Privacy


Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

426
submitted 4 months ago* (last edited 4 months ago) by HoracyDarcy to c/privacy

Hi there! If I buy a computer on Amazon from a trusted brand like Apple or Lenovo, will they keep my name and address and connect that information to the serial numbers of the computer's parts? I'm especially worried about this when I visit various websites that track serial numbers from my PC while browsing or when using gaming platforms like Steam. Would it be wiser to purchase it from a physical store using cash, or a second-hand computer from eBay instead?

427

I've always had it on, but it's kind of a pain in the ass. Especially on worse (not necessarily slower) networks.

On laptop it's fine for the most part since the use-case is a bit different, but on a phone it's causing me some annoyances/issues.

With my carrier indoors it takes on average 62 seconds to connect. This is pretty annoying if toggling/switching VPN servers more often.
But when travelling (e.g.: in a train) it can make the difference from slightly spotty signal to almost never being connected successfully, impacting usability.

As such, I often find myself not even using VPN in such cases in the first place.
For comparison, plain WireGuard is done before I can pull away my finger from the "connect" button, usually even on 2G EDGE.

Do you keep this (perhaps a bit paranoid-level) option on?
Even if actually useful in the future, it would only protect traffic recorded from User to VPN anyway.

428

cross-posted from: https://lemmy.sdf.org/post/31274457

Archive

An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.

Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.

"This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, [said].

"We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

[...]

429

Fastbackgroundcheck.com says there's info on me on truthfinder, spokeo, peoplefinders and instantcheckmate. When I try going through all four of those sites, it takes a super long time, including a few times in the past when I tried getting reports on myself.

The progress bars reach 100% and reset continuously. If these sites are legitimate like some reddit users claim, then why not be upfront about wanting me to pay? Right now I'm convinced that these sites are snake oil; maybe they work if you pay, but the behavior of the free options turns me off. They act 100% like typical scam websites, the kind that ask you to complete three surveys on external sites with fake progress bars.

Basic info like my full name, address, age, and siblings can be found with search engines easily but I feel like there's no point in trying to wipe it if there aren't methods that could definitely work.

430

Archived version

Here is an Invidious link for the video (and 'Lola' part starts at ~5 minutes)

To demonstrate this, Sadoun introduces the audience to “Lola,” a hypothetical young woman who represents the typical web user that Publicis now has data about. “At a base level, we know who she is, what she watches, what she reads, and who she lives with,” Sadoun says. “Through the power of connected identity, we also know who she follows on social media, what she buys online and offline, where she buys, when she buys, and more importantly, why she buys.”

It gets worse. “We know that Lola has two children and that her kids drink lots of premium fruit juice. We can see that the price of the SKU she buys has been steadily rising on her local retailer’s shelf. We can also see that Lola’s income has not been keeping pace with inflation. With CoreAI, we can predict that Lola has a high propensity to trade down to private label,” Sadoun says, meaning that the algorithm apprehends whether Lola is likely to start buying a cheaper brand of juice. If the software decides this is the case, the CoreAI algo can automatically start showing Lola ads for those reduced price juice brands, Sadoun says.

431

@privacy Privacy Roundup: Week 11 of Year 2025

Hi Lemmy, shared with <3 from Mastodon.

https://avoidthehack.com/privacy-week11-2025

432
Blur Your House On Google (support.google.com)
submitted 4 months ago by [email protected] to c/privacy

cross-posted from: https://europe.pub/post/9313

cross-posted from: https://europe.pub/post/9311

In case you ever wanted to blur your house from Google Street View, you can. A little privacy, I suppose; it's pretty easy. You don't need a reason to do it. This is probably the only thing Google lets you opt out of, which is cool.

Originally posted on Reddit

437
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/privacy

cross-posted from: https://futurology.today/post/4000823

And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had differs from the outdated version reported in the GitHub thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with JavaScript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling JavaScript
  3. keeping software updated

my online habits have been tracked for over a year. Even if DuckDuckGo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc.), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the GitHub issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.

439

It looks like the Privacy Act might be a way to audit DOGE on a per-person level. Jamie Raskin has suggested mailing them a formal request for your data.

While there does appear to be precedent for this, I can't find much more information about it. So this is more of a thread in search of info.

Here is some from NPR:

The Privacy Act was once a quite sleepy law in my privacy classes. It's gotten increasing prominence in part because there's been so much compliance with the Privacy Act. You know, every agency now has to put out, you know, notices about having new collections of information in databases. And there's chief privacy officers at every agency. You have to pay attention to it and adhere to its commitments, which are to ensure that you don't collect information you shouldn't be collecting for a proper purpose, and that you're not sharing it unless you meet the conditions of the Privacy Act.

440
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/privacy

cross-posted from: https://programming.dev/post/26910708

My small company (less than 30 employees) has been using Skype for internal group meetings and messaging. Since it's closing, we're looking for alternatives.

I think few people in the company are privacy minded (one of the higher ups had to get scolded to stop using some random AI to listen to all his meetings and write summaries), so we need something with a low barrier to entry.

We have basically no IT department, so self hosting would be a challenge. We do self host a redmine server via docker, and we have to connect to it via VPN when we're off-site (we have several full time remote employees).

Our feature requirements are:

  - Group and individual messaging
  - Screen sharing
  - Meetings up to 2 hours
  - Inexpensive
  - Meetings with up to 10 participants
  - Windows (some people use Skype from their phones also, but not a requirement)
  - Minimal friction to setup and use
  - Minimal bugs (mature)

Some of the ideas floated: Teams, Discord, Google Meet, Signal, Telegram, Jami.

I really don't think we could pull off Matrix, but am I wrong? Which of these ideas bothers you the least? Is there something else I'm overlooking?

441

Join this tactical, practical, and heretical discussion between Meredith Whittaker, President of Signal and leading advocate for secure communication, and Guy Kawasaki, host of the Remarkable People podcast.

442

Someone made a compilation of academic reviews and blogposts here: https://community.signalusers.org/t/wiki-overview-of-third-party-security-audits/13243 but none of them seem to be real security audit reports, ex. compare with real security audits to Delta Chat: https://delta.chat/en/help#security-audits

443

Privacy rights groups have called on Apple’s legal challenge to a secret U.K. government order asking it to backdoor an end-to-end encrypted (E2EE) version of its iCloud storage service to be heard in public, rather than behind closed doors.

446

cross-posted from: https://lemmy.sdf.org/post/30887912

Here is the report Security and Trust: An Unsolvable Digital Dilemma? (pdf)

Police authorities and governments are calling for digital backdoors for investigative purposes - and the EU Commission is listening. The Centre for European Policy (cep) warns against a weakening of digital encryption. The damage to cyber security, fundamental rights and trust in digital infrastructures would be enormous.

[...]

The debate has become explosive due to the current dispute between the USA and the UK. The British government is demanding that Apple provide a backdoor to the iCloud to allow investigating authorities access to encrypted data. Eckhardt sees parallels with the EU debate: "We must prevent the new security strategy from becoming a gateway for global surveillance." Technology companies such as Meta, WhatsApp and Signal are already under pressure to grant investigators access to encrypted messages.

"Once you install a backdoor, you lose control over who uses it," says Küsters. Chinese hackers were recently able to access sensitive data through a vulnerability in US telecommunications networks - a direct consequence of the infrastructure there. Instead, Küsters advocates a strategy of "security by design", i.e. designing systems securely from the outset, and the increased use of metadata analyses and platform cooperation as viable alternatives to mass surveillance.

[...]

Lessons from across the Atlantic?

A recent episode from the US provides an illustrative cautionary tale. For decades, some US law enforcement and intelligence agencies advocated “exceptional access” to encrypted communications, claiming that only criminals needed such robust privacy protections – echoing the current debate in the EU. But over the past months, a dramatic shift occurred following revelations that Chinese state-sponsored hackers had infiltrated major US telecommunications networks, gaining access to call metadata and possibly even live calls (the so-called “Salt Typhoon” hack).

Specifically, the Chinese hackers exploited systems that US telecom companies had built to comply with federal wiretapping laws such as Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications firms to enable “lawful intercepts”. In theory, these built-in channels were supposed to only give law enforcement an exclusive window into suspect communications. In practice, however, they became a universal vulnerability that hostile actors could just as easily exploit.

Suddenly, the very government voices that once dismissed end-to-end encryption began recommending that citizens use encrypted messaging apps to maintain their security.

**What can we learn from this?**

While governments often push for greater surveillance capabilities, the real and current threat of state-sponsored cyber-espionage demonstrates the indispensable value of strong encryption. As the Electronic Frontier Foundation has noted, Salt Typhoon shows once more that there is no such thing as a backdoor that only the “good guys” can use.

If the mechanism exists, a malicious party will eventually find it and weaponise it. The lesson for Europe is clear: undermining encryption to aid investigations may prove short-sighted if it also exposes citizens – and state institutions – to hostile foreign interference. Is this really what we want to do in an increasingly challenging geopolitical environment? The debate about ensuring lawful and effective access to data in the digital age will remain one of the most pressing challenges, so we need to ask whether there are alternative, viable models.

[...]

447

cross-posted from: https://lemmy.sdf.org/post/30867694

Here you can download the report, Cybersecurity with Chinese Characteristics (pdf)

Archived

Through its Digital Silk Road, China is not only developing digital infrastructure, but also aggressively promoting its own norms for governing these technologies. One area where this is most pronounced is in the promotion of cybersecurity norms, says the NGO Article19 in a new report.

"The success of China’s digital norms-setting in this critical realm of internet governance risks supercharging digital authoritarianism regionally – and normalising Beijing’s model internationally – at the expense of human rights, internet freedom, and democracy," the organization finds.

Cybersecurity with Chinese Characteristics establishes a baseline understanding of China’s repressive cybersecurity norms and reveals how it is smuggling them, via the Trojan Horse of digital development, into 3 Indo-Pacific countries: Indonesia, Pakistan, and Vietnam. It also presents a compelling alternative model of cybersecurity governance: Taiwan’s transparent, rights-based, multi-stakeholder approach.

Michael Caster, Head of the Global China Programme at ARTICLE 19, said:

China’s aggressive promotion of authoritarian cybersecurity norms in the Indo-Pacific is a canary in the coalmine for the international community. Because make no mistake: Xi Jinping’s ambitions do not end there. We have it in their own words: China’s ambition is to lead the world in digital infrastructure, and with it, to set the rules for a new digital authoritarian future of its own design.

Few countries are as well-versed in responding to China’s cyberattacks and resisting its cyber norms as Taiwan. As our report argues, if the international community is serious about resisting China’s repressive global ambitions, it must urgently increase its engagement with Taiwan.

Through in-depth case studies, the report examines how countries in the Indo-Pacific region have adopted China’s norms in law, policy, and practice – from Indonesia’s embrace of ‘cyber sovereignty’ to Pakistan’s China-style firewall to Vietnam’s repressive content moderation – with catastrophic consequences for people’s right to free expression and access to information.

Faced with these threats, alternative norms for digital governance are urgently needed. As the report shows, Taiwan’s alternative, which seeks to balance the threats emanating from Beijing with efforts to avoid infringing on people’s human rights and fundamental freedoms, has much to offer global advocates engaged in developing these norms.

[...]

448

I haven't played Minecraft since 2015, but I get the feeling I might again in the next few years as I wanna find new hobbies. I know that game has changed a whole lot, but I don't have any official online data on it.

I've had this Microsoft account for over a decade and it's probably full of personal information that I wanna let go of; I've already exported all my data. I would need to pay $30 for another copy of Minecraft, the same price I paid in 2013. I just did a bunch of searching and it's not possible to transfer my Minecraft license to another account.

450

cross-posted from: https://lemmy.sdf.org/post/30804814

A former senior Facebook executive has told the BBC how the social media giant worked "hand in glove" with the Chinese government on potential ways of allowing Beijing to censor and control content in China.

Sarah Wynn-Williams - a former global public policy director - says in return for gaining access to the Chinese market of hundreds of millions of users, Facebook's founder, Mark Zuckerberg, considered agreeing to hiding posts that were going viral, until they could be checked by the Chinese authorities.

Ms Williams - who makes the claims in a new book - has also filed a whistleblower complaint with the US markets regulator, the Securities and Exchange Commission (SEC), alleging Meta misled investors. The BBC has reviewed the complaint.

Facebook's parent company Meta, says Ms Wynn-Williams had her employment terminated in 2017 "for poor performance".

It is "no secret we were once interested" in operating services in China, it adds. "We ultimately opted not to go through with the ideas we'd explored."

[...]

Ms Wynn-Williams says her allegations about the company's close relationship with China provide an insight into Facebook's decision-making at the time.

[...]

Ms Wynn-Williams claims that in the mid-2010s, as part of its negotiations with the Chinese government, Facebook considered allowing it future access to Chinese citizens' user data.

"He was working hand in glove with the Chinese Communist Party, building a censorship tool… basically working to develop sort of the antithesis of many of the principles that underpin Facebook," she told the BBC.

Ms Wynn-Williams says governments frequently asked for explanations of how aspects of Facebook's software worked, but were told it was proprietary information.

"But when it came to the Chinese, the curtain was pulled back," she says.

"Engineers were brought out. They were walked through every aspect, and Facebook was making sure these Chinese officials were upskilled enough that they could not only learn about these products, but then test Facebook on the censorship version of these products that they were building."

[...]

In her SEC complaint, Ms Wynn-Williams also alleges Mr Zuckerberg and other Meta executives had made "misleading statements… in response to Congressional inquiries" about China.

One answer given by Mr Zuckerberg to Congress in 2018 said Facebook was "not in a position to know exactly how the [Chinese] government would seek to apply its laws and regulations on content".

[...]
