
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
Latest episodes

Jun 28, 2021 • 60min
Sad State of Cybersecurity
Today's news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware... Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure - or will these tools benefit the bad guys more? In today's show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks!
Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk.
Further Info:
6clicks: https://www.6clicks.io/
Cybersecurity Maturity Model: https://www.acq.osd.mil/cmmc/draft.html
Internet of Things Cybersecurity Improvement Act of 2020: https://www.congress.gov/bill/116th-congress/house-bill/1668/text
Only three days to get your challenge coin!! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jun 21, 2021 • 1h 5min
Hacking Satellites for Fun & Profit
Are satellites really just IoT devices in space? They're small computers and connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out!
Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force Defensive Cyber Operations for Space Systems (DCO-S) program. MITRE operates Federally Funded Research and Development Centers (FFRDCs), which support the US government in a variety of capacities.
Jason Williams is a Security Researcher, Engineer, and CEO of Cromulence LLC and a member of Legitimate Business Syndicate (organizers of DEF CON CTF 2012-2017). He has 15+ years of experience in cybersecurity and vulnerability research.
Further Info
Hack-A-Sat 2: https://www.hackasat.com/
US Digital Service: https://www.usds.gov/
Cromulence LLC: https://cromulence.com/
MITRE Corp: https://www.mitre.org/
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Jun 14, 2021 • 1h 9min
Payment App Privacy Sucks
Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a "social" app. That's shorthand for "share as much info as possible, with as many people as possible". If you weren't already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I'll tell you how to change this and other Venmo privacy settings - and also which apps are better at privacy.
Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the "stalker" privacy concerns with AirTags; apps are sidestepping Apple's new App Tracking Transparency (shocker); TikTok just changed its privacy policy to mention the collection of your biometric info, including "faceprints" and "voiceprints"; we found out how the hackers got into the Colonial Pipeline computers and (maybe) how the FBI managed to get back some of the ransom money; the FBI secretly ran an encrypted communication platform marketed to criminals called Anom; and a new facial recognition service allows you (or some creeper) to search the web for anyone's face for free.
Article Links
Amazon is about to share your Internet connection with neighbors. Here's how to turn it off. https://www.washingtonpost.com/technology/2021/06/07/amazon-sidewalk-network/
Ring will require police & fire departments to make public requests for video footage https://appleinsider.com/articles/21/06/03/ring-will-require-police-fire-departments-to-make-public-requests-for-video-footage
Apple announces AirTag privacy improvements, Android app coming this year https://9to5mac.com/2021/06/03/airtag-privacy-improvements-sound-android-app/
How to Check Your AirTags Firmware Version https://www.macrumors.com/how-to/check-airtags-firmware-version/
Apps Continuing to Track Users Despite Apple's Privacy Prompt https://www.macrumors.com/2021/06/07/apps-continuing-to-track-users/
WhatsApp is getting a crafty new way to verify your identity https://www.techradar.com/news/whatsapp-is-getting-a-crafty-new-way-to-verify-your-identity
TikTok just gave itself permission to collect biometric data on U.S. users, including 'faceprints and voiceprints' https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/
Ransomware attackers used compromised password to access Colonial Pipeline network https://www.cnn.com/2021/06/04/politics/colonial-pipeline-ransomware-attack-password/index.html
How could the FBI recover BTC from Colonial's ransomware payment? https://nakedsecurity.sophos.com/2021/06/09/how-could-the-fbi-recover-btc-from-colonials-ransomware-payment/
The FBI's Anom Stunt Rattles the Encryption Debate https://www.wired.com/story/fbi-anom-phone-network-encryption-debate/
This facial recognition website can turn anyone into a cop - or a stalker https://news.yahoo.com/facial-recognition-website-turn-anyone-113646451.html
VICTORY: You Can Now Make Your Venmo Friends List Private. Here's How. https://www.eff.org/deeplinks/2021/06/victory-you-can-now-make-your-venmo-friends-list-private-heres-how
Further Info
HUGE sale on my book right now (55% off)! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.

Jun 7, 2021 • 50min
Have I Been FLoCed? (Part 2)
Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you're visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF's Bennett Cyphers, we'll answer these questions and many more.
Google's FLoC proposal depends on Google being a "benevolent and omniscient overseer", which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking "sensitive" info, there's nothing saying it won't change this later - on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting.
Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.
Further Info:
Ditch Chrome, switch to Firefox: https://firewallsdontstopdragons.com/its-time-switch-to-firefox/
Donate to Mozilla (Firefox): https://donate.mozilla.org/en-US/
Am I FLoC'd? https://amifloced.org/
Disable Amazon's Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons

May 31, 2021 • 48min
Have I Been FLoCed? (Part 1)
The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third-party cookies are now being blocked by default by just about every browser - except Chrome. Google (which owns Chrome) is an ad company that relies on web tracking to make 90% of its revenue. With the writing on the wall, Google and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system it calls Federated Learning of Cohorts, or FLoC, which it claims can replace most of the tracking capability of third-party cookies while somehow managing to preserve users' privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how Google is rolling it out, and why EFF believes that FLoC is not the way to go.
Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.
Further Info:
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to come speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Google's "Sensitivity of Cohorts" paper: https://docs.google.com/a/google.com/viewer?a=v&pid=sites&srcid=Y2hyb21pdW0ub3JnfGRldnxneDo1Mzg4MjYzOWI2MzU2NDgw
Google's FLoC API spec: https://github.com/WICG/floc
Am I FLoC'd? https://amifloced.org/
Opt out of NHS data sharing: https://www.ft.com/content/9fee812f-6975-49ce-915c-aeb25d3dd748

May 24, 2021 • 1h 22min
How & When to Use a Passphrase
Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited-edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)!
In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; a Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don't own); and Amazon is enabling its Sidewalk mesh network by default - and I'll tell you how to disable it.
Further Info
Get your own Firewalls Don't Stop Dragons Challenge Coin! https://www.patreon.com/FirewallsDontStopDragons
How and When to Use a Passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
Generate a secure passphrase! https://d20key.com/
Check out my Malwarebytes interview! https://blog.malwarebytes.com/category/podcast/
Threat Technology's list of 20 Best Security Podcasts: https://threat.technology/20-best-computer-security-podcasts-of-2021/
FAQ: DarkSide Ransomware Group and Colonial Pipeline https://www.eff.org/deeplinks/2021/05/faq-darkside-ransomware-group-and-colonial-pipeline
DarkSide group that attacked Colonial Pipeline drops from sight online https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/
Biden signs executive order to strengthen US cybersecurity https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/
Irish cyber-attack: Hackers bail out Irish health service for free https://www.bbc.com/news/world-europe-57197688
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware https://thehackernews.com/2021/05/microsoft-warns-of-data-stealing.html
Americans Actually Want Privacy. Shocking. https://www.nytimes.com/2021/05/20/opinion/apple-facebook-ios-privacy.html
Coalition Launches 'Dark Patterns' Tip Line to Expose Deceptive Technology Design https://www.eff.org/press/releases/coalition-launches-dark-patterns-tip-line-expose-deceptive-technology-design
Veritone launches new platform to let celebrities and influencers clone their voice with AI https://www.theverge.com/2021/5/14/22432180/voice-clone-deepfake-celebrities-influencers-veritone-ai-platform
Eufy camera owners report video mixups https://nakedsecurity.sophos.com/2021/05/17/those-arent-my-kids-eufy-camera-owners-report-video-mixups/
Here's Anker's apology after 712 Eufy customers had camera feeds exposed to strangers https://www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-details
Amazon's Sidewalk Network Is Turned On by Default. Here's How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html

May 17, 2021 • 46min
Protecting Intellectual Freedom (Part 2)
What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we'll discuss why libraries are so important in the fight for privacy and how they're using technologies like Tor to keep their patrons' (and even others') web browsing anonymous. We'll talk about why it's important to do a self-assessment of your particular "threat model", and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we'll talk about what all of this has to do with the so-called Streisand Effect!
Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Discover your threat model: https://ssd.eff.org/en/module/your-security-plan
Download Tor Browser: https://www.torproject.org/download/

May 10, 2021 • 41min
Protecting Intellectual Freedom (Part 1)
Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community - and your local public libraries are there to help. Today I'll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We'll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture!
Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Noam Chomsky propaganda model: https://en.wikipedia.org/wiki/Propaganda_model
Terrorism vs furniture-related deaths: https://www.washingtonpost.com/news/monkey-cage/wp/2015/11/23/youre-more-likely-to-be-fatally-crushed-by-furniture-than-killed-by-a-terrorist/

May 3, 2021 • 1h 23min
App Tracking Transparency
After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it.
Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple's long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners.
Further Info:
A major macOS security bug has just been fixed - UPDATE NOW! https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/
Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock https://threatpost.com/mozilla-fixes-firefox-flaw/165501/
Facebook Messenger users targeted by a large-scale scam https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/
Codecov hackers breached hundreds of restricted customer sites https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
120 Compromised Ad Servers Target Millions of Internet Users https://thehackernews.com/2021/04/120-compromised-ad-servers-target.html
The Postal Service is running a 'covert operations program' that monitors Americans' social media posts https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html
Federal Agencies Are Secretly Buying Consumer Data https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-data
Emotet Malware Taken Down By Global Law Enforcement Effort https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/
Are we safer with the FBI accessing our computers without consent? https://thenextweb.com/news/are-we-safer-with-the-fbi-accessing-our-computers-without-consent-syndication
The sun is setting on A.I.'s Wild West https://fortune.com/2021/04/27/the-sun-is-setting-on-a-i-s-wild-west/
Signal professionally trolls and screws Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/
AirTags are scarily good at tracking items and ... people. I know because I tried. https://mashable.com/review/apple-airtags-review/
Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed https://9to5mac.com/2021/04/30/airtag-stalking-protections/

Apr 26, 2021 • 56min
Hunting for Stingrays (Part 2)
While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the "good guys" as well as the "bad guys". In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we'll talk about why it's so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities.
Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state-sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal "Hack this Zine." He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF's Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won't help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
DIGITS documentary: https://curiositystream.com/video/1720
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9