Firewalls Don't Stop Dragons Podcast

  • Author: Various
  • Narrator: Various
  • Publisher: Podcast
  • Duration: 380:42:40

Information:

Synopsis

A Podcast on Computer Security & Privacy for Non-Techies

Episodes

  • Classic Replay: Lavabit

    25/12/2023 Duration: 01h09min

    Today, I dip back into the archives to bring you a classic interview from the first year of this podcast. In Episode 21 (Aug 2017) I interviewed Ladar Levison, the founder of the secure email service Lavabit. He started Lavabit in 2004 as one of the first truly secure, end-to-end encrypted email services focused on the privacy of users, almost ten years before Proton Mail launched. But when the FBI came (literally) knocking in 2013 asking him to subvert the encryption so that they could monitor his users (in particular a guy named Edward Snowden), Ladar decided to shut down Lavabit instead of complying. Ladar relaunched Lavabit in 2021 and I interviewed him that summer about his company, the right to privacy, the story of the shutdown, and much more. It's as relevant today as it was then. Interview Notes Lavabit: https://lavabit.com/  Lavabit history: https://en.wikipedia.org/wiki/Lavabit  Mr Peabody and the Wayback Machine: https://en.wikipedia.org/wiki/Mister_Peabody  Further Info Send m

  • Best of 2023

    18/12/2023 Duration: 01h07min

    I've culled through the podcasts from the last year and put together an hour's worth of the best content! Here's a nice little charcuterie sampler of the top interview segments from 2023. Episode Links Ep347 (Oct 16) What’s Your Threat Model? https://podcast.firewallsdontstopdragons.com/2023/10/16/whats-your-threat-model/  Ep342 (Sep 18) Your Face Belongs to Us https://podcast.firewallsdontstopdragons.com/2023/09/18/your-face-belongs-to-us/  Ep336 (Aug 7) Cult of the Dead Cow https://podcast.firewallsdontstopdragons.com/2023/08/07/cult-of-the-dead-cow/  Ep348 (Oct 30) Reclaiming the Internet https://podcast.firewallsdontstopdragons.com/2023/10/30/reclaiming-the-internet/  Ep324 (May 15) - Probing the Ministry of Truth https://podcast.firewallsdontstopdragons.com/2023/05/15/probing-the-ministry-of-truth/  Ep338 (Aug 21) Demystifying AI https://podcast.firewallsdontstopdragons.com/2023/08/21/demystifying-ai/  Further Info Send me your questions! https://fdsd.me/qna  Check out my

  • Restoring Trust in Elections

    11/12/2023 Duration: 01h08min

    We here in the US like to believe that we're the gold standard for democracy. And yet, in recent years, much of the electorate has lost faith in the outcome of our elections. Many security researchers have found concerning vulnerabilities in our voting systems, and yet we have no evidence that those vulnerabilities have actually been exploited. Many people believe that people are voting multiple times or that ineligible people are voting, and yet study after study shows that voter fraud is nearly non-existent. How can we restore trust in our election results? What changes must we make to our election systems and processes to promote complete transparency and remove doubt? Today I'll dig deep into this complicated topic with Ben Adida, founder and Executive Director of VotingWorks. Interview Notes VotingWorks: https://www.voting.works/ Risk Limiting Audits with ARLO:  https://www.voting.works/risk-limiting-audits  Verified Voting, Verifier tool: https://verifiedvoting.org/verifier/  Ben’s PhD t

  • Using Email Aliases

    04/12/2023 Duration: 01h11min

    Your online account credentials have two parts: a user name and a password. Today, most online providers force you to use your email address for your user name. This gives the service provider a guaranteed way to contact (and spam) their users, but it also means that bad guys know half of all your credentials and data brokers have a unique ID to track you across all your accounts. Today I'll explain the value of using email aliases for your online user names. In other news: Iranian hackers attack US water plant; CISA launches program to address critical infrastructure threats; Google Drive users report missing data; Plex users fear new feature will leak p0rn watching habits; several articles on the ease of using data broker tools to spy on just about anyone, creating privacy and national security problems; smart mattress company CEO inadvertently reveals extent of data collection; concerns about IoT device sold with a home; overblown fears over Apple's new NameDrop feature; Zelle offering refunds to some s

  • Smart City Blues

    27/11/2023 Duration: 57min

    City governments are relying more and more on a vast network of sensors to tell them what's going on: stop light cameras, gunshot detectors, air quality sensors, license plate readers, automated toll booths, and much more. While these technologies can help the powers that be allocate precious resources and gain helpful insights, they can also lead to over-policing, chilling of free speech and mass warrantless surveillance. Today I'll discuss the dangers of smart cities with Eleni Manis from the Surveillance Technology Oversight Project (STOP). Interview Notes Surveillance Technology Oversight Project: https://www.stopspying.org/  S.T.O.P.'s Beginner’s Guide to the All-Too-Dumb World of Smart Cities: www.justcities.tech  CCOPS laws: https://www.eff.org/issues/community-control-police-surveillance-ccops  Further Info Best & Worst Gifts for 2023: https://firewallsdontstopdragons.com/best-worst-gifts-2023/ Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  Give the gif

  • Best & Worst Gifts for 2023

    20/11/2023 Duration: 01h01min

    The holiday gift-giving season is upon us - and therefore it's time for my annual guide on the best and worst gifts for your loved ones, at least in terms of security and privacy. There are some perennial favs on the nice and naughty lists, but there are some newcomers, as well. And I've got some top tips for how to shop for privacy-respecting, security-protecting products! I've even got some ideas for free and helpful stocking stuffers. In the news: FCC tried to protect consumers from SIM-swap attacks; cheap children's tablet came with malware and data mining software; medical transcription service has data of 9M patients exposed; hackers hold data from plastic surgeon patients for ransom, including nude photos; FTC filing in Kochava case unsealed showing 'staggering' amount of data for sale; Bitwarden announces support for passkeys; Article 45 of eIDAS 2.0 bill will completely undermine internet security in the EU. Article Links [The Hacker News] FCC Enforces Stronger Rules to Protect Customers Ag

  • Smartphone Spyware

    13/11/2023 Duration: 01h11min

    Today there is a thriving market for legal, for-profit smartphone spyware (aka mercenary spyware). Companies like the NSO Group are free to create and sell highly sophisticated, zero-click malware such as Pegasus which has been used to spy on dissidents, politicians, activists and journalists around the world. There are also several apps available to parents to track their children, but are often used to abuse or stalk adult partners or ex-lovers. Today I'll discuss the state of these malicious apps, ways to protect our smartphones and even detect such spyware after the fact with the co-founders of iVerify, Danny Rogers and Rocky Cole. Interview Notes iVerify app: https://www.iverify.io/consumer xkcd “Security” cartoon: https://xkcd.com/538/  Moxie Marlinspike (Signal) on Cellebrite tool: https://signal.org/blog/cellebrite-vulnerabilities/  Further Info Nominate someone for a challenge coin: https://fdsd.me/quest  Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch  G

  • The Rise of Cellular IoT

    06/11/2023 Duration: 01h04min

    Connecting all our stuff to the internet – making devices “smart” – brings with it a lot of risks. Besides the more obvious cybersecurity vulnerabilities, these devices are also collecting a lot of personal data, offsetting razor thin profit margins by monetizing our data. In most cases, we can limit this data exfiltration using outbound firewalls and DNS services, or just by disconnecting the devices from the internet altogether. But lately I've been seeing devices coming configured with cellular data connections, which would effectively bypass your home network entirely - and therefore your ability to block or control the data flow. In other news: 1Password discloses security breach; Drug makers to pay 23andMe for access to your DNA; EFF publishes guidance for 23andMe customers after further data breach; Apple's private Wi-Fi MAC address feature has never worked right, until now; Hackers find side-channel attack on Apple Silicon to pull private data from Safari browsers; Windows PCs targeted with new ma

  • Reclaiming the Internet

    30/10/2023 Duration: 01h09min

    What happened to the internet? It had so much promise. Social media and search results are full of stuff we never wanted to see. Surveillance capitalism is monetizing our most private information to serve us so many ads that we can never seem to consume the actual content. And if we're all so unhappy with the incumbents, where are the competitors offering better service? Cory Doctorow helps us understand how the internet got so crappy and what we can do to fix it. Cory Doctorow is a science fiction author, activist, journalist and blogger at the site Pluralistic. He has written a bunch of great books, both fiction and non, including Little Brother, Red Team Blues and Chokepoint Capitalism. Interview Notes TikTok’s Ensh*tification: https://pluralistic.net/2023/01/21/potemkin-ai/#hey-guys  Cory’s blog: https://pluralistic.net/ Cory at DEF CON 31: https://www.youtube.com/watch?v=rimtaSgGz_4  The Internet Con: https://craphound.com/category/internetcon/  Chokepoint Capitalism: https://chokep

  • It’s Time to Try Proton

    23/10/2023 Duration: 56min

    Email is old and was never built for security and privacy. Thankfully there are several modern secure email services. My personal favorite is Proton Mail and I'll explain to you today why you should really give it a try. I will also (finally) answer several interesting "Dear Carey" questions from listeners. In other news: If you use WinRAR, you need to update right away; hackers are targeting a company that brokers Emergency Data Requests between law enforcement and Big Tech companies; Google is forced to reveal user search history in a CO court case; Google is making passkeys the default, but you may want to wait; EFF asks MasterCard to stop selling our data; and Bruce Schneier has an insightful article around the rather heated discussions over the benefits and dangers of artificial intelligence. Article Links [Gizmodo] You Need to Update WinRAR, Right Now https://gizmodo.com/you-need-to-update-winrar-right-now-1850939201 [404media.co] Hackers Target Company That Vets Police Data Requests for Te

  • What’s Your Threat Model?

    16/10/2023 Duration: 01h01min

    There are several privacy-focused services available today. And the products we use have a dizzying array of privacy and security settings. How do you know which products you need and which vendors you can trust? How do you know which protections you need and which ones you don't? It comes down to understanding your personal threat model. We each have different things to protect and different consequences for failure. Today I'll speak with Andy Yen, CEO and founder of Proton, to help us figure out what we need. Interview Notes Proton Sentinel: https://proton.me/blog/sentinel-high-security-program  Privacy Decrypted #1: https://proton.me/blog/what-is-a-threat-model?ref=instantsearch  Private from Everyone (But Us):  https://podcast.firewallsdontstopdragons.com/2022/04/25/private-from-everyone-but-us/ Security Planner (threat model tool): https://innovation.consumerreports.org/initiatives/security-planner/  Ars Technica threat model series: https://arstechnica.com/features/2021/10/securing-yo

  • Cybersecurity Awareness Month

    09/10/2023 Duration: 01h06min

    October is national Cybersecurity Awareness Month here in the US. One of the four key themes this year is Recognizing and Reporting Phishing. We just discussed this at length with Nick Oles, but I wanted to give my perspective and tell you how to report phishing emails to the proper authorities. In other news: cheap Android TV boxes come laced with malware and fraud software; 23andMe investigating massive data breach; US agencies caught using location data illegally; Meta proposes subscription plans in Europe for Facebook and Instagram; FBI warns of 'phantom hacker' scams targeting elderly; new Microsoft AI tool can simulate any voice with just 3 seconds of audio; attackers don't bother brute-forcing long passwords; free upgrade from Windows 7/8 to 10 is going away soon; FCC details plans to reinstate net neutrality; how to turn off Google's new Topics tracking system; new app from Consumer Reports to delete personal data; new privacy-respecting URL shortening tool from Panquake. Article Links [WIRE

  • Catching Phish

    02/10/2023 Duration: 01h10min

    The weakest link in most cybersecurity systems is you - that is, human beings. And one of the primary ways that people are tricked into infecting their devices (and potentially then threatening other devices on the network) is through phishing. We've all seen the Nigerian Prince scams, but with AI tools like ChatGPT, scam emails are going to get a lot harder to spot. On today's show, author and cybersecurity expert Nick Oles will teach us how to recognize phishing emails, introduce us to tools for detecting and protecting against phishing, and detail other techniques for defending against these sorts of attacks. All of this is just a taste of the top notch advice contained in his new book, "How to Catch a Phish". Interview Notes How to Catch a Phish: https://www.amazon.com/How-Catch-Phish-Practical-Detecting/dp/1484293606  Win a free copy!! https://fdsd.me/catchaphish  Nick Oles on LinkedIn: https://www.linkedin.com/in/nick-o-8b5b6349/ National Cybersecurity Awareness Month: https://www.cisa.

  • iOS 17 Security & Privacy

    25/09/2023 Duration: 01h04min

    Apple has just released a major update to its mobile operating system: iOS 17. There are tons of fun new features, but today I'll walk you through some of the security and privacy enhancements. These include new protections in Lockdown Mode, the Check In feature which can alert loved ones if you fail to arrive at your destination, some privacy-enhancing web browser features, and support for securely sharing passwords and passkeys with others. In other news: a critical WebP vulnerability means we have to update most of our apps and devices; credit bureaus in the US now allow free weekly access to your credit reports; Proton announces a new, privacy-focused CAPTCHA service; the FTC puts data brokers on notice; LastPass is requiring their users to make their master passwords longer; password managers are still your best bet for web security, despite the LastPass debacle; Hyundai Pay seeks to make in-car payments a thing; and an interesting article from a privacy advocate claiming that privacy tools are too di

  • Your Face Belongs to Us

    18/09/2023 Duration: 01h01min

    When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that they were in - even just in the background. And if those pictures were associated with a social media profile, we could identify the owner of the face along with their friends and family - all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book "Your Face Belongs to Us". Interview Notes Your Face Belongs to Us: https://www.kashmirhill.com/book  Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition  Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests  FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endr

  • Remediate Your Network

    11/09/2023 Duration: 01h06min

    Today I wrap up my four-part series on how to secure your home network. We've enumerated our devices, gotten rid of stuff we don't need, assessed the state of our devices and now it's time to actually remediate any vulnerabilities we found. I'll walk you through everything you need to do. In other news: Chrome's Topics API has rolled out (and I'll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right and are being sued; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages. Article Links [The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads

  • Containing Big Data

    04/09/2023 Duration: 01h10min

    In the US today we're dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU's GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What's our data worth? And how can we protect it? I'll discuss all of this and more with my guest, Tom Kemp. Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy. Interview Notes Containing Big Tech: https://www.tomkemp.ai/containing-big-tech  Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/  LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-a

  • Assessing Your Network Security

    28/08/2023 Duration: 59min

    In the third part of my series on securing your home network, we'll assess your security and privacy vulnerabilities. In prior weeks, we've exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don't need to be "smart" (Simplify). Now it's time to investigate the remaining devices and think about what we need to do to secure them. In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year's end; LinkedIn accounts are being targeted for takeover; Intel's GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police need to be transparent about social media monitoring; Kansas newspap

  • Demystifying AI

    21/08/2023 Duration: 01h08min

    Unless you've been living under a rock, you've seen several news stories about AI, machine learning and so-called Large Language Models. While tools like ChatGPT hold a lot of promise, many are deeply concerned about AI replacing jobs, generating potent malware, and being used in phishing and disinformation campaigns. Today I will ask AI expert Michael Littman to explain clearly what AI is and what it isn't, how the technology actually works, and what we should and maybe shouldn't be worried about. Michael Littman is a computer science professor at Brown University who has won several prestigious teaching awards while studying machine learning and the implications of artificial intelligence. He serves as division director for Information and Intelligent Systems at the National Science Foundation and is also a Fellow of the Association for the Advancement of Artificial Intelligence and the Association for Computing Machinery. Interview Notes Gathering Strength, Gathering Storms: The One Hundred Year

  • Hacker Summer Camp 2023

    15/08/2023 Duration: 56min

    Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences - BSides Las Vegas, BlackHat and DEF CON - run for over a week, each overlapping the other. They bring top tier security researchers, government and industry leaders, and eager hackers to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I'll tell you about my trip to BSides and DEF CON in 2023. Article Links [securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/ [9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/ [white
