Firewalls Don't Stop Dragons Podcast


484 episodes — Page 6 of 10

Beware the Four Horsemen

How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don’t tomorrow. Today I’ll discuss Apple’s new “child safety” initiatives and explain why I think they’re making the wrong tradeoffs, and also why they are actually not that effective and even potentially harmful to children. In other news: Both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft’s PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to new attacks; Facebook is trying to help Afghans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible with random numbers, and that’s a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk.

Article Links
Blocking the Exploitation of PrintNightmare: https://securityboulevard.com/2021/08/blocking-the-exploitation-of-printnightmare/
Disabling your Print Spooler (see “Workarounds”): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Millions of home Wi-Fi routers under attack by botnet malware: https://www.tomsguide.com/news/arcadyan-router-malware
SEE ALSO: Router Security: https://routersecurity.org/
T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers: https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-100-million-customer-data-records-compromised-including-social-security-drivers-license-unique-device-numbers/
Hacker Selling Private Data Allegedly from 70 Million AT&T Customers: https://restoreprivacy.com/att-data-breach-70-million-customers/
Millions of Web Camera and Baby Monitor Feeds Are Exposed: https://www.wired.com/story/kalay-iot-bug-video-feeds/
Secret terrorist watchlist with 2 million records exposed online: https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan: https://www.nytimes.com/2021/08/20/world/asia/afghanistan-facebook.html
Web apps have become so complex that they’re unsafe to use, researchers say: https://www.tomsguide.com/news/unsafe-web-apps-oauth
DEFCON “You’re doing IoT RNG” paper: https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng
Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope: https://daringfireball.net/2021/08/apple_child_safety_initiatives_slippery_slope
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous: https://www.washingtonpost.com/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/
Open letter to Apple from 90+ world orgs: https://cdt.org/insights/international-coalition-calls-on-apple-to-abandon-plan-to-build-surveillance-capabilities-into-iphones-ipads-and-other-products/
Tell Apple not to scan our phones: https://act.eff.org/action/tell-apple-don-t-scan-our-phones

Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 23, 2021 (1h 23m)

On a Dark Tangent

Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss – also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside.

Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
Privacy is Power, book by Carissa Véliz: https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151
My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/
The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 16, 2021 (1h 4m)

Understanding Hackers & Hacking

What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it’s easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren’t). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world’s largest hacking conferences. I’ve been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first-hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today’s show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.

Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEFCON 29: https://defcon.org/html/defcon-29/dc-29-index.html
DEFCON 29 media: https://media.defcon.org/DEF%20CON%2029/
Making the DEF CON 29 Badge: https://www.youtube.com/watch?v=H3kdq40PY3s
Soundtrack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20music/
Preparing for Hacker Summer Camp: https://theplaceboeffects.wordpress.com/2019/07/13/preparing-for-hacker-summer-camp/
Hack-A-Day badge article: https://hackaday.com/2021/08/05/hands-on-def-con-29-badge-embraces-the-new-normal/
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com: https://hackerboxes.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Generate secure passphrases! https://d20key.com/#/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker

Aug 11, 2021 (1h 31m)

Selling You Out to the Highest Bidder

Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that’s being shared in order to target those ads to you. Dr. Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr. Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan worked in adtech, media, and policy. His previous roles included Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA).

Further Info
Irish Council for Civil Liberties lawsuit: https://www.iccl.ie/rtb-june-2021/
Johnny Ryan: https://www.iccl.ie/staff/dr-johnny-ryan/
IAB Audience Taxonomy: https://www.iab.com/guidelines/audience-taxonomy/
IAB Content Taxonomy: https://www.iab.com/guidelines/content-taxonomy/
OpenRTB 3.0 spec: https://github.com/InteractiveAdvertisingBureau/openrtb
Browser plugin: https://chrome.google.com/webstore/detail/bidfilter-header-bidding/addamgcbhieigmdmmaooppajdocgggck
FTC’s data broker report from 2014: Data Brokers: A Call for Transparency and Accountability
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 2, 2021 (1h 31m)

Guard Your Digital Rolodex

Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more – meaning that it’s an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I’ll help you understand why it’s so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again… Apple, Microsoft, Google, Adobe; the REvil ransomware gang has disappeared completely from the dark web – and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group’s spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it’s easy and highly profitable to re-associate people with supposedly anonymous data sets.

Article Links
Apple fixes bug that breaks iPhone WiFi when joining rogue hotspots: https://www.bleepingcomputer.com/news/security/apple-fixes-bug-that-breaks-iphone-wifi-when-joining-rogue-hotspots/
Revil Ransomware Group Missing From Dark Web; Temporary Vacation, or Permanently Out of Business? https://www.cpomagazine.com/cyber-security/revil-ransomware-group-missing-from-dark-web-temporary-vacation-or-permanently-out-of-business/
The Kaseya Ransomware Nightmare Is Almost Over: https://www.wired.com/story/kaseya-ransomware-nightmare-is-almost-over/
Takeaways from the Pegasus Project: https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/
How to Protect Yourself From the New Windows 10 and 11 Security Bug: https://lifehacker.com/how-to-protect-yourself-from-the-new-windows-10-and-11-1847338342
Venmo removes its global, public feed as part of a major redesign: https://techcrunch.com/2021/07/20/venmo-removes-its-global-public-feed-in-a-significant-app-redesign/
The FBI Is Locating Cars By Spying On Their WiFi: https://www.forbes.com/sites/thomasbrewster/2021/07/22/the-fbi-is-using-stingray-smartphone-surveillance-to-locate-cars-and-spy-on-their-wifi/?sh=113ea16335c8
Inside the Industry That Unmasks People at Scale: https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii
A priest’s phone location data outed his private life. It could happen to anyone. https://www.washingtonpost.com/technology/2021/07/22/data-phones-leaks-church/
Connected cars: What happens to your data after you leave your rental car behind? https://www.zdnet.com/article/connected-cars-what-happens-to-your-data-after-you-leave-your-rental-car/
Privacy International 2017 study: http://privacyinternational.org/sites/default/files/2017-12/cars_briefing.pdf

Further Info
Who’s making money on ransomware? https://ransomwhe.re/
No More Ransom: https://www.nomoreransom.org/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 26, 2021 (58 min)

It’s Time to Drop the SBOM

The first step to solving any problem is gathering as much information as you can. Unfortunately, today we’re basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles – knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there’s a safety issue. This is not true for software makers… yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to change that. Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, which is part of the US Department of Commerce. There he coordinates cross-sector efforts to address key challenges in the cybersecurity ecosystem.

Further Info
NTIA’s SBOM website: https://www.ntia.gov/sbom
Twitter #SBOM: https://twitter.com/search?q=%23SBOM
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 19, 2021 (1h 10m)

How to Keep Ransomware at Bay

Just when you thought it couldn’t get worse, the bad guys say “hold my beer”. The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you’ve never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium-sized businesses, so that those companies don’t have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I’ll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I’ll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cookies for at least two years; a Microsoft exec tells the US Congress about how law enforcement and intelligence agencies make thousands of gag-order-restricted demands for data every year; a research group discovers that an old cell phone encryption standard was intentionally weakened to allow easier cracking; Microsoft’s PrintNightmare bug is still not fully patched and the back story is a comedy of errors; and with hurricane season upon us, I’ll point you to some great tips on preparing for power outages.

Article Links
A popular password manager screwed up, but there’s an easy fix: https://mashable.com/article/kaspersky-password-manager-security-bug
Brazilian iPhone thieves demonstrate importance of responsible password practices: https://appleinsider.com/articles/21/07/07/brazilian-iphone-thieves-demonstrate-importance-of-responsible-password-practices
Why Google Can’t Bring Itself to Make the Internet Respect Your Privacy: https://www.inc.com/jason-aten/why-google-cant-bring-itself-to-make-internet-respect-your-privacy.html
Microsoft exec: Targeting of Americans’ records ‘routine’: https://apnews.com/article/government-and-politics-technology-business-ed50baf4ffb09ca50cda9b8a262c54ad
Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened: https://www.vice.com/en/article/4avnan/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened
PrintNightmare official patch is out – update now? https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/
Up to 1,500 businesses infected in one of the worst ransomware attacks ever: https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/

Further Info
Microsoft PrintNightmare patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CISA, FBI share guidance for victims of Kaseya ransomware attack: https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/
Ransomware Defense: Top 5 Things to Do Right Now: https://threatpost.com/ransomware-defense-top-5-tips/167536/
How to prepare for a power outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
How to safely download software: https://firewallsdontstopdragons.com/how-to-safely-download-software/
Sign up for the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 12, 2021 (1h 0m)

Make That Shaken AND Stirred

Robocalls are the bane of my existence. I get so many spam calls that I’ve just stopped answering my home phone altogether. I’ve given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won’t answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: “Stir” (“secure telephone identity revisited”) and “Shaken” (“signature-based handling of asserted information using tokens”). While not perfect, they should at least help identify shady callers. In today’s Tip of the Week, I’ll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are vulnerable to a nasty BIOS attack; many users of the old WD My Book Live storage drives have had all their data erased; the REvil ransomware gang has attacked at least 200 companies with a new supply chain hack; Microsoft tries and fails miserably to fix a bad printer server bug (“PrintNightmare”); Russian hackers are constantly trying to brute force your bad passwords; and finally, the USA’s CISA is warning manufacturers of ThroughTek devices about an exploitable vulnerability in several webcams and IoT devices.

Article Links
Data Scraping Yields 700 Million LinkedIn Profiles for Sale on Dark Web; About 92% Of Platform Users, but Mostly Public Information: https://www.cpomagazine.com/cyber-security/data-scraping-yields-700-million-linkedin
Beware! Connecting to This Wireless Network Can Break Your iPhone’s Wi-Fi Feature: https://thehackernews.com/2021/06/beware-connecting-to-this-wireless.html
30M Dell Devices at Risk for Remote BIOS Attacks, RCE: https://threatpost.com/dell-bios-attacks-rce/167195/
Western Digital My Book Live devices being remotely wiped by attackers: https://appleinsider.com/articles/21/06/25/western-digital-my-book-live-devices-being-remotely-wiped-by-attackers
REvil ransomware hits 200 companies in MSP supply-chain attack: https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/
How to Avoid Windows’ ‘PrintNightmare’ Security Threat: https://lifehacker.com/how-to-avoid-windows-printnightmare-security-threat-1847221653
Russian Hackers Are Trying to Brute-Force Hundreds of Networks: https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/
CISA warns manufacturers of ThroughTek vulnerability (webcams): https://www.zdnet.com/article/cisa-warns-manufacturers-of-throughtek-vulnerability/
Robocalls are out of control. But that could all change today: https://www.cnet.com/news/robocalls-are-out-of-control-but-that-could-all-change-today/

Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 5, 2021 (1h 10m)

Sad State of Cybersecurity

Today’s news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware… Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure – or will these tools benefit the bad guys more? In today’s show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks! Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk.

Further Info
6clicks: https://www.6clicks.io/
Cybersecurity Maturity Model: https://www.acq.osd.mil/cmmc/draft.html
Internet of Things Cybersecurity Improvement Act of 2020: https://www.congress.gov/bill/116th-congress/house-bill/1668/text
Only three days to get your challenge coin!! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jun 28, 2021 (59 min)

Hacking Satellites for Fun & Profit

Are satellites really just IoT devices in space? They’re small computers and connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You’d think that they’d be a lot more complex and secure… but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don’t think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter – and time to register for this year’s tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force Defensive Cyber Operations for Space Systems (DCO-S) program. MITRE operates Federally Funded Research and Development Centers (FFRDCs), which support the US government in a variety of capacities. Jason Williams is a Security Researcher, Engineer, and CEO of Cromulence LLC and a member of Legitimate Business Syndicate (organizers of DEF CON CTF 2012-2017), with 15+ years of experience in cybersecurity and vulnerability research.

Further Info
Hack-A-Sat 2: https://www.hackasat.com/
US Digital Service: https://www.usds.gov/
Cromulence LLC: https://cromulence.com/
MITRE Corp: https://www.mitre.org/
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jun 21, 2021 (1h 5m)

Payment App Privacy Sucks

Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a “social” app. That’s shorthand for “share as much info as possible, with as many people as possible”. If you weren’t already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I’ll tell you how to change this and other Venmo privacy settings – and also which apps are better at privacy. Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the “stalker” privacy concerns with AirTags; apps are sidestepping Apple’s new App Tracking Transparency (shocker); TikTok just changed its privacy policy to mention the collection of your biometric info, including “faceprints” and “voiceprints”; we found out how the hackers got into the Colonial Pipeline computers and (maybe) how the FBI managed to get back some of the ransom money; the FBI secretly ran an encrypted communication platform marketed to criminals called Anom; and a new facial recognition service allows you (or some creeper) to search the web for anyone’s face for free.

Article Links
Amazon is about to share your Internet connection with neighbors. Here’s how to turn it off. https://www.washingtonpost.com/technology/2021/06/07/amazon-sidewalk-network/
Ring will require police & fire departments to make public requests for video footage: https://appleinsider.com/articles/21/06/03/ring-will-require-police-fire-departments-to-make-public-requests-for-video-footage
Apple announces AirTag privacy improvements, Android app coming this year: https://9to5mac.com/2021/06/03/airtag-privacy-improvements-sound-android-app/
How to Check Your AirTags Firmware Version: https://www.macrumors.com/how-to/check-airtags-firmware-version/
Apps Continuing to Track Users Despite Apple’s Privacy Prompt: https://www.macrumors.com/2021/06/07/apps-continuing-to-track-users/
WhatsApp is getting a crafty new way to verify your identity: https://www.techradar.com/news/whatsapp-is-getting-a-crafty-new-way-to-verify-your-identity
TikTok just gave itself permission to collect biometric data on U.S. users, including ‘faceprints and voiceprints’: https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/
Ransomware attackers used compromised password to access Colonial Pipeline network: https://www.cnn.com/2021/06/04/politics/colonial-pipeline-ransomware-attack-password/index.html
How could the FBI recover BTC from Colonial’s ransomware payment? https://nakedsecurity.sophos.com/2021/06/09/how-could-the-fbi-recover-btc-from-colonials-ransomware-payment/
The FBI’s Anom Stunt Rattles the Encryption Debate: https://www.wired.com/story/fbi-anom-phone-network-encryption-debate/
This facial recognition website can turn anyone into a cop – or a stalker: https://news.yahoo.com/facial-recognition-website-turn-anyone-113646451.html
VICTORY: You Can Now Make Your Venmo Friends List Private. Here’s How. https://www.eff.org/deeplinks/2021/06/victory-you-can-now-make-your-venmo-friends-list-private-heres-how

Further Info
HUGE sale on my book right now (55% off)! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jun 14, 2021 (1h 8m)

Have I Been FLoCed? (Part 2)

Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you’re visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF’s Bennett Cyphers, we’ll answer these questions and many more. Google’s FLoC proposal depends on Google being a “benevolent and omniscient overseer”, which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking “sensitive” info, there’s nothing saying it won’t change this later – on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.

Further Info
Ditch Chrome, switch to Firefox: https://firewallsdontstopdragons.com/its-time-switch-to-firefox/
Donate to Mozilla (Firefox): https://donate.mozilla.org/en-US/
Am I FLoC’d? https://amifloced.org/
Disable Amazon’s Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons

Jun 7, 2021 (50 min)

Have I Been FLoCed? (Part 1)

The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third party cookies are now being blocked by default by just about every browser – except Chrome. Google (who owns Chrome) is an ad company who relies on web tracking to make 90% of their revenue. With the writing on the wall, they and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system they call Federated Learning of Cohorts, or FLoC, which they claim can replace most of the tracking capability of third party cookies while somehow managing to preserve users’ privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how they are rolling it out, and why EFF believes that FLoC is not the way to go. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.

Further Info
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to come speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Google’s “Sensitivity of Cohorts” paper: https://docs.google.com/a/google.com/viewer?a=v&pid=sites&srcid=Y2hyb21pdW0ub3JnfGRldnxneDo1Mzg4MjYzOWI2MzU2NDgw
Google’s FLoC API spec: https://github.com/WICG/floc
Am I FLoC’d? https://amifloced.org/
Opt out of NHS data sharing: https://www.ft.com/content/9fee812f-6975-49ce-915c-aeb25d3dd748

May 31, 2021 (48 min)

How & When to Use a Passphrase

Today is the day we’ve all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited-edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)! In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple’s App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don’t own); and Amazon is enabling its Sidewalk mesh network by default – and I’ll tell you how to disable it. Further Info Get your own Firewalls Don’t Stop Dragons Challenge Coin! https://www.patreon.com/FirewallsDontStopDragons  How and When to Use a Passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/  Generate a secure passphrase!  https://d20key.com/  Check out my Malwarebytes interview! 
https://blog.malwarebytes.com/category/podcast/  Threat Technology’s list of 20 Best Security Podcasts: https://threat.technology/20-best-computer-security-podcasts-of-2021/  FAQ: DarkSide Ransomware Group and Colonial Pipeline https://www.eff.org/deeplinks/2021/05/faq-darkside-ransomware-group-and-colonial-pipeline  DarkSide group that attacked Colonial Pipeline drops from sight online https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/  Biden signs executive order to strengthen US cybersecurity https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/  Irish cyber-attack: Hackers bail out Irish health service for free https://www.bbc.com/news/world-europe-57197688  Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware https://thehackernews.com/2021/05/microsoft-warns-of-data-stealing.html  Americans Actually Want Privacy. Shocking. https://www.nytimes.com/2021/05/20/opinion/apple-facebook-ios-privacy.html   Coalition Launches ‘Dark Patterns’ Tip Line to Expose Deceptive Technology Design https://www.eff.org/press/releases/coalition-launches-dark-patterns-tip-line-expose-deceptive-technology-design  Veritone launches new platform to let celebrities and influencers clone their voice with AI https://www.theverge.com/2021/5/14/22432180/voice-clone-deepfake-celebrities-influencers-veritone-ai-platform  Eufy camera owners report video mixups https://nakedsecurity.sophos.com/2021/05/17/those-arent-my-kids-eufy-camera-owners-report-video-mixups/  Here’s Anker’s apology after 712 Eufy customers had camera feeds exposed to strangers https://www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-details Amazon’s Sidewalk Network Is Turned On by Default. Here’s How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html
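The passphrase tip above is about picking words at random from a list, which is what a die-and-wordlist scheme does. The example below is added here and is not code from the podcast or from d20key.com; the 400-entry word list is constructed for illustration and the way d20 rolls are mapped to list positions (base-20 digits) is an assumption, not d20key’s actual scheme. It also shows the one edge case a practitioner should care about: when the list size is not an exact power of 20, the leftover roll combinations must be re-rolled rather than folded back with a modulo, or the low end of the list gets picked more often.

```python
"""Diceware-style passphrases from d20 rolls, plus the entropy of the result.
Added example; word list and roll-to-index mapping are constructed, not d20key.com's."""
import math
import secrets

SIDES = 20

# Constructed word list: 20 adjectives x 20 nouns = 400 entries, so two d20
# rolls select one entry with no leftover combinations to reject.
_ADJ = ["amber", "brisk", "cedar", "dusty", "eager", "frost", "giant", "hasty",
        "ivory", "jolly", "kind", "lunar", "misty", "noble", "olive", "plump",
        "quiet", "rusty", "solar", "tidy"]
_NOUN = ["anchor", "badger", "candle", "dragon", "engine", "falcon", "garden",
         "hammer", "island", "jacket", "kettle", "lantern", "meadow", "needle",
         "orchid", "pebble", "quiver", "river", "saddle", "turret"]
WORDS = [f"{a}{n}" for a in _ADJ for n in _NOUN]


def roll_d20():
    """One fair die roll, simulated with the OS CSPRNG (never random.randint)."""
    return secrets.randbelow(SIDES) + 1


def rolls_needed(list_size):
    """Smallest k such that 20**k >= list_size (2 for 400 words, 3 for 7776)."""
    k, span = 0, 1
    while span < list_size:
        k += 1
        span *= SIDES
    return k


def index_from_rolls(rolls, list_size):
    """Treat k rolls (each 1..20) as base-20 digits of a list index.

    Returns None when the index lands past the end of the list; the caller
    must re-roll. Using `idx % list_size` instead would make the first
    (20**k - list_size) entries twice as likely as the rest."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= SIDES:
            raise ValueError(f"bad roll {r}")
        idx = idx * SIDES + (r - 1)
    return idx if idx < list_size else None


def pick_word(words=WORDS):
    """Roll until the rolls map to a valid index (rejection sampling)."""
    k = rolls_needed(len(words))
    while True:
        idx = index_from_rolls([roll_d20() for _ in range(k)], len(words))
        if idx is not None:
            return words[idx]


def generate_passphrase(n_words=6, words=WORDS, sep="-"):
    return sep.join(pick_word(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of a uniformly drawn passphrase: n * log2(list size).
    It depends only on how the words were chosen, not on which words came up."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase(6))
    print(f"6 words from 400: {entropy_bits(6, 400):.1f} bits")
    print(f"6 words from 7776 (EFF long list): {entropy_bits(6, 7776):.1f} bits")
```

Six words from even this small 400-word list give about 52 bits of entropy, comparable to an eight-character password drawn uniformly from a 72-symbol alphabet (about 49 bits) and far easier to remember; six words from a 7776-word list give about 78 bits. The strength comes from the dice, not the words: a "random-looking" phrase a person makes up has no entropy guarantee at all.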

May 24, 2021 (1h 21m)

Protecting Intellectual Freedom (Part 2)

What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we’ll discuss why libraries are so important in the fight for privacy and how they’re using technologies like Tor to keep their patrons’ (and even others’) web browsing anonymous. We’ll talk about why it’s important to do a self-assessment of your particular “threat model” and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we’ll talk about what all of this has to do with the so-called Streisand Effect! Alison Macrina is a librarian, internet activist, and founder and director of Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Library Freedom Project: https://libraryfreedom.org/ Library Freedom wiki: https://libraryfreedom.wiki/ Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute Discover your threat model: https://ssd.eff.org/en/module/your-security-plan Download Tor Browser: https://www.torproject.org/download/

May 17, 2021 (46 min)

Protecting Intellectual Freedom (Part 1)

Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community – and your local public libraries are there to help. Today I’ll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We’ll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture! Alison Macrina is a librarian, internet activist, and founder and director of Library Freedom project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Library Freedom project: https://libraryfreedom.org/ Library Freedom wiki: https://libraryfreedom.wiki/ Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute Noam Chomsky propaganda model: https://en.wikipedia.org/wiki/Propaganda_model Terrorism vs furniture-related deaths: https://www.washingtonpost.com/news/monkey-cage/wp/2015/11/23/youre-more-likely-to-be-fatally-crushed-by-furniture-than-killed-by-a-terrorist/

May 10, 2021 (40 min)

App Tracking Transparency

After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I’ll tell you what this feature does and doesn’t do, and of course, how to enable it. Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a ‘covert operations program’ that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple’s long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners. Further Info: A macOS major security bug has just been fixed – UPDATE NOW! 
https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/ Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock https://threatpost.com/mozilla-fixes-firefox-flaw/165501/ Facebook Messenger users targeted by a large-scale scam https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/ Codecov hackers breached hundreds of restricted customer sites https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/ 120 Compromised Ad Servers Target Millions of Internet Users https://thehackernews.com/2021/04/120-compromised-ad-servers-target.html The Postal Service is running a ‘covert operations program’ that monitors Americans’ social media posts https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html Federal Agencies Are Secretly Buying Consumer Data https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-data Emotet Malware Taken Down By Global Law Enforcement Effort https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/ Are we safer with the FBI accessing our computers without consent? https://thenextweb.com/news/are-we-safer-with-the-fbi-accessing-our-computers-without-consent-syndication The sun is setting on A.I.’s Wild West https://fortune.com/2021/04/27/the-sun-is-setting-on-a-i-s-wild-west/ Signal professionally trolls and screws Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/ AirTags are scarily good at tracking items and … people. I know because I tried. https://mashable.com/review/apple-airtags-review/ Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed https://9to5mac.com/2021/04/30/airtag-stalking-protections/

May 3, 2021 (1h 22m)

Hunting for Stingrays (Part 2)

While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the “good guys” as well as the “bad guys”. In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we’ll talk about why it’s so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple black hat conferences about security issues ranging from IMSI Catchers to Malware attacks against journalists. Further Info BECOME A PATRON! 
https://www.patreon.com/FirewallsDontStopDragons Electronic Frontier Foundation (EFF): https://www.eff.org/ EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance Crocodile Hunter project: https://github.com/EFForg/crocodilehunter How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers Why 5g won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers DIGITS documentary: https://curiositystream.com/video/1720 My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Apr 26, 2021 (55 min)

Hunting for Stingrays (Part 1)

The single easiest way to track someone today is using their cell phone. We have them with us at all times and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a “Stingray”) is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we’ll talk with a man who has made it his mission to uncover the use of such devices. We’ll talk about how they work, why they’re so hard to detect, and the broader implications of their use by police and sheriff’s departments with little to no oversight. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple black hat conferences about security issues ranging from IMSI Catchers to Malware attacks against journalists. Further Info BECOME A PATRON! 
https://www.patreon.com/FirewallsDontStopDragons Electronic Frontier Foundation (EFF): https://www.eff.org/  EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance  Crocodile Hunter project: https://github.com/EFForg/crocodilehunter How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers Why 5g won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers Sea Glass project: https://seaglass.cs.washington.edu/  Sitch project: https://sensor.readthedocs.io/en/latest/  My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9 

Apr 19, 2021 (52 min)

Trust No One

Lots of news to cover today… and to me the common thread seems to be a lack of proper security and privacy. So the theme today is “trust no one”. And the idea there isn’t really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the “bad guys” will find a way to bypass your main security barrier, so you need to have a second, and possibly a third, barrier in place. Today I’ll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the ACLU has been caught sharing their own users’ data with (of all companies) Facebook. And finally, I review the fantastic new book, Privacy is Power by Carissa Véliz. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Privacy is Power book review: https://firewallsdontstopdragons.com/privacy-is-power-review/ Were you part of a data breach? https://haveibeenpwned.com/ Articles quoted today: Don’t Fall for the ‘Vaccine Survey’ Scam https://twocents.lifehacker.com/don-t-fall-for-the-vaccine-survey-scam-1846620925 Ransomware gang leaks data from Stanford, Maryland universities https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/ Ransom Gangs Emailing Victim Customers for Leverage https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/ Facebook Says Leak of 533 Million Users’ Data Wasn’t a Hack. 
https://www.wsj.com/articles/facebook-says-leak-of-533-million-users-data-wasnt-a-hack-does-it-matter-11617910106 , https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/ Another 500 million accounts have leaked online, and LinkedIn’s in the hot seat https://www.theverge.com/2021/4/8/22374464/linkedin-data-leak-500-million-accounts-scraped-microsoft 70,000 SSNs, 600,000 Credit Card Records Leaked After Stolen-Data Hub Gets Hacked https://gizmodo.com/70-000-ssns-600-000-credit-card-records-leaked-after-s-1846638234 LexisNexis to Provide Giant Database of Personal Information to ICE https://theintercept.com/2021/04/02/ice-database-surveillance-lexisnexis/ Clearview AI used by police https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition ACLU, a defender of digital privacy, reveals that it shares user data with Facebook https://fortune.com/2021/04/02/aclu-shares-data-facebook-third-parties-digital-privacy/

Apr 12, 2021 (1h 7m)

Social Media is Ruining Society

There are many business models and businesses that we curtail because they can be dangerous to people or democracy or society. Even rights enshrined in the US Constitution have reasonable limits. Now that it’s become evident how engagement-optimized and algorithm-driven social media is ripping at the very fabric of our democracy, it’s time for an intervention. Today, Phil Zimmermann (creator of PGP) will explain why things have gotten so bad and what we need to do to fix it and save civil society. Phil Zimmermann is the creator of Pretty Good Privacy. PGP is still widely regarded as the gold standard for secure email communication and caused quite a controversy when it was introduced in the early 1990s. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons About Phil Zimmermann: https://www.philzimmermann.com/EN/background/index.html Read Crypto by Steven Levy: https://amzn.to/2PyAjKE Silent Circle: https://www.silentcircle.com/ Okuna update: https://medium.com/okuna/the-path-forward-8d56ccf37b5c Check out Somus.app: https://www.somus.app/ Watch The Social Dilemma: https://www.netflix.com/title/81254224 Watch The Great Hack: https://www.netflix.com/Title/80117542 Foundation for Individual Rights in Education (FIRE): https://www.thefire.org/

Apr 5, 2021 (57 min)

Stop Using SMS for 2FA

Passwords suck and humans aren’t good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for implementing the PIN code system: SMS or text messaging. SMS is very old, but also very widely used and supported. It’s never been terribly secure, but recently some clever security researchers have discovered a simple and cheap way to steal your text messages. Like, for $16. I’ll explain this hack and tell you how and why you should switch to the much more secure Time-based One-Time Password (TOTP) system for 2FA. In other news: I’ll update you on the massive Microsoft Exchange hack; I’ll cover a couple of stories about Apple bowing to pressure from foreign powers; thousands of surveillance cameras hacked in major corporations, schools, hospitals and even jails; a clever technique to identify deepfake videos; two welcome new privacy features in Firefox; Amazon’s take-it-or-leave-it driver surveillance demands; opting out of T-Mobile’s new data grab; and Texas making hundreds of millions of dollars off their citizens’ data. 
Further Info Amazing Tom Cruise deep fake videos: https://www.tiktok.com/@deeptomcruise Stop using SMS for 2FA: https://firewallsdontstopdragons.com/stop-using-text-messages-for-2fa/ First interview with PGP’s Phil Zimmermann: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/ Microsoft: 92% of Exchange servers safe from ProxyLogon attacks https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/ Apple Provides Timeline for ProtonVPN App Update, Suggesting App Store Rejection Was Unrelated to Current Events in Myanmar https://www.macrumors.com/2021/03/25/apple-responds-protonvpn-app-update-rejection/ Apple Bent the Rules for Russia—and Other Countries Will Take Note https://www.wired.com/story/apple-russia-iphone-apps-law/ Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=iKB6XOvf Scientists developed a clever way to detect Deepfakes by analyzing light reflections in the eyes https://thenextweb.com/neural/2021/03/11/ai-detects-deepfakes-analyzing-light-reflections-in-the-cornea-eyes-gans-thispersondoesnotexist/ Firefox 87 introduces new SmartBlock tracker blocking mechanism https://appleinsider.com/articles/21/03/24/firefox-87-launches-introduces-new-smartblock-tracker-blocking-mechanism Mozilla Firefox tweaks Referrer Policy to shore up user privacy https://www.zdnet.com/article/mozilla-firefox-tweaks-referrer-policy-to-shore-up-user-privacy/ Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job It’s mind-blowing how many millions of dollars Texas makes each year selling your personal data 
https://www.dallasnews.com/news/watchdog/2021/03/19/its-mind-blowing-how-many-millions-of-dollars-texas-makes-each-year-selling-your-personal-data/ U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts https://www.macrumors.com/2021/03/25/sms-routing-vulnerability-fix/
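The reason TOTP is not exposed to the SMS-rerouting attack described above is that the code never travels over the phone network: the authenticator app and the server each hold the same secret and both derive the code from the current time. The block below is an added example, not code from the podcast or from any authenticator app; it implements HOTP (RFC 4226) and TOTP (RFC 6238) in standard-library Python, checked against the test vectors published in those RFCs (20-byte SHA-1 secret `12345678901234567890`). The `verify_totp` window and the base32 helper are the usual practitioner additions, not part of the RFC text.

```python
"""TOTP/HOTP per RFC 6238 / RFC 4226, standard library only. Added example."""
import base64
import hashlib
import hmac
import struct
import time

# The secret from the RFC 6238 test-vector appendix (SHA-1 variant); a real
# deployment generates 20+ random bytes per user with secrets.token_bytes().
RFC6238_SHA1_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift, and compares in constant time. A production
    server must also refuse to accept the same (user, step) twice, so a code
    phished in real time cannot be replayed inside the window."""
    t = int(time.time()) if unix_time is None else unix_time
    for k in range(-window, window + 1):
        expected = totp(secret, t + k * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def secret_from_base32(s):
    """Decode the base32 secret found in otpauth:// URIs / QR codes (padding optional)."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    print("current code:", totp(RFC6238_SHA1_SECRET))
    print("RFC vector T=59 ->", totp(RFC6238_SHA1_SECRET, 59))  # 287082
```

Two things this makes visible: the code is a function of the shared secret and the clock only, so intercepting texts buys an attacker nothing; and the secret itself is the crown jewel, which is why it is shown exactly once as a QR code at enrollment and why losing the phone means re-enrolling rather than "resetting via SMS".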

Mar 29, 2021 (1h 15m)

Computers Interviewing Humans (Part 2)

Given that we’re using computer algorithms to evaluate humans, can these systems be gamed or fooled? And is it possible that computers are less biased than humans? On any given day, humans can be distracted, tired, sick or just flat out biased against people for any number of reasons. Should these systems be more transparent? How do we know if they’re being fair? Do we need to regulate these services? Is there a happy medium here? And finally, if you feel that you’ve been unfairly discriminated against by these systems, is there anything you can do about it? John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown’s Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars. Further Info: Electronic Privacy Information Center: https://epic.org/ Become a patron! https://www.patreon.com/FirewallsDontStopDragons Follow me! https://twitter.com/FirewallDragons https://www.facebook.com/FirewallsDontStopDragons https://bit.ly/Firewalls-YouTube

Mar 22, 2021 (38 min)

Computers Interviewing Humans (Part 1)

Convincing a human to hire you is hard enough. Can you imagine trying to convince a computer? Artificial intelligence is now being used to automate the screening of job candidates, evaluating cognitive ability, vocabulary, and even emotional intelligence. This new “hiretech” promises to weed out the bad applicants and flag the good ones by analyzing not just the substance of answers to interview questions, but also the manner in which you respond – your cadence, your word choices, your tone, your speech patterns, and perhaps even your facial expressions and body language. What could possibly go wrong? We’ll discuss this and more today with John Davisson from the Electronic Privacy Information Center. John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown’s Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars. Further Info: Electronic Privacy Information Center: https://epic.org/  Become a patron! https://www.patreon.com/FirewallsDontStopDragons  Weapons of Math Destruction: https://www.amazon.com/Weapons-Math-Destruction-Increases-Inequality/dp/0553418815

Mar 15, 2021 (38 min)

Last Straw for LastPass

Ep210. I’ve recommended LastPass for years – since I wrote my book and every day since. Until now. There are several good (secure and private) password managers out there. But LastPass was the full package: a free tier that had all the functionality most people need and for-pay tiers that had very useful extras. But now they’re hobbling the free version by only allowing you to use it on one type of device: either a mobile device or a computer, but not both. To me, that makes the free tier useless. LastPass’s Android app was also found to contain seven different trackers. That was the last straw for me. In today’s episode, I’ll tell you my new recommendations and give you an important tip on making the switch. In other news: a new law in Australia aims to force Google and Facebook to pay for news links; SolarWinds is blaming an intern for using a horrible password; SMS tax scams are picking up; Alexa Skills have serious privacy and security issues; adtech companies are scrambling to avoid telling you that you’re being tracked on iOS; cops use copyright filters to prevent being recorded; a new company is creating a nationwide surveillance system; pharmacies are capitalizing on the COVID vaccine to get your data for marketing; Firefox 86 has a killer new system to prevent third party cookie tracking; however, adtech is exploiting a loophole in DNS to turn third party cookies into first party cookies. Further Info: Switching to Bitwarden: https://firewallsdontstopdragons.com/?p=2447 Chat with me on Discord and get exclusive content! https://www.patreon.com/FirewallsDontStopDragons SMS tax scam unmasked: Bogus but believable – don’t fall for it! 
https://nakedsecurity.sophos.com/2021/02/12/sms-tax-scam-unmasked-bogus-but-believable-dont-fall-for-it/ Alexa Skills: Security gaps and data protection problems https://www.helpnetsecurity.com/2021/03/02/alexa-skills-security/ Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups https://appleinsider.com/articles/21/03/06/microsoft-exchange-server-hack-affects-over-30000-us-organizations Post-IDFA Alliance will address concerns of mobile app and game marketers https://venturebeat.com/2021/02/17/post-idfa-alliance-will-address-concerns-of-mobile-app-and-game-marketers/ Judge approves $650m settlement of privacy lawsuit against Facebook https://www.theguardian.com/technology/2021/feb/27/facebook-illinois-privacy-lawsuit-settlement Cops Using Music to Try to Stop Being Filmed Is Just the Tip of the Iceberg https://www.eff.org/deeplinks/2021/02/cops-using-music-try-stop-being-filmed-just-tip-iceberg Inside ‘TALON,’ the Nationwide Network of AI-Enabled Surveillance Cameras https://www.vice.com/en/article/bvx4bq/talon-flock-safety-cameras-police-license-plate-reader You got a vaccine. Walgreens got your data. (Recode) https://www.vox.com/recode/22310281/covid-vaccine-walgreens-cvs-rite-aid-walmart-data Firefox’s Total Cookie Protection aims to stop tracking between multiple sites https://www.engadget.com/firefox-total-cookie-protection-stop-tracking-websites-140044979.html Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique https://thehackernews.com/2021/02/online-trackers-increasingly-switching.html Changes to LastPass Free https://blog.lastpass.com/2021/02/changes-to-lastpass-free/ Security researcher raises questions about trackers in LastPass Android app https://appleinsider.com/articles/21/02/26/security-raises-questions-about-trackers-in-lastpass-android-app
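The "loophole in DNS" mentioned above is CNAME cloaking: the site publisher creates a subdomain of its own domain (so the browser treats it as first party) and points it, via a CNAME record, at the tracker’s servers. The browser’s same-site logic sees `metrics.news-site.example`; the cookies actually land with whoever answers for the CNAME target. The block below is an added example, not code from the podcast or from any blocker; it shows the check that blockers which handle this (uBlock Origin’s CNAME uncloaking is one real instance) perform: follow the CNAME chain and flag any hop whose registrable domain differs from the page’s. The DNS records, domain names and the tiny public-suffix table are all constructed for the example; a real implementation would query a resolver and use the full Public Suffix List.

```python
"""CNAME-cloaking detection: does a first-party-looking hostname resolve, via
CNAME, to a different registrable domain? Added example; DNS data is constructed."""

# Constructed CNAME answers standing in for a live resolver.
CNAME_RECORDS = {
    "metrics.news-site.example": "news-site.tracker-cdn.example",   # cloaked tracker
    "news-site.tracker-cdn.example": "edge.tracker-cdn.example",
    "static.news-site.example": "cdn.news-site.example",            # same site, fine
    "www.news-site.example": "news-site.example",
}

# Tiny stand-in for the Public Suffix List. Use publicsuffix2/tldextract in
# practice: without "co.uk"-style entries, registrable-domain math is wrong.
PUBLIC_SUFFIXES = {"example", "com", "uk", "co.uk"}


def registrable_domain(host):
    """eTLD+1: the shortest suffix of `host` that is exactly one label longer
    than a public suffix (news-site.example, site.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i + 1:])
        candidate = ".".join(labels[i:])
        if parent in PUBLIC_SUFFIXES and candidate not in PUBLIC_SUFFIXES:
            return candidate
    return host.lower()


def resolve_cname_chain(host, records=CNAME_RECORDS, max_hops=8):
    """Follow CNAMEs until a name with no CNAME, a loop, or the hop limit.
    Returns the full chain starting with `host` itself."""
    chain, seen = [host], {host}
    while host in records and len(chain) <= max_hops:
        host = records[host]
        if host in seen:
            break            # CNAME loop: stop instead of spinning forever
        seen.add(host)
        chain.append(host)
    return chain


def is_cname_cloaked(host, records=CNAME_RECORDS):
    """Return (cloaked, chain, foreign_hops). `cloaked` is True when any hop
    after the first lives under a different registrable domain than `host`,
    which is exactly the situation that turns a third-party tracker's cookies
    into first-party ones from the browser's point of view."""
    first_party = registrable_domain(host)
    chain = resolve_cname_chain(host, records)
    foreign = [h for h in chain[1:] if registrable_domain(h) != first_party]
    return (bool(foreign), chain, foreign)


if __name__ == "__main__":
    for name in ("metrics.news-site.example", "static.news-site.example"):
        cloaked, chain, foreign = is_cname_cloaked(name)
        print(f"{name}: {'CLOAKED' if cloaked else 'ok'}  chain={' -> '.join(chain)}")
```

The caveat that matters in practice: a CDN or hosting provider will also show up as a foreign registrable domain in the chain, so a hit from this check is a candidate for a tracker list, not proof on its own. Browser-side, Firefox’s Total Cookie Protection (the other Firefox item in this episode) partitions cookies per top-level site, which limits what a cloaked tracker can correlate even when the CNAME trick succeeds.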

Mar 8, 2021 (1h 39m)

Tech Learning Collective (Part 2)

In the second half of my interview with the Tech Learning Collective, we delve into their course curriculum a bit, and then discuss why they teach what they teach and how they approach these topics in a unique and meaningful way. We also examine the notion of “ethical hacking” and how this term can be used to whitewash some truly unethical and immoral products and services. Finally, we discuss why it’s important to know how to perform cyber attacks in order to properly defend against them. These classes are truly like nothing else you’ll find online. Check out one of their workshops for yourself (and support their important work in the process)! Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We’ll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents. Further Info Tech Learning Collective: https://techlearningcollective.com/ Support me on Patreon! https://www.patreon.com/FirewallsDontStopDragons The Privacy Issue’s Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-2.html

Mar 1, 2021 (50 min)

Tech Learning Collective (Part 1)

I first learned of the Tech Learning Collective at a privacy conference in late 2020. I struck up a conversation with one of its representatives and ended up taking one of their wonderful workshops in January. The TLC offers some top-notch courses on computers with a focus on cybersecurity. Unlike college courses or cybersecurity certification courses, TLC offers eminently practical and affordable content, focused squarely on doing. It’s like the difference between taking a karate class to earn colored belts and taking a personal self-defense class to actually protect yourself. But it’s also much more than that, and hard to describe. You’ll have to listen to this interview to truly understand! From their website… Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We’ll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents. Further Info Tech Learning Collective: https://techlearningcollective.com/ The Privacy Issue’s Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-1.html

Feb 22, 2021 (38 min)

Not Just a Face in the Crowd

Ep207. Clearview AI – the company that has hoovered up every face it can find on the internet to create a creepy person-identifying app – is back in the news. Canada and the EU have decided that Clearview has gone too far and needs to allow its users to opt out and even delete all the data they have, upon request. It’s a welcome development, but unfortunately only available to California residents in the US (plus Canada and the EU). I’ll tell you how to delete your data. In other news: Google uncovers a killer security feature in iOS 14 called BlastDoor; Amazon is expanding its “surveillance empire” in a massive and creepy way; someone “hacked” a water treatment plant in Florida trying (and failing) to poison its citizens; a bad bug has been found in a popular Wi-Fi IoT chip; a new phishing attack uses Morse code to hide its malicious web links; Facebook’s “Supreme Court” has rendered its first set of rulings; and Clubhouse, the latest social media craze, is using some intrusive techniques to find more members. Also, I’ve got several tips for tax time in the US, including avoiding scams and safely transferring your financial data. Further Info Opt out of Clearview AI and delete your data: https://clearview.ai/privacy/requests Avoid tax scams: https://firewallsdontstopdragons.com/its-tax-scam-time-again/ Send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/ Get your IRS IP PIN: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin

Feb 15, 2021 (1h 0m)

Free Speech & Deplatforming

Episode 206. The social media events around the January 6th storming of the US Capitol have sparked raging, divisive debates in the US. But the banning of individuals and the deplatforming of apps and groups are not new phenomena. The Right of Free Speech that is enshrined in the First Amendment to the US Constitution is not limitless. It does have legal boundaries. And private companies, even monopolies, have the legal right to control access to their platforms. But does that make it right? Today, I will wade into this decidedly thorny issue with Troy Hunt, who brings a plethora of global technology and security experience to the debate. Troy Hunt is an Australian Microsoft Regional Director and a Most Valuable Professional awardee for Developer Security. He’s a blogger, international speaker and author of several online courses, and he runs the very valuable internet security service HaveIBeenPwned. Further Info Troy Hunt’s blog on deplatforming: https://www.troyhunt.com/weekly-update-226/ EFF’s take: https://www.eff.org/deeplinks/2019/05/censorship-cant-be-only-answer-disinformation-online Legal limits of free speech: https://en.wikipedia.org/wiki/United_States_free_speech_exceptions Listener survey: https://bit.ly/Firewalls-survey-2021 Patron survey: http://bit.ly/Firewalls-patron-survey-2021

Feb 8, 2021 (1h 3m)

Stop Watching Me!

Tracking and data mining have gotten way out of hand. We’re not only being tracked online, we’re now being tracked around the real world, too. We’re truly living in a panopticon – and it’s not good for us as individuals or as a democratic society. Today I’ll cover several stories that make it clear that we’ve hit a tipping point. It has to stop. And it’s going to require all of us putting pressure on our representatives to lay down some common sense rules to curb surveillance capitalism. In today’s news: One week left to send in your podcast listener survey; update all your iOS devices ASAP; Apple walks back a controversial OS change that would have allowed some Apple apps to bypass firewalls and VPNs; Microsoft is touting a new Edge browser feature that notifies you when your passwords have been breached; an innocuous-looking police robot is actually paving the way towards chilling mass surveillance; another US intelligence agency has been caught buying the location data of US citizens from data brokers; Apple’s efforts at improving user privacy are ruffling more feathers at Google and Facebook. Further Info New Year’s Resolution ideas for 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/ Data Privacy Day checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Listener survey: https://bit.ly/Firewalls-survey-2021 Patron survey: http://bit.ly/Firewalls-patron-survey-2021

Feb 1, 2021 (59 min)

De-Googling Your Life

We all love to beat up on Facebook over user privacy, but the real granddaddy of them all is Google. Google is everywhere. And they almost surely know way more about you than any other company on the planet. In addition to all the “G” apps and services that you know about, Google also owns Android, Chrome browser, Waze, Nest and YouTube. It’s extremely hard to avoid using Google. But there are alternatives that will respect your privacy – and today I’ll give you a long list of viable options. And with international Data Privacy Day happening this week (Jan 28th), it’s a great time to take back control of your data. In other news: Some malicious Chrome extensions have been scraping Facebook data, a man working for ADT has been caught spying on women using the security cameras he helped to install, Google seems to be dragging their heels on updating their iOS app privacy labels, Malwarebytes says they’ve been hacked by the same group behind the SolarWinds hacks, WhatsApp has upset many of their users with a new privacy ultimatum, and I’ll delve into the national security implications of the recent US Capitol breach. Further Info Listener survey: https://bit.ly/Firewalls-survey-2021 Patron survey: http://bit.ly/Firewalls-patron-survey-2021 My Data Privacy Day Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Google Alternatives: https://restoreprivacy.com/google-alternatives/ Restore Privacy tools: https://restoreprivacy.com/privacy-tools/ No More Google: https://nomoregoogle.com/ Just Get My Data: https://justgetmydata.com/ Just Delete Me: https://justdeleteme.xyz/

Jan 25, 2021 (57 min)

Choosing a Private Email Service (Part 2)

So I want to switch to a new, privacy-respecting email service. How do I even do that? What happens to all the email I have now? What about my calendar and contacts? Am I going to have to change my email address every time I change email providers? In part 2 of my interview with Fastmail’s COO Helen Horstmann-Allen, we’ll answer these questions and also address the thorny issue of privileged access by law enforcement. Helen Horstmann-Allen is the Chief Operating Officer at Fastmail where she provides overall business strategy and product direction for Fastmail and its suite of products. Before Fastmail, she ran her company, Pobox, an email forwarding service, for 20 years before Fastmail acquired it in 2015. Helen graduated from the Wharton School of Business and currently serves on several nonprofit boards in the Philadelphia area. Further Info 2021 Listener Survey: http://bit.ly/Firewalls-survey-2021 New Year’s Resolutions 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/ No More Google: https://nomoregoogle.com/ Sign up for Fastmail (referral link): https://ref.fm/u18721448

Jan 18, 2021 (36 min)

Choosing a Private Email Service (Part 1)

What could I learn about you if I read all your emails? Like, all of them. Since you started sending email. Beyond private conversations, I would also likely know every web site you have a relationship or account with, every online purchase you’ve made, every club or organization you’ve been a part of, and all the appointments you’ve made. I can also make a pretty comprehensive list of everyone you know. And that’s just the tip of the iceberg. If I analyze the content of your emails, I could almost certainly determine your political leanings, sexual preferences, religion, income, location(s), and more. So why don’t we put more thought into choosing our email provider? In part one of my interview with Fastmail’s COO, Helen Horstmann-Allen, we’ll discuss how email privacy really works and why it’s so crucially important. Helen Horstmann-Allen is the Chief Operating Officer at Fastmail where she provides overall business strategy and product direction for Fastmail and its suite of products. Before Fastmail, she ran her company, Pobox, an email forwarding service, for 20 years before Fastmail acquired it in 2015. Helen graduated from the Wharton School of Business and currently serves on several nonprofit boards in the Philadelphia area. Further Info CONTEST LINK!! http://bit.ly/Firewalls-200 New Year’s Resolutions 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/ No More Google: https://nomoregoogle.com/ Sign up for Fastmail (referral link): https://ref.fm/u18721448 Arnold’s take: https://www.youtube.com/watch?v=mz3zFsTp2Pk

Jan 11, 2021 (37 min)

The Great SolarWinds Hack

The Russian SVR has had backdoor access to hundreds if not thousands of government and corporate networks for nearly nine months. And if not for private security firm FireEye, we might never have known. The SolarWinds supply chain hack may be the biggest, most consequential cybersecurity event ever. And it will literally be years before we understand the full impacts. However, from what we know so far, this was not an “attack” or “act of war” … it was straight-up espionage, which is widely accepted as normal during peacetime. The US does this all the time, as do all modern nations. And yet, espionage and infiltration are the first steps in any actual attack. It’s a fine line. We’ll discuss it today. In other news: Adobe Flash is finally dead – it’s time to remove it; Facebook is being sued by almost all 50 states and the Federal Trade Commission; butt-flap pajamas flooded internet ads; GoDaddy plays a cruel Christmas prank on its employees; Microsoft, McAfee and many others have joined forces to fight ransomware; and Signal messenger was NOT hacked by Cellebrite. Further Info CONTEST LINK!! http://bit.ly/Firewalls-200 Follow me on Facebook!! https://bit.ly/Firewalls-Facebook Follow me on YouTube!! https://bit.ly/Firewalls-YouTube New Year’s Resolutions 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/ Uninstall Adobe Flash: Windows: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html Mac: https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Jan 4, 2021 (59 min)

200th Podcast & New Year’s 2021!

The dumpster fire that was 2020 is almost behind us, and it’s time to look forward to a brighter future in 2021! By a stroke of fortuitous coincidence, this is also my 200th podcast! To celebrate these two important milestones, we have a world-renowned security guru for our guest, Bruce Schneier, and I’ll be giving away over $1800 worth of great stuff to help you improve your privacy and security in 2021! And if all of that weren’t enough, I’ll also be sharing with you several top-notch to-do list ideas for your 2021 New Year’s resolutions – not just from myself, but from several top industry experts! It’s an amazing star-studded, prize-riddled, info-packed podcast! Special Guest Appearances By: Bruce Schneier (Chief of Security Architecture at Inrupt) Dr Ann Cavoukian (Executive Director at Global Privacy & Security by Design Centre) Dr Andy Yen (CEO/Co-Founder ProtonMail) Cory Doctorow (author & activist) David Ruiz (Malwarebytes) Helen Horstmann-Allen (COO Fastmail) Beah Burger-Lenehan (Director, Product at DuckDuckGo) Marshall Erwin (Chief Security Officer, Mozilla) Todd Weaver (Founder/CEO Purism) Rich Stokes (Founder/CEO Winston Privacy) Further Info: CONTEST LINK!! http://bit.ly/Firewalls-200 Contest info: https://firewallsdontstopdragons.com/new-years-2021-giveaway/ New Year’s Resolutions 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/ Inrupt: https://inrupt.com/solid Solid Project: https://solidproject.org/ Follow me on Facebook!! https://bit.ly/Firewalls-Facebook Follow me on YouTube!! https://bit.ly/Firewalls-YouTube

Dec 28, 2020 (1h 19m)

Best of 2020!

I’ve painstakingly scoured the last 50 episodes to select the best of the best, the cream of the crop, the top tips for the year 2020! If you’re already a subscriber, this will be a great refresher – and maybe give you a chance to do some of those things you had meant to do but somehow never got around to doing! And if you’re a new subscriber, then you can catch up on some of what you missed! This would also be a great episode to share with friends and family who you feel might also benefit from improving their cyber security and data privacy! Enjoy! And Happy Holidays!! Further Info Don’t miss the HUGE 200th episode next week! https://firewallsdontstopdragons.com/200th-podcast-a-brighter-future/ Follow me on Facebook!! https://bit.ly/Firewalls-Facebook Follow me on YouTube!! https://bit.ly/Firewalls-YouTube

Dec 21, 2020 (1h 9m)

Setting the Digital Standard (Part 2)

On today’s show, Ben Moskowitz from Consumer Reports will tell us about an extremely useful tool they’ve created to help you improve your personal security and privacy, customized to your particular needs, called the Security Scanner. Just answer a few simple questions and it will give you a checklist of specific ways to be more secure, ranked by time, effort and cost. Consumer Reports is also pioneering a comprehensive, open-source program that will allow consumers, manufacturers, advocacy organizations, and more to formally evaluate the privacy and security aspects of products and services. This will allow buyers to compare products more accurately and give manufacturers incentives to make better products. Benjamin Moskowitz is the Director of Consumer Reports’ Digital Lab, a major initiative to expand CR’s work on privacy, digital security, and emerging concerns in digital consumer protection. Previously, he served as Director of Development for Innovation for the International Rescue Committee, where he secured more than $29 million in funding as a founding member of the Airbel Center—a research and development unit that designs, tests, and scales life-changing solutions for refugees and people affected by conflict. Further Info Consumer Reports Security Planner: https://securityplanner.consumerreports.org/ The Digital Standard: https://thedigitalstandard.org/ Virtual screening of Coded Bias: https://action.consumerreports.org/coded_bias Contribute! https://digital-lab.consumerreports.org/ Become a CR Member: https://www.consumerreports.org/membership Privacy Front & Center study: https://thedigitalstandard.org/downloads/CR_PrivacyFrontAndCenter_102020_vf.pdf Best & Worst Gift Guide 2020: https://firewallsdontstopdragons.com/best-worst-gifts-2020/ Follow me on Facebook!! https://bit.ly/Firewalls-Facebook Follow me on YouTube!! https://bit.ly/Firewalls-YouTube Request book for review: https://form.jotform.com/203127587895064

Dec 14, 2020 (58 min)

Setting the Digital Standard (Part 1)

Are consumers really concerned about security and privacy in the products they buy? And if so, how could manufacturers capitalize on these attributes to sell more of their products? Consumer Reports has recently published an important, comprehensive study of consumer attitudes towards privacy and security, including the historical evolution of these feelings. The result is a roadmap which companies can use to better serve this fast-growing market. Today we’ll discuss this study and its implications with Ben Moskowitz from CR’s Digital Lab. Benjamin Moskowitz is the Director of Consumer Reports’ Digital Lab, a major initiative to expand CR’s work on privacy, digital security, and emerging concerns in digital consumer protection. Previously, he served as Director of Development for Innovation for the International Rescue Committee, where he secured more than $29 million in funding as a founding member of the Airbel Center—a research and development unit that designs, tests, and scales life-changing solutions for refugees and people affected by conflict. Further Info: Privacy Front & Center study: https://thedigitalstandard.org/downloads/CR_PrivacyFrontAndCenter_102020_vf.pdf Consumer Reports Security Planner: https://securityplanner.consumerreports.org/ The Digital Standard: https://thedigitalstandard.org/ Virtual screening of Coded Bias: https://action.consumerreports.org/coded_bias Contribute! https://digital-lab.consumerreports.org/ Become a CR Member: https://www.consumerreports.org/membership My new YouTube Channel: https://www.youtube.com/channel/UC0aUElaV7hDubXSpDJkiSrA Request book for review: https://form.jotform.com/203127587895064

Dec 7, 2020 (45 min)

Best & Worst Gifts Guide 2020

Looking for fun gifts that won’t also be gifts to hackers and data miners? In today’s show, I’ll list off the top products and services from my annual Naughty & Nice gifts guide! Every year, I review several popular gifts and give you my recommendations on which ones to buy and which ones to avoid like the plague (or the pandemic?). In other news: Spotify has been hacked and you should change your password; Google is looking to add end-to-end encryption to its new Android RCS messaging system; an important new IoT security bill is waiting for the President’s signature; 27.7M Texans’ driver’s license info has been stolen; the IRS and the US military have been doing an end run around the US Constitution to obtain location information on thousands of people including US citizens without a warrant; Apple lowers its App Store commission to 15% for the vast majority of developers; Apple has responded to the blowback concerning its security validation on macOS Big Sur; and now is the time to download and enable your state’s COVID-19 tracing app. Further Info: Best & Worst Gifts for 2020: https://firewallsdontstopdragons.com/best-worst-gifts-2020/ COVID-tracing app story, Washington Post: https://www.washingtonpost.com/technology/2020/11/18/coronavirus-app-exposure-alerts/ Setting up a Pi-Hole server: https://www.smarthomebeginner.com/pi-hole-setup-guide/

Nov 30, 2020 (1h 29m)

Dark Patterns (Part 2)

So, what can we do about these dark patterns? Are there technical solutions to this problem? Or will this require regulations? Or perhaps we just need to train our engineers and consumers better? In part 2 of my interview with Dr. Colin Gray of Purdue University, we talk about some possible solutions to the dark patterns problem, as well as tips and tricks for avoiding them. Colin also shares several interesting resources for further study. Colin M. Gray is an Assistant Professor at Purdue University in the Department of Computer Graphics Technology. He is program lead for an undergraduate major and graduate concentration in UX Design. He holds a PhD in Instructional Systems Technology from Indiana University Bloomington, an MEd in Educational Technology from University of South Carolina, and an MA in Graphic Design from Savannah College of Art & Design. He has worked as an art director, contract designer, and trainer, and his involvement in design work informs his research on design activity and how design capability is learned. His research focuses on the ways in which the pedagogy and practice of designers informs the development of design ability, particularly in relation to ethics, design knowledge, and professional identity formation.
Further Info: Colin’s home page: https://colingray.me Dark Patterns: https://darkpatterns.uxp2.com Dark Patterns (Brignull): https://darkpatterns.org/ Give Thanks: https://firewallsdontstopdragons.com/give-thanks-donate/ Rachel Maddow’s plea: https://www.nbcnews.com/feature/nbc-out/rachel-maddow-says-her-partner-has-covid-19-one-point-n1248375 COVID-19 risk assessment tool: https://covid19risk.biosci.gatech.edu/ Facebook’s Social Contagion experiment: https://www.forbes.com/sites/kashmirhill/2014/06/30/facebook-only-got-permission-to-do-research-on-users-after-emotion-manipulation-study/ Evil By Design: https://www.amazon.com/Evil-Design-Interaction-Lead-Temptation/dp/1118422147 Design Justice: https://design-justice.pubpub.org/ Data Feminism: https://data-feminism.mitpress.mit.edu/ Michael Sandel’s Justice course: http://justiceharvard.org/justicecourse/

Nov 23, 2020 (55 min)

Dark Patterns (Part 1)

Are you tired of being pestered to allow notifications or access to your location? Do you wonder why you have to give your credit card number in order to sign up for “free” trials? Why weren’t you told about the shipping costs until the very last screen in the purchase process? Are you sure that you didn’t intend to sign up for all those newsletters? You’re not alone, and you’re not simply being subjected to clever marketing. You’ve been the victim of dark patterns: specific, scientifically-proven techniques designed to favor shareholder value over user value. In part 1 of my interview with Dr. Colin Gray, we’ll discuss all the ways in which we’re being manipulated and why, as mere humans, we’re horribly outmatched. Colin M. Gray is an Assistant Professor at Purdue University in the Department of Computer Graphics Technology. He is program lead for an undergraduate major and graduate concentration in UX Design. He holds a PhD in Instructional Systems Technology from Indiana University Bloomington, an MEd in Educational Technology from University of South Carolina, and an MA in Graphic Design from Savannah College of Art & Design. He has worked as an art director, contract designer, and trainer, and his involvement in design work informs his research on design activity and how design capability is learned. His research focuses on the ways in which the pedagogy and practice of designers informs the development of design ability, particularly in relation to ethics, design knowledge, and professional identity formation. Further Info: Dr. Colin Gray’s home page: https://colingray.me Dark Patterns: https://darkpatterns.uxp2.com Dark Patterns (Brignull): https://darkpatterns.org/ Facebook’s Social Contagion experiment: https://www.forbes.com/sites/kashmirhill/2014/06/30/facebook-only-got-permission-to-do-research-on-users-after-emotion-manipulation-study/

Nov 16, 2020 (52 min)

Zoom: Now with Actual Privacy

Zoom went from an obscure teleconferencing company to a household word when the pandemic hit. Zoom wasn’t the best videoconferencing app by any means. But it was dead simple to use and kinda fun to say. For better or worse, it became the de facto tool for many of us to keep in touch. Over that time, Zoom has made many important improvements. This week it has finally rolled out what appears to be true end-to-end encryption (E2EE). Today I’ll tell you how to enable this new feature. In other news: Be sure to update your iPhones to iOS 14.2; also be sure to keep Google Chrome and Windows 10 up to date; Adobe Flash is finally almost gone; police in Jackson, Mississippi are trialing a program to directly tap into people’s private security cameras like Ring video doorbells; the NSA and FBI have been burned by the very backdoors they added; and California’s Prop 24 passes, beefing up privacy protections for its citizens (and probably for all of us). Further Info How to enable Zoom end-to-end encryption: https://firewallsdontstopdragons.com/zoom-now-with-actual-privacy/ Best & Worst Gifts from last year: https://firewallsdontstopdragons.com/best-worst-gifts-2019/ Please add a nice review on my new book!! https://www.amazon.com/gp/product/1484261887

Nov 9, 2020 (44 min)

The Ebb & Flow of the Internet

For better or for worse, the internet today is funded by advertising. While ads can be annoying, the real issue isn’t having to watch ads – it’s when the ads watch us. AdTech today is premised on invasive personal data collection. Companies like Google and Facebook amass voluminous dossiers on each of us, and sell highly-targeted ads based on our income, gender, age, location, buying habits, personal interests, sexual orientation, and much, much more. But it doesn’t have to be that way. And Cloudflare is going to show us how. Today, I’ll talk again with the CTO, John Graham-Cumming, about Cloudflare Radar and much more. John Graham-Cumming is a British software engineer and writer best known for starting a successful petition to the Government of the United Kingdom asking for an apology for its persecution of Alan Turing. As of 2020, he serves as Chief Technology Officer (CTO) at Cloudflare. Further Info: Cloudflare Radar: Election 2020 https://radar.cloudflare.com/election-2020 Cloudflare 1.1.1.1 DNS and Warp VPN: https://1.1.1.1/ VOTE! https://www.vote.org/

Nov 2, 2020 (51 min)

Big Proctor is Watching You (part 2)

In the second half of my interview with the EFF’s Lindsay Oliver and Jason Kelley, we talk about how these draconian surveillance systems put several students at a distinct disadvantage and how the teachers themselves feel about all of this. How might all of this normalize surveillance for young people? Can the invisible hand of the market resolve some of these issues? What should the policies be around proctoring and the use of these surveillance apps? How can we push back and demand change most effectively? Lindsay Oliver is the Project Manager for EFF’s activism team, and works on the self-help resource Surveillance Self-Defense, Security Education Companion, and student privacy. Jason Kelley guides EFF’s social media tactics and develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking. Further Info: VOTE! https://www.vote.org/ Cybersecurity & Infrastructure Security Agency tip sheets: https://www.cisa.gov/national-cybersecurity-awareness-month-resources Surveillance Self Defense for students: https://ssd.eff.org/en/module/privacy-students Electronic Frontier Alliance: https://supporters.eff.org/join-efa This article has TONS of student privacy resources: https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps

Oct 26, 2020 (1h 6m)

Big Proctor is Watching You (part 1)

In this time of COVID-19, we’ve all had to learn to work and learn from home. But how do our bosses know we’re not screwing around instead of working? How do our teachers know we’re not cheating? It turns out that they’re both willing to go to extremely intrusive measures to try to figure that out. Home and mobile device surveillance technology is booming thanks to this global pandemic, as we will learn from talking to the EFF’s Lindsay Oliver and Jason Kelley. They have been investigating the serious impacts these products and services are having on our privacy and overall fairness for students and employees. Lindsay Oliver is the Project Manager for EFF’s activism team, and works on the self-help resource Surveillance Self-Defense, Security Education Companion, and student privacy. Jason Kelley guides EFF’s social media tactics and develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking. Further Info: Surveillance Self Defense for students: https://ssd.eff.org/en/module/privacy-students Electronic Frontier Alliance: https://supporters.eff.org/join-efa This article has TONS of student privacy resources: https://www.eff.org/deeplinks/2020/09/students-are-pushing-back-against-proctoring-surveillance-apps National Cybersecurity Awareness Month: https://www.cisa.gov/national-cybersecurity-awareness-month-resources

Oct 19, 2020 (46 min)

National Cybersecurity Awareness Month

October is National Cybersecurity Awareness Month! The theme this year is: if you connect it, protect it! And given how popular IoT devices are these days, and also how horrid their security usually is, this advice has never been more important. In today’s show, I’ll walk through some top cyber tips for protecting your devices and your home network. And there’s a TON of news, as well: I’ll update you on the “App Fairness” campaign from Epic, Protonmail, Spotify and others; watch out for fake Android messaging apps made to look like Threema or Telegram; Google’s Chrome browser gets slammed for its poor privacy protections; Google is now giving out lists of people who searched on particular terms to law enforcement; Amazon is adding some new privacy options to their Alexa products, while also introducing a super-creepy home spy drone; should you let your insurance company track you? (spoiler: no); and Apple’s T2 chip is found to have a severe, unfixable security flaw. Further Info: Cybersecurity & Infrastructure Security Agency (CISA) tip sheets: https://www.cisa.gov/publication/national-cybersecurity-awareness-month-publications Get 20% off my new book at Apress using code Dragons2020. https://www.apress.com/us/book/9781484261880 Google Chrome: the Anti-Privacy Browser: https://theprivacy.com/2020/09/14/google-chrome-the-anti-privacy-browser/?hss_channel=tw-976856456740864004 Coalition for App Fairness’s 10 principles examined: https://appleinsider.com/articles/20/10/05/breaking-down-the-coalition-for-app-fairness-issues-with-apple

Oct 12, 2020 (55 min)

Apple’s Epic Battle Royale (Part 2)

What do Apple, Tyson Foods and Worldwide Wrestling (WWE) all have in common? And what is “chickenization”? In part 2 of my interview with Cory Doctorow, he explains how some markets in the US economy are completely distorted by dominant sellers as well as dominant buyers. Seeing all of these specific markets as facets of a single economic problem, we can find common cause and perhaps a common solution. Cory Doctorow (craphound.com) is a science fiction author, activist, and journalist. He is the author of RADICALIZED and WALKAWAY, science fiction for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN’T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER. His latest book is POESY THE MONSTER SLAYER, a picture book for young readers. His next book is ATTACK SURFACE, an adult sequel to LITTLE BROTHER. He maintains a daily blog at Pluralistic.net. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles. Further Info: Buy Attack Surface: https://us.macmillan.com/books/9781250757531 Back Attack Surface audio book: https://www.kickstarter.com/projects/doctorow/attack-surface-audiobook-for-the-third-little-brother-book Buy Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887 Watch The Social Dilemma!: https://www.netflix.com/title/81254224 Donate to EFF: https://supporters.eff.org/donate/join-4 Be very wary of disinformation right now: https://firewallsdontstopdragons.com/fake-news-be-highly-wary-right-now/ VOTE!! https://www.vote.org/

Oct 5, 2020 · 39 min

Apple’s Epic Battle Royale (Part 1)

Apple and Epic Games are locked in an epic legal (and PR) battle that may determine the future of the App Store, the Google Play Store, and several other game distribution networks. At the heart of this debate is the disproportionate influence the app store owner has over the apps in their store, including demanding a hefty cut of the app maker’s profits. How did we get to this place? How does this distort the market for software? When did “contempt of business model” become a felony? Today I’ll discuss this and more with EFF’s Cory Doctorow.

Cory Doctorow (craphound.com) is a science fiction author, activist, and journalist. He is the author of RADICALIZED and WALKAWAY, science fiction for adults, a YA graphic novel called IN REAL LIFE, the nonfiction business book INFORMATION DOESN’T WANT TO BE FREE, and young adult novels like HOMELAND, PIRATE CINEMA and LITTLE BROTHER. His latest book is POESY THE MONSTER SLAYER, a picture book for young readers. His next book is ATTACK SURFACE, an adult sequel to LITTLE BROTHER. He maintains a daily blog at Pluralistic.net. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina’s School of Library and Information Science and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles.

Further Info:
Buy Attack Surface: https://us.macmillan.com/books/9781250757531
Back Attack Surface audio book: https://www.kickstarter.com/projects/doctorow/attack-surface-audiobook-for-the-third-little-brother-book
Enter to win a free copy of my book: https://bit.ly/firewalls4
Buy Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Watch The Social Dilemma!: https://www.netflix.com/title/81254224
Donate to EFF: https://supporters.eff.org/donate/join-4
VOTE!! https://www.vote.org/

Sep 28, 2020 · 44 min

Take Out the (Windows) Trash

If you’re a Windows PC user, you know the term “bloatware”, or maybe “crapware”. Every consumer PC comes chock full of it. Free trials of games, cloud storage services and antivirus software. Half a dozen “helper” apps from the PC manufacturer. Pre-installed calling, chat, and shopping services. It’s a mess. But they’re not just annoying. They can slow down your computer’s startup and shutdown, and waste precious battery life on laptops. Today I’ll share two ways to take out this trash. In other news: Android 11 and iOS 14 are out, and have neat new security and privacy features; Google is blocking W3C efforts to improve your privacy while also blocking resource-hogging ads in Chrome and blocking stalkerware apps in the Google Play Store; the FBI is now worried that video doorbells may actually let people spy on them; Facebook will try to ban deepfake political videos; and the US House unanimously passes a much-needed IoT security bill.

Sep 21, 2020 · 52 min

It’s a Trap!

Enterprising scammers have found some very clever ways to trick you into believing your computer needs fixing, when in reality it’s just fine. Using various techniques, fake web pop-up alerts can cause your browser or computer to seem sluggish or malfunctioning. And then you get a helpful pop-up alerting you of a serious problem and offering to help you fix it – for a fee. I’ll tell you how to spot these fakes and how to recover from the issues they’ve inflicted. In other news: there’s a new and nasty Bluetooth bug, Emotet malware infections are spiking, Apple accidentally notarized malware in its App Store, Apple chooses to delay its key privacy feature on iOS 14 due to pushback from marketing companies like Facebook, the Epic/Apple battle ratchets up yet again, a US circuit court rules that warrantless wiretapping is illegal, Portland enacts the country’s strictest ban on facial recognition technology, and the secure messaging app Threema has decided to go open source.

Further Info:
Order the 4th edition of my book: https://www.apress.com/us/book/9781484261880
Enter my book giveaway! http://bit.ly/firewalls4

Sep 14, 2020 · 53 min