Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
-
The Tyranny of the Default
12/08/2019 Duration: 44min
Marketing firms love to tell us that we control our privacy - you simply need to opt out of tracking! Like Dorothy, we've had the power all along. Just click your heels three times and uncheck all those pesky tracking options under Settings... somewhere. Which, statistically speaking, no one ever does. It's the Tyranny of the Default. I'll discuss why it's so hard. (Spoiler alert, it's on purpose.) Also in today's show: Apple massively expands its bug bounty program; several "air gapped" US elections systems found on the internet; Instagram pulls a Cambridge Analytica move; watch out for fake Equifax settlement sites; another sex hook-up app exposes its users' private information; and it's time to update your Android devices (if you can).
Further Info:
Instagram data leak: https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8
Election Systems exposed online: https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-
-
The Great Hack
05/08/2019 Duration: 36min
In today's show, I'll discuss the Capital One hack that affected over 100 million card users and applicants. I'll also cover the latest in the backlash against Apple, Google and Amazon over humans listening in on your private digital assistant voice recordings. The Ring doorbell, whose parent company was bought by Amazon, is quickly becoming a darling of local law enforcement agencies due to its ability to share surveillance footage. School districts are being hit with ransomware and being bilked for hundreds of thousands of dollars. And finally, Netflix has created a sobering documentary about the Facebook and Cambridge Analytica scandal, covering not just the 2016 US elections but also Brexit and many other voter influence campaigns around the globe.
Further Info:
The Great Hack on Netflix: https://www.netflix.com/Title/80117542
RSA Conference Blog book review: https://www.rsaconference.com/blogs/bens-book-of-the-month-review-of-firewalls-dont-stop-dragons-a-step-by-step-guide-to-computer-security-for-
-
Get Your Equifax Settlement
29/07/2019 Duration: 46min
Two years after the massive Equifax breach, the Federal Trade Commission (FTC) has reached a tentative settlement that will purportedly provide some restitution to the 148 million Americans whose data was leaked. Unfortunately, there are lots of little devils in the details - not to mention that this settlement has yet to be approved. However, you can (and probably should) go ahead and submit your claim. I'll give you all the details and tell you how to do it. In other news, Firefox is coming out with a premium, for-pay version of its privacy-centric web browser, the Pentagon has revealed technology that will allow them to identify people surreptitiously from up to 200 meters away, some of your Apple Siri recordings are being listened to by real humans, I'll give my take on the FaceApp scandal, and finally, if you have a Logitech wireless keyboard or mouse, you're going to want to update the software to patch a nasty bug.
Further Info:
Logitech Wireless Keyboard/Mouse security update: https://supp
-
Privacy in a Box (Part 2)
22/07/2019 Duration: 37min
In the second half of my interview with Winston Privacy CEO Richard Stokes, we talk about why your data is so valuable to advertisers and what you can do to limit all this tracking. In particular, we'll discuss the Winston box, which acts as a sort of force field around your home network, preventing all your "smart" and "internet of things" devices from reporting on your every move. Richard is the CEO and founder of Winston Privacy. Previously, he was the founder of AdGooroo.com, one of the first digital market research services, and later became the Global Head of Innovation for Kantar Media. He founded Winston Privacy in response to the increasing abuses of privacy taking place in the AdTech industry. Additionally, he's the author of "The Ultimate Guide to Pay-Per-Click Advertising". He has a Computer Science degree from the University of Illinois at Champaign-Urbana and an MBA from Kellogg / Northwestern University.
Further Info:
Winston Privacy: https://winstonprivacy.com/
Pre-Order: https://www.in
-
Privacy in a Box (Part 1)
15/07/2019 Duration: 35min
Protecting your privacy today is hard. It's really hard. It's too hard. Every 'smart' device you own is tattling on you, constantly, to dozens of companies. Your phone, your tablet, your PC, your TV, your streaming box, your DVR, your smart thermostat, your internet-connected medical devices... The list goes on and it gets longer every day. What if you could not only see all these illicit communications but also block them all, in one fell swoop? In part one of my interview with Richard Stokes, this former AdTech CEO will reveal what finally caused him to not only leave the industry but to develop a promising new product that puts users back in control of their privacy. Richard is the CEO and founder of Winston Privacy. Previously, he was the founder of AdGooroo.com, one of the first digital market research services, and later became the Global Head of Innovation for Kantar Media. He founded Winston Privacy in response to the increasing abuses of privacy taking place in the AdTech industry. Additionally, h
-
Big Brother 2.0
08/07/2019 Duration: 48min
The US government is once again looking to break or hobble encrypted communications in the name of national security and law enforcement. They claim that we're "going dark" - that the modern end-to-end encryption used in privacy-protecting apps like Signal and Wickr is preventing them from keeping us safe and bringing the bad guys to justice. Cryptographers and technology companies have soundly squashed the idea of putting "backdoors" in these systems that supposedly only the "good guys" can go through. But now these agencies have come up with a proposal that neatly sidesteps these issues: they simply want to be added as another "end" to the end-to-end scrambled session. A "ghost" in the chat, a BCC that neither of the original participants is made aware of. But this has several problems, as well. In other news, FigLeaf has conducted a survey of users about online privacy that shows major shifts in thinking since just before the Cambridge Analytica/Facebook scandal; "pre-saving" new releases on Spot
-
Set Warp Factor 1.1.1.1
01/07/2019 Duration: 42min
Why do most VPN apps suck so badly? How do you know which VPN service providers you can trust with your privacy? How is it that our internet service providers know so much about our web surfing habits? Today I explore these questions and more with John Graham-Cumming, the CTO of the internet performance and security company. He will also tell us about a new VPN service coming soon from Cloudflare called Warp that may finally address all of these problems. John is a computer programmer and author. He studied mathematics and computation at Oxford and stayed for a doctorate in computer security. As a programmer he has worked in Silicon Valley and New York, the UK, Germany, and France. His open source POPFile program won a Jolt Productivity Award in 2004. John is the author of a travel book for scientists published in 2009 called The Geek Atlas.
Further Info:
Cloudflare's 1.1.1.1 App: https://1.1.1.1/
Cloudflare's Crypto Week Blog: https://blog.cloudflare.com/welcome-to-crypto-week-2019/
Big Brother 2.0:
-
The Internet of Junk
24/06/2019 Duration: 37min
How many of your "smart" devices are smart enough to update their own software? For that matter, how many of them can upgrade at all? It's a good bet that most of them run some flavor of the free and open-source Linux operating system. A nasty bug was just found that affects almost all Linux systems, allowing a simple remote command to bring the system to its knees. There have been other bugs found in Linux and there will be more. If your device's software can't be updated, it will always be vulnerable. I'll go over some basic IoT security tips to mitigate your vulnerability, but in the end, older IoT devices that can't be upgraded should just be pitched. In other news, Firefox just patched two critical vulnerabilities, Dell's built-in remote assistance software can be remotely hacked, Venmo transactions are still painfully public by default, a Spanish soccer app turns its fans into unwitting narcs, and Facebook has launched a new cryptocurrency called Libra.
-
The Rise of Stalkerware
17/06/2019 Duration: 38min
In today's show I have a sobering discussion with the EFF's Eva Galperin about the rise of stalkerware (sometimes called "spouseware"). It's become all too easy for abusive, unscrupulous people to spy on their significant others, tracking their every move, monitoring all their communications. We'll talk about how our phones can be subverted and what measures you can take to prevent it. Eva also provides practical and prudent advice for people who suspect they may be victims of stalkerware. Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge, to writing privacy and security training ma
-
A Tale of Two Browsers: Chrome vs Firefox
10/06/2019 Duration: 48min
Google Chrome is the most popular web browser on the planet by far, used by about two thirds of all web surfers. But Google is an advertising company and ad blockers are a direct threat to their business model. Google is planning to make a highly controversial change to Chrome's plugin framework that would break some popular ad blocking extensions like uBlock Origin, forcing them to use much less effective techniques for blocking ads. Compare that to Mozilla's Firefox browser, which just announced even more built-in tracking and ad-blocking capabilities - many of which will be on by default. The evidence is clear: Firefox respects your privacy and is giving you more and more tools with which to protect it; Chrome is doing the opposite. It's time to switch to Firefox and ditch Chrome. In other news, Maine has just signed a bill into law which will require internet service providers to get your explicit consent before collecting and selling your web surfing data, Apple has announced several privacy-enhanci
-
Polling on Privacy (Pt2)
03/06/2019 Duration: 36min
Is it possible to hide your tracks online? Is it even worth the effort to try? How do you know which companies, products and services you can trust? Is government regulation the answer? We'll address all of these questions today in part 2 of my interview with David Ruiz. David will give you several great resources for getting more informed and also for getting more involved in the fight for privacy. David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law.
Further Info:
Who Has Your Back? https://www.eff.org/who-has-your-back-2018
Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/
Terms of Service; Didn't Read: https://tosdr.org/
Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/
Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-t
-
Polling on Privacy (Pt1)
27/05/2019 Duration: 35min
In January of this year, Malwarebytes (a world-class antivirus software maker) conducted a massive poll on privacy that included 4000 people from 66 different countries. On today's show, I will delve into the key takeaways from this poll and some rather (pleasantly) surprising results. (Tune in next week for part 2.) David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law.
Further Info:
Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/
Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-top-six-takeaways-for-user-privacy/
-
Google Knows What You Buy
20/05/2019 Duration: 30min
It shouldn't surprise you to learn that Google can read your Gmail. You may even realize that Google is scanning your emails for things like trip itineraries, which allows them to automatically add flights and hotel reservations to your Google Calendar, for example. But you may not realize how much other juicy info is there to be mined, like online purchases. Every email receipt you've received since you've had your Gmail account has almost surely been parsed and indexed. In today's show, I'll tell you how you can view this history and even delete it (painful as it may be). In other news, an FCC commissioner has released an update on the selling of location data by cell phone providers, San Francisco is poised to become the first major US city to ban the government use of facial recognition systems, and many popular games have been found to give away tons of user data.
Further Info:
Check your Google purchase history: https://myaccount.google.com/purchases
-
Time to Break Up Facebook
13/05/2019 Duration: 21min
Facebook co-founder Chris Hughes makes a heartfelt and cogent argument for breaking up the world's dominant social media company, Facebook. The litmus test for the US Government has focused too much on impact to consumer pricing, which has little to do with "free" services such as Facebook. It's time to also consider social and consumer impact. In other news, a photo storage service has been caught using your images to train facial recognition systems without proper disclosure, Google has unveiled plans to allow users to auto-delete certain sensitive user data after a specified number of months, and Facebook has cranked up the creepy factor by encouraging you to identify up to nine of your friends that you are secretly crushing on.
Further Info:
New York Times Privacy Project: https://www.nytimes.com/2019/05/07/opinion/google-sundar-pichai-privacy.html
It's Time to Break Up Facebook: https://www.nytimes.com/2019/05/09/opinion/sunday/chris-hughes-facebook-zuckerberg.html
Firewalls Don't Stop Dragons link
-
Health Apps Behaving Badly
06/05/2019 Duration: 34min
A disturbing study in the JAMA Network Open journal showed that almost all of 36 mental health apps they downloaded were sharing your data to some extent - many without proper or even any disclosure. Many shared basic data with Facebook and Google, and a few shared very sensitive information like health diaries and self reports of substance abuse. I'll give you some tips on how you can protect yourself. In other news, Firefox plugins were all shut off over the weekend due to a Mozilla certificate expiring, bad guys are using Google ads to trick you into paying money to fake customer support sites, data from 80M US households was found lying around on Microsoft servers, and Princeton has a cool new app that will tell you which of your IoT devices may be snitching on you.
Further Info:
Terms of Service; Didn't Read: https://tosdr.org/
Princeton IoT Inspector: https://iot-inspector.princeton.edu/
Spring Cleaning for your apps: https://firewallsdontstopdragons.com/close-security-holes/
-
Further Facebook Fiascos
29/04/2019 Duration: 36min
Facebook has once again gone too far and, when caught, asked for forgiveness and promised to change. First it was revealed that Facebook has been requesting since May 2016 that new users provide their email account passwords in order to verify their email addresses - without giving any obvious way to opt out. When caught, they said they would stop doing this. However, it was then revealed that Facebook "unintentionally" hoovered up the email contact lists of 1.5 million Facebook users that gave them their email passwords! I'll tell you how you can review and delete any contacts you've shared (intentionally or otherwise) with Facebook... as well as how to just delete Facebook! In other news, Microsoft has dropped the requirement to periodically change your password in Windows 10, another IoT vulnerability has been found that affects millions of devices, I have an update on the supposed Amazon employee Echo spying, and finally I'll explain why browser makers are throwing in the towel and allowing 'ping' trac
-
Swiped: Identity Theft (Pt 2)
22/04/2019 Duration: 35min
How do you deal with the threat of identity theft? Follow Adam Levin's 3 M's: 1) minimize your exposure, 2) monitor your accounts, and 3) manage the damage. We discuss these techniques and much more in part two of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well.
Further Info:
Adam Levin's website: https://adamlevin.com/
Adam's book, Swiped: https://adamlevin.com/swiped-book-adam-levin/
CyberScout: https://www.cyberscout.com/
Bruce Schneier's Data and Goliath
Kevin Mitnick's The Art of Invisibility
Brian Krebs's Spam Nation and his blog
Identity Theft Resource Center
Consumer Federation of America
Privacy Ri
-
Swiped: Identity Theft (pt 1)
15/04/2019 Duration: 45min
Identity theft is arguably one of the worst cyber crimes in terms of deep and lasting impact to the victim. This runs the gamut from simple credit card fraud to committing crimes in someone else's name. We'll talk about the entire spectrum today in part one of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well.
Further Info:
Adam Levin's website: https://adamlevin.com/
Adam's book, Swiped: https://adamlevin.com/swiped-book-adam-levin/
CyberScout: https://www.cyberscout.com/
-
Spotting Scare Scams
08/04/2019 Duration: 38min
Bad guys have been using scary emails and pop-up messages to bilk unsuspecting victims of millions of dollars for a long time now. But recent scams purporting to be from the CIA have taken things to a new level. In today's show, I'll walk you through one variant of this scam and teach you how to spot similar scare scams. In other news, government spyware has made its way into everyday apps on the Google Play Store, WinRAR has a serious bug that you need to patch, hundreds of millions of Facebook records were found lying around unprotected in the cloud, ASUS computer users were targeted by ShadowHammer malware, and Cloudflare has a new mobile VPN app you should take a look at.
Further Info:
Install and configure Cloudflare's 1.1.1.1 DNS: https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
ASUS malware checker: https://shadowhammer.kaspersky.com/
-
Fix It Already!
01/04/2019 Duration: 48min
How often have you run across something so obviously bad or behind the times that you just want to scream: Hey, fix this already! Electronic Frontier Foundation to the rescue! Gennie Gebhart explains the EFF's new #FixItAlready campaign - a "most wanted" list of no-brainer bugs and shortcomings in today's most popular services and products that just should not be. Examples include no end-to-end encryption of Twitter DMs, using two-factor Facebook phone numbers for marketing, and not being able to set your own password on iCloud or Windows 10 hard drive encryption. Gennie Gebhart is the Associate Director of Research at the Electronic Frontier Foundation, where she does research and advocacy on consumer privacy and security issues. She holds a Master of Library and Information Science from the University of Washington.
Further Info:
Fix It Already! https://fixitalready.eff.org/
Donate to EFF: https://supporters.eff.org/donate/join-eff-4