Firewalls Don't Stop Dragons Podcast

Carey Parker
Jan 3, 2022 • 1h 13min

The State of Kids’ Privacy

Navigating the online world today is hard enough as an adult. But it's way worse for kids. Not only are they short on the life experiences that would give them the context they need, but as students during a pandemic, their privacy rights are being sorely tested by new "edtech" apps and services. Today I speak with Jill Bronfman from Common Sense Media about their new report on the state of privacy for kids. Their research is quite comprehensive - and (spoiler alert) the results aren't great. Obviously, this report is helpful for parents, educators and policy makers - but much of what's covered here is useful knowledge for anyone. Jill Bronfman is Privacy Counsel at Common Sense Media and teaches Media Ethics and Privacy Law.

Further Info
2021 State of Kids' Privacy: https://www.commonsensemedia.org/research/state-of-kids-privacy-2021
Common Sense Media: https://www.commonsensemedia.org/
Common Sense Privacy Program: https://privacy.commonsense.org/
Boston COVID in the wastewater: https://www.msn.com/en-us/weather/topstories/how-fast-is-covid-surging-in-boston-this-chart-shows-the-spike-after-christmas/ar-AAShL4P
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Dec 27, 2021 • 1h 7min

The Best of 2021

We've come to the end of another year. As we take a breather and gather with family and friends for the holidays, it's a good time to look back over the year that just passed. I've collected a handful of snippets from some of my favorite shows from this year, along with a little commentary. If you're new to the show, you can catch up on some stuff you may have missed. Or if you'd like to introduce someone else to the podcast, this would be a great one to share. You can find all the original, full-length episodes using the links below.

Best Of Episodes
Ep206, Feb 8 - Troy Hunt, De-Platforming: https://podcast.firewallsdontstopdragons.com/2021/02/08/free-speech-deplatforming/
Ep214, Apr 5 - Phil Zimmermann, Social media is ruining society: https://podcast.firewallsdontstopdragons.com/2021/04/05/social-media-is-ruining-society
Ep219, May 10 - Alison Macrina, library freedom: https://podcast.firewallsdontstopdragons.com/2021/05/10/protecting-intellectual-freedom-part-1/
Ep232, Aug 9 - DEF CON - understanding hackers: https://podcast.firewallsdontstopdragons.com/2021/08/11/understanding-hackers-hacking/
Ep233, Aug 16 - DEF CON - Jeff Moss interview: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/
Ep235, Aug 30 - Morpheus - Todd Austin: https://podcast.firewallsdontstopdragons.com/2021/08/30/morpheus-securing-cpus-with-entropy/
Ep237, Sep 13 - Privacy for Cars - Andrea Amico: https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
Ep245, Nov 8 - Harri Hursti: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Ep200, Dec 27, 2020 - Bruce Schneier: https://podcast.firewallsdontstopdragons.com/2020/12/28/200th-podcast-new-years-2021/

Further Info
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Dec 20, 2021 • 1h 19min

The Log4Shell Debacle

The internet is on fire this week. The worst cybersecurity vulnerability of the last ten years (and perhaps more) has kicked the internet ant hill. Companies around the globe - big and small - are scrambling to repair a gaping hole in a ridiculously mundane but widely popular open source tool called Log4J. What is it, and what does it mean for you? I'll get into all of that today. In other news: many popular wireless home routers are riddled with security bugs (update your firmware now); family "safety" app Life360 is selling your detailed location data; Consumer Reports released a comprehensive report on VPN security and privacy; Firefox just got a lot more secure; LastPass is once again an independent company; Apple released a lot of cool security and privacy features for iOS and macOS; and Verizon just opted you into a program for tracking you - and how you can opt out. (I'll touch on T-Mobile and AT&T tracking, too.)

Article Links
Op-Ed: What a house cat can teach us about cybersecurity: https://www.latimes.com/opinion/story/2021-11-07/op-ed-what-a-house-cat-can-teach-us-about-cybersecurity
Nine WiFi routers used by millions were vulnerable to 226 flaws: https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/
The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users: https://themarkup.org/privacy/2021/12/06/the-popular-family-safety-app-life360-is-selling-precise-location-data-on-its-tens-of-millions-of-user
Consumer Reports exhaustive report on VPNs: https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/
The new Firefox 95 might be the most secure web browser on the market: https://www.techrepublic.com/article/the-new-firefox-95-might-be-the-most-secure-web-browser-on-the-market/
The Log4Shell 0-day, four days on: What is it, and how bad is it really? https://arstechnica.com/information-technology/2021/12/the-log4shell-zeroday-4-days-on-what-is-it-and-how-bad-is-it-really/
Widely-Used Kronos Payroll Provider Down for "Weeks" Due to Ransomware Attack; Was Log4Shell Involved? https://www.cpomagazine.com/cyber-security/widely-used-kronos-payroll-provider-down-for-weeks-due-to-ransomware-attack-was-log4shell-involved/
LastPass is going to become an independent company: https://www.theverge.com/2021/12/14/22833319/lastpass-independent-company-logmein
How to Use App Privacy Report in the iOS 15.2 Beta: https://www.macrumors.com/guide/app-privacy-report/
iOS 15.2 Beta 2 Lets Your Family Access Your Data If You Pass Away: https://www.macrumors.com/2021/11/09/ios-15-2-legacy-contact/
Hide My Email Available in Mail App With New iOS 15.2 and macOS Monterey 12.1 Betas: https://www.macrumors.com/2021/11/09/macos-monterey-12-1-beta-2-hide-my-email/
iOS 15.2 Beta Adds Messages Communication Safety Feature for Kids: https://www.macrumors.com/2021/11/09/apple-messages-communication-safety-ios-15-2/
Verizon May Have Just Enrolled You in a Data-Collection Scheme - Here's How to Get Out: https://gizmodo.com/verizon-may-have-just-enrolled-you-in-a-data-collection-1848156157

Further Info
Still looking for holiday gifts? https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Dec 13, 2021 • 55min

End Run Around Your Rights

The rampant collection and sharing of personal data is not just a creepy nuisance. Surveillance capitalism has actually had seriously deleterious effects on society and democracy. In the United States, we have certain rights enshrined in the Constitution that are supposed to protect citizens against unreasonable search and seizure. Law enforcement and intelligence agencies are supposed to have to jump through some non-trivial legal hoops in order to access our personal data. But with a massive market for gathering and correlating your location, purchase history, web surfing habits, search history, and more, it's become trivial to circumvent these pesky road blocks by just buying the information from data brokers. In an important and landmark report from the Center for Democracy and Technology, the end run around our supposed rights has become frighteningly clear. Today I speak with Dhanaraj Thakur about this report and what it means for our democracy. Dhanaraj Thakur is Research Director at the Center for Democracy & Technology, where he leads research that advances human rights and civil liberties online.

Further Info
CDT Report on Legal Loopholes: https://cdt.org/insights/report-legal-loopholes-and-data-for-dollars-how-law-enforcement-and-intelligence-agencies-are-buying-your-data-from-brokers/
Center for Democracy & Technology: https://cdt.org/
Patriot Act Turns 20 panel discussion: https://www.youtube.com/watch?v=xaUIvxLdGCQ
My particular question at the panel: https://www.youtube.com/watch?v=xaUIvxLdGCQ&t=4783s
Best & Worst Gifts Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Dec 6, 2021 • 1h 2min

Defending Democracy with Technology

Transparency is critical when it comes to trust - and right now, particularly in the United States, we're having some real issues with trust in our elections. Most of our election systems today are completely opaque in terms of their hardware and software design because they're made by private companies who want to protect their intellectual property. But this secrecy also seriously impedes independent third parties from being able to test and verify these devices that are crucial to our democracy, and therefore contributes to the distrust in our election outcomes. Microsoft is working to change this with a program called ElectionGuard - a free and open source software framework that would allow any company (existing or new) to create robust and secure election systems. Not only can security researchers, journalists and democracy activists review and test the code, but the system actually provides technical capabilities that would give voters and watchdog groups a secure and private method for verifying that all votes were counted correctly. And that's just part of what Microsoft is doing to defend democratic processes as part of their Democracy Forward program. Ethan Chumley is a Senior Security Strategist for Microsoft's Democracy Forward Program, leading the team's Critical Institution cybersecurity programs. He works at the intersection of cybersecurity, policy, and technology in support of open and secure elections by working with political campaigns, elections organizations, think tanks, NGOs, disinformation researchers, and tech industry partners.

Further Info
Microsoft ElectionGuard: https://www.electionguard.vote/
Microsoft's Democracy Forward program: https://news.microsoft.com/on-the-issues/topic/defending-democracy-program/
Contact Microsoft about ElectionGuard: electionguard@microsoft.com
Contact Microsoft about protecting elections: protectelections@microsoft.com
ElectionGuard code: https://github.com/microsoft/electionguard
Harri Hursti interview: https://podcast.firewallsdontstopdragons.com/2021/11/08/restoring-trust-in-our-elections/
Article on brute forcing debit card numbers: https://www.techspot.com/news/92476-hackers-brute-force-guessing-payment-card-numbers-there.html
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Nov 29, 2021 • 1h 8min

My Debit Card Was Hacked

Credit cards are more secure than debit cards. I've said this in my book, my podcast, my blog and my seminars. Credit card transactions are loans - you're not out any money if a fraudulent charge comes through (assuming you or the credit card company catches it first). With debit cards, any fraud activity will actually take your money from your account - it's gone and you have to convince your bank to give it back. And so, I almost never use my debit card. And yet, I was still hacked. My card wasn't stolen or cloned with a skimmer. The number wasn't leaked in a hack. The bad guys somehow managed to guess my card number. And then they got clever and drained my bank account. I'll give you the details today and give you some pointers for avoiding being bitten the same way I was. In other news: bad guys have come up with some very clever ways to drain your bank accounts using Zelle and text messages; they've also used similar techniques to disable the Find My feature on stolen iPhones; Apple is suing Israeli hacking company NSO Group over their Pegasus spyware; attackers apparently don't try guessing passwords longer than about 10 characters; GoDaddy admits to a major breach, but in a dumb way; there's a nasty new Windows bug that was given up by an upset security researcher; there's a powerful IoT malware that appears to be lurking on the internet; Microsoft Windows is doing some shady stuff to force you to use the Edge browser and give up your data; and Vizio makes more money off your TV data than off the TV itself.

Article Links
The 'Zelle Fraud' Scam: How it Works, How to Fight Back: https://krebsonsecurity.com/2021/11/the-zelle-fraud-scam-how-it-works-how-to-fight-back/
iPhone thieves are using this trick to disable Find My on stolen devices: https://www.imore.com/iphone-thieves-are-using-trick-disable-find-my-stolen-devices
Apple sues NSO Group for attacking iPhones with Pegasus spyware: https://www.theverge.com/2021/11/23/22798917/apple-nso-group-spyware-pegasus-cybersecurity-research
Apple will alert users exposed to state-sponsored spyware attacks: https://appleinsider.com/articles/21/11/25/apple-will-alert-users-exposed-to-state-sponsored-spyware-attacks
Attackers don't bother brute-forcing long passwords: https://therecord.media/attackers-dont-bother-brute-forcing-long-passwords-microsoft-engineer-says/
GoDaddy admits to password breach: check your Managed WordPress site! https://nakedsecurity.sophos.com/2021/11/23/godaddy-admits-to-password-breach-check-your-managed-wordpress-site/
New Windows zero-day with public exploit lets you become an admin: https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/
This mysterious malware could threaten millions of routers and IoT devices: https://www.zdnet.com/article/this-mysterious-malware-could-threaten-millions-of-routers-and-iot-devices/
Microsoft Enables Edge Sync By Default, Hoovering Up Your Data in the Process: https://www.extremetech.com/computing/329162-microsoft-enables-edge-sync-by-default-hoovering-up-your-data-in-the-process?source=Computing
Vizio is making more money selling your data than it is selling TVs: https://knowtechie.com/vizio-is-making-more-money-selling-your-data-than-it-is-selling-tvs/
My Debit Card Was Hacked: https://firewallsdontstopdragons.com/my-debit-card-was-hacked/

Further Info
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate: https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Nov 22, 2021 • 1h 16min

Security Requires Privacy

When you think about improving your privacy and protecting your personal information, it's important to realize that it will also improve your security. According to Craig Danuloff, CEO of The Privacy Co. and maker of the Priiv app, privacy harms fall into at least four different buckets: personal data leaks (embarrassment and reputation harm), online tracking (targeted ads and manipulation), financial accounts (including fraud and identity theft), and harassment (stalking, bullying, even physical threats). Today Craig will offer his opinions on the state of privacy today and provide several of his top tips for protecting your privacy and increasing your security. Craig Danuloff is a technology entrepreneur who has founded a series of tech companies including desktop publishing, e-commerce, ad-tech, identity, and now consumer privacy. Craig is a graduate of the University of Colorado Leeds School of Business, and the author of over 20 computer books.

Further Info
Priiv app: https://www.theprivacy.co/priiv
HUGE sale on my book! 9.99/6.99: https://link.springer.com/book/10.1007/978-1-4842-6189-7
Give Thanks and Donate: https://firewallsdontstopdragons.com/give-thanks-donate/
Best & Worst Gift Guide for 2021: https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Nov 15, 2021 • 53min

Best & Worst Gifts for 2021

The gift-giving season is officially upon us, and with COVID supply chain issues, if you're going to order gifts, you need to get on it. And in today's show, I'll share the highlights of my annual Best & Worst Gift Guide where I focus on the privacy and security of popular gifts. You won't be surprised at a lot of the items on my naughty list, but I'll bet you'll find some interesting ideas from the nice list that you can give your loved ones this holiday season. I will also cover several news items - many of them actually good news! A new bipartisan bill would allow people to disable news feeds based on algorithms; Apple has dialed back some of its well-intentioned but poorly-implemented child safety features; Facebook will remove many sensitive categories for targeted ads and stop using facial recognition; several people associated with the Kaseya ransomware hack have been arrested; and 23andMe's DNA database (your DNA) may be leveraged for a lucrative pharmaceutical business.

Article Links
New bipartisan bill takes aim at algorithms: https://www.axios.com/algorithm-bill-house-bipartisan-5293581e-430f-4ea1-8477-bd9adb63519c.html
Apple Has Listened And Will Retract Some Harmful Phone-Scanning: https://www.eff.org/deeplinks/2021/11/apple-has-listened-and-will-retract-some-harmful-phone-scanning
Facebook-parent Meta will remove the ability to target ads based on sensitive categories: https://www.cnn.com/2021/11/09/tech/meta-facebook-ad-targeting-change/index.html
Facebook shutting down face recognition efforts & deleting data: https://appleinsider.com/articles/21/11/02/facebook-shutting-down-face-recognition-efforts-deleting-data
Meta to continue use of facial recognition technology: https://appleinsider.com/articles/21/11/04/meta-to-continue-use-of-facial-recognition-technology
Kaseya ransomware suspect nabbed in Poland, $6m seized from absent colleague: https://nakedsecurity.sophos.com/2021/11/08/kaseya-ransomware-suspect-nabbed-in-poland-6m-seized-from-absent-colleague/
All Those 23andMe Spit Tests Were Part of a Bigger Plan: https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs

Further Info
My annual Best & Worst Gift Guide is out for 2021! https://firewallsdontstopdragons.com/best-worst-gifts-2021/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Nov 8, 2021 • 1h 25min

Restoring Trust in Our Elections

Nothing is arguably more fundamental to a democracy than voting. But it's not enough to have a secure election. The electorate also needs to trust that the results are valid. In the United States today, that trust is in short supply - many people believe that the 2020 election was rigged. On one hand, many of our electronic voting systems are demonstrably insecure and trivially capable of being hacked. On the other, our cybersecurity experts, government agencies and election officials are telling us that the 2020 election was one of the most secure in US history and voter fraud almost never happens. So which is it? How do we reconcile these two seemingly incongruent positions? Today I'll ask these questions and more of computer and election security guru Harri Hursti. Harri has investigated and hacked several popular election systems used in the US and runs the Voting Machine Hacking Village at the annual DEF CON hacking conference. He's also officially observed many elections around the world and participated in several high profile audits. As if that weren't enough, Harri's been featured in two separate HBO documentaries on election security and is co-founder of the Election Integrity Foundation. I met Harri at DEF CON 29 and I was thrilled when he agreed to come on the show. 
Further Info
Harri Hursti: https://en.wikipedia.org/wiki/Harri_Hursti
Election Integrity Foundation: https://electionintegrityfoundation.org/
California voting system review ("top to bottom"): https://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review
Ohio voting system review ("Everest"): https://www.eac.gov/documents/2017/03/21/everest-report-state-voting-systems-voting-technology
New Hampshire election audit: http://doj.nh.gov/sb43/documents/20210713-sb43-forensic-audit-report.pdf
Kill Chain: The Cyber War on America's Elections (HBO documentary, 2020): https://www.hbo.com/documentaries/kill-chain-the-cyber-war-on-americas-elections
Hacking Democracy (HBO documentary, 2006): https://www.youtube.com/watch?v=b_gb_w_L9NE
Election Administration and Voting Survey 2020: https://www.eac.gov/research-and-data/studies-and-reports
Voluntary Voting System Guidelines: https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines
CISA, Election Security Rumor vs Reality: https://www.cisa.gov/rumorcontrol
2020 election security reports: https://www.brennancenter.org/our-work/research-reports/its-official-election-was-secure
DEF CON 25 Voting Machine Hacking Village Report: https://archive.org/download/DEFCON25VotingVillageReport/DEF%20CON%2025%20voting%20village%20report.pdf
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
Nov 1, 2021 • 1h 6min

Spooky Security Stories

There were lots of scary computer security and privacy stories in the news this week, coinciding nicely with Halloween. We'll start off with an unfortunate new cybersecurity term: killware. This is software whose end result is actual physical harm to human beings, including death. Sadly, this is now a thing. And I don't know about you, but Mark Zuckerberg's vision of the future (the "metaverse") is pretty damn scary, too. In other news: a hacker seems to have stolen the government identity information for every person in Argentina; a New York Times journalist explains how his iPhone has been hacked multiple times by the NSO Group and what he does to protect himself (and his sources); the FBI, the Secret Service and other "like-minded countries" seem to have finally taken down the REvil ransomware gang for good; Facebook has changed its name to "Meta"; link previews in chat apps can actually cause serious security and privacy problems; Delta Airlines and UK schools are normalizing the use of facial recognition for mundane purposes; your ISP is collecting tons of information about you in the US because we let them; and finally, I demystify and debunk the "dangers" of QR codes. 
Article Links
Killware: What You Need to Know: https://adamlevin.com/2021/10/15/killware-what-you-need-to-know/
Hacker steals government ID database for Argentina's entire population: https://therecord.media/hacker-steals-government-id-database-for-argentinas-entire-population/
NYT journalist describes his iPhone being hacked, and the precautions he now takes: https://9to5mac.com/2021/10/25/nyt-journalist-describes-his-iphone-being-hacked-and-the-precautions-he-now-takes/
FBI, others crush REvil using ransomware gang's favorite tactic against it: https://arstechnica.com/tech-policy/2021/10/fbi-others-crush-revil-using-ransomware-gangs-favorite-tactic-against-it/
Facebook changes its name to Meta: https://www.inc.com/jason-aten/5-things-mark-zuckerberg-said-about-his-plan-for-metaverse-that-should-make-you-very-worried.html
Link Previews in Popular Messaging Apps May Lead to Security Vulnerabilities: https://www.macrumors.com/2020/10/26/link-previews-may-lead-to-security-vulnerabilities/
Delta Air Lines partners with TSA PreCheck to launch biometrics-based bag drops: https://finance.yahoo.com/news/delta-air-lines-partners-tsa-164655619.html
UK schools are using facial recognition to take pupils' lunch money: https://www.theverge.com/2021/10/18/22732330/uk-schools-facial-recognition-lunch-payments-north-ayrshire
Location Data Firm Got GPS Data From Apps Even When People Opted Out: https://www.vice.com/en/article/5dgmqz/huq-location-data-opt-out-no-consent
Internet service providers have so much data on you: https://www.protocol.com/policy/isp-ftc-data
Beware QR Code... Articles: https://firewallsdontstopdragons.com/beware-qr-code-articles/

Further Info
Only ONE DAY LEFT to snag your challenge coin!! The promotion ends at 11pm Eastern Time on Tuesday, November 2nd! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/
