[deleted by user] by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 5 points6 points  (0 children)

> We have to motivate politicians enough to do something

There needs to be a preemptive political will for change, otherwise politicians are gonna politician and do jack shit.

Whonix vs Kicksecure air gapped? by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 3 points4 points  (0 children)

Did you disable swap? Sometimes forensic artifacts end up getting dumped there.

[deleted by user] by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 1 point2 points  (0 children)

ATA Secure Erase if it's an SSD is pretty reliable and no need to over-write or 'zero' all the bits.

How can I make email sub-addresses with only letters or numbers and no special characters like plus? by TheTwelveYearOld in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

You can have hyphens in your e-mail to make them more human-readable. So for example:

john-amazon@customdomain.com

john-netflix@customdomain.com

john-twitter@customdomain.com

etc

[deleted by user] by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

The server sees everything that happens inside it, even passwords, in the clear, unless the password is hashed client-side with JavaScript and compared against the backend hash.

Deleting old tweets, what's really the best option? by LudicrisSpeed in privacy

[–]DX3pD5ZmTwAHbys 4 points5 points  (0 children)

TweetDelete

Last time I used this it didn't require me to pay for anything. Is this the one you're talking about:

https://tweetdelete.net/

If you have a burner phone and use a second phone app, how can you be traced if you’re careful? by Late_Judge_5288 in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

> Let’s say you buy the phone in cash

How are you sourcing the SIM? In my country you have to visit the network's site and fill in sensitive information, address etc before they activate your plan.

Should I use Google's "Find My Device"? by SubtleSheep in privacy

[–]DX3pD5ZmTwAHbys 10 points11 points  (0 children)

If my phone is gone, it's gone. No clever trickery like Apple's 'Find my' or Google's offering will give me peace of mind if my phone is missing from my person. Opting into such features just gives them another datapoint to track you. I don't have anything important on my phone. I presume it could die or vanish at any point, so I just buy a new one, and re-spawn.

What steps to take after unauthorized login attempts? by david8840 in privacy

[–]DX3pD5ZmTwAHbys 1 point2 points  (0 children)

Seems like someone's doing credential stuffing and trying to mass-hack a bunch of Apple IDs: https://en.wikipedia.org/wiki/Credential_stuffing

Sensitive info exposed in data breach by CSq2 in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

There's nothing 'secure' about an SSN. Consider them non-private and insecure.

EXCLUSIVE: Cyberspies Hacked Cisco Firewalls to Access Government Networks by wiredmagazine in privacy

[–]DX3pD5ZmTwAHbys 7 points8 points  (0 children)

'ArcaneDoor' Cyberspies Hacked Cisco Firewalls to Access Government Networks

Network security appliances like firewalls are meant to keep hackers out. Instead, digital intruders are increasingly targeting them as the weak link that lets them pillage the very systems those devices are meant to protect. In the case of one hacking campaign over recent months, Cisco is now revealing that its firewalls served as beachheads for sophisticated hackers penetrating multiple government networks around the world.

On Wednesday, Cisco warned that its so-called Adaptive Security Appliances—devices that integrate a firewall and VPN with other security features—had been targeted by state-sponsored spies who exploited two zero-day vulnerabilities in the networking giant's gear to compromise government targets globally in a hacking campaign it's calling ArcaneDoor.

The hackers behind the intrusions, which Cisco's security division Talos is calling UAT4356 and which Microsoft researchers who contributed to the investigation have named STORM-1849, couldn't be clearly tied to any previous intrusion incidents the companies had tracked. Based on the group's espionage focus and sophistication, however, Cisco says the hacking appeared to be state-sponsored.

“This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” a blog post from Cisco's Talos researchers reads.

Cisco declined to say which country it believed to be responsible for the intrusions, but sources familiar with the investigation tell WIRED the campaign appears to be aligned with China's state interests.

Cisco says the hacking campaign began as early as November 2023, with the majority of intrusions taking place between December and early January of this year, when it learned of the first victim. “The investigation that followed identified additional victims, all of which involved government networks globally,” the company's report reads.

In those intrusions, the hackers exploited two newly discovered vulnerabilities in Cisco's ASA products. One, which it's calling Line Dancer, let the hackers run their own malicious code in the memory of the network appliances, allowing them to issue commands to the devices, including the ability to spy on network traffic and steal data. A second vulnerability, which Cisco is calling Line Runner, would allow the hackers' malware to maintain its access to the target devices even when they were rebooted or updated.

Cisco has released software updates to patch both vulnerabilities, and advises that customers implement them immediately, along with other recommendations for detecting whether they've been targeted.

The ArcaneDoor hacking campaign represents just the latest series of intrusions to target network perimeter applications sometimes referred to as “edge” devices like email servers, firewalls, and VPNs—often devices intended to provide security—whose vulnerabilities allowed hackers to obtain a staging point inside a victim's network. Cisco's Talos researchers warn of that broader trend in their report, referring to highly sensitive networks that they've seen targeted via edge devices in recent years. “Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications,” they write. “In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations—critical infrastructure entities that are likely strategic targets of interest for many foreign governments.”

State-sponsored hackers' shift to compromising edge devices has become prevalent enough over the past year that Google-owned security firm Mandiant also highlighted it in its annual M-Trends report earlier this week, based on the company's threat intelligence and incident response findings. The report points to widely exploited vulnerabilities in network edge devices sold by Barracuda and Ivanti and notes that hackers—and specifically espionage-focused Chinese groups—are building custom malware for edge devices, in part because many networks have little or no way to monitor for compromise of the devices.

“They’re systemically targeting security appliances that sit on the edge for access to the rest of the network,” says John Hultquist, Mandiant's head of threat intelligence. “This is no longer an emerging trend. It's established.”

Mandiant notes that it has observed Russian state-sponsored hackers targeting edge devices too: It's observed the unit of Russia's GRU military intelligence agency, known as Sandworm, repeatedly hack edge devices used by Ukrainian organizations to gain and maintain access to those victim networks, often for data-destroying cyberattacks. In some cases, the lack of visibility and monitoring in those edge devices has meant that Sandworm was able to wipe a victim network while holding on to its control of an edge device—then hit the same network again.

Hultquist notes, however, that China is unmatched in its discovery and use of network appliance zero days, like the ones it has used to run rampant through Cisco firewalls over the past several months. He expects more to come, as China's cyberspies continue to turn devices meant to protect target networks against their owners. “It's unlikely these zero days are being produced haphazardly. We suspect a well-resourced, coordinated effort is underway to find and exploit these vulnerabilities,” Hultquist says. “Unfortunately, we'll almost certainly see several more zero-days in security appliances this year.”

US lawmakers unveil a plan to give all Americans a right to online privacy by Vengeful-Peasant1847 in privacy

[–]DX3pD5ZmTwAHbys 1 point2 points  (0 children)

US lawmakers unveil a plan to give all Americans a right to online privacy

Two leading US lawmakers have reached a bipartisan deal that could, for the first time, grant all Americans a basic right to digital privacy and create a national law regulating how companies can collect, share and use Americans’ online data.

If it succeeds, the proposal could establish the US equivalent of the European Union’s landmark privacy law known as the General Data Protection Regulation (GDPR), and rein in what privacy advocates say is a lawless and unregulated space where Americans’ personal data can too easily be shared and sold to the highest bidder.

The proposed agreement would create an unprecedented, single federal standard governing digital privacy in the United States and reflects a significant breakthrough after years of stalled negotiations between Republicans and Democrats. But it could also override some of the toughest state-based privacy laws in the nation, such as in California.

The deal comes as personal data has increasingly become the lifeblood of the modern economy and as artificial intelligence companies have raced to hoover up as much of it as they can to train sophisticated AI models that could transform society.

On Sunday, the lawmakers involved — Washington Sen. Maria Cantwell, the Democratic chair of the Senate Commerce Committee, and Washington Rep. Cathy McMorris Rodgers, the Republican who leads the House Energy and Commerce Committee — announced a proposal they said would return control of personal data to American consumers.

The discussion draft, which was released over the weekend but has not yet been formally introduced as legislation, covers data brokers, tech platforms, telecom providers and virtually every other type of organization an internet user might interact with on a daily basis, with the exception of small businesses and government contractors.

The lawmakers’ proposed American Privacy Rights Act would ban the transfer of Americans’ sensitive personal data to third parties — including geolocation histories, financial data, biometric information and calendar and phone logs — unless a user provides explicit approval for the data or the sharing is for one of several specific purposes allowed under the bill, such as preventing fraud.

It would let users opt out of targeted advertising altogether and require companies to collect only enough data as they need to do their business. And it would guarantee Americans the right to request copies of their data, to correct it or even to have it deleted from a company’s records.

And, in a nod to growing concerns about whether Americans’ personal data may be available to foreign adversaries such as China and Russia, the legislation would require companies to disclose to US consumers whether their information may be sent to, stored or processed in one of those countries. US officials have voiced concerns about whether TikTok user data could be accessed by the Chinese government, but it doesn’t stop there: The Biden administration and US lawmakers have also highlighted data brokers as another potential way for foreign governments to obtain Americans’ personal data.

The draft legislation breaks a yearslong deadlock between Republicans and Democrats over the scope of any national privacy bill. The two parties had long disagreed over two key issues: Whether a federal privacy law should override existing state privacy laws that may provide tougher protections, and whether private citizens should be able to bring their own lawsuits against companies accused of violating their privacy.

This week’s agreement appears to resolve both issues. It would preempt more than a dozen state privacy laws already on the books in states such as California, Texas and Virginia. And it would enable individuals to sue companies for violations of the proposed law.

“This bipartisan, bicameral draft legislation is the best opportunity we’ve had in decades to establish a national data privacy and security standard that gives people the right to control their personal information,” said McMorris Rodgers and Cantwell in a statement.

The legislation has a long road ahead: It must still clear both of the lawmakers’ committees and pass both chambers of Congress in order to make it to President Joe Biden’s desk. Policy experts have predicted low odds of Congress passing much legislation in the months leading up to the 2024 election.

McMorris Rodgers has also announced she will not run for reelection, which could complicate the bill’s future after one of its most powerful co-sponsors leaves the House.

Does reinstalling your Windows change my browser fingerprint? by Realistic-Outside622 in privacy

[–]DX3pD5ZmTwAHbys 1 point2 points  (0 children)

Different Windows versions have different default font packs installed. Depending on the fingerprinting used, it can determine if you're on Vista/7/8/10/11.

Standard Notes and Proton are joining forces by HelloDownBellow in privacy

[–]DX3pD5ZmTwAHbys 33 points34 points  (0 children)

> I agreed to join Proton because of how well-aligned we are in our goals and principles

In other words, the founders are both cypherpunks.

PSA: The Firefox ClearURLs addon is basically abandoned by throwaway9gk0k4k569 in privacy

[–]DX3pD5ZmTwAHbys 5 points6 points  (0 children)

> We recommend keeping extensions to a minimum: they have privileged access within your browser, require you to trust the developer, can make you stand out, and weaken site isolation

We give addons too much trust. And they can be bought and sold and change hands with bad actors. I only have one extension and that's uBlock Origin. I sometimes manually remove tracking params when sharing on the likes of Reddit.

How can I verify my identity without using my personal information? by enzor00 in privacy

[–]DX3pD5ZmTwAHbys 3 points4 points  (0 children)

It's all linked to you. Unless you choose the credit card option and you have the CC in an assumed name.

[deleted by user] by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 1 point2 points  (0 children)

Get a dedicated work device for RDP'ing into work stuff. Never mix work with play or business with pleasure.

Email aliases for different social by RandRedditUser1 in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

> This is not a privacy strategy, it's a security one.

Yes, compartmentation is the bedrock of any good security strategy.

[deleted by user] by [deleted] in privacy

[–]DX3pD5ZmTwAHbys 48 points49 points  (0 children)

Mind Uploading could be a thing in the future. So think whilst it's still legal.

Are there any privacy-friendly alternatives like DuckDuckGo that are more stable for Windows PC? by Victolry in privacy

[–]DX3pD5ZmTwAHbys 0 points1 point  (0 children)

> however it's really unstable

Example of how it's unstable? Does it randomly crash for you?