58:22: When should we reach out to the ACLU?
1:00:26: Wrap up
Hacking Your Honda
The “rolling code” technology used to remotely open and lock your car is supposed to prevent hacking. Unfortunately, Honda has a pretty serious vulnerability in their cars that apparently allows anyone with a little talent and cheap hacking tools to get into your car – and maybe even start it (though not actually drive it away). If correct, this vulnerability affects probably all Hondas made over the last 10 years. So far, Honda has denied that this is a problem, but many researchers have reproduced the hack. In other news: cheap, Chinese-made GPS vehicle trackers are vulnerable to remote hacking; Chrome, Edge and Safari browsers fix serious 0-day bugs; Twitter data breach info on 5.4M users is up for sale on the dark web; Windows is getting a crucial security update that turns an important security feature on by default; the Conti ransomware gang is attacking the entire country of Costa Rica; Facebook quickly bypasses Firefox’s URL tracking removal feature; Tor Browser adds a useful feature that will help people in repressive countries; Google appears ready to stop blocking political spam emails; Amazon admits to giving Ring video to law enforcement without consent or a warrant; a complicated, targeted web browser trick can be used to identify website visitors.
Article Links
[U.S. News & World Report] Researchers: Chinese-Made GPS Tracker Highly Vulnerable https://www.usnews.com/news/business/articles/2022-07-19/researchers-chinese-made-gps-tracker-highly-vulnerable
[Ars Technica] 0-day used to infect Chrome users could pose threat to Edge and Safari users, too https://arstechnica.com/information-technology/2022/07/exploit-seller-used-chrome-exploit-and-2-other-0-days-to-infect-journalists/
[9to5mac.com] Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k https://9to5mac.com/2022/07/22/twitter-data-breach/
[ZDNet] Windows 11 is getting a new security setting to block ransomware attacks https://www.zdnet.com/article/windows-11-is-getting-a-new-security-setting-to-block-ransomware-attacks/
[ThreatPost] Conti’s Reign of Chaos: Costa Rica in the Crosshairs https://threatpost.com/contis-costa-rica/180258/
[Schneier Blog] Facebook Is Now Encrypting Links to Prevent URL Stripping https://www.schneier.com/blog/archives/2022/07/facebook-is-now-encrypting-links-to-prevent-url-stripping.html
[Infosecurity Magazine] Tor Browser Adds Automatic Censorship Circumvention https://www.infosecurity-magazine.com/news/tor-browser-automatic-censorship/
[Inc. Magazine] Google Revealed Plans for a Big Change to Gmail That Almost Nobody Wants. You Have 19 Days to Object https://www.inc.com/bill-murphy-jr/google-revealed-plans-for-a-big-change-to-gmail-that-almost-nobody-wants-you-have-19-days-to-object.html
[The Intercept] Amazon Admits Giving Ring Camera Footage to Police Without a Warrant or Consent https://theintercept.com/2022/07/13/amazon-ring-camera-footage-police-ed-markey/
[The Drive] I Tried the Honda Keyfob Hack on My Own Car. It Totally Worked https://www.thedrive.com/news/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked
[WIRED] A New Attack Can Unmask Anonymous Users on Any Major Browser https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/
Tip of the Week: More Uses for Password Vaults: https://firewallsdontstopdragons.com/more-uses-for-password-vaults/
Further Info
Amulet of Entropy!!: https://amuletofentropy.com/
Peppering your passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:02: Bad bugs in GPS vehicle trackers
0:07:16: Zero-day bugs in Chrome, Edge, Safari
0:12:47: Twitter data breach affects 5.4M users
0:15:20: Windows’ new default RDP security setting
0:19:11: Conti gang attacks Costa Rica
0:23:40: Facebook defeats URL tracker removal technique
0:26:31: New Tor Browser feature
0:28:51: Google wants to allow political spam
0:34:08: Ring video given to police without warrant or consent
0:39:17: How to hack just about any modern Honda
0:50:43: Targeted, sophisticated web tracking hack
0:57:59: Tip of the Week
1:08:01: Wrap-up, DEF CON
Crowdsourcing Network Security
We take that little box that connects our home to the internet for granted. But in reality, it’s often the only thing hiding our computers and vulnerable IoT devices from automated, remote attacks. This “internet background radiation” is ever present – a massive network of malicious or compromised devices, constantly scanning the internet for exposed and ill-protected systems. Today, we’ll discuss routers, firewalls and other common aspects of home network security with the CEO of CrowdSec. He’ll also explain how we can enable these devices to share information in a sort of global neighborhood watch program, distributing information about bad actors to better protect us all. Philippe Humeau graduated as an IT security engineer, specializing in cybersecurity, in 1999. He then created his first company, dedicated to red team penetration testing and high-security hosting. After selling his first company, his lasting passion for cybersecurity led him to create CrowdSec in 2020. This open-source software company builds a participative IPS that generates global, crowd-powered CTI.
Further Info
CrowdSec: https://crowdsec.net/
CrowdSec code repository: https://github.com/crowdsecurity/crowdsec
LuLu reverse firewall: https://objective-see.org/products/lulu.html
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Amulet of Entropy!!: https://amuletofentropy.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:46: Update on Firefox Total Cookie Protection
0:03:50: DEF CON coming soon
0:04:47: Interview start
0:06:49: What does a firewall do?
0:10:18: Should I enable the firewall on my computer, too?
0:14:18: What is Universal Plug and Play (UPnP)?
0:16:04: What is Network Address Translation (NAT)?
0:20:16: Hacker vs cybercriminal?
0:21:17: Internet background radiation
0:26:19: Creating network silos
0:29:28: Attacks from within
0:32:15: Botnets and DDoS attacks
0:35:37: What are the biggest network threats today?
0:40:16: Who are the main threat actors?
0:45:09: How does CrowdSec work?
0:49:36: How quickly do agents share info?
0:51:37: How does CrowdSec make money?
0:53:03: Can you use CrowdSec on home routers?
0:55:28: Are things getting better or worse?
0:57:43: Top security tips?
1:01:45: How do you poke a hole in a firewall?
1:04:01: Setting up a guest network
1:07:48: Reverse firewalls
1:09:07: Final word
The Data Dam is Breaking
This week we’ll talk about three significant new data breaches. Each of these data leaks is important in different ways, but the trend is clear: data wants to be free. First of all, we need to stop collecting so damn much of it. But second, we need to make it more expensive for data collectors who are criminally negligent in protecting our data. Right now, it’s cheaper to let it escape than to spend the time, effort and money to protect it. (In my Tip of the Week, I’ll tell you about a great free tool that will let you protect your own data.) In other news: Google patches some serious zero-day Chrome bugs and I’ll explain how they work; personal data for many California gun owners was leaked; Marriott suffered yet another customer data breach; personal data on over 1 billion people in China is up for sale; crypto exchange Coinbase is sharing info with US immigration enforcers; a sophisticated malware named ZuoRAT is infecting SOHO routers; a new Windows worm appears to be spreading from infected USB devices; a free decryptor has been released for AstraLocker and Yashma ransomware; Apple’s new Lockdown mode shows real promise; and the US Immigration and Customs Enforcement agency has become a full-tilt mass surveillance organization.
Article Links
[Naked Security] Google patches “in-the-wild” Chrome zero-day – update now! https://nakedsecurity.sophos.com/2022/07/05/google-patches-in-the-wild-chrome-zero-day-update-now/
[Gizmodo] California Gun Owners Had Lots of Their Data Exposed by the State Government https://gizmodo.com/california-gun-owners-data-exposed-state-justice-dept-1849124116
[TechCrunch] Hotel giant Marriott confirms yet another data breach https://techcrunch.com/2022/07/06/marriott-breach-again/
[ZDNet] Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/
[The Intercept] Cryptocurrency Titan Coinbase Providing “Geo Tracking Data” to ICE https://theintercept.com/2022/06/29/crypto-coinbase-tracer-ice/
[Ars Technica] A wide range of routers are under attack by new, unusually sophisticated malware https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/
[PCM] Hundreds of Windows Networks Are Infected With Raspberry Robin Worm https://www.pcmag.com/news/hundreds-of-windows-networks-are-infected-with-raspberry-robin-worm
[BleepingComputer] Free decryptor released for AstraLocker, Yashma ransomware victims https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/
[9to5mac.com] Firefox now lets users remove tracking parameters from URLs to enhance privacy https://9to5mac.com/2022/06/29/tracking-parameters-urls-firefox/
[Ars Technica] Why Lockdown mode from Apple is one of the coolest security ideas ever https://arstechnica.com/information-technology/2022/07/introducing-lockdown-from-apple-the-coolest-defense-youll-probably-never-use/
Data-Driven Deportation in the 21st Century https://americandragnet.org/
Tip of the Week: https://firewallsdontstopdragons.com/creating-a-file-vault-with-cryptomator/
Further Info
Cryptomator: https://cryptomator.org/
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Seth interview on cryptocurrency: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/
Amulet of Entropy!!: https://amuletofentropy.com/
No More Ransom. A non-profit devoted to helping break ransomware crypto so that victims don’t have to pay.
ID Ransomware. A tool for identifying which ransomware you’ve been infected with and then guiding you to other resources for help.
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:19: Website facelift
0:01:35: Added Monero “tip jar” support option
0:02:02: Amulet of Entropy update
0:02:38: News overview
0:04:24: Chrome 0-day bugs with explanation
0:12:27: California gun owner info leaked
0:15:23: Another Marriott data breach
0:17:36: Personal data of 1 billion people leaked
0:20:13: Coinbase providing info to ICE
0:25:28: Routers under attack by ZuoRAT
0:31:06: New Windows network worm
0:34:23: Free decryptor for AstraLocker ransomware
0:37:50: Firefox removes tracking parameters
0:40:04: Apple’s new Lockdown mode
0:45:19: Data-Driven Deportation
0:48:39: Tip of the Week
0:54:19: Outro
0:54:38: How to donate Monero
0:56:16: Podcast review
0:57:24: Previews
Necessary Chaos
While many of us prefer order in our lives, at least most of the time, we sometimes need a little chaos. Specifically, we need a source of true randomness in order to properly drive many of our cryptographic systems – to secure our digital communications, for example. And while computers are very good at doing what we tell them to do, they suck at being unpredictable. Therefore we have to find other ways to inject a little chaos. Today I will discuss these concepts with Joe Long, founder and CEO of HackerBoxes.com. Along the way, we’ll share stories of hardware hacking and our love of electronics tinkering. And then we’ll reveal a totally geeky project we’ve been working on together for many months now, which we dubbed the Amulet of Entropy! Joe Long is a professional engineer, patent attorney, and hardware hacker. He has decades of expertise in electronics, which he has taught to over a million students around the world. Joe is the founder of HackerBoxes – a company that provides kits, workshops, and monthly subscription boxes for building and learning electronics.
Further Info
Amulet of Entropy!!: https://amuletofentropy.com/
HackerBox #0080: https://hackerboxes.com/products/hackerbox-0080-entropy
Amulet GitHub repo: https://github.com/FirewallDragon/amulet-of-entropy
HackerBoxes: https://hackerboxes.com/
Forrest Mims electronics books: https://www.forrestmims.com/
Humble Bundle electronics books: https://www.humblebundle.com/books/boards-coding-make-co-books
HackADay: https://hackaday.com/
DEF CON 30: https://defcon.org/html/defcon-30/dc-30-index.html
Firewalls Don’t Stop Dragons book: https://www.amazon.com/gp/product/1484261887
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:23: Start of interview
0:05:42: What is a hardware hacker?
0:09:09: What got you into electronics?
0:14:49: What do you need to get into electronics?
0:21:46: What is entropy?
0:24:36: Where do we find entropy in everyday life?
0:28:18: Why is entropy important for cryptography?
0:30:58: Why do computers suck at randomness?
0:35:18: So how do we find true random values?
0:38:42: What happens when randomness fails?
0:41:17: How we use patterns to efficiently encode things
0:46:44: The Amulet of Entropy!
0:51:53: Designing the project
0:55:33: Fun uses of entropy
0:56:41: How do I get one??
0:57:53: Outro
1:01:06: DEF CON 30 talk
1:01:45: Electronics resources for newbies
Total Cookie Protection
Firefox officially rolled out its Total Cookie Protection feature last week, which is a clever and elegant solution for blocking tracking via third-party cookies. Unfortunately… it didn’t seem to be working when I tested it. There are at least a couple of reasons why this might be, and a workaround, both of which I will discuss in today’s Tip of the Week. Also: a drunk employee lost a flash drive with half a million customers’ data in Japan; a TikTok leak appears to show that even with US user data being “moved” to US soil, engineers in China can still access it; a new voicemail scam tries to trick you into giving up your Microsoft account credentials; MEGA fixes several flaws which might have allowed a rogue employee to view your data; 56 security flaws in industrial systems could impact thousands of devices around the world; Google Password Manager now allows for client-side encryption; Microsoft’s Defender is now available for non-Windows devices (for a fee); T-Mobile is the latest to use its privileged position to hoover up and sell customer data; spyware companies are proliferating; Facebook is receiving sensitive medical info from its Meta Pixel; and vacation rentals are sadly great places for spycams, and I’ll help you try to spot them.
Article Links
[The Guardian] Japanese city worker loses USB containing personal details of every resident https://www.theguardian.com/world/2022/jun/24/japanese-city-worker-loses-usb-containing-personal-details-of-every-resident
[Gizmodo] TikTok Leak Alleges User Data Isn’t Private: ‘Everything Is Seen in China’ https://gizmodo.com/tiktok-china-oracle-bytedance-1849078477
[Threatpost] Voicemail Scam Steals Microsoft Credentials https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/
[BleepingComputer] MEGA fixes critical flaws that allowed the decryption of user data https://www.bleepingcomputer.com/news/security/mega-fixes-critical-flaws-that-allowed-the-decryption-of-user-data/
[BleepingComputer] Icefall: 56 flaws impact thousands of exposed industrial devices https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/
[9to5Google] Google Password Manager starts offering on-device encryption on Android, iOS, and Chrome https://9to5google.com/2022/06/21/google-password-on-device-encryption/
[PCM] WTF? Do I Have to Pay for Microsoft’s Defender Antivirus Now? https://www.pcmag.com/news/wtf-do-i-have-to-pay-for-microsofts-defender-antivirus-now
[The Verge] T-Mobile is selling your app usage data to advertisers — here’s how to opt out https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out
[WIRED] Google Warns of New Spyware Targeting iOS and Android Users https://www.wired.com/story/hermit-spyware-rcs-labs/
[The Markup] Facebook Is Receiving Sensitive Medical Information from Hospital Websites https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
[USA TODAY] How to spot hidden surveillance cameras in your Airbnb, VRBO, or vacation rentals https://www.usatoday.com/story/tech/columnist/komando/2022/06/23/how-check-hidden-cameras-airbnb-vrbo-vacation-rentals/7652726001/
Further Info
Tip of the Week: Total Cookie Protection? https://firewallsdontstopdragons.com/total-cookie-protection/
Cookie Forensics Test: https://www.grc.com/cookies/forensics.htm
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:17: News topic summary
0:04:47: Drunk worker loses customer data
0:08:00: TikTok phone call leak
0:12:04: Microsoft voicemail scam
0:16:23: MEGA fixes critical encryption flaws
0:21:28: Icefall vulnerabilities
0:27:15: Google Password Manager on-device encryption
0:29:58: Microsoft Defender for Individuals
0:34:25: T-Mobile tracks and sells app usage data
0:37:10: Spyware industry is rampant
0:41:14: Facebook getting sensitive medical information
0:46:21: How to spot hidden spy cameras in vacation rentals
0:55:16: Tip of the Week: Total Cookie Protection
1:01:33: 2022 mid-year goals update
1:03:06: Preview of upcoming shows
1:04:00: Dragon coins will start shipping!
Moving Beyond Passwords
Everyone hates dealing with passwords, and yet they’ve been the de facto standard of computer authentication for decades. But there’s light at the end of this long tunnel. There is a passwordless future where we can log in to our accounts using just our smartphones. In this future, it won’t matter if websites are breached because there will be no password databases to steal. Even phishing will be a thing of the past. And thankfully, that future isn’t far away. Today I’ll discuss where we are, how we got here, and where we’re going with Yubico’s Derek Hanson. Derek Hanson has been involved in the identity and security industry for over ten years. He has been building networks and deploying computer systems since the mid-90s and is now an advocate for how you can best protect them. He is currently the VP of Solutions Architecture and Alliances at Yubico.
Further Info
Yubico/YubiKey: https://www.yubico.com/
NIST password guidelines: https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/
OPM fingerprint database hack: https://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/
WebAuthn: https://webauthn.guide/
FIDO: https://fidoalliance.org/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents (new!)
Use these timestamps to jump to a particular section of the show.
0:01:01: Welcome new patrons!
0:01:41: New table of contents
0:03:40: Update Windows ASAP
0:04:03: Pre-interview notes
0:04:34: Interview start
0:06:21: Why do we still use passwords?
0:11:26: Why don’t more people use password managers?
0:15:25: NIST updates password recommendations
0:17:50: Should we use biometrics for authentication?
0:23:40: How do passwordless systems compare to what we have now?
0:29:00: How does authentication work in a passwordless system?
0:32:50: Have we settled on a single passwordless standard?
0:37:24: How well is this new standard supported?
0:40:41: How do I use this passwordless technology?
0:43:00: How soon will we see passwordless logins?
0:46:22: Which 2FA system is best, and will we still need this going forward?
0:51:33: What current technologies are best for securing our accounts?
0:55:18: How do hardware keys work?
1:00:42: OPM fingerprint hack
1:01:48: Bonus content preview
1:02:02: Upcoming shows
Peppering Your Passwords
I preach about using password managers constantly – because they really are a fantastic tool for increasing your security. Humans suck at creating memorable passwords that are not also easy to guess. But the idea of putting all your juicy secrets into a digital vault that is controlled by a third party and synchronized through the cloud may not sit well with you. And I totally get that. It’s a very valid concern. But what if there were a way to have your cake and eat it, too? (I never understood that expression… what good is having cake if you can’t eat it, right?) I’ll explain a simple technique using cryptographic “pepper” that will allow you to use a password manager, even if you don’t trust it. In other news: US water utilities are woefully unprepared for cyberattacks; paper ballots are essential for secure elections, but not sufficient; PDFs are being used to cleverly hide keylogging malware; Chinese hackers have infiltrated many global telecom companies for years; Australia’s new “secure” digital driver’s license is anything but; the FBI manages to recover half of the Colonial Pipeline ransom; a new facial search engine is on the scene, with even fewer protections than Clearview AI; and the Tim Hortons app collected a heck of a lot of location data from its customers.
Article Links
[Threatpost] U.S. Water Utilities Prime Cyberattack Target, Experts https://threatpost.com/water-cyberattack-target/179935/
Do Ballot Barcodes Threaten Election Security? https://cdt.org/insights/do-ballot-barcodes-threaten-election-security/
[BleepingComputer] PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/
[MIT Technology Review] Chinese hackers exploited years-old software flaws to break into telecom giants https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/
[Ars Technica] “Tough to forge” digital driver’s license is… easy to forge https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
FBI Recovers $2.3 Million of Colonial Pipeline Ransomware Payment; Some Que https://www.cpomagazine.com/cyber-security/fbi-recovers-2-3-million-of-colonial-pipeline-ransomware-payment-some-questions-about-the-attack-answered/
[The Mercury News] A face search engine anyone can use is alarmingly accurate https://www.mercurynews.com/2022/05/28/a-face-search-engine-anyone-can-use-is-alarmingly-accurate-2
[CTV News] Tim Hortons app collected vast amounts of sensitive data: privacy watchdogs https://www.ctvnews.ca/business/tim-hortons-app-collected-vast-amounts-of-sensitive-data-privacy-watchdogs-1.5927716
Pepper Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Further Info
Only FIVE DAYS LEFT to get your dragon coin! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Techlore interview: https://youtu.be/-GubGbuWBfk
Exploits of a Mom (XKCD “Bobby Tables” cartoon): https://xkcd.com/327/
Bobby Tables explanation: https://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables
Generate secure passphrases! https://d20key.com/#/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Cryptocurrency 101
Everyone has heard of Bitcoin, but almost no one understands what the heck it actually is. Today I’m interviewing Seth from Seth for Privacy, who knows cryptocurrency backwards and forwards. Seth is also a privacy advocate who understands the broader implications of digital currency. I’ll ask him to explain how cryptocurrency works, what the blockchain is, how crypto mining affects our environment, whether cryptocurrency is truly anonymous, and how cryptocurrency has any value whatsoever – and much more! Seth is a privacy educator, Monero contributor, and host of the Opt Out podcast.
Further Info
Opt Out podcast: https://optoutpod.com
Seth’s bio: https://sethforprivacy.com/about/
Seth’s Twitter feed: https://twitter.com/sethforprivacy
Why Cryptocurrencies? https://whycryptocurrencies.com/toc.html
Local Monero: https://localmonero.co/
Cryptocurrency ATMs: https://coinatmradar.com/
Bitcoin energy consumption: https://niccarter.info/topics/#energy
Was Bitcoin Created by This International Drug Dealer? https://www.wired.com/story/was-bitcoin-created-by-this-international-drug-dealer-maybe/
XKCD comic – $5 wrench: https://xkcd.com/538/
Byzantine Generals Problem: https://en.wikipedia.org/wiki/Byzantine_fault
Inside the Bitcoin Bust That Took Down the Web’s Biggest Child Abuse Site https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/
Hot Wallets vs Cold Wallets: https://appleinsider.com/articles/22/06/04/crypto-101-the-difference-between-hot-and-cold-wallets
Microsoft unpatched vulnerability: https://www.kaspersky.com/blog/follina-cve-2022-30190-msdt/44461/
Dragon Coins & Passphrases
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Emergency Mode
Modern smartphones have a potentially life-saving feature called “SOS” or “Emergency” mode that can give first responders critical medical information and automatically dial your country’s emergency phone number. It can report your location and even notify selected contacts. In today’s show, I’ll share a story from one woman who believes this mode saved her life. It’s easy to use and set up, but it won’t do you any good if you don’t know about it. I’ll tell you everything you need to know. In other news: Clearview AI is looking to expand its services to schools, banks and other institutions that wish to authenticate people; Mastercard is launching a new facial recognition system that will allow users to pay “with a smile”; the US Department of Justice has finally issued long-overdue guidance on common sense limitations for prosecuting security researchers and regular people who might run afoul of the tragically over-broad Computer Fraud and Abuse Act (CFAA); Twitter has been fined and Google has been sued for abusing customer data; local governments forced children to use EdTech software that surreptitiously harvested their data and fed them behavior-based ads; DuckDuckGo is in damage control over reports that it isn’t blocking some Microsoft web tracking due to an agreement which they legally can’t discuss; there’s a new Wells Fargo phishing campaign going around which seeks to gather tons of data that would easily enable identity theft; and a security researcher has found a bug with the OAuth single sign-on functionality used by Facebook.
Article Links
[Gizmodo] Clearview AI Says It’s Bringing Facial Recognition to Schools https://gizmodo.com/clearview-ai-facial-recognition-privacy-1848975528
[The Guardian] Mastercard launches ‘smile to pay’ system amid privacy concerns https://www.theguardian.com/technology/2022/may/17/mastercard-launches-smile-to-pay-amid-privacy-concerns
[The Verge] Justice Department pledges not to charge security researchers with hacking crimes https://www.theverge.com/2022/5/19/23130910/justice-department-cfaa-hacking-law-guideline-limits-security-research
[NPR] Twitter agrees to pay $150 million after FTC, DOJ accuse company of mishandling data https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc
Governments Harm Children’s Rights in Online Learning https://www.hrw.org/news/2022/05/25/governments-harm-childrens-rights-online-learning
[Review Geek] DuckDuckGo Isn’t as Private as You Thought https://www.reviewgeek.com/118915/duckduckgo-isnt-as-private-as-you-thought/
[Sky] Google sued for using the NHS data of 1.6 million Brits ‘without their knowledge or consent’ https://news.sky.com/story/google-sued-for-using-the-nhs-data-of-1-6-million-brits-without-their-knowledge-or-consent-12614525
Bank phishing and identity theft https://usa.kaspersky.com/blog/wells-fargo-phishing-identity-theft/26473/
[Forbes] Security Warning For Facebook Users Who Login With Gmail OAuth Code https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/
[9to5mac.com] iPhone SOS credited with saving woman during assault attempt – Here’s how to set it up https://9to5mac.com/2022/05/24/iphone-sos-how-to-set-it-up/
Set up Emergency mode, Apple iPhone: https://support.apple.com/en-us/HT208076
Set up Emergency mode, Google Pixel: https://support.google.com/pixelphone/answer/7055029
Set up Emergency mode, Samsung Galaxy: https://www.samsung.com/us/support/answer/ANS00050849/
Further Info
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Amulet of Entropy teaser #2: https://twitter.com/HackerBoxes/status/1530341605567242240?s=20&t=OWW931j-mZk8cMRc6yp9bA
Stop Using “Sign in with”: https://firewallsdontstopdragons.com/stop-using-sign-in-with/
EFF on facial recognition technology: https://www.eff.org/deeplinks/2021/10/face-recognition-isnt-just-face-identification-and-verification
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Tomatoes & Telegraphs
There’s a lot we can glean from history, but sometimes it’s not as obvious as you might think. For example, did you know that until the mid-1800s, most Americans hated tomatoes and that ketchup was originally made from mushrooms? The story behind how Americans came to love tomatoes is quite fascinating, but what is perhaps most interesting is the way our guest applies this knowledge to the realm of cybersecurity. Today we will also learn how one of the most powerful cryptographic techniques to this day originated in the time of the telegraph. Along the way, we’ll discuss how humans choose their passwords, how they should be creating passwords, and how often we should be changing our passwords. Anthony Collette is a Senior Consent Form Editor at the largest Institutional Review Board (IRB) in the United States. This regulatory agency has reviewed over 1,000 COVID-19 research studies, conducted at more than 12,000 locations. Mr. Collette analyzes complex medical documents, synthesizes the central concepts, and translates technical jargon into relatable language directed to the non-technical research participant. These skills transfer perfectly to the task of analyzing and understanding the conflicting and often outdated advice given about passwords, stripping away what’s unnecessary, and getting down to the actionable core of the issues.
Interview Links
Anthony Collette: https://www.linkedin.com/in/tonycollette/
Loistava Information Security website: www.LositavaInfoSecurity.com
CASTALOT™ Dice Landing Page: https://www.castalotdice.com?utm_source=dragons1
CASTALOT™ Dice Facebook VIP Group: https://www.facebook.com/groups/1317312032055849
The History of Tomatoes in America: https://www.amazon.com/Tomato-America-History-Culture-Cookery/dp/1570030006/
NY Times, Secret Life of Passwords: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html
A Look at Telegraph Codes (Steven Bellovin): https://www.cs.columbia.edu/~smb/papers/codebooks.pdf
DFLEKT Keyless Entry Protection: https://www.duku.co.uk/dflekt
Further Info
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Amulet of Entropy teaser: https://twitter.com/HackerBoxes/status/1523318662807298051?s=20&t=dwQFy7ieRMGjRCqgAR7btQ
Global Privacy Control
When we surf the web today – on our computers or smartphones – we are mercilessly tracked. Marketing firms and data brokers are hoovering up ungodly amounts of our personal data, selling it, trading it and mining it to derive even more about us. Many offer some way to limit or stop this wanton data collection, but good luck figuring out how – let alone even knowing who to ask. Wouldn’t it be nice if you could just click one button and tell everyone to leave you alone? Of course, we tried this a decade ago with Do Not Track, but there were no regulations in place to require companies to respect it. While we have a long way to go, some regions do now have privacy laws – and now we have a new way to invoke our privacy rights: Global Privacy Control. Today, I’ll tell you how to enable this on your devices and tell data miners to get lost. In other news: Clearview AI has been forced to cut back on its creepy facial recognition software; the EU is proposing dangerous new surveillance requirements in the name of child safety; if you have an HP computer, you need to check for BIOS software updates ASAP; automated vehicles are outfitted with tons of video cameras, and law enforcement have been using this data for investigations; thousands of popular websites are saving data from online forms even if you don’t click ‘submit’; the CDC has been buying cell phone location data to track compliance with covid curfews and more; data from period-tracking apps may soon be used against people seeking abortions if Roe v. Wade is struck down in the US; Facebook is ending some location-based services (though still collecting your location data); Chinese hackers have stolen hundreds of billions of dollars in intellectual property, including military, manufacturing and pharmaceutical info; and mental health apps aren’t taking proper care of your very personal data. 
Article Links
[Engadget] Clearview AI agrees to limit sales of facial recognition data in the US https://www.engadget.com/clearview-ai-agrees-to-limit-sales-of-facial-recognition-data-in-the-us-173357030.html
[Electronic Frontier Foundation] The EU Commission’s New Proposal Would Undermine Encryption And Scan Our Messages https://www.eff.org/deeplinks/2022/05/eu-commissions-new-proposal-would-undermine-encryption-and-scan-our-messages
[TechSpot] HP pushes out BIOS update addressing high-severity vulnerabilities affecting 200+ models https://www.techspot.com/news/94561-hp-pushes-out-bios-update-addressing-high-severity.html
[VICE] San Francisco Police Are Using Driverless Cars As Mobile Surveillance Cameras https://www.vice.com/en/article/v7dw8x/san-francisco-police-are-using-driverless-cars-as-mobile-surveillance-cameras
[WIRED] Thousands of Popular Websites See What You Type—Before You Hit Submit https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/
CDC tracked Americans’ phones to see if they followed COVID-19 lockdowns https://www.mlive.com/news/2022/05/cdc-tracked-americans-phones-to-see-if-they-followed-covid-19-lockdowns.html
[VICE] Data Broker SafeGraph Stops Selling Location Data of People Who Visit Planned Parenthood https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood
[NPR] How period tracking apps and data privacy fit into a post-Roe v. Wade climate https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps
[9to5mac.com] Facebook to discontinue Nearby Friends and other location-based features https://9to5mac.com/2022/05/05/facebook-to-discontinue-nearby-friends-and-other-location-based-features/
[CBS News] Chinese hackers took trillions in intellectual property from about 30 multinational companies https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/
[The Verge] Mental health apps have terrible privacy protections, report finds https://www.theverge.com/2022/5/2/23045250/mozilla-mental-health-app-privacy-analysis
Further Info
HP Software Updates: https://support.hp.com/us-en/drivers
Data Broker SafeGraph Stops Selling Location Data of People Who Visit Planned Parenthood https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood
What Companies Can Do Now to Protect Digital Rights In A Post-Roe World https://www.eff.org/deeplinks/2022/05/what-companies-can-do-now-protect-digital-rights-post-roe-world
Leaky Forms Inspector plugin: https://homes.esat.kuleuven.be/~asenol/leaky-forms/#leak-inspector
Nice review of my book: https://indubitablyodin.medium.com/firewalls-dont-stop-dragons-a26abcdc7cb0
Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.pa
How to Stop Tracking & Stalking
We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us. Sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick and mortar stores are tracking you within their stores, noting where you go, how long you stay in some locations, and where you don’t go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used to track journalists, dissidents and “people of interest” by authoritarian governments. If all of that weren’t bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I’ll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we’ll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about online privacy, cybersecurity, and the laws and proposed legislation that regulate how data is stored, shared, and accessed.
Further Info
Malwarebytes blog: https://blog.malwarebytes.com/
Malwarebytes podcast: https://blog.malwarebytes.com/category/podcast/
David Ruiz interviews me: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/
Coalition Against Stalkerware: https://stopstalkerware.org/
Malwarebytes detection software: https://www.malwarebytes.com/mwb-download
Stalkerware-type detections hit record high in 2021, but fell in second half https://blog.malwarebytes.com/stalkerware/2022/04/stalkerware-type-detections-hit-record-high-in-2021-but-fell-in-second-half/
Kashmir Hill article: https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
What is the Most Private Browser?
Security isn’t a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers all use the same engine – Chrome, Edge and Opera are all based on Chromium. Second, there’s no real conflict of interest between browser makers and browser users when it comes to security – it’s a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I’ll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn’t make the list.) NOTE: I’m giving away TEN free subscriptions to ProtonMail Plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That’s it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspirational Declaration for the Future of the Internet; in a twist of fate, Russia is now the target of global hacking; another nasty Java zero-day bug has been found; leaked Cellebrite documents detail which iPhones they can hack into; Amazon and third parties are mining your Alexa requests for personal data; Microsoft is going to add a free VPN to its Edge browser; Facebook is pulling detailed user data from the US college financial aid site FAFSA; and apparently Facebook has no clue how to tell the source of all the data it collects (making it impossible to comply with privacy regulations); Google is now giving you a way to remove some personal info from its searches; and Brave and DuckDuckGo are both blocking Google “AMP” links which collect data about the sites you visit.
Article Links
EFF Statement on the Declaration for the Future of the Internet https://www.eff.org/deeplinks/2022/04/eff-statement-declaration-future-internet
Declaration for the Future of the Internet: https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf
Russia Is Being Hacked at an Unprecedented Scale https://www.wired.co.uk/article/russia-hacked-attacks
Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries https://www.schneier.com/blog/archives/2022/04/java-cryptography-implementation-mistake-allows-digital-signature-forgeries.html
Cellebrite iPhone cracking: Here’s which models the kit can unlock and access, and how to protect your data https://9to5mac.com/2022/04/29/cellebrite-iphone-cracking/
Report: Amazon and third parties use Alexa voice data for ads while Siri respects privacy https://9to5mac.com/2022/04/29/amazon-alexa-voice-data-used-for-ads/
Microsoft Is Adding a Free VPN to the Edge Browser https://www.pcmag.com/news/microsoft-is-adding-a-free-vpn-to-the-edge-browser
Go read this exposé on how FAFSA got caught sending personal info to Facebook https://www.theverge.com/2022/4/29/23048305/fafsa-facebook-department-of-education-us-student-financial-aid-meta-tracking-pixel
Applied for Student Aid Online? Facebook Saw You https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you
Facebook doesn’t know what most of its user data is used for https://appleinsider.com/articles/22/04/27/facebook-doesnt-know-what-most-of-its-user-data-is-used-for
You can now ask Google to remove your phone number from search https://www.androidauthority.com/google-search-remove-phone-number-3158456/
Google request site: https://support.google.com/websearch/answer/9673730
Brave, DuckDuckGo updates target Google AMP sites in privacy push https://www.macworld.com/article/633804/brave-duckduckgo-updates-target-google-amp-sites-in-privacy-push.html
Which Is the Most Private Browser? https://firewallsdontstopdragons.com/which-is-the-most-private-browser/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Ep 269: Private from Everyone (But Us)
Google and Facebook will swear up and down that they do not sell your data. While technically true, they do sell access to your data. Basically, your data is private from everyone – but them. And that’s a crucial caveat. To have true privacy, you want to work with a company that has absolutely minimal access to your data. You want privacy by design. And this is not easy to do with a very old internet standard like email. Proton has been offering truly private email for almost a decade (ProtonMail) and over the years has added many other features like a VPN and calendar, making them a true privacy-respecting alternative to the likes of Google. Today I’ll speak with Proton’s founder and CEO, Dr. Andy Yen, about the importance of privacy as a human right and the delicate balance between privacy and the needs of law enforcement. I’ll ask him how to evaluate products for privacy and what we can all do to bring about a better future where we can express ourselves freely. Dr. Andy Yen is the founder and CEO of Proton. He was a scientist at CERN, has a PhD in physics from Harvard University, and he has long worked to advance privacy and freedom online.
Further Info
ProtonMail: https://protonmail.com/
Proton & SimpleLogin join forces: https://protonmail.com/blog/proton-and-simplelogin-join-forces/
Check out my security-enhancing challenge coins! https://d20key.com/#/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Demystifying VPNs
When people don’t understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day – selling cures for ailments that didn’t exist or that didn’t actually improve the consumer’s health. The realm of computers is rife with cybersecurity snake oil, as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I’m going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install chips under your skin that will allow you to pay for stuff with your hand; a scathing article about a security failure by Wyze web cams; and hackers are using fake Emergency Data Requests to get your data from tech companies.
Article Links
T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. https://www.vice.com/en/article/k7w9mv/tmobile-hacked-bought-data-mandiant
Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems https://www.wired.com/story/pipedream-ics-malware/
Over 8 Million Cash App Users Potentially Exposed in a Data Breach After a Former Employee Downloaded Customer Information https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/
Pegasus spyware hacked iPhones of senior EU officials, who were alerted by Apple https://9to5mac.com/2022/04/11/pegasus-spyware-hacked-iphones-of-senior-eu-officials/
The microchip implants that let you pay with your hand https://www.bbc.com/news/business-61008730
I’m done with Wyze https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure
Hackers Using Fake Police Data Requests against Tech Companies https://www.schneier.com/blog/archives/2022/04/hackers-using-fake-police-data-requests-against-tech-companies.html
VPNs are digital ‘snake oil,’ expert claims — here’s why https://www.tomsguide.com/news/vpn-big-claims-truth-shmoocon22
What a VPN Is (and Isn’t): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/
Further Info
John Oliver on data brokers: https://www.youtube.com/watch?v=wqn3gR1WTcA
Mullvad VPN: https://mullvad.net/
IVPN: https://www.ivpn.net/
ProtonVPN: https://protonvpn.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Luck Favors the Prepared
Today, most of us take the internet – and access to the internet – for granted. It’s ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I’m not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems, like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I’ll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and be better prepared for digital disruption.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
How to Prepare for a Power Outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
Download Wikipedia: https://wiki.kiwix.org/wiki/Content_in_all_languages
VulnHub downloadable, free CTFs: https://www.vulnhub.com/
Black Hills Infosec: https://www.blackhillsinfosec.com/
Crypto-Gram by Bruce Schneier: https://www.schneier.com/crypto-gram/
Code: The Hidden Language of Computer Hardware and Software: https://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319
The Art of Exploitation: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
De-Google Your Life (Part 4)
I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year’s resolutions, so I’ve done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you’re at it). In other news: UK police arrested seven people who may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with “protestware”; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search engine; app developers and cloud service providers are leaving your data lying around for anyone to find; and Google is testing its new tracking platform called Topics, which they will use to eventually replace third party cookies.
Article Links
UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? https://nakedsecurity.sophos.com/2022/03/25/uk-police-arrest-7-hacking-suspects-have-they-bust-the-lapsus-gang/
FCC flags Russian cybersecurity firm Kaspersky as risk to national security https://mashable.com/article/fcc-bans-kaspersky-antivirus
This ‘browser in browser’ attack will steal your passwords — here’s how to avoid it https://www.tomsguide.com/news/bitb-phishing-attack
Developer Sabotages Open-Source Software Package https://www.schneier.com/blog/archives/2022/03/developer-sabotages-open-source-software-package.html
US Passes “Game-Changing” Cyber Incident Reporting Legislation https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
Yandex is sending data harvested from millions of iOS users to Russia https://9to5mac.com/2022/03/29/yandex-is-sending-data-from-ios-users/
Your personal data is exposed to hackers — alarming report reveals mobile apps are not protecting your info https://www.laptopmag.com/news/your-personal-data-is-exposed-to-hackers-alarming-report-reveals-mobile-apps-are-not-protecting-your-info
Chrome’s “Topics” advertising system is here, whether you want it or not https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/
De-Google My Life, Part 4: https://firewallsdontstopdragons.com/de-google-my-life-part-4
Further Info
Cryptomator: https://cryptomator.org/
Sync.com: https://www.sync.com/
ONLYOFFICE: https://www.onlyoffice.com/
NextCloud: https://nextcloud.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Teaching & Preaching Privacy
Today I’m speaking with a fellow privacy evangelist: Henry from Techlore. Like me, Henry and his team are on a mission to teach regular, everyday people how to secure their data and improve their privacy. Henry and I have a frank discussion about the importance of privacy today and the struggles we have when deciding which privacy-oriented products to recommend. First of all, everyone’s privacy “threat model” is different. Second, many people still don’t understand the true impacts of privacy failures – to themselves and to society in general. Privacy isn’t just a “me” thing – it’s also very much a “we” thing. And if all of that weren’t enough, privacy advocates argue constantly (and often heatedly) about the proper litmus tests to use when evaluating privacy-oriented products. Today, Henry and I will discuss what frustrates us and what gives us hope in the highly nuanced realm of privacy.
Further Info
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
Techlore: https://techlore.tech/
Support Techlore! https://www.patreon.com/techlore
Simple Login: https://simplelogin.io/
MySudo: https://mysudo.com/
Privacy.com: https://privacy.com/
Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
De-Google Your Life (Part 3)
One of my New Year’s resolutions for 2022 is to reduce my Google footprint – to try to de-Google my life as best I can – and hopefully inspire you to do the same. In today’s show, I’ll talk about replacing Google’s many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple’s Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won’t give it back; Russia has issued a state-sponsored “trusted root CA” that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from your dialer and messaging apps on Android.
Article Links
UK Network Operators Target iCloud Private Relay in Complaint to Regulator https://www.macrumors.com/2022/03/13/uk-network-operators-target-icloud-private-relay/
The FTC’s new enforcement weapon spells death for algorithms https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy
Fraud is flourishing on Zelle. The banks say it’s not their problem. https://www.seattletimes.com/business/fraud-is-flourishing-on-zelle-the-banks-say-its-not-their-problem/
You Should Not Trust Russia’s New “Trusted Root CA” https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca
Wartime Is a Bad Time To Mess With the Internet https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet
DuckDuckGo down-ranks sites spreading Russian propaganda https://www.bleepingcomputer.com/news/technology/duckduckgo-down-ranks-sites-spreading-russian-propaganda/
Gmail tracking: Google keeps records of everything you buy. Here is how to delete this information. https://tutanota.com/blog/posts/gmail-tracks-everything-you-buy/
Google to make changes to apps after TCD study finds privacy issues https://www.irishtimes.com/business/technology/google-to-make-changes-to-apps-after-tcd-study-finds-privacy-issues-1.4826225
De-Google My Life, Part 3: https://firewallsdontstopdragons.com/de-google-my-life-part-3/
Further Info
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
My Lock & Code podcast interview: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/
Data Privacy for Cars: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Computer Security Goes Microscopic
We didn’t use to think too much about physical computer security because most computers were safely stored in our homes or businesses. But many people today use laptops, which can be lost or stolen while traveling or toting them back and forth to work. Having physical access to a computer makes it much easier for bad guys to hack into it and steal our data. By “sniffing” the data signals on the wires in computer motherboards, bad guys can actually pull out security keys that would allow them to bypass encrypted hard drives and account authentication. To combat this, Microsoft’s Pluton project makes this data exfiltration much, much harder by embedding the security circuitry directly into the CPU chip, where the “wires” are microscopic and embedded in plastic casings. Tony Chen is a software engineer and security architect in the Microsoft core operating systems team. He was the development lead responsible for Xbox One security who worked with the hardware team and AMD to successfully launch the Xbox One console in 2013, which has not been hacked for piracy or cheating for over 5 years.
Further Info
Microsoft’s Pluton project: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/
My De-Google Strategy
As my de-Google project progresses, I realized that I skipped the most important step: reconnaissance. Before you can de-Google your life, you need to first make a list of the Google products and services you interact with – and not all of them have “Google” in their names. Google also owns YouTube, Waze, Nest, Fitbit, Chromebooks, and much more. Furthermore, you need to know and understand what information Google already knows about you. And while you’re doing that, you should delete all the existing data and prevent further collection. Thankfully, Google provides several tools to help you do this (most likely due to regulations like GDPR and CCPA). I’ll help you create your personal de-Google to-do list. In other news: today I’m launching a massive giveaway promotion to celebrate the 5th anniversary of the podcast!! Also, 100 million Samsung phones shipped with horrible security flaws; Nvidia hackers are pressuring the company to turn off cryptocurrency mining limitations; the (Russian) Conti and TrickBot ransomware operations have been hacked; details of 120,000 Russian soldiers in Ukraine have been leaked (on purpose); the US Senate has passed landmark cybersecurity legislation in light of the rising cyber warfare threat; and the ACLU has published a sobering report about a mass surveillance company called Flock (no relation to Google’s FLoC). 
Article Links
100 Million Samsung Phones Shipped With Flawed Encryption https://www.cpomagazine.com/cyber-security/100-million-samsung-phones-shipped-with-flawed-encryption-galaxy-s8-to-s21-series-cryptographic-keys-trivial-to-expose/
Nvidia Hackers Threaten to Release Mining-Limiter Killer https://www.tomshardware.com/news/nvidia-hackers-threaten-to-release-lhr-performance-limiter
Conti Ransomware source code leaked by Ukrainian researcher https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/
Details of ‘120,000 Russian soldiers’ leaked by Ukrainian media https://www.theregister.com/2022/03/02/russian_soldier_leaks/
Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments https://www.zdnet.com/article/senate-passes-cybersecurity-act-forcing-critical-infrastructure-orgs-to-report-cyberattacks-ransom-payments/
Fast-Growing Company Flock is Building a New AI-Driven Mass-Surveillance System https://www.aclu.org/report/fast-growing-company-flock-building-new-ai-driven-mass-surveillance-system
My De-Google Strategy: https://firewallsdontstopdragons.com/my-de-google-strategy/
Lawrence Lessig’s article: https://medium.lessig.org/crowdsourced-war-b5774c0ca7b5
Further Info
5th Anniversary Giveaway!! Details will be posted this week on my blog – keep your eye out on my main website! https://firewallsdontstopdragons.com/
Check out Techlore: https://techlore.tech/
Conti Ransomware report from Krebs On Security:
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/
Securing Your Mobile Device
Your cell phone is a supercomputer and a phenomenally powerful tracking device. Even George Orwell wouldn’t have dreamed that telescreens would be pocket sized and that citizens would willingly carry them 24/7. That one device knows all about you and has access to your most personal and critical information, including contacts, emails, social media, financial accounts, medical information, and much more. Furthermore, these devices are often used to secure our accounts through two-factor authentication. Stealing or cloning someone’s mobile phone can have dire consequences. Therefore, it’s crucial that we protect it. Today, I’ll speak with Haseeb Awan, whose company Efani is dedicated to providing secure phones and cell service to its VIP clientele, and we’ll get his insights into the security risks and mitigation techniques of the mobile world. Haseeb Awan built one of the first and largest bitcoin ATMs – Bitaccess – which has 8000+ locations in 15 countries. He is also the CEO of Efani, America’s most secure and private cell phone service, which protects people against SIM Swaps, eavesdropping, and location tracking.
Further Info
Efani: https://www.efani.com/
My Startpage interview: https://www.startpage.com/privacy-please/privacy-advocate-articles/privacy-in-action-carey-parker-author-and-podcast-host
De-Google Your Life (Part 2)
One of my big goals for 2022 was to minimize my Google footprint. In the last news show, I covered Google Search, Chrome and Android. In today’s show, I’ll tackle two other big ones: Google’s email (Gmail) and calendar (Gcal) services (and Google’s contacts, for good measure). I actually replaced Gmail with two different services, because they each address two different needs I have. In other news: Microsoft finally disables Word and Excel macros by default for any file downloaded from the internet; the IRS backs off its requirement for using facial recognition to authenticate to the IRS website; Missouri’s prosecutor declines to prosecute the reporter who pointed out a state website which gave away social security numbers for some state employees; Kashmir Hill compares the relative privacy and tracking capabilities of AirTags, Tile and a cheap GPS tracker; two US senators are decrying a newly declassified report of a CIA program that surveils American citizens in bulk; a remote test proctoring company sinks to new lows; hundreds of Android apps were found to be tracking you using ultrasonic signals; and Google will be implementing a new privacy feature in Android that it claims is just as private as Apple’s App Tracking Transparency, but will somehow preserve the ad-based web economy.
Article Links
Microsoft’s Small Step to Disable Macros Is a Huge Win for Security https://www.wired.com/story/microsoft-disables-macros-default-security-phishing/
IRS To Ditch Biometric Requirement for Online Access https://krebsonsecurity.com/2022/02/irs-to-ditch-biometric-requirement-for-online-access/
Missouri prosecutor won’t press charges against reporter who found flaw in state website https://www.kcur.org/politics-elections-and-government/2022-02-14/missouri-prosecutor-wont-press-charges-against-reporter-who-found-flaw-in-state-website
New test shows AirTag’s safety precautions are far better than Tile, other GPS trackers https://9to5mac.com/2022/02/11/airtag-safety-vs-tile/
T2 Mac security vulnerability means passwords can now be cracked https://9to5mac.com/2022/02/17/t2-mac-security-vulnerability-passware/
Senators say CIA has been collecting data in bulk in secret program https://thehill.com/homenews/administration/593833-senators-say-cia-has-been-collecting-american-data-in-bulk-in-secret
A Network of Fake Test Answer Sites Is Trying to Incriminate Students https://themarkup.org/machine-learning/2022/02/15/a-network-of-fake-test-answer-sites-is-trying-to-incriminate-students
Hundreds of apps spying on users with ultrasonic tracking technology https://www.komando.com/gadgets/hundreds-of-apps-spying-on-users-with-ultrasonic-tracking-technology/402030/
Google’s New Plan for Android Privacy Doesn’t Sound All That Private https://gizmodo.com/google-android-privacy-sandbox-apple-ios-meta-1848547922?rev=1645048008531
De-Google My Life (part 2): https://firewallsdontstopdragons.com/de-google-my-life-part-2/
Free & Open Source Software
You may not know it, but our world has already been basically taken over by free and open source software, or FOSS – specifically, the Linux operating system. Just about every single electronic appliance or device today, from your smartphone to your smart toaster, is running some flavor of the Linux operating system. Furthermore, open source software projects are the bedrock of many for-profit software applications, operating systems, mobile apps and web apps. It’s everywhere, and yet you probably know very little about it. Today, Sean O’Brien will give us a little FOSS history lesson, explain why supporting this movement is so important, and even tell us how we might replace some pricey and user-hostile popular software with top-notch free and open alternatives. Sean O’Brien is a lecturer in Cybersecurity at Yale Law School and Chief Security Officer at Panquake.com. He is a Visiting Fellow at the Information Society Project at Yale Law School, where he founded and leads the Privacy Lab initiative. He has been involved in Free and Open-Source Software (FOSS) for approximately two decades, including volunteer work for the Free Software Foundation and FreedomBox Foundation.
Show Links
Panquake: https://panquake.com/
Yale Privacy Lab: https://privacylab.yale.edu/
It’s FOSS website: https://itsfoss.com/
Free Software Foundation: https://www.fsf.org/
Intro to Linux classes: https://itsfoss.com/free-linux-training-courses/
Windows Subsystem for Linux: https://docs.microsoft.com/en-us/windows/wsl/about
System 76: https://system76.com/
Purism: https://puri.sm/
Lineage OS: https://lineageos.org/
Graphene OS: https://grapheneos.org/
Calyx OS: https://calyxos.org/
F-Droid: https://f-droid.org/
LibreOffice: https://www.libreoffice.org/
VLC Media Player: https://www.videolan.org/vlc/
Audacity audio editor: https://www.audacityteam.org/
GIMP photo editor: https://www.gimp.org/
Inkscape illustrator: https://inkscape.org/
CryptPad: https://cryptpad.fr/
De-Google Your Life
One of my New Year’s Resolutions for 2022 is to minimize my Google footprint. In reality, it’s very difficult to completely avoid Google products, if you include things like Google Analytics, Google’s cloud computing, and other services that we may not directly choose. But thankfully, there are many excellent, privacy-respecting alternatives to Google’s better-known products and services. In today’s show, I’ll start with some of the most basic ones: Google Search, Google Chrome browser, and Android. In other news: Google beats Apple to offering a way to disable insecure 2G cellular connections; people are selling “silent” AirTags that won’t beep to let you know they’re near (which could be better for stalking people); Facebook reported its first ever loss in subscribers along with a $10 billion loss due to people opting out of ad tracking; privacy advocates scored a huge win in the European Union against advertisers collecting and sharing your data; the IRS may be rethinking its coming requirement for facial recognition-based authentication after pushback; the FBI admits to evaluating NSO Group’s nasty Pegasus cell phone spyware; Kaspersky finds several serious vulnerabilities in wearable medical devices; and Google has abandoned its FLoC web tracking system for a much more privacy-respecting version called Topics.
Article Links
EFF praises Android’s new 2G kill switch, wants Apple to follow suit https://arstechnica.com/gadgets/2022/01/eff-praises-androids-new-2g-kill-switch-wants-apple-to-follow-suit/
Sale of ‘Silent AirTags’ on eBay and Etsy Raises Privacy Concerns https://www.macrumors.com/2022/02/03/silent-airtags-privacy-concerns/
Facebook lost daily users for the first time ever last quarter https://www.theverge.com/2022/2/2/22914970/facebook-app-loses-daily-users-first-time-earnings
A Change by Apple Is Tormenting Internet Companies, Especially Meta https://www.nytimes.com/2022/02/03/technology/apple-privacy-changes-meta.html
Regulators find Europe’s ad-tech industry acted unlawfully https://www.engadget.com/european-union-gdpr-ad-tech-unlawful-iccl-iab-europe-125735068.html
Treasury Weighing Alternatives to ID.me Over Privacy Concerns https://www.bloomberg.com/news/articles/2022-01-28/treasury-weighing-id-me-alternatives-over-privacy-concerns
FBI acknowledges it tested NSO Group’s spyware https://www.washingtonpost.com/technology/2022/02/02/pegasus-fbi-nso-test/
Unpatched Security Bugs in Medical Wearables Allow Patient Tracking, Data Theft https://threatpost.com/unpatched-security-bugs-medical-wearables-patient-tracking-data-theft/178150/
Google abandons FLoC, introduces Topics API to replace tracking cookies https://www.theverge.com/2022/1/25/22900567/google-floc-abandon-topics-api-cookies-tracking
De-Google My Life, Part 1: https://firewallsdontstopdragons.com/de-google-my-life-part-1/
Apple’s new Personal Safety User Guide: https://support.apple.com/guide/personal-safety/welcome/web
Searching for Privacy
We tell our search engines a lot of very personal things. They arguably know more about us than our best friends and significant others do. A history of your search terms can reveal so much about you, especially when viewed over the course of days, months and even years. And unfortunately, companies like Google use this privileged position to better target us with advertisements. This may seem innocuous, but today’s guest, Kelly Finnerty, will explain how this data collection can lead to some truly creepy outcomes and even emotional harm. But it doesn’t have to be that way. There are search engines and other tools that don’t track your history and sell you out. And there is hope for a brighter, privacy-respecting future. Kelly Finnerty is the director of brand for Startpage, a global privacy technology company that provides search and browsing products that protect people’s personal data. Kelly is a #techforgood advocate who believes privacy is a worldwide human right.
Episode Links
Startpage browser extension: https://add.startpage.com/protection/
What does your search engine know about you? https://www.startpage.com/privacy-please/startpage-articles/what-does-your-search-engine-know-about-you
Startpage data flow: https://support.startpage.com/index.php?/en/Knowledgebase/Article/View/1276/0/how-startpage-processes-and-protects-your-data
Interview with System1 CEO: https://thinkprivacy.ch/system1-interview/
Terms of Service; Didn’t Read: https://tosdr.org/
EFF’s Surveillance Self Defense: https://ssd.eff.org/
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Carey’s 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/
Carey’s Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Data Privacy Week: https://staysafeonline.org/data-privacy-week/
Building a Privacy-Respecting World
Personal data privacy isn’t going to just happen on its own. We have to somehow collectively construct it. But how? Will it require regulation or can consumers drive change by consciously choosing privacy-respecting products and services? When it comes to regulations, why are things so different in the European Union versus the US and other global markets? What do privacy teams look like in modern corporations and how should they function? I’ll pose these and many other questions to my guest, Whitney Merrill, who brings unique experience on privacy from both the private sector and the federal government. Whitney Merrill is a data protection officer, privacy attorney, hacker, and the co-founder of the Crypto & Privacy Village. She loves privacy and is glad the world is getting excited about it, too.
Podcast Links
Carey’s 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/
Carey’s Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Data Privacy Week: https://staysafeonline.org/data-privacy-week/
FTC Privacy & Security: https://www.ftc.gov/tips-advice/business-center/privacy-and-security
EFF Surveillance Self Defense Guide: https://ssd.eff.org/
ACLU Privacy & Technology: https://www.aclu.org/issues/privacy-technology
IAPP Resources: https://iapp.org/resources/
European Data Protection Board: https://edpb.europa.eu/edpb_en
Data Protocol: https://dataprotocol.com/
The Gamification of Everything: https://lifehacker.com/how-gamification-of-everything-is-manipulating-you-and-1848352808
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Data Privacy Week 2022
Of course, every week should be “data privacy week”, but we do set aside a specific time each year to focus on privacy – particularly educating as many people as possible about it. Until this year, we only dedicated one day to this – but as of 2022, it’s been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I’m going to prep you for it with several of my top privacy protection tips! In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit at the United States’ request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing drivers’ biometric information without consent; lawmakers propose legislation to simplify and standardize terms of service agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about with relation to privacy and what they feel should be done about it.
Article Links
Using Foreign Nationals to Bypass US Surveillance Restrictions https://www.schneier.com/blog/archives/2022/01/using-foreign-nationals-to-bypass-us-surveillance-restrictions.html
Russia’s FSB says it has taken down REvil hacker group at US request https://www.theverge.com/2022/1/14/22883675/russia-fsb-revil-hacker-group-ransomware-us-request-fbi-doj
VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones https://www.eff.org/deeplinks/2022/01/victory-google-releases-disable-2g-feature-new-android-smartphones
Class action: Subaru DriverFocus system improperly scans driver’s faces, eyes https://cookcountyrecord.com/stories/613746211-class-action-subaru-driverfocus-system-improperly-scans-driver-s-faces-eyes
Lawmakers Come After Companies’ Terms of Service With New TLDR Bill https://www.gizmodo.com.au/2022/01/lawmakers-come-after-companies-terms-of-service-with-new-tldr-bill/
New Ponemon Institute Report Indicates Major Consumer Privacy Gap https://www.cpomagazine.com/data-privacy/new-ponemon-institute-report-indicates-major-consumer-privacy-gap/
Further Info
Data Privacy Week: https://staysafeonline.org/data-privacy-week/about-dpw/
My Data Privacy checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
DNA service impacts: https://thenib.com/its-all-relatives/
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Hunting for Stingrays podcast: https://podcast.firewallsdontstopdragons.com/2021/04/19/hunting-for-stingrays-part-1/
2022 New Year’s Resolutions
It’s the start of a brand new calendar year! And therefore it’s time to engage in that annual ritual of planning to do better this year by making our list of New Year’s Resolutions. To help you with the cybersecurity and privacy items on your list (an area where we all need major improvement), I will share with you my personal list of cyber goals for 2022. Yes, even security advocates can suffer from the “do as I say, not as I do” syndrome. We’re all human, and there are plenty of things that I still need to get done – things that you probably need to do, too. I’ll also catch you up on the latest security and privacy news: several articles popped up about a supposed data breach at LastPass that turned out to be incorrect; the US Federal Trade Commission is getting very serious about fining companies with lax cybersecurity practices in light of the Log4J/Log4Shell nightmare; clever scammers in Texas are tricking motorists into paying the wrong people for parking; Norton 360 and other antivirus software packages have started pre-installing cryptocurrency mining software on their customers’ computers; TurboTax is the second major tax-filing software service to drop out of the federal Free File program; Google’s adoption of the Manifest V3 specification gives users yet another reason not to use their Chrome browser; and a lawsuit in California alleges that Google’s exclusive search engine deal with Apple is stifling competition and harming consumers. 
Article Links
LastPass says there’s no data breach, so your passwords were not hacked https://bgr.com/tech/lastpass-says-theres-no-data-breach-so-your-passwords-were-not-hacked/?bgr-partner=flipboard
FTC to Go After Companies that Ignore Log4j https://threatpost.com/ftc-pursue-companies-log4j/177368/
QR code scammers hitting on-street parking in Texas cities https://www.click2houston.com/news/local/2022/01/05/qr-code-scammers-hitting-on-street-parking-in-texas-cities-this-is-what-houston-officials-want-you-to-know/
Norton 360 Now Comes With a Cryptominer https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
500M Avira Antivirus Users Introduced to Cryptomining https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
Want to file your tax return for free? TurboTax opts out of major program https://www.freep.com/story/money/personal-finance/susan-tompor/2022/01/05/how-file-your-tax-return-free-turbotax/9077019002/
Podcast on Free File report from Pro Publica: https://podcast.firewallsdontstopdragons.com/2020/01/13/why-free-file-isnt-free/
Google makes the perfect case for why you shouldn’t use Chrome https://www.techrepublic.com/article/google-makes-the-perfect-case-for-why-you-shouldnt-use-chrome/
Google Basically Pays Apple to Stay Out of the Search Engine Business, Class Action Lawsuit Alleges https://www.macrumors.com/2022/01/05/google-pays-apple-stay-out-of-search/
Betty White on MFA: https://www.youtube.com/watch?v=DmIDtDAYTPA
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
The State of Kids’ Privacy
Navigating the online world today is hard enough as an adult. But it’s way worse for kids. Not only are they short on life experiences that would give them the context they need, but as students during a pandemic, their privacy rights are being sorely tested by new “edtech” apps and services. Today I speak with Jill Bronfman from Common Sense Media about their new report on the state of privacy for kids. Their research is quite comprehensive – and (spoiler alert) the results aren’t great. Obviously, this report is helpful for parents, educators and policy makers – but much of what’s covered here is useful knowledge for anyone. Jill Bronfman is Privacy Counsel at Common Sense Media and teaches Media Ethics and Privacy Law.
Further Info
2021 State of Kids’ Privacy: https://www.commonsensemedia.org/research/state-of-kids-privacy-2021
Common Sense Media: https://www.commonsensemedia.org/
Common Sense Privacy Program: https://privacy.commonsense.org/
Boston COVID in the wastewater: https://www.msn.com/en-us/weather/topstories/how-fast-is-covid-surging-in-boston-this-chart-shows-the-spike-after-christmas/ar-AAShL4P
The Best of 2021
We’ve come to the end of another year. As we take a breather and gather with family and friends for the holidays, it’s a good time to look back over the year that just passed. I’ve collected a handful of snippets from some of my favorite shows from this year, along with a little commentary. If you’re new to the show, you can catch up on some stuff you may have missed. Or if you’d like to introduce someone else to the podcast, this would be a great one to share. You can find all the original, full-length episodes using the links below.
Best Of Episodes
Ep206, Feb 8 – Troy Hunt, De-Platforming: https://podcast.firewallsdontstopdragons.com/2021/02/08/free-speech-deplatforming/
Ep214, Apr 5 – Phil Zimmermann, Social media is ruining society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society
Ep219, May 10 – Alison Macrina, library freedom https://podcast.firewallsdontstopdragons.com/2021/05/10/protecting-intellectual-freedom-part-1/
Ep232, Aug 9 – DEFCON – understanding hackers https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/
Ep233, Aug 16 – DEFCON – Jeff Moss interview https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Ep235, Aug 30 – Morpheus – Todd Austin https://podcast.firewallsdontstopdragons.com/2021/08/30/morpheus-securing-cpus-with-entropy/
Ep237, Sep 13 – Privacy for Cars – Andrea Amico https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
Ep245, Nov 8 – Harri Hursti https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Ep200, Dec 27, 2020 – Bruce Schneier https://podcast.firewallsdontstopdragons.com/2020/12/28/200th-podcast-new-years-2021/
The Log4Shell Debacle
The internet is on fire this week. The worst cybersecurity vulnerability of the last ten years (and perhaps more) has kicked the internet ant hill. Companies around the globe – big and small – are scrambling to repair a gaping hole in a ridiculously mundane but widely popular open source tool called Log4J. What is it, and what does it mean for you? I’ll get into all of that today. In other news: many popular wireless home routers are riddled with security bugs (update your firmware now); family “safety” app Life360 is selling your detailed location data; Consumer Reports released a comprehensive report on VPN security and privacy; Firefox just got a lot more secure; LastPass is once again an independent company; Apple released a lot of cool security and privacy features for iOS and macOS; and Verizon just opted you into a program for tracking you – and how you can opt out. (I’ll touch on T-Mobile and AT&T tracking, too.)
Article Links
Op-Ed: What a house cat can teach us about cybersecurity https://www.latimes.com/opinion/story/2021-11-07/op-ed-what-a-house-cat-can-teach-us-about-cybersecurity
Nine WiFi routers used by millions were vulnerable to 226 flaws https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/
The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user
Consumer Reports exhaustive report on VPNs https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/
The new Firefox 95 might be the most secure web browser on the market https://www.techrepublic.com/article/the-new-firefox-95-might-be-the-most-secure-web-browser-on-the-market/
The Log4Shell 0-day, four days on: What is it, and how bad is it really? https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/
Widely-Used Kronos Payroll Provider Down for “Weeks” Due to Ransomware Attack; Was Log4Shell Involved? https://www.cpomagazine.com/cyber-security/widely-used-kronos-payroll-provider-down-for-weeks-due-to-ransomware-attack-was-log4shell-involved/
LastPass is going to become an independent company https://www.theverge.com/2021/12/14/22833319/lastpass-independent-company-logmein
How to Use App Privacy Report in the iOS 15.2 Beta https://www.macrumors.com/guide/app-privacy-report/
iOS 15.2 Beta 2 Lets Your Family Access Your Data If You Pass Away https://www.macrumors.com/2021/11/09/ios-15-2-legacy-contact/
Hide My Email Available in Mail App With New iOS 15.2 and macOS Monterey 12.1 Betas https://www.macrumors.com/2021/11/09/macos-monterey-12-1-beta-2-hide-my-email/
iOS 15.2 Beta Adds Messages Communication Safety Feature for Kids https://www.macrumors.com/2021/11/09/apple-messages-communication-safety-ios-15-2/
Verizon May Have Just Enrolled You in a Data-Collection Scheme–Here’s How to Get Out https://gizmodo.com/verizon-may-have-just-enrolled-you-in-a-data-collection-1848156157
Further Info
Still looking for holiday gifts? https://firewallsdontstopdragons.com/best-worst-gifts-2021/
End Run Around Your Rights
The rampant collection and sharing of personal data is not just a creepy nuisance. Surveillance capitalism has actually had seriously deleterious effects on society and democracy. In the United States, we have certain rights enshrined in the Constitution that are supposed to protect citizens against unreasonable search and seizure. Law enforcement and intelligence agencies are supposed to have to jump through some non-trivial legal hoops in order to access our personal data. But with a massive market for gathering and correlating your location, purchase history, web surfing habits, search history, and more, it’s become trivial to circumvent these pesky roadblocks by just buying the information from data brokers. In an important and landmark report from the Center for Democracy and Technology, the end run around our supposed rights has become frighteningly clear. Today I speak with Dhanaraj Thakur about this report and what it means for our democracy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online.
Further Info
CDT Report on Legal Loopholes: https://cdt.org/insights/report-legal-loopholes-and-data-for-dollars-how-law-enforcement-and-intelligence-agencies-are-buying-your-data-from-brokers/
Center for Democracy & Technology: https://cdt.org/
Patriot Act Turns 20 panel discussion: https://www.youtube.com/watch?v=xaUIvxLdGCQ
My particular question at the panel: https://www.youtube.com/watch?v=xaUIvxLdGCQ&t=4783s
Best & Worst Gifts Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Defending Democracy with Technology
Transparency is critical when it comes to trust – and right now, particularly in the United States, we’re having some real issues with trust in our elections. Most of our election systems today are completely opaque in terms of their hardware and software design because they’re made by private companies who want to protect their intellectual property. But this secrecy also seriously impedes independent third parties from being able to test and verify these devices that are crucial to our democracy, and therefore contributes to the distrust in our election outcomes. Microsoft is working to change this with a program called ElectionGuard – a free and open source software framework that would allow any company (existing or new) to create robust and secure election systems. Not only can security researchers, journalists and democracy activists review and test the code, but the system actually provides technical capabilities that would give voters and watchdog groups a secure and private method for verifying that all votes were counted correctly. And that’s just part of what Microsoft is doing to defend democratic processes as part of their Democracy Forward program. Ethan Chumley is a Senior Security Strategist for Microsoft’s Democracy Forward Program, leading the team’s Critical Institution cybersecurity programs. He works at the intersection of cybersecurity, policy, and technology in support of open and secure elections by working with political campaigns, elections organizations, think tanks, NGOs, disinformation researchers, and tech industry partners.
Further Info
Microsoft ElectionGuard: https://www.electionguard.vote/
Microsoft’s Democracy Forward program: https://news.microsoft.com/on-the-issues/topic/defending-democracy-program/
Contact Microsoft about ElectionGuard: [email protected]
Contact Microsoft about protecting elections: [email protected]
ElectionGuard code: https://github.com/microsoft/electionguard
Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Article on brute forcing debit card numbers: https://www.techspot.com/news/92476-hackers-brute-force-guessing-payment-card-numbers-there.html
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
My Debit Card Was Hacked
Credit cards are more secure than debit cards. I’ve said this in my book, my podcast, my blog and my seminars. Credit card transactions are loans – you’re not out any money if a fraudulent charge comes through (assuming you or the credit card company catches it first). With debit cards, any fraud activity will actually take your money from your account – it’s gone and you have to convince your bank to give it back. And so, I almost never use my debit card. And yet, I was still hacked. My card wasn’t stolen or cloned with a skimmer. The number wasn’t leaked in a hack. The bad guys somehow managed to guess my card number. And then they got clever and drained my bank account. I’ll give you the details today and give you some pointers for avoiding being bitten the same way I was. In other news: bad guys have come up with some very clever ways to drain your bank accounts using Zelle and text messages; they’ve also used similar techniques to disable the Find My feature on stolen iPhones; Apple is suing Israeli hacking company NSO Group over their Pegasus spyware; attackers apparently don’t try guessing passwords longer than about 10 characters; GoDaddy admits to a major breach, but in a dumb way; there’s a nasty new Windows bug that was given up by an upset security researcher; there’s a powerful IoT malware that appears to be lurking on the internet; Microsoft Windows is doing some shady stuff to force you to use the Edge browser and give up your data; and Vizio makes more money off your TV data than off the TV itself.
Article Links
The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/
iPhone thieves are using this trick to disable Find My on stolen devices https://www.imore.com/iphone-thieves-are-using-trick-disable-find-my-stolen-devices
Apple sues NSO Group for attacking iPhones with Pegasus spyware https://www.theverge.com/2021/11/23/22798917/apple-nso-group-spyware-pegasus-cybersecurity-research
Apple will alert users exposed to state-sponsored spyware attacks https://appleinsider.com/articles/21/11/25/apple-will-alert-users-exposed-to-state-sponsored-spyware-attacks
Attackers don’t bother brute-forcing long passwords https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/
GoDaddy admits to password breach: check your Managed WordPress site! https://nakedsecurity.sophos.com/2021/11/23/godaddy-admits-to-password-breach-check-your-managed-wordpress-site/
New Windows zero-day with public exploit lets you become an admin https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
This mysterious malware could threaten millions of routers and IoT devices https://www.zdnet.com/article/this-mysterious-malware-could-threaten-millions-of-routers-and-iot-devices/
Microsoft Enables Edge Sync By Default, Hoovering Up Your Data in the Process https://www.extremetech.com/computing/329162-microsoft-enables-edge-sync-by-default-hoovering-up-your-data-in-the-process?source=Computing
Vizio is making more money selling your data than it is selling TVs https://knowtechie.com/vizio-is-making-more-money-selling-your-data-than-it-is-selling-tvs/
My Debit Card Was Hacked: https://firewallsdontstopdragons.com/my-debit-card-was-hacked/
Further Info
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Security Requires Privacy
When you think about improving your privacy and protecting your personal information, it’s important to realize that it will also improve your security. According to Craig Danuloff, CEO of The Privacy Co. and maker of the Priiv app, privacy harms fall into at least four different buckets: personal data leaks (embarrassment and reputation harm), online tracking (targeted ads and manipulation), financial accounts (including fraud and identity theft), and harassment (stalking, bullying, even physical threats). Today Craig will offer his opinions on the state of privacy today and provide several of his top tips for protecting your privacy and increasing your security. Craig Danuloff is a technology entrepreneur who has founded a series of tech companies including desktop publishing, e-commerce, ad-tech, identity, and now consumer privacy. Craig is a graduate of the University of Colorado Leeds School of Business, and the author of over 20 computer books.
Further Info
Priiv app: https://www.theprivacy.co/priiv
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst Gift Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Best & Worst Gifts for 2021
The gift-giving season is officially upon us, and with covid supply chain issues, if you’re going to order gifts, you need to get on it. And in today’s show, I’ll share the highlights of my annual Best & Worst Gift Guide where I focus on the privacy and security of popular gifts. You won’t be surprised at a lot of the items on my naughty list, but I’ll bet you’ll find some interesting ideas from the nice list that you can give your loved ones this holiday season. I will also cover several news items – many of them actually good news! A new bipartisan bill would allow people to disable news feeds based on algorithms; Apple has dialed back some of its well-intentioned but poorly-implemented child safety features; Facebook will remove many sensitive categories for targeted ads and stop using facial recognition; several people associated with the Kaseya ransomware hack have been arrested; and 23andMe’s DNA database (your DNA) may be leveraged for a lucrative pharmaceutical business.
Article Links
New bipartisan bill takes aim at algorithms https://www.axios.com/algorithm-bill-house-bipartisan-5293581e-430f-4ea1-8477-bd9adb63519c.html
Apple Has Listened And Will Retract Some Harmful Phone-Scanning https://www.eff.org/deeplinks/2021/11/apple-has-listened-and-will-retract-some-harmful-phone-scanning
Facebook-parent Meta will remove the ability to target ads based on sensitive categories https://www.cnn.com/2021/11/09/tech/meta-facebook-ad-targeting-change/index.html
Facebook shutting down face recognition efforts & deleting data https://appleinsider.com/articles/21/11/02/facebook-shutting-down-face-recognition-efforts-deleting-data
Meta to continue use of facial recognition technology: https://appleinsider.com/articles/21/11/04/meta-to-continue-use-of-facial-recognition-technology
Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague https://nakedsecurity.sophos.com/2021/11/08/kaseya-ransomware-suspect-nabbed-in-poland-6m-seized-from-absent-colleague/
All Those 23andMe Spit Tests Were Part of a Bigger Plan https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs
Further Info
My annual Best & Worst Gift Guide is out for 2021! https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Restoring Trust in Our Elections
Nothing is arguably more fundamental to a democracy than voting. But it’s not enough to have a secure election. The electorate also needs to trust that the results are valid. In the United States today, that trust is in short supply – many people believe that the 2020 election was rigged. On one hand, many of our electronic voting systems are demonstrably insecure and trivially capable of being hacked. On the other, our cybersecurity experts, government agencies and election officials are telling us that the 2020 election was one of the most secure in US history and voter fraud almost never happens. So which is it? How do we reconcile these two seemingly incongruent positions? Today I’ll ask these questions and more of computer and election security guru Harri Hursti. Harri has investigated and hacked several popular election systems used in the US and runs the Voting Machine Hacking Village at the annual DEF CON hacking conference. He’s also officially observed many elections around the world and participated in several high profile audits. As if that weren’t enough, Harri’s been featured in two separate HBO documentaries on election security and is co-founder of the Election Integrity Foundation. I met Harri at DEF CON 29 and I was thrilled when he agreed to come on the show.
Further Info
Harri Hursti: https://en.wikipedia.org/wiki/Harri_Hursti
Election Integrity Foundation https://electionintegrityfoundation.org/
California voting system review (“top to bottom”): https://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review
Ohio voting system review (“Everest”): https://www.eac.gov/documents/2017/03/21/everest-report-state-voting-systems-voting-technology
New Hampshire election audit: http://doj.nh.gov/sb43/documents/20210713-sb43-forensic-audit-report.pdf
Kill Chain: The Cyber War on America’s Elections (HBO documentary, 2020) https://www.hbo.com/documentaries/kill-chain-the-cyber-war-on-americas-elections
Hacking Democracy (HBO documentary, 2006) https://www.youtube.com/watch?v=b_gb_w_L9NE
Election Administration and Voting Survey 2020: https://www.eac.gov/research-and-data/studies-and-reports
Voluntary Voting System Guidelines: https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines
CISA, Election Security Rumor vs Reality: https://www.cisa.gov/rumorcontrol
2020 election security reports: https://www.brennancenter.org/our-work/research-reports/its-official-election-was-secure
DEF CON 25 Voting Machine Hacking Village Report: https://archive.org/download/DEFCON25VotingVillageReport/DEF%20CON%2025%20voting%20village%20report.pdf
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Spooky Security Stories
There were lots of scary computer security and privacy stories in the news this week, coinciding nicely with Halloween. We’ll start off with an unfortunate new cybersecurity term: killware. This is software whose end result is actual physical harm to human beings, including death. Sadly, this is now a thing. And I don’t know about you, but Mark Zuckerberg’s vision of the future (the “metaverse”) is pretty damn scary, too. In other news: a hacker seems to have stolen the government identity information for every person in Argentina; a New York Times journalist explains how his iPhone has been hacked multiple times by the NSO Group and what he does to protect himself (and his sources); the FBI, the Secret Service and other “like-minded countries” seem to have finally taken down the REvil ransomware gang for good; Facebook has changed its name to “Meta”; link previews in chat apps can actually cause serious security and privacy problems; Delta Airlines and UK schools are normalizing the use of facial recognition for mundane purposes; your ISP is collecting tons of information about you in the US because we let them; and finally, I demystify and debunk the “dangers” of QR codes.
Article Links
Killware: What You Need to Know https://adamlevin.com/2021/10/15/killware-what-you-need-to-know/
Hacker steals government ID database for Argentina’s entire population https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/
NYT journalist describes his iPhone being hacked, and the precautions he now takes https://9to5mac.com/2021/10/25/nyt-journalist-describes-his-iphone-being-hacked-and-the-precautions-he-now-takes/
FBI, others crush REvil using ransomware gang’s favorite tactic against it https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/
Facebook changes its name to Meta: https://www.inc.com/jason-aten/5-things-mark-zuckerberg-said-about-his-plan-for-metaverse-that-should-make-you-very-worried.html
Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities https://www.macrumors.com/2020/10/26/link-previews-may-lead-to-security-vulnerabilities/
Delta Air Lines partners with TSA PreCheck to launch biometrics-based bag drops https://finance.yahoo.com/news/delta-air-lines-partners-tsa-164655619.html
UK schools are using facial recognition to take pupils’ lunch money https://www.theverge.com/2021/10/18/22732330/uk-schools-facial-recognition-lunch-payments-north-ayrshire
Location Data Firm Got GPS Data From Apps Even When People Opted Out https://www.vice.com/en/article/5dgmqz/huq-location-data-opt-out-no-consent
Internet service providers have so much data on you https://www.protocol.com/policy/isp-ftc-data
Beware QR Code… Articles: https://firewallsdontstopdragons.com/beware-qr-code-articles/
Further Info
Only ONE DAY LEFT to snag your challenge coin!! The promotion ends at 11pm Eastern Time on Tuesday, November 2nd! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Through the Past, Privately: PGP Turns 30
Today, we’re surrounded by strong encryption. Thanks to efforts like Let’s Encrypt, almost all web communications today are encrypted. And thanks to wonderful private communications tools like Signal, we can share private thoughts instantly and securely with anyone on the planet. But this was not always the case. This secure, private, encryption-enabled future we’re living in now was far from certain 30 years ago when Phil Zimmermann created and freely released his email encryption tool Pretty Good Privacy (PGP). If not for Phil and a handful of others, we could very easily have lost the Crypto Wars of the 1990s and authoritarian mass surveillance could have been the norm. In today’s show, Phil and I walk through the creation of PGP, the technological and political climate of that day, and the nerve-racking few years where Phil faced potential jail time for releasing “munitions grade” encryption to the world. We’ll also discuss the literally life-saving impacts PGP has had over these last 30 years and how global law enforcement agencies and liberal democratic governments have revived the Crypto Wars. Phil Zimmermann is the creator of Pretty Good Privacy, which is still widely regarded as the gold standard for secure email communication. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion, and was inducted into the Cybersecurity Hall of Fame.
Further Info
Phil Zimmermann’s website: https://philzimmermann.com/
Phil’s announcement for the 30th anniversary of PGP: https://philzimmermann.com/EN/news/index.html
PGP Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust
SNL Bass-o-matic skit: https://www.nbc.com/saturday-night-live/video/bassomatic/n8631
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only ONE WEEK LEFT to snag your challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Rough Week for Facebook
Facebook had a horrible, no-good, very bad week. Not only did Facebook, Instagram and WhatsApp go completely offline for about six hours, a whistleblower came forward to show the world what most of us already knew: Facebook values money over its users’ well-being. And I have another story that backs that up, as well – one that you almost surely did not hear about. In other news: the FTC tells app makers to fess up when users’ private data gets loose; the governor of Missouri wants to sue a newspaper for revealing a horrible security flaw that exposed teachers’ social security numbers; Apple’s attempts to prevent user tracking on iOS are being undermined by unscrupulous apps; a company that you’ve never heard of with access to almost all cellular text messages was hacked over the course of five years; the VPN maker and VPN review industries are awash in conflicts of interest; Windows 11 is finally out, but it’s not clear whether you should upgrade to it; and Firefox is searching for more ways to make money and stay alive, including adding more sponsored search suggestions for you to consider.
Article Links
FTC says health apps must notify consumers about data breaches — or face fines https://techcrunch.com/2021/09/16/ftc-says-health-apps-must-notify-consumers-if-their-data-is-breached-or-face-fines/
Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/
Investigation Finds Apple App Tracking Rules May Be Ineffective; IDFA Blocked, but Apps Frequently Access Other Identifiers https://www.cpomagazine.com/data-privacy/investigation-finds-apple-app-tracking-rules-may-be-ineffective-idfa-blocked-but-apps-frequently-access-other-identifiers/
Company That Routes Billions of Text Messages Quietly Says It Was Hacked https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked
Consolidation of the VPN industry spells trouble for the consumer https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/
Facebook has finally given a reason for the six-hour outage Monday https://www.theverge.com/2021/10/4/22709806/facebook-says-the-six-hour-outage
Understanding How Facebook Disappeared from the Internet: https://blog.cloudflare.com/october-2021-facebook-outage/
Facebook bans developer behind Unfollow Everything tool https://www.theverge.com/2021/10/8/22716044/facebook-unfollow-everything-tool-louis-barclay-banned-for-life
Facebook whistleblower Frances Haugen tells lawmakers that meaningful reform is necessary ‘for our common good’ https://www.washingtonpost.com/technology/2021/10/05/facebook-senate-hearing-frances-haugen/
Windows 11 compatibility: Check if your PC meets Microsoft’s requirements https://www.cnet.com/tech/computing/windows-11-compatibility-check-if-your-pc-meets-microsofts-requirements/
Firefox Now Sends Your Address Bar Keystrokes to Mozilla https://www.howtogeek.com/760425/firefox-now-sends-your-address-bar-keystrokes-to-mozilla/
BONUS: Trust, but verify: An in-depth analysis of ExpressVPN’s terrible, horrible, no good, very bad week https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/
Further Info
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only two weeks left to snag a challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Privacy Dynamic Duo
Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time? NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!) Michelle Dennedy was the first CPO for many global IT infrastructure companies including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online and CEO at a Privacy Engineering startup in stealth mode. She is the co-author of The Privacy Engineer’s Manifesto and The Privacy Engineer’s Companion. Melanie Ensign is the CEO of Discernible, helping cybersecurity & privacy teams better communicate with business leaders and consumers. She is also part of the DEF CON leadership team.
Further Info
Discernible: https://discernibleinc.com/
Privatus: https://privatus.online/
The Privacy Engineer’s Manifesto: https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555
The Rise of Privacy Tech (TROPT): https://www.riseofprivacytech.com/
Privacy is Power (book): https://firewallsdontstopdragons.com/privacy-is-power-review/
The Social Dilemma: https://www.thesocialdilemma.com/
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
iOS 15 Privacy & Security Features
I admit it. I’m an Apple fan. Are they perfect? Definitely not. But in most cases, they’re actually trying to be good. And at the end of the day, their business model doesn’t rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it’s got some really cool security and privacy features. I’ll tell you all about them in today’s show. In other news: thousands of Netgear routers can be hacked via a Disney parental control feature even if you didn’t ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a “passwordless” login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere – because HTTPS is now already everywhere; Amazon’s new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US.
Article Links
National Cybersecurity Awareness Month, Week #1: Own your role in cybersecurity https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf
Thousands of Netgear routers can be hacked — here’s what to do https://www.tomsguide.com/news/netgear-router-circle-patches
Researcher drops three iOS zero-days that Apple refused to fix https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/
ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move https://theintercept.com/2021/09/21/surveillance-social-media-police-microsoft-shadowdragon-kaseware/
The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous https://www.vice.com/en/article/93ypke/the-nsa-and-cia-use-ad-blockers-because-online-advertising-is-so-dangerous
You Can Now Sign-in to Your Microsoft Accounts Without a Password https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html
HTTPS Is Actually Everywhere https://www.eff.org/deeplinks/2021/09/https-actually-everywhere
Amazon Astro is ‘terrible’ and will ‘throw itself down’ stairs, developers reportedly claim https://www.theverge.com/2021/9/28/22699284/amazon-astro-real-world-stairs-fragile-developer-claims-documents-tracking
National Cybersecurity Awareness Month https://www.cisa.gov/cybersecurity-awareness-month
Apple’s iOS 15 Privacy and Security features: https://firewallsdontstopdragons.com/ios-15-security-privacy-features/
Further Info
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Apple’s Problematic CSAM Scanning
Apple was set to roll out controversial new on-device scanning technology in iOS 15 last week, but thanks to pushback from groups like the Electronic Frontier Foundation and people like you, Apple has since thought better of it and backed down. It’s not clear when or if these “child safety” features will come to iPhones, but in the meantime we can hope that Apple will listen carefully to our concerns before proceeding. Today I’ll speak with Jason Kelley from the EFF about Apple’s proposed technology, the problem of child sexual abuse material (CSAM), and why Apple’s proposed solution was so problematic. Jason Kelley guides EFF’s social media tactics, develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking.
Further Info
Donate to EFF! https://supporters.eff.org/donate/join-4
EFF’s Perspectives event: https://www.eff.org/event/perspectives-encryption-and-child-safety
Sign the petition to stop Apple’s poorly-designed child safety features: https://www.eff.org/deeplinks/2021/09/dont-stop-now-join-eff-fight-future-apple-protests-nationwide
Fight for the Future’s #noSpyPhone coverage: https://www.fightforthefuture.org/news/2021-09-13-photos-video-protests-hit-apple-stores-across/
Child Rights International Network (CRIN): https://home.crin.org/
Detailed new review of my book: https://parmsam.medium.com/notes-from-reading-firewalls-dont-stop-dragons-f69ae0d4bf0a
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Security Is Hard
It’s really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard – even when you’re trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we’re going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task. In today’s show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it’s still being actively exploited (hint: patch now!); it was recently argued that WhatsApp’s end-to-end encryption has a “backdoor”, but I’ll explain why that’s not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its “no IP logging” marketing in the face of a recent incident involving a French activist’s account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I’ll tell you about a new fourth credit bureau where you should freeze your credit report.
Article Links
Free REvil ransomware master decrypter released for past victims https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/
Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR
WhatsApp Fixes Its Biggest Encryption Loophole https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/
No, Facebook Isn’t Reading Your Private WhatsApp Messages. The Problem Is Much Worse https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html
Pwned! The home security system that can be hacked with your email address https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/
ProtonMail Amends Its Policy After Giving Up an Activist’s Data https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
New Mac malware spreads via search results https://www.tomsguide.com/news/mac-malware-fake-iterm2
Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Stay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/
Driving Data Privacy for Cars
Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending to the cloud wirelessly right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy 4 Cars and today he’ll help us understand all the data your car is hoovering up – from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you’ve generated, probably without even realizing it. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Further Info
Privacy4Cars: https://privacy4cars.com/
Assert Your Data Rights! https://privacy4cars.com/personal-use/assert-your-data-rights/
Twitter: https://twitter.com/privacy4cars
Free CCPA Agent: https://freeccpaagent.com/
Auto ISAC: https://automotiveisac.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Privacy Matters
For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass – and the laws we aren’t passing. Today, I’ll talk about several stories with a common theme: privacy matters. Of course, I’ll also cover several security-related topics this week, as well: I’ll tell you how to completely hack someone’s Windows PC with a gaming mouse; Microsoft’s Azure cloud service left thousands of customers’ data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming child porn; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone.
Article Links
Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do https://www.tomsguide.com/news/steelseries-windows-privilege-escalation
Microsoft Azure cloud vulnerability is the ‘worst you can imagine’ https://www.theverge.com/2021/8/27/22644161/microsoft-azure-database-vulnerabilty-chaosdb
Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html
Australia Considers Social Media ID Requirement https://www.infosecurity-magazine.com/news/australia-considers-social-media
Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies https://www.businessinsider.com/google-locks-afghan-government-email-accounts-to-block-taliban-report-2021-9
Opinion: It’s dangerously stupid to put your state ID in your Apple Wallet https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-wallet
Millions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know https://www.tomsguide.com/news/braktooth-bluetooth-flaws
Apple cares about privacy, unless you work at Apple https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
Apple backs down on CSAM features, postpones launch https://appleinsider.com/articles/21/09/03/apple-backs-dow
Victory! Federal Trade Commission Bans Stalkerware Company from Conducting Business https://www.eff.org/deeplinks/2021/09/victory-federal-trade-commission-bans-stalkerware-company-conducting-business
‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought back https://www.theguardian.com/world/2021/sep/04/surveillance-state-september-11-panic-made-us-vulnerable
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Morpheus: Securing CPUs with Entropy
Computers are supposed to be completely predictable. When you tell one to do something, it should do exactly that – over and over again, if necessary – in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer’s processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer’s processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body’s immune system. Todd Austin is a Professor of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor. His research interests include computer architecture, robust and secure system design, hardware and software verification, and performance analysis tools and techniques. Todd is also co-founder of Agita Labs, a startup developing privacy-enhanced computation technologies that help ease the tension between data discovery and personal privacy.
Further Info
Morpheus article: https://spectrum.ieee.org/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers
Morpheus video: https://www.youtube.com/watch?v=v2mLm2QqsVo
DARPA SSITH program: https://www.darpa.mil/program/ssith
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/