Firewalls Don't Stop Dragons Podcast

Carey Parker
Mar 29, 2021 • 1h 16min

Stop Using SMS for 2FA

Passwords suck and humans aren't good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for delivering the one-time code: SMS, or text messaging. SMS is very old, but also very widely used and supported. It's never been terribly secure, but recently some clever security researchers demonstrated a simple and cheap way to steal your text messages. Like, for $16. I'll explain this hack and tell you how and why you should switch to the much more secure Time-based One-Time Password (TOTP) system for 2FA. In other news: I'll update you on the massive Microsoft Exchange hack; I'll cover a couple of stories about Apple bowing to pressure from foreign powers; thousands of surveillance cameras hacked in major corporations, schools, hospitals and even jails; a clever technique to identify deepfake videos; two welcome new privacy features in Firefox; Amazon's take-it-or-leave-it driver surveillance demands; opting out of T-Mobile's new data grab; and Texas making hundreds of millions of dollars off their citizens' data.
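To make the SMS-versus-TOTP comparison concrete, here is an added example (not code from the podcast or from the linked blog post) implementing HOTP (RFC 4226) and TOTP (RFC 6238) the way an authenticator app or a website's verifier computes them. The code is derived from a shared secret and the clock, so nothing is ever sent over the phone network, which is exactly the channel an SMS-rerouting attack hijacks. The base32 secret string, the sample timestamps and the skew window are assumptions chosen for illustration; the expected values in the comments are the test vectors published in the two RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), written from the RFCs as an added example.
Not the podcast's code. Used by both the authenticator app and the server."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226/6238 reference secret, ASCII "12345678901234567890" (a test vector, not a real key).
RFC_SECRET = b"12345678901234567890"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (otpauth:// URIs),
    usually without '=' padding and sometimes with spaces; normalise and decode."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits, with C as an 8-byte big-endian int."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """TOTP = HOTP(K, floor((T - T0) / X)): the counter is derived from the clock."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock skew,
    comparing in constant time so timing does not leak how many digits matched."""
    now = int(time.time()) if unix_time is None else unix_time
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 Appendix D: counter 0 -> 755224, counter 1 -> 287082
    print(hotp(RFC_SECRET, 0), hotp(RFC_SECRET, 1))
    # RFC 6238 Appendix B (SHA-1, 8 digits): T=59 -> 94287082, T=1111111109 -> 07081804
    print(totp(RFC_SECRET, 59, digits=8), totp(RFC_SECRET, 1111111109, digits=8))
    # Assumed otpauth-style secret string; round-trips to the RFC bytes.
    print(decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ") == RFC_SECRET)
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 1000), unix_time=1000))
```

The verifier tolerates one 30-second step either side of the current one; a production server must additionally remember the last accepted counter and refuse to accept that code (or an earlier one) a second time, and it should rate-limit attempts, because a six-digit code has only a million possible values.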
Further Info
Amazing Tom Cruise deep fake videos: https://www.tiktok.com/@deeptomcruise
Stop using SMS for 2FA: https://firewallsdontstopdragons.com/stop-using-text-messages-for-2fa/
First interview with PGP's Phil Zimmermann: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
Microsoft: 92% of Exchange servers safe from ProxyLogon attacks: https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/
Apple Provides Timeline for ProtonVPN App Update, Suggesting App Store Rejection Was Unrelated to Current Events in Myanmar: https://www.macrumors.com/2021/03/25/apple-responds-protonvpn-app-update-rejection/
Apple Bent the Rules for Russia—and Other Countries Will Take Note: https://www.wired.com/story/apple-russia-iphone-apps-law/
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals: https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=iKB6XOvf
Scientists developed a clever way to detect Deepfakes by analyzing light reflections in the eyes: https://thenextweb.com/neural/2021/03/11/ai-detects-deepfakes-analyzing-light-reflections-in-the-cornea-eyes-gans-thispersondoesnotexist/
Firefox 87 introduces new SmartBlock tracker blocking mechanism: https://appleinsider.com/articles/21/03/24/firefox-87-launches-introduces-new-smartblock-tracker-blocking-mechanism
Mozilla Firefox tweaks Referrer Policy to shore up user privacy: https://www.zdnet.com/article/mozilla-firefox-tweaks-referrer-policy-to-shore-up-user-privacy/
Amazon Delivery Drivers Forced to Sign 'Biometric Consent' Form or Lose Job: https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job
It's mind-blowing how many millions of dollars Texas makes each year selling your personal data: https://www.dallasnews.com/news/watchdog/2021/03/19/its-mind-blowing-how-many-millions-of-dollars-texas-makes-each-year-selling-your-personal-data/
U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts: https://www.macrumors.com/2021/03/25/sms-routing-vulnerability-fix/
Mar 22, 2021 • 38min

Computers Interviewing Humans (Part 2)

Given that we're using computer algorithms to evaluate humans, can these systems be gamed or fooled? And is it possible that computers are less biased than humans? On any given day, humans can be distracted, tired, sick or just flat out biased against people for any number of reasons. Should these systems be more transparent? How do we know if they're being fair? Do we need to regulate these services? Is there a happy medium here? And finally, if you feel that you've been unfairly discriminated against by these systems, is there anything you can do about it? John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown's Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars.
Further Info
Electronic Privacy Information Center: https://epic.org/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Follow me! https://twitter.com/FirewallDragons
https://www.facebook.com/FirewallsDontStopDragons
https://bit.ly/Firewalls-YouTube
Mar 15, 2021 • 38min

Computers Interviewing Humans (Part 1)

Convincing a human to hire you is hard enough. Can you imagine trying to convince a computer? Artificial intelligence is now being used to automate the screening of job candidates, evaluating cognitive ability, vocabulary, and even emotional intelligence. This new "hiretech" promises to weed out the bad applicants and flag the good ones by analyzing not just the substance of answers to interview questions, but also the manner in which you respond: your cadence, your word choices, your tone, your speech patterns, and perhaps even your facial expressions and body language. What could possibly go wrong? We'll discuss this and more today with John Davisson from the Electronic Privacy Information Center. John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown's Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars.
Further Info
Electronic Privacy Information Center: https://epic.org/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Weapons of Math Destruction: https://www.amazon.com/Weapons-Math-Destruction-Increases-Inequality/dp/0553418815
Mar 8, 2021 • 1h 39min

Last Straw for LastPass

Ep210. I've recommended LastPass for years - since I wrote my book and every day since. Until now. There are several good (secure and private) password managers out there. But LastPass was the full package: a free tier that had all the functionality most people need and for-pay tiers that had very useful extras. But now they're hobbling the free version by only allowing you to use it on one type of device: either a mobile device or a computer, but not both. To me, that makes the free tier useless. LastPass's Android app was also found to contain seven different trackers. That was the last straw for me. In today's episode, I'll tell you my new recommendations and give you an important tip on making the switch. In other news: a new law in Australia aims to force Google and Facebook to pay for news links; SolarWinds is blaming an intern for using a horrible password; SMS tax scams are picking up; Alexa Skills have serious privacy and security issues; adtech companies are scrambling to avoid telling you that you're being tracked on iOS; cops use copyright filters to prevent being recorded; a new company is creating a nationwide surveillance system; pharmacies are capitalizing on the COVID vaccine to get your data for marketing; Firefox 86 has a killer new system to prevent third party cookie tracking; however, adtech is exploiting a loophole in DNS to turn third party cookies into first party cookies.
Further Info
Switching to Bitwarden: https://firewallsdontstopdragons.com/?p=2447
Chat with me on Discord and get exclusive content! https://www.patreon.com/FirewallsDontStopDragons
SMS tax scam unmasked: Bogus but believable – don't fall for it! https://nakedsecurity.sophos.com/2021/02/12/sms-tax-scam-unmasked-bogus-but-believable-dont-fall-for-it/
Alexa Skills: Security gaps and data protection problems: https://www.helpnetsecurity.com/2021/03/02/alexa-skills-security/
Ongoing & enormous Microsoft Exchange server hack hits 30,000 US groups: https://appleinsider.com/articles/21/03/06/microsoft-exchange-server-hack-affects-over-30000-us-organizations
Post-IDFA Alliance will address concerns of mobile app and game marketers: https://venturebeat.com/2021/02/17/post-idfa-alliance-will-address-concerns-of-mobile-app-and-game-marketers/
Judge approves $650m settlement of privacy lawsuit against Facebook: https://www.theguardian.com/technology/2021/feb/27/facebook-illinois-privacy-lawsuit-settlement
Cops Using Music to Try to Stop Being Filmed Is Just the Tip of the Iceberg: https://www.eff.org/deeplinks/2021/02/cops-using-music-try-stop-being-filmed-just-tip-iceberg
Inside 'TALON,' the Nationwide Network of AI-Enabled Surveillance Cameras: https://www.vice.com/en/article/bvx4bq/talon-flock-safety-cameras-police-license-plate-reader
You got a vaccine. Walgreens got your data. (Recode): https://www.vox.com/recode/22310281/covid-vaccine-walgreens-cvs-rite-aid-walmart-data
Firefox's Total Cookie Protection aims to stop tracking between multiple sites: https://www.engadget.com/firefox-total-cookie-protection-stop-tracking-websites-140044979.html
Online Trackers Increasingly Switching to Invasive CNAME Cloaking Technique: https://thehackernews.com/2021/02/online-trackers-increasingly-switching.html
Changes to LastPass Free: https://blog.lastpass.com/2021/02/changes-to-lastpass-free/
Security researcher raises questions about trackers in LastPass Android app: https://appleinsider.com/articles/21/02/26/security-raises-questions-about-trackers-in-lastpass-android-app
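The "loophole in DNS" in that last news item is CNAME cloaking: a site points one of its own subdomains (say, metrics.example.com) at a tracker's hostname with a CNAME record, so the browser sees a first-party host and treats the tracker's cookies as first-party, sidestepping third-party cookie blocking. Here is an added example (not the podcast's code and not any blocker's code) of the check that a CNAME-uncloaking blocker performs: follow the CNAME chain and compare the registrable domain of each hop with the page's own. It runs over a constructed table of DNS answers instead of live lookups; every hostname and the tracker list are hypothetical.

```python
"""CNAME-cloaking detector (added example). DNS_CNAMES stands in for live CNAME answers;
the names and the tracker list are constructed for illustration, not real records."""

# Constructed CNAME answers (owner name -> target), all fully qualified with a trailing dot.
DNS_CNAMES = {
    "metrics.example.com.": "example.tracker-cdn.net.",   # first-party name, third-party target
    "example.tracker-cdn.net.": "edge.tracker-cdn.net.",  # chain continues inside the tracker
    "www.example.com.": "web.example.com.",               # stays first-party
    "loop.example.com.": "loop2.example.com.",            # deliberate CNAME loop
    "loop2.example.com.": "loop.example.com.",
}

# Tracker registrable domains, in the style of a CNAME-cloaking blocklist (constructed).
TRACKER_DOMAINS = {"tracker-cdn.net"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). A real blocker consults the Public Suffix List
    so that names under multi-label suffixes such as 'co.uk' are handled correctly."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def resolve_chain(host: str, table=DNS_CNAMES, max_hops: int = 8) -> list:
    """Follow CNAME records from `host` and return the full chain, starting with `host`.
    Stops on a loop or after max_hops, the same guards a resolver applies."""
    chain = [host]
    seen = {host}
    while host in table and len(chain) <= max_hops:
        host = table[host]
        if host in seen:
            break
        chain.append(host)
        seen.add(host)
    return chain


def classify(host: str, site: str, table=DNS_CNAMES, trackers=TRACKER_DOMAINS) -> dict:
    """Report whether `host`, loaded by a page on `site`, is a third party hiding behind a
    first-party name, and whether that third party is on the tracker list."""
    chain = resolve_chain(host, table)
    first_party = registrable_domain(site)
    for target in chain[1:]:
        tgt = registrable_domain(target)
        if tgt != first_party:
            return {"host": host, "chain": chain,
                    "third_party_target": target,
                    "cloaked_tracker": tgt in trackers}
    return {"host": host, "chain": chain,
            "third_party_target": None, "cloaked_tracker": False}


if __name__ == "__main__":
    for h in ("metrics.example.com.", "www.example.com.", "loop.example.com."):
        print(classify(h, "example.com"))
```

A blocker that does this at request time (uBlock Origin on Firefox does, using the browser's DNS API) can treat metrics.example.com as the tracker it really is; Firefox's Total Cookie Protection attacks the same problem from the other side by partitioning cookies per top-level site, so even a cookie set under a first-party name is not shared across sites.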
Mar 1, 2021 • 50min

Tech Learning Collective (Part 2)

In the second half of my interview with the Tech Learning Collective, we delve into their course curriculum a bit, and then discuss why they teach what they teach and how they approach these topics in a unique and meaningful way. We also examine the notion of "ethical hacking" and how this term can be used to whitewash some truly unethical and immoral products and services. Finally, we discuss why it's important to know how to perform cyber attacks in order to properly defend against them. These classes are truly like nothing else you'll find online. Check out one of their workshops for yourself (and support their important work in the process)! Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We'll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
Support me on Patreon! https://www.patreon.com/FirewallsDontStopDragons
The Privacy Issue's Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts
Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-2.html
Feb 22, 2021 • 38min

Tech Learning Collective (Part 1)

I first learned of the Tech Learning Collective at a privacy conference in late 2020. I struck up a conversation with one of its representatives and ended up taking one of their wonderful workshops in January. The TLC offers some top-notch courses on computers with a focus on cybersecurity. Unlike college courses or cybersecurity certification courses, TLC offers eminently practical and affordable content, focused squarely on doing. It's like the difference between taking a karate class to earn colored belts and taking a personal self defense class to actually protect yourself. But it's also much more than that, and hard to describe. You'll have to listen to this interview to truly understand! From their website... Technology, taught collectively. Looking to get certified? Look elsewhere. Looking to spark a revolution? We'll show you how to become more powerful than the most well-funded adversaries, including corporate- and government-backed opponents.
Further Info
Tech Learning Collective: https://techlearningcollective.com/
The Privacy Issue's Essential Privacy Podcasts: https://theprivacyissue.com/privacy-and-society/download-privacy-security-podcasts
Transcript: https://techlearningcollective.com/2021/04/06/firewalls-dont-stop-dragons-interviews-tech-learning-collective-part-1.html
Feb 15, 2021 • 1h

Not Just a Face in the Crowd

Ep207. Clearview AI - the company that has hoovered up every face it can find on the internet to create a creepy person-identifying app - is back in the news. Canada and the EU have decided that Clearview has gone too far and needs to allow its users to opt out and even delete all the data they have, upon request. It's a welcome development, but unfortunately only available to California residents in the US (plus Canada and the EU). I'll tell you how to delete your data. In other news: Google uncovers a killer security feature in iOS 14 called BlastDoor; Amazon is expanding its "surveillance empire" in a massive and creepy way; someone "hacked" a water treatment plant in Florida trying (and failing) to poison its citizens; a bad bug has been found in a popular Wi-Fi IoT chip; a new phishing attack uses Morse code to hide its malicious web links; Facebook's "Supreme Court" has rendered its first set of rulings; and Clubhouse, the latest social media craze, is using some intrusive techniques to find more members. Also, I've got several tips for tax time in the US, including avoiding scams and safely transferring your financial data.
Further Info
Opt out of Clearview AI and delete your data: https://clearview.ai/privacy/requests
Avoid tax scams: https://firewallsdontstopdragons.com/its-tax-scam-time-again/
Send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Get your IRS IP PIN: https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin
Feb 8, 2021 • 1h 4min

Free Speech & Deplatforming

Episode 206. The social media events around the January 6th storming of the US Capitol have sparked raging, divisive debates in the US. But the banning of individuals and the deplatforming of apps and groups are not new phenomena. The right of free speech that is enshrined in the First Amendment to the US Constitution is not limitless. It does have legal boundaries. And private companies, even monopolies, have the legal right to control access to their platforms. But does that make it right? Today, I will wade into this decidedly thorny issue with Troy Hunt, who brings a plethora of global technology and security experience to the debate. Troy Hunt is an Australian Microsoft Regional Director and a Most Valuable Professional awardee for Developer Security. He's a blogger, international speaker and author of several online courses, and he runs the very valuable internet security service Have I Been Pwned.
Further Info
Troy Hunt's blog on deplatforming: https://www.troyhunt.com/weekly-update-226/
EFF's take: https://www.eff.org/deeplinks/2019/05/censorship-cant-be-only-answer-disinformation-online
Legal limits of free speech: https://en.wikipedia.org/wiki/United_States_free_speech_exceptions
Listener survey: https://bit.ly/Firewalls-survey-2021
Patron survey: http://bit.ly/Firewalls-patron-survey-2021
Feb 1, 2021 • 60min

Stop Watching Me!

Tracking and data mining have gotten way out of hand. We're not only being tracked online, we're now being tracked around the real world, too. We're truly living in a panopticon - and it's not good for us as individuals or as a democratic society. Today I'll cover several stories that make it clear that we've hit a tipping point. It has to stop. And it's going to require all of us putting pressure on our representatives to lay down some common sense rules to curb surveillance capitalism. In today's news: one week left to send in your podcast listener survey; update all your iOS devices ASAP; Apple walks back a controversial OS change that would have allowed some Apple apps to bypass firewalls and VPNs; Microsoft is touting a new Edge browser feature that notifies you when your passwords have been breached; an innocuous-looking police robot is actually paving the way towards chilling mass surveillance; another US intelligence agency has been caught buying the location data of US citizens from data brokers; Apple's efforts at improving user privacy are ruffling more feathers at Google and Facebook.
Further Info
New Year's Resolution ideas for 2021: https://firewallsdontstopdragons.com/new-years-resolutions-2021/
Data Privacy Day checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Listener survey: https://bit.ly/Firewalls-survey-2021
Patron survey: http://bit.ly/Firewalls-patron-survey-2021
Jan 25, 2021 • 57min

De-Googling Your Life

We all love to beat up on Facebook over user privacy, but the real granddaddy of them all is Google. Google is everywhere. And they almost surely know way more about you than any other company on the planet. In addition to all the "G" apps and services that you know about, Google also owns Android, Chrome browser, Waze, Nest and YouTube. It's extremely hard to avoid using Google. But there are alternatives that will respect your privacy - and today I'll give you a long list of viable options. And with international Data Privacy Day happening this week (Jan 28th), it's a great time to take back control of your data. In other news: some malicious Chrome extensions have been scraping Facebook data, a man working for ADT has been caught spying on women using the security cameras he helped to install, Google seems to be dragging their heels on updating their iOS app privacy labels, Malwarebytes says they've been hacked by the same group behind the SolarWinds hacks, WhatsApp has upset many of their users with a new privacy ultimatum, and I'll delve into the national security implications of the recent US Capitol breach.
Further Info
Listener survey: https://bit.ly/Firewalls-survey-2021
Patron survey: http://bit.ly/Firewalls-patron-survey-2021
My Data Privacy Day Checklist: https://firewallsdontstopdragons.com/data-privacy-day-checklist/
Google Alternatives: https://restoreprivacy.com/google-alternatives/
Restore Privacy tools: https://restoreprivacy.com/privacy-tools/
No More Google: https://nomoregoogle.com/
Just Get My Data: https://justgetmydata.com/
Just Delete Me: https://justdeleteme.xyz/