
wdormann

@wdormann@infosec.exchange

I play with vulnerabilities and exploits.
This account mostly exists for testing.
https://twitter.com/wdormann
Once Twitter implodes, you might find me here, on BlueSky as @wdormann.bsky.social or maybe outside somewhere.


bontchev , to random

This article is absolute nonsense:

"Google: Stop Burning Counterterrorism Operations":

https://poppopret.org/2024/06/24/google-stop-burning-counterterrorism-operations/

My arguments:

  • The job of the security researchers is to find security flaws, attackers exploiting them, etc.

  • The job of the spies is to spy.

  • The job of those doing counter-terrorism is to fight terrorists.

Do your job and stop complaining about the other people who are doing their job.

wdormann ,

@bontchev
It also conveys: "I'm definitely the only person in the universe who knows about this bug now, and until the end of time."


wdormann , to random

This Microsoft Recall thing...

While it does actually omit things that it knows are sensitive (e.g. incognito mode in recognized browsers) from the screenshots it saves, things that it does not know about are all fair game.

DuckDuckGo browser? Never heard of it. Let's hoover up all the data we can get.
Signal? 🤷‍♂️ I'll just default to saving everything I see there.
You get the picture...

wdormann OP ,

Chrome-based browser windows in incognito (or whatever they call it) mode are actually omitted from the saved screenshots. Which is sort of neat.

However, Windows is apparently unaware that Firefox Private Browsing is a thing. So all that stuff gets saved.

Microsoft Recall saves Firefox Private Browsing data.

wdormann OP ,

@erickolb
Anything you do in a non-incognito (or other recognized equivalent) is fair game.
If you see something on the screen, Recall sees and indexes it.

wdormann OP ,

@erickolb
TBH, I'm not sure what it takes for an app to be excluded from Recall snapshots.
Specifically if it's something the app needs to do explicitly, or if it's up to Microsoft to provide a list of things not to capture.
For example, the KeePassXC app isn't included, but the 1password session in a browser is.


wdormann OP ,

@erickolb
I mean, it's better than nothing.
But at the same time, the 1password stand-alone app is NOT exempt from Recall indexing.
Is this 1password's fault for not exempting itself from Recall, or is this Microsoft's fault for not recognizing that 1password should be exempt?


wdormann OP ,

@erickolb
You can manually exclude apps and websites.
But both of these lists are empty, at least from the GUI perspective.
So how Recall knows to ignore the KeePassXC app, but doesn't know to ignore 1password is beyond me...

wdormann , to random

Just a backdoor in XZ.
Nothing important.
https://www.openwall.com/lists/oss-security/2024/03/29/4

wdormann OP ,

Interesting how this backdoor can lead to an sshd compromise.

"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."

wdormann OP ,

Presumably somebody is going back through all of this actor's commits back to 2021 to check for shenanigans?
On the other hand, that seems like a lot of work.
It's probably all good. 😬

wdormann OP ,

More about this actor:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
"libarchive should also be considered compromised until proven otherwise."

Good times...

wdormann , to random

So yes, Facebook intercepting Snapchat messages is completely inexcusable.
But at the same time, Snapchat explicitly designed their app to allow message text to be intercepted. (Pictures are end-to-end encrypted)
What was the rationale for this decision, I wonder?

wdormann OP ,

Though as I look closer, it appears that Snapchat has been doing cert pinning since 2015 at the latest.
So, if Facebook was intercepting Snapchat traffic in 2016... what exactly were they successfully seeing?
https://github.com/magicguru/SnapchatCertPinning
