#privacy

prplcdclnw@diasp.eu

TunnelVision: Decloaking Routing-Based VPNs

CVE-2024-3661

If you want to be safe, don't get DHCP service from anything but your own router. Don't connect to public WiFi anywhere. If you need to use a local network you don't control, connect your router to it and connect your device to your router so you get DHCP service from your router, not someone else's. It's also important that only your devices be allowed to connect to your router.

https://github.com/leviathansecurity/TunnelVision

TunnelVision is a local network VPN leaking technique that allows an attacker to read, drop, and sometimes modify VPN traffic from a targets (sic) on the local network. This technique does not activate kill-switches and does not have a full fix for every major operating system. We are using the built-in and widely supported feature DHCP option 121 to do this.

Option 121 supports installing multiple routes with CIDR ranges. By installing multiple /1 routes an attacker can leak all traffic of a targeted user, or an attacker might choose to leak only certain IP addresses for stealth reasons. We're calling this effect decloaking.

TunnelVision has been theoretically exploitable since 2002, but has gone publicly unnoticed as far as we can tell. For this reason, we are publishing broadly to make the privacy and security industry aware of this capability. In addition, the mitigation we've observed from VPN providers renders a VPN pointless in public settings and challenges VPN providers' assurances that a VPN is able to secure a user's traffic on untrusted networks.

A fix is available on Linux when configuring the VPN users host to utilize network namespaces. However, we did not encounter its use outside of our own research. The best documentation we've found about that fix is available from WireGuard's team. It remains unclear, at the time of publishing, whether this fix or a similar fix is also possible on other operating systems such as Windows and MacOS due to neither appearing to have support for network namespaces.

#security #safety #privacy #surveillance #spying #vpn #vpns #virtual-private-network #virtual-private-networks #tunnelvision
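The mechanism the README describes, as an added illustration that is not code from Leviathan's TunnelVision repository: the script below encodes and decodes DHCP option 121 (the RFC 3442 classless static route option), then runs a plain longest-prefix-match lookup to show why two /1 routes pushed by a rogue DHCP server win over a VPN's 0.0.0.0/0 default route, and why a single /32 "stealth" route leaks only one destination. The route table, the interface names `tun0` and `eth0`, the gateway 192.0.2.1 and the sample destinations are all constructed for the example; it assumes the VPN's default route sits in the same table that DHCP routes land in, which real clients (policy routing, fwmark rules, split tunnels) do not all do.

```python
"""Added example: DHCP option 121 (RFC 3442) encode/decode plus a longest-prefix-match
lookup showing how DHCP-pushed routes shadow a VPN default route.
Not code from the TunnelVision repository; route table and addresses are constructed."""
import ipaddress

OPTION_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442 option code


def encode_option_121(routes):
    """Encode (destination CIDR, gateway) pairs as one option-121 TLV.

    Per RFC 3442 each route is: 1 byte prefix length, ceil(prefix/8) significant
    destination bytes, then the 4-byte router address.
    """
    body = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.IPv4Address(gateway).packed
    if len(body) > 255:
        raise ValueError("option 121 payload exceeds one DHCP option (255 bytes)")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(body)]) + bytes(body)


def decode_option_121(option):
    """Parse an option-121 TLV into a list of (IPv4Network, IPv4Address gateway)."""
    if len(option) < 2 or option[0] != OPTION_CLASSLESS_STATIC_ROUTE:
        raise ValueError("not an option 121 TLV")
    length = option[1]
    payload = option[2:2 + length]
    if len(payload) != length:
        raise ValueError("truncated option")
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError("invalid prefix length %d" % prefixlen)
        significant = (prefixlen + 7) // 8
        dest_bytes = payload[i:i + significant]
        gateway = payload[i + significant:i + significant + 4]
        if len(dest_bytes) != significant or len(gateway) != 4:
            raise ValueError("route entry runs past end of option")
        i += significant + 4
        dest = int.from_bytes(dest_bytes.ljust(4, b"\x00"), "big")
        # strict=False mirrors a client that masks off stray host bits
        net = ipaddress.IPv4Network((dest, prefixlen), strict=False)
        routes.append((net, ipaddress.IPv4Address(gateway)))
    return routes


# Constructed routing table: VPN default route plus the local LAN (assumption).
VPN_TABLE = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "tun0"),
    (ipaddress.IPv4Network("192.0.2.0/24"), "eth0"),
]


def select_route(table, destination):
    """Longest-prefix match over [(IPv4Network, interface)]; returns the interface."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def decloaked_prefixes(vpn_table, option):
    """Return the DHCP-pushed prefixes that steer traffic off the tunnel.

    Every option-121 route is installed via the physical interface (eth0 here);
    a prefix is 'decloaked' if its traffic used tun0 before and no longer does.
    """
    lan_routes = [(net, "eth0") for net, _gw in decode_option_121(option)]
    leaked = []
    for net, _iface in lan_routes:
        probe = net.network_address  # representative destination inside the prefix
        before = select_route(vpn_table, probe)
        after = select_route(vpn_table + lan_routes, probe)
        if before == "tun0" and after != "tun0":
            leaked.append(net)
    return leaked


if __name__ == "__main__":
    # Full decloak: two /1 routes cover the whole address space with prefix > 0.
    attack = encode_option_121([("0.0.0.0/1", "192.0.2.1"), ("128.0.0.0/1", "192.0.2.1")])
    print("option 121 bytes:", attack.hex())
    for net, gw in decode_option_121(attack):
        print("  route %s via %s" % (net, gw))
    print("decloaked:", decloaked_prefixes(VPN_TABLE, attack))
    # Stealth decloak: only one host is pulled off the tunnel.
    stealth = encode_option_121([("198.51.100.7/32", "192.0.2.1")])
    print("stealth decloak:", decloaked_prefixes(VPN_TABLE, stealth))
```

The encoder's 255-byte limit is a real constraint for anyone auditing leases: a single option 121 holds at most about 36 /1-or-/8-style routes, so a DHCP server that hands out long route lists is easy to spot in a capture, whereas the two-route full decloak is fourteen bytes.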

danie10@squeet.me

4 Tools to Share Large Files Over the Internet Securely

Tux penguin in foreground with a representation of a file manager icon behind it.
These are privacy respecting tools to consider. But what signifies as a big file? Any file that you cannot seem to send through an encrypted messaging app like Signal or Telegram’s secret chat. Ideally, it should be anything more than 1 GB.

Internxt is probably the most convenient, being online, whilst an option like OnionShare is fully peer-to-peer but then does require the app to be installed at both ends (but is available for all generally used platforms).

See itsfoss.com/share-large-files-…
#Blog, #filesharing, #opensource, #privacy, #technology

psych@diasp.org

Hm... On "euthanizing G-Mail" (&/or Google et al)

Opinion | Happy 20th Anniversary, Gmail. I’m Sorry I’m Leaving You. (Ezra Klein)

When Google unveiled Gmail 20 years ago, everyone wanted in — but you needed an invite, our Opinion columnist Ezra Klein writes. He remembers the thrill of finding one: “I felt lucky. I felt chosen.”

"There is no end of theories for why the internet feels so crummy these days. The New Yorker blames the shift to algorithmic feeds. Wired blames a cycle in which companies cease serving their users and begin monetizing them. The M.I.T. Technology Review blames ad-based business models. The Verge blames search engines. I agree with all these arguments. But here’s another: Our digital lives have become one shame closet after another."

#GMail #Google #privacy #algorithms #DataScraping #monetizing #GoogleIsEvil #technology

berternste2@diasp.nl

EU Council under fire over controversial, privacy-violating anti-child-pornography law

De Volkskrant

That children must be protected on the internet is beyond dispute for the EU. Nevertheless, a legislative proposal from the Council of the European Union is meeting fierce criticism, because it would allow surveillance software to be installed on the phones of all Europeans.

(Text continues below the photo.)

Photo of an anti-child-pornography poster
A government campaign drawing attention to the (online) distribution of child pornography. Image: Harold Versteeg/ANP.

In 2023 the scientists had already sent an open letter to the Council criticising the proposal, but the Council has not taken their warnings about large-scale surveillance and privacy violations to heart, more than 250 signatories write on Thursday in a second letter. The Council still wants to install AI applications on Europeans' phones to detect whether someone is, for example, making inappropriate contact with minors on WhatsApp or sharing harmful material.

This technology, called client-side scanning, infringes on privacy and can wrongly brand innocent EU citizens as criminals, according to scientists, the Meldpunt Kinderporno (the Dutch child-pornography hotline) and the Tweede Kamer (the Dutch House of Representatives). The European Parliament agrees, and drew up a counter-proposal aimed at preventing rather than detecting child abuse. (...)

Full article

> See also: Yesilgöz, koningin van de onderbuik (Yesilgöz, queen of gut feeling). Quote:
"The most important objection among a whole series, however, is that there is no guarantee whatsoever that client-side scanning will only be used for the detection of child pornography. Not without reason, the Tweede Kamer adopted a motion calling on the cabinet to vote against all client-side scanning proposals from the European Commission. But Yesilgöz, queen of gut feeling, trusts her feelings more than the experts, and set the motion aside."

Tags: #nederlands #nederland #kinderporno #client_side_scanning #censuur #privacy #kinderporno #europese_commissie #eu #europese_unie #vvd #tweede_kamer #massasurveillance

caos@anonsys.net

📲 "Data-frugal Android with the Android Debug Bridge" ("Datensparsames Android mit der Android Debug Bridge") & "Getting rid of Google apps and other bloatware with the 'Universal Android Debloater Next Generation'" ("Google-Apps und weitere Bloatware loswerden mit dem 'Universal Android Debloater Next Generation'")

For those running Android devices on which they cannot (or do not want to) install a custom ROM, here are two gnulinux.ch articles on how even a stock Android can be run in a largely data-frugal way without root, and how Google apps and other bloatware can be removed:

In the first part of the article series "Data-frugal Android with the Android Debug Bridge", Matthias describes "the attempt to get as close as possible to the privacy level of the better Android custom ROMs by reconfiguring Android with the Android Debug Bridge (ADB), without root. It is the first part of a series expected to run to three parts. The first part demonstrates the approach on a current Samsung Android (stock ROM) with Android 14." and shows "how, with the help of the Android Debug Bridge (ADB) and a few device-administration apps, even a preinstalled stock ROM can be rebuilt to be more or less privacy-friendly".

Google services frozen in Shelter

As a complement, in the article "Getting rid of Google apps and other bloatware with the Universal Android Debloater Next Generation" I presented one of the tools that exposes Android Debug Bridge functions through a graphical front end. With it, Google apps and other bloatware such as manufacturer and advertising apps can be removed from Google-laden Androids in a relatively simple way.

Interface of the Universal Android Debloater

#Android #Google #Datenschutz #Privacy #Samsung #ADB #Bloatware #UniversalAndroidDebloater #FDroid #CustomROM #RethinkDNS #Shelter

@Datenschutz - Privacy - Digitale Selbstverteidigung
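The no-root removal the two articles describe boils down to the stock `pm` commands reachable over `adb shell`. The script below is an added example, not code from the gnulinux.ch articles or from the Universal Android Debloater: it filters the device's package list against a denylist, prints (or applies) a per-user uninstall for each hit, and prints the matching restore commands. The denylist entries are constructed illustrative package names; it assumes USB debugging is enabled and `adb devices` shows exactly one device. It uses `pm uninstall -k --user 0` rather than a system-wide uninstall because that needs no root and is reversible with `pm install-existing`; removing a package the launcher, dialer or setup wizard depends on can still leave the device unusable, so review the plan before applying it.

```sh
#!/bin/sh
# Added example (not from the gnulinux.ch articles): reversible, no-root debloating
# for the primary Android user via `adb shell pm ...`.
# Assumption: USB debugging enabled, one device attached.
set -e

# Constructed denylist of package names to remove for user 0. Adjust per device;
# never list packages the launcher, phone app or setup wizard depends on.
DENYLIST='
com.facebook.katana
com.facebook.services
com.google.android.apps.tachyon
com.samsung.android.app.spage
'

# stdin: raw `pm list packages` output ("package:<name>" lines, possibly CRLF);
# stdout: the denylisted package names that are actually present, in device order.
select_targets() {
    tr -d '\r' | sed -n 's/^package://p' | while IFS= read -r pkg; do
        for wanted in $DENYLIST; do
            if [ "$pkg" = "$wanted" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# stdin: package names; stdout: commands that remove each one for user 0 only,
# keeping its data (-k), so the system image itself is untouched.
plan_removal() {
    while IFS= read -r pkg; do
        printf 'adb shell pm uninstall -k --user 0 %s\n' "$pkg"
    done
}

# stdin: package names; stdout: commands that reinstall each one for user 0
# from the still-present system copy, reversing plan_removal.
plan_restore() {
    while IFS= read -r pkg; do
        printf 'adb shell pm install-existing --user 0 %s\n' "$pkg"
    done
}

main() {
    case "$1" in
        --plan)    adb shell pm list packages --user 0 | select_targets | plan_removal ;;
        --apply)   adb shell pm list packages --user 0 | select_targets | plan_removal | sh ;;
        # -u lists uninstalled-for-user packages too, so restore sees what --apply removed
        --restore) adb shell pm list packages -u --user 0 | select_targets | plan_restore | sh ;;
        *) echo "usage: $0 --plan | --apply | --restore" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run `--plan` first and read every line; `--apply` executes the same commands, and `--restore` puts the packages back for user 0 without reflashing anything.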

faab64@diasp.org

This is a cool update from the Signal app.

I didn't like sharing my telephone number with people, but now I can share faab.64 so people can contact me without giving them my phone number.

#SignalApp #Privacy

berternste2@diasp.nl

The US isn’t just reauthorizing its surveillance laws – it’s vastly expanding them

The Guardian

A little-known amendment to the reauthorized version of Fisa would enlarge the government’s surveillance powers to a drastic, draconian degree.

(Text continues underneath the photo.)

Photo of Capitol

The US House of Representatives agreed to reauthorize a controversial spying law known as Section 702 of the Foreign Intelligence Surveillance Act last Friday without any meaningful reforms, dashing hopes that Congress might finally put a stop to intelligence agencies’ warrantless surveillance of Americans’ emails, text messages and phone calls.

The vote not only reauthorized the act, though; it also vastly expanded the surveillance law enforcement can conduct. In a move that Senator Ron Wyden condemned as “terrifying”, the House also doubled down on a surveillance authority that has been used against American protesters, journalists and political donors in a chilling assault on free speech. (...)

Complete article

Tags: #surveillance #mass_surveillance #nsa #fisa #government_surveillance #spying_law #Foreign_Intelligence_Surveillance_Act #privacy #human_rights

danie10@squeet.me

A Privacy Policy: We do not display advertising on the website or app but…

I can't recall what this service was for as I don't find any login saved for it, but I was reading the updated privacy policy they sent me in an e-mail (looks like it may have been a service I tried a long time ago). It's very long and starts out quite well, but it was when I got to these paragraphs below that it really starts to worry me, as they are basically claiming all sorts of metadata will be passed on to online advertising networks, social media companies and other 3rd-party services, including GPS locations and click stream information. This includes for children 13 years and older. It's similar to what WhatsApp passes up to Meta, which made me drop WhatsApp like a hot potato, because of who that data gets passed to.

An extract: “Specifically, we permit third party online advertising networks, social media companies and other third-party services, to collect information about your use of the VERO Website over time so that they may play or display ads for our products and services on other websites or services you may use, and on other devices you may use. Typically, though not always, the information used for interest-based advertising is collected through tracking technologies, such as cookies, web beacons, embedded scripts, location-identifying technologies, and similar technology, which recognize the device you are using and collect information, including click stream information, browser type, time and date you visited the VERO Websites, AdID, and other similar information. If permitted by your device settings, they may also collect location data through GPS, Wi-Fi or other methods. We and our third-party partners use this information to make the advertisements you see online more relevant to your interests, as well as to provide advertising-related services such as reporting, attribution, analytics and market research. We may also use services provided by third parties (such as social media platforms) to serve targeted ads to you and others on such platforms.”

This extract could imply your data gets made available to data brokers even: “Please be aware that your Personal Information and communications may be transferred to and maintained on servers or databases located outside your state, province, or country. We store and process the information that we collect in the United States in accordance with this Privacy Policy though our Service Providers may store and process data outside the United States. The laws in the United States may not be as protective of your privacy as those in your location.”

Well, this is reassuring, that they don't "sell" the information: "We do not "sell" personal information as most people would typically understand that term. However, on certain portions of the VERO Website, we do allow certain third-party partners and providers to collect information about consumers directly through our services for purposes of analyzing and optimizing our services, displaying ads on third party sites, providing content and ads that are more relevant, measuring statistics and the success of ad campaigns, and detecting and reporting fraud. This practice may be interpreted to constitute a "sale" under the U.S. state privacy laws, or may constitute the "sharing" or processing of your personal information for cross-context behavioral advertising purposes."

They at least do expand here on selling: “We have “sold” or “shared” the following categories of personal information for the purposes described in our Privacy Policy, subject to your settings and preferences and your Right to Opt-Out: Identifiers, Commercial Information, and Internet/Network Information.”

This is what is stated about 3rd-party identity services: "VERO does not receive the biometric identifier generated from the images, however, for identity verification and security purposes, VERO will receive the results of the identity verification process, including the images of your ID and the results of the liveness check, as well as text extracted from the ID scan. We may use some or all of this information and associated information to verify your account."

And this: “We do not sell sensitive information, and we do not process or otherwise share sensitive information for the purpose of targeted advertising.” Except that this contradicts what was said earlier about targeted advertising! Because I understand “to make the advertisements you see online more relevant to your interests” to mean targeted advertising. Maybe relevant and targeted mean two different things?

We don’t always have time to read updated privacy policies, but many do contain these hidden gems, that quite frankly can put you off using such services. The sites of course are usually “free” to use, so are funded by advertisers who require these conditions to be in place.

One can see why so many then flock to the Fediverse and other decentralised platforms which are funded by volunteers. It's worth considering giving some small donations to these volunteer projects when they're keeping you free from invasive advertising and data collection policies.

From vero.co/privacy-policy
#Blog, #privacy, #technology

khobo4ka@pod.geraspora.de

According to the latest draft text of the controversial EU Child Sexual Abuse Regulation proposal leaked by the French news organization Contexte, which the EU member states discussed, the EU interior ministers want to exempt professional accounts of staff of intelligence agencies, police and military from the envisaged scanning of chats and messages (Article 1 (2a)). The regulation should also not apply to “confidential information” such as professional secrets (Article 1 (2b)). The EU governments reject the idea that the new EU Child Protection Centre should support them in the prevention of child sexual abuse and develop best practices for prevention initiatives (Article 43(8)).

“The fact that the EU interior ministers want to exempt police officers, soldiers, intelligence officers and even themselves from chat control scanning proves that they know exactly just how unreliable and dangerous the snooping algorithms are that they want to unleash on us citizens,” commented Pirate Party MEP Patrick Breyer.

https://www.patrick-breyer.de/en/leak-eu-interior-ministers-want-to-exempt-themselves-from-chat-control-bulk-scanning-of-private-messages/

It just keeps on crawling back time and time again like a freaking zombie

#chatcontrol #Chatkontrolle #chatcontrole #privacy #europe #democracy #surveillance