Firewalls Don't Stop Dragons Podcast

The holiday gift-giving season is upon us – and therefore it’s time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I’ve got some top tips for how to shop for privacy-respecting, security-protecting products! I’ve even got some ideas for free and helpful stocking stuffers. In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children’s tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing ‘staggering’ amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU. Article Links [The Hacker News] FCC Enforces Stronger Rules to Protect Customers Against SIM Swapping Attacks https://thehackernews.com/2023/11/fcc-enforces-stronger-rules-to-protect.html [TechCrunch] Children’s tablet has malware and exposes kid’s data, researcher finds https://techcrunch.com/2023/11/16/childrens-tablet-has-malware-and-exposes-kids-data-researcher-finds/ [BleepingComputer] PJ&A says cyberattack exposed data of nearly 9 million patients https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/ [8newsnow.com] Hackers target Las Vegas plastic surgeons, post patient information, naked photos online https://www.8newsnow.com/investigators/hackers-target-las-vegas-plastic-surgeons-post-patient-information-naked-photos-online/ [Ars Technica] Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing https://arstechnica.com/tech-policy/2023/11/data-brokers-staggering-sale-of-sensitive-info-exposed-in-unsealed-ftc-filing/ [bitwarden.com] Bitwarden launches passkey management https://bitwarden.com/blog/bitwarden-launches-passkey-management/ [Electronic Frontier Foundation] Article 45 Will Roll Back Web Security by 12 Years https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/  Further Info Give Thanks!: https://firewallsdontstopdragons.com/give-thanks-donate/  Consumer Reports Naughty List: https://foundation.mozilla.org/en/privacynotincluded/articles/our-longest-naughty-list-ever-the-2023-holiday-buyers-guide-is-here/  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: News run-down 0:03:18: FCC Enforces Stronger Rules to Protect Against SIM Swapping 0:06:39: Children’s tablet has malware and exposes kid’s data 0:11:22: Cyberattack exposed data of nearly 9 million patients 0:15:16: Hackers target plastic surgeons, post patient info, naked photos online 0:22:37: Data broker’s “staggering” sale of sensitive info exposed in unsealed FTC filing 0:27:10: Bitwarden launches passkey management 0:30:45: Article 45 Will Roll Back Web Security by 12 Years 0:39:00: Best & Worst Gifts for 2023 0:42:38: The Naughty List 0:47:50: The Nice List 0:59:14: Give thanks! 1:00:03: FDSD Merch sale! 1:00:25: Upcoming shows & promotion

Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but are often used to abuse or stalk adult partners or ex-lovers. Today I’ll discuss the state of these malicious apps, ways to protect our smartphones and even detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole. Interview Notes iVerify app: https://www.iverify.io/consumer xkcd “Security” cartoon: https://xkcd.com/538/  Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:38: Interview setup 0:03:08: How does iVerify work and why did you create it? 0:07:10: What sort of people need protection like iVerify? 0:11:07: How do you know that you can trust a security app? 0:14:54: What do MDM profiles do to my phone? Is it reversible? 0:20:37: How dangerous are third-party app stores, compared to Apple/Google? 0:27:37: If an app I’ve installed is pulled from the app store, will I be notified? 0:28:50: How hard is it today to jailbreak a phone? 0:31:49: How do you tell if a phone has been hacked? 0:33:21: Can you detect if an app has escaped its sandbox? 0:38:09: What is the marketplace like for spyware? 0:41:36: Are phones getting harder to hack? 0:44:16: Is it possible to detect or prevent hacking via physical access? 0:49:11: How do Apple and Google phones compare on security? 0:52:08: How does Apple’s Lockdown Mode work? 0:54:47: Should governments outlaw the sale of mercenary spyware? 1:01:10: Should governments hoard 0-days or disclose them? 1:03:31: What are your top security tips for regular users? 1:05:44: What’s next for iVerify? 1:07:28: Wrap-up

The podcast discusses the risks and privacy concerns of connecting devices to the internet. It highlights recent security breaches and privacy issues with services like 1Password and genetic testing companies. The chapter also explores cybercriminal tactics, ad-blocking wars on YouTube, and the importance of contact key verification in iMessage. The podcast concludes with a discussion on the privacy concerns of cellular modems in IoT devices and the lack of control users have over their data.

What happened to the internet? It had so much promise. Social media and search results are full of stuff we never wanted to see. Surveillance capitalism is monetizing our most private information to serve us so many ads that we can never seem to consume the actual content. And if we’re all so unhappy with the incumbents, where are the competitors offering better service? Cory Doctorow helps us understand how the internet got so crappy and what we can do to fix it. Cory Doctorow is a science fiction author, activist, journalist and blogger at the site Pluralistic. He has written a bunch of great books, both fiction and non, including Little Brother, Red Team Blues and Chokepoint Capitalism. Interview Notes TikTok’s Ensh*tification: https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys  Cory’s blog: https://pluralistic.net/ Cory at DEF CON 31: https://www.youtube.com/watch?v=rimtaSgGz_4  The Internet Con: https://craphound.com/category/internetcon/  Chokepoint Capitalism: https://chokepointcapitalism.com/  Red Team Blues: https://craphound.com/category/novels/redteamblues/   Saving the News from Big Tech: https://www.eff.org/deeplinks/2023/04/saving-news-big-tech  Tracking Exposed: https://tracking.exposed/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:55: Defining some terms 0:03:57: Swear warning 0:04:25: What have you been up to since we last had you on the show? 0:07:58: What is ensh*tification? How does it work? 0:18:26: Have any companies actually completed the ensh*tification cycle? 0:22:36: Do we have concrete examples of interoperability breaking this cycle? 0:29:07: What percentage of oday are not what we asked for? 0:37:04: What happens to DRM’d content when the licencing company goes away? 0:39:19: How can we reverse engineer these algorithms? 0:41:04: How is social media promotion like a big carnival teddy bear? 0:44:28: Whatever happened to the Amazon Smile program? 0:45:58: What do you mean by the End-to-End Principle? 0:51:53: Isn’t ensh*tification just a natural result of modern capitalism? 0:54:02: Doesn’t capitalism require rules (aka regulations)? 0:57:18: So what are the solutions? How do we fix the internet? 1:02:46: Did we undermine antitrust by lowering the bar of consumer harm? 1:04:25: What can we do to help, as consumers and citizens? 1:07:06: Wrap-up 1:07:50: Looking ahead

Email is old and was never built for security and privacy. Thankfully there are several modern secure email services. My personal favorite is Proton Mail and I’ll explain to you today why you should really give it a try. I will also (finally) answer several interesting “Dear Carey” questions from listeners. In other news: If you use WinRAR, you need to update right away; hackers are targeting a company that brokers Emergency Data Requests between law enforcement and Big Tech companies; Google is forced to reveal user search history in a CO court case; Google is making passkeys the default, but you may want to wait; EFF asks MasterCard to stop selling our data; and Bruce Schneier has an insightful article around the rather heated discussions over the benefits and dangers of artificial intelligence. Article Links [Gizmodo] You Need to Update WinRAR, Right Now https://gizmodo.com/you-need-to-update-winrar-right-now-1850939201 [404media.co] Hackers Target Company That Vets Police Data Requests for Tech Giants https://www.404media.co/hackers-target-kodex-accounts-edrs/ [TechSpot] Google forced to reveal user search history in Colorado court ruling https://www.techspot.com/news/100529-google-forced-reveal-users-search-queries-colorado-court.html [blog.google] Passwordless by default: Make the switch to passkeys https://blog.google/technology/safety-security/passkeys-default-google-accounts/ [Electronic Frontier Foundation] Mastercard Should Stop Selling Our Data https://www.eff.org/deeplinks/2023/10/mastercard-should-stop-selling-our-data [Schneier Blog] AI Risks https://www.schneier.com/blog/archives/2023/10/ai-risks.html Tip of the Week: Try Proton https://firewallsdontstopdragons.com/its-time-to-try-proton/  Further Info De-Googling Your Life: https://firewallsdontstopdragons.com/reducing-my-google-footprint/  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:12: News rundown 0:02:38: You Need to Update WinRAR, Right Now 0:05:10: Hackers Target Company That Vets Police Data Requests for Tech Giants 0:11:22: Google forced to reveal user search history in Colorado court ruling 0:15:59: Google: Passwordless by default 0:21:48: EFF: Mastercard Should Stop Selling Our Data 0:25:59: Bruce Schneier: AI Risks 0:33:12: Mailbag!! 0:42:28: Tip of the Week: Try Proton 0:54:25: Wrap up, look ahead

There are several privacy-focused services available today. And the products we use have a dizzying array of privacy and security settings. How do you know which products you need and which vendors you can trust? How do you know which protections you need and which ones you don’t? It comes down to understanding your personal threat model. We each have different things to protect and different consequences for failure. Today I’ll speak with Andy Yen, CEO and founder of Proton, to help us figure out what we need. Interview Notes Proton Sentinel: https://proton.me/blog/sentinel-high-security-program  Privacy Decrypted #1: https://proton.me/blog/what-is-a-threat-model?ref=instantsearch  Private from Everyone (But Us):  https://podcast.firewallsdontstopdragons.com/2022/04/25/private-from-everyone-but-us/ Security Planner (threat model tool): https://innovation.consumerreports.org/initiatives/security-planner/  Ars Technica threat model series: https://arstechnica.com/features/2021/10/securing-your-digital-life-part-1/  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:03: Show preview0:01:44: Delete Act passes0:02:36: What new at Proton since we last spoke?0:07:00: How do you determine your personal threat model?0:09:21: How does Proton decide which threat models to address?0:13:40: How do you learn about all the possible security settings?0:15:37: How do you know which companies and products you can trust?0:18:11: How should VC money and buyouts affect our trust?0:22:30: What should tech reviewers be focusing on with privacy products?0:26:24: How important is a company’s location for privacy?0:28:47: Are technological solutions sufficient to protect our data?0:30:22: Has Proton received any pressure from governments to weaken privacy?0:33:27: Does Proton actively market to government officials?0:34:43: How can larger companies protect against insider threats?0:37:05: What’s your take on the LastPass breach?0:41:32: What is Proton Sentinel and who is it for?0:46:09: Will Sentinel be able to scale?0:47:31: Proton asks Sentinel users for personal information – is that safe?0:51:04: Can you share any specific Sentinel success stories?0:53:39: What other features would you like to add to Proton?0:58:30: Wrap-up1:00:11: Look ahead

Guest Nick Oles discusses recognizing and reporting phishing during national Cybersecurity Awareness Month. Other topics include malware-infected Android TV boxes, a data breach at 23andMe, illegal use of smartphone location data by US agencies, Meta's ad-free plans for Facebook and Instagram, FBI warnings about phantom hacker scams, Microsoft's AI tool that clones voices, the importance of upgrading to Windows 10, FCC's net neutrality plans, turning off Google's tracking system, and a new app from Consumer Reports for deleting personal data.

The weakest link in most cybersecurity systems is you – that is, human beings. And one of the primary ways that people are tricked into infecting their devices (and potentially then threatening other devices on the network) is through phishing. We’ve all seen the Nigerian Prince scams, but with AI tools like ChatGPT, scam emails are going to get a lot harder to spot. On today’s show, author and cybersecurity expert Nick Oles will teach us how to recognize phishing emails, introduce us to tools for detecting and protecting against phishing, and detail other techniques for defending against these sorts of attacks. All of this is just a taste of the top notch advice contained in his new book, “How to Catch a Phish”. Interview Notes How to Catch a Phish: https://www.amazon.com/How-Catch-Phish-Practical-Detecting/dp/1484293606  Win a free copy!! https://fdsd.me/catchaphish  Nick Oles on LinkedIn: https://www.linkedin.com/in/nick-o-8b5b6349/ National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month  Virustotal URL scanner: https://www.virustotal.com/gui/home/url  URLscan.io: https://urlscan.io/ SANS PICERL Incident Response model (PDF): https://www.sans.org/media/score/504-incident-response-cycle.pdf  Malwarebytes personal: https://www.malwarebytes.com/getprotection  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:45: Patron book club update0:02:11: Nat’l Cybersecurity Awareness Month0:02:48: What drove you to write the book?0:06:57: What really happens behind the scenes when I send an email?0:13:37: What are email headers and why would I want to look at them?0:17:13: How are email senders spoofed and can we prevent this?0:23:35: Do email clients have indicators for vetted senders?0:25:40: What is phishing and how can we recognize it?0:32:06: How has phishing evolved over the years?0:37:01: What are spearphishing and business email compromise?0:40:24: Do spam filters help at all with phishing emails?0:42:50: How do I know if I can trust any link or URL in an email?0:48:34: Are web email clients safer than dedicated email apps?0:51:35: How can we know which email attachments are safe to open?0:54:48: If I accidentally click a bad link or attachment, what then?0:59:11: How will AI impact phishing campaigns?1:01:13: Are things getting better or getting worse?1:04:08: Interview wrap-up1:07:44: Book giveaway details

Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I’ll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loves ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others. In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too difficult to use. Article Links [MakeUseOf] Update Everything: This Critical WebP Vulnerability Affects Major Browsers and Apps https://www.makeuseof.com/critical-webp-vulnerability-affects-major-browsers-apps/ [Consumer Reports] Credit Bureaus Equifax, Experian, and TransUnion Announce Permanent, Free Weekly Access to Credit Reports https://www.consumerreports.org/money/credit-scores-reports/credit-bureaus-permanent-free-weekly-credit-report-access-a2226546788/ [proton.me] Introducing Proton CAPTCHA https://proton.me/blog/proton-captcha [The Washington Post] FTC consumer protection chief puts data brokers on notice https://www.washingtonpost.com/politics/2023/09/21/ftc-consumer-protection-chief-puts-data-brokers-notice/ [briankrebs] LastPass: ‘Horse Gone Barn Bolted’ is Strong Password https://krebsonsecurity.com/2023/09/lastpass-horse-gone-barn-bolted-is-strong-password/ [ZDNet] Why you can still trust (other) password managers, even after that LastPass mess https://www.zdnet.com/article/why-you-can-still-trust-other-password-managers-even-after-that-lastpass-mess/ [The Verge] ‘Hyundai Pay’ is the latest effort by car companies to make in-car payments a thing https://www.theverge.com/2023/9/6/23861412/hyundai-pay-parkopedia-in-car-payment [theprivacydad.com] Privacy Tools Are Not Worth the Hassle https://theprivacydad.com/privacy-tools-are-not-worth-the-hassle/ [TechCrunch] iOS 17 includes these new security and privacy features https://techcrunch.com/2023/09/18/ios-17-includes-these-new-security-and-privacy-features/ Tip of the Week: iOS 17 Security & Privacy: https://firewallsdontstopdragons.com/ios-17-security-privacy/ Further Info Secure Your Home Network article series: https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/   Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:27: Delete Act update 0:00:59: BSides RDU 0:01:54: News rundown 0:04:20: Critical WebP Vulnerability Affects Major Browsers and Apps 0:12:22: Credit Bureaus Announce Permanent, Free Weekly Access to Credit Reports 0:17:24: Introducing Proton CAPTCHA 0:22:07: FTC consumer protection chief puts data brokers on notice 0:26:19: LastPass requiring users to create longer passwords 0:32:58: Why you can still trust (non-LastPass) password managers 0:43:01: ‘Hyundai Pay’ in-car payments coming 0:45:38: “Privacy Tools Are Not Worth the Hassle” 0:54:57: Tip of the Week: iOS 17 security & privacy features 1:01:25: Send me your Dear Carey questions 1:02:29: Looking ahead

When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that they were in – even just in the background. And if those pictures were associated with a social media profile, we could identify the owner of the face along with their friends and family – all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book “Your Face Belongs to Us”. Interview Notes Your Face Belongs to Us: https://www.kashmirhill.com/book  Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition  Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests  FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endritrestelica_ai-tech-activity-7098293527951851520-Mejy/ PimEyes: https://pimeyes.com/  Fawkes masking tool: https://sandlab.cs.uchicago.edu/fawkes/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: Tell us about your beat at the New York Times 0:02:17: What is the Clearview app and what does it do? 0:05:12: How did you come to write about Clearview AI? 0:07:40: What happened when you first investigated this company? 0:11:46: How did Clearview AI obtain all these images of our faces? 0:14:24: Why are privacy advocates calling for a ban on this technology? 0:16:36: Do the makers of Clearview appreciate the privacy implications of their tool? 0:18:56: How did 9/11 influence our views on surveillance technology? 0:22:33: Who has access to the Clearview app? 0:24:14: How do we know who is using this tool? 0:25:22: How has Clearview tried to win approval for this tool? 0:27:37: What’s to stop others from copying this technology? 0:31:05: Wasn’t Clearview used to ban lawyers from venues in NYC? 0:33:13: Didn’t Illinois sue Clearview AI and win? 0:34:09: Where else is facial recognition being used today? 0:38:05: How often is FRT used in solving crimes in the US? 0:41:26: What about cases where FRT identifies the wrong person? 0:43:23: How accurate are these tools? What causes them to fail? 0:45:59: How accurate is Clearview compared to other tools? 0:47:02: How well does Clearview deal with facial hair, masks, etc? 0:50:01: What can we do to protect our faces online? 0:52:33: How well can Clearview pick out faces in the background? 0:54:41: What’s the future of privacy in a world full of cameras? 0:56:24: What can we do to rein in abuse of FRT? 0:58:00: Wrap up and a look ahead