
Firewalls Don't Stop Dragons Podcast
484 episodes — Page 8 of 10
Not Just a Face in the Crowd (Part 1)
Use of facial recognition technology (FRT) is exploding around the globe. While touted as a convenience for checking in for a flight or crossing the border, the opportunities for abuse are staggering. People act differently when they feel they’re being watched. There’s a reason we have sayings like “dance like no one is watching”. But US agencies like TSA and CBP have gained access to treasure troves of faces from DMV and passport databases, without ever asking our permission, and they’re rolling out FRT across the nation. There are no laws or regulations on the use of this technology, and little thought being given to how constant, mass surveillance will affect our democratic and human rights. In the first part of my two-part interview with Jeramie Scott (EPIC), we’ll discuss how we got here. Jeramie Scott is Senior Counsel at EPIC and Director of the EPIC Domestic Surveillance Project. His work focuses on the privacy issues implicated by domestic surveillance programs with a particular focus on drones, AI, biometrics, and social media monitoring. Mr. Scott regularly litigates open government cases and cases arising under the Administrative Procedure Act. He is also a co-editor of “Privacy in the Modern Age: The Search for Solutions” and the author of “Social Media and Government Surveillance: The Case for Better Privacy Protections of Our Newest Public Space.” Prior to joining EPIC, Mr. Scott graduated from the New York University Law School where he was a clinic intern at the Brennan Center’s Liberty and National Security Program. His work at the Brennan Center focused on civil liberty issues arising from local law enforcement surveillance. Further Info: Electronic Privacy Information Center (EPIC): https://epic.org Privacy in the Modern Age: The Search for Solutions: https://www.amazon.com/Privacy-Modern-Age-Search-Solutions/dp/1620971070
Google’s Not-So-Private Sandbox
No doubt sensing the impending US privacy regulations, Google has released a plan to “enhance” user privacy… by finding different ways to track you. Instead of relying on cookies and fingerprinting, Google proposes that we just come out in the open and formalize tracking technologies. While that could give users more transparency and a modicum of control, the bottom line is that Google is really just trying desperately to save its business model (ads based on tracking). While there are actually some good ideas in their proposal, many of the technologies they’re putting forward could be even worse for your privacy than the current schemes. Today I’ll walk through the EFF’s excellent analysis of these propositions and give my own take. Further Info: EFF: Don’t Play in Google’s Privacy Sandbox: https://www.eff.org/deeplinks/2019/08/dont-play-googles-privacy-sandbox-1 EFF’s Panopticlick tool: https://panopticlick.eff.org/
Ring’s Orwellian Doorbell
Today we speak with EFF’s Matthew Guariglia about the creepy new partnership between Amazon’s Ring Doorbell division and local law enforcement. Recent disclosures reveal that Amazon has partnered with over 400 police agencies to market their product and share surveillance footage. While these footage requests can supposedly be refused by the Ring owners, there appear to be circumstances where Amazon will provide footage without consent. The marketing of Ring has changed from convenience to an automated neighborhood watch program, where the police have been coached in how to drum up interest in the product and to assuage fears over sharing their private footage. Matthew Guariglia is a policy analyst for surveillance and privacy at the Electronic Frontier Foundation. He is also a visiting research scholar at the University of California-Berkeley and holds a PhD in U.S. history. His work focuses on the relationship between race, immigration, policing and government surveillance in the past and present. You can find his writing in the Washington Post, VICE, and the Freedom of information-centered outlet MuckRock. To find his writing you can follow him on Twitter at @mguariglia or visit MatthewGuariglia.com. Further Info: EFF’s Street Level Surveillance: https://www.eff.org/issues/street-level-surveillance Protecting Civic Spaces: https://privacyinternational.org/long-read/2852/protecting-civic-spaces
Choosing a VPN Provider
Evaluating VPN providers on privacy is really, really hard. Even if you read all their privacy claims, how do you know if they’re telling the truth? I’ve read many reviews on many sites, but the recent review from The Wirecutter is the most comprehensive and helpful review I’ve ever come across. It focused first and foremost on privacy – something many other reviews fail to do, instead focusing on more readily verifiable aspects like speed, number of servers, and cost. In recent years, some top VPN providers have turned to third party, independent auditors to verify their privacy claims and published the results. This is what allows for a truly privacy-focused review. Many top contenders like ExpressVPN and NordVPN didn’t make the cut due to lack of transparency compared to the providers that topped Wirecutter’s list. Who won? Listen to today’s show to find out. In other news, iPhones have been vulnerable to some nasty website hacks for several years, Facebook finally releases a tool to manage your “off-Facebook” data (though it fails), Kaspersky antivirus products have been marking all their users with a unique, trackable ID, and Kazakhstan tries to implement mass surveillance of its citizens and ends up being foiled (thankfully) by the three major browser makers. Further Info: Choosing a VPN Provider: https://firewallsdontstopdragons.com/choosing-a-vpn-service/
The Great Cellular Sellout (Part 2)
In the second half of my interview with EFF’s Aaron Mackey, we’ll discuss why our federal agencies are not enforcing the laws already on the books that should be protecting your privacy, the real implications of tracking someone’s location, other ways in which we’re tracked, and how you – as a consumer and citizen – can best defend yourself and advocate for better enforcement and protections. Aaron Mackey works on free speech, privacy, government surveillance and transparency. Before joining EFF in 2015, Aaron was in Washington, D.C. where he worked on speech, privacy, and freedom of information issues at the Reporters Committee for Freedom of the Press and the Institute for Public Representation at Georgetown Law. Aaron graduated from Berkeley Law in 2012, where he worked for EFF while a student in the Samuelson Law, Technology & Public Policy Clinic. He also holds an LLM from Georgetown Law. Prior to law school, Aaron was a journalist at the Arizona Daily Star in Tucson, Arizona. He received his undergraduate degree in journalism and English from the University of Arizona in 2006, where he met his amazing wife, Ashley. They have two young children. Further Info: Donate to EFF: https://supporters.eff.org/donate/ Surveillance Self Defense Guide: https://ssd.eff.org EFF’s California lawsuit: https://www.eff.org/cases/geolocation-privacy Report abused location information: [email protected] EFF IMSI Catcher white paper: https://www.eff.org/files/2019/07/09/whitepaper_imsicatchers_eff_0.pdf
The Great Cellular Sellout (Part 1)
In January 2019, Motherboard broke a story about how cellular providers were allowing your location information to be sold to several third parties, effectively allowing anyone to buy the real-time location of any cell phone. The Electronic Frontier Foundation has brought a suit against AT&T and others, claiming that this practice broke several state and federal laws. Today in part one of my interview with the EFF’s Aaron Mackey, we’ll discuss this case and why our location data can expose so much about us. Aaron Mackey works on free speech, privacy, government surveillance and transparency. Before joining EFF in 2015, Aaron was in Washington, D.C. where he worked on speech, privacy, and freedom of information issues at the Reporters Committee for Freedom of the Press and the Institute for Public Representation at Georgetown Law. Aaron graduated from Berkeley Law in 2012, where he worked for EFF while a student in the Samuelson Law, Technology & Public Policy Clinic. He also holds an LLM from Georgetown Law. Prior to law school, Aaron was a journalist at the Arizona Daily Star in Tucson, Arizona. He received his undergraduate degree in journalism and English from the University of Arizona in 2006, where he met his amazing wife, Ashley. They have two young children. Further Info: Donate to EFF: https://supporters.eff.org/donate/ Surveillance Self Defense Guide: https://ssd.eff.org EFF’s California lawsuit: https://www.eff.org/cases/geolocation-privacy Report abused location information: [email protected]
The Tyranny of the Default
Marketing firms love to tell us that we control our privacy – you simply need to opt out of tracking! Like Dorothy, we’ve had the power all along. Just click your heels three times and uncheck all those pesky tracking options under Settings… somewhere. Which, statistically speaking, no one ever does. It’s the Tyranny of the Default. I’ll discuss why it’s so hard. (Spoiler alert, it’s on purpose.) Also in today’s show: Apple massively expands its bug bounty program; several “air gapped” US elections systems found on the internet; Instagram pulls a Cambridge Analytica move; watch out for fake Equifax settlement sites; another sex hook-up app exposes its users’ private information; and it’s time to update your Android devices (if you can). Further Info: Instagram data leak: https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8 Election Systems exposed online: https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials Official FTC/Equifax settlement site: https://ftc.gov/equifax or https://www.equifaxbreachsettlement.com/ Changing WiFi Router (and other IoT) default passwords: https://firewallsdontstopdragons.com/the-s-in-iot-is-for-security/ The Cop Out that is Opt Out: https://firewallsdontstopdragons.com
The Great Hack
In today’s show, I’ll discuss the Capital One hack that affected over 100 million card users and applicants. I’ll also cover the latest in the backlash against Apple, Google and Amazon over humans listening in on your private digital assistant voice recordings. The Ring doorbell, whose parent company was bought by Amazon, is quickly becoming a darling of local law enforcement agencies due to its ability to share surveillance footage. School districts are being hit with ransomware and being bilked for hundreds of thousands of dollars. And finally, Netflix has created a sobering documentary about the Facebook and Cambridge Analytica scandal, covering not just the 2016 US elections but also Brexit and many other voter influence campaigns around the globe. Further Info: The Great Hack on Netflix: https://www.netflix.com/Title/80117542 RSA Conference Blog book review: https://www.rsaconference.com/blogs/bens-book-of-the-month-review-of-firewalls-dont-stop-dragons-a-step-by-step-guide-to-computer-security-for-non-techies Apress Beginner’s Book series: https://www.amazon.com/stores/page/7383A13D-EAFC-426B-A944-5B6C1B6886E9
Get Your Equifax Settlement
Two years after the massive Equifax breach, the Federal Trade Commission (FTC) has reached a tentative settlement that will purportedly provide some restitution to the 148 million Americans whose data was leaked. Unfortunately, there are lots of little devils in the details – not to mention that this settlement has yet to be approved. However, you can (and probably should) go ahead and submit your claim. I’ll give you all the details and tell you how to do it. In other news, Firefox is coming out with a premium, for-pay version of its privacy-centric web browser, the Pentagon has revealed technology that will allow them to identify people surreptitiously from up to 200 meters away, some of your Apple Siri recordings are being listened to by real humans, I’ll give my take on the FaceApp scandal, and finally, if you have a Logitech wireless keyboard or mouse, you’re going to want to update the software to patch a nasty bug. Further Info: Logitech Wireless Keyboard/Mouse security update: https://support.logi.com/hc/en-001/community/posts/360032078393-Logitech-Response-to-Research-Findings Equifax settlement claim site: https://www.equifaxbreachsettlement.com/ Free (official) annual credit reports: https://www.annualcreditreport.com/index.action
Privacy in a Box (Part 2)
In the second half of my interview with Winston Privacy CEO Richard Stokes, we talk about why your data is so valuable to advertisers and what you can do to limit all this tracking. In particular, we’ll discuss the Winston box which acts as a sort of force field around your home network, preventing all your “smart” and “internet of things” devices from reporting on your every move. Richard is the CEO and founder of Winston Privacy. Previously, he was the founder of AdGooroo.com, one of the first digital market research services, and later became the Global Head of Innovation for Kantar Media. He founded Winston Privacy in response to the increasing abuses of privacy taking place in the AdTech industry. Additionally, he’s the author of “The Ultimate Guide to Pay-Per-Click Advertising”. He has a Computer Science degree from the University of Illinois at Champaign-Urbana and an MBA from Kellogg / Northwestern University. Further Info: Winston Privacy: https://winstonprivacy.com/ Pre-Order: https://www.indiegogo.com/projects/winston-take-back-control-of-your-online-privacy#/
Privacy in a Box (Part 1)
Protecting your privacy today is hard. It’s really hard. It’s too hard. Every ‘smart’ device you own is tattling on you, constantly, to dozens of companies. Your phone, your tablet, your PC, your TV, your streaming box, your DVR, your smart thermostat, your internet-connected medical devices… The list goes on and it gets longer every day. What if you could not only see all these illicit communications but also block them all, in one fell swoop? In part one of my interview with Richard Stokes, this former AdTech CEO will reveal what finally caused him to not only leave the industry but to develop a promising new product that puts users back in control of their privacy. Richard is the CEO and founder of Winston Privacy. Previously, he was the founder of AdGooroo.com, one of the first digital market research services, and later became the Global Head of Innovation for Kantar Media. He founded Winston Privacy in response to the increasing abuses of privacy taking place in the AdTech industry. Additionally, he’s the author of “The Ultimate Guide to Pay-Per-Click Advertising”. He has a Computer Science degree from the University of Illinois at Champaign-Urbana and an MBA from Kellogg / Northwestern University. Further Info: Winston Privacy: https://winstonprivacy.com/ Pre-Order: https://www.indiegogo.com/projects/winston-take-back-control-of-your-online-privacy#/
Big Brother 2.0
The US government is once again looking to break or hobble encrypted communications in the name of national security and law enforcement. They claim that we’re “going dark” – that the modern end-to-end encryption used in apps like Signal and Wickr to protect user privacy is preventing them from keeping us safe and bringing the bad guys to justice. Cryptographers and technology companies have soundly squashed the idea of putting “backdoors” in these systems that supposedly only the “good guys” can go through. But now these agencies have come up with a proposal that neatly sidesteps these issues: they simply want to be added as another “end” to the end-to-end scrambled session. A “ghost” in the chat, a BCC that neither of the original participants is made aware of. But this has several problems, as well. In other news, FigLeaf has conducted a survey of users about online privacy that shows major shifts in thinking since just before the Cambridge Analytica/Facebook scandal; “pre-saving” new releases on Spotify and other music streaming services is allowing music companies unbelievable access to your personal info; and Mozilla (maker of Firefox) has created a creative tool that lets you fool online advertisers into thinking you’re someone completely different.
Set Warp Factor 1.1.1.1
Why do most VPN apps suck so badly? How do you know which VPN service providers you can trust with your privacy? How is it that our internet service providers know so much about our web surfing habits? Today I explore these questions and more with John Graham-Cumming, the CTO of the internet performance and security company. He will also tell us about a new VPN service coming soon from Cloudflare called Warp that may finally address all of these problems. John is a computer programmer and author. He studied mathematics and computation at Oxford and stayed for a doctorate in computer security. As a programmer he has worked in Silicon Valley and New York, the UK, Germany, and France. His open source POPFile program won a Jolt Productivity Award in 2004. John is the author of a travel book for scientists published in 2009 called The Geek Atlas. Further Info: Cloudflare’s 1.1.1.1 App: https://1.1.1.1/ Cloudflare’s Crypto Week Blog: https://blog.cloudflare.com/welcome-to-crypto-week-2019/ Big Brother 2.0: https://firewallsdontstopdragons.com/big-brother-2-0/
The Internet of Junk
How many of your “smart” devices are smart enough to update their own software? For that matter, how many of them can upgrade at all? It’s a good bet that most of them run some flavor of the free and open-source Linux operating system. A nasty bug was just found that affects almost all Linux systems, allowing a simple remote command to bring the system to its knees. There have been other bugs found in Linux and there will be more. If your device’s software can’t be updated, it will always be vulnerable. I’ll go over some basic IoT security tips to mitigate your vulnerability, but in the end, older IoT devices that can’t be upgraded should just be pitched. In other news, Firefox just patched two critical vulnerabilities, Dell’s built-in remote assistance software can be remotely hacked, Venmo transactions are still painfully public by default, a Spanish soccer app turns its fans into unwitting narcs, and Facebook has launched a new cryptocurrency called Libra.
The Rise of Stalkerware
In today’s show I have a sobering discussion with the EFF’s Eva Galperin about the rise of stalkerware (sometimes called “spouseware”). It’s become all too easy for abusive, unscrupulous people to spy on their significant others, tracking their every move, monitoring all their communications. We’ll talk about how our phones can be subverted and what measures you can take to prevent it. Eva also provides practical and prudent advice for people who suspect they may be victims of stalkerware. Eva Galperin is EFF’s Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF’s Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages. Further Info: Surveillance Self Defense: https://ssd.eff.org/ EFF Newsletter: https://supporters.eff.org/subscribe Donate to the EFF: https://supporters.eff.org/donate/
A Tale of Two Browsers: Chrome vs Firefox
Google Chrome is the most popular web browser on the planet by far, used by about two thirds of all web surfers. But Google is an advertising company and ad blockers are a direct threat to their business model. Google is planning to make a highly controversial change to Chrome’s plugin framework that would break some popular ad blocking extensions like uBlock Origin, forcing them to use much less effective techniques for blocking ads. Compare that to Mozilla’s Firefox browser, which just announced even more built-in tracking and ad-blocking capabilities – many of which will be on by default. The evidence is clear: Firefox respects your privacy and is giving you more and more tools with which to protect it; Chrome is doing the opposite. It’s time to switch to Firefox and ditch Chrome. In other news, Maine has just signed a bill into law which will require internet service providers to get your explicit consent before collecting and selling your web surfing data, Apple has announced several privacy-enhancing features to debut in iOS 13 this fall, and Windows Remote Desktop Services are under attack by hackers. Further Info: Patch your old Windows Systems Now! https://firewallsdontstopdragons.com/a-worrisome-windows-worm/ Switch from Google Chrome to Firefox: https://firewallsdontstopdragons.com/its-time-switch-to-firefox/ Firefox’s content blocking settings: https://support.mozilla.org/en-US/kb/content-blocking
Polling on Privacy (Pt2)
Is it possible to hide your tracks online? Is it even worth the effort to try? How do you know which companies, products and services you can trust? Is government regulation the answer? We’ll address all of these questions today in part 2 of my interview with David Ruiz. David will give you several great resources for getting more informed and also for getting more involved in the fight for privacy. David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law. Further Info Who Has Your Back? https://www.eff.org/who-has-your-back-2018 Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ Terms of Service; Didn’t Read: https://tosdr.org/ Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/ Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-top-six-takeaways-for-user-privacy/ Help me to help you! https://www.patreon.com/FirewallsDontStopDragons
Polling on Privacy (Pt1)
In January of this year, Malwarebytes (a world-class antivirus software maker) conducted a massive poll on privacy that included 4000 people from 66 different countries. On today’s show, I will delve into the key takeaways from this poll and some rather (pleasantly) surprising results. (Tune in next week for part 2.) David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law. Further Info Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/ Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-top-six-takeaways-for-user-privacy/
Google Knows What You Buy
It shouldn’t surprise you to learn that Google can read your Gmail. You may even realize that Google is scanning your emails for things like trip itineraries, which allows them to automatically add flights and hotel reservations to your Google Calendar, for example. But you may not realize how much other juicy info is there to be mined, like online purchases. Every email receipt you’ve received since you’ve had your Gmail account has almost surely been parsed and indexed. In today’s show, I’ll tell you how you can view this history and even delete it (painful as it may be). In other news, an FCC commissioner has released an update on the selling of location data by cell phone providers, San Francisco is poised to become the first major US city to ban the government use of facial recognition systems, and many popular games have been found to give away tons of user data. Further Info Check your Google purchase history: https://myaccount.google.com/purchases
Time to Break Up Facebook
Facebook co-founder Chris Hughes makes a heartfelt and cogent argument for breaking up the world’s dominant social media company, Facebook. The litmus test for the US Government has focused too much on impact to consumer pricing, which has little to do with “free” services such as Facebook. It’s time to also consider social and consumer impact. In other news, a photo storage service has been caught using your images to train facial recognition systems without proper disclosure, Google has unveiled plans to allow users to auto-delete certain sensitive user data after a specified number of months, and Facebook has cranked up the creepy factor by encouraging you to identify up to nine of your friends that you are secretly crushing on. Further Info: New York Times Privacy Project: https://www.nytimes.com/2019/05/07/opinion/google-sundar-pichai-privacy.html It’s Time to Break Up Facebook: https://www.nytimes.com/2019/05/09/opinion/sunday/chris-hughes-facebook-zuckerberg.html Firewalls Don’t Stop Dragons links & errata: https://github.com/Apress/firewalls-dont-stop-dragons
Health Apps Behaving Badly
A disturbing study in the JAMA Network Open journal showed that almost all of 36 mental health apps they downloaded were sharing your data to some extent – many without proper or even any disclosure. Many shared basic data with Facebook and Google, and a few shared very sensitive information like health diaries and self reports of substance abuse. I’ll give you some tips on how you can protect yourself. In other news, Firefox plugins were all shut off over the weekend due to a Mozilla certificate expiring, bad guys are using Google ads to trick you into paying money to fake customer support sites, data from 80M US households was found lying around on Microsoft servers, and Princeton has a cool new app that will tell you which of your IoT devices may be snitching on you. Further Info: Terms of Service; Didn’t Read: https://tosdr.org/ Princeton IoT Inspector: https://iot-inspector.princeton.edu/ Spring Cleaning for your apps: https://firewallsdontstopdragons.com/close-security-holes/
Further Facebook Fiascos
Facebook has once again gone too far and, when caught, asked for forgiveness and promised to change. First it was revealed that Facebook has been requesting since May 2016 that new users provide their email account passwords in order to verify their email addresses – without giving any obvious way to opt out. When caught, they said they would stop doing this. However, it was then revealed that Facebook “unintentionally” hoovered up the email contact lists of 1.5 million Facebook users that gave them their email passwords! I’ll tell you how you can review and delete any contacts you’ve shared (intentionally or otherwise) with Facebook… as well as how to just delete Facebook! In other news, Microsoft has dropped the requirement to periodically change your password in Windows 10, another IoT vulnerability has been found that affects millions of devices, I have an update on the supposed Amazon employee Echo spying, and finally I’ll explain why browser makers are throwing in the towel and allowing ‘ping’ tracking (and how you can still block this).
Swiped: Identity Theft (Pt 2)
How do you deal with the threat of identity theft? Follow Adam Levin’s 3 M’s: 1) minimize your exposure, 2) monitor your accounts, and 3) manage the damage. We discuss these techniques and much more in part two of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well. Further Info: Adam Levin’s website: https://adamlevin.com/ Adam’s book, Swiped: https://adamlevin.com/swiped-book-adam-levin/ CyberScout: https://www.cyberscout.com/ Bruce Schneier’s Data and Goliath; Kevin Mitnick’s The Art of Invisibility; Brian Krebs’s Spam Nation and his blog; Identity Theft Resource Center; Consumer Federation of America; Privacy Rights Clearinghouse
Swiped: Identity Theft (pt 1)
Identity theft is arguably one of the worst cyber crimes in terms of deep and lasting impact to the victim. This runs the gamut from simple credit card fraud to committing crimes in someone else’s name. We’ll talk about the entire spectrum today in part one of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well. Further Info: Adam Levin’s website: https://adamlevin.com/ Adam’s book, Swiped: https://adamlevin.com/swiped-book-adam-levin/ CyberScout: https://www.cyberscout.com/
Spotting Scare Scams
Bad guys have been using scary emails and pop-up messages to bilk unsuspecting victims of millions of dollars for a long time now. But recent scams purporting to be from the CIA have taken things to a new level. In today’s show, I’ll walk you through one variant of this scam and teach you how to spot similar scare scams. In other news, government spyware has made its way into everyday apps on the Google Play Store, WinRAR has a serious bug that you need to patch, hundreds of millions of Facebook records were found lying around unprotected in the cloud, ASUS computer users were targeted by ShadowHammer malware, and Cloudflare has a new mobile VPN app you should take a look at. Further Info Install and configure Cloudflare’s 1.1.1.1 DNS: https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ ASUS malware checker: https://shadowhammer.kaspersky.com/
Fix It Already!
How often have you run across something so obviously bad or behind the times that you just want to scream: Hey, fix this already! Electronic Frontier Foundation to the rescue! Gennie Gebhart explains the EFF’s new #FixItAlready campaign – a “most wanted” list of no-brainer bugs and shortcomings in today’s most popular services and products that just should not be. Examples include no end-to-end encryption of Twitter DMs, using two-factor Facebook phone numbers for marketing, and not being able to set your own password on iCloud or Windows 10 hard drive encryption. Gennie Gebhart is the Associate Director of Research at the Electronic Frontier Foundation, where she does research and advocacy on consumer privacy and security issues. She holds a Master of Library and Information Science from the University of Washington. Further Info: Fix It Already! https://fixitalready.eff.org/ Donate to EFF: https://supporters.eff.org/donate/join-eff-4
Preparing for Your Digital Afterlife
What happens to your digital life when you die? The answer is only slightly less philosophical than what happens to your soul. The laws, at least in the US, haven’t kept up with the times and there aren’t clear rules for who has legal rights to your online accounts or the files you’ve stored in the cloud. In today’s episode, I’ll tell you how to prepare for your inevitable digital afterlife. In other news, Facebook revealed that hundreds of millions of its users’ passwords were left open on internal servers, ransomware has hit one of the world’s largest producers of aluminum, the Pwn2Own bug hunt contest shows us how to do responsible disclosures, a critical flaw has been found in implanted defibrillators leaving them vulnerable to hacking, and DARPA is hoping to fix our broken voting systems. Further Reading: My blog article on Digital Afterlife: https://firewallsdontstopdragons.com/preparing-for-your-digital-afterlife/ Facebook’s password screwup: https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/ Critical defibrillator bugs: https://arstechnica.com/information-technology/2019/03/critical-flaw-lets-hackers-control-lifesaving-devices-implanted-inside-patients
Enter the Panopticon (Part 2)
In the second half of my interview with EFF’s Bill Budington, Bill helps us understand how we can at least attempt to disguise ourselves on the web and basically try to blend in with the crowd. We’ll also see how tools like EFF’s Panopticlick can help us pinpoint the things that are making us stand out, which enables us to be tracked more easily. Finally, we’ll discuss several browsers and plugins that can help you preserve your privacy. If you missed Part 1, you can listen to it here: http://podcast.firewallsdontstopdragons.com/2019/03/10/enter-the-panopticon-pt1/. Guest Bio: Bill is a Senior Staff Technologist at the Electronic Frontier Foundation (EFF). He works on privacy and security-enhancing projects, such as the HTTPS Everywhere browser add-on and Panopticlick, a tool that alerts users to how vulnerable they are to browser tracking. He has also contributed to projects such as Let’s Encrypt and SecureDrop. Further Info: Is your browser giving you away? EFF’s Panopticlick will tell you: https://panopticlick.eff.org EFF’s Surveillance Self Defense guide – learn how to keep yourself safe online! https://ssd.eff.org/ Help EFF to help you: https://supporters.eff.org/
Enter the Panopticon (Part 1)
In the first part of my discussion with Bill Budington from the EFF, we’re going to talk about some of the key ways in which we are tracked around the web as we surf from site to site. I’ll ask Bill who is tracking us, why they’re tracking us, and we’ll get into some of the clever and downright devious methods by which we are tracked and recognized on the web. In part 2 (next week) Bill will help us understand why it’s so hard to disguise ourselves on the web and how tools like EFF’s Panopticlick can show us what’s going on under the covers. We’ll also offer up some solutions or at least mitigations for all this tracking. Guest Bio: Bill is a Senior Staff Technologist at the Electronic Frontier Foundation (EFF). He works on privacy and security-enhancing projects, such as the HTTPS Everywhere browser add-on and Panopticlick, a tool that alerts users to how vulnerable they are to browser tracking. He has also contributed to projects such as Let’s Encrypt and SecureDrop. Further Info: Is your browser giving you away? EFF’s Panopticlick will tell you: https://panopticlick.eff.org EFF’s Surveillance Self Defense guide – learn how to keep yourself safe online! https://ssd.eff.org/ Help EFF to help you: https://supporters.eff.org/donate/join-4
Account Defense in Depth
The Mayor of Tampa, Florida, had his Twitter account hacked due to “the usual weaknesses, including poor passwords.” The hackers used the account to tweet pornographic images and even an incoming ballistic missile alert. Comcast’s Xfinity Mobile service used a default account security PIN of “0000”, which allowed several customers to have their accounts taken over. You not only need strong passwords, you need strong second factor authentication. That’s defense in depth. In other news, Microsoft’s Edge browser was found to have a whitelist for almost 60 websites that bypass the Flash Player click-to-run protections, a Canadian province is allowing the mass sale of anonymized medical records, and the fast Thunderbolt USB-C ports are found to be vulnerable to a memory access hack called Thunderclap.
Guiding the Development of AI
Artificial Intelligence (AI) has been around for decades, but has only recently begun to fulfill the promise of truly replicating human-like decision making. The Information Age has generated enormous quantities of data and modern technology has given us unprecedented power to ingest and analyze this data. AI systems today control airplanes, financial and insurance systems, and even criminal sentencing recommendations. We can use AI to conduct law enforcement and intelligence-gathering operations. AI has even generated audio, video and photos that are completely fake but nearly impossible for a human to detect. Our guest today, Lorraine Kisselburgh, is working with international organizations to define common-sense guidelines for the creation and use of these AI systems, to maximize potential and minimize abuse. Lorraine Kisselburgh (Ph.D., Purdue University) is a Scholar with the Electronic Privacy Information Center in Washington, D.C., a former professor of media, technology, and society, and a visiting lecturer in the Center for Entrepreneurship at Purdue University. She studies the social implications of emerging technologies, including privacy and ethics in emerging technology contexts. Her research has been awarded funding from the National Science Foundation and the Department of Homeland Security, and recognized by the National Academy of Engineering. She currently serves on the executive committee of the Association for Computing Machinery’s (ACM) US Technology Policy Committee (USTPC) and was a member of the ACM Task Force on Code of Ethics.
Website: www.lkisselburgh.net Twitter: @lkisselburgh, @EPICPrivacy Facebook: EPICPrivacy Further Information: Universal Guidelines for AI: https://thepublicvoice.org/AI-universal-guidelines/ Electronic Privacy Information Center (EPIC): https://www.epic.org/ “Deep Fake” Obama PSA: https://www.youtube.com/watch?v=cQ54GDm1eL0 Lyrebird fake Trump and Obama voices: https://soundcloud.com/user-535691776/dialog OpenAI fake news articles: https://arstechnica.com/information-technology/2019/02/researchers-scared-by-their-own-work-hold-back-deepfakes-for-text-ai/ AI Now Institute: https://ainowinstitute.org/ Berkman Klein Center for Internet and Society: https://cyber.harvard.edu/ Data & Society Intelligence and Autonomy Initiative: https://autonomy.datasociety.net/ WEF’s AI and Machine Learning: https://www.weforum.org/communities/artificial-intelligence-and-machine-learning
Toying With Security
The European Union has recalled a GPS smart watch meant to be worn by children so that their parents can keep tabs on them. Unfortunately, due to horrible security, anyone can track these watches – and even send messages to the children. The Internet of Things (IoT) is well-known for having lax or non-existent security protections. Connecting our children’s toys to the internet in this manner is raising serious (and valid) privacy concerns. In other news, there’s a devious new Facebook and Google phishing scam that would fool many pros, the Chrome browser will soon help you spot fake look-alike websites, Apple cracks down on apps that surreptitiously record their users’ interactions with their apps, and many modern Android phones are vulnerable to hacking simply by loading a malicious image. Help Me to Help You! Visit my page on Patreon for details: https://www.patreon.com/FirewallsDontStopDragons
You Must Stop Reusing Passwords
Last week I told you about the literally billions of email addresses and passwords that were released by hackers as “Collections 1-5”. I also told you how you can check to see if your information was contained in these (or other dumped data) by checking haveibeenpwned.com. And today I’m interviewing the man behind this wonderful, free service: Troy Hunt! He tells us how he gets his hands on all of this data and what we should be doing to mitigate the damage from these inevitable breaches. The worst thing you can do? Reusing passwords on multiple sites! In today’s episode, I also reveal the winners of my Pod-Centennial contest! Five lucky people will be getting signed copies of my book, signed copies of Bruce Schneier’s latest book (Click Here to Kill Everybody), and a selection of other cybersecurity books! Troy Hunt is an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. You’ll regularly find Troy in the press talking about security and even testifying before US Congress on the impact of data breaches. Further Info HaveIBeenPwned.com Ethics of running a data breach search service: https://www.troyhunt.com/the-ethics-of-running-a-data-breach-search-service/ Authentication evolved: https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
You Have Been Pwned
Last week we saw perhaps the single largest data breach dump in history, close on the heels of another massive data disclosure from the same group. Dubbed “Collections 1-5”, together these data dumps represent literally billions of unique user email addresses and passwords. Using the online tool Have I Been Pwned will tell you whether your email address or password is contained in this hacker’s treasure trove. I will also tell you how you can mitigate the damage from this and future breaches. In other news, Apple’s FaceTime app contains a huge bug that could let other people eavesdrop on you and potentially even view you through your camera; Google and Firefox are offering competing visions of browser privacy with controversial new features; and a recent Mac malvertising campaign is using a classic technique called steganography to disguise its malicious intentions. Further Information Have I Been Pwned: https://haveibeenpwned.com/ Pod-Centennial Contest Details: https://firewallsdontstopdragons.com/celebrate-my-pod-centennial/ CLICK HERE TO ENTER the PodCentennial Contest!
Data Privacy Day Pod-Centennial!
We’re celebrating international Data Privacy Day along with the 100th episode of Firewalls Don’t Stop Dragons! And what a show we have! My guest today is none other than Bruce Schneier: internationally renowned security technologist and author of 14 books, including the best-seller Click Here to Kill Everybody! Bruce and I discuss the current state of data privacy and what it’s going to take to rein in the corporations that are buying and selling our data with abandon. In this show I will also walk through my personal privacy checklist, including several things you could do RIGHT NOW to improve your online privacy. Along the way, I will share some tips from some of my favorite past guests on the show. But that’s not all! To celebrate my Pod-Centennial, I’m giving away 5 signed copies of my book as well as 5 signed copies of Bruce’s latest book, a stack of some of my favorite cybersecurity books, and MORE! You have to listen to this show to learn how to enter the contest – so there’s no better time to subscribe and listen! Further Information: Transcript of my interview with Bruce Schneier: http://podcast.firewallsdontstopdragons.com/wp-content/uploads/2019/01/Ep100-interview.txt Data Privacy Day Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Pod-Centennial Contest Details: https://firewallsdontstopdragons.com/celebrate-my-pod-centennial/
Delete My DNA, Please
Ancestry analysis firm 23andMe has just inked a 4-year, $300M deal to share its DNA samples with the colossal pharmaceutical company GlaxoSmithKline. What are they going to do with your genetic material? Good question. Did you carefully read and understand your Terms of Service? Sure you did. I’ll tell you how you can ask 23andMe (or Ancestry.com) to discard your samples. In other news, some users are finding that they aren’t allowed to delete their Facebook apps from their phones, a new federal case has strengthened your privacy rights when it comes to phone searches, and the Weather Channel app has been selling your location data to third parties.
Ghost on the Wire
Last month Australia passed a sweeping surveillance law, quickly and without meaningful debate, called the Assistance and Access Act. Like the UK’s Investigatory Powers Act of 2016, this law aims to give authorities unprecedented power to force makers of messaging services to break their software and lie to their users. Danny O’Brien, International Director for the Electronic Frontier Foundation, helps us understand the true implications of these laws and why they are truly harmful to democracy. Guest Information Danny O’Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped make the UK Parliament more transparent with FaxYourMP. He was EFF’s activist from 2005 to 2007, and its international outreach coordinator from 2007-2009. After three years working to protect at-risk online reporters with the Committee to Protect Journalists, he returned to EFF in 2013 to supervise EFF’s global strategy. He is also the co-founder of the Open Rights Group, Britain’s own digital civil liberties organization. Twitter: @EFF, @mala Website: https://www.eff.org/ Further Information: Truly Secure Messaging: https://firewallsdontstopdragons.com/truly-secure-mobile-calls-and-messaging-for-free/ Why Privacy Matters (TED Talk): https://www.ted.com/talks/glenn_greenwald_why_privacy_matters The Value of Privacy: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html Donate to the EFF! https://supporters.eff.org/donate/join-4
Google is Watching You
Just because you’re not paranoid doesn’t mean they’re not following you. A new study by Digital Content Next and Vanderbilt University shows just how much and how often Google apps on Android phones are tattling on you. Even an idle phone contacted Google 340 times a day. But can you avoid this by using Apple phones? Not completely. In other news, Microsoft’s Bali project aims to give users complete control over their data, Amazon’s Ring Doorbell may call the cops on “suspicious” people, and a new Apple phone phishing scam looks amazingly legitimate. Further Info Prying Yourself from Google’s Clutches: http://podcast.firewallsdontstopdragons.com/2018/09/17/prying-yourself-from-googles-clutches/ New Year’s (Cyber) Resolutions: https://firewallsdontstopdragons.com/new-years-resolutions-2019/
2019 Security & Privacy New Years Resolutions
It’s that time of year again – time to make your New Years Resolutions! You know all those really important things I’ve been telling you to do, but you haven’t done? Well, I’m listing out the top ones on today’s show – and challenging each of you to check them off this year! There’s also a lot of news to catch you up on: why the green padlock symbol doesn’t mean what you think it does, an update on the SuperMicro computer spy chips, fitness apps stealing $120 from their users, scammers calling seniors pretending to be grandkids, US border agents not taking care of your private data, and a stunning NY Times study about all the apps that are tracking your location. Further Reading NY Times article on location tracking: https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html Review my podcast! https://itunes.apple.com/us/podcast/firewalls-dont-stop-dragons-podcast/id1213366517?mt=2# Worst passwords of 2018: https://www.teamsid.com/100-worst-passwords/
Replacing Your Plastic Driver’s License
Several US states are trialing programs to replace the venerable plastic driver’s license card with a new smartphone app. Unlike the “dumb” physical cards, the app would always be up to date. One study showed that 77% of all US adults have a smartphone. If you’re an adult under the age of 30, that percentage jumps to 94%. But as our guest, Chad Marlow, explains, this is a solution in search of a problem. It comes with significant risks for both privacy and democracy. Guest Info: Chad Marlow (ACLU) Chad Marlow is a senior advocacy and policy counsel at the ACLU. He principally focuses on privacy, surveillance, and technology issues. His work on issues ranging from net neutrality and police body cameras to government surveillance and consumer privacy has been a frequent subject of national and international media coverage. He is the author of fifteen ACLU model bills. He spearheaded the ACLU’s nationwide #TakeCTRL and Community Control Over Police Surveillance (CCOPS) campaigns. Twitter: @chadaaronmarlow, @ACLU Website: ACLU.org Further Reading Could Plastic Driver’s Licenses Become a Thing of the Past? : https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2018/11/20/could-plastic-drivers-licenses-become-a-thing-of-the-past Why Privacy Matters (TED Talk): https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Ads Are Tracking You in the Real World, Too
It’s bad enough that online ads are watching us, but now billboards and other real world ads are watching us, too. Using video cameras and signals from our smart devices, marketers are tailoring their billboards and digital signage based on our appearance and even our identity. Sean O’Brien from Yale Privacy Lab explains how this is done and the significant privacy implications of this practice. He’ll also tell you how to protect your privacy. Sean O’Brien is a Lecturer in Law at Yale Law School with expertise in cybersecurity, privacy, and mobile device forensics. He is Director of Business Development at Purism SPC, a company dedicated to digital privacy and security and founder of Yale Privacy Lab. Twitter: @YalePrivacyLab Yale Privacy Lab: https://privacylab.yale.edu Citizen FOSS guide: https://github.com/YalePrivacyLab/citizen-foss Original article from Medium: https://medium.com/s/thenewnew/irl-ads-are-taking-scary-inspiration-from-social-media-7088e8241beb
Marriott’s Massive Data Breach
Marriott reports this week that it has exposed up to 500 million Starwood guests’ data going back as far as 2014. Affected hotels include Sheraton, Westin, W Hotels, Starwood timeshares and more. While it’s still not clear how much data may have been stolen, what is clear is that corporations are still not guarding their data properly. In today’s show, I’ll tell you what sort of customer information was vulnerable and what you can do to protect yourself. In other news, Ford’s CEO voices plans to monetize their customers’ data, the USPS has a mail preview service that you’ll want to sign up for before the bad guys do it on your behalf, and if you’ve ever had the creepy feeling that customer support reps can see what you’re typing in chat support before you send it… it’s because they can! More Info: Starwood’s breach info page: https://info.starwoodhotels.com How to freeze your credit: https://firewallsdontstopdragons.com/using-credit-freeze-for-self-defense/ Best & Worst gifts for 2018: https://firewallsdontstopdragons.com/best-worst-gifts-2018/

Lock Down Your Privacy on Your Mobile Devices
Our mobile phones today are chock full of private information and are constantly tattling about our whereabouts and activities. Most phones today have GPS, WiFi, Bluetooth, motion detectors, magnetic field detectors, microphones, cameras, and of course cellular radios. Some even have facial recognition built right in. With all this personal data and telemetry information, is it even possible to prevent tracking and information leakage? Today we discuss these topics and more with Daniel Davis from DuckDuckGo – a company dedicated to protecting your privacy. He and I discuss DuckDuckGo’s new privacy-focused smartphone app, along with other tips and techniques to guard your privacy on your mobile devices. Daniel Davis is a Community Manager at DuckDuckGo, the Internet privacy company helping you take control of your personal information online. DuckDuckGo has its roots as the search engine that doesn’t track you, and has expanded to protect you no matter where the Internet takes you. For Further Insight: Website: https://duckduckgo.com Twitter URL: https://twitter.com/duckduckgo LinkedIn URL: https://www.linkedin.com/company/duck-duck-go DuckDuckGo Privacy Essentials: https://duckduckgo.com/app Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons

The Best & Worst Gifts for 2018
The gift-giving season is once again upon us! “Smart” devices make great presents, but you want to make sure that you’re not also giving a gift to the hackers out there! In this special, annual holiday episode, I’ll tell you about some of the best and the worst holiday gifts and accessories, from a security and privacy viewpoint. Thinking about giving someone a DNA analysis kit? You might want to think twice! Which computers and smart devices are the most secure? And are there products I can buy to help make them more secure? You bet! I have all the angles covered for you in this week’s show! See also my blog article: The Best & Worst Gifts for 2018

Phone Scammers Are Spoofing Your Caller ID
Just because the caller ID says it’s the IRS or the Social Security Administration, don’t believe it. It’s almost surely a scammer trying to get your money or information. Government agencies don’t call people to confirm information in their records about you or with threats if you don’t pay up. And the caller ID information you see often has no relation whatsoever to who is actually calling or where they’re calling from. In today’s episode, I’ll tell you how to handle these scammer calls. I’ll also tell you about a massive, nationwide database of biometrics that was just created, how Consumer Reports and Mozilla are helping you to make smart security and privacy decisions on new products, and how a PhD from MIT is on a mission to fix our horrendously insecure voting systems.

Why You Should Care About the Future of Computing
Your physical world is governed by many laws and regulations that protect your freedom and privacy. Why should the digital world be any different? Todd Weaver, CEO and Founder of Purism, explains how Big Tech managed to write the rules for the digital world and why those rules are at odds with your freedom, security and privacy. But it doesn’t have to be this way. As citizens, we can force those representing us to protect our digital civil rights. As consumers, we have options for computers and smartphones you can buy right now that will assert your digital civil rights. Serial entrepreneur and successful businessman, Todd has been recognized for his visionary strategy, technical leadership, and relentless drive, with more than 20 years of entrepreneurial experience, using, installing, and promoting Free Software. Todd has consistently predicted market directions and executed disruptive technologies in a wide range of industries, including in-store entertainment, collaborative financial solutions, and starting the first online cable company. Todd has a deep understanding of the hardware manufacturing process, and an unwavering belief for users to retain their essential freedoms via free software, making Purism (the marriage of high quality hardware and free software), his most ambitious, disruptive, and exciting venture yet. For Further Insight: The Future of Computing and Why You Should Care: https://www.youtube.com/watch?v=nFwBh9QZTwg Purism products: https://puri.sm/products/ Website: https://puri.sm Twitter URL: https://twitter.com/Puri_sm

Marketers Are Tracking You On and Off the Web
We all know how marketers are tracking our every move on the world wide web. But now they’re starting to track you in the real world, too. Security cameras exist everywhere, but companies have now decided to add facial recognition software to those systems in order to track where you go, what you look at, who you’re with and how effective their ads are. I’ll also tell you why the Firefox browser is taking bold new steps to protect your web browsing privacy and how Apple’s CEO Tim Cook believes tech companies must take steps to safeguard their customers’ data. For Further Insight: Tim Cook’s speech on privacy: https://www.youtube.com/watch?v=kVhOLkIs20A Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons

The Fight for Net Neutrality is Far from Over
The reports of net neutrality’s death have been greatly exaggerated. We still have time for Congress to reinstate the federal rules that were struck down by the FCC. In the meantime, states like California are taking matters into their own hands, passing landmark state-level legislation to preserve a level playing field on the Internet. Ernesto Falcon from the Electronic Frontier Foundation (EFF) explains why Net Neutrality is not dead and how states are stepping in to try to fill the gap. Prior to joining EFF, Ernesto worked as a legislative staffer for two Members of Congress (2004-2010). He then became Vice President of Government Affairs at Public Knowledge where he advocated on behalf of consumers on copyright issues and broadband competition. During his tenure, Public Knowledge was successful in achieving one of the largest consumer victories in telecom policy by defeating AT&T’s merger with T-Mobile. The following year, PK and EFF scored a major victory for consumers by rallying the Internet community to defeat the Stop Online Piracy Act (SOPA). After eight years in Washington DC, he returned to his home state of California to go to law school at McGeorge School of Law in order to strengthen his digital rights advocacy. Now, as an attorney, he is excited to rejoin the fight for consumers and Internet freedom. For Further Insight: Website: https://eff.org/ Follow on Twitter: https://twitter.com/EFFFalcon LinkedIn: https://www.linkedin.com/in/ernestofalcon/

Did China Implant Spy Chips in Our Computers?
Bloomberg claims that Chinese manufacturers have implanted tiny spy chips into many of our computer systems. Apple, Amazon and others strenuously deny this. Who’s telling the truth? In today’s show, I’ll cover both sides of this story, discuss the various ways in which our global manufacturing and supply chain systems could be compromised, and delve into the several deeper considerations for these sorts of stories. In other news, Facebook has lowered its estimate of the number of users affected by the recent breach to a mere 29 million, Google has shuttered its flagging Google+ service after news of a breach leaked last week, I give you the highlights of my 320-page LexisNexis dossier, and finally I give you several tips for patching holes in your defenses in honor of National Cybersecurity Awareness Month. For Further Insight: Deleting your Google+ account: https://www.cnet.com/how-to/how-to-delete-your-google-account-data-breach/ Supply chain security 101: https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/ Make sure you’re registered to vote! https://votesaveamerica.com/verify Help me to help you! Visit: https://patreon.com/FirewallsDontStopDragons

How to Protect Yourself From Ransomware
Ransomware, the malware that locks up your data and holds it for ransom, has been growing by leaps and bounds in the past few years. Why? Because it works. Hackers trick you into installing the malware which encrypts your most precious files and demands that you pay Bitcoin to get the key that unlocks them. It’s like a burglar broke into your house and put all your valuables in a safe in your living room, demanding payment for the combination. Allan Liska explains why ransomware has become a favorite tool of both hackers and nation states, how to protect your computers, and even what you can do if you are unfortunate enough to be infected. Allan Liska is an intelligence analyst at Recorded Future. Allan has more than 15 years’ experience in information security and has worked as both a blue teamer and a red teamer for the intelligence community and the private sector. Allan has helped countless organizations improve their security posture using more effective and integrated intelligence. Allan is also one of the organizers of BSides Bordeaux and has presented at security conferences around the world on a variety of topics. He is the author of The Practice of Network Security, Building an Intelligence-Led Security Program, and Securing NTP: A Quickstart Guide and the co-author of DNS Security: Defending the Domain Name System and Ransomware: Defending Against Digital Extortion. For Further Insight: Ransomwhere (Ransomware protection for Mac): https://objective-see.com/products/ransomwhere.html No More Ransom (if you get infected): https://www.nomoreransom.org/ Website: www.bsidesbdx.org Twitter: https://twitter.com/uuallan LinkedIn: https://www.linkedin.com/in/allan2/