Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 351:51:58

Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • Decoding Computers & Software

    12/09/2022 Duration: 01h01min

    A little over 20 years ago, Charles Petzold wrote what would become a classic book on understanding modern computers and the software that drives them. Computers have become essential to daily life and inhabit more and more of the devices we use every day. Every "smart" device you own contains a computer running software. While these little silicon chips and the binary code running them seem like magic, they're really just a series of simple building blocks chained together to accomplish a task. Having a basic understanding of these concepts can give us a lot more perspective on how computers can be used and abused, programmed and subverted. When I learned that Charles was releasing a fully updated 2nd edition of Code, I asked him to come on the show to give us all a historical overview of computers and software. He graciously agreed. The concepts of computing and programming go back a lot further than you might think. Today we'll learn about this and much more. Charles Petzold is the author of the boo

  • LastPass Source Code Breach

    05/09/2022 Duration: 01h09min

    Password manager software maker LastPass suffered a data breach last week, which understandably made their customers very nervous - and caused some people to question the decision to put all their passwords in one digital basket. In today's show, I'll explain why this particular breach was not a threat to anyone's passwords and why you should still use a high quality password manager. In other news: Former security chief blows the whistle on Twitter; major VPN providers are pulling out of India over surveillance law issues; a set of popular Chrome extensions caught committing click fraud; Google's new Chrome extension restrictions threaten to hobble ad blockers; a father's Google accounts are deleted over false AI-flagged CSAM; US Federal Trade Commission sues a data broker over lax protection of location data; EFF finds another data broker selling location data to law enforcement; Google launches bug bounty program for open source software projects; DuckDuckGo's email privacy protection feature now availa

  • The Night the Lights Went Out in Vegas

    29/08/2022 Duration: 59min

    Thirty years ago, a young hacker named Jeff Moss (aka The Dark Tangent) threw a party in the desert of Nevada to commemorate the demise of a bulletin board system called PlatinumNet. Unlike the other handful of hacker conferences in that time, this one would be on the West Coast and open to everyone. Over the next three decades, DEF CON would become the preeminent hacker convention for the US (possibly the world), drawing upwards of 30,000 attendees. Along with its more-corporate spinoff Black Hat and related BSides conference, the back-to-back conferences are affectionately referred to as Hacker Summer Camp. In today's show, I'll walk down memory lane with Jeff, discussing the ups and downs he's experienced and delve into what this has all meant to him, personally. Oh yeah... and also the incident involving strippers and hacking the power grid. Further Info Amulet of Entropy badge: https://amuletofentropy.com/ DEF CON documentary: https://www.youtube.com/watch?v=SUhyeY0Fsvw My first trip to DEF CON: ht

  • Hacker Summer Camp 2022

    22/08/2022 Duration: 53min

    If it's August in Las Vegas, it's time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked - I hope to go back every year. This was the big 30th anniversary of DEF CON and several of the news stories this week came from one of these hacker conferences. And next week I'll air my wonderful interview with DEF CON's CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple's App Store security checks and contain malware - you should delete them ASAP; iOS VPN apps aren't properly securing connections made before activating the VPN; TikTok's in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco's network breach has lessons for all of us; Signal's use of phone numbers as identifiers highlighted due to breach at Twilio

  • Privacy vs Content Moderation

    15/08/2022 Duration: 53min

    There's no doubt that the internet has enabled criminals to share illicit and vile content with ease. The advent of high-quality end-to-end encrypted communications has made sharing this material harder for law enforcement to police. But the solution is not to cripple this technology, which is essential for security, privacy and even democracy. Today I'll discuss this thorny issue with Dhanaraj Thakur from the Center for Democracy and Technology. We'll talk about several dangerous proposals currently being considered in the US and Europe, and some potential solutions that can limit criminal behavior while preserving security and our right to privacy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online. Further Info Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems: https://cdt.org/insights/outside-looking-in-approaches-to-content-moderation-in-end-to-end-encrypte

  • Security Via Subtraction

    08/08/2022 Duration: 59min

    All software has bugs, so the more software you have installed, the more bugs you have. It's not just the bugs in any individual application, but it's also magnified by interactions between some applications. Thankfully, the converse is also true: the less software you have installed, the fewer bugs you have (statistically, anyway). How many apps have you installed because they were free? How many apps came installed with your PC that you never use? How about companion apps for products you no longer own? Or maybe apps you installed years ago that you've forgotten about. You need to review all of your apps and get rid of anything you aren't using. You can always reinstall them later, if necessary. But removing unused apps will also remove any software bugs and vulnerabilities that inevitably come with them. (It's also one less app to gather and sell personal data.) In other news: Amazon is looking to buy the maker of Roomba robotic vacuums that know the map of your home; Amazon is also hoping to buy a medi

  • No Place Left to Hide

    01/08/2022 Duration: 01h01min

    Cameras are everywhere. Every person you pass on the street has a camera on their phone and security cameras are everywhere. They're so cheap and small now, and most of them are connected to the cloud. Not only does that mean they basically have unlimited storage, but it also opens the door for computers to process those images and footage looking for faces. Today, I'll speak with Nate Wessler from the ACLU about the implications of this technological perfect storm on our privacy and what rights we actually have today with regard to facial recognition and use of these systems by law enforcement. Nate Wessler is a deputy director with the ACLU’s Speech, Privacy, and Technology Project, where he focuses on litigation and advocacy around surveillance and privacy issues, including government searches of electronic devices, requests for sensitive data held by third parties, and use of surveillance technologies. Further Info ACLU suit against Clearview AI: https://iapp.org/news/a/aclu-files-class-action-vs

  • Hacking Your Honda

    25/07/2022 Duration: 01h09min

    The "rolling code" technology used to remotely open and lock your car is supposed to prevent hacking. Unfortunately, Honda has a pretty serious vulnerability in their cars that apparently allows anyone with a little talent and cheap hacking tools to get into your car - and maybe even start it (though not actually drive it away). If correct, this vulnerability affects probably all Hondas made over the last 10 years. So far, Honda has denied that this is a problem, but many researchers have reproduced the hack. In other news: cheap, Chinese-made GPS vehicle trackers are vulnerable to remote hacking; Chrome, Edge and Safari browsers fix serious 0-day bugs; Twitter data breach info on 5.4M users is up for sale on the dark web; Windows getting a crucial security update to make important security feature on by default; the Conti ransomware gang is attacking the entire country of Costa Rica; Facebook quickly bypasses Firefox's URL tracking removal feature; Tor Browser adds a useful feature that will help people i

  • Crowdsourcing Network Security

    18/07/2022 Duration: 01h11min

    We take that little box that connects our home to the internet for granted. But in reality, it's often the only thing hiding our computers and vulnerable IoT devices from automated, remote attacks. This "internet background radiation" is ever present - a massive network of malicious or compromised devices, constantly scanning the internet for exposed and ill-protected systems. Today, we'll discuss routers, firewalls and other common aspects of home network security with the CEO of CrowdSec. He'll also explain how we can enable these devices to share information in a sort of global neighborhood watch program, distributing information about bad actors to better protect us all. Philippe Humeau graduated as an IT security engineer in 1999 in Cyber security. He then created his first company, dedicated to red team penetration testing and high-security hosting. After selling his first company, his eternal crushes for Cybersecurity led him to create CrowdSec in 2020. This open-source editor creates a participativ

  • The Data Dam is Breaking

    11/07/2022 Duration: 57min

    This week we'll talk about three significant new data breaches. Each of these data leaks is important in different ways, but the trend is clear: data wants to be free. First of all, we need to stop collecting so damn much of it. But second, we need to make it more expensive for data-collectors who are criminally negligent with the protection of our data. Right now, it's cheaper to let it escape than to spend time, effort and money to protect it. (In my Tip of the Week, I'll tell you about a great free tool that will let you protect your own data.) In other news: Google patches some serious zero-day Chrome bugs and I'll explain how they work; personal data for many California gun owners was leaked; Marriott suffered yet another customer data breach; personal data on over 1 billion people in China is up for sale; Crypto exchange Coinbase is sharing info with US immigration enforcers; a sophisticated malware named ZouRAT is infecting SOHO routers; a new Windows worm appears to be coming from infected USB dev

  • Necessary Chaos

    04/07/2022 Duration: 01h05min

    While many of us prefer order in our lives, at least most of the time, we sometimes need a little chaos. Specifically, we need a source of true randomness in order to properly drive many of our cryptographic systems - to secure our digital communications, for example. And while computers are very good at doing what we tell them to do, they suck at being unpredictable. Therefore we have to find other ways to inject a little chaos. Today I will discuss these concepts with Joe Long, founder and CEO of HackerBoxes.com. Along the way, we'll share stories of hardware hacking and our love of electronics tinkering. And then we'll reveal a totally geeky project we've been working on together for many months now that we dubbed the Amulet of Entropy! Joe Long is a professional engineer, patent attorney, and hardware hacker.  He has decades of expertise in electronics which he has taught to over a million students around the world.  Joe is the founder of HackerBoxes - a company that provides kits, workshops, and month

  • Total Cookie Protection

    27/06/2022 Duration: 01h04min

    Firefox officially rolled out its Total Cookie Protection feature last week, which is a clever and elegant solution for blocking tracking using third party cookies. Unfortunately... it doesn't seem to be working for me when I tested it. There are at least a couple reasons for why this might be, and a workaround, both of which I will discuss in today's Tip of the Week. Also: A drunk employee lost a flash drive with half a million customers' data in Japan; a TikTok leak appears to show that even with US user data being "moved" to US soil, engineers in China can still access it; a new voicemail scam tries to trick you into giving up your Microsoft account credentials; MEGA fixes several flaws which might allow a rogue employee to view your data; 56 security flaws in industrial systems could impact thousands of devices around the world; Google Password Manager now allows for client-side encryption; Microsoft's Defender is now available for non-Windows devices (for a fee); T-Mobile is the latest to use its priv

  • Moving Beyond Passwords

    20/06/2022 Duration: 01h03min

    Everyone hates dealing with passwords, and yet they've been the de facto standard of computer authentication for decades. But there's light at the end of this long tunnel. There is a passwordless future where we can log in to our accounts using just our smartphones. In this future, it won't matter if websites are breached because there will be no password databases to steal. Even phishing will be a thing of the past. And thankfully, that future isn't far away. Today I'll discuss where we are, how we got here, and where we're going with Yubico's Derek Hanson. Derek Hanson has been involved in the identity and security industry for over ten years.  He has been building networks and deploying computer systems since the mid-90s and now is an advocate for how you can best protect them. And he is now the VP of Solutions Architecture and Alliances at Yubico. Further Info Yubico/YubiKey: https://www.yubico.com/ NIST password guidelines: https://www.infosecurity-magazine.com/blogs/nist-password-guidelines/ OP

  • Peppering Your Passwords

    13/06/2022 Duration: 58min

    I preach about using password managers constantly - because they really are a fantastic tool for increasing your security. Humans suck at creating memorable passwords that are not also easy to guess. But the idea of putting all your juicy secrets into a digital vault that is controlled by a third party and synchronizing through the cloud may not sit well with you. And I totally get that. It's a very valid concern. But what if there were a way to have your cake and eat it, too? (I never understood that expression... what good is having cake if you can't eat it, right?) I'll explain a simple technique using cryptographic "pepper" that will allow you to use a password manager, even if you don't trust it. In other news: US water utilities are woefully unprepared for cyberattacks; paper ballots are essential for secure elections, but not sufficient; PDFs are being used to cleverly hide keylogging malware; Chinese hackers have infiltrated many global telecom companies for years; Australia's new "secure" digital

  • Cryptocurrency 101

    06/06/2022 Duration: 01h13min

    Everyone has heard of Bitcoin, but almost no one understands what the heck it actually is. Today I'm interviewing Seth from Seth for Privacy who knows cryptocurrency backwards and forwards. Seth is also a privacy advocate who understands the broader implications of digital currency. I'll ask him to explain how cryptocurrency works, what the blockchain is, how crypto mining affects our environment, whether cryptocurrency is truly anonymous, and how cryptocurrency has any value whatsoever - and much more! Seth is a privacy educator, Monero contributor, and host of the Opt Out podcast. Further Info Opt Out podcast, https://optoutpod.com Seth’s bio: https://sethforprivacy.com/about/ Seth’s Twitter feed: https://twitter.com/sethforprivacy Why Cryptocurrencies? https://whycryptocurrencies.com/toc.html Local Monero: https://localmonero.co/ Cryptocurrency ATMs: https://coinatmradar.com/ Bitcoin energy consumption: https://niccarter.info/topics/#energy Was Bitcoin Created by This International Drug Dealer? ht

  • Emergency Mode

    30/05/2022 Duration: 48min

    Modern smartphones have a potentially life-saving feature called "SOS" or "Emergency" mode that can give first responders critical medical information and automatically dial your country's emergency phone number. It can report your location and even notify selected contacts. In today's show, I'll share a story from one woman who believes this mode saved her life. It's easy to use and set up, but it won't do you any good if you don't know about it. I'll tell you everything you need to know. In other news: Clearview AI is looking to expand its services to schools, banks and other institutions that wish to authenticate people; MasterCard is launching a new facial recognition system that will allow users to pay "with a smile"; the US Department of Justice has finally issued long-overdue guidance on common sense limitations for prosecuting security researchers and regular people who might run afoul of the tragically over-broad Computer Fraud and Abuse Act (CFAA); Twitter has been fined and Google has been sued

  • Tomatoes & Telegraphs

    23/05/2022 Duration: 58min

    There's a lot we can glean from history but sometimes it's not as obvious as you might think. For example, did you know that until the mid-1800's, most Americans hated tomatoes and that ketchup was originally made from mushrooms? The story behind how Americans came to love tomatoes is quite fascinating, but what is perhaps most interesting is the way our guest applies this knowledge to the realm of cybersecurity. Today we will also learn how one of the most powerful cryptographic techniques to this day originated in the time of the telegraph. Along the way, we'll discuss how humans choose their passwords, how they should be creating passwords, and how often we should be changing our passwords. Anthony Collette is a Senior Consent Form Editor at the largest Institutional Review Board (IRB) in the United States. This regulatory agency has reviewed over 1,000 COVID-19 research studies, conducted at more than 12,000 locations. Mr. Collette analyzes complex medical documents, synthesizes the central concepts

  • Global Privacy Control

    16/05/2022 Duration: 01h07min

    When we surf the web today - on our computers or smartphones - we are mercilessly tracked. Marketing firms and data brokers are hoovering up ungodly amounts of our personal data, selling it, trading it and mining it to derive even more about us. Many offer some way to limit or stop this wanton data collection, but good luck figuring out how - let alone even knowing who to ask. Wouldn't it be nice if you could just click one button and tell everyone to leave you alone? Of course, we tried this a decade ago with Do Not Track, but there were no regulations in place to require companies to respect it. While we have a long way to go, some regions do now have privacy laws - and now we have a new way to invoke our privacy rights: Global Privacy Control. Today, I'll tell you how to enable this on your devices and tell data miners to get lost. In other news: Clearview AI has been forced to cut back on its creepy facial recognition software; the EU is proposing dangerous new surveillance requirements in the name of

  • How to Stop Tracking & Stalking

    09/05/2022 Duration: 01h12min

    We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us. Sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick and mortar stores are tracking you within their stores, noting where you go, how long you stay in some locations, and where you don't go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used to track journalists, dissidents and "people of interest" by authoritarian governments. If all of that weren't bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I'll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we'll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about

  • What is the Most Private Browser?

    02/05/2022 Duration: 01h02min

    Security isn't a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers all use the same engine - Chrome, Edge and Opera are all based on Chromium. Second, there's no real conflict of interest between browser makers and browser users when it comes to security - it's a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I'll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn't make the list.) NOTE: I'm giving away TEN free subscriptions to ProtonMail plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That's it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspiration Declaration for the Future of the Internet
