remixtures

"I'm not the only person for whom a detailed knowledge of scams created immunity from being scammed. Troy Hunt is the proprietor of HaveIBeenPwned.com, the internet's most comprehensive and reliable breach notification site. Hunt pretty much invented the practice of tracking breaches, and he is steeped – saturated – in up-to-the-minute, nitty-gritty details of how internet scams work.

Guess who got phished?
(...)
Hunt had just gotten off a long-haul flight. He was jetlagged. He got a well-constructed, plausible counterfeit email from Mailchimp telling him that his mailing-list – which he absolutely relies upon – had been frozen after a spam complaint, and advising him to click on a link to contest the suspension. He was taken to a fake login screen that his password manager didn't autopopulate, so he manually pasted the password in (Mailchimp doesn't have 2FA). It was only when the login session hung that he realized he'd been scammed – and by then, it was too late. Within minutes, his mailing list had been exported by the scammers.

In his postmortem of the scam, Hunt identifies the overlapping factors that made him vulnerable. He was jetlagged. The mailing list was important. Bogus spam complaints are common. Big corporate sites like Mailchimp often redirect their logins through different domains, which causes password manager autofill to fail. Hunt had experienced near-identical phishing attempts before and spotted them, but this one just happened to land at the very moment that he was vulnerable. Plus – as with my credit union scam – it seems likely that Mailchimp itself had been breached (or has an insider threat), which allowed the scammers to pad out the scam with plausible details that made it seem legit."

https://pluralistic.net/2025/04/05/troy-hunt/#teach-a-man-to-phish

#Scams #Phishing #CyberSecurity

"The Israeli-Palestinian conflict has gained significant media prominence following the recent attack carried out by Hamas against Israel, which involved missile launches and the incursion of armed fighters onto Israeli soil. In line with historical recurrence, the present situation has also been instrumentalised to polarise public opinion and reduce its complexity to Manichaeism, with the aim of obscuring its actual essence — as an epiphenomenon of the warlike dynamics of crisis neo-imperialism at the heart of late capitalism. The unequivocally genocidal and colonialist project carried out by the State of Israel against the Palestinian people, evident in the latter’s confinement within the Gaza strip through technological terror and systematic violence, has been going on for more than half a century. Nevertheless, it is essential to reject the stigmatising conflation of the Israeli population with its state apparatus. Its daily existence, permeated by rigid racial divisions and chronic militarisation, not only subjugates this people — subjecting them to the servitude of a neo-fascist government — but also brings them suffering (evident in the civilian victims, both in the context of the attack, the Arab-Israeli war, internal repression, or even strategic-military sacrifices, as occurred in Be’eri kibbutz). The Enlightenment left, in its eagerness to express its synthetic anti-imperialism anchored in bourgeois reason and the nostalgic dichotomy of the Cold War, has shown itself to be complicit in this utilitarian appropriation, neglecting the scrutiny demanded by the situation. The counter-offensive in question does not originate from the spontaneous movement of the people against oppressive forces; on the contrary, it arises from a jihadist, nationalist, and anti-Marxist organisation — Hamas..."

https://medium.com/@ascentreact/the-israeli-palestinian-conflict-in-critical-and-historical-analysis-d6a796e3fcf7

#Israel #Palestine #Gaza #Hamas #History #Colonialism #Imperialism

"President Donald Trump’s latest executive order titled “RESTORING TRUTH AND SANITY TO AMERICAN HISTORY” replicates a tactic used by all authoritarian regimes. In the name of countering bias, they distort the nation’s history into self-serving mythology.

History will be used to justify the power of the ruling elites in the present by deifying the ruling elites of the past. It will disappear the suffering of the victims of genocide, enslavement, discrimination and institutional racism. The repression and violence during our labor wars — hundreds of workers were killed by gun thugs, company goons, police and soldiers from National Guard units in the struggle to unionize — will be untold. Historical figures, such as Woodrow Wilson, will be social archetypes whose darker actions, including the decision to re-segregate the federal government and oversee one of the most aggressive campaigns of political repression in U.S. history, will be ignored.

In the America of our Trump-approved history books — I have read the textbooks used in “Christian” schools so this is not conjecture — equal opportunity for all exists and has always existed. America exemplifies human progress. It has constantly improved and perfected itself under the tutelage of its enlightened and almost exclusively white male rulers. It is the vanguard of “Western civilization.”

https://x.com/ChrisLynnHedges/status/1907499697373327403

#USA #Trump #History #Schools #Ideology #Propaganda #WhiteSupremacism #Authoritarianism

"Google is updating Gmail to allow enterprise users to send encrypted messages to any inbox in just a few clicks. Google says it’s developed a new encryption model that, unlike the current encryption feature on Gmail, doesn’t require senders or recipients to use custom software or exchange encryption certificates.

The feature is rolling out in beta starting today, and will initially be available for Google enterprise users to send encrypted emails to other Gmail users within the same organization. Google says this will expand to emails sent to any Gmail inbox “in the coming weeks,” and to inboxes from any third-party email provider “later this year.”

Gmail’s current encryption feature, based on the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, can already be used to send external emails. Doing so requires the recipient to have S/MIME configured and complete multiple steps with the sender before emails can be securely exchanged, however."

https://www.theverge.com/news/640422/google-gmail-email-encryption-enterprise-beta

#Google #CyberSecurity #Encryption #Privacy #eMail

"NEW YORK—A lawsuit seeking to stop the U.S. Office of Personnel Management (OPM) from disclosing tens of millions of Americans’ private, sensitive information to Elon Musk’s “Department of Government Efficiency” (DOGE) can continue, a federal judge ruled Thursday.

Judge Denise L. Cote of the U.S. District Court for the Southern District of New York partially rejected the defendants’ motion to dismiss the lawsuit, which was filed Feb. 11 on behalf of two labor unions and individual current and former government workers across the country. This decision is a victory: The court agreed that the claims that OPM illegally disclosed highly personal records of millions of people to DOGE agents can move forward with the goal of stopping that ongoing disclosure and requiring that any shared information be returned.

Cote ruled current and former federal employees "may pursue their request for injunctive relief under the APA [Administrative Procedure Act]. ... The defendants’ Kafkaesque argument to the contrary would deprive the plaintiffs of any recourse under the law."

"The complaint plausibly alleges that actions by OPM were not representative of its ordinary day-to-day operations but were, in sharp contrast to its normal procedures, illegal, rushed, and dangerous,” the judge wrote."

https://www.eff.org/press/releases/judge-rejects-governments-attempt-dismiss-eff-lawsuit-against-opm-doge-and-musk

#USA #Musk #OPM #DOGE #DataProtection #Privacy

"My current conclusion, though preliminary in this rapidly evolving field, is that not only can seasoned developers benefit from this technology — they are actually in the optimal position to harness its power.

Here’s the fascinating part: The very experience and accumulated know-how in software engineering and project management — which might seem obsolete in the age of AI — are precisely what enable the most effective use of these tools.

While I haven’t found the perfect metaphor for these LLM-based programming agents in an AI-assisted coding setup, I currently think of them as “an absolute senior when it comes to programming knowledge, but an absolute junior when it comes to architectural oversight in your specific context.”

This means that it takes some strategic effort to make them save you a tremendous amount of work.

And who better to invest that effort in the right way than a senior software engineer?

As we’ll see, while we’re dealing with cutting-edge technology, it’s the time-tested, traditional practices and tools that enable us to wield this new capability most effectively."

https://manuel.kiessling.net/2025/03/31/how-seasoned-developers-can-achieve-great-results-with-ai-coding-agents/

#AI #GenerativeAI #Programming #SoftwareDevelopment #AIAgents #LLMs #Chatbots #VibeCoding #SoftwareEngineering #ProjectManagement

Sweden just isn't what it used to be...

"In most countries, the government knows when you were born, your social security number, where you live, how much you earn and how much your house is worth. Sweden is a bit different though. There, the tax authority doesn’t just use this information for administrative purposes – but sells it to data brokers who publish it online. This is a violation of EU law. Earlier this year, a Swedish data subject asked the country’s tax authority to stop selling his data. The country’s Supreme Court has recently ruled that freedom of information and privacy rights must be balanced and data must be marked as confidential, if the recipient is likely to process it in conflict with the GDPR. The tax authority rejected the request, claiming it simply follows the Swedish constitutional principle of transparency rather than the ruling by the Supreme Court. noyb now takes the authority to court."

https://noyb.eu/en/noyb-takes-swedish-tax-authority-court-selling-peoples-personal-data

#Sweden #EU #Taxes #DataProtection #Privacy #GDPR

"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.

Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.

There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.

Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.

Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."

https://nordicapis.com/9-signs-youre-doing-api-security-wrong/

#API #APIs #APISecurity #APIDesign #WebSecurity #CyberSecurity

"Now consider the chatbot therapist: what are its privacy safeguards? Well, the companies may make some promises about what they will and won't do with the transcripts of your AI sessions, but they are lying. Of course they're lying! AI companies lie about what their technology can do (of course). They lie about what their technologies will do. They lie about money. But most of all, they lie about data.

There is no subject on which AI companies have been more consistently, flagrantly, grotesquely dishonest than training data. When it comes to getting more data, AI companies will lie, cheat and steal in ways that would seem hacky if you wrote them into fiction, like they were pulp-novel dope fiends:
(...)
But it's not just people struggling with their mental health who shouldn't be sharing sensitive data with chatbots – it's everyone. All those business applications that AI companies are pushing, the kind where you entrust an AI with your firm's most commercially sensitive data? Are you crazy? These companies will not only leak that data, they'll sell it to your competition. Hell, Microsoft already does this with Office365 analytics:
(...)
These companies lie all the time about everything, but the thing they lie most about is how they handle sensitive data. It's wild that anyone has to be reminded of this. Letting AI companies handle your sensitive data is like turning arsonists loose in your library with a can of gasoline, a book of matches, and a pinky-promise that this time, they won't set anything on fire."

https://pluralistic.net/2025/04/01/doctor-robo-blabbermouth/#fool-me-once-etc-etc

#AI #GenerativeAI #LLMs #ChatBots #Privacy #DataProtection #AITraining #Therapy #BigTech

"It is now time to fix it for good. A new solution has been proposed: partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition:

• Link URL. The destination of the visited link.
• Top-Level Site. The domain of the main browsing context.
• Frame Origin. The origin of the frame rendering the link.

A link is only styled as :visited if it was visited from the same top-level site and frame origin (...) This approach guarantees isolation and works well with the web's same-origin policy. The system records only navigations initiated by link clicks or scripts—excluding direct address bar entries or bookmark navigations.

Key benefits of this model include: strong protection against cross-site history leaks, solving for good of many known side-channel attacks, support for meaningful styling within trusted, same-context domains, conforming to established web privacy principles and data protection regulations.

This feature is already implemented in Chrome (v132, behind a #partition-visited-link-database-with-self-links flag). I am confident that in 2025 we are going to have this privacy headache solved once and for all."

https://blog.lukaszolejnik.com/fixing-web-browser-history-leaks/

#CyberSecurity #WebSecurity #Privacy #WebBrowser #WebBrowserHistory

"We don’t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn’t crazy to worry that the NSA might again start monitoring domestic communications.

Because of the Signal chat leak, it’s less likely that they’ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the US government lies in the fact that the US government shares their vulnerabilities. No one wants their secrets exposed.

I have long advocated for a "defense dominant" cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator—and now that they are being used for what the White House now calls calls "sensitive," if not outright classified conversations among cabinet members—we need them to be as secure as possible. And that means no government-mandated backdoors.

We may find out more about how officials—including the vice president of the United States—came to be using Signal on what seem to be consumer-grade smartphones, in a apparent breach of the laws on government records. It’s unlikely that they really thought through the consequences of their actions.

Nonetheless, those consequences are real. Other governments, possibly including US allies, will now have much more incentive to break Signal’s security than they did in the past, and more incentive to hack US government smartphones than they did before March 24.

For just the same reason, the US government has urgent incentives to protect them."

https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html

#USA #CyberSecurity #Signal #Encryption #Backdoors #Privacy #NSA #StateHacking

"Apple has been hit with a fine of €150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework.

The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25, 2023.

ATT, introduced by the iPhone maker with iOS 14.5, iPadOS 14.5, and tvOS 14.5, is a framework that requires mobile apps to seek users' explicit consent in order to access their device's unique advertising identifier (i.e., the Identifier for Advertisers or IDFA) and track them across apps and websites for purposes targeted advertising.

"Unless you receive permission from the user to enable tracking, the device's advertising identifier value will be all zeros and you may not track them," Apple notes on its website. "While you can display the AppTrackingTransparency prompt whenever you choose, the device's advertising identifier value will only be returned once you present the prompt and the user grants permission."

App developers, besides requesting for permission to track the users, are also required to state the purpose behind why such tracking is necessary in the first place."

https://thehackernews.com/2025/04/apple-fined-150-million-by-french.html

#EU #France #Apple #Antitrust #AppTrackingTransparency #Privacy #DataProtection #Competition