• 5 Posts
  • 23 Comments
Joined 2Y ago
cake
Cake day: Jun 03, 2021
help-circle
rss
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlUK to Criminalize Possession of “sophisticated encrypted communication devices”
link
fedilink
62d

Also known as computer

link
fedilink
Reminder to check whether you have old accounts that you might have forgotten about
You might have old accounts especially cloud accounts that are just idling abandoned while still holding personal information. They might have old weak passwords just waiting to get compromised. Same goes for old email addresses that you do not use anymore but are still linked to other accounts. This is a reminder to check those, delete your data from them or to delete them altogether (delete private information manually first before deleting the account as many companies do not actually delete the data from deleted accounts and just mark the account as deleted). Some examples of this could be: * old Google accounts from old devices * old iCloud accounts * old Microsoft accounts * old Aol or similar email accounts * old accounts from smartphone vendors like Samsung, Huawei etc. that often have their own cloud services Make sure to set a strong passwords on accounts you want to keep and of course use a password manager. Besides the security password managers have the great side effect of giving you an overview over all your accounts so that you cannot just forget old ones.
fedilink
18
Reminder to check whether you have old accounts that you might have forgotten about
fedilink
Saying that using an adblocker is immoral is no different than saying that it is immoral to switch the TV channel in a commercial break
just that the TV commercial looks back at you through the TV and the TV follows you around everywhere, wherever you go, whatever you do, taking note of everything to get to know every single detail about you, every interest, every prejudice, every weakness of yours, to get to know you like no person, no matter how close to you does, like not even yourself do to use that information to influence you most effectively to the TV channel's and the advertiser's advantage, to manipulate you, to sell this information about you to other companies like insurances who use the power that this knowledge provides over you to extract every last cent of money from you, to sell you.
fedilink
40
Saying that using an adblocker is immoral is no different than saying that it is immoral to switch the TV channel in a commercial break
fedilink
Discord is a privacy disaster. How to use Discord as private as possible Guide
##Some general background Discord is a privacy and security disaster. They do not make their money through ads and tracking (as of now) but they do not care about privacy or security just the slightest bit either. Discord messages are not end to end encrypted. Discord, their employees and their infrastructure partners like Google Cloud Messaging have access to your messages at all time. Do not ever send anything sensitive over Discord! Discord also does *not* delete your messages when you delete your account, leave a server or delete a channel or group. When you delete a channel or group or get removed from one your messages still stay on their server. You just lose access to them and have no way to delete them anymore. If you delete your account without deleting your messages first they will stay on their servers forever without you having any way to access or delete them. There is no official way for deleting all your messages. I am not a lawyer, but I am very sure that is a violation of the GDPR and highly illegal. They claim they anonymize that data when you delete your account, but all your messages are still tied to an account ID and there is no way to anonymize private messages that can contain personal information. Using client mods to automate deleting messages is even against their TOS. They do not comply with laws that require them to delete your data and reserve the right to ban you when you try to do that yourself. You should absolutely regularly delete your messages anyways. Make sure to have another mean of contact for your Discord friends so you do not rely on Discord as they can and do of course ban you for any or no reason whatsoever. Discord also has extremely extensive telemetry that is *not* anonymized. They basically log every click you make in the app: when you click on a profile, when you join a voice channel etc. You can see this data when you do a GDPR request. Included in this logs is your IP address, your rough location and device information for every single event. You can block some of this with uBo in a browser or with client mods. ##Settings in Discord * Opt out of personalization and other data sharing. * Set yourself to invisible/offline. Everyone on every server can see when you are online otherwise and there are bots collecting this information. ##Modifications * If you can, use Discord in a browser with uBlock Origin. * Regularly use a script like [this](https://github.com/victornpb/deleteDiscordMessages) to delete your messages. * Consider using a VPN to hide your IP address and location. * If you use their mobile app do not grant it storage permission and instead share files from your gallery or file manager with Discord. ##Usage Assume that absolutely everything you do on Discord – every message you send every word you say in a voice channel, every click you make – gets permanently recorded by Discord and secrete services, gets sold to advertisers either right away or in the future and breached to the public in the future. That is exactly what you risk when using Discord. Use it accordingly and do not share anything sensitive. If you need to discuss something private shift to another platform.
fedilink
36
Discord is a privacy disaster. How to use Discord as private as possible Guide
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlWhat’s in a PR statement: LastPass breach explained
link
fedilink
11M

Bitwarden

link
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlWhat’s in a PR statement: LastPass breach explained
link
fedilink
21M

Due to their frontend architecture and how it interacts with their backend, you have no idea if they store your master password or associated encryption keys on their servers or not. They say they don’t, but they totally could and it’s impossible to prove or disprove.

What? That sounds really really bad. If that is true LastPass was an absolute security nightmare all along.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlHow can I have a private second identity over onion routing in matrix?
link
fedilink
22M

Why not use Whonix on your Arch? The Matrix client in Whonix would be routed over Tor and anonymous provided you do not give out your identity and the Matrix client on the host would be in the clear.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlThinking about taking your computer to the repair shop? Be very afraid
link
fedilink
22M

Sounds like a good way to filter out the worst.

link
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlLastPass Posts Notice of Recent Security Incident
link
fedilink
32M

Probably a good time to change to an audited open source password manager if you are a LastPass user. Fixed that for you.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlTor Is Not Just for Anonymity
link
fedilink
22M

Exit nodes alone cannot deanonymize Tor traffic. Tor is specifically designed so that unlike e.g. VPNs it does not have a single point of failure. If a node in your circuit is malicious, no matter which, you are still anonymous.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlApple Says iPhone Usage Data Is Anonymous. New Tests Say: Not True
link
fedilink
42M

So the anonymized data might not be anonymized after all. That is as unexpected as a pot of milk boiling over on the stove when you leave the room. Expect this to be the case with all telemetry as the default. They always claim it is only for improving the products, but in reality it is very often an extremely detailed log of all user activity comprising sometimes of essentially every click and even other data about third party programs other device activity unrelated to the program or data about other devices in the same network, proximity etc. and the way your device communicates with them.

Unless software is open source and transparent about what data it collects for telemetry on a truly voluntary basis, openly asking you about whether you want to send telemetry and giving you equivalent yes and no options without any dark patterns or opt outs, always reject telemetry where possible, go into the settings and turn it off, opt out of hidden data sharing settings and block telemetry and other tracking at the network level e.g. with DNS filtering.

Supposedly anonymized data is very often not really anonymized at all. That is often just a claim to bypass privacy regulations. There are data brokers identifying supposedly anonymized data and aggregating it with other data sources for a business.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.ml*Permananently Deleted*
link
fedilink
12M

I would simply be 135 year old identifying as a pirate, but torrent trackers don’t ask for this information.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlKOSA Would Let the US Government Control What Young People See Online, EFF says
link
fedilink
12M

Yes, I did.

But KOSA’s chief focus is not to protect young people’s privacy. The bill’s main aim is to censor a broad swath of speech in response to concerns that young people are spending too much time on social media, and too often encountering harmful content. KOSA requires sites to “prevent and mitigate mental health disorders,” including by the promotion or exacerbation of “self-harm, suicide, eating disorders, and substance use disorders.” Make no mistake: this is a requirement that platforms censor content.

That sounds a lot like “Think of the children!” to me.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlKOSA Would Let the US Government Control What Young People See Online, EFF says
link
fedilink
12M

But think of the children!

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlFBI Director Cannot ‘Be Sure’ Whether Facebook Is Sending User Information to Agents
link
fedilink
1
edit-2
2M

deleted by creator

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlKOSA Would Let the US Government Control What Young People See Online, EFF says
link
fedilink
1
edit-2
2M

deleted by creator

link
fedilink
Critical Android lock screen bypass: What you should do now and general advice
The last two paragraphs can be seen as a brief Tl;Dr. As you have probably already read a critical vulnerability in Android has been found by a researcher accidentally that allows to bypass the Android lock screen and to unlock the phone without the password on Pixel devices and potentially also many other devices. Here is his original post: https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/ Tl;Dr: When the phone is locked an attacker can swap the SIM card to their own while on the password entry screen. The device will then show the unlock SIM screen on top of the lockscreen password entry screen. Now the attacker can intentionally enter an incorrect PIN to their SIM card three times causing the SIM card to get locked and requiring the PUK code. When the attacker enters their PUK to unlock the SIM card again and then sets any new SIM pin the phone will unlock without requiring the lockscreen password. All the attacker needs is access to the locked phone, that just needs to have been unlocked once since the last boot and any SIM card they know the PUK of. The vulnerability is in AOSP and could therefore also affect other non Pixel devices depending on whether the OS uses the AOSP or a customized variant of the lock screen and PIN screen. The vulnerability has been fixed in the November Android security update. So if you are on a Pixel make sure to update your phone quickly and check that you have the November security patch. I read somewhere that the vulnerability got introduced with Android 12, but I cannot verify this. All Android devices without the November 2022 security patch are potentially vulnerable until confirmed otherwise. Even if they are not vulnerable the unlock system before that security patch had significant security issues that made this vulnerability possible and could lead to other similar vulnerabilities being found. I can personally confirm that the exploit is working on GraphneOS prior to the November security patch. ## What to do now The most important thing is of course to update the OS to get the patch. But there is one huge catch: many manufacturers take very long to incorporate the Android security updates into their custom Android variants and to publish security updates. Even worse many Android devices are no longer supported by the manufacturer and do not get security updates anymore at all. This means many potentially vulnerable Android devices are unpatched and there is no patch available. If your device is still supported you should pay especial close attention to updates in the next time and install them timely. Devices no longer officially supported might have custom ROMs with newer AOSP security updates available (e.g. GrapheneOS has the November security patch for the Pixel 4 and Pixel 4 XL). However custom ROMs can come with their own issues and are not a solution for the huge number of average users. ## Mitigations and general advice Since some time Android encrypts user data with filesystem encryption. When you boot your phone the data is encrypted and not accessible until your enter the password so it can get decrypted. A lockscreen bypass cannot bypass encryption. There is a huge difference whether your device is freshly booted and all user data is at rest and encrypted or whether it is just locked. Once you enter the password Android stores the encryption keys in memory and loads data to memory. Now your user data is accessible to Android and only the lockscreen protects it against someone with physical access. A lockscreen is generally much less secure than encryption. There is significantly more attack surface once you unlock your device after boot as this vulnerability shows. Also biometric authentication is only available after the first unlock which is more vulnerable to different attacks like forced unlocking or tampering and faked biometrics. What this means is that when you shutdown your device or reboot it, it is invulnerable to this lockscreen bypass as it is protected by something much stronger: encryption. Only once you enter the password again it becomes vulnerable. The following is good advice in general but especially important now for people with unpatched devices: (Tl;Dr:) If you get into a situation where your device is more susceptible to physical access by others such as border control, a police control, anything like that or you let your device unsupervised somewhere or store it somewhere without using it for some time, turn off or reboot your device beforehand. This will make sure all user data is encrypted at rest and significantly reduces attack surface for a physical attacker. Of course every encryption and every lock screen is just as secure as the password. This is also a good example of why security update support is important. When buying a device, pay attention to the time frame for guaranteed security updates. Also be careful about how long different Android manufacturers take to publish security updates. Generally Android variants closer to AOSP like Pixel stock Android or Graphene OS get security updates quickly while heavily modified manufacturer variants like Samsung's One UI, Huawei's EMUI or Xiaomi's MIUI take much longer.
fedilink
10
Critical Android lock screen bypass: What you should do now and general advice
fedilink
Critical Android lock screen bypass: What you should do now and general advice
The last two paragraphs can be seen as a brief Tl;Dr. As you have probably already read a critical vulnerability in Android has been found by a researcher accidentally that allows to bypass the Android lock screen and to unlock the phone without the password on Pixel devices and potentially also many other devices. Here is his original post: https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/ Tl;Dr: When the phone is locked an attacker can swap the SIM card to their own while on the password entry screen. The device will then show the unlock SIM screen on top of the lockscreen password entry screen. Now the attacker can intentionally enter an incorrect PIN to their SIM card three times causing the SIM card to get locked and requiring the PUK code. When the attacker enters their PUK to unlock the SIM card again and then sets any new SIM pin the phone will unlock without requiring the lockscreen password. All the attacker needs is access to the locked phone, that just needs to have been unlocked once since the last boot and any SIM card they know the PUK of. The vulnerability is in AOSP and could therefore also affect other non Pixel devices depending on whether the OS uses the AOSP or a customized variant of the lock screen and PIN screen. The vulnerability has been fixed in the November Android security update. So if you are on a Pixel make sure to update your phone quickly and check that you have the November security patch. I read somewhere that the vulnerability got introduced with Android 12, but I cannot verify this. All Android devices without the November 2022 security patch are potentially vulnerable until confirmed otherwise. Even if they are not vulnerable the unlock system before that security patch had significant security issues that made this vulnerability possible and could lead to other similar vulnerabilities being found. I can personally confirm that the exploit is working on GraphneOS prior to the November security patch. ## What to do know The most important thing is of course to update the OS to get the patch. But there is one huge catch: many manufacturers take very long to incorporate the Android security updates into their custom Android variants and to publish security updates. Even worse many Android devices are no longer supported by the manufacturer and do not get security updates anymore at all. This means many potentially vulnerable Android devices are unpatched and there is no patch available. If your device is still supported you should pay especial close attention to updates in the next time and install them timely. Devices no longer officially supported might have custom ROMs with newer AOSP security updates available (e.g. GrapheneOS has the November security patch for the Pixel 4 and Pixel 4 XL). However custom ROMs can come with their own issues and are not a solution for the huge number of average users. ## Mitigations and general advice Since some time Android encrypts user data with filesystem encryption. When you boot your phone the data is encrypted and not accessible until your enter the password so it can get decrypted. A lockscreen bypass cannot bypass encryption. There is a huge difference whether your device is freshly booted and all user data is at rest and encrypted or whether it is just locked. Once you enter the password Android stores the encryption keys in memory and loads data to memory. Now your user data is accessible to Android and only the lockscreen protects it against someone with physical access. A lockscreen is generally much less secure than encryption. There is significantly more attack surface once you unlock your device after boot as this vulnerability shows. Also biometric authentication is only available after the first unlock which is more vulnerable to different attacks like forced unlocking or tampering and faked biometrics. What this means is that when you shutdown your device or reboot it, it is invulnerable to this lockscreen bypass as it is protected by something much stronger: encryption. Only once you enter the password again it becomes vulnerable. The following is good advice in general but especially important now for people with unpatched devices: (Tl;Dr:) If you get into a situation where your device is more susceptible to physical access by others such as border control, a police control, anything like that or you let your device unsupervised somewhere or store it somewhere without using it for some time, turn off or reboot your device beforehand. This will make sure all user data is encrypted at rest and significantly reduces attack surface for a physical attacker. Of course every encryption and every lock screen is just as secure as the password. This is also a good example of why security update support is important. When buying a device, pay attention to the time frame for guaranteed security updates. Also be careful about how long different Android manufacturers take to publish security updates. Generally Android variants closer to AOSP like Pixel stock Android or Graphene OS get security updates quickly while heavily modified manufacturer variants like Samsung's One UI, Huawei's EMUI or Xiaomi's MIUI take much longer.
fedilink
6
Critical Android lock screen bypass: What you should do now and general advice
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlOver 13,000 Vivo phones found to be using same IMEI number
link
fedilink
27M

Yet another reason never to use SMS for 2FA.

link
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlDoes "change your password because Twitch got leaked" actually make sense?
link
fedilink
11Y

I’m going to assume that Twitch implements password hashing and salting correctly

This is not a good idea. Many many sites including major companies have terrible security and don’t spend the slightest effort in protecting user data. They simply face no consequences over it. Countless data breaches show over and over again how bad sensitive information like passwords are protected. Many sites still use ridiculously weak hashing procedures like unsalted MD5 or even store passwords in plaintext. The way many sites handle passwords not only shows that their users’ security is of absolutely no priority to them but can often only be explained with enormous incompetence. Password guidelines are often so ridiculously bad to the point where it would be a lot easier to just do it right, yet someone explicitly programed nonsensical limitations for the passwords like lenght limits, limited character sets, the necessity to start with a letter, case insensitive passwords or whatever idiocy they can think of.

Never trust a site to secure your data. They most likely won’t. Also don’t trust a companie’s report on a breach. Breaches are often kept secrete until there is no way to hide it anymore. But even then companies usually play it down and admit only to what they really cannot hide. The number and extent of known breaches is already disastrous, but there certainly is a lot of unknown breached data that makes it even worse.

We have to assume the Twitch leak is worse than they admit. The attackers might have had access to much more than we know, perhaps they were able to intercept passwords in plaintext. We also have to assume Twitch did not properly secure the saved passwords. Acting otherwise would be foolish and insecure.

Be better safe than sorry and just hit the password generate button in your password manager. If you used the same password on other sites those should be changed regardless.

And of course if your password is too weak no hashing can protect it from being cracked.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlIn iOS 15, the phone is findable even when “Powered off”
link
fedilink
11Y

I strongly disagree. That’s a problem for everyone. Everyone needs privacy, not just journalists.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlDeleting Old Email
link
fedilink
51Y

If you are in the EU you can send them a GDPR request and ask them to remove your account and all associated data. Look for a contact email address in their privacy policy.

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlFree PN: open-source peer-to-peer VPN
link
fedilink
62Y

Looks like a good way to get a bunch of IPs for your botnet.

link
fedilink
@ThreeHopsAhead@lemmy.mltoSecurity@lemmy.mlZoom security issues: Here's everything that's gone wrong (so far)
link
fedilink
42Y

No. Unless you’re discussing state or corporate secrets, or disclosing personal health information to a patient, Zoom should be fine.

So the average person does not need privacy?

link
fedilink
@ThreeHopsAhead@lemmy.mltoPrivacy@lemmy.mlAccording privacy...
link
fedilink
22Y

How is this connected to Bromite or GrapheneOS? Do you have anything to back up those claims?

link
fedilink