You’d go broke trying to build something dragon-proof to protect your computers and phones. This podcast gives you the tools and helps you grasp the dangers of an advanced technological world.
Morrisville, NC
The year is almost over and as we head into the holiday season I wanted to reminisce with some of my favorite snippets from the last year! Unlike in previous 'best of' shows, I've actually included some new snippets from my private podcast, to give you a little taste of the bonus content that I create for my patrons! The links in the show notes will take you to the full episodes, including all the relevant 'further information' links associated with them. Happy holidays, everyone!! Article Links Ep267: Luck Favors the Prepared https://podcast.firewallsdontstopdragons.com/2022/04/11/luck-favors-the-prepared/ Ep279: Necessary Chaos: https://podcast.firewallsdontstopdragons.com/2022/07/04/necessary-chaos/ Ep272: Tomatoes & Telegraphs: https://podcast.firewallsdontstopdragons.com/2022/05/23/tomatoes-telegraphs/ Ep275: Cryptocurrency 101: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/ Ep283: How to Stop Tracking & Stalking: https://podcast.firewallsdontstopdragons.com/2022/05/09/how-to-stop-tracking-stalking/ Ep287: The Night the Lights Went Out in Vegas: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/ Ep289: Decoding Computers & Software: https://podcast.firewallsdontstopdragons.com/2022/09/12/decoding-computers-software/ Ep292: Capture the Flag for Fun & Profit: https://podcast.firewallsdontstopdragons.com/2022/10/03/capture-the-flag-for-fun-profit/ Steganography: https://en.wikipedia.org/wiki/Steganography Further Info Give the gift of security and privacy! https://fdsd.me/coupons 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Support me! 
https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don't Stop Dragons: https://fdsd.me/book Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:17: Ep267: How the internet works 0:10:23: Ep279: Getting into electronics and hacking 0:16:22: Ep273: The invention of the one-time pad 0:24:36: Ep275: Why do we need cryptocurrency? 0:30:26: Ep283 BONUS: What's it like arguing in front of the Supreme Court? 0:35:33: Ep283: This suspect looks just like Woody Harrelson! 0:40:26: Ep287: The time DEF CON almost ended 0:49:15: Ep289: The historical origins of software and storage 0:56:28: Ep292: Ender's Game-ing a hacker tournament 1:02:20: Ep288 Merlin's Musings: Steganography 1:10:39: Wrap-up
Today when computer systems fail, they can cause real, physical harm. In just the last few years, we've seen cyber attacks interfere with our food supply, tamper with city water supplies, and disrupt gas pipelines. While cheap consumer electronics often have poor security, medical devices like insulin pumps and pacemakers are also vulnerable to attack - and the consequences of failure can be lethal. The free market doesn't reward better security. Regulations are weak or nonexistent, and regulators are understaffed and underfunded. Targeted organizations lack sufficient funding, training and personnel to prepare and respond. They need help. I Am the Cavalry aims to engage technologists and hackers to ride to the rescue. Joshua Corman is VP of Cyber Safety Strategy at Claroty, Founder of I am The Cavalry, and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety. Interview Links I Am The Cavalry: https://iamthecavalry.org/ BSides 2022 Cavalry presentation: https://www.youtube.com/watch?v=aw3egJej7so The Cavalry Isn't Coming (DEF CON 21 talk): https://www.youtube.com/watch?v=2kMGdkOMSK0 Rugged Software Manifesto: https://github.com/rugged-software/rugged-software.github.io CISA Bad Practices: https://www.cisa.gov/BadPractices CISA Information Sharing and Awareness: https://www.cisa.gov/information-sharing-and-awareness Maslow's Hierarchy of Needs: https://www.simplypsychology.org/maslow.html Click Here to Kill Everyone: https://www.schneier.com/books/click-here/ SBOM interview: https://podcast.firewallsdontstopdragons.com/2021/07/19/its-time-to-drop-the-sbom/ My Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/ Further Info 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! 
https://fdsd.me/qna Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don't Stop Dragons: https://fdsd.me/book Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:28: Giveaway and promotion update 0:02:46: Holiday gift ideas 0:03:59: Interview preview 0:08:35: How did I Am the Cavalry get started? 0:16:52: How does focusing on physical harms change your approach to cybersecurity? 0:20:33: Why is it so important to 'meet people where they are'? 0:23:40: How do you best help organizations that are target rich but cyber poor? 0:31:47: What is the crawl, walk, run progression? 0:34:33: Why is it so important to compartmentalize systems? 0:35:56: How do we do a better job of designing security in from the start? 0:39:01: Is it safer for small companies to use managed services? 0:42:17: What role should the government play here? 0:52:57: If I want to get help for my organization, where should I go? 0:58:18: What's next for the Cavalry and how can I get involved? 1:05:09: Interview wrap-up 1:06:35: Book recommendations 1:07:43: Preview of upcoming shows
'Tis the season for giving... and unfortunately, also for taking. Scammers tend to be extremely active during the holiday season. We're buying lots of stuff online, having lots of packages delivered. We're away from our homes for extended periods of time. We're giving money to charities. We're firing up new tech toys. The bad guys know this and are happy to take advantage of our chaotic holiday schedule and unusual levels of spending and giving. I'll give you some top tips to avoid being a victim this holiday season. In other news: the SFPD wants to arm its law enforcement robots; the TSA is expanding the use of facial recognition at airports; Microsoft warns of malware coming from Google Ads; a new study shows that computer repair shops may be accessing your personal data; WhatsApp data breach affects nearly 500M users; Twitter data breach was far worse than reported; Meta shuts down covert US propaganda operation; US watchdog raises warning for offshore oil and gas rig security; a new malware campaign bypasses Windows protections; LastPass admits to customer data breach caused by previous breach; and Anker's Eufy cameras caught sending data to cloud without user consent. Article Links [Electronic Frontier Foundation] Red Alert: The SFPD want the power to kill with robots https://www.eff.org/deeplinks/2022/11/red-alert-sfpd-want-power-kill-robots [The Washington Post] TSA now wants to scan your face at security. Here are your rights. https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/ [BleepingComputer] Brave starts showing "privacy-preserving" ads in search results https://www.bleepingcomputer.com/news/technology/brave-starts-showing-privacy-preserving-ads-in-search-results/ [Tech.co] Microsoft Warns Hackers Use Google Ads to Deliver Ransomware https://tech.co/news/microsoft-warns-hackers-google-ads-ransomware [Ars Technica] Thinking about taking your computer to the repair shop? 
Be very afraid https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/ [TechRadar] WhatsApp data breach sees nearly 500 million user records up for sale https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale [9to5mac.com] Massive Twitter data breach was far worse than reported, reveal security researchers https://9to5mac.com/2022/11/25/massive-twitter-data-breach/ [BleepingComputer] Meta links U.S. military with covert Facebook influence operation https://www.bleepingcomputer.com/news/security/meta-links-us-military-with-covert-facebook-influence-operation/ [TechCrunch] US offshore oil and gas rigs at 'significant' risk of cyberattacks, warns watchdog https://techcrunch.com/2022/11/22/offshore-oil-gas-cyberattacks-watchdog/ [TechRadar] This new malware is able to bypass all of Microsoft's security warnings https://www.techradar.com/news/this-new-malware-is-able-to-bypass-all-of-microsofts-security-warnings [Naked Security] LastPass admits to customer data breach caused by previous breach https://nakedsecurity.sophos.com/2022/12/02/lastpass-admits-to-customer-data-breach-caused-by-previous-breach/ [MacRumors] Anker's Eufy Cameras Caught Uploading Content to the Cloud Without User Consent https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/ Tip of the Week: 'Tis the Season for Scams: https://firewallsdontstopdragons.com/how-to-avoid-holiday-scams/ Further Info Boston Dynamics robodog: https://www.youtube.com/watch?v=6Zbhvaac68Y This Person Doesn't Exist: https://thispersondoesnotexist.com/ 300th episode promotion: https://fdsd.me/ep300 Patron promotion: https://fdsd.me/coinpromo Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://fdsd.me/newsletter Check out my book, Firewalls Don't Stop Dragons: https://fdsd.me/book
I can't believe I've been doing this for 300 weeks - almost 6 years now! And returning for his 3rd "podcentennial" episode is world-renowned security guru Bruce Schneier! Today we'll discuss hacking - not just in the realm of computers, but in legal, political, social and economic spaces. And then we'll talk about how artificial intelligence and computer automation are starting to play a significant role in hacking all of these realms. Computers and AI expand the scope, scale and speed of hacking and we're honestly not prepared for it. To celebrate the 300th episode and the coming release of the 5th edition of my book, today I'm kicking off a big giveaway with lots of prizes and a killer promotion for patrons on Patreon! (See below for links.) Bruce Schneier is an internationally renowned technologist and security guru. He is the author of over one dozen books, including his latest, A Hacker's Mind, due out in February, I believe. He has testified before Congress and has served on several government committees and corporate boards, written many seminal papers, has a very popular blog called Crypto-Gram, and last but not least, Bruce is the Chief of Security Architecture at Inrupt. 
Further Info 300th episode promotion: https://firewallsdontstopdragons.com/enter-to-win-300th-podcast-giveaway/ Patron promotion: https://www.patreon.com/posts/december-patron-75151773 The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html A Hacker's Mind book: https://www.schneier.com/books/a-hackers-mind/ Give the gift of security & privacy: https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/ Check out my Best & Worst Gifts Guide for 2022: https://firewallsdontstopdragons.com/best-worst-gifts-2022/ The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html A Hacker's Mind book: https://www.schneier.com/books/a-hackers-mind/ The Trolley Problem: https://en.wikipedia.org/wiki/Trolley_problem Gödel's incompleteness theorems: https://en.wikipedia.org/wiki/G%C3%B6del's_incompleteness_theorems Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:31: Interview preview 0:02:29: Interview start 0:03:13: How does hacking differ from inventing or just cheating? 0:07:14: What is artificial intelligence and when will it be like the sci-fi version? 0:11:32: Do we have to worry about AI replacing us or taking over? 0:13:57: Can we program human values into AI systems? 0:18:09: Why are reward and goal alignment so crucial for AI? 0:20:28: Will we ever implicitly trust AI if we can't explain its answers? 0:25:37: Do we put too much trust in some AI systems? 
0:27:59: How might AI systems be used to hack financial or political systems? 0:33:26: Can we govern AI systems with human laws? 0:36:40: Are non-computer systems more susceptible to hacks due to uncodified norms? 0:42:41: Can AI think outside the box if it doesn't understand the box? 0:48:05: How does terrorism hack our brains and how do we prevent that? 0:53:35: What are some Utopian possibilities for AI? 0:55:08: How do we get more public interest technologists? 0:56:28: Interview wrap-up 0:58:19: 300th podcast giveaway! 1:01:49: Patron promotion!
Black Friday is just around the corner, which marks the unofficial launch of the holiday shopping season. As you're considering what gifts to give to your loved ones this year, I want to make sure you're thinking about the privacy and security aspects. To that end, I have updated my annual Best and Worst Gift Guide and I will go over the highlights in this episode for my Tip of the Week. But I also have a special new gift idea this year: security and privacy coupons that you can download and give to your loved ones! In the news: USPS tells customers to avoid using the big blue mailboxes for gifts and important letters during the holiday season; Google pays nearly $400M fine to 40 states who sued over location tracking; Medibank refuses to pay ransom for data and criminals are starting to leak sensitive medical records online; TransUnion reports a data breach; FBI director warns that TikTok is a national security risk; Lenovo laptops are exposed to UEFI malware risks (update now); a mysterious company with government ties and a history of spying has become a root certificate authority; the British government is scanning its citizens' devices looking for vulnerabilities in hopes of fixing them; almost 50% of all Mac malware can be traced to a single security application; Apple apps are sending tons of analytics data to Apple even when analytics are disabled; I answer a listener question (Dear Carey) about the best Mastodon clients, in the wake of the Twitter collapse. 
Article Links [Lifehacker] Avoid Using Blue Mailboxes During the Holidays, USPS Warns https://lifehacker.com/avoid-using-blue-mailboxes-during-the-holidays-usps-wa-1849773201 [The Hacker News] Google to Pay $391 Million Privacy Fine for Secretly Tracking Users' Location https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html [CPO Magazine] Medibank Refuses Ransom Payments, Hackers Leak Stolen Health Data to Dark Web https://www.cpomagazine.com/cyber-security/medibank-refuses-ransom-payments-hackers-leak-stolen-health-data-to-dark-web/ [BGR] TransUnion data breach compromises financial information of consumers https://bgr.com/tech/transunion-data-breach-compromises-financial-information-of-consumers/ [USA TODAY] FBI director says TikTok poses national security threat, and he's 'extremely concerned' https://www.usatoday.com/story/tech/2022/11/16/tiktok-poses-national-security-threat-fbi/10709987002/ [Ars Technica] Lenovo driver goof poses security risk for users of 25 notebook models https://arstechnica.com/information-technology/2022/11/lenovo-patches-secure-boot-vulnerabilities-that-imperil-25-notebook-models/ [The Washington Post] Mysterious company with government ties plays key internet role https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ [Bleeping Computer] British govt is scanning all Internet devices hosted in UK https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/amp/ [Tom's Guide] Almost 50% of macOS malware reportedly comes from single app — delete it now https://www.tomsguide.com/news/new-report-says-nearly-half-of-macos-malware-comes-from-single-app-delete-it-now [Gizmodo] Apple Is Tracking You Even When Its Own Privacy Settings Say It's Not, New Research Says https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558 Dear Carey: Mastodon clients. 
https://joinmastodon.org/apps https://bilge.world/mastodon-ios-apps Further Info Best & Worst Gifts for 2022: https://firewallsdontstopdragons.com/best--worst-gifts-2022/ Privacy & Security Coupons: https://fdsd.me/coupons Give thanks and donate! https://firewallsdontstopdragons.com/give-thanks-donate/ Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdo...
Connected computers have changed the world perhaps more than any other single invention. The impacts of nearly instant global communication and effectively infinite, perfect storage of information are at once undeniable and difficult to fully comprehend. And yet, technologists, bureaucrats and corporate leaders make decisions on a daily basis that should consider the repercussions. Just because you can do something doesn't mean you should. Today, we'll discuss the digitization of the world and some of the more important impacts it has had and is having on society with the authors of the book Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion. Harry Lewis, former Dean of Harvard College, is Gordon McKay Professor of Computer Science at Harvard. Ken Ledeen is the Chairman and Chief Executive Officer at Nevo Technologies, Inc., a software development and information technology consulting firm located in Cambridge, Massachusetts. Wendy Seltzer is Strategy Lead and Counsel to the World Wide Web Consortium (W3C) at MIT, improving the Web's security, availability, and interoperability through standards. Further Info Buy or download Blown to Bits: https://www.bitsbook.com/thebook/ Weird Marketing Tales interviewed me: https://weirdmarketingtales.com/why-firewalls-dont-stop-dragons-carey-parker-privacy-security/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 
0:03:16: interview start 0:04:03: What brought you all together to write this book? 0:05:28: What are the biggest changes since the first edition? 0:10:04: What were the impacts of the Edward Snowden revelations? 0:12:44: How do we resolve the tension between privacy and law enforcement? 0:16:43: Are computer systems free from bias? 0:19:22: How do algorithms impact judicial decisions? 0:20:45: Why is it hard to explain how AI systems make decisions? 0:28:33: What is net neutrality and who are the gatekeepers today on the internet? 0:31:59: Have we lost the original Utopian ideal of the internet? 0:35:41: How have content moderation and personalization affected our experience? 0:40:48: How do these companies hyper-personalize the web? 0:45:44: Are we changing our own behaviors to game the algorithms? 0:47:35: Are bits more fragile than parchment and cave paintings? 0:53:29: What gives you hope? What keeps you up at night? 0:58:12: Interview wrap-up 0:59:34: Upcoming shows, promotions, interviews
QR codes are not inherently dangerous. They're effectively links we can click in the real world using the camera app on our phone. Like hyperlinks on a web page, QR code "links" can take you to good websites or bad websites. They can also disguise their ultimate destination by using URL shortening services like bitly or owly. But now "free" QR code generator websites - that is, sites that will let you create one of these QR codes by entering the HTTP link you want it to take people to - are using these redirects to basically hold your QR code for ransom. The QR codes they give you use the redirect links to insert themselves into the middle - and after some time, they will stop working until you subscribe and pay them money. If you've already printed these codes on hundreds of business cards or dozens of plaques for your restaurant, they've really got you over a barrel. I'll help you avoid these scams. In other news: Microsoft warns that attackers are quickly leveraging newly reported zero-days; some Chrome extensions are making money by inserting affiliate links for thousands of websites; Microsoft appears to be readying a useful PC cleanup tool for release; Apple clarifies its policy on security updates for older OS releases; a report details how hidden AI algorithms are affecting the lives of DC residents; facial recognition systems are being installed in many soccer stadiums; Uber is planning to bombard their users with ads; Clearview AI has been fined 30M euros by France; Apple is ramping up its own ads on its various apps and devices; and I answer another Dear Carey question, this one on the case that is bringing Section 230 in front of the Supreme Court. 
Article Links [Hacker News] Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html [BleepingComputer] Chrome extensions with 1 million installs hijack targets' browsers https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/ [PCWorld] Microsoft's surprise PC Manager system optimizer takes aim at CCleaner https://www.pcworld.com/article/1360140/microsoft-releases-beta-of-a-ccleaner-style-pc-manager-tool.html [Ars Technica] Apple clarifies security update policy: Only the latest OSes are fully patched https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/ [WIRED] Algorithms Quietly Run the City of DC—and Maybe Your Hometown https://www.wired.com/story/algorithms-quietly-run-the-city-of-dc-and-maybe-your-hometown/ [WIRED] Soccer Fans, You're Being Watched https://www.wired.com/story/soccer-world-cup-biometric-surveillance/ [Gizmodo] Uber Plans to Advertise to You At Every Stage of Your Ride, Using Your Own Data https://gizmodo.com/uber-ads-ride-share-uber-eats-1849678092 [Naked Security] Clearview AI image-scraping face recognition service hit with €20m fine in France https://nakedsecurity.sophos.com/2022/10/26/clearview-ai-image-scraping-face-recognition-service-hit-with-e20m-fine-in-france/ [Lifehacker] How to Block Apple's Own Ads on Your iPhone https://lifehacker.com/how-to-block-apple-s-own-ads-on-your-iphone-1849703889 Tip of the Week: https://firewallsdontstopdragons.com/qr-code-scams-revisited/ Further Info Send me your questions! https://fdsd.me/qna Support me! 
https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:42: Countdown to 300
It's easy to tell people to use this or that privacy tool, but this always assumes that you trust the service that is providing that tool. How can mere mortals ever hope to obtain sufficient knowledge of the inner workings of these products and service providers that would allow them to make an informed decision? Today, I'll ask Adrianus Warmenhoven from Nord VPN that question, along with questions about normalizing surveillance and what privacy really means in our digital internet society. Adrianus Warmenhoven is a Defensive Strategist and Threat Intelligence Manager at NordVPN. He is responsible for getting the most relevant IOCs (Indicators of Compromise), malware samples and their indicators and generally mapping out the threat landscape for the company's customers. Interview Links Nord VPN: https://nordvpn.com/ The Follower: https://driesdepoorter.be/thefollower/ Five-Eyes Countries: https://en.wikipedia.org/wiki/Five_Eyes Electronic Frontier Foundation: https://www.eff.org/ Mozilla Foundation: https://foundation.mozilla.org/en/ Give thanks and donate: https://firewallsdontstopdragons.com/give-thanks-donate/ Further Info Send me your questions! https://fdsd.me/qna Support me! https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Table of Contents Use these timestamps to jump to a particular section of the show. 
0:00:26: Elon Musk buys Twitter 0:01:31: What is Mastodon? 0:02:36: Interview preview 0:04:13: Tell us about Nord and what you do there 0:05:25: What is most misunderstood about privacy? 0:07:53: How does my privacy overlap your privacy? 0:10:08: What threats to privacy aren't getting enough attention? 0:13:02: Doesn't capitalism require companies to monetize our data? 0:16:26: Is it possible to compartmentalize our lives today? 0:18:32: Why can't we learn that just because we can doesn't mean we should? 0:22:09: How does privacy in the physical world differ from online? 0:24:21: Have we normalized surveillance for the younger generation? 0:30:22: How do we know which companies to trust with our privacy? 0:38:11: How can companies avoid gathering user data? 0:42:47: How important is transparency for consumers? 0:45:48: How do VPNs work and how do they fail? 0:48:46: How important is it for privacy companies to be in favorable jurisdictions? 0:52:19: How can I get more involved with privacy rights? 0:56:03: What gives you hope? 0:57:59: Bonus content 0:58:54: Interview wrap-up 1:01:51: Give thanks and donate 1:03:17: Dear Carey - ask me a question 1:04:13: Upcoming stuff
This is going to sound bonkers, even though you're used to so many things tracking you... web pages, emails, and apps... but I'm here to tell you that while you're watching your TV, your TV is also watching you. Or I guess more accurately, your TV is watching what you're watching. Even if you're not using the built-in smart apps, if you're just piping pixels in from an external box, your TV can recognize the movies and shows being displayed. And it's taking meticulous notes and selling that data. It's called Automatic Content Recognition and "post-purchase monetization". It's sorta like the Shazam music recognition app, but for TV shows and movies. I'll tell you what you can do to stop it. In other news: a tricky new ransomware campaign is targeting home Windows users; Signal is removing support for SMS text messaging; Toyota user app data was exposed for years; the White House unveiled a new cybersecurity rating system for consumer products; Apple privacy is better than most, but still falls short; a privacy researcher tries and fails to keep her pregnancy secret from marketers; companies in the UK are tailoring real-life billboards using cameras and AI; relief funds were sent to people impacted by Hurricane Ian using AI algorithms; Facebook's new VR headset will mine your facial expressions for marketing; Wired article gives tips for avoiding student surveillance tools. 
Article Links [ZDNet] This unusual ransomware attack targets home PCs, so beware https://www.zdnet.com/article/this-unusual-ransomware-attack-targets-home-pcs-so-beware/ [Signal] Removing SMS support from Signal Android (soon) https://signal.org/blog/sms-removal-android/ [BleepingComputer] Toyota discloses data leak after access key exposed on GitHub https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/ [CyberScoop] White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star https://www.cyberscoop.com/white-house-to-unveil-internet-of-things-labeling/ [The Atlantic] I Tried to Keep My Pregnancy Secret https://www.theatlantic.com/ideas/archive/2022/10/can-you-hide-your-pregnancy-era-big-data/671692/ [The Guardian] Apple says it prioritizes privacy. Experts say gaps remain https://www.theguardian.com/technology/2022/sep/23/apple-user-data-law-enforcement-falling-short [VICE] Companies in the UK Are Mining Users' Personal Data to Place Billboard Ads https://www.vice.com/en/article/n7zqmb/companies-in-the-uk-are-mining-users-personal-data-to-place-billboard-ads [WIRED UK] Hurricane Ian Destroyed Their Homes. Algorithms Sent Them Money https://www.wired.co.uk/article/hurricane-ian-destroyed-homes-google-algorithms-sent-money [Gizmodo] Meta's New Headset Will Track Your Eyes for Targeted Ads https://gizmodo.com/meta-quest-pro-vr-headset-track-eyes-ads-facebook-1849654424 [WIRED] How to Protect Yourself If Your School Uses Surveillance Tech https://www.wired.com/story/how-to-protect-yourself-school-surveillance-tech-privacy/ Tip of the Week: https://firewallsdontstopdragons.com/your-tv-is-watching-you/ Further Info Send me your questions! https://fdsd.me/qna Support me! 
https://fdsd.me/support Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: News rundown 0:03:40: Sneaky new Windows ransomware targets home users 0:07:20: Signal drops support for SMS on Android 0:14:53: Toyota leak exposed car app data for 5 years 0:18:27: White House cybersecurity product labeling initiative 0:21:54: Privacy scholar tries and fails to keep pregnancy secret 0:28:28: Apple still had glaring privacy holes 0:33:...
We talk a lot about security and privacy on my show, but we don't talk enough about these subjects in relation to students and schools. Schools are tragically underfunded and can't afford to hire cybersecurity experts, let alone privacy experts. Students are minors who lack the legal rights and life experience to push back against horrific privacy invasions brought on by remote learning and in-home test proctoring. The laws in the US are woefully outdated and we too often assume that what is legal is the same as what is right and just. Today, I'll discuss these challenges and ethical dilemmas with Doug Levin. Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats. Interview Links: K12 SIX: https://www.k12six.org/ Annual “State of K-12 Cybersecurity Report”: https://www.k12six.org/the-report K-12 Essentials Series: https://www.k12six.org/essentials-series Public event calendar: https://www.k12six.org/events US Department of Education, Privacy Technical Assistance Center: https://studentprivacy.ed.gov/ CISA K-12 Cybersecurity Resources: https://www.cisa.gov/stopransomware/k-12-resources CISA Back to School Campaign: https://www.cisa.gov/r8-virtual-back-school-campaign-2022 US GAO: “Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K-12 Schools from Cyber Threats” https://www.gao.gov/products/gao-22-105024 EFF: Student Privacy Resources https://www.eff.org/issues/student-privacy CDT: Student Privacy Resources https://cdt.org/area-of-focus/privacy-data/student-privacy/ EPIC: Student Privacy https://epic.org/issues/data-protection/student-privacy/ Algorithmic Justice League: https://www.ajl.org/ The Markup: https://themarkup.org/machine-learning/2022/01/19/help-us-investigate-the-ed-tech-industry Fight for the Future, which e.g., runs this campaign: 
https://www.baneproctoring.com/ ACLU: https://www.nyclu.org/en/issues/education-policy-center/technology-schools Further Info Send me your questions! https://fdsd.me/qna Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887 Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Donate directly with Monero! https://firewallsdontstopdragons.com/contact/ Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:24: Pre-interview definition of terms 0:05:07: What is K12SIX about? 0:10:52: What are the biggest security threats for schools? 0:17:15: What about security threats for teachers and students? 0:21:58: What are your top security recommendations for schools? 0:30:01: What are the major impediments for schools improving cybersecurity? 0:33:20: How can school systems best share info and help one another? 0:37:41: What are the main privacy threats for students? 0:46:25: How is student data being used (or abused)? 0:48:36: How do AI systems fail when it comes to minority populations? 0:51:32: How can students and parents assert their privacy rights? 0:56:03: What resources can you recommend for schools and students? 0:59:39: Interview wrap-up 1:00:40: Not reusing user names and passwords 1:02:20: Preview of upcoming shows, promotions
Cold hard cash is becoming more and more rare these days. People just don't carry it around much anymore. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. While convenient, are these payment systems safe? Most of them actually are pretty secure (though some of them are not very private, like Venmo). But because most of these apps draw directly from your bank account, if you send money to the wrong person, either by mistake or because you were scammed, that money is pretty much gone. Ironically, this is very much like physical cash. Specifically, the protections many people assume they have against fraudulent bank transactions don't really apply: you explicitly authorized the transfer, and therefore many banks will not reimburse you for the loss. In other news: Optus confirms massive data breach; Optus breach triggers privacy regulation review in Australia; Facebook shuts down propaganda campaigns from Russia and China; Facebook warns 1M users of potential credential theft; Google will be migrating Fitbit customers to Google accounts; Microsoft adds new protections to warn you of PC password reuse and insecure storage; the FTC is pushing for new rules around location data collection and sharing; Google releases new tool to help purge personal information from its search results.
Article Links
[BleepingComputer] Optus confirms 2.1 million ID numbers exposed in data breach https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/
[The Verge] Australia to overhaul privacy laws after massive data breach https://www.theverge.com/2022/9/26/23372868/australian-hack-disclosure-privacy-laws-optus-data-breach
[Hacker News] Facebook Shuts Down Covert Political 'Influence Operations' from Russia and China https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html
[9to5mac.com] Facebook security warning for 1M users: Scam apps stole login credentials https://9to5mac.com/2022/10/07/facebook-security-warning/
[Hacker News] Google to Make Account Login Mandatory for New Fitbit Users in 2023 https://thehackernews.com/2022/09/google-to-make-account-login-mandatory.html
[Lifehacker] Microsoft Has a New Trick for Keeping Your Password Safe https://lifehacker.com/microsoft-has-a-new-trick-for-keeping-your-password-saf-1849580498
[Bloomberg] FTC Joins Push for Rules on Trade of Smartphone Location Data https://www.bloomberg.com/news/articles/2022-09-16/location-data-rules-draw-ftc-s-attention-post-roe
[The Verge] In 2023, Google can notify you if personal info pops up in search https://www.theverge.com/2022/9/28/23377208/google-results-about-you-notifications-personal-info
[Krebs on Security] Report: Big U.S. Banks Are Stiffing Account Takeover Victims https://krebsonsecurity.com/2022/10/report-big-u-s-banks-are-stiffing-account-takeover-victims/
Further Info
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Consumer Reports: payment apps: https://www.consumerreports.org/digital-payments/how-to-safely-pay-for-goods-and-services-with-someone-you-dont-know/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: News rundown
0:02:49: 10 Million Optus users affected by breach
0:06:04: Optus breached via open web interface
0:10:28: Facebook shuts down political influence campaigns
0:13:38: Facebook warns 1M users of potential credential the...
Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture the flag game, except the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn't require a university degree or formal training. There are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can just hack for the fun of it, in a completely safe and legal environment. Jordan will tell you all about it in today's show! Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, even a technical magazine writer, but now he's mostly a has-been CTF player who loves to talk about them. He has been the CTF expert for the first three years of Hack-A-Sat, and he was one of the founders of Vector 35, the company that makes Binary Ninja.
Interview Links
Hack-A-Sat 3: https://hackasat.com/
Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/
Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html
Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised
Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/
Plaid CTF: https://plaidctf.com/
CTFTime.org: https://ctftime.org/
Pwnable.kr: https://pwnable.kr/
Pwnable.tw: https://pwnable.tw/
Reversing.kr: http://reversing.kr/
Shodan: https://www.shodan.io/
Burp Suite: https://portswigger.net/burp
Wireshark: https://www.wireshark.org/
Binary Ninja: https://binary.ninja/
Metasploit: https://www.metasploit.com/
Nmap: https://nmap.org/
Live Overflow: https://liveoverflow.com/
TryHackMe: https://tryhackme.com/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Support my work! https://firewallsdontstopdragons.com/support/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:04:25: What is Hack-A-Sat?
0:08:44: How has the Hack-A-Sat program evolved?
0:12:58: How did CTFs start out and when did they become popular?
0:17:37: Why do we have so many unfilled cybersecurity jobs?
0:21:15: Do you need a college degree to work in cybersecurity?
0:29:39: What's a black hat hacker vs white hat? What's a red team or blue team?
0:32:15: How do CTFs actually work? What is a flag and how do I capture it?
0:38:05: Are there beginner CTFs that are free to try?
0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?
0:51:57: How do hackers chain together multiple exploits?
0:56:26: What's your advice to someone who would like to try a CTF?
1:00:36: What's next for Hack-A-Sat?
1:02:25: Interview wrap-up
1:04:07: What is Rick-Rolling?
1:05:23: Try a CTF, go to a hacker con!
Apple just released a major update to its iPhone operating system, iOS 16. This release has some really important security and privacy features, including Passkeys, Lockdown Mode and Safety Check. I'll give you an overview of these features. In other news: D-Link routers have a major vulnerability that's being actively exploited; Uber was completely pwned by a cocky 18-year-old hacker; Morgan Stanley was fined $35 million for failing to delete user data from hundreds of hard drives before reselling them; Chrome and Edge may be sending your form data back to Google and Microsoft; a new voice AI tool lets you change your voice to sound like someone else; health apps are sharing your personal data and HIPAA isn't helping; the US military is using yet another data broker to buy incredibly detailed information on almost all internet users; US border agents can search your phone and even copy your phone's data, and may save that info for 15 years; your car is coughing up tons of personal and auto data to dozens of data companies; Intel's new AI will be used to find students who are confused or even emotionally distressed.
Article Links
[BleepingComputer] Moobot botnet is coming for your unpatched D-Link router https://www.bleepingcomputer.com/news/security/moobot-botnet-is-coming-for-your-unpatched-d-link-router/
[WIRED] The Uber Hack's Devastation Is Just Starting to Reveal Itself https://www.wired.com/story/uber-hack-mfa-phishing/
[Ars Technica] $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/
[BleepingComputer] Google, Microsoft can get your passwords via web browser's spellcheck https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
[Ars Technica] With Koe Recast, you can change your voice as easily as your clothing https://arstechnica.com/information-technology/2022/09/with-koe-recast-you-can-change-your-voice-as-easily-as-your-clothing/
[The Washington Post] Health apps share your concerns with advertisers. HIPAA can't stop it. https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/
[VICE] Revealed: U.S. Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data
[Engadget] US border forces are seizing Americans' phone data and storing it for 15 years https://www.engadget.com/us-border-forces-traveler-data-15-years-085106938.html
[The Washington Post] How to prevent customs agents from copying your phone's content https://www.washingtonpost.com/technology/2022/09/18/phone-data-privacy-customs/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Protocol] Intel thinks its AI knows what students think and feel in class https://www.protocol.com/enterprise/emotion-ai-school-intel-edutech
Tip of the Week: https://firewallsdontstopdragons.com/ios-16-privacy-security/
Further Info
Koe Recast web demo: https://koe.ai/recast/
100-mile US border zone: https://www.aclu.org/other/constitution-100-mile-border-zone
Tech Model Railroad Club: https://en.wikipedia.org/wiki/Tech_Model_Railroad_Club
Send me your questions! https://firewallsdontstopdragons.com/dear-carey-podcast-qa/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
You may not be into cryptocurrency, but a recent incident involving a so-called "cryptocurrency mixer" has some important implications for privacy and free speech. Today we'll examine the relative anonymity of cryptocurrency transactions, tools that can be used to enhance that anonymity, and why the code that created these tools, and the services that might host them, must be protected under the First Amendment. Along the way, we'll explore the limits of free speech in the US and some interesting attempts to capture those rights. Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation, the leading nonprofit defending digital privacy, free speech, and innovation.
Interview Links
Coin Center article on Tornado Cash: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/
Electronic Frontier Foundation: https://www.eff.org/
Code, Speech, and the Tornado Cash Mixer https://www.eff.org/deeplinks/2022/08/code-speech-and-tornado-cash-mixer
Treasury Dept sued over Tornado Cash sanctions: https://fortune.com/2022/09/08/coinbase-employees-and-ethereum-backers-sue-u-s-treasury-over-tornado-cash-sanctions/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: Interview setup
0:02:43: How anonymous are cryptocurrency transactions?
0:07:30: What is a cryptocurrency mixer and why would I use one?
0:10:34: Kurt's thoughts on "going dark"
0:12:45: Physical currency is not technically anonymous, either
0:14:07: How did the White House try to fix this problem?
0:15:27: Who is OFAC and what is the SDN list?
0:16:57: Who or what is Tornado Cash?
0:20:23: What about Tornado Cash drew scrutiny from the US Gov't?
0:22:08: How does all of this relate to free speech?
0:26:22: One of the developers was arrested; what's the EFF's take on this?
0:29:14: Is a platform responsible for illegal activities related to content they host?
0:31:18: What's the limit of free speech when it comes to software code?
0:41:00: What free speech rights do platforms themselves have?
0:44:42: What about attempts to turn code into books or T-shirts to gain protection?
0:48:04: What's next for the Tornado Cash case?
0:55:12: Interview wrap-up
0:55:46: Looking ahead
A little over 20 years ago, Charles Petzold wrote what would become a classic book on understanding modern computers and the software that drives them. Computers have become essential to daily life and inhabit more and more of the devices we use every day. Every "smart" device you own contains a computer running software. While these little silicon chips and the binary code running them seem like magic, they're really just a series of simple building blocks chained together to accomplish a task. Having a basic understanding of these concepts can give us a lot more perspective on how computers can be used and abused, programmed and subverted. When I learned that Charles was releasing a fully updated 2nd edition of Code, I asked him to come on the show to give us all a historical overview of computers and software. He graciously agreed. The concepts of computing and programming go back a lot further than you might think. Today we'll learn about this and much more. Charles Petzold is the author of the books Code, The Annotated Turing, and numerous programming tutorials involving Microsoft Windows.
Interview Notes
Code: The Hidden Language of Computer Hardware and Software: https://www.charlespetzold.com/books/
Companion website: https://codehiddenlanguage.com/
The Annotated Turing: https://www.charlespetzold.com/AnnotatedTuring/
Alan Turing: https://en.wikipedia.org/wiki/Alan_Turing
Ada Lovelace: https://en.wikipedia.org/wiki/Ada_Lovelace
Delay Line Mercury Storage: https://en.wikipedia.org/wiki/Delay-line_memory#Mercury_delay_lines
Steganography: https://en.wikipedia.org/wiki/Steganography
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:08: Hold off on iOS 16 update
0:02:47: Preview of today's interview
0:05:49: Why did you write this book and who was your target audience?
0:11:03: Why should we understand the basics of computing?
0:12:39: What IS a "computer", fundamentally?
0:16:35: Where did computers start, historically?
0:19:21: What's the origin of software and programming computers?
0:22:14: How did we store computer programs before hard drives?
0:25:30: How did encoding enable us to communicate over large distances?
0:30:00: How do we measure progress in computing?
0:34:24: How did you decide how to lay out the concepts in the book?
0:39:29: How can understanding computers help us be more secure?
0:43:17: What does the future of computing look like?
0:49:58: What will your next book be about?
0:53:55: Interview wrap-up
0:54:53: My Google rant
0:58:03: A bit on steganography and codes
0:59:41: Upcoming shows, schedule change
Password manager software maker LastPass suffered a data breach last week, which understandably made their customers very nervous, and caused some people to question the decision to put all their passwords in one digital basket. In today's show, I'll explain why this particular breach was not a threat to anyone's passwords and why you should still use a high-quality password manager. In other news: Former security chief blows the whistle on Twitter; major VPN providers are pulling out of India over surveillance law issues; a set of popular Chrome extensions caught committing click fraud; Google's new Chrome extension restrictions threaten to hobble ad blockers; a father's Google accounts are deleted over false AI-flagged CSAM; the US Federal Trade Commission sues a data broker over lax protection of location data; EFF finds another data broker selling location data to law enforcement; Google launches bug bounty program for open source software projects; DuckDuckGo's email privacy protection feature now available to all; Ohio judge rules that scanning students' rooms before tests is illegal; a flight to Cabo is nearly grounded thanks to a passenger sending dick pics to other passengers, including one of the pilots.
Article Links
[The Washington Post] Former security chief claims Twitter buried 'egregious deficiencies' https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/
[9to5mac.com] Major VPN services shut down in India over anti-privacy law; Apple hasn't yet commented https://9to5mac.com/2022/09/01/major-vpn-services/
[BleepingComputer] Chrome extensions with 1.4 million installs steal browsing data https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/
[BleepingComputer] AdGuard's new ad blocker struggles with Google's Manifest v3 rules https://www.bleepingcomputer.com/news/security/adguard-s-new-ad-blocker-struggles-with-google-s-manifest-v3-rules/
[The New York Times] A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
[Reuters] U.S. FTC sues data broker Kochava for alleged sale of sensitive data https://www.reuters.com/legal/us-ftc-sues-data-broker-kochava-alleged-sale-sensitive-data-2022-08-29/
[Electronic Frontier Foundation] Data Broker Helps Police See Everywhere You've Been with the Click of a Mouse: EFF Investigation https://www.eff.org/press/releases/data-broker-helps-police-see-everywhere-youve-been-click-mouse-eff-investigation
[Naked Security] LastPass source code breach – do we still recommend password managers? https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/
[Decipher] Google Launches Bug Bounty Program For Open Source Projects https://duo.com/decipher/google-launches-bug-bounty-program-for-its-open-source-projects
[Spread Privacy] Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All! https://spreadprivacy.com/protect-your-inbox-with-duckduckgo-email-protection/
[The Verge] University can't scan students' rooms during remote tests, judge rules https://www.theverge.com/2022/8/23/23318067/cleveland-state-university-online-proctoring-decision-room-scan
[VICE] Creeps Airdropping Dick Pics Just Made Flying Even Worse https://www.vice.com/en/article/3adag9/southwest-tiktok-video-pilot-airdropped-nudes
Tip of the Week: How to Prevent Cyberflashing https://firewallsdontstopdragons.com/how-to-prevent-cyberflashing/
Further Info
Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero!
Thirty years ago, a young hacker named Jeff Moss (aka The Dark Tangent) threw a party in the desert of Nevada to commemorate the demise of a bulletin board system called PlatinumNet. Unlike the other handful of hacker conferences at that time, this one would be on the West Coast and open to everyone. Over the next three decades, DEF CON would become the preeminent hacker convention for the US (possibly the world), drawing upwards of 30,000 attendees. Along with its more corporate spinoff Black Hat and the related BSides conference, the back-to-back conferences are affectionately referred to as Hacker Summer Camp. In today's show, I'll walk down memory lane with Jeff, discussing the ups and downs he's experienced, and delve into what this has all meant to him, personally. Oh yeah... and also the incident involving strippers and hacking the power grid.
Further Info
Amulet of Entropy badge: https://amuletofentropy.com/
DEF CON documentary: https://www.youtube.com/watch?v=SUhyeY0Fsvw
My first trip to DEF CON: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/
Last year's interview with Jeff Moss: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Legion of Doom (LOD) vs Masters of Deception (MOD): https://en.wikipedia.org/wiki/Great_Hacker_War
SATAN tool: https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks
A brief history of hacking: https://encyclopedia.kaspersky.com/knowledge/a-brief-history-of-hacking/
Cap'N Crunch whistle: https://www.thingiverse.com/thing:2630646
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:31: Hacker Summer Camp
0:03:30: Pre-interview things of note
0:05:31: DEF CON, the early years
0:12:02: How has DEF CON changed since the beginning?
0:16:08: What's the closest DEF CON ever came to ending?
0:24:44: Why is DEF CON so full of shenanigans?
0:26:49: What has DEF CON meant to you, personally?
0:32:02: Thoughts on the DEF CON culture
0:37:13: What's your "Jeff sense" on choosing the best people?
0:39:50: What's in the future for DEF CON?
0:46:13: What speakers have you always wanted but couldn't get?
0:51:04: Learning more about hackers and hacking
0:53:50: Where does "2600" come from?
0:57:18: Important notes for new listeners
If it's August in Las Vegas, it's time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked; I hope to go back every year. This was the big 30th anniversary of DEF CON, and several of the news stories this week came from one of these hacker conferences. And next week I'll air my wonderful interview with DEF CON's CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple's App Store security checks and contain malware, so you should delete them ASAP; iOS VPN apps aren't properly securing connections made before activating the VPN; TikTok's in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco's network breach has lessons for all of us; Signal's use of phone numbers as identifiers highlighted due to breach at Twilio; a new jailbreak has been found on John Deere tractors that might allow farmers to service their own equipment; Amazon is planning to release a reality TV show based on Ring doorbell footage; a digital hallway pass allows schools to intrusively monitor their students; and law enforcement is tapping into DNA databases of the blood samples taken at birth by hospitals to solve crimes.
Article Links
[Tom's Guide] These Mac apps are secretly spreading malware — delete them now https://www.tomsguide.com/news/these-mac-apps-are-secretly-spreading-malware-delete-them-now
[Ars Technica] iOS VPNs have leaked traffic for years, researcher claims [Updated] https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/
[Forbes] TikTok's In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/
[Threatpost] Cisco Confirms Network Breach Via Hacked Employee Google Account https://threatpost.com/cisco-network-breach-google/180385/
[TechCrunch] Signal says 1,900 users' phone numbers exposed by Twilio breach https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
[Ars Technica] A new jailbreak for John Deere tractors rides the right-to-repair wave https://arstechnica.com/information-technology/2022/08/a-new-jailbreak-for-john-deere-tractors-rides-the-right-to-repair-wave/
[VICE] 'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia
[VICE] A Tool That Monitors How Long Kids Are in the Bathroom Is Now in 1,000 American Schools https://www.vice.com/en/article/dy73n7/ehallpass-1000-thousand-schools-monitor-bathroom
[WIRED] Police Used a Baby's DNA to Investigate Its Father for a Crime https://www.wired.com/story/police-used-a-babys-dna-to-investigate-its-father-for-a-crime/
Tip of the Week: https://firewallsdontstopdragons.com/be-my-guest-no-i-insist/
Further Info
A few Amulets of Entropy are still left: https://hackerboxes.com/collections/past-hackerboxes/products/hackerbox-0080-entropy
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:17: DEF CON 30 notes
0:03:00: Quick security notes
0:03:46: News rundown
0:06:50: Delete these Apple apps immediately
0:10:44: iOS VPN apps fail to secure old connections
0:15:00: TikTok's in-app browser a...
There's no doubt that the internet has enabled criminals to share illicit and vile content with ease. The advent of high-quality end-to-end encrypted communications has made sharing this material harder for law enforcement to police. But the solution is not to cripple this technology, which is essential for security, privacy and even democracy. Today I'll discuss this thorny issue with Dhanaraj Thakur from the Center for Democracy and Technology. We'll talk about several dangerous proposals currently being considered in the US and Europe, and some potential solutions that can limit criminal behavior while preserving security and our right to privacy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online.
Further Info
Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems: https://cdt.org/insights/outside-looking-in-approaches-to-content-moderation-in-end-to-end-encrypted-systems/
End Run Around Your Rights: https://podcast.firewallsdontstopdragons.com/2021/12/13/end-run-around-your-rights/
Center for Democracy & Technology: https://cdt.org/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:19: Rebranding rolling out
0:02:11: Why is content moderation coming to the fore?
0:05:11: What are the types of content we're trying to control?
0:08:30: How is automated copyright detection being abused by police?
0:09:49: What are the phases of content moderation?
0:12:01: How can content moderation scale on huge platforms?
0:15:14: How does moderation differ inside vs outside the US?
0:18:12: What is the platform liability for content?
0:21:33: How good is automated content filtering?
0:25:01: When does moderation become censorship?
0:27:52: Can social media companies block or allow whatever they want?
0:30:53: What does end-to-end encryption really mean?
0:34:42: How important is metadata for identifying illicit content?
0:37:26: What are the current legislative proposals around content moderation?
0:41:13: How can we comply with these orders without losing privacy?
0:46:09: So where do we draw the line?
0:48:44: How did we police this before the internet?
0:49:34: How can I learn more and get involved?
0:51:57: Listener mailbag coming soon!
0:52:49: Preview of coming shows
All software has bugs, so the more software you have installed, the more bugs you have. It's not just the bugs in any individual application, but it's also magnified by interactions between some applications. Thankfully, the converse is also true: the less software you have installed, the fewer bugs you have (statistically, anyway). How many apps have you installed because they were free? How many apps came installed with your PC that you never use? How about companion apps for products you no longer own? Or maybe apps you installed years ago that you've forgotten about. You need to review all of your apps and get rid of anything you aren't using. You can always reinstall them later, if necessary. But removing unused apps will also remove any software bugs and vulnerabilities that inevitably come with them. (It's also one less app to gather and sell personal data.) In other news: Amazon is looking to buy the maker of Roomba robotic vacuums that know the map of your home; Amazon is also hoping to buy a medical company to start directly providing healthcare; Google once again delays removing support for 3rd party cookies in Chrome; a candidate post-quantum computing encryption algorithm was defeated in an hour with a regular PC; open source software is used everywhere, but is getting very little security support; hackers act on patched bugs within minutes; our cars are collecting and sharing tons of detailed information about us and our driving habits; Samsung has implemented a "repair mode" to protect your data while your phone is in the shop; and a new Android malware is contained in several "cleaner" apps. 
Article Links
[Mashable] Amazon vacuums up Roomba maker iRobot, sparking immediate privacy concerns https://mashable.com/article/amazon-irobot-acquisition-roomba-privacy
[Time] Amazon's Dangerous Ambition to Dominate Healthcare https://time.com/6201575/amazons-dangerous-ambition-to-dominate-healthcare/
[HackerNews] Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024 https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html
[Ars Technica] Post-quantum encryption contender is taken out by single-core PC and 1 hour https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
[Ars Technica] Samsung's “repair mode” lets technicians look at your phone, not your data https://arstechnica.com/gadgets/2022/07/samsungs-repair-mode-lets-technicians-look-at-your-phone-not-your-data/
[Lawfare] Open-Source Security: How Digital Infrastructure Is Built on a House of Cards https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
[ZDNet] Race against time: Hackers start hunting for victims just 15 minutes after a bug is disclosed https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Ars Technica] T-Mobile to pay $500M for one of the largest data breaches in US history https://arstechnica.com/tech-policy/2022/07/t-mobile-to-pay-500m-for-one-of-the-largest-data-breaches-in-us-history/
[Tom's Guide] Millions infected by 'auto-starting' Android malware — delete these apps now https://www.tomsguide.com/news/millions-infected-by-auto-starting-android-malware-delete-these-apps-now
Tip of the Week: https://firewallsdontstopdragons.com/deleting-your-way-to-better-security/

Further Info
Mac AppCleaner: https://freemacsoft.net/appcleaner/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your g...
Cameras are everywhere. Every person you pass on the street has a camera on their phone, and security cameras are everywhere. They're so cheap and small now, and most of them are connected to the cloud. Not only does that mean they basically have unlimited storage, but it also opens the door for computers to process those images and footage looking for faces. Today, I'll speak with Nate Wessler from the ACLU about the implications of this technological perfect storm on our privacy and what rights we actually have today with regard to facial recognition and use of these systems by law enforcement. Nate Wessler is a deputy director with the ACLU's Speech, Privacy, and Technology Project, where he focuses on litigation and advocacy around surveillance and privacy issues, including government searches of electronic devices, requests for sensitive data held by third parties, and use of surveillance technologies.

Further Info
ACLU suit against Clearview AI: https://iapp.org/news/a/aclu-files-class-action-vs-clearview-ai-under-biometric-privacy-law/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:41: DEF CON updates
0:03:18: Interview start
0:05:46: Carpenter v. US case
0:10:13: What's my expectation of privacy in public spaces?
0:17:30: Private right of action
0:18:58: What rights do I have for online photos of me?
0:21:54: Aren't we enabling facial recognition by tagging people?
0:23:47: Is there any solution beyond regulation?
0:27:16: Who is Clearview AI and what are they doing?
0:32:24: ACLU's lawsuit win against Clearview AI
0:38:57: Is it possible to limit this tech to just "the good guys"?
0:43:00: This guy looks like Woody Harrelson!
0:47:07: What about the good uses for this tech?
0:53:09: What about 1-to-1 facial matching services?
0:56:20: So what can we, as citizens, do about all of this?
0:58:22: When should we reach out to the ACLU?
1:00:26: Wrap up
The "rolling code" technology used to remotely open and lock your car is supposed to prevent hacking. Unfortunately, Honda has a pretty serious vulnerability in their cars that apparently allows anyone with a little talent and cheap hacking tools to get into your car - and maybe even start it (though not actually drive it away). If correct, this vulnerability affects probably all Hondas made over the last 10 years. So far, Honda has denied that this is a problem, but many researchers have reproduced the hack. In other news: cheap, Chinese-made GPS vehicle trackers are vulnerable to remote hacking; Chrome, Edge and Safari browsers fix serious 0-day bugs; Twitter data breach info on 5.4M users is up for sale on the dark web; Windows is getting a crucial security update that turns an important security feature on by default; the Conti ransomware gang is attacking the entire country of Costa Rica; Facebook quickly bypasses Firefox's URL tracking removal feature; Tor Browser adds a useful feature that will help people in repressive countries; Google appears ready to stop blocking political spam emails; Amazon admits to giving Ring video to law enforcement without consent or a warrant; a complicated, targeted web browser trick can be used to identify website visitors.

Article Links
[U.S. News & World Report] Researchers: Chinese-Made GPS Tracker Highly Vulnerable https://www.usnews.com/news/business/articles/2022-07-19/researchers-chinese-made-gps-tracker-highly-vulnerable
[Ars Technica] 0-day used to infect Chrome users could pose threat to Edge and Safari users, too https://arstechnica.com/information-technology/2022/07/exploit-seller-used-chrome-exploit-and-2-other-0-days-to-infect-journalists/
[9to5mac.com] Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k https://9to5mac.com/2022/07/22/twitter-data-breach/
[ZDNet] Windows 11 is getting a new security setting to block ransomware attacks https://www.zdnet.com/article/windows-11-is-getting-a-new-security-setting-to-block-ransomware-attacks/
[ThreatPost] Conti's Reign of Chaos: Costa Rica in the Crosshairs https://threatpost.com/contis-costa-rica/180258/
[Schneier Blog] Facebook Is Now Encrypting Links to Prevent URL Stripping https://www.schneier.com/blog/archives/2022/07/facebook-is-now-encrypting-links-to-prevent-url-stripping.html
[Infosecurity Magazine] Tor Browser Adds Automatic Censorship Circumvention https://www.infosecurity-magazine.com/news/tor-browser-automatic-censorship/
[Inc. Magazine] Google Revealed Plans for a Big Change to Gmail That Almost Nobody Wants. You Have 19 Days to Object https://www.inc.com/bill-murphy-jr/google-revealed-plans-for-a-big-change-to-gmail-that-almost-nobody-wants-you-have-19-days-to-object.html
[The Intercept] Amazon Admits Giving Ring Camera Footage to Police Without a Warrant or Consent https://theintercept.com/2022/07/13/amazon-ring-camera-footage-police-ed-markey/
[The Drive] I Tried the Honda Keyfob Hack on My Own Car. It Totally Worked https://www.thedrive.com/news/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked
[WIRED] A New Attack Can Unmask Anonymous Users on Any Major Browser https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/
Tip of the Week: More Uses for Password Vaults: https://firewallsdontstopdragons.com/more-uses-for-password-vaults/

Further Info
Amulet of Entropy!!: https://amuletofentropy.com/
Peppering your passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don't Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:02: Bad Bugs in GPS Vehicle Trackers
0:07:16: Zero-Day Bugs in Chrome, Edge,
We take that little box that connects our home to the internet for granted. But in reality, it's often the only thing hiding our computers and vulnerable IoT devices from automated, remote attacks. This "internet background radiation" is ever present - a massive network of malicious or compromised devices, constantly scanning the internet for exposed and ill-protected systems. Today, we'll discuss routers, firewalls and other common aspects of home network security with the CEO of CrowdSec. He'll also explain how we can enable these devices to share information in a sort of global neighborhood watch program, distributing information about bad actors to better protect us all. Philippe Humeau graduated as an IT security engineer in 1999. He then created his first company, dedicated to red team penetration testing and high-security hosting. After selling his first company, his enduring passion for cybersecurity led him to create CrowdSec in 2020. This open-source software publisher builds a participative IPS that generates global, crowd-powered cyber threat intelligence (CTI).

Further Info
CrowdSec: https://crowdsec.net/
CrowdSec code repository: https://github.com/crowdsecurity/crowdsec
Lulu reverse firewall: https://objective-see.org/products/lulu.html
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Amulet of Entropy!!: https://amuletofentropy.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:46: Update on Firefox Total Cookie Protection
0:03:50: DEF CON coming soon
0:04:47: Interview start
0:06:49: What does a firewall do?
0:10:18: Should I enable the firewall on my computer, too?
0:14:18: What is Universal Plug and Play (UPnP)?
0:16:04: What is Network Address Translation (NAT)?
0:20:16: Hacker vs Cybercriminal?
0:21:17: Internet Background Radiation
0:26:19: Creating network silos
0:29:28: Attacks from within
0:32:15: Botnets and DDoS attacks
0:35:37: What are the biggest network threats today?
0:40:16: Who are the main threat actors?
0:45:09: How does CrowdSec work?
0:49:36: How quickly do agents share info?
0:51:37: How does CrowdSec make money?
0:53:03: Can you use CrowdSec on home routers?
0:55:28: Are things getting better or worse?
0:57:43: Top security tips?
1:01:45: How do you poke a hole in a firewall?
1:04:01: Setting up guest network
1:07:48: Reverse firewalls
1:09:07: Final word
This week we'll talk about three significant new data breaches. Each of these data leaks is important in different ways, but the trend is clear: data wants to be free. First of all, we need to stop collecting so damn much of it. But second, we need to make it more expensive for data-collectors who are criminally negligent with the protection of our data. Right now, it's cheaper to let it escape than to spend time, effort and money to protect it. (In my Tip of the Week, I'll tell you about a great free tool that will let you protect your own data.) In other news: Google patches some serious zero-day Chrome bugs and I'll explain how they work; personal data for many California gun owners was leaked; Marriott suffered yet another customer data breach; personal data on over 1 billion people in China is up for sale; crypto exchange Coinbase is sharing info with US immigration enforcers; a sophisticated malware named ZuoRAT is infecting SOHO routers; a new Windows worm appears to be coming from infected USB devices; a free decryptor has been released for AstraLocker and Yashma ransomware; Apple's new Lockdown mode shows real promise; and the US Immigration and Customs Enforcement agency has become a full-tilt mass surveillance organization.

Article Links
[Naked Security] Google patches “in-the-wild” Chrome zero-day – update now! https://nakedsecurity.sophos.com/2022/07/05/google-patches-in-the-wild-chrome-zero-day-update-now/
[Gizmodo] California Gun Owners Had Lots of Their Data Exposed by the State Government https://gizmodo.com/california-gun-owners-data-exposed-state-justice-dept-1849124116
[TechCrunch] Hotel giant Marriott confirms yet another data breach https://techcrunch.com/2022/07/06/marriott-breach-again/
[ZDNet] Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web https://www.zdnet.com/article/giant-data-breach-leaked-personal-data-of-one-billion-people-has-been-spotted-for-sale-on-the-dark-web/
[The Intercept] Cryptocurrency Titan Coinbase Providing “Geo Tracking Data” to ICE https://theintercept.com/2022/06/29/crypto-coinbase-tracer-ice/
[Ars Technica] A wide range of routers are under attack by new, unusually sophisticated malware https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/
[PCM] Hundreds of Windows Networks Are Infected With Raspberry Robin Worm https://www.pcmag.com/news/hundreds-of-windows-networks-are-infected-with-raspberry-robin-worm
[BleepingComputer] Free decryptor released for AstraLocker, Yashma ransomware victims https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/
[9to5mac.com] Firefox now lets users remove tracking parameters from URLs to enhance privacy https://9to5mac.com/2022/06/29/tracking-parameters-urls-firefox/
[Ars Technica] Why Lockdown mode from Apple is one of the coolest security ideas ever https://arstechnica.com/information-technology/2022/07/introducing-lockdown-from-apple-the-coolest-defense-youll-probably-never-use/
Data-Driven Deportation in the 21st Century https://americandragnet.org/
Tip of the Week: https://firewallsdontstopdragons.com/creating-a-file-vault-with-cryptomator/

Further Info
Cryptomator: https://cryptomator.org/
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Seth interview on cryptocurrency: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/
Amulet of Entropy!!: https://amuletofentropy.com/
No More Ransom. A non-profit devoted to helping break ransomware crypto so that victims don't have to pay.
ID Ransomware. A tool for identifying which ransomware you've been infected with and then guiding you to other resources for help.
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your...
While many of us prefer order in our lives, at least most of the time, we sometimes need a little chaos. Specifically, we need a source of true randomness in order to properly drive many of our cryptographic systems - to secure our digital communications, for example. And while computers are very good at doing what we tell them to do, they suck at being unpredictable. Therefore we have to find other ways to inject a little chaos. Today I will discuss these concepts with Joe Long, founder and CEO of HackerBoxes.com. Along the way, we'll share stories of hardware hacking and our love of electronics tinkering. And then we'll reveal a totally geeky project we've been working on together for many months now that we dubbed the Amulet of Entropy! Joe Long is a professional engineer, patent attorney, and hardware hacker. He has decades of expertise in electronics which he has taught to over a million students around the world. Joe is the founder of HackerBoxes - a company that provides kits, workshops, and monthly subscription boxes for building and learning electronics.

Further Info
Amulet of Entropy!!: https://amuletofentropy.com/
HackerBox #0080: https://hackerboxes.com/products/hackerbox-0080-entropy
Amulet GitHub repo: https://github.com/FirewallDragon/amulet-of-entropy
HackerBoxes: https://hackerboxes.com/
Forrest Mims electronics books: https://www.forrestmims.com/
Humble Bundle electronics books: https://www.humblebundle.com/books/boards-coding-make-co-books
HackADay: https://hackaday.com/
DEF CON 30: https://defcon.org/html/defcon-30/dc-30-index.html
Firewalls Don't Stop Dragons book: https://www.amazon.com/gp/product/1484261887
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:23: Start of interview
0:05:42: What is a hardware hacker?
0:09:09: What got you into electronics?
0:14:49: What do you need to get into electronics?
0:21:46: What is entropy?
0:24:36: Where do we find entropy in everyday life?
0:28:18: Why is entropy important for cryptography?
0:30:58: Why do computers suck at randomness?
0:35:18: So how do we find true random values?
0:38:42: What happens when randomness fails?
0:41:17: How we use patterns to efficiently encode things
0:46:44: The Amulet of Entropy!
0:51:53: Designing the project
0:55:33: Fun uses of entropy
0:56:41: How do I get one??
0:57:53: Outro
1:01:06: DEF CON 30 talk
1:01:45: Electronics resources for newbies
Firefox officially rolled out its Total Cookie Protection feature last week, which is a clever and elegant solution for blocking tracking that uses third-party cookies. Unfortunately... it didn't seem to be working for me when I tested it. There are at least a couple of reasons why this might be, and a workaround, both of which I will discuss in today's Tip of the Week. Also: a drunk employee lost a flash drive with half a million customers' data in Japan; a TikTok leak appears to show that even with US user data being "moved" to US soil, engineers in China can still access it; a new voicemail scam tries to trick you into giving up your Microsoft account credentials; MEGA fixes several flaws which might allow a rogue employee to view your data; 56 security flaws in industrial systems could impact thousands of devices around the world; Google Password Manager now allows for client-side encryption; Microsoft's Defender is now available for non-Windows devices (for a fee); T-Mobile is the latest to use its privileged position to hoover up and sell customer data; spyware companies are proliferating; Facebook is receiving sensitive medical info from its Meta Pixel; and vacation rentals are sadly great places for spycams, and I'll help you try to spot them.
Article Links
[The Guardian] Japanese city worker loses USB containing personal details of every resident https://www.theguardian.com/world/2022/jun/24/japanese-city-worker-loses-usb-containing-personal-details-of-every-resident
[Gizmodo] TikTok Leak Alleges User Data Isn't Private: ‘Everything Is Seen in China' https://gizmodo.com/tiktok-china-oracle-bytedance-1849078477
[Threatpost] Voicemail Scam Steals Microsoft Credentials https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/
[BleepingComputer] MEGA fixes critical flaws that allowed the decryption of user data https://www.bleepingcomputer.com/news/security/mega-fixes-critical-flaws-that-allowed-the-decryption-of-user-data/
[BleepingComputer] Icefall: 56 flaws impact thousands of exposed industrial devices https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thousands-of-exposed-industrial-devices/
[9to5Google] Google Password Manager starts offering on-device encryption on Android, iOS, and Chrome https://9to5google.com/2022/06/21/google-password-on-device-encryption/
[PCM] WTF? Do I Have to Pay for Microsoft's Defender Antivirus Now? https://www.pcmag.com/news/wtf-do-i-have-to-pay-for-microsofts-defender-antivirus-now
[The Verge] T-Mobile is selling your app usage data to advertisers — here's how to opt out https://www.theverge.com/2022/6/24/23181851/t-mobile-browsing-data-app-insights-marketing-opt-out
[WIRED] Google Warns of New Spyware Targeting iOS and Android Users https://www.wired.com/story/hermit-spyware-rcs-labs/
[The Markup] Facebook Is Receiving Sensitive Medical Information from Hospital Websites https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
[USA TODAY] How to spot hidden surveillance cameras in your Airbnb, VRBO, or vacation rentals https://www.usatoday.com/story/tech/columnist/komando/2022/06/23/how-check-hidden-cameras-airbnb-vrbo-vacation-rentals/7652726001/

Further Info
Tip of the Week: Total Cookie Protection? https://firewallsdontstopdragons.com/total-cookie-protection/
Cookie Forensics Test: https://www.grc.com/cookies/forensics.htm
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:17: News topic summary
0:04:47: Drunk worker loses customer data
0:08:00: TikTok phone call leak
0:12:04: Microsoft voicemail scam
0:16:23: ...
Everyone hates dealing with passwords, and yet they've been the de facto standard of computer authentication for decades. But there's light at the end of this long tunnel. There is a passwordless future where we can log in to our accounts using just our smartphones. In this future, it won't matter if websites are breached because there will be no password databases to steal. Even phishing will be a thing of the past. And thankfully, that future isn't far away. Today I'll discuss where we are, how we got here, and where we're going with Yubico's Derek Hanson. Derek Hanson has been involved in the identity and security industry for over ten years. He has been building networks and deploying computer systems since the mid-90s and now is an advocate for how you can best protect them. He is now the VP of Solutions Architecture and Alliances at Yubico.

Further Info
Yubico/YubiKey: https://www.yubico.com/
NIST password guidelines: https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/
OPM fingerprint database hack: https://www.wired.com/2015/09/opm-now-admits-5-6m-feds-fingerprints-stolen-hackers/
WebAuthn: https://webauthn.guide/
FIDO: https://fidoalliance.org/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents (new!)
Use these timestamps to jump to a particular section of the show.
0:01:01: Welcome new patrons!
0:01:41: New table of contents
0:03:40: Update Windows ASAP
0:04:03: Pre-interview notes
0:04:34: Interview start
0:06:21: Why do we still use passwords?
0:11:26: Why don't more people use password managers?
0:15:25: NIST updates password recommendations
0:17:50: Should we use biometrics for authentication?
0:23:40: How do passwordless systems compare to what we have now?
0:29:00: How does authentication work in a passwordless system?
0:32:50: Have we settled on a single passwordless standard?
0:37:24: How well is this new standard supported?
0:40:41: How do I use this passwordless technology?
0:43:00: How soon will we see passwordless logins?
0:46:22: Which 2FA system is best and will we still need this going forward?
0:51:33: What current technologies are best for securing our accounts?
0:55:18: How do hardware keys work?
1:00:42: OPM fingerprint hack
1:01:48: Bonus content preview
1:02:02: Upcoming shows
I preach about using password managers constantly - because they really are a fantastic tool for increasing your security. Humans suck at creating memorable passwords that are not also easy to guess. But the idea of putting all your juicy secrets into a digital vault that is controlled by a third party and synchronized through the cloud may not sit well with you. And I totally get that. It's a very valid concern. But what if there were a way to have your cake and eat it, too? (I never understood that expression... what good is having cake if you can't eat it, right?) I'll explain a simple technique using cryptographic "pepper" that will allow you to use a password manager, even if you don't trust it. In other news: US water utilities are woefully unprepared for cyberattacks; paper ballots are essential for secure elections, but not sufficient; PDFs are being used to cleverly hide keylogging malware; Chinese hackers have infiltrated many global telecom companies for years; Australia's new "secure" digital driver's license is anything but; the FBI manages to recover half of the Colonial Pipeline ransom; a new facial search engine is on the scene, with even less protection than Clearview AI; and the Tim Hortons app stole a heck of a lot of user location data from its customers.

Article Links
[Threatpost] U.S. Water Utilities Prime Cyberattack Target, Experts https://threatpost.com/water-cyberattack-target/179935/
[CDT] Do Ballot Barcodes Threaten Election Security? https://cdt.org/insights/do-ballot-barcodes-threaten-election-security/
[BleepingComputer] PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/
[MIT Technology Review] Chinese hackers exploited years-old software flaws to break into telecom giants https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/
[Ars Technica] “Tough to forge” digital driver's license is… easy to forge https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
[CPO Magazine] FBI Recovers $2.3 Million of Colonial Pipeline Ransomware Payment; Some Que https://www.cpomagazine.com/cyber-security/fbi-recovers-2-3-million-of-colonial-pipeline-ransomware-payment-some-questions-about-the-attack-answered/
[The Mercury News] A face search engine anyone can use is alarmingly accurate https://www.mercurynews.com/2022/05/28/a-face-search-engine-anyone-can-use-is-alarmingly-accurate-2
[CTV News] Tim Hortons app collected vast amounts of sensitive data: privacy watchdogs https://www.ctvnews.ca/business/tim-hortons-app-collected-vast-amounts-of-sensitive-data-privacy-watchdogs-1.5927716
Pepper Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/

Further Info
Only FIVE DAYS LEFT to get your dragon coin! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Techlore interview: https://youtu.be/-GubGbuWBfk
Exploits of a Mom (XKCD “Bobby Tables” cartoon): https://xkcd.com/327/
Bobby Tables explanation: https://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables
Generate secure passphrases! https://d20key.com/#/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Everyone has heard of Bitcoin, but almost no one understands what the heck it actually is. Today I'm interviewing Seth from Seth for Privacy, who knows cryptocurrency backwards and forwards. Seth is also a privacy advocate who understands the broader implications of digital currency. I'll ask him to explain how cryptocurrency works, what the blockchain is, how crypto mining affects our environment, whether cryptocurrency is truly anonymous, and how cryptocurrency has any value whatsoever - and much more! Seth is a privacy educator, Monero contributor, and host of the Opt Out podcast.

Further Info
Opt Out podcast: https://optoutpod.com
Seth's bio: https://sethforprivacy.com/about/
Seth's Twitter feed: https://twitter.com/sethforprivacy
Why Cryptocurrencies? https://whycryptocurrencies.com/toc.html
Local Monero: https://localmonero.co/
Cryptocurrency ATMs: https://coinatmradar.com/
Bitcoin energy consumption: https://niccarter.info/topics/#energy
Was Bitcoin Created by This International Drug Dealer? https://www.wired.com/story/was-bitcoin-created-by-this-international-drug-dealer-maybe/
XKCD comic - $5 wrench: https://xkcd.com/538/
Byzantine Generals Problem: https://en.wikipedia.org/wiki/Byzantine_fault
Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/
Hot Wallets vs Cold Wallets: https://appleinsider.com/articles/22/06/04/crypto-101-the-difference-between-hot-and-cold-wallets
Microsoft unpatched vulnerability: https://www.kaspersky.com/blog/follina-cve-2022-30190-msdt/44461/

Dragon Coins & Passphrases
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Modern smartphones have a potentially life-saving feature called "SOS" or "Emergency" mode that can give first responders critical medical information and automatically dial your country's emergency phone number. It can report your location and even notify selected contacts. In today's show, I'll share a story from one woman who believes this mode saved her life. It's easy to use and set up, but it won't do you any good if you don't know about it. I'll tell you everything you need to know. In other news: Clearview AI is looking to expand its services to schools, banks and other institutions that wish to authenticate people; MasterCard is launching a new facial recognition system that will allow users to pay "with a smile"; the US Department of Justice has finally issued long-overdue guidance on common sense limitations for prosecuting security researchers and regular people who might run afoul of the tragically over-broad Computer Fraud and Abuse Act (CFAA); Twitter has been fined and Google has been sued for abusing customer data; local governments forced children to use EdTech software that surreptitiously harvested their data and fed them behavior-based ads; DuckDuckGo is in damage control over reports that it isn't blocking some Microsoft web tracking due to an agreement which they legally can't discuss; there's a new Wells Fargo phishing campaign going around which seeks to gather tons of data that would easily enable identity thefts; and a security researcher has found a bug with the OAuth single-sign on functionality used by Facebook. 
Article Links
[Gizmodo] Clearview AI Says It's Bringing Facial Recognition to Schools https://gizmodo.com/clearview-ai-facial-recognition-privacy-1848975528
[The Guardian] Mastercard launches 'smile to pay' system amid privacy concerns https://www.theguardian.com/technology/2022/may/17/mastercard-launches-smile-to-pay-amid-privacy-concerns
[The Verge] Justice Department pledges not to charge security researchers with hacking crimes https://www.theverge.com/2022/5/19/23130910/justice-department-cfaa-hacking-law-guideline-limits-security-research
[NPR] Twitter agrees to pay $150 million after FTC, DOJ accuse company of mishandling data https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc
[Human Rights Watch] Governments Harm Children's Rights in Online Learning https://www.hrw.org/news/2022/05/25/governments-harm-childrens-rights-online-learning
[Review Geek] DuckDuckGo Isn't as Private as You Thought https://www.reviewgeek.com/118915/duckduckgo-isnt-as-private-as-you-thought/
[Sky] Google sued for using the NHS data of 1.6 million Brits 'without their knowledge or consent' https://news.sky.com/story/google-sued-for-using-the-nhs-data-of-1-6-million-brits-without-their-knowledge-or-consent-12614525
[Kaspersky] Bank phishing and identity theft https://usa.kaspersky.com/blog/wells-fargo-phishing-identity-theft/26473/
[Forbes] Security Warning For Facebook Users Who Login With Gmail OAuth Code https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/
[9to5mac.com] iPhone SOS credited with saving woman during assault attempt – Here's how to set it up https://9to5mac.com/2022/05/24/iphone-sos-how-to-set-it-up/
Set up Emergency mode, Apple iPhone: https://support.apple.com/en-us/HT208076
Set up Emergency mode, Google Pixel: https://support.google.com/pixelphone/answer/7055029
Set up Emergency mode, Samsung Galaxy: https://www.samsung.com/us/support/answer/ANS00050849/
Further Info
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Amulet of Entropy teaser #2: https://twitter.com/HackerBoxes/status/1530341605567242240?s=20&t=OWW931j-mZk8cMRc6yp9bA
Stop Using “Sign in with”: https://firewallsdontstopdragons.com/stop-using-sign-in-with/
EFF on facial recognition technology: https://www.eff.org/deeplinks/2021/10/face-recognition-isnt-just-face-ide...
There's a lot we can glean from history, but sometimes it's not as obvious as you might think. For example, did you know that until the mid-1800s most Americans hated tomatoes, and that ketchup was originally made from mushrooms? The story behind how Americans came to love tomatoes is quite fascinating, but what is perhaps most interesting is the way our guest applies this knowledge to the realm of cybersecurity. Today we will also learn how one of the most powerful cryptographic techniques to this day originated in the time of the telegraph. Along the way, we'll discuss how humans choose their passwords, how they should be creating passwords, and how often we should be changing our passwords. Anthony Collette is a Senior Consent Form Editor at the largest Institutional Review Board (IRB) in the United States. This regulatory agency has reviewed over 1,000 COVID-19 research studies, conducted at more than 12,000 locations. Mr. Collette analyzes complex medical documents, synthesizes the central concepts, and translates technical jargon into relatable language directed to the non-technical research participant. These skills transfer perfectly to the task of analyzing and understanding the conflicting and often outdated advice given about passwords, stripping away what's unnecessary, and getting down to the actionable core of the issues.
Interview Links
Anthony Collette: https://www.linkedin.com/in/tonycollette/
Loistava Information Security website: www.LositavaInfoSecurity.com
CASTALOT™ Dice Landing Page: https://www.castalotdice.com?utm_source=dragons1
CASTALOT™ Dice Facebook VIP Group: https://www.facebook.com/groups/1317312032055849
The History of Tomatoes in America: https://www.amazon.com/Tomato-America-History-Culture-Cookery/dp/1570030006/
NY Times, Secret Life of Passwords: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html
A Look at Telegraph Codes (Steven Bellovin): https://www.cs.columbia.edu/~smb/papers/codebooks.pdf
DFLEKT Keyless Entry Protection: https://www.duku.co.uk/dflekt
Further Info
Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Amulet of Entropy teaser: https://twitter.com/HackerBoxes/status/1523318662807298051?s=20&t=dwQFy7ieRMGjRCqgAR7btQ
When we surf the web today - on our computers or smartphones - we are mercilessly tracked. Marketing firms and data brokers are hoovering up ungodly amounts of our personal data, selling it, trading it and mining it to derive even more about us. Many offer some way to limit or stop this wanton data collection, but good luck figuring out how - let alone even knowing who to ask. Wouldn't it be nice if you could just click one button and tell everyone to leave you alone? Of course, we tried this a decade ago with Do Not Track, but there were no regulations in place to require companies to respect it. While we have a long way to go, some regions do now have privacy laws - and now we have a new way to invoke our privacy rights: Global Privacy Control. Today, I'll tell you how to enable this on your devices and tell data miners to get lost. In other news: Clearview AI has been forced to cut back on its creepy facial recognition software; the EU is proposing dangerous new surveillance requirements in the name of child safety; if you have an HP computer, you need to check for BIOS software updates ASAP; automated vehicles are outfitted with tons of video cameras, and law enforcement have been using this data for investigations; thousands of popular websites are saving data from online forms even if you don't click 'submit'; the CDC has been buying cell phone location data to track compliance with covid curfews and more; data from period-tracking apps may soon be used against people seeking abortions if Roe v. Wade is struck down in the US; Facebook is ending some location-based services (though still collecting your location data); Chinese hackers have stolen hundreds of billions of dollars in intellectual property, including military, manufacturing and pharmaceutical info; and mental health apps aren't taking proper care of your very personal data. 
Article Links
[Engadget] Clearview AI agrees to limit sales of facial recognition data in the US https://www.engadget.com/clearview-ai-agrees-to-limit-sales-of-facial-recognition-data-in-the-us-173357030.html
[Electronic Frontier Foundation] The EU Commission's New Proposal Would Undermine Encryption And Scan Our Messages https://www.eff.org/deeplinks/2022/05/eu-commissions-new-proposal-would-undermine-encryption-and-scan-our-messages
[TechSpot] HP pushes out BIOS update addressing high-severity vulnerabilities affecting 200+ models https://www.techspot.com/news/94561-hp-pushes-out-bios-update-addressing-high-severity.html
[VICE] San Francisco Police Are Using Driverless Cars As Mobile Surveillance Cameras https://www.vice.com/en/article/v7dw8x/san-francisco-police-are-using-driverless-cars-as-mobile-surveillance-cameras
[WIRED] Thousands of Popular Websites See What You Type—Before You Hit Submit https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/
[MLive] CDC tracked Americans' phones to see if they followed COVID-19 lockdowns https://www.mlive.com/news/2022/05/cdc-tracked-americans-phones-to-see-if-they-followed-covid-19-lockdowns.html
[VICE] Data Broker SafeGraph Stops Selling Location Data of People Who Visit Planned Parenthood https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood
[NPR] How period tracking apps and data privacy fit into a post-Roe v. Wade climate https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps
[9to5mac.com] Facebook to discontinue Nearby Friends and other location-based features https://9to5mac.com/2022/05/05/facebook-to-discontinue-nearby-friends-and-other-location-based-features/
[CBS News] Chinese hackers took trillions in intellectual property from about 30 multinational companies https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/
[The Verge] Mental health apps have terrible privacy protections, report finds https://www.theverge.
We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us - sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick-and-mortar stores track you within their stores, noting where you go, how long you stay in some locations, and where you don't go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used by authoritarian governments to track journalists, dissidents and "people of interest". If all of that weren't bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I'll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we'll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about online privacy, cybersecurity, and the laws and proposed legislation that regulate how data is stored, shared, and accessed.
Further Info
Malwarebytes blog: https://blog.malwarebytes.com/
Malwarebytes podcast: https://blog.malwarebytes.com/category/podcast/
David Ruiz interviews me: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/
Coalition Against Stalkerware: https://stopstalkerware.org/
Malwarebytes detection software: https://www.malwarebytes.com/mwb-download
Stalkerware-type detections hit record high in 2021, but fell in second half: https://blog.malwarebytes.com/stalkerware/2022/04/stalkerware-type-detections-hit-record-high-in-2021-but-fell-in-second-half/
Kashmir Hill article: https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Security isn't a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers use the same engine - Chrome, Edge and Opera are all based on Chromium. Second, there's no real conflict of interest between browser makers and browser users when it comes to security - it's a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I'll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn't make the list.) NOTE: I'm giving away TEN free subscriptions to ProtonMail Plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That's it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspirational Declaration for the Future of the Internet; in a twist of fate, Russia is now the target of global hacking; another nasty Java zero-day bug has been found; leaked Cellebrite documents detail which iPhones they can hack into; Amazon and third parties are mining your Alexa requests for personal data; Microsoft is going to add a free VPN to its Edge browser; Facebook is pulling detailed user data from the US college financial aid site FAFSA, and apparently Facebook has no clue how to tell the source of all the data it collects (making it impossible to comply with privacy regulations); Google is now giving you a way to remove some personal info from its searches; and Brave and DuckDuckGo are both blocking Google "AMP" links, which collect data about the sites you visit.
Article Links
EFF Statement on the Declaration for the Future of the Internet https://www.eff.org/deeplinks/2022/04/eff-statement-declaration-future-internet
Declaration for the Future of the Internet: https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf
Russia Is Being Hacked at an Unprecedented Scale https://www.wired.co.uk/article/russia-hacked-attacks
Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries https://www.schneier.com/blog/archives/2022/04/java-cryptography-implementation-mistake-allows-digital-signature-forgeries.html
Cellebrite iPhone cracking: Here's which models the kit can unlock and access, and how to protect your data https://9to5mac.com/2022/04/29/cellebrite-iphone-cracking/
Report: Amazon and third parties use Alexa voice data for ads while Siri respects privacy https://9to5mac.com/2022/04/29/amazon-alexa-voice-data-used-for-ads/
Microsoft Is Adding a Free VPN to the Edge Browser https://www.pcmag.com/news/microsoft-is-adding-a-free-vpn-to-the-edge-browser
Go read this exposé on how FAFSA got caught sending personal info to Facebook https://www.theverge.com/2022/4/29/23048305/fafsa-facebook-department-of-education-us-student-financial-aid-meta-tracking-pixel
Applied for Student Aid Online? Facebook Saw You https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you
Facebook doesn't know what most of its user data is used for https://appleinsider.com/articles/22/04/27/facebook-doesnt-know-what-most-of-its-user-data-is-used-for
You can now ask Google to remove your phone number from search https://www.androidauthority.com/google-search-remove-phone-number-3158456/
Google request site: https://support.google.com/websearch/answer/9673730
Brave, DuckDuckGo updates target Google AMP sites in privacy push https://www.macworld.com/article/633804/brave-duckduckgo-updates-target-google-amp-sites-in-privacy-push.html
Which Is the Most Private Browser? https://firewallsdontstopdragons.com/which-is-the-most-private-browser/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.
Google and Facebook will swear up and down that they do not sell your data. While technically true, they do sell access to your data. Basically, your data is private from everyone - but them. And that's a crucial caveat. To have true privacy, you want to work with a company that has absolutely minimal access to your data. You want privacy by design. And this is not easy to do with a very old internet standard like email. Proton has been offering truly private email for almost a decade (ProtonMail) and over the years has added many other features like a VPN and calendar, making them a true privacy-respecting alternative to the likes of Google. Today I'll speak with Proton's founder and CEO, Dr. Andy Yen, about the importance of privacy as a human right and the delicate balance between privacy and the needs of law enforcement. I'll ask him how to evaluate products for privacy and what we can all do to bring about a better future where we can express ourselves freely. Dr. Andy Yen is the founder and CEO of Proton. He was a scientist at CERN, has a PhD in physics from Harvard University, and has long worked to advance privacy and freedom online.
Further Info
ProtonMail: https://protonmail.com/
Proton & SimpleLogin join forces: https://protonmail.com/blog/proton-and-simplelogin-join-forces/
Check out my security-enhancing challenge coins! https://d20key.com/#/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
When people don't understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day - selling cures for ailments that didn't exist or that didn't actually improve the consumer's health. The realm of computers is rife with cybersecurity snake oil as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I'm going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install chips under your skin that will allow you to pay for stuff with your hand; a scathing article about a security failure by Wyze web cams; and hackers are using fake Emergency Data Requests to get your data from tech companies.
Article Links
T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. https://www.vice.com/en/article/k7w9mv/tmobile-hacked-bought-data-mandiant
Feds Uncover a 'Swiss Army Knife' for Hacking Industrial Control Systems https://www.wired.com/story/pipedream-ics-malware/
Over 8 Million Cash App Users Potentially Exposed in a Data Breach After a Former Employee Downloaded Customer Information https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/
Pegasus spyware hacked iPhones of senior EU officials, who were alerted by Apple https://9to5mac.com/2022/04/11/pegasus-spyware-hacked-iphones-of-senior-eu-officials/
The microchip implants that let you pay with your hand https://www.bbc.com/news/business-61008730
I'm done with Wyze https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure
Hackers Using Fake Police Data Requests against Tech Companies https://www.schneier.com/blog/archives/2022/04/hackers-using-fake-police-data-requests-against-tech-companies.html
VPNs are digital 'snake oil,' expert claims — here's why https://www.tomsguide.com/news/vpn-big-claims-truth-shmoocon22
What a VPN Is (and Isn't): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/
Further Info
John Oliver on data brokers: https://www.youtube.com/watch?v=wqn3gR1WTcA
Mullvad VPN: https://mullvad.net/
IVPN: https://www.ivpn.net/
ProtonVPN: https://protonvpn.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Today, most of us take the internet - and access to the internet - for granted. It's ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I'm not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems, like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I'll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and how to be better prepared for digital disruption.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
How to Prepare for a Power Outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
Download Wikipedia: https://wiki.kiwix.org/wiki/Content_in_all_languages
VulnHub downloadable, free CTFs: https://www.vulnhub.com/
Black Hills Infosec: https://www.blackhillsinfosec.com/
Crypto-Gram by Bruce Schneier: https://www.schneier.com/crypto-gram/
Code: The Hidden Language of Computer Hardware and Software: https://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319
The Art of Exploitation: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year's resolutions, so I've done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you're at it). In other news: UK police arrested seven people who may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with "protestware"; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search engine; app developers and cloud service providers are leaving your data lying around for anyone to find; and Google is testing its new tracking platform called Topics, which it will use to eventually replace third-party cookies.
Article Links
UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? https://nakedsecurity.sophos.com/2022/03/25/uk-police-arrest-7-hacking-suspects-have-they-bust-the-lapsus-gang/
FCC flags Russian cybersecurity firm Kaspersky as risk to national security https://mashable.com/article/fcc-bans-kaspersky-antivirus
This 'browser in browser' attack will steal your passwords — here's how to avoid it https://www.tomsguide.com/news/bitb-phishing-attack
Developer Sabotages Open-Source Software Package https://www.schneier.com/blog/archives/2022/03/developer-sabotages-open-source-software-package.html
US Passes "Game-Changing" Cyber Incident Reporting Legislation https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
Yandex is sending data harvested from millions of iOS users to Russia https://9to5mac.com/2022/03/29/yandex-is-sending-data-from-ios-users/
Your personal data is exposed to hackers — alarming report reveals mobile apps are not protecting your info https://www.laptopmag.com/news/your-personal-data-is-exposed-to-hackers-alarming-report-reveals-mobile-apps-are-not-protecting-your-info
Chrome's “Topics” advertising system is here, whether you want it or not https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/
De-Google My Life, Part 4: https://firewallsdontstopdragons.com/de-google-my-life-part-4
Further Info
Cryptomator: https://cryptomator.org/
Sync.com: https://www.sync.com/
ONLYOFFICE: https://www.onlyoffice.com/
NextCloud: https://nextcloud.com/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Today I'm speaking with a fellow privacy evangelist: Henry from Techlore. Like me, Henry and his team are on a mission to teach regular, everyday people how to secure their data and improve their privacy. Henry and I have a frank discussion about the importance of privacy today and the struggles we have when deciding which privacy-oriented products to recommend. First of all, everyone's privacy "threat model" is different. Second, many people still don't understand the true impacts of privacy failures - to themselves and to society in general. Privacy isn't just a "me" thing - it's also very much a "we" thing. And if all of that weren't enough, privacy advocates argue constantly (and often heatedly) about the proper litmus tests to use when evaluating privacy-oriented products. Today, Henry and I will discuss what frustrates us and what gives us hope in the highly nuanced realm of privacy.
Further Info
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
Techlore: https://techlore.tech/
Support Techlore! https://www.patreon.com/techlore
Simple Login: https://simplelogin.io/
MySudo: https://mysudo.com/
Privacy.com: https://privacy.com/
Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
One of my New Year's resolutions for 2022 is to reduce my Google footprint - to try to de-Google my life as best I can - and hopefully inspire you to do the same. In today's show, I'll talk about replacing Google's many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple's Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won't give it back; Russia has issued a state-sponsored "trusted root CA" that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from your dialer and messaging apps on Android.
Article Links
UK Network Operators Target iCloud Private Relay in Complaint to Regulator https://www.macrumors.com/2022/03/13/uk-network-operators-target-icloud-private-relay/
The FTC's new enforcement weapon spells death for algorithms https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy
Fraud is flourishing on Zelle. The banks say it's not their problem. https://www.seattletimes.com/business/fraud-is-flourishing-on-zelle-the-banks-say-its-not-their-problem/
You Should Not Trust Russia's New “Trusted Root CA” https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca
Wartime Is a Bad Time To Mess With the Internet https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet
DuckDuckGo down-ranks sites spreading Russian propaganda https://www.bleepingcomputer.com/news/technology/duckduckgo-down-ranks-sites-spreading-russian-propaganda/
Gmail tracking: Google keeps records of everything you buy. Here is how to delete this information. https://tutanota.com/blog/posts/gmail-tracks-everything-you-buy/
Google to make changes to apps after TCD study finds privacy issues https://www.irishtimes.com/business/technology/google-to-make-changes-to-apps-after-tcd-study-finds-privacy-issues-1.4826225
De-Google My Life, Part 3: https://firewallsdontstopdragons.com/de-google-my-life-part-3/
Further Info
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
My Lock & Code podcast interview: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/
Data Privacy for Cars: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
We didn't use to think too much about physical computer security because most computers were safely stored in our homes or businesses. But many people today use laptops, which can be lost or stolen while traveling or toting them back and forth to work. Having physical access to a computer makes it much easier for bad guys to hack into it and steal our data. By "sniffing" the data signals on the wires in computer motherboards, bad guys can actually pull out security keys that would allow them to bypass encrypted hard drives and account authentication. To combat this, Microsoft's Pluton project makes this data exfiltration much, much harder by embedding the security circuitry directly into the CPU chip, where the "wires" are microscopic and embedded in plastic casings. Tony Chen is a software engineer and security architect in the Microsoft core operating systems team. He was the development lead responsible for Xbox One security who worked with the hardware team and AMD to successfully launch the Xbox One console in 2013, which has not been hacked for piracy or cheating for over 5 years.
Further Info
Microsoft's Pluton project: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/
Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/
Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
As my de-Google project progresses, I realized that I skipped the most important step: reconnaissance. Before you can de-Google your life, you need to first make a list of the Google products and services you interact with - and not all of them have "Google" in their names. Google also owns YouTube, Waze, Nest, Fitbit, Chromebooks, and much more. Furthermore, you need to know and understand what information Google already knows about you. And while you're doing that, you should delete all the existing data and prevent further collection. Thankfully, Google provides several tools to help you do this (most likely due to regulations like GDPR and CCPA). I'll help you create your personal de-Google to-do list. In other news: today I'm launching a massive giveaway promotion to celebrate the 5th anniversary of the podcast!! Also, 100 million Samsung phones shipped with horrible security flaws; Nvidia hackers are pressuring the company to turn off cryptocurrency mining limitations; the (Russian) Conti and TrickBot ransomware operations have been hacked; details of 120,000 Russian soldiers in Ukraine have been leaked (on purpose); the US Senate has passed landmark cybersecurity legislation in light of the rising cyber warfare threat; and the ACLU has published a sobering report about a mass surveillance company called Flock (no relation to Google's FLoC). 
Article Links
100 Million Samsung Phones Shipped With Flawed Encryption https://www.cpomagazine.com/cyber-security/100-million-samsung-phones-shipped-with-flawed-encryption-galaxy-s8-to-s21-series-cryptographic-keys-trivial-to-expose/
Nvidia Hackers Threaten to Release Mining-Limiter Killer https://www.tomshardware.com/news/nvidia-hackers-threaten-to-release-lhr-performance-limiter
Conti Ransomware source code leaked by Ukrainian researcher https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/
Details of '120,000 Russian soldiers' leaked by Ukrainian media https://www.theregister.com/2022/03/02/russian_soldier_leaks/
Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments https://www.zdnet.com/article/senate-passes-cybersecurity-act-forcing-critical-infrastructure-orgs-to-report-cyberattacks-ransom-payments/
Fast-Growing Company Flock is Building a New AI-Driven Mass-Surveillance System https://www.aclu.org/report/fast-growing-company-flock-building-new-ai-driven-mass-surveillance-system
My De-Google Strategy: https://firewallsdontstopdragons.com/my-de-google-strategy/
Lawrence Lessig's article: https://medium.lessig.org/crowdsourced-war-b5774c0ca7b5
Further Info
5th Anniversary Giveaway!! Details will be posted this week on my blog - keep your eye out on my main website! https://firewallsdontstopdragons.com/
Check out Techlore: https://techlore.tech/
Conti Ransomware report from Krebs On Security:
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/
https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Your cell phone is a supercomputer and a phenomenally powerful tracking device. Even George Orwell wouldn't have dreamed that telescreens would be pocket-sized and that citizens would willingly carry them 24/7. That one device knows all about you and has access to your most personal and critical information, including contacts, emails, social media, financial accounts, medical information, and much more. Furthermore, these devices are often used to secure our accounts through two-factor authentication. Stealing or cloning someone's mobile phone can have dire consequences. Therefore, it's crucial that we protect it. Today, I'll speak with Haseeb Awan, whose company Efani is dedicated to providing secure phones and cell service to its VIP clientele, and we'll get his insights into the security risks and mitigation techniques of the mobile world. Haseeb Awan built one of the first and largest bitcoin ATM networks - Bitaccess - which has 8000+ locations in 15 countries. He is also the CEO of Efani, America's most secure and private cell phone service, which protects people against SIM swaps, eavesdropping, and location tracking.
Further Info
Efani: https://www.efani.com/
My Startpage interview: https://www.startpage.com/privacy-please/privacy-advocate-articles/privacy-in-action-carey-parker-author-and-podcast-host
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
One of my big goals for 2022 was to minimize my Google footprint. In the last news show, I covered Google Search, Chrome and Android. In today's show, I'll tackle two other big ones: Google's email (Gmail) and calendar (Gcal) services (and Google's contacts, for good measure). I actually replaced Gmail with two different services, because they each address two different needs I have. In other news: Microsoft finally disables Word and Excel macros by default for any file downloaded from the internet; the IRS backs off its requirement for using facial recognition to authenticate to the IRS website; Missouri's prosecutor declines to prosecute the reporter who pointed out a state website which gave away social security numbers for some state employees; Kashmir Hill compares the relative privacy and tracking capabilities of AirTags, Tile and a cheap GPS tracker; two US senators are decrying a newly declassified report of a CIA program that surveils American citizens in bulk; a remote test proctoring company sinks to new lows; hundreds of Android apps were found to be tracking you using ultrasonic signals; and Google will be implementing a new privacy feature in Android that it claims is just as private as Apple's App Tracking Transparency, but will somehow preserve the ad-based web economy.
Article Links
Microsoft's Small Step to Disable Macros Is a Huge Win for Security https://www.wired.com/story/microsoft-disables-macros-default-security-phishing/
IRS To Ditch Biometric Requirement for Online Access https://krebsonsecurity.com/2022/02/irs-to-ditch-biometric-requirement-for-online-access/
Missouri prosecutor won't press charges against reporter who found flaw in state website https://www.kcur.org/politics-elections-and-government/2022-02-14/missouri-prosecutor-wont-press-charges-against-reporter-who-found-flaw-in-state-website
New test shows AirTag's safety precautions are far better than Tile, other GPS trackers https://9to5mac.com/2022/02/11/airtag-safety-vs-tile/
T2 Mac security vulnerability means passwords can now be cracked https://9to5mac.com/2022/02/17/t2-mac-security-vulnerability-passware/
Senators say CIA has been collecting data in bulk in secret program https://thehill.com/homenews/administration/593833-senators-say-cia-has-been-collecting-american-data-in-bulk-in-secret
A Network of Fake Test Answer Sites Is Trying to Incriminate Students https://themarkup.org/machine-learning/2022/02/15/a-network-of-fake-test-answer-sites-is-trying-to-incriminate-students
Hundreds of apps spying on users with ultrasonic tracking technology https://www.komando.com/gadgets/hundreds-of-apps-spying-on-users-with-ultrasonic-tracking-technology/402030/
Google's New Plan for Android Privacy Doesn't Sound All That Private https://gizmodo.com/google-android-privacy-sandbox-apple-ios-meta-1848547922?rev=1645048008531
De-Google My Life (part 2): https://firewallsdontstopdragons.com/de-google-my-life-part-2/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
You may not know it, but our world has already been basically taken over by free and open source software, or FOSS - specifically, the Linux operating system. Just about every electronic appliance or device today, from your smartphone to your smart toaster, is running some flavor of the Linux operating system. Furthermore, open source software projects are the bedrock of many for-profit software applications, operating systems, mobile apps and web apps. It's everywhere, and yet you probably know very little about it. Today, Sean O'Brien will give us a little FOSS history lesson, explain why supporting this movement is so important, and even tell us how we might replace some pricey and user-hostile popular software with top-notch free and open alternatives. Sean O'Brien is a lecturer in Cybersecurity at Yale Law School and Chief Security Officer at Panquake.com. He is a Visiting Fellow at the Information Society Project at Yale Law School, where he founded and leads the Privacy Lab initiative. He has been involved in Free and Open-Source Software (FOSS) for approximately two decades, including volunteer work for the Free Software Foundation and FreedomBox Foundation.
Show Links
Panquake: https://panquake.com/
Yale Privacy Lab: https://privacylab.yale.edu/
It's FOSS website: https://itsfoss.com/
Free Software Foundation: https://www.fsf.org/
Intro to Linux classes: https://itsfoss.com/free-linux-training-courses/
Windows Subsystem for Linux: https://docs.microsoft.com/en-us/windows/wsl/about
System 76: https://system76.com/
Purism: https://puri.sm/
Lineage OS: https://lineageos.org/
Graphene OS: https://grapheneos.org/
Calyx OS: https://calyxos.org/
F-Droid: https://f-droid.org/
LibreOffice: https://www.libreoffice.org/
VLC Media Player: https://www.videolan.org/vlc/
Audacity audio editor: https://www.audacityteam.org/
GIMP photo editor: https://www.gimp.org/
Inkscape illustrator: https://inkscape.org/
CryptPad: https://cryptpad.fr/
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
One of my New Year's Resolutions for 2022 is to minimize my Google footprint. In reality, it's very difficult to completely avoid Google products, if you include things like Google Analytics, Google's cloud computing, and other services that we may not directly choose. But thankfully, there are many excellent, privacy-respecting alternatives to Google's more well-known products and services. In today's show, I'll start with some of the most basic ones: Google Search, the Google Chrome browser, and Android. In other news: Google beats Apple to offering a way to disable insecure 2G cellular connections; people are selling "silent" AirTags that won't beep to let you know they're near (which could be better for stalking people); Facebook reported its first-ever drop in daily users, along with an expected $10 billion revenue hit due to people opting out of ad tracking; privacy advocates scored a huge win in the European Union against advertisers collecting and sharing your data; the IRS may be rethinking its coming requirement for facial recognition-based authentication after pushback; the FBI admits to evaluating NSO Group's nasty Pegasus cell phone spyware; Kaspersky finds several serious vulnerabilities in wearable medical devices; and Google has abandoned its FLoC web tracking system for a more privacy-respecting version called Topics.
Article Links
EFF praises Android's new 2G kill switch, wants Apple to follow suit https://arstechnica.com/gadgets/2022/01/eff-praises-androids-new-2g-kill-switch-wants-apple-to-follow-suit/
Sale of 'Silent AirTags' on eBay and Etsy Raises Privacy Concerns https://www.macrumors.com/2022/02/03/silent-airtags-privacy-concerns/
Facebook lost daily users for the first time ever last quarter https://www.theverge.com/2022/2/2/22914970/facebook-app-loses-daily-users-first-time-earnings
A Change by Apple Is Tormenting Internet Companies, Especially Meta https://www.nytimes.com/2022/02/03/technology/apple-privacy-changes-meta.html
Regulators find Europe's ad-tech industry acted unlawfully https://www.engadget.com/european-union-gdpr-ad-tech-unlawful-iccl-iab-europe-125735068.html
Treasury Weighing Alternatives to ID.me Over Privacy Concerns https://www.bloomberg.com/news/articles/2022-01-28/treasury-weighing-id-me-alternatives-over-privacy-concerns
FBI acknowledges it tested NSO Group's spyware https://www.washingtonpost.com/technology/2022/02/02/pegasus-fbi-nso-test/
Unpatched Security Bugs in Medical Wearables Allow Patient Tracking, Data Theft https://threatpost.com/unpatched-security-bugs-medical-wearables-patient-tracking-data-theft/178150/
Google abandons FLoC, introduces Topics API to replace tracking cookies https://www.theverge.com/2022/1/25/22900567/google-floc-abandon-topics-api-cookies-tracking
De-Google My Life, Part 1: https://firewallsdontstopdragons.com/de-google-my-life-part-1/
Apple's new Personal Safety User Guide: https://support.apple.com/guide/personal-safety/welcome/web
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
We tell our search engines a lot of very personal things. They arguably know more about us than our best friends and significant others do. A history of your search terms can reveal so much about you, especially when viewed over the course of days, months and even years. And unfortunately, companies like Google use this privileged position to better target us with advertisements. This may seem innocuous, but today's guest, Kelly Finnerty, will explain how this data collection can lead to some truly creepy outcomes and even emotional harm. But it doesn't have to be that way. There are search engines and other tools that don't track your history and sell you out. And there is hope for a brighter, privacy-respecting future. Kelly Finnerty is the director of brand for Startpage, a global privacy technology company that provides search and browsing products that protect people's personal data. Kelly is a #techforgood advocate who believes privacy is a worldwide human right.
Episode Links
Startpage browser extension: https://add.startpage.com/protection/
What does your search engine know about you? https://www.startpage.com/privacy-please/startpage-articles/what-does-your-search-engine-know-about-you
Startpage data flow: https://support.startpage.com/index.php?/en/Knowledgebase/Article/View/1276/0/how-startpage-processes-and-protects-your-data
Interview with System1 CEO: https://thinkprivacy.ch/system1-interview/
Terms of Service; Didn't Read: https://tosdr.org/
EFF's Surveillance Self Defense: https://ssd.eff.org/
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Carey's 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/
Carey's Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Data Privacy Week: https://staysafeonline.org/data-privacy-week/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Personal data privacy isn't going to just happen on its own. We have to somehow collectively construct it. But how? Will it require regulation, or can consumers drive change by consciously choosing privacy-respecting products and services? When it comes to regulations, why are things so different in the European Union versus the US and other global markets? What do privacy teams look like in modern corporations, and how should they function? I'll pose these and many other questions to my guest, Whitney Merrill, who brings unique experience on privacy from both the private sector and the federal government. Whitney Merrill is a data protection officer, privacy attorney, hacker, and the co-founder of the Crypto & Privacy Village. She loves privacy and is glad the world is getting excited about it, too.
Podcast Links
Carey's 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/
Carey's Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Data Privacy Week: https://staysafeonline.org/data-privacy-week/
FTC Privacy & Security: https://www.ftc.gov/tips-advice/business-center/privacy-and-security
EFF Surveillance Self Defense Guide: https://ssd.eff.org/
ACLU Privacy & Technology: https://www.aclu.org/issues/privacy-technology
IAPP Resources: https://iapp.org/resources/
European Data Protection Board: https://edpb.europa.eu/edpb_en
Data Protocol: https://dataprotocol.com/
The Gamification of Everything: https://lifehacker.com/how-gamification-of-everything-is-manipulating-you-and-1848352808
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Of course, every week should be "data privacy week", but we do set aside a specific time each year to focus on privacy - particularly educating as many people as possible about it. Until this year, we only dedicated one day to this - but as of 2022, it's been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I'm going to prep you for it with several of my top privacy protection tips! In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit at the United States' request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing drivers' biometric information without consent; lawmakers propose legislation to simplify and standardize terms of service agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about in relation to privacy and what they feel should be done about it.
Article Links
Using Foreign Nationals to Bypass US Surveillance Restrictions https://www.schneier.com/blog/archives/2022/01/using-foreign-nationals-to-bypass-us-surveillance-restrictions.html
Russia's FSB says it has taken down REvil hacker group at US request https://www.theverge.com/2022/1/14/22883675/russia-fsb-revil-hacker-group-ransomware-us-request-fbi-doj
VICTORY: Google Releases "disable 2g" Feature for New Android Smartphones https://www.eff.org/deeplinks/2022/01/victory-google-releases-disable-2g-feature-new-android-smartphones
Class action: Subaru DriverFocus system improperly scans driver's faces, eyes https://cookcountyrecord.com/stories/613746211-class-action-subaru-driverfocus-system-improperly-scans-driver-s-faces-eyes
Lawmakers Come After Companies' Terms of Service With New TLDR Bill https://www.gizmodo.com.au/2022/01/lawmakers-come-after-companies-terms-of-service-with-new-tldr-bill/
New Ponemon Institute Report Indicates Major Consumer Privacy Gap https://www.cpomagazine.com/data-privacy/new-ponemon-institute-report-indicates-major-consumer-privacy-gap/
Further Info
Data Privacy Week: https://staysafeonline.org/data-privacy-week/about-dpw/
My Data Privacy checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
DNA service impacts: https://thenib.com/its-all-relatives/
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Hunting for Stingrays podcast: https://podcast.firewallsdontstopdragons.com/2021/04/19/hunting-for-stingrays-part-1/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
It's the start of a brand new calendar year! And therefore it's time to engage in that annual ritual of planning to do better this year by making our list of New Year's Resolutions. To help you with the cybersecurity and privacy items on your list (an area where we all need major improvement), I will share with you my personal list of cyber goals for 2022. Yes, even security advocates can suffer from the "do as I say, not as I do" syndrome. We're all human, and there are plenty of things that I still need to get done - things that you probably need to do, too. I'll also catch you up on the latest security and privacy news: several articles popped up about a supposed data breach at LastPass that turned out to be incorrect; the US Federal Trade Commission is getting very serious about fining companies with lax cybersecurity practices in light of the Log4J/Log4Shell nightmare; clever scammers in Texas are tricking motorists into paying the wrong people for parking; Norton 360 and other antivirus software packages have started pre-installing cryptocurrency mining software on their customers' computers; TurboTax is the second major tax-filing software service to drop out of the federal Free File program; Google's adoption of the Manifest V3 specification gives users yet another reason not to use their Chrome browser; and a lawsuit in California alleges that Google's exclusive search engine deal with Apple is stifling competition and harming consumers. 
Article Links
LastPass says there's no data breach, so your passwords were not hacked https://bgr.com/tech/lastpass-says-theres-no-data-breach-so-your-passwords-were-not-hacked/?bgr-partner=flipboard
FTC to Go After Companies that Ignore Log4j https://threatpost.com/ftc-pursue-companies-log4j/177368/
QR code scammers hitting on-street parking in Texas cities https://www.click2houston.com/news/local/2022/01/05/qr-code-scammers-hitting-on-street-parking-in-texas-cities-this-is-what-houston-officials-want-you-to-know/
Norton 360 Now Comes With a Cryptominer https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
500M Avira Antivirus Users Introduced to Cryptomining https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
Want to file your tax return for free? TurboTax opts out of major program https://www.freep.com/story/money/personal-finance/susan-tompor/2022/01/05/how-file-your-tax-return-free-turbotax/9077019002/
Podcast on Free File report from Pro Publica: https://podcast.firewallsdontstopdragons.com/2020/01/13/why-free-file-isnt-free/
Google makes the perfect case for why you shouldn't use Chrome https://www.techrepublic.com/article/google-makes-the-perfect-case-for-why-you-shouldnt-use-chrome/
Google Basically Pays Apple to Stay Out of the Search Engine Business, Class Action Lawsuit Alleges https://www.macrumors.com/2022/01/05/google-pays-apple-stay-out-of-search/
Betty White on MFA: https://www.youtube.com/watch?v=DmIDtDAYTPA
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Navigating the online world today is hard enough as an adult. But it's way worse for kids. Not only are they short on the life experience that would give them the context they need, but as students during a pandemic, their privacy rights are being sorely tested by new "edtech" apps and services. Today I speak with Jill Bronfman from Common Sense Media about their new report on the state of privacy for kids. Their research is quite comprehensive - and (spoiler alert) the results aren't great. Obviously, this report is helpful for parents, educators and policy makers - but much of what's covered here is useful knowledge for anyone. Jill Bronfman is Privacy Counsel at Common Sense Media and teaches Media Ethics and Privacy Law.
Further Info
2021 State of Kids' Privacy: https://www.commonsensemedia.org/research/state-of-kids-privacy-2021
Common Sense Media: https://www.commonsensemedia.org/
Common Sense Privacy Program: https://privacy.commonsense.org/
Boston COVID in the waste water: https://www.msn.com/en-us/weather/topstories/how-fast-is-covid-surging-in-boston-this-chart-shows-the-spike-after-christmas/ar-AAShL4P
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/