

Firewalls Don't Stop Dragons Podcast
Carey Parker
A Podcast on Computer Security & Privacy for Non-Techies

Oct 11, 2021 • 1h 19min
Privacy Dynamic Duo
Today I have the great honor and pleasure of speaking with two luminaries in the field of privacy: Michelle Finneran Dennedy and Melanie Ensign. Between them, they have decades of experience managing privacy processes, policies, technology and communications within dozens of big name tech companies. I get their unique perspective on data privacy and the evolution of how these companies approach the problem of collecting and managing your data. Are things getting better or worse? How can companies earn the trust of their customers? Is data the new oil? And is it an asset or a liability? How can we have social media like Facebook and privacy at the same time?
NOTE: I captured WAY more content from these two than I could fit into this one podcast. To get the full interview, become a patron! (And nab yourself a kick-butt challenge coin, too!)
Michelle Dennedy was the first CPO for many global IT infrastructure companies including Oracle, McAfee, Intel & Cisco. Michelle is now a partner at Privatus.online and CEO at a Privacy Engineering startup in stealth mode. She is the co-author of The Privacy Engineer’s Manifesto and The Privacy Engineer’s Companion.
Melanie Ensign is the CEO of Discernible, helping cybersecurity & privacy teams better communicate with business leaders and consumers. She is also part of the DEF CON leadership team.
Further Info
Discernible: https://discernibleinc.com/
Privatus: https://privatus.online/
The Privacy Engineer’s Manifesto: https://www.amazon.com/Privacy-Engineers-Manifesto-Getting-Policy/dp/1430263555
The Rise of Privacy Tech (TROPT): https://www.riseofprivacytech.com/
Privacy is Power (book): https://firewallsdontstopdragons.com/privacy-is-power-review/
The Social Dilemma: https://www.thesocialdilemma.com/
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Oct 4, 2021 • 1h 8min
iOS 15 Privacy & Security Features
I admit it. I’m an Apple fan. Are they perfect? Definitely not. But in most cases, they’re actually trying to be good. And at the end of the day, their business model doesn’t rely on hoovering up your personal data. Apple just released a big update to its devices, iOS 15, and it’s got some really cool security and privacy features. I’ll tell you all about them in today’s show.
In other news: thousands of Netgear routers can be hacked via a Disney parental control feature even if you didn’t ask for it; yet another company is scraping social media and public info to sell it to law enforcement; the NSA and CIA are warning their employees to block ads for cybersecurity reasons; Microsoft has rolled out a “passwordless” login system; EFF is ending support for its wonderful browser plugin HTTPS Everywhere – because HTTPS is now already everywhere; Amazon’s new house robot, Astro, is a privacy nightmare (shocker); and this is the first week of National Cybersecurity Awareness Month in the US.
Article Links
National Cybersecurity Awareness Month, Week #1: Own your role in cybersecurity https://staysafeonline.org/wp-content/uploads/2020/04/Own-Your-Role-in-Cybersecurity_-Start-with-the-Basics-.pdf
Thousands of Netgear routers can be hacked — here’s what to do https://www.tomsguide.com/news/netgear-router-circle-patches
Researcher drops three iOS zero-days that Apple refused to fix https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/
ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move https://theintercept.com/2021/09/21/surveillance-social-media-police-microsoft-shadowdragon-kaseware/
The NSA and CIA Use Ad Blockers Because Online Advertising Is So Dangerous https://www.vice.com/en/article/93ypke/the-nsa-and-cia-use-ad-blockers-because-online-advertising-is-so-dangerous
You Can Now Sign-in to Your Microsoft Accounts Without a Password https://thehackernews.com/2021/09/you-can-now-sign-in-to-you-microsoft.html
HTTPS Is Actually Everywhere https://www.eff.org/deeplinks/2021/09/https-actually-everywhere
Amazon Astro is ‘terrible’ and will ‘throw itself down’ stairs, developers reportedly claim https://www.theverge.com/2021/9/28/22699284/amazon-astro-real-world-stairs-fragile-developer-claims-documents-tracking
National Cybersecurity Awareness Month https://www.cisa.gov/cybersecurity-awareness-month
Apple’s iOS 15 Privacy and Security features: https://firewallsdontstopdragons.com/ios-15-security-privacy-features/
Further Info
The challenge coin promotion is BACK!! https://firewallsdontstopdragons.com/my-challenge-coins-are-back/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 27, 2021 • 1h 8min
Apple’s Problematic CSAM Scanning
Apple was set to roll out controversial new on-device scanning technology in iOS 15 last week, but thanks to pushback from groups like the Electronic Frontier Foundation and people like you, Apple has since thought better of it and backed down. It’s not clear when or if these “child safety” features will come to iPhones, but in the meantime we can hope that Apple will listen carefully to our concerns before proceeding. Today I’ll speak with Jason Kelley from the EFF about Apple’s proposed technology, the problem of child sexual abuse material (CSAM), and why Apple’s proposed solution was so problematic.
Jason Kelley guides EFF’s social media tactics, develops EFF’s online digital advocacy, and writes about various forms of governmental and private surveillance and tracking.
Further Info
Donate to EFF! https://supporters.eff.org/donate/join-4
EFF’s Perspectives event: https://www.eff.org/event/perspectives-encryption-and-child-safety
Sign the petition to stop Apple’s poorly-designed child safety features: https://www.eff.org/deeplinks/2021/09/dont-stop-now-join-eff-fight-future-apple-protests-nationwide
Fight for the Future’s #noSpyPhone coverage: https://www.fightforthefuture.org/news/2021-09-13-photos-video-protests-hit-apple-stores-across/
Child Rights International Network (CRIN): https://home.crin.org/
Detailed new review of my book: https://parmsam.medium.com/notes-from-reading-firewalls-dont-stop-dragons-f69ae0d4bf0a
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 20, 2021 • 57min
Security Is Hard
It’s really easy to complain about the sadly insecure state of many of our products and services, but the fact is that doing security right is hard – even when you’re trying to get it right. Part of the problem is that there are just so many things to secure, even on a single product or service. Today we’re going to discuss several recent security issues with popular products, and why getting it right can be such a daunting task.
In today’s show: a universal decryption key for all REvil ransomware victims prior to July 13th is now available; Microsoft patched a nasty security bug in all of its Windows OS versions, but it’s still being actively exploited (hint: patch now!); it was recently argued that WhatsApp’s end-to-end encryption has a “backdoor”, but I’ll explain why that’s not true; a home security system maker refuses to patch a bug that would allow an attacker to disable your system just by knowing (or guessing) your email address; ProtonMail is forced to alter its “no IP logging” marketing in the face of a recent incident involving a French activist’s account; new Mac malware has emerged that uses poisoned search results to trick its victims; and for my tip of the week, I’ll tell you about a new fourth credit bureau where you should freeze your credit report.
Article Links
Free REvil ransomware master decrypter released for past victims https://www.bleepingcomputer.com/news/security/free-revil-ransomware-master-decrypter-released-for-past-victims/
Recently reported Microsoft zero-day gaining popularity with attackers, Kaspersky says https://www.msn.com/en-us/news/technology/recently-reported-microsoft-zero-day-gaining-popularity-with-attackers-kaspersky-says/ar-AAOyUvR
WhatsApp Fixes Its Biggest Encryption Loophole https://www.wired.com/story/whatsapp-end-to-end-encrypted-backups/
No, Facebook Isn’t Reading Your Private WhatsApp Messages. The Problem Is Much Worse https://www.inc.com/jason-aten/no-facebook-isnt-reading-your-private-whatsapp-messages-problem-is-much-worse.html
Pwned! The home security system that can be hacked with your email address https://nakedsecurity.sophos.com/2021/09/02/pwned-the-home-security-system-that-can-be-hacked-with-your-email-address/
ProtonMail Amends Its Policy After Giving Up an Activist’s Data https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/
New Mac malware spreads via search results https://www.tomsguide.com/news/mac-malware-fake-iterm2
Tip of the week: https://firewallsdontstopdragons.com/freeze-you-credit-at-innovis-too/
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Stay tuned for a new challenge coin promotion! https://firewallsdontstopdragons.com/get-your-official-challenge-coin/
Generate secure passphrases! https://d20key.com/#/

Sep 13, 2021 • 1h 9min
Driving Data Privacy for Cars
Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending to the cloud wirelessly right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy 4 Cars and today he’ll help us understand all the data your car is hoovering up – from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you’ve generated, probably without even realizing it.
Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Further Info
Privacy4Cars: https://privacy4cars.com/
Assert Your Data Rights! https://privacy4cars.com/personal-use/assert-your-data-rights/
Twitter: https://twitter.com/privacy4cars
Free CCPA Agent: https://freeccpaagent.com/
Auto ISAC: https://automotiveisac.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Sep 6, 2021 • 60min
Privacy Matters
For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass – and the laws we aren’t passing. Today, I’ll talk about several stories with a common theme: privacy matters.
Of course, I’ll also cover several security-related topics this week, as well: I’ll tell you how to completely hack someone’s Windows PC with a gaming mouse; Microsoft’s Azure cloud service left thousands of customers’ data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming child porn; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone.
Article Links
Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do https://www.tomsguide.com/news/steelseries-windows-privilege-escalation
Microsoft Azure cloud vulnerability is the ‘worst you can imagine’ https://www.theverge.com/2021/8/27/22644161/microsoft-azure-database-vulnerabilty-chaosdb
Juniper Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role https://finance.yahoo.com/news/juniper-breach-mystery-starts-clear-130016591.html
Australia Considers Social Media ID Requirement https://www.infosecurity-magazine.com/news/australia-considers-social-media
Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies https://www.businessinsider.com/google-locks-afghan-government-email-accounts-to-block-taliban-report-2021-9
Opinion: It’s dangerously stupid to put your state ID in your Apple Wallet https://thenextweb.com/news/dangerously-stupid-state-id-in-your-apple-wallet
Millions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know https://www.tomsguide.com/news/braktooth-bluetooth-flaws
Apple cares about privacy, unless you work at Apple https://www.theverge.com/22648265/apple-employee-privacy-icloud-id
Apple backs down on CSAM features, postpones launch https://appleinsider.com/articles/21/09/03/apple-backs-dow
Victory! Federal Trade Commission Bans Stalkerware Company from Conducting Business https://www.eff.org/deeplinks/2021/09/victory-federal-trade-commission-bans-stalkerware-company-conducting-business
‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought back https://www.theguardian.com/world/2021/sep/04/surveillance-state-september-11-panic-made-us-vulnerable
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 30, 2021 • 1h 4min
Morpheus: Securing CPUs with Entropy
Computers are supposed to be completely predictable. When you tell a computer to do something, it should do exactly that – over and over again, if necessary – in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer’s processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer’s processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body’s immune system.
Todd Austin is a Professor of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor. His research interests include computer architecture, robust and secure system design, hardware and software verification, and performance analysis tools and techniques. Todd is also co-founder of Agita Labs, a startup developing privacy-enhanced computation technologies that help ease the tension between data discovery and personal privacy.
Further Info
Morpheus article: https://spectrum.ieee.org/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers
Morpheus video: https://www.youtube.com/watch?v=v2mLm2QqsVo
DARPA SSITH program: https://www.darpa.mil/program/ssith
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 23, 2021 • 1h 24min
Beware the Four Horsemen
How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don’t tomorrow. Today I’ll discuss Apple’s new “child safety” initiatives and explain why I think they’re making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children.
In other news: both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft’s PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to new attacks; Facebook is trying to help Afghans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible with random numbers, and that’s a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk.
Article Links
Blocking the Exploitation of PrintNightmare https://securityboulevard.com/2021/08/blocking-the-exploitation-of-printnightmare/
Disabling your Print Spooler (see “Workarounds”): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
Millions of home Wi-Fi routers under attack by botnet malware https://www.tomsguide.com/news/arcadyan-router-malware
SEE ALSO: Router Security: https://routersecurity.org/
T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-100-million-customer-data-records-compromised-including-social-security-drivers-license-unique-device-numbers/
Hacker Selling Private Data Allegedly from 70 Million AT&T Customers https://restoreprivacy.com/att-data-breach-70-million-customers/
Millions of Web Camera and Baby Monitor Feeds Are Exposed https://www.wired.com/story/kalay-iot-bug-video-feeds/
Secret terrorist watchlist with 2 million records exposed online https://www.bleepingcomputer.com/news/security/secret-terrorist-watchlist-with-2-million-records-exposed-online/
To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan https://www.nytimes.com/2021/08/20/world/asia/afghanistan-facebook.html
Web apps have become so complex that they’re unsafe to use, researchers say https://www.tomsguide.com/news/unsafe-web-apps-oauth
DEFCON “You’re doing IoT RNG” paper: https://labs.bishopfox.com/tech-blog/youre-doing-iot-rng
Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope https://daringfireball.net/2021/08/apple_child_safety_initiatives_slippery_slope
We built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous https://www.washingtonpost.com/opinions/2021/08/19/apple-csam-abuse-encryption-security-privacy-dangerous/
Open letter to Apple from 90+ world orgs https://cdt.org/insights/international-coalition-calls-on-apple-to-abandon-plan-to-build-surveillance-capabilities-into-iphones-ipads-and-other-products/
Tell Apple not to scan our phones: https://act.eff.org/action/tell-apple-don-t-scan-our-phones
Further Info
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 16, 2021 • 1h 4min
On a Dark Tangent
Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss – also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside.
Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
Privacy is Power, book by Carissa Véliz: https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151
My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/
The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_matters
Hackers, book by Steven Levy: https://www.amazon.com/Hackers-Computer-Revolution-Steven-Levy/dp/1449388396
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker
Generate secure passphrases! https://d20key.com/#/

Aug 11, 2021 • 1h 32min
Understanding Hackers & Hacking
What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it’s easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren’t). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world’s largest hacking conferences. I’ve been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today’s show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.
Further Info
DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg
DEFCON 29: https://defcon.org/html/defcon-29/dc-29-index.html
DEFCON 29 media: https://media.defcon.org/DEF%20CON%2029/
Making the DEF CON 29 Badge: https://www.youtube.com/watch?v=H3kdq40PY3s
Soundtrack: https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20music/
Preparing for Hacker Summer Camp: https://theplaceboeffects.wordpress.com/2019/07/13/preparing-for-hacker-summer-camp/
Hack-A-Day badge article: https://hackaday.com/2021/08/05/hands-on-def-con-29-badge-embraces-the-new-normal/
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com: https://hackerboxes.com/
Become a Patron! https://www.patreon.com/FirewallsDontStopDragons
Generate secure passphrases! https://d20key.com/#/
Would you like me to speak to your group about security and/or privacy? http://bit.ly/Firewalls-Speaker