Firewalls Don't Stop Dragons Podcast

Web links are great, when you're on the web. But if you need to read off or write down a web address, or URL, to someone else, anything beyond a simple domain name is going to be way too complicated. Ideally, you want something short and memorable. Enter link-shortening services like Bitly, Owly and others. These services convert long, ugly URLs to short, simple, memorable links. Unfortunately, this also obscures the actual link. When you click a shortened link, you have no idea where it will take you. Today, I'll give you some tools that will allow you to determine the final destination and even see an image of the site without actually going there. In other news: TikTok group teaches people how to hot-wire Kia and Hyundai cars; Twitter charges users for the least-secure two-factor authentication method; scam authenticator apps proliferation on the app store; Apple devices are being stolen after surreptitiously learning the lock codes; Google to launch Android Privacy Sandbox beta; Mozilla discovers huge discrepancies between actual privacy policies and the 'nutrition label' summaries on top Android apps; supermarkets track tons of user data via loyalty cards and apps; we need to create a much more robust and resilient internet; and the CEO of Safing answers a user question about Portmaster and SPN. Article Links [Lifehacker] TikTokers Are Hot-Wiring These Hyundai and Kia Cars https://lifehacker.com/tiktokers-are-hot-wiring-these-hyundai-and-kia-cars-1850113943 [Mashable] Twitter to charge users for SMS two-factor authentication https://mashable.com/article/twitter-removes-sms-2fa [9to5mac.com] Scam authenticator app advertising on App Store: Sends all your QR codes to the developer https://9to5mac.com/2023/02/21/scam-authenticator-app/ [MacRumors] Apple Responds to Report About Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' https://www.macrumors.com/2023/02/24/iphone-stolen-passcodes-report/ [The Verge] Google launches first Android beta for ad-tracking overhaul https://www.theverge.com/2023/2/14/23599027/google-android-privacy-sandbox-beta-advertising-tracking [foundation.mozilla.org] Mozilla Study: Data Privacy Labels for Most Top Apps in Google Play Store are False or Misleading [The Markup] Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You https://themarkup.org/privacy/2023/02/16/forget-milk-and-eggs-supermarkets-are-having-a-fire-sale-on-data-about-you [Schneier Blog] What Will It Take? https://www.schneier.com/blog/archives/2023/02/what-will-it-take.html How to Reveal Shortened URLs: https://firewallsdontstopdragons.com/how-to-reveal-shortened-urls/ Further Info 2FA apps: https://lifehacker.com/the-best-authenticator-apps-for-iphone-and-android-1850140802  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:47: Book out of stock? 0:01:45: News rundown 0:04:09: Hot-Wiring Hyundai and Kia Cars 0:09:11: Twitter to charge users for SMS 2FA 0:12:58: Scam authenticator apps 0:18:13: Thieves Spying on iPhone Passcodes to 'Steal Your Entire Digital Life' 0:24:22: Google launches first Android beta for Privacy Sandbox 0:27:52: Data Privacy Labels in Google Play Store are False or Misleading 0:34:59: Supermarkets Are Having a Fire Sale on Data About You 0:44:41: Schneier: What Will It Take? 0:52:38: Dear Carey 0:55:53: Tip of the Week 1:01:21: Wrap up: merch store, previews

Social media wasn't always so bad. It didn't use to collect so much information. It didn't use to feed us content we didn't ask for in an attempt to maintain our attention. Doom scrolling, virtue signaling, algorithmic feeds and misinformation bots are not natural extensions of social media. So what went wrong? And better yet, how can we fix it? Today I'll discuss all of these topics and more with Suzie Dawson, the founder of Panquake.com. She's on a mission to solve all of these problems and restore the promise of social media to be a positive force for society and serve the users, not corporations or governments. Interview Notes Panquake: https://panquake.com/ A Personal Message from our Founder (Suzie): https://vimeo.com/770524936  What is Panquake? https://vimeo.com/503223746  The Social Dilemma (documentary): https://www.thesocialdilemma.com/  Mastodon: https://joinmastodon.org/  Fediverse: https://www.eff.org/deeplinks/2022/11/fediverse-could-be-awesome-if-we-dont-screw-it  Microsoft’s Decentralized Identity: https://learn.microsoft.com/en-us/azure/active-directory/verifiable-credentials/decentralized-identifier-overview Further Info Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:18: interview preview 0:05:24: What is Panquake.com and why did you create it? 0:06:25: When and why did social media platforms go wrong? 0:07:55: Why is our relationship with Big Tech such an abusive one? 0:10:09: Are algorithmic feeds inherently bad or just exposing human nature? 0:15:25: How does Facebook learn so much about us? 0:16:24: Without algorithmic feeds, how do I discover new content? 0:17:51: How do you convince people to pay for their social media platform? 0:21:27: What other things do people hate about modern social media platforms? 0:25:53: What does it mean to be 'shadow banned'? 0:27:32: How can we stop malicious bot behavior? 0:30:39: What's the best way to implement account verification? 0:34:59: How do we spark a backwards paradigm shift? 0:36:44: What is the role of social media platforms in moderating content? 0:40:00: How does moderation vary globally? 0:41:23: Is TikTok more dangerous to society than Twitter or Facebook? 0:47:21: What is the "Fediverse" and how does it work? 0:53:40: How important is data portability or ownership? 0:58:34: What's next for Panquake? 1:03:19: Suzie asks ME a question! 1:04:56: Interview wrap-up 1:05:41: patron bonus content and benefits 1:06:43: Swag Shop is OPEN! 1:08:43: Upcoming interviews

As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before bad guys do this on your behalf. Furthermore, as a home owner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I'll tell you where and why to plant your flag. In other news: Booking.com reservation data being used to scam customers; top background check service customers' data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST proposes security protocols for low-power IoT devices. I also answer a listener question about IPv4 vs IPv6. Article Links [Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/ [TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach [Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/ [The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—​Starting with GoodRx – The Markup https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx [Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html [9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/ [PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html [Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims [ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/ Further Info Order the new 5th edition of my book! https://fdsd.me/book  OSINT Tools: https://inteltechniques.com/tools/index.html  WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:29: News preview 0:03:58: Booking.com users being targeted with convincing scams 0:09:11: Top background check services hit by data breach 0:12:16: Finnish psychotherapy extortion suspect arrested 0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem 0:23:23: ACLU pushes back against Google geofence warrants 0:31:07: Anker admits to lying about Eufy security camera e...

The business of data mining and behavioral advertising has never been stronger or more ubiquitous. And yet, cracks are beginning to appear in the foundations of surveillance capitalism. Nowhere is this more evident than in the European Union where advertising behemoths like Google and Meta (parent company of Facebook) have suffered a series of legal defeats at the hands of aggressive privacy regulators. The GDPR has provided a framework for curtailing rampant abuses of the advertising industry and its promise is finally coming to fruition. Today I'll speak with Johnny Ryan from the Irish Council for Civil Liberties, who is fighting for all of us on the front lines of the war for privacy. Johnny Ryan works at the Irish Council for Civil Liberties and he was previously Chief Policy Officer at Brave. He has testified and spoken at the US Senate, the European Commission, and the European Parliament. Interview Notes Irish Regulators Fine Facebook $414 Million https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html  Irish Council for Civil Liberties: https://www.iccl.ie/  Ep231: Selling You Out to the Highest Bidder https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/  Fair Information Practice Principles (FIPPs): https://en.wikipedia.org/wiki/FTC_fair_information_practice  Diesel-Gate: https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal  Further Info Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:23: The 5th edition is OUT!! 0:02:50: Interview prep 0:05:02: Give us a refresher on how behavioral ads work 0:08:41: Why was Meta fined and will they be able to appeal? 0:18:40: How does tracking consent work now and how should it work? 0:26:25: How are these fines determined and why wasn't this one bigger? 0:29:52: What changes we will see as a result of this and by when? 0:32:45: Will this ruling affect other companies, as well? 0:34:11: Will this ruling affect more than just notice and consent? 0:36:19: Why can't we just go back to context-based ads? 0:41:15: Are behavior-based ads really more valuable? 0:43:52: Is there more private way to have targeted ads? 0:47:18: Will Google's new ad framework just solidify their dominance? 0:51:42: Won't intelligence agencies abuse all of the data collected about us? 0:57:41: Has surveillance capitalism peaked? What does the future look like? 1:02:02: Interview follow-up 1:03:32: Getting the book on people's radars

Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day. In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous "malvertising" campaign mimics popular software to steal info; the previously-secret "no fly" list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I'll answer a Dear Carey question about Plain, the service that allows financial tech aggregators to access your account information and my Tip of the Week will explain Apple's new Advanced Data Protection feature. Article Links [NPR] FBI says it 'hacked the hackers' to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group [Tom's Guide] This Windows malware is stealing passwords and other data — how to stay safe https://www.tomsguide.com/news/this-windows-malware-is-stealing-passwords-and-other-data-how-to-stay-safe [TechSpot] New malware dubbed "Hook" allows hijacking and real-time spying on Android devices https://www.techspot.com/news/97356-new-malware-dubbed-hook-allows-hijacking-real-time.html [TechRadar] This dangerous malvertising campaign mimicks popular software to steal victim info https://www.techradar.com/news/this-dangerous-malvertising-campaign-mimicks-popular-software-to-steal-victim-info [BleepingComputer] Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/ [BleepingComputer] PayPal accounts breached in large-scale credential stuffing attack https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/ [Naked Security] T-Mobile admits to 37,000,000 customer records stolen by “bad actor” https://nakedsecurity.sophos.com/2023/01/20/t-mobile-admits-to-37000000-customer-records-stolen-by-bad-actor/ [9to5mac.com] Twitter GodMode still available to all engineers, following hack of Apple and other accounts https://9to5mac.com/2023/01/24/twitter-godmode/ Dear Carey: Is Plaid Safe? https://www.allthingssecured.com/reviews/security/is-plaid-safe-to-use/  Apple’s Advanced Data Protection: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web  Apple recovery contact: https://support.apple.com/en-us/HT212513  Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:04: News rundown 0:03:19: FBI shuts down Hive ransomware group 0:07:34: New Windows malware steals data 0:12:07: New Android malware that completely takes over device 0:15:43: Malvertising campaign mimicks popular software apps 0:19:44: Secret "no fly list" leaked online 0:24:26: PayPal accounts accessed via credential stuffing attack 0:28:06: T-Mobile admits 37M customer records stolen 0:31:31: Twitter's GodMode tool is still available to engineers 0:34:59: Dear Carey: Is Plaid safe? 0:45:41: Tip of the Week: Apple's Advanced Data Protection 0:53:54: 5th edition update and cool resources 0:56:56: How you can help

Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It's no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It's not as hard as you think, and it's getting easier all the time. This is a privacy concept called aliasing and we'll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim. Interview Notes SimpleLogin: https://simplelogin.io/  Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account  Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/  Fastmail Masked Email: https://www.fastmail.help/hc/en-us/articles/4406536368911-Masked-Email  Apply Private Relay: https://support.apple.com/en-us/HT212614  DuckDuckGo Private Email: https://spreadprivacy.com/introducing-email-protection-beta/  MySudo: https://mysudo.com/  Hushed: https://hushed.com/  Privacy.com: https://privacy.com/  Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:37: Book updates 0:03:10: Interview setup 0:03:57: What is SimpleLogin ? 0:05:04: How are email addresses used to track us? 0:06:19: Why do we use email addresses as user names? 0:09:42: How do normal email services provide aliases? 0:11:18: How does email subaddressing work? 0:13:05: How do modern email aliases work? 0:16:34: Do replies to alias emails expore your real address? 0:20:05: How do you use aliases to manage spam? 0:22:38: Can emall alias services read my emails? 0:23:36: How do you know you can trust an email alias provider? 0:26:41: How can you use domain names and catch-all aliases to fight spam? 0:30:52: Why are email aliases sometimes rejected? 0:34:45: What happens to my aliases if the service goes away? 0:36:50: What are the security benefits of using aliases? 0:39:44: Why is it so hard to create a phone number alias? 0:42:52: How can I get a second phone number? 0:47:13: Why are phone aliases often rejected? 0:49:15: What other ways can we use aliasing to improve privacy? 0:52:27: interview wrap-up

It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today's show I'll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I've also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I'll answer a listener question on tracking in beta software. And then I'll cover several news stores: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran's citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blockers; dozens of telehealth companies sharing sensitive health information with Big Tech companies. Article Links [TechCrunch] A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/ [BleepingComputer] NortonLifeLock warns that hackers breached Password Manager accounts https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/ [Metro] Russian hackers suspected to be behind Royal Mail cyber attack https://metro.co.uk/2023/01/13/russian-hackers-suspected-to-be-behind-royal-mail-cyber-attack-18093326/ [techmonitor.ai] Iran’s citizens targeted by EyeSpy spyware hidden in VPNs https://techmonitor.ai/technology/cybersecurity/eyespy-spyware-iran-vpn [Lifehacker] Windows 7 Is Officially Dead https://lifehacker.com/windows-7-is-officially-dead-1849966248 [briankrebs] Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/ [Kaspersky] Rise of the robot vacuum cleaners https://www.kaspersky.co.uk/blog/robot-vacuum-privacy/25348/ Bonus: https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/  [TechCrunch] Even the FBI says you should use an ad blocker https://techcrunch.com/2022/12/22/fbi-ad-blocker/ [The Markup] “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies https://themarkup.org/privacy/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023  Data Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/  BitWarden vault backup: https://community.bitwarden.com/t/how-to-a-users-guide-to-backing-up-your-bitwarden-vault/44083 Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:02:08: Big sale on pre-order of my book 0:03:05: Show preview 0:04:44: LastPass update 0:09:21: Password innovation ideas 0:13:59: watchdog cracks federal agency’s passwords in minutes 0:17:33: NortonLifeLock warns of account breaches 0:21:31: Russian hackers suspected in Royal Mail cyber attack 0:24:29: Iran’s citizens targeted by spyware in VPNs 0:26:53: Windows 7 Is Officially Dead

Facebook stock is down 65%, they just paid $725M to settle the Cambridge Analytica lawsuit, and they've just been fined over $400M by the EU. But that's not the worst part (for Meta). The EU and its General Data Protection Regulation (GDPR) is basically saying that its entire business model - surveillance capitalism - is wrong and must stop. That's the same business model used by Google, too. It really seems that the tide is finally turning in favor of user privacy as more nails are hammered into the coffin of behavior-based advertising. In other news: the first LastPass class actions lawsuit has been filed over the recently announced data breach; WhatsApp adds a feature to bypass internet censorship by repressive regimes; Pornhub is now requiring viewers from Louisiana to verifying the age via ID; data from up to 400M Twitter accounts is up for sale; a military device containing information including biometric scans of over 2000 people was bought on eBay for $68; Mom and daughter kicked out of Rockettes show in Radio City Music Hall. Plus, a Dear Carey question and my Tip of the Week. Article Links [TechRadar] LastPass is being sued following major cyberattack https://www.techradar.com/news/lastpass-is-being-sued-following-cyberattack [The Washington Post] WhatsApp adds feature to bypass internet censors in repressive regimes https://www.washingtonpost.com/technology/2023/01/06/whatsapp-proxy-server-address/ [The Verge] Meta agrees to pay $725 million to settle Cambridge Analytica class action lawsuit https://www.theverge.com/2022/12/23/23523862/meta-cambridge-analytica-class-action-lawsuit-settlement-725-million [The Hacker News] Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html [Ars Technica] Pornhub requires ID from Louisiana users to comply with state’s new porn law https://arstechnica.com/tech-policy/2023/01/no-porn-without-id-louisiana-law-forces-porn-sites-to-verify-users-ages/ [Naked Security] Twitter data of “+400 million unique users” up for sale – what to do? https://nakedsecurity.sophos.com/2022/12/28/twitter-data-of-400-million-unique-users-up-for-sale-what-to-do/ [The New York Times] For Sale on eBay: A Military Database of Fingerprints and Iris Scans https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html [Ars Technica] MSG defends using facial recognition to kick lawyer out of Rockettes show https://arstechnica.com/tech-policy/2022/12/facial-recognition-flags-girl-scout-mom-as-security-risk-at-rockettes-show/ [Lifehacker] You Can Disable Google Sign-in Pop-ups on All Websites https://lifehacker.com/you-can-disable-google-sign-in-pop-ups-on-all-websites-1849913714 Further Info ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023  LastPass breach info: https://firewallsdontstopdragons.com/special-lastpass-breach/  Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents Use these timestamps to jump to a particular section of the show. 0:01:09: Show preview 0:03:01: LastPass updates and first law suit 0:12:22: WhatsApp adds feature allowing censorship bypass 0:15:19: Facebook settles Cambridge Analytica suit for $725M 0:16:50: Irish Regulators Fine Facebook $414 Million 0:21:34: Pornhub requires ID from Louisiana users 0:27:11: 400M+ Twitter users data for sale 0:35:22: Military device with biometric data found on eBay

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users' encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people's password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don't know, what we should learn from the incident, and (most importantly) what LastPass users should do about this. Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo.  Interview Notes SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/ Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000 Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/ Mastodon technical thread #1: https://mastodon.social/@epixoip@infosec.exchange/109585049690097599 Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700 My “diceware” passphrase generator: https://d20key.com/  My blog on creating strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/  How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/  Classic XKCD cartoons on passphrases: https://xkcd.com/936/  Consumer Reports Security Planner: https://securityplanner.consumerreports.org/ Further Info Follow me on social media: https://firewallsdontstopdragons.com/contact/  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book Table of Contents Use these timestamps to jump to a particular section of the show. 0:00:47: Ep300 giveaway updates 0:03:15: interview setup 0:08:17: What do we know about the LastPass breaches? 0:13:25: Were all LastPass users affected? 0:15:03: How is my LastPass data secured, exactly? 0:19:53: What is PBKDF2 and why are iterations important? 0:23:10: Did LastPass increase the iterations for all users over time? 0:26:46: Is any information in my password vault not encrypted? 0:29:35: How do I know if my vault password is strong enough? 0:36:13: What if I didn't have a strong vault password? What should I do? 0:41:47: Do we have any evidence that people's vaults have been cracked? 0:45:34: Did LastPass handle this properly? 0:50:50: What can the government do to help here? 0:53:30: Should LastPass users switch to a different service? 0:57:11: Will passwordless authentication solve this problem? 1:01:03: What are the key take-aways here? 1:02:37: My take on the breach and what you should do about it

All our devices and apps use the internet these days. But what are they doing on the internet, exactly? Who are they talking to? You'd be surprised. But there are tools which will not only let you see what they're up to, but also let you have fine-grain control over what communications you want to allow. But just the mere fact that they're sending and receiving data to and from multiple sources can be revealing, too. While VPN's are good for adding a layer of security, they're really not great at adding privacy - despite having "private" in the name. Thankfully, there's a new service that can help there, too. We'll be discussing network privacy and how we can improve it with the CEO of Safing, Raphael Fiedler. Raphael Fiedler is the CEO of Safing, a speaker on topics about privacy, and a regular co-host on an InfoSec podcast. Interview Notes Safing.io, Portmaster, Safing Privacy Network (SPN): https://safing.io/  Securitized podcast: https://www.securityzed.com/  The Hut Six Story: Breaking the Enigma Codes https://www.amazon.com/Hut-Six-Story-Breaking-Enigma/dp/0947712348  Naomi Brockwell, The Dark Side of VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok  OSI Layer Model: https://en.wikipedia.org/wiki/OSI_model  Nym network: https://nymtech.net/  SPN white paper: https://safing.io/files/whitepaper/Gate17.pdf  Further Info 300th episode promotion: https://fdsd.me/ep300  Patron promotion: https://fdsd.me/coinpromo  Send me your questions! https://fdsd.me/qna  Support me! https://fdsd.me/support  Subscribe to the newsletter: https://fdsd.me/newsletter  Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book  Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest  Generate secure passphrases! https://d20key.com/#/  Table of Contents 0:00:35: Promotions update - last call! 0:02:11: Interview preview 0:04:41: How did Safing start? What problems are you trying to solve? 0:07:57: What are the most likely threats to our home network? 0:10:12: Are our devices and apps tattling on us? 0:14:14: What can an application firewall do for us? 0:17:04: Given broad use of HTTPS, do we need VPNs like we used to? 0:19:30: Can we collect useful analytics and still preserve privacy? 0:23:46: Which VPN marketing claims are bogus or misleading? 0:29:31: How does a decentralized VPN work? 0:33:10: What is the value of a decentalized VPN? 0:35:13: How is your SPN different from a VPN? 0:41:10: Who owns the SPN exit nodes? 0:43:27: Can your SPN mix traffic amongst backbone providers? 0:48:18: Can an SPN do anything to prevent fingerprinting? 0:51:14: Does a multi-connection SPN confuse some websites or apps? 0:54:28: How does the SPN compare to Tor or Apply Private Relay? 1:00:22: What's the roadmap look like for Portmaster and SPN? 1:03:30: Wrap-up