Firewalls Don't Stop Dragons Podcast

Carey Parker
Sep 26, 2022 • 1h 21min

iOS 16 Security & Privacy Features

Apple just released a major update to its iPhone operating system, iOS 16. This release has some really important security and privacy features, including Passkeys, Lockdown Mode and Safety Check. I’ll give you an overview of these features. In other news: D-Link routers have a major vulnerability that’s being actively exploited; Uber was completely pwned by a cocky 18-year old hacker; Morgan Stanley was fined $35 million for failing to delete user data from hundreds of hard drives before reselling them; Chrome and Edge may be sending your form data back to Google and Microsoft; a new voice AI tool lets you change your voice to sound like someone else; health apps are sharing your personal data and HIPAA isn’t helping; the US military is using yet another data broker to buy incredibly detailed information on almost all internet users; US border agents can search your phone and even copy your phone’s data, and may save that info for 15 years; your car is coughing up tons of personal and auto data to dozens of data companies; Intel’s new AI will be used to find students who are confused or even emotionally distressed. 
Article Links
[BleepingComputer] Moobot botnet is coming for your unpatched D-Link router https://www.bleepingcomputer.com/news/security/moobot-botnet-is-coming-for-your-unpatched-d-link-router/
[WIRED] The Uber Hack’s Devastation Is Just Starting to Reveal Itself https://www.wired.com/story/uber-hack-mfa-phishing/
[Ars Technica] $35M fine for Morgan Stanley after unencrypted, unwiped hard drives are auctioned https://arstechnica.com/information-technology/2022/09/morgan-stanley-pays-35m-penalty-for-extensive-failure-to-safeguard-customer-data/
[BleepingComputer] Google, Microsoft can get your passwords via web browser’s spellcheck https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
[Ars Technica] With Koe Recast, you can change your voice as easily as your clothing https://arstechnica.com/information-technology/2022/09/with-koe-recast-you-can-change-your-voice-as-easily-as-your-clothing/
[The Washington Post] Health apps share your concerns with advertisers. HIPAA can’t stop it. https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/
[VICE] Revealed: U.S. Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data https://www.vice.com/en/article/y3pnkw/us-military-bought-mass-monitoring-augury-team-cymru-browsing-email-data
[Engadget] US border forces are seizing Americans’ phone data and storing it for 15 years https://www.engadget.com/us-border-forces-traveler-data-15-years-085106938.html
[The Washington Post] How to prevent customs agents from copying your phone’s content https://www.washingtonpost.com/technology/2022/09/18/phone-data-privacy-customs/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Protocol] Intel thinks its AI knows what students think and feel in class https://www.protocol.com/enterprise/emotion-ai-school-intel-edutech

Tip of the Week: https://firewallsdontstopdragons.com/ios-16-privacy-security/

Further Info
Koe Recast web demo: https://koe.ai/recast/
100-mile US border zone: https://www.aclu.org/other/constitution-100-mile-border-zone
Tech Model Railroad Club: https://en.wikipedia.org/wiki/Tech_Model_Railroad_Club
Send me your questions! https://firewallsdontstopdragons.com/dear-carey-podcast-qa/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:54: News rundown
0:05:53: Major D-Link router vulnerability
0:08:43: Uber hacked by 18-year-old
0:12:23: Morgan Stanley fined $35 million for mishandling customer data
0:16:53: Google and Microsoft browser spell checkers may see personal data
0:23:11: Tool allows you to change your voice to sound like someone else
0:30:16: Health apps are sharing your personal, sensitive information
0:37:05: Yet another data broker selling tons of info to US government
0:43:30: CBP copies your device data and may store it for 15 years
0:47:56: How to guard your phone data at international borders
0:54:32: Your car data is up for sale by multiple third parties
1:00:17: Schools use face AI to find bored or troubled students
1:05:15: New privacy and security features of iOS 16
1:16:18: Send me your questions!
1:20:15: Upcoming interviews
Sep 19, 2022 • 57min

Tornado Warning for Free Speech

You may not be into cryptocurrency, but a recent incident involving a so-called “cryptocurrency mixer” has some important implications for privacy and free speech. Today we’ll examine the relative anonymity of cryptocurrency transactions, tools that can be used to enhance that anonymity, and why the code that created these tools – and the services that might host them – must be protected under the First Amendment. Along the way, we’ll explore the limits of free speech in the US and some interesting attempts to capture those rights. Kurt Opsahl is the Deputy Executive Director and General Counsel of the Electronic Frontier Foundation, the leading nonprofit defending digital privacy, free speech, and innovation.

Interview Links
Coin Center article on Tornado Cash: https://www.coincenter.org/analysis-what-is-and-what-is-not-a-sanctionable-entity-in-the-tornado-cash-case/
Electronic Frontier Foundation: https://www.eff.org/
Code, Speech, and the Tornado Cash Mixer: https://www.eff.org/deeplinks/2022/08/code-speech-and-tornado-cash-mixer
Treasury Dept sued over Tornado Cash sanctions: https://fortune.com/2022/09/08/coinbase-employees-and-ethereum-backers-sue-u-s-treasury-over-tornado-cash-sanctions/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:42: Interview setup
0:02:43: How anonymous are cryptocurrency transactions?
0:07:30: What is a cryptocurrency mixer and why would I use one?
0:10:34: Kurt’s thoughts on “going dark”
0:12:45: Physical currency is not technically anonymous, either
0:14:07: How did the White House try to fix this problem?
0:15:27: Who is OFAC and what is the SDN list?
0:16:57: Who or what is Tornado Cash?
0:20:23: What about Tornado Cash drew scrutiny from the US Gov’t?
0:22:08: How does all of this relate to free speech?
0:26:22: One of the developers was arrested – what’s the EFF’s take on this?
0:29:14: Is a platform responsible for illegal activities related to content they host?
0:31:18: What’s the limit of free speech when it comes to software code?
0:41:00: What free speech rights do platforms themselves have?
0:44:42: What about attempts to turn code into books or T-shirts to gain protection?
0:48:04: What’s next for the Tornado Cash case?
0:55:12: Interview wrap-up
0:55:46: Looking ahead
Sep 12, 2022 • 1h 2min

Decoding Computers & Software

A little over 20 years ago, Charles Petzold wrote what would become a classic book on understanding modern computers and the software that drives them. Computers have become essential to daily life and inhabit more and more of the devices we use every day. Every “smart” device you own contains a computer running software. While these little silicon chips and the binary code running them seem like magic, they’re really just a series of simple building blocks chained together to accomplish a task. Having a basic understanding of these concepts can give us a lot more perspective on how computers can be used and abused, programmed and subverted. When I learned that Charles was releasing a fully updated 2nd edition of Code, I asked him to come on the show to give us all a historical overview of computers and software. He graciously agreed. The concepts of computing and programming go back a lot further than you might think. Today we’ll learn about this and much more. Charles Petzold is the author of the books Code, The Annotated Turing, and numerous programming tutorials involving Microsoft Windows.

Interview Notes
Code: The Hidden Language of Computer Hardware and Software: https://www.charlespetzold.com/books/
Companion website: https://codehiddenlanguage.com/
The Annotated Turing: https://www.charlespetzold.com/AnnotatedTuring/
Alan Turing: https://en.wikipedia.org/wiki/Alan_Turing
Ada Lovelace: https://en.wikipedia.org/wiki/Ada_Lovelace
Delay Line Mercury Storage: https://en.wikipedia.org/wiki/Delay-line_memory#Mercury_delay_lines
Steganography: https://en.wikipedia.org/wiki/Steganography

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:08: Hold off on iOS 16 update
0:02:47: Preview of today’s interview
0:05:49: Why did you write this book and who was your target audience?
0:11:03: Why should we understand the basics of computing?
0:12:39: What IS a “computer”, fundamentally?
0:16:35: Where did computers start, historically?
0:19:21: What’s the origin of software and programming computers?
0:22:14: How did we store computer programs before hard drives?
0:25:30: How did encoding enable us to communicate over large distances?
0:30:00: How do we measure progress in computing?
0:34:24: How did you decide how to lay out the concepts in the book?
0:39:29: How can understanding computers help us be more secure?
0:43:17: What does the future of computing look like?
0:49:58: What will your next book be about?
0:53:55: Interview wrap-up
0:54:53: My Google rant
0:58:03: A bit on steganography and codes
0:59:41: Upcoming shows, schedule change
Sep 5, 2022 • 1h 9min

LastPass Source Code Breach

Password manager software maker LastPass suffered a data breach last week, which understandably made their customers very nervous – and caused some people to question the decision to put all their passwords in one digital basket. In today’s show, I’ll explain why this particular breach was not a threat to anyone’s passwords and why you should still use a high quality password manager. In other news: Former security chief blows the whistle on Twitter; major VPN providers are pulling out of India over surveillance law issues; a set of popular Chrome extensions caught committing click fraud; Google’s new Chrome extension restrictions threaten to hobble ad blockers; a father’s Google accounts are deleted over false AI-flagged CSAM; US Federal Trade Commission sues a data broker over lax protection of location data; EFF finds another data broker selling location data to law enforcement; Google launches bug bounty program for open source software projects; DuckDuckGo’s email privacy protection feature now available to all; Ohio judge rules that scanning students’ rooms before tests is illegal; a flight to Cabo is nearly grounded thanks to a passenger sending dick pics to other passengers, including one of the pilots. 
Article Links
[The Washington Post] Former security chief claims Twitter buried ‘egregious deficiencies’ https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/
[9to5mac.com] Major VPN services shut down in India over anti-privacy law; Apple hasn’t yet commented https://9to5mac.com/2022/09/01/major-vpn-services/
[BleepingComputer] Chrome extensions with 1.4 million installs steal browsing data https://www.bleepingcomputer.com/news/security/chrome-extensions-with-14-million-installs-steal-browsing-data/
[BleepingComputer] AdGuard’s new ad blocker struggles with Google’s Manifest v3 rules https://www.bleepingcomputer.com/news/security/adguard-s-new-ad-blocker-struggles-with-google-s-manifest-v3-rules/
[The New York Times] A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal. https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
[Reuters] U.S. FTC sues data broker Kochava for alleged sale of sensitive data https://www.reuters.com/legal/us-ftc-sues-data-broker-kochava-alleged-sale-sensitive-data-2022-08-29/
[Electronic Frontier Foundation] Data Broker Helps Police See Everywhere You’ve Been with the Click of a Mouse: EFF Investigation https://www.eff.org/press/releases/data-broker-helps-police-see-everywhere-youve-been-click-mouse-eff-investigation
[Naked Security] LastPass source code breach – do we still recommend password managers? https://nakedsecurity.sophos.com/2022/08/29/lastpass-source-code-breach-do-we-still-recommend-password-managers/
[Decipher] Google Launches Bug Bounty Program For Open Source Projects https://duo.com/decipher/google-launches-bug-bounty-program-for-its-open-source-projects
[Spread Privacy] Protect Your Inbox: DuckDuckGo Email Protection Beta Now Open to All! https://spreadprivacy.com/protect-your-inbox-with-duckduckgo-email-protection/
[The Verge] University can’t scan students’ rooms during remote tests, judge rules https://www.theverge.com/2022/8/23/23318067/cleveland-state-university-online-proctoring-decision-room-scan
[VICE] Creeps Airdropping Dick Pics Just Made Flying Even Worse https://www.vice.com/en/article/3adag9/southwest-tiktok-video-pilot-airdropped-nudes

Tip of the Week: How to Prevent Cyberflashing https://firewallsdontstopdragons.com/how-to-prevent-cyberflashing/

Further Info
Peppering Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:32: Update Google Chrome and older iPhones
0:05:48: Twitter whistleblower
0:10:29: Major VPN services shutting down in India
0:14:00: Popular Chrome extensions committing link fraud
0:16:51: Google Chrome changes will limit ad blockers
0:23:38: Father loses Google accounts over false CSAM flagging by AI
0:27:22: FTC sues data broker
0:30:17: EFF research uncovers more police purchases of location data
0:34:55: LastPass source code breach
0:46:43: Google launches bug bounty for open source software
0:49:51: DuckDuckGo email privacy feature now open to all
0:55:55: Court blocks scanning of students’ rooms during remote tests
1:00:43: Cyberflashing nearly grounds flight
1:05:35: Notes on upcoming interviews and shows
Aug 29, 2022 • 60min

The Night the Lights Went Out in Vegas

Thirty years ago, a young hacker named Jeff Moss (aka The Dark Tangent) threw a party in the desert of Nevada to commemorate the demise of a bulletin board system called PlatinumNet. Unlike the other handful of hacker conferences at that time, this one would be on the West Coast and open to everyone. Over the next three decades, DEF CON would become the preeminent hacker convention for the US (possibly the world), drawing upwards of 30,000 attendees. Along with its more corporate spinoff Black Hat and the related BSides conference, the back-to-back conferences are affectionately referred to as Hacker Summer Camp. In today’s show, I’ll walk down memory lane with Jeff, discussing the ups and downs he’s experienced, and delve into what this has all meant to him, personally. Oh yeah… and also the incident involving strippers and hacking the power grid.

Further Info
Amulet of Entropy badge: https://amuletofentropy.com/
DEF CON documentary: https://www.youtube.com/watch?v=SUhyeY0Fsvw
My first trip to DEF CON: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/
Last year’s interview with Jeff Moss: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Legion of Doom (LOD) vs Masters of Deception (MOD): https://en.wikipedia.org/wiki/Great_Hacker_War
SATAN tool: https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks
A brief history of hacking: https://encyclopedia.kaspersky.com/knowledge/a-brief-history-of-hacking/
Cap’N Crunch whistle: https://www.thingiverse.com/thing:2630646

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:31: Hacker Summer Camp
0:03:30: Pre-interview things of note
0:05:31: DEF CON, the early years
0:12:02: How has DEF CON changed since the beginning?
0:16:08: What’s the closest DEF CON ever came to ending?
0:24:44: Why is DEF CON so full of shenanigans?
0:26:49: What has DEF CON meant to you, personally?
0:32:02: Thoughts on the DEF CON culture
0:37:13: What’s your “Jeff sense” on choosing the best people?
0:39:50: What’s in the future for DEF CON?
0:46:13: What speakers have you always wanted but couldn’t get?
0:51:04: Learning more about hackers and hacking
0:53:50: Where does “2600” come from?
0:57:18: Important notes for new listeners
Aug 22, 2022 • 54min

Hacker Summer Camp 2022

If it’s August in Las Vegas, it’s time for Hacker Summer Camp. There are three hacker conferences that coordinate to happen next to each other every year: BSides Las Vegas, Black Hat and DEF CON. My first trip to DEF CON was last year and I was hooked – I hope to go back every year. This was the big 30th anniversary of DEF CON, and several of the news stories this week came from one of these hacker conferences. And next week I’ll air my wonderful interview with DEF CON’s CEO and Founder, Jeff Moss (aka The Dark Tangent). In the news this week: Several malicious Mac apps have slipped through Apple’s App Store security checks and contain malware – you should delete them ASAP; iOS VPN apps aren’t properly securing connections made before activating the VPN; TikTok’s in-app browser injects JavaScript code that could enable it to snoop on your session, including capturing keystrokes; Cisco’s network breach has lessons for all of us; Signal’s use of phone numbers as identifiers is highlighted due to a breach at Twilio; a new jailbreak has been found for John Deere tractors that might allow farmers to service their own equipment; Amazon is planning to release a reality TV show based on Ring doorbell footage; a digital hallway pass allows schools to intrusively monitor their students; and law enforcement is tapping into DNA databases of the blood samples taken at birth by hospitals to solve crimes.

Article Links
[Tom’s Guide] These Mac apps are secretly spreading malware — delete them now https://www.tomsguide.com/news/these-mac-apps-are-secretly-spreading-malware-delete-them-now
[Ars Technica] iOS VPNs have leaked traffic for years, researcher claims [Updated] https://arstechnica.com/information-technology/2022/08/ios-vpns-still-leak-traffic-more-than-2-years-later-researcher-claims/
[Forbes] TikTok’s In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/
[ThreatPost] Cisco Confirms Network Breach Via Hacked Employee Google Account https://threatpost.com/cisco-network-breach-google/180385/
[TechCrunch] Signal says 1,900 users’ phone numbers exposed by Twilio breach https://techcrunch.com/2022/08/15/signal-phone-number-exposed-twilio/
[Ars Technica] A new jailbreak for John Deere tractors rides the right-to-repair wave https://arstechnica.com/information-technology/2022/08/a-new-jailbreak-for-john-deere-tractors-rides-the-right-to-repair-wave/
[VICE] ‘Ring Nation’ Is Amazon’s Reality Show for Our Surveillance Dystopia https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia
[VICE] A Tool That Monitors How Long Kids Are in the Bathroom Is Now in 1,000 American Schools https://www.vice.com/en/article/dy73n7/ehallpass-1000-thousand-schools-monitor-bathroom
[WIRED] Police Used a Baby’s DNA to Investigate Its Father for a Crime https://www.wired.com/story/police-used-a-babys-dna-to-investigate-its-father-for-a-crime/

Tip of the Week: https://firewallsdontstopdragons.com/be-my-guest-no-i-insist/

Further Info
A few Amulets of Entropy are still left: https://hackerboxes.com/collections/past-hackerboxes/products/hackerbox-0080-entropy

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:17: DEFCON 30 notes
0:03:00: Quick security notes
0:03:46: News rundown
0:06:50: Delete these Apple apps immediately
0:10:44: iOS VPN apps fail to secure old connections
0:15:00: TikTok’s in-app browser able to record private info
0:20:49: Cisco breach due to employee Google account hack
0:25:08: Signal says 1900 users’ phone numbers exposed
0:28:15: Hacker reports vulnerability in John Deere equipment
0:32:04: Amazon’s new Ring video reality show
0:36:27: e-HallPass monitors students’ bathroom breaks
0:39:27: US baby DNA being used by law enforcement
0:44:54: Tip of the Week
0:51:51: Wrap up
Aug 15, 2022 • 54min

Privacy vs Content Moderation

There’s no doubt that the internet has enabled criminals to share illicit and vile content with ease. The advent of high-quality end-to-end encrypted communications has made sharing this material harder for law enforcement to police. But the solution is not to cripple this technology, which is essential for security, privacy and even democracy. Today I’ll discuss this thorny issue with Dhanaraj Thakur from the Center for Democracy and Technology. We’ll talk about several dangerous proposals currently being considered in the US and Europe, and some potential solutions that can limit criminal behavior while preserving security and our right to privacy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online.

Further Info
Outside Looking In: Approaches to Content Moderation in End-to-End Encrypted Systems: https://cdt.org/insights/outside-looking-in-approaches-to-content-moderation-in-end-to-end-encrypted-systems/
End Run Around Your Rights: https://podcast.firewallsdontstopdragons.com/2021/12/13/end-run-around-your-rights/
Center for Democracy & Technology: https://cdt.org/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:19: Rebranding rolling out
0:02:11: Why is content moderation coming to the fore?
0:05:11: What are the types of content we’re trying to control?
0:08:30: How is automated copyright detection being abused by police?
0:09:49: What are the phases of content moderation?
0:12:01: How can content moderation scale on huge platforms?
0:15:14: How does moderation differ inside vs outside the US?
0:18:12: What is the platform liability for content?
0:21:33: How good is automated content filtering?
0:25:01: When does moderation become censorship?
0:27:52: Can social media companies block or allow whatever they want?
0:30:53: What does end-to-end encryption really mean?
0:34:42: How important is metadata for identifying illicit content?
0:37:26: What are the current legislative proposals around content moderation?
0:41:13: How can we comply with these orders without losing privacy?
0:46:09: So where do we draw the line?
0:48:44: How did we police this before the internet?
0:49:34: How can I learn more and get involved?
0:51:57: Listener mailbag coming soon!
0:52:49: Preview of coming shows
Aug 8, 2022 • 59min

Security Via Subtraction

All software has bugs, so the more software you have installed, the more bugs you have. It’s not just the bugs in any individual application, but it’s also magnified by interactions between some applications. Thankfully, the converse is also true: the less software you have installed, the fewer bugs you have (statistically, anyway). How many apps have you installed because they were free? How many apps came installed with your PC that you never use? How about companion apps for products you no longer own? Or maybe apps you installed years ago that you’ve forgotten about. You need to review all of your apps and get rid of anything you aren’t using. You can always reinstall them later, if necessary. But removing unused apps will also remove any software bugs and vulnerabilities that inevitably come with them. (It’s also one less app to gather and sell personal data.) In other news: Amazon is looking to buy the maker of Roomba robotic vacuums that know the map of your home; Amazon is also hoping to buy a medical company to start directly providing healthcare; Google once again delays removing support for 3rd party cookies in Chrome; a candidate post-quantum computing encryption algorithm was defeated in an hour with a regular PC; open source software is used everywhere, but is getting very little security support; hackers act on patched bugs within minutes; our cars are collecting and sharing tons of detailed information about us and our driving habits; Samsung has implemented a “repair mode” to protect your data while your phone is in the shop; and a new Android malware is contained in several “cleaner” apps. 
Article Links
[Mashable] Amazon vacuums up Roomba maker iRobot, sparking immediate privacy concerns https://mashable.com/article/amazon-irobot-acquisition-roomba-privacy
[Time] Amazon’s Dangerous Ambition to Dominate Healthcare https://time.com/6201575/amazons-dangerous-ambition-to-dominate-healthcare/
[HackerNews] Google Delays Blocking 3rd-Party Cookies in Chrome Browser Until 2024 https://thehackernews.com/2022/07/google-delays-blocking-3rd-party.html
[Ars Technica] Post-quantum encryption contender is taken out by single-core PC and 1 hour https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
[Ars Technica] Samsung’s “repair mode” lets technicians look at your phone, not your data https://arstechnica.com/gadgets/2022/07/samsungs-repair-mode-lets-technicians-look-at-your-phone-not-your-data/
[Lawfare] Open-Source Security: How Digital Infrastructure Is Built on a House of Cards https://www.lawfareblog.com/open-source-security-how-digital-infrastructure-built-house-cards
[ZDNet] Race against time: Hackers start hunting for victims just 15 minutes after a bug is disclosed https://www.zdnet.com/article/race-against-time-hackers-start-hunting-for-victims-just-15-minutes-after-a-bug-is-disclosed/
[The Markup] Who Is Collecting Data from Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
[Ars Technica] T-Mobile to pay $500M for one of the largest data breaches in US history https://arstechnica.com/tech-policy/2022/07/t-mobile-to-pay-500m-for-one-of-the-largest-data-breaches-in-us-history/
[Tom’s Guide] Millions infected by ‘auto-starting’ Android malware — delete these apps now https://www.tomsguide.com/news/millions-infected-by-auto-starting-android-malware-delete-these-apps-now

Tip of the Week: https://firewallsdontstopdragons.com/deleting-your-way-to-better-security/

Further Info
Mac AppCleaner: https://freemacsoft.net/appcleaner/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:30: DEF CON 30 is here!
0:03:20: News rundown
0:05:55: Amazon to buy iRobot, maker of Roomba
0:11:22: Amazon to get into healthcare
0:16:12: Google again delays removal of 3rd party cookies from Chrome
0:18:20: Post-quantum cryptography algorithms being vetted
0:23:51: Samsung’s “repair mode” protects your data
0:26:53: Open source software needs security support
0:32:36: Hackers pounce on newly-fixed bugs
0:35:23: Your car is collecting and sharing your driving data
0:42:44: T-Mobile fined $500M for data breach
0:46:46: New Android malware embedded in “cleaner” apps
0:49:53: Tip of the Week: Delete unused apps
0:57:29: Preview of next week’s interview
0:57:54: Drinks w/ me at DEF CON!
Aug 1, 2022 • 1h 2min

No Place Left to Hide

Cameras are everywhere. Every person you pass on the street has a camera on their phone, and security cameras are everywhere. They’re so cheap and small now, and most of them are connected to the cloud. Not only does that mean they basically have unlimited storage, but it also opens the door for computers to process those images and footage looking for faces. Today, I’ll speak with Nate Wessler from the ACLU about the implications of this technological perfect storm on our privacy and what rights we actually have today with regard to facial recognition and use of these systems by law enforcement. Nate Wessler is a deputy director with the ACLU’s Speech, Privacy, and Technology Project, where he focuses on litigation and advocacy around surveillance and privacy issues, including government searches of electronic devices, requests for sensitive data held by third parties, and use of surveillance technologies.

Further Info
ACLU suit against Clearview AI: https://iapp.org/news/a/aclu-files-class-action-vs-clearview-ai-under-biometric-privacy-law/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:41: DEF CON updates
0:03:18: Interview start
0:05:46: Carpenter v. US case
0:10:13: What’s my expectation of privacy in public spaces?
0:17:30: Private right of action
0:18:58: What rights do I have for online photos of me?
0:21:54: Aren’t we enabling facial recognition by tagging people?
0:23:47: Is there any solution beyond regulation?
0:27:16: Who is Clearview AI and what are they doing?
0:32:24: ACLU’s lawsuit win against Clearview AI
0:38:57: Is it possible to limit this tech to just “the good guys”?
0:43:00: This guy looks like Woody Harrelson!
0:47:07: What about the good uses for this tech?
0:53:09: What about 1-to-1 facial matching services?
0:56:20: So what can we, as citizens, do about all of this?
0:58:22: When should we reach out to the ACLU?
1:00:26: Wrap up
Jul 25, 2022 • 1h 10min

Hacking Your Honda

The “rolling code” technology used to remotely open and lock your car is supposed to prevent hacking. Unfortunately, Honda has a pretty serious vulnerability in their cars that apparently allows anyone with a little talent and cheap hacking tools to get into your car – and maybe even start it (though not actually drive it away). If correct, this vulnerability affects probably all Hondas made over the last 10 years. So far, Honda has denied that this is a problem, but many researchers have reproduced the hack. In other news: cheap, Chinese-made GPS vehicle trackers are vulnerable to remote hacking; Chrome, Edge and Safari browsers fix serious 0-day bugs; Twitter data breach info on 5.4M users is up for sale on the dark web; Windows is getting a crucial security update that turns an important security feature on by default; the Conti ransomware gang is attacking the entire country of Costa Rica; Facebook quickly bypasses Firefox’s URL tracking removal feature; Tor Browser adds a useful feature that will help people in repressive countries; Google appears ready to stop blocking political spam emails; Amazon admits to giving Ring video to law enforcement without consent or a warrant; a complicated, targeted web browser trick can be used to identify website visitors.

Article Links
[U.S. News & World Report] Researchers: Chinese-Made GPS Tracker Highly Vulnerable https://www.usnews.com/news/business/articles/2022-07-19/researchers-chinese-made-gps-tracker-highly-vulnerable
[Ars Technica] 0-day used to infect Chrome users could pose threat to Edge and Safari users, too https://arstechnica.com/information-technology/2022/07/exploit-seller-used-chrome-exploit-and-2-other-0-days-to-infect-journalists/
[9to5mac.com] Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k https://9to5mac.com/2022/07/22/twitter-data-breach/
[ZDNet] Windows 11 is getting a new security setting to block ransomware attacks https://www.zdnet.com/article/windows-11-is-getting-a-new-security-setting-to-block-ransomware-attacks/
[ThreatPost] Conti’s Reign of Chaos: Costa Rica in the Crosshairs https://threatpost.com/contis-costa-rica/180258/
[Schneier Blog] Facebook Is Now Encrypting Links to Prevent URL Stripping https://www.schneier.com/blog/archives/2022/07/facebook-is-now-encrypting-links-to-prevent-url-stripping.html
[Infosecurity Magazine] Tor Browser Adds Automatic Censorship Circumvention https://www.infosecurity-magazine.com/news/tor-browser-automatic-censorship/
[Inc. Magazine] Google Revealed Plans for a Big Change to Gmail That Almost Nobody Wants. You Have 19 Days to Object https://www.inc.com/bill-murphy-jr/google-revealed-plans-for-a-big-change-to-gmail-that-almost-nobody-wants-you-have-19-days-to-object.html
[The Intercept] Amazon Admits Giving Ring Camera Footage to Police Without a Warrant or Consent https://theintercept.com/2022/07/13/amazon-ring-camera-footage-police-ed-markey/
[The Drive] I Tried the Honda Keyfob Hack on My Own Car. It Totally Worked https://www.thedrive.com/news/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked
[WIRED] A New Attack Can Unmask Anonymous Users on Any Major Browser https://www.wired.com/story/web-deanonymization-side-channel-attack-njit/

Tip of the Week: More Uses for Password Vaults: https://firewallsdontstopdragons.com/more-uses-for-password-vaults/

Further Info
Amulet of Entropy!!: https://amuletofentropy.com/
Peppering your passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Donate directly with Monero! https://firewallsdontstopdragons.com/contact/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:02: Bad Bugs in GPS Vehicle Trackers
0:07:16: Zero-Day Bugs in Chrome, Edge, Safari
0:12:47: Twitter data breach affects 5.4M users
0:15:20: Windows’ new default RDP security setting
0:19:11: Conti gang attacks Costa Rica
0:23:40: Facebook defeats URL tracker removal technique
0:26:31: New Tor Browser feature
0:28:51: Google wants to allow political spam
0:34:08: Ring video given to police without warrant or consent
0:39:17: How to hack just about any modern Honda
0:50:43: Targeted, sophisticated web tracking hack
0:57:59: Tip of the Week
1:08:01: Wrap-up, DEF CON
