harrysintonen

[–] [email protected] 0 points 3 days ago (1 children)

@gnyman I had the following enabled for me:
- Targeting in external channels
- Analytics and customer grouping

I had specifically disabled "Item-level purchase data" before, and I'm fairly confident I did not explicitly enable those other two.

 

S-Group (one of the big two retail chains in Finland) enables AI model training from user data by default. S-Group claims that "Data protection is built in, and even for training the model, data from customers who have opted out of analytics is not used."

S-Group has millions of customers, for whom they've now enabled this by default. If data protection were built-in, they would rather make this something people need to specifically opt-in to.

If you're an S-Group client (for example, you have an S-card), you can disallow your information from being used by visiting: https://s-kayttajatili.fi/en/my-information/privacy

You may want to check "Targeting in external channels", "Item-level purchase data", and "Analytics and customer grouping".

#privacy #dataprotection #enshittification

[–] [email protected] 1 points 1 week ago

@[email protected] I sure did. I also renamed the variable to a name that makes its existence obvious to anyone reading the code.

[–] [email protected] 1 points 1 week ago (1 children)

The code originally made a copy of a struct before modifying the copy. The original was then used afterwards. I entirely missed the later use and that it was critical that the original struct was used as is. So I passed a subtly modified struct to the later processing, which, in combination with a second bug I had introduced some time earlier, caused all kinds of havoc.

There was another bug I also introduced, which funnily had similar effects. This bug was added months ago, and it affected only older OS versions. I typically only run the bleeding version during development (but I had tested the change with older versions, too). Unfortunately, this issue was random as it depended on stack contents to get triggered, and thus went unnoticed until the additional scrutiny introduced this intense debugging session.

The combination of these factors made this a highly frustrating thing to debug, as any kind of A-B testing fails when you have multiple or random issues.

#bugstories

 

I just spent untold hours debugging an issue I introduced myself by "removing an unnecessary variable".

The variable was necessary.

#development #programming

[–] [email protected] 1 points 1 week ago

@[email protected] "Nice flow you've got going there, would be a shame if I had to reboot"

 

So #Microsoft will be monetising "not rebooting" #Windows: You can avoid security update-related reboots by paying for a monthly subscription.

For now, this feature will be available for Windows Server 2025, but I see great business potential in the consumer market...

https://www.forbes.com/sites/daveywinder/2025/04/28/microsoft-confirms-150-windows-security-update-fee-starts-july-1/

 

If there were a single thing I'd want to convey to potential future #cybersecurity professionals: Hacking is fun, but reporting is the most important part.

You can be the best hacker in the world, but all that is in vain if you can't convey what you did and how to prevent it.

You should spend time getting better at reporting, along with the technical skills.

#thoughtoftheday

 

The feeling when you notice a bug in your binutils port that has been generating semi-randomly broken branch relaxation trampolines for decades.

#programming #coding #oops

[–] [email protected] 2 points 3 weeks ago (1 children)

@[email protected] Ooof. I wonder if it's available in some states though, for example California? They have https://oag.ca.gov/privacy/ccpa

 

If you're a #facebook user, you can object to your information being used for #aItraining: https://www.facebook.com/help/contact/6359191084165019

As part of the process, they demand that you explain how the process impacts you. Of course, this is just another step to stop you from exercising your right to object. You can enter "I refuse to explain my reasons" or similar, and it will be equally valid as an actual explanation.

#privacy #enshittification

[–] [email protected] 6 points 3 weeks ago

This here is the prime example of why we must stay vigilant about the collection and dissemination of personal information.

Also, while this article only mentions "algorithm", it's not difficult to predict that AI models are or will be used for this kind of task.

AI advocates often claim that any plans to regulate AI are just a hindrance to progress. I will take regulation if it will stop this kind of madness.

 

No one — absolutely no one — saw this coming: "The UK government is developing a “murder prediction” programme which it hopes can use personal data of those known to the authorities to identify the people most likely to become killers."

https://www.theguardian.com/uk-news/2025/apr/08/uk-creating-prediction-tool-to-identify-people-most-likely-to-kill

This is far, far more sinister than anything even Philip K. Dick could dream of.

#precrime #thoughtcrime #privacy

 

I can't recommend https://www.privacyguides.org/ enough. Excellent curated information on how to protect your #privacy.

 

Finnish Post has decided to start using your data for service planning and development. This is opt-in by default.

"My data may be used for service planning and development, as well as for delivering personalized content and targeted advertising using profiling.
Profiling refers to automated processing of personal data where the information is used to evaluate personal characteristics, such as interests or service usage. The purpose of profiling is to enhance the customer experience and ensure that the customer receives relevant and interesting recommendations and services."

Notably for some reason this is separate from "Marketing consents" and is enabled by default.

You can turn off this option at: https://my.account.posti.fi/settings

#profiling #privacy #gdpr #enshittification

 

Today Finland is voting in county and municipal #elections. Unsurprisingly the idiot Russian "hacking crew" is DDoSing websites of the political parties.

Newsflash: The voting is pen & paper. No websites are involved in the voting process. You gain absolutely nothing by DDoSing the party websites.

#infosec #cybersecurity

 

In case you haven't noticed #nis2directive is in effect in Finland now:

"Finnish Parliament has passed the government proposal for a national #Cybersecurity Act to implement the EU Cybersecurity Directive (NIS 2 Directive). As regards public administration, the relevant requirements included in the Directive are laid down in the Act on Information Management in Public Administration."

Interestingly this also increases the duties and responsibilities of The Finnish Transport and Communications Agency Traficom:

"The Cybersecurity Act also entails new supervisory duties for Traficom compared to the old NIS Directive. In future, Traficom will be the competent authority supervising cybersecurity issues also in the following sectors: postal and courier services, space, public administration, managed service providers, managed security service providers, research, and the manufacture of vehicles and other transport equipment."

ref: https://traficom.fi/en/news/cybersecurity-act-passed-parliament-obligations-under-nis-2-directive-enter-force-8-april-2025

[–] [email protected] 1 points 1 month ago

@[email protected] Sure, those methods might work for now. But if Microsoft follows their reasoning ("We’re removing X from the build to enhance security and user experience of Windows 11. This change ensures that all users exit setup with internet connectivity and a Microsoft Account.") they will remove these methods eventually as well.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

@infinity Yeah, it does for now. I fully expect Microsoft to remove that registry key or the associated functionality next.

After all, not doing so would mean that users could accidentally set up the system "without working internet connectivity and a Microsoft Account".

That would be terrible for security and user experience *cough* business.

 

#Microsoft is removing the possibility to use a local account with #Windows.
https://blogs.windows.com/windows-insider/2025/03/28/announcing-windows-11-insider-preview-build-26200-5516-dev-channel/

"We’re removing the bypassnro.cmd script from the build to enhance security and user experience of Windows 11."

Oh, okay, but how does it improve security or user experience?

"This change ensures that all users exit setup with internet connectivity and a Microsoft Account."

Ah, so it does not improve security or user experience. It in fact is making the user experience worse, as you no longer can set up Windows offline easily.

The only reason is to force more users to sign up for a Microsoft account.

#enshittification

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

@jerry It largely depends on how well the initial impact is cleaned up. I'm hoping we won't see a ton of backdoors in various components next.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

The httpget 0.2 doesn't quite work in the form it was uploaded.

First, it uses hardcoded argv, argc instead of getting them from the app invocation (as args in main, the code uses void main).

Second, obtaining any data from the socket will result in the app stopping and leaving behind an empty file (if (nread) break;).

This program could never download anything. It is likely some work in progress or modified test version of httpget. Since it includes some Windows-specific headers and has disabled the Unix ones, I can only presume it was some earlier attempt to get the tool running on Windows.

So while the code has a local stack buffer overflow it can't be triggered for this early version.
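
The early-exit behaviour described in the comment above, as an added example that is not part of the original post and is not httpget's code. The in-memory `fake_sock`, the `drain` loop shape and the sample response are all assumptions constructed for illustration; only the `if (nread) break;` test comes from the comment.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample response; stands in for bytes arriving on a socket. */
static const char SAMPLE[] = "HTTP/1.0 200 OK\r\n\r\nhello, world\n";

/* Hypothetical in-memory "socket": returns up to cap bytes, 0 at end of stream. */
struct fake_sock { const char *data; size_t len, pos; };

static long fake_recv(struct fake_sock *s, char *buf, size_t cap)
{
    size_t n = s->len - s->pos;
    if (n > cap) n = cap;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (long)n;
}

/* Copies the stream into out (never past outcap) and returns the bytes stored.
   inverted != 0 reproduces the `if (nread) break;` test quoted in the comment. */
static size_t drain(struct fake_sock *s, char *out, size_t outcap, int inverted)
{
    char buf[8];
    size_t total = 0;
    long nread;
    do {
        nread = fake_recv(s, buf, sizeof buf);
        if (inverted ? nread != 0 : nread <= 0)
            break;                      /* inverted: leaves on the first data */
        size_t n = (size_t)nread;
        if (n > outcap - total) n = outcap - total;   /* bounded copy */
        memcpy(out + total, buf, n);
        total += n;
    } while (nread > 0 && total < outcap);
    return total;
}

/* Runs one variant over the constructed sample; returns the bytes "saved". */
size_t saved_bytes(int inverted)
{
    struct fake_sock s = { SAMPLE, sizeof SAMPLE - 1, 0 };
    char out[128];
    return drain(&s, out, sizeof out, inverted);
}

int main(void)
{
    printf("inverted test:  %zu bytes saved\n", saved_bytes(1));
    printf("corrected test: %zu bytes saved\n", saved_bytes(0));
    return 0;
}
```

With the inverted test the loop exits before anything is copied, which matches the empty output file the comment describes.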

[–] [email protected] 1 points 2 months ago

If this trend continues, we will be losing the ability to use secure means of communication with UK friends and colleagues. For example, #signalapp will rather get out of the UK than add backdoors: https://www.bbc.com/news/technology-64584001
