Carey Parker presents
Firewalls Don't Stop Dragons Podcast
A Podcast on Computer Security & Privacy for Non-Techies
September 13, 2021
Driving Data Privacy for Cars
Ever paired your phone to a rental car? Did you erase all the data from the last car you sold or turned in at the end of your lease? Do you know what data your car is sending wirelessly to the cloud right now? Cars have become a privacy nightmare. Andrea Amico is the founder of a company called Privacy 4 Cars and today he'll help us understand all the data your car is hoovering up - from your phone, your driving habits, your location, and even your facial expressions (no, really). And thankfully, his company also gives you a powerful tool to find and delete the data exhaust you've generated, probably without even realizing it. Andrea Amico is one of the nation’s leading authorities on vehicle privacy and cybersecurity. He is also the founder of Privacy4Cars, the first and only privacy-tech company focused on identifying the challenges posed by vehicle data.
Further Info
Privacy4Cars: Your Data Rights!
Twitter:
CCPA Agent:
Auto ISAC:
Become a Patron!
Would you like me to speak to your group about security and/or privacy?
Generate secure passphrases!
September 6, 2021
For many people, privacy is just a vague concept. But it can literally be a matter of life and death. It deserves your attention, your consideration and (crucially) your support. Technology has vastly improved our daily lives, but some of it also threatens to undermine our basic human rights and even our democracy/society. We need to understand the implications of the laws we pass - and the laws we aren't passing. Today, I'll talk about several stories with a common theme: privacy matters. Of course, I'll also cover several security-related topics this week, as well: I'll tell you how to completely hack someone's Windows PC with a gaming mouse; Microsoft's Azure cloud service left thousands of customers' data completely exposed; new and disturbing details emerge about the role of NSA-pushed backdoors in the massive Juniper breach of 2015; Australia considers making state ID required for social media accounts; Google tries to cut off access to account data that endangers US helpers in Afghanistan; Apple partners with 8 US states to incorporate state IDs into Apple Wallet; Apple has thankfully delayed its rollout of on-device surveillance technology aimed at stemming child porn; the FTC comes down hard on a stalkerware company; and I take a moment to reflect on the 20th anniversary of 9/11. My Tip of the Week explains how to quickly disable biometric unlocking of your smartphone.
Article Links
Not just Razer: SteelSeries mice, keyboards hijack Windows 10 too — what you can do
Azure cloud vulnerability is the ‘worst you can imagine’
Breach Mystery Starts to Clear With New Details on Hackers and U.S. Role
Australia Considers Social Media ID Requirement
Google locks Afghan government email accounts as concerns grow over the Taliban tracking down their enemies
It’s dangerously stupid to put your state ID in your Apple Wallet
of smartphones, laptops, trucks, planes affected by new Bluetooth flaws — what you need to know
cares about privacy, unless you work at
Apple backs down on CSAM features, postpones launch
Federal Trade Commission Bans Stalkerware Company from Conducting Business
‘Panic made us vulnerable’: how 9/11 made the US surveillance state – and the Americans who fought
August 30, 2021
Morpheus: Securing CPUs with Entropy
Computers are supposed to be completely predictable. When you tell a computer to do something, it should do exactly that - over and over again, if necessary - in the same way, with the same result. This is the nature of computer programming. But this predictability can allow computer criminals to interrupt a computer's processing and divert it to do nefarious things. If you know exactly where to poke the system, predicting where and how it does its processing, you can effectively rewire it to do your bidding. This is the basic attack methodology that lets bad guys insert their malware into our systems. But what if we were able to randomly perturb a computer's processing on a periodic basis, making it effectively unpredictable? This is the essence of a new computer architecture called Morpheus that may one day make all of our computers and computerized devices much, much harder to hack. Today, Todd Austin will explain how this brilliant defense mechanism works and how it was inspired by the human body's immune system. Todd Austin is a Professor of Electrical Engineering and Computer Science at the University of Michigan in Ann Arbor. His research interests include computer architecture, robust and secure system design, hardware and software verification, and performance analysis tools and techniques. Todd is also co-founder of Agita Labs, a startup developing privacy-enhanced computation technologies that help ease the tension between data discovery and personal privacy.
Further Info
Morpheus article:
Morpheus video:
DARPA SSITH program:
August 23, 2021
Beware the Four Horsemen
How far would you go to protect your children from sexual predators? How much privacy would you give up to try to prevent the sharing of child pornography? We are now faced squarely with those questions because Apple has just announced some new initiatives that it believes will curb the viewing and sharing of pornographic images. But we need to be extremely careful here. The Four Horsemen of the Infocalypse are pedophiles, terrorists, drug dealers and organized crime. When someone asks you what privacy and civil liberties you would be willing to give up to stop these undeniably bad things, you need to replace their bogeyman with other straw men and make sure your convictions still hold. Technologies that can be used to stop something you hate today can also be used to stop things you don't tomorrow. Today I'll discuss Apple's new "child safety" initiatives and explain why I think they're making the wrong tradeoffs. And also why they are actually not that effective and even potentially harmful to children. In other news: Both T-Mobile and AT&T appear to have suffered massive data breaches of current and even prospective customers; Microsoft's PrintNightmare continues, despite several attempts to fix the issues; millions of home routers, web cams and baby monitors are vulnerable to new attacks; Facebook is trying to help Afghans hide their friends lists in the face of Taliban reprisals; your IoT devices are horrible with random numbers, and that's a huge security risk; a secret terrorist watch list with almost 2 million people has leaked; and the OAuth web app authentication system is ripe for hacking, potentially putting several of your accounts at risk.
Article Links
Blocking the Exploitation of PrintNightmare
your Print Spooler (see “Workarounds”):
of home Wi-Fi routers under attack by botnet malware
ALSO: Router Security:
T-Mobile Data Breach: 100 Million Customer Data Records Compromised Including Social Security, Driver’s License & Unique Device Numbers
Selling Private Data Allegedly from 70 Million AT&T Customers
Millions of Web Camera and Baby Monitor Feeds Are Exposed
Secret terrorist watchlist with 2 million records exposed online
To protect users, Facebook says it’s hiding friends lists on accounts in Afghanistan
Web apps have become so complex that they're unsafe to use, researchers say
DEFCON “You’re doing IoT RNG” paper:
Apple’s New ‘Child Safety’ Initiatives, and the Slippery Slope
built a system like Apple’s to flag child sexual abuse material — and concluded the tech was dangerous
letter to Apple from 90+ world orgs
Tell Apple not to scan our phones:
August 16, 2021
On a Dark Tangent
Are hackers born or are they made? What is the essence of a true hacker? Today I explore these topics and more with the founder of both DEFCON and Black Hat, Jeff Moss - also known as The Dark Tangent. I also ask Jeff why we seem to suck at cybersecurity, what his top tips are for staying safe online, when DEFCON evolved to be bigger than its founder, how DEFCON has managed to stay focused on its attendees all these years, and how he plans to find a worthy successor to run the DEFCON conference when he inevitably steps aside.
Further Info
DEFCON documentary:
Privacy is Power, book by Carissa Véliz:
My review of Privacy is Power:
The Value of Privacy, by Bruce Schneier:
TED Talk on Privacy by Glenn Greenwald:
Hackers, book by Steven Levy:
August 11, 2021
Understanding Hackers & Hacking
What is a hacker, exactly? What does it mean to hack something? With all the ransomware attacks and election meddling in the headlines, it's easy to paint all hackers with a broad brush as malicious, self-serving computer criminals. And to be clear, many computer criminals are definitely hackers (some aren't). But the real definition of hacker, the original notion of hacking itself, is something quite different. Nowhere is this more evident than at DEFCON, one of the world's largest hacking conferences. I've been wanting to go to DEFCON for many years, but finally made my pilgrimage to Las Vegas this year for DEFCON 29. My goal was to document firsthand, not just the conference, but the culture and the hackers themselves. Because unlike most trade conferences, DEFCON is really about the attendees and the betterment of their craft. Today's show is a non-technical exploration of what it means to be a hacker and why you might aspire to be one yourself.
Further Info
DEFCON documentary:
DEFCON 29:
DEFCON 29 media:
Making the DEF CON 29 Badge:
Soundtrack Preparing for Hacker Summer Camp:
Hack-A-Day badge article:
DC Tin Foil Hat: @DC_Tin_Foil_Hat (Twitter)
Hackerboxes.com:
August 2, 2021
Selling You Out to the Highest Bidder
Every time you load a web page, your personal data is being shared with thousands of companies. The ad spaces on the page are being auctioned off to the highest bidder in fractions of a second. The Irish Council for Civil Liberties calls this the biggest data breach in history, and is suing the ad tech companies on your behalf to stop this needlessly invasive and dangerous practice. My guest Johnny Ryan will explain how this real-time bidding process works and has insider documentation on the types of extremely personal data that's being shared in order to target those ads to you. Dr. Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties, and a Senior Fellow at the Open Markets Institute. He is focused on surveillance, data rights, competition/anti-trust, and privacy. He is former Chief Policy & Industry Relations Officer at Brave, the private web browser. Dr. Ryan led Brave’s campaign for GDPR enforcement, and liaised with government and industry colleagues globally. Previously, Dr. Ryan worked in adtech, media, and policy. His previous roles included Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA).
Further Info
Irish Council for Civil Liberties lawsuit:
Johnny Ryan:
IAB Audience Taxonomy:
Content Taxonomy:
OpenRTB 3.0 spec:
Browser plugin:
data broker report from 2014: Data Brokers: A Call for Transparency and Accountability
July 26, 2021
Guard Your Digital Rolodex
Your phone number is arguably as strong a personal identifier as your social security number, passport number or email address. These are things we almost never change any more - meaning that it's an identifier for life. Our cell phones contain a ton of personal information, including our locations (not just now, but over time). Today I'll help you understand why it's so important to protect your cell phone number and digital contact lists. In other news: you need to update everything again... Apple, Microsoft, Google, Adobe; the REvil ransomware gang has disappeared completely from the dark web - and possibly not coincidentally, Kaseya has obtained a universal decryption key for all of its customers (REvil victims); the Pegasus Project appears to have unveiled serious abuses of the NSO Group's spyware; Venmo finally gets rid of the public transaction list; the FBI is using cell site simulators to track cars; and it turns out that it's easy and highly profitable to re-associate people with supposedly anonymous data sets.
Article Links
Apple fixes bug that breaks iPhone WiFi when joining rogue hotspots
Revil Ransomware Group Missing From Dark Web; Temporary Vacation, or Permanently Out of Business?
The Kaseya Ransomware Nightmare Is Almost Over
Takeaways from the Pegasus Project
How to Protect Yourself From the New Windows 10 and 11 Security Bug
Venmo removes its global, public feed as part of a major redesign
The FBI Is Locating Cars By Spying On Their WiFi
Inside the Industry That Unmasks People at Scale
A priest’s phone location data outed his private life. It could happen to anyone.
Connected cars: What happens to your data after you leave your rental car behind?
Privacy International 2017 study:
Further Info
Who’s making money on ransomware?
No More Ransom:
July 19, 2021
It’s Time to Drop the SBOM
The first step to solving any problem is gathering as much information as you can. Unfortunately, today we're basically flying blind when it comes to identifying and resolving latent software bugs in our systems. Software today is made up of dozens if not hundreds of distinct components. Like automobiles, these piece parts can come from many different vendors. And even the parts from those vendors are likely themselves made up of many sub-components from yet other vendors. But you can bet that Ford and Toyota have a complete and accurate list of each and every one of the components in their vehicles - knowing who made them, which lot or batch they were from, which revision of the part they have, and so on. Because at the end of the day, the auto maker is responsible for knowing this in case there's a safety issue. This is not true for software makers... yet. Allan Friedman and his team at the National Telecommunications and Information Administration (NTIA, a part of the Dept. of Commerce) are trying to change that. Allan Friedman is the Director of Cybersecurity Initiatives at the National Telecommunications and Information Administration, which is part of the US Department of Commerce. There he coordinates cross-sector efforts to address key challenges in the cybersecurity ecosystem.
Further Info
NTIA’s SBOM website:
Twitter #SBOM:
July 12, 2021
How to Keep Ransomware at Bay
Just when you thought it couldn't get worse, the bad guys say "hold my beer". The REvil gang has managed to pull off what appears to be the biggest ransomware infection ever through a clever supply chain attack on a company you've never heard of called Kaseya. Kaseya is what we call a Managed Service Provider, or MSP. They manage software and IT functions for lots of small-to-medium sized businesses, so that those companies don't have to. But this also gives MSPs a very privileged security position, making them a prime target for bad guys wanting to infect a lot of companies with a single hack. Today I'll catch you up on this ongoing horror show and give you some tips on how to avoid becoming a ransomware victim yourself. In other news: Kaspersky Password Manager (KPM) was found to have a bad bug making its generated passwords a lot easier to crack; I'll tell you about how some Brazilian iPhone thieves came up with a clever way to hack your accounts; Google has delayed FLoC and blocking of third-party cookies for at least two years; a Microsoft exec tells the US Congress about how law enforcement and intelligence agencies make thousands of gag-order-restricted demands for data every year; a research group discovers that an old cell phone encryption standard was intentionally weakened to allow easier cracking; Microsoft's PrintNightmare bug is still not fully patched and the back story is a comedy of errors; and with hurricane season upon us, I'll point you to some great tips on preparing for power outages.
Article Links
A popular password manager screwed up, but there's an easy fix
Brazilian iPhone thieves demonstrate importance of responsible password practices
Why Google Can't Bring Itself to Make the Internet Respect Your Privacy
Microsoft exec: Targeting of Americans’ records ‘routine’
Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened
PrintNightmare official patch is out – update now?
Up to 1,500 businesses infected in one of the worst ransomware attacks ever
Further Info
Microsoft PrintNightmare patch:
CISA, FBI share guidance for victims of Kaseya ransomware attack
Ransomware Defense: Top 5 Things to Do Right Now
How to prepare for a power outage:
How to safely download software:
Sign up for the newsletter:
July 5, 2021
Make That Shaken AND Stirred
Robocalls are the bane of my existence. I get so many spam calls that I've just stopped answering my home phone altogether. I've given out my cell number to fewer people, so thankfully I get fewer junk calls there. But I still won't answer any calls unless I recognize the number. Why is it so easy to spoof caller ID? Well, starting July 1st in the US, mobile carriers are now required to implement a new(ish) set of technologies to make that more difficult: "Stir" ("secure telephone identity revisited") and "Shaken" ("signature-based handling of asserted information using tokens"). While not perfect, they should at least help identify shady callers. In today's Tip of the Week, I'll give you some other options for blocking spam calls, as well. Lots of other (mostly bad) cybersecurity news to cover today: Someone scraped a ton of LinkedIn data from over 700M LinkedIn subscribers (about 92% of total users) and posted it for $5000; a very odd and specific WiFi SSID could break your iPhone; 30M Dell computers are vulnerable to a nasty BIOS attack; many users of the old WD My Book Live storage drives have had all their data erased; the REvil ransomware gang has attacked at least 200 companies with a new supply chain hack; Microsoft tries and fails miserably to fix a bad print server bug ("PrintNightmare"); Russian hackers are constantly trying to brute force your bad passwords; and finally, the USA's CISA is warning manufacturers of ThroughTek devices about an exploitable vulnerability in several webcams and IoT devices.
Article Links
Data Scraping Yields 700 Million LinkedIn Profiles for Sale on Dark Web; About 92% Of Platform Users, but Mostly Public Information
Connecting to This Wireless Network Can Break Your iPhone's Wi-Fi Feature
30M Dell Devices at Risk for Remote BIOS Attacks, RCE
Western Digital My Book Live devices being remotely wiped by attackers
REvil ransomware hits 200 companies in MSP supply-chain attack
How to Avoid Windows' 'PrintNightmare' Security Threat
Russian Hackers Are Trying to Brute-Force Hundreds of Networks
CISA warns manufacturers of ThroughTek vulnerability (webcams)
Robocalls are out of control. But that could all change today
June 28, 2021
Sad State of Cybersecurity
Today's news headlines are littered with stories on massive cybersecurity failures: SolarWinds, Microsoft Exchange, Colonial Pipeline, data breaches, ransomware... Are the bad guys ramping up their game? Or are we just really bad at cybersecurity? (Or both?) How do we fix this? Who can lead the charge to improve our cyber defenses and fend off these attacks? Where do we learn best practices? Can new tools like Artificial Intelligence (AI) help us be more secure - or will these tools benefit the bad guys more? In today's show, I discuss the current sorry state of cybersecurity and its foggy future with Josh Jackson from 6clicks! Josh Jackson is an avid student of law, policy, and regulations. He is a speaker on Artificial Intelligence and Automation and a teacher on the Legal and Regulatory Environment of Business. He is passionate about ethics and agency law, and corporate and regulatory risk.
Further Info
6clicks:
Cybersecurity Maturity Model:
Internet of Things Cybersecurity Improvement Act of 2020:
Only three days to get your challenge coin!!
June 21, 2021
Hacking Satellites for Fun & Profit
Are satellites really just IoT devices in space? They're small computers connected to the internet, not unlike Nest thermostats, baby video monitors, and smart toasters. You'd think that they'd be a lot more complex and secure... but are they really? My two guests today are running a program to test that very question, and in the process, try to make our military and commercial satellites more secure. We don't think about it, but satellites play a crucial role in our daily lives. GPS satellites are used by airplanes, ships and even agricultural machinery. Weather satellites allow us to predict the path of severe storms and save countless lives. We take them for granted, but these orbiting computers are critical in our modern lives. The Hack-A-Sat contest was created to help ensure the security of these systems. Anyone can enter - and time to register for this year's tournament is running out! Carl Rodio Jr. is Principal Cyber Security Engineer for The MITRE Corporation, supporting the US Space Force Defensive Cyber Operations for Space Systems (DCO-S) program. MITRE operates Federally Funded Research and Development Centers (FFRDCs), which support the US government in a variety of capacities. Jason Williams is a Security Researcher, Engineer, and CEO of Cromulence LLC and a member of Legitimate Business Syndicate (organizers of DEF CON CTF 2012-2017). He has 15+ years of experience in cybersecurity and vulnerability research.
Further Info
Hack-A-Sat 2:
US Digital Service:
LLC:
Corp:
HUGE sale on my book right now! Use code SUMMER2021:
Get your custom d20 challenge coin!
June 14, 2021
Payment App Privacy Sucks
June 7, 2021
Have I Been FLoCed? (Part 2)
Is it possible for you to view your FLoC ID right now? And if so, can you decode this ID to understand what Google is learning about you from it? Does FLoC require your consent or cooperation from the sites you're visiting? Are there tools to block this and, if so, how effective are they? In part 2 of my discussion with EFF's Bennett Cyphers, we'll answer these questions and many more. Google's FLoC proposal depends on Google being a "benevolent and omniscient overseer", which is a bad bet. Even if Google manages to get the technology right and carefully avoids tracking "sensitive" info, there's nothing saying it won't change this later - on purpose or by accident or both. And given the rabid desire by data mining companies to monetize your information, FLoC may enable new forms of tracking and fingerprinting. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.
Further Info
Ditch Chrome, switch to Firefox:
Donate to Mozilla (Firefox):
Am I FLoC’d?
Disable Amazon’s Sidewalk:
May 31, 2021
Have I Been FLoCed? (Part 1)
The public has voted and the results are in: people do not want to be tracked. In response, like pop-up ads before them, third party cookies are now being blocked by default by just about every browser - except Chrome. Google (who owns Chrome) is an ad company that relies on web tracking to make 90% of its revenue. With the writing on the wall, they and other ad tech companies are scrambling to find other ways to track people. Google has proposed a new system they call Federated Learning of Cohorts, or FLoC, which they claim can replace most of the tracking capability of third party cookies while somehow managing to preserve users' privacy. Today, I will discuss this new proposal with Bennett Cyphers of the Electronic Frontier Foundation: how it works, how they are rolling it out, and why EFF believes that FLoC is not the way to go. Bennett Cyphers is a staff technologist on the Tech Projects team. He works with a variety of teams across EFF, focusing on consumer privacy, competition, and state legislation. He also assists with development on Privacy Badger. Outside of work he has hobbies and likes fun.
Further Info
“Sensitivity of Cohorts” paper:
Google’s FLoC API spec:
Am I FLoC’d?
Opt out of NHS data sharing:
May 24, 2021
How & When to Use a Passphrase
Today is the day we've all been waiting for! The super-secret, highly-collectible, security-enhancing device is finally HERE!! For a short period of time, I will be offering a very limited edition challenge coin to my patrons. Not only is the coin itself amazingly cool, it can also help you generate secure passphrases using my brand new website d20key.com! Listen in today for all the details, as well as my tip of the week for how and when to use passphrases (instead of passwords)! In other news: The Colonial Pipeline is open again after a nasty ransomware attack by the DarkSide group; President Biden signs a landmark executive order to strengthen cybersecurity for the US government and anyone who sells to them; the HSE in Ireland is hit with a ransomware attack, too; Microsoft warns of a fake ransomware infection that just steals data; apparently when given a real, clear choice, almost no one wants apps to track them (Apple's App Tracking Transparency update); Veritone launches a creepy new deep-fake voice service for celebrities; a Eufy camera bug crosses wires and shows people the wrong camera feeds (as in, from cameras they don't own); and Amazon is enabling its Sidewalk mesh network by default - and I'll tell you how to disable it.
Further Info
Get your own Firewalls Don’t Stop Dragons Challenge Coin!
How and When to Use a Passphrase:
Generate a secure passphrase!
Check out my Malwarebytes interview!
Threat Technology’s list of 20 Best Security Podcasts:
FAQ: DarkSide Ransomware Group and Colonial Pipeline
DarkSide group that attacked Colonial Pipeline drops from sight online
Biden signs executive order to strengthen US cybersecurity
Irish cyber-attack: Hackers bail out Irish health service for free
Microsoft Warns of Data Stealing Malware That Pretends to Be Ransomware
Americans Actually Want Privacy. Shocking.
Coalition Launches ‘Dark Patterns’ Tip Line to Expose Deceptive Technology Design
Veritone launches new platform to let celebrities and influencers clone their voice with AI
Eufy camera owners report video mixups
Here’s Anker’s apology after 712 Eufy customers had camera feeds exposed to strangers
Sidewalk Network Is Turned On by Default. Here's How to Turn It Off
May 17, 2021
Protecting Intellectual Freedom (Part 2)
What is Tor, exactly? How and why would I use it? And what the heck is a Tor node? In part 2 of my talk with Alison from the Library Freedom Project, we'll discuss why libraries are so important in the fight for privacy and how they're using technologies like Tor to keep their patrons' (and even others') web browsing anonymous. We'll talk about why it's important to do a self-assessment of your particular "threat model" and Alison will provide some time-tested tips for improving your security and privacy. Oh, and we'll talk about what all of this has to do with the so-called Streisand Effect! Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
Library Freedom Project:
Library Freedom wiki:
Library Freedom Institute GitHub page:
Library Freedom Institute on Vimeo:
Discover your threat model:
Download Tor Browser:
May 10, 2021
Protecting Intellectual Freedom (Part 1)
Want to read a book without your reading history being tracked? Do you need to surf the web with complete anonymity? If so, then look no further than your local public library. You have the right to research and collaborate on politically or socially sensitive topics without fearing your government or even your local community - and your local public libraries are there to help. Today I'll discuss the topics of intellectual freedom, access to information, and the right to privacy with the founder of the Library Freedom Project. We'll discuss book banning, media consolidation, mass surveillance, access to your library records by law enforcement, and even the lethal dangers of furniture! Alison Macrina is a librarian, internet activist, and founder and director of the Library Freedom Project. Alison is passionate about fighting surveillance and connecting privacy issues to other struggles for justice and an analysis of power.
Further Info
Library Freedom Project:
Library Freedom wiki:
Library Freedom Institute GitHub page:
Library Freedom Institute on Vimeo:
Noam Chomsky propaganda model:
Terrorism vs furniture-related deaths:
May 3, 2021
App Tracking Transparency
After what seemed like forever, Apple has finally released its App Tracking Transparency (ATT) feature which requires apps to get your permission to track you across other apps and websites. This was announced last year and delayed by several months to allow app makers to come into compliance (particularly Facebook). Today I'll tell you what this feature does and doesn't do, and of course, how to enable it. Tons of other security and privacy news to cover today, as well: A nasty bug was just fixed in macOS (update now!!); Firefox fixes a bug that could allow fake HTTPS lock icons and therefore compromise security; Facebook Messenger users have been targeted with a major scam; the Codecov hack is just the latest in software supply chain attacks that threaten hundreds of companies and their customers; bad guys hacked ad servers to serve up malware; the US Postal Service is running a 'covert operations program' that monitors social media accounts; more US federal agencies are turning to private companies to buy data on people and bypass the 4th Amendment; Emotet malware has been taken down; the FBI has been hacking company servers without their consent (but with a warrant) to try to fix Exchange server hacks; some promising new AI regulations have cropped up in Europe and the US; Signal expertly trolls and hamstrings Cellebrite; and finally, Apple's long-awaited AirTags have finally been released, but the anti-stalker protections seem to fall short, particularly for Android owners.
Further Info
A macOS major security bug has just been fixed - UPDATE NOW!
Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock
Messenger users targeted by a large-scale scam
hackers breached hundreds of restricted customer sites
Compromised Ad Servers Target Millions of Internet Users
Postal Service is running a 'covert operations program' that monitors Americans' social media posts
Agencies Are Secretly Buying Consumer Data
Malware Taken Down By Global Law Enforcement Effort
we safer with the FBI accessing our computers without consent?
sun is setting on A.I.’s Wild West
professionally trolls and screws Cellebrite:
AirTags are scarily good at tracking items and ... people. I know because I tried.
Apple reveals more about AirTag stalking protections as domestic abuse concerns expressed