
Why would you ever be buying a sim card separate from the carrier servicing it…?

Honestly asking, that’s incredibly unusual to me. Where I live, the mobile carrier always provides the sim card. Usually free with a monthly phone plan, or as a part of a pre-paid plan. (pre-paid you can usually buy from a corner store like seven eleven. monthly you’ll actually have to visit their store/mall booth)



That makes no sense.

We aren’t talking about two phones paired with each other, we’re talking about a pair of headphones or a smart watch, causing the phone it’s linked to to make a sound. Nothing more.

There is absolutely 0 opportunity to acquire a location from that.

Beyond that; apple products, specifically airpods and apple’s smart watch, have these abilities.

Why would it be a security flaw to allow an Apple manufactured device to perform these functions, but not a third party device, utilizing the exact same implementations?

Try again.


Literally everything that’s not manufactured and sold by Apple.


Are you high?

Tracking?

Explain to me how you would perform any sort of tracking via a secured communication between two devices: ‘hey phone, can you beep once’ ‘sure’ beep.


In what way is a device you’ve purchased and paired with your phone, requesting that the phone it’s paired to make a noise; a security flaw/issue?


You were already provided with examples in this comment thread:

Non-apple watches, for instance, can’t use GPS from an iPhone or cause it to emit sound to local lost phones, despite being previously able to, demonstrating no technical limitations just a walled-garden limitation


Is there an answer to that question that would make these practices reasonable? (while also being plausibly true)


Nothing to hide…

It’s the same reason I don’t support free speech: I’ve got nothing to say.

/s


Possibly.

A) has amazon actually implemented such a system?

B) do you trust it’s functioning correctly? Both now and for the foreseeable future. (would/could you even know if it wasn’t?)

Side note: does this feature work with factory reset and/or re-sold devices?


Jesus, would you like some fries to go with all that salt?

Have a good day m8.


First of all, they have to already know you have that device.

Ie: any amazon smart device; which are becoming increasingly popular and found in many homes globally.

Also, I’m not talking about someone targeting me, you, or anyone specifically. I’m talking about someone wandering around looking for homes that happen to have a vulnerable device and seeing where they can get from there.

Really not hard to find.

THEN they have to hang around long enough for any sort of updates and shit to happen.

Trivial when you consider not everyone lives in a single-family home with significant yardspace around it. Apartments exist, so do smaller multi-family dwellings.

THEN THEN they have to try and figure out how to get any useful data from this connection

The useful info here being your WIFI password (the info this connection is intended to spread) allowing an attacker to pivot to the rest of your network.

THEN THEN THEN they have to find a way to remove said useful information to a device that can actually store it.

This would be where I’ve repeatedly talked about an attacker being able to purchase an amazon device, jailbreak it, and use it to connect to your network

They can buy a device from Amazon then have all the time in the world to figure out a method of retrieving data from it. Once a method is worked out, they then deploy it against unsuspecting victims. (ie any random home they can get near and find an amazon device that’s broadcasting looking for new devices)

if someone is able to just walk up to your house with a random device and hang out long enough to establish a wifi connection and pull out any sort of useful data you have WAY BIGGER PROBLEMS

I completely agree which is why I’m not happy with Amazon providing a hole to achieve exactly that.


Yes, that is exactly what I’m saying as that’s what it sounds like.

If you can buy a new amazon device and have it connect to all your stuff without your input; what stops someone else buying an amazon device and connecting to your network with it?

Obviously I’m not worried about the device I actually receive; I’m concerned that someone can buy their own device and use it to connect to other people’s networks via existing amazon devices.


Depending on a setting being disabled that’s more than likely on by default isn’t much comfort. Most people won’t know about or look for those kinds of settings, especially with the deceptive descriptions often used for features like these.

To be clear, I don’t use these devices either; I’m just concerned for those that don’t know any better.

The verification still needs one of the devices listed in my post to be active on your wifi to allow the setup and communication.

Yes, that’s what I said; your amazon devices are giving away your wifi info to new devices. As in once you’ve allowed an amazon device onto your network, any new device can add itself to that network via your existing device without your input.

This happens before the new device has authenticated into your amazon account as it doesn’t yet have an internet connection (ie before it’s proven to be your device and not say a neighbour’s) and before you manually provide authentication for your wifi. Hence the ‘with 0 auth’.

The auth is likely done by device to device handshake. It’s just that there isn’t a human involved.

A handshake between a device you own but have little control over and a device you’ve never seen before, may not have physical access to, and that could have been compromised before requesting your info. Great.

I’m not saying they’re beaming it out in plain text for all to read; just that they’ll give your info to a device you may not even be aware of let alone own or have any control over. That device may be a stock Amazon device, or it could be something more malicious.


In other words: your amazon devices are freely giving your wifi info to any nearby new amazon device regardless of whether you’ve signed into that new device or not.

Begs the question: What other clearly private info do they give away with 0 auth or verification?


Hmm

Two possibilities:

Is the old device still plugged in while you set up the new one? Perhaps they connected to each other. My previous Samsung phone did this with my new one without prior setup of the ‘feature’, though after I signed into my Samsung account on the new phone.

Or it could have come pre-loaded with data on your account…

I’m not very comfortable with either option really.


You missed the part where Meta reviewed it and didn’t remove it because it wasn’t done with AI. Created manually so it’s fine.


(stock Android) I’ve yet to find any android call recording app that works on a device that doesn’t have permission from Google to use the built in call recording features :/

~9mo ago they all got broken by an android update and haven’t worked since.


Android Auto and CarPlay or Privacy. You won’t get both.

Your use of ‘need’ is quite a stretch.


As far as I understand a key pair can be used bi-directionally like I’d described. Was I mistaken?

In practice, the private key is usually used to create signatures instead, but I avoided that for simplicity.


Exactly. Once encrypted with your public key, you’re the only one who can decrypt and read it as you are the only one with access to your private key.


Youtube never knows the private half of your key pair. That never leaves your system.

Anything encrypted with the private half can only be decrypted with the public half, and anything encrypted with the public half can only be decrypted with the private half. These halves are known as the public key and the private key. Each side of the connection generates their own key pairs.

We both generate a set of keys, and exchange the public halves with each other. I then want to send you a message: I first encrypt it using my private key, I then encrypt it again using your public key and send that to you.

In order to read that message, you first decrypt it using your private key. This ensures the message was intended for you and wasn’t modified in transit, as you are the only one with access to that private key and only its matching public key could have been used to encrypt that layer.

You then decrypt it a second time using my public key. As I’m the only one with access to my own private key, you can be sure the message was sent by me.

As long as that resulted in a readable message; You’ve now verified who sent the message, that it was intended for you, and that the contents have not been modified or read in transit.

All this, including the key exchange is handled for you by the https (tls) protocol every time you connect to a website. Each of the messages sent between you and the site are encrypted in this manner.


Theoretically an app could use a custom DoH endpoint to retrieve ads instead of the standard dns provided by the system. As this uses purely https without a preceding dns request, pihole/adguard would fail to block it; but it’s just not something currently employed.


Maybe in coming years, but I’ve never encountered an ad served explicitly through DoH/DoT. It’s certainly possible, just not actually in use yet.

You can also set up DoH front and back ends for pihole so traffic entering and leaving it is encrypted. When/if it becomes necessary I’ll probably look into https packet inspection using custom Root certs to force clients to use my local DoH services and block other traffic, or look into inspecting the SNI to apply blocking there; but again it’s just not needed yet and may not be for a long time. We’ll see. I’m sure the pihole/Adguard teams are also investigating solutions.


Given recent examples of cars doing exactly this (disabling drive due to perceived hardware/software errors), namely BMW: I’m not very hopeful.


Pi-hole blocks ads served by these networks just fine. Never seen an ad in Boost for Lemmy or for Reddit, though I tend to use Jerboa now that I’ve gotten used to it while I was waiting for Boost for Lemmy to release.

DNS based adblocking like Pihole or Adguard limits you to receiving advertising hosted by the app provider (youtube for example) which is usually better curated than third party advertising networks and less commonly found at all.


While this seems like a great plan; I wouldn’t put it past manufacturers to throw an error message and disable the vehicle for ‘safety’ when it detects a missing network connection for an extended period and/or disabled hardware during self-test.

I hate this dystopian hellscape :(


Why the hell would you connect that to a network?

A smart tv is primarily a surveillance device that also happens to display video.





Android automatically spoofs your MAC for every network and regularly changes it for each one too unless you explicitly disable that after connecting.

Makes static DHCP leases a PITA.


In the 6 years I’ve run mine, I’ve not had any issues and I run a blocklist with over 1 million domains on it.

If I was to run into something that’s blocked that I do want loaded, I can just open the pihole interface and either whitelist the blocked domain or disable blocking for a short time, each with just a couple clicks.


https://www.cloudflare.com/learning/security/what-is-https-inspection/

https://blog.cloudflare.com/monsters-in-the-middleboxes/

While this has traditionally been achieved by having the end client install a new certificate into their device for the corporation’s certificate authority, Google and other security firms also offer network appliances that will do this using certificates your device already trusts such as the above Google Trust Services LLC certificate. I’ve also experienced this 4 years ago with connections intercepted using certs from DigiCert and I’m sure there are others out there.

Https is dependent on a chain of trust, but most end users know little to nothing about it and definitely don’t choose which certificates to base that chain of trust on. Instead you’re given a set of certificates from the os/software developers and told to trust everything that leads back to those without any idea who has the authority to sign with those certificates.

Theoretically speaking; I could have an insider at letsencrypt who bypasses their check to see if I actually control a particular domain and instead just issues every certificate for any domain I ask for. Your browser wouldn’t know the difference, just accepting them as valid certs as they’ve got the domains you asked for and they’re signed by someone the browser trusts.

Google and others sell exactly that service.


If only it was that easy…

Tried that. And openvpn tun+tap configs, Various ports incl 443, even shadowsocks. None of it gets through.


If you’ve connected your personal laptop to your work wifi, they 100% can see all your browsing history (specifically what’s passed through their network).

Hell, I only run a simple homelab and I can see the exact traffic/browsing history of every device on my home network. I’m only tracking via dns traffic, but your https traffic can even be intercepted and decrypted pretty easily. So don’t even trust that.

This doesn’t require installing anything on your device to fully monitor you.


Corporate networks (especially those utilizing MITM) block vpn access altogether.

You can’t reach your vpn server, falling back to plain un-tunneled https. Then instead of dns returning the true ip, it returns a local corporate ip; you connect to that with https and it serves you a cert generated on the fly for that particular domain signed by a root cert your browser already trusts. Your browser sees nothing wrong and transmits via that compromised connection.

You can usually check for this by connecting via mobile data, taking a screenshot of the cert details, then doing the same on work wifi and comparing.

If the cert details change on wifi, your traffic is being intercepted, decrypted, read/logged, then re-encrypted and passed to the server you’re trying to reach.
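
The mobile-data versus work-wifi comparison from the comment above, scripted as an added example (not part of the original comment): it records the leaf certificate's SHA-256 fingerprint and issuer on one network and compares them on another. The function names, verdict labels and the two sample records are assumptions constructed for illustration; a changed fingerprint under the same issuer is reported separately because CDNs and routine renewals also produce that.

```python
import hashlib, json, socket, ssl, sys

def issuer_name(issuer):
    """Flatten ssl's nested issuer tuples into 'O=..., CN=...' text."""
    fields = {k: v for rdn in issuer for (k, v) in rdn}
    wanted = (("O", "organizationName"), ("CN", "commonName"))
    return ", ".join(f"{s}={fields[k]}" for s, k in wanted if k in fields)

def observe(host, port=443, timeout=5.0):
    """Record the leaf certificate presented to this machine on this network."""
    ctx = ssl.create_default_context()  # validates like a browser would
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            issuer = tls.getpeercert().get("issuer", ())
    return {"host": host,
            "sha256": hashlib.sha256(der).hexdigest(),
            "issuer": issuer_name(issuer)}

def compare(baseline, current):
    """Classify the difference between two observations of one host."""
    if baseline["host"] != current["host"]:
        raise ValueError("records are for different hosts")
    if baseline["sha256"] == current["sha256"]:
        return "same-certificate"
    if baseline["issuer"] == current["issuer"]:
        # Often benign: renewal, or a CDN edge serving a sibling certificate.
        return "same-issuer-different-certificate"
    # A different CA signed the leaf seen on this network: investigate.
    return "issuer-changed"

# Constructed sample records (placeholder fingerprints, hypothetical CA names).
MOBILE = {"host": "example.com", "sha256": "aa" * 32,
          "issuer": "O=Example Public CA, CN=Example R1"}
WORK_WIFI = {"host": "example.com", "sha256": "bb" * 32,
             "issuer": "O=Example Corp, CN=Example Inspection CA"}

if __name__ == "__main__":
    # save <host> <file> on mobile data, then check <host> <file> on the other network
    mode, host, path = sys.argv[1:4]
    if mode == "save":
        with open(path, "w") as fh:
            json.dump(observe(host), fh)
    else:
        with open(path) as fh:
            print(compare(json.load(fh), observe(host)))
```
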