

Packets To The Party: How DeepSeek Funnels Data To Beijing -- (Opinion)
For American fund managers and Indian startups alike, using the chatbot could be tantamount to CC‑ing a rival on every brainstorming session
cross-posted from: https://lemmy.sdf.org/post/33122696
[...]
The first rupture appeared on January 29 when cloud security firm Wiz stumbled upon an exposed ClickHouse database tagged “ds‑log‑prod‑001”. Anyone with a browser could have accessed more than a million log lines: raw chat history, API keys, and even internal service tokens. Wiz engineers demonstrated that with two clicks they could seize “full database control”, inject malicious code and pivot into the rest of DeepSeek’s infrastructure.
A week later mobile forensics specialists at NowSecure published a parallel autopsy of the iOS build. Their findings read like a checklist of everything Apple’s security team tells developers not to do: hard‑coded encryption keys, deprecated 3DES ciphers and App Transport Security switched off globally, allowing chats to travel unencrypted. The company urged enterprises to ban the app outright. However, DeepSeek’s parentage turned out to be even more troubling.
Corporate r
Irish regulator set to fine TikTok €500m for EU data sent to China
cross-posted from: https://lemmy.sdf.org/post/32102322
TikTok owner ByteDance is set to be hit by a privacy fine of more than €500 million for illegally shipping European users’ data to China, adding to the growing global backlash over the video-sharing app.
Ireland’s data protection commission, the company’s main regulator in Europe, will issue the penalty against TikTok before the end of the month, according to people familiar with the matter.
The move comes after a lengthy investigation found the Chinese business fell foul of the European Union’s General Data Protection Regulation in sending the information to China to be accessed by engineers, added the people, who spoke under condition of anonymity.
[...]
As part of the decision from Ireland’s data protection commission, the regul
Apple Offers Apps With Ties to Chinese Military
Millions of Americans are inadvertently sending their internet traffic to Chinese companies—including several tied to the People’s Liberation Army.
cross-posted from: https://lemmy.sdf.org/post/31957116
Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.
TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company.” Qihoo did not respond to questions about its app-related holdings.
[...]
VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been u
Microsoft isn't fixing 8-year-old shortcut exploit abused for spying: 'Only' a local access bug but important part of North Korea, Russia, and China attack picture
cross-posted from: https://lemmy.sdf.org/post/31274457
An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.
The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.
Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands de
The advertising industry is immensely powerful, and disturbingly opaque.
cross-posted from: https://slrpnk.net/post/19675447
Here is an Invidious link for the video (the 'Lola' part starts at ~5 minutes)
To demonstrate this, Sadoun introduces the audience to “Lola,” a hypothetical young woman who represents the typical web user that Publicis now has data about. “At a base level, we know who she is, what she watches, what she reads, and who she lives with,” Sadoun says. “Through the power of connected identity, we also know who she follows on social media, what she buys online and offline, where she buys, when she buys, and more importantly, why she buys.”
It gets worse. “We know that Lola has two children and that her kids drink lots of premium fruit juice. We can see that the price of the SKU she buys h
Firefox may be incompatible with DFSG and probably other similar principles and TOS.
From the bug report:
The new Terms of Use, from what I can see, are in violation of the DFSG points 5 and 6:
Rationale:
The terms of use grant Mozilla the right to terminate anyone's access:
Mozilla can suspend or end anyone’s access to Firefox at any time for any reason
Rationale:
The terms of use don't allow you to use Firefox to break the law. While this seems a reasonable term, it wouldn't be so reasonable for a dissident in an oppressive country.
you agree that you will not use Firefox to [...] violate any applicable laws or regulations.
...
Apart from these violations of the DFSG, Firefox now has permission to leak user data to Mozilla, and who knows who else they decide to sell i
European Think Tank warns against weakening of digital encryption
cross-posted from: https://lemmy.sdf.org/post/30887912
Here is the report Security and Trust: An Unsolvable Digital Dilemma? (pdf)
Police authorities and governments are calling for digital backdoors for investigative purposes - and the EU Commission is listening. The Centre for European Policy (cep) warns against a weakening of digital encryption. The damage to cyber security, fundamental rights and trust in digital infrastructures would be enormous.
[...]
The debate has become explosive due to the current dispute between the USA and the UK. The British government is demanding that Apple provide a backdoor to the iCloud to allow investigating authorities access to encrypted data. Eckhardt sees parallels with the EU debate: "We must prevent the new security strategy from becoming a gateway for global surveillanc
Facebook was 'hand in glove' with China on potential ways of allowing Beijing to censor and control content in China, whistleblower says
Social media company considered letting Beijing control content for access to its lucrative market, BBC told.
cross-posted from: https://lemmy.sdf.org/post/30804814
A former senior Facebook executive has told the BBC how the social media giant worked "hand in glove" with the Chinese government on potential ways of allowing Beijing to censor and control content in China.
Sarah Wynn-Williams - a former global public policy director - says in return for gaining access to the Chinese market of hundreds of millions of users, Facebook's founder, Mark Zuckerberg, considered agreeing to hiding posts that were going viral, until they could be checked by the Chinese authorities.
Ms Williams - who makes the claims in a new book - has also filed a whistleblower complaint with the US markets regulator, the Securities and Exchange Commission (SEC), alleging Meta misled investors. The BBC has reviewed the complaint.
Facebook's parent company, Meta, says Ms Wynn-Williams had her employment terminated in 2017 "for poor performance".
It is "no secret we were once interested" in operating
Techlore video review of BusKill (Open-Source Dead Man Switch) 🔒
Techlore's Video review of the BusKill Laptop Kill Cord -- a Dead Man Switch to protect the privacy of your data from thieves
We're very happy to share Techlore's video review of the BusKill Kill Cord.
Can't see the video above? Watch it on PeerTube at neat.tube or on YouTube at youtu.be/Zns0xObbOPM
Disclaimer: We gave Techlore a free BusKill Kit for review; we did not pay them nor restrict their impartiality and freedom to publish an independent review. For more information, please see Techlore's Review Unit Protocols policy. We did require them to make the video open-source as a condition of receiving this free review unit. The above video is licensed CC BY-SA; you are free to
U.S. Federal Trade Commission urged to Investigate Google’s RTB data in first ever complaint under new national security data law…
cross-posted from: https://lemmy.sdf.org/post/30014783
Google sends enormous quantities of sensitive data about Americans to China and other foreign adversaries, according to evidence in a major complaint filed today at the FTC by Enforce and EPIC. This is the first ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act.
The complaint (open pdf) targets a major part of Google’s business: Google’s Real-Time Bidding (RTB) system dominates online advertising, and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue is RTB.
Today’s complaint reveals that Google has known for at least a decade that its RTB technology broadcasts sen
Civil organizations call on EU to strengthen cross-border enforcement of data protection rights
As EU negotiators continue trilogue discussions on the GDPR Procedural Regulation, civil society across Europe are raising the alarm.
cross-posted from: https://lemmy.sdf.org/post/30014356
The General Data Protection Regulation (GDPR) was designed to put people’s rights at the centre of the digital economy, ensuring strong safeguards against data exploitation and corporate or state overreach. However, nearly six years after its enforcement, the reality falls short of the promise. Large technology companies have repeatedly delayed and obstructed procedures, while inconsistencies between, and other practices of, Data Protection Authorities (DPAs) have left individuals without effective redress.
The GDPR Procedural Regulation offers a rare opportunity to fix systemic weaknesses by streamlining cross-border enforcement, reducing delays, and ensuring consistency in cross-border cases. If done right, it could restore trust in the GDPR and reaffirm the EU’s leadership in protecting fundamental rights in the digital age. But if weakened by loopholes and inefficiencies, it risks entrenching existing problems and sett
Apple has removed Advanced Data Protection (ADP) due to a request to backdoor their encryption. Apple has pulled the feature and no longer is offering ADP in the UK. I will discuss this attack on e...
Help people trying to circumvent censorship by running a Snowflake proxy!
cross-posted from: https://lemmy.dbzer0.com/post/36880616
Help Combat Internet Censorship by Running a Snowflake Proxy (Browser or Android)
Internet censorship remains a critical threat to free expression and access to information worldwide. In regions like Iran, Russia, and Belarus, journalists, activists, and ordinary citizens face severe restrictions when trying to communicate or access uncensored news. You can support their efforts by operating a Snowflake proxy—a simple, low-impact way to contribute to a freer internet. No technical expertise is required. Here’s how it works:
What Is Snowflake?
Snowflake is a privacy tool integrated with the Tor network. By running a Snowflake proxy, you temporarily route internet traffic for users in censored regions, allowing them to bypass government or institutional blocks. Unlike traditional Tor relays, Snowflake requires minimal bandwidth, no configuration, and no ongoing maintenance. Your device acts as a
BusKill (Dead Man Switch) Warrant Canary for 2025 H1
This post contains the cryptographically-signed BusKill warrant canary #007 for January 2025 to June 2025.
This post contains a canary message that's cryptographically signed by the official BusKill PGP release key
The BusKill project just published their Warrant Canary #009
For more information about BusKill canaries, see:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Status: All good
Release: 2025-01-14
Period: 2025-01-01 to 2025-06-01
Expiry: 2025-06-30

Statements
==========

The BusKill Team who have digitally signed this file [1] state the following:

1. The date of issue of this canary is January 14, 2025.
2. The current BusKill Signing Key (2020.07) is E0AF FF57 DC00 FBE0 5635 8761 4AE2 1E19 36CE 786A
3.
Cars collect a lot of our personal data, and car companies disclose a lot of that data to third parties. It’s often unclear what’s being collected, and what's being shared and with whom. A recent New York Times article highlighted how data is shared by G.M. with insurance companies, sometimes...
EU: Court of Justice of the European Union (CJEU) slams Austria's data protection authority, strengthens citizens' rights
The authority wanted to allow a maximum of two complaints per month per complainant. The CJEU has rejected this limit
cross-posted from: https://beehaw.org/post/17950455
In the judgment C-416/23, the Austrian Data Protection Authority (DSB) received a slap in the face from the CJEU. The authority has – arbitrarily – set the number of complaints that data subjects can file at a maximum of two per month, even if one is affected by GDPR violations almost daily. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the DSB. Unfortunately, Data Protection Authorities (DPAs) trying to get rid of complaints isn't just an Austrian problem. Our figures show an EU-wide problem with DPA inactivity.
new feature on my VOIP account settings: KYC!
cross-posted from: https://eviltoast.org/post/10253328
I could not place a call over VOIP, so I logged into my voip account on the website where my account is managed. Saw the usual tabs for checking my balance, call history, profile, etc. Plus a new tab “KYC”.
WTF people. KYC has turned my bank into a police station that pisses all over privacy. What’s going on here? Is it that no one resisted KYC in banking, so now they have decided to start deploying it in other areas?
Entering the KYC tab tells me:
“Your account is unverified. We need:
- selfie of you holding your ID card
- copy of your ID card
- utility bill or bank statement”
This is so fucked up. Have any other VOIP users noticed this?
It turns out I can still make calls -- it was just a temporary glitch. But I guess I should ditch this VOIP provider.
South Korea’s media regulator, the Korea Communications Commission (KCC), is preparing to investigate TikTok for potentially breaching the ...
[...]
The inquiry will focus on whether TikTok adequately informs users about its advertising policies and provides them with the opportunity to opt in rather than opt out.
[...]
Concerns have been raised that TikTok, owned by the Chinese company ByteDance, does not fully disclose the details of its terms of service and privacy policy at the time users sign up. Under South Korean law, digital platforms are required to give users the freedom to decide if they wish to receive marketing communications, ensuring that consent is obtained clearly and transparently prior to any such communications being sent.
[...]
The [South Korean media regulator Korea Communications Commission] KCC's probe into TikTok comes amidst a broader global conversation about the responsibilities of social media platforms in protecti
bank’s possible sneaky way of collecting my voice
I call my credit card supplier to make a payment over the phone. This is because other payment methods are a shitshow¹. The robot says it will record my voice and use it for verification purposes. I’m not okay with that so I press buttons until a human comes on. I order the payment to draw from a checking acct. Then the operator transferred me to a bot that said “state your name to confirm this payment”. Now what? I was trapped.
I wonder if this is something I should be giving a shit about. My data is routinely exfiltrated by criminals. I’m not sure if voice prints are being stolen in that way or how they might be used. Perhaps voice print is even more secure for the consumer. If the voiceprint cannot be used to create a voice, only to verify it, then a voice print may even be less useful for criminals than security questions. Any thoughts on this?
¹ (billpay is outsourced likely to a privacy abuser; will not do autopay because I want control [the purpose of privacy]; mailing a paper c