
Firewalls Don't Stop Dragons Podcast

News & Politics Podcasts

A Podcast on Computer Security & Privacy for Non-Techies

Location:

United States

Description:

A Podcast on Computer Security & Privacy for Non-Techies

Language:

English


Episodes

Your Face Belongs to Us

9/18/2023
When the New York Times broke the Clearview AI story in 2020, we suddenly had to face the reality that no one could truly be anonymous in public any more. This powerful app could take a picture of any face and find dozens of public images on the internet that the person appeared in, even just in the background. And if those pictures were associated with a social media profile, it could identify the owner of the face along with their friends and family, all in an instant. Today I speak with Kashmir Hill about her investigation of this company and the sobering impacts of facial recognition technology in a world full of cameras, chronicled in her new book "Your Face Belongs to Us".

Interview Notes
Your Face Belongs to Us: https://www.kashmirhill.com/book
Kashmir Hill facial recognition stories: https://www.kashmirhill.com/stories/face-recognition
Clearview AI, delete dead links: https://www.clearview.ai/privacy-and-requests
FRT used to track activity in coffee shop: https://www.linkedin.com/posts/endritrestelica_ai-tech-activity-7098293527951851520-Mejy/
PimEyes: https://pimeyes.com/
Fawkes masking tool: https://sandlab.cs.uchicago.edu/fawkes/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:37: Tell us about your beat at the New York Times
0:02:17: What is the Clearview app and what does it do?
0:05:12: How did you come to write about Clearview AI?
0:07:40: What happened when you first investigated this company?
0:11:46: How did Clearview AI obtain all these images of our faces?
0:14:24: Why are privacy advocates calling for a ban on this technology?
0:16:36: Do the makers of Clearview appreciate the privacy implications of their tool?
0:18:56: How did 9/11 influence our views on surveillance technology?
0:22:33: Who has access to the Clearview app?
0:24:14: How do we know who is using this tool?
0:25:22: How has Clearview tried to win approval for this tool?
0:27:37: What's to stop others from copying this technology?
0:31:05: Wasn't Clearview used to ban lawyers from venues in NYC?
0:33:13: Didn't Illinois sue Clearview AI and win?
0:34:09: Where else is facial recognition being used today?
0:38:05: How often is FRT used in solving crimes in the US?
0:41:26: What about cases where FRT identifies the wrong person?
0:43:23: How accurate are these tools? What causes them to fail?
0:45:59: How accurate is Clearview compared to other tools?
0:47:02: How well does Clearview deal with facial hair, masks, etc?
0:50:01: What can we do to protect our faces online?
0:52:33: How well can Clearview pick out faces in the background?
0:54:41: What's the future of privacy in a world full of cameras?
0:56:24: What can we do to rein in abuse of FRT?
0:58:00: Wrap up and a look ahead

Duration:01:01:56

Remediate Your Network

9/11/2023
Today I wrap up my four-part series on how to secure your home network. We've enumerated our devices, gotten rid of stuff we don't need, assessed the state of our devices and now it's time to actually remediate any vulnerabilities we found. I'll walk you through everything you need to do. In other news: Chrome's Topics API has rolled out (and I'll tell you how to shut it off); Apple fixes two zero-day, zero-click exploits; FBI dismantles and even fixes the Qakbot malware network; the UK backs down on requirements to undermine end-to-end encryption; Macs are being targeted with a malvertising campaign; LastPass breach seems to be behind crypto wallet stealing; Apple reveals why it abandoned its CSAM scanning feature; Kias and Hyundais are being stolen left and right and cities are suing; new cars are a privacy nightmare; Chrome extensions are able to steal private data from web pages.

Article Links
[The Verge] How to disable Chrome’s new targeted ad tracking https://www.theverge.com/23860050/chrome-ads-topics-sandbox
[citizenlab.ca] NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
[TechCrunch] FBI operation tricked thousands of computers infected by Qakbot into uninstalling the malware https://techcrunch.com/2023/08/29/fbi-operation-qakbot-uninstall/
[AppleInsider] UK backs down from nonsensical law after threats from Apple, WhatsApp https://appleinsider.com/articles/23/09/06/uk-backs-down-from-nonsensical-law-after-threats-from-apple-whatsapp
[Tom's Guide] Macs under threat from malicious ads spreading malware — don’t fall for this https://www.tomsguide.com/news/macs-under-threat-from-malicious-ads-spreading-malware-dont-fall-for-this
[briankrebs] Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
[WIRED] Apple’s Decision to Kill Its CSAM Photo-Scanning Tool Sparks Fresh Controversy https://www.wired.com/story/apple-csam-scanning-heat-initiative-letter/
[VICE] Kias and Hyundais Keep Getting Stolen by the Thousands and Cities Are Suing https://www.vice.com/en/article/93kdmp/kias-and-hyundais-keep-getting-stolen-by-the-thousands-and-cities-are-suing
[Gizmodo] If You’ve Got a New Car, It’s a Data Privacy Nightmare https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416
[techxplore.com] Researchers issue warning over Chrome extensions that access private data https://techxplore.com/news/2023-09-issue-chrome-extensions-access-private.html

Tip of the Week: Remediate Your Network: https://firewallsdontstopdragons.com/secure-your-network-4-remediate/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:29: Kashmir Hill interview coming
0:01:40: News rundown
0:04:32: How to disable Chrome’s new targeted ad tracking
0:07:12: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild
0:10:36: FBI operation dismantles Qakbot botnet
0:13:51: UK backs down from nonsensical law after threats from Apple, WhatsApp
0:17:10: Macs under threat from malicious ads spreading malware
0:23:03: Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

Duration:01:06:55

Containing Big Data

9/4/2023
In the US today we're dealing with a completely unfettered free-for-all of data harvesting. Without meaningful privacy regulations like the EU's GDPR, our private information is being collected, collated, packaged and sold by data brokers to all comers. Ad companies like Google and Facebook collect and hoard our data to sell targeted ads for high profits without commensurate benefits to the people placing the ads. How does it all work? What's our data worth? And how can we protect it? I'll discuss all of this and more with my guest, Tom Kemp. Tom Kemp is a Silicon Valley-based entrepreneur, investor, and policy advisor. Tom is also the author of Containing Big Tech: How to Protect Our Civil Rights, Economy, and Democracy.

Interview Notes
Containing Big Tech: https://www.tomkemp.ai/containing-big-tech
Let’s Make Privacy Easy: https://techpolicy.press/lets-make-privacy-easy/
LinkedIn panel discussion on AI and privacy regulation in the US: https://www.linkedin.com/events/thestateofusprivacy-airegulatio7087548531820941312/
SB362 (Delete Act): https://www.darkreading.com/endpoint/why-the-california-delete-act-matters
Tom’s post on SB362: https://www.linkedin.com/posts/tomkemp_sb362-databrokers-privacy-activity-7103448636260302848-Qg6p
Global Privacy Control: https://firewallsdontstopdragons.com/how-to-enable-global-privacy-control/

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:20: Follow me on Bluesky?
0:01:32: Interview preview
0:02:59: What are data brokers? Would we recognize their names?
0:06:07: How big is the data broker industry?
0:08:35: You say there are 5 different types of data brokers - what are they?
0:12:10: Are there financial data brokers outside the US?
0:15:53: Are we granting permission for data collection without realizing it?
0:18:44: Who is making money off our data and what is it really worth?
0:21:56: Who is selling our data out the back door?
0:26:50: Why is location data so valuable?
0:28:40: How much of my data is raw and how much is inferred or extrapolated?
0:33:06: How often do data records contain errors?
0:36:24: How much of our personal data is publicly available?
0:38:46: Can we have an ad-based web economy and privacy, too?
0:44:56: Are behavioral ads really worth more than contextual ads?
0:48:08: Can antitrust laws be leveraged against data collection?
0:50:46: Can laws requiring transparency in data collection be a stepping stone?
0:56:14: Why can't we pass a federal privacy law?
0:58:25: What can we do right now to limit data collection?
1:01:50: What else does your book cover?
1:05:28: Interview wrap-up
1:06:01: Delete Act (SB362) Update
1:06:58: A note on warranty registrations
1:08:11: Global Privacy Control article
1:08:28: Patron podcast teaser
1:08:50: Look ahead

Duration:01:10:25

Assessing Your Network Security

8/28/2023
In the third part of my series on securing your home network, we'll assess your security and privacy vulnerabilities. In prior weeks, we've exhaustively listed our network devices (Scan) and removed any devices that we no longer need or don't need to be "smart" (Simplify). Now it's time to investigate the remaining devices and think about what we need to do to secure them. In other news: an old Mac malware info stealer is back; thousands of Android apps are evading detection using an interesting technique; Illinois just passed a law allowing doxing victims to sue perpetrators for damages; Meta plans to roll out end-to-end encryption for Messenger by year's end; LinkedIn accounts are being targeted for takeover; Intel's GPU driver collects personal info by default; Tesla suffers data breach of 75,000 current and former employees; police are accessing DNA databases even for people who opted out of this access; Pennsylvania court says police need to be transparent about social media monitoring; Kansas newspaper raid by police teaches us how to better encrypt our data; hackers are selling credit report info on just about any American; NSA director tells employees to spy "with dignity and respect".

Article Links
[TechRadar] One of the worst Mac malware strains is back and hiding as a productivity app - so beware https://www.techradar.com/pro/security/one-of-the-worst-mac-malware-strains-is-back-and-hiding-as-a-productivity-app-so-beware
[Tom's Guide] Thousands of Android malware apps use stealthy APKs to bypass security, study finds https://www.tomsguide.com/news/thousands-of-android-malware-apps-use-stealthy-apks-to-bypass-security-study-finds
[Ars Technica] Illinois just made it possible to sue people for doxxing attacks https://arstechnica.com/tech-policy/2023/08/illinois-just-made-it-possible-to-sue-people-for-doxxing-attacks/
[TechCrunch] Meta plans to roll out default end-to-end encryption for Messenger by the end of the year https://techcrunch.com/2023/08/22/meta-plans-to-roll-out-default-end-to-end-encryption-for-messenger-by-the-end-of-the-year/
[TechRadar] LinkedIn user accounts have been taken over in huge hacking campaign https://www.techradar.com/pro/security/linkedin-user-accounts-have-been-taken-over-in-huge-hacking-campaign
[extremetech.com] Intel's GPU Drivers Now Collect Telemetry https://www.extremetech.com/gaming/intels-gpu-drivers-now-collect-telemetry-including-how-you-use-your-computer
[TechCrunch] Tesla says data breach impacting 75,000 employees was an insider job https://techcrunch.com/2023/08/21/tesla-breach-employee-insider/
[BBC] Why US tech giants are threatening to quit the UK https://www.bbc.com/news/technology-66304002
[The Intercept] Police Are Getting DNA Data From People Who Think They Opted Out https://theintercept.com/2023/08/18/gedmatch-dna-police-forensic-genetic-genealogy/
[The Associated Press] A Pennsylvania court says state police can’t hide how it monitors social media https://apnews.com/article/pennsylvania-police-aclu-social-media-monitoring-1508189aba86cc776e19892b4a2b358a
[freedom.press] What a newsroom police raid teaches us about encrypting our devices https://freedom.press/training/blog/marion-record-police-raid/
[404media.co] The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15 https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/
[The Intercept] NSA Orders Employees to Spy on the World “With Dignity and Respect” https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/

Tip of the Week: Securing Your Network 3: Assess: https://firewallsdontstopdragons.com/secure-your-network-3-assess/

Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions!

Duration:00:59:22

Demystifying AI

8/21/2023
Unless you've been living under a rock, you've seen several news stories about AI, machine learning and so-called Large Language Models. While tools like ChatGPT hold a lot of promise, many are deeply concerned about AI replacing jobs, generating potent malware, and being used in phishing and disinformation campaigns. Today I will ask AI expert Michael Littman to explain clearly what AI is and what it isn't, how the technology actually works, and what we should and maybe shouldn't be worried about. Michael Littman is a computer science professor at Brown University who has won several prestigious teaching awards while studying machine learning and the implications of artificial intelligence. He serves as division director for Information and Intelligent Systems at the National Science Foundation and is also a Fellow of the Association for the Advancement of Artificial Intelligence and the Association for Computing Machinery.

Interview Notes
Gathering Strength, Gathering Storms: The One Hundred Year Study on Artificial Intelligence https://ai100.stanford.edu/gathering-strength-gathering-storms-one-hundred-year-study-artificial-intelligence-ai100-2021-study
Code to Joy book preorder: https://www.amazon.com/Code-Joy-Everyone-Should-Programming/dp/0262546396/
Michael Littman’s website: https://www.littmania.com/
Gandalf AI challenge: https://gandalf.lakera.ai/
ChatGPT: https://openai.com/blog/chatgpt
Stable Diffusion: https://stability.ai/stablediffusion
Canva Image Generator online: https://www.canva.com/ai-image-generator/
Paperclip Maximizer: https://en.wikipedia.org/wiki/Instrumental_convergence#Paperclip_maximizer

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:56: Dragon coin promo update
0:01:51: Interview preview
0:03:15: What is Artificial Intelligence, really?
0:05:36: Is it a mistake to anthropomorphize AI?
0:08:50: What is AI versus machine learning?
0:11:59: How does AI differ from normal computer code?
0:14:49: What is a large language model or LLM?
0:18:45: What does it take to create an LLM?
0:22:04: Why are these AI models limited to certain points in time?
0:26:46: How are these chat bots leading people to believe they're sentient?
0:28:54: What was behind the AI explosion in late 2022?
0:32:29: How do AI systems generate images from text prompts?
0:35:36: How are AI systems affected by their training data?
0:40:24: Which concerns about AI are justified and which are overblown?
0:44:55: What sorts of jobs may be impacted by AI?
0:47:15: Is there an art to creating AI prompts?
0:48:43: Can you trick AI systems?
0:51:42: How do we detect AI output? How should we restrict this technology?
0:56:19: How can we try out these AI systems to learn more?
0:59:26: What's the next big thing in AI?
1:02:12: Why should people learn to do a little coding?
1:05:27: Wrap-up
1:07:01: Gandalf AI game
1:08:19: Upcoming interviews

Duration:01:08:57

Hacker Summer Camp 2023

8/14/2023
Every summer, hackers from around the US and around the globe descend on Las Vegas, Nevada, for a series of computer security conferences which are lovingly referred to as hacker summer camp. These conferences - BSides Las Vegas, Black Hat and DEF CON - run for over a week, each overlapping the other. They bring top tier security researchers, government and industry leaders, and eager hackers to learn about new vulnerabilities, new defense mechanisms, and everything in between. There are contests and parties galore, allowing hackers to test their skills and network with others. Today I'll tell you about my trip to BSides and DEF CON in 2023.

Article Links
[securityweek.com] Downfall: New Intel CPU Attack Exposing Sensitive Information https://www.securityweek.com/downfall-new-intel-cpu-attack-exposing-sensitive-information/
[9to5mac.com] Mac malware can easily bypass Apple’s Background Task Manager, says security researcher https://9to5mac.com/2023/08/14/mac-malware-background-task-manager/
[whitehouse.gov] Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/
Donate to Maui wildfire relief fund: https://www.gofundme.com/f/5auw5q-maui-wildfire-relief-fund
Veilid project (cDc): https://veilid.com/
Back Orifice: https://en.wikipedia.org/wiki/Back_Orifice
Namecheck from Steve Gibson: https://youtu.be/hGyVuszu0F8?t=6240
CalyxOS mention: https://en.wikipedia.org/wiki/CalyxOS
Tom Kemp on LinkedIn Live: https://www.tomkemp.ai/blog/2023/7/19/live-event-the-state-of-us-privacy-and-ai-regulation

Further Info
Dragon Challenge Coin promotion: https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:04: Preview
0:01:27: Look ma, I'm on Wikipedia!
0:02:16: Steve Gibson reads FDSD
0:03:16: Show overview
0:04:29: What is Hacker Summer Camp?
0:06:21: Using Lockdown Mode on Apple
0:07:20: BSides Las Vegas 2023, Josh Corman, et al
0:08:28: BSides pool party
0:09:44: I skipped out on linecon
0:11:36: I skipped the merch line, too
0:12:36: Darknet Diaries meets FDSD
0:13:13: r00t party!
0:15:14: cDc announces Veilid platform
0:18:48: Voting Village, brush with Chris Krebs
0:20:34: Interview with Nick Oles
0:22:49: Meet Joe Gray ("Practical Social Engineering" author)
0:23:22: cDc Veilid launch party
0:24:19: Checking in with the Hack-a-Sat team
0:38:00: EFF Tech Trivia
0:38:37: Hacker Jeopardy
0:40:11: Evacuation of Caesar's Forum
0:41:50: Closing ceremonies
0:42:48: No swag or amulet sightings
0:43:31: Downfall: New Intel CPU Attack Exposing Sensitive Information
0:47:24: Mac malware can easily bypass Apple’s Background Task Manager
0:52:22: Maui wildfire relief fund
0:53:01: DARPA Launches AI Cyber Challenge
0:54:07: Looking ahead
0:55:28: Dragon coin promotion is ending soon

Duration:00:56:33

Cult of the Dead Cow

8/7/2023
In the early 1980s, personal computers started entering our homes. Prior to the internet and services like America Online (AOL), there were online bulletin board systems (BBS) where people could share text files via phone modem connections. Of course, if you wanted to connect to a BBS outside your home area code, you would have to dial long distance - which at the time could be prohibitively expensive. Necessity is the mother of invention and it's no coincidence that some of the earliest hacking was of the phone system to get free long distance calls. One of the first named groups of hackers was The Cult of the Dead Cow (aka, cDc). Today I'll reminisce about the old days with two prominent members of cDc: Deth Veggie and Omega. We'll talk about what it was like in the days prior to the internet, how hackers think, and how hacking has evolved over the years. We'll talk about how cDc pioneered the hacktivist movement and how their group overlapped and interacted with other famous groups like L0pht Heavy Industries, Masters of Deception (MOD), Legion of Doom (LOD) and much, much more.

Interview Notes
The Cult of the Dead Cow: https://cultdeadcow.com/
"The Cult of the Dead Cow" book: https://www.hachettebookgroup.com/titles/joseph-menn/cult-of-the-dead-cow/9781549169991/
cDc text files: http://textfiles.com/groups/CDC/
The Hacker’s Manifesto: http://phrack.org/issues/7/3.html
Hacktivismo Declaration: https://web.archive.org/web/20090502054355/http://www.cultdeadcow.com/cDc_files/declaration.html
cDc’s unofficial suggested reading/viewing list: https://fdsd.me/cdclist

Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:43: Interview prep
0:03:51: How did cDc start and where did it get its name?
0:08:11: How did you get involved with cDc?
0:11:15: What is a BBS? What are textfiles?
0:15:36: What sort of information did these textfiles contain?
0:23:46: What really happened in the Hacker Wars?
0:25:28: How did phone phreaking work?
0:29:43: How did you choose your handle? When did you first use it in public?
0:37:47: Two things War Games got right
0:38:38: Blue boxes and red boxes
0:40:26: What did your friends & family think? How have perceptions of hackers changed?
0:45:16: What is hacktivism? What sort of hacktivist behavior is acceptable?
0:51:58: What are some examples of hacktivism?
0:55:19: What are some signs that I might enjoy hacking?
1:01:49: Hacking in the real world, questioning everything.
1:04:38: Books and movies with accurate portrayals of hackers & hacking?
1:11:14: Interview wrap-up
1:12:46: Patron bonus material & promo
1:16:04: Next week's show may be delayed

Duration:01:17:19

Less is More

7/31/2023
Last time, I told you how to enumerate all the devices on your home network. Before we go to the trouble of analyzing and mitigating their vulnerabilities, we should take the opportunity to cull the inventory. Do you really need all of these devices? Or could you forego the "smart" features that require them to be connected to your network? Today we'll talk about reducing your attack surface before we bother trying to secure it. In other news: the White House announces new cybersecurity labeling program; the SEC mandates a 4-day reporting window for cyber attacks; EFF opposes a bill that threatens our privacy; stolen Microsoft signing keys behind a set of targeted US government email hacks; more details emerge about Facebook mining Onavo VPN for user data; TETRA radios used for decades revealed to have deliberately weakened encryption; ALPR data now being used with AI algorithms to guess which cars might contain criminals; Apple threatens to pull FaceTime, iMessage from UK over proposed surveillance law changes; Google's Web Integrity API causes a stir; Apple to require justification for use of some APIs that might compromise user privacy.

Article Links
[whitehouse.gov] Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
[The Hacker News] New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days https://thehackernews.com/2023/07/new-sec-rules-require-us-companies-to.html
[Electronic Frontier Foundation] Amended Cooper Davis Act Is a Direct Threat to Encryption https://www.eff.org/deeplinks/2023/07/amended-cooper-davis-act-direct-threat-encryption
[TechCrunch] Microsoft lost its keys, and the government got hacked https://techcrunch.com/2023/07/17/microsoft-lost-keys-government-hacked/
[Financial Review] Facebook admits it used app to ‘know nearly everything’ about users https://www.afr.com/companies/media-and-marketing/facebook-admits-it-used-app-to-know-nearly-everything-about-users-20230713-p5do2a
[WIRED] Code Kept Secret for Years Reveals Its Flaw—a Backdoor https://www.wired.com/story/tetra-radio-encryption-backdoor/
[Forbes] This AI Watches Millions Of Cars Daily And Tells Cops If You’re Driving Like A Criminal https://www.forbes.com/sites/thomasbrewster/2023/07/17/license-plate-reader-ai-criminal/
[MacRumors] Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes https://www.macrumors.com/2023/07/20/apple-threatens-to-pull-facetime-and-imessage-uk/
[Ars Technica] Google’s nightmare “Web Integrity API” wants a DRM gatekeeper for the web https://arstechnica.com/gadgets/2023/07/googles-web-integrity-api-sounds-like-drm-for-the-web/
[MacRumors] Apple Developers Required to Justify Use of Some APIs in Latest Move to Boost Privacy https://www.macrumors.com/2023/07/28/developers-required-to-justify-api-use/

Tip of the Week: Less is More: https://firewallsdontstopdragons.com/secure-your-network-2-simplify/

Further Info
Stop the bad bills: https://www.eff.org/deeplinks/2023/07/you-can-help-stop-these-bad-internet-bills
Dragon Challenge Coin Promo! https://fdsd.me/promo823
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna

Duration:01:12:29

The Politics of Privacy

7/24/2023
Despite growing demand from US citizens for privacy protections, the federal government has failed repeatedly to enact basic privacy laws. However, one US state - California - has led the charge on privacy and passed regulations that have benefited people outside the state. Today I'll speak with Ernesto Falcon who is currently running for California State Senate in District 7. He has decades of experience in public policy, particularly in the realm of privacy rights, both in politics and with the Electronic Frontier Foundation. We'll talk about how the legislative sausage is made, why we can't seem to pass privacy regulations, how lobbyists influence policy, and much more. Disclaimer: Views, opinions, or statements expressed are solely those of the candidate and not of his employer at the Electronic Frontier Foundation.

Interview Notes
Ernesto Falcon’s campaign website: https://www.ernestofalcon.com/
California Consumer Privacy Act: https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act
California Privacy Rights Act: https://en.wikipedia.org/wiki/California_Privacy_Rights_Act

Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/

Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:16: Interview prep
0:02:40: Tell us about your CA Senate campaign
0:10:56: How have CA privacy laws impacted the greater US?
0:15:45: How do we regain control over our data?
0:17:59: What is preventing a good federal privacy law?
0:24:36: What are the dangers of all this personal data being hoarded?
0:31:01: How does HIPAA actually work? What doesn't it cover?
0:33:01: What is the EARN IT Act and why does EFF oppose it?
0:37:58: How do child safety laws undermine privacy?
0:40:41: How are legal wire taps different from backdoors in encryption?
0:43:10: Won't repressive regimes abuse encryption backdoors?
0:44:45: Is on-device scanning a valid compromise solution?
0:47:07: Will we ever win the Crypto Wars?
0:48:59: How can we best support the privacy cause?
0:52:00: Would more privacy transparency be a good first step?
0:54:35: Are monopolies part of the problem here?
0:58:53: What's next for you and your senate campaign?
1:00:42: Post interview wrap-up
1:01:46: Go talk to your representative!
1:02:55: Dragon Challenge Coin Promotion!

Duration:01:07:23

IoT Inventory

7/17/2023
The Internet of Things (IoT) has added internet connections to lots of home devices. Each and every one of those devices runs software on a computer chip. Almost all software has bugs and those bugs may be exploitable by bad guys. We're going to take another look at protecting our home networks using a simple, logical methodology. Step one: SCAN. That is, first of all, we need to understand the scope of the problem by enumerating all of the devices on your home network. I'll explain how to do that. In other news: Apple re-releases security update after web glitch; EV chargers are vulnerable to hacking which could have significant impacts; tax prep firms shared 'extraordinarily sensitive' data with Meta; Meta's new Threads service collects tons of personal info and employs dark patterns to hook you in; France passes law giving law enforcement access to private device cameras, mics and locations; police are collecting and selling personal info, bypassing the 4th Amendment and sharing across state lines; Massachusetts weighs outright ban on selling user location data; printers and printing services may be mining your documents for data. 
Article Links
[MacRumors] Apple Releases Revised iOS and macOS Security Updates to Fix Actively Exploited Vulnerability and Safari Bug https://www.macrumors.com/2023/07/12/apple-releases-revised-security-updates/
[WIRED] EV Charger Hacking Poses a ‘Catastrophic’ Risk https://www.wired.com/story/electric-vehicle-charging-station-hacks/
[The Associated Press] 3 tax prep firms shared ‘extraordinarily sensitive’ data about taxpayers with Meta, lawmakers say https://apnews.com/article/irs-taxpayer-tax-preparation-meta-congress-9315cfca7a0942ab89f765d183fbf822
[Ars Technica] How Threads’ privacy policy compares to Twitter’s (and its rivals’) https://arstechnica.com/security/2023/07/how-threads-privacy-policy-compares-to-twitters-and-its-rivals/
[Yanko Design] The ‘Threads’ App is FILLED With Deceptive Dark Design Patterns – We Spotted More Than TEN https://www.yankodesign.com/2023/07/07/the-threads-app-is-filled-with-deceptive-dark-design-patterns-we-spotted-more-than-ten/
[Gizmodo] France Passes New Bill Allowing Police to Remotely Activate Cameras on Citizens' Phones https://gizmodo.com/france-bill-allows-police-access-phones-camera-gps-1850609772
[Tampa Bay Times] Hillsborough, Clearwater police monitoring private security cameras https://www.tampabay.com/news/hillsborough/2023/07/10/hillsborough-clearwater-police-monitoring-private-security-cameras/
[New York Daily News] NYPD seeks to grab cell phone IDs from people under arrest or in custody; push for IMEI numbers raises concerns https://www.nydailynews.com/new-york/nyc-crime/ny-nypd-campaign-cellphone-idenfiication-numbers-controversy-20230708-yltabdlozfbppeoodxymyub3zq-story.html
[The Sacramento Bee] California cops illegally share data with anti-abortion states https://www.sacbee.com/news/politics-government/capitol-alert/article275795726.html
[Engadget] Massachusetts weighs outright ban on selling user location data https://www.engadget.com/massachusetts-weighs-outright-ban-on-selling-user-location-data-191637974.html
[The Washington Post] Your printing service might read your documents. Here’s what to know. https://www.washingtonpost.com/technology/2023/07/10/printing-privacy-security-printed-documents/
Tip of the Week: IoT Inventory https://firewallsdontstopdragons.com/secure-your-network-part-1-scan/
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about sec...

Duration:01:10:50

National Cyber Strategy

7/10/2023
After lengthy negotiations and revisions, the White House has finally released its National Cybersecurity Strategy document, outlining its priorities and goals. It's a wide-ranging and ambitious document consisting of five major areas of focus, or "pillars". What's new here? What will it mean for businesses and critical infrastructure? And what does this mean for you and me? Today I'll cover all of that and more with Josh Corman from I Am the Cavalry and formerly with the US Cybersecurity and Infrastructure Security Agency (CISA).
Interview Notes
National Security Strategy doc: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
Consequential Cybersecurity: https://claroty.com/blog/consequential-cybersecurity-brace-yourself-for-the-white-house-national-cybersecurity-strategy
PPD-21: https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Swimming with Sharks TED talk: https://www.youtube.com/watch?v=rZ6xoAtdF3o
I Am the Cavalry: https://iamthecavalry.org/
CISA Secure by Design: https://www.cisa.gov/securebydesign
Further Info
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:55: Interview setup
0:04:00: What is this strategy document, at a high level?
0:14:02: What are some of the more important or novel aspects?
0:18:05: Do agencies have the budget and authority to implement these strategies?
0:22:11: Will having a gov't backstop actually encourage attacks or discourage preparation?
0:30:40: Should the gov't actively scan US firms/orgs for vulnerabilities?
0:36:56: What should we do about the marketplace for zero-day hacks?
0:39:52: How aggressive should the US be against hackers?
0:41:03: What is NOT addressed by this strategy?
0:45:55: How should we manage our dependencies on foreign software and hardware?
0:52:59: What can everyday people take away from these strategies?
0:59:50: Has this document already had impacts? How do we monitor progress?
1:03:56: Interview wrap-up
1:07:40: Looking ahead

Duration:01:09:18

Access Backup Plan

7/3/2023
You're using a password manager. You're even using two-factor authentication. Great! When done properly, this will keep the bad guys out. Unfortunately, if you're not careful, it may also keep you out. If you forget your master password or lose access to your 2FA device, you'll be in real trouble... unless you have an access backup plan. This same plan can also help your spouse or next of kin to access your accounts should you die or become incapacitated. In the news: CISA issues a DDoS warning after multiple attacks; LetMeSpy stalkerware maker suffers a data breach of collected data; researchers use LED power light flicker to break cryptographic keys; Australian PM recommends that citizens power cycle their phones once a day; several artists boycott venues that use facial recognition; Brave browser introduces new localhost access permission; Proton unveils new password manager; Dear Carey questioner asks about PDF readers.
Article Links
[BleepingComputer] CISA issues DDoS warning after attacks hit multiple US orgs https://www.bleepingcomputer.com/news/security/cisa-issues-ddos-warning-after-attacks-hit-multiple-us-orgs/
[TechCrunch] LetMeSpy, a phone tracking app spying on thousands, says it was hacked https://techcrunch.com/2023/06/27/letmespy-hacked-spyware-thousands/
[The Hacker News] Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers https://thehackernews.com/2023/06/researchers-find-way-to-recover.html
[9to5mac.com] Why tips like ‘turn off your iPhone for five minutes’ don’t actually help users https://9to5mac.com/2023/06/26/turn-off-your-iphone-for-5-minutes-advice/
[Rolling Stone] Tom Morello, Zack de la Rocha, and Boots Riley Boycotting Venues That Use Face-Scanning Technology https://www.rollingstone.com/music/music-features/tom-morello-zack-de-la-rocha-facial-recognition-concerts-boycott-1234775909/
[BleepingComputer] Brave Browser boosts privacy with new local resources restrictions https://www.bleepingcomputer.com/news/security/brave-browser-boosts-privacy-with-new-local-resources-restrictions/
[9to5mac.com] Proton Pass end-to-end encrypted password manager is here and free for everyone https://9to5mac.com/2023/06/28/proton-pass-encrypted-password-manager-free/
Tip of the Week - Access Backup Plan: https://firewallsdontstopdragons.com/craft-your-access-backup-plan/
Further Info
Saving your Apple Photo Stream pics: https://support.apple.com/en-us/HT210705
Securityzed podcast: https://www.securityzed.com/podcast-test/securityzed-ltfyn-7xm5l-b8c8s-km25d-jbagp-6k9d4-39cr9-z5nhw-w4jwm
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:00: Photo Stream, Securityzed podcast
0:03:21: News rundown
0:05:10: CISA issues DDoS warning after attacks hit multiple US orgs
0:09:29: LetMeSpy stalkerware maker says it was hacked
0:16:43: Researchers Recover Crypto Keys from LED Flickers
0:24:07: Turn your iPhone off every day for 5 mins?
0:29:39: Artists boycotting venues that Use Face-Scanning Technology
0:34:02: Brave Browser boosts privacy with localhost restrictions
0:41:28: Proton debuts new password manager
0:45:56: Dear Carey question
0:50:05: Tip of the Week
1:00:32: Wrap-up

Duration:01:01:44

Hacking in Space

6/26/2023
Right now there are thousands of satellites orbiting above our heads performing crucial tasks. At the end of the day, they're just computers running software - albeit at thousands of miles up and thousands of miles per hour. Can they be hacked? What are the dangers? Aaron Myrick and the Hack-A-Sat team are trying to answer those questions. And they're doing it by launching an actual satellite into low earth orbit for this year's DEF CON hacking contest and asking talented hackers from around the world to take their best shot.
Interview Notes
Moonlighter Fact Sheet: https://aerospace.org/fact-sheet/moonlighter-fact-sheet
Hack-A-Sat 4: https://hackasat.com/moonlighter/
Hack-A-Sat GitHub resources: https://github.com/deptofdefense/hack-a-sat-library
Space-Track.org: https://www.space-track.org/
Moonlighter launch: https://vimeo.com/833432259/4ba9b0927b
Further Info
Amulet of Entropy (DEF CON badge): https://amuletofentropy.com/
Nominate someone for a challenge coin: https://fdsd.me/quest
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:36: Update Apple devices, ASUS routers
0:01:03: Misc updates
0:03:08: Interview setup
0:04:19: What is Aerospace Corp and what do you do there?
0:08:25: What are things satellites do that we might not think about?
0:13:42: Break down some key stats on satellites for us.
0:17:27: How might we be affected by loss of satellites?
0:21:31: How do you hack an orbiting satellite, logistically?
0:24:38: What sorts of attacks are we worried about?
0:26:58: How do we debug problems in orbiting satellites?
0:30:55: How is hacking a satellite different from a computer?
0:35:23: What happens to old satellites?
0:41:26: What is the Hack-A-Sat program about?
0:43:35: How did the target systems work, prior to this year?
0:46:39: What have we learned so far from past contests?
0:51:24: What's new with Hack-a-Sat 4?
0:52:43: When and how will Moonlighter launch?
0:58:30: What kinds of things can I hack on Moonlighter?
1:00:43: What's the future for Hack-a-Sat?
1:03:26: Wrap-up

Duration:01:06:04

Go Forth, Do Good Deeds

6/19/2023
I launched my mission to improve people’s privacy and security almost ten years ago now. It’s been quite a journey and I’ve learned a lot in that time. One thing I’ve realized is that there’s only so much I can do on my own. And so I’ve encouraged the more technically savvy members of my audience to help others where they can. One downside to being a podcaster is that I don’t have much insight into the effectiveness of my exhortations. I have no idea how many people are going forth to do good deeds nor what those deeds are. So today I'm launching a new campaign to solicit stirring stories of good deeds and every quarter or so I will select the most inspiring deed-doers and reward them with one of my dragon challenge coins! In the news: Clop ransomware gang lists first victims of MOVEit supply chain hacks; firmware bug in Gigabyte motherboards has a fix now; US Congress and intelligence agencies debate reform for mass surveillance program; tissue and fluid samples are being abused by law enforcement for DNA scans; check washing scams are on the rise; how to avoid being scammed by virtual kidnapping schemes; 1Password announces beta support for browser passkey extension; bold new plan for 311 cyber support line.
Article Links
[TechCrunch] Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/
[restoreprivacy.com] Hackers Stole Millions of Driver’s Licenses and IDs from U.S. States https://restoreprivacy.com/hackers-stole-millions-of-drivers-licenses-and-ids-from-u-s-states/
[Tom's Hardware] Firmware Backdoor Discovered in Gigabyte Motherboards, 250+ Models Affected https://www.tomshardware.com/news/gigabyte-motherboards-come-with-a-firmware-backdoor
[cyberscoop.com] Congress and intelligence officials spar over surveillance reforms https://cyberscoop.com/congress-fbi-section-702/
Senate hearing: https://www.judiciary.senate.gov/oversight-of-section-702-of-the-foreign-intelligence-surveillance-act-and-related-surveillance-authorities
[aclu.org] Donated Blood or an Organ? Police Shouldn’t Have Easy Access to Your DNA https://www.aclu.org/news/privacy-technology/donated-blood-or-an-organ-police-shouldnt-have-easy-access-to-your-dna
[Lifehacker] Why You Should Stop Sending Checks in the Mail, Especially Now https://lifehacker.com/why-you-should-stop-sending-checks-in-the-mail-especia-1850543113
[connectsafely.org] Quick-Guide to Virtual Kidnapping Scams https://connectsafely.org/virtualkidnapping/
[9to5mac.com] 1Password passkey support for the web launches in public beta on the Mac https://9to5mac.com/2023/06/06/1password-passkey-browser-extension/
[WIRED] The Bold Plan to Create Cyber 311 Hotlines https://www.wired.com/story/ut-austin-cybersecurity-clinic-311/
Tip of the Week: Go Forth, Do Good Deeds: https://fdsd.me/quest
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:00:47: News preview
0:03:01: Clop Ransomware hits several public and private organizations
0:11:32: Firmware Backdoor Discovered in Gigabyte Motherboards
0:17:04: Congress and intelligence officials spar over surveillance reforms
0:24:13: Police Shouldn’t Have Easy Access to Your DNA
0:28:03: Why You Should Stop Sending Checks in the Mail
0:31:43: Quick-Guide to Virtual Kidnapping Scams

Duration:00:50:49

Making a Difference

6/12/2023
At some point, when you care enough about a particular cause, you shift from following the issue to actually trying to advance the issue - to make a difference. The easiest way to do this is to find groups that are already working for this cause and supporting them with donations of your time and/or money. But what do you do if you can't find such a group, or maybe there's no local chapter? Well, you can start your own! It's not as hard as it sounds - and in fact, there exist organizations that can help you. Today I'll speak with Rory Mir from the Electronic Frontier Alliance along with leaders from two successful EFA-affiliated groups: Freddy Martinez from Lucy Parsons Labs and Chris Bushick from PDX Privacy.
Interview Notes
Reach out to EFF organizing team: organizing@eff.org
Electronic Frontier Alliance (EFA): https://www.eff.org/efa
Meetup groups: https://meetup.com
Lucy Parsons Labs: https://lucyparsonslabs.com/
PDX Privacy: https://www.pdxprivacy.org/
EFF on the EARN IT Act: https://www.eff.org/deeplinks/2023/05/dangerous-earn-it-bill-advances-out-committee-several-senators-offer-objections
Further Info
Dragon Coins! https://fdsd.me/coin2
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
0:00:25: Interview setup
0:04:32: Introductions and overview of EFA
0:09:12: Lucy Parsons Project overview
0:10:52: PDX Privacy overview
0:12:28: How has the EFA helped you with your projects?
0:15:33: What other types of groups work with the EFA?
0:17:49: What did you do before? What was it like starting your group?
0:23:02: How can you go about finding sources of funding?
0:25:25: What sorts of grants are available?
0:30:09: What accomplishments are you most proud of?
0:34:48: What were some of your biggest challenges?
0:38:51: Do you ever feel like you're David versus Goliath?
0:42:26: How can I find existing groups that I can support or join?
0:45:58: What's the first step in starting my own group?
0:49:31: If you were starting over again, what would you have done differently?
0:49:56: Do I need to incorporate or create a legal entity?
0:53:02: Can a non-profit organization make money?
0:57:32: Any parting thoughts you'd like to share?
1:00:32: Wrap-up
1:03:11: Looking ahead
1:04:09: Upcoming challenge coin campaign

Duration:01:06:00

Blocking .zip Domains

6/5/2023
Two weeks ago, I told you about the availability of two new top-level domains that also happen to be popular file name extensions: .zip and .mov. The ambiguity will undoubtedly be exploited by ne'er-do-wells to trick people into doing something they shouldn't do. There are clever ways to manipulate website addresses that would trick even tech-savvy people into clicking malicious links. Today I'll tell you how these tricks work and explain how you can avoid all of these issues by simply blocking these new domains. In other news: iTunes for Windows patches a nasty bug; Android malware downloaded over 420 million times; Android phones vulnerable to fingerprint brute-force attacks; Luxottica exposes 300 million customer records; free VPN service SuperVPN exposes 360 million user records; Amazon gets slap on the wrist for Ring video doorbell private data access; KeePass "master password crack" not as bad as it sounds; Twitter adding Community Notes 'fact checks' to images; Microsoft now scanning inside password-protected zip files; drone pilot is NOT killed by drone; AI is NOT likely to cause human extinction; and Brave introduces new Off The Record browsing mode. Plus my Dear Carey question: recommended cheat sheet for computer safety.
Article Links
[MacRumors] PSA: If You Run Windows, Make Sure to Update iTunes to Fix Security Vulnerability https://www.macrumors.com/2023/06/01/itunes-windows-vulnerability/
[Lifehacker] This Android Malware Was Downloaded Over 420 Million Times https://lifehacker.com/this-android-malware-was-downloaded-over-420-million-ti-1850492306
[BleepingComputer] Android phones are vulnerable to fingerprint brute-force attacks https://www.bleepingcomputer.com/news/security/android-phones-are-vulnerable-to-fingerprint-brute-force-attacks/
[bitdefender.com] Luxottica 2021 breach: 300 million customer records up for grabs online https://www.bitdefender.com/blog/hotforsecurity/luxottica-2021-breach-300-million-customer-records-up-for-grabs-online/
[hackread.com] Free VPN Service SuperVPN Exposes 360 Million User Records https://www.hackread.com/free-vpn-service-supervpn-leaks-user-records/
[AppleInsider] Amazon gets slap on the wrist over privacy violations with Ring cameras https://appleinsider.com/articles/23/05/31/amazon-gets-slap-on-the-wrist-over-privacy-violations-with-ring-cameras
[Naked Security] Serious Security: That KeePass “master password crack”, and what we can learn from it https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-master-password-crack-and-what-we-can-learn-from-it/
[Mashable] Twitter will now put Community Notes 'fact checks' on images https://mashable.com/article/twitter-notes-on-media-images
[Ars Technica] Microsoft is scanning the inside of password-protected zip files for malware https://arstechnica.com/information-technology/2023/05/microsoft-is-scanning-the-inside-of-password-protected-zip-files-for-malware/
[VICE] USAF Official Says He ‘Misspoke’ About AI Drone Killing Human Operator in Simulated Test https://www.vice.com/en/article/4a33gj/ai-controlled-drone-goes-rogue-kills-human-operator-in-usaf-simulated-test
[Schneier Blog] On the Catastrophic Risk of AI https://www.schneier.com/blog/archives/2023/06/on-the-catastrophic-risk-of-ai.html
[brave.com] Request "Off the Record" https://brave.com/privacy-updates/26-request-off-the-record/
Tip of the Week: Blocking .zip Domains: https://firewallsdontstopdragons.com/how-to-block-the-new-zip-domain/
Further Info
How to send files securely: https://firewallsdontstopdragons.com/how-to-send-files-securely-like-tax-info/
Checklist of Tips for my book: https://firewallsdontstopdragons.com/wp-content/uploads/2023/02/FDSDv5-workbook-v1.pdf
10 Years After Snowden: https://www.eff.org/deeplinks/2023/05/10-years-after-snowden-some-things-are-better-some-were-still-fighting
The Wayback Machine: https://web.archive.org/

Duration:01:06:27

Vehicle Privacy Report

5/29/2023
Modern cars are more like smartphones on wheels. Like our cell phones, they are chock full of sensors, computer chips and software, and they're connected to the internet 24/7 via cellular modems. What data is being collected? Who owns this data? How secure is your data? Who is it being shared with? And most importantly, what - if anything - can you do about it? Since we last spoke with Privacy4Cars' Andrea Amico, his company has released a powerful new Vehicle Privacy Report tool that aims to answer at least some of these questions and help you to be a more informed car buyer. Today we'll delve into the murky world of car data collection and privacy. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Interview Notes
Privacy4Cars: https://privacy4cars.com/
Vehicle Privacy Report tool: https://vehicleprivacyreport.com/
Assert your data rights: https://privacy4cars.com/personal-use/assert-your-data-rights/
Previous interview: Driving Data Privacy for Cars https://podcast.firewallsdontstopdragons.com/2021/09/13/driving-data-privacy-for-cars/
New privacy rules will impact your shop: https://www.autoserviceworld.com/new-privacy-rules-will-impact-your-shop/
Who Is Collecting Data From Your Car? https://themarkup.org/the-breakdown/2022/07/27/who-is-collecting-data-from-your-car
Further Info
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:04:38: What has happened with Privacy4Cars since we last spoke?
0:06:17: Why are cars collecting so much data? How private is this data?
0:09:31: You say cars are "cell phones on wheels" - what does that mean?
0:10:24: Are cars connected even when turned off?
0:11:55: What types of data is my car collecting?
0:14:16: Do electric cars gather more data than regular cars?
0:16:54: Do cameras built into your car represent a privacy risk?
0:21:51: Who can access my car's data? Can I access it myself?
0:27:25: Who owns the data in rental or fleet cars? What about wrecked cars?
0:32:24: Cars now have smartphone apps - what data are they collecting?
0:37:18: How do I know if I've opted in to data collection?
0:40:42: Can I opt out of data collection? If so, how?
0:44:20: What about Apple's CarPlay or Google's Android Auto?
0:49:37: How do I know which cars best respect my privacy?
0:55:08: How does the Vehicle Privacy Report tool work?
0:57:14: What does this tool tell me about a car?
1:00:43: What's the value of this tool for car makers and dealerships?
1:06:09: What's next for your company and the reporting tool?
1:09:49: Interview follow-up notes

Duration:01:14:37

Problems with Passkeys

5/22/2023
Everyone hates dealing with passwords. This has led to a mad search for 'password-killer' technology. After several failed attempts, there's finally a worthy contender: passkeys. The technology has been around for years - it's the basis for hardware keys like YubiKey. But no one wanted to have to carry the little things all the time. With passkeys, you get the same phishing-proof, passwordless goodness but tied to a device you always have: your smartphone. Websites are slowly rolling out the ability to secure your accounts with passkeys, and Apple, Google and Microsoft are building support for passkeys into their operating systems. But I would caution you to wait a bit before jumping on the bandwagon - I'll explain why in today's show. In other news: update all your Apple devices; FBI and NSA break the notorious Snake malware; Intel deploys microcode security update; location data on 2M Toyota customers exposed for years; new .zip and .mov domains are dangerously ambiguous; new crafty Chinese router malware; online age verification will cause serious problems; Apple will allow you to 'bank' your voice soon.
Article Links
[Tom's Guide] Apple issues urgent fix to block zero-day attacks — update your iPhone and Mac now https://www.tomsguide.com/news/apple-issues-urgent-fix-to-block-zero-day-attacks-update-your-iphone-and-mac-now
[tech.co] FBI & NSA Cut the Head Off Notorious Russian Snake Malware https://tech.co/news/nsa-fbi-russian-snake-malware
[Tom's Hardware] Intel Deploys Undisclosed Microcode Security Update For CPUs Going Back To Coffee Lake https://www.tomshardware.com/news/intel-microcode-security-update
[BleepingComputer] Toyota: Car location data of 2 million customers exposed for ten years https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/
[Digital Trends] Hackers are using a devious new trick to infect your devices https://www.digitaltrends.com/computing/hackers-are-abusing-zip-mov-domain-names/
[9to5mac.com] Researchers find security flaw in Wemo Smart Plug, Belkin says it won’t release a patch https://9to5mac.com/2023/05/16/wemo-smart-plug-security-flaw-no-patch-coming/
[Ars Technica] Malware turns home routers into proxies for Chinese state-sponsored hackers https://arstechnica.com/information-technology/2023/05/malware-turns-home-routers-into-proxies-for-chinese-state-sponsored-hackers/
[Electronic Frontier Foundation] Age Verification Mandates Would Undermine Anonymity Online https://www.eff.org/deeplinks/2023/03/age-verification-mandates-would-undermine-anonymity-online
[9to5mac.com] Everyone should use Personal Voice; it does in 15 minutes what currently takes several weeks https://9to5mac.com/2023/05/19/everyone-should-use-personal-voice/
Tip of the Week: The Pros & Cons of Passkeys https://firewallsdontstopdragons.com/the-pros-and-cons-of-passkeys/
Further Info
Meross MSS115 Matter-enabled smart plug: https://shop.meross.com/products/meross-matter-smart-wi-fi-plug-mini-mss115
Get your Firewalls Don’t Stop Dragons Merch! https://fdsd.me/merch
Give the gift of privacy and security: https://fdsd.me/coupons
Send me your questions! https://fdsd.me/qna
Support our mission! https://fdsd.me/support
Subscribe to the newsletter: https://fdsd.me/newsletter
Check out my book, Firewalls Don’t Stop Dragons: https://fdsd.me/book
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:01:10: Update on new location tracker spec
0:02:52: News preview
0:05:30: FBI & NSA Cut the Head Off Notorious Russian Snake Malware
0:07:27: Intel Deploys Undisclosed Microcode Security Update
0:11:12: Toyota location data of 2M customers exposed for years

Duration:01:01:59

Probing the Ministry of Truth

5/15/2023
In the book "1984" (published in 1949), George Orwell envisioned a Big Brother that would control the media and dictate what was "truth". But Orwell didn't predict that "telescreens" would fit in our pockets or that we would willingly carry them with us 24/7, even to the bathroom. He also didn't foresee that we would willingly subscribe to sources of mis- and disinformation in the form of social media. Today I speak with the co-author of the book "Ministry of Truth", Vincent Hendricks, about the current state of social media and its influence on democracy and society. Vincent F. Hendricks, author of THE MINISTRY OF TRUTH: BigTech's Influence On Facts, Feelings And Fictions, is Professor of Formal Philosophy at the University of Copenhagen. He is the Director of the Center for Information and Bubble Studies (CIBS) funded by the Carlsberg Foundation.
Interview Notes
“Ministry of Truth” book: https://www.vince-inc.com/vincent/?p=7625
“1984” by George Orwell: https://en.wikipedia.org/wiki/Nineteen_Eighty-Four
"Reality Lost" (free PDF book): https://link.springer.com/book/10.1007/978-3-030-00813-0
Vincent Hendricks website: https://www.vince-inc.com/vincent/
More from Vincent: https://www.oecd-forum.org/users/vincent-f-hendricks
Blocking Google popups (and other annoyances): https://firewallsdontstopdragons.com/how-to-block-google-popups/
Further Info
Send me your questions! https://fdsd.me/qna
Support me! https://fdsd.me/support
Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
Check out my book, Firewalls Don’t Stop Dragons: https://www.amazon.com/gp/product/1484261887
Would you like me to speak to your group about security and/or privacy? https://fdsd.me/speakerrequest
Generate secure passphrases! https://d20key.com/#/
Table of Contents
Use these timestamps to jump to a particular section of the show.
0:02:23: Pre-interview notes
0:03:51: Why did you write this book?
0:06:06: What is the current state of social media content moderation?
0:10:41: How equally are moderation rules applied to all users?
0:12:44: Do algorithms just feed our desire for stuff that's not good for us?
0:16:39: Are things really worse today or just different?
0:21:21: Do private companies have a moral duty to support a "public square"?
0:26:23: Are social media companies warping the public discourse?
0:28:58: Is TikTok really more of a threat than Facebook or Twitter?
0:31:15: Are any of the proposed TikTok solutions viable?
0:35:41: Why can't the US Congress pass a real privacy law?
0:38:00: Can we fix some key social media ills by adding some friction?
0:41:10: How will AI systems like ChatGPT impact disinformation?
0:44:15: Can AI also have positive impacts on social media?
0:48:10: How are social media platforms like casinos?
0:50:28: How are social media platforms like Orwell's Ministry of Truth?
0:51:34: How much responsibility do we have here?
0:57:42: What tips do you have for using social media today?
1:02:59: Interview wrap-up
1:03:28: Privacy and security book club
1:04:37: Patron perks
1:05:02: Preview of upcoming shows

Duration:01:06:16

Blocking Google Popups

5/8/2023
Have you noticed Google getting really pushy lately with offers to "sign in with Google"? You're not alone. Many websites offer the ability to create a free account so that you can "personalize your experience", but lately Google has been popping up a very annoying window to prompt you to create this account by signing in with your Google account. First of all, you almost never need to create an account to view the site. But second, even if you do want to create an account, you shouldn't be linking that account with Google. You're creating a data sharing arrangement that is completely unnecessary and not in your best interests. I'll explain how to block these irritating popups (and many like them) for good.

In other news: 1Password was not hacked, but recent messages might have worried you; new macOS malware stealer app; five things scammers hope you search for; Microsoft Edge is recording your web surfing data; Windows 10 will never receive another feature update; Microsoft is rewriting core Windows software in a memory-safe language; study claims 83% of passwords can be hacked in one second; Google adds support for passkeys; Apple issues first Rapid Security Response with confusing messages; NYPD hands out 500 free AirTags to combat auto thefts; Apple and Google partner on industry spec to thwart unwanted tracking devices; Google adds cloud backup for 2FA without end-to-end encryption; Amazon Clinic requires you to sign away privacy rights; Washington State passes health data privacy law; my take on recent efforts to undermine encryption and restrict access to social media.

Article Links
[Digital Trends] No, 1Password wasn’t hacked – here’s what really happened https://www.digitaltrends.com/computing/1password-secret-keys-not-hacked/
[9to5mac.com] PSA: ‘Atomic macOS Stealer’ malware can compromise iCloud Keychain passwords, credit cards, crypto wallets https://9to5mac.com/2023/04/28/atomic-macos-stealer-malware-steal-passwords/
[Lifehacker] Five Things Scammers Are Hoping You Google https://lifehacker.com/five-things-scammers-are-hoping-you-google-1850405964
[The Verge] Microsoft Edge is leaking the sites you visit to Bing https://www.theverge.com/2023/4/25/23697532/microsoft-edge-browser-url-leak-bing-privacy
[Lifehacker] Microsoft Will Never Update Windows 10 Again (But You Can Keep Using It) https://lifehacker.com/microsoft-will-never-update-windows-10-again-but-you-c-1850386188
[theregister.com] Microsoft is busy rewriting core Windows code in memory-safe Rust https://www.theregister.com/2023/04/27/microsoft_windows_rust/
[9to5mac.com] Study reveals top 20 most used passwords; 83% can be cracked in a second https://9to5mac.com/2023/05/02/most-used-passwords-report/
[The Hacker News] Google Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts https://thehackernews.com/2023/05/google-introduces-passwordless-secure.html
[AppleInsider] Apple issues Rapid Security Response update for iOS 16.4.1, macOS 13.3.1 https://appleinsider.com/articles/23/05/01/apple-issues-rapid-security-response-update-for-ios-1641-macos-1331
[AppleInsider] New York hands out 500 AirTags in car theft crackdown https://appleinsider.com/articles/23/05/01/new-york-hands-out-500-airtags-in-car-theft-crackdown
[Apple] Apple, Google partner on an industry specification to address unwanted tracking https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/
[Gizmodo] Google’s New Two-Factor Authentication Isn’t End-to-End Encrypted, Tests Show https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102
[The Washington Post] To become an Amazon Clinic patient, first you sign away some privacy https://www.washingtonpost.com/technology/2023/05/01/amazon-clinic-hipaa-privacy/
[The Verge] Washington passes law requiring consent before companies collect health data https://www.theverge.

Duration:01:08:38