Privatnost i sigurnost podataka i korisnika

[Night]

Citiraj:

Autor Ivo_Strojnica

što meni znači OpenWRT, što mi znači firewall, što mi išta znači, ako procesor sam u sebi vrti cijelu komunikaciju i zaobilazi sve ruleove koje sam ja složija u firewallu?
Što meni znači da sam ugasio mobitel, spremio ga u ladicu, kad se taj mobitel ide spojiti na internet i raditi što mu je zapisano tamo gdje ja ne mogu pristupiti?
Što ako qualcomm procesor u mobitelu priča sa qualcomm procesorom u mom routeru i time se zaobilazi cijela security infrastruktura?

Malo je tu previše toga "što ako". Ti imaš neke konkretne dokaze da recimo moj Mikrotik router priča sa servisima s kojima ne bih htio da priča? Možeš li me uputiti kako da postavim Wireshark da uhvatim dump toga prometa pa da vidim detaljnije što se događa?
Da se razumijemo, ima dosta uređaja koji komuniciraju sa bazom na nepoželjne načine, pogotovo kineski brendovi, Matt Brown ( https://www.youtube.com/@mattbrwn/videos ) ima dosta videa gdje radi analizu takvih uređaja, firmware dump, traffic monitoring, itd.
Ali opet reći da je svaki uređaj backdooran i da ne možeš ništa napraviti po tom pitanju mi je malo prenategnuto.

[mkey]

Meni je jako zanimljivo ovo s ugašenim pixelom koji se spaja na net. Bilo bi zanimljivo vidjeti i promet. To je očito dodatni hardware koji služi (samo) pozadinskoj komunikaciji. Meni se prvi put pred ohoho godina dogodilo da jedan ugašeni preklopni SE počne zvoniti zbog podešenog alarma. Ostao sam paf. Kada sam izvadio bateriju prestao je, da nije tek bi onda to bilo zanimljivo U današnje vrijeme sam siguran da mogu unutra ubaciti i neki kondenzator koji jedno vrijeme može napajati backdoor pristup.

[Ivo_Strojnica]

naravno da nemam dokaza da je svaki backdooran, ne smatram sebe nekim stručnjakom oko cybersecurity, ali sudeći po ponašanju USA, očito je dosta toga sumnjivo, dovoljno da mi se digne obrva.

[The Exiled]

IMHO uopće nije sporno da je sva moguća tehnika na ovaj ili onaj način (1 - 2 - 3 - 4 - 5 - 6), posložena da se kad za to dođe vrijeme što lakše skrši tko god je s druge strane, a tak jasno u tome bez pardona sudjeluju svi veći igrači geopolitičke scene. Tim više, jer se iluzija američke "domaće proizvodnje" odavno urušila, do te mjere da se oni sad s novom državnom garniturom čude kako to da se npr. jedan popularan ajUređaj kojeg koriste ama baš svi radi "sigurnosti i zakrpa" ne proizvodi ni blizu američke obale, dok su sastavni dijelovi uredno dopremljeni iz svih mogućih kuteva svijeta koji se rimuju s Azijom ili Kinom. I onda za dobru mjeru, nakon skoro dva desetljeća korištenja društvenih mreža i smartphone uređaja za podjelu najmanjih detalja iz privatnog života, krajnji korisnici uvijek i jako glasno traže svoju privatnost, a opet im nije problem dati sve što Temu od njih traži, jer "nemaju ništa za skrivati", a i uštedili su dosta na plastičnim čang-šlang glupostima koje su naručili i nikad izvadili iz pakiranja, jer se paket izgubil na relaciji Zagreb Branimirova - Marina Držića.

[medo]

Citiraj:

Autor mkey

Meni je jako zanimljivo ovo s ugašenim pixelom koji se spaja na net. Bilo bi zanimljivo vidjeti i promet. To je očito dodatni hardware koji služi (samo) pozadinskoj komunikaciji.

Bilo bi jako zanimljivo kada taj promet ne bi bio enkriptiran

Može ali i ne mora biti da mobitel špijunira. Možda šalje svoju lokaciju. To bi možda bilo korisno u slučaju da je ukraden a lopov niti ne zna da se on javlja gdje je.

Ali da je uznemirujuće svakako je bar za bilo koga tko drži do sigurnosti više nego do privatnosti. Tko zna što sve sluša na mikrofuni, mreži i koji su sve neotkriveni backdoorovi u hardwareu.

[kopija]

https://blog.google/products/android...ft-protection/
znači odma izvadit karticu/bateriju da vam se vlasnik nebi na vratima pojavio, vrlo neugodna situacija izbjegnuta time
a i ko što slučaj josipe rimac pokazuje, izvadit bateriju i kad se sastajete s nekim od članova zločinačke organizacije

[Night]

Citiraj:

Autor kopija

https://blog.google/products/android...ft-protection/
znači odma izvadit karticu/bateriju da vam se vlasnik nebi na vratima pojavio, vrlo neugodna situacija izbjegnuta time
a i ko što slučaj josipe rimac pokazuje, izvadit bateriju i kad se sastajete s nekim od članova zločinačke organizacije

A znamo i da limene kutije od keksa nisu samo dobre za šivaći pribor nego lijepo posluže i kao Faradayev kavez

[medo]

Ali slabo izolira zvuk

[Colop]

Citiraj:

Autor kopija

https://blog.google/products/android...ft-protection/
znači odma izvadit karticu/bateriju da vam se vlasnik nebi na vratima pojavio, vrlo neugodna situacija izbjegnuta time
a i ko što slučaj josipe rimac pokazuje, izvadit bateriju i kad se sastajete s nekim od članova zločinačke organizacije

Sreća je pala jer je previše pričala u autu, tj audio dokazi su je uništili. Imala je bubu u autu. Poruke su bile dodatni bonus.

Citiraj:

Autor medo

Ali slabo izolira zvuk

Imaju na amazonu mini faradeyv kaze vreće, ubijaju signal mreže, wifi signal, gps.
I bolje su zvučno izolirane

[tomek@vz]

Citiraj:

Backdoors are typically designed to bypass traditional authentication methods and provide unauthorized remote access to vulnerable network appliances or endpoint devices. The most effective backdoors remain invisible to both end users and system administrators, making them especially attractive to threat actors engaged in covert cyber-espionage campaigns.
Analysts at GreyNoise have uncovered a mysterious backdoor-based campaign affecting more than 9,000 Asus routers. The unknown cybercriminals are exploiting security vulnerabilities – some of which have already been patched – while others have never been assigned proper tracking entries in the CVE database. The story is full of "unknowns," as the attackers have yet to take visible action with the sizeable botnet they have built.

> Techspot

[medo]

Proslijedio kumu. On ima Asusa. Mislim da je iza CGNATa ali bumo vidli

[Libertus]

Imam ja isto, ali nisam shvatio kako ispraviti ili zaštititi router.

[kopija]

Citiraj:

Autor Libertus

Imam ja isto, ali nisam shvatio kako ispraviti ili zaštititi router.

Zajebano je, al da se fixat, osobito ako su izdali fw update za tvoj ruter.

[Libertus]

Nemam web access nikada uključen pa se nadam da je to jedan od ograničavajućih faktora ovdje. Imam Merlin FW, uvijek zadnju verziju.

Koliko sam shvatio, factory reset rješava sve probleme ukoliko je netko primijetio da je jedan od ov8h probijenih.

[tomek@vz]

Citiraj:

Autor Libertus

Koliko sam shvatio, factory reset rješava sve probleme ukoliko je netko primijetio da je jedan od ov8h probijenih.

Naravno. Osim ako ti se par sati/dana nakon reseta opet govno ne uvuče unutra...

[Neo-ST]

Jesam ja siguran?

[tomek@vz]

Citiraj:

Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU).
Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.
"These race conditions allow a local attacker to exploit a SUID program and gain read access to the resulting core dump," Saeed Abbasi, manager of product at Qualys TRU, said.
A brief description of the two flaws is below -

• CVE-2025-5054 (CVSS score: 4.7) - A race condition in Canonical apport package up to and including 2.32.0 that allows a local attacker to leak sensitive information via PID-reuse by leveraging namespaces
• CVE-2025-4598 (CVSS score: 4.7) - A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process

> HackerNews

[medo]

Rekla-kazala ali potakne na razmišljanje:

https://youtu.be/_c8UrgGG3NA

[tomek@vz]

Nadam se da iz ovog izađe nešto dobro....

Citiraj:

Apple's end-to-end iCloud encryption product ("Advanced Data Protection") was famously removed in the U.K. after a government order demanded backdoors for accessing user data.

So now a Google software engineer wants to build an open source version of Advanced Data Protection for everyone. "We need to take action now to protect users..." they write (as long-time Slashdot reader WaywardGeek). "The whole world would be able to use it for free, protecting backups, passwords, message history, and more, if we can get existing applications to talk to the new data protection service." "I helped build Google's Advanced Data Protection (Google Cloud Key VaultService) in 2018, and Google is way ahead of Apple in this area. I know exactly how to build it and can have it done in spare time in a few weeks, at least server-side... This would be a distributed trust based system, so I need folks willing to run the protection service. I'll run mine on a Raspberry PI...

The scheme splits a secret among N protection servers, and when it is time to recover the secret, which is basically an encryption key, they must be able to get key shares from T of the original N servers. This uses a distributed oblivious pseudo random function algorithm, which is very simple.

In plain English, it provides nation-state resistance to secret back doors, and eliminates secret mass surveillance, at least when it comes to data backed up to the cloud... The UK and similarly confused governments will need to negotiate with operators in multiple countries to get access to any given users's keys. There are cases where rational folks would agree to hand over that data, and I hope we can end the encryption wars and develop sane policies that protect user data while offering a compromise where lives can be saved.
"I've got the algorithms and server-side covered," according to their original submission. "However, I need help." Specifically...

• Running protection servers. "This is a T-of-N scheme, where users will need say 9 of 15 nodes to be available to recover their backups."
• Android client app. "And preferably tight integration with the platform as an alternate backup service."
• An iOS client app. (With the same tight integration with the platform as an alternate backup service.)
• Authentication. "Users should register and login before they can use any of their limited guesses to their phone-unlock secret."

"Are you up for this challenge? Are you ready to plunge into this with me?"


In the comments he says anyone interested can ask to join the "OpenADP" project on GitHub — which is promising "Open source Advanced Data Protection for everyone."

[medo]

https://youtu.be/lb1BbT5fpwA

[tomek@vz]

Kad me pitaju zašto imam sve lokalno

Citiraj:

OneDrive is one of the most popular cloud storage services in the market, largely because Microsoft aggressively promotes it to Windows users. However, security researchers warn that OneDrive's File Picker feature may expose users and organizations to serious data risks by granting full read access to unauthorized parties.
Microsoft is being extremely careless with security boundaries in OneDrive. A recent Oasis Security analysis revealed that OneDrive's File Picker tool can grant websites, apps, and outside users full read-only access to all content stored on the service. This glaring flaw puts both individual users and corporations at risk, prompting Oasis to recommend a thorough audit of all previously granted permissions.

> Techspot

[Libertus]

Imam sve u lokalnom cloudu.

[Night]

Citiraj:

Autor medo

Rekla-kazala ali potakne na razmišljanje:

https://youtu.be/_c8UrgGG3NA

Mislim da je Rob tu u pravu, ne samo što se tiče iPhonea nego i svih tih ostalih "AI asistenata." Oni se mogu dobro iskoristiti za skupljanje podataka prije enkripcije, a pošto vidimo da se ta trgovina podacima otela kontroli sigurno nema sumnje da će se koristiti i za takvo nešto.

[tomek@vz]

Citiraj:

An anonymous reader quotes a report from 404 Media: Apple provided governments around the world with data related to thousands of push notifications sent to its devices, which can identify a target's specific device or in some cases include unencrypted content like the actual text displayed in the notification, according to data published by Apple. In one case, that Apple did not ultimately provide data for, Israel demanded data related to nearly 700 push notifications as part of a single request. The data for the first time puts a concrete figure on how many requests governments around the world are making, and sometimes receiving, for push notification data from Apple.

The practice first came to light in 2023 when Senator Ron Wyden sent a letter to the U.S. Department of Justice revealing the practice, which also applied to Google. As the letter said, "the data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered. In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification." The published data relates to blocks of six month periods, starting in July 2022 to June 2024. Andre Meister from German media outlet Netzpolitik posted a link to the transparency data to Mastodon on Tuesday. Along with the data Apple published the following description: "Push Token requests are based on an Apple Push Notification service token identifier. When users allow a currently installed application to receive notifications, a push token is generated and registered to that developer and device. Push Token requests generally seek identifying details of the Apple Account associated with the device's push token, such as name, physical address and email address."

P.S.- ovo je samo blaži primjer kako Apple ne mari za privatnost svojih korisnika.

[tomek@vz]

Citiraj:

For years, the privacy of Android users browsing the web has been quietly compromised by a sophisticated tracking method employed by two of the world's largest tech companies: Meta and Yandex. According to recent research, both companies have exploited legitimate browser-to-app communication protocols to covertly link anonymous web activity with the identities of users logged into native apps like Facebook, Instagram, and various Yandex services on Android devices.
The research, extensively analyzed by Ars Technica, focuses on the widespread use of analytics scripts such as Meta Pixel and Yandex Metrica. These tools are embedded across millions of websites, ostensibly to help advertisers track campaign performance. However, behind the scenes, they enable a process that circumvents the privacy protections built into Android and major web browsers.

> Techspot

[Night]

Citiraj:

Autor tomek@vz

P.S.- ovo je samo blaži primjer kako Apple ne mari za privatnost svojih korisnika.

Appleu nije cilj dati korisnicima privatnost nego im je cilj imati monopol na te podatke. Zato se trude onemogućiti drugima prikupljanje korisničkih podataka, što predstavljaju kao brigu za privatnost, a zapravo u svrhu da ih samo oni mogu prikupljati, prodavati i raspolagati njima. Apple je što se tiče privatnosti lošiji izbor od Androida sa alternativnim ROMom.
I usput je američka firma, što znači da su obvezni dati troslovnim agencijama što god zatraže od njih.

[medo]

Čini mi se da je veći problem u korisnicima mobilnih uređaja koji pristaju koristiti te servise pa onda svi moraju.

Koji je najbolji kandidat mobitela za instalirati GrapheneOS?

[Night]

Citiraj:

Autor medo

Čini mi se da je veći problem u korisnicima mobilnih uređaja koji pristaju koristiti te servise pa onda svi moraju.

Koji je najbolji kandidat mobitela za instalirati GrapheneOS?

Vrtim ga na Pixel 8 i Pixel 8 Pro i radi super. Mislim da ide na bilo koji Pixel.

[strikoo]

Citiraj:

We strongly recommend only purchasing one of the following devices for GrapheneOS due to better security and a long minimum support guarantee from launch for full security updates and other improvements:

Pixel 9a — minimum 7 years support and hardware memory tagging support
Pixel 9 Pro Fold — minimum 7 years support and hardware memory tagging support
Pixel 9 Pro XL — minimum 7 years support and hardware memory tagging support
Pixel 9 Pro — minimum 7 years support and hardware memory tagging support
Pixel 9 — minimum 7 years support and hardware memory tagging support
Pixel 8a — minimum 7 years support and hardware memory tagging support
Pixel 8 Pro — minimum 7 years support and hardware memory tagging support
Pixel 8 — minimum 7 years support and hardware memory tagging support
Pixel Fold
Pixel Tablet
Pixel 7a
Pixel 7 Pro
Pixel 7

[mkey]

Citiraj:

Autor medo

Koji je najbolji kandidat mobitela za instalirati GrapheneOS?

Pixeli općenito. Mislim da ništa drugo praktično nije niti podržano.



... hebiga, nisam vidio strikoov komentar