Privatnost i sigurnost podataka i korisnika

[tomek@vz]

Citiraj:

Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack.
Software supply chain security company ReversingLabs said it found the "vulnerability" in bootstrap files provided by a build and deployment automation tool named "zc.buildout."
"The scripts automate the process of downloading, building, and installing the required libraries and tools," security researcher Vladimir Pezo said. "Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org – a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue."
The PyPI packages that include a bootstrap script that accesses the domain in question include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.a

> Legacy Python Bootstrap Scripts Create Domain-Takeover Risk in Multiple PyPI Packages

Citiraj:

Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.
"When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization," Ontinue security researcher Rhys Downing said in a report.
"These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured."
The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don't use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026.

> MS Teams Guest Access Can Remove Defender Protection When Users Join External Tenants

Citiraj:

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now.
The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at "login.microsoftonline[.]com" by only letting scripts from trusted Microsoft domains run.
"This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience," the Windows maker said.
Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source. The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected.
The change, which has been described as a proactive measure, is part of Microsoft's Secure Future Initiative (SFI) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites. It's expected to be rolled out globally starting mid-to-late October 2026.

> Microsoft to Block Unauthorized Scripts in Entra ID Logins with 2026 CSP Update

[tomek@vz]

Citiraj:

Earlier this week, the developer of SmartTube, the most popular alternative YouTube app for Android TV and Fire TV devices, announced that his app’s digital signature had been exposed. A new version of the app using a new digital signature has since been released. While everyone is encouraged to switch to the new app, SmartTube’s developer has shared more information with me about what happened that may make you want to take additional precautions if you’ve installed or updated the app recently.
SmartTube’s developer told me that the computer used to create the APKs for the project’s official GitHub page was compromised by malware. As a result, some official SmartTube releases were unintentionally released with malware. It’s unclear which version was first affected, but the compromise seems to have first occurred earlier this month. SmartTube versions 30.43 and 30.47 from APKMirror are both being flagged as infected by malware scanners.
It is likely the presence of this malware that caused Google and Amazon to forcibly uninstall SmartTube on some devices, not the exposed digital signature as first suspected. SmartTube’s developer says the compromised machine has been wiped and is confident that both the new SmartTube releases and the machine that created them are malware-free.

> SmartTube’s official APK was compromised with malware — What you should do if you use it


---


I malo smijeha za ponedjeljak

Citiraj:

Let me introduce you to my most novel and oldest technique to verify if sites behind CDN are hosted in Inside Iran or not. Works most of the time. I call it the BOOBS CHECK.

Code:

curl -i https://domain/boobs.jpg

If your response is a 403 with 10.10.34.x IP in body, you're landing inside IR. Result of basic censorship filtering applied on traffic.

> x.com

[mkey]

Nije dobro https://forum.pcekspert.com/boobs.jpg

[Neo-ST]

Ne pripada ovdje ali ne znam gdje drugo stavit ?

[tomek@vz]

Citiraj:

Autor Neo-ST

Ne pripada ovdje ali ne znam gdje drugo stavit ?

Jos jedan cavao u platformu. Iskreno - vec par mjeseci sam na detoksikaciji od dnevnog konzumiranja Youtube sadrzaja i mogu samo reci kad se hoce - moze se. Google pokusava Youtube monetizirati na svakom milimetru cak i kad to ide naustrb korisnikove komocije. I da shvacam da je Google zapravo danas AI i ADs firma al heboga sta je previse - previse je. 1-2 reklama u pola sata gledanja Youtube sadrzaja bi bile ok al ovo je previse.


Apropos Google:

Citiraj:

Google's latest Android enterprise update adds RCS Archival, a tool that lets organizations intercept, archive, and retain messages sent through Google Messages on work-managed Pixel phones. The feature is designed for compliance and legal discovery, but it also reshapes expectations for privacy in encrypted workplace texting.
Rich Communication Services is Google's modernization of SMS and MMS for Android. It offers read receipts, typing indicators, and end-to-end encryption, positioning it as a secure replacement for the older texting standards.
While that encryption protects messages in transit, it does not secure them once they arrive. Until now, this limitation had little practical impact. Older enterprise tools relied on carriers that could not access the encrypted content, making archiving difficult. Google's RCS update changes that.

The update applies only to work-managed devices and does not affect personal phones. Still, it highlights a growing source of confusion among users regarding the limits of end-to-end encryption.

> Android's latest enterprise update shows encrypted work texts aren't as private as they look

[tomek@vz]

Citiraj:

The European Parliament and Council have agreed on a set of significant changes to how online payments and payment services must operate. The new measures aim to strengthen user protection against both fraud and hidden fees associated with online transactions – and that's only the beginning.
European authorities have completed the negotiation phase for the Payment Services Regulation and the Third Payment Services Directive, two new regulatory frameworks designed to improve user protection and transparency in online payments. The rules aim to harmonize and modernize how payment service providers operate across the European Union, covering payment services offered by banks, post-office giro systems, and other financial institutions.

> EU strikes deal on new payment rules that force providers to refund fraud losses and reveal hidden fees


Ovo je OK.

[nepalac]

Citiraj:

Autor tomek@vz

1-2 reklama u pola sata gledanja Youtube sadrzaja bi bile ok al ovo je previse.

Nisi čuo za ublock ili revanced?
Ne znam zašto bi pogledao i jednu reklamu...

Btw, uskoro i kod nas:
https://www.index.hr/mobile/vijesti/...jesti_ostalo_m

[tomek@vz]

Citiraj:

Autor nepalac

Nisi čuo za ublock ili revanced?
Ne znam zašto bi pogledao i jednu reklamu...

Btw, uskoro i kod nas:
https://www.index.hr/mobile/vijesti/...jesti_ostalo_m

Lako za smartphone i dekstop (firefox+ublock origin) ali svim tim revanced/smarttube aplikacijama vjerujem ko gladnom lavu kad kaze da me nece pojest:

https://forum.pcekspert.com/showpost...&postcount=932

Jednog dana se svi oni usmrde.A s druge strane trebaju se i nekako financirati jel? E pa - da se financiraju kroz 1-2 reklame na pol sata onda bih osobno iskljucio adblocker na youtube jer sam svjestan da se ne zivi od zraka.

[Neo-ST]

Revanced koristim godinama, nikad problema. Open source je, imaš ga na githubu pa baci oko.

[Neo-ST]

Announcing Session Protocol v2.

Re-implementing Perfect Forward Secrecy (PFS), adopting Post-Quantum Cryptography (PQC), and more secure device management.

[tomek@vz]

Citiraj:

Autor Neo-ST

Revanced koristim godinama, nikad problema. Open source je, imaš ga na githubu pa baci oko.

Koristio sam jedno vrijeme ali mi je FF+Ublock dovoljan i dugorocno vidim kao sigurniju opciju. Problem sa svim tim "sa strane" alatima je da nikad neznas kad se bas ovakvo sranje moze dogoditi. Smarttube sam imao na jednom od Android boxeva par puta instaliran, zadnji puta pred cca mjesec dana i imao sam dojam da se zadnji puta cijeli uredaj nekako usporio - deinstalacija nije pomogla. Factory reset > opet sve normalno radi, nisam vise smarttube instalrao. A gore imam samo Zattoo, Wiim i VLC. Tak da pretpostavljam da sam sa smarttube usro motku. Zato sam nepovjerljiv prema takvim alatima.

[mkey]

Ako želiš biti siguran, instaliraš smarttube. Ako se problem s performansama ponovi, onda znaš šta je. Ako se ne ponovi, onda ne znaš šta je.

[tomek@vz]

Citiraj:

The rise of remote work introduced a degree of ambiguity to employees' locations during conference calls on apps such as Zoom and Microsoft Teams. An upcoming update for Teams threatens to eliminate any doubt by automatically informing employers when workers connect to office Wi-Fi.
A Microsoft Teams update planned for January 2026 will automatically update users' locations to indicate which building they are located in. Although the feature will likely facilitate office coordination, it could also help bosses enforce stricter surveillance.
According to Microsoft 365 Roadmap ID 488800, the update will be generally available on the Windows and macOS versions of Teams next month. Automatic location updates will be turned off by default, with Tenant administrators deciding whether to enable it and require other users to participate. The feature informs administrators as soon as an employee connects to Wi-Fi in one of the company's buildings.

> Microsoft Teams may soon tell your boss when you enter or leave the office. New location detection feature is sparking worries about employee surveillance

[domy_os]

Već dugo oni to planiraju čim aplikacija uporno traži location permission iako sam isključio location sharing.

[tomek@vz]

Citiraj:

Microsoft has silently "mitigated" a high-severity Windows LNK vulnerability exploited by multiple state-backed and cybercrime hacking groups in zero-day attacks. Tracked as CVE-2025-9491, this security flaw allows attackers to hide malicious commands within Windows LNK files, which can be used to deploy malware and gain persistence on compromised devices. However, the attacks require user interaction to succeed, as they involve tricking potential victims into opening malicious Windows Shell Link (.lnk) files. Thus some element of social engineering, and user technically naive and gullibility such as thinking Windows is secure is required. [...]

As Trend Micro threat analysts discovered in March 2025, the CVE-2025-9491 was already being widely exploited by 11 state-sponsored groups and cybercrime gangs, including Evil Corp, Bitter, APT37, APT43 (also known as Kimsuky), Mustang Panda, SideWinder, RedHotel, Konni, and others. Microsoft told BleepingComputer in March that it would "consider addressing" this zero-day flaw, even though it didn't "meet the bar for immediate servicing." ACROS Security CEO and 0patch co-founder Mitja Kolsek found, Microsoft has silently changed LNK files in the November updates in an apparent effort to mitigate the CVE-2025-9491 flaw. After installing last month's updates, users can now see all characters in the Target field when opening the Properties of LNK files, not just the first 260. As the movie the Ninth Gate stated: "silentium est aurum"

Citiraj:

Cybersecurity researchers have uncovered a sophisticated malware campaign that infected millions of computers via browser extensions on the Chrome Web Store and Microsoft Edge add-ons website. The extensions used to be legitimate apps but were updated with malicious code last year.
According to researchers at cybersecurity firm Koi, a China-based hacking syndicate known as ShadyPanda is actively conducting at least two malware campaigns by weaponizing browser extensions with malicious code.

> Popular Chrome and Edge extensions go rogue, infecting over 4 million devices with spyware

[tomek@vz]

Citiraj:

The Irish Council for Civil Liberties (ICCL) has announced it filed a complaint against Microsoft, accusing the global tech giant of unlawfully processing data on behalf of the Israeli military and facilitating the killings of Palestinian civilians in Gaza. In the complaint, the council asked the Data Protection Commission -- the European Union's lead data regulator for the company -- to "urgently investigate" Microsoft Ireland's processing.

"Microsoft's technology has put millions of Palestinians in danger. These are not abstract data-protection failures -- they are violations that have enabled real-world violence," Joe O'Brien, ICCL's executive director, said in a statement. "When EU infrastructure is used to enable surveillance and targeting, the Irish Data Protection Commission must step in -- and it must use its full powers to hold Microsoft to account."

After months of complaints from rights groups and Microsoft whistleblowers, the company said in September it cancelled some services to the Israeli military over concerns that it was violating Microsoft's terms of service by using cloud computing software to spy on millions of Palestinians.

[mkey]

Prokleti kineski hakeri. A ovo Evil Corp, da li je to google?

[Bono]

Zeznuti su ti SMS-ovi, ChatGPT korisnici uzivajte...

Citiraj:

We were notified by Mixpanel, an external data analytics service provider, that there had been a breach of part of their systems following an SMS-based phishing attack against their employees. Mixpanel has confirmed that during this incident, datasets were exported from some customer projects, including ours.

Citiraj:

The incident occurred within Mixpanel’s systems and involved limited analytics data related to some users of the API. Users of ChatGPT and other products were not impacted.

This was not a breach of OpenAI’s systems. No chat, API requests, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised or exposed.

What happened

On November 9, 2025, Mixpanel became aware of an attacker that gained unauthorized access to part of their systems and exported a dataset containing limited customer identifiable information and analytics information. Mixpanel notified OpenAI that they were investigating, and on November 25, 2025, they shared the affected dataset with us.

What this means for impacted users

User profile information associated with the use of platform.openai.com⁠(opens in a new window) may have been included in data exported from Mixpanel. The information that may have been affected was limited to:

Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on API user browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account

https://openai.com/index/mixpanel-incident/

[tomek@vz]

Citiraj:

Two Virginia brothers Muneeb and Sohaib Akhter, previously convicted of hacking the U.S. State Department, were rehired as federal contractors and are now charged with conspiring to steal sensitive data and destroy government databases after being fired. "Following the termination of their employment, the brothers allegedly sought to harm the company and its U.S. government customers by accessing computers without authorization, issuing commands to prevent others from modifying the databases before deletion, deleting databases, stealing information, and destroying evidence of their unlawful activities," the Justice Department said in a Wednesday press release. BleepingComputer reports:

Citiraj: