Information Security

1

The knee-jerk answer when an app pushes designed obsolescence by advancing the min Android API required is always “for security reasons…” It’s never substantiated. It’s always an off-the-cuff snap answer, and usually it does not even come from the developers. It comes from those loyal to the app and those who perhaps like being forced to chase the shiny with new phone upgrades.

Banks, for example, don’t even make excuses. They can just neglect to be mindful of the problem and let people assume that some critical security vuln emerged that directly impacts their app.

But do they immediately cut off access attempts on the server side that come from older apps? No. They lick their finger and stick it in the air, and say: feels like time for a new version.

It’s bullshit. And the pushover masses just accept the ongoing excuse that the platform version must have become compromised to some significant threat -- without realising that the newer version bears more of the worst kinds of bugs: unknown bugs, which cannot be controlled for.

Banks don’t have to explain it because countless boot-licking customers will just play along. After all, these are people willing to dance for Google and feed Google their data in the first place.

But what about FOSS projects? When a FOSS project advances the API version, they are not part of the shitty capitalist regime of being as non-transparent as possible for business reasons. A FOSS project /could/ be transparent and say: we are advancing from version X to Y because vuln Z is directly relevant to our app and we cannot change our app in a way that counters the vuln.

The blame-culture side-effect of capitalism

Security analysis is not free. For banks and their suppliers, it is cheaper to bump up the AOS API than it is to investigate whether it is really necessary.

It parallels the pharmaceutical industry, where it would cost more to test meds for an accurate date of expiry. So they don’t bother... they just set an excessively safe, very early expiration date.

Android version pushing is ultimately a consequence of capitalist blame-culture. Managers within an organisation simply do not want to be blamed for anything because it’s bad for their personal profit. Shedding responsibility is the name of the game. And outsourcing is the strategy. They just need to be able to point the blame away from themselves if something goes wrong.

Blindly chasing the bleeding-edge latest versions of software is actually security-ignorant¹ but upper management does not know any better. In the event of a compromise, managers know they can simply shrug and say “we used the latest versions” knowing that upper managers, shareholders, and customers are largely deceived into believing “the latest is the greatest”.

¹ Well informed infosec folks know that it’s better to deal with the devil you know (known bugs) than it is to blindly take a new unproven version that is rich in unknown bugs. Most people are ignorant about this.

Research needed

I speak from general principles in the infosec discipline, but AFAIK there is no concrete research specifically in the context of the onslaught of premature obsolescence by Android app developers. It would be useful to have some direct research on this, because e-waste is a problem and credible science is a precursor to action.

2

Hey there. Recently I got such a message: RQAAL TDTJX KWISK QBJCB DNQSS ZYFLM. I need to decode it.

3

The background is here. In short, an SSD with the “Apacer” brand froze itself into read-only mode, presumably due to reaching a point of poor reliability.

The data on the drive is useless. It was partway through installing Linux when it happened. I would like to reverse that switch to make one last write operation (to write a live Linux distro), after which it can be read-only.

I have heard some speculation that the manufacturer uses a password to impose read-only mode. If true, then the password would be in the drive’s firmware. Does anyone know what Apacer uses for this password?

4

aspe:keyoxide.org:3VP5CIVZ6MQ767ELCSBRCPSV4M

5

I tested using Google's Gemini as a helping hand in Linux log based threat hunting - and it is actually helpful, although not ready to take the security analyst's job (yet).

6

A blog post I made based on discussions at a conference last week - we need to teach smart things like self driving cars and ships to defend themselves against cyber attacks. This outlines how we should approach it.

7

cross-posted from: https://programming.dev/post/8121843

~n (@nblr@chaos.social) writes:

This is fine...

"We observed that participants who had access to the AI assistant were more likely to introduce security vulnerabilities for the majority of programming tasks, yet were also more likely to rate their insecure answers as secure compared to those in our control group."

[Do Users Write More Insecure Code with AI Assistants?](https://arxiv.org/abs/2211.03622)

8

Hello everyone!

My name is Anton Kachanov. I am an information security specialist and I have 7 years’ experience in developing different secure solutions for the pharmaceutical industry and for some big international binary trading platforms.

Every year we have fewer and fewer rights to privacy online. Our messages and our files from online storage may be easily disclosed to third parties. And our money from online payment systems may be easily stolen.

It doesn’t have to be this way, and today I will look at several real cases of privacy violations and talk about my products and how I am going to ensure the privacy of my online life and, I hope, yours.

Messengers

In 2023 our life is impossible without messengers. I use various instant messengers every day at work and at home. It’s free, fast and easy. But I would also like it to be safe and private.

Unfortunately, all well-known and widely used instant messengers are not safe and private.

On the Tor network it is easy to find a person willing to hack your account in Viber, WhatsApp, Telegram, Facebook and Instagram for only 100–200 dollars.

In addition, using your messenger, it is easy to violate human rights. An acquaintance of mine from Russia was the admin of a small group on Telegram and he actively spoke out against the war between Russia and Ukraine in this group. In Russia, a criminal case was opened against him for insulting government officials and slander.

In addition, for the last couple of years I have been regularly receiving spam from scammers 2–3 times a month.

All this prompted me to create my own messenger called “Mystery Messenger”. It does not have the shortcomings that I indicated above.

The main highlight of my messenger is lack of registration. You don’t need to create an account and you don’t need to verify your phone number.

All information about yourself like avatar, name, last name, and all messages will be stored on your device. No need to worry about free space on your phone. In fact, it does not take up as much space as it might seem at first glance. All instant messengers store local copies of all your messages on your phone to reduce the load on their servers.

Due to the fact that your account is not stored on the server, it is impossible to find you on the server by name or by telephone number. This will completely rid you of spammers and scammers.

To start a new chat with somebody, you need to share your QR-code with him. After that, he will be saved in your contacts list and you will be able to write to him any time.

All messages and all information about you will be encrypted with an asymmetric cipher on your device and sent to your counterpart in encrypted form through my servers, and will be completely deleted from the server after they are received.

So if someone hacks my server, they won’t be able to get access to all your messages. And even if they get access to one or two of your undelivered messages, they will not be able to read them. I also will not be able to read your messages, because with an asymmetric cipher only the sender and the recipient can decrypt them. You can read more about asymmetric ciphers on the internet.

I have already developed the server and the client application will be available in May 2024.

This and other projects can be found on my official website. The link will be at the end of this article.

Cloud storage

Today, cloud storage is a popular and most convenient way to store your data.

Firstly, you save space on your device. Secondly, it is very convenient to share your data with anyone. This is convenient for individual use and for business.

However, today cloud-based storage is one of the leading targets for hackers:

  • In 2022 39% of businesses experienced a data breach in their cloud environment;
  • In 2023 75% of businesses said more than 40% of data stored in the cloud is sensitive (on average only 45% of this sensitive data is encrypted).

Giants that provide cloud storage services, such as Google, Microsoft and Dropbox, don’t want to provide reliable protection of users’ data!

Unfortunately, until recently I was forced to choose one of the existing public solutions, but last month I launched beta testing of my secure online storage “FortressCloud”. And anyone can participate in beta testing and give me feedback on how I can make it better.

The main highlight of my solution is the key generation algorithm.

Each file will be encrypted with a set of unique keys, so one file will be separated into many chunks and each chunk will be encrypted with its own unique key! Decryption keys or their hash sums are not stored either on the server or on the user’s device.

Keys will be generated on the fly from your key-phrase on the client side; after that the file will be encrypted on your device and sent to the server in encrypted form.

Thus, hacking my server or even a user’s personal device usually will not allow an attacker to gain access to files stored in the cloud!

This and other projects can be found on my official website. The link will be at the end of this article.

Finance

Today, many of us use different payment systems for quick transfers to other countries. It’s easy and fast.

But finding a reliable and proven solution is not easy. Some payment systems are unreliable and some allow themselves to block customer accounts, sometimes without giving reasons.

Personally, I have a problem with several payment systems that I use. I’m Russian and I live in Cyprus, but I do not have citizenship, and I recently renewed my residence permit.

Despite the fact that I submitted an application for renewal of the permit a month before the expiration of the first one, I received a new one 1.5 months after the expiration of the old one.

And many payment systems just froze my accounts until I provided them with a renewed document. This was honestly earned money, on which taxes were paid. But payment systems don’t care.

But for today, to avoid such problems, you can use cryptocurrencies. Many crypto wallets do not require you to verify your identity, and you will not have the same problems as I did. But many people do not understand what cryptocurrencies are and how to work with them.

My payment system, called “Black” (it’s not racism, it’s just my favorite color, sorry), should solve this problem.

Firstly, it does not require identity confirmation. And secondly, my product will allow you to deposit crypto (or easily buy it with P2P payments) and convert it to any of 159 fiat currencies without commissions inside the “Black” system. You can use dollars, euros, Swiss francs, pounds sterling and many other currencies inside “Black”.

You will be able to withdraw it to your crypto-wallet or to your bank card with P2P payments.

In the future, it is planned to add the ability to pay for purchases, but for now I have an MVP where you can just make a deposit from your crypto-wallet to your “Black” account, convert it to any of 159 currencies, send and receive money in a useful fiat currency from other customers, and withdraw it to your crypto-wallet.

This and other projects can be found on my official website. The link will be at the end of this article.

Before conclusion

While working on the above products I asked myself a question:

Having given the world anonymous messengers, anonymous cloud storage and even an anonymous payment system, will criminals use my products?

I have researched this issue, and I have a strong answer: “NO”. Criminals develop and use their own anonymous solutions. They will never trust or use third-party services.

So my projects will in no way increase the number of criminals and, unfortunately, will not reduce their number in any way.

But my projects will help make the online life private for everyone. I believe that every person deserves it.

Conclusion

Thank you for reading this article to the end.

I tried to make this article as short as possible and include only the key highlights of my solutions.

But if you are interested, you can find more details on my official website: https://akachanov.org/

There you can learn more about me and about all my projects, and contact me for any reason.

I will be glad to receive any feedback, advice and any support for my projects. All of them are currently being developed by one person and have no funding.

Best regards.

9

I am curious if anyone has advice on a good start to get into InfoSec. I just bought a car, used a separate phone number, and somehow marketers found my actual number, so I want to get a better handle on how to handle personal data.

10

Now ever since I got a label printer I made it a habit to... well... label everything. It's been a game changer in organizing my stuff.

This habit includes having a tiny label with my street address and mail address on most any item that I loan away or tend to regularly lug around with me, as a general reminder of ownership. I forget about and lose stuff all the time, so this gives me some peace of mind with most of my medium-value little gadgets. I believe (and have experienced) that people are generally decent and will return lost stuff to me if it's easy for them to find out to whom it belongs.

Now it has occurred to me that this practice might be detrimental when applied to smart cards in general and my Yubikeys in particular. After all, shouldn't a lost Yubikey be considered "tampered with/permanently lost" anyway, whether it's returned or not? And wouldn't an email address on the key just increase the risk of some immediate abuse of the key's contents, i.e. GPG private keys, that would otherwise not be possible?

Or am I overthinking this?

11

cross-posted from: https://lemmy.kevitprojects.com/post/8452

What do you guys think about this?

12

It was a meme about a cyber security guy not giving out his personal information, not even to girls he likes. I can't find it on here anymore