1
28
submitted 5 hours ago by [email protected] to c/[email protected]

cross-posted from: https://rss.ponder.cat/post/193175

Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor that can survive reboots and firmware updates in an attack by a nation-state or another well-resourced threat actor, researchers said.

The unknown attackers gain access to the devices by exploiting now-patched vulnerabilities, some of which have never been tracked through the internationally recognized CVE system. After gaining unauthorized administrative control of the devices, the threat actor installs a public encryption key for access to the device through SSH. From then on, anyone with the private key can automatically log in to the device with administrative system rights.

Durable control

“The attacker’s access survives both reboots and firmware updates, giving them durable control over affected devices,” researchers from security firm GreyNoise reported Wednesday. “The attacker maintains long-term access without dropping malware or leaving obvious traces by chaining authentication bypasses, exploiting a known vulnerability, and abusing legitimate configuration features.”


From Ars Technica - All content via this RSS feed

2
20
submitted 5 hours ago* (last edited 4 hours ago) by [email protected] to c/[email protected]

LLMs can be very useful for my personal life. How can I deal with this in the future?

  • the quality highly depends on model, size, internet access, etc.
  • They get seemingly more accurate over time

Personally, I can find information within a second. I can ask it which philosopher wrote about "free will" and it'll provide me a good chunk of information that sounds very plausible. Gemini is very impressive from a layman's perspective. Llama is worse in this regard but still OK. It may only be good on the surface but I can ask it for the book as well and it'll provide me information. It will get better over time.

Google already knows a lot of stuff and now it will collect even more information about people. I caught myself asking it a philosophical thought of myself.

I was asking the computer. I was not judging an output of it. I was asking to judge my output.

I was asking the computer a philosophical question that has no clear answer. I evaluated the computer's output and was happy it told me that I was right.

I also do maths with a computer. I trust it, it is usually deterministic.

I've also asked it about medical advice, which sounded good.

Today, I wanted to ask it something else, and I was observing that I ask a computer a question. I'd need many minutes, many difficult minutes to think about it. I'd need to research more information, talk to people. But I chose to prompt it.

I realised that I would need to think about this and prompt a community to think about it to exchange information by (hopefully) humans.

Using LLMs, especially online LLMs, e.g. Google, yields higher quality output than local LLMs in my experience, hence I'd like to use online LLMs. But I do not want to give every question I have to Google. I do not want all of us giving everything to Google. Am I overreacting? Fear of new technology?

It can save me a lot of time. "I could achieve more" by using it. Could I really? Wouldn't the AI achieve it for me? Do I want the achievement anyway? Do I want to get a headstart with AI? I write code for a living. Is there a huge difference in writing deterministic code and the probabilistic LLM output?

Fear of missing out is kicking in.

I do not want to get left behind but I also do not want to give up my free will.

I do not want to lose my privacy (to Google).

I do not want to lose my philosophical maturity, or at least what's left of it.

Fear of missing out is kicking in.

3
27
submitted 6 hours ago by [email protected] to c/[email protected]

shared from: https://europe.pub/post/958415

cross-posted from: https://lemm.ee/post/65253750

Full text to avoid paywall


If you’ve left a comment on a YouTube video, a new website claims it might be able to find every comment you’ve ever left on any video you’ve ever watched. Then an AI can build a profile of the commenter and guess where you live, what languages you speak, and what your politics might be.

The service is called YouTube-Tools and is just the latest in a suite of web-based tools that started life as a site to investigate League of Legends usernames. Now it uses a modified large language model created by the company Mistral to generate a background report on YouTube commenters based on their conversations. Its developer claims it's meant to be used by the cops, but anyone can sign up. It costs about $20 a month to use and all you need to get started is a credit card and an email address.

The tool presents a significant privacy risk, and shows that people may not be as anonymous in the YouTube comments sections as they may think. The site’s report is ready in seconds and provides enough data for an AI to flag identifying details about a commenter. The tool could be a boon for harassers attempting to build profiles of their targets, and 404 Media has seen evidence that harassment-focused communities have used the developers' other tools.

YouTube-Tools also appears to be a violation of YouTube’s privacy policies, and raises questions about what YouTube is doing to stop the scraping and repurposing of people’s data like this. “Public search engines may scrape data only in accordance with YouTube's robots.txt file or with YouTube's prior written permission,” it says.

To test the service, I plugged a random YouTube commenter into the system and within seconds the site found dozens of comments on multiple videos and produced an AI-generated paragraph about them. “Possible Location/Region: The presence of Italian language comments and references to ‘X Factor Italia’ and Italian cooking suggest an association with Italy,” the report said.

“Political/Social/Cultural Views: Some comments reflect a level of criticism towards interviewers and societal norms (e.g., comments on masculinity), indicating an engagement with contemporary cultural discussions. However, there is no overtly political stance expressed,” it continued.

According to the site, it has access to “1.4 billion users & 20 billion comments.” The dataset is not complete; YouTube has more than 2.5 billion users.

YouTube-Tools launched about a week ago and is an outgrowth of LoL-Archiver. There’s also nHentai-Archiver, which can give you a comprehensive comment history of a user on the popular adult manga sharing site. Kick-Tools can produce the chat history or ban history of a user on the streaming site Kick. Twitch-Tools can give you the chat history for an account sorted by timestamp and sortable by all the channels they interact on.

Twitch-Tools only monitors a channel that users have specifically requested it to monitor. As of this writing, the website says it is monitoring 39,057 Twitch channels. For example, I was able to pull a username from a popular Twitch stream, plug it into the tool and then track every time that user had made a comment on another one of the tracked channels.

Reached for comment, the developer of these tools didn’t dance around the reason they built them. “The end goal of people tracking Twitch channels would certainly be to gather information on specific users,” they said.

Twitch did not respond to 404 Media’s request for comment, and YouTube acknowledged a request but did not provide a statement in time for publication. But I spoke with someone in control of a contact email address listed on the LoL-Archiver’s “about” page. They said they’re based in Europe, have a background in OSINT, and often partnered with law enforcement in their country. “I decided I launched [sic] these tools in the first place as a project to build the tool that could be use by LEAs [law enforcement agencies] and PIs [private investigators.]”

According to the developer, they’ve provided the tool to cops in Portugal, Belgium, and “other countries in Europe.” They told 404 Media that the website is meant for private investigators, journalists, and cops.

“To prevent abuses [sic] we only allow the website to people with legitimate purposes,” they said. I asked how the site vets users. “We ask the users to accept our Terms of Use and do targeted KYC [know your customer] requests to people we estimate have an illegitimate reason to use our website. If we find that a user doesn't have a legitimate purpose to use our service according to our terms of use, we reserve the right to terminate that user's access to our website.”

The site’s Terms of Service makes this explicit in the first paragraph. “The Service is distributed only to licensed professional investigators and law enforcement. Non-professional individuals are not allowed to subscribe to the Service,” it says.

But YouTube-Tools is a “grant access first ask for proof later” kind of website. 404 Media was able to set up an account and begin browsing information in minutes after paying for a month of the service with a credit card. It didn’t ask me any questions about how I planned to use the service nor did it need any other information about me.

I asked the developer for an example of a time they had removed someone from the platform. They said they’d removed a client a few weeks ago after they realized the email the client used to obtain their license was “temporary.” The developer said they reached out to the client to ask why they wanted the tool and didn’t get a response. “They ignored us, and we therefore reported the issue to Stripe and terminated their access.”

The AI summaries are new and only exist for the YouTube tools. “The AI summary is to provide points of interest, so that an investigator doesn't have to go through the (potentially) thousand [sic] of comments,” the developer said. “This summary is not to replace the research and investigation process of the investigator, but to give clues on where they can start looking at first.”

I asked them about the possible privacy violations the tool presents and the developer acknowledged that they’re real. “But we try to limit them during [our] vetting process,” they said. Again, I was able to sign up for the site with a credit card and an email. I was not vetted.

“I also believe that the tool can be a very valuable source of information for professionals such as police agencies, private investigators, journalists,” the developer said. “That is why we currently offer free access to police agencies requesting it, and have offered [it] to several agencies already. If someone wants to remove any information that the tools has archived they can make a formal request to us, to which we will comply, as we've always done.”

Scraping public data is a big problem. Last month, researchers in Brazil published a dataset built from 2 billion Discord messages they’d pulled from publicly available servers. Last year, Discord shut down a service called Spy Pet that’s similar to YouTube-Tools.

4
547
submitted 23 hours ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.ml/post/30792652

Support for Windows 10 ends on October 14, 2025. Microsoft wants you to buy a new computer. But what if you could make your current one fast and secure again?

If you bought your computer after 2010, there's most likely no reason to throw it out. By just installing an up-to-date Linux operating system you can keep using it for years to come.

Installing an operating system may sound difficult, but you don't have to do it alone. With any luck, there are people in your area ready to help!

5 Reasons to upgrade your old computer to Linux:

  1. No New Hardware, No Licensing Costs
  2. Enhanced Privacy
  3. Good For The Planet
  4. Community & Professional Support
  5. Better User Control

5
155
submitted 21 hours ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.bestiver.se/post/410276

Mullvad Leta

6
61
submitted 21 hours ago* (last edited 21 hours ago) by [email protected] to c/[email protected]

I have an older Sony TV which has (what I can only guess to be) Google's Android TV app installed on it. I'm sick of getting new recommendations from Amazon and Disney+ and all those services. Is there a way to strip it down bare bones and get everything I need from another app repo - kinda like with Graphene vs Android?

7
68
submitted 1 day ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.ml/post/30717996

Amazon and PayPal being out of the running of course. FWIW, I think Mullvad uses Stripe . . . 🤔

8
135
submitted 1 day ago by [email protected] to c/[email protected]
9
15
submitted 1 day ago by [email protected] to c/[email protected]

Hi, I just found out my dentist's office is using a program called "Second Opinion" produced by "Hello Pearl". There is literally no information about what this company does in the background with my information, however I know they at the very least have:

  1. My full legal name
  2. X-Rays of my teeth

I'm concerned because there is literally nothing online about how to opt out of them using your data for AI training. They are an AI company and the screen the dentist was showing me showed a pop-up about provided information being able to be used for AI training. What should I do, what are my rights?

10
41
submitted 2 days ago* (last edited 2 days ago) by [email protected] to c/[email protected]

The European Commission is looking for feedback on forcing retention of metadata from all communication services for "a reasonable period of time", for purposes of criminal investigation!

Which means encrypted messaging without a backdoor would be illegal if this passes! That's a slippery slope!

That basically means an attacker with some skill could read any data from anyone (correct me if I'm wrong but I think you can infer the content from the metadata in 90% of cases).

For more detail on why it's bad, click the link below and read literally any feedback comment.

Go ahead and give some feedback! You can do so even if you are not an EU citizen!

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14680-Impact-assessment-on-retention-of-data-by-service-providers-for-criminal-proceedings-/_en
@soatok @echo_pbreyer @privacy @technology
#Europe #privacy #encryption

11
39
submitted 2 days ago by [email protected] to c/[email protected]
12
11
submitted 1 day ago by [email protected] to c/[email protected]

Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

13
248
submitted 3 days ago by [email protected] to c/[email protected]
14
37
submitted 2 days ago by [email protected] to c/[email protected]

I'm finding alternatives for Discord/Twitter/Reddit very easily but am still on the search for a Facebook alternative. Anyone who didn't quit Facebook yet knows how shitty their feed is now, bloated with things not related to your friends, but it was good before. It wasn't just about "posting": things like being able to create pages, join communities/groups (private and public), events calendar, optional geotagging, tagging people on photos.

15
54
submitted 2 days ago by [email protected] to c/[email protected]

shared from: https://feddit.org/post/13109300

via @[email protected]:

The #UnplugTrump series is now in English – spread the word and let it roll like a wave across the Fediverse! 🌊 👇

https://www.kuketz-blog.de/unplugtrump-free-yourself-digitally-from-trump-and-big-tech/

#UnplugTrump #privacy #security #GAFAM

https://social.tchncs.de/@kuketzblog/114572938988438124

16
21
submitted 2 days ago by [email protected] to c/[email protected]

If I should, are there ways I could install such apps with a spoofed Device ID or something like that?

17
34
submitted 3 days ago by [email protected] to c/[email protected]

When I was considering buying a Fairphone, Fairphones with e/OS came up and I wondered if it was a good option for privacy.

I do not like Pixels, and would love nothing to do with that phone. I prefer my OnePlus and if I can keep that and still have my privacy, that would be nice.

e/OS can be put on different Android phones, my OnePlus included.

18
20
submitted 2 days ago by [email protected] to c/[email protected]
19
128
submitted 4 days ago by [email protected] to c/[email protected]

Archived URL (Wayback Machine) - Original URL (in case of Wayback Machine downtime)

A small portion of the article:

At the end of May, Meta will start using Europeans’ data to train its AI. Here is how you can exercise your rights and prevent it.

Instagram and Facebook users in Europe will soon have their data and posts used by parent company Meta to train its artificial intelligence (AI) models.

Europeans have until May 27 to restrict Meta from using their data, the date when the company will start using Europe’s data.

20
22
submitted 3 days ago by [email protected] to c/[email protected]

Hello, I have a Pixel 8a GrapheneOS phone. I want to make this a safe phone. A privacy friendly phone. Basically I want to strip any/all tracking features of this phone, whilst making it hard against any adversaries to monitor me/track me, or watch my phone or its activities.

Not doing anything wrong, just want to know what are my best moves with this phone.

What VPN should I use on this phone?

The threat actor is mostly local feds, and doing what's necessary to stop them getting grips of surveillance.

Thank you.

21
158
submitted 5 days ago by [email protected] to c/[email protected]

The title says it all. Part of what I do now is to convince people to care about their privacy. I know I cannot force people to do anything. And I have a charisma level of -1, if this was an RPG. Like, it's nonexistent.

I feel lonely in general because it feels like people make me feel like I'm delusional for caring about protecting my privacy. Maybe there is a support group for that🤣🤣🤣

But anything I can specifically say that works best in planting a seed in people's mind?

22
123
submitted 5 days ago* (last edited 5 days ago) by [email protected] to c/[email protected]

My current phone is 7 years old, does not support recent Android versions, and battery life is becoming atrocious. This feels like the right time to change my phone.

Currently, I know of & am considering 3 options:

  • Google Pixel
  • iPhone
  • Samsung Galaxy

I heard that Pixel is the best choice for privacy, despite it being Google™. Should I go with it, and install Graphene OS or similar options? The very fact that the name "Google" is attached makes me nervous. Also, I don't think I can trust Android, so I would have to install Graphene OS or the like. In that case, app support would be lacking, though.

I am considering iPhone as well, since it has a "reputation" of being secure. Of course, Apple can access my data, but that might be a good enough compromise? Honestly, I don't know. It's the best supported option as well - lots of apps support iPhone.

Galaxy is just the one that I am the most familiar with (my current one is Galaxy S8). I don't trust it, though. Do they even make good hardware nowadays?

EDIT: Turns out, Pixel phones are poorly supported by local telecom companies. It is relatively cheap though. Still worth it?

EDIT2: I heard that data & message is fine, but the call quality is impacted by lack of VoLTE compatibility.

23
36
submitted 5 days ago by [email protected] to c/[email protected]

For example, if:

  1. I'm on a tracking website like LinkedIn
  2. I log out and close the browser
  3. I turn on the VPN and open the same browser
  4. I create a Spotify account

Is it possible that Spotify will give me targeted ads based on my home IP due to the cookies?

Thanks in advance

24
29
submitted 5 days ago by [email protected] to c/[email protected]

I like sharing my thoughts and struggles here, but I don't want it to be a permanent digital footprint and wish to delete all the posts and comments one day.

25
53
submitted 5 days ago by [email protected] to c/[email protected]

Privacy

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago