Firewalls Don't Stop Dragons Podcast

Passwords, two-factor authentication and even passkeys don't matter if you can access someone's account by answering three simple account recovery questions. Also, just about every account today has a way to reset your password, no matter how strong it is, if you can gain access to someone's email account. Until we can remove these weak links, it doesn't matter how secure our regular authentication schemes are. In the news: old A&T breach data is making the rounds; Apple Silicon chips have a security flaw baked into the hardware; two very popular digital safe locks come with backdoor codes; Twitter/X is failing to properly check posted links that redirect to scam sites; a court rules that external continuous camera surveillance of your house doesn't require a warrant; searches for VPNs spike after PornHub pulls out of Texas; a blockbuster NY Times article brings much needed attention to data collection in cars; AirBnB implements a blanket camera ban. And I announce a killer new patron promotion! Click t

The United States has no general data privacy laws. However, we do have some sector-specific regulations, including HIPAA for health data. But there are many misconceptions about HIPAA. For example, the "P" in HIPAA does not stand for Privacy - it stands for Portability. So, what information does HIPAA cover? Which healthcare and related service providers are governed by HIPAA? And most importantly, what can you do to protect your medical and health data? Today we'll dive deep into this subject with Kate Black, a data, privacy & health lawyer and a strategic advisor in the health data field. Interview Notes Kate Black: https://www.linkedin.com/in/kate-black-sfo/  Washington’s My Health, My Data law: https://hintzelaw.com/blog/2023/4/9/wa-my-health-my-data-act-pt1-overview  HIPAA rights: https://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html  STAT medical news: https://www.statnews.com/  Further Info Check out my dragon challenge coins! https://fdsd.me/coi

Two-factor authentication (2FA) is a fantastic way to improve the security of your online accounts. However, if you lose access to the device containing your authenticator app, you may lose access to your 2FA-protected accounts. You need to backup the seed codes used to set up each account. I'll give you several methods for doing this. In the news: FBI uses smartphone push notifications to track down criminals; Roku TVs block all access until users consent to force arbitration; cheap video doorbells have horrible security; AI can be used to determine where photos were taken; vending machine caught using facial recognition; what happens to your data when a data broker goes bankrupt; your personal information that is publicly available; New Jersey passes motor vehicle data deletion law; Proton Mail's new email aliasing feature; in Canada, police now need warrant to get a person's IP address; US cracks down on commercial spyware firm; NSO Group forced to hand over source code to Meta in legal case; Authy is s

With the rise of IoT and tracking technologies (both online and in the real word), we are generating staggering amounts of highly personal information. This massive trove of juicy data has drawn the attention of several interested parties outside the realm of consumer marketing. Like chum in the water, it's created a feeding frenzy from data aggregators as well as from law enforcement and intelligence agencies, both foreign and domestic. The journalists at 404 Media have published several blockbuster articles on this data ecosystem which have triggered backlashes from lawmakers and consumers alike. Today I'll speak with two of the founders: Justin Cox and Jason Koebler. Interview Notes 404 Media: https://www.404media.co/  404 Media podcast: https://www.404media.co/the-404-media-podcast/ 404 Media support: https://www.404media.co/faq/  Formation of 404 Media: https://www.nytimes.com/2023/08/22/business/media/404-media-vice-motherboard.html  Further Info Send me your questions! https://f

Artificial Intelligence is the buzzword of the day. Since the launch of ChatGPT in November 2022, there has been a flood of AI-based tools and services. Many tech firms are racing to build AI into their products without considering the consequences, let alone taking the time to build in guardrails for privacy and security. Today, I'll tell you about some of the risks, how to mitigate them and explain why you should spend some time playing with AI tools so we can understand how they do (and don't) work. In other news: Wyze home webcams had yet another security breach; Poland's PM calls out illegal use of Pegasus spyware by opposition party; US military finally notifies 20,000 of email data breach; Skiff was bought by Notion and will shut down services; FTC fines Avast antivirus $16.5M for mining user data; Backdoors in encryption violate human rights according to EU court; LockBit ransomware servers were taken over by multinational law enforcement efforts; Apple's iMessage gaining quantum computer resistant

Modern cars are chock full of sensors and connected to the internet via built-in cellular modems. That's a recipe for massive data collection. Last September, Mozilla's Privacy Not Included team released a blockbuster report how much data our cars were gathering and it was absolutely staggering. According to the hard-to-find privacy policies, your car can collect extremely personal information including precise location, contact lists from your phone, call and message data, and - believe it or not - even "sexual activity". Today, I'll walk through this report and its implications with the head of Mozilla's Privacy Not Included project, Jen Caltrider. Interview Notes Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/  Mozilla’s car report: https://foundation.mozilla.org/en/privacynotincluded/articles/its-official-cars-are-the-worst-product-category-we-have-ever-reviewed-for-privacy/  Mozilla's report on AI chatbots: https://foundation.mozilla.org/en/privacynotinc

It's tax time here again in the USA, and therefore it's also time for tax scams. I'll explain how to recognize common tax scams, how to respond to them, how to prevent scammers from taking over your IRS account and even filing fraudulent tax returns in your name. In other news: the Mother of All Breaches (MOAB) contains 26 billion records; 23andMe is in trouble after massive data breach and pending class action lawsuits; a viral story about a smart toothbrush botnet isn't true... but could have been; a clever hack of older computer TPM modules could expose encrypted hard drive data (but it's not easy to do); Malwarebytes has issued their 2024 malware report; the FBI and CISA are raising the alarm over Chinese hackers and key US infrastructure, as well as taking action to prevent it; you might want to consider creating a family password to defeat voice clone scams; Mozilla has released a new data deletion service; and Privacy4Cars has an interesting new mechanism for universally opting out of data collecti

Are Macs really safer than PCs? What should you do to make your Mac more secure? How do you know if your Mac has a virus? And how do you know which security apps you can trust? I'll dig into all of these questions and more today with Mac security guru Patrick Wardle. Patrick Wardle is the founder of the Objective-See Foundation. Having worked at NASA and the NSA, as well as presented at countless security conferences Patrick is passionate about all things related to macOS security, writing books on macOS malware, and releasing free open-source security tools to protect Mac users. Interview Notes Objective See (free Mac tools): https://objective-see.org/  The Art of Mac Malware (book): https://taomm.org/  Objective by the Sea conference: https://objectivebythesea.org/  Apple’s Malware protections: https://support.apple.com/guide/security/protecting-against-malware-sec469d47bd8/1/web/1  Reinstall macOS in Recovery Mode: https://support.apple.com/en-us/HT204904  Jamf presentation on Appl

While every week is Data Privacy Week here at Firewalls Don't Stop Dragons, the rest of the world stops to join us in focusing on how and why to protect your personal data. I'll give you some of my top privacy tips and refer you to a lot of top privacy resources. In the news: Microsoft executives' emails are hacked by a nation-state actor; Facebook is gathering even more data with the help of other companies; a company is using real-time bidding to track us and sell to intelligence agencies; Mozilla outlines how incumbent browser owners tilt the playing field in favor of the owner; the EU is driving major changes to how iOS will work (but only in the EU); Brave browser simplifies its anti-fingerprinting options; Facebook limits how adult strangers can DM minors; FTC brings actions against GoodRx and Intuit; Samsung matches Google's 7-year OS update update promise; and Apple rolls out Stolen Device Protection feature. Article Links [msrc.microsoft.com] Microsoft Actions Following Attack by Nation S

Drones are everywhere today. Cheap and tiny accelerometers, gyroscopes and processors have allowed us to create drones that anyone can afford and everyone can fly. Drones have been used by law enforcement and military forces, as well - for surveillance but also for killing. With the rapid development of AI technologies, what happens when we make these drones autonomous? What are the implications for privacy and security? I'll discuss this and more with Nick Weaver, computer and cybersecurity expert, and chief mad scientist at Skerry Technologies. Interview Notes Nick Weaver: https://www1.icsi.berkeley.edu/~nweaver/  NYPD drone use: https://www.washingtonpost.com/nation/2023/09/01/drones-labor-day-parties-new-york/  AI drone “kills” its operator: https://www.reuters.com/article/factcheck-ai-drone-kills/fact-check-simulation-of-ai-drone-killing-its-human-operator-was-hypothetical-air-force-says-idUSL1N38023R/  The Future of Drone Warfare: https://www.schneier.com/blog/archives/2023/10/the-future

The new year is here! And I've got a handful of solid tips for you that you should absolutely plan to accomplish in 2024! I also have a lot of news to catch you up on: 23andMe blames its customers for their data breach; Burger King in Brazil using facial recognition to offer discounts based on how hungover you look; Russian agents hack live webcams to hone in on targets in Ukraine; fake celebrity ads for medicare scam on YouTube; Facebook's Link History is a confusing new tracking feature; FTC orders location data broker to stop selling your info; Google new location history changes may spell the end for geofence warrants; AirDrop anonymity cracked by China; well-hidden iPhone backdoor discovered by Kaspersky; UK tries to further expand surveillance capabilities; the Beeper Mini messaging saga is over; and a marketing company is offering to listen in on real time conversations to target ads. Article Links [TechCrunch] 23andMe tells victims it’s their fault that their data was breached https://techcr

Data breaches are usually produced by hackers looking for financial gain. Data leaks, on the other hand, are usually published by whistleblowers or perhaps accidentally disclosed via negligence. Journalists today are inundated by such data leaks - to the point where specialized tools and techniques are required to parse through the piles of digital detritus to ascertain the value and import that they may represent. Micah Lee has been performing this function for The Intercept for many years, including analyzing the Snowden documents. And he has just released a book that outlines the tools, techniques and procedures he uses for this arduous process. Today we discuss the importance and impact of whistleblowers, the state of data leaks today, and how it has impacted modern journalism. Interview Notes Micah’s book: https://hacksandleaks.com/  Excerpt article: https://theintercept.com/2023/12/16/hacked-datasets-verification/  Micah’s GIthub project: https://github.com/micahflee/hacks-leaks-and-revelat

Every week, I record a special, private bonus podcast for my patrons. Until today, all of that content was restricted to my supporters. But today I've got a sampler platter of some of the best snippets from my bonus Q&A with my interview guests, along with an episode of my more-technical bonus series I call Merlin's Musings. You'll hear from Josh Corman (CISA and I Am the Cavalry), Ernesto Falcon (EFF and CA Senate candidate), Omega and Deth Veggie (Cult of the Dead Cow), Michael Littman (AI expert from Brown Univ) and Cory Doctorow (author and activist), plus the strange story of the ProxyHam. Podcast Links These are links to the public podcasts associated with the bonus clips I played today along with some related links. Ep332, Josh Corman: https://podcast.firewallsdontstopdragons.com/2023/07/10/national-cyber-strategy/  Cyberattacks on hospitals are growing threats to patient safety, experts say : https://abcnews.go.com/Health/cyberattacks-hospitals-growing-threats-patient-safety-experts/story

Today, I dip back into the archives to bring you a classic interview from the first year of this podcast. In Episode 21 (Aug 2017) I interviewed Ladar Levison, the founder of the secure email service Lavabit. He started Lavabit in 2004 as one of the first truly secure, end-to-end encrypted email services focused on the privacy of users, almost ten years before Proton Mail launched. But when the FBI came (literally) knocking in 2013 asking him to subvert the encryption so that they could monitor his users (in particular a guy named Edward Snowden), Ladar decided to shut down Lavabit instead of complying. Ladar relaunched Lavabit in 2021 and I interviewed him that summer about his company, the right to privacy, the story of the shutdown, and much more. It's as relevant today as it was then. Interview Notes Lavabit: https://lavabit.com/  Lavabit history: https://en.wikipedia.org/wiki/Lavabit  Mr Peaboy and the Wayback Machine: https://en.wikipedia.org/wiki/Mister_Peabody  Further Info Send m

I've culled through the podcasts from the last year and put together an hour's worth of the best content! Here's a nice little charcuterie sampler of the top interview segments from 2023. Episode Links Ep347 (Oct 16) What’s Your Threat Model? https://podcast.firewallsdontstopdragons.com/2023/10/16/whats-your-threat-model/  Ep342 (Sep 18) Your Face Belongs to Us https://podcast.firewallsdontstopdragons.com/2023/09/18/your-face-belongs-to-us/  Ep336 (Aug 7) Cult of the Dead Cow https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/  Ep348 (Oct 30) Reclaiming the Internet https://podcast.firewallsdontstopdragons.com/2023/10/30/reclaiming-the-internet/  Ep324 (May 15) - Probing the Ministry of Truth https://podcast.firewallsdontstopdragons.com/2023/05/15/probing-the-ministry-of-truth/  Ep338 (Aug 21) Demystifying AI https://podcast.firewallsdontstopdragons.com/2023/08/21/demystifying-ai/  Further Info Send me your questions! https://fdsd.me/qna  Check out my

We here in the US like to believe that we're the gold standard for democracy. And yet, in recent years, much of the electorate has lost faith in the outcome of our elections. Many security researchers have found concerning vulnerabilities in our voting systems, and yet we have no evidence that those vulnerabilities have actually been exploited. Many people believe that people are voting multiple times or that ineligible people are voting, and yet study after study shows that voter fraud is nearly non-existent. How can we restore trust in our election results? What changes must we make to our election systems and processes to promote complete transparency and remove doubt? Today I'll dig deep into this complicated topic with Ben Adida, founder and Executive Director of VotingWorks. Interview Notes VotingWorks: https://www.voting.works/ Risk Limiting Audits with ARLO:  https://www.voting.works/risk-limiting-audits  Verified Voting, Verifier tool: https://verifiedvoting.org/verifier/  Ben’s PhD t

Your online account credentials have two parts: a user name and a password. Today, most online providers force you to use your email address for your user name. This gives the service provider a guaranteed way to contact (and spam) their users, but it also means that bad guys know half of all your credentials and data brokers have a unique ID to track you across all your accounts. Today I'll explain the value of using email aliases for your online user names. In other news: Iranian hackers attack US water plant; CISA launches program to address critical infrastructure threats; Google Drive users report missing data; Plex users fear new feature will leak p0rn watching habits; several articles on the ease of using data broker tools to spy on just about anyone, creating privacy and national security problems; smart mattress company CEO inadvertently reveals extent of data collection; concerns about IoT device sold with a home; overblown fears over Apple's new NameDrop feature; Zelle offering refunds to some s

City governments are relying more and more on a vast network of sensors to tell them what's going on: stop light cameras, gunshot detectors, air quality sensors, license plate readers, automated toll booths, and much more. While these technologies can help the powers that be allocate precious resources and gain helpful insights, they can also lead to over-policing, chilling of free speech and mass warrantless surveillance. Today I'll discuss the dangers of smart cities with Eleni Manis from the Surveillance Technology Oversight Project (STOP). Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/  S.T.O.P.'s Beginner’s Guide to the All-Too-Dumb World of Smart Cities: www.justcities.tech  CCOPS laws: https://www.eff.org/issues/community-control-police-surveillance-ccops  Further Info Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/ Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gif

The holiday gift-giving season is upon us - and therefore it's time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I've got some top tips for how to shop for privacy-respecting, security-protecting products! I've even got some ideas for free and helpful stocking stuffers. In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children's tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing 'staggering' amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU. Article Links [The Hacker News] FCC Enforces Stronger Rules to Protect Customers Ag

Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but are often used to abuse or stalk adult partners or ex-lovers. Today I'll discuss the state of these malicious apps, ways to protect our smartphones and even detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole. Interview Notes iVerify app: https://www.iverify.io/consumer xkcd “Security” cartoon: https://xkcd.com/538/  Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  G