Firewalls Don't Stop Dragons Podcast

Latest episodes

Nov 15, 2021 • 53min

Best & Worst Gifts for 2021

The gift-giving season is officially upon us, and with COVID supply chain issues, if you're going to order gifts, you need to get on it. In today's show, I'll share the highlights of my annual Best & Worst Gift Guide, where I focus on the privacy and security of popular gifts. You won't be surprised at a lot of the items on my naughty list, but I'll bet you'll find some interesting ideas from the nice list that you can give your loved ones this holiday season. I will also cover several news items, many of them actually good news! A new bipartisan bill would allow people to disable news feeds based on algorithms; Apple has dialed back some of its well-intentioned but poorly-implemented child safety features; Facebook will remove many sensitive categories for targeted ads and stop using facial recognition; several people associated with the Kaseya ransomware hack have been arrested; and 23andMe's DNA database (your DNA) may be leveraged for a lucrative pharmaceutical business.

Article Links
New bipartisan bill takes aim at algorithms: https://www.axios.com/algorithm-bill-house-bipartisan-5293581e-430f-4ea1-8477-bd9adb63519c.html
Apple Has Listened And Will Retract Some Harmful Phone-Scanning: https://www.eff.org/deeplinks/2021/11/apple-has-listened-and-will-retract-some-harmful-phone-scanning
Facebook-parent Meta will remove the ability to target ads based on sensitive categories: https://www.cnn.com/2021/11/09/tech/meta-facebook-ad-targeting-change/index.html
Facebook shutting down face recognition efforts & deleting data: https://appleinsider.com/articles/21/11/02/facebook-shutting-down-face-recognition-efforts-deleting-data
Meta to continue use of facial recognition technology: https://appleinsider.com/articles/21/11/04/meta-to-continue-use-of-facial-recognition-technology
Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague: https://nakedsecurity.sophos.com/2021/11/08/kaseya-ransomware-suspect-nabbed-in-poland-6m-seized-from-absent-colleague/
All Those 23andMe Spit Tests Were Part of a Bigger Plan: https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs

Further Info
My annual Best & Worst Gift Guide is out for 2021! https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Nov 8, 2021 • 1h 25min

Restoring Trust in Our Elections

Nothing is arguably more fundamental to a democracy than voting. But it's not enough to have a secure election. The electorate also needs to trust that the results are valid. In the United States today, that trust is in short supply: many people believe that the 2020 election was rigged. On one hand, many of our electronic voting systems are demonstrably insecure and trivially capable of being hacked. On the other, our cybersecurity experts, government agencies and election officials are telling us that the 2020 election was one of the most secure in US history and that voter fraud almost never happens. So which is it? How do we reconcile these two seemingly incongruent positions? Today I'll ask these questions and more of computer and election security guru Harri Hursti. Harri has investigated and hacked several popular election systems used in the US and runs the Voting Machine Hacking Village at the annual DEF CON hacking conference. He's also officially observed many elections around the world and participated in several high-profile audits. As if that weren't enough, Harri's been featured in two separate HBO documentaries on election security and is co-founder of the Election Integrity Foundation. I met Harri at DEF CON 29 and I was thrilled when he agreed to come on the show.

Further Info
Harri Hursti: https://en.wikipedia.org/wiki/Harri_Hursti
Election Integrity Foundation: https://electionintegrityfoundation.org/
California voting system review (“top to bottom”): https://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review
Ohio voting system review (“Everest”): https://www.eac.gov/documents/2017/03/21/everest-report-state-voting-systems-voting-technology
New Hampshire election audit: http://doj.nh.gov/sb43/documents/20210713-sb43-forensic-audit-report.pdf
Kill Chain: The Cyber War on America's Elections (HBO documentary, 2020): https://www.hbo.com/documentaries/kill-chain-the-cyber-war-on-americas-elections
Hacking Democracy (HBO documentary, 2006): https://www.youtube.com/watch?v=b_gb_w_L9NE
Election Administration and Voting Survey 2020: https://www.eac.gov/research-and-data/studies-and-reports
Voluntary Voting System Guidelines: https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines
CISA, Election Security Rumor vs Reality: https://www.cisa.gov/rumorcontrol
2020 election security reports: https://www.brennancenter.org/our-work/research-reports/its-official-election-was-secure
DEF CON 25 Voting Machine Hacking Village Report: https://archive.org/download/DEFCON25VotingVillageReport/DEF%20CON%2025%20voting%20village%20report.pdf
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Nov 1, 2021 • 1h 6min

Spooky Security Stories

There were lots of scary computer security and privacy stories in the news this week, coinciding nicely with Halloween. We'll start off with an unfortunate new cybersecurity term: killware. This is software whose end result is actual physical harm to human beings, including death. Sadly, this is now a thing. And I don't know about you, but Mark Zuckerberg's vision of the future (the "metaverse") is pretty damn scary, too. In other news: a hacker seems to have stolen the government identity information for every person in Argentina; a New York Times journalist explains how his iPhone has been hacked multiple times by the NSO Group and what he does to protect himself (and his sources); the FBI, the Secret Service and other "like-minded countries" seem to have finally taken down the REvil ransomware gang for good; Facebook has changed its name to "Meta"; link previews in chat apps can actually cause serious security and privacy problems; Delta Air Lines and UK schools are normalizing the use of facial recognition for mundane purposes; your ISP is collecting tons of information about you in the US because we let them; and finally, I demystify and debunk the "dangers" of QR codes.

Article Links
Killware: What You Need to Know: https://adamlevin.com/2021/10/15/killware-what-you-need-to-know/
Hacker steals government ID database for Argentina’s entire population: https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/
NYT journalist describes his iPhone being hacked, and the precautions he now takes: https://9to5mac.com/2021/10/25/nyt-journalist-describes-his-iphone-being-hacked-and-the-precautions-he-now-takes/
FBI, others crush REvil using ransomware gang’s favorite tactic against it: https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/
Facebook changes its name to Meta: https://www.inc.com/jason-aten/5-things-mark-zuckerberg-said-about-his-plan-for-metaverse-that-should-make-you-very-worried.html
Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities: https://www.macrumors.com/2020/10/26/link-previews-may-lead-to-security-vulnerabilities/
Delta Air Lines partners with TSA PreCheck to launch biometrics-based bag drops: https://finance.yahoo.com/news/delta-air-lines-partners-tsa-164655619.html
UK schools are using facial recognition to take pupils’ lunch money: https://www.theverge.com/2021/10/18/22732330/uk-schools-facial-recognition-lunch-payments-north-ayrshire
Location Data Firm Got GPS Data From Apps Even When People Opted Out: https://www.vice.com/en/article/5dgmqz/huq-location-data-opt-out-no-consent
Internet service providers have so much data on you: https://www.protocol.com/policy/isp-ftc-data
Beware QR Code… Articles: https://firewallsdontstopdragons.com/beware-qr-code-articles/

Further Info
Only ONE DAY LEFT to snag your challenge coin!! The promotion ends at 11pm Eastern Time on Tuesday, November 2nd! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 25, 2021 • 1h 15min

Through the Past, Privately: PGP Turns 30

Today, we're surrounded by strong encryption. Thanks to efforts like Let's Encrypt, almost all web communications today are encrypted. And thanks to wonderful private communications tools like Signal, we can share private thoughts instantly and securely with anyone on the planet. But this was not always the case. This secure, private, encryption-enabled future we're living in now was far from certain 30 years ago, when Phil Zimmermann created and freely released his email encryption tool Pretty Good Privacy (PGP). If not for Phil and a handful of others, we could very easily have lost the Crypto Wars of the 1990s, and authoritarian mass surveillance could have been the norm. In today's show, Phil and I walk through the creation of PGP, the technological and political climate of that day, and the nerve-racking few years where Phil faced potential jail time for releasing "munitions grade" encryption to the world. We'll also discuss the literally life-saving impacts PGP has had over these last 30 years and how global law enforcement agencies and liberal democratic governments have revived the Crypto Wars. Phil Zimmermann is the creator of Pretty Good Privacy, which is still widely regarded as the gold standard for secure email communication. Phil went on to form Silent Circle and win several prestigious awards, including US Privacy Champion, and was inducted into the Cybersecurity Hall of Fame.

Further Info
Phil Zimmermann’s website: https://philzimmermann.com/
Phil’s announcement for the 30th anniversary of PGP: https://philzimmermann.com/EN/news/index.html
PGP Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust
SNL Bass-o-matic skit: https://www.nbc.com/saturday-night-live/video/bassomatic/n8631
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only ONE WEEK LEFT to snag your challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 18, 2021 • 1h 10min

Rough Week for Facebook

Facebook had a horrible, no-good, very bad week. Not only did Facebook, Instagram and WhatsApp go completely offline for about six hours, a whistleblower came forward to show the world what most of us already knew: Facebook values money over its users' well-being. And I have another story that backs that up as well, one that you almost surely did not hear about. In other news: the FTC tells app makers to fess up when users' private data gets loose; the governor of Missouri wants to sue a newspaper for revealing a horrible security flaw that exposed teachers' social security numbers; Apple's attempts to prevent user tracking on iOS are being undermined by unscrupulous apps; a company that you've never heard of, with access to almost all cellular text messages, was hacked over the course of five years; the VPN maker and VPN review industries are awash in conflicts of interest; Windows 11 is finally out, but it's not clear whether you should upgrade to it; and Firefox is searching for more ways to make money and stay alive, including adding more sponsored search suggestions for you to consider.

Article Links
FTC says health apps must notify consumers about data breaches — or face fines: https://techcrunch.com/2021/09/16/ftc-says-health-apps-must-notify-consumers-if-their-data-is-breached-or-face-fines/
Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability: https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/
Investigation Finds Apple App Tracking Rules May Be Ineffective; IDFA Blocked, but Apps Frequently Access Other Identifiers: https://www.cpomagazine.com/data-privacy/investigation-finds-apple-app-tracking-rules-may-be-ineffective-idfa-blocked-but-apps-frequently-access-other-identifiers/
Company That Routes Billions of Text Messages Quietly Says It Was Hacked: https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked
Consolidation of the VPN industry spells trouble for the consumer: https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/
Facebook has finally given a reason for the six-hour outage Monday: https://www.theverge.com/2021/10/4/22709806/facebook-says-the-six-hour-outage
Understanding How Facebook Disappeared from the Internet: https://blog.cloudflare.com/october-2021-facebook-outage/
Facebook bans developer behind Unfollow Everything tool: https://www.theverge.com/2021/10/8/22716044/facebook-unfollow-everything-tool-louis-barclay-banned-for-life
Facebook whistleblower Frances Haugen tells lawmakers that meaningful reform is necessary ‘for our common good’: https://www.washingtonpost.com/technology/2021/10/05/facebook-senate-hearing-frances-haugen/
Windows 11 compatibility: Check if your PC meets Microsoft's requirements: https://www.cnet.com/tech/computing/windows-11-compatibility-check-if-your-pc-meets-microsofts-requirements/
Firefox Now Sends Your Address Bar Keystrokes to Mozilla: https://www.howtogeek.com/760425/firefox-now-sends-your-address-bar-keystrokes-to-mozilla/
BONUS: Trust, but verify: An in-depth analysis of ExpressVPN's terrible, horrible, no good, very bad week: https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/

Further Info
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only two weeks left to snag a challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 11, 2021 • 1h 19min

Privacy Dynamic Duo

Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big-name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time? NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!) Michelle Dennedy was the first CPO for many global IT infrastructure companies, including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online and CEO at a privacy engineering startup in stealth mode. She is the co-author of The Privacy Engineer’s Manifesto and The Privacy Engineer’s Companion. Melanie Ensign is the CEO of Discernible, helping cybersecurity & privacy teams better communicate with business leaders and consumers. She is also part of the DEF CON leadership team.

Further Info
Discernible: https://discernibleinc.com/
Privatus: https://privatus.online/
The Privacy Engineer’s Manifesto: https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555
The Rise of Privacy Tech (TROPT): https://www.riseofprivacytech.com/
Privacy is Power (book): https://firewallsdontstopdragons.com/privacy-is-power-review/
The Social Dilemma: https://www.thesocialdilemma.com/
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 4, 2021 • 1h 8min

iOS 15 Privacy & Security Features

I admit it. I'm an Apple fan. Are they perfect? Definitely not. But in most cases, they're actually trying to be good. And at the end of the day, their business model doesn't rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it's got some really cool security and privacy features. I'll tell you all about them in today's show. In other news: thousands of Netgear routers can be hacked via a Disney parental control feature, even if you didn't ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a "passwordless" login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere, because HTTPS is now already everywhere; Amazon's new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US.

Article Links
National Cybersecurity Awareness Month, Week #1: Own your role in cybersecurity: https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf
Thousands of Netgear routers can be hacked — here's what to do: https://www.tomsguide.com/news/netgear-router-circle-patches
Researcher drops three iOS zero-days that Apple refused to fix: https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/
ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move: https://theintercept.com/2021/09/21/surveillance-social-media-police-microsoft-shadowdragon-kaseware/
The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous: https://www.vice.com/en/article/93ypke/the-nsa-and-cia-use-ad-blockers-because-online-advertising-is-so-dangerous
You Can Now Sign-in to Your Microsoft Accounts Without a Password: https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html
HTTPS Is Actually Everywhere: https://www.eff.org/deeplinks/2021/09/https-actually-everywhere
Amazon Astro is ‘terrible’ and will ‘throw itself down’ stairs, developers reportedly claim: https://www.theverge.com/2021/9/28/22699284/amazon-astro-real-world-stairs-fragile-developer-claims-documents-tracking
National Cybersecurity Awareness Month: https://www.cisa.gov/cybersecurity-awareness-month
Apple’s iOS 15 Privacy and Security features: https://firewallsdontstopdragons.com/ios-15-security-privacy-features/

Further Info
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 27, 2021 • 1h 8min

Apple’s Problematic CSAM Scanning

Apple was set to roll out controversial new on-device scanning technology in iOS 15 last week, but thanks to pushback from groups like the Electronic Frontier Foundation and people like you, Apple has since thought better of it and backed down. It's not clear when or if these "child safety" features will come to iPhones, but in the meantime we can hope that Apple will listen carefully to our concerns before proceeding. Today I'll speak with Jason Kelley from the EFF about Apple's proposed technology, the problem of child sexual abuse material (CSAM), and why Apple's proposed solution was so problematic. Jason Kelley guides EFF’s social media tactics, develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking.

Further Info
Donate to EFF! https://supporters.eff.org/donate/join-4
EFF's Perspectives event: https://www.eff.org/event/perspectives-encryption-and-child-safety
Sign the petition to stop Apple’s poorly-designed child safety features: https://www.eff.org/deeplinks/2021/09/dont-stop-now-join-eff-fight-future-apple-protests-nationwide
Fight for the Future’s #noSpyPhone coverage: https://www.fightforthefuture.org/news/2021-09-13-photos-video-protests-hit-apple-stores-across/
Child Rights International Network (CRIN): https://home.crin.org/
Detailed new review of my book: https://parmsam.medium.com/notes-from-reading-firewalls-dont-stop-dragons-f69ae0d4bf0a
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 20, 2021 • 57min

Security Is Hard

It's really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard, even when you're trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we're going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task. In today's show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it's still being actively exploited (hint: patch now!); it was recently argued that WhatsApp's end-to-end encryption has a "backdoor", but I'll explain why that's not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its "no IP logging" marketing in the face of a recent incident involving a French activist's account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I'll tell you about a new fourth credit bureau where you should freeze your credit report.

Article Links
Free REvil ransomware master decrypter released for past victims: https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/
Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says: https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR
WhatsApp Fixes Its Biggest Encryption Loophole: https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/
No, Facebook Isn't Reading Your Private WhatsApp Messages. The Problem Is Much Worse: https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html
Pwned! The home security system that can be hacked with your email address: https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/
ProtonMail Amends Its Policy After Giving Up an Activist’s Data: https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
New Mac malware spreads via search results: https://www.tomsguide.com/news/mac-malware-fake-iterm2
Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/

Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Stay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/

Sep 13, 2021 • 1h 9min

Driving Data Privacy for Cars

Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending wirelessly to the cloud right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy 4 Cars, and today he'll help us understand all the data your car is hoovering up: from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you've generated, probably without even realizing it. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.

Further Info
Privacy4Cars: https://privacy4cars.com/
Assert Your Data Rights! https://privacy4cars.com/personal-use/assert-your-data-rights/
Twitter: https://twitter.com/privacy4cars
Free CCPA Agent: https://freeccpaagent.com/
Auto ISAC: https://automotiveisac.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/