Yesterday The New York Times unveiled that General Motor's had accidentally enrolled millions of people into its "OnStar Smart Driver+" program. If consumers chose to not enroll through the phone app – it would do it anyways.
Unenrolling requires consumers to contact OnStar customer support line. However, some people do not trust them and have turned to stripping the electronic devices from their car.
The OnStar Smart Driver+ data was being sold to LexisNexis, and insurance companies, to modify insurance rates. The data sold was invasive and logged:
- Number of trips
- Miles driven
- Minutes driven
- Hard-brake vents
- Rapid accelerates
- Speeding events
The reporter from the New York Times requested a copy of their data and received it. See attached image.
@Kalilinux
Source
Source
DDoS
Logstalgia is a visualization tool that graphically repeats the web server access sequences simulating a retro arcade game.
The left column shows the IPs that make the requests. The right-hand column is the resource on the server (url), it can be an html file, an image, etc. The "points" that travel are the requests/responses, and lastly, the 200s you see is the code that the web server returns (Http response code) to the requests.
source
Millions of customers' data found on dark web in latest AT&T data breach
AT&T said the information included in the compromised data set varies from person to person. It could include social security numbers, full names, email and mailing addresses, phone numbers, and dates of birth, as well as AT&T account numbers and passcodes.
@kalilinux
https://www.npr.org/2024/03/30/1241863710/att-data-breach-dark-web
Russian state-backed hackers gained access to some of Microsoft’s core software systems in a hack first disclosed in January, the company said Friday, revealing a more extensive and serious intrusion into Microsoft’s systems than previously known.
Microsoft believes that the hackers have in recent weeks used information stolen from Microsoft’s corporate email systems to access “some of the company’s source code repositories and internal systems,” the tech firm said in a filing with the US Securities and Exchange Commission.
@kalilinux
https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/
European consumer rights groups are accusing Meta, of carrying out a “massive” and “illegal” operation. The buzz is all about Meta's pay-or-consent model, arguing that this “pay-or-consent” approach was an example of an unfair and “aggressive” commercial practice prohibited under EU law.
Meta disputes the allegations.
The European Consumer Organisation (BEUC), an umbrella body for 45 consumer groups, said eight of the groups were filing complaints with their respective national data protection authorities Thursday.
More on this Issue:
https://www.cnn.com/2024/02/29/tech/meta-data-processing-europe-gdpr/index.html
@kalilinux
In a YouTube video, security researcher Stacksmashing demonstrated that hackers can extract the BitLocker encryption key from Windows PCs in just 43 seconds using a $4 Raspberry Pi Pico.
@kalilinux
https://www.youtube.com/watch?v=wTl4vEednkQ
https://www.bloomberg.com/news/articles/2024-01-29/raspberry-pi-picks-banks-for-ipo-choosing-london-over-new-york
@Kalilinux
https://www.youtube.com/watch?v=cwLRiadmfaQ
@kalilinux
Right now, the Tor network, Tor Browser, onion services, Snowflake, and the ecosystem of tools and services built and maintained by the Tor Project are protecting the privacy of millions of people. Because the Tor Project is a nonprofit, this work is powered by donations from our community—by you.
In that vein, today the Tor Project is launching our annual fundraising campaign. This year we’re keeping our message simple: if you value the privacy that Tor provides to yourself or to other people, please make a donation.
💜👉Tor is and will always be free. 👈💜Unrestricted access to the technology we create is part of our mission. But the challenges of 2023 and beyond mean that if you are in the position to donate this year, your support is more vital than ever.
Your support ensures that the Tor Project remains strong on an organizational level, and that the ecosystem of Tor services and tools continue to reach the people who need privacy online the most.
https://torproject.org/donate./donate-tel-ann-2023
Google:
Our new approach builds on the software that runs our carbon-intelligent computing platform, adding new capabilities that allow us to temporarily reduce the power demand of a Google data center when called on to do so by an external power system partner, such as a utility or grid operator.
When we receive notice from a grid operator of a forecasted local grid event, for example an extreme weather event that will cause a supply constraint, we can alert our global computing planning system to when and where it will take place. This alert activates an algorithm that generates hour-by-hour instructions for specified data centers to limit non-urgent compute tasks for the duration of the grid event, and allows them to be rescheduled after the grid event has passed. When feasible, some of these tasks get rerouted to a data center on a different power grid. All of this is done without additional computer hardware and without impacting the performance of Google services like Search, Maps, YouTube, Google Cloud, and Workspace (which includes Gmail, Docs, Sheets and more) that people, businesses, and public sector organizations rely on around the clock.
@kalilinux
https://cloud.google.com/blog/products/infrastructure/using-demand-response-to-reduce-data-center-power-consumption
Premium members can now boost us, so that the channel is able to share stories and keep you updated:
/channel/kalilinux?boost
Microsoft researchers said on Thursday they found what they believe is a network of fake, Chinese-controlled social media accounts seeking to influence U.S. voters by using artificial intelligence.
A Chinese embassy spokesperson in Washington said that accusations of China using AI to create fake social media accounts were "full of prejudice and malicious speculation" and that China advocates for the safe use of AI.
In a new research report, Microsoft said the social media accounts were part of a suspected Chinese information operation. The campaign bore similarities to activity which the U.S. Department of Justice has attributed to "an elite group within (China's) Ministry of Public Security," Microsoft said.
https://www.reuters.com/world/china-may-be-behind-social-media-accounts-seeking-sway-us-voters-microsoft-says-2023-09-07/
@kalilinux
YouTube legal team asked Invidious developers to take down the service within 7 days.
In response, the project manager of the Invidious project replied on GitHub that they never agreed to any of YouTube's Terms of Services or Policies, and that Invidious doesn't use YouTube's API to fetch and display the videos. He added that “Things will continue normally until they can't anymore.”, implying that they're not going to comply with YouTube legal team's request.
@kalilinux
https://alternativeto.net/news/2023/6/youtube-legal-team-asked-invidious-developers-to-take-down-the-service-within-7-days/
Reddit is getting ready to slap third-pary apps with millions of dollars in API fees, and many Reddit users are unhappy about it. A widespread protest is planned for June 12, with hundreds of big and small subreddits planning to go dark for at least 48 hours.
@kalilinux
https://arstechnica.com/gadgets/2023/06/reddits-plan-to-kill-third-party-apps-sparks-widespread-protests/
Last November, NASA's Voyager 1 sent home garbled data, and engineers traced the problem to the flight data subsystem (FDS). The problem turned out to be a single chip in the FDS memory. They couldn't repair the chip but could move the affected code into sections and store them in different parts of the FDS system. They tested the new system this week, sending signals to the Voyager 1, 22.5 light-hours away. It worked, and Voyager 1 is back.
@Kalilinux
Source
@kalilinux 😅😂
elhackernet/111976624479158820">source
The xz package, starting from version 5.6.0 to 5.6.1, was found to contain a backdoor. The impact of this vulnerability affected Kali between March 26th to March 29th. If you updated your Kali installation on or after March 26th, it is crucial to apply the latest updates today.
This backdoor could potentially allow a malicious actor to compromise sshd authentication. If you did not update your Kali installation before the 26th, you are not affected by this backdoor vulnerability.
More information can be found at:
https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/
And
https://www.openwall.com/lists/oss-security/2024/03/29/4
If you would like to be sure that you are up to date and not affected by this vulnerability, you can do the following to upgrade your local version of the package:
sudo apt update && sudo apt install —only-upgrade liblzma5
Full blog post:
https://www.kali.org/blog/about-the-xz-backdoor/
@kalilinux
Exploiting a vulnerability in Telegram's system that allows for matching user IDs with phone numbers
Russian security forces and officials employ a system known as "Insider," alongside Telegram bots, to de-anonymize users by exploiting a vulnerability in Telegram's system that allows for matching user IDs with phone numbers, thereby revealing their identities. This system, which utilizes leaked databases from sources like Yandex and Wildberries, is part of a broader initiative called "Demon of Laplace," aimed at monitoring social networks and identifying activists. The purchase of "Insider" by authorities, under contracts signed by several Russian regional departments, is funded by budget money.
The developer behind "Insider," Evgeny Venediktov, is known for his controversial past, and the legality of employing such systems for de-anonymization purposes raises significant questions under Russian law.
STATISTICS:
- More than 76 million mobile numbers are loaded into the "Insider" system from leaked databases.
- One license for "Laplace's Demon" costs on average 500 thousand rubles. ($5500 USD)
- In 2019, the database used had 10 million numbers, which has now grown to more than 76 million.
@kalilinux
Sources: [researcher lordx64 - zakharovchannel]
OpenAI publishes Elon Musk’s emails. ‘We’re sad that it’s come to this’
In the emails, parts of which have been redacted, Musk argues that the company stood virtually no chance of building a successful generative AI platform by raising cash alone, and the company needed to find alternate sources of revenue to survive.
OpenAi just announced Sora, a video generating Ai. Sora can generate videos up to a minute long while maintaining visual quality and adherence to the user’s prompt. The model understands not only what the user has asked for in the prompt, but also how those things exist in the physical world. Sora can also create multiple shots within a single generated video that accurately persist characters and visual style.The current model has weaknesses. It may struggle with accurately simulating the physics of a complex scene, and may not understand specific instances of cause and effect. For example, a person might take a bite out of a cookie, but afterward, the cookie may not have a bite mark. more on that in the OpenAi's website:
https://openai.com/sora
@kalilinux
AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
@kalilinux
Apple’s Proposed Changes Reject the Goals of the DMA
@Kalilinux
https://newsroom.spotify.com/2024-01-26/apples-proposed-changes-reject-the-goals-of-the-dma/
Google’s Manifest V3 still puts unnecessary limitations on developers, EFF’s Alexei Miagkov tells verge. “These are helpful changes, but… the big problem remains the same: if extensions can’t innovate, users lose and trackers win.”
@kalilinux
https://www.theverge.com/2023/11/16/23964509/google-manifest-v3-rollout-ad-blockers
Google Cloud, AWS, and Cloudflare report largest DDoS attacks ever
The attack on Google Cloud was 7½ times larger than any previously recorded DDoS attack.
@kalilinux
https://www.zdnet.com/article/google-cloud-aws-and-cloudflare-report-largest-ddos-attacks-ever/#ftag=RSSbaffb68
Forty years ago, Richard Stallman announced the plan to develop the GNU operating system, which would be entirely composed of free software. The existence of a free operating system would enable people to operate their computers in freedom, throwing off the power of the developers of nonfree software.
The GNU Project has also built the global free software movement.
On September 27th 2023 they invite you to join the GNU community in Biel/Bienne to celebrate this occasion, and help build a future where users' computing freedom extends further than ever.
https://www.gnu.org/gnu40/
@kalilinux
🤖 Telegram Mini App Contest
Prize fund: $50,000
Deadline: 23:59 on October 9th (Dubai time)
Who can participate: Everyone
Results: October 31st, 2023
Telegram is launching a contest for developers of Mini Apps like this one. One of the goals of this competition is to create a variety of examples and reusable tools for future Mini App developers.
The Task:
The task is to build any useful Mini App for Telegram and publish its client and server code on Github.
Your submission must include:
• A GitHub repository containing the source code of your example Mini App, built from scratch. You can use any programming language for the server-side code. The source code of your app must be easy to understand and reusable for any developer starting to build Mini Apps for Telegram. For more, see the “Mini App requirements” section below.
• Comprehensive and organized documentation in English, including a setup guide. Ensure the guide addresses every element of your solution, and the documentation details all potential errors and exceptions. It should be written in a user-friendly way that is approachable even for inexperienced developers. Translations in other languages are welcome too.
---
Mini App requirements:
• Design a simple yet functional app. For reference, see @DurgerKingBot or @wallet.
• Your solution should include at least one fully functional Mini App example. Example apps are allowed to showcase fictional services or generate placeholder data, such as creating a mock store.
• It is strictly prohibited to implement a browser view of actual webpages, the Mini App must be a separate entity built from scratch solely for its purpose. For example a "Weather App" submission that only provides a browser view for an existing weather website is not allowed. That said, actual webpages are allowed for authorization flows where a user is required to sign up or log in to use the service.
• Recommended Mini App categories include games, dating, community management, venue booking, e-commerce, сontent editing, etc.
• Each additional Mini App example can qualify for extra rewards, but only if it represents a different app category.
Evaluation Criteria:
We will evaluate each submission's code and documentation quality from the developer perspective, as well as its example Mini Apps from the user perspective. The app should be useful for developers, users, or both.
____
@ContestBot will begin accepting submissions at a later date. We will further clarify the submission instructions closer to the deadline.
https://www.eff.org/deeplinks/2023/07/fbi-seizure-mastodon-server-wakeup-call-fediverse-users-and-hosts-protect-their
@kalilinux
🔍Call for Testers: Help the Tor Project to test Conjure on Tor Browser Alpha!
We are thrilled to announce that Conjure, a new pluggable transport is now supported in the alpha version of Tor Browser for Desktop and Android. Conjure is an anti-censorship tool that uses refraction networking (aka decoy routing) that will help users to bypass censorship and connect to the Tor network. We need your help to test if Conjure works in regions that the Tor network is blocked.
Your feedback will help us identify issues with this new pluggable transport and ensure its reliability.
What is Conjure?
Conjure is an anti-censorship tool in the refraction networking (a.k.a. decoy routing) lineage of circumvention systems. The key innovation of Conjure is to turn the unused IP address space of deploying Internet Service Providers (ISPs) into a large pool of phantom proxies that users can connect to. Due to the size of unused IPv6 address space and the potential for collateral damage against real websites hosted by the deploying ISPs, Conjure provides an effective solution to the problem of censors enumerating deployed bridges or proxies.
# How to test Conjure
‼️ Important note on risk assessment
Please only download Tor Browser Alpha if you are okay with some things not working properly, want to help us find and report bugs, and are not putting yourself at risk. Be aware that testing a new pluggable transport may call attention of censors.
To participate in this testing program, please follow these steps:
💻 Desktop
1. Download and install the latest alpha version of Tor Browser for Desktop (make sure you have a backup of your existing browser setup).
https://www.torproject.org/download/alpha/
2. Open Tor Browser and navigate to the Connection preferences window. Or Click on "Configure Connection...".
Menu > Settings > Connection (about:preferences#connection)
3. Click on "Add a Bridge Manually". Copy and add the bridge line below in the field.
conjure 143.110.214.222:80 url=https://registration.refraction.network.global.prod.fastly.net/api front=cdn.sstatic.net
4. Click "OK" to close the bridge dialog. Finally, scroll up and click on "Connect".
5. If you see a purple screen "Test. Thoroughly." or if your Tor Browser Alpha was updated, you will see "Tor Browser has been updated”. Then, it means Conjure is working and you can use it for your browsing activities.
6. Take note of any issues, errors, or unexpected behavior you encounter while trying to connect to Tor using Conjure.
📱 Android
1. Download and install the latest alpha version of Tor Browser for Android.
2. When you run Tor Browser for the first time, you will see the option to connect directly to the Tor network, or to configure Tor Browser for your connection with the settings icon.
3. Tap on the settings icon. Tor Browser will take you through a series of configuration options. The first screen will tell you about the status of the Tor Network and provide you the option to configure a Bridge ('Config Bridge'). Tap on 'Config Bridge'.
4. Choose the "Provide a Bridge I know" option and then enter this bridge address:
conjure 143.110.214.222:80 url=https://registration.refraction.network.global.prod.fastly.net/api front=cdn.sstatic.net
5. Tap 'OK' and, if everything works well, it will connect.
📝 Submit your feedback
Submit your feedback and findings here on this topic or use Conjure Gitlab for technical reports. Include a clear description of the problem, your Tor logs, steps to reproduce it, and any relevant details.
By testing Conjure and reporting any issues, bugs, or suggestions, you will contribute significantly to refining its performance and optimizing its capabilities. Your participation will not only benefit the Tor community but also help advance the Internet freedom community.
https://forum.torproject.net/t/call-for-testers-help-the-tor-project-to-test-conjure-on-tor-browser-alpha/7815
In a surprising move, Japan’s government recently reaffirmed that it will not enforce copyrights on data used in AI training. The policy allows AI to use any data “regardless of whether it is for non-profit or commercial purposes, whether it is an act other than reproduction, or whether it is content obtained from illegal sites or otherwise.”
@Kalilinux
https://technomancers.ai/japan-goes-all-in-copyright-doesnt-apply-to-ai-training/
