
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
Latest episodes

Jan 24, 2022 • 1h 6min
Building a Privacy-Respecting World
Personal data privacy isn't going to just happen on its own. We have to somehow collectively construct it. But how? Will it require regulation or can consumers drive change by consciously choosing privacy-respecting products and services? When it comes to regulations, why are things so different in the European Union versus the US and other global markets? What do privacy teams look like in modern corporations and how should they function? I'll pose these and many other questions to my guest, Whitney Merrill, who brings unique experience on privacy from both the private sector and the federal government.
Whitney Merrill is a data protection officer, privacy attorney, hacker, and the co-founder of the Crypto & Privacy Village. She loves privacy and is glad the world is getting excited about it, too.
Podcast Links
Carey’s 2022 Privacy Blog: https://firewallsdontstopdragons.com/data-privacy-week-2022/
Carey’s Privacy Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Data Privacy Week: https://staysafeonline.org/data-privacy-week/
FTC Privacy & Security: https://www.ftc.gov/tips-advice/business-center/privacy-and-security
EFF Surveillance Self Defense Guide: https://ssd.eff.org/
ACLU Privacy & Technology: https://www.aclu.org/issues/privacy-technology
IAPP Resources: https://iapp.org/resources/
European Data Protection Board: https://edpb.europa.eu/edpb_en
Data Protocol: https://dataprotocol.com/
The Gamification of Everything: https://lifehacker.com/how-gamification-of-everything-is-manipulating-you-and-1848352808
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jan 17, 2022 • 57min
Data Privacy Week 2022
Of course, every week should be "data privacy week", but we do set aside a specific time each year to focus on privacy - particularly educating as many people as possible about it. Until this year, we only dedicated one day to this - but as of 2022, it's been promoted to an entire week! Data Privacy Week runs from January 24-28, so today I'm going to prep you for it with several of my top privacy protection tips!
In the news: the FBI uses foreign intelligence services to sidestep US surveillance restrictions; Russia takes down the REvil ransomware outfit at the United States' request; Google gives Android users the ability to disable insecure 2G cell connections; Subaru is sued in Illinois for capturing drivers' biometric information without consent; lawmakers propose legislation to simplify and standardize terms of service agreements; and the Ponemon Institute releases the results of a recent poll on what people worry about in relation to privacy and what they feel should be done about it.
Article Links
Using Foreign Nationals to Bypass US Surveillance Restrictions https://www.schneier.com/blog/archives/2022/01/using-foreign-nationals-to-bypass-us-surveillance-restrictions.html
Russia’s FSB says it has taken down REvil hacker group at US request https://www.theverge.com/2022/1/14/22883675/russia-fsb-revil-hacker-group-ransomware-us-request-fbi-doj
VICTORY: Google Releases “disable 2g” Feature for New Android Smartphones https://www.eff.org/deeplinks/2022/01/victory-google-releases-disable-2g-feature-new-android-smartphones
Class action: Subaru DriverFocus system improperly scans driver's faces, eyes https://cookcountyrecord.com/stories/613746211-class-action-subaru-driverfocus-system-improperly-scans-driver-s-faces-eyes
Lawmakers Come After Companies’ Terms of Service With New TLDR Bill https://www.gizmodo.com.au/2022/01/lawmakers-come-after-companies-terms-of-service-with-new-tldr-bill/
New Ponemon Institute Report Indicates Major Consumer Privacy Gap https://www.cpomagazine.com/data-privacy/new-ponemon-institute-report-indicates-major-consumer-privacy-gap/
Further Info
Data Privacy Week: https://staysafeonline.org/data-privacy-week/about-dpw/
My Data Privacy checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
DNA service impacts: https://thenib.com/its-all-relatives/
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Hunting for Stingrays podcast: https://podcast.firewallsdontstopdragons.com/2021/04/19/hunting-for-stingrays-part-1/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jan 10, 2022 • 1h 30min
2022 New Year’s Resolutions
It's the start of a brand new calendar year! And therefore it's time to engage in that annual ritual of planning to do better this year by making our list of New Year's Resolutions. To help you with the cybersecurity and privacy items on your list (an area where we all need major improvement), I will share with you my personal list of cyber goals for 2022. Yes, even security advocates can suffer from the "do as I say, not as I do" syndrome. We're all human, and there are plenty of things that I still need to get done - things that you probably need to do, too.
I'll also catch you up on the latest security and privacy news: several articles popped up about a supposed data breach at LastPass that turned out to be incorrect; the US Federal Trade Commission is getting very serious about fining companies with lax cybersecurity practices in light of the Log4J/Log4Shell nightmare; clever scammers in Texas are tricking motorists into paying the wrong people for parking; Norton 360 and other antivirus software packages have started pre-installing cryptocurrency mining software on their customers' computers; TurboTax is the second major tax-filing software service to drop out of the federal Free File program; Google's adoption of the Manifest V3 specification gives users yet another reason not to use their Chrome browser; and a lawsuit in California alleges that Google's exclusive search engine deal with Apple is stifling competition and harming consumers.
Article Links
LastPass says there’s no data breach, so your passwords were not hacked https://bgr.com/tech/lastpass-says-theres-no-data-breach-so-your-passwords-were-not-hacked/?bgr-partner=flipboard
FTC to Go After Companies that Ignore Log4j https://threatpost.com/ftc-pursue-companies-log4j/177368/
QR code scammers hitting on-street parking in Texas cities https://www.click2houston.com/news/local/2022/01/05/qr-code-scammers-hitting-on-street-parking-in-texas-cities-this-is-what-houston-officials-want-you-to-know/
Norton 360 Now Comes With a Cryptominer https://krebsonsecurity.com/2022/01/norton-360-now-comes-with-a-cryptominer/
500M Avira Antivirus Users Introduced to Cryptomining https://krebsonsecurity.com/2022/01/500m-avira-antivirus-users-introduced-to-cryptomining/
Want to file your tax return for free? TurboTax opts out of major program https://www.freep.com/story/money/personal-finance/susan-tompor/2022/01/05/how-file-your-tax-return-free-turbotax/9077019002/
Podcast on Free File report from Pro Publica: https://podcast.firewallsdontstopdragons.com/2020/01/13/why-free-file-isnt-free/
Google makes the perfect case for why you shouldn't use Chrome https://www.techrepublic.com/article/google-makes-the-perfect-case-for-why-you-shouldnt-use-chrome/
Google Basically Pays Apple to Stay Out of the Search Engine Business, Class Action Lawsuit Alleges https://www.macrumors.com/2022/01/05/google-pays-apple-stay-out-of-search/
Betty White on MFA: https://www.youtube.com/watch?v=DmIDtDAYTPA
Further Info
Annual listener survey: https://bit.ly/Firewalls-survey-2022
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jan 3, 2022 • 1h 13min
The State of Kids’ Privacy
Navigating the online world today is hard enough as an adult. But it's way worse for kids. Not only are they short on life experiences that would give them the context they need, but as students during a pandemic, their privacy rights are being sorely tested by new "edtech" apps and services. Today I speak with Jill Bronfman from Common Sense Media about their new report on the state of privacy for kids. Their research is quite comprehensive - and (spoiler alert) the results aren't great. Obviously, this report is helpful for parents, educators and policy makers - but much of what's covered here is useful knowledge for anyone.
Jill Bronfman is Privacy Counsel at Common Sense Media and teaches Media Ethics and Privacy Law.
Further Info
2021 State of Kids’ Privacy: https://www.commonsensemedia.org/research/state-of-kids-privacy-2021
Common Sense Media: https://www.commonsensemedia.org/
Common Sense Privacy Program: https://privacy.commonsense.org/
Boston COVID in the wastewater: https://www.msn.com/en-us/weather/topstories/how-fast-is-covid-surging-in-boston-this-chart-shows-the-spike-after-christmas/ar-AAShL4P
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Dec 27, 2021 • 1h 7min
The Best of 2021
We've come to the end of another year. As we take a breather and gather with family and friends for the holidays, it's a good time to look back over the year that just passed. I've collected a handful of snippets from some of my favorite shows from this year, along with a little commentary.
If you're new to the show, you can catch up on some stuff you may have missed. Or if you'd like to introduce someone else to the podcast, this would be a great one to share.
You can find all the original, full-length episodes using the links below.
Best Of Episodes
Ep206, Feb 8 - Troy Hunt, De-Platforming: https://podcast.firewallsdontstopdragons.com/2021/02/08/free-speech-deplatforming/
Ep214, Apr 5 - Phil Zimmerman, Social media is ruining society: https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society
Ep219, May 10 - Alison Macrina, library freedom: https://podcast.firewallsdontstopdragons.com/2021/05/10/protecting-intellectual-freedom-part-1/
Ep232, Aug 9 - DEFCON - understanding hackers: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/
Ep233, Aug 16 - DEFCON - Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Ep235, Aug 30 - Morpheus - Todd Austin: https://podcast.firewallsdontstopdragons.com/2021/08/30/morpheus-securing-cpus-with-entropy/
Ep237, Sep 13 - Privacy for Cars - Andrea Amico: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
Ep245, Nov 8 - Harri Hursti: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Ep200, Dec 27, 2020 - Bruce Schneier: https://podcast.firewallsdontstopdragons.com/2020/12/28/200th-podcast-new-years-2021/
Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Dec 20, 2021 • 1h 19min
The Log4Shell Debacle
The internet is on fire this week. The worst cybersecurity vulnerability of the last ten years (and perhaps more) has kicked the internet ant hill. Companies around the globe - big and small - are scrambling to repair a gaping hole in a ridiculously mundane but widely popular open source tool called Log4J. What is it, and what does it mean for you? I'll get into all of that today.
In other news: many popular wireless home routers are riddled with security bugs (update your firmware now); family "safety" app Life360 is selling your detailed location data; Consumer Reports released a comprehensive report on VPN security and privacy; Firefox just got a lot more secure; LastPass is once again an independent company; Apple released a lot of cool security and privacy features for iOS and macOS; and Verizon just opted you into a program for tracking you - and how you can opt out. (I'll touch on T-Mobile and AT&T tracking, too.)
Article Links
Op-Ed: What a house cat can teach us about cybersecurity https://www.latimes.com/opinion/story/2021-11-07/op-ed-what-a-house-cat-can-teach-us-about-cybersecurity
Nine WiFi routers used by millions were vulnerable to 226 flaws https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/
The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user
Consumer Reports exhaustive report on VPNs https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/
The new Firefox 95 might be the most secure web browser on the market https://www.techrepublic.com/article/the-new-firefox-95-might-be-the-most-secure-web-browser-on-the-market/
The Log4Shell 0-day, four days on: What is it, and how bad is it really? https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/
Widely-Used Kronos Payroll Provider Down for “Weeks” Due to Ransomware Attack; Was Log4Shell Involved? https://www.cpomagazine.com/cyber-security/widely-used-kronos-payroll-provider-down-for-weeks-due-to-ransomware-attack-was-log4shell-involved/
LastPass is going to become an independent company https://www.theverge.com/2021/12/14/22833319/lastpass-independent-company-logmein
How to Use App Privacy Report in the iOS 15.2 Beta https://www.macrumors.com/guide/app-privacy-report/
iOS 15.2 Beta 2 Lets Your Family Access Your Data If You Pass Away https://www.macrumors.com/2021/11/09/ios-15-2-legacy-contact/
Hide My Email Available in Mail App With New iOS 15.2 and macOS Monterey 12.1 Betas https://www.macrumors.com/2021/11/09/macos-monterey-12-1-beta-2-hide-my-email/
iOS 15.2 Beta Adds Messages Communication Safety Feature for Kids https://www.macrumors.com/2021/11/09/apple-messages-communication-safety-ios-15-2/
Verizon May Have Just Enrolled You in a Data-Collection Scheme–Here's How to Get Out https://gizmodo.com/verizon-may-have-just-enrolled-you-in-a-data-collection-1848156157
Further Info
Still looking for holiday gifts? https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Dec 13, 2021 • 55min
End Run Around Your Rights
The rampant collection and sharing of personal data is not just a creepy nuisance. Surveillance capitalism has actually had seriously deleterious effects on society and democracy. In the United States, we have certain rights enshrined in the Constitution that are supposed to protect citizens against unreasonable search and seizure. Law enforcement and intelligence agencies are supposed to have to jump through some non-trivial legal hoops in order to access our personal data. But with a massive market for gathering and correlating your location, purchase history, web surfing habits, search history, and more, it's become trivial to circumvent these pesky road blocks by just buying the information from data brokers. In an important and landmark report from the Center for Democracy and Technology, the end run around our supposed rights has become frighteningly clear. Today I speak with Dhanaraj Thakur about this report and what it means for our democracy.
Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online.
Further Info
CDT Report on Legal Loopholes: https://cdt.org/insights/report-legal-loopholes-and-data-for-dollars-how-law-enforcement-and-intelligence-agencies-are-buying-your-data-from-brokers/
Center for Democracy & Technology: https://cdt.org/
Patriot Act Turns 20 panel discussion: https://www.youtube.com/watch?v=xaUIvxLdGCQ
My particular question at the panel: https://www.youtube.com/watch?v=xaUIvxLdGCQ&t=4783s
Best & Worst Gifts Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Dec 6, 2021 • 1h 2min
Defending Democracy with Technology
Transparency is critical when it comes to trust - and right now, particularly in the United States, we're having some real issues with trust in our elections. Most of our election systems today are completely opaque in terms of their hardware and software design because they're made by private companies who want to protect their intellectual property. But this secrecy also seriously impedes independent third parties from being able to test and verify these devices that are crucial to our democracy, and therefore contributes to the distrust in our election outcomes. Microsoft is working to change this with a program called ElectionGuard - a free and open source software framework that would allow any company (existing or new) to create robust and secure election systems. Not only can security researchers, journalists and democracy activists review and test the code, but the system actually provides technical capabilities that would give voters and watchdog groups a secure and private method for verifying that all votes were counted correctly. And that's just part of what Microsoft is doing to defend democratic processes as part of their Democracy Forward program.
Ethan Chumley is a Senior Security Strategist for Microsoft’s Democracy Forward Program, leading the team’s Critical Institution cybersecurity programs. He works at the intersection of cybersecurity, policy, and technology in support of open and secure elections by working with political campaigns, elections organizations, think tanks, NGOs, disinformation researchers, and tech industry partners.
Further Info
Microsoft ElectionGuard: https://www.electionguard.vote/
Microsoft's Democracy Forward program: https://news.microsoft.com/on-the-issues/topic/defending-democracy-program/
Contact Microsoft about ElectionGuard: electionguard@microsoft.com
Contact Microsoft about protecting elections: protectelections@microsoft.com
ElectionGuard code: https://github.com/microsoft/electionguard
Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Article on brute forcing debit card numbers: https://www.techspot.com/news/92476-hackers-brute-force-guessing-payment-card-numbers-there.html
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Nov 29, 2021 • 1h 8min
My Debit Card Was Hacked
Credit cards are more secure than debit cards. I've said this in my book, my podcast, my blog and my seminars. Credit card transactions are loans - you're not out any money if a fraudulent charge comes through (assuming you or the credit card company catches it first). With debit cards, any fraud activity will actually take your money from your account - it's gone and you have to convince your bank to give it back. And so, I almost never use my debit card. And yet, I was still hacked. My card wasn't stolen or cloned with a skimmer. The number wasn't leaked in a hack. The bad guys somehow managed to guess my card number. And then they got clever and drained my bank account. I'll give you the details today and give you some pointers for avoiding being bitten the same way I was.
In other news: bad guys have come up with some very clever ways to drain your bank accounts using Zelle and text messages; they've also used similar techniques to disable the Find My feature on stolen iPhones; Apple is suing Israeli hacking company NSO Group over their Pegasus spyware; attackers apparently don't try guessing passwords longer than about 10 characters; GoDaddy admits to a major breach, but in a dumb way; there's a nasty new Windows bug that was given up by an upset security researcher; there's a powerful IoT malware that appears to be lurking on the internet; Microsoft Windows is doing some shady stuff to force you to use the Edge browser and give up your data; and Vizio makes more money off your TV data than off the TV itself.
Article Links
The ‘Zelle Fraud’ Scam: How it Works, How to Fight Back https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/
iPhone thieves are using this trick to disable Find My on stolen devices https://www.imore.com/iphone-thieves-are-using-trick-disable-find-my-stolen-devices
Apple sues NSO Group for attacking iPhones with Pegasus spyware https://www.theverge.com/2021/11/23/22798917/apple-nso-group-spyware-pegasus-cybersecurity-research
Apple will alert users exposed to state-sponsored spyware attacks https://appleinsider.com/articles/21/11/25/apple-will-alert-users-exposed-to-state-sponsored-spyware-attacks
Attackers don’t bother brute-forcing long passwords https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/
GoDaddy admits to password breach: check your Managed WordPress site! https://nakedsecurity.sophos.com/2021/11/23/godaddy-admits-to-password-breach-check-your-managed-wordpress-site/
New Windows zero-day with public exploit lets you become an admin https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
This mysterious malware could threaten millions of routers and IoT devices https://www.zdnet.com/article/this-mysterious-malware-could-threaten-millions-of-routers-and-iot-devices/
Microsoft Enables Edge Sync By Default, Hoovering Up Your Data in the Process https://www.extremetech.com/computing/329162-microsoft-enables-edge-sync-by-default-hoovering-up-your-data-in-the-process?source=Computing
Vizio is making more money selling your data than it is selling TVs https://knowtechie.com/vizio-is-making-more-money-selling-your-data-than-it-is-selling-tvs/
My Debit Card Was Hacked: https://firewallsdontstopdragons.com/my-debit-card-was-hacked/
Further Info
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Nov 22, 2021 • 1h 16min
Security Requires Privacy
When you think about improving your privacy and protecting your personal information, it's important to realize that it will also improve your security. According to Craig Danuloff, CEO of The Privacy Co. and maker of the Priiv app, privacy harms fall into at least four different buckets: personal data leaks (embarrassment and reputation harm), online tracking (targeted ads and manipulation), financial accounts (including fraud and identity theft), and harassment (stalking, bullying, even physical threats). Today Craig will offer his opinions on the state of privacy today and provide several of his top tips for protecting your privacy and increasing your security.
Craig Danuloff is a technology entrepreneur who has founded a series of tech companies including desktop publishing, e-commerce, ad-tech, identity, and now consumer privacy. Craig is a graduate of the University of Colorado Leeds School of Business, and the author of over 20 computer books.
Further Info
Priiv app: https://www.theprivacy.co/priiv
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst Gift Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/