12 years since Operation Aurora. Have we learned anything?

The question that we’re exploring in this interview is whether or not we’ve managed to move the infosec needle since the Chinese government hacked Google back during the Operation Aurora attacks of 2009.

https://risky.biz/soapbox51/

#operation #aurora #china #google #podcast
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv
🎙@NoGoolag

Crystal Web Archiver

Crystal is a program to download websites for long-term archival. It works best on traditional websites made of distinct pages (rather than infinitely scrolling feeds of content) which make limited use of JavaScript. This includes most static websites, blogs, and wikis and excludes most social media sites.

Digital preservation is important

I personally care a lot about digital preservation, which makes it possible to access and enjoy digital content even after it was originally released, substantially beyond the usual lifetime of such works. I’m planning to work on a few projects this year to advance the state of the art in preserving both online sites and old Macintosh programs from the 1990’s. If this topic is also of interest to you, please consider following me on Twitter or RSS. I like hearing from people who have similar interests.

⚠️ This project is beta quality, and in particular requires additional documentation to be realistically usable by most people. If you'd like to take the plunge anyway, please see the "Quickstart" section below.

Download ⬇️

👉🏼 macOS 10.14 and later
👉🏼 Windows 7, 8, 10

https://github.com/davidfstr/Crystal-Web-Archiver#crystal-web-archiver

#CrystalWebArchiver #web #archiver #program #tools
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

mailbox.org came after the Snowden revelations: a talk with Peer Heinlein

We spoke with Peer Heinlein of the crypto email service mailbox.org. But there is much more at stake. They're expanding their business model.

We recently spoke with Peer Heinlein, founder of the crypto e-mail service mailbox.org. But it’s about much more than mail: the company is expanding its business model.

A detailed conversation with the CEO of mailbox.org

We enjoyed an extended conversation with Peer Heinlein, the founder and managing director of the e-mail provider mailbox.org. But not only that: Heinlein also runs JPBerlin, a provider for socially and politically engaged people, in addition to Heinlein Hosting, another consulting firm and his own Linux academy. You can read the german version here.

There is a lot of competition among crypto-mail providers, with Posteo’s offices literally just around the corner. Another, Tutanota is based in Hanover, to name just the two best-known German competitors, and there are many more abroad.

But there is more: Heinlein, the law graduate, who used to work as a journalist over the years has grown into the role of an entrepreneur, and he also lobbies on his own behalf. His topics include the increasing hunger of the German authorities for access to online services that manage their customers‘ data. A recent example is the ongoing revision of the German Telecommunications Act (TKG). If the EU gets its way, all providers would have to integrate official backdoors for the authorities. IT security or digital seclusion would no longer be possible.

https://tarnkappe.info/mailbox-org-came-after-the-snowden-revelations-a-talk-with-peer-heinlein/

#interview #mailboxorg #crypto #mail #service
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Firefox 87 Introduces 'SmartBlock' Private Browsing Feature to Fix Websites Broken By Tracking Protections

Mozilla has released Firefox 87 for Macs, Windows, and Linux machines, introducing a new intelligent tracker blocking mechanism called SmartBlock.

Since 2015, Firefox has included a built-in Content Blocking feature that automatically blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies in Private Browsing windows and Strict Tracking Protection Mode.

Mozilla recognizes that the feature sometimes blocks legitimate elements of websites which can cause them to malfunction. SmartBlock aims to provide a solution to this problem without compromising user privacy. From the company's blog:

"In building these extra-strong privacy protections in Private Browsing windows and Strict Mode, we have been confronted with a fundamental problem: introducing a policy that outright blocks trackers on the web inevitably risks blocking components that are essential for some websites to function properly. This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all.

To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock. SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy."

https://www.macrumors.com/2021/03/24/firefox-87-smartblock-private-browsing-feature/

#mozilla #firefox #smartblock #private #browsing #feature
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

TikTok vs Douyin

A Security and Privacy Analysis

💡 Key Findings

👉🏼 This report provides a comparative analysis of security, privacy, and censorship issues in TikTok and Douyin, both developed by ByteDance.

👉🏼 TikTok and Douyin do not appear to exhibit overtly malicious behavior similar to those exhibited by malware. We did not observe either app collecting contact lists, recording and sending photos, audio, videos or geolocation coordinates without user permission.

👉🏼 Despite not exhibiting overtly malicious behavior, Douyin contains features that raise privacy and security concerns, such as dynamic code loading and server-side search censorship. TikTok does not contain these features.

👉🏼 TikTok and Douyin’s Android apps share many parts of their source code. We postulate that ByteDance develops TikTok and Douyin starting out from a common code base and applies different customizations according to market needs. We observed that some of these customizations can be turned on or off by different server-returned configuration values. We are concerned but could not confirm that this capability may be used to turn on privacy-violating hidden features.

👉🏼 Both TikTok and Douyin have source code for restricting search results for content labeled as “hate speech,” “suicide prevention,” and “sensitive.” We suspect the “sensitive” field restriction refers to content that is “politically sensitive” but could not confirm.

👉🏼 The evidence we collected is inconclusive about whether TikTok employs political censorship of user posts. We did not test for post censorship on Douyin

👉🏼 Douyin restricts some political terms in search. TikTok did not restrict any of the keywords we tested.

https://citizenlab.ca/2021/03/tiktok-vs-douyin-security-privacy-analysis/

#tiktok #douyin #security #privacy #analysis #ByteDance
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

We are calling for the removal of the entire Board of the Free Software Foundation

Richard M. Stallman, frequently known as RMS, has been a dangerous force in the free software community for a long time. He has shown himself to be misogynist, ableist, and transphobic, among other serious accusations of impropriety. These sorts of beliefs have no place in the free software, digital rights, and tech communities. With his recent reinstatement to the Board of Directors of the Free Software Foundation, we call for the entire Board of the FSF to step down and for RMS to be removed from all leadership positions.

We, the undersigned, believe in the necessity of digital autonomy and the powerful role user freedom plays in protecting our fundamental human rights. In order to realize the promise of everything software freedom makes possible, there must be radical change within the community. We believe in a present and a future where all technology empowers – not oppresses – people. We know that this is only possible in a world where technology is built to pay respect to our rights at its most foundational levels. While these ideas have been popularized in some form by Richard M. Stallman, he does not speak for us. We do not condone his actions and opinions. We do not acknowledge his leadership or the leadership of the Free Software Foundation as it stands today.

There has been enough tolerance of RMS’s repugnant ideas and behavior. We cannot continue to let one person ruin the meaning of our work. Our communities have no space for people like Richard M. Stallman, and we will not continue suffering his behavior, giving him a leadership role, or otherwise holding him and his hurtful and dangerous ideology as acceptable.

https://rms-open-letter.github.io/

#stallman #rms #fsf #openletter #thinkabout
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

An Entire Game Inside Of A Font

Where’s the last place you’d expect to be able to play a game on your computer? The word processing program? Image editor? How about your text editor? That’s right — you can fight your Fontemons in any program that makes use of fonts, because mad genius [Michael Mulet] has created a game that exists entirely within a single Open Type font file.

[Michael] has harnessed the power of ligatures to create a choose-your-own-adventure-style turn-based game that pokes fun at both Pokemon and various typeface names. You start by choosing between Papyromaniac, Verdanta, and Proggito and face off against enemies like Helvetikhan and Scourier.

https://hackaday.com/2021/03/22/an-entire-game-inside-of-a-font/

#games #fonts #texteditor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Google's tracking replacement fails for the time being due to EU law

Google will initially not introduce its tracking alternative FLoC in Europe. The search engine giant wants to clarify the legal basis first. After all, GDPR violations can be very expensive.

It is astonishing at first glance: At a meeting of the Improving Web Advertising Business Group (IWABG) at the World Wide Web Consortium (W3C), Google engineer Michael Kleber announced on Tuesday that the planned tests with the tracking alternative FLoC were initially planned not wanting to start in the European Union (EU).

Google fears GDPR penalties

The “Federated Learning of Cohorts” should become the data protection-friendly alternative to the previous tracking. FLoC is intended to bring large groups of people together in clusters and to work out commonalities from the group characteristics. The approach is intended to effectively “disappear into the crowd” for individuals. The device-internal processing is used to protect the browser history. It should no longer be possible to identify an individual user.

So what is stopping Google from using the supposedly better method to test in the EU? The answer is: open questions that cannot be answered quickly and reliably. Everything revolves around which company will act as data controller and which will act as data processor in the creation of cohorts and what counts as data processing at all.

https://worldweeklynews.com/yikes-gdpr-googles-tracking-replacement-fails-for-the-time-being-due-to-eu-law/

#gdpr #google #DeleteGoogle #eu #law #floc
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Mob Mentality Threatens The Free Software Movement

Richard Stallman recently announced on a video that he's back. He's back at the Free Software Foundation and is reinstated as a board member. And the haters are out in full force, actively trying to cancel Richard again. And not just Richard, the haters actually are trying to force the entire board of the FSF to resign.

https://www.youtube.com/watch?v=Uun2YhnUNGc

#stallman #rms #fsf #openletter #thinkabout #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Mozilla and Tor join calls to oust Richard Stallman from Free Software Foundation

More than 1,500 people have signed a petition calling for Richard Stallman to be removed from positions of leadership in free software.

More than 1,500 people, along with prominent software projects including Mozilla and the Tor Project, have signed a petition calling for the board of the Free Software Foundation to resign and Richard Stallman to be “removed from all leadership positions.” The group recently reappointed the controversial developer and activist to its board; he had previously departed in the wake of sexual-harassment allegations and comments he made about the Jeffrey Epstein case that many found repellent.

https://www.fastcompany.com/90618666/mozilla-and-tor-join-calls-to-oust-richard-stallman-from-free-software-foundation

#stallman #rms #fsf #openletter #tor #mozilla #thinkabout #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

EXTREME PROGRAMMING - ZOMBIE APOCALYPSE EDITION

WHAT YOU’VE JUST SEEN IS REAL

Find out how to build a serverless, scalable, and reliable app while being chased by a motherfucking zombie!

https://extreme.booster.cloud/

#extreme #programming #zombie #apocalypse #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Page Shield: Protect User Data In-Browser

Today we're excited to introduce Page Shield, a client-side security product customers can use to detect attacks in end-user browsers.

Starting in 2015, a hacker group named Magecart stole payment credentials from online stores by infecting third-party dependencies with malicious code. The infected code would be requested by end-user browsers, where it would execute and access user information on the web page. After grabbing the information, the infected code would send it to the hackers, where it would be resold or used to launch additional attacks such as credit card fraud and identity theft.

Since then, other targets of such supply chain attacks have included Ticketmaster, Newegg, British Airways, and more. The British Airways attack stemmed from the compromise of one of their self-hosted JavaScript files, exposing nearly 500,000 customers’ data to hackers. The attack resulted in GDPR fines and the largest class-action privacy suit in UK history. In total, millions of users have been affected by these attacks.

Writing secure code within an organization is challenging enough without having to worry about third-party vendors. Many SaaS platforms serve third-party code to millions of sites, meaning a single compromise could have devastating results. Page Shield helps customers monitor these potential attack vectors and prevent confidential user information from falling into the hands of hackers.

Earlier this week, we announced Remote Browser Isolation for all as a way to mitigate client-side attacks in your employee’s browsers. Page Shield is continuing Cloudflare’s push into client-side security by helping mitigate attacks aimed at your customers.

https://blog.cloudflare.com/introducing-page-shield/

#cloudflare #pageshield #user #data #browser
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

This is what happens when ICE asks Google for your user information

You’re scrolling through your Gmail inbox and see an email with a strange subject line: A string of numbers followed by “Notification from Google.”

It may seem like a phishing scam or an update to Gmail’s terms of service. But it could be the only chance you’ll have to stop Google from sharing your personal information with authorities.

Tech companies, which have treasure troves of personal information, have become natural targets for law enforcement and government requests. The industry’s biggest names, such as Google, Facebook, Twitter and LinkedIn, receive data requests — from subpoenas to National Security Letters — to assist in, among other efforts, criminal and non-criminal investigations as well as lawsuits.

An email like this one is a rare chance for users to discover when government agencies are seeking their data.

In Google’s case, the company typically lets users know which agency is seeking their information.

In one email The Times reviewed, Google notified the recipient that the company received a request from the Department of Homeland Security to turn over information related to their Google account. (The recipient shared the email on the condition of anonymity due to concern about immigration enforcement). That account may be attached to Gmail, YouTube, Google Photos, Google Pay, Google Calendar and other services and apps.

The email, sent from Google’s Legal Investigations Support team, notified the recipient that Google may hand over personal information to DHS unless it receives within seven days a copy of a court-stamped motion to quash the request.

https://www.latimes.com/business/technology/story/2021-03-24/federal-agencies-subpoena-google-personal-information

#ice #federal #agencies #google #DeleteGoogle #personal #data #information #thinkabout
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

What’s in your browser (backup)?

It’s not every day that I wake up thinking about how people back up their web browsers. Mostly this is because I don’t feel the need to back up any aspect of my browsing. Some people lovingly maintain huge libraries of bookmarks and use fancy online services to organize them. I pay for one of those because I aspire to be that kind of person, but I’ve never been organized enough to use it.

In fact, the only thing I want from my browser is for my history to please go away, preferably as quickly as possible. My browser is a part of my brain, and backing my thoughts up to a cloud provider is the most invasive thing I can imagine. Plus, I’m constantly imagining how I’ll explain specific searches to the FBI.

All of these thoughts are apropos a Twitter thread I saw last night from a Chrome developer, which purports to explain why “browser sync” features (across several platforms) don’t provide end-to-end encryption by default.

https://blog.cryptographyengineering.com/2021/03/25/whats-in-your-browser-backup/

#chrome #browser #backup #sync #encryption #thinkabout
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Mubadala, Abu Dhabi Catalyst Partners invest $150 million in social media platform Telegram

ABU DHABI, 23rd March, 2021 (WAM) -- Mubadala Investment Company, the Abu Dhabi-based sovereign investor, has invested US$75 million in 5-year pre-IPO convertible bonds of Telegram, an operator of the self-named security-focused social media platform, with Abu Dhabi Catalyst Partners investing a further US$75 million.

The strategic partnership between the companies is also expected to create new collaboration opportunities and thereby further advance Abu Dhabi’s ecosystem of innovative and tech-enabled companies.

Launched in 2013 by brothers Pavel and Nikolai Durov as a secure messaging app utilising end-to-end encryption, Telegram evolved into a fully-fledged social media platform and has its global headquarters in the UAE. It has become one of the 10 most downloaded apps in the world with over 500 million monthly active users.

Faris Sohail Faris Al Mazrui, Head of Mubadala’s Russia and CIS Investment Programme, said, "We recognise and admire Pavel's vision for the company and the team’s execution in building an exceptional product and company. His unwavering focus on user experience and privacy, and how it is central to every business decision he makes, is one of the keys to Telegram's popularity and success. Telegram's user base has reached a critical mass that places it amongst global tech giants.

"We believe that Telegram is well-positioned for an inflection point that will transform it into a leading global technology company. The company represents a very promising investment opportunity for Mubadala and will sit well within our wider portfolio of pioneering companies looking to transform their respective industries. Our investment in Telegram establishes a strategic partnership for us to further strengthen Abu Dhabi's technology ecosystem as well as bring new levels of tech skills and talent to the capital."

Pavel Durov, Founder and CEO of Telegram, added, "We are honoured by the US$150 million investment into Telegram from Mubadala and Abu Dubai Catalyst Partners. We look forward to developing this strategic partnership to continue our growth in the MENA region and globally."

https://www.wam.ae/en/details/1395302920777

#abudhabi #investment #telegram #durov
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Redefining longevity: Android 9 now available for Fairphone 2

It all started with a spark of inspired optimism: We can change the electronics industry for the better, by becoming a part of it. Setting new standards and reshaping an entire industry was going to take serious, long-term commitment.

This year is a milestone for us, and you, as it marks 5 years of continuous support of the Fairphone 2. It is also one of the few Android smartphones sold in that year (2015), to still receive continued software support. It might not seem like a big deal, but trust us, it is. This is the only smartphone to receive an upgrade to Android 9 and we had to build the operating system without any support from chip-maker Qualcomm.

https://www.fairphone.com/en/2021/03/25/android9-fairphone2/

#fairphone #smartphone #update #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Endless OS

Computing is one of the greatest revolutions in human history. Yet, it remains out of reach for half the planet. We created Endless OS – a free and robust computing solution – so people everywhere have access to relevant information and technology.

Our goal at the Endless OS Foundation is to build a global platform for digital literacy.

https://endlessos.com/

#endlessos #video
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Red Hat statement about Richard Stallman’s return to the Free Software Foundation board

Red Hat is a long-time donor and contributor to projects stewarded by the Free Software Foundation (FSF), with hundreds of contributors and millions of lines of code contributed. Considering the circumstances of Richard Stallman’s original resignation in 2019, Red Hat was appalled to learn that he had rejoined the FSF board of directors. As a result, we are immediately suspending all Red Hat funding of the FSF and any FSF-hosted events. In addition, many Red Hat contributors have told us they no longer plan to participate in FSF-led or backed events, and we stand behind them.

In 2019, we called on the FSF board to use the opportunity created by Stallman’s departure to transition to a more diverse, inclusive board membership. The FSF took only limited steps in this direction. Richard Stallman’s return has reopened wounds we had hoped would slowly heal after his departure. We believe that in order to regain the confidence of the broader free software community, the FSF should make fundamental and lasting changes to its governance.

On Wednesday, the FSF board of directors committed to a series of changes related to organizational governance and the appointment of members to its board of directors. However, we have no reason to believe that the most recent FSF board statement signals any meaningful commitment to positive change. We look forward to working with the FSF and others to enable the FSF to once again become an effective and trusted advocacy organization in line with its chartered non-profit mission.

https://www.redhat.com/en/blog/red-hat-statement-about-richard-stallmans-return-free-software-foundation-board

💡 most recent FSF board statement
https://www.fsf.org/news/preliminary-board-statement-on-fsf-governance

#stallman #rms #fsf #openletter #redhat #statement
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

New Advanced Android Malware Posing as “System Update”

Another week, and another major mobile security risk. A few weeks ago, Zimperium zLabs researchers disclosed unsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps (you can read more about it in our blog). This week, zLabs is warning Android users about a sophisticated new malicious app.

The new malware disguises itself as a System Update application, and is stealing data, messages, images and taking control of Android phones. Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more (a complete list is below).

https://blog.zimperium.com/new-advanced-android-malware-posing-as-system-update/

#android #malware #alert
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

The internet – the Scene’s friend or foe?

Does the internet make the things inside the Scene easier or not? Does it support or kill everything? Sane of Monk tries to find the answer.

Written by Sane a.k.a. sAner / Monk

Don’t we all sometimes think about the glorious past of the Amiga Scene? The glorious past when there was no Facebook, no YouTube, no Instagram, no Twitter, no LinkedIn. When Sceners were said to be so much more productive as they are now in the era of the internet. When the vast majority of the Sceners were said to be eager to be creative instead of what they supposedly are now: lazy consumers of the hard work of just a few. Is this idea something that is real or it this idea stuck in our head, but based on dreams? Based on good memories. Based on false memories, because we glorify the past?

https://tarnkappe.info/the-internet-the-scenes-friend-or-foe/

#internet #GoodOldTimes #amiga
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag