Security


Confidentiality Integrity Availability


Today, almost everything about our lives is digitally recorded and stored somewhere. Each credit card purchase, personal medical diagnosis, and preference about music and books is recorded and then used to predict what we like and dislike, and—ultimately—who we are.

This often happens without our knowledge or consent. Personal information that corporations collect from our online behaviors sells for astonishing profits and incentivizes online actors to collect as much as possible. Every mouse click and screen swipe can be tracked and then sold to ad-tech companies and the data brokers that service them.

In an attempt to justify this pervasive surveillance ecosystem, corporations often claim to de-identify our data. This supposedly removes all personal information (such as a person’s name) from the data point (such as the fact that an unnamed person bought a particular medicine at a particular time and place). Personal data can also be aggregated, whereby data about multiple people is combined with the intention of removing personal identifying information and thereby protecting user privacy.

Sometimes companies say our personal data is “anonymized,” implying a one-way ratchet where it can never be dis-aggregated and re-identified. But this is not possible—anonymous data rarely stays this way. As Professor Matt Blaze, an expert in the field of cryptography and data privacy, succinctly summarized: “something that seems anonymous, more often than not, is not anonymous, even if it’s designed with the best intentions.”
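Why removing the name column is not anonymization, as an added example that is not part of the original post: the records below are constructed, but the attack is the standard linkage attack, joining a "de-identified" release to a public roster on the quasi-identifiers (ZIP, birth date, sex) that both still carry. The block also shows k-anonymity as the check a practitioner would run, and how generalizing the quasi-identifiers changes the result.

```python
"""Linkage attack on a 'de-identified' dataset (constructed sample records)."""
from collections import Counter, defaultdict

QUASI = ("zip", "dob", "sex")  # quasi-identifiers both datasets still share

# "De-identified" health release: only the name column was removed.
HEALTH = [
    {"zip": "02138", "dob": "1975-03-01", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1975-09-14", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1990-06-30", "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1990-06-30", "sex": "F", "diagnosis": "migraine"},
]

# Public roster (think voter list) that still carries names. Constructed.
ROSTER = [
    {"name": "A. Smith", "zip": "02138", "dob": "1975-03-01", "sex": "F"},
    {"name": "B. Jones", "zip": "02138", "dob": "1975-09-14", "sex": "F"},
    {"name": "C. Lee", "zip": "02139", "dob": "1990-06-30", "sex": "F"},
    {"name": "D. Park", "zip": "02139", "dob": "1990-06-30", "sex": "F"},
]


def key(row):
    """The quasi-identifier tuple a record is joined on."""
    return tuple(row[q] for q in QUASI)


def k_anonymity(rows):
    """Size of the smallest equivalence class: k = 1 means someone is unique."""
    return min(Counter(key(r) for r in rows).values())


def link(health, roster):
    """Return {health_index: name} for records that map to exactly one person.

    A hit needs the quasi-identifier combination to be unique on both sides;
    otherwise the attacker only narrows the diagnosis down to a group.
    """
    names_by_key = defaultdict(list)
    for person in roster:
        names_by_key[key(person)].append(person["name"])
    health_counts = Counter(key(r) for r in health)
    hits = {}
    for i, row in enumerate(health):
        names = names_by_key.get(key(row), [])
        if len(names) == 1 and health_counts[key(row)] == 1:
            hits[i] = names[0]
    return hits


def generalize(row):
    """Coarsen quasi-identifiers: ZIP to its first 3 digits, birth date to year."""
    g = dict(row)
    g["zip"] = row["zip"][:3]
    g["dob"] = row["dob"][:4]
    return g


if __name__ == "__main__":
    print("k =", k_anonymity(HEALTH), "re-identified:", link(HEALTH, ROSTER))
    gh = [generalize(r) for r in HEALTH]
    gr = [generalize(r) for r in ROSTER]
    print("k =", k_anonymity(gh), "re-identified:", link(gh, gr))
```

On the raw release two of the four records are re-identified outright, because their (ZIP, birth date, sex) combination is unique on both sides. After generalizing the quasi-identifiers every equivalence class has size 2 and the join yields nothing; that is the difference between deleting a name and actually anonymizing, and it is also why aggregation only helps when the groups it produces are large.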


In its 10 years of operation, Grindr had amassed millions of users and become a central cog in gay culture around the globe.

But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley—a technology consultant then in his late forties who had worked in and around government projects nearly his entire career—made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.

As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It’s tracking you in more ways than one. In some cases, it’s making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.
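The mechanism described above, as an added example that is not part of the original post or the book it is taken from: a bidder receives the full bid request (device identifier, app, location) before deciding whether to bid at all, so a participant that never wins an auction still collects a location trail. The field names (`device.ifa`, `device.geo.lat`/`lon`, `geo.type`, `app.bundle`, `seatbid`) follow the OpenRTB 2.x layout; the requests, bundle names and identifiers below are constructed sample data, not captured traffic.

```python
"""What a losing bidder still sees in real-time bidding (constructed sample)."""
import json
from collections import defaultdict

# Constructed OpenRTB-style bid requests as an exchange would POST them to every
# bidder. Identifiers and app bundles are made up; field layout follows OpenRTB 2.x.
BID_REQUESTS = [
    '{"id":"r1","app":{"bundle":"com.example.dating"},'
    '"device":{"ifa":"AAAA-1111","geo":{"lat":40.7128,"lon":-74.0060,"type":1}},"tmax":120}',
    '{"id":"r2","app":{"bundle":"com.example.weather"},'
    '"device":{"ifa":"AAAA-1111","geo":{"lat":40.7580,"lon":-73.9855,"type":1}},"tmax":120}',
    '{"id":"r3","app":{"bundle":"com.example.dating"},'
    '"device":{"ifa":"BBBB-2222","geo":{"lat":38.8977,"lon":-77.0365,"type":2}},"tmax":120}',
    # No advertising id at all: nothing stable to key a trail on.
    '{"id":"r4","app":{"bundle":"com.example.news"},'
    '"device":{"geo":{"lat":51.5,"lon":-0.12,"type":2}},"tmax":120}',
]


def extract(raw):
    """Pull identifier, app and location out of one bid request.

    Returns None when there is no advertising id or no coordinates to use.
    """
    req = json.loads(raw)
    dev = req.get("device", {})
    ifa = dev.get("ifa")
    geo = dev.get("geo", {})
    if not ifa or "lat" not in geo or "lon" not in geo:
        return None
    return {
        "ifa": ifa,
        "app": req.get("app", {}).get("bundle"),
        "lat": geo["lat"],
        "lon": geo["lon"],
        # OpenRTB geo.type: 1 = GPS/location services, 2 = IP-derived, 3 = user supplied.
        "gps": geo.get("type") == 1,
    }


def location_trail(requests):
    """Group GPS-grade sightings by advertising id.

    This is built purely from inbound requests; no bid has to be won.
    """
    trail = defaultdict(list)
    for raw in requests:
        rec = extract(raw)
        if rec and rec["gps"]:
            trail[rec["ifa"]].append((rec["app"], rec["lat"], rec["lon"]))
    return dict(trail)


def no_bid(raw):
    """The response of a bidder that never buys anything.

    OpenRTB lets a bidder decline with an empty response (HTTP 204 or a body with
    no seatbid); the request data above was already delivered before this point.
    """
    return {"id": json.loads(raw)["id"], "seatbid": []}


if __name__ == "__main__":
    for ifa, sightings in location_trail(BID_REQUESTS).items():
        print(ifa)
        for app, lat, lon in sightings:
            print(f"  {app}: {lat}, {lon}")
```

The trail for `AAAA-1111` ties a dating app to a weather app through the shared advertising id and two precise fixes; IP-derived locations (`geo.type` 2) are dropped because they are too coarse to be a "precise location" in the sense the post describes. The only thing a bidder needs to get this feed is to be registered with the exchange.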


Vehicle theft is an issue that affects us all collectively. As cybersecurity and technology professionals, we recognize the importance of acting rapidly to reduce its impact on Canadians. That being said, we believe the federal government’s proposal, particularly the prohibition of security research tools, is ill-advised, overbroad and most importantly, will be counterproductive.

Security List (security-list.js.org)
submitted 6 months ago by Ninjazzon@infosec.pub to c/security@lemmy.ml

Curated lists of tools, tips and resources for protecting digital security and privacy

  • I am denied read-only access to some websites because I use a VPN. This makes no sense at all, but it happens anyway.
  • I am not allowed to register in some forums because I use a VPN. Because everyone knows that anyone who uses a VPN is a serious criminal. There is no other option.
  • I am subsequently banned from forums because the moderators realise that my IP address is not unique because I use a VPN. My posts don't matter at all; IP addresses obviously unambiguously identify every person on this planet.
  • I'm supposed to confirm that I'm not a robot because I use a VPN. The fact that the company asking for these confirmations (usually Google) is itself sending robots marauding through the internet doesn't matter, because Google is Google and I'm just a bloke with a VPN.

Guys, a VPN is self-defence. A website banning VPNs is like a brothel banning condoms. I mean, of course the house rules apply, but I'd like to see a bit more judgement. What's happening right now is ridiculous and hardly does justice to the security aspect of these "tests". If you find yourself as a contributor to this list, I urge you to stop. I am not a bad guy. All I do is use a VPN.

Thank you.


The Internet was conceived decades ago. In hindsight, many bad design choices were made. Given what was known at the time, it still blows my mind how well it has aged. There are some

Hypothetical scenario: what design choices would we change, security-wise, if we had the opportunity to redesign the Internet from scratch today? Or, to tackle the problem the other way around: what are the bad design choices for Internet security that we are stuck with today, unfixable without starting over?


The state of software security is dire. If we only look at the past year, if you ran industry-standard software like Ivanti, MOVEit, Outlook, Confluence, Barracuda Email Security Gateway, Citrix NetScaler ADC, and NetScaler Gateway, chances are you got hacked. Even companies with near-infinite resources (like Apple and Google) made trivial “worst practice” security mistakes that put their customers in danger. Yet we continue to rely on all these products.

Software is now (rightfully) considered so dangerous that we tell everyone not to run it themselves. Instead, you are supposed to leave that to an “X as a service” provider, or perhaps just to “the cloud.” Compare this to a hypothetical situation where cars are so likely to catch fire that the advice is not to drive a car yourself, but to leave that to professionals who are always accompanied by professional firefighters.

The assumption is then that the cloud is somehow able to make insecure software trustworthy. Yet in the past year, we’ve learned that Microsoft’s email platform was thoroughly hacked, including classified government email. (Twice!) There are also well-founded worries about the security of the Azure cloud. Meanwhile, industry darling Okta, which provides cloud-based software that enables user log-in to various applications, got comprehensively owned. This was their second breach within two years. Also, there was a suspicious spate of Okta users subsequently getting hacked.

Clearly, we need better software.


For your convenience, now five months earlier! From an email received today, 2/13/24


You’re receiving this email from Twilio because our records show you’ve used the Twilio Authy Desktop app in the past.

What do you need to know?

Starting March 19, 2024, Twilio Desktop Authy apps will reach their end of life (EOL). Beyond this date, you can access most of the desktop features and functionality in the mobile Authy apps.

You may have previously seen an August 19, 2024, end of life (EOL) date for Twilio Desktop Authy apps. This date has been moved up to March 19, 2024.

What do you need to do?

Switch to the Authy app on your Apple or Google Play Store-compatible Android device to manage your Authy account and 2FA tokens.

What if you don’t take action?

If you don’t take action before March 19, 2024, you won’t be able to use, access, or migrate your Authy-based account tokens from the Twilio Authy Desktop apps nor download the Authy desktop apps from authy.com.


Here is their pull request (with plenty of users' negative comments)

They even got an anti-feature from F-Droid because of this

In short, the developers don't listen to users' opinions and just close all (or nearly all) issues with negative comments about this.

Not to flood the topic, I will post links to closed issues in a "code" box. This is the list where users are really unhappy about this idea:

https://github.com/organicmaps/organicmaps/issues/7119
https://github.com/organicmaps/organicmaps/issues/6707
https://github.com/organicmaps/organicmaps/issues/6773
https://github.com/organicmaps/organicmaps/issues/6668
https://github.com/organicmaps/organicmaps/issues/6967
https://github.com/organicmaps/organicmaps/issues/6774
https://github.com/organicmaps/organicmaps/pull/6720

From the Kayak privacy policy (kayak[dot]de/privacy; not clickable, so you don't accidentally leak your information to them):

What they STEAL:

- Personal details (such as your name, age, birthday, gender)
- Contact information (such as email address, address, phone number)
- Booking information (such as, for each traveler, the traveler's name, frequent flyer details, passport number, redress control number, country of citizenship, booking reference number, and itinerary, which may include name of airline or carrier, hotel accommodation and/or vessel, port of destination, port of arrival, date and time of departure and/or check-in, date and time of arrival and/or check-out, meal preferences, luggage information, and layover information)
- Account information (such as login credentials, including email address and password, and account settings)
- Social media data (if you choose to link your KAYAK account with a social media account, KAYAK may collect personal information such as name, age, gender, photograph, and other personal information relating to your social media account)
- Billing information (such as credit, debit, or other payment card information and billing address)
- Your contacts (such as contact information of people you add to, or notify of, your reservations or itineraries through our Services)
- Your preferences (such as your home airport, seating preferences, meal preferences, communication preferences, and other preference information you provide us)
- Reviews you submit (including any screenname you publish under or any personal information you include about yourself or others in such review)
- Content you publish (including your travel recommendations and any personal information you include about yourself or others, or in content you publish in your Guide or other mediums provided by us)
- Photos of you (such as when you add a photo of yourself to your profile, upload photos to a review, or link your social media account to your KAYAK account)
- Communications you send us (such as questions, conversations, complaints, or other information that you may submit to our support team)
- Promotion information (if you choose to participate in a contest, sweepstakes, or similar campaign, we will collect any information you provide in relation to such activity, such as photos, images, captions, or other content, in accordance with the terms provided at that time)
- Other information you may provide (including other information you provide about yourself or others through our Services or to which you provide us with access via third-party platforms)

What they can do with this:

- Send you marketing communications, including communicating with you about services or products offered by KAYAK, our group companies, or our business partners…
- Provide services and information to travel partners, such as providing user feedback and usage details
- Provide you more relevant advertising on and off our Services
- Comply with our policies, procedures and legal obligations, including complying with law enforcement or government authority requests
- As otherwise consented to by you and as required or permitted by applicable law

The most important thing is that the developers argue with the F-Droid community, their own community, and close everything related to this idea.


cross-posted from: https://infosec.pub/post/2466014

This is my first write-up, on a vulnerability I discovered in iTerm2 (RCE). Would love to hear opinions on this. I tried to make the writing engaging.


I was organizing and cleaning my mail today, and I saw a mail from a few days ago that I left unread.

This is a copy-paste of that mail:

Hello!

Unfortunately, there are some bad news for you. Around several months ago I have obtained access to your devices that you were using to browse internet. Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online). Clearly, I have effortlessly logged in to email account of yours (contact@vis4valentine.com).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access. Actually, that was quite simple (because you were clicking the links in inbox emails). All smart things are quite straightforward. (>_<)

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard. I have managed to download all your personal data, as well as web browsing history and photos to my servers. I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history. My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment...

While collecting your information, I have found out that you are also a huge fan of websites for adults. You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun. I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues. It is also not a problem for me to allow those vids for access of public as well. I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let's resolve it like this: All you need is $1450 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay. Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period. If you are unaware how to buy and send bitcoins - it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: 13g3WtdxuoB9AVyy54QW9xxbDtFjE2iNHk

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:

Do not attempt to reply my email (the email in your inbox was created by me together with return address). Do not attempt to call police or any other security services. Moreover, don't even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) - the video of yours will become available to public immediately. Do not attempt to search for me - there is completely no point in that. All cryptocurrency transactions remain anonymous at all times. Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don't need to be concerned about:

That I will not receive the money you transferred.

  • Don't you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

That I still will make your videos available to public after your money transfer is complete.

  • Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago!

Everything will be carried out based on fairness!

Before I forget...moving forward try not to get involved in this kind of situations anymore! An advice from me - regularly change all the passwords to your accounts.

The thing is, this was sent on July 13 and I just opened it today. So I went through the 48 hours without paying and nothing happened, didn't send any more mail, and my family and friends certainly had not gotten any videos of me jerking off. Also, the language is very vague. "You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun." That could apply to almost anyone. If someone tried to blackmail me, they've got to be more specific.

Also, a trojan? I use GNU/Linux and most of my current devices are Raspberry Pis because my main computer died and I'm waiting for a new laptop to ship. And I have never used TeamViewer in my life.

BTW my mail is public, so I'm not concerned about being doxxed lol.

I changed my mail password which is a painless process and needed to be updated anyway.

What do you think? Should I watch my back?


The recommendation and link title was set on this page about security & privacy.

Old discussion from earlier update: https://lemmy.ml/post/83116


Seems to be light on details but probably a good time to change your master password if you are a LastPass user.

submitted 2 years ago* (last edited 2 years ago) by jonesv@lemmy.ml to c/security@lemmy.ml

Users of the Signal messaging app got hit by a hacker attack. We analyze what happened and why the attack demonstrates that Signal is reliable.
