May 17, 2024

Another VPN Caught Logging Data - Surveillance Report 62



Published June 19, 2023, 2:20 p.m. by Jerald Waisoki


Big surprise, a free VPN has been keeping logs. A man had his home stolen, very concerning Facebook research, Signal added proprietary code to their servers, and more!

Welcome to the Surveillance Report - featuring techlore & The New Oil to keep you updated on the newest security & privacy news.

ProtonMail Affiliate Link: https://go.getproton.me/aff_c?offer_id=26&aff_id=1182&url_id=267

ProtonMail Standard Link: https://protonmail.com

ProtonVPN Affiliate Link: https://go.getproton.me/SHJQ

ProtonVPN Standard Link: https://protonvpn.com/

The New Oil Support Methods: https://thenewoil.org/links.html

techlore Support Methods: https://techlore.tech/support.html

SR62 Sources: https://github.com/techlore/channel-content/blob/master/Surveillance%20Report%20Sources/SR62.md

00:00 Introduction

02:02 Data Breaches

06:05 Company News

10:20 VPN Logging Story

11:18 Research

19:10 Politics

23:55 FOSS News

29:28 Misfits

🔐 Our Website: https://techlore.tech

🕵 Go Incognito Course - to learn about privacy: https://techlore.tech/goincognito

🏫 techlore Coaching - to get direct support: https://techlore.tech/coaching

💻 techlore Forum - to connect with other advocates: https://discuss.techlore.tech

🦣 Mastodon - to stay updated: https://social.lol/@techlore

We cannot provide our content without our Patrons, huge thanks to:

Afonso, Boori, BRIGHTSIDE, Casper, Clark, Cyclops, Eldarix, JohnnyO, Jon, kevin, Larry, love your content, NotSure, Poaclu, x

🧡 Join them on Patreon: https://www.patreon.com/techlore

💖 Our Other Support Methods: https://techlore.tech/support

#security #privacy #news

Hello everyone, and welcome to Surveillance Report 62, where we are dedicated to keeping you private and secure with the latest news. This report recaps some of the most notable events in the last week, like a man who had his home stolen (that is privacy related, stay tuned), some alarming but probably not terribly surprising research about Facebook, Signal adding proprietary code to their server, and yet another VPN provider accused of logging user data. I am Nathan from The New Oil. I am Henry from techlore.

This week our affiliate link is going to be ProtonVPN, who is running a special sale. Real quick, before I get to that, a reminder: we pick these links. Proton is not an official sponsor; they have not reached out to us individually. This is part of an email that we got because Henry and I are both in Proton's affiliate program, so this was just kind of a newsletter we got today and thought you guys might like to know about it. If Proton is not right for you, we respect that. There's also Mullvad, there's IVPN, there's Windscribe. We do definitely encourage using a VPN.

So here's the sale. If you are a Free or Basic user and you want to get some new features or support Proton and us at the same time, or if you're not a ProtonVPN user but you want to check it out, they will be offering 50% off of a two-year plan, 40% off of a one-year plan, or 25% off of a monthly plan if you upgrade to the Plus plan. If you are already a Plus user, you can get 33% off if you switch to a two-year plan, or 47% off if you upgrade to a ProtonMail and ProtonVPN bundle for the Plus level. The Plus plan gives you 1300 servers in 61 countries (Basic only gives you 350 and 40 countries), gives you 10 simultaneous connections, 10 gigabits of speed, the ability to use ProtonVPN with streaming services (I do that myself; it's kind of hit or miss, to be totally honest), but it is nice to hop servers, and Tor over VPN. We will have the links in the description, as well as a regular non-affiliate link if you're interested but you're kind of sketched out by affiliate links, which we totally understand. Again, you don't have to go with Proton, that's totally fine, but if you are interested, here's a chance to save some money.

We're going to go ahead and start with data breaches this week, as always, and we're going to start with a 1.8 terabyte data breach of police helicopter surveillance footage. This was posted by a transparency activist group who was given this information from whoever actually did this; they don't know who did it yet. Pretty much the source said that the two police departments who are responsible for this were storing the data in insecure cloud infrastructure. This showed things like vistas high overhead to cars lined up at McDonald's drive-throughs. It also included people just standing in their own yards as well as on local streets. The leak illustrates the inherent risk of collecting and retaining sensitive footage that could always be breached. Pretty much they've declined to comment about the data storage practices; there's been really no information from either police department. One thing is, "due to security measures we are not able to discuss data storage," so apparently how they store data is a security measure. So that's really it. I mean, you should really keep in mind that every major city at this point has some form of aerial surveillance that is tracking very much really anything happening outdoors. It's only a matter of time before, I think, this technology might be used to track things indoors as well, but that's just my tinfoil hat spooky stuff. This is kind of the thing that you have to vote against in the voting booth if you want to make an impact. I don't think there's much you're going to be able to do about this in your day-to-day life unless you're looking to really do some weird stuff.

Our next story comes from a U.S. medical training company called Phlebotomy Training Specialists, who exposed the data of tens of thousands of students. This comes from an unsecured AWS bucket (take a shot), and the number of exposed students they're not quite sure about; it ranges from 27,000 to 50,000. The researchers contacted the school, Amazon and CERT, and all of them failed to respond, so as far as I know nobody has fixed this yet, which is horrible. The information exposed includes ID cards, driver's licenses, resumes, CVs (which we call cover letters here in the US), transcripts and much, much more. If you're interested, the article actually lays out everything that they found. This information could of course be used for phishing, ID theft, fraud and a lot more, so this is definitely very worrying.

Our next data breach comes from the UK, where the Labour Party has admitted to a data breach after a ransomware attack. It affected members, registered and affiliated supporters, and, quote, "others who have provided their info to the party," unquote. They haven't really given us full details on what's been disclosed in terms of information or how many people were affected, but if we hear anything we will keep you guys updated.

Up next, hackers have gained access to mySA GOV accounts, including license and registration details. mySA GOV is the South Australian government's online platform and application that provides residents with single account access for the state services, like checking into a venue or completing transactions for vehicle registration. This compromise came from password recycling, meaning it was very much preventable by people who weren't reusing their passwords. I don't know if I need to make the takeaway a little bit clearer on this one: don't reuse the same password, and use a password manager.

And our last data breach is going to be brought to you by the word "irony," where U.S. defense contractor Electronic Warfare was hit by a data breach. The company claims that the breach's impact was limited, but confirmed that the threat actor did manage to exfiltrate files containing sensitive information. The goal appeared to be wire fraud, but they think that may have just been a misdirection, because the stolen files included names, social security numbers and driver's licenses. That's about all we know, actually. When they say sensitive information, we don't know if that was employees, if that was clients; we don't know if there was also, like, any company information, like any schematics or contracts or technical details. I think if there's a takeaway on this one, it would be a credit freeze. Most of us are W-2 employees, which means when we go to work for somebody we have to give them our social security number and ID and stuff like that, and if they get breached, all that information is out there through no fault of your own. So if you live in a country where you can do a credit freeze, definitely do that, and then people cannot use your identity for fraud.

With that we will now move into company news, and we're going to start with Google, specifically Alphabet, who has launched an AI company to discover new drugs. I'm going to quote the article: "UK-registered Isomorphic Labs will use technology from its sister company DeepMind," which is Google's AI company, "to accelerate drug discovery and ultimately find cures for some of humanity's most devastating diseases," unquote. On the surface this article doesn't seem very privacy related, because they don't talk about how the medication is going to be deployed or who's going to have ownership of it, but the fact that Google is involved, and Alphabet, I think it's a pretty safe bet that they're going to want shares and kickback from whatever is discovered, and they're also probably going to have a really vested interest in the data of how it's deployed, who receives it and all that kind of stuff. So just something to have on your radar.

On the topic of Google, they are now allowing alternative in-app payment systems, but only in South Korea. This is to comply with recent laws that are obviously only in South Korea, which affects Android only. Google will start charging a commission for alternate payments, but it will be lower than previously stated. They didn't miss the opportunity to remind people that alternate payment methods may not include the same, quote, "protections or features." I think really the takeaway for me here is that regulation can sometimes be a good thing, as it is going to allow for a more open platform on Android, and hopefully we'll see the same thing on iOS as well.

Our next story will come from Amazon, where the headline says "Amazon wants you to keep quiet for a brilliantly sinister reason." Basically Amazon Alexa's vice president Tom Taylor, they want to take this stuff further, and I'm sure this is not a surprise to most of us: they want Alexa to be able to anticipate your wants and needs and do things before you even ask. So that's really what this article is about. It's a pretty good read if you're interested in knowing more about that, but that's, you know, the TL;DR.

Up next, Facebook, which is citing societal concerns, is planning to shut down its facial recognition system. There's not too much to say here; there's just some PR marketing about how they're trying to find a balance between the benefits and harms of the software. So they're deleting the one billion images they've collected, but not necessarily the software itself, and they haven't said anything about not bringing it back in future products. There's also a paper with a somewhat misleading title that was published today talking about how Facebook isn't going to use it themselves, but the metaverse might, which is the parent company of Facebook. So that's something that is kind of being explored. It's a little bit misleading of a title, because it's not really based on anything; it's just kind of speculation that Facebook could theoretically be using the metaverse to now be implementing this kind of technology.

Our next story comes from Clearview AI, who is in trouble for breaching Australian privacy on, quote, "numerous fronts." The title pretty much says it all. One of the aspects of this accusation is that Clearview did not give Australians an easy way to opt out. They used to have an opt-out form on their website, but now the only way to opt out is via email. So there's still an opt-out form, but they don't advertise that, and therefore a lot of people don't know that they can opt out, which I'm sure is 100% intentional on Clearview's side. On that same note, various Australian police departments did admit that they tested out the software and they trialled it a little bit. That's pretty much all there is to it. Again, you can always read the article, and we do encourage that, but yeah, Clearview is in trouble in Australia, which is... oh no. Can we get an F in the chats for Clearview AI in Australia, everyone, please? I just, I feel so bad for them. It's such an evil company. I don't know how people can actually manage a company that's, like, just built to be just evil from the ground up.

If anyone hasn't seen John Oliver's episode about Clearview AI, you should, because there's a clip (it's not out of context or anything) where it's an interview with the founder, and I don't think it's John Oliver, it's somebody else, who straight up asks him, "Would you work with repressive countries that have a history of human rights abuses, like, you know, Saudi Arabia, UAE, North Korea?" And the dude beats around the bush; he's just like, "Well, we've gotten a lot of interest from, uh, various countries." And, like, John Oliver makes a great point. He's just like, that's not what you want to hear from the person guarding the hen house. When you're like, "Are you gonna let foxes in the hen house?" "Well, what I can tell you is we've gotten a lot of interest from foxes on getting into the hen house." It's totally worth a watch. It's great.

All right, and our last company story. The headline of the article says "We do not maintain databases," and that is a quote. This is an article about a free VPN service called ActMobile who has been caught keeping logs despite adamant statements that they don't, and they actually threaten to sue anyone who says otherwise. The blog post breaks down all the proof. It's a little bit technical, it kind of goes over my head, but you can read it for yourself and understand. And that "we do not maintain databases," that's actually part of their official statement. This is a great time to remind you that if it's free, you are the product. Be very suspicious of free VPNs. Usually, like 99% of the time, they can be trusted, and techlore has a whole tool on the website about the various VPNs out there and how they stack up, and there's even tools to apply it to VPNs that are not listed, so you can see for yourself if they are trusted or not. It's all open source, and that too. So go check it out, and that is really going to be it for companies this week.

We're going to go ahead and move into research, and we're going to start with, you know, we should find a name for this honestly, a story that I think everyone who consistently listens to this podcast knows about and could have expected, but it's kind of honestly an underrated story, and it's something that a lot of people should get their eyes on. So a security researcher has found that the Facebook app tracks iPhone movements. We're all like, yeah, of course, but actually, like, listen to this; it's a little bit more in depth than that. Facebook collects location data from the IP addresses and photo EXIF data (so that's your photo metadata) even if you set your settings to never track you. That can be preventable, but generally speaking most people aren't going to be thinking about that, so even if you turn everything off, the images you upload to Facebook are still collected, and the location data tied to that is still collected.

Now here's where things get fun. Security researchers have suddenly warned that Facebook goes even further, using the accelerometer on your iPhone to track a constant stream of your movements, which can easily be used to monitor your activities or behaviors at times of day, in particular places, or when interacting with its apps and services. Alarmingly, this data can even match you with people near you, whether you know them or not. Quote: "If you don't allow Facebook access to your location, the app can still infer your exact location only by grouping you with users matching the same vibration pattern that your phone accelerometer records." So I guess the idea here is, if you're with a friend who has the Facebook app installed, and you don't have Facebook on your phone allowing access to your location, if you guys are somehow in sync and have the same kind of vibration patterns, maybe, like, if you're riding in a car or something... Yeah, like in a car, I think that's where you might see this kind of thing, or in, like, a public space with a lot of people, and like the crowd and the sound waves are causing the same vibration patterns in the phone. That might be enough information for Facebook to see, like, oh, these two people are in the same exact place, and this person here has their location on, so here's where they are.

To add on top of this, this isn't just the Facebook app. This is, I would consider, everything in the new metaverse. This includes Instagram and WhatsApp. If you have WhatsApp installed, this is happening inside the app. This isn't just, like, speculation; this is actual research showing this. At least on the bright side, TikTok, WeChat, iMessage, Telegram and Signal all don't do this. This is really kind of just a Facebook thing, and it speaks to how terrible of a company Facebook is, and why even installing it on your phone is just a serious risk to your privacy, security and, what I would argue, your basic freedom in the world. I don't know if you have something to add. There was a big story, just that the only way to stop it is to delete the app. They said that at the beginning. That's it. We're not normally, like, all-or-nothing kind of people; normally it's like, oh, you can prevent this by doing this, but it's a workaround so it's inconvenient. No, you have to delete the app. It's the only way to stop this nonsense.

Our next story also has to do with phones and Bluetooth devices. Researchers were able to use a cheap Bluetooth detection device, less than 200 US dollars, to track as much as 47% of mobile devices. They were able to use a Bluetooth sniffer to uniquely identify those devices, which would allow them to track them from place to place. Now, this would require an attacker to go from place to place, so it's not like they can track you at the movie theater and then also at the grocery store; they would have to be in both places. So I think for most people this is probably not a huge threat, but for most people what I think the real implication of this is, is that this is a way that companies can correlate that data. If the grocery store and the movie theater both detect your unique device via Bluetooth, they may not necessarily know that you were in both places, but when they sell that data to data brokers further up the chain, they can connect those dots and know that you were in both places. I always encourage you to turn off Bluetooth, especially if you're not using it. Leave your phone at home. I did that this morning; it was awesome. It's a good point you bring up, because I've never thought of that. It's the same thing with data brokers. If you're not listening in the US, I know this is a foreign concept to you, but here in the United States you can just go online and there's things called people search websites, and literally it's what it sounds like: you just type in someone's name and it gives you their address, their phone numbers, their emails, etc. You have to, like, actively be good about your privacy to not end up on these sites; I think by default most people end up on these sites. But it's the same exact thing that Nathan just talked about. These don't normally come from one central place. It's, oh, Facebook sold your phone number to this data broker; oh, Snapchat sold your email to this data broker; oh, this person had your home address. And then these data brokers in high-up areas really combine all this information to form a very good portfolio on individuals. This is their business; their business is being able to tie data together. And so I don't think that what you said is by any means out of the question, if this actually becomes something that becomes widespread. Honestly, I'd be more surprised if it's not already widespread, right, because so many people just leave Bluetooth on all the time. Yeah.

And our last research story: Brigham Young University algorithm accurately predicts when teens likely have suicidal thoughts and behaviors. I'm gonna be honest here, this is a personal subject for me. I have said in a previous Surveillance Report that I have suffered with depression, and at one point in my life I had suicidal thoughts. I never made any attempts, but I had those thoughts, and looking back on it, even at the time, I think, you know, this is way before I was into privacy, I still think I would have been upset if that was just public knowledge. I wanted to control who knew that about me and how much of that they knew, because I didn't want people judging me. Not to go too far off a tangent, but my mother does not have a lot of experience with mental health and depression and stuff like that, so when I told her I was suicidal, there was one time she called me while I was in the shower, and because I didn't pick up right away she immediately assumed the worst, and I didn't want those kinds of reactions from everybody, you know. I wanted to control who knew that stuff about me. This kind of research, I understand the value of it. I understand the value of knowing if someone is a risk so that you can step up and do something about it, but at the same time that's a huge invasion of privacy, and I think this research should be... tread lightly. I think this is an area where we should tread very, very lightly.

So anyways, to get into the actual story: this algorithm developed by Brigham Young University, which I believe is in Utah, has a 91% accuracy rating among adolescents. They analyzed 179,384 junior high school and high school students for a total of 1.2 billion data points. They examined all kinds of things, like, I mean, pretty much any data point they could get their hands on, like socioeconomic background, demographics, all kinds of stuff. What I'm sure is probably not a surprise to many people, the top predictors of suicidal thoughts and behaviors: being threatened or harassed through digital media (cough cough, delete Facebook), being bullied by a student at school, and serious arguments and yelling at home. Those were the top three predictors of somebody who was likely to have suicidal thoughts and behaviors. So I think if there's a practical application that we can take away from this: don't be an a-hole. I know we all have strong opinions and stuff, but when you're leaving your YouTube comments, don't forget there's real people on the other side of the keyboard.

So, yeah, and in real life too. You just never know what somebody's going through, man. Don't be a jerk. To give kind of a different look on this as well, I found a podcast that I fell in love with, and so I downloaded tons of old episodes, and I was listening to one from over a year ago, when the pandemic first started, and they were talking about how what's really sad about social media in general is that they have so much great information that they're getting on people that can be used for so much good. They quoted a research paper; it was a similar one to this, where pretty much the social media platforms, they know so much about what you're going through in your life and your feelings, likely better than you do, and they can actually use that for good. And it's something that's very unfortunate, because it's genuinely not a bad technology inherently, but it is only being used for bad things, and I would almost argue that these platforms are only making it worse despite the great information that they have access to.

All right, and on that note we will move into politics. We're going to start off with CISA, or CISA, I'm still not sure how that's pronounced, here we are what, three years later. CISA orders federal agencies to fix hundreds of exploited security flaws. This is actually really impressive. They have given all civilian government agencies two weeks to patch known vulnerabilities in their software, and I believe, if I read the article correctly, that this is actually a binding order. This isn't like a guideline or a recommendation; like, they actually have to do this. So this is great news. We are finally catching up to the bare minimum of cybersecurity by having people fix known freaking vulnerabilities. Fantastic. And they have to do it quick too; this isn't one of those "like, by 2050," like, no, you got two weeks, bro, and I think your first week is already up as we're recording this. So, yeah, this is fantastic, um, I love that.

Up next, here's the headline: "Hackers are stealing data today so quantum computers can crack it in a decade." And you can go into this if you want to read it, but pretty much the moral is that what is currently encrypted now, it's up in the air in 10, 15, 20, 50 years from now. I know that a lot of companies are planning to, essentially, to simplify this, re-encrypt the data using quantum technology to prevent it from being cracked by quantum computers, but these are all big ifs. I think the moral here is that we don't know what's going to happen tomorrow, so the best thing to do is just assume that anything you upload is going to eventually be public information. Not to be depressing. But I wonder what the odds are that the NSA already has quantum computing and they're using it on all that technology they're intercepting. It's very slim. I did read some, uh, research papers regarding the math and the amount of energy required to do that, and how we would actually be able to trace down energy surges that would require that much energy, based on, I guess, the technology that we think we know, unless you really wanted to go down the rabbit hole of, like, the NSA has this, like, 50-years-from-now advanced technology. Exactly, but it's the kind of thing that I don't think it's a big... even people who are, like, pretty far down the rabbit hole, like Snowden, even they seem very big proponents of the math that's currently available to them via just the standard encryption that we use. That's gonna make me sleep better at night.

For real. Our next story: the US has put Israeli spy firm NSO Group on a trade block list. The title pretty much says it all. Not to be political, I have a very low opinion of the US government, and I'm sure that's not really a controversial opinion on any political side. I don't really think they do anything altruistically or for the good of mankind, so I'm really wondering why they did this. On the surface they say it's because NSO has been doing things that they don't approve of, like working with repressive governments, like, you know, UAE and, uh, I think Turkey was one of them, and just, you know, all these governments with a big track record of human rights abuses. Not that we're exactly a shining example, but anyways, on the surface that's what they say. But then there's also the part of me that's like, but why? Now that I'm saying it, I wonder if maybe there's like a loophole where public companies can't do this but the government can still use Pegasus and other NSO spyware. I don't know, I'm speculating. Officially the US has blocked them and nobody is allowed to trade with them if they're a US-based company. There was also a Russian company and a Singaporean company that the article didn't name who were also added to this list, so it wasn't just NSO Group; there were a couple others. I think it's just an arms race; there's a surveillance arms race. I'm guessing Pegasus might outdo what the US was doing, and this is their attempt at kind of, like, undermining that. But that's just the personal thing; this is all speculation. I don't think either of us know the answer to this; we're not saying we do.

And our last political story, we're going to move to Kazakhstan, who plans to require tech firms to localize, and that will open the door to censorship. So this is just something we want to put on the radar of our listeners. I'm going to quote the article: "A draft law in Kazakhstan would require foreign tech companies to open local offices and comply with content takedown demands within tight time frames or have their services terminated. While legislators claim that the amendments are necessary to counter cyberbullying, in 2020 Kazakhstan requested Google delete bullying and harassment content just once, compared to 44 orders to remove criticism of the government." So we can already see that this is kind of a flimsy excuse for Kazakhstan to try and impose more censorship. According to this article, the law is written in such a way that it limits the ability for pushback on the orders; companies don't really have a whole lot of room to say no, and it removes due process, which is, at least here in the US, due process is kind of that thing where you have a right to your accusers, you have a right to a trial, you have a right to a speedy trial, all these kinds of things that are supposed to make the justice system a little bit more fair. All of that is out the window. And they also point out that similar laws in other countries have led to more censorship, so they're not just being paranoid; there's a lot of concern here that this is going to be, again, just a flimsy excuse for abuse and censorship. Especially if you are a citizen of Kazakhstan, please have that on your radar.

All right, we're going to go ahead and migrate into free and open source software news of the week, and we're going to start with a story from Mullvad. So Mullvad has introduced WireGuard over TCP and IPv6. It's currently in beta and they're asking for feedback. Check out the sources if you want to get more information and you're a Mullvad customer. Very exciting stuff.

Our next story is going to come from Signal, and this is kind of one of the big stories this week, so we're going to spend a minute to kind of break this down. Signal is adding the ability to report spam messages. Basically, when you get a message from an unknown number, now it's a message request, and Signal has added the ability to not only ignore the request or reject it or block it, but you can also report the number that sent it as spam. If Signal receives too many complaints about that number, they will ask the person, or whoever owns that number, for additional verification, like CAPTCHAs for example. So they still won't see your messages; it's more of just, if they get too many complaints, then they start assuming it's a bot. Some people have expressed concern because, in order to do this, like, CAPTCHA thing for example, there will be proprietary code added to the Signal server. Just a little bit, but it will be there. I'm gonna go ahead and let Henry comment on that and the implications, as he has a much better technical understanding of Signal's architecture than I do.

Pretty much what's interesting is that, first off, people have been freaking out about this, and the first thing I'll say is, like, calm, calm down, because Signal's architecture is built to make the server completely not part of the equation. The server can be compromised, the server could be run by the NSA, it doesn't matter, because the clients are open source, and the clients are where all the fun Signal stuff happens. It's end-to-end encrypted; it's all done on your client. So that's kind of like my first point: it just doesn't matter. The other thing too, as for the proprietary bits, I think all of us wish that it was 100% open source. It doesn't really mean much either way, because we don't even know if that's the server that they're hosting, outside of just taking their word for it. So in regards to transparency, you don't even already know if it's open source or proprietary on a server, and either way, I guess the only thing here is, if people are concerned about any security implications of the proprietary side of the server, that might be a valid place to ask questions. But it doesn't sound like it's very technologically challenging; it's just sending CAPTCHAs, and it's just some automated system: if this individual is being reported 10 times a day for being spam, maybe we should send a CAPTCHA to them. It doesn't sound like it's a very complex issue here.

Overall, the entire point here is that you don't have to trust the Signal server, so if you understand this on a technical level, you understand that this isn't really a massive deal. While it's one more thing that we should look at, you know, Signal now has gone through the MobileCoin thing, they did hide their server source code for a brief amount of time (which, again, doesn't really matter either way), they still haven't explained what happened with that. We're not saying Signal is perfect, but we're also, like, kind of breaking it down and why, like, none of these issues actually affect your privacy, security in really any conceivable way. Keep that in mind. I don't think this is a reason to avoid Signal. It's reason for you to kind of start raising eyebrows and going, like, okay, what might happen in five or so years from now, and maybe should I start looking at alternatives, if there's other alternatives there. And also I want to defend Signal a little bit here too, because you should check out the Signal forums. There's actually a lot of people who complained about the fact that there's spam on their platform, and it made it a pretty much unusable messenger for them, because they were just

receiving constant spam messages on

signal and there was no way to stop them

from coming in so i genuinely think this

is something that signal needed to

figure out in some way or another and

this is their best compromise in the

meantime for still keeping it a good

usable experience for people

and i think that other messengers like

session might have to deal with this

someday and they might have to implement

a similar strategy they're less popular

than signal so signal is now becoming a

target for spam so we just don't know

what that's going to look like for other

messengers down the road

All right, moving on to our next story. The Linux Foundation has added software supply chain security to LFX. I will be honest, I don't really know what LFX is. According to the article, quote, "LFX supports projects and empowers open source teams by enabling them to write better, more secure code, drive engagement and grow sustainable software ecosystems," and that is according to the Linux Foundation. I'm assuming it's just some kind of software tool to kind of give you a light audit of your code. I'm going to quote the article again: "Enhanced and free to use, LFX Security makes it easier for open source projects to secure their code. Specifically, the LFX Security module now includes automatic scanning for secrets in code and non-inclusive language, adding to its existing automated vulnerability detection capabilities." They cite that this was contributed to by BluBracket and Snick... Snike... I'm not sure how that's pronounced. Snyk. Just to give them a shout out for their work in this. I think the real thing I wanted to highlight here is that Linux is trying to work on supply chain issues, because we have seen that a lot lately where a corrupted library will filter out and be abused by malicious attackers, and now there's hundreds of thousands of devices compromised all because that one library had a malicious injection. So yeah, this is good, they're trying to take the lead on that.

Really quick: Tutanota, the email provider, has released a new beta app on Android which now allows PIN and fingerprint unlocks. That is all. Another real quick one: you can now unsend messages on Session. Another one, title says it all, real quick update. And then just the final few updates: Android has released a November patch which fixes some actively exploited kernel bugs, so again, keep it up to date. Linux 5.15 just arrived, and here's what's inside. You can go ahead and check the sources for updates, and it also includes security updates, so again, automatic updates. Firefox 94 has been released with some new features and, take a guess, security updates, so enable automatic updates. And hey, hey guys, listen to this one: Thunderbird 91.3 has been released and it also includes security updates, so you should use automatic security updates. With that, let's move into our final section, Misfits. We're going to

start off in the UK, where a Luton... Luton, sorry, I don't know how to pronounce that, but a man from that place was left shocked as his house is, quote unquote, stolen. The short version is this man had his identity stolen. The criminal used that to sell his house and pocket the cash. The man only found out when he came home. He was out of town for a long time, I'm assuming like on a business trip or something. He came home, all his stuff was gone, removed by the new owner. They had even like torn down some of the walls, they were doing some electrical work, like they were totally remodeling the house. And unfortunately, you know, he called the cops to try and get it straightened out. They checked county records and the change was legal, so unfortunately the cops had to be like, hey man, I'm sorry, but you gotta leave, he legally owns this house, you gotta take it to court. So now he has to prove that he did not make this sale, and I... I'm... I'm optimistic that he's gonna get it straightened out, but oh my god, can you imagine the uphill battle that this man has in store, and now like the years he has to spend in court, and he has to find a new place to live, and just, oh my freaking god, like, this is a nightmare. So yeah, next time somebody's like, what's the worst that could happen? Like, literally, I've tried to push privacy.com on people before and people have just literally been like, well, I've had my cards stolen before and, you know, the bank just sent me a new one in a couple days, it really wasn't that big of a deal. And it's like, I say this all the time, wouldn't you want to avoid this in the first place? Like I said, I'm hopeful that this man is gonna get it straightened out, because I'm sure he's got lots of evidence that, you know, I was out of town, that was not me, here's proof that there was a data breach or whatever. Like, I'm sure they can get it straightened out, but it's gonna take years and he's going to lose so much time and money and, like, stress. Just... I would rather just avoid it.

Destructive cyber attack hits National Bank of Pakistan. So this impacted ATMs, internal networks and mobile apps. This was data-wiping malware, this was not ransomware, and no funds were reported missing. That's it. All right, our next story:

A photo on Wikipedia can ruin your life. The basic summary of what happened was, for a long time the Wikipedia page for a serial killer from New York named Nathaniel White featured an unrelated Nathaniel White from Florida as the photo. So when you went to go look this guy's name up, to do like a background check or anything, anybody who went to look this guy up, Nathaniel White, and there's his face on a Wikipedia page saying he's a serial killer, do you really think they're gonna read the whole article to see if he's still in jail and if maybe this is the wrong person? This is just a reminder for why we are so cautious about putting your face on the internet.

The next story is a series of tweets that this guy is calling The Wire. This is very obviously biased, but I still think it is extremely worth a read no matter your political opinions, because this guy gives a detailed breakdown of how the feds used phone metadata to track the extremists who were present at January 6th. Disclaimer: obviously not everyone who participated in January 6 went there with the intention of storming the Capitol or is a terrorist, but it is unarguable that some people were. Some people showed up with the intention of causing trouble and were not good people. I just want to throw it out there, I know that some people just got carried away and not everybody went there to cause trouble. But yeah, regardless, it's still a fascinating read, because like he really goes into detail of like, they found this piece of information, here's the patterns they looked for, here's how they figured out this and that, and it's... it's really worth a read. It really, really is, regardless of your political affiliation. I 100% recommend it.

Up next: phishing attacks are harder to spot on your smartphone, and that's why hackers are using them more. Pretty much what the headline says. They found that it's harder to spot phishing attacks on your phone, and maybe a reason for that is because they've been used less frequently on your mobile device. I don't know how much of this is based on the actual technical differences or just on your expectations when you use a smartphone and what you think is going to happen on it. You can use your phone less for sensitive things and stick to using a computer. You can also just set up things beforehand to deal with phishing and just have your normal phishing checks. Phishing's kind of a hard thing to universally deal with; it really depends on your configuration, and you just have to be able to spot it. It's not an easy thing to deal with.

I do have two theories on why it might be harder to spot on phone. Number one would be a technical limitation, like you can't hover over a link. Like, you can hold a link, but even then it's going to kind of pull the page and the damage might be done. And then number two, I think, is just the emotional reaction of that in-the-moment thing, where, you know, you get a text message or a phone call, when you're in that moment and, you know, phones are so real-time with SMS and phone calls, you just... your emotional side takes over and you forget to stop and think, like, all right, wait a minute.

Our next story comes from Microsoft, on the topic of, uh, fraud and spam. They are warning of a rise in password spraying. So password spraying, for those who don't know, is when attackers will attempt to gain access by just trying a bunch of different passwords. So maybe they don't actually know your password, but they'll try some of the common ones or whatever. This is just your quick reminder to use unique, strong passwords everywhere. We talked about that at the beginning. Do not reuse passwords, do not use common passwords. There's no reason to reuse passwords these days.

Up next: XMPP admin-in-the-middle. That's... that's the headline, but XMPP is the... the federated, open source chatting protocol, and this isn't unique to XMPP, but it's a proof of concept about how a malicious XMPP server admin can access all of your data and communications. This is true of any server. Now, Matrix is also open source and federated, and Matrix kind of has a similar issue. I do believe Matrix will implement end-to-end encryption before it touches the admin, so the admins won't be able to see end-to-end encrypted messages; however, you can still view all the metadata. So whatever Matrix server you're using to communicate, know that you're trusting a lot of data to these people. So even though it's federated and you can choose what server to be on, just know that there are valid concerns with Matrix. In fact, something that I wish we talked about, I don't know if we did mention this, but in the recent Signal story, I think that was last week, where Signal was, uh, subpoenaed, Matrix wouldn't likely have dealt as well with that situation. Signal could not give any information. I think if they did that with the Matrix server, the Matrix server would have been legally required to hand over all the metadata of Matrix users. I don't think we mentioned that, but I remember seeing a comment where somebody mentioned something like that. Yeah, I read something, I got somewhere, and they're 100% right, assuming that they're going to comply with the legal request. These federated platforms are actually worse off on certain things like that. I think the best possible scenario is something like Briar, because Briar is peer-to-peer, which is not the same thing as federated, and if there's peer-to-peer, that really means there is no central server whatsoever. They'd have to somehow get that information from the individuals. I think just the takeaway here is that the use case of the messenger matters, which is like the biggest misconception with Signal too. If you're using Signal for anonymity, obviously you're not going to enjoy the phone number requirement, duh. But if you're using it for just basic security and talking with your friends and for a small layer of privacy compared to WhatsApp, it's fantastic. I really think that if you're trying to find a balance between privacy, security and anonymity, you're gonna have to go for something extreme like Briar, which fits pretty much almost every use case very well, but then Briar is also extremely not usable for a lot of people. Not to get too carried away, the takeaway there: use messengers for the right reasons, use cases are important. And our

last story of the week: the Internet of Things is getting a lot bigger, but security is still getting left behind. This is an article from ZDNet. They cited some statistics here: four out of five manufacturers do not provide a way for people to report security vulnerabilities in the products, and out of the ones who do provide a way, only one in five advertise it. There's so many metrics by which we could measure the insecurity of IoT, like how often they receive updates, if they receive updates at all, the expected lifespan, and then the actual security vulnerabilities, the nature of them. The moral is, Internet of Things is still incredibly unsafe, so be cautious with them. I understand we're moving into a world where they're more and more common, it's getting harder, like I've heard some people say they can't even buy a dumb TV in the part of the world they live in. Put things on a VLAN, put things behind a firewall, make sure you're using good passwords, update them if you can. Just... be aware IoT is unsafe and be cautious.

That was all of our news for this week. So we had a lot going on: we had Signal adding their code, we've had more research that Facebook is a terrible company that does not respect you, we've had Clearview getting in trouble in Australia, hopefully we'll get some updates on that one in the near future. As usual, all of these stories, if we hear anything new we will keep you updated, so make sure that you are subscribed to future episodes. We want to remind you again our promo spot is Proton VPN. I'm not going to go through the whole spiel again. They're doing a big sale this year; if you're not a Plus user, you're thinking about checking them out, go for it. If you're not interested in Proton VPN, that's totally fine, but you should check out some other ones, because VPNs do have their uses. We want to thank you for listening to Surveillance Report, and we are happy to know you're trying to stay safe out there. The final thing we want to ask of you: share the podcast around, send this episode to somebody you think might like it, or somebody who uses Facebook. Make sure that you're subscribed, give us a rating if you're on a platform that does that, like Apple or YouTube. We want privacy to reach as many people as possible and you can help us do that. Thank you again for listening, and we will see you next week.
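The password-spraying story above (the Microsoft warning) describes the pattern but not how a defender tells it apart from ordinary brute force. The following is an added example, not code from the episode, from Microsoft or from any product the episode mentions: a small detector run over constructed authentication log lines in a made-up `<timestamp> <FAIL|OK> user=<name> src=<ip>` format. The thresholds (8 distinct accounts within 30 minutes with at most 2 failures per account for a spray, 15 failures in the window for brute force) are assumptions chosen for the sample data, not values from the page.

```python
"""Tell password spraying apart from brute force in authentication logs.

Spraying: one source tries a few common passwords against MANY accounts, so
each account sees only one or two failures and per-account lockout counters
never trip. Brute force is the reverse: many failures against one account.
This detector keys on distinct usernames per source inside a time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format for this example (not a real product's format):
#   <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"].lower(),  # Admin and admin are the same account
        "src": m["src"],
    }


def classify_sources(lines, window=timedelta(minutes=30),
                     spray_min_users=8, spray_max_per_user=2.0,
                     brute_min_attempts=15):
    """Classify each source IP as 'spray', 'brute_force' or 'normal'.

    For every source, start a window at each failed login and collect the
    failures that follow within `window`. Keep the widest set of distinct
    usernames seen in any window (plus the failure count of that window) and
    the largest failure count seen in any window. Thresholds are assumptions.
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "FAIL":
            failures[ev["src"]].append((ev["ts"], ev["user"]))

    report = {}
    for src, events in failures.items():
        events.sort()
        max_users, attempts_at_max, max_attempts = 0, 0, 0
        for i, (start, _) in enumerate(events):
            users, attempts = set(), 0
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                users.add(user)
                attempts += 1
            if len(users) > max_users:
                max_users, attempts_at_max = len(users), attempts
            max_attempts = max(max_attempts, attempts)

        if max_users >= spray_min_users and attempts_at_max / max_users <= spray_max_per_user:
            verdict = "spray"          # many accounts, few tries each
        elif max_attempts >= brute_min_attempts:
            verdict = "brute_force"    # many tries, few accounts
        else:
            verdict = "normal"
        report[src] = {"verdict": verdict, "distinct_users": max_users,
                       "attempts": max_attempts}
    return report


def sample_log():
    """Constructed log lines: one spray, one brute force, one clumsy real user."""
    t0 = datetime(2021, 11, 5, 9, 0, 0)
    lines = []
    # Spray: one source, twelve accounts, a single failure each
    for i in range(12):
        ts = (t0 + timedelta(seconds=40 * i)).isoformat()
        lines.append(f"{ts} FAIL user=user{i:02d} src=203.0.113.7")
    # Brute force: one source, one account, twenty failures
    for i in range(20):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} FAIL user=admin src=198.51.100.9")
    # Normal: a user who mistypes twice and then logs in
    lines.append(f"{t0.isoformat()} FAIL user=alice src=192.0.2.5")
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} FAIL user=Alice src=192.0.2.5")
    lines.append(f"{(t0 + timedelta(seconds=60)).isoformat()} OK user=alice src=192.0.2.5")
    return lines


if __name__ == "__main__":
    for src, info in classify_sources(sample_log()).items():
        print(f"{src:15} {info['verdict']:12} users={info['distinct_users']} attempts={info['attempts']}")
```

The distinguishing signal is many distinct usernames with few failures each from one source, which is exactly what per-account lockout counters miss. A spray spread across many source addresses defeats the per-source key used here; in that case the same counting has to be done per tenant or per target list, and the per-account failure ratio stays the useful discriminator.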
