Firewalls Don't Stop Dragons Podcast

Have you noticed Google getting really pushy lately with offers to "sign in with Google"? You're not alone. Many websites offer the ability to create a free account so that you can "personalize your experience", but lately Google has been popping up an very annoying window to prompt you to create this account by signing in with your Google account. First of all, you almost never need to create an account to view the site. But second, even if you do want to create an account, you shouldn't be linking that account with Google. You're creating a data sharing arrangement that is completely unnecessary and not in your best interests. I'll explain how to block these irritating popups (and many like them) for good. In other news: 1Password was not hacked, but recent messages might have worried you; new macOS malware stealer app; five things scammers hope you search for; Microsoft Edge is recording your web surfing data; Windows 10 will never receive another feature update; Microsoft is rewriting core Windows software in a memory-safe language; study claims 83% of passwords can be hacked in one second; Google adds support for passkeys; Apple issues first Rapid Security Response with confusing messages; NYPD hands out 500 free AirTags to combat auto thefts; Apple and Google partner on industry spec to thwart unwanted tracking devices; Google adds cloud backup for 2FA without end-to-end encryption; Amazon Clinic requires you to sign away privacy rights; Washington State pass health data privacy law; my take on recent efforts to undermine encryption and restrict access to social media. Article Links [Digital Trends] No, 1Password wasn’t hacked – here’s what really happened https://www.digitaltrends.com/computing/1password-secret-keys-not-hacked/ [9to5mac.com] PSA: ‘Atomic macOS Stealer’ malware can compromise iCloud Keychain passwords, credit cards, crypto wallets https://9to5mac.com/2023/04/28/atomic-macos-stealer-malware-steal-passwords/ [Lifehacker] Five Things Scammers Are Hoping You Google https://lifehacker.com/five-things-scammers-are-hoping-you-google-1850405964 [The Verge] Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy [Lifehacker] Microsoft Will Never Update Windows 10 Again (But You Can Keep Using It) https://lifehacker.com/microsoft-will-never-update-windows-10-again-but-you-c-1850386188 [theregister.com] Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/ [9to5mac.com] Study reveals top 20 most used passwords; 83% can be cracked in a second https://9to5mac.com/2023/05/02/most-used-passwords-report/ [The Hacker News] Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html [AppleInsider] Apple issues Rapid Security Response update for iOS 16.4.1, macOS 13.3.1 https://appleinsider.com/articles/23/05/01/apple-issues-rapid-security-response-update-for-ios-1641-macos-1331 [AppleInsider] New York hands out 500 AirTags in car theft crackdown https://appleinsider.com/articles/23/05/01/new-york-hands-out-500-airtags-in-car-theft-crackdown [Apple] Apple, Google partner on an industry specification to address unwanted tracking https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/ [Gizmodo] Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102 [The Washington Post] To become an Amazon Clinic patient, first you sign away some privacy https://www.washingtonpost.com/technology/2023/05/01/amazon-clinic-hipaa-privacy/ [The Verge] Washington passes law requiring consent before companies collect health data https://www.theverge.

There's a big difference between mass surveillance and targeted surveillance based on a court-approved, limited-scope search warrant. But advances in technology have made warrant-less, dragnet surveillance exceptionally easy and stunningly effective. Local law enforcement agencies have deployed several types of surveillance systems in our communities, but have strongly resisted calls for transparency and oversight. Furthermore, police have simply bypassed the need for a warrant and pesky Fourth Amendment rights by just buying surveillance data from private companies. My guests today - Albert Fox Cahn and Evan Enzer, from the Surveillance Technology Oversight Project (S.T.O.P.) - will explain what's going on, why it's a danger to our privacy rights and democratic principles, and what we can do to fix it. Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/  STOP on Twitter & TikTok: @STOPSpyingNY Donate to S.T.O.P.  https://www.stopspying.org/donate  STOP Trojan House report: https://www.stopspying.org/the-trojan-house  Public Oversight of Surveillance Technology (POST) Act: https://www.nyc.gov/site/nypd/about/about-nypd/policy/post-act.page  Community Control of Police Surveillance (CCOPS): https://www.eff.org/issues/community-control-police-surveillance-ccops  Electronic Frontier Alliance: https://www.eff.org/fight  EFF’s Atlas of Surveillance: https://atlasofsurveillance.org/  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:33: Interview setup 0:03:26: What is the Surveillance Technology Oversight Project? 0:07:57: What are the most common mass surveillance technologies? 0:10:15: How does Shot Spotter work and what are the dangers? 0:13:02: Do these technologies actually reduce crime? 0:14:38: Is law enforcement required to disclose info on these systems? 0:17:35: How transparent is the funding around these projects? 0:19:21: Who has access to this surveillance data? 0:21:20: 9/11 revealed a lack of data sharing - what's the right balance? 0:22:42: Is privately obtained surveillance data subject to 4th Amendment rights? 0:23:53: What is the "third party doctrine" and how does it apply here? 0:26:15: How does purchased data differ from data obtained via warrant? 0:27:56: How does the practice of "parallel construction" work? 0:29:22: What is my legal right to privacy when in public spaces? 0:31:09: What are my legal rights to "surveil" law enforcement? 0:32:44: How are police using copyright law to curtail video taping? 0:34:13: Who watches the watchers? Is there any oversight of mass surveillance? 0:36:52: How do you uncover surveillance use and abuse? 0:38:45: How can we mitigate consumer surveillance tech? 0:41:53: Are there any tools or techniques to mitigate public surveillance? 0:46:22: What's the solution here? How do we rein in mass surveillance? 0:50:06: How can people get involved in the fight against mass surveillance? 0:51:51: Interview wrap-up 0:54:51: Looking ahead

Our smartphones have become indispensable tools for our daily lives - so seeing that dreaded red battery indicator can induce some serious anxiety. But before you jack your phone into some public USB charging port, think twice. Those USB connections can pass data as well as power, and it's actually possible to hack your phone using those ubiquitous and innocent-looking ports. Is this common? Probably not. But it's also very easy to avoid. I'll give you several tips for staying safe, particularly while traveling. In other news: Mullvad VPN was subjected to a search warrant (but had no data to give up); Proton has announced that it has created a password manager; YubiCo is merging with another company and going public; Facebook probably owes you some money; Apple HomePods can tell you if your house is on fire; one of several Israeli spyware makers is shutting down; the US and several partner countries are urging device makers to adopt Security by Design principles; hackers use fake Chrome updates to install malware; the much-hyped Florida water treatment plant hack wasn't really a hack; clever thieves are stealing modern cars through headlamp connectors; and health care portal check-in vendors are tricking patients into allowing them to monetize very sensitive health data. Article Links [mullvad.net] Mullvad VPN was subject to a search warrant. Customer data not compromised https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised/ [proton.me] Proton Pass is now in beta https://proton.me/blog/proton-pass-beta [yubico.com] Yubico is merging with ACQ Bure: merged company intends to go public on Nasdaq First North Growth Market in Stockholm https://www.yubico.com/blog/yubico-is-merging-with-acq-bure/ [Lifehacker] Facebook Probably Owes You Money https://lifehacker.com/facebook-probably-owes-you-money-1850350640 [MacRumors] HomePod Can Now Alert You If Your Smoke Alarm Goes Off https://www.macrumors.com/2023/04/18/homepod-alert-smoke-alarm/ [The Hacker News] Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose https://thehackernews.com/2023/04/israeli-spyware-vendor-quadream-to-shut.html [cisa.gov] U.S. and International Partners Publish Secure-by-Design and -Default Principles and Approaches    https://www.cisa.gov/news-events/news/us-and-international-partners-publish-secure-design-and-default-principles-and-approaches [Tom's Guide] Hackers are using fake Chrome updates to spread malware — don’t fall for this https://www.tomsguide.com/news/hackers-are-using-fake-chrome-updates-to-spread-malware-dont-fall-for-this  [VICE] Much-Hyped Water Plant Hack Wasn't a Hack, Was Actually User Error, Official Says https://www.vice.com/en/article/y3wddv/much-hyped-water-plant-hack-wasnt-a-hack-was-actually-user-error-official-says [theregister.com] CAN do attitude: How thieves steal cars using network bus https://www.theregister.com/2023/04/06/can_injection_attack_car_theft/ [statnews.com] I declined to share my medical data with advertisers at my doctor’s office. One company claimed otherwise https://www.statnews.com/2023/04/07/medical-data-privacy-phreesia/ Tip of the Week: How to Avoid Juice Jacking https://firewallsdontstopdragons.com/how-to-avoid-juice-jacking/ Further Info Facebook settlement form: https://www.facebookuserprivacysettlement.com/#submit-claim  CISA Secure by Design, Secure by Default: https://www.cisa.gov/securebydesign  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.

As cybersecurity experts love to say, the "S" in "IoT" stands for security... meaning there is none. I've seen estimates that say there were almost 30 billion IoT devices on the internet in 2022. I have dozens of them on my home network alone. Each of these devices contains at least one computer, which is running potentially hackable software. And because these devices have internet connections, they are vulnerable to cyber attacks from anywhere on the planet. Today I'll ask Bill Niefert from Corellium how IoT devices differ from regular computers, how secure they are, what the risks are of insecure smart devices, and how we can make them better. Interview Notes Corellium: https://www.corellium.com/  Interesting IoT statistics: https://techjury.net/blog/internet-of-things-statistics/  Raspberry Pi: https://www.raspberrypi.org/  Fun RPi projects: https://www.pcworld.com/article/420028/10-practical-raspberry-pi-projects-anyone-can-do.html  Matter IoT standard: https://en.wikipedia.org/wiki/Matter_(standard)  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:40: Interview terminology preview 0:04:49: Tell us about Corellium and what you do there 0:09:34: What is an ARM processor? 0:12:23: How do IoT devices compare to regular computers? 0:16:03: How do you design for security in cheap, slow IoT devices? 0:20:10: Are IoT devices fundamentally more hackable than regular computers? 0:25:07: Does your home Wi-Fi router adequately shield IoT devices from hacking? 0:28:31: Should you put IoT devices on your guest network? 0:34:35: What are the real-world dangers of having compromised IoT devices? 0:37:34: What is the new Matter IoT framework all about? 0:43:47: Does the Matter standard come with improved cybersecurity? 0:45:30: What are the privacy concerns for IoT devices? 0:53:19: Should IoT manufacturers be held liable for security failures? 0:58:18: Wrap-up 0:59:16: What is a Raspberry Pi and what can I do with it? 1:01:25: Matter security and privacy 1:02:16: Bonus content

Right after releasing my episode on web fingerprinting, highly-respected VPN provider Mullvad teamed up with Tor to release a new web browser, specifically designed to protect your privacy - including attempting to block fingerprinting! Great timing, so I thought I'd give you my review of the Mullvad Browser - the good, the bad, and (yes) the ugly. In other news: Timely tips on spotting IRS phone scams; ultrasound attacks can hijack your smart speakers; brace yourself for a wave of more sophisticated AI-based scams; alcohol recover startups shared patients' data with advertisers; Google to require app developers to let you delete your account data; FBI's Operation Cookie Monster shuts down popular cybercrime forum; Facebook will grudgingly offer users in Europe to opt out of all tracking; the FDA is requiring medical device manufacturers to improve cybersecurity and support; and I answer a Dear Carey question about how to use a Mac mini as a server to host private versions of cloud apps. Article Links [NPR] No, the IRS isn't calling you. It isn't texting or emailing you, either https://www.npr.org/2023/04/07/1168353969/irs-scam-tax-day-imposter-how-to-avoid [Gizmodo] Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers, Researchers Find https://gizmodo.com/ultrasound-attack-hacks-phones-siri-alexa-usenix-1850273055 [WIRED] Brace Yourself for a Tidal Wave of ChatGPT Email Scams https://www.wired.com/story/large-language-model-phishing-scams/ [TechCrunch] Alcohol recovery startups Monument and Tempest shared patients’ private data with advertisers https://techcrunch.com/2023/04/04/monument-tempest-alcohol-data-breach/ [Engadget] Google will require that Android apps let you delete your account and data https://www.engadget.com/google-will-require-that-android-apps-let-you-delete-your-account-and-data-170618841.html [CNN] ‘Operation Cookie Monster’: FBI seizes popular cybercrime forum used for large-scale identity theft https://www.cnn.com/2023/04/04/politics/genesis-market-fbi-seizure/index.html [BGR] Facebook and Instagram users can now opt out of tracking, but only in Europe https://bgr.com/tech/facebook-and-instagrams-users-can-now-opt-out-of-tracking-but-only-in-europe/ [scmagazine.com] FDA will refuse new medical devices for cybersecurity reasons on Oct. 1 https://www.scmagazine.com/news/device-security/fda-will-refuse-new-medical-devices-for-cybersecurity-reasons-on-oct-1 Tip of the Week: Mullvad Browser https://firewallsdontstopdragons.com/new-privacy-tool-mullvad-browser/ Further Info Watchman Privacy interview: https://www.youtube.com/watch?v=fByagxDetVI  Using ultrasound to drive away teens: https://www.today.com/news/controversial-mosquito-sonic-devices-deter-young-people-high-pitched-sounds-t157801  Train Siri to recognize your voice: https://support.apple.com/en-us/HT204753  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gift of privacy and security: https://fdsd.me/coupons  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:22: Important software updates 0:01:13: Watchman Privacy interview 0:01:44: News preview 0:04:38: Beware IRS phone scams 0:09:42: New ultrasound attacks against digital assistants 0:17:51: Brace yourself for AI-enhanced email scams 0:27:45: Alcohol recovery startups shared patients' private data with advertisers 0:30:28: Google will require that Android apps delete your account and data 0:35:00: FBI Operation Cookie Monster shuts down popular...

On today's show, I'll take you behind the scenes of not one, not two, but three different privacy websites. I ask Nate from The New Oil and Niek from Privacy Guides how they deal with being a public figures advocating for privacy, how they set their personal standards for privacy products, and how they cope with people and product makers who complain about their recommendations (or lack thereof). I ask them about some favorite products that they've had to remove from their recommended lists and where they go to keep up to date on privacy topics and products. Finally, I ask them what gives them hope about the future of privacy and what keeps them up at night. Interview Notes The New Oil: https://thenewoil.org/  Privacy Guides: https://www.privacyguides.org/ Techlore: https://techlore.tech/  Panopticon: https://en.wikipedia.org/wiki/Panopticon Naomi Brockwell on VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/ Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:02: Transcriptions coming! 0:04:25: Introductions 0:05:55: As a private person, what's it like putting yourself out there? 0:09:13: How do you handle the haters? 0:12:09: How do you keep up to date on privacy and related products? 0:15:29: How often have you had to reverse product recommendations? 0:20:33: How do you set the threshold for how private a product should be? 0:26:10: Where do YOU go to learn about privacy products and topics? 0:31:19: A little humility goes a long way 0:33:25: Choosing a good VPN provider 0:37:44: Should people use antivirus software? If so, which ? 0:40:57: How do you set and enforce your product recommendation criteria? 0:47:27: Do you think your standards help to improve the market? 0:49:08: What gives you hope about the future? And what keeps you up at night? 0:55:10: What can I do to further the cause of privacy? 0:59:05: Interview wrap-up 1:00:32: Dear Carey: Top privacy guidelines and topics for discussion?

Marketers are desperately trying to follow us as we traverse the web. Tracking where we go and what we do allows them to better target us with ads. Browsers have built in protections to block older tracking techniques like cookies and tracking pixels, and so ad companies have had find new methods for identifying us across websites. Unfortunately, they've settled on a technique that is extremely difficult to defeat: fingerprinting. I'll explain what is, how it works, and what you can do to mitigate it. In other news: Google is warning Android users to update their devices right away in order to fix some truly nasty bugs; hackers are using malicious Chrome extensions to read your Gmail and potentially hack your Android device; popular fertility apps are collecting ridiculous amounts of highly personal data and sharing it with partners; scammers are using AI to simulate voices of people you know to steal your money; CISA has launched a great new ransomware vulnerability pilot program; I'll tell you why you should opt out of sharing your data with your mobile service provider; America's threatening to ban TikTok but this won't fix the real problem; the IRS is supposed to be moving away from ID.me authentication. Article Links [Naked Security] Dangerous Android phone 0-day bugs revealed – patch or work around them now! https://nakedsecurity.sophos.com/2023/03/17/dangerous-android-phone-0-day-bugs-revealed-patch-or-work-around-them-now/ [Tom's Guide] Hackers are stealing Gmail messages — delete this extension right now https://www.tomsguide.com/news/hackers-are-stealing-gmail-messages-delete-this-extension-right-now [The Conversation] Popular fertility apps are engaging in widespread misuse of data, including on sex, periods and pregnancy https://theconversation.com/popular-fertility-apps-are-engaging-in-widespread-misuse-of-data-including-on-sex-periods-and-pregnancy-202127 [consumer.ftc.gov] Scammers use AI to enhance their family emergency schemes https://consumer.ftc.gov/consumer-alerts/2023/03/scammers-use-ai-enhance-their-family-emergency-schemes [cisa.gov] CISA Establishes Ransomware Vulnerability Warning Pilot Program https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program [briankrebs] Why You Should Opt Out of Sharing Data With Your Mobile Provider https://krebsonsecurity.com/2023/03/why-you-should-opt-out-of-sharing-data-with-your-mobile-provider/ [The Washington Post] America’s online privacy problems are much bigger than TikTok https://www.washingtonpost.com/technology/2023/03/24/tiktok-online-privacy-laws/ Dear Carey: IRS plans to approve use of Login-dot-gov as Tax Day nears https://www.fcw.com/it-modernization/2023/03/plans-approve-use-login-dot-gov-tax-day-nears/383934/  Tip of the Week: https://firewallsdontstopdragons.com/how-to-block-web-fingerprinting/  Further Info Syncthing: https://syncthing.net/  KeePassXC: https://keepassxc.org/  IP address black list check: https://whatismyipaddress.com/blacklist-check  EFF on TikTok: https://www.eff.org/deeplinks/2023/03/government-hasnt-justified-tiktok-ban Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:49: Local password vault sync solution 0:05:07: News preview 0:06:47: Dangerous Android Baseband Bugs Patched 0:18:19: Hackers stealing Gmail messages via browser plugin 0:22:29: Popular fertility apps are engaging in widespread misuse of data

If for some reason you haven't started using a password manager yet, it's time to make the move. But how can you trust all these important secrets to some unknown company? How can you be sure that your password vault will be safe in a cloud-based service? And finally, how do you figure out which service is best for you? Today I'll ask Kasey Babcock from Bitwarden all those questions. We'll also talk about two-factor authentication and newer "passkeys" technology, Argon2 vs PBKDF2, and even how you might self-host a solution like Bitwarden if you want to have full control. Kasey Babcock is a Product Marketing Manager at Bitwarden, and she has many years of experience working at software start-ups in the cybersecurity and project portfolio management industries, working with product and engineering teams to communicate meaningful cybersecurity information and product updates. Interview Notes Bitwarden Personal: https://bitwarden.com/products/personal/  Bitwarden Secrets Manager: https://bitwarden.com/products/secrets-manager/  Bitwarden blog article: https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:02: Pre-interview notes 0:02:21: Why should people entrust their credentials to a password manager? 0:07:49: What is Argon2 and how does it compare to PBKDF2? 0:09:15: How can regular people evaluate the security of software products? 0:14:34: How important is it for security software to be open-source? 0:16:32: How do third party security audits work? 0:18:48: What is "pen testing"? 0:19:16: How much control do audited companies have over releasing audit results? 0:20:35: What are the benefits of self-hosting a solution like Bitwarden? 0:23:55: Should we trust cloud-based password vault storage? 0:25:29: What are some red flags to look for when evaluating security companies? 0:27:36: Bitwarden recently received $100M in funding - has this changed your focus? 0:30:57: What is "secrets management" for software developers? 0:33:31: What is "passwordless" and is it phishing-proof? 0:39:18: How do I set up and use passkeys? 0:44:09: How long before we can use passkeys? 0:45:42: Will passwordless systems still require two-factor auth? 0:48:22: What's next for Bitwarden? What features can we look forward to? 0:50:06: Interview wrap-up

Our devices are connected to the Internet 24/7 and the only thing separating them from the bad guys is usually your home router. In the era of smart devices and the Internet of Things (IoT), we also now have many more doohickeys connected to the Internet - most of them with crappy security. If one of those devices is compromised, the bad guys now have a beachhead from which to probe and attack all your other devices. In today's show, we'll review some important cybersecurity tips for our home network and connected devices. In other news: police raid homes of alleged ransomware gang; locally exploitable TPM 2.0 security flaws found; White House unveils comprehensive cybersecurity strategy; new LastPass breach details show specific employee was targeted at home; browser synchronization features may compromise employer systems; Catholic group buys data to target gay priests; private home webcams are a goldmine for police evidence gathering; telehealth companies leak sensitive patient data; ICE and Secret Service admit to using cell-site simulators to collect mass surveillance data. Article Links [The Verge] Police raid homes of alleged hackers who attacked hospital systems https://www.theverge.com/2023/3/6/23627238/hackers-ransomware-raid-german-ukrainian-police [TechSpot] Two security flaws in the TPM 2.0 specs put cryptographic keys at risk https://www.techspot.com/news/97824-two-security-flaws-tpm-20-specs-put-cryptographic.html [The Washington Post] Biden unveils cyber strategy that takes more aggressive regulatory approach https://www.washingtonpost.com/national-security/2023/03/02/cybersecurity-biden/ [Ars Technica] LastPass says employee’s home computer was hacked and corporate vault taken https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/ [Kaspersky] Disable browser synchronization in the office https://www.kaspersky.com/blog/disable-browser-sync-enterprise/47460/ [The Washington Post] Catholic group spent millions on app data that tracked gay priests https://www.washingtonpost.com/dc-md-va/2023/03/09/catholics-gay-priests-grindr-data-bishops/ [Electronic Frontier Foundation] Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones [POLITICO] The privacy loophole in your doorbell https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-00084979 [TechCrunch] Telehealth startup Cerebral shared millions of patients’ data with advertisers https://techcrunch.com/2023/03/10/cerebral-shared-millions-patient-data-advertisers/ [NPR] Personal information of members of Congress exposed in health data breach https://www.npr.org/2023/03/09/1162191035/personal-information-of-u-s-house-members-exposed-in-health-data-breach Securing Your Home Network: https://firewallsdontstopdragons.com/how-to-secure-your-home-network/  Further Info Apple’s HomeKit Secure Video: https://support.apple.com/en-us/HT210538 Shodan: https://www.shodan.io/ What’s My IP? https://www.whatismyip.com/ NSA home network security (PDF): https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF What a VPN Is (and Isn't): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/ Get your Dragon Swag! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show.

Privacy advocates like me implore people to use secure apps that protect their data. But how difficult is it to actually create those apps? How do you balance security and privacy against sharing features and ease of use? How do you earn the trust of your users and how do you keep that trust? When does being private begin to negatively impact your ability to participate in society? Today I'll ask Mo, the creator of the secure note-taking app Standard Notes, all of these questions and more - including his personal thoughts for how best to organize and back up your notes and other data. Interview Notes Standard Notes: https://standardnotes.com/  Write Fearlessly (blog article): https://standardnotes.com/why-encrypted  Standard Notes YouTube channel: https://www.youtube.com/@standardnotes  Second Brain note taking styles: https://fortelabs.com/blog/the-4-notetaking-styles-how-to-choose-a-digital-notes-app-as-your-second-brain/  Tresosit secure cloud storage: https://tresorit.com/individuals Sync.com secure cloud storage: https://sync.com/  Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support our mission! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:03:19: What is Standard Notes and how is it different? 0:06:19: What is true end-to-end encryption? 0:08:35: What does privacy mean to you? 0:14:14: What do people misunderstand most about privacy? 0:17:43: How do you secure a web app? 0:23:08: Does security preclude any popular app features? 0:27:31: Should we really encrypt everything? 0:33:30: How do you earn and keep your users' trust? 0:37:57: How important is humility and honesty in security marketing? 0:39:42: What is your note taking organizational strategy? 0:47:03: How do you figure out what organizational style works for you? 0:50:43: How do you make sure all your data is backed up and findable? 0:56:17: What does the future hold for privacy? 1:01:04: What's next for Standard Notes? 1:05:06: Interview wrap-up