Firewalls Don't Stop Dragons Podcast

If you really care about online privacy, you can't use Google's Chrome browser. Google is an advertising company. Everything else they do is in support of that core business. If you want a secure, fast browser that is actually focused on protecting your privacy, you want to be using Mozilla's Firefox browser. Today I'll be speaking with Mozilla's Chief Security Officer, Marshall Erwin. We'll trace Firefox's heritage back to the stalwart Netscape Navigator and then dive into the ugly world of ubiquitous web tracking, by both governments and corporations. Are we really going dark? Why is privacy important? Are targeted ads really worth that much more than "dumb" ads? Marshall Erwin is the Chief Security Officer at the Mozilla Corporation, where he leads teams responsible for protecting Mozilla and its users. He also drives policy initiatives on encryption, government vulnerability disclosure, malicious online content, and online political advertising, as well as product initiatives to protect people from pervasive web tracking. Prior to joining Mozilla, Marshall worked in a variety of positions related to technology policy, cybersecurity, and national security more broadly. He began his career in national security, an analyst covering counterterrorism and cybersecurity. He also served as the counterterrorism and intelligence adviser on the Senate Homeland Security and Government Affairs Committee and as the intelligence specialist at the Congressional Research Service, focusing on National Security Agency surveillance programs and legislative changes to FISA statute. Marshall is a current Non-Residential Fellow at Stanford Law School’s Center for Internet & Society. Further Info: Firefox browser: https://www.mozilla.org/en-US/firefox/new/Donate to Mozilla Foundation: https://donate.mozilla.org/en-US/Pre-order the 4th edition of my book: https://www.amazon.com/gp/product/1484261887

Epic - the maker of the massively popular game Fortnite - has thrown down the proverbial gauntlet. It has decided that it no longer wishes to cut Apple in for 30% of its profits... Which is exactly what all app developers do - and have explicitly and contractually agreed to do - in return for using Apple's platform, tools, software development kits, and security testing. Apple provides this and access to billions of users. Microsoft, Sony and Google charge the same 30% in their app stores. But Epic claims that Apple's cut is too much, and has deliberately picked a legal fight with Apple (and Google) to try to get more favorable terms or be allowed to run a private Epic store. It's complex and nuanced, but I'll wade into the muddy and turbulent waters on today's show. In other news: There's a tricky new Outlook email phishing scam going around, Jack Daniels has been hacked and asked to pay millions in ransom, Google had a big outage, your location data is for sale to corporations as well as government agencies (bypassing the need for court orders and warrants), and I'll cover a couple interesting Android security stories from the recent DEFCON and BlackHat security conferences. Further Info: Scan suspicious files online: www.virustotal.com

Can Facebook or Google really promise to keep your data private in this era of mass surveillance by the likes of the NSA and GCHQ? Max Schrems doesn't think so, and he's convinced the EU Court of Justice of the same thing. There's no way to protect user data when intelligence agencies are hoovering up all our communications and storing them on massive server farms forever. In part 2 of my chat with EFF's Danny O'Brien, we'll talk about the two Shrems cases in the EU and what the recent ruling against Privacy Shield will mean for all of us. Danny O'Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain's own digital rights organization. He was EFF's activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF's medium and long-term strategy, with an eye to maintaining the organization's global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacyNone of Your Business: https://noyb.eu/en Donate to EFF: https://supporters.eff.org/donate/join-eff-today

What good are privacy laws when we all know that intelligence agencies don't play by the rules? How can any company promise to keep our data safe when we know that agencies like the NSA and GCHQ are hoovering it all up? That's the essential argument behind the Max Schrems cases at the European Court of Justice. And the EU court agrees. In part 1 of my interview with EFF's Danny O'Brien, we'll talk about how we got here and how the parallel development of data mining and mass surveillance led us to these (successful) court challenges. Danny O'Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain's own digital rights organization. He was EFF's activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF's medium and long-term strategy, with an eye to maintaining the organization's global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacyDonate to EFF: https://supporters.eff.org/donate/join-eff-today

When most people think of protecting their computers, they think of antivirus software. Viruses are a real problem, of course, but how well do antivirus (AV) apps protect you? And are there any downsides to using AV software? Turns out there are plenty - so many that the cons probably outweigh the pros for most people, on Apple Mac or on Windows PC. Don't believe me? Listen to this show and then decide. In other news: Google is finally bringing its Google One storage app to iOS, but don't use it; Netgear has declared that at least 45 of their highly vulnerably routers will never be fixed; and if you've purchased anything from Amazon, you have a public profile - and you should review what others can see about you. Further Info: Cryptomator: https://cryptomator.org/Sync.com secure cloud storageNetgear routers you should get rid of: https://www.tomsguide.com/news/netgear-routers-no-fixesMy "pros & cons of AV" article: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/

Last week, Twitter was massively hacked - apparently just to launch a Bitcoin scam (though that story is still developing). Famous people's accounts were taken over, including Joe Biden, Barack Obama, Bill Gates, Elon Musk and several popular brand name accounts. (President Trump's account was not taken over due to enhanced security measures.) But beyond the details of the hack, we need to look at the bigger picture and what this hack should be telling us about these totally unregulated social media giants with zero accountability. We'll dig into that in today's show. In other news: account credential dumps have significantly increased on the dark web, including over 140 million MGM Resort creds; Windows 10 suffers another maddening bug, but there's a workaround; Signal has stirred up a lot of controversy with a recent change; a massive wifi router study revealed widespread security problems; and I'll go over some of the cool new privacy features coming in iOS 14 and macOS Big Sur. Further Info: Windows 10 "No Internet Connection" workaround: https://lifehacker.com/how-to-fix-windows-10s-latest-no-internet-connection-bu-1844458254 Fraunhofer Institute router security report: https://github.com/fkie-cad/embedded-evaluation-corpus/blob/master/2020/FKIE-HRS-2020.md

In the second part of my interview with Renee Dudley from ProPublica, we delve into the cyber insurance and ransomware incident response industries, including how some of these companies are being less than forthcoming about their services. In fact, it appears that several "incident response" companies are simply paying the ransom and then charging companies a fee on top of that. We'll talk about how cyber insurance works and how to decide whether or not it's for you. And Renee will also give us some tips on choosing an incident response firm and what red flags to watch out for. Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. Before joining Reuters in 2015, she worked as a reporter in New York for Bloomberg News and in South Carolina for The (Charleston) Post and Courier and The (Hilton Head) Island Packet. At Bloomberg, she uncovered questionable accounting and unauthorized sales practices at Walmart Inc. In Charleston, her reporting led to the indictment and resignation of South Carolina’s most powerful politician. She received the Society of Professional Journalists’ Pulliam Award in 2010 for her work upholding First Amendment rights while reporting for The Island Packet. Further Information: ProPublica on ransomware: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacksMike Gillespie to the rescue: https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinoisID Ransomware: https://id-ransomware.malwarehunterteam.com/No More Ransom: https://www.nomoreransom.org/Bleeping Computer: https://www.bleepingcomputer.com/

Unless you've been living under a rock, you know that ransomware is one of the most common and most lucrative cybersecurity rackets today. But despite all the press, ransomware is massively under-reported because companies don't want bad press. And in most cases, unless it can be proven that data was actually stolen, companies are under no legal obligation to inform the data subjects (you) of these hacks. In part one of my interview with Renee Dudley from ProPublica, we'll discuss the current state of the ransomware problem and the emergence of cyber insurance and incident response companies to deal with the threat and recover from attacks. And we'll also see that not all players are above board about what they do. Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. Before joining Reuters in 2015, she worked as a reporter in New York for Bloomberg News and in South Carolina for The (Charleston) Post and Courier and The (Hilton Head) Island Packet. At Bloomberg, she uncovered questionable accounting and unauthorized sales practices at Walmart Inc. In Charleston, her reporting led to the indictment and resignation of South Carolina’s most powerful politician. She received the Society of Professional Journalists’ Pulliam Award in 2010 for her work upholding First Amendment rights while reporting for The Island Packet. Further Information: ProPublica on ransomware: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacksMike Gillespie to the rescue: https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinoisID Ransomware: https://id-ransomware.malwarehunterteam.com/No More Ransom: https://www.nomoreransom.org/Bleeping Computer: https://www.bleepingcomputer.com/

TikTok is the hot new social media service (Snapchat and Instragram are so last year), particularly in Asian countries like India. But India just banned this and several other apps from China over privacy concerns - and I have a feeling they won't be the last. The TikTok app was just revealed to be copying the user's clipboard contents every few seconds for some completely unknown reason (and TikTok's explanation was lame). While it has supposedly "fixed" this, another researcher claims to have reverse engineered the TikTok app and found that it's pulling all sorts of other user data - enough to put Facebook and Google to shame. Short answer? Delete this app. And there's a ton of other news this week: Zoom changes course on end-to-end encryption for free users, with a couple catches; I have more info on the recent Netgear router vulnerability affecting dozens of their products; Adobe Flash will be erased from the Earth by year's end; Oracle's BlueKai data mining subsidiary left a ton of personal data exposed with no password; Sen. Sherrod Brown (D-Ohio) has a wonderful privacy proposal that will probably never pass Congress; new Mac malware uses a trick to get around Apple's app security; Microsoft shoves its new Edge browser down its users' virtual throats; and Comcast is the first ISP to qualify for Mozilla's Trusted Recursive Resolver program (DNS over HTTPS) and might switch out Cloudflare without asking you. Further Info: Netgear router fix info:https://bit.ly/netgear-fixhttps://bit.ly/netgear-passwords Humble Bundle - LAST CHANCE! https://www.humblebundle.com/books/protect-your-stuff-apress-books

In the second half of my interview with Eduard Goodman and Adam Levin from Cyberscout, we discuss the privacy aspects of our new work- and learn-from-home reality. How much privacy should you really expect? What are your legal rights? What should we beware of when using a single device for both work and personal things? How much should companies be willing to spend to make sure their employees and intellectual property are well protected while working from home? How do we avoid, as a democracy, giving up too much privacy with hopes it will make us more secure? Will we ever get that privacy back? We discuss all of this and much more! Eduard Goodman is the Chief Legal Counsel and Global Privacy Officer for CyberScout, a global leader in identity theft resolution, data defense and employee benefits services. An internationally trained attorney and data protection expert, Goodman has more than twenty years of experience in global privacy law and cybersecurity. Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. He is also the author of the book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Further Info: CyberScout: https://www.cyberscout.com/enMy Apress Humble Bundle: https://www.humblebundle.com/books/protect-your-stuff-apress-booksPatreon: https://www.patreon.com/FirewallsDontStopDragons