Firewalls Don't Stop Dragons Podcast

Carey Parker
Feb 13, 2023 • 1h 2min

Where & Why to Plant Your Flag

As a general rule, I would normally advise people to minimize the number of online accounts they have, including avoiding creating unnecessary accounts and closing accounts they no longer need. However, as a regular citizen, there are a handful of governmental accounts that exist for you already, whether you use them or not. And you should claim those accounts for yourself before bad guys do this on your behalf. Furthermore, as a home owner or modern consumer, you probably have several other accounts that you may never have claimed: utilities, financial institutions, medical portals, and more. Today I’ll tell you where and why to plant your flag. In other news: Booking.com reservation data being used to scam customers; top background check service customers’ data leaked; Finnish psychotherapy extortion suspect arrested; FTC takes on telehealth data sharing; the ACLU lobbies court to restrict Google geofence warrant data; Anker admits to Eufy camera security bugs; fake, malicious Bitwarden ads deliver malware; maker of stalkerware fined and forced to notify victims; NIST proposes security protocols for low-power IoT devices. I also answer a listener question about IPv4 vs IPv6. 
Article Links
[Ars Technica] Mysterious leak of Booking.com reservation data is being used to scam customers https://arstechnica.com/information-technology/2023/02/mysterious-leak-of-booking-com-reservation-data-is-being-used-to-scam-customers/
[TechRadar] Top background check services hit by data breach https://www.techradar.com/news/top-background-check-services-hit-by-data-breach
[Naked Security] Finnish psychotherapy extortion suspect arrested in France https://nakedsecurity.sophos.com/2023/02/06/finnish-psychotherapy-extortion-suspect-arrested-in-france/
[The Markup] The FTC Is Taking on Telehealth’s Data Sharing Problem—Starting with GoodRx https://themarkup.org/pixel-hunt/2023/02/01/the-ftc-is-taking-on-telehealths-data-sharing-problem-starting-with-goodrx
[Computerworld] ACLU, public defenders push back against Google giving police your mobile data https://www.computerworld.com/article/3686535/aclu-public-defenders-push-back-against-google-giving-police-your-mobile-data.html
[9to5mac.com] Anker admits to lying about Eufy security camera encryption; describes future plans https://9to5mac.com/2023/02/01/eufy-security-camera-encryption/
[PCWorld] Phony, malicious Bitwarden ads slip past Google’s watch https://www.pcworld.com/article/1487690/phony-bitwarden-ads-are-the-latest-to-slip-through-on-googles-watch.html
[Electronic Frontier Foundation] Stalkerware Maker Fined $410k and Compelled to Notify Victims https://www.eff.org/deeplinks/2023/02/stalkerware-maker-fined-410k-and-compelled-notify-victims
[ZDNet] Tiny IoT devices are getting their own special encryption algorithms https://www.zdnet.com/article/tiny-iot-devices-are-getting-their-own-special-encryption-algorithms/

Further Info
Order the new 5th edition of my book! https://fdsd.me/book
OSINT Tools: https://inteltechniques.com/tools/index.html
WireGuard IPv6 help: https://stanislas.blog/2019/01/how-to-setup-vpn-server-wireguard-nat-ipv6/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:29: News preview
0:03:58: Booking.com users being targeted with convincing scams
0:09:11: Top background check services hit by data breach
0:12:16: Finnish psychotherapy extortion suspect arrested
0:18:48: FTC Is Taking on Telehealth’s Data Sharing Problem
0:23:23: ACLU pushes back against Google geofence warrants
0:31:07: Anker admits to lying about Eufy security camera encryption
0:37:38: Phony, malicious Bitwarden ads slip past Google
0:41:05: Stalkerware Maker Fined $410k and Compelled to Notify Victims
0:44:43: IoT devices are getting their own special encryption algorithms
0:47:38: Dear Carey: IPv4 vs IPv6
0:55:01: Tip of the Week: Plant Your Flag
1:00:03: Wrap up
Feb 6, 2023 • 1h 6min

Combatting Surveillance Capitalism

The business of data mining and behavioral advertising has never been stronger or more ubiquitous. And yet, cracks are beginning to appear in the foundations of surveillance capitalism. Nowhere is this more evident than in the European Union, where advertising behemoths like Google and Meta (parent company of Facebook) have suffered a series of legal defeats at the hands of aggressive privacy regulators. The GDPR has provided a framework for curtailing rampant abuses of the advertising industry, and its promise is finally coming to fruition. Today I’ll speak with Johnny Ryan from the Irish Council for Civil Liberties, who is fighting for all of us on the front lines of the war for privacy.

Johnny Ryan works at the Irish Council for Civil Liberties and was previously Chief Policy Officer at Brave. He has testified and spoken at the US Senate, the European Commission, and the European Parliament.

Interview Notes
Irish Regulators Fine Facebook $414 Million https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html
Irish Council for Civil Liberties: https://www.iccl.ie/
Ep231: Selling You Out to the Highest Bidder https://podcast.firewallsdontstopdragons.com/2021/08/02/selling-you-out-to-the-highest-bidder/
Fair Information Practice Principles (FIPPs): https://en.wikipedia.org/wiki/FTC_fair_information_practice
Diesel-Gate: https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:23: The 5th edition is OUT!!
0:02:50: Interview prep
0:05:02: Give us a refresher on how behavioral ads work
0:08:41: Why was Meta fined and will they be able to appeal?
0:18:40: How does tracking consent work now and how should it work?
0:26:25: How are these fines determined and why wasn’t this one bigger?
0:29:52: What changes will we see as a result of this and by when?
0:32:45: Will this ruling affect other companies, as well?
0:34:11: Will this ruling affect more than just notice and consent?
0:36:19: Why can’t we just go back to context-based ads?
0:41:15: Are behavior-based ads really more valuable?
0:43:52: Is there a more private way to have targeted ads?
0:47:18: Will Google’s new ad framework just solidify their dominance?
0:51:42: Won’t intelligence agencies abuse all of the data collected about us?
0:57:41: Has surveillance capitalism peaked? What does the future look like?
1:02:02: Interview follow-up
1:03:32: Getting the book on people’s radars
Jan 30, 2023 • 1h 1min

Data Privacy Week 2023

Every January, we celebrate privacy with Data Privacy Week. It has rightly expanded from Data Privacy Day. And of course every day should be data privacy day. In the news: The FBI shuts down a major ransomware group; new Windows malware steals passwords and other data; new Android malware can completely take over your device; a dangerous “malvertising” campaign mimics popular software to steal info; the previously-secret “no fly” list was leaked online; tens of thousands of PayPal accounts hacked via credential stuffing; T-Mobile admits to over 37M customer records stolen; and Twitter GodMode is back (or rather never really went away). I’ll answer a Dear Carey question about Plaid, the service that allows financial tech aggregators to access your account information, and my Tip of the Week will explain Apple’s new Advanced Data Protection feature.

Article Links
[NPR] FBI says it ‘hacked the hackers’ to shut down major ransomware group https://www.npr.org/2023/01/26/1151696092/fbi-says-it-hacked-the-hackers-to-shut-down-major-ransomware-group
[Tom’s Guide] This Windows malware is stealing passwords and other data — how to stay safe https://www.tomsguide.com/news/this-windows-malware-is-stealing-passwords-and-other-data-how-to-stay-safe
[TechSpot] New malware dubbed “Hook” allows hijacking and real-time spying on Android devices https://www.techspot.com/news/97356-new-malware-dubbed-hook-allows-hijacking-real-time.html
[TechRadar] This dangerous malvertising campaign mimicks popular software to steal victim info https://www.techradar.com/news/this-dangerous-malvertising-campaign-mimicks-popular-software-to-steal-victim-info
[BleepingComputer] Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
[BleepingComputer] PayPal accounts breached in large-scale credential stuffing attack https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
[Naked Security] T-Mobile admits to 37,000,000 customer records stolen by “bad actor” https://nakedsecurity.sophos.com/2023/01/20/t-mobile-admits-to-37000000-customer-records-stolen-by-bad-actor/
[9to5mac.com] Twitter GodMode still available to all engineers, following hack of Apple and other accounts https://9to5mac.com/2023/01/24/twitter-godmode/
Dear Carey: Is Plaid Safe? https://www.allthingssecured.com/reviews/security/is-plaid-safe-to-use/
Apple’s Advanced Data Protection: https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
Apple recovery contact: https://support.apple.com/en-us/HT212513

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:04: News rundown
0:03:19: FBI shuts down Hive ransomware group
0:07:34: New Windows malware steals data
0:12:07: New Android malware that completely takes over device
0:15:43: Malvertising campaign mimics popular software apps
0:19:44: Secret “no fly list” leaked online
0:24:26: PayPal accounts accessed via credential stuffing attack
0:28:06: T-Mobile admits 37M customer records stolen
0:31:31: Twitter’s GodMode tool is still available to engineers
0:34:59: Dear Carey: Is Plaid safe?
0:45:41: Tip of the Week: Apple’s Advanced Data Protection
0:53:54: 5th edition update and cool resources
0:56:56: How you can help
Jan 23, 2023 • 56min

Using Aliases to Improve Privacy

Our email addresses and cell phone numbers have become highly valuable identifiers for marketers. Like government-issued IDs, your email address and phone number are directly associated with your identity, and you will probably have them for life. This makes them ideal for tracking you across websites and accounts. It’s no wonder that you are asked to provide this information all the time, for the simplest things. So why not throw them off your trail by having multiple email addresses and phone numbers? It’s not as hard as you think, and it’s getting easier all the time. This is a privacy concept called aliasing, and we’ll delve into all the details with the CEO and founder of SimpleLogin, Son Nguyen Kim.

Interview Notes
SimpleLogin: https://simplelogin.io/
Proton & SimpleLogin: https://proton.me/support/create-simplelogin-account-proton-account
Data Privacy Week: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Fastmail Masked Email: https://www.fastmail.help/hc/en-us/articles/4406536368911-Masked-Email
Apple Private Relay: https://support.apple.com/en-us/HT212614
DuckDuckGo Private Email: https://spreadprivacy.com/introducing-email-protection-beta/
MySudo: https://mysudo.com/
Hushed: https://hushed.com/
Privacy.com: https://privacy.com/

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: Book updates
0:03:10: Interview setup
0:03:57: What is SimpleLogin?
0:05:04: How are email addresses used to track us?
0:06:19: Why do we use email addresses as user names?
0:09:42: How do normal email services provide aliases?
0:11:18: How does email subaddressing work?
0:13:05: How do modern email aliases work?
0:16:34: Do replies to alias emails expose your real address?
0:20:05: How do you use aliases to manage spam?
0:22:38: Can email alias services read my emails?
0:23:36: How do you know you can trust an email alias provider?
0:26:41: How can you use domain names and catch-all aliases to fight spam?
0:30:52: Why are email aliases sometimes rejected?
0:34:45: What happens to my aliases if the service goes away?
0:36:50: What are the security benefits of using aliases?
0:39:44: Why is it so hard to create a phone number alias?
0:42:52: How can I get a second phone number?
0:47:13: Why are phone aliases often rejected?
0:49:15: What other ways can we use aliasing to improve privacy?
0:52:27: Interview wrap-up
Jan 16, 2023 • 1h 4min

New Year’s Resolutions: 2023

It’s that time of year again! Time to put the past behind us and look forward to a brand new year, full of possibilities and hope! In today’s show I’ll throw out several tips for improving your privacy and security that you might want to put on your to-do list for 2023. I’ve also got a minor LastPass update and some thoughts on how we might make managing passwords easier and more robust. I’ll answer a listener question on tracking in beta software. And then I’ll cover several news stories: A government watchdog cracks many accounts in a federal agency with a cheap password cracking rig; NortonLifeLock is warning several users that hackers may have breached their accounts; Russian hackers suspected in Royal Mail attack; Iran’s citizens being targeted with spyware in VPN apps; Windows 7 is finally totally dead; identity thieves find authentication bypass to access Experian credit reports; robot vacuum cleaner captured compromising pictures that ended up on social media; even the FBI is recommending ad blockers; dozens of telehealth companies sharing sensitive health information with Big Tech companies.

Article Links
[TechCrunch] A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/
[BleepingComputer] NortonLifeLock warns that hackers breached Password Manager accounts https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/
[Metro] Russian hackers suspected to be behind Royal Mail cyber attack https://metro.co.uk/2023/01/13/russian-hackers-suspected-to-be-behind-royal-mail-cyber-attack-18093326/
[techmonitor.ai] Iran’s citizens targeted by EyeSpy spyware hidden in VPNs https://techmonitor.ai/technology/cybersecurity/eyespy-spyware-iran-vpn
[Lifehacker] Windows 7 Is Officially Dead https://lifehacker.com/windows-7-is-officially-dead-1849966248
[briankrebs] Identity Thieves Bypassed Experian Security to View Credit Reports https://krebsonsecurity.com/2023/01/identity-thieves-bypassed-experian-security-to-view-credit-reports/
[Kaspersky] Rise of the robot vacuum cleaners https://www.kaspersky.co.uk/blog/robot-vacuum-privacy/25348/
Bonus: https://www.technologyreview.com/2023/01/10/1066500/roomba-irobot-robot-vacuum-beta-product-testers-consent-agreement-misled/
[TechCrunch] Even the FBI says you should use an ad blocker https://techcrunch.com/2022/12/22/fbi-ad-blocker/
[The Markup] “Out Of Control”: Dozens of Telehealth Startups Sent Sensitive Health Information to Big Tech Companies https://themarkup.org/privacy/2022/12/13/out-of-control-dozens-of-telehealth-startups-sent-sensitive-health-information-to-big-tech-companies

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
Data Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
BitWarden vault backup: https://community.bitwarden.com/t/how-to-a-users-guide-to-backing-up-your-bitwarden-vault/44083
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:08: Big sale on pre-order of my book
0:03:05: Show preview
0:04:44: LastPass update
0:09:21: Password innovation ideas
0:13:59: Watchdog cracks federal agency’s passwords in minutes
0:17:33: NortonLifeLock warns of account breaches
0:21:31: Russian hackers suspected in Royal Mail cyber attack
0:24:29: Iran’s citizens targeted by spyware in VPNs
0:26:53: Windows 7 Is Officially Dead
0:30:26: Identity Thieves Bypassed Experian Security to View Credit Reports
0:35:06: Rise of the robot vacuum cleaners
0:40:54: Even the FBI says you should use an ad blocker
0:43:07: Telehealth Startups Sent Sensitive Health Info to Big Tech Companies
0:48:04: Dear Carey: Beta software tracking?
0:50:51: Tip of the Week: New Year’s Resolutions!
1:00:57: Wrap-up
1:01:33: Patron benefits
Jan 9, 2023 • 58min

Privacy Tide is Turning

Facebook stock is down 65%, they just paid $725M to settle the Cambridge Analytica lawsuit, and they’ve just been fined over $400M by the EU. But that’s not the worst part (for Meta). The EU and its General Data Protection Regulation (GDPR) are basically saying that its entire business model – surveillance capitalism – is wrong and must stop. That’s the same business model used by Google, too. It really seems that the tide is finally turning in favor of user privacy as more nails are hammered into the coffin of behavior-based advertising. In other news: the first LastPass class action lawsuit has been filed over the recently announced data breach; WhatsApp adds a feature to bypass internet censorship by repressive regimes; Pornhub is now requiring viewers from Louisiana to verify their age via ID; data from up to 400M Twitter accounts is up for sale; a military device containing information including biometric scans of over 2000 people was bought on eBay for $68; mom and daughter kicked out of Rockettes show in Radio City Music Hall. Plus, a Dear Carey question and my Tip of the Week.

Article Links
[TechRadar] LastPass is being sued following major cyberattack https://www.techradar.com/news/lastpass-is-being-sued-following-cyberattack
[The Washington Post] WhatsApp adds feature to bypass internet censors in repressive regimes https://www.washingtonpost.com/technology/2023/01/06/whatsapp-proxy-server-address/
[The Verge] Meta agrees to pay $725 million to settle Cambridge Analytica class action lawsuit https://www.theverge.com/2022/12/23/23523862/meta-cambridge-analytica-class-action-lawsuit-settlement-725-million
[The Hacker News] Irish Regulators Fine Facebook $414 Million for Forcing Users to Accept Targeted Ads https://thehackernews.com/2023/01/irish-regulators-fine-facebook-414.html
[Ars Technica] Pornhub requires ID from Louisiana users to comply with state’s new porn law https://arstechnica.com/tech-policy/2023/01/no-porn-without-id-louisiana-law-forces-porn-sites-to-verify-users-ages/
[Naked Security] Twitter data of “+400 million unique users” up for sale – what to do? https://nakedsecurity.sophos.com/2022/12/28/twitter-data-of-400-million-unique-users-up-for-sale-what-to-do/
[The New York Times] For Sale on eBay: A Military Database of Fingerprints and Iris Scans https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html
[Ars Technica] MSG defends using facial recognition to kick lawyer out of Rockettes show https://arstechnica.com/tech-policy/2022/12/facial-recognition-flags-girl-scout-mom-as-security-risk-at-rockettes-show/
[Lifehacker] You Can Disable Google Sign-in Pop-ups on All Websites https://lifehacker.com/you-can-disable-google-sign-in-pop-ups-on-all-websites-1849913714

Further Info
ANNUAL LISTENER SURVEY!! https://fdsd.me/survey2023
LastPass breach info: https://firewallsdontstopdragons.com/special-lastpass-breach/
Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:09: Show preview
0:03:01: LastPass updates and first lawsuit
0:12:22: WhatsApp adds feature allowing censorship bypass
0:15:19: Facebook settles Cambridge Analytica suit for $725M
0:16:50: Irish Regulators Fine Facebook $414 Million
0:21:34: Pornhub requires ID from Louisiana users
0:27:11: 400M+ Twitter users’ data for sale
0:35:22: Military device with biometric data found on eBay
0:40:37: Woman ejected from Rockettes show
0:44:12: Dear Carey: how do I improve my passwords?
0:49:05: Tip of the Week: Banishing Google’s “sign in” pop-ups
0:54:40: Annual listener survey!!
0:55:34: Looking ahead
0:55:58: Book updates
Jan 2, 2023 • 1h 24min

SPECIAL: LastPass Breach

Right before Christmas, LastPass dropped a bombshell report explaining that bad actors appeared to have made copies of LastPass users’ encrypted password vaults. The information was a little short on key details, probably indicating that the investigation is ongoing and we will learn more in the coming weeks. However, we have already learned enough to know that the data breach did leak some important metadata contained in people’s password vaults and that any users who had less-than-secure master passwords should be worried that the encrypted contents may now be vulnerable to disclosure. That is about as bad as it gets. Today I will speak with a cybersecurity and authentication expert from CISA about this breach: what we know, what we don’t know, what we should learn from the incident, and (most importantly) what LastPass users should do about this.

Bob Lord is a Senior Technical Advisor for the Cybersecurity and Infrastructure Security Agency (CISA) and former Chief Information Security Officer (CISO) for Yahoo.

Interview Notes
SPECIAL REPORT: LastPass Breach: https://firewallsdontstopdragons.com/special-lastpass-breach/
Twitter thread investigating what’s encrypted and what’s not: https://twitter.com/UK_Daniel_Card/status/1606012536582656000
Write-up by a security researcher: https://www.pwndefend.com/2022/12/24/lastpass-breach-the-danger-of-metadata/
Mastodon technical thread #1: https://mastodon.social/@epixoip@infosec.exchange/109585049690097599
Mastodon technical thread #2: https://infosec.exchange/@WPalant/109590750504031700
My “diceware” passphrase generator: https://d20key.com/
My blog on creating a strong passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
How to make stronger passwords: https://firewallsdontstopdragons.com/need-a-bigger-password-haystack/
Classic XKCD cartoon on passphrases: https://xkcd.com/936/
Consumer Reports Security Planner: https://securityplanner.consumerreports.org/

Further Info
Follow me on social media: https://firewallsdontstopdragons.com/contact/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: Ep300 giveaway updates
0:03:15: Interview setup
0:08:17: What do we know about the LastPass breaches?
0:13:25: Were all LastPass users affected?
0:15:03: How is my LastPass data secured, exactly?
0:19:53: What is PBKDF2 and why are iterations important?
0:23:10: Did LastPass increase the iterations for all users over time?
0:26:46: Is any information in my password vault not encrypted?
0:29:35: How do I know if my vault password is strong enough?
0:36:13: What if I didn’t have a strong vault password? What should I do?
0:41:47: Do we have any evidence that people’s vaults have been cracked?
0:45:34: Did LastPass handle this properly?
0:50:50: What can the government do to help here?
0:53:30: Should LastPass users switch to a different service?
0:57:11: Will passwordless authentication solve this problem?
1:01:03: What are the key take-aways here?
1:02:37: My take on the breach and what you should do about it
Dec 26, 2022 • 1h 5min

Building a Better Private Network

All our devices and apps use the internet these days. But what are they doing on the internet, exactly? Who are they talking to? You’d be surprised. But there are tools which will not only let you see what they’re up to, but also let you have fine-grained control over what communications you want to allow. But just the mere fact that they’re sending and receiving data to and from multiple sources can be revealing, too. While VPNs are good for adding a layer of security, they’re really not great at adding privacy – despite having “private” in the name. Thankfully, there’s a new service that can help there, too. We’ll be discussing network privacy and how we can improve it with the CEO of Safing, Raphael Fiedler.

Raphael Fiedler is the CEO of Safing, a speaker on topics about privacy, and a regular co-host on an InfoSec podcast.

Interview Notes
Safing.io, Portmaster, Safing Privacy Network (SPN): https://safing.io/
Securitized podcast: https://www.securityzed.com/
The Hut Six Story: Breaking the Enigma Codes https://www.amazon.com/Hut-Six-Story-Breaking-Enigma/dp/0947712348
Naomi Brockwell, The Dark Side of VPNs: https://www.youtube.com/watch?v=8MHBMdTBlok
OSI Layer Model: https://en.wikipedia.org/wiki/OSI_model
Nym network: https://nymtech.net/
SPN white paper: https://safing.io/files/whitepaper/Gate17.pdf

Further Info
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
0:00:35: Promotions update – last call!
0:02:11: Interview preview
0:04:41: How did Safing start? What problems are you trying to solve?
0:07:57: What are the most likely threats to our home network?
0:10:12: Are our devices and apps tattling on us?
0:14:14: What can an application firewall do for us?
0:17:04: Given broad use of HTTPS, do we need VPNs like we used to?
0:19:30: Can we collect useful analytics and still preserve privacy?
0:23:46: Which VPN marketing claims are bogus or misleading?
0:29:31: How does a decentralized VPN work?
0:33:10: What is the value of a decentralized VPN?
0:35:13: How is your SPN different from a VPN?
0:41:10: Who owns the SPN exit nodes?
0:43:27: Can your SPN mix traffic amongst backbone providers?
0:48:18: Can an SPN do anything to prevent fingerprinting?
0:51:14: Does a multi-connection SPN confuse some websites or apps?
0:54:28: How does the SPN compare to Tor or Apple Private Relay?
1:00:22: What’s the roadmap look like for Portmaster and SPN?
1:03:30: Wrap-up
Dec 19, 2022 • 1h 12min

Best of 2022!

The year is almost over and as we head into the holiday season I wanted to reminisce with some of my favorite snippets from the last year! Unlike in previous ‘best of’ shows, I’ve actually included some new snippets from my private podcast, to give you a little taste of the bonus content that I create for my patrons! The links in the show notes will take you to the full episodes, including all the relevant ‘further information’ links associated with them. Happy holidays, everyone!!

Article Links
Ep267: Luck Favors the Prepared https://podcast.firewallsdontstopdragons.com/2022/04/11/luck-favors-the-prepared/
Ep279: Necessary Chaos: https://podcast.firewallsdontstopdragons.com/2022/07/04/necessary-chaos/
Ep272: Tomatoes & Telegraphs: https://podcast.firewallsdontstopdragons.com/2022/05/23/tomatoes-telegraphs/
Ep275: Cryptocurrency 101: https://podcast.firewallsdontstopdragons.com/2022/06/06/cryptocurrency-101/
Ep283: No Place Left to Hide: https://podcast.firewallsdontstopdragons.com/2022/08/01/now-place-left-to-hide/
Ep287: The Night the Lights Went Out in Vegas: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/
Ep289: Decoding Computers & Software: https://podcast.firewallsdontstopdragons.com/2022/09/12/decoding-computers-software/
Ep292: Capture the Flag for Fun & Profit: https://podcast.firewallsdontstopdragons.com/2022/10/03/capture-the-flag-for-fun-profit/
Steganography: https://en.wikipedia.org/wiki/Steganography

Further Info
Give the gift of security and privacy! https://fdsd.me/coupons
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:17: Ep267: How the internet works
0:10:23: Ep279: Getting into electronics and hacking
0:16:22: Ep273: The invention of the one-time pad
0:24:36: Ep275: Why do we need cryptocurrency?
0:30:26: Ep283 BONUS: What’s it like arguing in front of the Supreme Court?
0:35:33: Ep283: This suspect looks just like Woody Harrelson!
0:40:26: Ep287: The time DEF CON almost ended
0:49:15: Ep289: The historical origins of software and storage
0:56:28: Ep292: Ender’s Game-ing a hacker tournament
1:02:20: Ep288 Merlin’s Musings: Steganography
1:10:39: Wrap-up
Dec 12, 2022 • 1h 9min

We Are the Cavalry

Today when computer systems fail, they can cause real, physical harm. In just the last few years, we’ve seen cyber attacks interfere with our food supply, tamper with city water supplies, and disrupt gas pipelines. While cheap consumer electronics often have poor security, medical devices like insulin pumps and pacemakers are also vulnerable to attack – and the consequences of failure can be lethal. The free market doesn’t reward better security. Regulations are weak or nonexistent; regulators are understaffed and underfunded. Targeted organizations lack sufficient funding, training and personnel to prepare and respond. They need help. I Am the Cavalry aims to engage technologists and hackers to ride to the rescue.

Joshua Corman is VP of Cyber Safety Strategy at Claroty, Founder of I Am The Cavalry, and formerly served as Chief Strategist for CISA regarding COVID, healthcare, and public safety.

Interview Links
I Am The Cavalry: https://iamthecavalry.org/
BSides 2022 Cavalry presentation: https://www.youtube.com/watch?v=aw3egJej7so
The Cavalry Isn’t Coming (DEF CON 21 talk): https://www.youtube.com/watch?v=2kMGdkOMSK0
Rugged Software Manifesto: https://github.com/rugged-software/rugged-software.github.io
CISA Bad Practices: https://www.cisa.gov/BadPractices
CISA Information Sharing and Awareness: https://www.cisa.gov/information-sharing-and-awareness
Maslow’s Hierarchy of Needs: https://www.simplypsychology.org/maslow.html
Click Here to Kill Everyone: https://www.schneier.com/books/click-here/
SBOM interview: https://podcast.firewallsdontstopdragons.com/2021/07/19/its-time-to-drop-the-sbom/
My Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2022/08/29/the-night-the-lights-went-out-in-vegas/

Further Info
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Send me your questions! https://fdsd.me/qna
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:28: Giveaway and promotion update
0:02:46: Holiday gift ideas
0:03:59: Interview preview
0:08:35: How did I Am the Cavalry get started?
0:16:52: How does focusing on physical harms change your approach to cybersecurity?
0:20:33: Why is it so important to ‘meet people where they are’?
0:23:40: How do you best help organizations that are target rich but cyber poor?
0:31:47: What is the crawl, walk, run progression?
0:34:33: Why is it so important to compartmentalize systems?
0:35:56: How do we do a better job of designing security in from the start?
0:39:01: Is it safer for small companies to use managed services?
0:42:17: What role should the government play here?
0:52:57: If I want to get help for my organization, where should I go?
0:58:18: What’s next for the Cavalry and how can I get involved?
1:05:09: Interview wrap-up
1:06:35: Book recommendations
1:07:43: Preview of upcoming shows