

Firewalls Don't Stop Dragons Podcast
Carey Parker
A Podcast on Computer Security & Privacy for Non-Techies

Oct 25, 2021 • 1h 15min
Through the Past, Privately: PGP Turns 30
Today, we're surrounded by strong encryption. Thanks to efforts like Let's Encrypt, almost all web communications today are encrypted. And thanks to wonderful private communication tools like Signal, we can share private thoughts instantly and securely with anyone on the planet. But this was not always the case. This secure, private, encryption-enabled future we're living in now was far from certain 30 years ago when Phil Zimmermann created and freely released his email encryption tool Pretty Good Privacy (PGP). If not for Phil and a handful of others, we could very easily have lost the Crypto Wars of the 1990s, and authoritarian mass surveillance could have been the norm.
In today's show, Phil and I walk through the creation of PGP, the technological and political climate of that day, and the nerve-racking few years where Phil faced potential jail time for releasing "munitions grade" encryption to the world. We'll also discuss the literally life-saving impacts PGP has had over these last 30 years and how global law enforcement agencies and liberal democratic governments have revived the Crypto Wars.
Phil Zimmermann is the creator of Pretty Good Privacy, which is still widely regarded as the gold standard for secure email communication. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame.
Further Info
Phil Zimmermann’s website: https://philzimmermann.com/
Phil’s announcement for the 30th anniversary of PGP: https://philzimmermann.com/EN/news/index.html
PGP Web of Trust: https://en.wikipedia.org/wiki/Web_of_trust
SNL Bass-o-matic skit: https://www.nbc.com/saturday-night-live/video/bassomatic/n8631
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only ONE WEEK LEFT to snag your challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 18, 2021 • 1h 10min
Rough Week for Facebook
Facebook had a horrible, no-good, very bad week. Not only did Facebook, Instagram and WhatsApp go completely offline for about six hours, a whistleblower came forward to show the world what most of us already knew: Facebook values money over its users' well being. And I have another story that backs that up, as well - one that you almost surely did not hear about.
In other news: the FTC tells app makers to fess up when users' private data gets loose; the governor of Missouri wants to sue a newspaper for revealing a horrible security flaw that exposed teachers' Social Security numbers; Apple's attempts to prevent user tracking on iOS are being undermined by unscrupulous apps; a company that you've never heard of, with access to almost all cellular text messages, was hacked over the course of five years; the VPN maker and VPN review industries are awash in conflicts of interest; Windows 11 is finally out, but it's not clear whether you should upgrade to it; and Firefox is searching for more ways to make money and stay alive, including adding more sponsored search suggestions for you to consider.
Article Links
FTC says health apps must notify consumers about data breaches — or face fines https://techcrunch.com/2021/09/16/ftc-says-health-apps-must-notify-consumers-if-their-data-is-breached-or-face-fines/
Missouri Governor Vows to Prosecute St. Louis Post-Dispatch for Reporting Security Vulnerability https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/
Investigation Finds Apple App Tracking Rules May Be Ineffective; IDFA Blocked, but Apps Frequently Access Other Identifiers https://www.cpomagazine.com/data-privacy/investigation-finds-apple-app-tracking-rules-may-be-ineffective-idfa-blocked-but-apps-frequently-access-other-identifiers/
Company That Routes Billions of Text Messages Quietly Says It Was Hacked https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked
Consolidation of the VPN industry spells trouble for the consumer https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/
Facebook has finally given a reason for the six-hour outage Monday https://www.theverge.com/2021/10/4/22709806/facebook-says-the-six-hour-outage
Understanding How Facebook Disappeared from the Internet: https://blog.cloudflare.com/october-2021-facebook-outage/
Facebook bans developer behind Unfollow Everything tool https://www.theverge.com/2021/10/8/22716044/facebook-unfollow-everything-tool-louis-barclay-banned-for-life
Facebook whistleblower Frances Haugen tells lawmakers that meaningful reform is necessary ‘for our common good’ https://www.washingtonpost.com/technology/2021/10/05/facebook-senate-hearing-frances-haugen/
Windows 11 compatibility: Check if your PC meets Microsoft's requirements https://www.cnet.com/tech/computing/windows-11-compatibility-check-if-your-pc-meets-microsofts-requirements/
Firefox Now Sends Your Address Bar Keystrokes to Mozilla https://www.howtogeek.com/760425/firefox-now-sends-your-address-bar-keystrokes-to-mozilla/
BONUS: Trust, but verify: An in-depth analysis of ExpressVPN's terrible, horrible, no good, very bad week https://www.zdnet.com/article/trust-but-verify-an-in-depth-analysis-of-expressvpns-terrible-horrible-no-good-very-bad-week/
Further Info
National Cybersecurity Awareness Month resources: https://www.cisa.gov/cybersecurity-awareness-month-resources
Only two weeks left to snag a challenge coin!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 11, 2021 • 1h 19min
Privacy Dynamic Duo
Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time?
NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!)
Michelle Dennedy was the first CPO for many global IT infrastructure companies including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online and CEO at a Privacy Engineering startup in stealth mode. She is the co-author of The Privacy Engineer’s Manifesto and The Privacy Engineer’s Companion.
Melanie Ensign is the CEO of Discernible, helping cybersecurity & privacy teams better communicate with business leaders and consumers. She is also part of the DEF CON leadership team.
Further Info
Discernible: https://discernibleinc.com/
Privatus: https://privatus.online/
The Privacy Engineer’s Manifesto: https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555
The Rise of Privacy Tech (TROPT): https://www.riseofprivacytech.com/
Privacy is Power (book): https://firewallsdontstopdragons.com/privacy-is-power-review/
The Social Dilemma: https://www.thesocialdilemma.com/
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 4, 2021 • 1h 8min
iOS 15 Privacy & Security Features
I admit it. I'm an Apple fan. Are they perfect? Definitely not. But in most cases, they're actually trying to be good. And at the end of the day, their business model doesn't rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it's got some really cool security and privacy features. I'll tell you all about them in today's show.
In other news: thousands of Netgear routers can be hacked via a Disney parental control feature even if you didn't ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a "passwordless" login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere - because HTTPS is now already everywhere; Amazon's new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US.
Article Links
National Cybersecurity Awareness Month, Week #1: Own your role in cybersecurity https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf
Thousands of Netgear routers can be hacked — here's what to do https://www.tomsguide.com/news/netgear-router-circle-patches
Researcher drops three iOS zero-days that Apple refused to fix https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/
ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move https://theintercept.com/2021/09/21/surveillance-social-media-police-microsoft-shadowdragon-kaseware/
The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous https://www.vice.com/en/article/93ypke/the-nsa-and-cia-use-ad-blockers-because-online-advertising-is-so-dangerous
You Can Now Sign-in to Your Microsoft Accounts Without a Password https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html
HTTPS Is Actually Everywhere https://www.eff.org/deeplinks/2021/09/https-actually-everywhere
Amazon Astro is ‘terrible’ and will ‘throw itself down’ stairs, developers reportedly claim https://www.theverge.com/2021/9/28/22699284/amazon-astro-real-world-stairs-fragile-developer-claims-documents-tracking
National Cybersecurity Awareness Month https://www.cisa.gov/cybersecurity-awareness-month
Apple’s iOS 15 Privacy and Security features: https://firewallsdontstopdragons.com/ios-15-security-privacy-features/
Further Info
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 27, 2021 • 1h 8min
Apple’s Problematic CSAM Scanning
Apple was set to roll out controversial new on-device scanning technology in iOS 15 last week, but thanks to pushback from groups like the Electronic Frontier Foundation and people like you, Apple has since thought better of it and backed down. It's not clear when or if these "child safety" features will come to iPhones, but in the meantime we can hope that Apple will listen carefully to our concerns before proceeding. Today I'll speak with Jason Kelley from the EFF about Apple's proposed technology, the problem of child sexual abuse material (CSAM), and why Apple's proposed solution was so problematic.
Jason Kelley guides EFF’s social media tactics, develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking.
Further Info
Donate to EFF! https://supporters.eff.org/donate/join-4
EFF's Perspectives event: https://www.eff.org/event/perspectives-encryption-and-child-safety
Sign the petition to stop Apple’s poorly-designed child safety features: https://www.eff.org/deeplinks/2021/09/dont-stop-now-join-eff-fight-future-apple-protests-nationwide
Fight for the Future’s #noSpyPhone coverage: https://www.fightforthefuture.org/news/2021-09-13-photos-video-protests-hit-apple-stores-across/
Child Rights International Network (CRIN): https://home.crin.org/
Detailed new review of my book: https://parmsam.medium.com/notes-from-reading-firewalls-dont-stop-dragons-f69ae0d4bf0a
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 20, 2021 • 57min
Security Is Hard
It's really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard - even when you're trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we're going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task.
In today's show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it's still being actively exploited (hint: patch now!); it was recently argued that WhatsApp's end-to-end encryption has a "backdoor", but I'll explain why that's not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its "no IP logging" marketing in the face of a recent incident involving a French activist's account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I'll tell you about a new fourth credit bureau where you should freeze your credit report.
Article Links
Free REvil ransomware master decrypter released for past victims https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/
Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR
WhatsApp Fixes Its Biggest Encryption Loophole https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/
No, Facebook Isn't Reading Your Private WhatsApp Messages. The Problem Is Much Worse https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html
Pwned! The home security system that can be hacked with your email address https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/
ProtonMail Amends Its Policy After Giving Up an Activist’s Data https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
New Mac malware spreads via search results https://www.tomsguide.com/news/mac-malware-fake-iterm2
Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Stay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/

Sep 13, 2021 • 1h 9min
Driving Data Privacy for Cars
Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending to the cloud wirelessly right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy4Cars, and today he'll help us understand all the data your car is hoovering up - from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you've generated, probably without even realizing it.
Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Further Info
Privacy4Cars: https://privacy4cars.com/
Assert Your Data Rights! https://privacy4cars.com/personal-use/assert-your-data-rights/
Twitter: https://twitter.com/privacy4cars
Free CCPA Agent: https://freeccpaagent.com/
Auto ISAC: https://automotiveisac.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 6, 2021 • 60min
Privacy Matters
For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters.
Of course, I'll also cover several security-related topics this week as well: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers requiring state ID for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming the spread of child sexual abuse material; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone.
Article Links
Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do https://www.tomsguide.com/news/steelseries-windows-privilege-escalation
Microsoft Azure cloud vulnerability is the ‘worst you can imagine’ https://www.theverge.com/2021/8/27/22644161/microsoft-azure-database-vulnerabilty-chaosdb
Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html
Australia Considers Social Media ID Requirement https://www.infosecurity-magazine.com/news/australia-considers-social-media
Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies https://www.businessinsider.com/google-locks-afghan-government-email-accounts-to-block-taliban-report-2021-9
Opinion: It’s dangerously stupid to put your state ID in your Apple Wallet https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-wallet
Millions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know https://www.tomsguide.com/news/braktooth-bluetooth-flaws
Apple cares about privacy, unless you work at Apple https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
Apple backs down on CSAM features, postpones launch https://appleinsider.com/articles/21/09/03/apple-backs-dow
Victory! Federal Trade Commission Bans Stalkerware Company from Conducting Business https://www.eff.org/deeplinks/2021/09/victory-federal-trade-commission-bans-stalkerware-company-conducting-business
‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought back https://www.theguardian.com/world/2021/sep/04/surveillance-state-september-11-panic-made-us-vulnerable
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 30, 2021 • 1h 4min
Morpheus: Securing CPUs with Entropy
Computers are supposed to be completely predictable. When you tell one to do something, it should do exactly that - over and over again, if necessary - in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer's processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer's processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body's immune system.
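To make the "periodic perturbation" idea concrete, here is a toy model I added for this page; it is not Morpheus's actual design and not code from Todd Austin's group. The assumptions are mine: code pointers are only ever handled in an encoded form (XOR with a per-epoch key), the key is replaced every `churn_period` ticks, and the machine re-encodes the pointers it legitimately holds at each churn while any copy an attacker leaked earlier is left stale. The address map and tick counts are constructed sample data.

```python
import random


class ChurningMachine:
    """Toy model of a moving-target CPU defense (added illustration, not Morpheus).

    Code addresses are held only in encoded form (XOR with a per-epoch key),
    and the key is replaced every `churn_period` ticks. Pointers the machine
    itself holds are re-encoded at each churn; a copy an attacker leaked
    before the churn is not, so it decodes to garbage afterwards.
    """

    KEY_BITS = 32  # assumption: toy key width, chosen for readability

    def __init__(self, code_map: dict, churn_period: int, seed: int = 0):
        self.code_map = dict(code_map)          # plain address -> routine name
        self.churn_period = churn_period
        self.ticks = 0
        self.rng = random.Random(seed)          # seeded so the demo is reproducible
        self.key = self.rng.getrandbits(self.KEY_BITS)
        # The machine's own pointer table, kept only in encoded form.
        self.table = {name: self.encode(addr) for addr, name in self.code_map.items()}

    def encode(self, addr: int) -> int:
        return addr ^ self.key

    def decode(self, ptr: int) -> int:
        return ptr ^ self.key

    def tick(self, n: int = 1) -> None:
        """Advance time; re-key (churn) whenever the period elapses."""
        for _ in range(n):
            self.ticks += 1
            if self.ticks % self.churn_period == 0:
                self._churn()

    def _churn(self) -> None:
        old = self.key
        new = self.rng.getrandbits(self.KEY_BITS)
        while new == old:                       # guarantee the encoding changes
            new = self.rng.getrandbits(self.KEY_BITS)
        # Re-encode every pointer the machine legitimately holds under the new key.
        self.table = {name: (ptr ^ old) ^ new for name, ptr in self.table.items()}
        self.key = new

    def call(self, ptr: int):
        """Indirect call through an encoded pointer; None if it lands on nothing."""
        return self.code_map.get(self.decode(ptr))


# Constructed sample address map for the demo.
CODE = {0x1000: "main", 0x2000: "helper", 0x3000: "admin_shell"}


def legitimate_call(churn_period: int, delay: int, seed: int = 0):
    """The machine's own table keeps working across any number of churns."""
    m = ChurningMachine(CODE, churn_period, seed)
    m.tick(delay)
    return m.call(m.table["admin_shell"])


def replay_leaked_pointer(churn_period: int, delay: int, seed: int = 0):
    """Attacker leaks the encoded admin_shell pointer at tick 0 (say, via an
    info-leak bug) and replays it `delay` ticks later. Returns what it hits."""
    m = ChurningMachine(CODE, churn_period, seed)
    leaked = m.table["admin_shell"]
    m.tick(delay)
    return m.call(leaked)


if __name__ == "__main__":
    print(legitimate_call(50, 120))          # admin_shell: re-encoded at each churn
    print(replay_leaked_pointer(50, 10))     # admin_shell: replayed before the first churn
    print(replay_leaked_pointer(50, 60))     # None: key rotated at tick 50, leak is stale
```

The point of the model is the asymmetry: the defender's own data survives churn because the machine knows both keys, while the attacker's copy was taken out of band and never gets updated. Shortening `churn_period` narrows the window in which a leaked pointer is still usable.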
Todd Austin is a Professor of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor. His research interests include computer architecture, robust and secure system design, hardware and software verification, and performance analysis tools and techniques. Todd is also co-founder of Agita Labs, a startup developing privacy-enhanced computation technologies that help ease the tension between data discovery and personal privacy.
Further Info
Morpheus article: https://spectrum.ieee.org/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers
Morpheus video: https://www.youtube.com/watch?v=v2mLm2QqsVo
DARPA SSITH program: https://www.darpa.mil/program/ssith
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 23, 2021 • 1h 24min
Beware the Four Horsemen
How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child sexual abuse material? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of child sexual abuse material (CSAM). But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs, and also why they are actually not that effective and even potentially harmful to children.
In other news: both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft's PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to new attacks; Facebook is trying to help Afghans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible at generating random numbers, and that's a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk.
Article Links
Blocking the Exploitation of PrintNightmare https://securityboulevard.com/2021/08/blocking-the-exploitation-of-printnightmare/
Disabling your Print Spooler (see “Workarounds”): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Millions of home Wi-Fi routers under attack by botnet malware https://www.tomsguide.com/news/arcadyan-router-malware
SEE ALSO: Router Security: https://routersecurity.org/
T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-100-million-customer-data-records-compromised-including-social-security-drivers-license-unique-device-numbers/
Hacker Selling Private Data Allegedly from 70 Million AT&T Customers https://restoreprivacy.com/att-data-breach-70-million-customers/
Millions of Web Camera and Baby Monitor Feeds Are Exposed https://www.wired.com/story/kalay-iot-bug-video-feeds/
Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan https://www.nytimes.com/2021/08/20/world/asia/afghanistan-facebook.html
Web apps have become so complex that they're unsafe to use, researchers say https://www.tomsguide.com/news/unsafe-web-apps-oauth
DEFCON “You’re doing IoT RNG” paper: https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng
Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope https://daringfireball.net/2021/08/apple_child_safety_initiatives_slippery_slope
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous https://www.washingtonpost.com/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/
Open letter to Apple from 90+ world orgs https://cdt.org/insights/international-coalition-calls-on-apple-to-abandon-plan-to-build-surveillance-capabilities-into-iphones-ipads-and-other-products/
Tell Apple not to scan our phones: https://act.eff.org/action/tell-apple-don-t-scan-our-phones
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons Would you like me to speak to ...