China’s social credit program creeps into Canada

Vancouver, British Columbia, Canada: China’s Orwellian “social credit system” that records the social and financial behaviour of individuals and corporations across China, using a vast surveillance system, has expanded globally, and is now openly operational at the renowned Haidilao hot pot restaurant, in Western Canada.

Ryan Pan, a manager with Haidilao Hot Pot in Vancouver confirmed that over 60 surveillance cameras have been installed in the restaurant at the request of the Haidilao corporation, as part of the social credit system in China. He said that the Vancouver location has 30 tables with two cameras assigned to each table.

When asked specifically why Haidilao required so many cameras to monitor staff and patrons, Ryan Pan said that the cameras were installed to “punish” staff if they didn’t adhere to corporate standards and to “people track”. Pan also said that the video is sent back to China but declined to say why this was, other than to say the reason for this was “secret.”

Founded in Sichuan, China, the Haidilao opened up at two locations in the Vancouver region, the most recent of which was opened in 2018 in a former Swiss Chalet restaurant in the trendy Kitsilano district of Vancouver. The location is within walking distance of the home rented by Huawei for staff temporarily re-located to Vancouver to assist Meng Wanzhou, the chief financial officer (CFO) of the telecom giant. Following her arrest and hearing over a provisional US extradition request for fraud and conspiracy to commit fraud in order to circumvent US sanctions against Iran. The Haidilao location is no more than 10 minutes to Meng Wanzhou’s mansion and the Peoples Republic of China Consulate. Haidilao has over 935 locations around the world and more than 36 million VIP members and 60,000 plus staff.

We reached out to Ivy Li, with the Canadian Friends of Hong Kong, who is a well-known public speaker, writer and activist on matters related to China and pro-democracy, to ask why Canadians should be concerned that China’s social credit system is now operational in Canada.

https://www.sundayguardianlive.com/news/chinas-social-credit-program-creeps-canada

#canada #vancouver #china #surveillance #social #scoring
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Not Your Usual Supply Chain Hack: The Codecov Bash Uploader Blunder

We all know about the SolarWinds supply chain hack. But, while smaller in scope, Codecov‘s Bash Uploader Security supply chain failure is also a record-setter. And, this is not a record anyone wants to break.

Months after their code was busted Codecov only discovered the foul-up, thanks to a security-conscious user. He checked the Secure Hash Algorithm 1 (SHA-1) checksum for the Github version of Codecov Bash Uploader and the SHA-1 checksum for the downloaded Bash Uploader version with shasum — a Linux program that calculates and verifies SHA-1 hashes — and found they didn’t match. In other words, they were not the same program.

Whoops!

Codecov is a reporting tool that inserts coverage metrics directly into continuous integration (CI) workflows. Its job is to watch for coding problems while running test suites. It especially looks in pull requests where new features and bug fixes are usually found and new bugs and problems often pop up.

Bash Uploader’s task is to export users’ CI environmental data. This includes any credentials, tokens, or keys users were working within their CI runner when the Bash Uploader script was executed. That’s already dangerous enough because its name is perfectly descriptive. Bash Uploader uses the Bash shell and curl to upload unencrypted environmental data to Codecov. And, oh yes, to the attacker’s server as well.

https://thenewstack.io/not-your-usual-supply-chain-hack-the-codecov-bash-uploader-blunder/

💡 Read as well ...
https://t.iss.one/cRyPtHoN_INFOSEC_EN/15695

#supplychain #hack #codecov
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Wikinews discusses DRM and DMCA with Richard Stallman after GitHub re-enables public access to youtube-dl

Interview with Richard Stallman about the harms of DRM and DMCA 1201

https://en.wikinews.org/wiki/Wikinews_discusses_DRM_and_DMCA_with_Richard_Stallman_after_GitHub_re-enables_public_access_to_youtube-dl

#freesoftware #stallman #drm #dmca #youtubedl #github #interview #mp3
🎙@cRyPtHoN_INFOSEC_FR
🎙@cRyPtHoN_INFOSEC_EN
🎙@cRyPtHoN_INFOSEC_DE
🎙@BlackBox_Archiv
🎙@NoGoolag

In epic hack, Signal developer turns the tables on forensics firm Cellebrite

Widely used forensic software can be exploited to infect investigators' computers.

For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers. Now, Moxie Marlinspike—the brainchild behind the Signal messaging app—has turned the tables.

On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze a device. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device.

Cellebrite provides two software packages: The UFED breaks through locks and encryption protections to collect deleted or hidden data, and separate Physical Analyzer uncovers digital evidence (“trace events”).

To do their job, both pieces of Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. Typically, software that is this promiscuous undergoes all kinds of security hardening to detect and fix any memory-corruption or parsing vulnerabilities that might allow hackers to execute malicious code.

“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”

https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/

https://signal.org/blog/cellebrite-vulnerabilities/

#signal #hack #forensics #cellebrite #israel #vulnerabilities
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Here’s Why University of Minnesota is Getting Banned from Contributing to Linux Kernel Code

Trolling Linux kernel maintainers first and then playing victim. Greg Kroah-Hartman had enough of these university researchers.

It all started with a seemingly innocent patch to the Linux kernel on the 6th April, 2021. A Ph.D. candidate at University of Minnesota submitted this really small patch:

https://news.itsfoss.com/hypocrite-commits/

💡 Read as well (PDF) - Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
https://t.iss.one/BlackBox_Archiv/2068

#opensource #security #minnesota #university #trolling
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Russian intelligence agency SVR sets up dark web whistleblowing platform

The SVR, Russia’s main intelligence service, has deployed a system similar to the SecureDrop whistleblowing platform to allow Russians living abroad to safely send anonymous tips via the Tor network about national security threats.

“If you are outside Russia and have important information regarding urgent threats to the security of the Russian Federation, you can safely and anonymously share it with us via the virtual reception system (VRS) of the SVR over the TOR network,” the Russian Foreign Intelligence Service (SVR) says in a page on its official website.

The SVR’s new Tor site is located at:
svrgovru24yd42e6mmrnohzs37hb35yqeulvmvkc76e3drb75gs4qrid.onion

https://therecord.media/russian-intelligence-agency-svr-sets-up-dark-web-whistleblowing-platform/

#russia #svr #whistleblowing #platform #tor
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

UK.gov wants mobile makers to declare death dates for their new devices from launch

IoT security plan suddenly thrusts into the mainstream

Phone, tablet, and IoT gadget makers will have to state when they'll stop providing security updates for new devices entering the market, the UK's Department for Culture, Media and Sport (DCMS) vowed this morning.

Today's pledge would see existing plans for internet-connected tat extended to smartphones and tablets, which is a large step for a scheme originally put together for landfill Internet-of-Things devices such as webcams.

Digital Infrastructure Minister Matt Warman said in a canned statement: "Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems."

The £70m Secure by Design plan has been telegraphed by the DCMS for years, though today's extension to everyday smartphones is notable.

On top of this, smart device makers will also be banned from publishing default admin passwords for their wares. Such admin passwords are a standard method for digital crims to break into a device or the network to which it is connected.

A government-sponsored study from University College London two years ago, highlighted today by DCMS, said typical IoT devices come with no crime prevention advice, which is presumably the sort of finding that UK.gov enjoys seeing public money poured into.

https://www.theregister.com/2021/04/21/ukgov_death_dates_smartphones_iot_security/

#smartphones #iot #security #updates
📡 @nogoolag 📡 @blackbox_archiv

Phantom Malware: Conceal Malicious Actions From Malware Detection Techniques by Imitating User Activity

State of the art malware detection techniques only consider the interaction of programs with the operating system’s API (system calls) for malware classification. This paper demonstrates that techniques like these are insufficient. A point that is overlooked by the currently existing techniques is presented in this paper: Malware is able to interact with windows providing the corresponding functionality in order to execute the desired action by mimicking user activity. In other words, harmful actions will be masked as simulated user actions.

https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9186656#fghj7

#phantom #malware #detection #antivirus #windows #pdf
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

I Made A Water Computer And It Actually Works

Computers add numbers together using logic gates built out of transistors. But they don't have to be! They can be built out of greedy cup siphons instead! I used specially designed siphones to works as XOR and AND gates and chained them together so they add 4 digit binary numbers.

https://www.youtube.com/watch?v=IxXaizglscw

#water #computer #video
📽@cRyPtHoN_INFOSEC_FR
📽@cRyPtHoN_INFOSEC_EN
📽@cRyPtHoN_INFOSEC_DE
📽@BlackBox_Archiv
📽@NoGoolag

Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it

Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.

AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.

AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.

A matter of milliseconds

To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.

Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.

The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.

https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it

#apple #mac #iphone #airdrop #vulnerability
📡 @nogoolag 📡 @blackbox_archiv

India asks Twitter to take down some tweets critical of its COVID-19 handling

The Indian government asked social media platform Twitter (TWTR.N) to take down dozens of tweets, including some by local lawmakers, that were critical of India’s handling of the coronavirus outbreak, as cases of COVID-19 again hit a world record.

Twitter has withheld some of the tweets after the legal request by the Indian government, a company spokeswoman told Reuters on Saturday.

The government made an emergency order to censor the tweets, Twitter disclosed on Lumen database, a Harvard University project.

In the government's legal request, dated April 23 and disclosed on Lumen, 21 tweets were mentioned. Among them were tweets from a lawmaker named Revnath Reddy, a minister in the state of West Bengal named Moloy Ghatak and a filmmaker named Avinash Das.

https://www.reuters.com/world/india/india-asks-twitter-take-down-some-tweets-critical-its-covid-19-handling-2021-04-24/

💡 read this as well:
https://www.thehindu.com/news/national/other-states/seize-property-of-those-spreading-rumours-up-cm/article34404518.ece

#india #twitter #covid #corona #thinkabout
📡 @nogoolag 📡 @blackbox_archiv

University of Minnesota security researchers apologize for deliberately buggy Linux patches

The abashed University of Minnesota researchers apologized for their blunders, but the issues are far from resolved. And, Linus Torvalds briefly addresses the fouled up Linux patches.

Last week, some University of Minnesota (UMN) security researchers kicked a hornet nest, when it was revealed that they'd tried to insert deliberately buggy patches into Linux. Greg Kroah-Hartman, the well-respected Linux kernel maintainer for the Linux stable branch, responded by banning not only them but any UMN-connected developers from contributing to the Linux kernel. Now, the researchers have sort of, kind of, apologized for their mistakes: "We sincerely apologize for any harm our research group did to the Linux kernel community."

https://www.zdnet.com/article/university-of-minnesota-security-researchers-apologize-for-deliberately-buggy-linux-patches/

https://lore.kernel.org/lkml/CAK8KejpUVLxmqp026JY7x5GzHU2YJLPU8SzTZUNXU2OXC70ZQQ@mail.gmail.com/T/#u

#opensource #security #minnesota #university #trolling #apologize
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Emotet malware self-destructs after cops deliver time-bomb DLL to infected Windows PCs

Uninstall code, distributed from backend servers seized in January, fired on Sunday

Notorious Windows malware Emotet was automatically wiped from computers yesterday by European law enforcement using a customized DLL.

This specially crafted time bomb caused the software to self-destruct on Sunday, April 25. The code was distributed at the end of January to Emotet-infected computers by the malware's command-and-control (C2) infrastructure, which had just been seized in a multinational police operation.

Those raids were largely successful: on Friday this week, malware tracker site Abuse.ch’s Emotet portal showed none of the Emotet C2 servers it tracks were online.

As the dust settled from the swoops, the officers and agents involved wondered what to do next. The answer was to set a firm death date. Infosec bods subsequently spotted that the backend systems seized by the police had made available a software update for Emotet that, once automatically downloaded and quietly installed, would activate an uninstall routine this weekend.

Infosec outfit MalwareBytes confirmed on Sunday that its updated Emotet install had indeed completely removed itself as expected.

Mariya Grozdanova, a threat intelligence analyst at Redscan, described the cops' deinstallation code to The Register: “The EmotetLoader.dll is a 32-bit DLL responsible for removing the malware from all infected computers. This will ensure that all services related to Emotet will be deleted, the run key in the Windows registry is removed – so that no more Emotet modules are started automatically – and all running Emotet processes are terminated."

https://www.theregister.com/2021/04/26/emotet_sunday_25_april_killswitch_date/

https://nitter.pussthecat.org/MBThreatIntel/status/1386413655659479043

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/1707

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/1705

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/1703

#malware #botnet #emotet #bka #europol #busted #takedown #uninstall
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

“SWAT team of nerds” - Pentagon explains odd transfer of 175 million IP addresses to obscure company

Something weird happened minutes before Trump left—US says it was security research.

The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the addresses but that it is using a third-party company in a "pilot" project to conduct security research.

"Minutes before Trump left office, millions of the Pentagon's dormant IP addresses sprang to life," was the title of a Washington Post article on Saturday. Literally three minutes before Joe Biden became president, a company called Global Resource Systems LLC "discreetly announced to the world's computer networks a startling development: It now was managing a huge unused swath of the Internet that, for several decades, had been owned by the US military."

The number of Pentagon-owned IP addresses announced by the company rose to 56 million by late January and 175 million by April, making it the world's largest announcer of IP addresses in the IPv4 global routing table.

"The theories were many," the Post article said. "Did someone at the Defense Department sell off part of the military's vast collection of sought-after IP addresses as Trump left office? Had the Pentagon finally acted on demands to unload the billions of dollars worth of IP address space the military has been sitting on, largely unused, for decades?"

The Post said it got an answer from the Defense Department on Friday in the form of a statement from the director of "an elite Pentagon unit known as the Defense Digital Service." The Post wrote:

"Brett Goldstein, the DDS's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon.

"This pilot will assess, evaluate, and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities."

Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."

https://arstechnica.com/information-technology/2021/04/pentagon-explains-odd-transfer-of-175-million-ip-addresses-to-obscure-company/

#usa #pentagon #ip #adresses #why
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

NewPipe Releases (unofficial) - NewPipe's GitHub releases

The APK sent here cannot be installed over F-Droid's one because they use different signing keys (details)

This pull request adds an experimental SponsorBlock integration, the fork's apk is linked there

👉🏼 https://t.iss.one/newpipe_releases 👈🏼

💡 read this as well: YouTube video hosting alternatives
https://t.iss.one/NoGoolag/2284

#newpipe #youtube #alternatives
📡 @nogoolag 📡 @blackbox_archiv

Arch User Repository Blocks Pamac

Pamac is causing an excessive amount of requests to aur.archlinux.org

Hi.
Today we had an incident where aur.archlinux.org went down for a couple of hours. In investing the issue, we found out that Pamac user agent was responsible for making a very large number of requests to the AUR that caused it to stop responding to new requests.
We have completely blocked the Pamac user agent, to restore service for the users. It seems there's an issue with the latest pamac version that's causing this number of requests.

https://gitlab.manjaro.org/applications/pamac/-/issues/1017

#arch #archlinux #pamac
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

Reproducing Spectre Attack with gem5, How To Do It Right?

💡Table of Contents:

1. Introduction
2. HowTo
2.1. How to Setup the Native ARM System
2.2. How to Perform the Spectre Attack
2.3. How to Setup gem5 for a Full-System Simulation
2.4. How to Simulate Spectre with gem5
2.5. How to Visualize the Pipeline of a gem5 Processor with Konata
3. Implementations
3.1. Spectre
3.2. gem5
4. Appendices

https://pierreay.github.io/reproduce-spectre-gem5/

#attack #spectre #gem5
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag

NoFb Event Scraper

This app scrapes Facebook event links and adds the event to your calendar

https://github.com/akaessens/NoFbEventScraper

https://f-droid.org/repo/com.akdev.nofbeventscraper

The purpose of this application is to get access to Facebook events without an account.
Therefore it does not use the Facebook API.
Instead it opens the Facebook event URI and downloads the website HTML code.
This source should contain the event information in form of structured data.
That data is extracted and used to create Android events.

Features:
* Does not use Facebook API
* Supports "open-with" and "share-to"
* Independent from Facebook regional sub-domain URLs
* Saves history of scraped events
* Handles upcoming events from pages


#fb #Facebook #deletefacebook
📡 @libreware 📡 @nogoolag 📡 @blackbox_archiv

Why is Telegram no longer updated in the Play store?

All third party clients will be removed from play.

As you know, Telegram Android's code is full of coupling, complexity, and shit. They compress a month's worth of shit into one commit at a time and release it, then close the issue section. But is there more?

Last year, the Play store required all apps to update their target API to 29 (Android Pie).

One year later, what has Telegram changed? Just a requestLegacyExternalStorage cheat symbol.

Back to the question, why is Telegram no longer updated in the play store? Because they don't want to modify their shit mountain for their users; to avoid being unexplainable, they stop updating a month in advance, and once they are taken down by Google, it can be attributed to censorship.

Oppose censorship, but don't support being fed shit.

If this happens, please don't support Telegram, for the sake of true freedom.

https://telegra.ph/Why-is-Telegram-no-longer-updated-in-the-Play-store-04-26

#telegram #google #playstore #updates #censorship #comment
📡 @nogoolag 📡 @blackbox_archiv

Payments 2.0, Scheduled Voice Chats, New Web Versions

This update brings Payments 2.0 for all Telegram chats, Scheduling and Mini Profiles for Voice Chats, new versions of Telegram Web for your browser, and more.

Payments 2.0
• Offer real goods and services for sale in any group, channel or bot – Telegram doesn't charge a commission.
• Pay for goods securely using one of the 8 integrated payment providers – Telegram doesn't collect your payment info.
• See how this works in our @TestStore.

Scheduled Voice Chats
• Schedule voice chats to let participants know about them in advance.
• View a countdown to the voice chat and get notified when it starts.

New Web Versions
• Try two new, fully-featured versions of Telegram Web – both supporting animated stickers, dark mode, chat folders and more: https://webk.telegram.org/ and https://webz.telegram.org/.

More about this update:
https://telegram.org/blog/payments-2-0-scheduled-voice-chats

#telegram #update
📡 @nogoolag 📡 @blackbox_archiv

Firefox and Chromium - Madaidans-Insecurities (Last edited: April 26, 2021)

Chromium is vastly more secure than Firefox. Firefox's sandboxing and exploit mitigations are much weaker than Chromium's. This article is not blindly hating on Firefox but is a factual analysis of its weaknesses.

https://madaidans-insecurities.github.io/firefox-chromium.html

💡 read this as well:
https://t.iss.one/BlackBox_Archiv/831

#madaidan #insecurities #information #android #linux #ff #chrome #chromium #bsd #vpn #thinkabout
📡 @nogoolag 📡 @blackbox_archiv