Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 351:51:58


Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • Defending Democracy with Technology

    06/12/2021 Duration: 01h02min

    Transparency is critical when it comes to trust - and right now, particularly in the United States, we're having some real issues with trust in our elections. Most of our election systems today are completely opaque in terms of their hardware and software design because they're made by private companies who want to protect their intellectual property. But this secrecy also seriously impedes independent third parties from being able to test and verify these devices that are crucial to our democracy, and therefore contributes to the distrust in our election outcomes. Microsoft is working to change this with a program called ElectionGuard - a free and open source software framework that would allow any company (existing or new) to create robust and secure election systems. Not only can security researchers, journalists and democracy activists review and test the code, but the system actually provides technical capabilities that would provide voters and watchdog groups with a secure and private method for verifying

  • My Debit Card Was Hacked

    29/11/2021 Duration: 01h08min

    Credit cards are more secure than debit cards. I've said this in my book, my podcast, my blog and my seminars. Credit card transactions are loans - you're not out any money if a fraudulent charge comes through (assuming you or the credit card company catches it first). With debit cards, any fraud activity will actually take your money from your account - it's gone and you have to convince your bank to give it back. And so, I almost never use my debit card. And yet, I was still hacked. My card wasn't stolen or cloned with a skimmer. The number wasn't leaked in a hack. The bad guys somehow managed to guess my card number. And then they got clever and drained my bank account. I'll give you the details today and give you some pointers for avoiding being bitten the same way I was. In other news: bad guys have come up with some very clever ways to drain your bank accounts using Zelle and text messages; they've also used similar techniques to disable the Find My feature on stolen iPhones; Apple is suing Israeli h

  • Security Requires Privacy

    22/11/2021 Duration: 01h15min

    When you think about improving your privacy and protecting your personal information, it's important to realize that it will also improve your security. According to Craig Danuloff, CEO of The Privacy Co. and maker of the Priiv app, privacy harms fall into at least four different buckets: personal data leaks (embarrassment and reputation harm), online tracking (targeted ads and manipulation), financial accounts (including fraud and identity theft), and harassment (stalking, bullying, even physical threats). Today Craig will offer his opinions on the state of privacy today and provide several of his top tips for protecting your privacy and increasing your security. Craig Danuloff is a technology entrepreneur who has founded a series of tech companies including desktop publishing, e-commerce, ad-tech, identity, and now consumer privacy. Craig is a graduate of the University of Colorado Leeds School of Business, and the author of over 20 computer books. Further Info Priiv app: https://www.theprivacy.co/

  • Best & Worst Gifts for 2021

    15/11/2021 Duration: 52min

    The gift-giving season is officially upon us, and with covid supply chain issues, if you're going to order gifts, you need to get on it. And in today's show, I'll share the highlights of my annual Best & Worst Gift Guide where I focus on the privacy and security of popular gifts. You won't be surprised at a lot of the items on my naughty list, but I'll bet you'll find some interesting ideas from the nice list that you can give your loved ones this holiday season. I will also cover several news items - many of them actually good news! A new bipartisan bill would allow people to disable news feeds based on algorithms; Apple has dialed back some of its well-intentioned but poorly-implemented child safety features; Facebook will remove many sensitive categories for targeted ads and stop using facial recognition; several people associated with the Kaseya ransomware hack have been arrested; and 23andme's DNA database (your DNA) may be leveraged for a lucrative pharmaceutical business. Article Links New bi

  • Restoring Trust in Our Elections

    08/11/2021 Duration: 01h24min

    Nothing is arguably more fundamental to a democracy than voting. But it's not enough to have a secure election. The electorate also needs to trust that the results are valid. In the United States today, that trust is in short supply - many people believe that the 2020 election was rigged. On one hand, many of our electronic voting systems are demonstrably insecure and trivially capable of being hacked. On the other, our cybersecurity experts, government agencies and election officials are telling us that the 2020 election was one of the most secure in US history and voter fraud almost never happens. So which is it? How do we reconcile these two seemingly incongruent positions? Today I'll ask these questions and more of computer and election security guru Harri Hursti. Harri has investigated and hacked several popular election systems used in the US and runs the Voting Machine Hacking Village at the annual DEF CON hacking conference. He's also officially observed many elections around the world and particip

  • Spooky Security Stories

    01/11/2021 Duration: 01h06min

    There were lots of scary computer security and privacy stories in the news this week, coinciding nicely with Halloween. We'll start off with an unfortunate new cybersecurity term: killware. This is software whose end result is actual physical harm to human beings, including death. Sadly, this is now a thing. And I don't know about you, but Mark Zuckerberg's vision of the future (the "metaverse") is pretty damn scary, too. In other news: a hacker seems to have stolen the government identity information for every person in Argentina; a New York Times journalist explains how his iPhone has been hacked multiple times by the NSO Group and what he does to protect himself (and his sources); the FBI, the Secret Service and other "like-minded countries" seem to have finally taken down the REvil ransomware gang for good; Facebook has changed its name to "Meta"; link previews in chat apps can actually cause serious security and privacy problems; Delta Airlines and UK schools are normalizing the use of facial recognit

  • Through the Past, Privately: PGP Turns 30

    25/10/2021 Duration: 01h15min

    Today, we're surrounded by strong encryption. Thanks to efforts like Let's Encrypt, almost all web communications today are encrypted. And thanks to wonderful privacy communications tools like Signal, we can share private thoughts instantly and securely with anyone on the planet. But this was not always the case. This secure, private, encryption-enabled future we're living now was far from certain 30 years ago when Phil Zimmermann created and freely released his email encryption tool Pretty Good Privacy (PGP). If not for Phil and a handful of others, we could very easily have lost the Crypto Wars of the 1990's and authoritarian mass surveillance could have been the norm. In today's show, Phil and I walk through the creation of PGP, the technological and political climate of that day, and the nerve-racking few years where Phil faced potential jail time for releasing "munitions grade" encryption to the world. We'll also discuss the literally life-saving impacts PGP has had over these last 30 years and how glo

  • Rough Week for Facebook

    18/10/2021 Duration: 01h09min

    Facebook had a horrible, no-good, very bad week. Not only did Facebook, Instagram and WhatsApp go completely offline for about six hours, a whistleblower came forward to show the world what most of us already knew: Facebook values money over its users' well being. And I have another story that backs that up, as well - one that you almost surely did not hear about. In other news: the FTC tells app makers to fess up when users' private data gets loose; the governor of Missouri wants to sue a newspaper for revealing a horrible security flaw that exposed teachers' social security numbers; Apple's attempts to prevent user tracking on iOS are being undermined by unscrupulous apps; a company that you've never heard of with access to almost all cellular text messages was hacked over the course of five years; the VPN maker and VPN review industries are awash in conflicts of interest; Windows 11 is finally out, but it's not clear if and whether you should upgrade to it; and Firefox is searching for more ways to make

  • Privacy Dynamic Duo

    11/10/2021 Duration: 01h19min

    Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time? NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!) Michelle Dennedy was the first CPO for many global IT infrastructure companies including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online an

  • iOS 15 Privacy & Security Features

    04/10/2021 Duration: 01h08min

    I admit it. I'm an Apple fan. Are they perfect? Definitely not. But in most cases, they're actually trying to be good. And at the end of the day, their business model doesn't rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it's got some really cool security and privacy features. I'll tell you all about them in today's show. In other news: thousands of Netgear routers can be hacked via a Disney parental control feature even if you didn't ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a "passwordless" login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere - because HTTPS is now already everywhere; Amazon's new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US. Article Links

  • Apple’s Problematic CSAM Scanning

    27/09/2021 Duration: 01h08min

    Apple was set to roll out controversial new on-device scanning technology in iOS 15 last week, but thanks to pushback from groups like the Electronic Frontier Foundation and people like you, Apple has since thought better of it and backed down. It's not clear when or if these "child safety" features will come to iPhones, but in the meantime we can hope that Apple will listen carefully to our concerns before proceeding. Today I'll speak with Jason Kelley from the EFF about Apple's proposed technology, the problem of child sexual abuse material (CSAM), and why Apple's proposed solution was so problematic. Jason Kelley guides EFF’s social media tactics, develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking. Further Info Donate to EFF! https://supporters.eff.org/donate/join-4 EFF's Perspectives event: https://www.eff.org/event/perspectives-encryption-and-child-safety Sign the petition to stop Apple’s poorly-designed child safety featu

  • Security Is Hard

    20/09/2021 Duration: 56min

    It's really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard - even when you're trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we're going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task. In today's show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it's still being actively exploited (hint: patch now!); it was recently argued that WhatsApp's end-to-end encryption has a "backdoor", but I'll explain why that's not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its "no IP logging" marketing in the f

  • Driving Data Privacy for Cars

    13/09/2021 Duration: 01h09min

    Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending to the cloud wirelessly right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy 4 Cars and today he'll help us understand all the data your car is hoovering up - from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you've generated, probably without even realizing it. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data. Further Info Privacy4Cars: https://privacy4cars.com/ Assert Your Data Rights! https://privacy4cars.com/personal-use/assert-your-data-rights/ Twitter:

  • Privacy Matters

    06/09/2021 Duration: 59min

    For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters. Of course, I'll also cover several security-related topics this week, as well: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple pa

  • Morpheus: Securing CPUs with Entropy

    30/08/2021 Duration: 01h03min

    Computers are supposed to be completely predictable. When you tell it to do something, it should do exactly that - over and over again, if necessary - in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer's processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer's processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body's immune system

  • Beware the Four Horsemen

    23/08/2021 Duration: 01h23min

    How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children.

  • On a Dark Tangent

    16/08/2021 Duration: 01h04min

    Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss - also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside. Further Info DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg Privacy is Power, book by Carissa Véliz : https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151 My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/ The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_

  • Understanding Hackers & Hacking

    11/08/2021 Duration: 01h31min

    What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself. Further Info DEFCON documentary: https://www.youtube.

  • Selling You Out to the Highest Bidder

    02/08/2021 Duration: 01h31min

    Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you. Dr Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan wo

  • Guard Your Digital Rolodex

    26/07/2021 Duration: 58min

    Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more - meaning that it's an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymou
