Firewalls Don't Stop Dragons Podcast

There's a lot we can glean from history but sometimes it's not as obvious as you might think. For example, did you know that until the mid-1800's, most of Americans hated tomatoes and that ketchup was originally made from mushrooms? The story behind how Americans came to love tomatoes is quite fascinating, but what is perhaps most interesting is the way our guest applies this knowledge to the realm of cybersecurity. Today we will also learn how one of the most powerful cryptographic techniques to this day originated in the time of the telegraph. Along the way, we'll discuss how humans choose their passwords, how they should be creating passwords, and how often we should be changing our passwords. Anthony Collette is a Senior Consent Form Editor at the largest Institutional Review Board (IRB) in the United States. This regulatory agency has reviewed over 1,000 COVID-19 research studies, conducted at more than 12,000 locations. Mr. Collette analyzes complex medical documents, synthesizes the central concepts, and translates technical jargon into relatable language directed to the non-technical research participant. These skills transfer perfectly to the task of analyzing and understanding the conflicting and often outdated advice given about passwords, stripping away what’s unnecessary, and getting down to the actionable core of the issues. Interview Links Anthony Collette: https://www.linkedin.com/in/tonycollette/ Loistava Information Security website: www.LositavaInfoSecurity.comCASTALOT™ Dice Landing Page: https://www.castalotdice.com?utm_source=dragons1 CASTALOT™ Dice Facebook VIP Group: https://www.facebook.com/groups/1317312032055849The History of Tomatoes in America: https://www.amazon.com/Tomato-America-History-Culture-Cookery/dp/1570030006/ NY Times, Secret Life of Passwords: https://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html A Look at Telegraph Codes (Steven Bellovin): https://www.cs.columbia.edu/~smb/papers/codebooks.pdf DFLEKT Keyless Entry Protection: https://www.duku.co.uk/dflekt Further Info Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/ Generate secure passphrases! https://d20key.com/#/ Amulet of Entropy teaser: https://twitter.com/HackerBoxes/status/1523318662807298051?s=20&t=dwQFy7ieRMGjRCqgAR7btQ

When we surf the web today - on our computers or smartphones - we are mercilessly tracked. Marketing firms and data brokers are hoovering up ungodly amounts of our personal data, selling it, trading it and mining it to derive even more about us. Many offer some way to limit or stop this wanton data collection, but good luck figuring out how - let alone even knowing who to ask. Wouldn't it be nice if you could just click one button and tell everyone to leave you alone? Of course, we tried this a decade ago with Do Not Track, but there were no regulations in place to require companies to respect it. While we have a long way to go, some regions do now have privacy laws - and now we have a new way to invoke our privacy rights: Global Privacy Control. Today, I'll tell you how to enable this on your devices and tell data miners to get lost. In other news: Clearview AI has been forced to cut back on its creepy facial recognition software; the EU is proposing dangerous new surveillance requirements in the name of child safety; if you have an HP computer, you need to check for BIOS software updates ASAP; automated vehicles are outfitted with tons of video cameras, and law enforcement have been using this data for investigations; thousands of popular websites are saving data from online forms even if you don't click 'submit'; the CDC has been buying cell phone location data to track compliance with covid curfews and more; data from period-tracking apps may soon be used against people seeking abortions if Roe v. Wade is struck down in the US; Facebook is ending some location-based services (though still collecting your location data); Chinese hackers have stolen hundreds of billions of dollars in intellectual property, including military, manufacturing and pharmaceutical info; and mental health apps aren't taking proper care of your very personal data. Article Links [Engadget] Clearview AI agrees to limit sales of facial recognition data in the US https://www.engadget.com/clearview-ai-agrees-to-limit-sales-of-facial-recognition-data-in-the-us-173357030.html[Electronic Frontier Foundation] The EU Commission’s New Proposal Would Undermine Encryption And Scan Our Messages https://www.eff.org/deeplinks/2022/05/eu-commissions-new-proposal-would-undermine-encryption-and-scan-our-messages[TechSpot] HP pushes out BIOS update addressing high-severity vulnerabilities affecting 200+ models https://www.techspot.com/news/94561-hp-pushes-out-bios-update-addressing-high-severity.html[VICE] San Francisco Police Are Using Driverless Cars As Mobile Surveillance Cameras https://www.vice.com/en/article/v7dw8x/san-francisco-police-are-using-driverless-cars-as-mobile-surveillance-cameras[WIRED] Thousands of Popular Websites See What You Type—Before You Hit Submit https://www.wired.com/story/leaky-forms-keyloggers-meta-tiktok-pixel-study/[None] CDC tracked Americans’ phones to see if they followed COVID-19 lockdowns https://www.mlive.com/news/2022/05/cdc-tracked-americans-phones-to-see-if-they-followed-covid-19-lockdowns.html[VICE] Data Broker SafeGraph Stops Selling Location Data of People Who Visit Planned Parenthood https://www.vice.com/en/article/88gyn5/data-broker-safegraph-stops-selling-location-data-of-people-who-visit-planned-parenthood[NPR] How period tracking apps and data privacy fit into a post-Roe v. Wade climate https://www.npr.org/2022/05/10/1097482967/roe-v-wade-supreme-court-abortion-period-apps[9to5mac.com] Facebook to discontinue Nearby Friends and other location-based features https://9to5mac.com/2022/05/05/facebook-to-discontinue-nearby-friends-and-other-location-based-features/[CBS News] Chinese hackers took trillions in intellectual property from about 30 multinational companies https://www.cbsnews.com/news/chinese-hackers-took-trillions-in-intellectual-property-from-about-30-multinational-companies/[The Verge] Mental health apps have terrible privacy protections, report finds https://www.theverge.

We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us. Sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick and mortar stores are tracking you within their stores, noting where you go, how long you stay in some locations, and where you don't go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used to track journalists, dissidents and "people of interest" by authoritarian governments. If all of that weren't bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I'll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we'll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about online privacy, cybersecurity, and the laws and proposed legislation that regulate how data is stored, shared, and accessed. Further Info Malwarebytes blog: https://blog.malwarebytes.com/Malwarebytes podcast: https://blog.malwarebytes.com/category/podcast/ David Ruiz interviews me: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/ Coalition Against Stalkerware: https://stopstalkerware.org/ Malwarebytes detection software: https://www.malwarebytes.com/mwb-download Stalkerware-type detections hit record high in 2021, but fell in second half https://blog.malwarebytes.com/stalkerware/2022/04/stalkerware-type-detections-hit-record-high-in-2021-but-fell-in-second-half/ Kashmir Hill article: https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Security isn't a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers all use the same engine - Chrome, Edge and Opera are all based on Chromium. Second, there's no real conflict of interest between browser makers and browser users when it comes to security - it's a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I'll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn't make the list.) NOTE: I'm giving away TEN free subscriptions to ProtonMail plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That's it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspiration Declaration for the Future of the Internet; in a twist of fate, Russia is now the target of global hacking; another nasty Java zero-day bug has been found; leaked Cellebrite documents detail which iPhones they can hack into; Amazon and third parties are mining your Alexa requests for personal data; Microsoft is going to add a free VPN to its Edge browser; Facebook is pulling detailed user data from the US college financial aid site FAFSA; and apparently Facebook has no clue how to tell the source of all the data it collects (making it impossible to comply with privacy regulations); Google is now giving you a way to remove some person info from its searches; and Brave and DuckDuckGo are both blocking Google "AMP" links which collect data about the sites you visit. Article Links EFF Statement on the Declaration for the Future of the Internet https://www.eff.org/deeplinks/2022/04/eff-statement-declaration-future-internet Declaration for the Future of the Internet: https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf Russia Is Being Hacked at an Unprecedented Scale https://www.wired.co.uk/article/russia-hacked-attacks Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries https://www.schneier.com/blog/archives/2022/04/java-cryptography-implementation-mistake-allows-digital-signature-forgeries.html Cellebrite iPhone cracking: Here’s which models the kit can unlock and access, and how to protect your data https://9to5mac.com/2022/04/29/cellebrite-iphone-cracking/ Report: Amazon and third parties use Alexa voice data for ads while Siri respects privacy https://9to5mac.com/2022/04/29/amazon-alexa-voice-data-used-for-ads/ Microsoft Is Adding a Free VPN to the Edge Browser https://www.pcmag.com/news/microsoft-is-adding-a-free-vpn-to-the-edge-browser Go read this exposé on how FAFSA got caught sending personal info to Facebook https://www.theverge.com/2022/4/29/23048305/fafsa-facebook-department-of-education-us-student-financial-aid-meta-tracking-pixel Applied for Student Aid Online? Facebook Saw You https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you Facebook doesn't know what most of its user data is used for https://appleinsider.com/articles/22/04/27/facebook-doesnt-know-what-most-of-its-user-data-is-used-for You can now ask Google to remove your phone number from search https://www.androidauthority.com/google-search-remove-phone-number-3158456/ Google request site: https://support.google.com/websearch/answer/9673730 Brave, DuckDuckGo updates target Google AMP sites in privacy push https://www.macworld.com/article/633804/brave-duckduckgo-updates-target-google-amp-sites-in-privacy-push.html Which Is the Most Private Browser? https://firewallsdontstopdragons.com/which-is-the-most-private-browser/  Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.

Google and Facebook will swear up and down that they do not sell your data. While technically true, they do sell access to your data. Basically, your data is private from everyone - but them. And that's a crucial caveat. To have true privacy, you want to work with a company who has absolutely minimal access to your data. You want privacy by design. And this is not easy to do with a very old internet standard like email. Proton has been offering truly private email for almost a decade (ProtonMail) and over the years has added many other features like a VPN and calendar, making them a true privacy-respecting alternative to the likes of Google. Today I'll speak with Proton's founder and CEO, Dr. Andy Yen, about the importance of privacy as a human right and the delicate balance between privacy and the needs of law enforcement. I'll ask him how to evaluate products for privacy and what can we can all do to bring about a better future where we can express ourselves freely. Dr. Andy Yen is the founder and CEO of Proton. He was a scientist at CERN, has a PhD in physics from Harvard University, and he has long worked to advance privacy and freedom online.  Further Info ProtonMail: https://protonmail.com/ Proton & SimpleLogin join forces: https://protonmail.com/blog/proton-and-simplelogin-join-forces/ Check out my security-enhancing challenge coins! https://d20key.com/#/Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

When people don't understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day - selling cures for ailments that didn't exist or that didn't actually improve the consumer's health. The realm of computers is rife with cybersecurity snake oil, as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I'm going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install chips under your skin that will allow you to pay for stuff with your hand; a scathing article about a security failure by Wyze web cams; and hackers are using fake Emergency Data Requests to get your data from tech companies. Article Links T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. https://www.vice.com/en/article/k7w9mv/tmobile-hacked-bought-data-mandiant Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems https://www.wired.com/story/pipedream-ics-malware/ Over 8 Million Cash App Users Potentially Exposed in a Data Breach After a Former Employee Downloaded Customer Information https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/ Pegasus spyware hacked iPhones of senior EU officials, who were alerted by Apple https://9to5mac.com/2022/04/11/pegasus-spyware-hacked-iphones-of-senior-eu-officials/ The microchip implants that let you pay with your hand https://www.bbc.com/news/business-61008730 I’m done with Wyze https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure Hackers Using Fake Police Data Requests against Tech Companies https://www.schneier.com/blog/archives/2022/04/hackers-using-fake-police-data-requests-against-tech-companies.html VPNs are digital 'snake oil,' expert claims — here's why https://www.tomsguide.com/news/vpn-big-claims-truth-shmoocon22 What a VPN Is (and Isn’t): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/  Further Info John Oliver on data brokers: https://www.youtube.com/watch?v=wqn3gR1WTcA Mullvad VPN: https://mullvad.net/IVPN: https://www.ivpn.net/ProtonVPN: https://protonvpn.com/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

Today, most of us take the internet - and access to the internet - for granted. It's ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I'm not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I'll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and be better prepared for digital disruption. Further Info Tech Learning Collective: https://techlearningcollective.com/ How to Prepare for a Power Outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/ Download Wikipedia: https://wiki.kiwix.org/wiki/Content_in_all_languages VulnHub downloadable, free CTFs: https://www.vulnhub.com/ Black Hills Infosec: https://www.blackhillsinfosec.com/ Crypto-Gram by Bruce Schneier: https://www.schneier.com/crypto-gram/ Code: The Hidden Language of Computer Hardware and Software:  https://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319 The Art of Exploitation: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441 Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year's resolutions, so I've done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you're at it). In other news: UK police arrested seven people that may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with "protestware"; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search engine; app developers and cloud service providers are leaving your data lying around for anyone to find; and Google is testing its new tracking platform called Topics, which they will use to eventually replace third party cookies. Article Links UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? https://nakedsecurity.sophos.com/2022/03/25/uk-police-arrest-7-hacking-suspects-have-they-bust-the-lapsus-gang/ FCC flags Russian cybersecurity firm Kaspersky as risk to national security https://mashable.com/article/fcc-bans-kaspersky-antivirus  This 'browser in browser' attack will steal your passwords — here's how to avoid it https://www.tomsguide.com/news/bitb-phishing-attackDeveloper Sabotages Open-Source Software Package https://www.schneier.com/blog/archives/2022/03/developer-sabotages-open-source-software-package.htmlUS Passes "Game-Changing" Cyber Incident Reporting Legislation https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/ Yandex is sending data harvested from millions of iOS users to Russia https://9to5mac.com/2022/03/29/yandex-is-sending-data-from-ios-users/ Your personal data is exposed to hackers — alarming report reveals mobile apps are not protecting your info https://www.laptopmag.com/news/your-personal-data-is-exposed-to-hackers-alarming-report-reveals-mobile-apps-are-not-protecting-your-info Chrome’s “Topics” advertising system is here, whether you want it or not https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/ De-Google My Life, Part 4: https://firewallsdontstopdragons.com/de-google-my-life-part-4  Further Info Crypotmator: https://cryptomator.org/Sync.com: https://www.sync.com/ ONLYOFFICE: https://www.onlyoffice.com/ NextCloud: https://nextcloud.com/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

Today I'm speaking with a fellow privacy evangelist: Henry from Techlore. Like me, Henry and his team are on a mission to teach regular, everyday people how to secure their data and improve their privacy. Henry and I have a frank discussion about the importance of privacy today and the struggles we have when deciding which privacy-oriented products to recommend. First of all, everyone's privacy "threat model" is different. Second, many people still don't understand the true impacts of privacy failures - to themselves and to society in general. Privacy isn't just a "me" thing - it's also very much a "we" thing. And if all of that weren't enough, privacy advocates argue constantly (and often heatedly) about the proper litmus tests to use when evaluating privacy-oriented products. Today, Henry and I will discuss what frustrates us and what gives us hope in the highly nuanced realm of privacy. Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/ Techlore: https://techlore.tech/ Support Techlore! https://www.patreon.com/techlore Simple Login: https://simplelogin.io/MySudo: https://mysudo.com/ Privacy.com: https://privacy.com/ Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/

One of my New Year's resolutions for 2022 is to reduce my Google footprint - to try to de-Google my life as best I can - and hopefully inspire you to do the same. In today's show, I'll talk about replacing Google's many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple's Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won't give it back; Russia has issued a state-sponsored "trusted root CA" that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from your dialer and messaging apps on Android. Article Links UK Network Operators Target iCloud Private Relay in Complaint to Regulator https://www.macrumors.com/2022/03/13/uk-network-operators-target-icloud-private-relay/ The FTC’s new enforcement weapon spells death for algorithms https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy Fraud is flourishing on Zelle. The banks say it’s not their problem. https://www.seattletimes.com/business/fraud-is-flourishing-on-zelle-the-banks-say-its-not-their-problem/ You Should Not Trust Russia’s New “Trusted Root CA” https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca Wartime Is a Bad Time To Mess With the Internet https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet DuckDuckGo down-ranks sites spreading Russian propaganda https://www.bleepingcomputer.com/news/technology/duckduckgo-down-ranks-sites-spreading-russian-propaganda/ Gmail tracking: Google keeps records of everything you buy. Here is how to delete this information. https://tutanota.com/blog/posts/gmail-tracks-everything-you-buy/ Google to make changes to apps after TCD study finds privacy issues https://www.irishtimes.com/business/technology/google-to-make-changes-to-apps-after-tcd-study-finds-privacy-issues-1.4826225 De-Google My Life, Part 3: https://firewallsdontstopdragons.com/de-google-my-life-part-3/ Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/ My Lock & Code podcast interview: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/ Data Privacy for Cars: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-SpeakerGenerate secure passphrases! https://d20key.com/#/