• 5 Posts
  • 15 Comments
Joined 3Y ago
Cake day: Apr 05, 2022

I use the built-in sync service in various Firefox forks to sync bookmarks/history/tabs, using the default Mozilla servers. When I went to "Manage Account" to review and prune the devices ("services?") linked with Mozilla Sync down to what I'm actively using currently, I noticed "Mozilla Monitor" in there. I can't find any info on why [Mozilla Monitor](https://monitor.mozilla.org/) required sync credentials, and I don't remember Mozilla Monitor telling me it would be gaining access to my sync data, nor can I find any way to review what data "Mozilla Monitor" has access to. Any ideas? For now I'm signing out that entry while I consider other sync options. Edit: changed title from 'Mozilla/Firefox sync - why is "Mozilla Monitor" a signed in device?'

Most mass-marketed VPN services (the type marketed for accessing the internet) allow you to VPN into their private subnet where the thing you can access is their gateway router (which you use in place of your home gateway router/modem for connecting to the internet). You don’t need a VPN service to use VPN software between two points you control.


uBlock Origin does not have this disclaimer. It works well and is widely trusted.


If you’re using Mozilla’s level of endorsement as a metric, note this prominent disclaimer on the addon’s page:

⚠️ This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing.



Yep. It works and it’s awesome. I use conversations on android devices and dino and gajim on desktops, various family members use siskin on iOS.

With zero app or server-software or provider lock-in, and an actual in-practice diversity of apps and providers, the whole thing seems pretty immune to enshittification.


Well within the budget of a private investigator or burglar or peeping-tom or abusive ex-partner.

No need to scale; plenty of privacy/security incursions don’t require mass-surveillance.

That said, I’d suggest that the attack does scale economically. Think war-driving but with one of these setups – cruising around in a van through a dense neighbourhood collecting short clips of CCTV footage looking for something of interest.


> […] the attack is an extremely expensive nation state level operation that doesn’t scale.

About $250 at most. Quoting the linked page:

> Below is a list of equipment we used for the experiments.
>
>   • (1) Software Defined Radio (SDR): Ettus USRP B210 USRP, ~$2100.
>   • (2) Low Noise Amplifier (LNA): Foresight Intelligence FSTRFAMP06 LNA, ~$200.
>   • (3) Directional Antenna: A common outdoor Log-periodic directional antenna (LPDA), ~$15.
>   • (4) A laptop, of course.
>
> Note that the equipment can be replaced with cheaper counterparts. For example, USRP B210 can be replaced with RTL-SDR that costs ~$30.
>
> To reproduce the attack: our GitHub repository provides the codes and instructions for reproducing and understanding the attack. We have prepared a ready-to-use software tool that can produce real-time reconstructions of the eavesdropped videos with EM signal input from the USRP device.


I wonder when (if?) orbital radio receiver arrays (a la starlink) are sensitive and discriminating enough to be used for this type of attack.


EM Eye: Electromagnetic Side-channel Eavesdropping on Embedded Cameras
> EM Eye investigates a cybersecurity attack where the attackers eavesdrop on the confidential video data of cameras by parsing the unintentional electromagnetic leakage signals from camera circuits. This happens on the physical/analog layer of camera systems and thus allows attackers to steal victim's camera data even when perfect software protections (e.g., unbreakable passwords) are all in place. Exploiting the eavesdropped videos, attackers can spy on privacy-sensitive information such as people's activities in an enclosed room recorded by the victim's home security camera. [...] [Paper](https://dx.doi.org/10.14722/ndss.2024.24552).

No, the “distributor” is the part which runs on your portable device, receives the push notifications, and wakes up the target apps as necessary.

https://unifiedpush.org/developers/spec/definitions/


Conversations can be a UnifiedPush distributor: https://unifiedpush.org/users/distributors/conversations/

…and I’d trust it (battery-wise) with that. I have an old tablet with conversations running without battery restrictions on it, and if I’m not actually picking it up and using it it regularly goes 1-2 weeks on an 80% battery charge before it dies, the whole time giving audible notifications for XMPP messages/calls (which I attend to on other devices).


To be clear though: by E2EE here I mean browser-side encryption with zero-knowledge on the server side.

Etherpad is still encrypted in transit with https; only the server can snoop.

Cryptpad and other web-based E2EE services can still be completely compromised server-side by serving malicious code to the browser, and practically the user would never know.


Cryptpad:

  • Full-on google docs / office365 / libreoffice type replacement with collaboration.
  • E2EE
  • The complexity means it doesn’t work well on mobile, takes a while to load on a slow connection, more frequent bugs. (3.5 MiB page transfer)
  • Self-hosting is complicated.

Etherpad:

  • A competent collaborative rich-text editor. Doesn’t do spreadsheets or presentations or […].
  • Not E2EE (you need to trust the server a bit more).
  • Lightweight, works on slower connections, works alright on mobile. (1.7 MiB page transfer)
  • Self-hosting quite simple.

PrivateBin:

  • Super-simple plain-text/markdown pastebin. No editing possible once saved.
  • E2EE
  • Very small. Works fine on slow connections and mobile. (0.2 MiB page transfer)
  • Self-hosting very simple.

> On November 16th, Meredith Whittaker, President of Signal, published a detailed breakdown of the popular encrypted messaging app’s running costs for the very first time. The unprecedented disclosure’s motivation was simple - the platform is rapidly running out of money, and in dire need of donations to stay afloat. Unmentioned by Whittaker, this budget shortfall results in large part due to the US intelligence community, which lavishly financed Signal’s creation and maintenance over several years, severing its support for the app.
>
> Never acknowledged in any serious way by the mainstream media, Signal’s origins as a US government asset are a matter of extensive public record, even if the scope and scale of the funding provided has until now been secret. The app, brainchild of shadowy tech guru ‘Moxie Marlinspike’ (real name Matthew Rosenfeld), was launched in 2013 by his now-defunct Open Whisper Systems (OWS). The company never published financial statements or disclosed the identities of its funders at any point during its operation.
>
> Sums involved in developing, launching and running a messaging app used by countless people globally were nonetheless surely significant. The newly-published financial records indicate Signal’s operating costs for 2023 alone are $40 million, and projected to rise to $50 million by 2025. Rosenfeld boasted in 2018 that OWS “never [took] VC funding or sought investment” at any point, although mysteriously failed to mention millions were provided by Open Technology Fund (OTF).
>
> OTF was launched in 2012 as a pilot program of Radio Free Asia (RFA), an asset of US Agency for Global Media (USAGM), which is funded by US Congress to the tune of over $1 billion annually. In August 2018, its then-CEO openly acknowledged the Agency’s “global priorities…reflect US national security and public diplomacy interests.”
>
> [[Article continues...](https://kitklarenberg.substack.com/p/signal-facing-collapse-after-cia)]

Archive links:

  • https://archive.md/DyfJB
  • https://web.archive.org/web/20231205063052/https://kitklarenberg.substack.com/p/signal-facing-collapse-after-cia
  • https://ghostarchive.org/archive/4ZzzV

Use a good XMPP client like dino/siskin/conversations and OMEMO just works. XMPP client OMEMO support status.

You can’t argue “not all XMPP clients support e2ee” without arguing the same for matrix – not all matrix clients support e2ee.


Hi! I’m over here on lemmy, and created this post as a link to your post. I don’t think there’s a mutually compatible way to repost/boost a mastodon post into a lemmy community, but this seemed close enough.


Google docs infects html exports with google tracking redirects.
@Joe_0237@fosstodon.org wrote:

> Today I found out that google docs infects html exports with spyware, no scripts, but links in your document are replaced with invisible google tracking redirects. I was using their software because a friend wanted me to work with him on a google doc, he is a pretty big fan of their software, but we were both somehow absolutely shocked that they would go that far.
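Added example, not from the post or from Google: a small audit/clean tool for the redirect wrapping described above. It assumes the export rewrites each hyperlink into the form https://www.google.com/url?q=<real target>&sa=...&ust=...&usg=... (the real target sits in the q parameter); the sample export below is constructed.

```python
"""Find and unwrap Google tracking-redirect links in a Google Docs HTML export."""
from html import escape, unescape
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse
import re

# Hosts whose /url?q=... path is a redirect wrapper (assumption based on exports seen in practice).
REDIRECT_HOSTS = {"www.google.com", "google.com"}

# Constructed sample of what an exported document looks like; one wrapped link, one direct.
SAMPLE_EXPORT = (
    '<p>See <a href="https://www.google.com/url?q=https://example.org/page'
    '&amp;sa=D&amp;source=editors&amp;ust=1700000000000000&amp;usg=AOvVaw0abc">our page</a> '
    'and <a href="https://example.net/direct">this one</a>.</p>'
)


def unwrap_redirect(href: str) -> Optional[str]:
    """Return the real target if href is a google.com/url?q= wrapper, else None."""
    u = urlparse(href)
    if u.scheme in ("http", "https") and u.netloc in REDIRECT_HOSTS and u.path == "/url":
        q = parse_qs(u.query).get("q")   # parse_qs already percent-decodes the value
        if q:
            return q[0]
    return None


class RedirectAuditor(HTMLParser):
    """Collect every <a href> as (href, real_target_or_None); HTMLParser unescapes &amp; for us."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append((value, unwrap_redirect(value)))


def audit(document: str) -> List[Tuple[str, Optional[str]]]:
    """List all links in the export and flag which ones are tracking redirects."""
    parser = RedirectAuditor()
    parser.feed(document)
    return parser.links


def clean(document: str) -> str:
    """Rewrite wrapped hrefs back to their real targets; other hrefs are left untouched."""
    def repl(m: re.Match) -> str:
        target = unwrap_redirect(unescape(m.group(2)))
        new_href = escape(target, quote=True) if target else m.group(2)
        return m.group(1) + new_href + m.group(3)
    return re.sub(r'(href=")([^"]*)(")', repl, document)
```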


Related material, not all as optimistic as the ABC news article:

  • [Video interview with Dr Katharine Kemp](https://www.abc.net.au/news/2023-09-28/government-flags-changes-in-response-to-privacy/102913552).
  • [Government response to the Privacy Act Review Report](https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report).
  • [Govt kicks Privacy Act can down the road - Only commits to a handful of review recommendations.](https://ia.acs.org.au/article/2023/govt-kicks-privacy-act-can-down-the-road.html).