close
  • Sc chevron_right

    Websites that Collect Your Data as You Type

    news.movim.eu / Schneier · 2 days ago - 20:29 · 1 minute

A surprising number of websites include JavaScript keyloggers that collect everything you type as you type it, not just when you submit a form.

Researchers from KU Leuven, Radboud University, and University of Lausanne crawled and analyzed the top 100,000 websites, looking at scenarios in which a user is visiting a site while in the European Union and visiting a site from the United States. They found that 1,844 websites gathered an EU user’s email address without their consent, and a staggering 2,950 logged a US user’s email in some form. Many of the sites seemingly do not intend to conduct the data-logging but incorporate third-party marketing and analytics services that cause the behavior.

After specifically crawling sites for password leaks in May 2021, the researchers also found 52 websites in which third parties, including the Russian tech giant Yandex, were incidentally collecting password data before submission. The group disclosed their findings to these sites, and all 52 instances have since been resolved.

“If there’s a Submit button on a form, the reasonable expectation is that it does something — that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University’s digital security group and one of the leaders of the study. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”

Research paper .

  • Sc chevron_right

    Surveillance by Driverless Car

    news.movim.eu / Schneier · Thursday, 12 May - 18:44

San Francisco police are using autonomous vehicles as mobile surveillance cameras.

Privacy advocates say the revelation that police are actively using AV footage is cause for alarm.

“This is very concerning,” Electronic Frontier Foundation (EFF) senior staff attorney Adam Schwartz told Motherboard. He said cars in general are troves of personal consumer data, but autonomous vehicles will have even more of that data from capturing the details of the world around them. “So when we see any police department identify AVs as a new source of evidence, that’s very concerning.”

  • Sc chevron_right

    ICE Is a Domestic Surveillance Agency

    news.movim.eu / Schneier · Wednesday, 11 May - 14:24 · 1 minute

Georgetown has a new report on the highly secretive bulk surveillance activities of ICE in the US:

When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI. You might even think of a powerful police agency, such as the New York Police Department. But unless you or someone you love has been targeted for deportation, you probably don’t immediately think of Immigration and Customs Enforcement (ICE).

This report argues that you should. Our two-year investigation, including hundreds of Freedom of Information Act requests and a comprehensive review of ICE’s contracting and procurement records, reveals that ICE now operates as a domestic surveillance agency. Since its founding in 2003, ICE has not only been building its own capacity to use surveillance to carry out deportations but has also played a key role in the federal government’s larger push to amass as much information as possible about all of our lives. By reaching into the digital records of state and local governments and buying databases with billions of data points from private companies, ICE has created a surveillance infrastructure that enables it to pull detailed dossiers on nearly anyone, seemingly at any time. In its efforts to arrest and deport, ICE has — without any judicial, legislative or public oversight — reached into datasets containing personal information about the vast majority of people living in the U.S., whose records can end up in the hands of immigration enforcement simply because they apply for driver’s licenses; drive on the roads; or sign up with their local utilities to get access to heat, water and electricity.

ICE has built its dragnet surveillance system by crossing legal and ethical lines, leveraging the trust that people place in state agencies and essential service providers, and exploiting the vulnerability of people who volunteer their information to reunite with their families. Despite the incredible scope and evident civil rights implications of ICE’s surveillance practices, the agency has managed to shroud those practices in near-total secrecy, evading enforcement of even the handful of laws and policies that could be invoked to impose limitations. Federal and state lawmakers, for the most part, have yet to confront this reality.

  • Sc chevron_right

    Apple Mail Now Blocks Email Trackers

    news.movim.eu / Schneier · Monday, 9 May - 14:39

Apple Mail now blocks email trackers by default.

Most email newsletters you get include an invisible “image,” typically a single white pixel, with a unique file name. The server keeps track of every time this “image” is opened and by which IP address. This quirk of internet history means that marketers can track exactly when you open an email and your IP address, which can be used to roughly work out your location.

So, how does Apple Mail stop this? By caching. Apple Mail downloads all images for all emails before you open them. Practically speaking, that means every message downloaded to Apple Mail is marked “read,” regardless of whether you open it. Apples also routes the download through two different proxies, meaning your precise location also can’t be tracked.

Crypto-Gram uses Mailchimp, which has these tracking pixels turned on by default. I turn them off. Normally, Mailchimp requires them to be left on for the first few mailings, presumably to prevent abuse. The company waived that requirement for me.

  • Sc chevron_right

    Video Conferencing Apps Sometimes Ignore the Mute Button

    news.movim.eu / Schneier · Friday, 29 April - 14:18 · 1 minute

New research: “ Are You Really Muted?: A Privacy Analysis of Mute Buttons in Video Conferencing Apps “:

Abstract: In the post-pandemic era, video conferencing apps (VCAs) have converted previously private spaces — bedrooms, living rooms, and kitchens — into semi-public extensions of the office. And for the most part, users have accepted these apps in their personal space, without much thought about the permission models that govern the use of their personal data during meetings. While access to a device’s video camera is carefully controlled, little has been done to ensure the same level of privacy for accessing the microphone. In this work, we ask the question: what happens to the microphone data when a user clicks the mute button in a VCA? We first conduct a user study to analyze users’ understanding of the permission model of the mute button. Then, using runtime binary analysis tools, we trace raw audio in many popular VCAs as it traverses the app from the audio driver to the network. We find fragmented policies for dealing with microphone data among VCAs — some continuously monitor the microphone input during mute, and others do so periodically. One app transmits statistics of the audio to its telemetry servers while the app is muted. Using network traffic that we intercept en route to the telemetry server, we implement a proof-of-concept background activity classifier and demonstrate the feasibility of inferring the ongoing background activity during a meeting — cooking, cleaning, typing, etc. We achieved 81.9% macro accuracy on identifying six common background activities using intercepted outgoing telemetry packets when a user is muted.

The paper will be presented at PETS this year.

News article .

  • Ga chevron_right

    Facebook Doesn’t Know What It Does With Your Data, Or Where It Goes: Leaked Document

    Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · Wednesday, 27 April - 19:46 · 1 minute

Facebook is facing what it describes internally as a “tsunami” of privacy regulations all over the world, which will force the company to dramatically change how it deals with users’ personal data. And the “fundamental” problem, the company admits, is that Facebook has no idea where all of its user data goes, or what it’s doing with it, according to a leaked internal document obtained by Motherboard.

“We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data (3PD, 1PD, SCD, Europe, etc.) You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere,” the document read. “How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?”

My opinion is it should actually be quite simple... you protect your users' private info (profiles, private posts, metadata) and you don't sell or give it away. If you do want to give away for whatever reason, or sell it, a user has to specifically opt in. Other networks like Mastodon, PixelFed, and many more seem to have got it right, and they don't have thousands of employees to manage it. The problem is Facebook got into the business of making money out of users' data, and now with the pressure coming on, is finding it difficult to put controls in place. So switch it off and don't share the data...

See https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes

#technology #privacy #facebook #meta

Android application for on-line privacy and security.

InviZible Pro. (Open source)
New version 5.7.0

Keeps privacy, prevents tracking, gets access to blocked and hidden on-line resources.

InviZible Pro uses DNSCrypt, Tor and Purple I2P to achieve maximum security, privacy and comfortable use of the Internet.

DNS is used by most applications to translate domain names into IP addresses to find a remote server with the site that you want to visit. But this communication is not encrypted and can be used by attackers. DNSCrypt encrypts and authenticates DNS traffic, thus preventing DNS tracking and spoofing.

Tor encrypts Internet traffic and hides your actual location. It uses thousands of computers around the world to mask your IP address and prevents activity tracking to preserve your privacy and anonymity. Tor also provides access to onion services. These are sites that are in a completely hidden network without censorship.

The Invisible Internet Project (I2P) is a hidden anonymous network. It includes thousands of computers distributed around the world. Purple I2P encrypts the traffic of your device and sends it through these computers to ensure privacy and anonymity. Start I2P to access i2p sites and other Invisible Internet hidden services.

InviZible Pro can use root, if your device has root privileges, or uses a local VPN to deliver Internet traffic to Tor, DNSCrypt and I2P networks.

- InviZible Pro does not support ipv6 at this time.

Features:
* No root required
* Hides location and IP
* Unblocks the restricted web content
* Prevents tracking
* Allows access to hidden networks
* ARP spoofing detection
* Built-in firewall
* Tethering supported
* No analytics
* No advertisements
* Open source
* Material design theme

Premium feature:
* Automatic Updates – Use the latest versions of InviZible Pro, and its modules such as DNSCrypt , Tor, and Purple I2P.
* Absence of reminder about the need to support the project.
* Priority technical advice.
* Material design night theme

What's New
* Updated Tor to version 4.7.6.
* Updated Tor snowflake bridge to version 2.1.0.
* Updated Purple I2P to version 2.41.0.
* Implemented the use of Tor relays as default vanilla bridges.
* Implemented Tor bridges sorting and swipe to refresh bridges ping.
* Implemented firewall for Root mode.
* Optimized memory usage in VPN mode.
* Added Turkish translation.

Please visit the project’s page: https://invizible.net/en

Download from Google Play: https://play.google.com/store/apps/details?id=pan.alexander.tordnscrypt.gp

F-droid: https://apt.izzysoft.de/fdroid/index/apk/pan.alexander.tordnscrypt

Take a look at source code: https://github.com/Gedsh/InviZible

#android #internet #vpn #anonymous #privacy #confidentiality #dnscrypt #tor #i2p #vpn #proxy #invizible #inviziblepro
  • Ga chevron_right

    It's a myth that using a VPN somehow makes everything private, and protects from malware and hackers

    Danie van der Merwe · news.movim.eu / gadgeteerza-tech-blog · Wednesday, 20 April - 14:03 · 1 minute

This article actually emerged from a debate on Lemmy (an alternative to Reddit) recently, and I found it does explain quite clearly why many so-called reasons for using VPN's, in fact, don't provide those protections, and why just using the Tor browser for some of those scenarios may actually be better.

Yes, certainly if your aim is to bypass geoblocking for streaming services, or to isolate your activity from risky public Wi-Fi, then a VPN is a good thing. Tor is better at actually hiding your IP address, and cannot just be blocked or shut down.

But it is true that a VPN emerges somewhere (as does the Tor browser traffic) and from there it is openly accessing websites. Those websites can still fingerprint you, plant cookies on your computer, inject malware on your computer, etc.

It's not to say that Tor browser will magically prevent everything, but it can do a better job of protecting you from fingerprinting though, and also not by exiting through one known provider. Tor can also have bridging activated, which offers an additional layer of protection, especially when operating in a country where certain social media and sites are being blocked by authorities.

But yes there are many companies selling VPN services (some good, and some very dubious) and obviously they are marketing to make money (by selling the service to you, or in some cases selling your metadata).

A VPN is not a magic bullet, so the best advice is to think about why one wants to use one, and then to probably rather use a paid one which provides some guarantees of auditing and privacy. Yes, you can spin your own VPN too, but you are usually associated with its public IP address in some way.

Interesting read at https://matt.traudt.xyz/posts/2019-10-17-you-want-tor-browser-not-a-vpn/

#technology #security #privacy #VPN #Tor