I love computers, cats and candy, in no specific order.
Blog: https://mbhtech.blogspot.com/?hl=en
Twitter: https://twitter.com/mbhbox

“If you see this video, we have been intercepted and kidnapped in international waters.”

“This seizure blatantly violates international law and defies the ICJ’s binding orders requiring unimpeded humanitarian access to Gaza. These volunteers are not subject to Israeli jurisdiction and cannot be criminalised for delivering aid or challenging an illegal blockade – their detention is arbitrary, unlawful, and must end immediately.”

https://www.theguardian.com/world/2025/jun/09/gaza-aid-boat-madleen-israel-greta-thunberg-freedom-flotilla-coalition

"Implement least privilege. When in doubt, default deny."

Aspiring CISO, writing: Got it, allow nothing.

"Implement least trust. In fact, zero trust."

Aspiring CISO: Got it, trust nothing.

"And whatever you do, don't be the department of no"

Aspiring CISO: ...Back up a bit.

(Update: clarifying this was a specific case, not general case... although, lots of cameras wandering around everywhere nowadays)

"Food Delivery Robots Are Feeding Camera Footage to the LAPD, Internal Emails Show"
(9/28/2023)

https://www.404media.co/serve-food-delivery-robots-are-feeding-camera-footage-to-the-lapd-internal-emails-show/

#bigbrother #privacy #surveillance

Serve Robotics, which delivers food for Uber Eats, provided footage filmed by at least one of its robots to the LAPD as evidence in a criminal case. The emails show the robots, which are a constant sight in the city, can be used for surveillance.

404 Media

A friend was going to buy the ReMarkable e-Ink tablet but then backed down last minute.

What he got was something even better: Boox colored e-Ink tablet: https://shop.boox.com/products/tabultrac
The quality and feel of the writing is fantastic & you're enslaved to a yearly subscription like the ReMarkable.

https://mastodon.social/@arstechnica/113317236184313793

China targeted and might have held for months access to the infrastructure used to do wiretaps on the AT&T and Verizon networks.

This is a huge "told you so" moment for the cryptographic community that has been saying that such infrastructure does present a huge risk to national security. China reportedly used this capability for intelligence collection, obviously without a warrant ...

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b?st=C5ywbp&reflink=desktopwebshare_permalink

A Chinese rocket narrowly missed a landing on Sunday—the video is amazing

Deep Blue Aerospace is just one of several Chinese companies working on vertical landing.

https://arstechnica.com/space/2024/09/a-chinese-rocket-narrowly-missed-a-landing-on-sunday-the-video-is-amazing/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Australia's biggest radiology clinic I-MED has handed over private medical scans from potentially 100,000s of Australians to buzzy tech startup Harrison.ai to train their AI — and patients had no idea.

Neither company responded to questions about it.

https://www.crikey.com.au/2024/09/19/patient-scan-data-train-artificial-intelligence-consent/

Australia’s biggest medical imaging lab is training AI on its scan data. Patients have no idea

Australia's biggest radiology chain I-MED let start-up Harrison.ai use its patient scans to train AI. There's no public information showing patients consented.

Crikey

Update: I found a workaround to not use Windows Hello.

On my Android phone, I opened Chrome & logged in to my account. I immediately discovered a horrible security risk: Chrome asked me which account I wanted to log in to, and I selected one of the ones already logged into Gmail on the phone.

The risk? Google suggests that I can log in using a Passkey on the phone using fingerprint, facial identification, or using the phone's screen lock code!

This allows anyone with access to the phone to also have full access to the Google accounts on the phone. No more requirement for the 2FA YubiKeys like before!

If someone had access to my lock screen code in the past, they could only access my email logged into Gmail. No access to any of the settings of the Google account itself.

It's now a lot riskier than in the past, as it provides full access to the account! No need for your YubiKeys anymore.

Continuing with this horror show of security:
I plug my new YubiKey into my PC and make sure to name the key with a unique name & disable FIDO2. Save the settings on the key. This disables Passkeys, as I don't want to save any identity data on the key itself and only want to use it as a 2FA device.

I go back to Chrome on Android, go to my account settings and then security settings. I click to add a Passkey then "Save Another Way" -> "Another Device"

Note: if you make the mistake here of choosing one of your Google accounts, it'll save the Passkey to your Google Password Manager & sync it! If you're paranoid like me & want to keep things offline, click very carefully on "Another device"

Plug in the YubiKey, then touch it. It's now enrolled as a 2FA device without saving your account data on it.

What worries me is that now my phone is considered an active Passkey and I need to poke around to remove it later.

Final thoughts: I think this overall implementation puts users at a higher risk rather than actually improving security and privacy.

Google is giving excessive access to our accounts using fewer security controls...

I was able to remove my older YubiKey from my account using the Chrome on Android session. It didn't ask me for any 2FA key or code or any validation.
Someone could enroll their own keys with access to your face, fingerprint or lock screen code.

I wanted to enroll a new version of YubiKey security keys to my Google accounts, but I was unable to do so on my Windows laptop & Linux desktop.

When I go to the Passkeys & Security Keys settings menu in my Google accounts, I'm given this message:
"A passkey can't be created on this device"

When I searched for the cause, I found this:
Passkeys require Windows Hello, which requires an online account, which I refuse to do for privacy reasons.

Linux is not supported at all!

So, Google is enforcing the use of privacy-breaking features on Windows (Windows Hello), and its user interface does not present any option at all to enroll simple 2FA keys anymore.

I'm unable to update my YubiKeys, and I'll never enable Windows Hello as I refuse to create a Microsoft account & link it to my operating system.

What do I do now? :/

Change to Adobe terms & conditions outrages many professionals - 9to5Mac

Update: Adobe has now clarified the meaning and intent. A change to Adobe terms & conditions for apps like Photoshop...

9to5Mac