remixtures

joined 2 years ago

"I'm not the only person for whom a detailed knowledge of scams created immunity from being scammed. Troy Hunt is the proprietor of HaveIBeenPwned.com, the internet's most comprehensive and reliable breach notification site. Hunt pretty much invented the practice of tracking breaches, and he is steeped – saturated – in up-to-the-minute, nitty-gritty details of how internet scams work.

Guess who got phished?
(...)
Hunt had just gotten off a long-haul flight. He was jetlagged. He got a well-constructed, plausible counterfeit email from Mailchimp telling him that his mailing-list – which he absolutely relies upon – had been frozen after a spam complaint, and advising him to click on a link to contest the suspension. He was taken to a fake login screen that his password manager didn't autopopulate, so he manually pasted the password in (Mailchimp doesn't have 2FA). It was only when the login session hung that he realized he'd been scammed – and by then, it was too late. Within minutes, his mailing list had been exported by the scammers.

In his postmortem of the scam, Hunt identifies the overlapping factors that made him vulnerable. He was jetlagged. The mailing list was important. Bogus spam complaints are common. Big corporate sites like Mailchimp often redirect their logins through different domains, which causes password manager autofill to fail. Hunt had experienced near-identical phishing attempts before and spotted them, but this one just happened to land at the very moment that he was vulnerable. Plus – as with my credit union scam – it seems likely that Mailchimp itself had been breached (or has an insider threat), which allowed the scammers to pad out the scam with plausible details that made it seem legit."

https://pluralistic.net/2025/04/05/troy-hunt/#teach-a-man-to-phish

#Scams #Phishing #CyberSecurity


"The Israeli-Palestinian conflict has gained significant media prominence following the recent attack carried out by Hamas against Israel, which involved missile launches and the incursion of armed fighters onto Israeli soil. In line with historical recurrence, the present situation has also been instrumentalised to polarise public opinion and reduce its complexity to Manichaeism, with the aim of obscuring its actual essence — as an epiphenomenon of the warlike dynamics of crisis neo-imperialism at the heart of late capitalism. The unequivocally genocidal and colonialist project carried out by the State of Israel against the Palestinian people, evident in the latter’s confinement within the Gaza strip through technological terror and systematic violence, has been going on for more than half a century. Nevertheless, it is essential to reject the stigmatising conflation of the Israeli population with its state apparatus. Its daily existence, permeated by rigid racial divisions and chronic militarisation, not only subjugates this people — subjecting them to the servitude of a neo-fascist government — but also brings them suffering (evident in the civilian victims, both in the context of the attack, the Arab-Israeli war, internal repression, or even strategic-military sacrifices, as occurred in Be’eri kibbutz). The Enlightenment left, in its eagerness to express its synthetic anti-imperialism anchored in bourgeois reason and the nostalgic dichotomy of the Cold War, has shown itself to be complicit in this utilitarian appropriation, neglecting the scrutiny demanded by the situation. The counter-offensive in question does not originate from the spontaneous movement of the people against oppressive forces; on the contrary, it arises from a jihadist, nationalist, and anti-Marxist organisation — Hamas..."

https://medium.com/@ascentreact/the-israeli-palestinian-conflict-in-critical-and-historical-analysis-d6a796e3fcf7

#Israel #Palestine #Gaza #Hamas #History #Colonialism #Imperialism


"President Donald Trump’s latest executive order titled “RESTORING TRUTH AND SANITY TO AMERICAN HISTORY” replicates a tactic used by all authoritarian regimes. In the name of countering bias, they distort the nation’s history into self-serving mythology.

History will be used to justify the power of the ruling elites in the present by deifying the ruling elites of the past. It will disappear the suffering of the victims of genocide, enslavement, discrimination and institutional racism. The repression and violence during our labor wars — hundreds of workers were killed by gun thugs, company goons, police and soldiers from National Guard units in the struggle to unionize — will be untold. Historical figures, such as Woodrow Wilson, will be social archetypes whose darker actions, including the decision to re-segregate the federal government and oversee one of the most aggressive campaigns of political repression in U.S. history, will be ignored.

In the America of our Trump-approved history books — I have read the textbooks used in “Christian” schools so this is not conjecture — equal opportunity for all exists and has always existed. America exemplifies human progress. It has constantly improved and perfected itself under the tutelage of its enlightened and almost exclusively white male rulers. It is the vanguard of “Western civilization.”

https://x.com/ChrisLynnHedges/status/1907499697373327403

#USA #Trump #History #Schools #Ideology #Propaganda #WhiteSupremacism #Authoritarianism


"Google is updating Gmail to allow enterprise users to send encrypted messages to any inbox in just a few clicks. Google says it’s developed a new encryption model that, unlike the current encryption feature on Gmail, doesn’t require senders or recipients to use custom software or exchange encryption certificates.

The feature is rolling out in beta starting today, and will initially be available for Google enterprise users to send encrypted emails to other Gmail users within the same organization. Google says this will expand to emails sent to any Gmail inbox “in the coming weeks,” and to inboxes from any third-party email provider “later this year.”

Gmail’s current encryption feature, based on the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol, can already be used to send external emails. Doing so requires the recipient to have S/MIME configured and complete multiple steps with the sender before emails can be securely exchanged, however."

https://www.theverge.com/news/640422/google-gmail-email-encryption-enterprise-beta

#Google #CyberSecurity #Encryption #Privacy #eMail


"NEW YORK—A lawsuit seeking to stop the U.S. Office of Personnel Management (OPM) from disclosing tens of millions of Americans’ private, sensitive information to Elon Musk’s “Department of Government Efficiency” (DOGE) can continue, a federal judge ruled Thursday.

Judge Denise L. Cote of the U.S. District Court for the Southern District of New York partially rejected the defendants’ motion to dismiss the lawsuit, which was filed Feb. 11 on behalf of two labor unions and individual current and former government workers across the country. This decision is a victory: The court agreed that the claims that OPM illegally disclosed highly personal records of millions of people to DOGE agents can move forward with the goal of stopping that ongoing disclosure and requiring that any shared information be returned.

Cote ruled current and former federal employees "may pursue their request for injunctive relief under the APA [Administrative Procedure Act]. ... The defendants’ Kafkaesque argument to the contrary would deprive the plaintiffs of any recourse under the law."

"The complaint plausibly alleges that actions by OPM were not representative of its ordinary day-to-day operations but were, in sharp contrast to its normal procedures, illegal, rushed, and dangerous,” the judge wrote."

https://www.eff.org/press/releases/judge-rejects-governments-attempt-dismiss-eff-lawsuit-against-opm-doge-and-musk

#USA #Musk #OPM #DOGE #DataProtection #Privacy


"My current conclusion, though preliminary in this rapidly evolving field, is that not only can seasoned developers benefit from this technology — they are actually in the optimal position to harness its power.

Here’s the fascinating part: The very experience and accumulated know-how in software engineering and project management — which might seem obsolete in the age of AI — are precisely what enable the most effective use of these tools.

While I haven’t found the perfect metaphor for these LLM-based programming agents in an AI-assisted coding setup, I currently think of them as “an absolute senior when it comes to programming knowledge, but an absolute junior when it comes to architectural oversight in your specific context.”

This means that it takes some strategic effort to make them save you a tremendous amount of work.

And who better to invest that effort in the right way than a senior software engineer?

As we’ll see, while we’re dealing with cutting-edge technology, it’s the time-tested, traditional practices and tools that enable us to wield this new capability most effectively."

https://manuel.kiessling.net/2025/03/31/how-seasoned-developers-can-achieve-great-results-with-ai-coding-agents/

#AI #GenerativeAI #Programming #SoftwareDevelopment #AIAgents #LLMs #Chatbots #VibeCoding #SoftwareEngineering #ProjectManagement

[–] remixtures@tldr.nettime.org 1 points 3 days ago* (last edited 3 days ago)

@kvadd Yes, but data brokers can buy that information for ad targeting and marketing purposes. These usages should be specifically outlawed, according to the GDPR.


Sweden just isn't what it used to be...

"In most countries, the government knows when you were born, your social security number, where you live, how much you earn and how much your house is worth. Sweden is a bit different though. There, the tax authority doesn’t just use this information for administrative purposes – but sells it to data brokers who publish it online. This is a violation of EU law. Earlier this year, a Swedish data subject asked the country’s tax authority to stop selling his data. The country’s Supreme Court has recently ruled that freedom of information and privacy rights must be balanced and data must be marked as confidential, if the recipient is likely to process it in conflict with the GDPR. The tax authority rejected the request, claiming it simply follows the Swedish constitutional principle of transparency rather than the ruling by the Supreme Court. noyb now takes the authority to court."

https://noyb.eu/en/noyb-takes-swedish-tax-authority-court-selling-peoples-personal-data

#Sweden #EU #Taxes #DataProtection #Privacy #GDPR


"API keys are foundational elements for authentication, but relying solely on them is inherently a risky proposal.

Firstly, there’s the reality that API keys are not securely designed — they were never meant to be used as the sole form of authentication, and as such, they aren’t really built for the task. These keys can often be easily stolen, leaked, or, in some cases (especially if generated incrementally), outright guessed. An API key is suitable for tracking usage but is poor for security.

There is also the additional reality that keys in their default state lack some critical functionality. There’s not a lot of verification built-in for identity management, and what does exist offers very little in the way of granular access control.

Ultimately, solely relying on API keys is a mistake common with novice developers but frighteningly common even in advanced products.

Best Practices
Instead of relying heavily on API keys as a sole mechanism, combine those keys with additional approaches such as OAuth 2.0 or mTLS. Implement rigorous expiration and rotation policies to ensure that keys which are made public are only useful for a short amount of time. Consider more advanced approaches, such as IP whitelisting or device fingerprinting, to add another layer of security atop the API key process."

https://nordicapis.com/9-signs-youre-doing-api-security-wrong/

#API #APIs #APISecurity #APIDesign #WebSecurity #CyberSecurity


"Now consider the chatbot therapist: what are its privacy safeguards? Well, the companies may make some promises about what they will and won't do with the transcripts of your AI sessions, but they are lying. Of course they're lying! AI companies lie about what their technology can do (of course). They lie about what their technologies will do. They lie about money. But most of all, they lie about data.

There is no subject on which AI companies have been more consistently, flagrantly, grotesquely dishonest than training data. When it comes to getting more data, AI companies will lie, cheat and steal in ways that would seem hacky if you wrote them into fiction, like they were pulp-novel dope fiends:
(...)
But it's not just people struggling with their mental health who shouldn't be sharing sensitive data with chatbots – it's everyone. All those business applications that AI companies are pushing, the kind where you entrust an AI with your firm's most commercially sensitive data? Are you crazy? These companies will not only leak that data, they'll sell it to your competition. Hell, Microsoft already does this with Office365 analytics:
(...)
These companies lie all the time about everything, but the thing they lie most about is how they handle sensitive data. It's wild that anyone has to be reminded of this. Letting AI companies handle your sensitive data is like turning arsonists loose in your library with a can of gasoline, a book of matches, and a pinky-promise that this time, they won't set anything on fire."

https://pluralistic.net/2025/04/01/doctor-robo-blabbermouth/#fool-me-once-etc-etc

#AI #GenerativeAI #LLMs #ChatBots #Privacy #DataProtection #AITraining #Therapy #BigTech

[–] remixtures@tldr.nettime.org 2 points 4 days ago

"Browsers keep track of the pages that a user has visited, and they use this information to style anchor elements on a page differently if a user has visited that link before. Most browsers give visited links a different color by default; some web developers rely on the :visited CSS selector to style visited links according to their own preferences.

It is well-known that styling visited links differently from unvisited links opens the door to side-channel attacks that leak the user’s browsing history. One notable attack used window.getComputedStyle and the methods that return a NodeList or HTMLCollection of anchor elements (e.g. document.querySelectorAll, document.getElementsByTagName, etc.) to inspect the styles of each link that was rendered on the page. Once attackers had the style of each link, it was possible to determine whether each link had been visited, leaking sensitive information that should have only been known to the user.

In 2010, browsers implemented a mitigation for this attack: (1) when sites queried link styling, the browser always returned the “unvisited” style, and (2) developers were now limited in what styles could be applied to links. However, these mitigations were complicated for both browsers to implement and web developers to adjust to, and there are proponents of removing these mitigations altogether."

https://github.com/explainers-by-googlers/Partitioning-visited-links-history


"It is now time to fix it for good. A new solution has been proposed: partitioning visited link history. This approach fundamentally changes how browsers store and expose visited link data. Instead of maintaining a global list, web browsers will store visited links with a triple-key partition:

  • Link URL. The destination of the visited link.
  • Top-Level Site. The domain of the main browsing context.
  • Frame Origin. The origin of the frame rendering the link.

A link is only styled as :visited if it was visited from the same top-level site and frame origin (...) This approach guarantees isolation and works well with the web's same-origin policy. The system records only navigations initiated by link clicks or scripts—excluding direct address bar entries or bookmark navigations.

Key benefits of this model include: strong protection against cross-site history leaks, solving many known side-channel attacks for good, support for meaningful styling within trusted, same-context domains, and conformance to established web privacy principles and data protection regulations.

This feature is already implemented in Chrome (v132, behind a #partition-visited-link-database-with-self-links flag). I am confident that in 2025 we are going to have this privacy headache solved once and for all."

https://blog.lukaszolejnik.com/fixing-web-browser-history-leaks/

#CyberSecurity #WebSecurity #Privacy #WebBrowser #WebBrowserHistory
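The triple-key partition described in the post, modelled as an added example that is not Chrome's implementation: the old global store answers "visited?" by URL alone, while the partitioned store only answers yes for the same (link URL, top-level site, frame origin) triple. The site and origin helpers are simplified assumptions (no Public Suffix List).

```javascript
// Added example (not Chrome's code): a model of the triple-keyed visited-link
// store from the post. The global store answers "visited?" by URL alone; the
// partitioned store keys each entry on (link URL, top-level site, frame origin),
// so a third-party frame cannot learn what the user visited from other sites.

// Top-level site: scheme + registrable domain. Real browsers use the Public
// Suffix List; this helper assumes a two-label eTLD+1 (example.com, not co.uk).
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split(".");
  return `${u.protocol}//${labels.slice(-2).join(".")}`;
}

// Origin: scheme + host + port, as in the same-origin policy.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Pre-partitioning behaviour: one global set of visited URLs.
class GlobalVisitedLinks {
  constructor() { this.visited = new Set(); }
  recordNavigation(linkUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl) { return this.visited.has(linkUrl); }
}

// Partitioned behaviour: an entry is stored under the triple key and is only
// reported as visited when the same triple is asked about.
class PartitionedVisitedLinks {
  constructor() { this.visited = new Set(); }

  static key(linkUrl, topLevelUrl, frameUrl) {
    return JSON.stringify([linkUrl, siteOf(topLevelUrl), originOf(frameUrl)]);
  }

  // Only link-click and script navigations are recorded; address-bar and
  // bookmark navigations are excluded, as the post describes. Returns whether
  // the navigation was recorded.
  recordNavigation(linkUrl, topLevelUrl, frameUrl, initiator) {
    if (initiator !== "link" && initiator !== "script") return false;
    this.visited.add(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl));
    return true;
  }

  isVisited(linkUrl, topLevelUrl, frameUrl) {
    return this.visited.has(PartitionedVisitedLinks.key(linkUrl, topLevelUrl, frameUrl));
  }
}
```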


"We don’t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn’t crazy to worry that the NSA might again start monitoring domestic communications.

Because of the Signal chat leak, it’s less likely that they’ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the US government lies in the fact that the US government shares their vulnerabilities. No one wants their secrets exposed.

I have long advocated for a "defense dominant" cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator—and now that they are being used for what the White House now calls "sensitive," if not outright classified conversations among cabinet members—we need them to be as secure as possible. And that means no government-mandated backdoors.

We may find out more about how officials—including the vice president of the United States—came to be using Signal on what seem to be consumer-grade smartphones, in an apparent breach of the laws on government records. It’s unlikely that they really thought through the consequences of their actions.

Nonetheless, those consequences are real. Other governments, possibly including US allies, will now have much more incentive to break Signal’s security than they did in the past, and more incentive to hack US government smartphones than they did before March 24.

For just the same reason, the US government has urgent incentives to protect them."

https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html

#USA #CyberSecurity #Signal #Encryption #Backdoors #Privacy #NSA #StateHacking

[–] remixtures@tldr.nettime.org 1 points 5 days ago (1 children)

@Alabaster_Mango@lemmy.ca OK, smart ass. Here's a little conversation I had with Gemini 2.5 LLM from Google about this topic. It's backed up with official sources: https://aistudio.google.com/app/prompts?state=%7B%22ids%22:%5B%221B0JecBTkQJ9wVjOnhM81piNPjrq3QbzU%22%5D,%22action%22:%22open%22,%22userId%22:%22113653798100742351191%22,%22resourceKeys%22:%7B%7D%7D&usp=sharing. Are you satisfied?


"Apple has been hit with a fine of €150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework.

The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25, 2023.

ATT, introduced by the iPhone maker with iOS 14.5, iPadOS 14.5, and tvOS 14.5, is a framework that requires mobile apps to seek users' explicit consent in order to access their device's unique advertising identifier (i.e., the Identifier for Advertisers or IDFA) and track them across apps and websites for purposes of targeted advertising.

"Unless you receive permission from the user to enable tracking, the device's advertising identifier value will be all zeros and you may not track them," Apple notes on its website. "While you can display the AppTrackingTransparency prompt whenever you choose, the device's advertising identifier value will only be returned once you present the prompt and the user grants permission."

App developers, besides requesting permission to track the users, are also required to state the purpose behind why such tracking is necessary in the first place."

https://thehackernews.com/2025/04/apple-fined-150-million-by-french.html

#EU #France #Apple #Antitrust #AppTrackingTransparency #Privacy #DataProtection #Competition

[–] remixtures@tldr.nettime.org 1 points 5 days ago (3 children)

@Alabaster_Mango@lemmy.ca I just quoted an article that was authored by Robert Delwood. I don't have to justify anything. I don't owe you a detailed empirical study of my position, sorry.

[–] remixtures@tldr.nettime.org 1 points 6 days ago (5 children)

@Alabaster_Mango@lemmy.ca In my country, Portugal, and in most countries of the world, artists can barely survive. Just look at job boards such as LinkedIn and compare the average remuneration offered to an artist - designer, musician, painter, video maker - to the average remuneration of a plumber. And also don't forget to compare the gross number of job ads.

[–] remixtures@tldr.nettime.org 1 points 6 days ago (7 children)

@Alabaster_Mango@lemmy.ca I think what the author wants to state - and I agree with - is that it's way more difficult to earn a living as an artist than as a craftsman. Unfortunately, that is a fact. It's extremely difficult to survive as an artist. And only the really talented ones can gather a high enough number of fans to sustain their work.

[–] remixtures@tldr.nettime.org 0 points 6 days ago (10 children)

@Umbrias@beehaw.org The number of people who gain a living as plumbers, electricians, carpenters, and locksmiths is way higher than the number of people who gain a living as artists. Unfortunately, that is the truth.

[–] remixtures@tldr.nettime.org 1 points 6 days ago (12 children)

@Umbrias@beehaw.org Although I don't believe people need "new" art, I agree that art can fulfill a "spiritual" hole in people's lives. But I don't think that's exactly the same...

[–] remixtures@tldr.nettime.org 2 points 2 weeks ago (1 children)

"It’s no coincidence that a majority of jurisdictionally aware US data preservation efforts are listing ProtonMail accounts as their contact info. Proton is a Swiss company offering services comparable to Gmail, Google Drive and Docs, as well as having an end-to-end encrypted platform, a password manager, backup storage, photos, and a VPN. Proton explains in a March 2023 blog post that Swiss law and encryption protects Proton’s users from abortion-related data requests, and details the difference between data requests they receive and those sent to Facebook and Google.

For people who prefer globally accurate maps free of Trump Sharpie defacements, and the Gulf of Mexico keeping its name, check out MagicEarth, TomTom AmiGO, HERE WeGo (all Netherlands-based) or OpenStreetMap (global contributors). Check out Vivaldi (Norway) for browsing, and Qwant (France) or Startpage (Netherlands) for a search engine. IONOS (Germany) is a Squarespace/Wix alternative, Pixelfed (Canada) can stand in for Instagram. StoryGraph (UK) for Goodreads. Affinity (UK/AU) or Canva (AU) can replace Adobe products, and Kobo (Canada/Japan) for an ebook reader.

Check out Plex or Jellyfin for music and video, Nextcloud for file storage and syncing, LibreOffice for an office suite, Affinity Suite to replace Adobe, SearXNG for search—all based outside the US. Codeberg (EU) is basically an open source, privacy-forward, community-run GitHub; one user has a handy Linux-Is-Best/Outside_Us_Jurisdiction listing for digital service providers. If you’re looking for a non-US Starlink alternative, Eutelsat may have you covered."

[–] remixtures@tldr.nettime.org 3 points 1 month ago

@joachim@drupal.community Just because Silicon Valley companies over-engineer their models, that doesn't mean it must be necessarily so... Look at DeepSeek: https://github.com/deepseek-ai/open-infra-index/blob/main/202502OpenSourceWeek/day_6_one_more_thing_deepseekV3R1_inference_system_overview.md

[–] remixtures@tldr.nettime.org 5 points 1 month ago* (last edited 1 month ago) (3 children)

@joachim: You have every right to not use LLMs. Personally, I find them a great help for improving my productivity. Every person has their own reasons for using or not using generative AI. Nevertheless, I'm afraid that this technology - like many other productivity-increasing technologies - will become a matter of fact in our daily lives. The issue here is how best to adapt it to our own advantage. Open-source LLMs should be preferred, of course. But I don't think that mere stubbornness is a very good strategy to deal with new technology.

"If we don’t use AI, we might be replaced by someone who will. What company would prefer a tech writer who fixes 5 bugs by hand to one who fixes 25 bugs using AI in the same timeframe, with a “good enough” quality level? We’ve already seen how DeepSeek AI, considered on par with ChatGPT’s quality, almost displaced more expensive models overnight due to the dramatically reduced cost. What company wouldn’t jump at this chance if the cost per doc bug could be reduced from $20 to $1 through AI? Doing tasks more manually might be a matter of intellectual pride, but we’ll be extinct unless we evolve."

https://idratherbewriting.com/blog/recursive-self-improvement-complex-tasks
