

Firewalls Don't Stop Dragons Podcast
Carey Parker
A Podcast on Computer Security & Privacy for Non-Techies

May 24, 2021 • 1h 22min
How & When to Use a Passphrase
Today is the day we’ve all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited-edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)!
In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple’s App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don’t own); and Amazon is enabling its Sidewalk mesh network by default – and I’ll tell you how to disable it.
Further Info
Get your own Firewalls Don’t Stop Dragons Challenge Coin! https://www.patreon.com/FirewallsDontStopDragons
How and When to Use a Passphrase: https://firewallsdontstopdragons.com/how-when-to-use-a-passphrase/
Generate a secure passphrase! https://d20key.com/
Check out my Malwarebytes interview! https://blog.malwarebytes.com/category/podcast/
Threat Technology’s list of 20 Best Security Podcasts: https://threat.technology/20-best-computer-security-podcasts-of-2021/
FAQ: DarkSide Ransomware Group and Colonial Pipeline https://www.eff.org/deeplinks/2021/05/faq-darkside-ransomware-group-and-colonial-pipeline
DarkSide group that attacked Colonial Pipeline drops from sight online https://www.washingtonpost.com/technology/2021/05/14/darkside-ransomware-shutting-down/
Biden signs executive order to strengthen US cybersecurity https://arstechnica.com/information-technology/2021/05/biden-signs-executive-order-to-strengthen-us-cybersecurity/
Irish cyber-attack: Hackers bail out Irish health service for free https://www.bbc.com/news/world-europe-57197688
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware https://thehackernews.com/2021/05/microsoft-warns-of-data-stealing.html
Americans Actually Want Privacy. Shocking. https://www.nytimes.com/2021/05/20/opinion/apple-facebook-ios-privacy.html
Coalition Launches ‘Dark Patterns’ Tip Line to Expose Deceptive Technology Design https://www.eff.org/press/releases/coalition-launches-dark-patterns-tip-line-expose-deceptive-technology-design
Veritone launches new platform to let celebrities and influencers clone their voice with AI https://www.theverge.com/2021/5/14/22432180/voice-clone-deepfake-celebrities-influencers-veritone-ai-platform
Eufy camera owners report video mixups https://nakedsecurity.sophos.com/2021/05/17/those-arent-my-kids-eufy-camera-owners-report-video-mixups/
Here’s Anker’s apology after 712 Eufy customers had camera feeds exposed to strangers https://www.theverge.com/2021/5/19/22444164/eufy-security-camera-glitch-privacy-feed-exposed-statement-details
Amazon’s Sidewalk Network Is Turned On by Default. Here’s How to Turn It Off https://www.inc.com/jason-aten/amazons-sidewalk-network-is-turned-on-by-default-heres-how-to-turn-it-off.html

May 17, 2021 • 46min
Protecting Intellectual Freedom (Part 2)
What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we’ll discuss why libraries are so important in the fight for privacy and how they’re using technologies like Tor to keep their patrons’ (and even others’) web browsing anonymous. We’ll talk about why it’s important to do a self-assessment of your particular “threat model” and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we’ll talk about what all of this has to do with the so-called Streisand Effect!
Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Discover your threat model: https://ssd.eff.org/en/module/your-security-plan
Download Tor Browser: https://www.torproject.org/download/

May 10, 2021 • 41min
Protecting Intellectual Freedom (Part 1)
Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community – and your local public libraries are there to help. Today I’ll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We’ll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture!
Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Library Freedom Project: https://libraryfreedom.org/
Library Freedom wiki: https://libraryfreedom.wiki/
Library Freedom Institute GitHub page: https://github.com/alisonLFP/libraryfreedominstitute
Library Freedom Institute on Vimeo: https://vimeo.com/libraryfreedominstitute
Noam Chomsky propaganda model: https://en.wikipedia.org/wiki/Propaganda_model
Terrorism vs furniture-related deaths: https://www.washingtonpost.com/news/monkey-cage/wp/2015/11/23/youre-more-likely-to-be-fatally-crushed-by-furniture-than-killed-by-a-terrorist/

May 3, 2021 • 1h 23min
App Tracking Transparency
After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I’ll tell you what this feature does and doesn’t do, and of course, how to enable it.
Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a ‘covert operations program’ that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple’s long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners.
Further Info:
A macOS major security bug has just been fixed – UPDATE NOW! https://www.forbes.com/sites/thomasbrewster/2021/04/26/update-your-mac-now-the-worst-hack-in-years-hits-apple-computers/
Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock https://threatpost.com/mozilla-fixes-firefox-flaw/165501/
Facebook Messenger users targeted by a large-scale scam https://www.helpnetsecurity.com/2021/04/20/facebook-messenger-scam/
Codecov hackers breached hundreds of restricted customer sites https://www.reuters.com/technology/codecov-hackers-breached-hundreds-restricted-customer-sites-sources-2021-04-19/
120 Compromised Ad Servers Target Millions of Internet Users https://thehackernews.com/2021/04/120-compromised-ad-servers-target.html
The Postal Service is running a ‘covert operations program’ that monitors Americans’ social media posts https://news.yahoo.com/the-postal-service-is-running-a-running-a-covert-operations-program-that-monitors-americans-social-media-posts-160022919.html
Federal Agencies Are Secretly Buying Consumer Data https://www.brennancenter.org/our-work/analysis-opinion/federal-agencies-are-secretly-buying-consumer-data
Emotet Malware Taken Down By Global Law Enforcement Effort https://www.cpomagazine.com/cyber-security/emotet-malware-taken-down-by-global-law-enforcement-effort-cleanup-patch-pushed-to-1-6-million-infected-devices/
Are we safer with the FBI accessing our computers without consent? https://thenextweb.com/news/are-we-safer-with-the-fbi-accessing-our-computers-without-consent-syndication
The sun is setting on A.I.’s Wild West https://fortune.com/2021/04/27/the-sun-is-setting-on-a-i-s-wild-west/
Signal professionally trolls and screws Cellebrite: https://signal.org/blog/cellebrite-vulnerabilities/
AirTags are scarily good at tracking items and … people. I know because I tried. https://mashable.com/review/apple-airtags-review/
Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed https://9to5mac.com/2021/04/30/airtag-stalking-protections/

Apr 26, 2021 • 56min
Hunting for Stingrays (Part 2)
While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the “good guys” as well as the “bad guys”. In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we’ll talk about why it’s so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities.
Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state-sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
DIGITS documentary: https://curiositystream.com/video/1720
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Apr 19, 2021 • 53min
Hunting for Stingrays (Part 1)
The single easiest way to track someone today is using their cell phone. We have them with us at all times and in order for them to work, they must be tracked by the cell phone network. When law enforcement wants to identify people at a protest or hanging around a particular area, they could take the time to get a warrant to present to multiple cell phone providers. Or they could simply bring in a portable, fake cell site. Any cell phones in the area will reveal their location to all nearby cell sites, and the owners of those phones will be none the wiser. The use of cell site simulators (often known by a particularly popular model called a “Stingray”) is heavily shrouded in secrecy. Even their very existence was denied for years. Today, we’ll talk with a man who has made it his mission to uncover the use of such devices. We’ll talk about how they work, why they’re so hard to detect, and the broader implications of their use by police and sheriff’s departments with little to no oversight.
Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of state-sponsored malware campaigns such as Dark Caracal. He has also performed security trainings for activists, non-profit workers and ordinary folks, and given talks about security research at security conferences around the world. He previously worked building websites for non-profits, such as Greenpeace, Adbusters, and the Chelsea Manning Support Network. Cooper was also an editor and contributor to the hacktivist journal, “Hack this Zine.” He has spoken at multiple Black Hat conferences about security issues ranging from IMSI catchers to malware attacks against journalists.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Electronic Frontier Foundation (EFF): https://www.eff.org/
EFF’s Electronic Frontier Alliance: https://www.eff.org/electronic-frontier-alliance
Crocodile Hunter project: https://github.com/EFForg/crocodilehunter
How IMSI catchers work: https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks
EFF page on IMSI catchers: https://www.eff.org/pages/cell-site-simulatorsimsi-catchers
Why 5G won’t help: https://www.eff.org/deeplinks/2019/01/5g-protocol-may-still-be-vulnerable-imsi-catchers
Sea Glass project: https://seaglass.cs.washington.edu/
Sitch project: https://sensor.readthedocs.io/en/latest/
My new Apress video: Maximum Privacy with End-to-End Encryption https://link.springer.com/video/10.1007/978-1-4842-7034-9

Apr 12, 2021 • 1h 7min
Trust No One
Lots of news to cover today… and to me the common thread seems to be a lack of proper security and privacy. So the theme today is “trust no one”. And the idea there isn’t really personal trust, but computer trust, algorithm trust, procedural trust. We need to engineer our systems and processes around the idea that data is a toxic asset that loves to find ways to leak. Assume that you will be hacked. Assume an employee will do something stupid or go rogue. Assume the “bad guys” will find a way to bypass your main security barrier, so you need to have a second, and possibly a third, barrier in place.
Today I’ll tell you about yet another massive Facebook and LinkedIn data leak; a new vaccine survey scam to watch out for; some new and troubling ransomware tactics to force victims to pay even if they have good data backups; a hacker site that sold credit cards and social security numbers was itself hacked; LexisNexis and Clearview AI have been working very closely with law enforcement, including ICE; and the ACLU has been caught sharing their own users’ data with (of all companies) Facebook. And finally, I review the fantastic new book, Privacy is Power by Carissa Véliz.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
Privacy is Power book review: https://firewallsdontstopdragons.com/privacy-is-power-review/
Were you part of a data breach? https://haveibeenpwned.com/
Articles quoted today:
Don’t Fall for the ‘Vaccine Survey’ Scam https://twocents.lifehacker.com/don-t-fall-for-the-vaccine-survey-scam-1846620925
Ransomware gang leaks data from Stanford, Maryland universities https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-stanford-maryland-universities/
Ransom Gangs Emailing Victim Customers for Leverage https://krebsonsecurity.com/2021/04/ransom-gangs-emailing-victim-customers-for-leverage/
Facebook Says Leak of 533 Million Users’ Data Wasn’t a Hack. https://www.wsj.com/articles/facebook-says-leak-of-533-million-users-data-wasnt-a-hack-does-it-matter-11617910106 , https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/
Another 500 million accounts have leaked online, and LinkedIn’s in the hot seat https://www.theverge.com/2021/4/8/22374464/linkedin-data-leak-500-million-accounts-scraped-microsoft
70,000 SSNs, 600,000 Credit Card Records Leaked After Stolen-Data Hub Gets Hacked https://gizmodo.com/70-000-ssns-600-000-credit-card-records-leaked-after-s-1846638234
LexisNexis to Provide Giant Database of Personal Information to ICE https://theintercept.com/2021/04/02/ice-database-surveillance-lexisnexis/
Clearview AI used by police https://www.buzzfeednews.com/article/ryanmac/clearview-ai-local-police-facial-recognition
ACLU, a defender of digital privacy, reveals that it shares user data with Facebook https://fortune.com/2021/04/02/aclu-shares-data-facebook-third-parties-digital-privacy/

Apr 5, 2021 • 57min
Social Media is Ruining Society
There are many business models and businesses that we curtail because they can be dangerous to people or democracy or society. Even rights enshrined in the US Constitution have reasonable limits. Now that it’s become evident how engagement-optimized and algorithm-driven social media is ripping at the very fabric of our democracy, it’s time for an intervention. Today, Phil Zimmermann (creator of PGP) will explain why things have gotten so bad and what we need to do to fix it and save civil society.
Phil Zimmermann is the creator of Pretty Good Privacy. PGP is still widely regarded as the gold standard for secure email communication and caused quite a controversy when it was introduced in the early 1990s. Phil went on to form Silent Circle and win several prestigious awards including US Privacy Champion and was inducted into the Cybersecurity Hall of Fame.
Further Info
BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons
About Phil Zimmermann: https://www.philzimmermann.com/EN/background/index.html
Read Crypto by Steven Levy: https://amzn.to/2PyAjKE
Silent Circle: https://www.silentcircle.com/
Okuna update: https://medium.com/okuna/the-path-forward-8d56ccf37b5c
Check out Somus.app: https://www.somus.app/
Watch The Social Dilemma: https://www.netflix.com/title/81254224
Watch The Great Hack: https://www.netflix.com/Title/80117542
Foundation for Individual Rights in Education (FIRE): https://www.thefire.org/

Mar 29, 2021 • 1h 16min
Stop Using SMS for 2FA
Passwords suck and humans aren’t good at using them. Password managers can help a lot, but to truly improve your account security these days, you need to add defense in depth. The easiest way to do that today is to enable two-factor authentication, or 2FA. Many websites have supported 2FA for years, but as hacking has gotten more aggressive and password databases are being stolen more often, the popularity of 2FA has grown significantly in the last year or two. Unfortunately, many 2FA systems rely on the lowest common denominator for implementing the PIN code system: SMS or text messaging. SMS is very old, but also very widely used and supported. It’s never been terribly secure, but recently some clever security researchers have discovered a simple and cheap way to steal your text messages. Like, for $16. I’ll explain this hack and tell you how and why you should switch to the much more secure Time-based One-Time Password (TOTP) system for 2FA.
In other news: I’ll update you on the massive Microsoft Exchange hack; I’ll cover a couple of stories about Apple bowing to pressure from foreign powers; thousands of surveillance cameras hacked in major corporations, schools, hospitals and even jails; a clever technique to identify deepfake videos; two welcome new privacy features in Firefox; Amazon’s take-it-or-leave-it driver surveillance demands; opting out of T-Mobile’s new data grab; and Texas making hundreds of millions of dollars off their citizens’ data.
Further Info
Amazing Tom Cruise deep fake videos: https://www.tiktok.com/@deeptomcruise
Stop using SMS for 2FA: https://firewallsdontstopdragons.com/stop-using-text-messages-for-2fa/
First interview with PGP’s Phil Zimmermann: https://podcast.firewallsdontstopdragons.com/2018/05/07/we-now-live-in-the-golden-age-of-surveillance/
Microsoft: 92% of Exchange servers safe from ProxyLogon attacks https://www.bleepingcomputer.com/news/security/microsoft-92-percent-of-exchange-servers-safe-from-proxylogon-attacks/
Apple Provides Timeline for ProtonVPN App Update, Suggesting App Store Rejection Was Unrelated to Current Events in Myanmar https://www.macrumors.com/2021/03/25/apple-responds-protonvpn-app-update-rejection/
Apple Bent the Rules for Russia—and Other Countries Will Take Note https://www.wired.com/story/apple-russia-iphone-apps-law/
Hackers Breach Thousands of Security Cameras, Exposing Tesla, Jails, Hospitals https://www.bloomberg.com/news/articles/2021-03-09/hackers-expose-tesla-jails-in-breach-of-150-000-security-cams?sref=iKB6XOvf
Scientists developed a clever way to detect Deepfakes by analyzing light reflections in the eyes https://thenextweb.com/neural/2021/03/11/ai-detects-deepfakes-analyzing-light-reflections-in-the-cornea-eyes-gans-thispersondoesnotexist/
Firefox 87 introduces new SmartBlock tracker blocking mechanism https://appleinsider.com/articles/21/03/24/firefox-87-launches-introduces-new-smartblock-tracker-blocking-mechanism
Mozilla Firefox tweaks Referrer Policy to shore up user privacy https://www.zdnet.com/article/mozilla-firefox-tweaks-referrer-policy-to-shore-up-user-privacy/
Amazon Delivery Drivers Forced to Sign ‘Biometric Consent’ Form or Lose Job https://www.vice.com/en/article/dy8n3j/amazon-delivery-drivers-forced-to-sign-biometric-consent-form-or-lose-job
It’s mind-blowing how many millions of dollars Texas makes each year selling your personal data https://www.dallasnews.com/news/watchdog/2021/03/19/its-mind-blowing-how-many-millions-of-dollars-texas-makes-each-year-selling-your-personal-data/
U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts https://www.macrumors.com/2021/03/25/sms-routing-vulnerability-fix/

Mar 22, 2021 • 38min
Computers Interviewing Humans (Part 2)
Given that we’re using computer algorithms to evaluate humans, can these systems be gamed or fooled? And is it possible that computers are less biased than humans? On any given day, humans can be distracted, tired, sick or just flat out biased against people for any number of reasons. Should these systems be more transparent? How do we know if they’re being fair? Do we need to regulate these services? Is there a happy medium here? And finally, if you feel that you’ve been unfairly discriminated against by these systems, is there anything you can do about it?
John Davisson is Senior Counsel at EPIC. John works on a variety of appellate litigation and Freedom of Information Act cases. John first came to EPIC in 2015 as a clerk in the Internet Public Interest Opportunities Program. He has previously clerked at Levine Sullivan Koch & Schulz, served as a student attorney in the Civil Rights Section of Georgetown’s Institute for Public Representation, and interned at the Appignani Humanist Legal Center. John is a 2016 magna cum laude graduate of Georgetown University Law Center, where he was managing editor of the Georgetown Journal on Poverty Law & Policy, a Georgetown Law Fellow, and an NGO observer to the 9/11 military commission at Naval Station Guantanamo Bay. He worked as a journalist before entering the law and earned his B.A. at Columbia University. John is a member of the New York and District of Columbia bars.
Further Info:
Electronic Privacy Information Center: https://epic.org/
Become a patron! https://www.patreon.com/FirewallsDontStopDragons
Follow me!
https://twitter.com/FirewallDragons
https://www.facebook.com/FirewallsDontStopDragons
https://bit.ly/Firewalls-YouTube