Firewalls Don't Stop Dragons Podcast

Carey Parker
Jun 7, 2021 • 50min

Have I Been FLoCed? (Part 2)

Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you're visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF's Bennett Cyphers, we'll answer these questions and many more. Google's FLoC proposal depends on Google being a "benevolent and omniscient overseer", which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking "sensitive" info, there's nothing saying it won't change this later - on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting.

Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.

Further Info:
Ditch Chrome, switch to Firefox: https://firewallsdontstopdragons.com/its-time-switch-to-firefox/
Donate to Mozilla (Firefox): https://donate.mozilla.org/en-US/
Am I FLoC’d? https://amifloced.org/
Disable Amazon’s Sidewalk: https://www.amazon.com/gp/help/customer/display.html?nodeId=GZ4VSNFMBDHLRJUK
HUGE sale on my book right now! Use code SUMMER2021: https://www.apress.com/us/book/9781484261880
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
May 31, 2021 • 48min

Have I Been FLoCed? (Part 1)

The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third party cookies are now being blocked by default by just about every browser - except Chrome. Google (which owns Chrome) is an ad company that relies on web tracking for 90% of its revenue. With the writing on the wall, they and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system they call Federated Learning of Cohorts, or FLoC, which they claim can replace most of the tracking capability of third party cookies while somehow managing to preserve users' privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how they are rolling it out, and why EFF believes that FLoC is not the way to go.

Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.

Further Info:
Get your custom d20 challenge coin! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to come speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Google’s “Sensitivity of Cohorts” paper: https://docs.google.com/a/google.com/viewer?a=v&pid=sites&srcid=Y2hyb21pdW0ub3JnfGRldnxneDo1Mzg4MjYzOWI2MzU2NDgw
Google’s FLoC API spec: https://github.com/WICG/floc
Am I FLoC’d? https://amifloced.org/
Opt out of NHS data sharing: https://www.ft.com/content/9fee812f-6975-49ce-915c-aeb25d3dd748
May 24, 2021 • 1h 22min

How & When to Use a Passphrase

Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)!

In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; a Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don't own); and Amazon is enabling its Sidewalk mesh network by default - and I'll tell you how to disable it.

Further Info:
Get your own Firewalls Don’t Stop Dragons Challenge Coin! https://www.patreon.com/FirewallsDontStopDragons
How and When to Use a Passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
Generate a secure passphrase! https://d20key.com/
Check out my Malwarebytes interview! https://blog.malwarebytes.com/category/podcast/
Threat Technology’s list of 20 Best Security Podcasts: https://threat.technology/20-best-computer-security-podcasts-of-2021/
FAQ: DarkSide Ransomware Group and Colonial Pipeline https://www.eff.org/deeplinks/2021/05/faq-darkside-ransomware-group-and-colonial-pipeline
DarkSide group that attacked Colonial Pipeline drops from sight online https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/
Biden signs executive order to strengthen US cybersecurity https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/
Irish cyber-attack: Hackers bail out Irish health service for free https://www.bbc.com/news/world-europe-57197688
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware https://thehackernews.com/2021/05/microsoft-warns-of-data-stealing.html
Americans Actually Want Privacy. Shocking. https://www.nytimes.com/2021/05/20/opinion/apple-facebook-ios-privacy.html
Coalition Launches ‘Dark Patterns’ Tip Line to Expose Deceptive Technology Design https://www.eff.org/press/releases/coalition-launches-dark-patterns-tip-line-expose-deceptive-technology-design
Veritone launches new platform to let celebrities and influencers clone their voice with AI https://www.theverge.com/2021/5/14/22432180/voice-clone-deepfake-celebrities-influencers-veritone-ai-platform
Eufy camera owners report video mixups https://nakedsecurity.sophos.com/2021/05/17/those-arent-my-kids-eufy-camera-owners-report-video-mixups/
Here’s Anker’s apology after 712 Eufy customers had camera feeds exposed to strangers https://www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-details
Amazon's Sidewalk Network Is Turned On by Default. Here's How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html
May 17, 2021 • 46min

Protecting Intellectual Freedom (Part 2)

What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we'll discuss why libraries are so important in the fight for privacy and how they're using technologies like Tor to keep their patrons' (and even others') web browsing anonymous. We'll talk about why it's important to do a self-assessment of your particular "threat model" and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we'll talk about what all of this has to do with the so-called Streisand Effect!

Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Discover your threat model: https://ssd.eff.org/en/module/your-security-plan
Download Tor Browser: https://www.torproject.org/download/
May 10, 2021 • 41min

Protecting Intellectual Freedom (Part 1)

Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community - and your local public libraries are there to help. Today I'll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We'll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture!

Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Noam Chomsky propaganda model: https://en.wikipedia.org/wiki/Propaganda_model
Terrorism vs furniture-related deaths: https://www.washingtonpost.com/news/monkey-cage/wp/2015/11/23/youre-more-likely-to-be-fatally-crushed-by-furniture-than-killed-by-a-terrorist/
May 3, 2021 • 1h 23min

App Tracking Transparency

After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature, which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it.

Tons of other security and privacy news to cover today, as well: A major macOS security bug was just fixed (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; the Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple's long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners.

Further Info:
A major macOS security bug has just been fixed - UPDATE NOW! https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/
Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock https://threatpost.com/mozilla-fixes-firefox-flaw/165501/
Facebook Messenger users targeted by a large-scale scam https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/
Codecov hackers breached hundreds of restricted customer sites https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
120 Compromised Ad Servers Target Millions of Internet Users https://thehackernews.com/2021/04/120-compromised-ad-servers-target.html
The Postal Service is running a 'covert operations program' that monitors Americans' social media posts https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html
Federal Agencies Are Secretly Buying Consumer Data https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-data
Emotet Malware Taken Down By Global Law Enforcement Effort https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/
Are we safer with the FBI accessing our computers without consent? https://thenextweb.com/news/are-we-safer-with-the-fbi-accessing-our-computers-without-consent-syndication
The sun is setting on A.I.’s Wild West https://fortune.com/2021/04/27/the-sun-is-setting-on-a-i-s-wild-west/
Signal professionally trolls and screws Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/
AirTags are scarily good at tracking items and ... people. I know because I tried. https://mashable.com/review/apple-airtags-review/
Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed https://9to5mac.com/2021/04/30/airtag-stalking-protections/
Apr 26, 2021 • 56min

Hunting for Stingrays (Part 2)

While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the "good guys" as well as the "bad guys". In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we'll talk about why it's so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities.

Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
DIGITS documentary: https://curiositystream.com/video/1720
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9
Apr 19, 2021 • 53min

Hunting for Stingrays (Part 1)

The single easiest way to track someone today is using their cell phone. We have them with us at all times, and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a "Stingray") is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we'll talk with a man who has made it his mission to uncover the use of such devices. We'll talk about how they work, why they're so hard to detect, and the broader implications of their use by police and sheriff's departments with little to no oversight.

Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, "Hack this Zine." He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won't help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
Sea Glass project: https://seaglass.cs.washington.edu/
Sitch project: https://sensor.readthedocs.io/en/latest/
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9
Apr 12, 2021 • 1h 7min

Trust No One

Lots of news to cover today... and to me the common thread seems to be a lack of proper security and privacy. So the theme today is "trust no one". And the idea there isn't really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the "bad guys" will find a way to bypass your main security barrier, so you need to have a second, and possibly a third, barrier in place.

Today I'll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the ACLU has been caught sharing their own users' data with (of all companies) Facebook. And finally, I review the fantastic new book, Privacy is Power by Carissa Véliz.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Privacy is Power book review: https://firewallsdontstopdragons.com/privacy-is-power-review/
Were you part of a data breach? https://haveibeenpwned.com/

Articles quoted today:
Don’t Fall for the 'Vaccine Survey' Scam https://twocents.lifehacker.com/don-t-fall-for-the-vaccine-survey-scam-1846620925
Ransomware gang leaks data from Stanford, Maryland universities https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/
Ransom Gangs Emailing Victim Customers for Leverage https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/
Facebook Says Leak of 533 Million Users’ Data Wasn’t a Hack. https://www.wsj.com/articles/facebook-says-leak-of-533-million-users-data-wasnt-a-hack-does-it-matter-11617910106 , https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/
Another 500 million accounts have leaked online, and LinkedIn’s in the hot seat https://www.theverge.com/2021/4/8/22374464/linkedin-data-leak-500-million-accounts-scraped-microsoft
70,000 SSNs, 600,000 Credit Card Records Leaked After Stolen-Data Hub Gets Hacked https://gizmodo.com/70-000-ssns-600-000-credit-card-records-leaked-after-s-1846638234
LexisNexis to Provide Giant Database of Personal Information to ICE https://theintercept.com/2021/04/02/ice-database-surveillance-lexisnexis/
Clearview AI used by police https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition
ACLU, a defender of digital privacy, reveals that it shares user data with Facebook https://fortune.com/2021/04/02/aclu-shares-data-facebook-third-parties-digital-privacy/
Apr 5, 2021 • 57min

Social Media is Ruining Society

There are many business models and businesses that we curtail because they can be dangerous to people or democracy or society. Even rights enshrined in the US Constitution have reasonable limits. Now that it's become evident how engagement-optimized and algorithm-driven social media is ripping at the very fabric of our democracy, it's time for an intervention. Today, Phil Zimmermann (creator of PGP) will explain why things have gotten so bad and what we need to do to fix it and save civil society.

Phil Zimmermann is the creator of Pretty Good Privacy. PGP is still widely regarded as the gold standard for secure email communication and caused quite a controversy when it was introduced in the early 1990s. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion, and was inducted into the Cybersecurity Hall of Fame.

Further Info:
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
About Phil Zimmermann: https://www.philzimmermann.com/EN/background/index.html
Read Crypto by Steven Levy: https://amzn.to/2PyAjKE
Silent Circle: https://www.silentcircle.com/
Okuna update: https://medium.com/okuna/the-path-forward-8d56ccf37b5c
Check out Somus.app: https://www.somus.app/
Watch The Social Dilemma: https://www.netflix.com/title/81254224
Watch The Great Hack: https://www.netflix.com/Title/80117542
Foundation for Individual Rights in Education (FIRE): https://www.thefire.org/
