How I made a heap overflow in #curl
Let me talk about CVE-2023-38545 a bit
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
A new low, even for #Google. Giving Google permission to share information about you with third-party websites is being falsely advertised as an "ad privacy feature". This is privacy washing at its most extreme. But it gets even worse.
There is a dark pattern in the second screenshot. It isn't just informing you about the fake privacy features. Clicking on "Got it" actually turns on these features that allow Google to use your recent browsing history for ads on third-party websites:
If you are using an Android phone, you may have noticed a recent update from Google that allows you to "personalize your ad experience", and those settings apparently were on by default. So you actually have to do work to opt out. Here is how you can turn it off: Settings->Security&Privacy->More privacy settings->Ads->Ad privacy. It will take you to the screen in the picture; go ahead and turn off all of these settings, and definitely delete your advertising ID. #punkprivacy
I am excited to announce that I am going to be speaking at HOU.SEC.CON - THE Houston-area information security conference. October 12-13, 2023, right before the solar eclipse. If you are in town, come see me and learn a thing or two about "Privacy in the age of AI". If you are not in town, take a trip to Houston and see what you've been missing all of these years. Stay tuned for the exact day and time of my session. #infosec https://web.cvent.com/event/76d46ccb-fe00-4fe5-ba46-e4a77c807f21/summary
If it is not censorship, then what is it? This week YouTube published a new guideline on medical information: they will remove content that contradicts health authorities (bureaucrats that have nothing to do with science), essentially censoring content that casts a shadow of doubt on the official position. Now here is a puzzle for you: aspartame is deemed dangerous by the WHO, yet somehow safe by the FDA. What will they do? https://blog.youtube/inside-youtube/a-long-term-vision-for-medical-misinformation-policies/
Stumbled upon this article. Today people "own" lots of things in electronic form; now think about how much you can trust the company that you purchase them from. Even giants are not protected from market forces or bad management. So ask yourself: do you really own that e-book or song from iTunes, or are you just leasing it for free? https://slate.com/technology/2009/07/how-amazon-s-remote-deletion-of-e-books-from-the-kindle-paves-the-way-for-book-banning-s-digital-future.html
Old news, but even the SEC is trying to influence openly traded companies to do more when it comes to #cybersecurity, and incidents in particular. https://blog.isc2.org/isc2_blog/2023/08/sec-votes-to-adopt-rules-expanding-cybersecurity-reach-and-disclosure.html
Not everything about AI or LLM/GLLM is great; people often focus on the positive side, the improvements those models can bring to our lives. However, there is also a dark side to it. Advances in AI have always been used by APT actors; with GLLMs it is just another piece of the puzzle that corporations have to think about when deploying those tools into their ecosystems. https://securityintelligence.com/posts/unmasking-hypnotized-ai-hidden-risks-large-language-models/ #cybersecurity
White House announces a competition to "use artificial intelligence (AI) to protect the United States’ most important software, such as code that helps run the internet and our critical infrastructure". It is possible to win MILLIONS OF DOLLARS. https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/09/biden-harris-administration-launches-artificial-intelligence-cyber-challenge-to-protect-americas-critical-software/
Many people misunderstand what privacy protection should be implemented in order for them to keep their free will. At the end of the day, [social media company name here] does not care about your drunk photos or your most guarded secret, as those have no monetary value for a legal business. However, your attention and your intentions do have value. So when you are protecting your privacy, avoid disclosing your intentions at all costs. #privacy
Interesting article; the main point, in my opinion: everyone has to decide for themselves how much privacy they want. https://tracks.ranea.org/post/722507935765397504/youre-so-vain-you-probably-think-this-app-is
TIP: Never store passwords on your mobile, or for that matter use a built-in password manager that does not have an additional master password. Imagine a situation where your phone gets stolen, and the thief has already learned your PIN code by shoulder surfing. Their next move is to change your Apple ID password, and from there they'll have access to every single piece of information connected to your Apple ID. Use stand-alone third-party password managers. #punkprivacy
Quite an interesting vulnerability recently discovered in MS Teams. https://www.hackread.com/microsoft-teams-flaw-malware-employees-inbox/ #cybersecurity
I've read the white paper about the data that iOS and Android devices send when NOT IN USE, so that you don't have to. The situation is really bad: even when the user has opted out of telemetry, devices continue to send data to A and G respectively. Aside from everything else, one area I'd like to highlight is the MAC addresses of nearby devices, along with the gateway, that iOS devices send; if exposed, third parties may learn a lot about the devices in your household. https://www.scss.tcd.ie/doug.leith/apple_google.pdf
There is a huge difference between privacy and anonymity: privacy is when people know who you are, but they can't see what you are doing. In the case of anonymity, all of your actions are in the open, but people don't know who you are. Thus when you are using a VPN provider you need to know what you are trying to protect by choosing a VPN connection: is it your privacy or your anonymity? #punkprivacy
A vulnerability recently popped up in KeePassXC; if you are using it, just be aware. However, an attacker would have to gain access to your machine first, so employing tools that prevent someone from exploiting your device is still an effective line of defense. https://securityonline.info/keepassxc-vulnerability-cve-2023-35866-allows-attackers-to-change-the-master-password-and-second-factor-authentication-settings/?utm_content=buffer3fd75&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer
For those who are playing with the Raspberry Pi CM4: if you got it with eMMC storage onboard, please note that it's mounted to the same physical mount points as your SD card, so inserting an SD card into the IO board won't do anything. You actually have to use rpiboot to flash the system onto the eMMC directly. Here is the official GitHub repo to use: https://github.com/raspberrypi/usbboot in case someone needs it. #raspberrypi4
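The rpiboot-then-dd workflow the post describes, as an added example (not code from the usbboot repository or from the original post). It assumes a Linux host with `rpiboot` built from that repo and on PATH, GNU `stat` and `blockdev` available, the CM4 IO board's "disable eMMC boot" jumper fitted and the board connected over USB; the device node name (`/dev/sda` here) is an assumption and must be checked with `lsblk` before writing. The helper functions are split out so the safety checks can be exercised without hardware.

```shell
#!/bin/sh
# Added example: flash a Raspberry Pi CM4 eMMC via rpiboot + dd with basic safety checks.
# Not part of the usbboot project. Assumes Linux, rpiboot on PATH, GNU coreutils.
set -u

# Accept only whole-disk device names and refuse a device with anything mounted from it.
# Returns 0 for a safe target, 1 otherwise.
is_safe_target() {
    dev="$1"
    case "$dev" in
        /dev/sd[a-z]|/dev/mmcblk[0-9]) ;;   # whole disk only, never a partition like /dev/sda1
        *) return 1 ;;
    esac
    # Any partition of this device currently mounted? (/proc/mounts is Linux-specific.)
    if [ -r /proc/mounts ] && grep -q "^${dev}[p0-9]*[[:space:]]" /proc/mounts; then
        return 1
    fi
    return 0
}

# The image must not be larger than the eMMC. Sizes are passed in (bytes) so this
# check is testable without a real device.
image_fits() {
    image_bytes="$1"; device_bytes="$2"
    [ "$image_bytes" -le "$device_bytes" ]
}

# Print (do not run) the dd command line that will be used, so it can be reviewed.
flash_command() {
    img="$1"; dev="$2"
    printf 'dd if=%s of=%s bs=4M conv=fsync status=progress\n' "$img" "$dev"
}

# Full workflow. Needs root for rpiboot, blockdev and dd.
#   flash_cm4 /path/to/image.img /dev/sda
flash_cm4() {
    img="$1"; dev="$2"
    [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }
    is_safe_target "$dev" || { echo "refusing to write to $dev" >&2; return 1; }

    # 1. rpiboot with no arguments boots the CM4 into USB mass-storage mode,
    #    exposing the eMMC as a block device on the host.
    sudo rpiboot || return 1

    # 2. Wait (up to 30 s) for the device node to show up.
    i=0
    while [ ! -b "$dev" ] && [ "$i" -lt 30 ]; do sleep 1; i=$((i + 1)); done
    [ -b "$dev" ] || { echo "$dev did not appear; check lsblk for the real name" >&2; return 1; }

    # 3. Size check before touching the eMMC.
    image_bytes=$(stat -c %s "$img")
    device_bytes=$(sudo blockdev --getsize64 "$dev")
    image_fits "$image_bytes" "$device_bytes" || {
        echo "image ($image_bytes bytes) larger than $dev ($device_bytes bytes)" >&2; return 1; }

    # 4. Write, then flush page cache so unplugging is safe.
    sudo sh -c "$(flash_command "$img" "$dev")" && sync
}
```

Run `flash_cm4 image.img /dev/sdX` only after confirming with `lsblk` which node the eMMC appeared as; the guard in `is_safe_target` rejects partitions and mounted disks but cannot tell a freshly enumerated eMMC from a USB stick with the same name.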
Experienced technology entrepreneur on the quest for ethics and privacy. Follow the #punkprivacy tag to get regular privacy tips. You can also follow the @ethiork account to get information about the progress of the Ethiork project, which enables people to own their data and protect their privacy.