Privacy


Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 7 months ago

Parking apps is an interesting one:

  • it is very convenient to not have to run back and put more money in the meter if your appointment / event goes over time
  • there are some significant privacy issues

Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.

Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

This is just one of their excuses to keep their users inside Google's walled garden.

cross-posted from: https://lemmy.sdf.org/post/36247127

Archived

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

  • Email addresses
  • Mobile phone numbers
  • Biography, avatar URLs, and profile links
  • TikTok user IDs, usernames, and nicknames
  • Account flags like private_account, secret, verified, and ttSeller status.
  • Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

[...]


cross-posted from: https://lemmy.sdf.org/post/36242205

Archived

  • Hundreds of millions of users are likely exposed.
  • Data leak contained billions of documents with financial data, WeChat and Alipay details.
  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humongous, 631-gigabyte database was left without a password, publicizing a mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

"Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]


Old video, but keeps being relevant.

If you want to attend a protest, you have to become unidentifiable. This is how you do it. Become a producer of independent research and analysis by joining my Patreon page: / thehatedone

Police now have the ability to harass protesters with arrests, threats and coercion all the way back to their homes and offices. Attending a protest with a phone will now tell the police exactly who you are, who you communicate with and where you live.

Your phone has four main radio signals, all of which can compromise your security:

  • Cellular radio – is your phone’s most revealing data point. Your SIM card has a unique IMSI number that is broadcast indiscriminately in all directions. The police can capture this number with so-called IMSI catchers, find your real phone number and even intercept your calls and SMS texts.
  • WiFi – is the second most common data point. Police can set up a rogue hotspot to trick your phone into connecting to it without you noticing, and they can start monitoring your traffic in real time.
  • Bluetooth – Police can also use Bluetooth beacons to catch your phone’s unique identifier. They could also try to exploit known Bluetooth vulnerabilities to attack your device with a malicious payload.
  • GPS – is broadly used for precise location services, but this one is the safest data point. Your phone is only a receiver of GPS signals and doesn’t transmit any information. Your phone may, however, store GPS coordinates, which may be revealed to the police if they capture and unlock your phone.

Surveillance is the best tool to silence dissent. This is why if you care about your cause, you are going to have to care about protecting the identity of you and your fellow protesters. Your goal must be to become unidentifiable.

What follows is a comprehensive guide to become anonymous in the street. The goal is extreme anonymity and no middle-ground compromises. This guide will be split into two parts – Digital security, and physical security. Make sure to follow and understand every step in both of these parts as they are both equally required to remain anonymous.

Sources

EFF's guide on attending a protest: https://ssd.eff.org/en/module/attendi...
IMSI Catchers: https://www.eff.org/wp/gotta-catch-em...
Stingrays: https://www.wired.com/2015/10/stingra...
https://www.wired.com/2014/06/feds-to...
How to prepare your phone for a protest: https://themarkup.org/ask-the-markup/...
Protest privacy - photos: https://themarkup.org/ask-the-markup/...
Burner Phone tutorial by The Intercept: https://theintercept.com/2020/06/15/p...
Rogue WIFI hotspots: https://www.forbes.com/sites/andygree...
Dataminers spy on social media: https://theintercept.com/2020/07/09/t...
Anonymous Twitter account: https://theintercept.com/2017/02/20/h...
Facial recognition in Hong Kong protest: https://www.nytimes.com/2019/07/26/te...

List of all apps and services mentioned (no affiliation)

GrapheneOS: https://grapheneos.org/
Download: https://grapheneos.org/releases
Install: https://grapheneos.org/install
F-Droid: https://f-droid.org/
Orbot: https://guardianproject.info/apps/org...
Tor Browser: https://www.torproject.org/
Aurora Store: https://f-droid.org/en/packages/com.a...
KeepassDX: https://github.com/Kunzisoft/KeePassDX
Tutanota: https://tutanota.com/
Protonmail: https://protonmail.com/
SimpleLogin: https://simplelogin.io/
Aegis Authenticator: https://getaegis.app/
Signal: https://signal.org/
Briar: https://briarproject.org/
Wire: https://wire.com/en/
Anonymous Twitter: https://twitter3e4tixl4xyajtrzo62zg5v/...
Scrambled Exif: https://f-droid.org/en/packages/com.j...
ImagePipe: https://f-droid.org/en/packages/com.j...
ObscuraCam: https://guardianproject.info/apps/obs...
OsmAnd: https://osmand.net/

Credits Music By: White Bat Audio / whitebataudio

Follow me: / the_hatedone_
/ thehatedone

The footage and images featured in the video were for critical analysis, commentary and parody, which are protected under the Fair Use laws of the United States Copyright act of 1976.


Original idea by @HiddenLayer555@lemmy.ml

Receiving a spam call puts you in a bit of a dilemma, or at least it does for me: how do I deal with this call in a way that doesn't alert the spammers that this is an active number they can call again? Answering the call is obviously the wrong choice, but I always assume that rejecting the call outright will also be detected as a deliberate action and therefore that a person is on the other side. Some people have suggested answering the phone but not talking, so they think it's a dead number, but I want something more definitive.

My idea is to have a "spam" button on the incoming call screen, that answers the call but doesn't connect the microphone. Instead it plays either the standard "the number you're dialing is not assigned, please check your number and try your call again" recording, or a fax/modem sound to make them think the phone number belongs to a machine and not a human.

Would they work? Or would they still be able to determine that the recording is spoofed by the phone itself? Does anything like this already exist?


cross-posted from: https://lemmy.sdf.org/post/36106116

Archived

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.


An Italian parliamentary committee has confirmed that the government used the Israeli-made spyware Graphite, developed by the offensive cyber company Paragon, to hack the smartphones of several activists working with migrants.

The committee confirmed that Paragon provided Graphite to two Italian agencies, including the country's external intelligence service, starting in 2023. The version of Graphite provided did not include the ability to activate the phone's microphone or camera, the report said. Instead, it only gave its operators access to encrypted communications on the hacked devices.

The report also confirmed that Graphite exploited a vulnerability in WhatsApp that Meta identified and patched in December 2024, one month before the spyware's activity was publicly disclosed. The vulnerability's discovery also caused "panic" at Israel's military intelligence Unit 8200, according to the recent Israeli television report.


What is DNS4EU? DNS4EU is an initiative by the European Commission that aims to offer an alternative to the public DNS resolvers currently dominating the market. Supported by the European Union Agency for Cybersecurity (ENISA), the European Union's DNS4EU secure-infrastructure project provides a protective, privacy-compliant, and resilient DNS service to strengthen the EU’s digital sovereignty and enhance digital security for European Union citizens, governments, and institutions.

The program provides robust DNS security for public institutions and their employees, ministries, local governments or municipalities, healthcare, education, and other critical services such as telecommunications providers. By working with the latter, for example, it ensures DNS resolution service for all of a telco’s customers, with minimum manual overhead for their teams.

Additionally, the DNS4EU solutions aid organizations in complying with regulatory requirements (such as GDPR) to keep data within European borders.

As these organizations often face challenges in independently developing and maintaining high-level cybersecurity measures (such as election cycles or funding), the DNS4EU project addresses these challenges by providing a Europe-based, centralized, scalable solution to ensure the highest standards of security and privacy, compliant with EU regulations.


Push notification data can sometimes include the unencrypted content of notifications. Requests came from the U.S., U.K., Germany, and Israel.

Apple provided governments around the world with data related to thousands of push notifications sent to its devices, which can identify a target’s specific device or in some cases include unencrypted content like the actual text displayed in the notification, according to data published by Apple. In one case, for which Apple did not ultimately provide data, Israel demanded data related to nearly 700 push notifications as part of a single request.

The data for the first time puts a concrete figure on how many requests governments around the world are making, and sometimes receiving, for push notification data from Apple.

The practice first came to light in 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice revealing the practice, which also applied to Google. As the letter said, “the data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification.”

The published data relates to blocks of six-month periods, from July 2022 to June 2024. Andre Meister from German media outlet Netzpolitik posted a link to the transparency data on Mastodon on Tuesday.

For example, according to the data, the U.S. made 99 requests for push token data related to 345 different push tokens, and received data in response to 65 of the requests between July and December 2023. The U.K. made 123 requests, about 128 tokens, and received data in response to 111 requests in the same time period. Germany was the only other country to receive data, which was in response to 5 of the country’s requests. The Netherlands and France also requested data but did not receive any.

Israel made a single push notification data request in that time period, but it related to 694 push tokens, according to the data. Representatives of the Israeli government did not respond to a request for comment, and neither did Apple.

In another stretch of time, from January to June 2024, the U.K. received data in response to 127 requests, and the U.S. got data from 36. Germany did successfully receive some data during that period. Singapore has also made requests for data but has not received any, according to the transparency report.

Along with the data Apple published the following description: “Push Token requests are based on an Apple Push Notification service token identifier. When users allow a currently installed application to receive notifications, a push token is generated and registered to that developer and device. Push Token requests generally seek identifying details of the Apple Account associated with the device’s push token, such as name, physical address and email address.”

404 Media previously published a U.S. court record which sought access to push notification data.

In December 2023, Apple said it started to require a judge’s order to hand over push notification data. Before that, it was available with a subpoena.


I hate everything about this


Cross-posted from: https://lemmy.ca/post/45444332
