BlackBox (Security) Archiv
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search Mobile Phones

Every day, law enforcement agencies across the country search thousands of cellphones, typically incident to arrest. To search phones, law enforcement agencies use mobile device forensic tools (MDFTs), a powerful technology that allows police to extract a full copy of data from a cellphone — all emails, texts, photos, location, app data, and more — which can then be programmatically searched. As one expert puts it, with the amount of sensitive information stored on smartphones today, the tools provide a “window into the soul.”

This report documents the widespread adoption of MDFTs by law enforcement in the United States. Based on 110 public records requests to state and local law enforcement agencies across the country, our research documents more than 2,000 agencies that have purchased these tools, in all 50 states and the District of Columbia. We found that state and local law enforcement agencies have performed hundreds of thousands of cellphone extractions since 2015, often without a warrant. To our knowledge, this is the first time that such records have been widely disclosed.

Every American is at risk of having their phone forensically searched by law enforcement.

https://www.upturn.org/reports/2020/mass-extraction/

💡 Read as well:
https://www.eff.org/deeplinks/2021/03/fbi-should-stop-attacking-encryption-and-tell-congress-about-all-encrypted-phones

#usa #fbi #lawenforcement #massextraction #MDFT #mobilephones #cellphones #encryption #decryption #study #thinkabout
📡 @cRyPtHoN_INFOSEC_FR
📡 @cRyPtHoN_INFOSEC_EN
📡 @cRyPtHoN_INFOSEC_DE
📡 @BlackBox_Archiv
📡 @NoGoolag
After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it.

Spying on users has nothing to do with building a great web browser or search engine. We would know (our app is both in one).

https://nitter.nixnet.services/DuckDuckGo/status/1371509053613084679

#duckduckgo #google #DeleteGoogle #personal #data #yourdata
$5.7M stolen in Roll crypto heist after hot wallet hacked

A security breach at cryptocurrency platform Roll allowed a hacker to obtain the private key to its hot wallet and steal its contents — worth about $5.7 million.

In a statement, the company said it was investigating the breach, which happened early Sunday.

"As of this writing, it seems like a compromise of the private keys [sic] of our hot wallet and not a bug in the Roll smart contracts or any token contracts," the statement said. Roll said the attacker had already sold the tokens for Ethereum.

"There is no further user action suggested at this stage. We are temporarily disabling withdraw from the Roll wallet of all social money until we have migrated our hot wallet," the statement added.

It's not clear how the attacker broke in and obtained the private key — akin to the password for Roll's hot wallet. Hot wallets are designed to be connected to the internet to send and receive cryptocurrency, but typically only store a fraction of a cryptocurrency owner's total reserves, given the inherent security risk of an internet-connected wallet. A cold wallet, or storage device that isn't connected to the internet, is typically used for holding the bulk of an owner's cryptocurrency for longer-term periods.

https://finance.yahoo.com/news/5-7m-stolen-roll-crypto-141924662.html

https://tryroll.com/security-incident/

#breach #crypto #cryptocurrency #wallet #hacker #attack #tryroll
Darknet Diaries - EP 87: Guild of the Grumpy Old Hackers

In 2016 the LinkedIn breach data became available to the public. What the Guild of the Grumpy Old Hackers did with it then is quite the story. Listen to Victor, Edwin, and Mattijs tell their story.

https://darknetdiaries.com/episode/87/

#truecrime #darknetdiaries #podcast
The most invasive apps: which apps are sharing your personal data?

Apps form a part of our everyday life. From catching up with our friends to playing games, watching films, investing in stocks and banking, there’s not much we do without them.

But what price do we pay for the ease they offer?

💡Apps can collect and share anything from your personal information and user content, to search and browsing history, to analyse you as a ‘profile’ for themselves and other apps.

https://blog.pcloud.com/invasive-apps/

#invasive #apps #data #sharing #profiling #bigdata #thinkabout
Computer giant Acer hit by $50 million ransomware attack

Computer giant Acer has been hit by a REvil ransomware attack where the threat actors are demanding the largest known ransom to date, $50,000,000.

Acer is a Taiwanese electronics and computer maker well-known for laptops, desktops, and monitors. Acer employs approximately 7,000 employees and earned $7.8 billion in 2019.

Yesterday, the ransomware gang announced on their data leak site that they had breached Acer and shared some images of allegedly stolen files as proof.

https://www.bleepingcomputer.com/news/security/computer-giant-acer-hit-by-50-million-ransomware-attack

#acer #ransomware #attack
Amazon delivery drivers in the US have until tonight to sign this consent form for Amazon to collect their biometric info and use AI-cameras that monitor their location and movement.

If they don't sign, they lose their jobs.

https://twitter.com/LaurenKGurley/status/1374114988391022606

#DeleteAmazon #DickPunchBezos #pleaseshare #thinkabout #why
Integrate FusionAuth SSO with MongoDB Realm JWT User Authentication using HMAC-SHA256 Shared Secret

Note: This video used HS256 shared secret. However, FusionAuth supports JWKS (https://fusionauth.io/docs/v1/tech/oa... ) and MongoDB supports JWKS too. We've tested JWKS and it works, so it's a better idea to use JWKS and a custom ECDSA-256 asymmetric key.

https://www.youtube.com/watch?v=duE9156DW7M

#fusionauth #mongodb #realm #jwt #sso #authentication #openid #video
Triage software in emergency rooms - The next quick fix from Spahn's house.

The Ministry of Health (Germany) wants to introduce software to sort emergency cases in hospitals. But doctors and medical associations fear for the safety of patients.

Overloading the healthcare system is one of the great dangers of the pandemic. But even before Corona, media reports on overcrowded emergency rooms and overworked staff were mounting. The question of how best to distribute the scarce time of emergency personnel among patients seems all the more pressing.

A software program is now to help doctors and nurses decide how quickly and by whom patients need to be treated in the emergency room. This is provided for in a draft law of the Federal Ministry of Health. Hospital staff are to use a computer program to assess symptoms and decide on further care. Less severe cases could thus be referred to a family doctor's office for the next business day.

However, the proposal is strongly opposed by professional associations. A wrong decision by the software could lead to deaths; its introduction is not justifiable. What's more, one study points out that while intensive care beds are currently full, many people are avoiding hospitals because of the pandemic. As a result, emergency rooms are less busy than before, it says. So how come the Federal Ministry of Health is pushing ahead with the controversial reform now?

https://netzpolitik.org/2021/triage-software-in-notaufnahmen-der-naechste-schnellschuss-aus-dem-hause-spahn/

#triage #software #hospitals #emergency #rooms #thinkabout
12 years since Operation Aurora. Have we learned anything?

The question that we’re exploring in this interview is whether or not we’ve managed to move the infosec needle since the Chinese government hacked Google back during the Operation Aurora attacks of 2009.

https://risky.biz/soapbox51/

#operation #aurora #china #google #podcast
Crystal Web Archiver

Crystal is a program to download websites for long-term archival. It works best on traditional websites made of distinct pages (rather than infinitely scrolling feeds of content) which make limited use of JavaScript. This includes most static websites, blogs, and wikis and excludes most social media sites.

Digital preservation is important

I personally care a lot about digital preservation, which makes it possible to access and enjoy digital content even after it was originally released, substantially beyond the usual lifetime of such works. I’m planning to work on a few projects this year to advance the state of the art in preserving both online sites and old Macintosh programs from the 1990’s. If this topic is also of interest to you, please consider following me on Twitter or RSS. I like hearing from people who have similar interests.

⚠️ This project is beta quality, and in particular requires additional documentation to be realistically usable by most people. If you'd like to take the plunge anyway, please see the "Quickstart" section below.

Download ⬇️

👉🏼 macOS 10.14 and later
👉🏼 Windows 7, 8, 10

https://github.com/davidfstr/Crystal-Web-Archiver#crystal-web-archiver

#CrystalWebArchiver #web #archiver #program #tools
mailbox.org came after the Snowden revelations: a talk with Peer Heinlein

We spoke with Peer Heinlein of the crypto email service mailbox.org. But there is much more at stake. They're expanding their business model.

We recently spoke with Peer Heinlein, founder of the crypto e-mail service mailbox.org. But it’s about much more than mail: the company is expanding its business model.

A detailed conversation with the CEO of mailbox.org

We enjoyed an extended conversation with Peer Heinlein, the founder and managing director of the e-mail provider mailbox.org. But not only that: Heinlein also runs JPBerlin, a provider for socially and politically engaged people, in addition to Heinlein Hosting, another consulting firm and his own Linux academy. You can read the German version here.

There is a lot of competition among crypto-mail providers, with Posteo’s offices literally just around the corner. Another, Tutanota, is based in Hanover, to name just the two best-known German competitors, and there are many more abroad.

But there is more: Heinlein, the law graduate, who used to work as a journalist over the years has grown into the role of an entrepreneur, and he also lobbies on his own behalf. His topics include the increasing hunger of the German authorities for access to online services that manage their customers‘ data. A recent example is the ongoing revision of the German Telecommunications Act (TKG). If the EU gets its way, all providers would have to integrate official backdoors for the authorities. IT security or digital seclusion would no longer be possible.

https://tarnkappe.info/mailbox-org-came-after-the-snowden-revelations-a-talk-with-peer-heinlein/

#interview #mailboxorg #crypto #mail #service
Firefox 87 Introduces 'SmartBlock' Private Browsing Feature to Fix Websites Broken By Tracking Protections

Mozilla has released Firefox 87 for Macs, Windows, and Linux machines, introducing a new intelligent tracker blocking mechanism called SmartBlock.

Since 2015, Firefox has included a built-in Content Blocking feature that automatically blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies in Private Browsing windows and Strict Tracking Protection Mode.

Mozilla recognizes that the feature sometimes blocks legitimate elements of websites which can cause them to malfunction. SmartBlock aims to provide a solution to this problem without compromising user privacy. From the company's blog:

"In building these extra-strong privacy protections in Private Browsing windows and Strict Mode, we have been confronted with a fundamental problem: introducing a policy that outright blocks trackers on the web inevitably risks blocking components that are essential for some websites to function properly. This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all.

To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock. SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy."

https://www.macrumors.com/2021/03/24/firefox-87-smartblock-private-browsing-feature/

#mozilla #firefox #smartblock #private #browsing #feature
TikTok vs Douyin

A Security and Privacy Analysis

💡 Key Findings

👉🏼 This report provides a comparative analysis of security, privacy, and censorship issues in TikTok and Douyin, both developed by ByteDance.

👉🏼 TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to those exhibited by malware. We did not observe either app collecting contact lists, recording and sending photos, audio, videos or geolocation coordinates without user permission.

👉🏼 Despite not exhibiting overtly malicious behavior, Douyin contains features that raise privacy and security concerns, such as dynamic code loading and server-side search censorship. TikTok does not contain these features.

👉🏼 TikTok and Douyin’s Android apps share many parts of their source code. We postulate that ByteDance develops TikTok and Douyin starting out from a common code base and applies different customizations according to market needs. We observed that some of these customizations can be turned on or off by different server-returned configuration values. We are concerned but could not confirm that this capability may be used to turn on privacy-violating hidden features.

👉🏼 Both TikTok and Douyin have source code for restricting search results for content labeled as “hate speech,” “suicide prevention,” and “sensitive.” We suspect the “sensitive” field restriction refers to content that is “politically sensitive” but could not confirm.

👉🏼 The evidence we collected is inconclusive about whether TikTok employs political censorship of user posts. We did not test for post censorship on Douyin.

👉🏼 Douyin restricts some political terms in search. TikTok did not restrict any of the keywords we tested.

https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-privacy-analysis/

#tiktok #douyin #security #privacy #analysis #ByteDance
We are calling for the removal of the entire Board of the Free Software Foundation

Richard M. Stallman, frequently known as RMS, has been a dangerous force in the free software community for a long time. He has shown himself to be misogynist, ableist, and transphobic, among other serious accusations of impropriety. These sorts of beliefs have no place in the free software, digital rights, and tech communities. With his recent reinstatement to the Board of Directors of the Free Software Foundation, we call for the entire Board of the FSF to step down and for RMS to be removed from all leadership positions.

We, the undersigned, believe in the necessity of digital autonomy and the powerful role user freedom plays in protecting our fundamental human rights. In order to realize the promise of everything software freedom makes possible, there must be radical change within the community. We believe in a present and a future where all technology empowers – not oppresses – people. We know that this is only possible in a world where technology is built to pay respect to our rights at its most foundational levels. While these ideas have been popularized in some form by Richard M. Stallman, he does not speak for us. We do not condone his actions and opinions. We do not acknowledge his leadership or the leadership of the Free Software Foundation as it stands today.

There has been enough tolerance of RMS’s repugnant ideas and behavior. We cannot continue to let one person ruin the meaning of our work. Our communities have no space for people like Richard M. Stallman, and we will not continue suffering his behavior, giving him a leadership role, or otherwise holding him and his hurtful and dangerous ideology as acceptable.

https://rms-open-letter.github.io/

#stallman #rms #fsf #openletter #thinkabout
An Entire Game Inside Of A Font

Where’s the last place you’d expect to be able to play a game on your computer? The word processing program? Image editor? How about your text editor? That’s right — you can fight your Fontemons in any program that makes use of fonts, because mad genius [Michael Mulet] has created a game that exists entirely within a single Open Type font file.

[Michael] has harnessed the power of ligatures to create a choose-your-own-adventure-style turn-based game that pokes fun at both Pokemon and various typeface names. You start by choosing between Papyromaniac, Verdanta, and Proggito and face off against enemies like Helvetikhan and Scourier.

https://hackaday.com/2021/03/22/an-entire-game-inside-of-a-font/

#games #fonts #texteditor
Google's tracking replacement fails for the time being due to EU law

Google will initially not introduce its tracking alternative FLoC in Europe. The search engine giant wants to clarify the legal basis first. After all, GDPR violations can be very expensive.

It is astonishing at first glance: At a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium (W3C), Google engineer Michael Kleber announced on Tuesday that the planned tests with the tracking alternative FLoC would initially not start in the European Union (EU).

Google fears GDPR penalties

The “Federated Learning of Cohorts” should become the data protection-friendly alternative to the previous tracking. FLoC is intended to bring large groups of people together in clusters and to work out commonalities from the group characteristics. The approach is intended to effectively “disappear into the crowd” for individuals. The device-internal processing is used to protect the browser history. It should no longer be possible to identify an individual user.

So what is stopping Google from using the supposedly better method to test in the EU? The answer is: open questions that cannot be answered quickly and reliably. Everything revolves around which company will act as data controller and which will act as data processor in the creation of cohorts and what counts as data processing at all.

https://worldweeklynews.com/yikes-gdpr-googles-tracking-replacement-fails-for-the-time-being-due-to-eu-law/

#gdpr #google #DeleteGoogle #eu #law #floc
Mob Mentality Threatens The Free Software Movement

Richard Stallman recently announced on a video that he's back. He's back at the Free Software Foundation and is reinstated as a board member. And the haters are out in full force, actively trying to cancel Richard again. And not just Richard, the haters actually are trying to force the entire board of the FSF to resign.

https://www.youtube.com/watch?v=Uun2YhnUNGc

#stallman #rms #fsf #openletter #thinkabout #video
Forwarded from The Great Imperial Interdimensional Multiversal Holy DAO of NoGoolag
Richard Stallman is
Anonymous Poll
34% Good
11% Bad
28% I don't know
27% I don't care
Mozilla and Tor join calls to oust Richard Stallman from Free Software Foundation

More than 1,500 people have signed a petition calling for Richard Stallman to be removed from positions of leadership in free software.

More than 1,500 people, along with prominent software projects including Mozilla and the Tor Project, have signed a petition calling for the board of the Free Software Foundation to resign and Richard Stallman to be “removed from all leadership positions.” The group recently reappointed the controversial developer and activist to its board; he had previously departed in the wake of sexual-harassment allegations and comments he made about the Jeffrey Epstein case that many found repellent.

https://www.fastcompany.com/90618666/mozilla-and-tor-join-calls-to-oust-richard-stallman-from-free-software-foundation

#stallman #rms #fsf #openletter #tor #mozilla #thinkabout #video
EXTREME PROGRAMMING - ZOMBIE APOCALYPSE EDITION

WHAT YOU’VE JUST SEEN IS REAL

Find out how to build a serverless, scalable, and reliable app while being chased by a motherfucking zombie!

https://extreme.booster.cloud/

#extreme #programming #zombie #apocalypse #video