mics (machine identification code) are nearly invisible marks most printers add to anything they print, as a means of tracking where each peice of printed material was printed from - down to the exact printer. not model, the individual printer
it's allegedly to curb counterfeit money, but obviously it can be used to connect material you print for, say, activism or political stuff down to the exact printer you used. if you're going to bureau en gros to print, or if you used a printer you bought, it can be traced to you
the @eff has some material that tried to identify printers that do or do not use mics, but it's no longer maintained:
I got a DM about how to host a Website as anonymous as possible, especially viewed from the outside with as little attack surface as possible. I already threw a bunch of my ideas in the room, but maybe you can think of something I haven't thought of...
Please just answer to this post if something crosses your mind from security over hoster to the website itself, I will link it to the person.
Aixรญ que Espanya va enviar una de les seves ordres xusques a Suรฏssa (d'aquelles que anomenen terroristes a Tsunami โLOL), Suรฏssa va requerir a #ProtonMail i aixรฒ va acabar descobrint la identitat d'una persona (a travรฉs del seu mail de recuperacio i un requeriment a Apple), i en la seva detenciรณ.
Aneu amb compte i no doneu per fet que un servei segur/encriptat us converteix en anรฒnims.
(Notรญcia de fa mรญnim dos setmanes que pel que sigui no m'havia arribat fins avui)
Every year this gets called into question, yet rarely is the full story ever told. In this video, Josh explains what's really happening with these privacy and security apps as well as how it affects YOU directly.
Are you a journalist, activist or whistleblower in need of an anonymous email account that doesn't require a personally identifiable recovery email address or phone number?
๐ Just completed the 'Basics of Personal Threat Modeling' course by @privacyguides ๐ก๏ธ
Threat modeling is crucial because it helps identify and prioritize the most probable security and privacy risks. It enables focused resource allocation, tailored defenses, and heightened awareness.
Some people should not be allowed anywhere near networked computers. Just participated in some EU research project kick-off meetingโฆ
> We have a 250TB storage system for our data with "RAID-6 backup".
> You can reach it under hสสp://foobarโ.โfnordโ.โfail (it's a HTTP 301 redirect to some IP in a university's address range; no TLS; plaintext HTTP).
Aฬตฬฬฬอฬอaฬธฬ ฬฬฬอaฬถอฬฬออฬฒrฬธฬพฬอฬ ฬฬปอrฬดฬฬฬญฬฬซฬgฬตอ ฬฬฟฬออฬซgฬธฬอฬฬออฬขฬฃฬgฬถฬฬฬอฬอฬ อฬฒฬhฬถฬออฬฬฆhฬดอ อฬฑฬงhฬดฬอhฬถอออฬฬบฬ โ my headspace
put device in bag 2) put bagged device in another bag 3) pour in a mixture of different colored beans, forming a visual mosaic 4) send picture of mosaic to recipient
First screenshot is the real PIN prompt, second one is a JavaScript prompt() with a custom prompt text.
The only differences are:
โข PIN dialog is at the top of the window, prompt() centered.
โข PIN dialog says "Sign In" on the button, prompt() says "OK" (which is not customizable).
โข PIN dialog has "https://", prompt() just the domain.
I'd say that makes it pretty trivial to phish for Passkey PINs โฆ ๐คฆโโ๏ธ
๐ blog! โThere's nothing you can do to prevent a SIM-swap attackโ
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...! Yes, users should probably take better care of their digital credentials and bury tโฆ
It is tempting to think that users are to blame for their own misfortune. If only they'd had a stronger password! If only they didn't re-use credentials! If only they had perfect OpSec! If only...!
Yes, users should probably take better care of their digital credentials and bury them in a digital vault. But there are some things which are simply impossible for a user to protect against. Take, for example, a SIM-swap attack.
You probably have your phone-number tied to all sorts of important services. If you want to recover your email, log in to a bank, or prove your identity - you'll probably need to receive a call or SMS. If an attacker can take over your phone number, they're one step closer to taking over your accounts.
I keep saying "your phone number", but that's a clever lie. The phone number does not belong to you. It belongs to the network operator and they define which SIM the number points to.
This means a suitably authorised person at the telco can point "your" number to a new SIM card. That's helpful if you've lost your SIM but bad if an attacker wants to divert your number.
What can you do to stop this attack? Nothing.
Oh, you can have a strong and unique password on your account, and you can hope your telco uses TOTP and PassKeys. But it turns out that it is possible to bribe telco employees for the low, low price of US$1000.
If your security rests on a phone number, you've effectively outsourced your security to the most bribeable manager employed by your telco.
Now, I said there's nothing you can do. That isn't quite true. You can attempt to pen-test yourself.
Go to your phone company's account. Set a long password and complex password. Change your mother's maiden name to HK2BY@]'PU,:!VQ;}baTj. Turn on every security measure you can find. Call the phone company from a different phone and explain that you lost your phone and want a new SIM card. If they ask for your mother's maiden name, say "Oh, I set it to a long stream of gibberish". If they ask where to send the SIM, give a trusted friend's address. If your phone company is negligent and send out a new SIM on the basis of poor verification, then you should move your number to a more reputable provider.
It's good fun to try and social-engineer a call-centre worker for your own details. But it's probably illegal to try and bribe someone to hijack yourself.
Anyway, please try to remove your phone number as a critical lynchpin in your security regime.
Today I was half a second away from tapping a link in an SMS that was informing me I need to renew my credit card details because my CC was expiring.
My CC IS expiring this month. I updated my CC details on two other services yesterday. Through sheer dumb luck the scammer happened to bait their hook correctly.
I must not be complacent.
Complacency is the opsec-killer.
Complacency is the little death that brings identity theft.
I just released an OPSEC guide on my site for just 5$. It goes into the depths of how you can organize your internet life and become as private as possible. It also comes with tips and a variety of solutions. A sample is also provided.
Price: 5$
Payment Method: Crypto (All popular coins including Monero)