social.sokoll.com
Longer passwords, even consisting of simpler words or constructs, are better than short passwords with special characters.www.zdnet.com
Private WhatsApp groups visible in Google searches
Your #WhatsApp groups may not be as secure as you think they are
Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.
Does #Google care about your privacy and security? No.
Does #Facebook honestly care about your privacy and security? No.
https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603
#Facebook #chat #apps #privacy #security #surveillance #messaging #im
Private WhatsApp groups visible in Google searches
Your #WhatsApp groups may not be as secure as you think they are
Google is indexing invite links to private WhatsApp group chats. This means with a simple search anyone can discover and join these groups including ones the administrator may want to keep private.
Does #Google care about your privacy and security? No.
Does #Facebook honestly care about your privacy and security? No.
https://www.dw.com/en/private-whatsapp-groups-visible-in-google-searches/a-52468603
#Facebook #chat #apps #privacy #security #surveillance #messaging #im
SHA-1 is a Shambles
First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust
https://eprint.iacr.org/2020/014.pdf
Below is the abstract from the article. The most concerning thing here is the ability to forge signatures of keys. As you know if you read my posts, I have always argued that we should never sign other people's keys. Even without the problem of possible forged signatures using the technique in the article, key-signing harms privacy.
The only key signature created by EasyGPG is the signature on a newly created key pair.printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null
Notice that SHA512 is used. As for signatures on messages and encrypted files, see below (after the abstract). EasyGPG always uses SHA512.
Abstract. The SHA-1 hash function was designed in 1995 and has been widely used
during two decades. A theoretical collision attack was first proposed in 2004 [WYY05],
but due to its high complexity it was only implemented in practice in 2017, using
a large GPU cluster [SBK + 17]. More recently, an almost practical chosen-prefix
collision attack against SHA-1 has been proposed [LP19]. This more powerful attack
allows to build colliding messages with two arbitrary prefixes, which is much more
threatening for real protocols.
In this paper, we report the first practical implementation of this attack, and its
impact on real-world security with a PGP/GnuPG impersonation attack. We managed
to significantly reduce the complexity of collisions attack against SHA-1: on an Nvidia
GTX 970, identical-prefix collisions can now be computed with a complexity of 2 61.2
rather than 2 64.7 , and chosen-prefix collisions with a complexity of 2 63.4 rather than
2 67.1 . When renting cheap GPUs, this translates to a cost of 11k US$ for a collision,
and 45k US$ for a chosen-prefix collision, within the means of academic researchers.
Our actual attack required two months of computations using 900 Nvidia GTX 1060
GPUs (we paid 75k US$ because GPU prices were higher, and we wasted some time
preparing the attack).
Therefore, the same attacks that have been practical on MD5 since 2009 are now
practical on SHA-1. In particular, chosen-prefix collisions can break signature schemes
and handshake security in secure channel protocols (TLS, SSH). We strongly advise
to remove SHA-1 from those type of applications as soon as possible.
We exemplify our cryptanalysis by creating a pair of PGP/GnuPG keys with different
identities, but colliding SHA-1 certificates. A SHA-1 certification of the first key can
therefore be transferred to the second key, leading to a forgery. This proves that
SHA-1 signatures now offers virtually no security in practice. The legacy branch of
GnuPG still uses SHA-1 by default for identity certifications, but after notifying the
authors, the modern branch now rejects SHA-1 signatures (the issue is tracked as
CVE-2019-14855).
Keywords:$ grep "gpg" easygpg.sh | grep " -s " encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -` printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel (tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" - printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}" printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"
#easygpg #gpg #encryption #privacy #surveillance #security #cryptography
printf "${newkeyattr}" | env TZ=UTC gpg --homedir "${keydir}" --batch --use-agent --cert-digest-algo "SHA512" --s2k-cipher-algo "AES256" --s2k-digest-algo "SHA512" --s2k-mode 3 --s2k-count 32000000 --status-file "${temp}" --gen-key 2> /dev/null$ grep "gpg" easygpg.sh | grep " -s "
encryptedText=`printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty -`
printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - | xclip -i -selection clipboard
(tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -a -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel
(tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" --trust-model always -s -u "${senderID}" -e ${recipients} --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -) | zenity --progress --text="Encrypting..." --pulsate --auto-close --no-cancel
tar --numeric-owner -c "$(basename "${filename}")" | gpg --homedir "${keydir}" -a --trust-model always -s -u "${senderID}" --no-emit-version --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty --yes -o "${savepath}" -
printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"
printf "%s\n" "${theText}" | gpg --homedir "${keydir}" -a --trust-model always --textmode -s -u "${senderID}" -e -R "${senderID}" --no-emit-version --no-encrypt-to --personal-digest-preferences "SHA512 SHA384 SHA256" --personal-compress-preferences "ZLIB BZIP2 ZIP" --personal-cipher-preferences "AES256 TWOFISH CAMELLIA256 AES192 AES" --use-agent --no-tty - > "${savepath}"#UK #police deny responsibility for poster urging parents to report kids for using #Kali #Linux
source: https://www.zdnet.com/article/uk-police-distance-themselves-from-poster-warning-parents-to-report-kids-for-using-kali-linux/Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."Just a few years ago I would have been burnt at the stake.
#Danger #Warning #fail #Technology #Security #Crime #Cyber #children #newsUK police deny responsibility for poster urging parents to report kids for using Kali Linux | ZDNet
Updated: Using Discord, too, is apparently a warning sign that your child is turning into a naughty hacker.www.zdnet.com
Virtual machines, the #Tor Browser, Kali Linux, #WiFi Pineapple, #Discord, and #Metasploit are all deemed terrible finds and the poster urges parents to call the cops "so we can give advice and engage them into positive diversions."Just a few years ago I would have been burnt at the stake.
Updated: Using Discord, too, is apparently a warning sign that your child is turning into a naughty hacker.www.zdnet.com
Shared via Fedilab @realramnit@chaos.social 🔗 https://chaos.social/users/realramnit/statuses/103645804448003773
Die Loki-Foundation hat sich den #Signal-Quellcode genommen und eine der größten Schwächen des Messengers entfernt - die Telefonnummernabhängigkeit!
Außerdem routen sie sämtlichen Traffic durch Tor. Das macht "Session" - wie der neue Messenger getauft wurde - zu einem interessanten Delta-Chat-Konkurrenten.
https://getsession.org/
#Session #Signal #Messenger #Chat # Privacy #Security
#securityCritical Windows 10 vulnerability used to Rickroll the NSA and Github
Attack demoed less than 24 hours after disclosure of bug-breaking certificate validation.arstechnica.com
One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users.www.bleepingcomputer.com
Ein Angreifer hätte nun versuchen können, diesen Hash selbst zu berechnen. Aber das war gar nicht notwendig. In unseren Tests reichte es bereits, den entsprechenden Eintrag namens "dirhash" leer zu lassen. Einen leeren Wert akzeptierte Quincy als gültig und führte anschließend die von uns manipulierte setup.exe aus. Der Angriff funktionierte auf diese Weise mit der Version von Quincy, die zum Zeitpunkt unserer Tests Ende Oktober aktuell warhttps://glm.io/145428
Hersteller um Stellungnahme gebeten, Anwaltskanzlei antwortet https://www.golem.de/print.php?a=145428 RT Dr. Streisand bitte zur Post-Mortem-Analyse in Station 23, Dr. Streisand bitte https://twitter.com/nitram2342/status/1204531431214637058 #Quincy
In einer Software für Arztpraxen ist der Updateprozess ungeschützt über eine Rsync-Verbindung erfolgt. Der Hersteller der Software versucht, Berichterstattung darüber zuglm.io
Ein Krimineller bietet die Daten von Millionen Mixcloud-Nutzern zum Verkauf an. Laut Mixcloud soll es sich nicht um alle User handeln.www.golem.de
Travelers should use only AC charging ports, use USB no-data cables, or "USB condom" devices.www.zdnet.com
How terrible software design decisions led to Uber’s deadly 2018 crash
https://arstechnica.com/cars/2019/11/how-terrible-software-design-decisions-led-to-ubers-deadly-2018-crash/The NTSB report includes a second-by-second timeline showing what the software was "thinking" as it approached Herzberg, who was pushing a bicycle across a multi-lane road far from any crosswalk:#uber, #security, #self-driving-car
- 5.2 seconds before impact, the system classified her as an "other" object.
- 4.2 seconds before impact, she was reclassified as a vehicle.
- Between 3.8 and 2.7 seconds before impact, the classification alternated several times between "vehicle" and "other."
- 2.6 seconds before impact, the system classified Herzberg and her bike as a bicycle.
- 1.5 seconds before impact she became "unknown."
- 1.2 seconds before impact she became a "bicycle" again.How terrible software design decisions led to Uber’s deadly 2018 crash
NTSB says the system "did not include consideration for jaywalking pedestrians."arstechnica.com
The NTSB report includes a second-by-second timeline showing what the software was "thinking" as it approached Herzberg, who was pushing a bicycle across a multi-lane road far from any crosswalk:#uber, #security, #self-driving-car
- 5.2 seconds before impact, the system classified her as an "other" object.
- 4.2 seconds before impact, she was reclassified as a vehicle.
- Between 3.8 and 2.7 seconds before impact, the classification alternated several times between "vehicle" and "other."
- 2.6 seconds before impact, the system classified Herzberg and her bike as a bicycle.
- 1.5 seconds before impact she became "unknown."
- 1.2 seconds before impact she became a "bicycle" again.
NTSB says the system "did not include consideration for jaywalking pedestrians."arstechnica.com
Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising
#security #socialnetworks #electronicfrontierfoundation #eff #digitalrights #digitalprivacy
posted by pod_feeder_v2Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising
Stop us if you’ve heard this before: you give a tech company your personal information in order to use two-factor authentication, and later find out that they were using that security information for targeted advertising.That’s exactly what Twitter fessed up to yesterday in an understated blog post...www.eff.org
Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising
#security #socialnetworks #electronicfrontierfoundation #eff #digitalrights #digitalprivacy
posted by pod_feeder_v2Twitter "Unintentionally" Used Your Phone Number for Targeted Advertising
Stop us if you’ve heard this before: you give a tech company your personal information in order to use two-factor authentication, and later find out that they were using that security information for targeted advertising.That’s exactly what Twitter fessed up to yesterday in an understated blog post...www.eff.org
Stop us if you’ve heard this before: you give a tech company your personal information in order to use two-factor authentication, and later find out that they were using that security information for targeted advertising.That’s exactly what Twitter fessed up to yesterday in an understated blog post...www.eff.org
#security #hacker #browser #Chrome #FirefoxRussian hacker group patches Chrome and Firefox to fingerprint TLS traffic | ZDNet
A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components.
The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic | ZDNet
Turla hacker group lives up to its reputation with another clever/wacky hacking technique.www.zdnet.com
A Russian cyber-espionage hacker group has been spotted using a novel technique that involves patching locally installed browsers like Chrome and Firefox in order to modify the browsers' internal components.
The end goal of these modifications is to alter the way the two browsers set up HTTPS connections, and add a per-victim fingerprint for the TLS-encrypted web traffic that originates from the infected computers.
Turla hacker group lives up to its reputation with another clever/wacky hacking technique.www.zdnet.com
You’ll be astonished at how many apps want Bluetooth access.www.theverge.com
UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks | ZDNet
https://www.zdnet.com/article/uk-cybersecurity-agency-warns-devs-to-drop-python-2-due-to-looming-eol-security-risks/
#programming #securityUK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks | ZDNet
NCSC likens companies continuing to use Python 2 past its EOL to tempting another WannaCry or Equifax incident.www.zdnet.com
NCSC likens companies continuing to use Python 2 past its EOL to tempting another WannaCry or Equifax incident.www.zdnet.com
It seemed like a good idea at the time.mashable.com
Priti Patel calls for access to users’ data on messaging appswww.independent.co.uk
This commotion all started with the publication of CVE-2019-13615, which is marked as a “critical” vulnerability with a score of 9.8 out of 10. VLC’s developers aren’t happy they weren’t even contacted before the publishing of this flaw.www.howtogeek.com
Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away. There are, as you’re about to see, lots of problems with PGP. Fortunately, if you’re not morbidly curious, there’s a simple meta-problem with it: it was designed in the 1990s, before serious modern cryptography.latacora.micro.blog
😆 Wie geil ist das denn bitte?
https://www.giga.de/news/einbrecher-raeumen-haus-leer-lassen-ipad-und-mac-absichtlich-da/
Ist mir aber auch passiert. Als in Brasilien war wurde bei mir eingebrochen. Mein Mac stand noch da. 👍
Das mag ich so an Apple. Keiner klaut ein iPhone oder nen Mac. Wozu auch?
#Apple #SecurityEinbrecher räumen Haus leer, lassen iPad und Mac absichtlich da
Ein Mann kommt abends nach Hause und stellt fest, dass in seinem Haus eingebrochen wurde: Spiegelreflexkamera, Lautsprecher, Windows-Laptop..www.giga.de
Ein Mann kommt abends nach Hause und stellt fest, dass in seinem Haus eingebrochen wurde: Spiegelreflexkamera, Lautsprecher, Windows-Laptop..www.giga.de
Die App-Review-Week startet mit der Android-App Komoot (Version 9.16.2) – eine Navi-App für Radfahrer und Wanderer. Beginnen wir mit den Netzwerkverbindungen, die Komoot während der…www.kuketz-blog.de
