Firewalls Don't Stop Dragons Podcast

Can Facebook or Google really promise to keep your data private in this era of mass surveillance by the likes of the NSA and GCHQ? Max Schrems doesn’t think so, and he’s convinced the EU Court of Justice of the same thing. There’s no way to protect user data when intelligence agencies are hoovering up all our communications and storing them on massive server farms forever. In part 2 of my chat with EFF’s Danny O’Brien, we’ll talk about the two Shrems cases in the EU and what the recent ruling against Privacy Shield will mean for all of us. Danny O’Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain’s own digital rights organization. He was EFF’s activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF’s medium and long-term strategy, with an eye to maintaining the organization’s global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacy None of Your Business: https://noyb.eu/en  Donate to EFF: https://supporters.eff.org/donate/join-eff-today

What good are privacy laws when we all know that intelligence agencies don’t play by the rules? How can any company promise to keep our data safe when we know that agencies like the NSA and GCHQ are hoovering it all up? That’s the essential argument behind the Max Schrems cases at the European Court of Justice. And the EU court agrees. In part 1 of my interview with EFF’s Danny O’Brien, we’ll talk about how we got here and how the parallel development of data mining and mass surveillance led us to these (successful) court challenges. Danny O’Brien has been an activist for online free speech and privacy for over 20 years. In his home country of the UK, he fought against repressive anti-encryption law, and helped found the Open Rights Group, Britain’s own digital rights organization. He was EFF’s activist from 2005 to 2007, its international outreach coordinator from 2007-2009, and international director from 2013-2019. He now supervises EFF’s medium and long-term strategy, with an eye to maintaining the organization’s global impact and reputation. Further Info: EU Court Again Rules That NSA Spying Makes U.S. Companies Inadequate for Privacy: https://www.eff.org/deeplinks/2020/07/eu-court-again-rules-nsa-spying-makes-us-companies-inadequate-privacy Donate to EFF: https://supporters.eff.org/donate/join-eff-today

When most people think of protecting their computers, they think of antivirus software. Viruses are a real problem, of course, but how well do antivirus (AV) apps protect you? And are there any downsides to using AV software? Turns out there are plenty – so many that the cons probably outweigh the pros for most people, on Apple Mac or on Windows PC. Don’t believe me? Listen to this show and then decide. In other news: Google is finally bringing its Google One storage app to iOS, but don’t use it; Netgear has declared that at least 45 of their highly vulnerably routers will never be fixed; and if you’ve purchased anything from Amazon, you have a public profile – and you should review what others can see about you. Further Info: Cryptomator: https://cryptomator.org/ Sync.com secure cloud storage Netgear routers you should get rid of: https://www.tomsguide.com/news/netgear-routers-no-fixes My “pros & cons of AV” article: https://firewallsdontstopdragons.com/the-pros-and-cons-of-anti-virus-software/

Last week, Twitter was massively hacked – apparently just to launch a Bitcoin scam (though that story is still developing). Famous people’s accounts were taken over, including Joe Biden, Barack Obama, Bill Gates, Elon Musk and several popular brand name accounts. (President Trump’s account was not taken over due to enhanced security measures.) But beyond the details of the hack, we need to look at the bigger picture and what this hack should be telling us about these totally unregulated social media giants with zero accountability. We’ll dig into that in today’s show. In other news: account credential dumps have significantly increased on the dark web, including over 140 million MGM Resort creds; Windows 10 suffers another maddening bug, but there’s a workaround; Signal has stirred up a lot of controversy with a recent change; a massive wifi router study revealed widespread security problems; and I’ll go over some of the cool new privacy features coming in iOS 14 and macOS Big Sur. Further Info: Windows 10 “No Internet Connection” workaround: https://lifehacker.com/how-to-fix-windows-10s-latest-no-internet-connection-bu-1844458254 Fraunhofer Institute router security report: https://github.com/fkie-cad/embedded-evaluation-corpus/blob/master/2020/FKIE-HRS-2020.md

In the second part of my interview with Renee Dudley from ProPublica, we delve into the cyber insurance and ransomware incident response industries, including how some of these companies are being less than forthcoming about their services. In fact, it appears that several “incident response” companies are simply paying the ransom and then charging companies a fee on top of that. We’ll talk about how cyber insurance works and how to decide whether or not it’s for you. And Renee will also give us some tips on choosing an incident response firm and what red flags to watch out for. Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. Before joining Reuters in 2015, she worked as a reporter in New York for Bloomberg News and in South Carolina for The (Charleston) Post and Courier and The (Hilton Head) Island Packet. At Bloomberg, she uncovered questionable accounting and unauthorized sales practices at Walmart Inc. In Charleston, her reporting led to the indictment and resignation of South Carolina’s most powerful politician. She received the Society of Professional Journalists’ Pulliam Award in 2010 for her work upholding First Amendment rights while reporting for The Island Packet. Further Information: ProPublica on ransomware: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks Mike Gillespie to the rescue: https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinois ID Ransomware: https://id-ransomware.malwarehunterteam.com/ No More Ransom: https://www.nomoreransom.org/ Bleeping Computer: https://www.bleepingcomputer.com/

Unless you’ve been living under a rock, you know that ransomware is one of the most common and most lucrative cybersecurity rackets today. But despite all the press, ransomware is massively under-reported because companies don’t want bad press. And in most cases, unless it can be proven that data was actually stolen, companies are under no legal obligation to inform the data subjects (you) of these hacks. In part one of my interview with Renee Dudley from ProPublica, we’ll discuss the current state of the ransomware problem and the emergence of cyber insurance and incident response companies to deal with the threat and recover from attacks. And we’ll also see that not all players are above board about what they do. Renee Dudley is a tech reporter at ProPublica. Before joining ProPublica in 2018, she was a member of the enterprise team at Reuters, where she reported extensively on issues with college-entrance exams. Before joining Reuters in 2015, she worked as a reporter in New York for Bloomberg News and in South Carolina for The (Charleston) Post and Courier and The (Hilton Head) Island Packet. At Bloomberg, she uncovered questionable accounting and unauthorized sales practices at Walmart Inc. In Charleston, her reporting led to the indictment and resignation of South Carolina’s most powerful politician. She received the Society of Professional Journalists’ Pulliam Award in 2010 for her work upholding First Amendment rights while reporting for The Island Packet. Further Information: ProPublica on ransomware: https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks Mike Gillespie to the rescue: https://www.propublica.org/article/the-ransomware-superhero-of-normal-illinois ID Ransomware: https://id-ransomware.malwarehunterteam.com/ No More Ransom: https://www.nomoreransom.org/ Bleeping Computer: https://www.bleepingcomputer.com/

TikTok is the hot new social media service (Snapchat and Instragram are so last year), particularly in Asian countries like India. But India just banned this and several other apps from China over privacy concerns – and I have a feeling they won’t be the last. The TikTok app was just revealed to be copying the user’s clipboard contents every few seconds for some completely unknown reason (and TikTok’s explanation was lame). While it has supposedly “fixed” this, another researcher claims to have reverse engineered the TikTok app and found that it’s pulling all sorts of other user data – enough to put Facebook and Google to shame. Short answer? Delete this app. And there’s a ton of other news this week: Zoom changes course on end-to-end encryption for free users, with a couple catches; I have more info on the recent Netgear router vulnerability affecting dozens of their products; Adobe Flash will be erased from the Earth by year’s end; Oracle’s BlueKai data mining subsidiary left a ton of personal data exposed with no password; Sen. Sherrod Brown (D-Ohio) has a wonderful privacy proposal that will probably never pass Congress; new Mac malware uses a trick to get around Apple’s app security; Microsoft shoves its new Edge browser down its users’ virtual throats; and Comcast is the first ISP to qualify for Mozilla’s Trusted Recursive Resolver program (DNS over HTTPS) and might switch out Cloudflare without asking you. Further Info: Netgear router fix info: https://bit.ly/netgear-fix https://bit.ly/netgear-passwords  Humble Bundle – LAST CHANCE! https://www.humblebundle.com/books/protect-your-stuff-apress-books

In the second half of my interview with Eduard Goodman and Adam Levin from Cyberscout, we discuss the privacy aspects of our new work- and learn-from-home reality. How much privacy should you really expect? What are your legal rights? What should we beware of when using a single device for both work and personal things? How much should companies be willing to spend to make sure their employees and intellectual property are well protected while working from home? How do we avoid, as a democracy, giving up too much privacy with hopes it will make us more secure? Will we ever get that privacy back? We discuss all of this and much more! Eduard Goodman is the Chief Legal Counsel and Global Privacy Officer for CyberScout, a global leader in identity theft resolution, data defense and employee benefits services. An internationally trained attorney and data protection expert, Goodman has more than twenty years of experience in global privacy law and cybersecurity. Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. He is also the author of the book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Further Info: CyberScout: https://www.cyberscout.com/en My Apress Humble Bundle: https://www.humblebundle.com/books/protect-your-stuff-apress-books Patreon: https://www.patreon.com/FirewallsDontStopDragons

Today I speak with not one but two experts on security and privacy to get their insights, stories and tips on staying safe from scammers and hackers in our new COVID19 pandemic reality. These guys have dealing with cyber incidents every day and bring some unique perspectives. In some ways, it’s same stuff, different day; but the pandemic, economy woes and general civil unrest have given the bad guys some fertile material for working their craft. Eduard Goodman is the Chief Legal Counsel and Global Privacy Officer for CyberScout, a global leader in identity theft resolution, data defense and employee benefits services. An internationally trained attorney and data protection expert, Goodman has more than twenty years of experience in global privacy law and cybersecurity. Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. He is also the author of the book Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Further Info: CyberScout: https://www.cyberscout.com/en My Apress Humble Bundle: https://www.humblebundle.com/books/protect-your-stuff-apress-books Patreon: https://www.patreon.com/FirewallsDontStopDragons

With the US general election just over 20 weeks away and no vaccine in sight for the coronavirus, it’s time to think very seriously about how you’re going to vote. Even if you think you want to vote in person this November, you should have a backup plan: voting by mail. This means that you’ll need to register for an absentee ballot – and the sooner you do so, the better prepared your state and county will be. I’ll tell you everything you need to know to get your absentee ballot. In other news: Microsoft, IBM and Amazon have taken very welcome steps to curbing the use of facial recognition for law enforcement purposes; the FBI is once again warning us about banking hacks, this time related to mobile apps; the Brave browser was busted “accidentally” trying to cash in on your browsing; Google is being sued for $5B over its Chrome browser tracking while in incognito mode; and Zoom is rolling out full end-to-end encryption on its video conferencing solution… if you’re willing to pay. Further Info: Get your absentee ballot: https://www.vote.org/ Support election reform: https://www.verifiedvoting.org/ Support fair and open voting: https://fairfight.com/ Vote at home: https://www.voteathome.org/