Security

deforestgump , in This iOS Trojan Is Harvesting Facial-Recognition Data

Is this how we get Face/Off 2?

tyler , in This iOS Trojan Is Harvesting Facial-Recognition Data

An Android version was also uncovered with even more capabilities. However, the malware isn’t circulating on official app stores. Nor does it exploit any iOS vulnerabilities. Instead, the creators of the malware have been tricking victims into installing the malicious app and then granting all the necessary configurations, including powerful device permissions via Apple's TestFlight or Mobile Device Management profile system.

So… not malware or a Trojan. Just a regular app that people are being tricked into installing, then tricked into setting up MDM…

I thought for sure this was going to be a security flaw. Turns out the security is fine.

HenchmanNumber3 , in If the Internet were to be redesigned, what would you change to improve security?

Top down design of protocols by a security- and privacy-conscious organization rather than leaving security to corporations as a side item or PR campaign topic when their primary focuses are marketing, advertising, data collection, and intellectual property.

Godort , (edited) in If the Internet were to be redesigned, what would you change to improve security?

Stop using email as a trusted authentication source.

This is a case where using it was super convenient because you could have a personal identifier, an easy way to contact the user, and be reasonably sure that password resets would only reach the intended user all in one convenient plaintext string.

However, it's also a single point of failure, and if a malicious actor can get access to your email account, they can get access to most of your other accounts that use that same address.

Edit: MFA being available in more places has reduced the risk of this happening, assuming that you use it and it's also deployed correctly, i.e., it can't be reset from the same email address that your password resets go to.

knfrmity , in If the Internet were to be redesigned, what would you change to improve security?

Design the internet around principles of communication between people, based on choices everyone makes and can understand the implications of.

Given that the internet was meant and is designed as a means to surveil, sell, and act as a private means of production, there is no way to fix it without completely dismantling it and starting fresh.

TakiMinase , in If the Internet were to be redesigned, what would you change to improve security?

Fully open architecture so every point can be audited by every connection.

doublejay1999 , in Things that have been happening to me too often lately

Websites have no interest in banning VPNs and excluding visitors. The fact is that they are a conduit for spam, bots and more rarely hacking and so hosts will protect themselves. Self defence.

tux0r OP ,

How does it defend a website to deny reading access to static content?

Rossphorus ,

Topical answer: Bots going around scraping content to feed into some LLM dataset without consent. If the website is anything like Reddit they'll be trying to monetise bot access to their content without affecting regular users.

tux0r OP ,

It should be easy to distinguish a bot from a real user though, shouldn't it?

Rossphorus ,

Unfortunately not. The major difference between an honest bot and a regular user is a single text string (the user agent). There's no reason that bots have to be honest though and anyone can modify their user agent. You can go further and use something like Selenium to make your bot appear even more like a regular user including random human-like mouse movements. There are also a plethora of tools to fool captchas now too. It's getting harder by the day to differentiate.

damnthefilibuster ,

Nope. It gets difficult every single day. Used to be easy - just check the user agent string. Real users will have a long one that talks about what browser they’re using. Bots won’t have it or will have one that mentions the underlying scraping library they’re using.

But then bot makers wised up. Now they just copy the latest browser agent string.

Used to be that you could use mouse cursor movement to create heat maps and figure out if it’s a real user. Then some smart Alec went and created a basic script to copy his cursor movement and broke that.

Oh, and then someone created a machine learning model to learn that behavior too and broke that even more.
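The user-agent check and its limits that the two replies above describe, as an added example (not code from this thread): a UA heuristic run over a constructed log sample, next to a per-client request-rate check, which is what still catches a scraper once it has copied a browser's user agent string. The function names, thresholds and the log sample are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): an honest scraper, a scraper that
# copies a browser user agent, and a person who reads three pages in a minute.
BROWSER_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")

def _line(ip, sec, path, ua):
    return (f'{ip} - - [01/Mar/2024:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE_LOG = (
    [_line("10.0.0.5", s, f"/post/{s}", "python-requests/2.31.0") for s in range(2)]
    + [_line("10.0.0.9", s // 10, f"/post/{s}", BROWSER_UA) for s in range(40)]
    + [_line("10.0.0.20", s * 20, f"/post/{s}", BROWSER_UA) for s in range(3)]
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "([^"]*)"$')
BOT_UA_HINTS = ("python-requests", "curl/", "wget/", "scrapy", "go-http-client")

def parse_line(line):
    """Split a combined-log line into (client ip, timestamp, user agent)."""
    ip, ts, ua = LOG_RE.match(line).groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ua

def ua_looks_like_bot(ua):
    """The 'single text string' check: it only catches clients that are honest."""
    return any(hint in ua.lower() for hint in BOT_UA_HINTS)

def classify(lines, window_seconds=10, max_requests=20):
    """Return {ip: verdict}. 'bot-ua' needs an honest UA; 'rate' flags any
    client sending more than max_requests within window_seconds, which still
    works after the UA has been copied from a browser."""
    by_ip = defaultdict(list)
    for line in lines:
        ip, when, ua = parse_line(line)
        by_ip[ip].append((when, ua))
    verdict = {}
    for ip, hits in by_ip.items():
        if any(ua_looks_like_bot(ua) for _, ua in hits):
            verdict[ip] = "bot-ua"
            continue
        times = sorted(t for t, _ in hits)
        burst = any((times[i + max_requests] - times[i]).total_seconds() <= window_seconds
                    for i in range(len(times) - max_requests))
        verdict[ip] = "rate" if burst else "ok"
    return verdict
```

The spoofed scraper (10.0.0.9) passes the UA check and is flagged only by the rate check, while the real visitor (10.0.0.20) passes both.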

tux0r OP ,

Good point, thank you. Uh... beep!

fraksken , in Security List

Lists Brave as a privacy respecting browser?

LemmyHead , in Security List

Didn't know this one

MushuChupacabra , in Vehicle thefts - Insecure vehicles should be banned, not security tools like the Flipper Zero

What was the car wearing when it was stolen?

billbasher ,

Spoiler alert. Wide body with tiny trim

Tak ,

Did it have a spoiler or not?

ma11en ,

!Yes!<

DarkSpoon , in Vehicle thefts - Insecure vehicles should be banned, not security tools like the Flipper Zero

That would mean banning all vehicles because none of them are secure.

PowerCrazy ,

Seems like a good compromise to me.

TropicalDingdong , in Vehicle thefts - Insecure vehicles should be banned, not security tools like the Flipper Zero

Maybe we just not ban anything and accept a little crime.

We can then instead focus on relieving the fundamental imbalances in society that result in people needing to commit crime in pursuit of a better life.

Society can have a little crime, as a treat.

chicken ,

Having your car broken into or stolen because it has a lock that is useless would suck. This seems like one of those times a basic consumer protection regulation would make the most sense.

PowerCrazy ,

Do you think that the lock on your car is why it hasn't been stolen? Perhaps you aren't storing it correctly? Maybe we should mandate that all cars must be stored in a garage, out of public sight.

chicken ,
  1. Models of cars that are easy to hotwire, for example, get stolen at a higher rate.

  2. 'Having a garage' is up to the consumer and often impractical and/or expensive. That's pretty different in various ways from a company having to follow some standards for implementing encryption.

ikidd , in Vehicle thefts - Insecure vehicles should be banned, not security tools like the Flipper Zero

You aren't going to defeat the stupidity of politicians that have no clue what they're legislating about.

Nachorella , in How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin

Is it too late to make advertising illegal?

ShimmeringKoi ,

Uphold Bill Hicks Thought

RGB3x3 , in How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin

John Oliver did this with a Senator. Can't remember who, but he purchased ad space in the Washington area and ran certain ads like those for male enhancement pills (don't quote me on that, it was something like it), and tracked down the dude's internet activity just by purchasing it from ad clicks.

The amount of information that could be gathered is disgusting.

SinningStromgald ,