rgl7194 + privacy   3844

1Password X 1.17: New brain, new menu, and even more accessible | 1Password
1Password X harnesses the power of your 1Password account to fill and save passwords, view and edit items, and more – all in your browser. And with today’s release, 1Password X gets even better! Here’s what’s new in 1Password X 1.17.
New Filling brain written in Rust
1Password’s filling brain is the technology responsible for autofilling your information. The brain analyzes webpages in the background so it can suggest relevant items to fill in the available fields.
In 1Password X 1.17, we’ve completely rewritten the brain in Rust and WebAssembly. Rust gives us a boost in both speed and portability - making it smarter, faster, and more embeddable in all our apps.
Not to get too technical on you, but we’re now using Rust libraries to power many parts of the extension, including all Markdown parsing and time-based one-time password (TOTP) generation. By taking advantage of Rust’s ability to compile to WebAssembly, we can now share this implementation across all of our apps.
security  privacy  1password  passwords 
6 days ago by rgl7194
RSA-240 Factored - Schneier on Security
This just in:
We are pleased to announce the factorization of RSA-240, from RSA's challenge list, and the computation of a discrete logarithm of the same size (795 bits):
RSA-240 = 124620366781718784065835044608106590434820374651678805754818788883289666801188210855036039570272508747509864768438458621054865537970253930571891217684318286362846948405301614416430468066875699415246993185704183030512549594371372159029236099
= 509435952285839914555051023580843714132648382024111473186660296521821206469746700620316443478873837606252372049619334517
* 244624208838318150567813139024002896653802092578931401452041221336558477095178155258218897735030590669041302045908071447
[...]
The previous records were RSA-768 (768 bits) in December 2009 [2], and a 768-bit prime discrete logarithm in June 2016 [3].
It is the first time that two records for integer factorization and discrete logarithm are broken together, moreover with the same hardware and software.
Both computations were performed with the Number Field Sieve algorithm, using the open-source CADO-NFS software [4].
The sum of the computation time for both records is roughly 4000 core-years, using Intel Xeon Gold 6130 CPUs as a reference (2.1GHz). A rough breakdown of the time spent in the main computation steps is as follows.
RSA-240 sieving: 800 physical core-years
RSA-240 matrix: 100 physical core-years
DLP-240 sieving: 2400 physical core-years
DLP-240 matrix: 700 physical core-years
The computation times above are well below the time that was spent with the previous 768-bit records. To measure how much of this can be attributed to Moore's law, we ran our software on machines that are identical to those cited in the 768-bit DLP computation [3], and reach the conclusion that sieving for our new record size on these old machines would have taken 25% less time than the reported sieving time of the 768-bit DLP computation.
security  privacy  encryption  algorithm  research  record  RSA 
8 days ago by rgl7194
New crypto-cracking record reached, with less help than usual from Moore’s Law | Ars Technica
795-bit factoring and discrete logarithms achieved using more efficient algorithms.
Researchers have reached a new milestone in the annals of cryptography with the factoring of the largest RSA key size ever computed and a matching computation of the largest-ever integer discrete logarithm. New records of this type occur regularly as the performance of computer hardware increases over time. The records announced on Monday evening are more significant because they were achieved considerably faster than hardware improvements alone would predict, thanks to enhancements in software used and the algorithms it implemented.
Many public-key encryption algorithms rely on extremely large numbers that are the product of two prime numbers. Other encryption algorithms base their security on the difficulty of solving certain discrete logarithm problems. With sufficiently big key sizes, there is no known way to crack the encryption they provide. The factoring of the large numbers and the computing of a discrete logarithm defeat the cryptographic assurances for a given key size and force users to ratchet up the number of bits of entropy it uses.
The new records include the factoring of RSA-240, an RSA key that has 240 decimal digits and a size of 795 bits. The same team of researchers also computed a discrete logarithm of the same size. The previous records were the factoring in 2010 of an RSA-768 (which, despite its digit, is a smaller RSA key than the RSA-240, with 232 decimal digits and 768 bits) and the computation of a 768-bit prime discrete logarithm in 2016.
The sum of the computation time for both of the new records is about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1GHz) as a reference. Like previous records, these ones were accomplished using a complex algorithm called the Number Field Sieve, which can be used to perform both integer factoring and finite field discrete logarithms. A rough breakdown of the time spent in the sieving and matrixing of both the RSA factoring and the computation of the discrete logarithm problem is:
RSA-240 sieving: 800 physical core-years
RSA-240 matrix: 100 physical core-years
DLP-240 sieving: 2400 physical core-years
DLP-240 matrix: 700 physical core-years
security  privacy  encryption  algorithm  research  record  RSA 
8 days ago by rgl7194
Contract for the Web launch — Social kit – World Wide Web Foundation
On Monday 25 November, Sir Tim Berners-Lee will launch the Contract for the Web — the first-ever global plan of action to make our online world safe and empowering for everyone.
Please help us share the launch on social media. We’ve suggested sample text and graphics below. Graphics can be downloaded via the provided links.
Share the launch with hashtag #WebWeWant and the link contractfortheweb.org/action.
2010s  contract  digital_rights  global  gov2.0  governance  open  privacy  TimBL  web  www  social_media 
10 days ago by rgl7194
What’s next in our fight for the #WebWeWant – World Wide Web Foundation
The web’s power to be a force for good is under threat, and we are all grappling for the right solutions. Governments struggle to pass laws that keep pace with fast-changing technology. Companies promise to respect users’ rights, but then make decisions that prioritize short-term profit and harm consumers and society. Our human rights are at risk.
But it doesn’t have to be this way. We have the power to overcome these threats and fight for the web we want — but only if we roll up our sleeves and get to work creating tangible solutions that can forge real change.
Here at the Web Foundation, we’re taking up this challenge. Over the past year, we’ve convened a coalition of experts from governments, companies and civil society to build the Contract for the Web — a global plan of action to make our online world safe and empowering for everyone.
Today, Sir Tim Berners-Lee, our co-founder and the inventor of the web, is launching the Contract for the Web at the Internet Governance Forum in Berlin.
www  open  web  digital_rights  2010s  global  gov2.0  governance  contract  privacy  TimBL 
10 days ago by rgl7194
Homepage - Contract for the Web
The Web was designed to bring people together and make knowledge freely available. It has changed the world for good and improved the lives of billions. Yet, many people are still unable to access its benefits and, for others, the Web comes with too many unacceptable costs.
Everyone has a role to play in safeguarding the future of the Web. The Contract for the Web was created by representatives from over 80 organizations, representing governments, companies and civil society, and sets out commitments to guide digital policy agendas. To achieve the Contract’s goals, governments, companies, civil society and individuals must commit to sustained policy development, advocacy, and implementation of the Contract text.
www  open  web  digital_rights  2010s  global  gov2.0  governance  contract  privacy  TimBL 
10 days ago by rgl7194
Launching the Contract for the Web – World Wide Web Foundation
This post was originally published at contractfortheweb.org.
Last year, the inventor of the web, Sir Tim Berners-Lee, called for governments, companies and citizens from across the world to take action to protect the web as a force for good.
Today, we stand together to launch the result of that call: a new Contract for the Web.
Experts and citizens have come together — bringing a diverse range of experiences and perspectives — to build a global plan of action to make our online world safe and empowering for everyone.
Launching the Contract, Sir Tim said: “The power of the web to transform people’s lives, enrich society and reduce inequality is one of the defining opportunities of our time. But if we don’t act now — and act together — to prevent the web being misused by those who want to exploit, divide and undermine, we are at risk of squandering that potential.
At this pivotal moment for the web, we have a shared responsibility to fight for the web we want. Many of the most vocal campaigners on this issue have already recognised that this collaborative approach is critical.
www  open  web  digital_rights  2010s  global  gov2.0  governance  privacy  contract  TimBL 
10 days ago by rgl7194
CA DMV Makes $50M Selling Personal Data, Report Says - NBC 7 San Diego
The California Department of Motor Vehicles is selling customers’ personal information for millions of dollars, according to a report from VICE released this week.
The report cites a CA DMV document that shows the “total annual revenue” from commercial requesters of data.
The state has collected about $50 million a year since 2015 providing registration and license data to various businesses, according to that document.
“[I’m] really irritated that they make that much money selling our personal information,” said Julian resident Dale Watterson while in line at the Hillcrest DMV Tuesday. “In this day of protecting your information, that’s just inexcusable.”
But the DMV is pushing back.
“The VICE headline is inaccurate,” said DMV Public Affairs Deputy Director Anita Gore.
Gore explained only certain groups, like insurance companies, background check businesses or car manufacturers, can seek the data.
The spokesperson said the $50 million a year is not profit, but rather just the cost of processing the requests for data.
“We do not put information up for sale,” Gore continued in a phone call with NBC 7.
However, the DMV did not provide a specific list of those businesses or companies who have paid for data.
And when asked if DMV customers are made aware their data may be sold, Gore asked, wouldn’t [NBC 7] want to know if a car manufacturer had a recall, and used the information to get in touch?
“We don’t want it to be just open sourced, where anybody who wants it can obtain our data for a fee,” said Identity Theft Resource Center CEO Eva Velasquez.
The data and privacy expert said companies buying data is not necessarily a bad thing, emphasizing this issue is nuanced.
“Often other organizations use that data in their fraud analytics, in their authentication process… however we need to be more transparent about it,” said Velasquez.
“People need to know if their data is being sold and to whom it is being sold and for what purpose,” she said.
“It is important to note DMV does not sell driver information for marketing purposes, or to generate revenue outside of the administrative cost of the program,” read a statement from the DMV.
“The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes,” the statement continued.
california  gov2.0  data  privacy  sales  money 
10 days ago by rgl7194
How to Get Your Digital Accounts Ready In Case of Death: Wirecutter
On March 7, 2019, Myrna M. DeLeon passed away, days before her 65th birthday. “Her death was completely unexpected,” said her daughter and my brother-in-law’s wife, Casey. In the emotional aftermath for the family, one thing made the grieving process less stressful: Myrna’s “in case of death” preparations. She had filed important documents in a safe and kept a categorized “little black book of information.”
“She was a nurse who was organized in the operating room, and she took that skillset of organization and advanced thinking into our home life as well,” Casey said. “For example, ‘B’ was not for people with the last name starting with B, but for banks and other financial institutions. It listed account numbers for policies and phone numbers to call for claims.”
Casey and her brother had set up their mom’s phone and email, so they knew her passwords for those, which proved essential. “All of her contacts were in her cell phone, and I needed those to inform them of Mom's passing. I also needed to ask her colleagues how their union benefits worked so I could get answers as quickly as possible.”
Preparing for your eventual demise is a gift your loved ones will appreciate even as they mourn your loss—and it will give you peace of mind in the present, too. Most people have thought about setting up a will and doing other estate planning, but you should also arm your family with the most essential information they’ll need in the immediate days and weeks after you’re gone, preferably in one easy-to-access place. Here’s how to set up a digital version of Myrna’s “little black book” for simple and secure information sharing with family members and trusted friends.
wirecutter  legacy  digital  passwords  1password  privacy  security  data  family  RIP  death 
11 days ago by rgl7194
“Sounds Like a Bug” — MacSparky
There is a story developing today around the Facebook iOS Application. Web Designer Joshua Maddox reports via Twitter discovering the Facebook app was turning on the camera with no indication to the user. Maddox reports duplicating the bug on multiple devices. Third parties are now reporting the ability to at least partially replicate the bug.
Facebook’s VP of integrity replied to Maddox, “sounds like a bug.” No shit. I’m sure I have a bit of a chip on my shoulder about Facebook, but how do they continue to under-react to privacy problems with their platform? Also, if this bug does exist, how does it exist? What were they trying to do that could possibly trigger turning on the camera?
Hopefully this, whatever it is, gets fixed soon. In the meantime, if you have Facebook installed on your iPhone, go to Settings > Privacy > Camera and turn off Facebook access for your camera. While you are at it, consider whether you even want the Facebook app on your phone. I know several people that use Facebook exclusively in the browser to avoid problems like this.
facebook  ios  camera  bug  privacy 
12 days ago by rgl7194
The chain of trust in Apple’s devices | The Mac Security Blog
A lot of computer security is based on trust. Your devices verify that you are, indeed, an authorized user, through the use of user names and passwords. And your devices trust services and servers, through a series of certificates and "trusted third parties" who work through a cascading system of verification and authentication.
If you use Apple devices, the company has its own chain of trust that allows you to use multiple devices in concert. Each link of this chain is carefully designed to ensure its reliability, and each link also enhances other links in the chain. This can seem complex, but when you break it down into its component parts, it's a lot easier to understand.
In most cases, you don't need to know how all these elements work together, but it can be good to be aware of how Apple ensures the security of your devices, your accounts, and even your payment methods.
apple  2FA  security  privacy  trust  authentication  appleID 
13 days ago by rgl7194
Intego Mac Podcast: The Chain of Trust
ABOUT THIS EPISODE
Apple's two-factor authentication system sets up a chain of trust from one device to another. By ensuring your identity on one device, that device can then authenticate you on another device, and provide you with enhanced features, such as an Apple Watch unlocking a Mac, or an iPhone authorizing Apple Pay on a Mac. Understanding this chain of trust helps you better understand how Apple protects you.
Show Notes:
The Chain of Trust in Apple Devices (The Mac Security Blog)
Chain of trust (Wikipedia)
Episode 52: Was the Big Hack Really Big?
Certificate authority (Wikipedia)
Use Your Apple Watch to Unlock Your Mac and Authenticate
About the Apple T2 Security Chip
apple  2FA  security  privacy  trust  podcast  authentication 
13 days ago by rgl7194
Intego Mac Podcast: Black Friday Safe Shopping Advice
It's Black Friday again, either the day we release this episode if you're in Europe, or next week, if you're in the US. It's the day when you can get some good deals on things you need, discounts on things you don't need, and, if you're not careful, you could get scammed. We discuss some best practices for buying new and used on Black Friday, and warn you about buying a used iPhone.
Show Notes:
Wirecutter
Caution! These Black Friday “deals” may be bad for your security
6 Cyber Security Tips for Holiday Shopping Online
6 Essential Tips to Stay Safe Shopping Online
Black Friday 2019 Security Threat: U.S. Government Advises Consumers To Stay Vigilant
The Shop at KonMari
security  privacy  podcast  shopping  safety  ecommerce 
19 days ago by rgl7194
A Year Later, Cybercrime Groups Still Rampant on Facebook — Krebs on Security
Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching revealed more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud and identity theft. Facebook responded by deleting those groups. Last week, a similar analysis led to the takedown of 74 cybercrime groups operating openly on Facebook with more than 385,000 members.
Researchers at Cisco Talos discovered the groups using the same sophisticated methods I employed last year — running a search on Facebook.com for terms unambiguously tied to fraud, such as “spam” and “phishing.” Talos said most of the groups were less than a year old, and that Facebook deleted the groups after being notified by Cisco.
Talos also re-confirmed my findings that Facebook still generally ignores individual abuse reports about groups that supposedly violate its ‘community standards,’ which specifically forbid the types of activity espoused by the groups that Talos flagged.
“Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers found. “While some groups were removed immediately, other groups only had specific posts removed.”
But Facebook deleted all offending groups after researchers told Facebook’s security team they were going to publish their findings.  This is precisely what I experienced a year ago.
Not long after Facebook deleted most of the 120 cybercrime groups I reported to it back in April 2018, many of the groups began reemerging elsewhere on the social network under similar names with the same members.
facebook  cybercrime  security  privacy  krebs  forum 
20 days ago by rgl7194
Sign In with Apple: Goodbye Account Management - MacStories
I love trying new apps and services. It may be part of my job at MacStories, but even if it weren’t, I would still constantly be on the lookout for interesting, creative products that can benefit either my work or leisure. In recent years it seems like there’s always a fresh stream of apps and services to check out. Often when I try something new, however, I’m immediately confronted with the obstacle of a login screen. At which point there’s a choice to make: do I go through the hassle of creating an account for this service, or – if the option is available – do I simply authenticate via a third party like Google or Facebook? Sadly, neither option is ideal.
Creating a new account for every service you try is a major pain. It’s made easier with the aid of iCloud Keychain and 1Password, but while those tools eliminate lots of friction, they can be a little clunky, and in the end you’re still trusting your data to the (usually unknown) privacy policies of the service you sign up for.
Third-party login buttons solve the convenience problem, mostly. They may require entering your credentials for that third-party service, but at least you don’t have to create and remember new credentials for multiple services. The data privacy issue can be a question mark with these buttons though; when you authenticate through, let’s say Facebook, do you really know exactly what data you’re sharing with the new service? Or how the service will use that data? As consumers continue losing trust in Facebook itself to secure their data, why would they trust a service that taps into their Facebook data?
apple  SSO  security  privacy  login 
20 days ago by rgl7194
Victory: Pennsylvania Supreme Court Rules Police Can’t Force You to Tell Them Your Password | Electronic Frontier Foundation
The Pennsylvania Supreme Court issued a forceful opinion today holding that the Fifth Amendment to the U.S. Constitution protects individuals from being forced to disclose the passcode to their devices to the police. In a 4-3 decision in Commonwealth v. Davis, the court found that disclosing a password is “testimony” protected by the Fifth Amendment’s privilege against self-incrimination.
EFF filed an amicus brief in Davis, and we were gratified that the court’s opinion closely parallels our arguments. The Fifth Amendment privilege prohibits the government from coercing a confession or forcing a suspect to lead police to incriminating evidence. We argue that unlocking and decrypting a smartphone or computer is the modern equivalent of these forms of self-incrimination.
Crucially, the court held that the narrow “foregone conclusion exception” to the Fifth Amendment does not apply to disclosing passcodes. As described in our brief, this exception applies only when an individual is forced to comply with a subpoena for business records and only when complying with the subpoena does not reveal the “contents of his mind,” as the U.S. Supreme Court put it. (For more on the foregone conclusion exception, see this post on a similar case currently pending in the Indiana Supreme Court.)
security  privacy  state  gov2.0  legal  EFF  passwords  smartphone 
21 days ago by rgl7194
Daring Fireball: Oregon Judge Ordered Woman to Type in Her iPhone Passcode So Police Could Search It for Evidence Against Her
...This is bullshit — being forced to produce a password is clearly a violation of the Fifth Amendment. If you’ve got the password written down on a sticky note and the police get a warrant to search your home and find it, that’s evidence. But being compelled to produce something in your mind is the definition of self-incrimination.
A password is different than biometric authentication. There are debates on whether law enforcement should be able to compel someone to provide their fingerprint or look at a facial recognition scanner to unlock a device. Are they allowed to just wave your phone in front of your face? (With a Pixel 4, closing your eyes won’t protect you.)
As a reminder, you can temporarily disable Touch ID and Face ID just by going to the power-down screen. On an X-class iPhone, that means pressing and holding the power button and either volume button for a second or two. Once your phone is at this screen, even if you tap “Cancel”, you must enter your passcode to unlock the phone. If you’re ever worried about anyone — law enforcement or otherwise — taking your phone from you and unlocking it with your face, just squeeze those two buttons. You don’t even need to take it out of your pocket or purse — you’ll feel haptic feedback once you’ve held the buttons long enough. And, if you keep holding the two buttons down for five seconds, your iPhone will call emergency services and contact your emergency contacts.
iphone  passwords  security  privacy  legal  daring_fireball  authentication 
21 days ago by rgl7194
Daring Fireball: Google Pixel 4 Face Unlock Works Even if Your Eyes Are Shut
Chris Fox, writing for BBC News:
On Tuesday, BBC News tested the Face Unlock feature on the new Pixel 4. Using the default settings, the phone still unlocked if the user pretended to be asleep. The test was repeated on several people, with the same result.
It’s right there in Google’s own support document for the Pixel 4: “Your phone can also be unlocked by someone else if it’s held up to your face, even if your eyes are closed.”
Speaking before the launch, Pixel product manager Sherry Lin said: “There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level — it’s ours and Apple’s.”
Sounds like it’s still only Apple’s, which is now in its third-generation of devices. Biometric authentication is an area where Apple has been, and remains, several years ahead of all its competitors.
google  iphone  security  privacy  faceID  daring_fireball 
21 days ago by rgl7194
Daring Fireball: 'How Safe Is Apple’s Safe Browsing?'
Matthew Green, writing at Cryptographic Engineering:
When Apple wants to advertise a major privacy feature, they’re damned good at it. As an example: this past summer the company announced the release of the privacy-preserving “Find My” feature at WWDC, to widespread acclaim. They’ve also been happy to claim credit for their work on encryption, including technology such as iCloud Keychain.
But lately there’s been a troubling silence out of Cupertino, mostly related to the company’s interactions with China. Two years ago, the company moved much of iCloud server infrastructure into mainland China, for default use by Chinese users. It seems that Apple had no choice in this, since the move was mandated by Chinese law. But their silence was deafening. Did the move involve transferring key servers for end-to-end encryption? Would non-Chinese users be affected? Reporters had to drag the answers out of the company, and we still don’t know many of them.
In the Safe Browsing change we have another example of Apple making significant modifications to its privacy infrastructure, largely without publicity or announcement. We have to learn about this stuff from the fine print. This approach to privacy issues does users around the world a disservice.
If Apple needs to do things differently in China to comply with Chinese law, they need to explain exactly what they’re doing and why. Otherwise people are going to assume the worst. “Trust us” is not good enough. If they’re embarrassed to explain in detail what they’re doing to comply with Chinese law, then they shouldn’t be doing it.
safari  google  china  fraud  web2.0  security  privacy  daring_fireball  safety 
21 days ago by rgl7194
Daring Fireball: Trust but Verify, 'Safari Fraudulent Website Warning' Edition
Via Dino Dai Zovi, a user on Hacker News disassembled the code for Safari’s Fraudulent Website Warning feature and verified that it only uses Tencent (instead of Google) if the region code is set to mainland China.
safari  google  china  fraud  web2.0  security  privacy  daring_fireball 
21 days ago by rgl7194
Daring Fireball: Safari's Fraudulent Website Warning Feature Only Uses Tencent in Mainland China
...After quoting Apple’s statement, Rene Ritchie has more details on how the feature works, including the fact that the URLs you visit aren’t sent to Google (or Tencent) — hashed prefixes of the URLs are sent. This became a story over the weekend when a story by Tom Parker at Reclaim the Net ran under the alarming headline “Apple Safari Browser Sends Some User IP Addresses to Chinese Conglomerate Tencent by Default”.
My assumption was that Apple was only using Tencent in mainland China, where Google services are banned. Apple’s statement today makes it clear that that is true. But Apple brought this mini-controversy upon itself, because Apple’s own description of the feature doesn’t specify when the Fraudulent Website Warning feature uses Google and when it uses Tencent. Apple’s description simply says...
safari  google  china  fraud  web2.0  security  privacy  daring_fireball 
21 days ago by rgl7194
How to Spot a Fake Website
If you’ve used the internet for any amount of time, there’s a good chance you’ve received plenty of phishing emails. Nigerian prince emails, foreign lottery winner emails and even “if you don’t pay the ransom, you’ll never see your son again” emails, all of which are designed to get you to hand over your identifying information, your money or both.
But now that phishing emails are so widely recognized for the scams they are, savvy thieves have a new trick up their sleeves: phishing websites. How do these work? They masquerade as the real deal, tricking you into entering your credit card info, downloading harmful software, filling out the registration form with your sensitive data or some other similar tactic.
Try this example: You head over to Amaz0n.com or PayPaI (notice the zero instead of an O and a capital letter I instead of a lowercase l) and enter all of your information, update your payment information or bank account, verify your account identity or some other mechanism for stealing from you. You never knew you weren’t on the correct site and the scammers stole everything.
security  privacy  web2.0  fake  malware  phishing 
21 days ago by rgl7194
How Russia Recruited Elite Hackers for Its Cyberwar - The New York Times
MOSCOW — Aleksandr B. Vyarya thought his job was to defend people from cyberattacks — until, he says, his government approached him with a request to do the opposite.
Mr. Vyarya, 33, a bearded, bespectacled computer programmer who thwarted hackers, said he was suddenly being asked to join a sweeping overhaul of the Russian military last year. Under a new doctrine, the nation’s generals were redefining war as more than a contest of steel and gunpowder, making cyberwarfare a central tenet in expanding the Kremlin’s interests.
“Sorry, I can’t,” Mr. Vyarya said he told an executive at a Russian military contracting firm who had offered him the hacking job. But Mr. Vyarya was worried about the consequences of his refusal, so he abruptly fled to Finland last year, he and his former employer said. It was a rare example of a Russian who sought asylum in the face of the country’s push to recruit hackers.
“This is against my principles — and illegal,” he said of the Russian military’s hacking effort.
While much about Russia’s cyberwarfare program is shrouded in secrecy, details of the government’s effort to recruit programmers in recent years — whether professionals like Mr. Vyarya, college students, or even criminals — are shedding some light on the Kremlin’s plan to create elite teams of computer hackers.
security  privacy  hack  russia  cybercrime  nytimes 
23 days ago by rgl7194
Why Were the Russians So Set Against This Hacker Being Extradited? — Krebs on Security
The Russian government has for the past four years been fighting to keep 29-year-old alleged cybercriminal Alexei Burkov from being extradited by Israel to the United States. When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians then imprisoned an Israeli woman for seven years on trumped-up drug charges in a bid to trade prisoners. That effort failed as well, and Burkov had his first appearance in a U.S. court last week. What follows are some clues that might explain why the Russians are so eager to reclaim this young man.
On the surface, the charges the U.S. government has leveled against Burkov may seem fairly unremarkable: Prosecutors say he ran a credit card fraud forum called CardPlanet that sold more than 150,000 stolen cards.
However, a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.
security  privacy  hack  russia  usa  krebs  foreign_relations  cybercrime 
23 days ago by rgl7194
Some thoughts on 1Password funding + How to do strong passwords – On my Om
There has been so much angst about 1Password raising $200 million in new funding and many are expecting that the 14-year old company is going to be ruined by an influx of cash. It is understandable that their fans are worried — too much money corrupts. But why are reporters showing paranoia when instead they should be asking questions? (For starters: Why so much money?)
If you ask me, money won’t ruin 1Password. There are precedents for this sort of thing: Atlassian was a private, self-grown business that thrived for years before it took venture capital and then went public. The capital only helped expand its footprint. It continues to thrive.
1Password is a totally remote company, which doubled its workforce over the past 18-months. So, it is not surprising to think that they might need a cash infusion. My guess is that the new capital is going to be put towards growing their footprint in the corporate sector, where security has been one of the biggest areas of spending right now — about $124 billion in 2019 according to Gartner, a research company. In 2022, that will balloon to $170 billion. 1Password has a good presence in corporations big and small, but it has rivals who are better funded and are chasing a similar market.
1password  passwords  business  money  security  privacy  design  UI/UX 
26 days ago by rgl7194
Federal Judge Issues Historic Opinion for Digital Privacy at the Border | Electronic Frontier Foundation
In a historic opinion on privacy at the border, a federal judge this week recognized that international travelers have significant privacy interests in their digital data and ruled that suspicionless electronic device searches at U.S. ports of entry violate the Fourth Amendment. U.S. District Court Judge Denise Casper in Boston held that border agents must have reasonable suspicion that a device contains digital contraband before searching or seizing the device.
The summary judgment opinion was issued in EFF and ACLU’s case Alasaad v. McAleenan, in which we represent 11 plaintiffs against the Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP), and U.S. Immigration and Customs Enforcement (ICE). The case is a constitutional challenge to the agencies’ policies on border searches and seizures of electronic devices.
CBP and ICE policies permit suspicionless manual or “basic” device searches. For forensic or “advanced” device searches, the policies require either a vague concern about national security, or reasonable suspicion that the device contains evidence of broadly defined wrongdoing. The policies also permit border agents to access any and all data resident on a device. The policies are based on easily distinguishable legal precedent that authorizes warrantless, suspicionless searches of luggage for border security purposes, specifically, immigration and customs enforcement. We argued, and Casper agreed, that electronic devices are not comparable to suitcases or purses in terms of the privacy interests at stake.
Casper’s ruling is an important win for digital privacy rights for three reasons.
gov2.0  legal  digital  privacy  EFF 
26 days ago by rgl7194
The Ultimate Guide to Passwords in 2019: Length, Complexity & More!
Despite recent advances in authentication technologies, traditional passwords are still the way users log into most services. That’s why it’s so tragic that so many people use terrible passwords. According to a recent analysis, 86% of users use passwords that have already been cracked.
There is so much outdated, misleading, and just plain wrong information about passwords floating around on the Internet that it isn’t surprising so many people choose bad passwords. Yet companies cannot afford to be complacent. With the average security breach now costing companies $3.86 million, you need to cut through the noise and deliver good information about password security to your workforce.
We want to put to rest some of the most persistent falsehoods about passwords and talk about what it takes to come up with strong passwords and practice good password security in 2019.
passwords  1password  security  privacy  guide  2FA 
27 days ago by rgl7194
Passwords Are a Design Problem + Subtraction.com
Like a lot of urgent advice, this terrific article about best practices in creating strong passwords, written by Jon Xavier of Fleetsmith, feels both necessary and tragic. Necessary because, as the article says, there is “so much outdated, misleading, and just plain wrong information” about how to create and maintain passwords out there. And tragic because this most basic of security measures, which few of us have ever really mastered, seems likely to continue to challenge most users of digital products for the foreseeable future. It’s well worth reading the article in full, but a quick rundown of its main takeaways is also worthwhile:
Passwords should be a minimum of ten characters long, and ideally as long as possible
Neither special characters nor numbers are necessary in order to make passwords stronger
Cleverly swapping numbers for letters in your passwords is completely ineffective
A password should only be changed when there’s reason to believe it’s been compromised
The same password should never be used on multiple sites
Two-factor authorization should always be turned on if it’s available
Never give honest answers to password security questions, e.g., What’s your mother’s maiden name?
Xavier goes deep into the myths driving password implementations and usage today, but one thing he doesn’t touch on is how poor is the user experience of passwords across platforms and products. Create six different accounts at six different web sites and you’ll very likely encounter six different approaches to encouraging and enforcing password strength and security, some egregiously lax and others excessively restrictive.
passwords  1password  security  privacy  design  UI/UX 
27 days ago by rgl7194
Kirkville - Passwords Are a Design Problem – Subtraction.com
Designer Khoi Vinh weighs in on a recent article called The Ultimate Guide to Strong Passwords in 2019, by Jon Xavier. This article points out how to have the strongest password: how long it should be, that it doesn’t need special characters or numbers, that there’s no need to regularly change it unless it has been compromised, etc.
Vinh points out my biggest annoyances with password managers (like him, I use 1Password).
It’s also difficult for a password manager to understand when a password is applicable to more than one site or app. Once a password is created, it’s often matched exclusively to the domain of that site. So if your login is also valid on a closely related site, as is the case with many sites from large companies, the password manager won’t automatically recognize the relationship and present the relevant login.
I have lots of sites where I have passwords stored for login.domain.com, user.domain.com, domain.com, etc. If I just look at Apple, which has a number of sub-domains, and check one of my passwords, 1Password shows me this...
They’re not “reused,” they are just used with different subdomains:
daw.apple.com
appleid.apple.com
idmsa.apple.com
icloud.com
store.apple.com
developer.apple.com
auth.apple.com
lists.apple.com
Arguably, some of these are no longer used, but 1Password cannot understand that it is not wrong to use the same password for all these sites. I understand that there are cases where different sub-domains should have different passwords, but a password manager should be able to allow you to map a password to a domain regardless of its subdomain.
Another example is Amazon. You may not know this, but if you have an account with one Amazon store, you can use it in any Amazon store (US, UK, Canada, etc.). I do use multiple Amazon stores, and have a separate login in 1Password for each one. So there is a long list of Amazon logins, with various subdomains – 54 in all – and these can’t all be grouped. The ones with different sub-domains can, but each store (each country) has a different top-level domain.
Source: Passwords Are a Design Problem + Subtraction.com
passwords  1password  security  privacy  design  UI/UX 
27 days ago by rgl7194
The robocall crisis will never totally be fixed | Ars Technica
Like spam, we'll be able to manage it but not eliminate it.
Years into the robocalling frenzy, your phone probably still rings off the hook with "important information about your account," updates from the "Chinese embassy," and every bogus sweepstakes offer imaginable. That's despite promises from the telecom industry and the US government that solutions would be coming. Much like the firehose of spam that made email almost unusable in the late 1990s, robocalls have made people in the US wary of picking up their cell phones and landlines. In fact, email spam offers a useful analogy: a scourge that probably can't be eliminated but can be effectively managed.
Finding the right tools for that job remains a challenge. The Federal Trade Commission has had a strong track record in its 140 robocall-related suits, including a recent victory at the end of March that targeted four massive operations. Bipartisan anti-robocalling legislation is gaining traction in Congress. Apps that flag or block unwanted calls have matured and are solidly effective. And wireless carriers—in part facing pressure from the Federal Communications Commission—have increasingly offered their own anti-robocalling apps and tools for free.
Yet the number of robocalls continues to hit new highs. The anti-robocalling company YouMail estimates that March 2019 saw 5.23 billion robocalls, the highest volume ever. And other firms recorded similar highs. But those numbers don't take into account calls that were successfully blocked. A more useful measure might be the number of complaints filed per month to the FCC and FTC, which remained mostly static in 2018 and the beginning of 2019.
spam  robocalls  telemarketing  gov2.0  privacy  telco  FCC 
4 weeks ago by rgl7194
What is personal information? In legal terms, it depends - Malwarebytes Labs | Malwarebytes Labs
In early March, cybersecurity professionals around the world filled the San Francisco Moscone Convention Center’s sprawling exhibition halls to discuss and learn about everything infosec, from public key encryption to incident response, and from machine learning to domestic abuse.
It was RSA Conference 2019, and Malwarebytes showed up to attend and present. Our Wednesday afternoon session—“One person can change the world—the story behind GDPR”—explored the European Union’s new, sweeping data privacy law which, above all, protects “personal data.”
But the law’s broad language—and finite, severe penalties—left audience members with a lingering question: What exactly is personal data?
The answer: It depends.
Personal data, as defined by the EU’s General Data Protection Regulation, is not the same as “personally identifiable information,” as defined by US data protection and cybersecurity laws, or even “personal information” as defined by California’s recently-signed data privacy law. Further, in the US, data protection laws and cybersecurity laws serve separate purposes and, likewise, bestow slightly separate definitions to personal data.
Complicating the matter is the public’s instinctual approach to personal information, personal data, and online privacy. For everyday individuals, personal information can mean anything from telephone numbers to passport information to postal codes—legal definitions be damned.
Today, in the latest blog for our cybersecurity and data privacy series, we discuss the myriad conditions and legal regimes that combine to form a broad understanding of personal information.
Companies should not overthink this. Instead, data privacy lawyers said businesses should pay attention to what information they collect and where they operate to best understand personal data protection and compliance.
As Duane Morris LLP intellectual property and cyber law partner Michelle Donovan said:
“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”
data  legal  PII  gov2.0  security  privacy  GDPR  europe  usa  california 
4 weeks ago by rgl7194
Reverse Engineering a Chinese Surveillance App - Schneier on Security
Human Rights Watch has reverse engineered an app used by the Chinese police to conduct mass surveillance on Turkic Muslims in Xinjiang. The details are fascinating, and chilling.
Boing Boing post.
security  privacy  spying  apps  china  police 
4 weeks ago by rgl7194
EFF’s New ‘Threat Lab’ Dives Deep into Surveillance Technologies—And Their Use and Abuse | Electronic Frontier Foundation
EFF is proud to announce its newest investigative team: the Threat Lab. Using a combination of research skills, the Threat Lab will take a deep dive into how surveillance technologies are used to target communities, activists, or individuals.
The Threat Lab is a multidisciplinary unit that’s part of our Technology Projects team. EFF’s Director of Cybersecurity, Eva Galperin heads up the group, which also includes Senior Staff Technologist Cooper Quintin and Senior Investigative Researcher Dave Maass.
The creation of the Threat Lab is a logical evolution of the investigative work we’ve been doing at EFF for years. Some of the projects that will move under the Threat Lab umbrella include our research into state-sponsored malware and cyber-mercenaries, our analysis of Automatic License Plate Readers (ALPRs) and how data collected by police endangers privacy, and our work fighting spouseware and stalkerware. And people are already taking notice: Eva’s work in this area was recently featured in Wired.
We all have a right to live our lives without the threat of illegal surveillance. EFF’s Threat Lab will do its part to enforce those rights with rigorous examinations of new surveillance technologies and how they are being abused by law enforcement or others.
EFF  security  privacy  spying 
4 weeks ago by rgl7194
How to Change Your Lock Screen Information on macOS – The Sweet Setup
Did you know that macOS allows you to set lock screen information? This is very helpful if you work somewhere where you all have the same device, or if you’re concerned about your device going missing. This feature lets you show a custom message on the lock screen so you can request the device be returned to you, for example.
In System Preferences, go to Security & Privacy, and unlock the pane by clicking the padlock in the bottom left and typing in your password. Now you can enable the Show a message when the screen is locked option, and click Set Lock Message.
Now’s the time you can get creative! You can offer a reward for returning the device, let people know FileVault and Find my Mac are enabled (rendering the device useless to most thieves), and more. Mine is simple: If found, please return to Rosemary Orchard. +1 (XXX) XXX-XXXX, followed by my email address. This lets anyone who picks up my laptop by accident know it’s mine, and should the device go missing, a good samaritan has the means to contact me and reunite me with my laptop!
Even if your Mac never leaves your house, it’s worth adding your email address and phone number to the lock screen — just in case. It takes less than two minutes and has no downside at all, and you can even leave a fun note for your family and friends!
mac  howto  prefs  security  privacy  macosxhints 
4 weeks ago by rgl7194
Daring Fireball: One Year After 'The Big Hack'
I was going to write about the one-year anniversary of Bloomberg’s “The Big Hack” fiasco, but Nick Heer, writing at his excellent Pixel Envy, has done the job for me:
Unfortunately, a year later, we’re still no closer to understanding what happened with this story. Bloomberg still stands by it, but hasn’t published a follow-up story from its additional reporting. No other news organization has corroborated the original story in any capacity. After being annihilated after the story’s publication, Supermicro’s stock has bounced back.
Most upsetting is that we don’t know the truth here in any capacity. We don’t know how the story was sourced originally other than the vague descriptions given about their roles and knowledge. We don’t know what assumptions were made as Riley and Robertson almost never quoted their sources. We don’t know anything about the thirty additional companies — aside from Amazon and Apple — that were apparently affected, nor if any of the other nine hundred customers of Supermicro found malicious hardware. We don’t know what role, if any, Bloomberg’s financial services business played in the sourcing and publication of this story, since they were also users of Supermicro servers. We don’t know the truth of what is either the greatest information security scoop of the decade or the biggest reporting fuck-up of its type.
What does that say about Bloomberg’s integrity?
As Heer points out, a year ago, co-author Michael Riley himself tweeted, “That’s the unique thing about this attack. Although details have been very tightly held, there is physical evidence out there in the world. Now that details are out, it will be hard to keep more from emerging.”
With not one shred of evidence emerging in a year, it seems very clear that this was, in fact, “the biggest reporting fuck-up of its type”.
And yet Bloomberg stands by it.
amazon  apple  china  chip  daring_fireball  hack  privacy  security  server  supply_chain 
4 weeks ago by rgl7194
Apple updates its privacy pages; you should take a look | Computerworld
Did you know your iPhone knows whether you’re human?
Apple has updated its privacy website and published several white papers explaining its approach to the issue and how its products protect your privacy.
Apple offers more information than ever
The updated website delivers much more information now, with a broad overview of what the company is doing. It details features and controls as well as the company's privacy policy and transparency report.
The site also offers a selection of understandable white papers that explain how privacy controls work in Safari, Location Services, Photos and Sign-in With Apple. These contain a large amount of information on Apple and its services.
apple  data  privacy  safari  location_services  photos_app  SSO  maps  messaging  siri  news  wallet  apple_pay  health  digital_rights 
5 weeks ago by rgl7194
Apple Reveals Major Update to Its Privacy Webpage - MacStories
Privacy and everything it entails is not easy to explain. Under the hood, it’s driven by complex mathematics and code. However, in practice, app privacy starts with how apps are designed. Some are designed to collect information about you, and others aren’t. With Apple’s update to its privacy page today, the company has created a site that explains how privacy drives the design of its apps in clear, concise language. However, for anyone who wants to understand the nitty-gritty details, Apple has also published white papers and linked to other materials that provide a closer look at the issues that the main page addresses.
Apple’s Privacy webpage starts with a declaration of the company’s position on privacy:
Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.
What follows is an app-by-app explanation of how each is designed to give users control over what they share and limit what Apple collects. Safari, Maps, Photos, Messages, Siri, News, Wallet, Health, Sign On with Apple, and the App Store are all covered with playful animations and a short explanation of what they do to protect your privacy.
apple  data  privacy  safari  location_services  photos_app  SSO  maps  messaging  siri  news  wallet  apple_pay  health  digital_rights 
5 weeks ago by rgl7194
Privacy - Features - Apple
We’re committed to protecting your data.
Privacy is built in from the beginning. Our products and features include innovative privacy technologies and techniques designed to minimize how much of your data we — or anyone else — can access. And powerful security features help prevent anyone except you from being able to access your information. We are constantly working on new ways to keep your personal information safe.
apple  data  privacy  safari  location_services  photos_app  SSO  maps  messaging  siri  news  wallet  apple_pay  health  digital_rights 
5 weeks ago by rgl7194
Privacy - Apple
Privacy is a fundamental human right. At Apple, it’s also one of our core values. Your devices are important to so many parts of your life. What you share from those experiences, and who you share it with, should be up to you. We design Apple products to protect your privacy and give you control over your information. It’s not always easy. But that’s the kind of innovation we believe in.
apple  data  privacy  safari  location_services  photos_app  SSO  maps  messaging  siri  news  wallet  apple_pay  health  digital_rights 
5 weeks ago by rgl7194
Apple: Raising the stakes on data privacy | iMore
Apple started the year in privacy off with a colossal flex — Giant billboards across from January's CES show in Vegas saying what happens on your iPhone stays on your iPhone. It was privacy by design. Privacy as a civil right.
That was quickly followed by a bug that could allow eavesdropping through FaceTime calls, an impressive array of new privacy protections including Sign in with Apple, HomeKit secure video and routers, increased tracking protection, private federated learning, and an anonymized new Find My network.
Then, a scandal involving Siri and letting humans, contractors even, listen to and grade customer voice recordings for quality assurance. An industry-wide practice-become-scandal, yes, but one unexpected and unacceptable given Apple's position on privacy, both moral and marketing.
Up, down, up, down. What was left was to make it right. And, Apple's doing that in two ways: A) With the release a week ago of a new, fully disclosed opt-in grading process for Siri last week as part of iOS 13.2 and, B) the unveiling of a new, detailed privacy website including four new privacy-centric white papers.
apple  data  privacy  safari  location_services  photos_app  SSO  AI/ML  diff_priv  digital_rights 
5 weeks ago by rgl7194
4 Critical Tips and Tricks to Be a Successful Digital Nomad
The open road has always held an allure of adventure and rebellion. Whether perched on an Indian or Harley-Davidson motorcycle, laid back in an old Chevy truck or a VW van, or sailing a sloop downwind to French Polynesia, who hasn’t daydreamed about breaking away from the daily slog?
Escaping the rat race used to mean separating from traditional employment as well as communication with the rest of the world. There were few jobs, other than those based on special skills and alternative lifestyles, that allowed for a road warrior lifestyle lived far from a business office or a city.
The New Era of Digital Nomads
That’s all changed. With the abundance of internet broadband available through Wi-Fi or cellular connections, we can now travel almost anywhere in the populated world and have access to family, clients, banking, shopping, cloud data, and the other digital services required just to get by in today’s society.
Programming, writing, photography, videography, and piece-work consulting are all naturally suited to a new, peripatetic lifestyle, and many in those fields are models of what a working nomad can do away from traditional work environments. But technologies like 5G and X Reality (XR) are opening the door to intricate tasks that in the past could only be performed in person. Procedures as demanding as remote surgery are now possible using telepresence technology. Who knows what skills and jobs will be able to be done from thousands (or even millions of miles) away in the future? After all, today the Mars Rover can be driven by an operator in Pasadena, California.
Combine these new technologies with people’s imagination and creativity, and we can expect the number of people who live and work on the road to explode in coming years.
digital  travel  internet  wi-fi  security  privacy  tips 
5 weeks ago by rgl7194
Ghosts of passwords past: When old accounts come back to haunt you | 1Password
If you’re reading this, you probably take your online security seriously — but was your past self as diligent? Most of us have been guilty at some point of reusing passwords or not making our passwords strong enough. But if you haven’t corrected those mistakes, your past just may come back to haunt you.
We’re going to help you clear out those virtual cobwebs and set you up to defend against any ghosts that may be trying to haunt your old accounts.
Here’s what you need to watch out for, and how to make sure all your accounts belong to the land of the living.
security  privacy  1password  passwords 
5 weeks ago by rgl7194
Security is a key focus in macOS Catalina | 1Password
macOS Catalina launched earlier this month, and it’s chock full of fantastic new features. We’re thrilled to see the emphasis Apple has placed on user privacy and security in this latest release. I installed it on launch day and have been exploring the ins and outs ever since. Here’s what I was most excited to see — and what the 1Password team thinks you’ll love too.
Lock it up tight
Losing my laptop is one of my worst nightmares — all my photos, music, and writing gone in a flash. Sure, I keep backups of everything, but I don’t want anyone else getting their hands on my important information. Or my high school photos that prove I had no sense of style. That’s why the new Activation Lock feature is so incredible.
With the new security feature in place, no one can access your account even if they physically have your computer. So, if your laptop is stolen from a coffee shop, the only person who can erase and reactivate it is you. It gives you peace of mind and adds an additional layer of security to your data. Even if someone got their hands on your laptop, they’d still be completely locked out of everything.
security  privacy  1password  macOS  10.15  safari 
5 weeks ago by rgl7194
Authy | Two-factor Authentication (2FA) App & Guides
Two-factor authentication (2FA) is the best way to protect yourself online.
Defeat cyber criminals & avoid account takeovers with stronger security, for free! Watch the video below to learn more about why you should enable 2FA for your accounts.
Why use Two-Factor Authentication
Relying on just usernames and passwords to secure your online accounts is no longer considered safe. Data breaches occur daily and hackers are always inventing new ways to take over your accounts. Protect yourself by enabling two-factor authentication (2FA). This blocks anyone using your stolen data by verifying your identity through your device. Enable 2FA now to protect your accounts online.
ios  apps  security  privacy  2FA  authentication  guide 
5 weeks ago by rgl7194
Who Is Homo Contractus? Edward Snowden on the Deep State - WhoWhatWhy
The term “Deep State” was popularized in John le Carré’s spy novel, Delicate Truth. It is an expression bandied about so frequently these days that it’s in danger of losing its meaning and becoming just another empty buzzword. Which would be dangerous, because there is a real, non-fictional Deep State, and it’s important that we come to understand what it is.
One of the more mature and sober descriptions of what the Deep State is, and what it does, came from former GOP congressional staffer Mike Lofgren in a discussion, back in 2014, “The Deep State: Hiding in Plain Sight,” with Bill Moyers. Lofgren spent 28 years working on the Senate and House budget committees. He described the Deep State as “a hybrid of corporate America and the national security state.” It is a place, says Moyers, “where elected and unelected figures collude to protect and serve powerful vested interests.”
“We’re having a situation where the Deep State is essentially out of control,” Lofgren tells Moyers. “It’s unconstrained. Since 9/11 we have built the equivalent of three Pentagons around the DC metropolitan area, holding defense contractors, intelligence contractors, and government civilians involved in the military-industrial complex [MIC].” Ostensibly, they all work together to keep America safe under the emotional rubric of “Never Again.”
But there’s more. The Deep State has literally declared the Internet a battlefield. There’s no democracy on a battlefield. To help keep the internet safe from perceived enemies, the MIC — or Deep State — has contracted with corporations such as Amazon, Google, and Facebook to police the cybersphere by gathering information on each and every human online and sharing it with the government. Thus, the Deep State spends a lot of time searching for and stalking the alleged spies and traitors amongst us, while the corporations are given the green light to exploit and play with our deepest desires. In short, the Deep State is at war with privacy. We are the last frontier.
gov2.0  politics  spying  security  privacy  snowden  whistleblower  deep_state 
6 weeks ago by rgl7194
Bruce Schneier on how insecure electronic voting could break the United States — and surveillance without tyranny - 80,000 Hours
Nobody is in favor of the power going down. Nobody is in favor of all cell phones not working. But an election? There are sides. Half of the country will want the result to stand and half the country will want the result overturned; they’ll decide on their course of action based on the result, not based on what’s right.
Bruce Schneier
November 3 2020, 10:32PM: CNN, NBC, and FOX report that Donald Trump has narrowly won Florida, and with it, re-election.
November 3 2020, 11:46PM: The NY Times, Washington Post and Wall Street Journal report that some group has successfully hacked electronic voting systems across the country, including Florida. The malware has spread to tens of thousands of machines and deletes any record of its activity, so the returning officer of Florida concedes they actually have no idea who won the state — and don’t see how they can figure it out.
What on Earth happens next?
Today’s guest — world-renowned computer security expert Bruce Schneier — thinks this scenario is plausible, and the ensuing chaos would sow so much distrust that half the country would never accept the election result.
Unfortunately the US has no recovery system for a situation like this, unlike Parliamentary democracies, which can just rerun the election a few weeks later.
The constitution says the state legislature decides, and they can do so however they like; one tied local election in Texas was settled by playing a hand of poker.
Elections serve two purposes. The first is the obvious one: to pick a winner. The second, but equally important, is to convince the loser to go along with it — which is why hacks often focus on convincing the losing side that the election wasn’t fair.
Schneier thinks there’s a need to agree how this situation should be handled before something like it happens, and America falls into severe infighting as everyone tries to turn the situation to their political advantage.
And to fix our voting systems, we urgently need two things: a voter-verifiable paper ballot and risk-limiting audits.
security  privacy  gov2.0  election  politics  podcast  interview  voting  hack  transcript  malware 
6 weeks ago by rgl7194
Social Media Privacy and Professionalism: What You Give Away — ACFE Insights
You might be giving away more information on your social media than you should
GUEST BLOGGER
Eva Velasquez
President and CEO, Identity Theft Resource Center
Since the rise in popularity of social media, there have been new rules created around social norms and professionalism — something to keep in mind when considering your personal social media privacy behaviors. At the advent of social media, many might have thought it was only for teenagers or college kids. However, people of all ages have joined the social sphere with personal profiles about both their personal and professional lives. Now that there is an abundance of social sharing from individuals and companies alike, it can be difficult to know where to draw the line in a professional capacity.
Here’s a high-level overview of the many different considerations you should make in order to maintain safe, healthy levels of social media privacy.
social_media  privacy  data  passwords  2FA  security 
6 weeks ago by rgl7194
New 'Privacy on iPhone' Ad Gets Released
Apple has shared its new ‘Privacy on iPhone’ video ad on the official Apple YouTube channel today to emphasize its stance on customer privacy.
The ad, which runs about a minute long, displays an aerial shot of a city, with homes, office buildings and others before focusing on an iPhone 11 Pro Max user. Voice-over talks about how important privacy is in an all-digital world.
The ad ends with the words ‘Privacy. That’s iPhone’. In the YouTube description, the Cupertino-based firm stresses how privacy should be straightforward and simple.
Apple has released privacy-centric videos before on its ‘Privacy on iPhone’ series, ranging from humorous to ones that have serious tones. The tech firm’s belief is that privacy should be considered a ‘fundamental human right’, and cements that stance by collecting as little customer data as possible.
Apple’s complete privacy policy can be found at the company’s privacy website.
iphone  privacy  security  video 
6 weeks ago by rgl7194
Apple makes a video on importance of privacy - iPhone
The iPhone has always been a tool deemed to offer privacy-oriented features. Apple talks at length about the security modules it has created to keep its users’ data secure at its events.
The business model of Apple is extremely advantageous to the company: it does not have to rely on mining data from its users to show ads. It has a good revenue system: people buy phones, laptops, desktops, tablets, etc., and the money flows into their bank account.
Simple as that
Apple has now released a video showcasing the privacy aspect of the iPhone. The video is now live on the YouTube channel of Apple with the title “Privacy on iPhone — Simple as that — Apple”.
“Right now there is more private information on your phone than in your home. Think about that. So many details about your life right in your pocket. This makes privacy more important now than ever,” is heard in the background of the video.
iphone  privacy  security  video 
6 weeks ago by rgl7194
Apple plays the privacy card, with drones (video) | Philip Elmer‑DeWitt
A simple idea, effectively presented.
My take: Creepy drone footage. Reminds me of the time, many years ago, that the photo editors on the 24th floor of the old Time Life building had a well-lit view of a pair of office workers conducting an affair in a 23rd-floor window across the street. Drone views into office windows, of course, have nothing to do with the kind of privacy protection Apple is selling. But try showing that on a video screen.
iphone  privacy  security  video 
6 weeks ago by rgl7194
Apple publishes new 'Simple as that' video about privacy on iPhone
There's more private information on your phone than ever before.
What you need to know
Apple has published a new video highlighting privacy on the iPhone.
The video claims that there is now more private information on our phones than in our homes.
Also says privacy should be simple, straightforward and understood.
A new Apple video published to YouTube has highlighted privacy on the iPhone, saying that it has never been more important.
The video states:
Right now there is more private information on your phone than in your home. Think about that.
The description reads:
We believe your privacy should never be something you have to question. It should be simple, straightforward, and understood.
Whilst Apple has always highlighted privacy and security as a feature of the iPhone, the video comes in the wake of several privacy gaffes from some of Apple's competitors. Recently it was revealed that a security flaw in the Samsung Galaxy S10 meant that if you applied a third-party screen protector, the device could be unlocked using any fingerprint. Google also came under fire after it was revealed that its brand new Pixel 4 did not have an eyes open option for its Face Unlock feature, meaning that someone could theoretically point your phone at your face whilst you were asleep to unlock it.
You can check out the full video below.
iphone  privacy  security  video 
6 weeks ago by rgl7194
The Best Two-Factor Authentication App for 2019: Reviews by Wirecutter
The most important thing you can do to increase your online security, alongside using a password manager, is to enable two-factor authentication. After interviewing three experts and testing seven authenticator apps, we think Authy has the best combination of compatibility, usability, security, and reliability.
Our pick
Authy
The best two-factor authentication app
Authy is free, available across platforms, and easy to use, and its security features are better than those of other two-factor authentication apps.
When you log in to an online account with two-factor authentication enabled, the site first asks for your username and password, and then, in a second step, it typically asks for a code. Even if someone gets ahold of your username and password, they still can’t log in to your account without the code. This code, which is time-sensitive, can come to you via SMS, or it can be generated by a two-factor authentication app, such as Authy, on your phone. When you open Authy you see a grid with large icons that makes it easy to find the account you’re looking for, copy the security token, and get on with your day.
Compared with other authentication apps, Authy is also available on more platforms, including iOS, Android, Windows, Mac, and Chrome, and it features PIN and biometric protection for the app. Unlike most other two-factor authentication apps, Authy includes a secure cloud backup option, which makes it easier to use on multiple devices and makes your tokens simple to restore if you lose or replace your phone. The fact that the backup is optional lets you decide what, if any, security risks you’re willing to make in favor of usability. It’s run by Twilio, a reputable company that clearly outlines its security practices and updates Authy frequently.
Two-factor authentication can be a bit mind-boggling if you haven’t used it before, so check out our section on setting up Authy for a visual explanation of how it works.
security  privacy  2FA  wirecutter  review  comparo  apps  ios  authentication 
6 weeks ago by rgl7194
Intego Mac Podcast: Developing a Security Mindset
After a couple of news items, about Apple sending browsing data to Tencent in China, and a Google exec warning people to be wary of its smart home devices, we discuss Josh's talk at the MacTech conference about developing a security mindset.
Show Notes:
Apple Sending User Data to Chinese Company for Fraudulent Website Warnings in Safari
Apple Clarifies Tencent's Role in Fraudulent Website Warnings, Says No URL Data is Shared and Checks are Limited to Mainland China
Hash (Wikipedia)
Google exec says Nest owners should warn guests that their conversations might be recorded
JOSH'S SLIDES
security  privacy  presentation  podcast 
7 weeks ago by rgl7194
Mr. Robot season four: A show delightfully booting back to root | Ars Technica
With its premiere, the new season leans into what attracted fans in the first place.
Warning: This story references events from episode one of Mr. Robot's fourth season.
In retrospect, it was never just the attention to technical detail or the unique visual stylings. Part of what made Mr. Robot's first season a modern classic was how it blended familiar TV formats—Elliot would take down small timers or execute highly hackable heists in episodic of-the-week adventures while the show built up longer season arcs. It's a formula other modern shows like Buffy, Justified, or Mindhunter have used to great effect, combining satisfying procedural watchability with slowly built histories and battles. For Mr. Robot, that blend allowed viewers to quickly get familiar with Elliot on a deeper level, as his technical capabilities and internal struggle with mental illness revealed themselves through a variety of situations. Those two character traits became the hallmark of the whole series.
In subsequent seasons, however, Mr. Robot tipped heavily toward that second TV format with only a few select exceptions (like when Angela hacked an FBI base camp). The show's overarching plot became more and more complicated as a result: S1's showdown between Elliot and his cronies against E-Corp evolved into a situation where this highly skilled hacker working for a Big Tech/Finance corporation contractor has been duped into executing an attack against the big corporation on behalf of a Dark Web syndicate that maybe controls the global economy... huh?
Whatever the show's fourth and final season ultimately has in store, Mr. Robot seems to be tapping back into its roots based on last night's premiere ("401 Unauthorized") and the early season episodes that follow (Ars had the opportunity to watch the first four). Yes, there's plenty of plot to plow through to see whether Elliot or the Dark Army will come out victorious. But after a second season that frustrated the show's larger audience and a third season that quietly reset the world, Mr. Robot is willing once again to devote time to doing what it does best: sketching out deep character portraits while simultaneously executing some highly entertaining self-contained adventures.
mr_robot  spoilers  tv  preview  technology  hack  security  privacy  mental_health 
8 weeks ago by rgl7194
Cyberbullying and Identity Theft Go Hand-In-Hand and Continue to Pose a Threat
The second Wednesday in October is one of the most important holidays we have since it impacts every single citizen in the world. National Stop Bullying Day is not only an awareness campaign about a crucial global issue, it is also one that impacts young and old, rich and poor, every race and nationality.
There was a time when bullying meant schoolyard taunts or some rude graffiti. Now, it encompasses horrific crimes like cyberbullying, including sextortion, doxxing, identity theft and account takeover.
The first step to stopping these and other cyberbullying problems is to understand when it is even happening. For too many people, especially parents of younger victims, the truth only emerges after something far more serious occurs. This guide contains more details, but some common signs include withdrawing emotionally, repeatedly missing school or work for no apparent reason, increased need for funds and dramatic behavior changes.
The organization Stomp Out Bullying has some great resources for this year’s important campaign, which can be found on their website. This article by the Cybercrime Support Network can also help. However, recognizing that cyberbullying is a very serious matter, one that can affect adults as well as young people, is the most important step anyone can take toward avoiding this threat.
Stay Safe Online also offers a lot of helpful solutions, such as...
safety  security  privacy  bullying  identity_theft  children  teenager  cybercrime 
8 weeks ago by rgl7194
The MacOS Catalina Privacy and Security Features You Should Know | WIRED
The latest macOS update is chock-full of ways to better safeguard your data.
MacOS Catalina is live and out now for the masses to download—and Apple being Apple, it's packed with features focused on user security and privacy. Here's how Catalina promises to make your Mac safer and better protected than ever, from warnings about weak passwords to smart ways to retrieve a lost MacBook.
Improved Data Protection
MacOS Catalina makes apps jump through more hoops—as in, forcing them to ask for permission—if they want to access the parts of your computer where documents and other personal files are kept. That includes iCloud Drive and external drives, for example.
Another change, which isn't as visible to end users, is that macOS itself is now being stored on a separate disk volume. In other words, it's isolated from the rest of your data and programs, so apps won't be able to mess with important system files; they simply won't have access to them.
macOS  10.15  passwords  find_my_device  security  privacy  data  email  screen_time  notes_app  location_services  appleID  video 
8 weeks ago by rgl7194
Random but Memorable (podcast) - 1Password | Listen Notes
ABOUT THIS PODCAST
Lighthearted security advice and banter from 1Password and guests.
1password  passwords  security  privacy  podcast 
8 weeks ago by rgl7194
Appearing on the 'Random but Memorable' podcast
Just before Christmas I was fortunate enough to be invited onto the “Random but Memorable” podcast, hosted by Matt Davey and Michael Fey of 1Password.
And – unlike my recent appearance on Strangers in Space’s Desert Planet Picks – there’s a fair bit of security-related chat!
Here is the blurb from the show notes:
We talk Governments and the security industry with Graham Cluley. How The Rock feels after cheat day, how to look like Mark Wahlberg and dive a bit deeper into VPNs.
“Random but Memorable” is not only a pretty good name for a podcast, it’s a great podcast! So take a listen. The interview with me begins at about 13 mins 20 seconds.
Thanks to Matt and Michael for inviting me onto the show. It was great fun.
And don’t forget, if you are into computer security and privacy podcasts, to check out the weekly “Smashing Security” podcast I co-host with Carole Theriault.
1password  passwords  security  privacy  podcast 
8 weeks ago by rgl7194
Random but Memorable (the 1Password podcast) : 1Password
We made a podcast! Two of 1Password's most delightful voices, Matt (our COO) and Roo (our lead iOS/Mac dev) have teamed up to produce Random but Memorable, featuring friendly security advice, 1Password updates, and answers to user-submitted questions.
The first two episodes are available now on iTunes, Overcast, Pocket Casts, Simplecast, and quite possibly your other favorite podcast apps too.
If you want your question answered in one of our next episodes, tweet us @1Password using the hashtag #ask1Password!
1password  passwords  security  privacy  podcast 
8 weeks ago by rgl7194
7 Best Password Managers of 2019 (Paid, Family, and Free) | WIRED
Best Overall
1Password
1Password began life as an Apple-centric password solution, but it has since broadened its offerings to include iOS, Android, Windows, and ChromeOS. There's even a command line tool that will work anywhere. There are plugins for your favorite web browser too, which makes it easy to generate and edit new passwords on the fly.
What sets 1Password apart from the rest is the number of extras it offers. In addition to managing passwords, it can act as an authentication app like Google Authenticator and, for added security, it creates a secret key to the encryption key it uses, meaning no one can decrypt your passwords without that key. (The downside is that if you lose this key, no one, not even 1Password, can decrypt your passwords.)
Another reason 1Password offers the best experience is its tight integration with other mobile apps. Rather than needing to copy/paste passwords between your password manager and other apps, 1Password is integrated with many apps and can autofill. This is more noticeable on iOS, where inter-app communication is more restricted.
The other reason I like 1Password is "Travel Mode," which allows you to delete any sensitive data from your devices before you travel and then restore it with a click after you've crossed the border. This prevents anyone, even law enforcement at international borders, from accessing your complete password vault.
There's a 30-day free trial for either plan so you can test it out before committing.
1Password costs $3 per month ($36 per year, $60 a year for families)
1password  passwords  security  privacy  comparo  review 
8 weeks ago by rgl7194
The All Things Auth Podcast | #008 - Secured by Math, Designed for People with Pilar García of 1Password | Episode 8
Want to earn $100k for reading some bad poetry? Break into a 1Password Vault and it could all be yours! Pilar explains how 1Password is built around the core principles of privacy by design, cryptography, usability, and openness.
SHOW NOTES
Social media & website
Twitter: @1password
Website: 1password.com
Resources mentioned in episode
Conor and Pilar frequently reference 1Password’s White Paper, which explains the security architecture and overall security philosophy of the company.
Pilar mentioned the well known XKCD comic on password strength that popularized the comical phrase “correct horse battery staple”.
1Password’s Watchtower has many useful features related to monitoring the security of your account passwords and your use of two factor authentication (2FA).
You can learn more about Troy Hunt’s Pwned Passwords API here and here. Also, check out Junade Ali’s post on the Cloudflare blog about why and how he proposed the Pwned Passwords API should use k-anonymity.
Conor mentions the NIST special publication 800-63B, which contains password best practices.
1Password has a $100k bug bounty hosted on BugCrowd.
You can find the host of The All Things Auth Podcast on Twitter @conorgil.
Canonical URL: https://allthingsauth.com/podcast/008-pilar-garcia-of-1password.
podcast  1password  security  privacy  hack  contest  open  UI/UX  design  encryption  interview 
8 weeks ago by rgl7194
Kirkville - macOS Catalina: Use Your Apple Watch to Enter Your Password and Authenticate
You have been able to use the Apple Watch to unlock your Mac for a couple of years. In the Security & Privacy pane of System Preferences, you can check a box to allow this to occur. When you’re wearing your Apple Watch, and it’s unlocked, pressing a key on your keyboard or clicking your mouse tells the Mac to look for the Apple Watch to authenticate you. This was the single feature that got me back to using the Apple Watch a couple of years ago after having worn the device off and on.
Now, in Catalina, this goes one step further. If you have turned on the above setting, you can use your Apple Watch to enter your password when you need to authenticate to perform administrative tasks. For example, if you want to delete files in the system space, applications installed via the Mac App Store, or access secure preferences panes, you must enter this password.
Now, you’ll see a dialog like this...
macOS  10.15  security  privacy  authentication  passwords  watch 
8 weeks ago by rgl7194
Edward Snowden's Memoirs - Schneier on Security
Ed Snowden has published a book of his memoirs: Permanent Record. I have not read it yet, but I want to point you all towards two pieces of writing about the book. The first is an excellent review of the book and Snowden in general by SF writer and essayist Jonathan Lethem, who helped make a short film about Snowden in 2014. The second is an essay looking back at the Snowden revelations and what they mean. Both are worth reading.
As to the book, there are lots of other reviews.
The US government has sued to seize Snowden's royalties from book sales.
books  gov2.0  politics  privacy  security  snowden  whistleblower  review 
9 weeks ago by rgl7194
Researchers Find New Hack to Read Content Of Password Protected PDF Files
Looking for ways to unlock and read the content of an encrypted PDF without knowing the password?
Well, that's now possible, sort of—thanks to a novel set of attacking techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file, but under some specific circumstances.
Dubbed PDFex, the new set of techniques includes two classes of attacks that take advantage of security weaknesses in the standard encryption protection built into the Portable Document Format, better known as PDF.
To be noted, the PDFex attacks don't allow an attacker to know or remove the password for an encrypted PDF; instead, they enable attackers to remotely exfiltrate content once a legitimate user opens that document.
In other words, PDFex allows attackers to modify a protected PDF document, without having the corresponding password, in a way that when opened by someone with the right password, the file will automatically send out a copy of the decrypted content to a remote attacker-controlled server on the Internet.
security  privacy  PDF  hack  encryption  passwords 
9 weeks ago by rgl7194
How to open apps from unidentified developers on Mac in macOS Catalina | iMore
Over the years, Apple has put its vast resources into making its operating systems more secure for end-users. In macOS Catalina, the company has taken this to all-new levels by introducing beneficial security changes that make it even harder for miscreants to play havoc with our computers. However, because security is a tricky business, so-called improvements for some might not work for others. Specifically, Apple's decision to make Gatekeeper even more difficult to crack is a significant step forward for everyday Mac users. For developers, perhaps not so much. Luckily, there's a workaround.
Warning: This terminal trick disables important security aspects of Gatekeeper, which leaves your Mac vulnerable to malware. We highly recommend you re-enable the default security settings if you choose to follow this guide at your own risk.
What is Gatekeeper?
Gatekeeper has been an essential part of macOS for years. As its name suggests, the tool has been designed to check recently downloaded apps for known malware and sends it to quarantine. In his June article, The Great Mac Balancing Act, Rene Ritchie explains:
Currently, when you download an app, whether it's off the Store or the Web or even from AirDrop, that app is quarantined. If and when you try to open a quarantined app, Gatekeeper checks it for known malware, validates the developer signature to make sure it hasn't been tampered with, makes sure it's allowed to run, for example matches your settings for App Store apps and/or known developer apps, and then double checks with you that you really want to run the app for the first time, that it's not trying to pull a fast one and autorun itself.
Until now, Gatekeeper didn't take the same approach with apps launched via Terminal. It also didn't check non-quarantined apps and files for malware. In other words, it checked an app only once for malware.
Significant changes have arrived with macOS Catalina.
macOS  10.15  security  privacy  apps  terminal  safety 
9 weeks ago by rgl7194
Apple's latest update cripples location-based marketing | AdAge
Why prices for location data might soon go up
After taking on companies that track consumers all over the web, Apple has now set its sights on app publishers that track consumers all over the real world. In mid-September Apple released iOS 13, which is a software update offering new features and improvements. Among those changes: It asks users if they want to opt-in to share their location with app makers.
The iOS 13 update, for instance, will ask users if they want to allow an app publisher Bluetooth access. Although most people associate Bluetooth with sound, it can also determine a person’s location through various means, such as planting beacons at car dealerships, malls or stores. Open the Best Buy app, for example, and a prompt from Apple will display: “Best Buy would like to use Bluetooth. This will allow Best Buy to find and connect to Bluetooth accessories. This app may also use Bluetooth to know when you’re nearby.”
In the example above, the user might question why Best Buy needs Bluetooth access and deny the retailer permission to access that data altogether. Apple’s software update also prevents other methods app publishers use to track consumers. For instance, companies could previously learn a user’s location if they walked by a public WiFi hotspot. With Apple’s update, they no longer can.
Apple’s iOS operating system has a 48 percent market share in the U.S., according to Amazon-owned Statista. Thus, the company’s latest update makes it significantly harder to track nearly half of all smartphone users. Apple did not return requests for comment by press time.
advertising  privacy  security  ios13  tracking  location_services  bluetooth 
9 weeks ago by rgl7194
Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
The Dutch National Cyber Security Centre (NCSC) explains how DNS-monitoring will get more difficult as modern encrypted DNS transport protocols are getting more popular in a fact sheet published this week.
The fact sheet's audience is represented by system or network admins and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH) DNS encryption protocols that offer increased security and confidentiality.
Both DoH and DoT are designed to allow DNS resolution over encrypted HTTPS connections instead of using the currently common plain text DNS lookups.
europe  DNS  security  privacy  encryption  HTTP/S  DoH  DoT  gov2.0  google  chrome  firefox 
9 weeks ago by rgl7194
U.K. lawsuit against Google over iPhone privacy reinstated | iMore
The bill could be expensive.
What you need to know
A U.K. representative action (class action) against Google has been reinstated by the U.K. Court of Appeal.
Judges had previously thrown the case out claiming no "damage" had been suffered.
Case concerns Google's alleged collection of data of 4 million iPhone users between June 2011 and February 2012.
A lawsuit in the U.K. filed against Google over claims it illegally accessed the details of iPhone users has today been reinstated by the U.K. Court of Appeal in London. The action, filed in 2017, revolves around Google, who allegedly used a backdoor method to install cookies on iPhones, even if they were blocked in Safari settings. It is purported that this affected more than 4 million iPhone users.
The suit was raised by Richard Lloyd, who is the former director of consumer rights group Which? Three judges ruled that the decision in 2018 by the U.K. High Court to dismiss the case was wrong, and that the claimant was now free to serve legal papers on Google in the US.
According to Bloomberg, in the ruling Judge Geoffrey Vos said:
"This case, quite properly if the allegations are proved, seeks to call Google to account for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to a commercial profit.
As noted, if the case is proved in court against Google, it could turn out to be quite the legal upset. It could also result in the 4 million or so users affected receiving an equal payout from Google as compensation.
uk  legal  iphone  privacy  google 
10 weeks ago by rgl7194
7 Ways to Prevent Identity Theft - SecureMac
Identity theft can upend your life. It requires a tremendous amount of time and effort to undo the damage—and the aftereffects can be felt for months or even years.
Even the largest companies experience data breaches, losing track of customer passwords and personal information that can then be used to commit identity theft. And smaller organizations, governments, and schools are increasingly under attack by cybercriminals as well. In short, we’re all at risk.
While you can’t do much to improve your bank’s cybersecurity posture, there are some simple steps you can take to protect yourself. If you want to prevent identity theft, here are 7 things that you can do.
security  privacy  identity_theft  passwords  networking  phishing  scam  telephone  credit_freeze 
10 weeks ago by rgl7194
What is Cloudflare's WARP VPN and should you use it? | iMore
WARP is a VPN but it's not like most others and doesn't work the way you think a VPN should. It's confusing.
In November 2018, Cloudflare introduced its 1.1.1.1 application. It was a simple app that could move your phone's networking stack to use Cloudflare's 1.1.1.1 DNS service instead of the one assigned by your internet service provider. Google does something very similar with its own public DNS service, but Cloudflare's is faster so it made your connections feel more "instant." The announcement also talked about something called WARP, which would be coming at a later date.
WARP is part of Cloudflare's existing app and not a standalone service.
That later date has arrived, and WARP is now part of the 1.1.1.1 app. So far, not too confusing, but that changes when the term VPN enters the fray. WARP is a VPN, but WARP isn't like any VPN you might be using now or have heard about.
vpn  security  privacy  DNS  apps  networking  router  wi-fi  encryption 
10 weeks ago by rgl7194
Daring Fireball: Yet Another 'Far Larger Than It Had Previously Acknowledged' Facebook Fiasco
Kate Conger, Gabriel J.X. Dance, and Mike Isaac, reporting for The New York Times:
Facebook said on Friday that it had suspended tens of thousands of apps for improperly sucking up users’ personal information and other transgressions, a tacit admission that the scale of its data privacy issues was far larger than it had previously acknowledged.
The social network said in a blog post that an investigation it began in March 2018 — following revelations that Cambridge Analytica, a British consultancy, had retrieved and used people’s Facebook information without their permission — had resulted in the suspension of “tens of thousands” of apps that were associated with about 400 developers. That was far bigger than the last number that Facebook had disclosed of 400 app suspensions in August 2018.
400 apps, 10,000 apps, what’s the difference?
If these privacy violations weren’t so serious, and if Facebook weren’t so powerful and influential to the daily lives of billions, it would be comical the way they vastly underestimate any and all privacy or security problems, only to come back months later with a more accurate number. They do it every time, and the errors are always in the direction of underreporting severity.
business  facebook  data  privacy  security  daring_fireball  apps 
10 weeks ago by rgl7194
Help! My Parent or Friend is the Victim of a Scam - Identity Theft Resource Center
It may be hard to believe, but there just might be a feeling worse than that of being the victim of a scam: sitting on the sidelines while someone you care about is victimized.
The feeling of helplessness when a friend or family member is being taken advantage of can be almost as bad as falling into a scammer’s hands yourself. Whether it’s a romance scam or a work from home scam, or any other type of fraud, it hurts to know you can’t protect your loved one once they’ve been taken in.
One victim who contacted the Identity Theft Resource Center reported that an elderly woman he knew had fallen victim to a social media romance scam. After looking back through her posts, he discovered that she’d actually had several different online “boyfriends” to whom she’d given money. More than likely, they were all the same person who would sweet talk her into sending outrageous amounts of money, break off the relationship or “disappear,” and then start fresh with a new name.
Unfortunately, the victim was unwilling to believe she’d been scammed. It was hard enough to think the people who’d claimed to love her were lying, but then to think that she’d lost tens of thousands of dollars on top of it was too much to admit. Instead, she doubled-down in her belief that the relationship was real. The end result was that she cut off her friends and relatives who’d tried to help her.
scam  fraud  security  privacy  family  identity 
10 weeks ago by rgl7194
On Chinese "Spy Trains" - Schneier on Security
The trade war with China has reached a new industry: subway cars. Congress is considering legislation that would prevent the world's largest train maker, the Chinese-owned CRRC Corporation, from competing on new contracts in the United States.
Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about "spy trains," and the possibility that the train cars might surreptitiously monitor their passengers' faces, movements, conversations or phone calls.
This is a complicated topic. There is definitely a national security risk in buying computer infrastructure from a country you don't trust. That's why there is so much worry about Chinese-made equipment for the new 5G wireless networks.
It's also why the United States has blocked the cybersecurity company Kaspersky from selling its Russian-made antivirus products to US government agencies. Meanwhile, the chairman of China's technology giant Huawei has pointed to NSA spying disclosed by Edward Snowden as a reason to mistrust US technology companies.
The reason these threats are so real is that it's not difficult to hide surveillance or control infrastructure in computer components, and if they're not turned on, they're very difficult to find.
security  privacy  spying  china  usa  snowden  computers  technology 
11 weeks ago by rgl7194
Greta Thunberg Is Leading A Youth Climate Movement Of Teen Girls Online — And They're Getting Attacked For It
A new movement of teenage climate activists — most of whom are girls — are getting dragged, doxed, hacked, and harassed online.
On the morning of August 25, 11-year-old Lilly Platt tweeted a video clip of a Brazilian Amazon tribe speaking out against deforestation. Awareness of the Amazon wildfires was already at a fever pitch, and the tweet exploded. Then, within an hour, a swarm of troll accounts started flooding her mentions with porn.
Shortly after the attack, her mom, Eleanor Platt, made an online plea for help: “Dear Friends of Lilly, this is Lillys mum she is being targeted by revolting trolls who are spamming her feed with pornography. There is only so much i can do to block this. Please if you see these posts report them.” Over the course of the day, some of Lilly’s nearly 10,000 followers did just that.
Young girls like Lilly, who has been striking in her hometown of Utrecht, Netherlands, every Friday for the last year, are overwhelmingly leading a growing global movement to draw attention to the climate crisis. They spurred an estimated 4 million people across seven continents to walk out of work and school on September 20 — and they are getting attacked for it. They have faced a barrage of daily insults, seemingly coordinated attacks (like the one that targeted Lilly), creepy DMs, doxing, hacked accounts, and death threats. This is the new normal for young climate leaders online, according to BuzzFeed News interviews with nearly a dozen of the kids and their parents.
Personal attacks have always been a part of the climate denial playbook, even as fossil fuel companies secretly funded campaigns and researchers to question the scientific consensus on climate change. The most famous incident, 2009’s Climategate, involved scientists getting their emails hacked and then facing death threats. And as the politics of climate change begins to mirror the broader dark trends of global politics, weaponized social media — in the form of intimidation, memes, and disinformation — has emerged as the dominant vehicle for climate denial.
But the rise of a new climate movement means there’s now a much more visible — and especially vulnerable — target: kids.
The clearest example of this is what's happening today with climate activism’s biggest star, Greta Thunberg.
greta  activism  climate_change  politics  leadership  teenager  protest  women  sexism  safety  security  privacy  hack  doxing 
11 weeks ago by rgl7194
Daring Fireball: Google Chrome Update Rendered Macs Without System Integrity Protection Unbootable
Mr. Macintosh:
Sometimes Avid Media Creators use 3rd Party Graphics cards connected to their Mac Pro. When the issue hit yesterday, it was thought that Avid was the main cause of the problems since all the users experiencing the issue had Avid software.
Only later after a MacAdmins deep dive investigation was it found that AVID was NOT the cause of the problem but the Google Chrome was!
Nice detective work here to figure out that Chrome was to blame. The Chrome updater was deleting the /var symlink at the root of the startup volume.
Google:
We recently discovered that a Chrome update may have shipped with a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled, including machines that do not support SIP. We’ve paused the release while we finalize a new update that addresses the problem.
Why in the world would a web browser’s software updater be doing anything at all at the root level of the boot volume? The arrogance and presumptuousness here boggles the mind. This is like hiring someone to wash your windows and finding out they damaged the foundation of your house. And people wonder why Apple requires Chrome to be a sandboxed app that uses WebKit on iOS.
mac  privacy  security  google  chrome  troubleshooting  file_system  bug 
11 weeks ago by rgl7194
Cloudflare's WARP Secures iOS and Android Web Traffic for Free
Cloudflare's WARP mobile app for iOS or Android designed to secure all the Internet traffic on one's mobile devices is now available for everyone.
WARP works by making DNS requests faster and by automatically encrypting all unencrypted connections by default without requiring users to install an extra root certificate.
The WARP mobile app was announced on April 1 and was expected to be rolled out by July. Since that didn't happen until today, around two million people signed up to try the app and got added to the waiting list.
"As a way of hopefully making amends, for everyone who was on the waitlist before today, we're giving 10 GB of WARP Plus — the even faster version of WARP that uses Cloudflare’s Argo network — to those of you who have been patiently waiting," says Cloudflare's CEO Matthew Prince.
privacy  security  ios  android  vpn  free  apps  encryption  DNS 
11 weeks ago by rgl7194
Update: JPMorgan, other banks hacked, and FBI looks to Russia for culprits | Ars Technica
Suspected reprisal for US sanctions resulted in gigabytes of stolen account data.
The FBI is reportedly investigating whether a sophisticated attack on JPMorgan Chase and at least four other banks was the work of state-sponsored hackers from Russia. The attacks, which were detected earlier this month, netted gigabytes of checking and savings account data, according to a report by The New York Times.
Update: According to one source Ars contacted who claims to be familiar with the investigation at JPMorgan Chase, the attack on the bank stemmed from malware that infected an employee's desktop computer. It was not clear whether the malware was delivered by a web attack or by an email "phishing" attack. That is contradicted by information shared with Bloomberg, which indicates the attack started with a zero-day exploit of one of JPMorgan's web servers.
In a statement sent to Ars, John Prisco, CEO of the security firm Triumfant said, "The nature of the JPMorgan breach was a persistent threat with a backdoor that enabled the attacker to enter whenever they wanted." He expressed surprise that the breach went undetected for so long, claiming that it was "fairly easy breach to detect."
Russian hackers were initially blamed for attacks on Estonia and Georgia in 2007 and 2008, but their link to the Russian government was tenuous at best. Those attacks were largely denial-of-service attacks aimed at bringing down government, media, and financial institution websites. In April of 2007, Estonia was attacked after a controversy over the relocation of a Soviet war memorial and war graves in Tallinn—but after accusations of Russian involvement, it turned out that the attack was launched by an Estonian student. And while some security analysts pointed to Russian government coordination of the Russian Business Network in attacks on Georgian government websites during the 2008 military conflict between Russia and Georgia over South Ossetia, others found no evidence to point to state sponsorship of what was largely a botnet-based attack.
russia  privacy  security  banking  hack  money  data  FBI 
11 weeks ago by rgl7194
Russian national confesses to biggest bank hack in US history | Ars Technica
In all, defendant stole more than 100 million records, prosecutors say.
A Russian national has admitted to carrying out the largest-known computer hack on a US bank. His 2014 breach of JPMorgan Chase generated hundreds of millions of dollars in illicit revenue and stole the data of more than 80 million JPMorgan clients.
Andrei Tyurin, 35, whose last name is also spelled Tiurin, also pleaded guilty to hacks against other US financial institutions, brokerage firms, and other companies. In all, he pleaded guilty in federal court to computer intrusion, wire fraud, bank fraud, and illegal online gambling as part of a securities-fraud scheme carried out by co-conspirators.
Prosecutors said that from 2012 to mid-2015, Tyurin carried out a massive computer-hacking campaign that stole data belonging to more than 100 million customers of the targeted companies. The 2014 intrusion on JPMorgan alone resulted in the theft of more than 80 million customer records, making it the largest—or at least one of the largest—data hacks against a US financial institution.
Tyurin carried out the hacks at the direction of co-conspirator Gery Shalon, who used the stolen data to further a variety of schemes, including securities fraud. One scheme involved artificially inflating the price of certain publicly traded stocks by marketing them in a deceptive and misleading manner to customers of companies Tyurin had hacked.
russia  privacy  security  banking  hack  money  data 
11 weeks ago by rgl7194
Haverford student, 22, who hacked the IRS for Donald Trump’s tax returns, pleads guilty
A Haverford College student who used a campus computer to attempt to hack into an IRS database to obtain Donald Trump’s tax returns days before the 2016 presidential election pleaded guilty Tuesday to two misdemeanor crimes in federal court.
Justin Hiemstra, 22, who finished his studies in May but will not get his degree until he completes a study-abroad program next May, told Judge Cynthia Rufe that he did not know what he would have done with the tax returns if he and classmate Andrew Harris had succeeded in obtaining them on Nov. 2, 2016.
“It was a time when Donald Trump’s tax returns were of interest,” said Hiemstra, a Fulbright Scholar who speaks fluent Russian.
“I don’t think that has changed,” Rufe responded.
Hiemstra, a native of St. Paul Park, Minn., pleaded guilty to accessing a computer without authorization and attempting to access a computer without authorization to obtain government information. The maximum sentence he faces for both crimes is two years in prison, two years of supervised release, and a $200,000 fine.
Rufe tentatively set a sentencing hearing for Dec. 16, but said she may reschedule it to allow Hiemstra to complete a Boren Scholarship program studying math and Russian in Kazakhstan. The U.S. Defense Department-funded program will begin Aug. 21 and end May 13, said Hiemstra’s lawyer, Michael van der Veen.
trump  taxes  college  privacy  security  hack  legal  gov2.0  politics 
11 weeks ago by rgl7194
Haverford student who came this close to hacking Trump tax returns will plead guilty. Here’s how he did it.
In the days before the November 2016 election, two Haverford College students came within a hair’s breadth of prising Donald Trump’s tax returns from a government database.
Nearly three years later, the man who federal investigators believe masterminded the plan is pleading guilty. Andrew Harris, 24, is scheduled to admit on Thursday that he used a student financial aid site in a failed attempt to access Trump’s most-guarded financial documents.
The plan, which Harris’ lawyer called a college prank, was beautiful in its simplicity — if faulty in its execution.
“This was a Wayne’s World scene gone awry,” said Harris’ attorney, William J. Brennan Jr., referring to the 1990s comedy films about two good-hearted teenage dreamers with a gnarly public-access TV show and not a lot of smarts.
In a previous interview with the Washington Post, Brennan had described the two students as Beavis and Butthead, two snickering MTV cartoon characters without an ounce of brains between them. He regrets that comparison. “They were Wayne and Garth in a blue Pacer with a dumb idea and a mixed run of luck.”
In the run up to the election, Trump had refused to provide his returns to the public claiming he was under audit. “You don’t learn anything from a tax return,” Trump said.
Every major party nominee since the late 1970s has released tax returns before Election Day, according to Factcheck.org. It’s a way of exposing potential conflicts of interests and “a form of checking on how a candidate conducts his financial affairs.”
trump  taxes  college  privacy  security  hack  legal  gov2.0  politics 
11 weeks ago by rgl7194