The Nexus of Privacy

@thenexusofprivacy@infosec.exchange

LinkedIn Joins Meta and YouTube in Abandoning Policies Designed to Counter Anti-Trans Hate

https://www.techpolicy.press/linkedin-joins-meta-and-youtube-in-abandoning-policies-designed-to-counter-antitrans-hate/

A good post by @JenniOlsonSF on Tech Policy Press.

#LGBTQIA2S #lgbtqia #lgbtq

LinkedIn Joins Meta and YouTube in Abandoning Policies Designed to Counter Anti-Trans Hate | TechPolicy.Press

GLAAD Social Media Safety Program's Jenni Olson says it is deeply concerning to see LinkedIn remove a policy protecting transgender and nonbinary people.

Tech Policy Press

TeaOnHer is the latest gated community app that requires users to sign up using their government-issued IDs, yet has shown no evidence of any security testing before its app was launched.

Yet, TeaOnHer is still #2 in the free app charts on the Apple App Store today, showing how popular it is.

https://techcrunch.com/2025/08/13/how-we-found-teaonher-spilling-users-drivers-licenses-in-less-than-10-minutes/

How we found TeaOnHer spilling users' driver's licenses in less than 10 minutes | TechCrunch

Exclusive: A dating gossip app for men exposed thousands of users' personal data, including scans of driver's licenses. The app's developer, Xavier Lampkin, won't say if he plans to notify affected users about the app's security lapse.

TechCrunch

@borup
EU: "You have to ask for consent before tracking."
Companies: "Hey, you can't access our website before telling us if we can send information about you to these tens of companies (in fact we were doing it without ask… Wait, I mean, we value your privacy)."
Periodic reminder that EU did not mandate cookie popups.
Cookie popups are yet another example of malicious compliance by an industry that wants to use and abuse data about us all.

So yesterday, I emailed a state court system that appears to be linked to the exposed data I mentioned recently and that the host notified on or about July 28.

No reply was received.

Today, I sent a contact form message to the lawyer for a juvenile whose records were sealed. Sealed, except 11 of them were exposed to anyone who can access the data. I told him what was going on and suggested he contact the court and tell them to get the data secured.

No reply was received.

Today, I sent an email to the judge who ordered the juvenile's records sealed and I cc:d the district attorney. I gave them the juvenile's name, case number and that I could see all the sealed records. I urged them to have their IT or vendor call me and I could give them the IP address over the phone, etc.

No reply was received.

Dear Russia, China, and North Korea:

You do not need to hack our courts. They are leaking like sieves and do not respond when we try to tell them they need to secure the data.

Yours in total frustration,

/Dissent

#infosec #cybersecurity #incident_response #dataleak #databreach #WAKETHEFUCKUP

This is some really smart digging: realizing that Claude Code does not require user interaction for certain bash commands, they discovered that DNS lookups were specifically allowlisted, clearing a trivial path for well-known DNS exfiltration methods.

So when I say “all these implementations are ignoring years and decades of lessons learned the hard way” it’s not hyperbole. Anthropic 100% cleared the path for DNS exfil here.

h/t to @cR0w - thank you!

#infosec #genai

https://embracethered.com/blog/posts/2025/claude-code-exfiltration-via-dns-requests/

Claude Code: Data Exfiltration with DNS · Embrace The Red

Embrace The Red
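Added example, not code from the Embrace The Red post, from Anthropic, or from Claude Code: the mechanics behind the "well-known DNS exfiltration methods" the post refers to, and what a resolver-log detector can key on. The carrier side packs bytes into base32 subdomain labels within DNS size limits; the detector side scans constructed resolver log lines for long or high-entropy labels and for domains collecting many distinct subdomains. The domain `sink.example`, the log format, the benign hostnames and the secret string are all constructed for this example.

```python
"""DNS exfiltration channel (carrier + sink) and a resolver-log detector.
Added illustration; every hostname, secret and log line here is constructed."""
import base64
import math
import re
from collections import Counter, defaultdict

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical limit for a full domain name


def encode_exfil(data: bytes, domain: str, chunk: int = 32) -> list[str]:
    """Carrier side: split `data` into base32 labels carried as subdomains of
    `domain`, one query name per chunk, prefixed with a sequence number.
    Base32 is used because resolvers may fold case; hex would also work."""
    names = []
    for i in range(0, len(data), chunk):
        label = base64.b32encode(data[i:i + chunk]).decode().rstrip("=").lower()
        name = f"{i // chunk}.{label}.{domain}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS label/name")
        names.append(name)
    return names


def decode_exfil(names: list[str], domain: str) -> bytes:
    """Sink side: reassemble the chunks from query names seen for `domain`."""
    suffix = "." + domain
    chunks = {}
    for n in names:
        if not n.endswith(suffix):
            continue
        seq, label = n[:-len(suffix)].split(".", 1)
        # restore the '=' padding stripped by the carrier before decoding
        chunks[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    # Assumption: the last two labels are the registered domain; a real
    # deployment should use the Public Suffix List instead.
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def suspicious_labels(name: str) -> list[str]:
    """Reasons a single query name looks like an exfil carrier (empty if none)."""
    reasons = []
    for lab in name.rstrip(".").split(".")[:-2]:   # skip the registered domain
        if len(lab) >= 30:
            reasons.append(f"long label ({len(lab)} chars)")
        elif len(lab) >= 16 and shannon_entropy(lab) >= 3.5:
            reasons.append(f"high-entropy label ({shannon_entropy(lab):.2f} bits/char)")
    if len(name) > 100:
        reasons.append(f"long name ({len(name)} chars)")
    return reasons


# Constructed dnsmasq-like line: "<timestamp> <client> query[<type>] <qname>"
LOG_RE = re.compile(r"^(\S+) (\S+) query\[(\w+)\] (\S+)$")


def find_exfil(log_text: str, unique_threshold: int = 20) -> dict[str, list[str]]:
    """Scan resolver log lines and return {registered_domain: [reasons]} for
    domains whose queries look like an exfil channel."""
    names_per_domain = defaultdict(set)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group(4).lower()
        dom = registered_domain(qname)
        names_per_domain[dom].add(qname)
        for reason in suspicious_labels(qname):
            findings[dom].append(reason)
    for dom, names in names_per_domain.items():
        if len(names) >= unique_threshold:     # many one-off subdomains
            findings[dom].append(f"{len(names)} distinct subdomains")
    return dict(findings)


# Constructed sample traffic: a few benign lookups plus one exfiltrated secret.
BENIGN = ["api.anthropic.com", "github.com", "pypi.org",
          "files.pythonhosted.org", "d1a2b3c4d5e6f7.cloudfront.net"]
SECRET = b"ANTHROPIC_API_KEY=sk-ant-constructed-example-0123456789abcdef012345"


def build_sample_log(domain: str = "sink.example") -> str:
    lines = [f"2025-08-14T10:00:0{i}Z 10.0.0.5 query[A] {h}"
             for i, h in enumerate(BENIGN)]
    for i, n in enumerate(encode_exfil(SECRET, domain)):
        lines.append(f"2025-08-14T10:00:1{i}Z 10.0.0.5 query[A] {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    for dom, reasons in find_exfil(build_sample_log()).items():
        print(dom, reasons)
```

The length and entropy thresholds are deliberately loose and will also fire on some legitimate traffic (CDN hashes, ACME or DKIM records, a few anti-malware lookup services), so in practice the per-name reasons are combined with the distinct-subdomain count and an allowlist of known domains rather than used on their own. The detector only sees what the resolver logs; if the agent's allowlisted tool resolves through a different resolver, the log has to come from there.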

@cstross like... it's bullshit, but don't make the mistake of thinking it's accidental bullshit. it inverts responsibility too directly for that, and it falls into that sweet spot where even attempting to rebut it seems to legitimize it. accidental bullshit would be less well-crafted.

we've personally met the people who come up with this kind of thing, and we can attest that yes, companies do this stuff deliberately.

A DEA agent used a local police officer’s password to the Flock automated license plate reader system to search for someone suspected of an “immigration violation.”

That DEA agent did this “without [the local police officer’s] knowledge,”

🔗 https://www.404media.co/feds-used-local-cops-password-to-do-immigration-surveillance-with-flock-cameras/

Feds Used Local Cop's Password to Do Immigration Surveillance With Flock Cameras

A DEA agent used a local cop's password "for federal investigations in late January 2025 without [the cop's] knowledge of said use."

404 Media

The 2025 Fediverse Needs Assessment is Open: Have Your Say

Every year, IFTAS asks the people who keep our communities safe to tell us what they need. The Fediverse Needs Assessment gathers input from moderators, administrators, and community managers across the decentralised social web and beyond.

Whether you run a Mastodon, Pixelfed, Lemmy or Peertube instance, a Nostr relay, a Bluesky community, Matrix or Discord rooms, your experience matters. Any platform, any protocol. Single user service or a million person community. Doesn’t matter. We focus […]

https://about.iftas.org/2025/08/11/the-2025-fediverse-needs-assessment-is-open-have-your-say/

As you've probably seen or heard Dropsitenews has published a list (from a Meta whistleblower) of "the roughly 100,000 top websites and content delivery network addresses scraped to train Meta's proprietary AI models" -- including quite a few fedi sites. Meta denies everything of course, but they routinely lie through their teeth so who knows. In any case, whether the specific details in the report are accurate, it's certainly a threat worth thinking about.

So I'm wondering what defenses fedi admins are using today to try to defeat scrapers: robots.txt, user-agent blocking, firewall-level blocking of ip ranges, Cloudflare or Fastly AI scraper blocking, Anubis, stuff you don't want to disclose ... @deadsuperhero has some good discussion on We Distribute, and it would be very interesting to hear what various instances are doing.

And a couple of more open-ended questions:

  • Do you feel like your defenses against scraping are generally holding up pretty well?

  • Are there other approaches that you think might be promising that you just haven't had the time or resources to try?

  • Do you have any language in your terms of service that attempts to prohibit training for AI?

Here's @FediPact's post with a link to the Dropsitenews report and (in the replies) a list of fedi instances and CDNs that show up on the list.

https://cyberpunk.lol/@FediPact/114999480874284493

@fediverse @fediversenews

#MastoAdmin #Meta #FediPact