[-] Raisin8659@monyet.cc 8 points 4 months ago

It's good the little guy got away in time! Why tangle around with a much bigger foe?

27

Comment

Given my paranoia, it's hard to imagine people protecting their crypto accounts with SIM 2FA. Hardware keys are cheap compared to the assets you are trying to protect?

Summary

Three Americans have been charged with the theft of over $400 million in a SIM-swapping attack in November 2022, which likely targeted the now-defunct cryptocurrency exchange FTX. The indictment reveals Robert Powell as the alleged ringleader of the "Powell SIM Swapping Crew," with Emily Hernandez and Carter Rohn implicated as accomplices. During the attack, the perpetrators transferred a victim's phone number to their device, intercepting authentication messages and resetting passwords. The stolen funds were traced to Russian-linked criminal groups. The defendants await further legal proceedings, while the investigation involves entities like the FBI and Kroll, a consulting firm handling FTX's bankruptcy claims.

[-] Raisin8659@monyet.cc 1 points 4 months ago

OK, sans the offending browser extension, it's consistently taking twice the time (~10 sec) to load the front page. Confirmed on both FF and Edge (no extension at all).

115

Summary:

Radically Open Security conducted a comprehensive code audit for the Tor Project between April 17, 2023, and August 13, 2023. The audit covered various components of the Tor ecosystem, including Tor Browser, exit relays, exposed services, and infrastructure components. The main goals were to assess software changes aimed at improving the Tor network's speed and reliability. Recommendations included reducing the attack surface of public-facing infrastructure, addressing outdated libraries, implementing modern web security standards, and following redirects in HTTP clients by default. The audit also emphasized fixing issues related to denial-of-service vulnerabilities, local attacks, insecure permissions, and insufficient input validation. The U.S. State Department Bureau of Democracy, Human Rights, and Labor sponsored the project, aiming to enhance the Tor network's performance and reliability in regions with internet repression.

[-] Raisin8659@monyet.cc 26 points 4 months ago

Summary:

In "Climate Deniers Shift Tactics to ‘Inactivism’," Michael Mann discusses the transition from climate change denial to a new strategy of hindering meaningful action on climate change, which he terms "inactivism." Fossil fuel interests, previously focused on discrediting climate science, now deflect attention from systemic solutions and promote individual responsibility for climate change. Tactics include promoting the idea that lifestyle choices, not corporate policies, drive climate change, and sowing division within the environmental community. Mann argues for policy interventions and highlights the optimism inspired by young activists demanding action on climate change.

5

Hello,

Does anyone know if the setting "Show Notifications for New Posts" in the native web UI (Lemmy-UI) is supposed to get exported along with other settings?

I exported my settings, but there is no "notification" parameter exported beyond the "send_notifications_to_email" in the .json file. Importing the .json file doesn't get the setting ticked/unticked either.

[-] Raisin8659@monyet.cc 1 points 4 months ago* (last edited 4 months ago)

~~Yeah, the performance on page load is a problem for me. It's now consistently taking 30 secs to finish loading, watching the spinner in the tab button; it was 5-10 before. Another Australian site (with the same settings), also on 0.19.3, takes consistently 5 seconds; another Swiss site the same. Lemm.ee, on the other hand, is sometimes fast (5), sometimes slow (30).~~

Never mind, it's most likely my browser extension.

[-] Raisin8659@monyet.cc 1 points 4 months ago

Totally awesome! Finally, a native profile/setting import/export!

106

Comment:

I thought this article gives a balanced view of whether we should use a VPN on a public Wi-Fi network, instead of the usual VPN vendors selling fear.

Summary:

Evil Twin Attacks - Not a major threat anymore

What is it?

Evil twin attacks involve hackers setting up fake Wi-Fi networks that mimic legitimate ones in public places. Once connected, attackers can spy on your data.

Why was it scary?

Before 2015, most online connections weren't encrypted, making your data vulnerable on such networks.

Why isn't it a major threat anymore?

  • HTTPS encryption: Most websites (85%) now use HTTPS, which encrypts your data, making it useless even if intercepted.
  • Let's Encrypt: This non-profit campaign made free website encryption certificates readily available, accelerating the widespread adoption of HTTPS.

Are there still risks?

  • Non-HTTPS websites: A small percentage of websites (15%) lack HTTPS, leaving your data vulnerable.
  • WiFi sniffing: Although not as common, attackers can still try to intercept unencrypted data on public Wi-Fi.

Should you still be careful?

  • Use a VPN: Even with HTTPS, your browsing history can be tracked by Wi-Fi providers and ISPs. A VPN encrypts your data and hides your activity.
  • Be cautious with non-HTTPS websites: Avoid entering sensitive information like passwords on such websites.

Overall:

HTTPS encryption has significantly reduced the risks of evil twin attacks. While vigilance is still recommended, especially when using unencrypted websites, it's no longer a major threat for most web browsing.

76

I am all for easy parallel parking and tight turn-around!

[-] Raisin8659@monyet.cc 1 points 5 months ago

Dreaming of some acrobatics.

[-] Raisin8659@monyet.cc 19 points 5 months ago

This seems like the opening of another horror movie...

[-] Raisin8659@monyet.cc 4 points 5 months ago* (last edited 5 months ago)

Typically, people aren't always bored, because otherwise, you are basically emotionally flat and depressed and soon will be suicidal. Have you seen kids that say they are bored? It just means they are not doing anything that interests them.

To get "unbored", you most likely need to be doing something that is fun, and/or meaningful, and/or enjoyable, and/or worthy, and/or essential to survival (in a way, people who are bored may be having it too easy). It may be better to be doing something productive, personally or socially, than doing something just addictive.

Even being still meditating is doing something (like actively paying attention to the breath).

42

Summary:

A new analysis of Predator spyware reveals that its persistence between reboots is an "add-on feature" offered based on licensing options. Predator is a product of the Intellexa Alliance, which was added to the U.S. Entity List in July 2023 for "trafficking in cyber exploits." It can target both Android and iOS, and is sold on a licensing model that runs into millions of dollars. Spyware like Predator often relies on zero-day exploit chains, which can be rendered ineffective as Apple and Google plug security gaps. Intellexa offloads the work of setting up the attack infrastructure to the customers themselves, and uses a delivery method known as Cost Insurance and Freight (CIF) to claim they have no visibility of where the systems are deployed. Predator's operations are connected to the license, which is by default restricted to a single phone country code prefix, but this can be loosened for an additional fee. Cisco Talos says that public disclosure of technical analyses of mobile spyware and tangible samples is needed to enable greater analyses, drive detection efforts, and impose development costs on vendors.

Original analysis: https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/#

[-] Raisin8659@monyet.cc 3 points 5 months ago

That has to be some kind of new furry meow drink.

110
submitted 7 months ago by Raisin8659@monyet.cc to c/privacy@lemmy.ml

Summary:

The Government Accountability Office (GAO) has issued a report finding that federal agents are using face recognition software without training, policies, or oversight. The GAO reviewed seven agencies within the Department of Homeland Security and Department of Justice, and found that none of the seven agencies fully complied with their own policies on handling personally identifiable information (PII), like facial images.

The GAO also found that thousands of face recognition searches have been conducted by federal agents without training or policies. In the period GAO studied, at least 63,000 searches had happened, but this number is a known undercount. A complete count of face recognition use is not possible, because some systems used by the Federal Bureau of Investigation (FBI) and Customs and Border Protection (CBP) don’t track these numbers.

The GAO report is a reminder of the dangers of face recognition technology, particularly when used by law enforcement and government. Face recognition technology can be used to facilitate covert mass surveillance, make judgments about how we feel and behave, and track people automatically as they go about their day.

The GAO recommends that the federal government immediately put guardrails around who can use face recognition technology for what and cease its use of this technology altogether.

20
submitted 8 months ago by Raisin8659@monyet.cc to c/music@beehaw.org

Stanley Kubrick - 2001: A Space Odyssey (1968) - 'The Blue Danube' (waltz) scene

250
submitted 8 months ago by Raisin8659@monyet.cc to c/privacy@lemmy.ml

Summary

The Electronic Frontier Foundation (EFF) filed an amicus brief urging the Michigan Supreme Court to find that warrantless drone surveillance of a home violates the Fourth Amendment. The EFF argues that drones are fundamentally different from helicopters or airplanes, and that their silent and unobtrusive capabilities make them a formidable threat to privacy. The EFF also points out that the government is increasingly using drones for surveillance, and that communities of color are more likely to be targeted. The EFF calls on the court to recognize the danger that governmental drone use poses to our Fourth Amendment rights.

115
submitted 8 months ago by Raisin8659@monyet.cc to c/privacy@lemmy.ml

Summary

A recent privacy study from Cornell University reveals that Amazon Alexa, the virtual assistant found in smart speakers, collects user data for targeted advertising both on and off its platform. This practice has raised concerns about privacy violations. The study also highlights that Amazon's and third-party skills' operational practices are often not transparent in their privacy policies.

Amazon Alexa is designed to respond to voice commands and is present in various Amazon devices, offering a wide range of functionalities, including controlling smart devices, providing information, and playing music.

While Amazon claims that Alexa only records when activated by its wake word ("Alexa"), research has shown that it can sometimes activate accidentally, leading to unintended recordings. Amazon employees listen to and transcribe these recordings, raising concerns about privacy.

Amazon links interactions with Alexa to user accounts, using this data for targeted advertising. Advertisers pay a premium for this information, making it highly valuable. Although Amazon allows users to delete their recordings, compliance with this feature has been questioned.

Additionally, third-party "skills" on Alexa can access user data, and many developers abuse Amazon's privacy policies by collecting voice data and sharing it with third parties without proper oversight.

The recent FTC fine against Amazon highlights its failure to delete certain data, including voice recordings, after users requested their removal, violating the Children's Online Privacy Protection Act (COPPA).

While Amazon Alexa offers convenience, it comes at the cost of privacy. Users looking for more privacy-friendly alternatives can consider Apple's Siri, which offers stronger privacy protection. For those interested in open-source options, Mycroft provides a natural language voice assistant with an emphasis on privacy, but note that the company may be shutting down soon.

[-] Raisin8659@monyet.cc 3 points 8 months ago

Since I am not in any way inclined to go read their code, I probably will just trust FF's "recommended" flag until there is an obvious problem. Of course, when it is like that, then it's too late. I tried the "Dark theme" on FF for a little bit, switched back to using Dark Reader in no time.

[-] Raisin8659@monyet.cc 2 points 8 months ago

I mean, this might be a complete waste of time. But it's ironically funny how "serious" he is about changing how the public calls "boneless chicken wings", and how proud his council member father is, "that's my son, right there!". It isn't any worse than one of those reality TV shows.


Raisin8659

joined 10 months ago