Raisin8659

joined 1 year ago
 

Flute: Emmanuel Pahud Cello: Jonathan Manson Harpsichord: Trevor Pinnock

Whole piece: https://youtu.be/svPTIHjdPcE

 

Summary

The FBI has requested a significant budget increase for 2024, specifically for its DNA database known as CODIS. This request, totaling $53 million, is in response to a 2020 rule that requires the Department of Homeland Security to collect DNA from individuals in immigration detention. CODIS currently holds genetic information from over 21 million people, with 92,000 new DNA samples added monthly. This increase in funding demonstrates the government's commitment to collecting over 750,000 new samples annually from immigrant detainees, raising concerns about civil liberties, government surveillance, and the weaponization of biometrics.

Since the Supreme Court's Maryland v. King decision in 2013, states have expanded DNA collection to cover more offenses, even those unrelated to DNA evidence. The federal government's push to collect DNA from all immigrant detainees represents a drastic effort to accumulate genetic information, despite evidence disproving a link between crime and immigration status.

Studies suggest that increasing DNA database profiles does not significantly improve crime-solving rates, with the number of crime-scene samples being more relevant. Additionally, inclusion in a DNA database increases the risk of innocent individuals being implicated in crimes.

This expanded DNA collection worsens racial disparities in the criminal justice system, as it disproportionately affects communities of color. Black and Latino men are already overrepresented in DNA databases, and adding nearly a million new profiles of immigrant detainees, mostly people of color, will further skew the existing 21 million profiles in CODIS.

The government's increased capacity for collecting and storing invasive data poses a risk to all individuals. With the potential for greater sample volume and broader collection methods, society is moving closer to a future of mass biometric surveillance where everyone's privacy is at risk.

 

Summary

GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.

 

Summary

Attackers can use automated email rules to evade detection after compromising an email account. They can use these rules to steal information, hide emails, and impersonate others.

Some of the ways attackers use email rules include:

  • Forwarding emails containing sensitive keywords to an external address

  • Hiding specific inbound emails by moving them to rarely used folders, marking them as read, or deleting them

  • Creating email forwarding rules to monitor the activities of a victim and collect intelligence on the victim or the victim’s organization to use as part of further exploits or operations

  • Setting up rules that delete all inbound emails from a certain colleague, such as the Chief Finance Officer (CFO), so they can impersonate the CFO and send fake emails to convince colleagues to transfer company funds

Defenses that don't work on their own include:

  • Changing the victim's password

  • Turning on multifactor authentication

  • Imposing other strict conditional access policies

  • Rebuilding the victim's computer

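The patterns in the list above, turned into a check a defender can run over exported mailbox rules. This is an added example, not code from the original post or from any vendor tool: the rule fields are a simplified, constructed stand-in for what Exchange's Get-InboxRule or the Graph messageRules API return, and the tenant domain, VIP addresses, keyword list and sample rules are assumptions chosen for illustration.

```python
"""Flag inbox rules that match the abuse patterns above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}                      # assumed tenant domain
SENSITIVE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password"}
# Folders nobody opens, which is why hidden mail gets parked there
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "conversation history", "junk email", "deleted items"}
EXEC_SENDERS = {"cfo@example.com", "ceo@example.com"}   # assumed VIP senders


@dataclass
class InboxRule:
    """Constructed, simplified view of one mailbox rule (field names are assumptions)."""
    name: str
    forward_to: list[str] = field(default_factory=list)
    from_addresses: list[str] = field(default_factory=list)
    subject_contains: list[str] = field(default_factory=list)
    body_contains: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete: bool = False
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyze_rule(rule: InboxRule) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []

    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))

    keywords = {k.lower() for k in rule.subject_contains + rule.body_contains}
    if rule.forward_to and keywords & SENSITIVE_KEYWORDS:
        findings.append("forwards mail matching sensitive keywords: "
                        + ", ".join(sorted(keywords & SENSITIVE_KEYWORDS)))

    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail into rarely used folder '{rule.move_to_folder}'")

    if rule.mark_as_read and (rule.move_to_folder or rule.delete):
        findings.append("marks hidden mail as read so no unread count gives it away")

    execs = [a for a in rule.from_addresses if a.lower() in EXEC_SENDERS]
    if rule.delete and execs:
        findings.append("deletes mail from " + ", ".join(execs)
                        + ": the victim stops seeing the real sender, enabling impersonation")

    # Blank or punctuation-only names ("." or ",") are a pattern often reported in BEC cases
    if re.fullmatch(r"[\s.,;:_\-]*", rule.name):
        findings.append(f"rule name {rule.name!r} is blank or punctuation only")

    return findings


def scan_rules(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := analyze_rule(r))}


# Constructed sample: two abusive rules and one benign one
SAMPLE_RULES = [
    InboxRule(name=".", forward_to=["collector@mail-relay.example.net"],
              subject_contains=["Invoice", "Wire"]),
    InboxRule(name="cleanup", from_addresses=["cfo@example.com"],
              delete=True, mark_as_read=True),
    InboxRule(name="newsletters", from_addresses=["news@example.com"],
              move_to_folder="Newsletters"),
]

if __name__ == "__main__":
    for name, findings in scan_rules(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}")
        for line in findings:
            print("    -", line)
```

The list of defenses that don't work on their own is the reason a check like this is worth running: rules are mailbox-side state, so they survive a password reset, MFA enrolment and a rebuilt endpoint and have to be found and removed explicitly.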
 

Summary

The Electronic Frontier Foundation (EFF) has released a new version of Privacy Badger that updates how it fights "link tracking" across a number of Google products. With this update, Privacy Badger removes tracking from links in Google Docs, Gmail, Google Maps, and Google Images results. Privacy Badger now also removes tracking from links added after scrolling through Google Search results.

Link tracking is a technique that allows a company to follow you whenever you click on a link to leave its website. Google uses different techniques for link tracking in different browsers and products. One common approach is to surreptitiously redirect the outgoing request through the tracker's own servers.

The EFF says that there is virtually no benefit to you when this happens, and that the added complexity mostly just helps Google learn more about your browsing.

The new version of Privacy Badger works by blocking all Google link tracking requests at the network layer. This is a more reliable way to prevent tracking, but it is not compatible with Google's Manifest V3 (MV3) extension API.

The EFF says that it would like to see this important functionality gap resolved before MV3 becomes mandatory for all extensions.

Privacy Badger is a free and open-source browser extension that helps to protect your privacy online. It is available for Chrome, Firefox, and Edge.

More info and installation links: https://privacybadger.org/

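A way to see the redirect technique the post describes: peeling the tracking wrapper off a link to recover the real destination. This is an added example, not Privacy Badger's code. It handles the /url?q= wrapper form Google uses in Docs and Gmail and the /url?url= form seen in Search results; the hop limit, the scheme check and every sample link below are constructed assumptions.

```python
"""Unwrap link-tracking redirects of the kind described above (added example)."""
from urllib.parse import parse_qs, urlparse

# Redirector hosts and the query parameters that carry the destination:
# q= is the form seen in Docs and Gmail, url= the one seen in Search results.
REDIRECT_HOSTS = {"www.google.com", "google.com"}
DEST_PARAMS = ("q", "url")


def unwrap(link: str, max_hops: int = 5) -> tuple[str, int]:
    """Return (destination, hops), where hops is the number of wrappers removed."""
    hops = 0
    while hops < max_hops:
        parts = urlparse(link)
        if parts.netloc.lower() not in REDIRECT_HOSTS or parts.path != "/url":
            break
        query = parse_qs(parts.query)           # parse_qs percent-decodes the values
        dest = next((query[p][0] for p in DEST_PARAMS if query.get(p)), None)
        if dest is None or urlparse(dest).scheme not in ("http", "https"):
            break                               # malformed or non-web target: leave it alone
        link, hops = dest, hops + 1             # loop again in case the target is itself wrapped
    return link, hops


def report(links: list[str]) -> dict[str, int]:
    """Count how many of the given links were wrapped by a tracking redirect."""
    tracked = sum(1 for link in links if unwrap(link)[1] > 0)
    return {"total": len(links), "tracked": tracked, "clean": len(links) - tracked}


SAMPLE_LINKS = [  # constructed examples of the wrapper shapes, not captured from Google
    "https://www.google.com/url?q=https://example.org/report.pdf&sa=D&source=docs&ust=1700000000&usg=AOvVaw0abcdef",
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fexample.org%2F&ved=2ahUKEw0abc&usg=AOvVaw1xyz",
    "https://www.google.com/url?q=https%3A%2F%2Fwww.google.com%2Furl%3Fq%3Dhttps%3A%2F%2Fexample.org%2Fnested",
    "https://example.org/plain",
    "https://www.google.com/url?q=javascript:alert(1)",   # wrapper around a non-web target
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        dest, hops = unwrap(link)
        print(f"{hops} wrapper(s): {link}\n   -> {dest}")
    print(report(SAMPLE_LINKS))
```

Rewriting hrefs in the page like this is one approach; the post notes that the new Privacy Badger instead blocks the redirect requests at the network layer, which is the capability it says the MV3 extension API does not provide.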
 

Summary

The UK Parliament has passed the Online Safety Bill (OSB), claiming it will enhance online safety but actually leading to increased censorship and surveillance. The bill grants the government the authority to compel tech companies to scan all user data, including encrypted messages, to detect child abuse content, effectively creating a backdoor. This jeopardizes privacy and security for everyone. The bill also mandates the removal of content deemed inappropriate for children, potentially resulting in politicized censorship decisions. Age-verification systems may infringe on anonymity and free speech. The implications of how these powers will be used are a cause for concern, with the possibility that encrypted services may withdraw from the UK if their users' security is compromised.

 

Summary

addy.io has passed an independent security audit conducted by Securitum. The audit included a web application penetration test and a source code audit. No significant vulnerabilities were identified during testing, and the 2 low-risk issues that were found have been fixed.

Full report: https://addy.io/addy-io-security-audit.pdf

 

Comment

For personal use, watch out if you use Google Authenticator with the sync-to-cloud feature. If your Google account is compromised, e.g. you get phished:

  • Your 2FA for other accounts might be compromised as well.

  • If you use the Gmail address for other accounts' password recovery, the passwords for those accounts may be reset/compromised too, regardless of how complex the passwords are.

Question

For personal use, because "Google Prompt" on an Android device is automatically the default 2FA for a Google account, can you delete this default 2FA method and just enable a FIDO2 key on the Google account?

Summary

Google's Authenticator app, designed for generating Multi-Factor Authentication (MFA) codes, was criticized by a security company called Retool for exacerbating a recent internal network breach. The breach occurred when an employee received a deceptive text message, leading them to share their login credentials, including a Temporary One-Time Password (TOTP), with the attackers. The situation escalated due to Google's Authenticator sync feature introduced in April, which allowed the attackers to compromise multiple company accounts once they gained access to the employee's Google account.

This synchronization feature stored MFA codes in the cloud, making them vulnerable if the Google account was compromised. Retool argued that Google employed unclear settings for disabling this feature, making it challenging for users and administrators to prevent. As a result, the attackers exploited this vulnerability to gain access to various accounts, including VPNs and internal systems, enabling them to take over specific customer accounts in the cryptocurrency industry.

Retool's security shortcomings were also highlighted, as they relied on TOTPs, which can be phished with relative ease, instead of adopting more secure industry-standard MFA solutions like FIDO2. While Google defended its syncing feature, emphasizing its benefits for user convenience, they acknowledged the preference for local storage of OTPs in enterprise environments.

There’s a good argument to be made that Retool used the Google Authenticator issue to deflect attention away from Retool’s culpability in the compromise.

In conclusion, the incident underscores the importance of adopting FIDO2-compliant MFA for robust security, while Google's Authenticator app is seen as a middle-ground option that may be inadequate for enterprises where security is paramount.

 

Summary

Israeli software maker Insanet has developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz's clients. This is the first time details of Insanet and its surveillanceware have been made public. Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices. Insanet received approval from Israel's Defense Ministry to sell Sherlock globally as a military product albeit under various tight restrictions, such as only selling to Western nations.

To market its snoopware, Insanet reportedly teamed up with Candiru, an Israel-based spyware maker that has been sanctioned in the US, to offer Sherlock along with Candiru's spyware.

The Electronic Frontier Foundation's Director of Activism Jason Kelley said Insanet's use of advertising technology to infect devices and spy on clients' targets makes it especially worrisome.

There are some measures netizens can take to protect themselves from Sherlock and other data-harvesting technologies.

  • not loading JavaScript
  • using ad blockers or privacy-aware browsers
  • not clicking on advertisements
  • pass consumer data privacy laws
 
 

Comment

Don't forget to update ALL web browsers on ALL platforms, plus at least Electron apps.

Summary

The article discusses the security of Electron-based desktop applications and highlights several key points:

Introduction to Electron: Electron is a popular cross-platform desktop application development framework that uses web technologies like HTML, CSS, and JavaScript. It enables developers to create desktop applications for various operating systems based on web versions.

Advantages of Electron: Electron is favored by developers for its ability to streamline the development process for desktop apps across multiple operating systems. It also offers features for packaging, diagnostics, app store publication, and automatic updates.

Issues with Electron-Based Apps: Electron-based applications are known for being resource-intensive and having large file sizes. Additionally, they incorporate a Chromium web browser instance, making them potential targets for cybercriminals. Frequent vulnerabilities in Chromium can pose security risks, and Electron apps may not always receive timely updates.

Lack of Control: Users often have limited control over the Chromium instances within Electron apps, as updates depend on the app's vendor. This lack of control can lead to unpatched vulnerabilities and security concerns.

Common Electron-Based Applications: The article lists popular applications that are based on Electron, including 1Password, Agora Flat, Asana, Discord, Figma, GitHub Desktop, Hyper, Loom, Microsoft Teams, Notion, Obsidian, Polyplane, Postman, Signal, Skype, Slack, Splice, Tidal, Trello, Twitch, Visual Studio Code, WhatsApp, and WordPress Desktop.

Security Recommendations: To mitigate security risks associated with Electron-based apps, the article suggests the following measures:

  1. Reduce the number of Electron-based apps in use, as these apps typically have feature-rich web versions that may suffice.

  2. Maintain an inventory of Electron-based apps used within an organization and prioritize their updates, especially for collaboration tools.

  3. Employ a reliable security solution to protect against attacks targeting known vulnerabilities.

In summary, while Electron-based desktop applications offer cross-platform convenience for developers, they come with security challenges due to their Chromium integration and update dependencies. Users are advised to be cautious, minimize their use of such apps, and prioritize security measures to mitigate potential risks.

Electron app list, although apparently not including some apps: https://www.electronjs.org/apps

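Recommendation 2 calls for an inventory of Electron apps and their patch state. One way to build it, as an added example that is not from the article or from the Electron project, is to read the Chromium and Electron versions that Electron compiles into its user-agent string inside each app binary. The "Chrome/<version>" and "Electron/<version>" markers are Electron's own convention; the minimum acceptable Chromium major, the chunk size and the constructed sample "binary" are assumptions.

```python
"""Inventory Electron apps by the Chromium build they embed (added example)."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Electron builds its user-agent as "... Chrome/<chromium> Electron/<electron> ...";
# the version literals survive in the app binary. Matching them separately
# tolerates differences in how a given build lays the string out.
CHROME_RE = re.compile(rb"Chrome/(\d+\.\d+\.\d+\.\d+)")
ELECTRON_RE = re.compile(rb"Electron/(\d+\.\d+\.\d+)")

MIN_CHROMIUM_MAJOR = 116   # assumed policy threshold, not a value from the article


@dataclass
class ElectronApp:
    path: str
    electron: str
    chromium: str

    @property
    def chromium_major(self) -> int:
        return int(self.chromium.split(".", 1)[0])

    @property
    def outdated(self) -> bool:
        return self.chromium_major < MIN_CHROMIUM_MAJOR


def versions_from_bytes(data: bytes) -> tuple[str, str] | None:
    """Return (electron, chromium) when both markers are present, else None."""
    e, c = ELECTRON_RE.search(data), CHROME_RE.search(data)
    return (e.group(1).decode(), c.group(1).decode()) if e and c else None


def versions_from_file(path: Path, chunk: int = 1 << 20) -> tuple[str, str] | None:
    """Stream a large binary through a sliding window instead of reading it whole."""
    electron = chromium = None
    tail = b""
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            window = tail + block
            if electron is None and (m := ELECTRON_RE.search(window)):
                electron = m.group(1).decode()
            if chromium is None and (m := CHROME_RE.search(window)):
                chromium = m.group(1).decode()
            if electron and chromium:
                return electron, chromium
            tail = block[-64:]   # overlap so a marker split across chunks is still matched
    return None


def inventory(binaries: list[Path]) -> list[ElectronApp]:
    """Keep only the binaries that carry Electron markers; the rest are not Electron apps."""
    found = []
    for p in binaries:
        if versions := versions_from_file(p):
            found.append(ElectronApp(str(p), *versions))
    return found


def constructed_sample_binary() -> Path:
    """Write a fake app 'binary' to a temp file: padding around a constructed UA fragment."""
    ua = b"Chrome/108.0.5359.215 Electron/22.3.27 Safari/537.36"
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(b"\x00" * 4096 + ua + b"\x00" * 4096)
        return Path(tmp.name)


if __name__ == "__main__":
    for app in inventory([constructed_sample_binary()]):
        state = "OUTDATED" if app.outdated else "ok"
        print(f"{app.path}: Electron {app.electron}, Chromium {app.chromium} [{state}]")
```

Point it at the main executable on Windows and Linux, or at the Electron Framework binary inside the app bundle on macOS; comparing the embedded Chromium major against the current stable Chrome release is what tells you which vendors are lagging.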
[–] Raisin8659@monyet.cc 2 points 1 year ago (1 children)

a person of interest

Thanks for the reminder.

article:

journalists, opposition politicians, and activists

wikipedia: pretty much anybody of interest to the people with the ability to acquire the service

journalists, lawyers, political dissidents, and human rights activists

scholars, bureaucrats (India)

politicians: head of state (Iraq), mayors (Israel), associates (Israel), politicians (Israel), son of prime minister (Israel), presidential candidate and associates (Mexico), prime minister (Morocco), King (Morocco)

government employees (Israel), government officials (Israel), ex government officials (Israel), military officials (Morocco)

employees of government-owned companies (Israel),

suspects (Israel), drug cartels (Mexico), criminal (Netherlands)

civil society members

heads of corporations (Israel)

Panama: foreign spying, including for spying on political opponents, magistrates, union leaders, and business competitors, with Martinelli allegedly going so far as to order the surveillance of his mistress using Pegasus.[5]

[–] Raisin8659@monyet.cc 2 points 1 year ago

Excellent! Thank you for sharing. 👍

[–] Raisin8659@monyet.cc 12 points 1 year ago

Thx. You don't seem to be the only one.

In July 2022, Charlie Osborne of ZDNet suggested that individuals who suspect a Pegasus infection use a secondary device with GrapheneOS for secure communication.

https://www.zdnet.com/article/how-to-find-and-remove-spyware-from-your-phone/

[–] Raisin8659@monyet.cc 13 points 1 year ago (7 children)

Well, that's most terrifying. Can you do anything about it except not using smartphones?

 

Summary

  • The article discusses the concept of information overload and how it can lead to analysis paralysis.

  • The author argues that randomness can be a helpful tool for overcoming choice overload.

  • The author cites a study that found that people who were given a random decision prompt were more likely to be satisfied with their decision than those who were not given a prompt.

  • The author concludes by saying that while randomness is not a perfect solution, it can be a helpful tool for making decisions when we are feeling overwhelmed by choice.

Key Points

  • Choice overload occurs when we are presented with too many options, which can make it difficult to choose one.

  • This can lead to analysis paralysis, which is the inability to make a decision because we are too busy considering all of the options.

  • Randomness can help us to overcome choice overload by forcing us to make a decision without overthinking it.

  • This can be done by flipping a coin, rolling a die, or using another randomizing device.

  • While randomness is not a perfect solution, it can be a helpful tool for making decisions when we are feeling overwhelmed by choice.

[–] Raisin8659@monyet.cc 6 points 1 year ago

Yeah, no Google either. I heard Apple is currently spending over a million dollars a day on AI training. Soon, you'll have something beyond Siri.

[–] Raisin8659@monyet.cc 7 points 1 year ago

I wonder if, for Meta, being open-sourced wouldn't fit the company with the rest. Also, for now, it looks like a publicity stunt with no real teeth. Those more substantial AI companies may be holding out for more favorable treatment.

[–] Raisin8659@monyet.cc 6 points 1 year ago* (last edited 1 year ago) (2 children)

I personally think you have to be careful. If they don't like your application and find that you are not disclosing the information, it might become a justification to reject the application. Remember that there are 3rd parties that massively correlate internet data that is sold to governments and corporations. Unless your accounts definitely cannot be linked to your real identity, there is a chance that they will find out what social accounts you have anyway.

[–] Raisin8659@monyet.cc 2 points 1 year ago (1 children)

No, unfortunately, I haven't. Maybe sometime....

[–] Raisin8659@monyet.cc 26 points 1 year ago

Opting out is likely impossible for people living outside the GDPR area right now.

[–] Raisin8659@monyet.cc 2 points 1 year ago* (last edited 1 year ago)

You are right. The EMUI outside of China is still based on Android with its own eco-system, although the other EMUI is also based on HarmonyOS, which may or may not be compatible with Android, especially in the future. It seems the phone has disappeared from some international markets altogether, whether the countries are friendly to China or not, probably because consumers are worried that their phones wouldn't be supported by critical apps.

[–] Raisin8659@monyet.cc 9 points 1 year ago (2 children)

Well, you squeeze them, and they squeeze you back. Typical. Like, the US is not expecting that.

Besides the chips, there is still the OS. It'll take a while yet, if ever, for Huawei phones to gain traction again outside of China. What would you buy: Qualcomm/MediaTek/Huawei(SMIC) chip? What would you buy: Android/Huawei OS?
