Firewalls Don't Stop Dragons Podcast

We are being tracked constantly by our cell phones. We willingly carry supercomputers in our pockets 24/7, and these devices are chock full of sensors and radios that are tattling on us. Sometimes on purpose, sometimes incidentally, and sometimes maliciously. Apps for brick and mortar stores are tracking you within their stores, noting where you go, how long you stay in some locations, and where you don’t go. Other apps track your global location and sell it to third parties. Apps to keep tabs on kids can also be used to stalk significant others. And spyware is used to track journalists, dissidents and “people of interest” by authoritarian governments. If all of that weren’t bad enough, there are several cheap electronic devices that anyone can buy and hide on you to track your movements. Today I’ll talk about all of this tracking and stalking with David Ruiz from Malwarebytes, and we’ll give you some tips on how to avoid it. David Ruiz is an online privacy advocate for Malwarebytes, where he writes about online privacy, cybersecurity, and the laws and proposed legislation that regulate how data is stored, shared, and accessed. Further Info Malwarebytes blog: https://blog.malwarebytes.com/ Malwarebytes podcast: https://blog.malwarebytes.com/category/podcast/  David Ruiz interviews me: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/  Coalition Against Stalkerware: https://stopstalkerware.org/  Malwarebytes detection software: https://www.malwarebytes.com/mwb-download  Stalkerware-type detections hit record high in 2021, but fell in second half https://blog.malwarebytes.com/stalkerware/2022/04/stalkerware-type-detections-hit-record-high-in-2021-but-fell-in-second-half/  Kashmir Hill article: https://www.nytimes.com/2022/02/11/technology/airtags-gps-surveillance.html  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

Security isn’t a big differentiator today when choosing a web browser. First of all, 3 of the top 5 browsers all use the same engine – Chrome, Edge and Opera are all based on Chromium. Second, there’s no real conflict of interest between browser makers and browser users when it comes to security – it’s a win-win situation. Also, most browsers today are plenty fast enough and come with similar user features. So to me, the real differentiator when choosing a web browser is privacy. Today I’ll give you my top choices for the most privacy-respecting web browser. (Spoiler alert: Chrome didn’t make the list.) NOTE: I’m giving away TEN free subscriptions to ProtonMail plus! All you have to do to enter is sign up for a free ProtonMail account here and then shoot me an email from your new account (send it to proton at firewallsdontstopdragons.com)! That’s it! Do it by 11:59AM Eastern Time on May 6th. In other news: The US and 60 other countries have signed an aspiration Declaration for the Future of the Internet; in a twist of fate, Russia is now the target of global hacking; another nasty Java zero-day bug has been found; leaked Cellebrite documents detail which iPhones they can hack into; Amazon and third parties are mining your Alexa requests for personal data; Microsoft is going to add a free VPN to its Edge browser; Facebook is pulling detailed user data from the US college financial aid site FAFSA; and apparently Facebook has no clue how to tell the source of all the data it collects (making it impossible to comply with privacy regulations); Google is now giving you a way to remove some person info from its searches; and Brave and DuckDuckGo are both blocking Google “AMP” links which collect data about the sites you visit. Article Links EFF Statement on the Declaration for the Future of the Internet https://www.eff.org/deeplinks/2022/04/eff-statement-declaration-future-internet  Declaration for the Future of the Internet: https://www.whitehouse.gov/wp-content/uploads/2022/04/Declaration-for-the-Future-for-the-Internet_Launch-Event-Signing-Version_FINAL.pdf  Russia Is Being Hacked at an Unprecedented Scale https://www.wired.co.uk/article/russia-hacked-attacks  Java Cryptography Implementation Mistake Allows Digital-Signature Forgeries https://www.schneier.com/blog/archives/2022/04/java-cryptography-implementation-mistake-allows-digital-signature-forgeries.html  Cellebrite iPhone cracking: Here’s which models the kit can unlock and access, and how to protect your data https://9to5mac.com/2022/04/29/cellebrite-iphone-cracking/  Report: Amazon and third parties use Alexa voice data for ads while Siri respects privacy https://9to5mac.com/2022/04/29/amazon-alexa-voice-data-used-for-ads/  Microsoft Is Adding a Free VPN to the Edge Browser https://www.pcmag.com/news/microsoft-is-adding-a-free-vpn-to-the-edge-browser  Go read this exposé on how FAFSA got caught sending personal info to Facebook https://www.theverge.com/2022/4/29/23048305/fafsa-facebook-department-of-education-us-student-financial-aid-meta-tracking-pixel  Applied for Student Aid Online? Facebook Saw You https://themarkup.org/pixel-hunt/2022/04/28/applied-for-student-aid-online-facebook-saw-you  Facebook doesn’t know what most of its user data is used for https://appleinsider.com/articles/22/04/27/facebook-doesnt-know-what-most-of-its-user-data-is-used-for  You can now ask Google to remove your phone number from search https://www.androidauthority.com/google-search-remove-phone-number-3158456/  Google request site: https://support.google.com/websearch/answer/9673730  Brave, DuckDuckGo updates target Google AMP sites in privacy push https://www.macworld.com/article/633804/brave-duckduckgo-updates-target-google-amp-sites-in-privacy-push.html  Which Is the Most Private Browser? https://firewallsdontstopdragons.com/which-is-the-most-private-browser/  Further Info Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

Google and Facebook will swear up and down that they do not sell your data. While technically true, they do sell access to your data. Basically, your data is private from everyone – but them. And that’s a crucial caveat. To have true privacy, you want to work with a company who has absolutely minimal access to your data. You want privacy by design. And this is not easy to do with a very old internet standard like email. Proton has been offering truly private email for almost a decade (ProtonMail) and over the years has added many other features like a VPN and calendar, making them a true privacy-respecting alternative to the likes of Google. Today I’ll speak with Proton’s founder and CEO, Dr. Andy Yen, about the importance of privacy as a human right and the delicate balance between privacy and the needs of law enforcement. I’ll ask him how to evaluate products for privacy and what can we can all do to bring about a better future where we can express ourselves freely. Dr. Andy Yen is the founder and CEO of Proton. He was a scientist at CERN, has a PhD in physics from Harvard University, and he has long worked to advance privacy and freedom online.  Further Info ProtonMail: https://protonmail.com/  Proton & SimpleLogin join forces: https://protonmail.com/blog/proton-and-simplelogin-join-forces/  Check out my security-enhancing challenge coins! https://d20key.com/#/ Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

When people don’t understand how something works, it can be easy to be afraid of the consequences of that thing not working right. And this also makes them ripe targets for being frightened by hucksters who will then happily sell them a solution for the problem. This was the trade of snake oil salesmen back in the day – selling cures for ailments that didn’t exist or that didn’t actually improve the consumer’s health. The realm of computers is rife with cybersecurity snake oil, as well, and one of the most lucrative products is a virtual private network (VPN) service. Today I’m going to help you understand just what a VPN is and (perhaps more importantly) what it is not. In other news: T-Mobile tried to buy their hacked customer data back (and failed); the feds have discovered a troubling and powerful new hacking toolkit for industrial control systems; 8 million Cash App users may have had their data exposed; Pegasus spyware was discovered on the devices of EU officials; a company is offering to install chips under your skin that will allow you to pay for stuff with your hand; a scathing article about a security failure by Wyze web cams; and hackers are using fake Emergency Data Requests to get your data from tech companies. Article Links T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed. https://www.vice.com/en/article/k7w9mv/tmobile-hacked-bought-data-mandiant  Feds Uncover a ‘Swiss Army Knife’ for Hacking Industrial Control Systems https://www.wired.com/story/pipedream-ics-malware/  Over 8 Million Cash App Users Potentially Exposed in a Data Breach After a Former Employee Downloaded Customer Information https://www.cpomagazine.com/cyber-security/over-8-million-cash-app-users-potentially-exposed-in-a-data-breach-after-a-former-employee-downloaded-customer-information/  Pegasus spyware hacked iPhones of senior EU officials, who were alerted by Apple https://9to5mac.com/2022/04/11/pegasus-spyware-hacked-iphones-of-senior-eu-officials/  The microchip implants that let you pay with your hand https://www.bbc.com/news/business-61008730  I’m done with Wyze https://www.theverge.com/23003418/wyze-cam-v1-vulnerability-no-patch-bitdefender-responsible-disclosure  Hackers Using Fake Police Data Requests against Tech Companies https://www.schneier.com/blog/archives/2022/04/hackers-using-fake-police-data-requests-against-tech-companies.html  VPNs are digital ‘snake oil,’ expert claims — here’s why https://www.tomsguide.com/news/vpn-big-claims-truth-shmoocon22  What a VPN Is (and Isn’t): https://firewallsdontstopdragons.com/what-a-vpn-is-and-isnt/  Further Info John Oliver on data brokers: https://www.youtube.com/watch?v=wqn3gR1WTcA  Mullvad VPN: https://mullvad.net/ IVPN: https://www.ivpn.net/ ProtonVPN: https://protonvpn.com/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ 

Today, most of us take the internet – and access to the internet – for granted. It’s ubiquitous. However, the current war in Ukraine has (hopefully) made us realize that things can change dramatically overnight. While we can always hope for the best, we should be at least minimally prepared for the worst. I’m not suggesting we all prepare for military invasion, but there are much more likely scenarios that might lead to power and communications infrastructure problems like bad storms, natural disasters, and even radical political shifts in democratic countries. Understanding the fundamentals of how our digital world works can help us be more resilient in the face of emergencies. Today I’ll be speaking with a lead cybersecurity instructor from the Tech Learning Collective about some lessons we can learn from the current Russia-Ukraine conflict and be better prepared for digital disruption. Further Info Tech Learning Collective: https://techlearningcollective.com/  How to Prepare for a Power Outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/  Download Wikipedia: https://wiki.kiwix.org/wiki/Content_in_all_languages  VulnHub downloadable, free CTFs: https://www.vulnhub.com/  Black Hills Infosec: https://www.blackhillsinfosec.com/  Crypto-Gram by Bruce Schneier: https://www.schneier.com/crypto-gram/  Code: The Hidden Language of Computer Hardware and Software:  https://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319  The Art of Exploitation: https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

I wrap up my de-Google project this week with two biggies: Google Drive and Google Docs. I decided to reduce my Google data footprint as one of my 2022 New Year’s resolutions, so I’ve done a ton of research to replace all the major Google services with privacy-respecting alternatives. My hope is that you can use this information to reduce your own Google data exposure (and help your friends and family, while you’re at it). In other news: UK police arrested seven people that may be tied to the Lapsus$ hacking group; the FCC has flagged Kaspersky software as a risk to national security; a very tricky new phishing technique tricks you into giving up your Facebook, Apple and Google credentials; an open-source software developer makes the dubious decision to target Russian users with “protestware”; the US passes a much-needed cybersecurity regulation (that takes way too long to come into effect); the Russia-based Yandex search engine is harvesting user details from many people, even those not using its search engine; app developers and cloud service providers are leaving your data lying around for anyone to find; and Google is testing its new tracking platform called Topics, which they will use to eventually replace third party cookies. Article Links UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang? https://nakedsecurity.sophos.com/2022/03/25/uk-police-arrest-7-hacking-suspects-have-they-bust-the-lapsus-gang/  FCC flags Russian cybersecurity firm Kaspersky as risk to national security https://mashable.com/article/fcc-bans-kaspersky-antivirus   This ‘browser in browser’ attack will steal your passwords — here’s how to avoid it https://www.tomsguide.com/news/bitb-phishing-attack Developer Sabotages Open-Source Software Package https://www.schneier.com/blog/archives/2022/03/developer-sabotages-open-source-software-package.html US Passes “Game-Changing” Cyber Incident Reporting Legislation https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/  Yandex is sending data harvested from millions of iOS users to Russia https://9to5mac.com/2022/03/29/yandex-is-sending-data-from-ios-users/  Your personal data is exposed to hackers — alarming report reveals mobile apps are not protecting your info https://www.laptopmag.com/news/your-personal-data-is-exposed-to-hackers-alarming-report-reveals-mobile-apps-are-not-protecting-your-info  Chrome’s “Topics” advertising system is here, whether you want it or not https://arstechnica.com/gadgets/2022/03/googles-topics-advertising-system-starts-rolling-out-to-chrome-canary/  De-Google My Life, Part 4: https://firewallsdontstopdragons.com/de-google-my-life-part-4  Further Info Crypotmator: https://cryptomator.org/ Sync.com: https://www.sync.com/  ONLYOFFICE: https://www.onlyoffice.com/  NextCloud: https://nextcloud.com/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker

Today I’m speaking with a fellow privacy evangelist: Henry from Techlore. Like me, Henry and his team are on a mission to teach regular, everyday people how to secure their data and improve their privacy. Henry and I have a frank discussion about the importance of privacy today and the struggles we have when deciding which privacy-oriented products to recommend. First of all, everyone’s privacy “threat model” is different. Second, many people still don’t understand the true impacts of privacy failures – to themselves and to society in general. Privacy isn’t just a “me” thing – it’s also very much a “we” thing. And if all of that weren’t enough, privacy advocates argue constantly (and often heatedly) about the proper litmus tests to use when evaluating privacy-oriented products. Today, Henry and I will discuss what frustrates us and what gives us hope in the highly nuanced realm of privacy. Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/  Techlore: https://techlore.tech/  Support Techlore! https://www.patreon.com/techlore Simple Login: https://simplelogin.io/ MySudo: https://mysudo.com/  Privacy.com: https://privacy.com/  Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

One of my New Year’s resolutions for 2022 is to reduce my Google footprint – to try to de-Google my life as best I can – and hopefully inspire you to do the same. In today’s show, I’ll talk about replacing Google’s many communications apps (Meet, Hangouts, Chat, Talk), Google Authenticator (the Kleenex of 2FA apps), Google Maps and Waze, and YouTube. In security and privacy news: ISPs in the UK are complaining about Apple’s Private Relay feature; the Federal Trade Commission has a new weapon to fight algorithmic data mining; if someone tricks you into sending them money via Zelle, your bank probably won’t give it back; Russia has issued a state-sponsored “trusted root CA” that could undermine privacy in Russia for a decade; the EFF weighs in on attempts to cut off Russia (and its citizens) from the internet; DuckDuckGo took a controversial step to down-rate Russian mis/disinformation in its search results; Google is mining info from receipts and invoices in your email; and Google is also mining data from your dialer and messaging apps on Android. Article Links UK Network Operators Target iCloud Private Relay in Complaint to Regulator https://www.macrumors.com/2022/03/13/uk-network-operators-target-icloud-private-relay/  The FTC’s new enforcement weapon spells death for algorithms https://www.protocol.com/policy/ftc-algorithm-destroy-data-privacy  Fraud is flourishing on Zelle. The banks say it’s not their problem. https://www.seattletimes.com/business/fraud-is-flourishing-on-zelle-the-banks-say-its-not-their-problem/  You Should Not Trust Russia’s New “Trusted Root CA” https://www.eff.org/deeplinks/2022/03/you-should-not-trust-russias-new-trusted-root-ca  Wartime Is a Bad Time To Mess With the Internet https://www.eff.org/deeplinks/2022/03/wartime-bad-time-mess-internet  DuckDuckGo down-ranks sites spreading Russian propaganda https://www.bleepingcomputer.com/news/technology/duckduckgo-down-ranks-sites-spreading-russian-propaganda/  Gmail tracking: Google keeps records of everything you buy. Here is how to delete this information. https://tutanota.com/blog/posts/gmail-tracks-everything-you-buy/  Google to make changes to apps after TCD study finds privacy issues https://www.irishtimes.com/business/technology/google-to-make-changes-to-apps-after-tcd-study-finds-privacy-issues-1.4826225  De-Google My Life, Part 3: https://firewallsdontstopdragons.com/de-google-my-life-part-3/ Further Info Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/  My Lock & Code podcast interview: https://blog.malwarebytes.com/podcast/2022/03/de-googling-carey-parkers-and-your-life-lock-and-code-s03e06/  Data Privacy for Cars: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/ 

We didn’t use to think too much about physical computer security because most computers were safely stored in our homes or businesses. But many people today use laptops which can be lost or stolen while traveling or toting them back and forth to work. Having physical access to a computer makes it much easier for bad guys to hack into them and steal our data. By “sniffing” the data signals on the wires in computer motherboards, bad guys can actually pull out security keys that would allow them to bypass encrypted hard drives and account authentication. To combat this, Microsoft’s Pluton project makes this data exfiltration much, much harder by embedding the security circuitry directly into the CPU chip where the “wires” are microscopic and embedded in plastic casings. Tony Chen is a software engineer and security architect in the Microsoft core operating systems team. He’s was the development lead responsible for Xbox One security that worked with the hardware team and AMD to successfully launch the Xbox One console in 2013 which has not been hacked for piracy or cheating for over 5 years. Further Info MIcrosoft’s Pluton project: https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/ Podcast 5th Anniversary Giveaway! https://firewallsdontstopdragons.com/5th-anniversary-giveaway/ Malwarebytes Lock & Code podcast: https://blog.malwarebytes.com/category/podcast/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/

As my de-Google project progresses, I realized that I skipped the most important step: reconnaissance. Before you can de-Google your life, you need to first make a list of the Google products and services you interact with – and not all of them have “Google” in their names. Google also owns YouTube, Waze, Nest, Fitbit, Chromebooks, and much more. Furthermore, you need to know and understand what information Google already knows about you. And while you’re doing that, you should delete all the existing data and prevent further collection. Thankfully, Google provides several tools to help you do this (most likely due to regulations like GDPR and CCPA). I’ll help you create your personal de-Google to-do list. In other news: today I’m launching a massive giveaway promotion to celebrate the 5th anniversary of the podcast!! Also, 100 million Samsung phones shipped with horrible security flaws; Nvidia hackers are pressuring the company to turn off cryptocurrency mining limitations; the (Russian) Conti and TrickBot ransomware operations have been hacked; details of 120,000 Russian soldiers in Ukraine have been leaked (on purpose); the US Senate has passed landmark cybersecurity legislation in light of the rising cyber warfare threat; and the ACLU has published a sobering report about a mass surveillance company called Flock (no relation to Google’s FLoC). Article Links 100 Million Samsung Phones Shipped With Flawed Encryption https://www.cpomagazine.com/cyber-security/100-million-samsung-phones-shipped-with-flawed-encryption-galaxy-s8-to-s21-series-cryptographic-keys-trivial-to-expose/  Nvidia Hackers Threaten to Release Mining-Limiter Killer https://www.tomshardware.com/news/nvidia-hackers-threaten-to-release-lhr-performance-limiter  Conti Ransomware source code leaked by Ukrainian researcher https://www.bleepingcomputer.com/news/security/conti-ransomware-source-code-leaked-by-ukrainian-researcher/  Details of ‘120,000 Russian soldiers’ leaked by Ukrainian media https://www.theregister.com/2022/03/02/russian_soldier_leaks/  Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments https://www.zdnet.com/article/senate-passes-cybersecurity-act-forcing-critical-infrastructure-orgs-to-report-cyberattacks-ransom-payments/  Fast-Growing Company Flock is Building a New AI-Driven Mass-Surveillance System https://www.aclu.org/report/fast-growing-company-flock-building-new-ai-driven-mass-surveillance-system  My De-Google Strategy: https://firewallsdontstopdragons.com/my-de-google-strategy/  Lawrence Lessig’s article: https://medium.lessig.org/crowdsourced-war-b5774c0ca7b5  Further Info 5th Anniversary Giveaway!! Details will be posted this week on my blog – keep your eye out on my main website! https://firewallsdontstopdragons.com/ Check out Techlore: https://techlore.tech/  Conti Ransomware report from Krebs On Security:  https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-i-evasion/  https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-ii-the-office/  https://krebsonsecurity.com/2022/03/conti-ransomware-group-diaries-part-iii-weaponry/  Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/ Become a Patron! https://www.patreon.com/FirewallsDontStopDragons  Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker Generate secure passphrases! https://d20key.com/#/