US state of New York to stop cryptomining
A politician wants to suspend cryptomining in New York and have its impact on the environment examined.
Cryptomining is considered to be harmful to the environment. But how severe are the effects? A senator in the US state of New York wants to find out and is proposing to suspend cryptomining for some time. He has introduced a corresponding bill in the state Senate.
https://legiscan.com/NY/bill/S06486/2021
#cryptomining #ny #usa #environment
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
LegiScan
New York S06486 | 2021-2022 | General Assembly
Summary (2022-03-21) Establishes a moratorium on cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions; provides that such operations shall be subject to a full generic environmental impact statement…
Facebook's Trump ban upheld by Oversight Board, for now
Donald Trump's ban from Facebook and Instagram has been upheld by Facebook's Oversight Board.
But it criticised the permanent nature of the ban as beyond the scope of Facebook's normal penalties.
It has ordered Facebook to review the decision and "justify a proportionate response" that is applied to everyone, including ordinary users.
The former president was banned from both sites in January following the Capitol Hill riots.
The Oversight Board said the initial decision to permanently suspend Mr Trump was "indeterminate and standardless", and that the correct response should be "consistent with the rules that are applied to other users of its platform".
Facebook must respond within six months, it said.
At a press conference, Oversight Board co-chair Helle Thorning-Schmidt admitted: "We did not have an easy answer."
The Board was due to announce its decision last month but delayed the ruling in order to review more than 9,000 public responses to cases, it said.
In the meantime, Mr Trump, who is also banned from Twitter, launched a new website on Tuesday to update supporters with his thoughts.
https://www.bbc.com/news/technology-56985583
#ToddlerTrump #trump #facebook #DeleteFacebook
Xenobots 2.0: Scientists Create Next Generation of Living Robots
The next version of Xenobots has been created — they're faster, live longer, and can now record information.
https://www.youtube.com/watch?v=G-zpsO8szEI
#xenobots #living #robots #video
What happens to privacy once AIs start hacking systems – and people?
Artificial Intelligence (AI) has mostly figured in this blog because of its ability to sift through information – for example, finding patterns in data, or matching faces. But one of the reasons that AI is such a powerful and important technology is that it is completely general: it can be applied to almost anything. As a new paper by the well-known security expert Bruce Schneier explores, one area where AI will have a major impact is hacking, in all its forms. It’s extremely wide-ranging, and well-worth reading in its entirety (there’s also a good summary by Schneier himself) but this post will concentrate on the ways in which AI hacking is likely to impact privacy and data protection. Schneier writes:
"One area that seems particularly fruitful for AI systems is vulnerability finding. Going through software code line by line is exactly the sort of tedious problem at which AIs excel, if they can only be taught how to recognize a vulnerability. Many domain-specific challenges will need to be addressed, of course, but there is a healthy amount of academic literature on the topic – and research is continuing. There’s every reason to expect AI systems will improve over time, and some reason to expect them to eventually become very good at it."
If that happens, it will have a huge and direct impact on data protection. Over the last few years, we have already seen massive leaks of personal data caused by people breaking into supposedly secure systems through the use of flaws in the code.
https://www.privateinternetaccess.com/blog/what-happens-to-privacy-once-ais-start-hacking-systems-and-people/
#privacy #data #protection #ai #hacking #systems
Malicious Office 365 Apps Are the Ultimate Insiders
Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others.
These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page — whether that be at microsoft.com or their employer’s domain. After logging in, the user might see a prompt that looks something like this:
https://krebsonsecurity.com/
#microsoft #office #phishing #email #malware
How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit
Back in college, I was very interested in Java bytecode. When I got an internship at Google in 2013, I was skeptical of the security of the Java version of Google App Engine and got permission to spend the last week of my internship doing a mini red team exercise, trying to break into App Engine. This is the story of how I found a vulnerability and developed an exploit to break out of the App Engine sandbox and get arbitrary code execution on a Google server.
Background
One of the reasons I was skeptical was Java’s poor security track record. Java is unusual among programming languages in attempting to do in-process sandboxing with its Applet model, where trusted and untrusted code run within the same language runtime.
Back in the dark ages before Javascript and Webassembly took over the world, website authors that wanted to include nontrivial interactivity had to rely on browser plugins. Sun’s entry into the fray was Java Applets, a system that allowed website authors to include precompiled Java classfiles on their site. When the user views the embedding page, the browser sends that code to the Java Virtual Machine (JVM) installed on the user’s computer for execution.
In order to keep things secure, Java used a permission system to control what running code could and couldn’t do. Desktop applications were executed with all permissions by default, while Java applets ran with a very restrictive policy that prevented stuff like accessing the user’s local files.
Unfortunately, applets were still plagued with security vulnerabilities. One issue is that most of the Java runtime library is itself implemented in Java. Trusted and untrusted code run side by side in the same VM, with the only thing separating them being the permission system and visibility modifiers (public, protected, private, etc.)
This means that a bug anywhere in the JVM or standard libraries is liable to become a security vulnerability. Additionally, the attack surface is huge. The Java 7 runtime included over 17,000 classes, a lot of places for bugs to creep in.
https://blog.polybdenum.com/2021/05/05/how-i-hacked-google-app-engine-anatomy-of-a-java-bytecode-exploit.html
#google #app #engine #hacked #java #bytecode #exploit
Facebook’s Nextdoor-clone Neighborhoods is coming soon to four US cities
It’s already available across Canada
Facebook, which never saw a social network it couldn’t copy, says its Nextdoor-clone Neighborhoods is now available across Canada and is coming soon to four US cities. According to CNET, the US locations being targeted are Charlotte, North Carolina; San Diego, California; Baton Rouge, Louisiana; and Newark, New Jersey.
Like Nextdoor, Neighborhoods is all about corralling geographically-defined groups of users into a single space to discuss local goings-on. Facebook says users should be able to get to know neighbors, ask for recommendations for the best coffee shops or locksmiths, and organize local events. Users can also create splinter groups specific to their interests.
https://www.theverge.com/2021/5/5/22420597/facebook-nextdoor-clone-neighborhoods-canada-us-cities-launch
#facebook #DeleteFacebook #nextdoor #clone #neighborhoods #usa #canada
Russia’s plot to control the Internet is no longer a secret
Russia’s campaign to control the Internet isn’t just a secret intelligence gambit any longer. It’s an explicit goal, proclaimed by Russian President Vladimir Putin as a key element of the Kremlin’s foreign policy.
Putin complained during his annual address to the Russian federal assembly on April 21 that the United States and other western countries are “stubbornly rejecting Russia’s numerous proposals to establish an international dialogue on information and cybersecurity. We have come up with these proposals many times. They avoid even discussing this matter.”
Asking for “international dialogue” takes some nerve, coming from the world’s biggest cyberbully — a country that notoriously meddled in the 2016, 2018 and 2020 U.S. elections, and has engaged in similar Internet mischief throughout the world. Controlling the “information space,” as the Russians sometimes call it, has long been an intelligence priority for Moscow.
Russia is waging its cyberdiplomacy offensive on two fronts: First, the United Nations has embraced Russia’s proposal to write a new treaty governing cybercrime, to replace the 2001 Budapest convention that Moscow rejected because it was too intrusive. And second, Russia is lobbying for its candidate to head the U.N.’s International Telecommunications Union (ITU) and use it to supplant the current private group, known as ICANN, that coordinates Internet addresses.
These international regulatory battles sound obscure, but they will help determine who writes the rules for Internet communications for the rest of the 21st century. The fundamental question is whether the governance process will benefit authoritarian states that want to control information or the advocates of openness and freedom.
https://telegra.ph/Opinion--Russias-plot-to-control-the-Internet-is-no-longer-a-secret-05-05
via www.washingtonpost.com
#opinion #russia #putin #plot #control #internet
Telegraph
Opinion | Russia’s plot to control the Internet is no longer a secret
Secretary of State Antony Blinken stressed on Tuesday the importance of this contest. “There are relatively few items that are ultimately going to have a greater impact on the lives of people around the world than the ITU post. It may seem dry and esoteric…
This massive DDoS attack took large sections of a country's internet offline
More than 200 organisations across Belgium including the government and parliament were affected by a DDoS attack that overwhelmed them with bad traffic.
A massive distributed denial of service (DDoS) attack took down the websites of more than 200 organisations across Belgium, including government, parliament, universities and research institutes.
The DDoS attack started at 11am on Tuesday 4 May and overwhelmed the web sites with traffic, rendering their public-facing sites unusable for visitors, while the attack overwhelmed internal systems, cutting them off from the internet.
The attack targeted Belnet, the government-funded ISP provider for the country's educational institutions, research centres, scientific institutes and government services – including government ministries and the Belgian parliament. Some debates and committee meetings had to be postponed as users couldn't access the virtual services required to take part.
https://www.zdnet.com/article/this-massive-ddos-attack-took-large-sections-of-a-countrys-internet-offline/
#ddos #attack #belgium
Peloton’s leaky API let anyone grab riders’ private account data
But the company won't say if it has evidence of malicious exploitation
Halfway through my Monday afternoon workout last week, I got a message from a security researcher with a screenshot of my Peloton account data.
My Peloton profile is set to private and my friend’s list is deliberately zero, so nobody can view my profile, age, city, or workout history. But a bug allowed anyone to pull users’ private account data directly from Peloton’s servers, even with their profile set to private.
Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes.
As Biden was inaugurated (and his Peloton moved to the White House — assuming the Secret Service let him), Jan Masters, a security researcher at Pen Test Partners, found he could make unauthenticated requests to Peloton’s API for user account data without it checking to make sure the person was allowed to request it. (An API allows two things to talk to each other over the internet, like a Peloton bike and the company’s servers storing user data.)
But the exposed API let him — and anyone else on the internet — access a Peloton user’s age, gender, city, weight, workout statistics and, if it was the user’s birthday, details that are hidden when users’ profile pages are set to private.
Masters reported the leaky API to Peloton on January 20 with a 90-day deadline to fix the bug, the standard window time that security researchers give to companies to fix bugs before details are made public.
https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak
#peloton #leak #api #private #account #data #exploitation
Report on University of Minnesota Breach-of-Trust Incident
On April 20, 2021, in response to the perception that a group of University of Minnesota (UMN) researchers had resumed sending compromised code submissions to the Linux kernel, Greg Kroah-Hartman asked the community to stop accepting patches from UMN and began a re-review of all submissions previously accepted from the University.
This report summarizes the events that led to this point, reviews the "Hypocrite Commits" paper that had been submitted for publication, and reviews all known prior kernel commits from UMN paper authors that had been accepted into our source repository.
https://lwn.net/ml/linux-kernel/202105051005.49BFABCE@keescook/
#linux #kernel #university #minnesota #breach #trust
This morning, I was locked out of my Google account
I chatted with Google support to see if they could help me. This is a genuine live chat with Google support:
https://nitter.pussthecat.org/RaveofRavendale/status/1389507928269393921/
#google #DeleteGoogle
Nitter
Mike Rose (@RaveofRavendale)
How to Build an Egalitarian, Decentralized Search Engine Part 1: The Principles
Search is dead. So how do we revive it, without billions of dollars in funding and massive computing resources? We leverage the crowd.
We need a functioning search engine if the open web is to prevail. Google and its competitors do not care to make a decent product. It counters their business goals. So we have to build it ourselves.
https://chapra.blog/how-to-build-a-search-engine-part-1-374/
#search #engine #build #howto #decentralized
Active BGP-based Traceback for Amplification DDoS Attacks
This talk covers reflective DDoS, which lets attackers hide behind IP spoofing, and explores how BGP poisoning can help to trace back these attacks.
Errata: Contrary to the statement on slide 30, the resulting graphs are only rooted and directed, but not necessarily acyclical. Yet they still provide all required properties.
https://media.ccc.de/v/vnog-11-bgpeek-a-boo-active-bgp-based-tr
#ccc #vnog #bgp #traceback #ddos #attack #video
📽@cRyPtHoN_INFOSEC_FR
📽@cRyPtHoN_INFOSEC_EN
📽@cRyPtHoN_INFOSEC_DE
📽@BlackBox_Archiv
📽@NoGoolag
White House launches new artificial intelligence website
The White House has launched a new website, AI.gov, to make artificial intelligence research more accessible across the nation, Axios has learned.
Why it matters: The U.S. once led significantly in the global artificial intelligence race, but now risks being overtaken by China. This is one step the White House is taking to drum up excitement for AI and broaden educational opportunities in the field.
What’s on the site: The website's target audience is the general public, and its purpose is to make public information available on AI more visible to someone like a teacher or student interested in science.
https://www.axios.com/white-house-artificial-intelligence-website-61609ea0-f4ce-4fa4-af48-d60c85bc9519.html
https://telegra.ph/The-National-Artificial-Intelligence-Initiative-NAII-National-Artificial-Intelligence-Initiative-05-06
via www.ai.gov
#usa #wh #artificial #intelligence #website
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Scammer Used Fake Court Order to Take Over Dark Web Drug Market Directory
Dark.fail includes links to dark web markets. A scammer tricked a domain registrar into transferring ownership of the domain with a fake document.
A scammer used a fake court order to convince a domain registrar to transfer ownership of a domain that lists dark web drug markets, and then used that to point the sites to their own copies of the markets designed to steal people's bitcoin.
Hackers often make lookalike sites of dark web markets, but the use of a fake court order is unusual. It bears some similarity to how scammers use fake trademarks to convince Instagram to transfer ownership of valuable usernames.
"I had 2FA and PGP enabled on that account. I am not an idiot when it comes to security," Dark Fail, the pseudonymous admin of the site dark.fail which was a victim of the hijacking, told Motherboard during the account takeover late last week.
https://www.vice.com/en/article/qj8833/dark-fail-fake-court-order-dark-web-markets
#scammer #darkfail #phishing #darknet
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
I'm seeing a lot of people FOMO quit their jobs to join "crypto", probably out of some over-romanticized view of what goes on in these projects. Let me illuminate you about what actually happens:
https://nitter.pussthecat.org/jonsyu/status/1389635626698297344
via Twitter
#bitcoin #thinkabout
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Attorney General James Issues Report Detailing Millions of Fake Comments, Revealing Secret Campaign to Influence FCC’s 2017 Repeal of Net Neutrality Rules
Multi-Year Investigation Into 2017 Net Neutrality Rulemaking Finds 18 Million Fake Comments Filed with FCC, Half a Million Fake Letters Sent to Congress
Broadband Industry Funded Six Companies That Engaged in Illegal Activity and Impersonated Millions of Americans
NEW YORK – New York Attorney General Letitia James today released a report detailing the results of her office’s wide-ranging investigation into fake, public comments submitted to the Federal Communications Commission (FCC) in a 2017 proceeding to repeal net neutrality rules. Net neutrality prohibits broadband providers from blocking, slowing down, or charging companies to prioritize certain content on the internet. Attorney General James’ investigation uncovered widespread fraud, as well as abusive practices used to sway government policy — using masses of comments and messages to create the false impression of popular support. Additionally, Attorney General James today resolved investigations into three companies that contributed to the millions of fake comments submitted in the 2017 net neutrality proceeding.
“Americans’ voices are being drowned out by masses of fake comments and messages being submitted to the government to sway decision-making,” said Attorney General James. “Instead of actually looking for real responses from the American people, marketing companies are luring vulnerable individuals to their websites with freebies, co-opting their identities, and fabricating responses that giant corporations are then using to influence the policies and laws that govern our lives. But, today, we are taking action to root out this fraud and the impersonation that has been corrupting the process for far too long.”
https://telegra.ph/Attorney-General-James-Issues-Report-Detailing-Millions-of-Fake-Comments-Revealing-Secret-Campaign-to-Influence-FCCs-2017-Repeal-05-06
via ag.ny.gov
#report #fake #comments #influence #campaign #net #neutrality
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
IRS Now Seeks Identities of American Cryptocurrency Traders
IRS wants to tax owners of cryptocurrency.
A federal court in the Northern District of California has authorized the United States Internal Revenue Service (IRS) to identify taxpayers that have used a cryptocurrency exchange. In particular, the IRS wants to know about taxpayers who conducted at least $20,000 in crypto transactions from 2016 to 2020.
Cryptocurrencies were originally designed to be an anonymous payment method that could not be regulated by governments. But as they have become a widespread payment instrument as well as an investment asset for those who want to protect their savings and/or make some additional money, they quickly emerged on the radar of tax-collecting agencies, such as the IRS. Although crypto transactions are still anonymous, the process of buying or selling cryptocurrencies is not. To that end, it is not surprising that the IRS wants to know about U.S. taxpayers who used cryptocurrencies in the past few years.
For now, the court in California authorized the IRS to identify Americans who have used the services of Payward Ventures Inc. and its subsidiaries, such as Kraken, a digital currency exchange headquartered in San Francisco, California. The IRS is seeking information about taxpayers who conducted at least the equivalent of $20,000 in transactions. Meanwhile, on April 1, 2021, a federal court in the District of Massachusetts granted an order for the IRS to serve a similar John Doe summons on Circle, an exchange from Boston. In the future, the IRS may be authorized to identify customers of other crypto exchanges.
https://www.tomshardware.com/news/irs-now-seeks-identities-of-american-cryptocurrency-traders
https://telegra.ph/Court-Authorizes-Service-of-John-Doe-Summons-Seeking-Identities-of-US-Taxpayers-Who-Have-Used-Cryptocurrency-05-06
via www.justice.gov
#irs #usa #cryptocurrency #traders #taxes #taxpayers
📡@cRyPtHoN_INFOSEC_FR
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@BlackBox_Archiv
📡@NoGoolag
Profil3r
Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses. This program also alerts you to the presence of a data leak for the found emails.
‼️ For educational purposes only
https://github.com/Rog3rSm1th/Profil3r
#educational #profil3r #osint #tool #social #networks #email
📡 @nogoolag 📡 @blackbox_archiv
Answering Europe’s Call: Storing and Processing EU Data in the EU
Today we are announcing a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data storage commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s core cloud services – Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud.
The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers that want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months, including adjustments that are needed in unique circumstances like cybersecurity, and we will move forward in a way that is responsive to their feedback.
Microsoft cloud services already comply with or exceed EU guidelines even before the plan we’re announcing today. We already provide commercial and public sector customers the choice to have data stored in the EU, and many Azure cloud services can already be configured to process data in the EU as well. In addition, we use world-class encryption and robust lockbox solutions that meet current regulatory guidance. Many of our services put control of customer data encryption in customers’ hands through the use of customer-managed keys, and we defend our customers’ data from improper access by any government in the world.
https://blogs.microsoft.com/eupolicy/2021/05/06/eu-data-boundary/
#microsoft #eu #data #boundary
📡 @nogoolag 📡 @blackbox_archiv