Privacy

1
2
 
 

Archived

Pros:

  • Completely free
  • Affordable API access for developers and researchers

Cons:

  • Doesn’t keep your data safe
  • Occasionally incorrect
  • No deep research, image generation, or voice mode features
  • Slow responses
  • Obvious censorship
3
 
 

This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

BusKill Canary #010
The BusKill project just published their Warrant Canary #010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Status: All good
Release: 2025-06-16
Period: 2025-06-01 to 2026-05-31
Expiry: 2026-06-30

Statements
==========

The BusKill Team who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is July 16, 2025.

2. The current BusKill Signing Key (2020.07) is

   E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A

3. We positively confirm, to the best of our knowledge, that the 
   integrity of our systems are sound: all our infrastructure is in our 
   control, we have not been compromised or suffered a data breach, we 
   have not disclosed any private keys, we have not introduced any 
   backdoors, and we have not been forced to modify our system to allow 
   access or information leakage to a third party in any way.

4. We plan to publish the next of these canary statements before the
   Expiry date listed above. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Special announcements
=====================

1. We are changing from twice-yearly to once-yearly canaries

Disclaimers and notes
=====================

This canary scheme is not infallible. Although signing the 
declaration makes it very difficult for a third party to produce 
arbitrary declarations, it does not prevent them from using force or 
other means, like blackmail or compromising the signers' laptops, to 
coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to 
demonstrate that this canary could not have been created prior to the 
date stated. It shows that a series of canaries was not created in 
advance.

This declaration is merely a best effort and is provided without any 
guarantee or warranty. It is not legally binding in any way to 
anybody. None of the signers should be ever held legally responsible 
for any of the statements made here.

Proof of freshness
==================

16 Jun 25 19:17:39 UTC

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
"Teacher Li": Catching Up with the Most Effective Chinese Regime Opponent
Firing at the Desperate: Palestinians Killed as They Gather to Receive Relief Supplies

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Live Updates: Israel Strikes Iranian State TV as It Expands Targets in Tehran
With No Clear Off-Ramp, Israel’s War With Iran May Last Weeks, Not Days

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
No further damage seen at Iran nuclear sites, global watchdog says
'Nowhere feels safe': Iranians on life under Israeli attacks

Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)
00000000000000000000f2c3a15949aac2f6d7bc153330a4fca496f68c8c4b21

Footnotes
=========

[1] https://docs.buskill.in/buskill-app/en/stable/security/pgpkeys.html

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

What is a Warrant Canary?

The BusKill team publishes cryptographically signed warrant canaries on an annual basis.

Although security is one of our top priorities, we might not be able to inform you of a breach if served with a State-issued, secret subpoena (gag order).

The purpose of publishing these canary statements is to indicate to our users the integrity of our systems.

For more information about BusKill canaries, see:

To view all past canaries, see:

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you and your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.
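A reader-side check of the canary's date fields, added here as an example (it is not BusKill's own tooling): once the signature has been verified separately, for instance with `gpg --verify`, it parses the Status/Release/Period/Expiry header, statement 1 and the proof-of-freshness timestamp and reports anything inconsistent or overdue. The function names, the finding labels and the assumption that "All good" is the only healthy status are choices made for this example.

```python
import re
from datetime import date, datetime

# Header fields, statement 1 and the freshness timestamp, copied from the
# canary quoted in the post above; the rest of the body is omitted here.
CANARY_BODY = """\
Status: All good
Release: 2025-06-16
Period: 2025-06-01 to 2026-05-31
Expiry: 2026-06-30

1. The date of issue of this canary is July 16, 2025.

Proof of freshness
==================

16 Jun 25 19:17:39 UTC
"""

HEADER_RE = re.compile(r"^(Status|Release|Period|Expiry):[ \t]*(.+?)[ \t]*$", re.M)
ISSUED_RE = re.compile(r"date of issue of this canary is ([A-Z][a-z]+ \d{1,2}, \d{4})")
FRESH_RE = re.compile(r"^(\d{1,2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) UTC[ \t]*$", re.M)


def parse_canary(body):
    """Extract the dated fields from an already signature-verified canary body."""
    fields = dict(HEADER_RE.findall(body))
    missing = {"Status", "Release", "Period", "Expiry"} - fields.keys()
    if missing:
        raise ValueError("canary header lacks: " + ", ".join(sorted(missing)))
    start, end = (date.fromisoformat(p.strip()) for p in fields["Period"].split(" to "))
    issued = ISSUED_RE.search(body)
    fresh = FRESH_RE.search(body)
    return {
        "status": fields["Status"],
        "release": date.fromisoformat(fields["Release"]),
        "period": (start, end),
        "expiry": date.fromisoformat(fields["Expiry"]),
        # Date written out in statement 1, if present.
        "issued": datetime.strptime(issued.group(1), "%B %d, %Y").date() if issued else None,
        # Day on which the news headlines were sampled.
        "fresh": datetime.strptime(fresh.group(1), "%d %b %y %H:%M:%S").date() if fresh else None,
    }


def check_canary(body, today):
    """Return a list of finding labels; an empty list means nothing stood out."""
    c = parse_canary(body)
    findings = []
    if c["status"].lower() != "all good":  # assumed healthy value
        findings.append("status-not-good")
    if today > c["expiry"]:
        # Statement 4: a successor should exist before the Expiry date.
        findings.append("past-expiry")
    if not c["period"][0] <= c["release"] <= c["period"][1]:
        findings.append("release-outside-period")
    if c["issued"] is not None and c["issued"] != c["release"]:
        findings.append("issue-date-differs-from-release")
    if c["fresh"] is None:
        findings.append("no-freshness-timestamp")
    elif c["fresh"] > c["release"]:
        # Headlines sampled after the stated release date contradict the header.
        findings.append("freshness-after-release")
    return findings


if __name__ == "__main__":
    for day in (date(2025, 7, 1), date(2026, 7, 1)):
        print(day, check_canary(CANARY_BODY, day))
```

A finding is a prompt to look closer, not proof of compromise; the canary's own statement 4 asks readers to take note of a missed expiry or unexplained changes.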

4
 
 

cross-posted from: https://lemmy.sdf.org/post/36376926

Archived

On June 4, during a meeting with government officials, Vladimir Putin stated that all public services must be moved to the national messenger app called Max. According to Minister of Digital Development Maksut Shadayev, the multiplatform system is already operational.

[...]

The Max app — a Russian equivalent of China’s WeChat — was unveiled by the tech giant VK in late March. At present, it features a messenger, a chatbot builder, a payment system, and mini-apps. On June 5, VTB’s digital bank launched on the platform.

To register, a Belarusian or Russian SIM card is required — which, as The Insider noted, foreigners can no longer obtain without submitting biometric data.

As stated in the Max app’s privacy policy, the platform will collect data on:

  • user devices
  • IP address
  • operating system
  • browser
  • location
  • internet provider
  • contacts from the address book
  • all user activity within the service
  • information obtained through the camera or microphone, if the user grants the app access (most users will, for example, in order to record voice messages)

Other messaging apps collect such data as well, but there's a catch. The Max app's privacy policy explicitly states that it may share this data with the “company's partners” as well as with “any government or local authority.”

[...]

5
 
 

Archived

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

  • Email addresses
  • Mobile phone numbers
  • Biography, avatar URLs, and profile links
  • TikTok user IDs, usernames, and nicknames
  • Account flags like private_account, secret, verified, and ttSeller status.
  • Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

[...]

6
 
 

cross-posted from: https://lemmy.sdf.org/post/36242205

Archived

  • Hundreds of millions of users are likely exposed.
  • Data leak contained billions of documents with financial data, WeChat and Alipay details.
  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humungous, 631 gigabytes-strong database was left without a password, publicizing mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

"Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]

7
 
 

cross-posted from: https://lemmy.sdf.org/post/36106116

Archived

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.

8
 
 

cross-posted from: https://lemmy.sdf.org/post/35993881

[...]

Under draft legislation that the State Duma approved at first reading on May 22, 2025, a bill will require banks and merchants to facilitate digital ruble transactions and a universal QR payment code for purchases. Beginning October 1, 2025, the digital ruble will be used for a limited range of federal budget expenditures, transitioning on January 1, 2026, to full, unrestricted use for all federal outlays.

[...]

Kremlin financiers will track every digital ruble transaction in real time, granting authorities the power to block citizens’ accounts without a court order and automatically deduct taxes, fines, and other charges. Social benefits payable in digital rubles will be usable only for government‐approved categories of goods and services, and spending may be restricted based on a citizen’s place of residence or product type.

[...]

Critics—from human rights groups to economic analysts—argue the digital ruble will entrench state surveillance. According to The Cryptonomist, Russia’s CBDC may replicate China’s model of monitoring every transaction, but with even tighter Kremlin oversight. Ukrainian intelligence observers highlight the risk of a “behavioral loyalty” system, where digital currency access depends on citizens’ political and social “reliability.”

Previously, it was reported that Latvia’s Defense Intelligence and Security Service released a 48-page public handbook designed to help civilians identify and report suspected Russian operatives. The guide details indicators such as ragged appearance and suspicious behavior, offers safe reporting practices, and includes case studies illustrating espionage tactics in both urban and rural settings.

[...]

9
 
 

Native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent, says a report published by a team of researchers from Spain-based IMDEA Networks Internet Analytics Group, and Dutch Radboud University.

Here is the technical report: https://localmess.github.io/

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

[...]

10
 
 

cross-posted from: https://lemmy.sdf.org/post/35915645

Archived

TikTok introduced a slew of new advertiser tools at the company’s annual advertiser summit on June 3rd. The new products range from AI-powered ad tools to new features connecting creators and brands, but the overall picture is clear: advertiser content on TikTok is about to become much more tailored and specific.

The company will give brands precise details about how their target audience is using the platform — including AI-generated suggestions on ads to run. Using a tool called Insight Spotlight, advertisers will be able to sort by user demographics and industry to see what videos users in the target group are watching and what keywords are associated with popular content. In an example provided by TikTok, an AI-generated suggestion recommends that a brand “produce video content focused on ‘hormonal health’ for female, English-speaking users” and to include a specific keyword. Another feature in Insight Spotlight analyzes users’ viewing history to identify types of content that are bubbling up.

[...]

11
 
 

cross-posted from: https://lemmy.sdf.org/post/35817780

Archived

TikTok has launched a High Court challenge to a €530m fine imposed on it by the Data Protection Commission (DPC).

It is the latest legal attempt by Big Tech to overturn penalties imposed by the Irish privacy regulator. Of the more than €4bn in fines levied on companies including Meta and Amazon, only €20m has been paid so far.

The other penalties are being challenged in the Irish courts. There is no date set for any of the hearings, as a decision is awaited from the European Court of Justice on a key legal point.

[...]

“TikTok failed to verify, guarantee and demonstrate that the personal data of European Economic Area (EEA) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” DPC deputy commissioner Graham Doyle said at the time.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

[...]

In a further “serious development”, the DPC noted that, throughout its inquiry, TikTok had said it did not store EEA user data on servers in China. However, in April it told the regulator that, two months earlier, it discovered that “limited” data had in fact been stored on Chinese servers.

“TikTok informed the DPC that this discovery meant it had provided inaccurate information to the inquiry,” the regulator pointed out. The DPC is currently engaging with other European data regulators on that issue.

12
 
 

cross-posted from: https://lemmy.sdf.org/post/35554000

Archived

[...]

Chinese hackers targeted the Czech Foreign Ministry in a sophisticated cyberattack that lasted more than a year, the government said Tuesday, formally blaming Beijing for infiltrating one of the country’s most sensitive communication systems.

[...]

Foreign Minister Jan Lipavský summoned the Chinese ambassador to Prague, Feng Biao, on Tuesday morning to formally protest the cyberattack. He said the ministry’s system had long suffered from outdated technology and security flaws, which made the breach possible.

[...]

This cyberattack didn’t expose personal data but shows ongoing risks to [...] security. Outdated systems leave sensitive government info vulnerable, which could affect national security and public services. Cooperation with NATO, the EU, and allies aims to prevent future attacks and protect services like passports and healthcare. While your data wasn’t at risk this time, the breach highlights the growing need for strong cybersecurity to keep information safe.

13
 
 


14
 
 

cross-posted from: https://lemmy.sdf.org/post/33723368

Archived

European Union privacy watchdogs fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app’s data transfers to China breached strict data privacy rules in the EU.

Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and it ordered the company to comply with the rules within six months.

[...]

TikTok, whose parent company ByteDance is based in China, has been under scrutiny in Europe over how it handles personal information of its users amid concerns from Western officials that it poses a security risk over user data sent to China. In 2023, the Irish watchdog also fined the company hundreds of millions of euros in a separate child privacy investigation.

[...]

The Irish watchdog said its investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data under Chinese laws on anti-terrorism, counter-espionage, cybersecurity and national intelligence that were identified as “materially diverging” from EU standards.

[...]

TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn’t store European user data on Chinese servers. It wasn’t until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers.

[...]

15
 
 

cross-posted from: https://lemmy.sdf.org/post/33548424

Archived

  • The agency said that before DeepSeek’s chatbot was removed from app stores in South Korea, the company was transferring user data to firms in China and the U.S. without consent.
  • The findings were released in relation to an ongoing investigation into DeepSeek, and the company has been sent corrective recommendations.

South Korea’s data protection authority has concluded that Chinese artificial intelligence startup DeepSeek collected personal information from local users and transferred it overseas without their permission.

The authority, the Personal Information Protection Commission [PIPC], released its written findings on Thursday in connection with a privacy and security review of DeepSeek.

It follows DeepSeek’s removal of its chatbot application from South Korean app stores in February at the recommendation of PIPC.

[...]

During DeepSeek’s presence in South Korea, it transferred user data to several firms in China and the U.S. without obtaining the necessary consent from users or disclosing the practice, the PIPC said.

The agency highlighted a particular case in which DeepSeek transferred information from user-written AI prompts, as well as device, network, and app information, to a Chinese cloud service platform named Beijing Volcano Engine Technology Co.

[...]

When the data protection authority announced the removal of DeepSeek from local app stores, it signaled that the app would become available again once the company implemented the necessary updates to comply with local data protection policy.

That investigation followed reports that some South Korean government agencies had banned employees from using DeepSeek on work devices. Other global government departments, including in Taiwan, Australia, and the U.S., have reportedly instituted similar bans.

16
 
 

cross-posted from: https://lemmy.sdf.org/post/33122696

[...]

The first rupture appeared on January 29 when cloud security firm Wiz stumbled upon an exposed ClickHouse database tagged “ds‑log‑prod‑001". Anyone with a browser could have accessed more than a million log lines: raw chat history, API keys, and even internal service tokens. Wiz engineers demonstrated that with two clicks they could seize “full database control", inject malicious code and pivot into the rest of DeepSeek’s infrastructure.

A week later mobile forensics specialists at NowSecure published a parallel autopsy of the iOS build. Their findings read like a checklist of everything Apple’s security team tells developers not to do: hard‑coded encryption keys, deprecated 3DES ciphers and App Transport Security switched off globally, allowing chats to travel unencrypted. The company urged enterprises to ban the app outright. However, DeepSeek’s parentage turned out to be even more troubling.

Corporate registries in Zhejiang and the Cayman Islands show the chatbot is a wholly owned offshoot of High‑Flyer Quant, a hedge fund founded in 2016 by the 38‑year‑old trader and CEO of Deepseek, Liang Wenfeng. Reuters reporting confirms that High‑Flyer pivoted from equity markets to artificial intelligence research in 2023, building two super‑computing clusters stuffed with Nvidia A100 processors before US export controls came into force.

[...]

Sources say the Computer Emergency Response Team of India (CERT‑In) is preparing a broader advisory under the new Digital Personal Data Protection Act that could push local app stores to delist the software if it fails a security audit. Other democracies have gone further: Italy, Australia and Taiwan have banned DeepSeek from public‑sector systems, with Taipei warning of “systemic espionage risk".

[...]

High‑Flyer Quant’s pitch decks boast of “harvesting alternative data at planetary scale". If every trade idea whispered into DeepSeek ends up in a Hangzhou warehouse, the company enjoys a real‑time map of market sentiment unavailable to Wall Street — and unpoliced by the Securities and Exchange Commission. For American fund managers and Indian startups alike, using the chatbot could be tantamount to CC‑ing a rival on every brainstorming session.

[...]

17
 
 

cross-posted from: https://lemmy.sdf.org/post/32102322

Archived

TikTok owner ByteDance is set to be hit by a privacy fine of more than €500 million for illegally shipping European users’ data to China, adding to the growing global backlash over the video-sharing app.

Ireland’s data protection commission, the company’s main regulator in Europe, will issue the penalty against TikTok before the end of the month, according to people familiar with the matter.

The move comes after a lengthy investigation found the Chinese business fell foul of the European Union’s General Data Protection Regulation in sending the information to China to be accessed by engineers, added the people, who spoke under condition of anonymity.

[...]

As part of the decision from Ireland’s data protection commission, the regulator will order TikTok to suspend the unlawful data processing in China within a set time frame. China has long provoked the ire of privacy activists, who claim that the nation’s mass surveillance regime violates fundamental rights.

TikTok has been in the crosshairs of the Irish data protection commission before. In September 2023, it was fined €345 million for alleged lapses in the way it cares for children’s personal data. The watchdog has also sounded the alarm over Big Tech firms shipping the personal data of European citizens outside of the 27-member bloc, slapping a record €1.2 billion fine against Facebook owner Meta Platforms Inc. for failing to protect personal information from the American security services.

The Irish probe into TikTok started in 2021, when the regulator’s then head Helen Dixon claimed that EU user data could be accessed by “maintenance and AI engineers in China.”

[...]

18
 
 

cross-posted from: https://lemmy.sdf.org/post/31957116

Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company." Qihoo did not respond to questions about its app-related holdings.

[...]

VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been used by people around the world to sidestep government censorship or surveillance, or because they believe it will improve their online security. In the U.S., kids often download free VPNs to play games or access social media during school hours.

However, VPNs can themselves pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can force companies in that country to secretly share access to their users’ data with the government.

[...]

The VPN apps identified by TTP have been downloaded more than 70 million times from U.S. app stores, according to data from AppMagic, a mobile apps market intelligence firm.

[...]

The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. The company has repeatedly sought to fend off antitrust legislation designed to loosen its control of the App Store by arguing such efforts could compromise user privacy and security. But TTP’s investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect. More than a dozen of the Chinese VPNs were also available in Apple’s App Store in France in late February, showing that the issue extends to other Western markets.

[...]

19
 
 

cross-posted from: https://lemmy.sdf.org/post/31274457

Archive

An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.

Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.

"This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, [said].

"We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

[...]
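A detection-side view of the whitespace padding described in the post above, added here as an example (not code from Trend Micro, Microsoft or the quoted article): it reads the COMMAND_LINE_ARGUMENTS string out of a .LNK file following the published Shell Link binary layout and flags a long whitespace run that has content after it. The function names, the 32-character threshold and the sample shortcut with its placeholder payload are assumptions constructed for this example.

```python
import struct

# LinkFlags bits from the Shell Link header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x10, 0x20, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
WHITESPACE = " \t\n\x0b\x0c\r"


def read_arguments(data):
    """Return the COMMAND_LINE_ARGUMENTS string of a .LNK file, or None."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                   # fixed-size header
    if flags & HAS_ID_LIST:                    # 2-byte size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # 4-byte size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    # StringData entries appear in this fixed order, each only if its flag is set.
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # length in characters
        raw = data[off + 2: off + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        off += 2 + count * width
        if bit == HAS_ARGUMENTS:
            codec = "utf-16-le" if width == 2 else "cp1252"
            return raw.decode(codec, errors="replace")
    return None


def assess_arguments(args, max_run=32):
    """Flag arguments where a long whitespace run is followed by more content."""
    args = args or ""
    longest = run = end_of_longest = 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in WHITESPACE else 0
        if run > longest:
            longest, end_of_longest = run, i + 1
    trailing = args[end_of_longest:].strip(WHITESPACE)
    return {
        "length": len(args),
        "longest_whitespace_run": longest,
        "content_after_run": bool(trailing),
        # max_run is an assumed, tunable threshold.
        "suspicious": longest >= max_run and bool(trailing),
    }


def build_sample_lnk(arguments):
    """Constructed test input: bare header plus a Unicode arguments string."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(76 - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    padded = build_sample_lnk(" " * 2000 + "\t\r\n" * 100 + "PLACEHOLDER-COMMAND")
    benign = build_sample_lnk("--profile default --no-splash")
    for name, blob in (("padded", padded), ("benign", benign)):
        print(name, assess_arguments(read_arguments(blob)))
```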

20
 
 

cross-posted from: https://slrpnk.net/post/19675447

Archived version

Here is an Invidious link for the video (and 'Lola' part starts at ~5 minutes)

To demonstrate this, Sadoun introduces the audience to “Lola,” a hypothetical young woman who represents the typical web user that Publicis now has data about. “At a base level, we know who she is, what she watches, what she reads, and who she lives with,” Sadoun says. “Through the power of connected identity, we also know who she follows on social media, what she buys online and offline, where she buys, when she buys, and more importantly, why she buys.”

It gets worse. “We know that Lola has two children and that her kids drink lots of premium fruit juice. We can see that the price of the SKU she buys has been steadily rising on her local retailer’s shelf. We can also see that Lola’s income has not been keeping pace with inflation. With CoreAI, we can predict that Lola has a high propensity to trade down to private label,” Sadoun says, meaning that the algorithm apprehends whether Lola is likely to start buying a cheaper brand of juice. If the software decides this is the case, the CoreAI algo can automatically start showing Lola ads for those reduced price juice brands, Sadoun says.

21
 
 

Firefox may be incompatible with DFSG and probably other similar principles and TOS.

From the bug report:

The new Terms of Use, from what I can see, are in violation of the DFSG points 5 and 6:

  5. No discrimination against persons or groups

Rationale:

The terms of use grant Mozilla the right to terminate anyone's access:

Mozilla can suspend or end anyone’s access to Firefox at any
time for any reason

https://www.mozilla.org/en-US/about/legal/terms/firefox/#mozilla-can-update-or-terminate-this-agreement

  6. No discrimination against fields of endeavor

Rationale:

The terms of use don't allow you to use Firefox to break the law. While this seems a reasonable term, it wouldn't be so reasonable for a dissident in an oppressive country.

you agree that you will not use Firefox to [...] violate any
applicable laws or regulations.

...

Apart from these violations of the DFSG, Firefox now has permission to leak user data to Mozilla, and who knows who else they decide to sell it later. This is a security bug.

You give Mozilla all rights necessary to operate Firefox,
including processing data as we describe in the Firefox Privacy
Notice, as well as acting on your behalf to help you navigate
the internet.  When you upload or input information through
Firefox, you hereby grant us a nonexclusive, royalty-free,
worldwide license to use that information to [...]
22
 
 

cross-posted from: https://lemmy.sdf.org/post/30887912

Here is the report Security and Trust: An Unsolvable Digital Dilemma? (pdf)

Police authorities and governments are calling for digital backdoors for investigative purposes - and the EU Commission is listening. The Centre for European Policy (cep) warns against a weakening of digital encryption. The damage to cyber security, fundamental rights and trust in digital infrastructures would be enormous.

[...]

The debate has become explosive due to the current dispute between the USA and the UK. The British government is demanding that Apple provide a backdoor to the iCloud to allow investigating authorities access to encrypted data. Eckhardt sees parallels with the EU debate: "We must prevent the new security strategy from becoming a gateway for global surveillance." Technology companies such as Meta, WhatsApp and Signal are already under pressure to grant investigators access to encrypted messages.

"Once you install a backdoor, you lose control over who uses it," says Küsters. Chinese hackers were recently able to access sensitive data through a vulnerability in US telecommunications networks - a direct consequence of the infrastructure there. Instead, Küsters advocates a strategy of "security by design", i.e. designing systems securely from the outset, and the increased use of metadata analyses and platform cooperation as viable alternatives to mass surveillance.

[...]

Lessons from across the Atlantic?

A recent episode from the US provides an illustrative cautionary tale. For decades, some US law enforcement and intelligence agencies advocated “exceptional access” to encrypted communications, claiming that only criminals needed such robust privacy protections – echoing the current debate in the EU. But over the past months, a dramatic shift occurred following revelations that Chinese state-sponsored hackers had infiltrated major US telecommunications networks, gaining access to call metadata and possibly even live calls (the so-called “Salt Typhoon” hack).

Specifically, the Chinese hackers exploited systems that US telecom companies had built to comply with federal wiretapping laws such as the Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications firms to enable “lawful intercepts”. In theory, these built-in channels were supposed to only give law enforcement an exclusive window into suspect communications. In practice, however, they became a universal vulnerability that hostile actors could just as easily exploit.

Suddenly, the very government voices that once dismissed end-to-end encryption began recommending that citizens use encrypted messaging apps to maintain their security.

What can we learn from this?

While governments often push for greater surveillance capabilities, the real and current threat of state-sponsored cyber-espionage demonstrates the indispensable value of strong encryption. As the Electronic Frontier Foundation has noted, Salt Typhoon shows once more that there is no such thing as a backdoor that only the “good guys” can use.

If the mechanism exists, a malicious party will eventually find it and weaponise it. The lesson for Europe is clear: undermining encryption to aid investigations may prove short-sighted if it also exposes citizens – and state institutions – to hostile foreign interference. Is this really what we want to do in an increasingly challenging geopolitical environment? The debate about ensuring lawful and effective access to data in the digital age will remain one of the most pressing challenges, so we need to ask whether there are alternative, viable models.

[...]

23
 
 

cross-posted from: https://lemmy.sdf.org/post/30804814

A former senior Facebook executive has told the BBC how the social media giant worked "hand in glove" with the Chinese government on potential ways of allowing Beijing to censor and control content in China.

Sarah Wynn-Williams - a former global public policy director - says in return for gaining access to the Chinese market of hundreds of millions of users, Facebook's founder, Mark Zuckerberg, considered agreeing to hiding posts that were going viral, until they could be checked by the Chinese authorities.

Ms Wynn-Williams - who makes the claims in a new book - has also filed a whistleblower complaint with the US markets regulator, the Securities and Exchange Commission (SEC), alleging Meta misled investors. The BBC has reviewed the complaint.

Facebook's parent company, Meta, says Ms Wynn-Williams had her employment terminated in 2017 "for poor performance".

It is "no secret we were once interested" in operating services in China, it adds. "We ultimately opted not to go through with the ideas we'd explored."

[...]

Ms Wynn-Williams says her allegations about the company's close relationship with China provide an insight into Facebook's decision-making at the time.

[...]

Ms Wynn-Williams claims that in the mid-2010s, as part of its negotiations with the Chinese government, Facebook considered allowing it future access to Chinese citizens' user data.

"He was working hand in glove with the Chinese Communist Party, building a censorship tool… basically working to develop sort of the antithesis of many of the principles that underpin Facebook," she told the BBC.

Ms Wynn-Williams says governments frequently asked for explanations of how aspects of Facebook's software worked, but were told it was proprietary information.

"But when it came to the Chinese, the curtain was pulled back," she says.

"Engineers were brought out. They were walked through every aspect, and Facebook was making sure these Chinese officials were upskilled enough that they could not only learn about these products, but then test Facebook on the censorship version of these products that they were building."

[...]

In her SEC complaint, Ms Wynn-Williams also alleges Mr Zuckerberg and other Meta executives had made "misleading statements… in response to Congressional inquiries" about China.

One answer given by Mr Zuckerberg to Congress in 2018 said Facebook was "not in a position to know exactly how the [Chinese] government would seek to apply its laws and regulations on content".

[...]

24
 
 

We're very happy to share Techlore's video review of the BusKill Kill Cord.

BusKill Techlore Review
Can't see video above? Watch it on PeerTube at neat.tube or on YouTube at youtu.be/Zns0xObbOPM

Disclaimer: We gave Techlore a free BusKill Kit for review; we did not pay them nor restrict their impartiality and freedom to publish an independent review. For more information, please see Techlore's Review Unit Protocols policy. We did require them to make the video open-source as a condition of receiving this free review unit. The above video is licensed CC BY-SA; you are free to redistribute it. If you are a video producer and would like a free BusKill Kit for review, please contact us

To see the full discussion about this video on the Techlore forums, see:

Support BusKill

We're looking forward to continuing to improve the BusKill software and looking for other avenues to distribute our hardware BusKill cable to make it more accessible this year.

If you want to help, please consider purchasing a BusKill cable for yourself or a loved one. It helps us fund further development, and you get your own BusKill cable to keep you or your loved ones safe.

Buy a BusKill Cable
https://buskill.in/buy

You can also buy a BusKill cable with bitcoin, monero, and other altcoins from our BusKill Store's .onion site.

Stay safe,
The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/

25
 
 

cross-posted from: https://lemmy.sdf.org/post/30014783

U.S. Federal Trade Commission urged to investigate Google’s RTB data in first ever complaint under new national security data law.

Google sends enormous quantities of sensitive data about Americans to China and other foreign adversaries, according to evidence in a major complaint filed today at the FTC by Enforce and EPIC. This is the first ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act.

The complaint (open pdf) targets a major part of Google’s business: Google’s Real-Time Bidding (RTB) system dominates online advertising, and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue is RTB.

Today’s complaint reveals that Google has known for at least a decade that its RTB technology broadcasts sensitive data without any security, according to internal Google discussions highlighted in today’s complaint.

The complaint cites internal Google communications showing that Google CEO, Sundar Pichai, rejected or failed to act upon internal calls (example) to reform the company’s dangerous RTB system in 2021. Instead, Google continued to expose sensitive American defense and industry personnel, and their institutions, to blackmail and compromise, in addition to causing grave privacy harm to consumers.

Even Google’s so called “non personalized” data contains dangerous data.

[...]
