Firewalls Don't Stop Dragons Podcast

If you're a Windows PC user, you know the term "bloatware", or maybe "crapware". Every consumer PC comes chock full of it. Free trials of games, cloud storage services and antivirus software. Half a dozen "helper" apps from the PC manufacturer. Pre-installed calling, chat, and shopping services. It's a mess. But they're not just annoying. They can slow down your computer's startup and shutdown, and waste precious battery life on laptops. Today I'll share two ways to take out this trash. In other news: Android 11 and iOS 14 are out, and have neat new security and privacy features; Google is blocking W3C efforts to improve your privacy while also blocking resource-hogging ads in Chrome and blocking stalkerware apps in the Google Play Store; the FBI is now worried that video doorbells may actually let people spy on them; Facebook will try to ban deepfake political videos; and the US House unanimously passes a much-needed IoT security bill.

Enterprising scammers have found some very clever ways to trick you into believing your computer needs fixing, when in reality it's just fine. Using various techniques, fake web pop-up alerts can cause your browser or computer to seem sluggish or malfunctioning. And then you get a helpful pop-up alerting you of a serious problem and offering to help you fix it - for a fee. I'll tell you how to spot these fakes and how to recover from the issues they've inflicted. In other news: there's a new and nasty Bluetooth bug, Emotet malware infections are spiking, Apple accidentally notarized malware in its App Store, Apple chooses to delay it's key privacy feature on iOS 14 due to push back from marketing companies like Facebook, the Epic/Apple battle ratchets up yet again, a US circuit court rules that warrantless wiretapping is illegal, Portland enacts the country's strictest ban on facial recognition technology, and the secure messaging app Threema has decided to go open source. Further Info: Order the 4th edition of my book: https://www.apress.com/us/book/9781484261880Enter my book giveaway! http://bit.ly/firewalls4

Did you know that Google's search can track you on a non-Chrome browser, even if you block third party cookies? And did you also know that there's a gaping privacy hole in web surfing that even a VPN may not fix? Is it possible to defeat browser fingerprinting? In the second half of my interview with Mozilla's Chief Security Officer Marshall Erwin, we'll answer these questions and much more. Marshall will give us his personal privacy tips and tell us about some upcoming Firefox features. And perhaps most importantly, he'll tell us what we can do to support Mozilla and Firefox. Marshall Erwin is the Chief Security Officer at the Mozilla Corporation, where he leads teams responsible for protecting Mozilla and its users. He also drives policy initiatives on encryption, government vulnerability disclosure, malicious online content, and online political advertising, as well as product initiatives to protect people from pervasive web tracking. Prior to joining Mozilla, Marshall worked in a variety of positions related to technology policy, cybersecurity, and national security more broadly. He began his career in national security, an analyst covering counterterrorism and cybersecurity. He also served as the counterterrorism and intelligence adviser on the Senate Homeland Security and Government Affairs Committee and as the intelligence specialist at the Congressional Research Service, focusing on National Security Agency surveillance programs and legislative changes to FISA statute. Marshall is a current Non-Residential Fellow at Stanford Law School’s Center for Internet & Society. Further Info: Download the Firefox browser: https://www.mozilla.org/en-US/firefox/new/Donate to Mozilla Foundation: https://donate.mozilla.org/en-US/Pre-order the 4th edition of my book: https://www.amazon.com/gp/product/148426188Enter my book giveaway! http://bit.ly/firewalls4

If you really care about online privacy, you can't use Google's Chrome browser. Google is an advertising company. Everything else they do is in support of that core business. If you want a secure, fast browser that is actually focused on protecting your privacy, you want to be using Mozilla's Firefox browser. Today I'll be speaking with Mozilla's Chief Security Officer, Marshall Erwin. We'll trace Firefox's heritage back to the stalwart Netscape Navigator and then dive into the ugly world of ubiquitous web tracking, by both governments and corporations. Are we really going dark? Why is privacy important? Are targeted ads really worth that much more than "dumb" ads? Marshall Erwin is the Chief Security Officer at the Mozilla Corporation, where he leads teams responsible for protecting Mozilla and its users. He also drives policy initiatives on encryption, government vulnerability disclosure, malicious online content, and online political advertising, as well as product initiatives to protect people from pervasive web tracking. Prior to joining Mozilla, Marshall worked in a variety of positions related to technology policy, cybersecurity, and national security more broadly. He began his career in national security, an analyst covering counterterrorism and cybersecurity. He also served as the counterterrorism and intelligence adviser on the Senate Homeland Security and Government Affairs Committee and as the intelligence specialist at the Congressional Research Service, focusing on National Security Agency surveillance programs and legislative changes to FISA statute. Marshall is a current Non-Residential Fellow at Stanford Law School’s Center for Internet & Society. Further Info: Firefox browser: https://www.mozilla.org/en-US/firefox/new/Donate to Mozilla Foundation: https://donate.mozilla.org/en-US/Pre-order the 4th edition of my book: https://www.amazon.com/gp/product/1484261887

Epic - the maker of the massively popular game Fortnite - has thrown down the proverbial gauntlet. It has decided that it no longer wishes to cut Apple in for 30% of its profits... Which is exactly what all app developers do - and have explicitly and contractually agreed to do - in return for using Apple's platform, tools, software development kits, and security testing. Apple provides this and access to billions of users. Microsoft, Sony and Google charge the same 30% in their app stores. But Epic claims that Apple's cut is too much, and has deliberately picked a legal fight with Apple (and Google) to try to get more favorable terms or be allowed to run a private Epic store. It's complex and nuanced, but I'll wade into the muddy and turbulent waters on today's show. In other news: There's a tricky new Outlook email phishing scam going around, Jack Daniels has been hacked and asked to pay millions in ransom, Google had a big outage, your location data is for sale to corporations as well as government agencies (bypassing the need for court orders and warrants), and I'll cover a couple interesting Android security stories from the recent DEFCON and BlackHat security conferences. Further Info: Scan suspicious files online: www.virustotal.com

Can Facebook or Google really promise to keep your data private in this era of mass surveillance by the likes of the NSA and GCHQ? Max Schrems doesn't think so, and he's convinced the EU Court of Justice of the same thing. There's no way to protect user data when intelligence agencies are hoovering up all our communications and storing them on massive server farms forever. In part 2 of my chat with EFF's Danny O'Brien, we'll talk about the two Shrems cases in the EU and what the recent ruling against Privacy Shield will mean for all of us. Danny O'Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain's own digital rights organization. He was EFF's activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF's medium and long-term strategy, with an eye to maintaining the organization's global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacyNone of Your Business: https://noyb.eu/en Donate to EFF: https://supporters.eff.org/donate/join-eff-today

What good are privacy laws when we all know that intelligence agencies don't play by the rules? How can any company promise to keep our data safe when we know that agencies like the NSA and GCHQ are hoovering it all up? That's the essential argument behind the Max Schrems cases at the European Court of Justice. And the EU court agrees. In part 1 of my interview with EFF's Danny O'Brien, we'll talk about how we got here and how the parallel development of data mining and mass surveillance led us to these (successful) court challenges. Danny O'Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain's own digital rights organization. He was EFF's activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF's medium and long-term strategy, with an eye to maintaining the organization's global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacyDonate to EFF: https://supporters.eff.org/donate/join-eff-today

When most people think of protecting their computers, they think of antivirus software. Viruses are a real problem, of course, but how well do antivirus (AV) apps protect you? And are there any downsides to using AV software? Turns out there are plenty - so many that the cons probably outweigh the pros for most people, on Apple Mac or on Windows PC. Don't believe me? Listen to this show and then decide. In other news: Google is finally bringing its Google One storage app to iOS, but don't use it; Netgear has declared that at least 45 of their highly vulnerably routers will never be fixed; and if you've purchased anything from Amazon, you have a public profile - and you should review what others can see about you. Further Info: Cryptomator: https://cryptomator.org/Sync.com secure cloud storageNetgear routers you should get rid of: https://www.tomsguide.com/news/netgear-routers-no-fixesMy "pros & cons of AV" article: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/

Last week, Twitter was massively hacked - apparently just to launch a Bitcoin scam (though that story is still developing). Famous people's accounts were taken over, including Joe Biden, Barack Obama, Bill Gates, Elon Musk and several popular brand name accounts. (President Trump's account was not taken over due to enhanced security measures.) But beyond the details of the hack, we need to look at the bigger picture and what this hack should be telling us about these totally unregulated social media giants with zero accountability. We'll dig into that in today's show. In other news: account credential dumps have significantly increased on the dark web, including over 140 million MGM Resort creds; Windows 10 suffers another maddening bug, but there's a workaround; Signal has stirred up a lot of controversy with a recent change; a massive wifi router study revealed widespread security problems; and I'll go over some of the cool new privacy features coming in iOS 14 and macOS Big Sur. Further Info: Windows 10 "No Internet Connection" workaround: https://lifehacker.com/how-to-fix-windows-10s-latest-no-internet-connection-bu-1844458254 Fraunhofer Institute router security report: https://github.com/fkie-cad/embedded-evaluation-corpus/blob/master/2020/FKIE-HRS-2020.md

In the second part of my interview with Renee Dudley from ProPublica, we delve into the cyber insurance and ransomware incident response industries, including how some of these companies are being less than forthcoming about their services. In fact, it appears that several "incident response" companies are simply paying the ransom and then charging companies a fee on top of that. We'll talk about how cyber insurance works and how to decide whether or not it's for you. And Renee will also give us some tips on choosing an incident response firm and what red flags to watch out for. Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. Before joining Reuters in 2015, she worked as a reporter in New York for Bloomberg News and in South Carolina for The (Charleston) Post and Courier and The (Hilton Head) Island Packet. At Bloomberg, she uncovered questionable accounting and unauthorized sales practices at Walmart Inc. In Charleston, her reporting led to the indictment and resignation of South Carolina’s most powerful politician. She received the Society of Professional Journalists’ Pulliam Award in 2010 for her work upholding First Amendment rights while reporting for The Island Packet. Further Information: ProPublica on ransomware: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacksMike Gillespie to the rescue: https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinoisID Ransomware: https://id-ransomware.malwarehunterteam.com/No More Ransom: https://www.nomoreransom.org/Bleeping Computer: https://www.bleepingcomputer.com/