Firewalls Don't Stop Dragons Podcast

Carey Parker
Sep 11, 2023 • 1h 7min

Remediate Your Network

Today I wrap up my four-part series on how to secure your home network. We’ve enumerated our devices, gotten rid of stuff we don’t need, assessed the state of our devices and now it’s time to actually remediate any vulnerabilities we found. I’ll walk you through everything you need to do. In other news: Chrome’s Topics API has rolled out (and I’ll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right and are being sued; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages.

Article Links
[The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads-topics-sandbox
[citizenlab.ca] NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
[TechCrunch] FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/
[AppleInsider] UK backs down from nonsensical law after threats from Apple, WhatsApp https://appleinsider.com/articles/23/09/06/uk-backs-down-from-nonsensical-law-after-threats-from-apple-whatsapp
[Tom’s Guide] Macs under threat from malicious ads spreading malware — don’t fall for this https://www.tomsguide.com/news/macs-under-threat-from-malicious-ads-spreading-malware-dont-fall-for-this
[briankrebs] Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
[WIRED] Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/
[VICE] Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing https://www.vice.com/en/article/93kdmp/kias-and-hyundais-keep-getting-stolen-by-the-thousands-and-cities-are-suing
[Gizmodo] If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416
[techxplore.com] Researchers issue warning over Chrome extensions that access private data https://techxplore.com/news/2023-09-issue-chrome-extensions-access-private.html

Tip of the Week: Remediate Your Network: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:29: Kashmir Hill interview coming
0:01:40: News rundown
0:04:32: How to disable Chrome’s new targeted ad tracking
0:07:12: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
0:10:36: FBI operation dismantles Qakbot botnet
0:13:51: UK backs down from nonsensical law after threats from Apple, WhatsApp
0:17:10: Macs under threat from malicious ads spreading malware
0:23:03: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach
0:28:51: Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy
0:36:30: Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing
0:41:41: If You’ve Got a New Car, It’s a Data Privacy Nightmare
0:48:04: Researchers issue warning over Chrome extensions that access private data
0:56:03: Tip of the Week: Remediate Your Network
1:05:05: Wrap-up
Sep 4, 2023 • 1h 11min

Containing Big Data

In the US today we’re dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU’s GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What’s our data worth? And how can we protect it? I’ll discuss all of this and more with my guest, Tom Kemp. Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy.

Interview Notes
Containing Big Tech: https://www.tomkemp.ai/containing-big-tech
Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/
LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-airegulatio7087548531820941312/
SB362 (Delete Act): https://www.darkreading.com/endpoint/why-the-california-delete-act-matters
Tom’s post on SB362: https://www.linkedin.com/posts/tomkemp_sb362-databrokers-privacy-activity-7103448636260302848-Qg6p
Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:20: Follow me on Bluesky?
0:01:32: Interview preview
0:02:59: What are data brokers? Would we recognize their names?
0:06:07: How big is the data broker industry?
0:08:35: You say there are 5 different types of data brokers – what are they?
0:12:10: Are there financial data brokers outside the US?
0:15:53: Are we granting permission for data collection without realizing it?
0:18:44: Who is making money off our data and what is it really worth?
0:21:56: Who is selling our data out the back door?
0:26:50: Why is location data so valuable?
0:28:40: How much of my data is raw and how much is inferred or extrapolated?
0:33:06: How often do data records contain errors?
0:36:24: How much of our personal data is publicly available?
0:38:46: Can we have an ad-based web economy and privacy, too?
0:44:56: Are behavioral ads really worth more than contextual ads?
0:48:08: Can antitrust laws be leveraged against data collection?
0:50:46: Can laws requiring transparency in data collection be a stepping stone?
0:56:14: Why can’t we pass a federal privacy law?
0:58:25: What can we do right now to limit data collection?
1:01:50: What else does your book cover?
1:05:28: Interview wrap-up
1:06:01: Delete Act (SB362) Update
1:06:58: A note on warranty registrations
1:08:11: Global Privacy Control article
1:08:28: Patron podcast teaser
1:08:50: Look ahead
Aug 28, 2023 • 59min

Assessing Your Network Security

In the third part of my series on securing your home network, we’ll assess your security and privacy vulnerabilities. In prior weeks, we’ve exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don’t need to be “smart” (Simplify). Now it’s time to investigate the remaining devices and think about what we need to do to secure them. In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year’s end; LinkedIn accounts are being targeted for takeover; Intel’s GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police need to be transparent about social media monitoring; Kansas newspaper raid by police teaches us how better to encrypt our data; hackers are selling credit report info on just about any American; NSA director tells employees to spy “with dignity and respect”.

Article Links
[TechRadar] One of the worst Mac malware strains is back and hiding as a productivity app – so beware https://www.techradar.com/pro/security/one-of-the-worst-mac-malware-strains-is-back-and-hiding-as-a-productivity-app-so-beware
[Tom’s Guide] Thousands of Android malware apps use stealthy APKs to bypass security, study finds https://www.tomsguide.com/news/thousands-of-android-malware-apps-use-stealthy-apks-to-bypass-security-study-finds
[Ars Technica] Illinois just made it possible to sue people for doxxing attacks https://arstechnica.com/tech-policy/2023/08/illinois-just-made-it-possible-to-sue-people-for-doxxing-attacks/
[TechCrunch] Meta plans to roll out default end-to-end encryption for Messenger by the end of the year https://techcrunch.com/2023/08/22/meta-plans-to-roll-out-default-end-to-end-encryption-for-messenger-by-the-end-of-the-year/
[TechRadar] LinkedIn user accounts have been taken over in huge hacking campaign https://www.techradar.com/pro/security/linkedin-user-accounts-have-been-taken-over-in-huge-hacking-campaign
[extremetech.com] Intel’s GPU Drivers Now Collect Telemetry https://www.extremetech.com/gaming/intels-gpu-drivers-now-collect-telemetry-including-how-you-use-your-computer
[TechCrunch] Tesla says data breach impacting 75,000 employees was an insider job https://techcrunch.com/2023/08/21/tesla-breach-employee-insider/
[BBC] Why US tech giants are threatening to quit the UK https://www.bbc.com/news/technology-66304002
[The Intercept] Police Are Getting DNA Data From People Who Think They Opted Out https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/
[The Associated Press] A Pennsylvania court says state police can’t hide how it monitors social media https://apnews.com/article/pennsylvania-police-aclu-social-media-monitoring-1508189aba86cc776e19892b4a2b358a
[freedom.press] What a newsroom police raid teaches us about encrypting our devices https://freedom.press/training/blog/marion-record-police-raid/
[404media.co] The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/
[The Intercept] NSA Orders Employees to Spy on the World “With Dignity and Respect” https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/

Tip of the Week: Securing Your Network 3: Assess: https://firewallsdontstopdragons.com/secure-your-network-3-assess/

Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:52: News rundown
0:03:09: One of the worst Mac malware strains is back
0:06:15: Android malware apps use stealthy APKs to bypass security
0:09:17: Illinois now allows you to sue for doxxing attacks
0:13:59: Meta to roll out default E2EE for Messenger by year’s end
0:17:06: LinkedIn accounts taken over in huge hacking campaign
0:19:39: Intel’s GPU Drivers Now Collect Telemetry
0:23:34: Data breach impacting 75,000 Tesla employees was inside job
0:26:39: Why US tech giants are threatening to quit the UK
0:29:26: Police Are Getting DNA Data From People Who Think They Opted Out
0:34:58: PA court says state police can’t hide how it monitors social media
0:37:13: What a newsroom police raid teaches us about security
0:42:58: The Tool Hackers Can Use to Dox Nearly Anyone in America
0:49:14: NSA Orders Employees to Spy “With Dignity and Respect”
0:51:40: Need more Dear Carey questions!
0:52:01: Tip of the Week
0:57:01: Wrap up
Aug 21, 2023 • 1h 9min

Demystifying AI

AI expert Michael Littman explains what AI is and isn't, how it works, and discusses concerns about job displacement and malicious use. They delve into the rise of AI tools in image generation, explore biases in language models, and discuss safeguards against misuse of AI. Listeners can also learn how to get started with AI using publicly available tools and chat bots integrated with search engines.
Aug 15, 2023 • 56min

Hacker Summer Camp 2023

Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences – BSides Las Vegas, BlackHat and DEF CON – run for over a week, each overlapping the other. They bring top tier security researchers, government and industry leaders, and eager hackers to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I’ll tell you about my trip to BSides and DEF CON in 2023.

Article Links
[securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/
[9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/
[whitehouse.gov] Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/

Donate to Maui wildfire relief fund: https://www.gofundme.com/f/5auw5q-maui-wildfire-relief-fund
Veilid project (cDc): https://veilid.com/
Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice
Namecheck from Steve Gibson: https://youtu.be/hGyVuszu0F8?t=6240
CalyxOS mention: https://en.wikipedia.org/wiki/CalyxOS
Tom Kemp on LinkedIn Live: https://www.tomkemp.ai/blog/2023/7/19/live-event-the-state-of-us-privacy-and-ai-regulation

Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:04: Preview
0:01:27: Look ma, I’m on Wikipedia!
0:02:16: Steve Gibson reads FDSD
0:03:16: Show overview
0:04:29: What is Hacker Summer Camp?
0:06:21: Using Lockdown Mode on Apple
0:07:20: BSides Las Vegas 2023, Josh Corman, et al
0:08:28: BSides pool party
0:09:44: I skipped out on linecon
0:11:36: I skipped the merch line, too
0:12:36: Darknet Diaries meets FDSD
0:13:13: r00t party!
0:15:14: cDc announces Veilid platform
0:18:48: Voting Village, brush with Chris Krebs
0:20:34: Interview with Nick Oles
0:22:49: Meet Joe Gray (“Practical Social Engineering” author)
0:23:22: cDc Veilid launch party
0:24:19: Checking in with the Hack-a-Sat team
0:38:00: EFF Tech Trivia
0:38:37: Hacker Jeopardy
0:40:11: Evacuation of Caesar’s Forum
0:41:50: Closing ceremonies
0:42:48: No swag or amulet sightings
0:43:31: Downfall: New Intel CPU Attack Exposing Sensitive Information
0:47:24: Mac malware can easily bypass Apple’s Background Task Manager
0:52:22: Maui wildfire relief fund
0:53:01: DARPA Launches AI Cyber Challenge
0:54:07: Looking ahead
0:55:28: Dragon coin promotion is ending soon
Aug 7, 2023 • 1h 17min

Cult of the Dead Cow

In the early 1980s, personal computers started entering our homes. Prior to the internet and services like America On Line (AOL), there were online bulletin board systems (BBS) where people could share text files via phone modem connections. Of course, if you wanted to connect to a BBS outside your home area code, you would have to dial long distance – which at the time could be prohibitively expensive. Necessity is the mother of invention and it’s no coincidence that some of the earliest hacking was of the phone system to get free long distance calls. One of the first named groups of hackers was The Cult of the Dead Cow (aka, cDc). Today I’ll reminisce about the old days with two prominent members of cDc: Deth Veggie and Omega. We’ll talk about what it was like in the days prior to the internet, how hackers think, and how hacking has evolved over the years. We’ll talk about how cDc pioneered the hacktivist movement and how their group overlapped and interacted with other famous groups like L0pht Heavy Industries, Masters of Deception (MOD), Legion of Doom (LOD) and much, much more.

Interview Notes
The Cult of the Dead Cow: https://cultdeadcow.com/
“The Cult of the Dead Cow” book: https://www.hachettebookgroup.com/titles/joseph-menn/cult-of-the-dead-cow/9781549169991/
cDc text files: http://textfiles.com/groups/CDC/
The Hacker’s Manifesto: http://phrack.org/issues/7/3.html
Hactivismo Declaration: https://web.archive.org/web/20090502054355/http://www.cultdeadcow.com/cDc_files/declaration.html
cDc’s unofficial suggested reading/viewing list: https://fdsd.me/cdclist

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:43: Interview prep
0:03:51: How did cDc start and where did it get its name?
0:08:11: How did you get involved with cDc?
0:11:15: What is a BBS? What are textfiles?
0:15:36: What sort of information did these textfiles contain?
0:23:46: What really happened in the Hacker Wars?
0:25:28: How did phone phreaking work?
0:29:43: How did you choose your handle? When did you first use it in public?
0:37:47: Two things War Games got right
0:38:38: Blue boxes and red boxes
0:40:26: What did your friends & family think? How have perceptions of hackers changed?
0:45:16: What is hacktivism? What sort of hacktivist behavior is acceptable?
0:51:58: What are some examples of hacktivism?
0:55:19: What are some signs that I might enjoy hacking?
1:01:49: Hacking in the real world, questioning everything.
1:04:38: Books and movies with accurate portrayals of hackers & hacking?
1:11:14: Interview wrap-up
1:12:46: Patron bonus material & promo
1:16:04: Next week’s show may be delayed
Jul 31, 2023 • 0sec

Less is More

Last time, I told you how to enumerate all the devices on your home network. Before we go to the trouble of analyzing and mitigating their vulnerabilities, we should take the opportunity to cull the inventory. Do you really need all of these devices? Or could you forego the “smart” features that require them to be connected to your network? Today we’ll talk about reducing your attack surface before we bother trying to secure it. In other news: the White House announces new cybersecurity labeling program; the SEC mandates a 4-day reporting window for cyber attacks; EFF opposes a bill that threatens our privacy; stolen Microsoft signing keys behind a set of targeted US government email hacks; more details emerge about Facebook mining Onavo VPN for user data; TETRA radios used for decades revealed to have deliberately weakened encryption; ALPR data now being used with AI algorithms to guess which cars might contain criminals; Apple threatens to pull Facetime, Messages from UK over proposed surveillance law changes; Google’s Web Integrity API causes a stir; Apple to require justification for use of some APIs that might compromise user privacy.

Article Links
[whitehouse.gov] Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
[The Hacker News] New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
[Electronic Frontier Foundation] Amended Cooper Davis Act Is a Direct Threat to Encryption https://www.eff.org/deeplinks/2023/07/amended-cooper-davis-act-direct-threat-encryption
[TechCrunch] Microsoft lost its keys, and the government got hacked https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/
[Financial Review] Facebook admits it used app to ‘know nearly everything’ about users https://www.afr.com/companies/media-and-marketing/facebook-admits-it-used-app-to-know-nearly-everything-about-users-20230713-p5do2a
[WIRED] Code Kept Secret for Years Reveals Its Flaw—a Backdoor https://www.wired.com/story/tetra-radio-encryption-backdoor/
[Forbes] This AI Watches Millions Of Cars Daily And Tells Cops If You’re Driving Like A Criminal https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/
[MacRumors] Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes https://www.macrumors.com/2023/07/20/apple-threatens-to-pull-facetime-and-imessage-uk/
[Ars Technica] Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
[MacRumors] Apple Developers Required to Justify Use of Some APIs in Latest Move to Boost Privacy https://www.macrumors.com/2023/07/28/developers-required-to-justify-api-use/

Tip of the Week: Less is More: https://firewallsdontstopdragons.com/secure-your-network-2-simplify/

Further Info
Stop the bad bills: https://www.eff.org/deeplinks/2023/07/you-can-help-stop-these-bad-internet-bills
Dragon Challenge Coin Promo! https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna

Table of Contents
Add time-based list of markers.
Jul 24, 2023 • 1h 7min

The Politics of Privacy

Despite growing demand from US citizens for privacy protections, the federal government has failed repeatedly to enact basic privacy laws. However, one US state – California – has led the charge on privacy and passed regulations that have benefited people outside the state. Today I’ll speak with Ernesto Falcon who is currently running for California State Senate in District 7. He has decades of experience in public policy, particularly in the realm of privacy rights, both in politics and with the Electronic Frontier Foundation. We’ll talk about how the legislative sausage is made, why we can’t seem to pass privacy regulations, how lobbyists influence policy, and much more.

Disclaimer: Views, opinions, or statements expressed are solely those of the candidate and not of his employer at the Electronic Frontier Foundation.

Interview Notes
Ernesto Falcon’s campaign website: https://www.ernestofalcon.com/
California Consumer Privacy Act: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California Privacy Rights Act: https://en.wikipedia.org/wiki/California_Privacy_Rights_Act

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Interview prep
0:02:40: Tell us about your CA Senate campaign
0:10:56: How have CA privacy laws impacted the greater US?
0:15:45: How do we regain control over our data?
0:17:59: What is preventing a good federal privacy law?
0:24:36: What are the dangers of all this personal data being hoarded?
0:31:01: How does HIPAA actually work? What doesn’t it cover?
0:33:01: What is the EARN IT Act and why does EFF oppose it?
0:37:58: How do child safety laws undermine privacy?
0:40:41: How are legal wire taps different from backdoors in encryption?
0:43:10: Won’t repressive regimes abuse encryption backdoors?
0:44:45: Is on-device scanning a valid compromise solution?
0:47:07: Will we ever win the Crypto Wars?
0:48:59: How can we best support the privacy cause?
0:52:00: Would more privacy transparency be a good first step?
0:54:35: Are monopolies part of the problem here?
0:58:53: What’s next for you and your senate campaign?
1:00:42: Post interview wrap-up
1:01:46: Go talk to your representative!
1:02:55: Dragon Challenge Coin Promotion!
Jul 17, 2023 • 1h 11min

IoT Inventory

The Internet of Things (IoT) has added internet connections to lots of home devices. Each and every one of those devices runs software on a computer chip. Almost all software has bugs and those bugs may be exploitable by bad guys. We’re going to take another look at protecting our home networks using a simple, logical methodology. Step one: SCAN. That is, first of all, we need to understand the scope of the problem by enumerating all of the devices on your home network. I’ll explain how to do that. In other news: Apple re-releases security update after web glitch; EV chargers are vulnerable to hacking which could have significant impacts; tax prep firms shared ‘extraordinarily sensitive’ data with Meta; Meta’s new Threads service collects tons of personal info and employs dark patterns to hook you in; France passes law giving law enforcement access to private device cameras, mics and locations; police are collecting and selling personal info, bypassing the 4th Amendment and sharing across state lines; Massachusetts weighs outright ban on selling user location data; printers and printing services may be mining your documents for data.

Article Links
[MacRumors] Apple Releases Revised iOS and macOS Security Updates to Fix Actively Exploited Vulnerability and Safari Bug https://www.macrumors.com/2023/07/12/apple-releases-revised-security-updates/
[WIRED] EV Charger Hacking Poses a ‘Catastrophic’ Risk https://www.wired.com/story/electric-vehicle-charging-station-hacks/
[The Associated Press] 3 tax prep firms shared ‘extraordinarily sensitive’ data about taxpayers with Meta, lawmakers say https://apnews.com/article/irs-taxpayer-tax-preparation-meta-congress-9315cfca7a0942ab89f765d183fbf822
[Ars Technica] How Threads’ privacy policy compares to Twitter’s (and its rivals’) https://arstechnica.com/security/2023/07/how-threads-privacy-policy-compares-to-twitters-and-its-rivals/
[Yanko Design] The ‘Threads’ App is FILLED With Deceptive Dark Design Patterns – We Spotted More Than TEN https://www.yankodesign.com/2023/07/07/the-threads-app-is-filled-with-deceptive-dark-design-patterns-we-spotted-more-than-ten/
[Gizmodo] France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens’ Phones https://gizmodo.com/france-bill-allows-police-access-phones-camera-gps-1850609772
[Tampa Bay Times] Hillsborough, Clearwater police monitoring private security cameras https://www.tampabay.com/news/hillsborough/2023/07/10/hillsborough-clearwater-police-monitoring-private-security-cameras/
[New York Daily News] NYPD seeks to grab cell phone IDs from people under arrest or in custody; push for IMEI numbers raises concerns https://www.nydailynews.com/new-york/nyc-crime/ny-nypd-campaign-cellphone-idenfiication-numbers-controversy-20230708-yltabdlozfbppeoodxymyub3zq-story.html
[The Sacramento Bee] California cops illegally share data with anti-abortion states https://www.sacbee.com/news/politics-government/capitol-alert/article275795726.html
[Engadget] Massachusetts weighs outright ban on selling user location data https://www.engadget.com/massachusetts-weighs-outright-ban-on-selling-user-location-data-191637974.html
[The Washington Post] Your printing service might read your documents. Here’s what to know. https://www.washingtonpost.com/technology/2023/07/10/printing-privacy-security-printed-documents/

Tip of the Week: IoT Inventory https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:45: News preview
0:03:37: Apple Releases Revised iOS and macOS Security Updates
0:07:30: EV Charger Hacking Poses a ‘Catastrophic’ Risk
0:13:27: 3 tax prep firms shared ‘extraordinarily sensitive’ data with Meta
0:17:10: How Threads’ privacy policy compares to Twitter’s
0:22:15: ‘Threads’ App is FILLED With Deceptive Dark Design Patterns
0:28:53: France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens’ Phones
0:31:30: Tampa Bay area police monitoring private security cameras
0:35:31: NYPD seeks to grab cell phone IDs from people under arrest or in custody
0:42:19: California cops illegally share data with anti-abortion states
0:46:14: Massachusetts weighs outright ban on selling user location data
0:49:50: Your printing service might read your documents
0:56:29: Tip of the Week: IoT Inventory
1:07:54: Dragon Coin promo coming soon
Jul 10, 2023 • 1h 9min

National Cyber Strategy

After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining its priorities and goals. It’s a wide-ranging and ambitious document consisting of five major areas of focus, or “pillars”. What’s new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and me? Today I’ll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA).

Interview Notes
National Security Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy
PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o
I Am the Cavalry: https://iamthecavalry.org/
CISA Secure by Design: https://www.cisa.gov/securebydesign

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:55: Interview setup
0:04:00: What is this strategy document, at a high level?
0:14:02: What are some of the more important or novel aspects?
0:18:05: Do agencies have the budget and authority to implement these strategies?
0:22:11: Will having a gov’t backstop actually encourage attacks or discourage preparation?
0:30:40: Should the gov’t actively scan US firms/orgs for vulnerabilities?
0:36:56: What should we do about the marketplace for zero-day hacks?
0:39:52: How aggressive should the US be against hackers?
0:41:03: What is NOT addressed by this strategy?
0:45:55: How should we manage our dependencies on foreign software and hardware?
0:52:59: What can everyday people take away from these strategies?
0:59:50: Has this document already had impacts? How do we monitor progress?
1:03:56: Interview wrap-up
1:07:40: Looking ahead
