Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
-
Apple vs FBI, Part 2
25/05/2020 Duration: 38min
The FBI is once again trash-talking Apple for not helping them in their investigation of a terrorist - this time, the alleged perpetrator of the Pensacola shooting. However, like the San Bernardino shooting a few years ago, Apple has actually done everything in its power to aid law enforcement. The issue is the "in its power" part. The FBI and DOJ would prefer that Apple (and therefore they) would have more power to unlock and decrypt iOS devices. We'll discuss this and a recent ruling against the FBI in another phone-related case. In other news: the Senate narrowly defeated a bill amendment that would protect your web history from government surveillance; 83% of users store their passwords in their heads (meaning their passwords suck); Firefox will soon tell you when sign-up forms are truncating your long passwords; Microsoft warns of a nasty new COVID-19-related phishing scheme that can take over your entire computer; and secure messaging app Signal has added a new security PIN to protect your account an
-
Beware the Evil Maid
18/05/2020 Duration: 46min
Intel created the Thunderbolt protocol to give us blazingly fast data transfer and other interesting features. Thunderbolt usually comes with the newer USB-C ports, common on laptops, especially MacBooks. Unfortunately, researchers have found a major flaw affecting all computers that will allow bad guys to gain access to your computer in just a few minutes with a few hundred dollars of common equipment. Most computers built in 2019 and later are capable of blocking this attack, but not many have implemented it. Apple computers are safe, unless they're in Bootcamp mode running Windows or Linux. I'll go over the details of this "evil maid" attack and provide several tips for securing your computers. In other news: Mozilla is adding a couple cool new privacy features to Firefox; Microsoft is rolling out some security and privacy in its coming May release; Google Authenticator finally provides a way to transfer accounts (sorta); Clearview AI is quickly backpedaling its data collection on Illinois residents; and
-
COVID19 Security & Privacy Tips (Part 2)
11/05/2020 Duration: 36min
In part two of my interview with Malwarebytes' David Ruiz, he tells us how to avoid the scams we discussed last week. And then we move on to discuss the potentially serious privacy issues that could come from the emerging surveillance regimes, designed to help us curb the spread of the coronavirus. David Ruiz is a content writer for Malwarebytes, covering online privacy, cybersecurity, and the laws - and proposed legislation - that regulate how data is stored, shared and accessed. He previously worked for Electronic Frontier Foundation, where he wrote and analyzed policy about NSA surveillance, encryption, and cross-border data transfer. Further Info: Malwarebytes blog: https://blog.malwarebytes.com/author/davidruiz/ Malwarebytes antivirus: https://www.malwarebytes.com/for-home/products/ Malwarebytes "Lock and Code" podcast: https://podcasts.apple.com/us/podcast/lock-and-code/id1500049667
-
COVID19 Security & Privacy Tips (Part 1)
04/05/2020 Duration: 33min
In times of great fear and anxiety, we need to be especially vigilant against snake oil salesmen. Never letting a good crisis go to waste, the bad guys are capitalizing on the chaos to lure us into downloading malware and buying fraudulent (or even harmful) advice and products. In part one of my interview with Malwarebytes' David Ruiz, we talk about the explosion of COVID-19-related phishing scams and malware campaigns, including tips on how to avoid being a victim. David Ruiz is a content writer for Malwarebytes, covering online privacy, cybersecurity, and the laws - and proposed legislation - that regulate how data is stored, shared and accessed. He previously worked for Electronic Frontier Foundation, where he wrote and analyzed policy about NSA surveillance, encryption, and cross-border data transfer. Further Info: Malwarebytes blog: https://blog.malwarebytes.com/author/davidruiz/ Malwarebytes antivirus: https://www.malwarebytes.com/for-home/products/
-
Have You Been Pwned?
27/04/2020 Duration: 54min
Every time there's a data breach at a company or service where you do business, there's a chance that the bad guys will reverse engineer your password. And once they do that, they will almost surely try to use that email and password combination to log into dozens of other sites - a hacking technique called credential stuffing. And why do they do this? Because they know most people reuse the same password over and over again. Troy Hunt has created a free service called "Have I Been Pwned" that collects information from all of these breaches so that we can find out whether our email address has been included in any of these hacks. I originally interviewed Troy over a year ago on the topic of database breaches and how to protect yourself against them, and sadly this is just as relevant today as it was then. So I brought this back as an encore performance! Troy Hunt is an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. You'll regularly find Troy in t
-
Phish Spotting 101
20/04/2020 Duration: 42min
The bad guys are having a field day with all the coronavirus hubbub, using our fears and anxieties to trick us into clicking bad links, downloading infected files, or installing malware. While the topic is new, the techniques are the same: phishing. Using cleverly disguised emails and text messages, bad guys trick us into giving up credit card and social security numbers, login credentials, and other sensitive information. In today's show, I'll give you several ways to spot these scams. In other news: a new massive data breach contains records on 1.2 billion people; Microsoft released a new version of Windows Defender which is broken for some people; there's been an attack on some Linksys routers; and as if regular ransomware wasn't bad enough, the bad guys are now using a new "double extortion" tactic that really puts you in a bind. Further Info: Flatten the Curve Summit: https://flattenthecurve.tech/
-
Contact Tracing, Privately
13/04/2020 Duration: 46min
As health services and society in general struggle to cope with the coronavirus pandemic, people are desperately seeking new and inventive ways to curb the spread of the disease. A tried and true tool of epidemiologists is contact tracing: interviewing infected subjects in order to create lists of people they've had contact with in recent days and weeks. But people's memories are notoriously sketchy and they may not even know all the names, let alone contact information. Google and Apple have united to propose a technical solution. Android phones and iPhones will silently record anonymous identifiers of every other device they come near, in hopes of eventually notifying those device owners if a person later tests positive for COVID-19. But doing this in a way that preserves privacy and resists mass surveillance is difficult. I'll walk through the technical and social implications of their proposal. In other news: Zoom is working hard to fix their privacy and security issues (and repair their reputation); b
-
Secure & Private Social Distancing
06/04/2020 Duration: 35min
During our global COVID-19 self-quarantining, video conferencing usage has exploded. I've tried to find hard statistics, but they're rising so fast that anything I post now will be stale tomorrow. That said, I've seen usage growth figures as high as 400%. And since we're all staying home now (right?), video chatting is a great way to get some social time with friends and family. But many of the most popular video chat services are lacking in security, privacy, or both (I'm looking at you, Zoom). I'll give you a handful of good options that are all end-to-end encrypted. In other news: over 12,000 Android apps were found to have some sort of backdoor; Cloudflare introduces 1.1.1.1 for Families; Marriott announces yet another major data breach; Google is using its vast hoard of location data to track our social distancing success (or failure); EFF issues some timely warnings about guarding our civil liberties when responding to this crisis; and the FBI is warning us to watch out for coronavirus-related s
-
Privacy by Design
30/03/2020 Duration: 47min
Wouldn't it be nice if privacy wasn't an afterthought? What if user privacy was built in from the get go? What if the entire design assumed that you didn't want anyone selling your data - and respected those wishes? That's the world of Privacy by Design - a concept pioneered in the mid-1990's by Dr. Ann Cavoukian. This may seem like an unattainable Utopian future, but Ann's infectious optimism may just convince you otherwise. Adding privacy doesn't mean sacrificing security or functionality, if done properly. Today we discuss the concepts of Privacy by Design and how we can achieve it. Dr. Ann Cavoukian is recognized as one of the world’s leading privacy experts. Dr. Cavoukian served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies. In 2010, International Privacy Regulators unanimously passed a Resolution recognizing Pr
-
Beware COVID-19 Scams
23/03/2020 Duration: 54min
Never let a good crisis go to waste. Though normally applied to politics, it can be equally applied to opportunistic cyber criminals. With the world transfixed by and anxious about this nasty virus, bad guys are seizing on our fears to make a quick buck. From ransomware-laden virus tracking apps to actually threatening to infect families directly with the actual virus, COVID-19 is becoming a gold mine for unscrupulous hackers. We need to be extra vigilant and warn our loved ones to do the same. In other news... connected cars are tapping into your driving data to make more money; a $3 robot lawyer can help you exercise your CCPA rights; the Brave browser will be implementing some novel fingerprinting protections; Firefox had created a privacy container for Facebook; and not to miss a good crisis, the US government is looking to weaken our civil liberties in the name of virus tracking.
-
The CCPA and You (Part 2)
16/03/2020 Duration: 28min
In part 1 of this interview, Hayley Tsukayama walked us through the details of the new California Consumer Privacy Act (CCPA). In part 2, we discuss how this law will affect many of us who are not California residents and how it's influencing potential legislation in other states and even at the federal level. We also discuss how CCPA can synergize with other state laws and be used as a tool for journalists to expose data brokers to the light of scrutiny. Hayley Tsukayama is a legislative activist for the Electronic Frontier Foundation, focusing on state legislation. Prior to joining EFF, she spent nearly eight years as a consumer technology reporter at The Washington Post writing stories on the industry's largest companies. Hayley has an MA in journalism from the University of Missouri and a BA in history from Vassar College. She was a 2010 recipient of the White House Correspondents' Association scholarship. Further Info: Donate to the EFF: https://supporters.eff.org/donate/ Robot Lawyer to sue data
-
The CCPA and You (Part 1)
09/03/2020 Duration: 35min
On January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. While not perfect, the CCPA is a landmark piece of legislation for the United States, even though legally it only protects California residents. I will dig into the details of this bill - both the good and the bad - in part one of my delightful interview with Hayley Tsukayama from the EFF. Hayley Tsukayama is a legislative activist for the Electronic Frontier Foundation, focusing on state legislation. Prior to joining EFF, she spent nearly eight years as a consumer technology reporter at The Washington Post writing stories on the industry's largest companies. Hayley has an MA in journalism from the University of Missouri and a BA in history from Vassar College. She was a 2010 recipient of the White House Correspondents' Association scholarship. Further Info: Donate to the EFF: https://supporters.eff.org/donate/ Robot Lawyer to sue data hoarders: https://fortune.com/2020/03/05/delete-location-data-privacy-personal-informa
-
Hacked: A Clearer View of Clearview
02/03/2020 Duration: 48min
A few weeks ago, the New York Times published a bombshell article about a small startup called Clearview AI who was using a massive database of three billion faces scraped from several social media sites to offer a creepy facial recognition app. Just one snapshot of some stranger's face could immediately identify that person - not just name, but potential location, age, other images, social media pages, and even a list of friends and family. Clearview claimed to only sell this service to law enforcement agencies, mostly in the US and Canada. However, this week Buzzfeed News obtained the company's client list, and it contained several non-law enforcement agencies and dozens of clients outside of North America. In other news: the latest Windows 10 update has caused many serious problems; leaked documents show how big companies are buying our credit card data; up to a billion WiFi devices have a critical security bug; the FCC says it will fine the four big US cellular carriers $200M for selling your location
-
Adversarial Interoperability (Part 2)
24/02/2020 Duration: 30min
It's not cheap or easy to get your iPhone repaired - largely because there's not a lot of real competition in the iPhone repair market. That's no accident. Owners of modern John Deere tractors have really only one option: John Deere. Why? There's no good technical reason. There's really no good legal reason either, but laws like the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) have been abused to give these companies inordinate say over who can perform repairs on their products. In part 2 of my interview with the EFF's Cory Doctorow, we discuss the right to repair and wrap up our overall discussion with possible solutions and action items for the concerned consumer. Cory Doctorow is a science fiction author, activist, journalist and blogger. He’s the author of several novels including HOMELAND, LITTLE BROTHER and WALKAWAY. He is the former European director of the Electronic Frontier Foundation and co-founded the UK Open Rights Group. Further Info: Adversarial I
-
Adversarial Interoperability (Part 1)
17/02/2020 Duration: 48min
Here's a riddle for you: when does something you paid good money for not actually belong to you? Answer: when that device is part of the Internet of Things. Why? Because without the express permission and continued support of the company that sold you that device, it becomes a worthless piece of junk. All of our modern "smart" devices are inextricably tied to their cloud-based services and automatic software updates. In part 1 of my interview with Cory Doctorow, we'll talk about how we got into this situation, including several shocking examples. Cory Doctorow is a science fiction author, activist, journalist and blogger. He’s the author of several novels including HOMELAND, LITTLE BROTHER and WALKAWAY. He is the former European director of the Electronic Frontier Foundation and co-founded the UK Open Rights Group. Further Info: Adversarial Interoperability: https://www.eff.org/deeplinks/2019/10/adversarial-interoperability Donate to EFF: https://supporters.eff.org/donate
-
Tax Time Brings Tax Scams
10/02/2020 Duration: 51min
It's that time of year again: tax time! And that means it's also time for tax scams. I'll give you some tips on how to avoid them, and also help you find the real "Free File" versions of your favorite online tax filing software. In other news: a German man fooled Google Maps with a wagon full of phones; Hue smart bulbs patched a serious vulnerability; Ring doorbell offers more security and privacy controls; a nasty Android Bluetooth vulnerability found and fixed; extracting data from a computer using screen brightness; and the US government's use of third-party location trackers. Further Info: ProPublica interview on history of Free File: http://podcast.firewallsdontstopdragons.com/2020/01/13/why-free-file-isnt-free/ Free File: https://firewallsdontstopdragons.com/how-to-really-free-file-your-taxes/ Avoid tax scams: https://firewallsdontstopdragons.com/preventing-tax-return-fraud/ Winston Privacy: https://winstonprivacy.com/
-
Just Say No (to Sharing)
03/02/2020 Duration: 43min
We install antivirus software to protect us, not exploit us. Like a bodyguard, AV programs need full, unfettered access to everything in order to properly do the job. That requires complete and absolute trust. And probably a non-disclosure agreement. Unfortunately, antivirus software doesn't offer you an NDA promise. Avast, the maker of one of the top five AV software applications, has recently been shown to collect and sell extensive customer information to third parties. While they claim to anonymize the data, it's often easy to re-identify people when correlating this data with other databases. Thanks to some reporting by Vice and PCMag, Avast is shutting down this lucrative side business after a serious backlash. I'll tell you how you can mitigate your exposure to rampant data sharing. In other news, Sonos angers many long-time customers by declaring an end to supporting older devices; over 250M customer records have been exposed on five public servers with zero protections for about 14 years; Clearvi
-
Data Privacy Day 2020
27/01/2020 Duration: 50min
Happy Data Privacy Day! My guest today is none other than Bruce Schneier: world renowned security guru and author of several great books, including Data and Goliath and Click Here to Kill Everybody! Bruce and I discuss the current state of data privacy and what it's going to take to rein in the corporations that are buying and selling our data with abandon. Bruce Schneier is an internationally renowned security technologist. He has authored over one dozen books--most recently Click Here to Kill Everybody--and hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and his blog Schneier on Security are read by over 250,000 people. Further Information: Transcript of my interview with Bruce Schneier: http://podcast.firewallsdontstopdragons.com/wp-content/uploads/2019/01/Ep100-interview.txt Data Privacy Day Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
-
Clearview Knows Who You Are
20/01/2020 Duration: 31min
A small company has amassed over 3 billion online photos from social media and other public sources, creating perhaps the largest facial database in existence - far larger than even the FBI's database. The images are often connected to a person's full name, address, and people they know. The company, called Clearview, has sold access to this database to over 600 law enforcement agencies, allowing them to quickly identify someone from a single picture. While this has allowed them to solve several cases, it also means that we have basically lost the ability to be anonymous in public. There are no rules around this - but there need to be. In other news, if you haven't updated Windows in the last week, you need to do it right now; same goes for Internet Explorer (though you should really just switch to Firefox); Apple and FBI are once again facing off over iPhone encryption; the vast majority of modern cable modems are vulnerable to a devastating hack; and for at least this year, you shouldn't abbreviate with
-
Why “Free File” Isn’t Free
13/01/2020 Duration: 53min
The IRS already knows what I made, what taxes I've paid, and even what my mortgage interest was last year. Why do I have to fill out tax forms? Turns out there's a very specific reason, and you're not going to like it. At the turn of the century, tax preparers like TurboTax and H&R Block negotiated a deal with the US government that prevented this very thing. In exchange, these tax companies agreed to offer a "Free File" online tax program for most tax filers. But while perhaps honoring the letter of that agreement, they used dark patterns and other subtle psychological tricks to push tax payers into pricey, unnecessary tax applications. Justin Elliott from ProPublica will explain the sordid history of "free" online tax preparation and the cat-and-mouse game companies like Intuit (maker of TurboTax) have been playing with regulators. Justin Elliott has been a reporter since 2012 with ProPublica, where he has covered money and influence in the Obama and Trump administrations, the American Red Cross and Tur