
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
Latest episodes

Apr 19, 2021 • 53min
Hunting for Stingrays (Part 1)
The single easiest way to track someone today is using their cell phone. We have them with us at all times and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a "Stingray") is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we'll talk with a man who has made it his mission to uncover the use of such devices. We'll talk about how they work, why they're so hard to detect, and the broader implications of their use by police and sheriff's departments with little to no oversight.
Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state-sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, "Hack this Zine." He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF's Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won't help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
Sea Glass project: https://seaglass.cs.washington.edu/
Sitch project: https://sensor.readthedocs.io/en/latest/
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Apr 12, 2021 • 1h 7min
Trust No One
Lots of news to cover today... and to me the common thread seems to be a lack of proper security and privacy. So the theme today is "trust no one". And the idea there isn't really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the "bad guys" will find a way to bypass your main security barrier, so you need to have a second, and possibly a third, barrier in place.
Today I'll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the ACLU has been caught sharing their own users' data with (of all companies) Facebook. And finally, I review the fantastic new book, Privacy is Power by Carissa Véliz.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Privacy is Power book review: https://firewallsdontstopdragons.com/privacy-is-power-review/
Were you part of a data breach? https://haveibeenpwned.com/
Articles quoted today:
Don't Fall for the 'Vaccine Survey' Scam https://twocents.lifehacker.com/don-t-fall-for-the-vaccine-survey-scam-1846620925
Ransomware gang leaks data from Stanford, Maryland universities https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/
Ransom Gangs Emailing Victim Customers for Leverage https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/
Facebook Says Leak of 533 Million Users' Data Wasn't a Hack. https://www.wsj.com/articles/facebook-says-leak-of-533-million-users-data-wasnt-a-hack-does-it-matter-11617910106 , https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/
Another 500 million accounts have leaked online, and LinkedIn's in the hot seat https://www.theverge.com/2021/4/8/22374464/linkedin-data-leak-500-million-accounts-scraped-microsoft
70,000 SSNs, 600,000 Credit Card Records Leaked After Stolen-Data Hub Gets Hacked https://gizmodo.com/70-000-ssns-600-000-credit-card-records-leaked-after-s-1846638234
LexisNexis to Provide Giant Database of Personal Information to ICE https://theintercept.com/2021/04/02/ice-database-surveillance-lexisnexis/
Clearview AI used by police https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition
ACLU, a defender of digital privacy, reveals that it shares user data with Facebook https://fortune.com/2021/04/02/aclu-shares-data-facebook-third-parties-digital-privacy/

Apr 5, 2021 • 57min
Social Media is Ruining Society
There are many business models and businesses that we curtail because they can be dangerous to people or democracy or society. Even rights enshrined in the US Constitution have reasonable limits. Now that it's become evident how engagement-optimized and algorithm-driven social media is ripping at the very fabric of our democracy, it's time for an intervention. Today, Phil Zimmermann (creator of PGP) will explain why things have gotten so bad and what we need to do to fix it and save civil society.
Phil Zimmermann is the creator of Pretty Good Privacy. PGP is still widely regarded as the gold standard for secure email communication and caused quite a controversy when it was introduced in the early 1990s. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
About Phil Zimmermann: https://www.philzimmermann.com/EN/background/index.html
Read Crypto by Steven Levy: https://amzn.to/2PyAjKE
Silent Circle: https://www.silentcircle.com/
Okuna update: https://medium.com/okuna/the-path-forward-8d56ccf37b5c
Check out Somus.app: https://www.somus.app/
Watch The Social Dilemma: https://www.netflix.com/title/81254224
Watch The Great Hack: https://www.netflix.com/Title/80117542
Foundation for Individual Rights in Education (FIRE): https://www.thefire.org/

Mar 29, 2021 • 1h 16min
Stop Using SMS for 2FA
Passwords suck and humans aren't good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for implementing the PIN code system: SMS or text messaging. SMS is very old, but also very widely used and supported. It's never been terribly secure, but recently some clever security researchers have discovered a simple and cheap way to steal your text messages. Like, for $16. I'll explain this hack and tell you how and why you should switch to the much more secure Time-based One-Time Password (TOTP) system for 2FA.
In other news: I'll update you on the massive Microsoft Exchange hack; I'll cover a couple of stories about Apple bowing to pressure from foreign powers; thousands of surveillance cameras hacked in major corporations, schools, hospitals and even jails; a clever technique to identify deepfake videos; two welcome new privacy features in Firefox; Amazon's take-it-or-leave-it driver surveillance demands; opting out of T-Mobile's new data grab; and Texas making hundreds of millions of dollars off their citizens' data.
Further Info
Amazing Tom Cruise deep fake videos: https://www.tiktok.com/@deeptomcruise
Stop using SMS for 2FA: https://firewallsdontstopdragons.com/stop-using-text-messages-for-2fa/
First interview with PGP's Phil Zimmermann: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
Microsoft: 92% of Exchange servers safe from ProxyLogon attacks https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/
Apple Provides Timeline for ProtonVPN App Update, Suggesting App Store Rejection Was Unrelated to Current Events in Myanmar https://www.macrumors.com/2021/03/25/apple-responds-protonvpn-app-update-rejection/
Apple Bent the Rules for Russia—and Other Countries Will Take Note https://www.wired.com/story/apple-russia-iphone-apps-law/
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=iKB6XOvf
Scientists developed a clever way to detect Deepfakes by analyzing light reflections in the eyes https://thenextweb.com/neural/2021/03/11/ai-detects-deepfakes-analyzing-light-reflections-in-the-cornea-eyes-gans-thispersondoesnotexist/
Firefox 87 introduces new SmartBlock tracker blocking mechanism https://appleinsider.com/articles/21/03/24/firefox-87-launches-introduces-new-smartblock-tracker-blocking-mechanism
Mozilla Firefox tweaks Referrer Policy to shore up user privacy https://www.zdnet.com/article/mozilla-firefox-tweaks-referrer-policy-to-shore-up-user-privacy/
Amazon Delivery Drivers Forced to Sign 'Biometric Consent' Form or Lose Job https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job
It's mind-blowing how many millions of dollars Texas makes each year selling your personal data https://www.dallasnews.com/news/watchdog/2021/03/19/its-mind-blowing-how-many-millions-of-dollars-texas-makes-each-year-selling-your-personal-data/
U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts https://www.macrumors.com/2021/03/25/sms-routing-vulnerability-fix/

Mar 22, 2021 • 38min
Computers Interviewing Humans (Part 2)
Given that we're using computer algorithms to evaluate humans, can these systems be gamed or fooled? And is it possible that computers are less biased than humans? On any given day, humans can be distracted, tired, sick or just flat out biased against people for any number of reasons. Should these systems be more transparent? How do we know if they're being fair? Do we need to regulate these services? Is there a happy medium here? And finally, if you feel that you've been unfairly discriminated against by these systems, is there anything you can do about it?
John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown’s Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars.
Further Info:
Electronic Privacy Information Center: https://epic.org/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Follow me!
https://twitter.com/FirewallDragons
https://www.facebook.com/FirewallsDontStopDragons
https://bit.ly/Firewalls-YouTube

Mar 15, 2021 • 38min
Computers Interviewing Humans (Part 1)
Convincing a human to hire you is hard enough. Can you imagine trying to convince a computer? Artificial intelligence is now being used to automate the screening of job candidates, evaluating cognitive ability, vocabulary, and even emotional intelligence. This new "hiretech" promises to weed out the bad applicants and flag the good ones by analyzing not just the substance of answers to interview questions, but also the manner in which you respond - your cadence, your word choices, your tone, your speech patterns, and perhaps even your facial expressions and body language. What could possibly go wrong? We'll discuss this and more today with John Davisson from the Electronic Privacy Information Center.
John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown's Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars.
Further Info:
Electronic Privacy Information Center: https://epic.org/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Weapons of Math Destruction: https://www.amazon.com/Weapons-Math-Destruction-Increases-Inequality/dp/0553418815

Mar 8, 2021 • 1h 39min
Last Straw for LastPass
Ep210. I've recommended LastPass for years - since I wrote my book and every day since. Until now. There are several good (secure and private) password managers out there. But LastPass was the full package: a free tier that had all the functionality most people need and for-pay tiers that had very useful extras. But now they're hobbling the free version by only allowing you to use it on one type of device: either a mobile device or a computer, but not both. To me, that makes the free tier useless. LastPass's Android app was also found to contain seven different trackers. That was the last straw for me. In today's episode, I'll tell you my new recommendations and give you an important tip on making the switch.
In other news: a new law in Australia aims to force Google and Facebook to pay for news links; SolarWinds is blaming an intern for using a horrible password; SMS tax scams are picking up; Alexa Skills have serious privacy and security issues; adtech companies are scrambling to avoid telling you that you're being tracked on iOS; cops use copyright filters to prevent being recorded; a new company is creating a nationwide surveillance system; pharmacies are capitalizing on the COVID vaccine to get your data for marketing; Firefox 86 has a killer new system to prevent third party cookie tracking; however, adtech is exploiting a loophole in DNS to turn third party cookies into first party cookies.
Further Info:
Switching to Bitwarden: https://firewallsdontstopdragons.com/?p=2447
Chat with me on Discord and get exclusive content! https://www.patreon.com/FirewallsDontStopDragons
SMS tax scam unmasked: Bogus but believable – don't fall for it! https://nakedsecurity.sophos.com/2021/02/12/sms-tax-scam-unmasked-bogus-but-believable-dont-fall-for-it/
Alexa Skills: Security gaps and data protection problems https://www.helpnetsecurity.com/2021/03/02/alexa-skills-security/
Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups https://appleinsider.com/articles/21/03/06/microsoft-exchange-server-hack-affects-over-30000-us-organizations
Post-IDFA Alliance will address concerns of mobile app and game marketers https://venturebeat.com/2021/02/17/post-idfa-alliance-will-address-concerns-of-mobile-app-and-game-marketers/
Judge approves $650m settlement of privacy lawsuit against Facebook https://www.theguardian.com/technology/2021/feb/27/facebook-illinois-privacy-lawsuit-settlement
Cops Using Music to Try to Stop Being Filmed Is Just the Tip of the Iceberg https://www.eff.org/deeplinks/2021/02/cops-using-music-try-stop-being-filmed-just-tip-iceberg
Inside 'TALON,' the Nationwide Network of AI-Enabled Surveillance Cameras https://www.vice.com/en/article/bvx4bq/talon-flock-safety-cameras-police-license-plate-reader
You got a vaccine. Walgreens got your data. (Recode) https://www.vox.com/recode/22310281/covid-vaccine-walgreens-cvs-rite-aid-walmart-data
Firefox's Total Cookie Protection aims to stop tracking between multiple sites https://www.engadget.com/firefox-total-cookie-protection-stop-tracking-websites-140044979.html
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique https://thehackernews.com/2021/02/online-trackers-increasingly-switching.html
Changes to LastPass Free https://blog.lastpass.com/2021/02/changes-to-lastpass-free/
Security researcher raises questions about trackers in LastPass Android app https://appleinsider.com/articles/21/02/26/security-raises-questions-about-trackers-in-lastpass-android-app

Mar 1, 2021 • 50min
Tech Learning Collective (Part 2)
In the second half of my interview with the Tech Learning Collective, we delve into their course curriculum a bit, and then discuss why they teach what they teach and how they approach these topics in a unique and meaningful way. We also examine the notion of "ethical hacking" and how this term can be used to whitewash some truly unethical and immoral products and services. Finally, we discuss why it's important to know how to perform cyber attacks in order to properly defend against them. These classes are truly like nothing else you'll find online. Check out one of their workshops for yourself (and support their important work in the process)!
Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We’ll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
Support me on Patreon! https://www.patreon.com/FirewallsDontStopDragons
The Privacy Issue's Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts
Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-2.html

Feb 22, 2021 • 38min
Tech Learning Collective (Part 1)
I first learned of the Tech Learning Collective at a privacy conference in late 2020. I struck up a conversation with one of its representatives and ended up taking one of their wonderful workshops in January. The TLC offers some top-notch courses on computers with a focus on cybersecurity. Unlike college courses or cybersecurity certification courses, TLC offers eminently practical and affordable content, focused squarely on doing. It's like the difference between taking a karate class to earn colored belts and taking a personal self-defense class to actually protect yourself. But it's also much more than that, and hard to describe. You'll have to listen to this interview to truly understand! From their website...
Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We’ll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
The Privacy Issue's Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts
Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-1.html

Feb 15, 2021 • 1h
Not Just a Face in the Crowd
Ep207. Clearview AI - the company that has hoovered up every face it can find on the internet to create a creepy person-identifying app - is back in the news. Canada and the EU have decided that Clearview has gone too far and needs to allow its users to opt out and even delete all the data they have, upon request. It's a welcome development, but unfortunately only available to California residents in the US (plus Canada and the EU). I'll tell you how to delete your data.
In other news: Google uncovers a killer security feature in iOS 14 called BlastDoor; Amazon is expanding its "surveillance empire" in a massive and creepy way; someone "hacked" a water treatment plant in Florida trying (and failing) to poison its citizens; a bad bug has been found in a popular Wi-Fi IoT chip; a new phishing attack uses Morse code to hide its malicious web links; Facebook's "Supreme Court" has rendered its first set of rulings; and Clubhouse, the latest social media craze, is using some intrusive techniques to find more members. Also, I've got several tips for tax time in the US, including avoiding scams and safely transferring your financial data.
Further Info
Opt out of Clearview AI and delete your data: https://clearview.ai/privacy/requests
Avoid tax scams: https://firewallsdontstopdragons.com/its-tax-scam-time-again/
Send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Get your IRS IP PIN: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin