Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 351:51:58

Information:

Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • It’s Time to Drop the SBOM

    19/07/2021 Duration: 01h10min

    The first step to solving any problem is gathering as much information as you can. Unfortunately, today we're basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles - knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there's a safety issue. This is not true for software makers... yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to chang

  • How to Keep Ransomware at Bay

    12/07/2021 Duration: 01h26s

    Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cooki

  • Make That Shaken AND Stirred

    05/07/2021 Duration: 01h10min

    Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "Stir" ("secure telephone identity revisited") and "Shaken" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are

  • Sad State of Cybersecurity

    28/06/2021 Duration: 59min

    Today's news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware... Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure - or will these tools benefit the bad guys more? In today's show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks! Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk. Further Info: 6clicks: https://www.6clicks.io/ Cybersecurity Maturity Model: https://www.acq.osd.mil/cmmc/d

  • Hacking Satellites for Fun & Profit

    21/06/2021 Duration: 01h05min

    Are satellites really just IoT devices in space? They're small computers and connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force De

  • Payment App Privacy Sucks

    14/06/2021 Duration: 01h08min

    Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a "social" app. That's shorthand for "share as much info as possible, with as many people as possible". If you weren't already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I'll tell you how to change this and other Venmo privacy settings - and also which apps are better at privacy. Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the "stalker" privacy concerns with AirTags; app

  • Have I Been FLoCed? (Part 2)

    07/06/2021 Duration: 50min

    Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you're visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF's Bennett Cyphers, we'll answer these questions and many more. Google's FLoC proposal depends on Google being a "benevolent and omniscient overseer", which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking "sensitive" info, there's nothing saying it won't change this later - on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists wi

  • Have I Been FLoCed? (Part 1)

    31/05/2021 Duration: 48min

    The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third party cookies are now being blocked by default by just about every browser - except Chrome. Google (who owns Chrome) is an ad company who relies on web tracking to make 90% of their revenue. With the writing on the wall, they and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system they call Federated Learning of Cohorts, or FLoC, which they claim can replace most of the tracking capability of third party cookies while somehow managing to preserve users' privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how they are rolling it out, and why EFF believes that FLoC is not the way to go. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislati

  • How & When to Use a Passphrase

    24/05/2021 Duration: 01h21min

    Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)! In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice s

  • Protecting Intellectual Freedom (Part 2)

    17/05/2021 Duration: 46min

    What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we'll discuss why libraries are so important in the fight for privacy and how they're using technologies like Tor to keep their patrons' (and even others') web browsing anonymous. We'll talk about why it's important to do a self-assessment of your particular "threat model" and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we'll talk about what all of this has to do with the so-called Streisand Effect! Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info: BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Library Freedom Project: https://libraryfreedom.org/ Library Freedom wiki: https://libraryfreedom.wi

  • Protecting Intellectual Freedom (Part 1)

    10/05/2021 Duration: 40min

    Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community - and your local public libraries are there to help. Today I'll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We'll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture! Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info: BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Lib

  • App Tracking Transparency

    03/05/2021 Duration: 01h22min

    After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it. Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy d

  • Hunting for Stingrays (Part 2)

    26/04/2021 Duration: 55min

    While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the "good guys" as well as the "bad guys". In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we'll talk about why it's so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of sta

  • Hunting for Stingrays (Part 1)

    19/04/2021 Duration: 52min

    The single easiest way to track someone today is using their cell phone. We have them with us at all times and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a "Stingray") is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we'll talk with a man who has made it his mission to uncover the use of such devices. We'll talk about how they work, why they're so hard to detect, and the broader implications of their use by police and sheriff's departments with little to no oversight. Cooper Quintin is

  • Trust No One

    12/04/2021 Duration: 01h07min

    Lots of news to cover today... and to me the common thread seems to be a lack of proper security and privacy. So the theme today is "trust no one". And the idea there isn't really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the "bad guys" will find a way to bypass your main security barrier, so you need to have a second, and possibly a third, barrier in place. Today I'll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the AC

  • Social Media is Ruining Society

    05/04/2021 Duration: 57min

    There are many business models and businesses that we curtail because they can be dangerous to people or democracy or society. Even rights enshrined in the US Constitution have reasonable limits. Now that it's become evident how engagement-optimized and algorithm-driven social media is ripping at the very fabric of our democracy, it's time for an intervention. Today, Phil Zimmermann (creator of PGP) will explain why things have gotten so bad and what we need to do to fix it and save civil society. Phil Zimmermann is the creator of Pretty Good Privacy. PGP is still widely regarded as the gold standard for secure email communication and caused quite a controversy when it was introduced in the early 1990s. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame. Further Info BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons About Phil Zimmermann: https://www.philzimmermann.com/EN/background/i

  • Stop Using SMS for 2FA

    29/03/2021 Duration: 01h15min

    Passwords suck and humans aren't good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for implementing the PIN code system: SMS or text messaging. SMS is very old, but also very widely used and supported. It's never been terribly secure, but recently some clever security researchers have discovered a simple and cheap way to steal your text messages. Like, for $16. I'll explain this hack and tell you how and why you should switch to the much more secure Time-based one-time-password (TOTP) system for 2FA. In other news: I'll update you on the massive Microsoft Exchan

  • Computers Interviewing Humans (Part 2)

    22/03/2021 Duration: 38min

    Given that we're using computer algorithms to evaluate humans, can these systems be gamed or fooled? And is it possible that computers are less biased than humans? On any given day, humans can be distracted, tired, sick or just flat out biased against people for any number of reasons. Should these systems be more transparent? How do we know if they're being fair? Do we need to regulate these services? Is there a happy medium here? And finally, if you feel that you've been unfairly discriminated against by these systems, is there anything you can do about it? John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown’s Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is

  • Computers Interviewing Humans (Part 1)

    15/03/2021 Duration: 38min

    Convincing a human to hire you is hard enough. Can you imagine trying to convince a computer? Artificial intelligence is now being used to automate the screening of job candidates, evaluating cognitive ability, vocabulary, and even emotional intelligence. This new "hiretech" promises to weed out the bad applicants and flag the good ones by analyzing not just the substance of answers to interview questions, but also the manner in which you respond - your cadence, your word choices, your tone, your speech patterns, and perhaps even your facial expressions and body language. What could possibly go wrong? We'll discuss this and more today with John Davisson from the Electronic Privacy Information Center. John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorne

  • Last Straw for LastPass

    08/03/2021 Duration: 01h39min

    Ep210. I've recommended LastPass for years - since I wrote my book and every day since. Until now. There are several good (secure and private) password managers out there. But LastPass was the full package: a free tier that had all the functionality most people need and for-pay tiers that had very useful extras. But now they're hobbling the free version by only allowing you to use it on one type of device: either a mobile device or a computer, but not both. To me, that makes the free tier useless. LastPass's Android app was also found to contain seven different trackers. That was the last straw for me. In today's episode, I'll tell you my new recommendations and give you an important tip on making the switch. In other news: a new law in Australia aims to force Google and Facebook to pay for news links; SolarWinds is blaming an intern for using a horrible password; SMS tax scams are picking up; Alexa Skills have serious privacy and security issues; adtech companies are scrambling to avoid telling you that y
