
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
Latest episodes

Sep 6, 2021 • 60min
Privacy Matters
For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters.
Of course, I'll also cover several security-related topics this week: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming child porn; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone.
Article Links
Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do: https://www.tomsguide.com/news/steelseries-windows-privilege-escalation
Microsoft Azure cloud vulnerability is the ‘worst you can imagine’: https://www.theverge.com/2021/8/27/22644161/microsoft-azure-database-vulnerabilty-chaosdb
Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role: https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html
Australia Considers Social Media ID Requirement: https://www.infosecurity-magazine.com/news/australia-considers-social-media
Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies: https://www.businessinsider.com/google-locks-afghan-government-email-accounts-to-block-taliban-report-2021-9
Opinion: It’s dangerously stupid to put your state ID in your Apple Wallet: https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-wallet
Millions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know: https://www.tomsguide.com/news/braktooth-bluetooth-flaws
Apple cares about privacy, unless you work at Apple: https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
Apple backs down on CSAM features, postpones launch: https://appleinsider.com/articles/21/09/03/apple-backs-dow
Victory! Federal Trade Commission Bans Stalkerware Company from Conducting Business: https://www.eff.org/deeplinks/2021/09/victory-federal-trade-commission-bans-stalkerware-company-conducting-business
‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought back: https://www.theguardian.com/world/2021/sep/04/surveillance-state-september-11-panic-made-us-vulnerable
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 30, 2021 • 1h 4min
Morpheus: Securing CPUs with Entropy
Computers are supposed to be completely predictable. When you tell a computer to do something, it should do exactly that - over and over again, if necessary - in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer's processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer's processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body's immune system.
Todd Austin is a Professor of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor. His research interests include computer architecture, robust and secure system design, hardware and software verification, and performance analysis tools and techniques. Todd is also co-founder of Agita Labs, a startup developing privacy-enhanced computation technologies that help ease the tension between data discovery and personal privacy.
Further Info
Morpheus article: https://spectrum.ieee.org/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers
Morpheus video: https://www.youtube.com/watch?v=v2mLm2QqsVo
DARPA SSITH program: https://www.darpa.mil/program/ssith
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 23, 2021 • 1h 24min
Beware the Four Horsemen
How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children.
In other news: Both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft's PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to new attacks; Facebook is trying to help Afghans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible with random numbers, and that's a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk.
Article Links
Blocking the Exploitation of PrintNightmare: https://securityboulevard.com/2021/08/blocking-the-exploitation-of-printnightmare/
Disabling your Print Spooler (see “Workarounds”): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Millions of home Wi-Fi routers under attack by botnet malware: https://www.tomsguide.com/news/arcadyan-router-malware
SEE ALSO: Router Security: https://routersecurity.org/
T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers: https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-100-million-customer-data-records-compromised-including-social-security-drivers-license-unique-device-numbers/
Hacker Selling Private Data Allegedly from 70 Million AT&T Customers: https://restoreprivacy.com/att-data-breach-70-million-customers/
Millions of Web Camera and Baby Monitor Feeds Are Exposed: https://www.wired.com/story/kalay-iot-bug-video-feeds/
Secret terrorist watchlist with 2 million records exposed online: https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan: https://www.nytimes.com/2021/08/20/world/asia/afghanistan-facebook.html
Web apps have become so complex that they're unsafe to use, researchers say: https://www.tomsguide.com/news/unsafe-web-apps-oauth
DEFCON “You’re doing IoT RNG” paper: https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng
Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope: https://daringfireball.net/2021/08/apple_child_safety_initiatives_slippery_slope
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous: https://www.washingtonpost.com/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/
Open letter to Apple from 90+ world orgs: https://cdt.org/insights/international-coalition-calls-on-apple-to-abandon-plan-to-build-surveillance-capabilities-into-iphones-ipads-and-other-products/
Tell Apple not to scan our phones: https://act.eff.org/action/tell-apple-don-t-scan-our-phones
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to ...

Aug 16, 2021 • 1h 4min
On a Dark Tangent
Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss - also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside.
Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
Privacy is Power, book by Carissa Véliz: https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151
My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/
The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 11, 2021 • 1h 32min
Understanding Hackers & Hacking
What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.
Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEFCON 29: https://defcon.org/html/defcon-29/dc-29-index.html
DEFCON 29 media: https://media.defcon.org/DEF%20CON%2029/
Making the DEF CON 29 Badge: https://www.youtube.com/watch?v=H3kdq40PY3s
Soundtrack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20music/
Preparing for Hacker Summer Camp: https://theplaceboeffects.wordpress.com/2019/07/13/preparing-for-hacker-summer-camp/
Hack-A-Day badge article: https://hackaday.com/2021/08/05/hands-on-def-con-29-badge-embraces-the-new-normal/
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com: https://hackerboxes.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Generate secure passphrases! https://d20key.com/#/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker

Aug 2, 2021 • 1h 32min
Selling You Out to the Highest Bidder
Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you.
Dr Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan worked in adtech, media, and policy. His previous roles included Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA).
Further Info:
Irish Council for Civil Liberties lawsuit: https://www.iccl.ie/rtb-june-2021/
Johnny Ryan: https://www.iccl.ie/staff/dr-johnny-ryan/
IAB Audience Taxonomy: https://www.iab.com/guidelines/audience-taxonomy/
IAB Content Taxonomy: https://www.iab.com/guidelines/content-taxonomy/
OpenRTB 3.0 spec: https://github.com/InteractiveAdvertisingBureau/openrtb
Browser plugin: https://chrome.google.com/webstore/detail/bidfilter-header-bidding/addamgcbhieigmdmmaooppajdocgggck
FTC’s data broker report from 2014: Data Brokers: A Call for Transparency and Accountability
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 26, 2021 • 59min
Guard Your Digital Rolodex
Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change anymore - meaning that each one is an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists.
In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; the REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymous data sets.
Article Links
Apple fixes bug that breaks iPhone WiFi when joining rogue hotspots: https://www.bleepingcomputer.com/news/security/apple-fixes-bug-that-breaks-iphone-wifi-when-joining-rogue-hotspots/
Revil Ransomware Group Missing From Dark Web; Temporary Vacation, or Permanently Out of Business?: https://www.cpomagazine.com/cyber-security/revil-ransomware-group-missing-from-dark-web-temporary-vacation-or-permanently-out-of-business/
The Kaseya Ransomware Nightmare Is Almost Over: https://www.wired.com/story/kaseya-ransomware-nightmare-is-almost-over/
Takeaways from the Pegasus Project: https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/
How to Protect Yourself From the New Windows 10 and 11 Security Bug: https://lifehacker.com/how-to-protect-yourself-from-the-new-windows-10-and-11-1847338342
Venmo removes its global, public feed as part of a major redesign: https://techcrunch.com/2021/07/20/venmo-removes-its-global-public-feed-in-a-significant-app-redesign/
The FBI Is Locating Cars By Spying On Their WiFi: https://www.forbes.com/sites/thomasbrewster/2021/07/22/the-fbi-is-using-stingray-smartphone-surveillance-to-locate-cars-and-spy-on-their-wifi/?sh=113ea16335c8
Inside the Industry That Unmasks People at Scale: https://www.vice.com/en/article/epnmvz/industry-unmasks-at-scale-maid-to-pii
A priest’s phone location data outed his private life. It could happen to anyone.: https://www.washingtonpost.com/technology/2021/07/22/data-phones-leaks-church/
Connected cars: What happens to your data after you leave your rental car behind?: https://www.zdnet.com/article/connected-cars-what-happens-to-your-data-after-you-leave-your-rental-car/
Privacy International 2017 study: http://privacyinternational.org/sites/default/files/2017-12/cars_briefing.pdf
Further Info
Who’s making money on ransomware? https://ransomwhe.re/
No More Ransom: https://www.nomoreransom.org/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 19, 2021 • 1h 10min
It’s Time to Drop the SBOM
The first step to solving any problem is gathering as much information as you can. Unfortunately, today we're basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles - knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there's a safety issue. This is not true for software makers... yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to change that.
Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, which is part of the US Department of Commerce. There he coordinates cross-sector efforts to address key challenges in the cybersecurity ecosystem.
Further Info
NTIA’s SBOM website: https://www.ntia.gov/sbom
Twitter #SBOM: https://twitter.com/search?q=%23SBOM
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 12, 2021 • 1h
How to Keep Ransomware at Bay
Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself.
In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cookies for at least two years; a Microsoft exec tells the US Congress about how law enforcement and intelligence agencies make thousands of gag-order-restricted demands for data every year; a research group discovers that an old cell phone encryption standard was intentionally weakened to allow easier cracking; Microsoft's PrintNightmare bug is still not fully patched and the back story is a comedy of errors; and with hurricane season upon us, I'll point you to some great tips on preparing for power outages.
Article Links
A popular password manager screwed up, but there's an easy fix: https://mashable.com/article/kaspersky-password-manager-security-bug
Brazilian iPhone thieves demonstrate importance of responsible password practices: https://appleinsider.com/articles/21/07/07/brazilian-iphone-thieves-demonstrate-importance-of-responsible-password-practices
Why Google Can't Bring Itself to Make the Internet Respect Your Privacy: https://www.inc.com/jason-aten/why-google-cant-bring-itself-to-make-internet-respect-your-privacy.html
Microsoft exec: Targeting of Americans’ records ‘routine’: https://apnews.com/article/government-and-politics-technology-business-ed50baf4ffb09ca50cda9b8a262c54ad
Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened: https://www.vice.com/en/article/4avnan/bombshell-report-finds-phone-network-encryption-was-deliberately-weakened
PrintNightmare official patch is out – update now?: https://nakedsecurity.sophos.com/2021/07/07/printnightmare-official-patch-is-out-update-now/
Up to 1,500 businesses infected in one of the worst ransomware attacks ever: https://arstechnica.com/gadgets/2021/07/up-to-1500-businesses-infected-in-one-of-the-worst-ransomware-attacks-ever/
Further Info
Microsoft PrintNightmare patch: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
CISA, FBI share guidance for victims of Kaseya ransomware attack: https://www.bleepingcomputer.com/news/security/cisa-fbi-share-guidance-for-victims-of-kaseya-ransomware-attack/
Ransomware Defense: Top 5 Things to Do Right Now: https://threatpost.com/ransomware-defense-top-5-tips/167536/
How to prepare for a power outage: https://firewallsdontstopdragons.com/how-to-prepare-for-power-outage/
How to safely download software: https://firewallsdontstopdragons.com/how-to-safely-download-software/
Sign up for the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jul 5, 2021 • 1h 11min
Make That Shaken AND Stirred
Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "Stir" ("secure telephone identity revisited") and "Shaken" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well.
Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are vulnerable to a nasty BIOS attack; many users of the old WD My Book Live storage drives have had all their data erased; the REvil ransomware gang has attacked at least 200 companies with a new supply chain hack; Microsoft tries and fails miserably to fix a bad print server bug ("PrintNightmare"); Russian hackers are constantly trying to brute force your bad passwords; and finally, the USA's CISA is warning manufacturers of ThroughTek devices about an exploitable vulnerability in several webcams and IoT devices.
Article Links
Data Scraping Yields 700 Million LinkedIn Profiles for Sale on Dark Web; About 92% Of Platform Users, but Mostly Public Information: https://www.cpomagazine.com/cyber-security/data-scraping-yields-700-million-linkedin
Beware! Connecting to This Wireless Network Can Break Your iPhone's Wi-Fi Feature: https://thehackernews.com/2021/06/beware-connecting-to-this-wireless.html
30M Dell Devices at Risk for Remote BIOS Attacks, RCE: https://threatpost.com/dell-bios-attacks-rce/167195/
Western Digital My Book Live devices being remotely wiped by attackers: https://appleinsider.com/articles/21/06/25/western-digital-my-book-live-devices-being-remotely-wiped-by-attackers
REvil ransomware hits 200 companies in MSP supply-chain attack: https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/
How to Avoid Windows' 'PrintNightmare' Security Threat: https://lifehacker.com/how-to-avoid-windows-printnightmare-security-threat-1847221653
Russian Hackers Are Trying to Brute-Force Hundreds of Networks: https://www.wired.com/story/fancy-bear-russia-brute-force-hacking/
CISA warns manufacturers of ThroughTek vulnerability (webcams): https://www.zdnet.com/article/cisa-warns-manufacturers-of-throughtek-vulnerability/
Robocalls are out of control. But that could all change today: https://www.cnet.com/news/robocalls-are-out-of-control-but-that-could-all-change-today/
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/