It just clicked in my brain. What I haven't been able to articulate about why I'm so anxious about #Windows Recall. I'm sure others have already gotten to where I am.
It's worse than "a system that tracks everything you do" and stores that info in a basic database that could be easily compromised.
It's worse than a nanny surveillance tool for companies to spy on their employees.
It's inescapable.
It doesn't matter if I make a dozen "how to disable recall" tutorials. The second YOUR data shows up on someone ELSE'S screen, it's in THEIR recall database.
It won't matter if you're a master #security expert specialist. You can't account for EVERY other computer you've ever interacted with. If a family member looks up an old email with your personal data in it, your data is now at risk.
If THEIR system is compromised YOUR data is at risk.
I just went from "vague feeling of unease" to "actively writing templates to canvass elected officials, regulators, and attorneys general."
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
Could anyone give me recommendations for a password manager? Google is basically useless now and I don't know anywhere else to ask. 😅
So far, I've never found one that I trust enough to use. I do understand the importance but I'm extremely, incredibly hesitant to hand over my passwords to a 3rd party program. I'm even more hesitant to use randomly-generated passwords that I can't memorize as a backup.
All that being said, here's what's important to me:
Transparency - public audits, published whitepaper, and/or open source.
Export to a printable format. I don't have reliable backups, so this is a must-have!
Works with desktop & mobile Firefox.
Works on Windows & Linux (I regularly use both).
Works on Android - not critical, but would be really helpful.
Can work offline (I don't trust any sync server to stay online).
For everything else, I'm more flexible. I don't mind paying a small amount for a better / more trustworthy option, either.
Any suggestions, recommendations, or just boosts are appreciated! Thanks so much in advance! 💙
#GrapheneOS: The gold standard among Android ROMs. No doubt about it: GrapheneOS is currently the most secure and most privacy-friendly custom ROM / Android system. :android: 👇
Had a person send me their number as an interested buyer and told me to text them. I did (first mistake), and we arranged a meetup time. Then they asked if, for their safety, they could send me a six digit code (some of you already know where this is going) that I could repeat back to them to verify myself.
I said, "absolutely!" And sure enough, I got a Google Voice verification number. lol
If you're not familiar with the scam, shady people will take your phone number and try to create a Google Voice account with it. If you provide them with the 6-digit code that Google sends you, they can "verify" that they are you, and then basically use your phone number to run scams, commit fraud, etc. It's nasty business.
I called them out, blocked them, then reported them to the marketplace website and to the FTC--though, almost certainly, they were using the phone number of another poor soul to carry this out.
I used to work as a social engineer, running phishing campaigns (ethically, with consent lol), against Fortune 1000 companies to assess their level of vulnerability. Luckily for me, I was super familiar with this, but most of the people I told about it have said, "Oh, I probably would have fallen for that...", and even I set myself up for it.
So that is why I'm posting this. Please be aware of sketchy shit like this. If someone is asking you for a verification code over SMS or email, tread with EXTREME caution. Also, it's usually pretty shady if a stranger you're already chatting with wants to move to a new platform. Not always, but if someone emails or messages you on Facebook to ask you to text them, that's a little weird. I've had legitimate buyers/sellers do that, so it's not unheard of, but it should put you on guard.
If you buy/sell/trade online frequently, it's a good idea to use a dedicated MySudo number, VOIP number, and/or a burner phone for that.
Bank: “Please create a secure password”
Me: Types in secure password
Bank: “that's too secure, fuck yourself”
Me: what?
Bank: i don't like those characters
Me: types new password
Bank: “you misspelled it once and you can't see it, fuck yourself”
Me: “ok” uses password generator
Bank: “we don't allow copy paste, fuck yourself”
Bank: “you did it too much. Gotta call us. 3 hour wait.” :)
The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store for the productivity category. No wonder! The app disguises itself as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator", and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.
🙏 Boosting this post will help spread the word. Thank you!
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.
TL;DR: Don't turn it on.
The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.
We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.
Why is this bad?
Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access .... 🧵
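An added example (not from the thread above and not Google's code) illustrating why an unencrypted synced seed matters: the secret inside a standard otpauth:// enrollment QR code is the only input RFC 6238 needs, so any party holding the seed computes exactly the codes the user's own app shows. The URI is constructed for this example and carries the RFC 6238 test key; the defence the thread asks for is a user-held passphrase that encrypts the seed before it leaves the device.

```python
# Added example (not from the original post or Google's app): the TOTP seed
# from an enrollment QR code is sufficient to reproduce the user's codes
# (RFC 6238: HMAC-SHA1 over a 30-second counter, 6 digits). Constructed URI;
# its secret is the RFC 6238 test key "12345678901234567890".
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a typical enrollment QR code decodes to.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Extract the raw seed and parameters from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper()
    # Many QR codes omit base32 padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "seed": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def totp(seed: bytes, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_qr(uri: str, unix_time: int) -> str:
    """Whatever holds the QR's seed (user's phone or a sync server) gets this code."""
    cfg = parse_otpauth(uri)
    return totp(cfg["seed"], unix_time, cfg["digits"], cfg["period"])


if __name__ == "__main__":
    # The code derived from the QR seed equals the one from the raw RFC test key.
    print(code_from_qr(SAMPLE_URI, 59), totp(b"12345678901234567890", 59))
```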
Is it just me, or has Microsoft gone completely crazy? They are implementing spyware that takes screenshots every second and forcing AI integration. Why would anyone willingly purchase this? Anyone with experience in computer or information security knows that it is a bad idea, even if it is locally done. Just don't do it. Yet, here we are, and they are doubling down on this idea. https://arstechnica.com/gadgets/2024/05/microsofts-new-recall-feature-will-record-everything-you-do-on-your-pc/ #privacy #security
In my assessment, not only are large parts of the Microsoft O365 service compromised, but so are all Windows machines that were connected to it. A worst-case scenario of epic proportions; many people don't seem to realize this right now. 🤷♂️ 👇
Two decades ago, my life changed forever: hearing #BruceSchneier explain that "#security" doesn't exist in the abstract. You can only be secure from some threat. A fire alarm won't protect you from burglaries. A condom won't protect you from mass shootings. It seems obvious, but how often do we hear about "security" without any mention of who is being made secure, and from which threat?
I always document all the settings I change/adjust in software, for example in Thunderbird, Brave and the like. I keep that locally. My idea now: document it online in the blog. What do you think?
#Bluesky continues to be entirely non-responsive to the numerous security vulnerabilities I've reported to them, so I spent the evening writing up a nice README and a framework with exploit modules, and just made it all public.
The information is still thin, but everyone who can should install the just-released update FRITZ.OS 7.57 (7.31) on their Fritz!Box. Apparently AVM has fixed a (serious) security vulnerability.
I would very much like to ask for an audit of my project "midutils". It consists of 3 small Python programs whose job is to protect files from unprivileged processes, e.g. Firefox cookie files, SSH keys, important documents. I particularly care about the last tool, "midlaunch", which launches applications in bwrap containers and is the most complex one (407 lines of code). All the programs require root privileges, so oversights may lead to unauthorized privilege escalation.
I think the GNU/Linux ecosystem lacks tools of this kind, so I made my own. I would like it to one day make it into the repositories of Arch, Ubuntu, Fedora and other distributions and help improve the security of desktop GNU/Linux users. Unfortunately I don't have much experience working on medium-sized and large projects, which is why I'm asking you for help.
Tonight I'm at the table with the @angrynerdspodcast, a well-watched and well-listened-to weekly program about #Privacy and #Security and #hack things in general.
I want to draw their followers and listeners to the Fediverse. Will you show them that it's alive here by taking them from 139 followers to about 200 today? A boost is appreciated. 🙏🏻
Get ready; Google Adsense, which is used by the majority of websites out there, is introducing a beta feature called Offerwall (Ad gate). https://support.google.com/adsense/answer/11913007 Once the threshold of 4 page views has been reached for any given user, the ad gate will appear everywhere. How generous of them and the website operators? Currently, this is optional, but it may become a permanent feature unless you turn off the ad blocker. #privacy #security
"Export controls and usage controls [on cryptographic software] are slowing the deployment of security at the same time as the Internet is exponentially increasing in size and attackers are increasing in sophistication. This puts users in a dangerous position as they are forced to rely on insecure electronic communication."
In April, ProPublica's Joshua Kaplan, @justinelliott and #AlexMierjeski dropped a bombshell: #SupremeCourt Justice #ClarenceThomas had been showered in high-ticket "gifts" by billionaire ideologue #HarlanCrow, who subsequently benefited from Thomas's rulings in the court:
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
Boffins convert typing sounds into text with 95% accuracy (www.theregister.com)
Researchers in the UK claim to have translated the sound of laptop keystrokes into their corresponding letters with 95 percent accuracy in some cases....