Synopsis
A Podcast on Computer Security & Privacy for Non-Techies
Episodes
-
Privacy Matters
06/09/2021 Duration: 59 min. For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters. Of course, I'll also cover several security-related topics this week, as well: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple pa
-
Morpheus: Securing CPUs with Entropy
30/08/2021 Duration: 01h03min. Computers are supposed to be completely predictable. When you tell it to do something, it should do exactly that - over and over again, if necessary - in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer's processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer's processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body's immune system
-
Beware the Four Horsemen
23/08/2021 Duration: 01h23min. How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children.
-
On a Dark Tangent
16/08/2021 Duration: 01h04min. Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss - also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside. Further Info: DEFCON documentary: https://www.youtube.com/watch?v=3ctQOmjQyYg Privacy is Power, book by Carissa Véliz: https://www.amazon.com/Privacy-Power-Should-Take-Control/dp/1612199151 My review of Privacy is Power: https://firewallsdontstopdragons.com/privacy-is-power-review/ The Value of Privacy, by Bruce Schneier: https://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html TED Talk on Privacy by Glenn Greenwald: https://www.ted.com/talks/glenn_greenwald_why_privacy_
-
Understanding Hackers & Hacking
11/08/2021 Duration: 01h31min. What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document first-hand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself. Further Info: DEFCON documentary: https://www.youtube.
-
Selling You Out to the Highest Bidder
02/08/2021 Duration: 01h31min. Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you. Dr Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr Ryan led Brave's campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan wo
-
Guard Your Digital Rolodex
26/07/2021 Duration: 58 min. Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more - meaning that it's an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymou
-
It’s Time to Drop the SBOM
19/07/2021 Duration: 01h10min. The first step to solving any problem is gathering as much information as you can. Unfortunately, today we're basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles - knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there's a safety issue. This is not true for software makers... yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to chang
-
How to Keep Ransomware at Bay
12/07/2021 Duration: 01h26s. Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cooki
-
Make That Shaken AND Stirred
05/07/2021 Duration: 01h10min. Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "Stir" ("secure telephone identity revisited") and "Shaken" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are
-
Sad State of Cybersecurity
28/06/2021 Duration: 59 min. Today's news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware... Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure - or will these tools benefit the bad guys more? In today's show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks! Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk. Further Info: 6clicks: https://www.6clicks.io/ Cybersecurity Maturity Model: https://www.acq.osd.mil/cmmc/d
-
Hacking Satellites for Fun & Profit
21/06/2021 Duration: 01h05min. Are satellites really just IoT devices in space? They're small computers and connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force De
-
Payment App Privacy Sucks
14/06/2021 Duration: 01h08min. Payment apps are fairly secure & very convenient, but NOT private. And Venmo is the worst. Venmo is the only payment app that is primarily a "social" app. That's shorthand for "share as much info as possible, with as many people as possible". If you weren't already aware, all Venmo transactions are public by default. (That might come as an unwelcome surprise to the third of millennials who have used Venmo to pay for drugs.) Your Venmo friends list is also public by default, as Joe Biden recently discovered. But perhaps due to that event, Venmo at least now gives you a way to make it private. I'll tell you how to change this and other Venmo privacy settings - and also which apps are better at privacy. Lots of other news to cover today: Amazon Sidewalk has been activated for all new Echo and Ring devices (like it or not), but you can turn it off; Amazon Ring is offering more transparency on requests for video footage by law enforcement; Apple addresses some of the "stalker" privacy concerns with AirTags; app
-
Have I Been FLoCed? (Part 2)
07/06/2021 Duration: 50 min. Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you're visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF's Bennett Cyphers, we'll answer these questions and many more. Google's FLoC proposal depends on Google being a "benevolent and omniscient overseer", which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking "sensitive" info, there's nothing saying it won't change this later - on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists wi
-
Have I Been FLoCed? (Part 1)
31/05/2021 Duration: 48 min. The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third party cookies are now being blocked by default by just about every browser - except Chrome. Google (who owns Chrome) is an ad company who relies on web tracking to make 90% of their revenue. With the writing on the wall, they and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system they call Federated Learning of Cohorts, or FLoC, which they claim can replace most of the tracking capability of third party cookies while somehow managing to preserve users' privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how they are rolling it out, and why EFF believes that FLoC is not the way to go. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislati
-
How & When to Use a Passphrase
24/05/2021 Duration: 01h21min. Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering very limited edition challenge coins to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)! In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice s
-
Protecting Intellectual Freedom (Part 2)
17/05/2021 Duration: 46 min. What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we'll discuss why libraries are so important in the fight for privacy and how they're using technologies like Tor to keep their patrons' (and even others') web browsing anonymous. We'll talk about why it's important to do a self-assessment of your particular "threat model" and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we'll talk about what all of this has to do with the so-called Streisand Effect! Alison Macrina is a librarian, internet activist, and founder and director of Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info: BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragons Library Freedom Project: https://libraryfreedom.org/ Library Freedom wiki: https://libraryfreedom.wi
-
Protecting Intellectual Freedom (Part 1)
10/05/2021 Duration: 40 min. Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community - and your local public libraries are there to help. Today I'll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We'll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture! Alison Macrina is a librarian, internet activist, and founder and director of Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power. Further Info: BECOME A PATRON! https://www.patreon.com/FirewallsDontStopDragonsLib
-
App Tracking Transparency
03/05/2021 Duration: 01h22min. After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it. Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy d
-
Hunting for Stingrays (Part 2)
26/04/2021 Duration: 55 min. While law enforcement touts the benefits of cell site simulators, today we will talk about the negative impacts, as well. While the actual impacts are not documented due to secrecy, we have to wonder whether Stingrays could interfere with critical communications like 911 calls, for example. We also must understand that any tool can be used for good and for evil, by the "good guys" as well as the "bad guys". In an effort to bring more transparency, Cooper created Crocodile Hunter (a reference to Steve Irwin, who was tragically killed by a real-life stingray). Cooper explains how it works and how anyone can make one. And finally we'll talk about why it's so important to get out there and fight for more transparency. Cooper shows us what a difference this can make in your community with two very different situations in two US cities. Cooper Quintin is a security researcher and Senior Staff Technologist with the EFF Threat Lab. He has worked on projects such as Privacy Badger, Canary Watch, and analysis of sta