Vulnerabilities

In a curious twist, all the icecream machines started working again

8 Likes

Dammit, I was trying to come up with something about the ice machines, and failed.

tumblr_02d3e86f5c4607fa95be9f20256292dc_1bf74251_540

4 Likes
5 Likes
4 Likes

I hate how many devices like this and other control systems are developed with a complete lack of concern for security. The developers assume the environment will be safe because so few people know about/have access to the system, but you’d think by now more developers would realize there is no such thing as an adversary-free environment in the age of cheap wireless, be it WiFi, Bluetooth, Zigbee, etc or even just a software defined radio. Hacking this stuff is way too easy!

6 Likes

Not true! The “S” in “IoT” is for “Security”!

7 Likes
1 Like

So far, it looks like someone was playing a long game by taking over maintenance of a utility, then gradually slipping in malicious code.

Back in 2022 a host of characters appeared and basically bullied the creator of the XZ project to hand it over to somebody else - at the time the guy cited mental health issues around not updating the project quickly.

At the time he was already talking about maybe handing over to the account who years later introduced the backdoor.

In mid 2023 said account introduced a change to Google’s OSS Fuzzer to weaken detection for XZ.

Somebody played a years long game of Jenga and lost.

If someone is playing a long, slow game, then they have time to play multiple games in parallel, and they only need to win one. (The thread goes on, apparently this isn’t the only game they were playing.)

This one was found because a developer wondered “Why is this code so slow?”

(No evidence that the person was in China.)

6 Likes
3 Likes

I got a new phone (Samsung). Anyone know of a good guide for scraping out as much junkware and spytech and such as I can from it?

(If anyone knows of a better thread for such a question, do please let me know!)

6 Likes

If there isn’t one already, a thread for making your devices yours is a great idea for here.

6 Likes

AND … the latest “update” is a downgrade

Preparing to unpack .../liblzma_5.6.1+really5.4.5_aarch64.deb ...
Unpacking liblzma (5.6.1+really5.4.5) over (5.6.1) ...
Setting up liblzma (5.6.1+really5.4.5) ...
Preparing to unpack .../xz-utils_5.6.1+really5.4.5_aarch64.deb ...
Unpacking xz-utils (5.6.1+really5.4.5) over (5.6.1) ...
Setting up xz-utils (5.6.1+really5.4.5) ...
$ xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5
2 Likes

Via the IP List

The new Outlook App is a data scraping nightmare. Run away.

When you sync third-party email accounts from services like Yahoo or Gmail(new window) with the new Outlook, you risk granting Microsoft access(new window) to the IMAP(new window) and SMTP(new window) credentials, emails, contacts, and events associated with those accounts, according to the German IT blog Heise Online(new window).

Although this transfer is secured with Transport Layer Security (TLS), according to Heise Online, your IMAP and SMTP username and password are transmitted to Microsoft in plain text.

A deeper dive into Microsoft’s privacy policy shows what personal data it may extract:

  • Name and contact data
  • Passwords
  • Demographic data
  • Payment data
  • Subscription and licensing data
  • Search queries
  • Device and usage data
  • Error reports and performance data
  • Voice data
  • Text, inking, and typing data
  • Images
  • Location data
  • Content
  • Feedback and ratings
  • Traffic data
6 Likes

Nice description of the attack.

1 Like

I wonder how to disable all of that fuckery.

2 Likes

Diligence, code inspection, knowing your s**t and caring enough to dig in when something doesn’t look right.

Well, that and hope that your CPU microcode isn’t backdoored (probably is)… or your network card’s little CPU isn’t leaking secrets (probably is)… or that odd little chip you can’t identify on your motherboard isn’t malign… There are so many layers you just have to trust, even when you have the source code and your computer isn’t programmed to actively work against you.

Speaking of not looking right, libarchive had a dodgy commit under the same user name. It looks like it was easily cleaned out, but watch for updates.

3 Likes

Oh how I wish I had even an inkling of awareness of what you’re talking about. :sob:

4 Likes

… has this been discussed before

I’m not an expert by any means but I think Samsung is no worse than any other manufacturer as regards bloatware, etc. these days.

I find these guides quite helpful generally:

https://www.privacyguides.org/en/

Apart from general advice about using Android’s own settings, they also recommend apps, etc. Once better apps have been installed, one can try to uninstall the stock apps they’re replacing. When the phone won’t let you do that, you should at least be able to revoke the app’s permissions.

Hope that helps.

If anyone has anything better to suggest, I’d love to see it too.

2 Likes

The hell? Does bbs have a soundtrack now?

That appears on my drop down menu. It’s slow piano noodling.

Confused Steve Brule GIF by MOODMAN

3 Likes