submitted 18 hours ago by [email protected] to c/[email protected]


The Electronic Frontier Foundation (EFF) filed an amicus brief urging the Michigan Supreme Court to find that warrantless drone surveillance of a home violates the Fourth Amendment. The EFF argues that drones are fundamentally different from helicopters or airplanes, and that their silent and unobtrusive capabilities make them a formidable threat to privacy. The EFF also points out that the government is increasingly using drones for surveillance, and that communities of color are more likely to be targeted. The EFF calls on the court to recognize the danger that governmental drone use poses to our Fourth Amendment rights.

submitted 2 days ago by [email protected] to c/[email protected]
submitted 3 days ago by [email protected] to c/[email protected]
submitted 4 days ago by [email protected] to c/[email protected]


A recent privacy study from Cornell University reveals that Amazon Alexa, the virtual assistant found in smart speakers, collects user data for targeted advertising both on and off its platform. This practice has raised concerns about privacy violations. The study also highlights that Amazon's and third-party skills' operational practices are often not transparent in their privacy policies.

Amazon Alexa is designed to respond to voice commands and is present in various Amazon devices, offering a wide range of functionalities, including controlling smart devices, providing information, and playing music.

While Amazon claims that Alexa only records when activated by its wake word ("Alexa"), research has shown that it can sometimes activate accidentally, leading to unintended recordings. Amazon employees listen to and transcribe these recordings, raising concerns about privacy.

Amazon links interactions with Alexa to user accounts, using this data for targeted advertising. Advertisers pay a premium for this information, making it highly valuable. Although Amazon allows users to delete their recordings, compliance with this feature has been questioned.

Additionally, third-party "skills" on Alexa can access user data, and many developers abuse Amazon's privacy policies by collecting voice data and sharing it with third parties without proper oversight.

The recent FTC fine against Amazon highlights its failure to delete certain data, including voice recordings, after users requested their removal, violating the Children's Online Privacy Protection Act (COPPA).

While Amazon Alexa offers convenience, it comes at the cost of privacy. Users looking for more privacy-friendly alternatives can consider Apple's Siri, which offers stronger privacy protection. For those interested in open-source options, Mycroft provides a natural language voice assistant with an emphasis on privacy, but note that the company may be shutting down soon.

submitted 6 days ago* (last edited 6 days ago) by [email protected] to c/[email protected]


The FBI has requested a significant budget increase for 2024, specifically for its DNA database known as CODIS. This request, totaling $53 million, is in response to a 2020 rule that requires the Department of Homeland Security to collect DNA from individuals in immigration detention. CODIS currently holds genetic information from over 21 million people, with 92,000 new DNA samples added monthly. This increase in funding demonstrates the government's commitment to collecting over 750,000 new samples annually from immigrant detainees, raising concerns about civil liberties, government surveillance, and the weaponization of biometrics.

Since the Supreme Court's Maryland v. King decision in 2013, states have expanded DNA collection to cover more offenses, even those unrelated to DNA evidence. The federal government's push to collect DNA from all immigrant detainees represents a drastic effort to accumulate genetic information, despite evidence disproving a link between crime and immigration status.

Studies suggest that increasing DNA database profiles does not significantly improve crime-solving rates, with the number of crime-scene samples being more relevant. Additionally, inclusion in a DNA database increases the risk of innocent individuals being implicated in crimes.

This expanded DNA collection worsens racial disparities in the criminal justice system, as it disproportionately affects communities of color. Black and Latino men are already overrepresented in DNA databases, and adding nearly a million new profiles of immigrant detainees, mostly people of color, will further skew the existing 21 million profiles in CODIS.

The government's increased capacity for collecting and storing invasive data poses a risk to all individuals. With the potential for greater sample volume and broader collection methods, society is moving closer to a future of mass biometric surveillance where everyone's privacy is at risk.

submitted 1 week ago by [email protected] to c/[email protected]


GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.

submitted 1 week ago by [email protected] to c/[email protected]


Attackers can use automated email rules to evade detection after compromising an email account. They can use these rules to steal information, hide emails, and impersonate others.

Some of the ways attackers use email rules include:

  • Forwarding emails containing sensitive keywords to an external address

  • Hiding specific inbound emails by moving them to rarely used folders, marking them as read, or deleting them

  • Creating email forwarding rules to monitor the activities of a victim and collect intelligence on the victim or the victim’s organization to use as part of further exploits or operations

  • Setting up rules that delete all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO), so they can impersonate the CFO and send fake emails to convince colleagues to transfer company funds

Defenses that don't work on their own include:

  • Changing the victim's password

  • Turning on multifactor authentication

  • Imposing other strict conditional access policies

  • Rebuilding the victim's computer

submitted 1 week ago by [email protected] to c/[email protected]


On May 10, 2019, security researcher Bob Diachenko discovered an exposed database containing the personal data of over 80 million people. The database was used by a spam operation called ApexSMS to send millions of phishing and scam messages. The database contained names, locations, phone numbers, IP addresses, and carrier network names. It also tracked which users clicked on which links and responded to which messages.

ApexSMS relied on a messaging and marketing platform called Mobile Drip to send its messages. Mobile Drip denied any connection to ApexSMS, but TechCrunch disputed this claim.

TechCrunch did not publish the names of the spammers, because it is for the courts to decide if the operation was unlawful. However, the company did name the companies involved in the operation, including ApexSMS, Mobile Drip, and Grand Slam Marketing.

It is not known for how long the database was exposed or if anybody else accessed it. However, Diachenko said that the spammers were "still using and improperly storing the information or data of millions of people."

submitted 1 week ago by [email protected] to c/[email protected]


The Electronic Frontier Foundation (EFF) has released a new version of Privacy Badger that updates how it fights "link tracking" across a number of Google products. With this update, Privacy Badger removes tracking from links in Google Docs, Gmail, Google Maps, and Google Images results. Privacy Badger now also removes tracking from links added after scrolling through Google Search results.

Link tracking is a technique that allows a company to follow you whenever you click on a link to leave its website. Google uses different techniques for link tracking in different browsers and products. One common approach is to surreptitiously redirect the outgoing request through the tracker's own servers.

The EFF says that there is virtually no benefit to you when this happens, and that the added complexity mostly just helps Google learn more about your browsing.

The new version of Privacy Badger works by blocking all Google link tracking requests at the network layer. This is a more reliable way to prevent tracking, but it is not compatible with Google's Manifest V3 (MV3) extension API.

The EFF says that it would like to see this important functionality gap resolved before MV3 becomes mandatory for all extensions.

Privacy Badger is a free and open-source browser extension that helps to protect your privacy online. It is available for Chrome, Firefox, and Edge.

More info and installation links: https://privacybadger.org/

submitted 1 week ago by [email protected] to c/[email protected]


The UK Parliament has passed the Online Safety Bill (OSB), claiming it will enhance online safety but actually leading to increased censorship and surveillance. The bill grants the government the authority to compel tech companies to scan all user data, including encrypted messages, to detect child abuse content, effectively creating a backdoor. This jeopardizes privacy and security for everyone. The bill also mandates the removal of content deemed inappropriate for children, potentially resulting in politicized censorship decisions. Age-verification systems may infringe on anonymity and free speech. The implications of how these powers will be used are a cause for concern, with the possibility that encrypted services may withdraw from the UK if their users' security is compromised.

submitted 1 week ago by [email protected] to c/[email protected]


addy.io has passed an independent security audit conducted by Securitum. The audit included a web application penetration test and a source code audit. No significant vulnerabilities were identified during testing, and the 2 low-risk issues that were found have been fixed.

Full report: https://addy.io/addy-io-security-audit.pdf

submitted 2 weeks ago by [email protected] to c/[email protected]


For personal use, watch out if you use Google Authenticator with sync to the cloud feature. If your Google account is compromised, e.g. you get phished:

  • Your 2FA for other accounts might be compromised as well.

  • If you use the GMail address for other accounts' password recovery, the passwords for those accounts may be reset/compromised too, regardless of how complex the passwords are.


For personal use, because "Google Prompt" on an Android device is automatically the default 2FA for Google account, can you delete this default 2FA method and just enable a FIDO2 key on Google's account?


Google's Authenticator app, designed for generating Multi-Factor Authentication (MFA) codes, was criticized by a security company called Retool for exacerbating a recent internal network breach. The breach occurred when an employee received a deceptive text message, leading them to share their login credentials, including a Temporary One-Time Password (TOTP), with the attackers. The situation escalated due to Google's Authenticator sync feature introduced in April, which allowed the attackers to compromise multiple company accounts once they gained access to the employee's Google account.

This synchronization feature stored MFA codes in the cloud, making them vulnerable if the Google account was compromised. Retool argued that Google employed unclear settings for disabling this feature, making it challenging for users and administrators to prevent. As a result, the attackers exploited this vulnerability to gain access to various accounts, including VPNs and internal systems, enabling them to take over specific customer accounts in the cryptocurrency industry.

Retool's security shortcomings were also highlighted, as they relied on TOTPs, which can be phished with relative ease, instead of adopting more secure industry-standard MFA solutions like FIDO2. While Google defended its syncing feature, emphasizing its benefits for user convenience, they acknowledged the preference for local storage of OTPs in enterprise environments.

There’s a good argument to be made that Retool used the Google Authenticator issue to deflect attention away from Retool’s culpability in the compromise.

In conclusion, the incident underscores the importance of adopting FIDO2-compliant MFA for robust security, while Google's Authenticator app is seen as a middle-ground option that may be inadequate for enterprises where security is paramount.

[-] [email protected] 21 points 2 weeks ago

Ah, the lure of power.

[-] [email protected] 16 points 2 weeks ago

Well, that's most terrifying. Can you do anything about it except not using smartphones?

[-] [email protected] 57 points 2 weeks ago

Hey, that's how I find out the world news nowadays. Submarine implosion, armed rebellion, mysterious plane crash, those all came through.

[-] [email protected] 14 points 2 weeks ago

Yes, there's already an update.

[-] [email protected] 37 points 2 weeks ago

Since webp is Google's, I wouldn't be surprised that everybody is using Google libwebp's derived code to display webp images. There was an advisory to check updates for ALL your browsers on ALL platforms. Edge also had a recent update.

[-] [email protected] 15 points 2 weeks ago

This article specifically addresses Visa applications. So, if the person is already applying for a citizenship, there is most likely already a residency which doesn't require Visa on entry. There also seems to be a different set of rules for people already in the country. From the article:

And while the court recognized the First Amendment rights of noncitizens currently present in the United States who limit their online speech because they may need to renew a visa in the future, it held that the federal government’s regulation of immigration should be granted significant deference.

[-] [email protected] 12 points 3 weeks ago

If they knew it wasn't going to work, why ask for it at the first place. Red herring? Ask for something big to trade for something smaller? Drama for the bored?

[-] [email protected] 31 points 3 weeks ago

Opting out is likely impossible for people living outside the GDPR area right now.

[-] [email protected] 17 points 3 weeks ago


In November 2022, LastPass, a password manager service, suffered a data breach in which hackers stole password vaults containing encrypted and plaintext data for over 25 million users. Since then, there has been a series of cryptocurrency thefts targeting individuals in the tech industry, totaling more than $35 million. These thefts primarily targeted individuals deeply integrated into the cryptocurrency ecosystem, including employees of crypto organizations and venture capitalists.

Researchers, led by Taylor Monahan, CEO of MetaMask, have identified a common factor among these victims: they had previously used LastPass to store their "seed phrase," which is a critical private key for accessing their cryptocurrency investments. Armed with this seed phrase, attackers can instantly access and transfer the victim's cryptocurrency holdings.

The LastPass breach exposed vulnerabilities in its security, particularly related to the master passwords and encryption settings. LastPass users who stored important passwords, especially for cryptocurrency accounts, are urged to change their credentials immediately and migrate their crypto holdings to offline hardware wallets. Alternatives like 1Password, which offer additional security layers like a Secret Key, are recommended.

While the research suggests a strong link between the LastPass breach and the cryptocurrency thefts, it's challenging to definitively prove causation. Nonetheless, security experts advise taking immediate action to protect digital assets.

[-] [email protected] 38 points 3 weeks ago

"Mr President, we have no armors to protect the planes against bombs' fragmentation."

"Very well, let them have car tires."

ps: it must be effective against something.

[-] [email protected] 19 points 3 weeks ago

It's a miracle! Hallelujah!

view more: next ›


4333 post score
454 comment score
joined 2 months ago