Firewalls Don't Stop Dragons Podcast

Carey Parker
Dec 5, 2022 • 1h 9min

Tis the Season for Scams

Tis the season for giving… and unfortunately, also for taking. Scammers tend to be extremely active during the holiday season. We’re buying lots of stuff online, having lots of packages delivered. We’re away from our homes for extended periods of time. We’re giving money to charities. We’re firing up new tech toys. The bad guys know this and are happy to take advantage of our chaotic holiday schedule and unusual levels of spending and giving. I’ll give you some top tips to avoid being a victim this holiday season. In other news: the SFPD wants to arm its law enforcement robots; the TSA is expanding the use of facial recognition at airports; Microsoft warns of malware coming from Google Ads; a new study shows that computer repair shops may be accessing your personal data; WhatsApp data breach affects nearly 500M users; Twitter data breach was far worse than reported; Meta shuts down covert US propaganda operation; US watchdog raises warning for offshore oil and gas rig security; a new malware campaign bypasses Windows protections; LastPass admits to customer data breach caused by previous breach; and Anker’s Eufy cameras caught sending data to cloud without user consent.

Article Links
[Electronic Frontier Foundation] Red Alert: The SFPD want the power to kill with robots https://www.eff.org/deeplinks/2022/11/red-alert-sfpd-want-power-kill-robots
[The Washington Post] TSA now wants to scan your face at security. Here are your rights. https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/
[BleepingComputer] Brave starts showing “privacy-preserving” ads in search results https://www.bleepingcomputer.com/news/technology/brave-starts-showing-privacy-preserving-ads-in-search-results/
[Tech.co] Microsoft Warns Hackers Use Google Ads to Deliver Ransomware https://tech.co/news/microsoft-warns-hackers-google-ads-ransomware
[Ars Technica] Thinking about taking your computer to the repair shop? Be very afraid https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/
[TechRadar] WhatsApp data breach sees nearly 500 million user records up for sale https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale
[9to5mac.com] Massive Twitter data breach was far worse than reported, reveal security researchers https://9to5mac.com/2022/11/25/massive-twitter-data-breach/
[BleepingComputer] Meta links U.S. military with covert Facebook influence operation https://www.bleepingcomputer.com/news/security/meta-links-us-military-with-covert-facebook-influence-operation/
[TechCrunch] US offshore oil and gas rigs at ‘significant’ risk of cyberattacks, warns watchdog https://techcrunch.com/2022/11/22/offshore-oil-gas-cyberattacks-watchdog/
[TechRadar] This new malware is able to bypass all of Microsoft’s security warnings https://www.techradar.com/news/this-new-malware-is-able-to-bypass-all-of-microsofts-security-warnings
[Naked Security] LastPass admits to customer data breach caused by previous breach https://nakedsecurity.sophos.com/2022/12/02/lastpass-admits-to-customer-data-breach-caused-by-previous-breach/
[MacRumors] Anker’s Eufy Cameras Caught Uploading Content to the Cloud Without User Consent https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/

Tip of the Week: Tis the Season for Scams: https://firewallsdontstopdragons.com/how-to-avoid-holiday-scams/

Further Info
Boston Dynamics robodog: https://www.youtube.com/watch?v=6Zbhvaac68Y
This Person Doesn’t Exist: https://thispersondoesnotexist.com/
300th episode promotion: https://fdsd.me/ep300
Patron promotion: https://fdsd.me/coinpromo
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:37: Contest, promo updates
0:01:20: Update Chrome, iOS
0:01:51: News rundown
0:03:53: SFPD wants to arm its robots
0:08:18: TSA to expand use of facial recognition at airports
0:15:12: Brave to start showing “privacy-preserving” ads
0:17:45: Google Ads being used to deliver malware
0:21:17: Computer repair shops may be accessing your private data
0:29:17: WhatsApp data for nearly 500M users breached
0:30:59: Twitter data breach far worse than reported
0:35:03: Meta removes US military covert influence operation
0:38:12: US watchdog warns of offshore oil and gas rig vulnerabilities
0:41:32: New malware evades Microsoft protections for downloaded files
0:44:12: LastPass admits to customer data breach caused by previous breach
0:50:01: Eufy cameras caught sending data to cloud without user consent
0:59:56: Tip of the Week: Avoiding Holiday Scams
1:06:19: Wrap-up and look ahead
Nov 28, 2022 • 1h 7min

300th Episode!!

I can’t believe I’ve been doing this for 300 weeks – almost 6 years now! And returning for his 3rd “podcentennial” episode is world-renowned security guru Bruce Schneier! Today we’ll discuss hacking – not just in the realm of computers, but in legal, political, social and economic spaces. And then we’ll talk about how artificial intelligence and computer automation are starting to play a significant role in hacking all of these realms. Computers and AI expand the scope, scale and speed of hacking and we’re honestly not prepared for it. To celebrate the 300th episode and the coming release of the 5th edition of my book, today I’m kicking off a big giveaway with lots of prizes and a killer promotion for patrons on Patreon! (See below for links.) Bruce Schneier is an internationally renowned technologist and security guru. He is the author of over one dozen books, including his latest, A Hacker’s Mind, due out in February, I believe. He has testified before Congress and has served on several government committees and corporate boards, written many seminal papers, has a very popular blog called Crypto-Gram, and last but not least, Bruce is the Chief of Security Architecture at Inrupt.

Further Info
300th episode promotion: https://firewallsdontstopdragons.com/enter-to-win-300th-podcast-giveaway/
Patron promotion: https://www.patreon.com/posts/december-patron-75151773
The Coming AI Hackers: https://www.schneier.com/academic/archives/2021/04/the-coming-ai-hackers.html
A Hacker’s Mind book: https://www.schneier.com/books/a-hackers-mind/
Give the gift of security & privacy: https://firewallsdontstopdragons.com/give-the-gift-of-security-and-privacy/
Check out my Best & Worst Gifts Guide for 2022: https://firewallsdontstopdragons.com/best-worst-gifts-2022/
The Trolley Problem: https://en.wikipedia.org/wiki/Trolley_problem
Gödel’s incompleteness theorems: https://en.wikipedia.org/wiki/G%C3%B6del’s_incompleteness_theorems
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:31: Interview preview
0:02:29: Interview start
0:03:13: How does hacking differ from inventing or just cheating?
0:07:14: What is artificial intelligence and when will it be like the sci-fi version?
0:11:32: Do we have to worry about AI replacing us or taking over?
0:13:57: Can we program human values into AI systems?
0:18:09: Why are reward and goal alignment so crucial for AI?
0:20:28: Will we ever implicitly trust AI if we can’t explain its answers?
0:25:37: Do we put too much trust in some AI systems?
0:27:59: How might AI systems be used to hack financial or political systems?
0:33:26: Can we govern AI systems with human laws?
0:36:40: Are non-computer systems more susceptible to hacks due to uncodified norms?
0:42:41: Can AI think outside the box if it doesn’t understand the box?
0:48:05: How does terrorism hack our brains and how do we prevent that?
0:53:35: What are some Utopian possibilities for AI?
0:55:08: How do we get more public interest technologists?
0:56:28: Interview wrap-up
0:58:19: 300th podcast giveaway!
1:01:49: Patron promotion!
Nov 21, 2022 • 1h 16min

Best & Worst Gifts for 2022

Black Friday is just around the corner, which marks the unofficial launch of the holiday shopping season. As you’re considering what gifts to give to your loved ones this year, I want to make sure you’re thinking about the privacy and security aspects. To that end, I have updated my annual Best and Worst Gift Guide and I will go over the highlights in this episode for my Tip of the Week. But I also have a special new gift idea this year: security and privacy coupons that you can download and give to your loved ones! In the news: USPS tells customers to avoid using the big blue mailboxes for gifts and important letters during the holiday season; Google pays nearly $400M fine to 40 states who sued over location tracking; Medibank refuses to pay ransom for data and criminals are starting to leak sensitive medical records online; TransUnion reports a data breach; FBI director warns that TikTok is a national security risk; Lenovo laptops are exposed to UEFI malware risks (update now); a mysterious company with government ties and a history of spying has become a root certificate authority; the British government is scanning its citizens’ devices looking for vulnerabilities in hopes of fixing them; almost 50% of all Mac malware can be traced to a single security application; Apple apps are sending tons of analytics data to Apple even when analytics are disabled; I answer a listener question (Dear Carey) about the best Mastodon clients, in the wake of the Twitter collapse.

Article Links
[Lifehacker] Avoid Using Blue Mailboxes During the Holidays, USPS Warns https://lifehacker.com/avoid-using-blue-mailboxes-during-the-holidays-usps-wa-1849773201
[The Hacker News] Google to Pay $391 Million Privacy Fine for Secretly Tracking Users’ Location https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html
[CPO Magazine] Medibank Refuses Ransom Payments, Hackers Leak Stolen Health Data to Dark Web https://www.cpomagazine.com/cyber-security/medibank-refuses-ransom-payments-hackers-leak-stolen-health-data-to-dark-web/
[BGR] TransUnion data breach compromises financial information of consumers https://bgr.com/tech/transunion-data-breach-compromises-financial-information-of-consumers/
[USA TODAY] FBI director says TikTok poses national security threat, and he’s ‘extremely concerned’ https://www.usatoday.com/story/tech/2022/11/16/tiktok-poses-national-security-threat-fbi/10709987002/
[Ars Technica] Lenovo driver goof poses security risk for users of 25 notebook models https://arstechnica.com/information-technology/2022/11/lenovo-patches-secure-boot-vulnerabilities-that-imperil-25-notebook-models/
[The Washington Post] Mysterious company with government ties plays key internet role https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
[Bleeping Computer] British govt is scanning all Internet devices hosted in UK https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/british-govt-is-scanning-all-internet-devices-hosted-in-uk/amp/
[Tom’s Guide] Almost 50% of macOS malware reportedly comes from single app — delete it now https://www.tomsguide.com/news/new-report-says-nearly-half-of-macos-malware-comes-from-single-app-delete-it-now
[Gizmodo] Apple Is Tracking You Even When Its Own Privacy Settings Say It’s Not, New Research Says https://gizmodo.com/apple-iphone-analytics-tracking-even-when-off-app-store-1849757558

Dear Carey: Mastodon clients.
https://joinmastodon.org/apps
https://bilge.world/mastodon-ios-apps

Further Info
Best & Worst Gifts for 2022: https://firewallsdontstopdragons.com/best-worst-gifts-2022/
Privacy & Security Coupons: https://fdsd.me/coupons
Give thanks and donate! https://firewallsdontstopdragons.com/give-thanks-donate/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://firewallsdontstopdragons.com/buy-the-book/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:33: 5th edition update
0:03:38: QR code scam update
0:05:03: Twitter and FTX
0:06:07: News rundown
0:08:11: USPS says you should avoid blue mailboxes for holiday gifts
0:10:48: Google to pay $391M privacy fine to settle suit
0:13:05: Medibank refuses to pay ransom, data starts being posted
0:17:38: TransUnion data breach
0:20:46: FBI director says TikTok is a national security threat
0:23:40: Lenovo UEFI bug found, patch immediately
0:27:29: Mysterious company with gov’t ties wants to mint certificates
0:39:40: British government to scan internet for vulnerable devices
0:44:29: 50% of Mac malware comes from a single app
0:47:45: Apple apps track you even with analytics turned off
0:54:46: Tip of the Week: Best & Worst Gifts
1:06:20: Security & Privacy Coupons
1:10:27: Dear Carey: Mastodon client?
Nov 14, 2022 • 1h 1min

Surveying the Digital Explosion

Connected computers have changed the world perhaps more than any other single invention. The impacts of nearly instant global communication and effectively infinite, perfect storage of information are at once undeniable and difficult to fully comprehend. And yet, technologists, bureaucrats and corporate leaders make decisions on a daily basis that should be considering the repercussions. Just because you can do something doesn’t mean you should. Today, we’ll discuss the digitization of the world and some of the more important impacts it has had and is having on society with the authors of the book Blown to Bits: Your Life, Liberty, and Happiness After the Digital Explosion. Harry Lewis, former Dean of Harvard College, is Gordon McKay Professor of Computer Science at Harvard. Ken Ledeen is the Chairman and Chief Executive Officer at Nevo Technologies, Inc., a software development and information technology consulting firm located in Cambridge, Massachusetts. Wendy Seltzer is Strategy Lead and Counsel to the World Wide Web Consortium (W3C) at MIT, improving the Web’s security, availability, and interoperability through standards.

Further Info
Buy or download Blown to Bits: https://www.bitsbook.com/thebook/
Weird Marketing Tales interviewed me: https://weirdmarketingtales.com/why-firewalls-dont-stop-dragons-carey-parker-privacy-security/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:16: Interview start
0:04:03: What brought you all together to write this book?
0:05:28: What are the biggest changes since the first edition?
0:10:04: What were the impacts of the Edward Snowden revelations?
0:12:44: How do we resolve the tension between privacy and law enforcement?
0:16:43: Are computer systems free from bias?
0:19:22: How do algorithms impact judicial decisions?
0:20:45: Why is it hard to explain how AI systems make decisions?
0:28:33: What is net neutrality and who are the gatekeepers today on the internet?
0:31:59: Have we lost the original Utopian ideal of the internet?
0:35:41: How have content moderation and personalization affected our experience?
0:40:48: How do these companies hyper-personalize the web?
0:45:44: Are we changing our own behaviors to game the algorithms?
0:47:35: Are bits more fragile than parchment and cave paintings?
0:53:29: What gives you hope? What keeps you up at night?
0:58:12: Interview wrap-up
0:59:34: Upcoming shows, promotions, interviews
Nov 7, 2022 • 59min

Redirect Ransom

QR codes are not inherently dangerous. They’re effectively links we can click in the real world using the camera app on our phone. Like hyperlinks on a web page, QR code “links” can take you to good websites or bad websites. They can also disguise their ultimate destination by using URL shortening services like bitly or owly. But now “free” QR code generator websites – that is, sites that will let you create one of these QR codes by entering the HTTP link you want it to take people to – are using these redirects to basically hold your QR code for ransom. The QR codes they give you use the redirect links to insert themselves into the middle – and after some time, they will stop working until you subscribe and pay them money. If you’ve already printed these codes on hundreds of business cards or dozens of plaques for your restaurant, they’ve really got you over a barrel. I’ll help you avoid these scams. In other news: Microsoft warns that attackers are quickly leveraging newly reported zero-days; some Chrome extensions are making money by inserting affiliate links for thousands of websites; Microsoft appears to be readying a useful PC cleanup tool for release; Apple clarifies its policy on security updates for older OS releases; a report details how hidden AI algorithms are affecting the lives of DC residents; facial recognition systems are being installed in many soccer stadiums; Uber is planning to bombard their users with ads; Clearview AI has been fined 30M euros by France; Apple is ramping up its own ads on its various apps and devices; and I answer another Dear Carey question, this one on the case that is bringing Section 230 in front of the Supreme Court.

Article Links
[Hacker News] Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities https://thehackernews.com/2022/11/microsoft-warns-of-uptick-in-hackers.html
[BleepingComputer] Chrome extensions with 1 million installs hijack targets’ browsers https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
[PCWorld] Microsoft’s surprise PC Manager system optimizer takes aim at CCleaner https://www.pcworld.com/article/1360140/microsoft-releases-beta-of-a-ccleaner-style-pc-manager-tool.html
[Ars Technica] Apple clarifies security update policy: Only the latest OSes are fully patched https://arstechnica.com/gadgets/2022/10/apple-clarifies-security-update-policy-only-the-latest-oses-are-fully-patched/
[WIRED] Algorithms Quietly Run the City of DC—and Maybe Your Hometown https://www.wired.com/story/algorithms-quietly-run-the-city-of-dc-and-maybe-your-hometown/
[WIRED] Soccer Fans, You’re Being Watched https://www.wired.com/story/soccer-world-cup-biometric-surveillance/
[Gizmodo] Uber Plans to Advertise to You At Every Stage of Your Ride, Using Your Own Data https://gizmodo.com/uber-ads-ride-share-uber-eats-1849678092
[Naked Security] Clearview AI image-scraping face recognition service hit with €20m fine in France https://nakedsecurity.sophos.com/2022/10/26/clearview-ai-image-scraping-face-recognition-service-hit-with-e20m-fine-in-france/
[Lifehacker] How to Block Apple’s Own Ads on Your iPhone https://lifehacker.com/how-to-block-apple-s-own-ads-on-your-iphone-1849703889

Tip of the Week: https://firewallsdontstopdragons.com/qr-code-scams-revisited/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: Countdown to 300
0:00:57: Twitter dumpster fire
0:01:25: 5th edition update
0:02:47: News preview
0:04:38: Attackers rapidly exploiting 0-day bugs
0:08:43: Chrome extensions committed click fraud
0:14:50: New Microsoft PC Cleaner tool coming
0:17:23: Apple doesn’t fix all bugs on older OS releases
0:21:11: Secret algorithms that affect our lives
0:27:23: Facial recognition spreading to many sports stadiums
0:33:12: Uber plans to show you ads everywhere
0:37:33: Clearview AI fined 20M Euros by France
0:41:49: Apple to do more advertising in their apps
0:44:18: Tip of the Week: QR codes hold links for ransom
0:51:31: Dear Carey
0:57:42: Upcoming stuff
Oct 31, 2022 • 1h 5min

Building Trust with Privacy

It’s easy to tell people to use this or that privacy tool, but this always assumes that you trust the service that is providing that tool. How can mere mortals ever hope to obtain sufficient knowledge of the inner workings of these products and service providers that would allow them to make an informed decision? Today, I’ll ask Adrianus Warmenhoven from Nord VPN that question, along with questions about normalizing surveillance and what privacy really means in our digital internet society. Adrianus Warmenhoven is a Defensive Strategist and Threat Intelligence Manager at NordVPN. He is responsible for getting the most relevant IOCs (Indicators of Compromise), malware samples and their indicators and generally mapping out the threat landscape for the company’s customers.

Interview Links
Nord VPN: https://nordvpn.com/
The Follower: https://driesdepoorter.be/thefollower/
Five-Eyes Countries: https://en.wikipedia.org/wiki/Five_Eyes
Electronic Frontier Foundation: https://www.eff.org/
Mozilla Foundation: https://foundation.mozilla.org/en/
Give thanks and donate: https://firewallsdontstopdragons.com/give-thanks-donate/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:26: Elon Musk buys Twitter
0:01:31: What is Mastodon?
0:02:36: Interview preview
0:04:13: Tell us about Nord and what you do there
0:05:25: What is most misunderstood about privacy?
0:07:53: How does my privacy overlap your privacy?
0:10:08: What threats to privacy aren’t getting enough attention?
0:13:02: Doesn’t capitalism require companies to monetize our data?
0:16:26: Is it possible to compartmentalize our lives today?
0:18:32: Why can’t we learn that just because we can doesn’t mean we should?
0:22:09: How does privacy in the physical world differ from online?
0:24:21: Have we normalized surveillance for the younger generation?
0:30:22: How do we know which companies to trust with our privacy?
0:38:11: How can companies avoid gathering user data?
0:42:47: How important is transparency for consumers?
0:45:48: How do VPNs work and how do they fail?
0:48:46: How important is it for privacy companies to be in favorable jurisdictions?
0:52:19: How can I get more involved with privacy rights?
0:56:03: What gives you hope?
0:57:59: Bonus content
0:58:54: Interview wrap-up
1:01:51: Give thanks and donate
1:03:17: Dear Carey – ask me a question
1:04:13: Upcoming stuff
Oct 24, 2022 • 1h 10min

Your TV is Watching You

This is going to sound bonkers, even though you’re used to so many things tracking you… web pages, emails, and apps… but I’m here to tell you that while you’re watching your TV, your TV is also watching you. Or I guess more accurately, your TV is watching what you’re watching. Even if you’re not using the built-in smart apps, if you’re just piping pixels in from an external box, your TV can recognize the movies and shows being displayed. And it’s taking meticulous notes and selling that data. It’s called Automatic Content Recognition and “post-purchase monetization”. It’s sorta like the Shazam music recognition app, but for TV shows and movies. I’ll tell you what you can do to stop it. In other news: a tricky new ransomware campaign is targeting home Windows users; Signal is removing support for SMS text messaging; Toyota user app data was exposed for years; the White House unveiled a new cybersecurity rating system for consumer products; Apple privacy is better than most, but still falls short; a privacy researcher tries and fails to keep her pregnancy secret from marketers; companies in the UK are tailoring real-life billboards using cameras and AI; relief funds were sent to people impacted by Hurricane Ian using AI algorithms; Facebook’s new VR headset will mine your facial expressions for marketing; Wired article gives tips for avoiding student surveillance tools.

Article Links
[ZDNet] This unusual ransomware attack targets home PCs, so beware https://www.zdnet.com/article/this-unusual-ransomware-attack-targets-home-pcs-so-beware/
[Signal] Removing SMS support from Signal Android (soon) https://signal.org/blog/sms-removal-android/
[BleepingComputer] Toyota discloses data leak after access key exposed on GitHub https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/
[CyberScoop] White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star https://www.cyberscoop.com/white-house-to-unveil-internet-of-things-labeling/
[The Atlantic] I Tried to Keep My Pregnancy Secret https://www.theatlantic.com/ideas/archive/2022/10/can-you-hide-your-pregnancy-era-big-data/671692/
[The Guardian] Apple says it prioritizes privacy. Experts say gaps remain https://www.theguardian.com/technology/2022/sep/23/apple-user-data-law-enforcement-falling-short
[VICE] Companies in the UK Are Mining Users’ Personal Data to Place Billboard Ads https://www.vice.com/en/article/n7zqmb/companies-in-the-uk-are-mining-users-personal-data-to-place-billboard-ads
[WIRED UK] Hurricane Ian Destroyed Their Homes. Algorithms Sent Them Money https://www.wired.co.uk/article/hurricane-ian-destroyed-homes-google-algorithms-sent-money
[Gizmodo] Meta’s New Headset Will Track Your Eyes for Targeted Ads https://gizmodo.com/meta-quest-pro-vr-headset-track-eyes-ads-facebook-1849654424
[WIRED] How to Protect Yourself If Your School Uses Surveillance Tech https://www.wired.com/story/how-to-protect-yourself-school-surveillance-tech-privacy/

Tip of the Week: https://firewallsdontstopdragons.com/your-tv-is-watching-you/

Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:27: News rundown
0:03:40: Sneaky new Windows ransomware targets home users
0:07:20: Signal drops support for SMS on Android
0:14:53: Toyota leak exposed car app data for 5 years
0:18:27: White House cybersecurity product labeling initiative
0:21:54: Privacy scholar tries and fails to keep pregnancy secret
0:28:28: Apple still has glaring privacy holes
0:33:57: UK billboards target content using cameras and AI
0:38:56: Hurricane Ian relief funds sent using AI automation
0:45:23: Facebook VR headset reads your facial expressions
0:51:30: Protecting yourself from school surveillance
0:56:23: Tip of the Week: Your TV is Watching You
1:05:06: Dear Carey
1:08:42: Upcoming book, coin promotions
Oct 17, 2022 • 1h 5min

Protecting Schools and Students

We talk a lot about security and privacy on my show, but we don’t talk enough about these subjects in relation to students and schools. Schools are tragically underfunded and can’t afford to hire cybersecurity experts, let alone privacy experts. Students are minors who lack the legal rights and life experience to push back against horrific privacy invasions brought on by remote learning and in-home test proctoring. The laws in the US are woefully outdated and we too often assume that what is legal is the same as what is right and just. Today, I’ll discuss these challenges and ethical dilemmas with Doug Levin. Doug Levin is co-founder and national director of the K12 Security Information eXchange (K12 SIX), a national non-profit dedicated solely to helping schools protect themselves from emerging cybersecurity threats.

Interview Links:
K12 SIX: https://www.k12six.org/
Annual “State of K-12 Cybersecurity Report”: https://www.k12six.org/the-report
K-12 Essentials Series: https://www.k12six.org/essentials-series
Public event calendar: https://www.k12six.org/events
US Department of Education, Privacy Technical Assistance Center: https://studentprivacy.ed.gov/
CISA K-12 Cybersecurity Resources: https://www.cisa.gov/stopransomware/k-12-resources
CISA Back to School Campaign: https://www.cisa.gov/r8-virtual-back-school-campaign-2022
US GAO: “Critical Infrastructure Protection: Education Should Take Additional Steps to Help Protect K-12 Schools from Cyber Threats” https://www.gao.gov/products/gao-22-105024
EFF: Student Privacy Resources https://www.eff.org/issues/student-privacy
CDT: Student Privacy Resources https://cdt.org/area-of-focus/privacy-data/student-privacy/
EPIC: Student Privacy https://epic.org/issues/data-protection/student-privacy/
Algorithmic Justice League: https://www.ajl.org/
The Markup: https://themarkup.org/machine-learning/2022/01/19/help-us-investigate-the-ed-tech-industry
Fight for the Future, which e.g., runs this campaign: https://www.baneproctoring.com/
ACLU: https://www.nyclu.org/en/issues/education-policy-center/technology-schools

Further Info
Send me your questions! https://fdsd.me/qna
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:03:24: Pre-interview definition of terms
0:05:07: What is K12SIX about?
0:10:52: What are the biggest security threats for schools?
0:17:15: What about security threats for teachers and students?
0:21:58: What are your top security recommendations for schools?
0:30:01: What are the major impediments for schools improving cybersecurity?
0:33:20: How can school systems best share info and help one another?
0:37:41: What are the main privacy threats for students?
0:46:25: How is student data being used (or abused)?
0:48:36: How do AI systems fail when it comes to minority populations?
0:51:32: How can students and parents assert their privacy rights?
0:56:03: What resources can you recommend for schools and students?
0:59:39: Interview wrap-up
1:00:40: Not reusing user names and passwords
1:02:20: Preview of upcoming shows, promotions
Oct 10, 2022 • 57min

Mobile Payment Fraud

Cold hard cash is becoming rarer every year; people just don’t carry it around much any more. So how do you split a bill at a restaurant or buy from a street vendor? Many people today use mobile payment apps like Venmo, Apple Pay, PayPal, the Cash App, or a service promoted by many US banks called Zelle. While convenient, are these payment systems safe? Most of them actually are pretty secure (though some of them, like Venmo, are not very private). But because most of these apps draw directly from your bank account, if you send money to the wrong person, either by mistake or because you were scammed, that money is pretty much gone. Ironically, this makes them very much like physical cash. Specifically, the protections many people assume they have against fraudulent bank transactions don’t apply here. In the US, the rules that oblige banks to refund unauthorized electronic transfers (the Electronic Fund Transfer Act and Regulation E) cover transfers someone else made without your permission; a payment you initiated yourself, even under false pretenses, counts as authorized. Because you explicitly made the transfer, many banks will not reimburse you for the loss.

In other news: Optus confirms massive data breach; Optus breach triggers privacy regulation review in Australia; Facebook shuts down propaganda campaigns from Russia and China; Facebook warns 1M users of potential credential theft; Google will be migrating Fitbit customers to Google accounts; Microsoft adds new protections to warn you of PC password reuse and insecure storage; the FTC is pushing for new rules around location data collection and sharing; Google releases new tool to help purge personal information from its search results.
Article Links
[BleepingComputer] Optus confirms 2.1 million ID numbers exposed in data breach https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/
[The Verge] Australia to overhaul privacy laws after massive data breach https://www.theverge.com/2022/9/26/23372868/australian-hack-disclosure-privacy-laws-optus-data-breach
[Hacker News] Facebook Shuts Down Covert Political ‘Influence Operations’ from Russia and China https://thehackernews.com/2022/09/facebook-shuts-down-covert-political.html
[9to5mac.com] Facebook security warning for 1M users: Scam apps stole login credentials https://9to5mac.com/2022/10/07/facebook-security-warning/
[Hacker News] Google to Make Account Login Mandatory for New Fitbit Users in 2023 https://thehackernews.com/2022/09/google-to-make-account-login-mandatory.html
[Lifehacker] Microsoft Has a New Trick for Keeping Your Password Safe https://lifehacker.com/microsoft-has-a-new-trick-for-keeping-your-password-saf-1849580498
[Bloomberg] FTC Joins Push for Rules on Trade of Smartphone Location Data https://www.bloomberg.com/news/articles/2022-09-16/location-data-rules-draw-ftc-s-attention-post-roe
[The Verge] In 2023, Google can notify you if personal info pops up in search https://www.theverge.com/2022/9/28/23377208/google-results-about-you-notifications-personal-info
[briankrebs] Report: Big U.S. Banks Are Stiffing Account Takeover Victims https://krebsonsecurity.com/2022/10/report-big-u-s-banks-are-stiffing-account-takeover-victims/

Further Info
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Consumer Reports: payment apps: https://www.consumerreports.org/digital-payments/how-to-safely-pay-for-goods-and-services-with-someone-you-dont-know/
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: News rundown
0:02:49: 10 million Optus users affected by breach
0:06:04: Optus breached via open web interface
0:10:28: Facebook shuts down political influence campaigns
0:13:38: Facebook warns 1M users of potential credential theft
0:18:42: Google to require Fitbit users to log in with Google account
0:20:45: Microsoft releases new password protections in Windows
0:25:46: FTC pushing new rules on sharing location data
0:31:44: Google tool helps remove personal info from search results
0:33:50: Banks rarely refund money from Zelle scams
0:39:37: Tip of the Week
0:44:31: Q&A: Is Apple’s Time Machine safe against ransomware?
0:48:27: Q&A: Can I trust my bank’s data access provider?
0:53:45: 5th edition of the book
Oct 3, 2022 • 1h 9min

Capture the Flag for Fun & Profit

Cybersecurity is the only technical, professional occupation I know of where practitioners routinely sharpen their skills through open competitions. The contests are based on the classic capture-the-flag game, except that the flags are all virtual and capturing them involves hacking computers. Also unlike most other technical careers, cybersecurity is a high-paying profession that doesn’t require a university degree or formal training, and there are literally hundreds of thousands of unfilled cybersecurity jobs right now. You can also just dabble in cybersecurity, making money from bug bounty programs. Or you can hack purely for the fun of it, in a completely safe and legal environment. Jordan will tell you all about it in today’s show!

Jordan Wiens has been a reverse engineer, vulnerability researcher, network security engineer, three-time DEF CON CTF winner, and even a technical magazine writer, but now he’s mostly a has-been CTF player who loves to talk about them. He was the CTF expert for the first three years of Hack-A-Sat, and he was one of the founders of Vector 35, the company that makes Binary Ninja.
Interview Links
Hack-A-Sat 3: https://hackasat.com/
Satellite hacked using $25 hardware: https://threatpost.com/starlink-hack/180389/
Decommissioned satellite hacked to broadcast movie: https://www.independent.co.uk/tech/hack-satellite-hijack-def-con-b2147595.html
Student Rick-Rolls school: https://www.malwarebytes.com/blog/news/2021/10/high-school-student-rickrolls-entire-school-district-and-gets-praised
Hack-A-Sat 2 interview: https://podcast.firewallsdontstopdragons.com/2021/06/21/hacking-satellites-for-fun-profit/
Plaid CTF: https://plaidctf.com/
CTFTime.org: https://ctftime.org/
Pwnable.kr: https://pwnable.kr/
Pwnable.tw: https://pwnable.tw/
Reversing.kr: http://reversing.kr/
Shodan: https://www.shodan.io/
Burp Suite: https://portswigger.net/burp
Wireshark: https://www.wireshark.org/
Binary Ninja: https://binary.ninja/
Metasploit: https://www.metasploit.com/
Nmap: https://nmap.org/
Live Overflow: https://liveoverflow.com/
TryHackMe: https://tryhackme.com/

Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Support my work! https://firewallsdontstopdragons.com/support/
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:03: Interview setup
0:04:25: What is Hack-A-Sat?
0:08:44: How has the Hack-A-Sat program evolved?
0:12:58: How did CTFs start out and when did they become popular?
0:17:37: Why do we have so many unfilled cybersecurity jobs?
0:21:15: Do you need a college degree to work in cybersecurity?
0:29:39: What’s a black hat hacker vs. a white hat? What’s a red team or blue team?
0:32:15: How do CTFs actually work? What is a flag and how do I capture it?
0:38:05: Are there beginner CTFs that are free to try?
0:44:38: What sorts of tools do hackers use in CTFs and in real hacking?
0:51:57: How do hackers chain together multiple exploits?
0:56:26: What’s your advice to someone who would like to try a CTF?
1:00:36: What’s next for Hack-A-Sat?
1:02:25: Interview wrap-up
1:04:07: What is Rick-Rolling?
1:05:23: Try a CTF, go to a hacker con!
