Miscellaneous Tech News
-
ProtonMail removed “we do not keep any IP logs” from its privacy policy
Swiss courts compelled it to log and disclose a user's IP and browser fingerprint.
This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist's IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service's policies, which as recently as last week stated that "by default, we do not keep any IP logs which can be linked to your anonymous email account." After providing the activist's metadata to Swiss authorities, ProtonMail removed the section that had promised no IP logs, replacing it with one saying, "ProtonMail is email that respects privacy and puts people (not advertisers) first."
-
@mlnews said in Miscellaneous Tech News:
ProtonMail removed “we do not keep any IP logs” from its privacy policy
Swiss courts compelled it to log and disclose a user's IP and browser fingerprint.
This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist's IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service's policies, which as recently as last week stated that "by default, we do not keep any IP logs which can be linked to your anonymous email account." After providing the activist's metadata to Swiss authorities, ProtonMail removed the section that had promised no IP logs, replacing it with one saying, "ProtonMail is email that respects privacy and puts people (not advertisers) first."
I guess I can't really blame them, as I'm sure they have to keep something for some duration, even a microsecond... which is likely how the lawyers forced this.
Just kind of disappointing
-
https://www.apple.com/child-safety/
Update as of September 3, 2021: Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.
so they are delaying it - but likely not stopping it.
-
@dashrender said in Miscellaneous Tech News:
so they are delaying it - but likely not stopping it.
And changing the process. For better or worse, we shall see.
Nothing wrong with the purpose. Everything wrong with how they were doing it.
-
@jaredbusch said in Miscellaneous Tech News:
@dashrender said in Miscellaneous Tech News:
so they are delaying it - but likely not stopping it.
And changing the process. For better or worse, we shall see.
Nothing wrong with the purpose. Everything wrong with how they were doing it.
I believe that they only committed to maybe changing the process after evaluating it some more.
-
@dashrender said in Miscellaneous Tech News:
https://www.apple.com/child-safety/
Update as of September 3, 2021: Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.
so they are delaying it - but likely not stopping it.
Right. As of right now, nothing is officially changing except for the implementation date.
Which means for me, nothing is changing in my plans to not buy any more of that hardware because until they provide assurances that they won't start spying on me and my kids, I'm done with them. I appreciate the need to bow to unrelenting government pressures and threats, but that's why open source matters. Going closed source put them at risk of this and they have to live with the consequences of that decision, good or bad.
-
WhatsApp “end-to-end encrypted” messages aren’t that private after all
Millions of WhatsApp messages are reviewed by both AI and human moderators.
Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement. This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."
-
@mlnews said in Miscellaneous Tech News:
WhatsApp “end-to-end encrypted” messages aren’t that private after all
Millions of WhatsApp messages are reviewed by both AI and human moderators.
Yesterday, independent newsroom ProPublica published a detailed piece examining the popular WhatsApp messaging platform's privacy claims. The service famously offers "end-to-end encryption," which most users interpret as meaning that Facebook, WhatsApp's owner since 2014, can neither read messages itself nor forward them to law enforcement. This claim is contradicted by the simple fact that Facebook employs about 1,000 WhatsApp moderators whose entire job is—you guessed it—reviewing WhatsApp messages that have been flagged as "improper."
I saw this one, and Ars Technica needs a huge slap for not just a clickbait title, but flat-out lying.
The messages are 100% private in the same way any other message is. The article even mentions how they are so private that the recipient has to COPY the message to a non-secure channel and send it again (e.g. copy/paste essentially) to let someone else see it. Because the privacy is very, very private on WhatsApp.
-
Apple dealt major blow in Epic Games trial
Apple has been dealt a major blow in its ongoing trial against Fortnite-maker Epic Games.
A court in Oakland, California has ruled that Apple cannot stop app developers directing users to third-party payment options. Apple had argued that all apps should use Apple's own in-app payment options. But Epic Games challenged the up-to-30% cut Apple takes from purchases and argued that the App Store was a monopoly. On Friday, Judge Yvonne Gonzalez-Rogers issued a permanent injunction that said Apple could no longer prohibit developers linking to their own purchasing mechanisms. For example, a movie-streaming service will now be able to tell customers to subscribe via their own website, without using Apple's in-app purchasing mechanism. Epic had argued that this was unreasonable, and that the company should be able to inform users that they could make purchases away from the App Store. Epic has also taken legal action against Google over its Play Store.
-
@mlnews said in Miscellaneous Tech News:
Apple dealt major blow in Epic Games trial
Apple has been dealt a major blow in its ongoing trial against Fortnite-maker Epic Games.
A court in Oakland, California has ruled that Apple cannot stop app developers directing users to third-party payment options. Apple had argued that all apps should use Apple's own in-app payment options. But Epic Games challenged the up-to-30% cut Apple takes from purchases and argued that the App Store was a monopoly. On Friday, Judge Yvonne Gonzalez-Rogers issued a permanent injunction that said Apple could no longer prohibit developers linking to their own purchasing mechanisms. For example, a movie-streaming service will now be able to tell customers to subscribe via their own website, without using Apple's in-app purchasing mechanism. Epic had argued that this was unreasonable, and that the company should be able to inform users that they could make purchases away from the App Store. Epic has also taken legal action against Google over its Play Store.
Good news!
-
Apple Issues Emergency Security Updates to Close a Spyware Flaw
Researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had infected Apple products without so much as a click.
FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild
-
Apple releases fix for zero-click vulnerability in all Apple devices
If you haven't seen it, update your Apple gear now. A zero-click exploit has been discovered, created by NSO, that allows for zero-click ownership of any Apple device.
-
Apple issues urgent iPhone software update to address critical spyware vulnerability
If you still haven't seen it, update your Apple devices!
-
TikTok faces privacy investigations by EU watchdog
TikTok is under investigation by The Irish Data Protection Commission (DPC) - its lead regulator in the EU - over two privacy-related issues.
The watchdog is looking into its processing of children's personal data, and whether TikTok is in line with EU laws about transferring personal data to other countries, such as China. TikTok said privacy was "our highest priority". The Irish DPC said it was specifically looking into GDPR-related issues. These are the EU privacy laws which can potentially lead to enormous fines of up to 4% of a company's global turnover. It said the first inquiry would examine "the processing of personal data... for users under age 18, and age verification measures for persons under 13". It will also look into how transparent TikTok has been about how it processes such data.
-
Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.
-
@mlnews said in Miscellaneous Tech News:
Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.
That's not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.
Guessing they used that term since it's hot news right now.
-
@stacksofplates said in Miscellaneous Tech News:
@mlnews said in Miscellaneous Tech News:
Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.
That's not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.
Guessing they used that term since it's hot news right now.
Yeah - like calling everything a zero day exploit when it's not.
-
@stacksofplates said in Miscellaneous Tech News:
@mlnews said in Miscellaneous Tech News:
Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.
That's not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.
Guessing they used that term since it's hot news right now.
I wonder if that isn't a supply chain attack anyway. Private repo or not shouldn't make a difference in that determination. "Private" is just private in the sense that you have to be invited to contribute.
What makes it a supply chain attack is that the hacker didn't attack any production servers. He attacked the software supply chain by injecting malicious code in their repository. Which eventually got deployed and ended up running.
If he had gained access to production servers somehow and made the exact same changes on the software running, it would not have been a supply chain attack.
Don't know how the Sushi thing works, but they say it's community-driven and decentralized, which sounds like the malicious code might have ended up deployed in many places.
-
@pete-s said in Miscellaneous Tech News:
@stacksofplates said in Miscellaneous Tech News:
@mlnews said in Miscellaneous Tech News:
Cryptocurrency launchpad hit by $3 million supply chain attack
SushiSwap's MISO launchpad hacked via a malicious GitHub commit.
SushiSwap's chief technology officer says the company's MISO platform has been hit by a software supply chain attack. SushiSwap is a community-driven decentralized finance (DeFi) platform that lets users swap, earn, lend, borrow, and leverage cryptocurrency assets all from one place. Launched earlier this year, Sushi's newest offering, Minimal Initial SushiSwap Offering (MISO), is a token launchpad that lets projects launch their own tokens on the Sushi network. Unlike cryptocurrency coins that need a native blockchain and substantive groundwork, DeFi tokens are an easier alternative to implement, as they can function on an existing blockchain. For example, anybody can create their own "digital tokens" on top of the Ethereum blockchain without having to recreate a new cryptocurrency altogether.
That's not really a supply chain attack. It sounds like someone who had access to contribute to their private repo committed malicious code that wasn't reviewed.
Guessing they used that term since it's hot news right now.
I wonder if that isn't a supply chain attack anyway. Private repo or not shouldn't make a difference in that determination. "Private" is just private in the sense that you have to be invited to contribute.
What makes it a supply chain attack is that the hacker didn't attack any production servers. He attacked the software supply chain by injecting malicious code in their repository. Which eventually got deployed and ended up running.
If he had gained access to production servers somehow and made the exact same changes on the software running, it would not have been a supply chain attack.
Don't know how the Sushi thing works, but they say it's community-driven and decentralized, which sounds like the malicious code might have ended up deployed in many places.
It's not that it's a private repo. It's that the person was allowed to modify the code base. Supply chain isn't opening a PR to a project and having it approved, that's just insider malicious coding.
-
@mlnews said in Miscellaneous Tech News:
TikTok faces privacy investigations by EU watchdog
TikTok is under investigation by The Irish Data Protection Commission (DPC) - its lead regulator in the EU - over two privacy-related issues.
The watchdog is looking into its processing of children's personal data, and whether TikTok is in line with EU laws about transferring personal data to other countries, such as China. TikTok said privacy was "our highest priority". The Irish DPC said it was specifically looking into GDPR-related issues. These are the EU privacy laws which can potentially lead to enormous fines of up to 4% of a company's global turnover. It said the first inquiry would examine "the processing of personal data... for users under age 18, and age verification measures for persons under 13". It will also look into how transparent TikTok has been about how it processes such data.
I'd be okay if TikTok was blocked by every ISP - and every (TikTok) server combusted...