Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 351:51:58

Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • Private from Everyone (But Us)

    25/04/2022 Duration: 50min

    Google and Facebook will swear up and down that they do not sell your data. While technically true, they do sell access to your data. Basically, your data is private from everyone - but them. And that's a crucial caveat. To have true privacy, you want to work with a company who has absolutely minimal access to your data. You want privacy by design. And this is not easy to do with a very old internet standard like email. Proton has been offering truly private email for almost a decade (ProtonMail) and over the years has added many other features like a VPN and calendar, making them a true privacy-respecting alternative to the likes of Google. Today I'll speak with Proton's founder and CEO, Dr. Andy Yen, about the importance of privacy as a human right and the delicate balance between privacy and the needs of law enforcement. I'll ask him how to evaluate products for privacy and what we can all do to bring about a better future where we can express ourselves freely. Dr. Andy Yen is the founder and CEO of

  • Demystifying VPNs

    18/04/2022 Duration: 56min

    When people don't understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day - selling cures for ailments that didn't exist or that didn't actually improve the consumer's health. The realm of computers is rife with cybersecurity snake oil, as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I'm going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install ch

  • Luck Favors the Prepared

    11/04/2022 Duration: 01h15min

    Today, most of us take the internet - and access to the internet - for granted. It's ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I'm not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I'll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and be better prepared for digital disruption. Further Info Tech Learning Collective: https://techlearningcollective.com/ How to Prepare for a Power Outage: https:

  • De-Google Your Life (Part 4)

    04/04/2022 Duration: 54min

    I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year's resolutions, so I've done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you're at it). In other news: UK police arrested seven people that may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with "protestware"; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search e

  • Teaching & Preaching Privacy

    28/03/2022 Duration: 01h05min

    Today I'm speaking with a fellow privacy evangelist: Henry from Techlore. Like me, Henry and his team are on a mission to teach regular, everyday people how to secure their data and improve their privacy. Henry and I have a frank discussion about the importance of privacy today and the struggles we have when deciding which privacy-oriented products to recommend. First of all, everyone's privacy "threat model" is different. Second, many people still don't understand the true impacts of privacy failures - to themselves and to society in general. Privacy isn't just a "me" thing - it's also very much a "we" thing. And if all of that weren't enough, privacy advocates argue constantly (and often heatedly) about the proper litmus tests to use when evaluating privacy-oriented products. Today, Henry and I will discuss what frustrates us and what gives us hope in the highly nuanced realm of privacy. Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/ Techl

  • De-Google Your Life (Part 3)

    21/03/2022 Duration: 01h47s

    One of my New Year's resolutions for 2022 is to reduce my Google footprint - to try to de-Google my life as best I can - and hopefully inspire you to do the same. In today's show, I'll talk about replacing Google's many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple's Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won't give it back; Russia has issued a state-sponsored "trusted root CA" that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from y

  • Computer Security Goes Microscopic

    14/03/2022 Duration: 01h01min

    We didn't use to think too much about physical computer security because most computers were safely stored in our homes or businesses. But many people today use laptops which can be lost or stolen while traveling or toting them back and forth to work. Having physical access to a computer makes it much easier for bad guys to hack into them and steal our data. By "sniffing" the data signals on the wires in computer motherboards, bad guys can actually pull out security keys that would allow them to bypass encrypted hard drives and account authentication. To combat this, Microsoft's Pluton project makes this data exfiltration much, much harder by embedding the security circuitry directly into the CPU chip where the "wires" are microscopic and embedded in plastic casings. Tony Chen is a software engineer and security architect in the Microsoft core operating systems team. He was the development lead responsible for Xbox One security that worked with the hardware team and AMD to successfully launch the Xbox On

  • My De-Google Strategy

    07/03/2022 Duration: 01h03min

    As my de-Google project progresses, I realized that I skipped the most important step: reconnaissance. Before you can de-Google your life, you need to first make a list of the Google products and services you interact with - and not all of them have "Google" in their names. Google also owns YouTube, Waze, Nest, Fitbit, Chromebooks, and much more. Furthermore, you need to know and understand what information Google already knows about you. And while you're doing that, you should delete all the existing data and prevent further collection. Thankfully, Google provides several tools to help you do this (most likely due to regulations like GDPR and CCPA). I'll help you create your personal de-Google to-do list. In other news: today I'm launching a massive giveaway promotion to celebrate the 5th anniversary of the podcast!! Also, 100 million Samsung phones shipped with horrible security flaws; Nvidia hackers are pressuring the company to turn off cryptocurrency mining limitations; the (Russian) Conti and TrickBo

  • Securing Your Mobile Device

    28/02/2022 Duration: 01h08min

    Your cell phone is a super computer and phenomenally powerful tracking device. Even George Orwell wouldn't have dreamed that telescreens would be pocket sized and that citizens would willingly carry them 24/7. That one device knows all about you and has access to your most personal and critical information, including contacts, emails, social media, financial accounts, medical information, and much more. Furthermore, these devices are often used to secure our accounts through two-factor authentication. Stealing or cloning someone's mobile phone can have dire consequences. Therefore, it's crucial that we protect it. Today, I'll speak with Haseeb Awan whose company Efani is dedicated to providing secure phones and cell service to its VIP clientele, and we'll get his insights into the security risks and mitigation techniques of the mobile world. Haseeb Awan built one of the first and largest bitcoin ATMs - Bitaccess - which has 8000+ locations in 15 countries. He is also the CEO of Efani, America's most secure

  • De-Google Your Life (Part 2)

    21/02/2022 Duration: 53min

    One of my big goals for 2022 was to minimize my Google footprint. In the last news show, I covered Google Search, Chrome and Android. In today's show, I'll tackle two other big ones: Google's email (Gmail) and calendar (Gcal) services (and Google's contacts, for good measure). I actually replaced Gmail with two different services, because they each address two different needs I have. In other news: Microsoft finally disables Word and Excel macros by default for any file downloaded from the internet; the IRS backs off its requirement for using facial recognition to authenticate to the IRS website; Missouri's prosecutor declines to prosecute the reporter who pointed out a state website which gave away social security numbers for some state employees; Kashmir Hill compares the relative privacy and tracking capabilities of AirTags, Tile and a cheap GPS tracker; two US senators are decrying a newly declassified report of a CIA program that surveils American citizens in bulk; a remote test proctoring company

  • Free & Open Source Software

    14/02/2022 Duration: 01h13min

    You may not know it, but our world has already been basically taken over by free and open source software, or FOSS - specifically, the Linux operating system. Just about every single electronic appliance or device today, from your smartphone to your smart toaster, is running some flavor of the Linux operating system. Furthermore, open source software projects are the bedrock of many for-profit software applications, operating systems, mobile apps and web apps. It's everywhere, and yet you probably know very little about it. Today, Sean O'Brien will give us a little FOSS history lesson, explain why supporting this movement is so important, and even tell us how we might replace some pricey and user-hostile popular software with top-notch free and open alternatives. Sean O’Brien is a lecturer in Cybersecurity at Yale Law School and Chief Security Officer at Panquake.com. He is a Visiting Fellow at the Information Society Project at Yale Law School, where he founded and leads the Privacy Lab initiative. He ha

  • De-Google Your Life

    07/02/2022 Duration: 56min

    One of my New Year's Resolutions for 2022 is to minimize my Google footprint. In reality, it's very difficult to completely avoid Google products, if you include things like Google Analytics, Google's cloud computing, and other services that we may not directly choose. But thankfully, there are many excellent, privacy-respecting alternatives to Google's more well-known products and services. In today's show, I'll start with some of the most basic ones: Google Search, Google Chrome browser, and Android. In other news: Google beats Apple to offering a way to disable insecure 2G cellular connections; people are selling "silent" AirTags that won't beep to let you know they're near (which could be better for stalking people); Facebook reported its first ever loss in subscribers along with a $10 billion loss due to people opting out of ad tracking; privacy advocates scored a huge win in the European Union against advertisers collecting and sharing your data; the IRS may be rethinking its coming requirement for

  • Searching for Privacy

    31/01/2022 Duration: 55min

    We tell our search engines a lot of very personal things. They arguably know more about us than our best friends and significant others do. A history of your search terms can reveal so much about you, especially when viewed over the course of days, months and even years. And unfortunately, companies like Google use this privileged position to better target us with advertisements. This may seem innocuous, but today's guest, Kelly Finnerty, will explain how this data collection can lead to some truly creepy outcomes and even emotional harm. But it doesn't have to be that way. There are search engines and other tools that don't track your history and sell you out. And there is hope for a brighter, privacy-respecting future. Kelly Finnerty is the director of brand for Startpage, a global privacy technology company that provides search and browsing products that protect people's personal data. Kelly is a #techforgood advocate that believes privacy is a worldwide human right. Episode Links Startpage browser ex

  • Building a Privacy-Respecting World

    24/01/2022 Duration: 01h05min

    Personal data privacy isn't going to just happen on its own. We have to somehow collectively construct it. But how? Will it require regulation or can consumers drive change by consciously choosing privacy-respecting products and services? When it comes to regulations, why are things so different in the European Union versus the US and other global markets? What do privacy teams look like in modern corporations and how should they function? I'll pose these and many other questions to my guest, Whitney Merrill, who brings unique experience on privacy from both the private sector and the federal government. Whitney Merrill is a data protection officer, privacy attorney, hacker, and the co-founder of the Crypto & Privacy Village. She loves privacy and is glad the world is getting excited about it, too. Podcast Links Carey’s 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/ Carey’s Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/ Data Privac

  • Data Privacy Week 2022

    17/01/2022 Duration: 56min

    Of course, every week should be "data privacy week", but we do set aside a specific time each year to focus on privacy - particularly educating as many people as possible about it. Until this year, we only dedicated one day for this - but as of 2022, it's been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I'm going to prep you for it with several of my top privacy protection tips! In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit at the United States' request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing driver's biometric information with consent; lawmakers propose legislation to simplify and standardize terms of services agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about with relation to privacy and what they feel should be done about it. Article Lin

  • 2022 New Year’s Resolutions

    10/01/2022 Duration: 01h29min

    It's the start of a brand new calendar year! And therefore it's time to engage in that annual ritual of planning to do better this year by making our list of New Year's Resolutions. To help you with the cybersecurity and privacy items on your list (an area where we all need major improvement), I will share with you my personal list of cyber goals for 2022. Yes, even security advocates can suffer from the "do as I say, not as I do" syndrome. We're all human, and there are plenty of things that I still need to get done - things that you probably need to do, too. I'll also catch you up on the latest security and privacy news: several articles popped up about a supposed data breach at LastPass that turned out to be incorrect; the US Federal Trade Commission is getting very serious about fining companies with lax cybersecurity practices in light of the Log4J/Log4Shell nightmare; clever scammers in Texas are tricking motorists into paying the wrong people for parking; Norton 360 and other antivirus software pack

  • The State of Kids’ Privacy

    03/01/2022 Duration: 01h12min

    Navigating the online world today is hard enough as an adult. But it's way worse for kids. Not only are they short on life experiences that would give them the context they need, but as students during a pandemic, their privacy rights are being sorely tested by new "edtech" apps and services. Today I speak with Jill Bronfman from Common Sense Media about their new report on the state of privacy for kids. Their research is quite comprehensive - and (spoiler alert) the results aren't great. Obviously, this report is helpful for parents, educators and policy makers - but much of what's covered here is useful knowledge for anyone. Jill Bronfman is Privacy Counsel at Common Sense Media and teaches Media Ethics and Privacy Law. Further Info 2021 State of Kid’s Privacy: https://www.commonsensemedia.org/research/state-of-kids-privacy-2021 Common Sense Media: https://www.commonsensemedia.org/ Common Sense Privacy Program: https://privacy.commonsense.org/ Boston COVID in the waste water: https://www.msn.com/en-us/

  • The Best of 2021

    27/12/2021 Duration: 01h07min

    We've come to the end of another year. As we take a breather and gather with family and friends for the holidays, it's a good time to look back over the year that just passed. I've collected a handful of snippets from some of my favorite shows from this year, along with a little commentary. If you're new to the show, you can catch up on some stuff you may have missed. Or if you'd like to introduce someone else to the podcast, this would be a great one to share. You can find all the original, full-length episodes using the links below. Best Of Episodes Ep206, Feb 8 - Troy Hunt, De-Platforming: https://podcast.firewallsdontstopdragons.com/2021/02/08/free-speech-deplatforming/ Ep214, Apr 5 - Phil Zimmermann, Social media is ruining society https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society Ep219, May 10 - Alison Macrina, library freedom https://podcast.firewallsdontstopdragons.com/2021/05/10/protecting-intellectual-freedom-part-1/ Ep232, Aug 9 - DEFCON - under

  • The Log4Shell Debacle

    20/12/2021 Duration: 01h19min

    The internet is on fire this week. The worst cybersecurity vulnerability of the last ten years (and perhaps more) has kicked the internet ant hill. Companies around the globe - big and small - are scrambling to repair a gaping hole in a ridiculously mundane but widely popular open source tool called Log4J. What is it and what does it mean for you? I'll get into all of that today. In other news: many popular wireless home routers are riddled with security bugs (update your firmware now); family "safety" app Life360 is selling your detailed location data; Consumer Reports released a comprehensive report on VPN security and privacy; Firefox just got a lot more secure; LastPass is once again an independent company; Apple released a lot of cool security and privacy features for iOS and macOS; and Verizon just opted you into a program for tracking you - and how you can opt out. (I'll touch on T-Mobile and AT&T tracking, too.) Article Links Op-Ed: What a house cat can teach us about cybersecurity https://ww

  • End Run Around Your Rights

    13/12/2021 Duration: 55min

    The rampant collection and sharing of personal data is not just a creepy nuisance. Surveillance capitalism has actually had seriously deleterious effects on society and democracy. In the United States, we have certain rights enshrined in the Constitution that are supposed to protect citizens against unreasonable search and seizure. Law enforcement and intelligence agencies are supposed to have to jump through some non-trivial legal hoops in order to access our personal data. But with a massive market for gathering and correlating your location, purchase history, web surfing habits, search history, and more, it's become trivial to circumvent these pesky road blocks by just buying the information from data brokers. In an important and landmark report from the Center for Democracy and Technology, the end run around our supposed rights has become frighteningly clear. Today I speak with Dhanaraj Thakur about this report and what it means for our democracy. Dhanaraj Thakur is Research Director at the Center for
