Firewalls Don't Stop Dragons Podcast

Carey Parker
Jun 24, 2019 • 37min

The Internet of Junk

How many of your “smart” devices are smart enough to update their own software? For that matter, how many of them can upgrade at all? It’s a good bet that most of them run some flavor of the free and open-source Linux operating system. A nasty bug was just found that affects almost all Linux systems, allowing a simple remote command to bring the system to its knees. There have been other bugs found in Linux and there will be more. If your device’s software can’t be updated, it will always be vulnerable. I’ll go over some basic IoT security tips to mitigate your vulnerability, but in the end, older IoT devices that can’t be upgraded should just be pitched. In other news, Firefox just patched two critical vulnerabilities, Dell’s built-in remote assistance software can be remotely hacked, Venmo transactions are still painfully public by default, a Spanish soccer app turns its fans into unwitting narcs, and Facebook has launched a new cryptocurrency called Libra.
Jun 17, 2019 • 38min

The Rise of Stalkerware

In today’s show I have a sobering discussion with the EFF’s Eva Galperin about the rise of stalkerware (sometimes called “spouseware”). It’s become all too easy for abusive, unscrupulous people to spy on their significant others, tracking their every move, monitoring all their communications. We’ll talk about how our phones can be subverted and what measures you can take to prevent it. Eva also provides practical and prudent advice for people who suspect they may be victims of stalkerware. Eva Galperin is EFF’s Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF’s Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, and Kazakhstan. When she is not collecting new and exotic malware, she practices aerial circus arts and learns new languages. Further Info: Surveillance Self Defense: https://ssd.eff.org/ EFF Newsletter: https://supporters.eff.org/subscribe Donate to the EFF: https://supporters.eff.org/donate/
Jun 10, 2019 • 49min

A Tale of Two Browsers: Chrome vs Firefox

Google Chrome is the most popular web browser on the planet by far, used by about two thirds of all web surfers. But Google is an advertising company and ad blockers are a direct threat to their business model. Google is planning to make a highly controversial change to Chrome’s plugin framework that would break some popular ad blocking extensions like uBlock Origin, forcing them to use much less effective techniques for blocking ads. Compare that to Mozilla’s Firefox browser, which just announced even more built-in tracking and ad-blocking capabilities – many of which will be on by default. The evidence is clear: Firefox respects your privacy and is giving you more and more tools with which to protect it; Chrome is doing the opposite. It’s time to switch to Firefox and ditch Chrome. In other news, Maine has just signed a bill into law which will require internet service providers to get your explicit consent before collecting and selling your web surfing data, Apple has announced several privacy-enhancing features to debut in iOS 13 this fall, and Windows Remote Desktop Services are under attack by hackers. Further Info: Patch your old Windows Systems Now! https://firewallsdontstopdragons.com/a-worrisome-windows-worm/ Switch from Google Chrome to Firefox: https://firewallsdontstopdragons.com/its-time-switch-to-firefox/ Firefox’s content blocking settings: https://support.mozilla.org/en-US/kb/content-blocking
Jun 3, 2019 • 37min

Polling on Privacy (Pt2)

Is it possible to hide your tracks online? Is it even worth the effort to try? How do you know which companies, products and services you can trust? Is government regulation the answer? We’ll address all of these questions today in part 2 of my interview with David Ruiz. David will give you several great resources for getting more informed and also for getting more involved in the fight for privacy. David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law. Further Info Who Has Your Back? https://www.eff.org/who-has-your-back-2018 Privacy Not Included: https://foundation.mozilla.org/en/privacynotincluded/ Terms of Service; Didn’t Read: https://tosdr.org/ Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/ Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-top-six-takeaways-for-user-privacy/ Help me to help you! https://www.patreon.com/FirewallsDontStopDragons
May 27, 2019 • 36min

Polling on Privacy (Pt1)

In January of this year, Malwarebytes (a world-class antivirus software maker) conducted a massive poll on privacy that included 4000 people from 66 different countries. On today’s show, I will delve into the key takeaways from this poll and some rather (pleasantly) surprising results. (Tune in next week for part 2.) David Ruiz is a pro-privacy, pro-security writer for Malwarebytes Labs, where he covers online privacy, legislation, and the interplay between technology and the law. Further Info Malwarebytes poll on privacy: https://blog.malwarebytes.com/security-world/2019/03/labs-survey-finds-privacy-concerns-distrust-of-social-media-rampant-with-all-age-groups/ Top 6 Takeaways from poll: https://blog.malwarebytes.com/101/2019/05/the-top-six-takeaways-for-user-privacy/
May 20, 2019 • 30min

Google Knows What You Buy

It shouldn’t surprise you to learn that Google can read your Gmail. You may even realize that Google is scanning your emails for things like trip itineraries, which allows them to automatically add flights and hotel reservations to your Google Calendar, for example. But you may not realize how much other juicy info is there to be mined, like online purchases. Every email receipt you’ve received since you’ve had your Gmail account has almost surely been parsed and indexed. In today’s show, I’ll tell you how you can view this history and even delete it (painful as it may be). In other news, an FCC commissioner has released an update on the selling of location data by cell phone providers, San Francisco is poised to become the first major US city to ban the government use of facial recognition systems, and many popular games have been found to give away tons of user data. Further Info Check your Google purchase history: https://myaccount.google.com/purchases
May 13, 2019 • 21min

Time to Break Up Facebook

Facebook co-founder Chris Hughes makes a heartfelt and cogent argument for breaking up the world’s dominant social media company, Facebook. The litmus test for the US Government has focused too much on impact to consumer pricing, which has little to do with “free” services such as Facebook. It’s time to also consider social and consumer impact. In other news, a photo storage service has been caught using your images to train facial recognition systems without proper disclosure, Google has unveiled plans to allow users to auto-delete certain sensitive user data after a specified number of months, and Facebook has cranked up the creepy factor by encouraging you to identify up to nine of your friends that you are secretly crushing on. Further Info: New York Times Privacy Project: https://www.nytimes.com/2019/05/07/opinion/google-sundar-pichai-privacy.html It’s Time to Break Up Facebook: https://www.nytimes.com/2019/05/09/opinion/sunday/chris-hughes-facebook-zuckerberg.html Firewalls Don’t Stop Dragons links & errata: https://github.com/Apress/firewalls-dont-stop-dragons
May 6, 2019 • 35min

Health Apps Behaving Badly

A disturbing study in the JAMA Network Open journal showed that almost all of 36 mental health apps they downloaded were sharing your data to some extent – many without proper or even any disclosure. Many shared basic data with Facebook and Google, and a few shared very sensitive information like health diaries and self reports of substance abuse. I’ll give you some tips on how you can protect yourself. In other news, Firefox plugins were all shut off over the weekend due to a Mozilla certificate expiring, bad guys are using Google ads to trick you into paying money to fake customer support sites, data from 80M US households was found lying around on Microsoft servers, and Princeton has a cool new app that will tell you which of your IoT devices may be snitching on you. Further Info: Terms of Service; Didn’t Read: https://tosdr.org/ Princeton IoT Inspector: https://iot-inspector.princeton.edu/ Spring Cleaning for your apps: https://firewallsdontstopdragons.com/close-security-holes/
Apr 29, 2019 • 37min

Further Facebook Fiascos

Facebook has once again gone too far and, when caught, asked for forgiveness and promised to change. First it was revealed that Facebook has been requesting since May 2016 that new users provide their email account passwords in order to verify their email addresses – without giving any obvious way to opt out. When caught, they said they would stop doing this. However, it was then revealed that Facebook “unintentionally” hoovered up the email contact lists of 1.5 million Facebook users that gave them their email passwords! I’ll tell you how you can review and delete any contacts you’ve shared (intentionally or otherwise) with Facebook… as well as how to just delete Facebook! In other news, Microsoft has dropped the requirement to periodically change your password in Windows 10, another IoT vulnerability has been found that affects millions of devices, I have an update on the supposed Amazon employee Echo spying, and finally I’ll explain why browser makers are throwing in the towel and allowing ‘ping’ tracking (and how you can still block this).
Apr 22, 2019 • 36min

Swiped: Identity Theft (Pt 2)

How do you deal with the threat of identity theft? Follow Adam Levin’s 3 M’s: 1) minimize your exposure, 2) monitor your accounts, and 3) manage the damage. We discuss these techniques and much more in part two of my interview with Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Adam Levin is a consumer advocate with more than 40 years of experience in security, privacy, personal finance and many other things. He is the former director of the New Jersey Division of Consumer Affairs and current chairman and founder of CyberScout. You may have seen Adam on one of his several TV appearances, as well. Further Info: Adam Levin’s website: https://adamlevin.com/ Adam’s book, Swiped: https://adamlevin.com/swiped-book-adam-levin/ CyberScout: https://www.cyberscout.com/ Bruce Schneier’s Data and Goliath; Kevin Mitnick’s The Art of Invisibility; Brian Krebs’s Spam Nation and his blog; Identity Theft Resource Center; Consumer Federation of America; Privacy Rights Clearinghouse
