Firewalls Don't Stop Dragons Podcast

Two security researchers showed how many modern VPN services are vulnerable to malicious misconfiguration, exposing some or all of your internet traffic. While this is not likely to impact most of us, it does expose the limitations of Virtual Private Networks and why they are not silver bullets for security of privacy - despite many marketing claims to the contrary. Today we'll discuss how TunnelVision works, how it can be mitigated, and how this affects different privacy threat models with the two researchers from Leviathan Security, Dani Cronce and Lizzie Moratti. Interview Notes Lizzie Moratti: https://www.linkedin.com/in/lmoratti/  Dani Cronce: https://www.linkedin.com/in/danicronce/  TunnelVision: https://www.tunnelvisionbug.com/  ProtonVPN threat model: https://protonvpn.com/blog/threat-model  Dani’s GitHub: https://github.com/superit23  Leviathan Security blog: https://www.leviathansecurity.com/blog  Veilid: https://veilid.com/  Willy Wonka scene: https://www.youtube.com/wat

We often think of malware as a problem for our computers and perhaps our smartphones. But bad guys love to hack our home routers and IoT devices, as well. Thankfully, purging malware from those types of devices can usually be done just by rebooting them. (There's a reason tech support always asks you to try turning your device off and back on again.) I'll explain why this works and what you should do to protect your connected devices. In other news: I explain why most people are not in danger of their devices blowing up; a new Windows phishing campaign uses fake CAPTCHAs and PowerShell; LinkedIn started training their AI on your data before telling you how to opt out; Oracle's CEO touts his vision of ubiquitous AI surveillance; Ford seeks a patent to show you ads in your vehicle based on your conversations and other private data; Meta admits to scraping public Instagram and Facebook posts to train its AI; four great new iOS 18 privacy and security features; Apple Intelligence servers are very basic, for a

You may be vaguely aware of the term 'quantum computing' from media reports. But what you may not have picked up on is that one of the primary uses for quantum computers may be to break data encryption. Furthermore, you may not realize that if three-letter agencies can save off our encrypted emails and messages now, this could mean they could read them in the future when sufficiently powerful quantum computing becomes viable. How does this work? And what can we do about it now to protect our privacy in the future? We'll dig into all of this today with Brandon Sundh from Tuta (formerly Tutanota), a prominent secure email company, who is already deploying such protections. Interview Notes Try Tuta! https://tuta.com/  Tuta’s quantum-safe crypto: https://tuta.com/blog/post-quantum-cryptography  Quantum mechanics: https://en.wikipedia.org/wiki/Quantum_mechanics  Schrödinger's cat:  https://en.wikipedia.org/wiki/Schr%C3%B6dinger's_cat  NIST post-quantum standards: https://csrc.nist.gov/projects/p

Mis- and disinformation is just a fact of modern life, but certain events can cause the practice to significantly increase - like a big election. This is a good time to review this phenomenon, learning how to recognize it, how to avoid being drawn in, and perhaps most importantly how to reduce its spread. In other news: Telegram's CEO was arrested in France; too many people keep saying Telegram is an secure messaging app when it's really not; if you think ads and tracking are bad now, wait till you hear all the ways modern TVs are monetizing their users; sextortion scams are using some new techniques to scam their victims; consumer groups have lobbied the FTC to create clear guidance on 'software tethering'; and California just approved a new privacy bill that will finally require companies to honor universal opt-out signals from apps and browsers. Article Links BBC] Telegram CEO Pavel Durov arrested at French airport https://www.bbc.com/news/articles/ckg2kz9kn93o [blog.cryptographyengineering.co

Proton released three major new products this summer, all within the span of about a couple months: Proton Docs, Proton Wallet and Proton Scribe. Given that Proton is a privacy-focused company, some of these offerings seemed almost at odds with that mission. So today I ask Andy Yen (Proton's CEO) some questions about the privacy of their Bitcoin wallet and AI editing tool. We also discuss the new Proton Foundation and how it safeguards their privacy mission for the future. Finally, I ask Andy if they would consider acquiring Mozilla to save the Firefox browser and, in the wake of the blow back Signal received about protecting local access to messaging data, how Proton addresses the 'compromised machine' threat model. Interview Notes Proton Docs: https://proton.me/blog/docs-proton-drive  Proton Wallet: https://proton.me/blog/proton-wallet-launch  Proton Scribe: https://proton.me/blog/proton-scribe-writing-assistant  Proton Foundation: https://proton.me/blog/proton-non-profit-foundation  Tech

The headlines have been on fire with stories about 3 billion people's data being leaked from a company you've never heard of. But like many such stories, the mainstream media gets a lot of the important details wrong and glosses over a lot of the important nuances. Today we're going to dive into what really happened and what you should do about it, whether your data was part of the breach or not. In other news: Illinois waters down its landmark biometric information law; US court rules geofence warrants are unconstitutional; FTC to investigate :surveillance pricing" and files rule impacting shady product reviews; the CFPB cracks down on some types of consumer data sales; and Consumer Reports evaluates several top data deletion services. Article Links [Reuters] Illinois governor approves business-friendly overhaul of biometric privacy law https://www.reuters.com/legal/government/illinois-governor-approves-business-friendly-overhaul-biometric-privacy-law-2024-08-05/ [TechCrunch] US appeals court r

Finding your soul mate or even just a one-night stand can all be done digitally now - there's an app for that. Several, in fact. But in order to find the best match, you need to turn over a lot of extremely personal information. You probably also need to let the app track your location, so you're only matching people within some acceptable distance. You would hope that dating apps would be better than other apps at securing your private data... but are they? And are these services selling my data to advertisers? Today I answer these questions and many more with Zoë MacDonald from Mozilla's Privacy Not Included team who recently published a full report on this topic. Interview Notes Privacy Not Included report on dating apps: https://foundation.mozilla.org/en/privacynotincluded/articles/data-hungry-dating-apps-are-worse-than-ever-for-your-privacy/  Mozilla Foundation: https://foundation.mozilla.org/en/?form=donate-header  Mozilla’s Privacy Not Included: https://foundation.mozilla.org/en/privacynot

It's time once again for cybersecurity professionals to make the pilgrimage to the scorching desert of Las Vegas, Nevada for a week of tech conferences that we lovingly refer to as Hacker Summer Camp. Today I'll bring you my on-the-ground reporting from BSides and DEF CON. I'll also bring you part 2 of my series on Open Source Intelligence (OSINT) and how to purge your personal data from the web. In the news this week: Vegas hotels search hacker's rooms; Apple and others fix old but important browser bug; NFL rolls out more facial recognition at stadiums; Ford looks to patent car surveillance tech; automakers sold your data to brokers for pennies; border agents can no longer search your smartphone without a warrant; judge rules that Google is a monopoly. Article Links [404media.co] Hotel to Search Rooms During DEF CON Hacking Conference https://www.404media.co/hotel-to-search-rooms-during-def-con-hacking-conference/ [AppleInsider] Apple has closed an ancient macOS Safari security hole https://app

Jack Daniel is a storyteller, wanderer, comic, bartender, blacksmith, luthier, historian, mechanic, and the world’s oldest millennial. He is also one of the founders of Security BSides. Jack has a colorful and interesting history, and today we'll learn about how and why he started BSides, delve into a little hacker conference history, talk about modern hackers and cybersecurity conferences and how he's seen them change over the years, and how hackers and their conferences are vastly different than the others. Interview Notes Jack Daniel: https://www.linkedin.com/in/jackadaniel/  BSides official site: https://bsides.org/  BSides Las Vegas (part of hacker summer camp): https://bsideslv.org/  InfoSecMap: https://infosecmap.com/  Cult of the Dead Cow interview: https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/  Jeff Moss interview #1: https://podcast.firewallsdontstopdragons.com/2021/08/16/on-a-dark-tangent/  Jeff Moss interview #2: https://podcast.firewallsdon

Last week, we all learned about a company called CrowdStrike that apparently has the capability to single-handedly bring multiple airlines, hospitals and other large companies to their knees in an instant. There are many lessons we should be learning from this incident, though I'm not going to hold my breath. I'll tell you what happened and what I think we should be doing to avoid a repeat of this incident in the future. In other news: Google finally throws in the towel on blocking third-party cookies; a private organization claims to have gained access to advertising-based location data on Trump's shooter; Republican VP candidate JD Vance forgets to make his Venmo data private; leaked docs show what phones Cellebrite can and can't hack; Meta takes down thousands of accounts related to sextortion ring; and for my Tip of the Week, we'll tackle part 1 of my article on deleting your public data from the web. Article Links [AppleInsider] Google gives up on Chrome plan to ditch third-party cookies https:

If someone decided to dig into your life - perhaps even try to 'dox' you - how might they go about doing that? What could they find about you right now on the internet? You might be surprised at how much information is readily available from public sources, including your local government agencies and state databases. Today I'll be talking with Jason Edison from Intel Techniques whose day job is using open source intelligence, or OSINT, to find suspected criminals and whose night job is helping people remove that same information to protect their privacy and even personal security. Interview Notes Intel Techniques: https://inteltechniques.com/  Data Removal Guide: https://inteltechniques.com/workbook.html  Data Removal Workbook (PDF): https://inteltechniques.com/data/workbook.pdf  Credit Freeze Guide: https://inteltechniques.com/freeze.html  MySudo privacy app: https://mysudo.com/ SimpleLogin (Proton) email aliases: https://simplelogin.io/ Private credit cards: https://privacy.com/  

Ads on the web are beyond annoying - they are actually a threat to your privacy and sometimes even your security. Ads pay for a lot of the "free" web content we consume, but until ad networks stop tracking us and selling ad space to phishing and malware groups, we need tools to block them. Today I'll give you two solid options for doing so. In the news: Australian man charged for WiFi scam on flights; Airbnb reveals 35,000 complaints about hidden cameras; Linksys routers expose WiFi credentials; a massive new hacker list contains 10 billion unique passwords; a new AT&T call and text records data breach; Signal gets flak for response to storing encryption keys in the clear; Mozilla launches "privacy-preserving" ad attribution system (on by default); Proton launches encrypted Google Docs competitor. Article Links [The Hacker News] Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html [9to5Mac] 35,000 complaints ab

We're generating a ridiculous amount of data every day. Much of it is highly personal and that's dangerous. But there are actually several Privacy Enhancing Technologies that may allow us to use this personal data to improve our collective quality of life without ruining the privacy of the data subjects. I'll be discussing these PETs with Irene Knapp who spent five years working in the privacy department at Google. I will also spend a good bit of time asking them about what it's like working at Google and get some insights about the company's approach to privacy from the inside. (Spoiler: it's not good.) Interview Notes Internet Safety Labs: https://internetsafetylabs.org/about-us/  Irene’s Google departure post: https://medium.com/@Irenes/on-the-occasion-of-leaving-google-b8c7029c8d8b  Coworker.org: https://coworker.org  Google loses privacy chief: https://www.techspot.com/news/103268-google-privacy-chief-head-competition-law-leaving-not.html  Further Info BOOK SURGE!! https://fdsd.me

We've talked about how to backup your local device data and how to back up data that is primarily stored in the cloud. But there's a lot of important, irreplaceable data we take for granted: data owned by others. This might be shared online photo albums, cloud document collaborations, eBooks and other digital media, and even websites you frequently rely on. Today we'll talk about how you can make local copies of these files in case they should ever go offline. In other news: European politicians' personal details exposed online; Proton transitions to non-profit corporate structure; lawsuit claims Microsoft tracked sex toy purchases; online ID verification service exposed drivers licenses; new Mac info-stealer served up by Google Ads; law enforcement is spying on Americans' mail; new ALPR vulnerabilities prove it's a public safety threat; UK hospital hack leaks 300M patient records; US bans Kaspersky software; Sonos removes promise not to sell its users' data; Mozilla buys a 'privacy-centric' ad firm. Ar

Every day, we generate tons of digital exhaust: our web browsing, GPS location, online and in-store purchases, emails and messages, social media posts and feed viewing habits, and much, much more. Online marketers and data brokers have been living off these breadcrumbs for years. The intelligence and law enforcement agencies have found this data to be incredibly revealing, and they can buy most of this data on the open market without requiring any sort of warrant - and they have. This has important implications for democratic societies that value privacy and freedom. I'll discuss how this mass surveillance works and what it means for all of us with Byron Tau, author of the book "Means of Control". Interview Notes Means of Control: https://www.amazon.com/Means-Control-Alliance-Government-Surveillance/dp/0593443225  Byron Tau at NOTUS: https://www.notus.org/byron-tau  Puking Monkey’s DEF CON presentation: https://www.youtube.com/watch?v=T43Ti7c11lY  Make your EZ Pass “moo”: https://hackaday.com/

Until recently, most of our important data lived primarily on our devices. Backing up that data often meant choosing a cloud backup service. But today, many of our most important photos and files are actually stored in the cloud. While cloud servers are supposed to be more robust than home computers with flaky hard drives and smartphones that get lost or stolen, it also means that someone else is in control of that data. Cloud services go offline, get bought out or even shut down. We now need to be sure to back up our cloud data, too. In other news: 23andMe breach under investigation by US and Canada; cops release personal location info to FOIA request; hacker gains access to Tile customer data; more car privacy updates; Microsoft Recall backlash highlights our distrust; report shows Microsoft favoring profits over security; Mac Bartender app shadily changes ownership; new Apple privacy features coming. Article Links [malwarebytes.com] 23andMe data breach under joint investigation in two countries h

Encrypted communications are important for everyone, even if you have nothing to hide. But they're also important when you're trying to hide global criminal operations. Drug smugglers and money launderers have special needs when it comes to secure messaging. Several phone companies were created to address this market. Unfortunately for the criminals, the most popular one - Anom - was secretly run by the FBI. Today Joseph Cox from 404 Media will tell us about this astoundingly audacious sting operation, which is the basis for his book, Dark Wire. Interview Notes Order Dark Wire: https://a.co/d/h9o7ump Anom website (right before take down): https://web.archive.org/web/20210507151115/http://anom.io/  Phantom Secure website (circa 2017): https://web.archive.org/web/20170330122723/http://phantomsecure.com/  Vice Anom story: https://www.vice.com/en/article/n7b4gg/anom-phone-arcaneos-fbi-backdoor  Anom phone video: https://www.youtube.com/watch?v=EA1KS-xh0n0  Operation Trojan Shield: https://en

Most major social media platforms are a hot mess. Your feed is filled with tons of crap you never asked to see and your data is mined mercilessly to serve you targeted ads. The promise of having a place to trade interesting posts with friends and family is now muddied up with sponsored content chosen by hidden algorithms optimized to keep you scrolling. It doesn't have to be that way. I've found something much better, and I'm inviting you to come join me. In other news: Ticketmaster breach leaks data on half a billion users; the iOS bug that resurrected deleted photos explained; GPT-4 can write working malware based only on CVE bug descriptions; Slack customers upset to learn that their data was being used to train AI systems; WiFi location service can be used to track mobile routers; police are trialing new devices that can track and identify you based on multiple electronic signals; new Windows AI feature records everything you do on your PC; Microsoft rolling out welcome changes to admin privilege use;

Our privacy has never been more threatened. While some of us are vaguely aware of this, most of the rampant data collection and sharing is completely opaque. And the consequences are more dire than most of us realize. We can't afford to be complacent. We need to push back, to ask questions, and make better choices. Privacy-respecting apps and services do exist today. Making a deliberate and overt decision to use them will force the market (and our elected representatives) to take notice. My guest Naomi Brockwell from NBTV will make a compelling case for privacy and reclaiming control of our data, including several top notch tips for doing so. Interview Notes Naomi Brockwell’s NBTV: https://www.nbtv.media/   A World Without Privacy: https://www.nbtv.media/episodes/a-world-without-privacy  A Beginner’s Introduction to Privacy: https://www.amazon.com/Beginners-Introduction-Privacy-Naomi-Brockwell-ebook/dp/B0BQHS8MFS  Who can access your car remotely? https://www.youtube.com/watch?v=Ff9pmaSdZV8 

Security experts talk at length about how to choose a good password - but we don't often talk about how to choose a good PIN code. A recent analysis by a researcher shows popular patterns humans use when choosing PIN codes, and therefore what you should avoid doing. In the news: MediSecure e-Rx firm hit by data breach; CISA warns of active D-Link router exploit; a couple cases of insecure APIs being abused; 53k Nissan employees' SSN's leaked; new macOS malware called Cuckoo; Ascension Healthcare suffers cyberattack; Proton user's poor OpSec gives him away; TunnelVision VPN attack exploits DHCP feature; Maryland & Vermont pass data privacy laws; tracker detection feature debuts on iPhone & Android. Article Links [BleepingComputer] MediSecure e-script firm hit by ‘large-scale’ data breach https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/ [The Hacker News] CISA Warns of Actively Exploited D-Link Router Vulnerabilities https://thehacker