
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
Latest episodes

Mar 20, 2023 • 55min
Solving Your Password Problems
If for some reason you haven't started using a password manager yet, it's time to make the move. But how can you trust all these important secrets to some unknown company? How can you be sure that your password vault will be safe in a cloud-based service? And finally, how do you figure out which service is best for you? Today I'll ask Kasey Babcock from Bitwarden all those questions. We'll also talk about two-factor authentication and newer "passkeys" technology, Argon2 vs PBKDF2, and even how you might self-host a solution like Bitwarden if you want to have full control.
Kasey Babcock is a Product Marketing Manager at Bitwarden, and she has many years of experience working at software start-ups in the cybersecurity and project portfolio management industries, working with product and engineering teams to communicate meaningful cybersecurity information and product updates.
Interview Notes
Bitwarden Personal: https://bitwarden.com/products/personal/
Bitwarden Secrets Manager: https://bitwarden.com/products/secrets-manager/
Bitwarden blog article: https://bitwarden.com/blog/accelerating-value-for-bitwarden-users-bitwarden-raises-usd100-million/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:02: Pre-interview notes
0:02:21: Why should people entrust their credentials to a password manager?
0:07:49: What is Argon2 and how does it compare to PBKDF2?
0:09:15: How can regular people evaluate the security of software products?
0:14:34: How important is it for security software to be open-source?
0:16:32: How do third party security audits work?
0:18:48: What is "pen testing"?
0:19:16: How much control do audited companies have over releasing audit results?
0:20:35: What are the benefits of self-hosting a solution like Bitwarden?
0:23:55: Should we trust cloud-based password vault storage?
0:25:29: What are some red flags to look for when evaluating security companies?
0:27:36: Bitwarden recently received $100M in funding - has this changed your focus?
0:30:57: What is "secrets management" for software developers?
0:33:31: What is "passwordless" and is it phishing-proof?
0:39:18: How do I set up and use passkeys?
0:44:09: How long before we can use passkeys?
0:45:42: Will passwordless systems still require two-factor auth?
0:48:22: What's next for Bitwarden? What features can we look forward to?
0:50:06: Interview wrap-up

Mar 13, 2023 • 1h 7min
Securing Your Home Network
Our devices are connected to the Internet 24/7 and the only thing separating them from the bad guys is usually your home router. In the era of smart devices and the Internet of Things (IoT), we also now have many more doohickeys connected to the Internet - most of them with crappy security. If one of those devices is compromised, the bad guys now have a beachhead from which to probe and attack all your other devices. In today's show, we'll review some important cybersecurity tips for our home network and connected devices.
In other news: police raid homes of alleged ransomware gang; locally exploitable TPM 2.0 security flaws found; White House unveils comprehensive cybersecurity strategy; new LastPass breach details show specific employee was targeted at home; browser synchronization features may compromise employer systems; Catholic group buys data to target gay priests; private home webcams are a goldmine for police evidence gathering; telehealth companies leak sensitive patient data; ICE and Secret Service admit to using cell-site simulators to collect mass surveillance data.
Article Links
[The Verge] Police raid homes of alleged hackers who attacked hospital systems https://www.theverge.com/2023/3/6/23627238/hackers-ransomware-raid-german-ukrainian-police
[TechSpot] Two security flaws in the TPM 2.0 specs put cryptographic keys at risk https://www.techspot.com/news/97824-two-security-flaws-tpm-20-specs-put-cryptographic.html
[The Washington Post] Biden unveils cyber strategy that takes more aggressive regulatory approach https://www.washingtonpost.com/national-security/2023/03/02/cybersecurity-biden/
[Ars Technica] LastPass says employee’s home computer was hacked and corporate vault taken https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
[Kaspersky] Disable browser synchronization in the office https://www.kaspersky.com/blog/disable-browser-sync-enterprise/47460/
[The Washington Post] Catholic group spent millions on app data that tracked gay priests https://www.washingtonpost.com/dc-md-va/2023/03/09/catholics-gay-priests-grindr-data-bishops/
[Electronic Frontier Foundation] Report: ICE and the Secret Service Conducted Illegal Surveillance of Cell Phones https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones
[POLITICO] The privacy loophole in your doorbell https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-00084979
[TechCrunch] Telehealth startup Cerebral shared millions of patients’ data with advertisers https://techcrunch.com/2023/03/10/cerebral-shared-millions-patient-data-advertisers/
[NPR] Personal information of members of Congress exposed in health data breach https://www.npr.org/2023/03/09/1162191035/personal-information-of-u-s-house-members-exposed-in-health-data-breach
Securing Your Home Network: https://firewallsdontstopdragons.com/how-to-secure-your-home-network/
Further Info
Apple’s HomeKit Secure Video: https://support.apple.com/en-us/HT210538
Shodan: https://www.shodan.io/
What’s My IP? https://www.whatismyip.com/
NSA home network security (PDF): https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF
What a VPN Is (and Isn't): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/
Get your Dragon Swag! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.

Mar 6, 2023 • 1h 7min
Designing Apps for Privacy
Privacy advocates like me implore people to use secure apps that protect their data. But how difficult is it to actually create those apps? How do you balance security and privacy against sharing features and ease of use? How do you earn the trust of your users and how do you keep that trust? When does being private begin to negatively impact your ability to participate in society? Today I'll ask Mo, the creator of the secure note-taking app Standard Notes, all of these questions and more - including his personal thoughts for how best to organize and back up your notes and other data.
Interview Notes
Standard Notes: https://standardnotes.com/
Write Fearlessly (blog article): https://standardnotes.com/why-encrypted
Standard Notes YouTube channel: https://www.youtube.com/@standardnotes
Second Brain note taking styles: https://fortelabs.com/blog/the-4-notetaking-styles-how-to-choose-a-digital-notes-app-as-your-second-brain/
Tresorit secure cloud storage: https://tresorit.com/individuals
Sync.com secure cloud storage: https://sync.com/
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:19: What is Standard Notes and how is it different?
0:06:19: What is true end-to-end encryption?
0:08:35: What does privacy mean to you?
0:14:14: What do people misunderstand most about privacy?
0:17:43: How do you secure a web app?
0:23:08: Does security preclude any popular app features?
0:27:31: Should we really encrypt everything?
0:33:30: How do you earn and keep your users' trust?
0:37:57: How important is humility and honesty in security marketing?
0:39:42: What is your note taking organizational strategy?
0:47:03: How do you figure out what organizational style works for you?
0:50:43: How do you make sure all your data is backed up and findable?
0:56:17: What does the future hold for privacy?
1:01:04: What's next for Standard Notes?
1:05:06: Interview wrap-up

Feb 27, 2023 • 1h 4min
Unmasking Shortened Links
Web links are great, when you're on the web. But if you need to read off or write down a web address, or URL, to someone else, anything beyond a simple domain name is going to be way too complicated. Ideally, you want something short and memorable. Enter link-shortening services like Bitly, Owly and others. These services convert long, ugly URLs to short, simple, memorable links. Unfortunately, this also obscures the actual link. When you click a shortened link, you have no idea where it will take you. Today, I'll give you some tools that will allow you to determine the final destination and even see an image of the site without actually going there.
In other news: TikTok group teaches people how to hot-wire Kia and Hyundai cars; Twitter charges users for the least-secure two-factor authentication method; scam authenticator apps proliferate on the App Store; Apple devices are being stolen by thieves who first surreptitiously learn the lock codes; Google to launch Android Privacy Sandbox beta; Mozilla discovers huge discrepancies between actual privacy policies and the 'nutrition label' summaries on top Android apps; supermarkets track tons of user data via loyalty cards and apps; we need to create a much more robust and resilient internet; and the CEO of Safing answers a user question about Portmaster and SPN.
Article Links
[Lifehacker] TikTokers Are Hot-Wiring These Hyundai and Kia Cars https://lifehacker.com/tiktokers-are-hot-wiring-these-hyundai-and-kia-cars-1850113943
[Mashable] Twitter to charge users for SMS two-factor authentication https://mashable.com/article/twitter-removes-sms-2fa
[9to5mac.com] Scam authenticator app advertising on App Store: Sends all your QR codes to the developer https://9to5mac.com/2023/02/21/scam-authenticator-app/
[MacRumors] Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' https://www.macrumors.com/2023/02/24/iphone-stolen-passcodes-report/
[The Verge] Google launches first Android beta for ad-tracking overhaul https://www.theverge.com/2023/2/14/23599027/google-android-privacy-sandbox-beta-advertising-tracking
[foundation.mozilla.org] Mozilla Study: Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading
[The Markup] Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You https://themarkup.org/privacy/2023/02/16/forget-milk-and-eggs-supermarkets-are-having-a-fire-sale-on-data-about-you
[Schneier Blog] What Will It Take? https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html
How to Reveal Shortened URLs: https://firewallsdontstopdragons.com/how-to-reveal-shortened-urls/
Further Info
2FA apps: https://lifehacker.com/the-best-authenticator-apps-for-iphone-and-android-1850140802
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: Book out of stock?
0:01:45: News rundown
0:04:09: Hot-Wiring Hyundai and Kia Cars
0:09:11: Twitter to charge users for SMS 2FA
0:12:58: Scam authenticator apps
0:18:13: Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life'
0:24:22: Google launches first Android beta for Privacy Sandbox
0:27:52: Data Privacy Labels in Google Play Store are False or Misleading
0:34:59: Supermarkets Are Having a Fire Sale on Data About You
0:44:41: Schneier: What Will It Take?
0:52:38: Dear Carey
0:55:53: Tip of the Week
1:01:21: Wrap up: merch store, previews

Feb 20, 2023 • 1h 10min
Fixing Social Media
Social media wasn't always so bad. It didn't use to collect so much information. It didn't use to feed us content we didn't ask for in an attempt to maintain our attention. Doom scrolling, virtue signaling, algorithmic feeds and misinformation bots are not natural extensions of social media. So what went wrong? And better yet, how can we fix it? Today I'll discuss all of these topics and more with Suzie Dawson, the founder of Panquake.com. She's on a mission to solve all of these problems and restore the promise of social media to be a positive force for society and serve the users, not corporations or governments.
Interview Notes
Panquake: https://panquake.com/
A Personal Message from our Founder (Suzie): https://vimeo.com/770524936
What is Panquake? https://vimeo.com/503223746
The Social Dilemma (documentary): https://www.thesocialdilemma.com/
Mastodon: https://joinmastodon.org/
Fediverse: https://www.eff.org/deeplinks/2022/11/fediverse-could-be-awesome-if-we-dont-screw-it
Microsoft’s Decentralized Identity: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:18: interview preview
0:05:24: What is Panquake.com and why did you create it?
0:06:25: When and why did social media platforms go wrong?
0:07:55: Why is our relationship with Big Tech such an abusive one?
0:10:09: Are algorithmic feeds inherently bad or just exposing human nature?
0:15:25: How does Facebook learn so much about us?
0:16:24: Without algorithmic feeds, how do I discover new content?
0:17:51: How do you convince people to pay for their social media platform?
0:21:27: What other things do people hate about modern social media platforms?
0:25:53: What does it mean to be 'shadow banned'?
0:27:32: How can we stop malicious bot behavior?
0:30:39: What's the best way to implement account verification?
0:34:59: How do we spark a backwards paradigm shift?
0:36:44: What is the role of social media platforms in moderating content?
0:40:00: How does moderation vary globally?
0:41:23: Is TikTok more dangerous to society than Twitter or Facebook?
0:47:21: What is the "Fediverse" and how does it work?
0:53:40: How important is data portability or ownership?
0:58:34: What's next for Panquake?
1:03:19: Suzie asks ME a question!
1:04:56: Interview wrap-up
1:05:41: patron bonus content and benefits
1:06:43: Swag Shop is OPEN!
1:08:43: Upcoming interviews

Feb 13, 2023 • 1h 2min
Where & Why to Plant Your Flag
As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before bad guys do this on your behalf. Furthermore, as a homeowner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I'll tell you where and why to plant your flag.
In other news: Booking.com reservation data being used to scam customers; top background check service customers' data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST proposes security protocols for low-power IoT devices. I also answer a listener question about IPv4 vs IPv6.
Article Links
[Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/
[TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach
[Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/
[The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx – The Markup https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx
[Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html
[9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/
[PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html
[Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims
[ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/
Further Info
Order the new 5th edition of my book! https://fdsd.me/book
OSINT Tools: https://inteltechniques.com/tools/index.html
WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:29: News preview
0:03:58: Booking.com users being targeted with convincing scams
0:09:11: Top background check services hit by data breach
0:12:16: Finnish psychotherapy extortion suspect arrested
0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem
0:23:23: ACLU pushes back against Google geofence warrants
0:31:07: Anker admits to lying about Eufy security camera e...

Feb 6, 2023 • 1h 6min
Combatting Surveillance Capitalism
The business of data mining and behavioral advertising has never been stronger or more ubiquitous. And yet, cracks are beginning to appear in the foundations of surveillance capitalism. Nowhere is this more evident than in the European Union where advertising behemoths like Google and Meta (parent company of Facebook) have suffered a series of legal defeats at the hands of aggressive privacy regulators. The GDPR has provided a framework for curtailing rampant abuses of the advertising industry and its promise is finally coming to fruition. Today I'll speak with Johnny Ryan from the Irish Council for Civil Liberties, who is fighting for all of us on the front lines of the war for privacy.
Johnny Ryan works at the Irish Council for Civil Liberties and he was previously Chief Policy Officer at Brave. He has testified and spoken at the US Senate, the European Commission, and the European Parliament.
Interview Notes
Irish Regulators Fine Facebook $414 Million https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html
Irish Council for Civil Liberties: https://www.iccl.ie/
Ep231: Selling You Out to the Highest Bidder https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Fair Information Practice Principles (FIPPs): https://en.wikipedia.org/wiki/FTC_fair_information_practice
Diesel-Gate: https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal
Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:23: The 5th edition is OUT!!
0:02:50: Interview prep
0:05:02: Give us a refresher on how behavioral ads work
0:08:41: Why was Meta fined and will they be able to appeal?
0:18:40: How does tracking consent work now and how should it work?
0:26:25: How are these fines determined and why wasn't this one bigger?
0:29:52: What changes we will see as a result of this and by when?
0:32:45: Will this ruling affect other companies, as well?
0:34:11: Will this ruling affect more than just notice and consent?
0:36:19: Why can't we just go back to context-based ads?
0:41:15: Are behavior-based ads really more valuable?
0:43:52: Is there more private way to have targeted ads?
0:47:18: Will Google's new ad framework just solidify their dominance?
0:51:42: Won't intelligence agencies abuse all of the data collected about us?
0:57:41: Has surveillance capitalism peaked? What does the future look like?
1:02:02: Interview follow-up
1:03:32: Getting the book on people's radars

Jan 30, 2023 • 1h 1min
Data Privacy Week 2023
Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day.
In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous "malvertising" campaign mimics popular software to steal info; the previously-secret "no fly" list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I'll answer a Dear Carey question about Plaid, the service that allows financial tech aggregators to access your account information, and my Tip of the Week will explain Apple's new Advanced Data Protection feature.
Article Links
[NPR] FBI says it 'hacked the hackers' to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group
[Tom's Guide] This Windows malware is stealing passwords and other data — how to stay safe https://www.tomsguide.com/news/this-windows-malware-is-stealing-passwords-and-other-data-how-to-stay-safe
[TechSpot] New malware dubbed "Hook" allows hijacking and real-time spying on Android devices https://www.techspot.com/news/97356-new-malware-dubbed-hook-allows-hijacking-real-time.html
[TechRadar] This dangerous malvertising campaign mimicks popular software to steal victim info https://www.techradar.com/news/this-dangerous-malvertising-campaign-mimicks-popular-software-to-steal-victim-info
[BleepingComputer] Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
[BleepingComputer] PayPal accounts breached in large-scale credential stuffing attack https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
[Naked Security] T-Mobile admits to 37,000,000 customer records stolen by “bad actor” https://nakedsecurity.sophos.com/2023/01/20/t-mobile-admits-to-37000000-customer-records-stolen-by-bad-actor/
[9to5mac.com] Twitter GodMode still available to all engineers, following hack of Apple and other accounts https://9to5mac.com/2023/01/24/twitter-godmode/
Dear Carey: Is Plaid Safe? https://www.allthingssecured.com/reviews/security/is-plaid-safe-to-use/
Apple’s Advanced Data Protection: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
Apple recovery contact: https://support.apple.com/en-us/HT212513
Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:04: News rundown
0:03:19: FBI shuts down Hive ransomware group
0:07:34: New Windows malware steals data
0:12:07: New Android malware that completely takes over device
0:15:43: Malvertising campaign mimics popular software apps
0:19:44: Secret "no fly list" leaked online
0:24:26: PayPal accounts accessed via credential stuffing attack
0:28:06: T-Mobile admits 37M customer records stolen
0:31:31: Twitter's GodMode tool is still available to engineers
0:34:59: Dear Carey: Is Plaid safe?
0:45:41: Tip of the Week: Apple's Advanced Data Protection
0:53:54: 5th edition update and cool resources
0:56:56: How you can help

Jan 23, 2023 • 56min
Using Aliases to Improve Privacy
Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It's no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It's not as hard as you think, and it's getting easier all the time. This is a privacy concept called aliasing and we'll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim.
Interview Notes
SimpleLogin: https://simplelogin.io/
Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account
Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Fastmail Masked Email: https://www.fastmail.help/hc/en-us/articles/4406536368911-Masked-Email
Apple Private Relay: https://support.apple.com/en-us/HT212614
DuckDuckGo Private Email: https://spreadprivacy.com/introducing-email-protection-beta/
MySudo: https://mysudo.com/
Hushed: https://hushed.com/
Privacy.com: https://privacy.com/
Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: Book updates
0:03:10: Interview setup
0:03:57: What is SimpleLogin?
0:05:04: How are email addresses used to track us?
0:06:19: Why do we use email addresses as user names?
0:09:42: How do normal email services provide aliases?
0:11:18: How does email subaddressing work?
0:13:05: How do modern email aliases work?
0:16:34: Do replies to alias emails expose your real address?
0:20:05: How do you use aliases to manage spam?
0:22:38: Can email alias services read my emails?
0:23:36: How do you know you can trust an email alias provider?
0:26:41: How can you use domain names and catch-all aliases to fight spam?
0:30:52: Why are email aliases sometimes rejected?
0:34:45: What happens to my aliases if the service goes away?
0:36:50: What are the security benefits of using aliases?
0:39:44: Why is it so hard to create a phone number alias?
0:42:52: How can I get a second phone number?
0:47:13: Why are phone aliases often rejected?
0:49:15: What other ways can we use aliasing to improve privacy?
0:52:27: interview wrap-up

Jan 16, 2023 • 1h 4min
New Year’s Resolutions: 2023
It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today's show I'll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I've also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I'll answer a listener question on tracking in beta software.
And then I'll cover several news stories: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran's citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blockers; dozens of telehealth companies sharing sensitive health information with Big Tech companies.
Article Links
[TechCrunch] A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/
[BleepingComputer] NortonLifeLock warns that hackers breached Password Manager accounts https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
[Metro] Russian hackers suspected to be behind Royal Mail cyber attack https://metro.co.uk/2023/01/13/russian-hackers-suspected-to-be-behind-royal-mail-cyber-attack-18093326/
[techmonitor.ai] Iran’s citizens targeted by EyeSpy spyware hidden in VPNs https://techmonitor.ai/technology/cybersecurity/eyespy-spyware-iran-vpn
[Lifehacker] Windows 7 Is Officially Dead https://lifehacker.com/windows-7-is-officially-dead-1849966248
[briankrebs] Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
[Kaspersky] Rise of the robot vacuum cleaners https://www.kaspersky.co.uk/blog/robot-vacuum-privacy/25348/
Bonus: https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/
[TechCrunch] Even the FBI says you should use an ad blocker https://techcrunch.com/2022/12/22/fbi-ad-blocker/
[The Markup] “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies https://themarkup.org/privacy/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies
Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Data Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Bitwarden vault backup: https://community.bitwarden.com/t/how-to-a-users-guide-to-backing-up-your-bitwarden-vault/44083
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:08: Big sale on pre-order of my book
0:03:05: Show preview
0:04:44: LastPass update
0:09:21: Password innovation ideas
0:13:59: watchdog cracks federal agency’s passwords in minutes
0:17:33: NortonLifeLock warns of account breaches
0:21:31: Russian hackers suspected in Royal Mail cyber attack
0:24:29: Iran’s citizens targeted by spyware in VPNs
0:26:53: Windows 7 Is Officially Dead