Leaderboard

Popular Content

Showing content with the highest reputation on 01/10/21 in all areas

  1. I don't think WhatsApp would start decrypting private messages just because they have this in their policy. If they really did that and got caught, Facebook's stock would crash. Here is what they say they collect:

Your Account Information - nothing special here; Google, Microsoft, your bank and other sites ask for the same. At most it can create a shadow profile for you on Facebook in case you don't have an account and, when you do create one, give you a list of friend suggestions based on your phone's address book.

Your Messages - specifies that there are two situations in which they store data: when the user is offline, so they can deliver the message to the phone when the user comes back to the app; and for media files. The latter is a bit of a question mark because, being an American company, they might add some DMCA clause in the future and block your account if copyrighted material is transferred.

We offer end-to-end encryption for our Services - their assurance that they won't read messages.

Your Connections - collects the contacts from your address book to help you connect faster with other people who use WhatsApp. Telegram and Signal do the same thing. If this data reaches Facebook, the only thing Facebook can do with it is give you friend suggestions based on your address book or generate a shadow profile for each contact.

Status Information - more or less the same functionality that was on Y!M; hardly anyone uses status on WhatsApp.

Transactions And Payments Data - for a payment service that isn't available here.

Customer Support And Other Communications - nothing special here.

Usage And Log Information - what they can do here is see that you talk a lot with X on WhatsApp (the messages aren't visible, but the traffic will be) and recommend X to you either as a friend on Facebook or, if already a friend, place X higher in your list.

Device And Connection Information - nothing special here; it takes technical details about your phone so they can help you if something breaks or so they can reproduce it.

Location Information - through this, Facebook can throw more targeted ads at you for your area, like nearby pizzerias, events, etc.

Cookies - nothing special here.

Apart from bombarding you with targeted ads and giving you friend suggestions on Facebook, what else can happen is that the police or other authorities make a request at https://www.facebook.com/records/login/ and ask for a list of all the people (and the phone numbers from those people's profiles) that X communicated with. It won't be the actual messages, but it will be metadata (X talked to Y at times a, b, c; to Z at times d, e, f) that can be used further to locate those people. Likewise, based on the request, the conversations can be tied to the Facebook accounts of X, Y, Z, IPs, timestamps, geolocation, activity, etc.
    2 points
  2. WhatsApp Will Disable Your Account If You Don't Agree Sharing Data With Facebook
January 06, 2021, Ravie Lakshmanan

"Respect for your privacy is coded into our DNA," opens WhatsApp's privacy policy. "Since we started WhatsApp, we've aspired to build our Services with a set of strong privacy principles in mind." But come February 8, 2021, this opening statement will no longer find a place in the policy.

The Facebook-owned messaging service is alerting users in India of an update to its terms of service and privacy policy that's expected to go into effect next month. The "key updates" concern how it processes user data, "how businesses can use Facebook hosted services to store and manage their WhatsApp chats," and "how we partner with Facebook to offer integrations across the Facebook Company Products."

The mandatory changes allow WhatsApp to share more user data with other Facebook companies, including account registration information, phone numbers, transaction data, service-related information, interactions on the platform, mobile device information, IP address, and other data collected based on users' consent.

Unsurprisingly, this data sharing policy with Facebook and its other services doesn't apply to EU states that are part of the European Economic Area (EEA), which are governed by the GDPR data protection regulations.

The updates to WhatsApp's terms and privacy policy come on the heels of Facebook's "privacy-focused vision" to integrate WhatsApp, Instagram, and Messenger together and provide a more coherent experience to users across its services.

Users failing to agree to the revised terms by the cut-off date will have their accounts rendered inaccessible, the company said in the notification. This effectively means that, while the profiles will remain inactive, WhatsApp will eventually end up deleting the accounts after 120 days of inactivity (i.e. not connected to the app) as part of its efforts to "maintain security, limit data retention, and protect the privacy of our users."

WhatsApp's Terms of Service were last updated on January 28, 2020, while its current Privacy Policy was enforced on July 20, 2020.

Facebook Company Products refers to the social media giant's family of services, including its flagship Facebook app, Messenger, Instagram, Boomerang, Threads, Portal-branded devices, Oculus VR headsets (when using a Facebook account), Facebook Shops, Spark AR Studio, Audience Network, and NPE Team apps. It, however, doesn't include Workplace, Free Basics, Messenger Kids, and Oculus Products that are tied to Oculus accounts.

What's Changed in its Privacy Policy?

In its updated policy, the company expands on the "Information You Provide" section with specifics about payment account and transaction information collected during purchases made via the app and has replaced the "Affiliated Companies" section with a new "How We Work With Other Facebook Companies" section that goes into detail about how it uses and shares the information gathered from WhatsApp with other Facebook products or third parties. This encompasses promoting safety, security, and integrity, providing Portal and Facebook Pay integrations, and last but not least, "improving their services and your experiences using them, such as making suggestions for you (for example, of friends or group connections, or of interesting content), personalizing features and content, helping you complete purchases and transactions, and showing relevant offers and ads across the Facebook Company Products."

One section that's received a major rewrite is "Automatically Collected Information," which covers "Usage and log Information," "Device And Connection Information," and "Location Information."

"We collect information about your activity on our Services, like service-related, diagnostic, and performance information. This includes information about your activity (including how you use our Services, your Services settings, how you interact with others using our Services (including when you interact with a business), and the time, frequency, and duration of your activities and interactions), log files, and diagnostic, crash, website, and performance logs and reports. This also includes information about when you registered to use our Services; the features you use like our messaging, calling, Status, groups (including group name, group picture, group description), payments or business features; profile photo, "about" information; whether you are online, when you last used our Services (your "last seen"); and when you last updated your "about" information."

WhatsApp's revised policy also spells out the kind of information it gathers from users' devices: hardware model, operating system information, battery level, signal strength, app version, browser information, mobile network, connection information (including phone number, mobile operator or ISP), language and time zone, IP address, device operations information, and identifiers (including identifiers unique to Facebook Company Products associated with the same device or account).

"Even if you do not use our location-related features, we use IP addresses and other information like phone number area codes to estimate your general location (e.g., city and country)," WhatsApp's updated policy reads.

Concerns About Metadata Collection

While WhatsApp is end-to-end encrypted, its privacy policy offers an insight into the scale and wealth of metadata that's amassed in the name of improving and supporting the service. Even worse, all of this data is linked to a user's identity.

Apple's response to this unchecked metadata collection is privacy labels, now live for first- and third-party apps distributed via the App Store, that aim to help users better understand an app's privacy practices and "learn about some of the data types an app may collect, and whether that data is linked to them or used to track them." The rollout forced WhatsApp to issue a statement last month. "We must collect some information to provide a reliable global communications service," it said, adding "we minimize the categories of data that we collect" and "we take measures to restrict access to that information."

In stark contrast, Signal collects no metadata, whereas Apple's iMessage makes use of only an email address (or phone number), search history, and a device ID to attribute a user uniquely.

There's no denying that privacy policies and terms of service agreements are often long, boring, and mired in obtuse legalese, as if deliberately designed with an intention to confuse users. But updates like this are the reason it's essential to read them instead of blindly consenting without really knowing what you are signing up for. After all, it is your data.

UPDATE: Why Zuckerberg Wants to Integrate WhatsApp and Facebook?

In a statement shared with The Hacker News, a WhatsApp spokesperson justifies integrating both platforms by saying: "As we announced in October, WhatsApp wants to make it easier for people to both make a purchase and get help from a business directly on WhatsApp. While most people use WhatsApp to chat with friends and family, increasingly people are reaching out to businesses as well. To further increase transparency, we updated the privacy policy to describe that going forward businesses can choose to receive secure hosting services from our parent company Facebook to help manage their communications with their customers on WhatsApp."

"Though of course, it remains up to the user whether or not they want to message with a business on WhatsApp. The update does not change WhatsApp's data sharing practices with Facebook and does not impact how people communicate privately with friends or family wherever they are in the world. WhatsApp remains deeply committed to protecting people's privacy. We are communicating directly with users through WhatsApp about these changes so they have time to review the new policy over the course of the next month."

Source: https://thehackernews.com/2021/01/whatsapp-will-delete-your-account-if.html
    1 point
  3. WhatsApp isn't listed on the stock exchange; only Facebook, which owns WhatsApp, is, and it doesn't affect them much.
    1 point
  4. If they required a premium, ad-free account on WhatsApp, those idiotic "WhatsApp won't be free anymore" messages would (partially) come true.
    1 point
  5. GKE Auditor

A tool to detect a set of common Google Kubernetes Engine misconfigurations. Aimed to help security and development teams streamline the configuration parts of their processes and save time looking for generic bugs and vulnerabilities. The tool consists of individual modules called Detectors, each scanning for a specific vulnerability.

This is not an officially supported Google product.

Dependencies
- JDK 11 or later
- Maven
- Google Cloud SDK
- kubectl

To install the dependencies on Debian, run:
    install-debian.sh

If the tool is run from a GCP Cloud Shell, all the above mentioned dependencies should be pre-installed in the shell. To access the Cloud Shell, use the Google Cloud Console or SSH into it by running:
    gcloud alpha cloud-shell ssh
after installing the Google Cloud SDK on your local machine.

Installation
    git clone https://github.com/google/gke-auditor
    cd ./gke-auditor/
    ./build.sh

Authentication
Before running the tool, make sure to configure access to your cluster:
    gcloud init
    gcloud auth login
    gcloud container clusters get-credentials CLUSTER_NAME --zone=ZONE

Usage
The tool has to be built by running the build.sh script first. Once the tool is built, it can be run using the auditor.sh script with the following options:

    ./auditor.sh [-a] [-ast] [-c] [-d] [-h] [-i <arg>] [-p <arg>] [-q] [-r <arg>]

    -a,--all         Run all detectors.
    -ast,--assets    Run all detectors for each individual asset.
    -c,--color       Turns on tool output coloring.
    -d,--defaults    Runs detectors including Kubernetes default assets. Disabled by default.
    -h,--help        Print help information.
    -i,--iso <arg>   Run Node Isolation detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                         1. NODE_SELECTOR_POD_REJECTED
                         2. NODE_TAINTS_POD_REJECTED
                         3. NODE_AFFINITY_POD_REJECTED
    -p,--psp <arg>   Run PSP (Pod Security Policy) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                         1. PRIVILEGED_CONTAINERS
                         2. CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE
                         3. CONTAINERS_SHARING_HOST_IPC
                         4. CONTAINER_SHARING_HOST_NETWORK_NAMESPACE
                         5. CONTAINERS_ALLOW_PRIVILEGE_ESCALATION
                         6. ROOT_CONTAINERS_ADMISSION
                         7. CONTAINERS_NET_RAW_CAPABILITY
                         8. CONTAINERS_ADDED_CAPABILITIES
                         9. CONTAINERS_CAPABILITIES_ASSIGNED
    -q,--quiet       Prints out only misconfigurations, without additional detector info. Disabled by default.
    -r,--rbac <arg>  Run RBAC (Role Based Access Control) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                         1. CLUSTER_ADMIN_ROLE_USED
                         2. SECRET_ACCESS_ALLOWED
                         3. WILDCARD_USED
                         4. CREATE_PODS_ALLOWED
                         5. AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED
                         6. ESCALATING_RESOURCES_REPORT

Examples

Run all detectors:
    ./auditor.sh
or
    ./auditor.sh --all

Run specific detectors:
    ./auditor.sh --iso 1 --psp 2,3 --rbac
This will run the first isolation detector (NODE_SELECTOR_POD_REJECTED), the second and third PSP detectors (CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE, CONTAINERS_SHARING_HOST_IPC) and all RBAC detectors. Detectors can be chosen by specifying a list of indices in accordance with the lists given in the help section of the tool.

Run detectors for individual assets:
    ./auditor.sh --assets                            # Runs all detectors.
    ./auditor.sh --assets --iso 0 --psp 1,2 --rbac   # Runs only specified detectors.
A detector auditing assets for vulnerabilities individually: instead of running a detector on all available assets, runs all detectors on a single asset at a time.

Additional features
In addition to the examples listed above, the tool can be run with the following options:

Coloring:
    ./auditor.sh -c
Vulnerabilities will be colored in red.

Quiet mode:
    ./auditor.sh -q
No additional information about vulnerabilities will be printed out besides the detector names and the vulnerable assets found.

Including K8s defaults:
    ./auditor.sh -d
Includes K8s defaults in the audit. A default K8s cluster will have some configurations which might be considered vulnerable by the tool. Those configurations are excluded from the audit by default, but including them might be useful for some researchers (e.g. those auditing K8s itself).

Detector Information
For detailed information about the vulnerabilities the detectors are checking for, refer to OUTPUTS.md.

References
Some of the implemented detectors refer to CIS Benchmarks.

Contributing
See CONTRIBUTING.md.

License
Copyright 2020 Google LLC. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Download: gke-auditor-master.zip or git clone https://github.com/google/gke-auditor.git
Source
    1 point
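The PSP and RBAC detector names in the README above are terse, and the tool itself is Java that talks to a live cluster. The following added example (written for this page; it is not GKE Auditor's own code) reimplements a subset of those detectors in Python over kubectl-style JSON objects, so it is clear what each name actually checks. The sample objects, and the names `debug`, `web`, `reader` and `ci-admin` in them, are constructed for the demonstration.

```python
"""Re-implementation of several GKE Auditor PSP/RBAC detectors over kubectl JSON.
Added example for this page; not the tool's own (Java) code."""
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str]  # (detector name, "Kind/namespace/name[:container]")
READ_VERBS = {"get", "list", "watch", "*"}


def _ident(obj: Dict) -> str:
    meta = obj.get("metadata", {})
    return f'{obj["kind"]}/{meta.get("namespace", "-")}/{meta.get("name", "?")}'


def _pod_spec(obj: Dict) -> Dict:
    """Pod spec of a Pod, or of a workload (Deployment, DaemonSet, ...) via its template."""
    if obj["kind"] == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def pod_detectors(obj: Dict) -> List[Finding]:
    """PSP-style checks. Kubernetes defaults are the permissive ones, so a missing
    allowPrivilegeEscalation: false, runAsNonRoot: true or NET_RAW drop is a finding."""
    spec = _pod_spec(obj)
    if not spec:
        return []
    who, out = _ident(obj), []
    pod_sc = spec.get("securityContext") or {}
    for flag, name in (("hostPID", "CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE"),
                       ("hostIPC", "CONTAINERS_SHARING_HOST_IPC"),
                       ("hostNetwork", "CONTAINER_SHARING_HOST_NETWORK_NAMESPACE")):
        if spec.get(flag) is True:
            out.append((name, who))
    if spec.get("automountServiceAccountToken") is not False:
        out.append(("AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED", who))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        cwho = f'{who}:{c.get("name", "?")}'
        if sc.get("privileged") is True:
            out.append(("PRIVILEGED_CONTAINERS", cwho))
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(("CONTAINERS_ALLOW_PRIVILEGE_ESCALATION", cwho))
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            out.append(("ROOT_CONTAINERS_ADMISSION", cwho))
        if not {d.upper() for d in caps.get("drop", [])} & {"NET_RAW", "ALL"}:
            out.append(("CONTAINERS_NET_RAW_CAPABILITY", cwho))
        if caps.get("add"):
            out.append(("CONTAINERS_ADDED_CAPABILITIES", cwho))
    return out


def rbac_detectors(obj: Dict) -> List[Finding]:
    """RBAC checks on Role/ClusterRole rules and on bindings to cluster-admin."""
    who, out = _ident(obj), []
    if obj["kind"] in ("ClusterRoleBinding", "RoleBinding"):
        if obj.get("roleRef", {}).get("name") == "cluster-admin":
            out.append(("CLUSTER_ADMIN_ROLE_USED", who))
        return out
    if obj["kind"] not in ("Role", "ClusterRole"):
        return out
    for rule in obj.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups | resources | verbs:
            out.append(("WILDCARD_USED", who))
        if resources & {"secrets", "*"} and verbs & READ_VERBS:
            out.append(("SECRET_ACCESS_ALLOWED", who))
        if resources & {"pods", "*"} and verbs & {"create", "*"}:
            out.append(("CREATE_PODS_ALLOWED", who))
    return out


def audit(objects: Iterable[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for obj in objects:
        findings += pod_detectors(obj) + rbac_detectors(obj)
    return sorted(set(findings))


# Constructed sample input, shaped like the `items` of `kubectl get ... -o json`.
SAMPLE = [
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "default"},
     "spec": {"hostPID": True, "containers": [
         {"name": "shell", "image": "busybox",
          "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "prod"},
     "spec": {"automountServiceAccountToken": False, "containers": [
         {"name": "app", "image": "nginx",
          "securityContext": {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                              "capabilities": {"drop": ["ALL"]}}}]}},
    {"kind": "ClusterRole", "metadata": {"name": "reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "default"}]},
]

if __name__ == "__main__":
    for detector, asset in audit(SAMPLE):
        print(f"{detector:45s} {asset}")
```

To run it against a real cluster, pass the `items` array of `kubectl get pods,roles,clusterroles,rolebindings,clusterrolebindings -A -o json` to `audit()`. The hardened `web` pod produces no findings while the `debug` pod trips seven detectors, which is the contrast the PSP detectors are built to surface. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; the pod-spec conditions these detectors encode are unchanged and are what the replacement Pod Security Standards enforce at the restricted level.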
  6. Hardware security keys, such as those from Google and Yubico, are considered the most secure means to protect accounts from phishing and takeover attacks. But new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side channel in the chip embedded in it.

The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device like the Google Titan Key or YubiKey, thus completely undermining the 2FA protection.

"The adversary can sign in to the victim's application account without the U2F device, and without the victim noticing," NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis. "In other words, the adversary created a clone of the U2F device for the victim's application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials."

The full list of products impacted by the flaw includes Google Titan Security Key (all versions), Yubico YubiKey NEO, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40. Besides the security keys, the attack can also be carried out on NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.

The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful. An attacker first has to steal the target's login and password for an account secured by the physical key, then stealthily gain access to the Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.

"It is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one," the researchers said.

To clone the U2F key, the researchers started by tearing the device down with a hot air gun to remove the plastic casing and expose the two microcontrollers soldered inside: a secure element (NXP A700X) that performs the cryptographic operations, and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller.

Once this is achieved, the researchers say it's possible to recover the ECDSA private key via a side-channel attack by observing the electromagnetic radiation coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol, which the device performs with the per-account private key every time it authenticates to the account it was registered with.

A side-channel attack works from information gained from the physical implementation of a computer system, rather than from a weakness in the software. Often, such attacks leverage timing information, power consumption, electromagnetic leaks, and acoustic signals as a source of data leakage.

By acquiring 6,000 such side-channel traces of U2F authentication request commands over a six-hour period, the researchers said they were able to recover the ECDSA private key linked to a FIDO U2F account created for the experiment, using an unsupervised machine learning model.

Although the cost and physical-access requirements mean hardware keys remain far safer than no second factor, exploitation in the wild is not inconceivable. "Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it," the researchers concluded. "Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered."

Source: https://thehackernews.com/2021/01/new-attack-could-let-hackers-clone-your.html
    1 point
  7. If I understood correctly, it has nothing to do with Trezor. It's NXP's fault that their secure chip is vulnerable to EM profiling. Although their specifications boast the most sci-fi features, I see it still wasn't validated properly. This raises questions about the other secure crypto-processors/enclaves/elements too: why not the ones from STM, Qualcomm, Microchip? The cost isn't that high considering these chips are also used by the military, intelligence services, governments, etc. (come on, 6 hours on a $12,000 machine; even 10 times more expensive would still be fine.)
    1 point
  8. Jaxx doesn't require KYC. Also, you have the option to exchange between cryptocurrencies without even entering your e-mail address.
    1 point
  9. Why everyone should be using Signal instead of WhatsApp
The Signal protocol underpins WhatsApp's encryption, but Facebook's ubiquitous messaging service doesn't hold a candle to Signal itself
By K.G. Orphanides, Thursday 16 April 2020, WIRED

WhatsApp is the most popular communications app on the planet, with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as its default for messaging in 2016. To do so it cooperated with Moxie Marlinspike's Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have also used the protocol, widely regarded as the gold standard in encrypted communications.

Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation's flagship Signal app provides fully-fledged and easy to use secure communications in its own right. It has direct and group messaging, as well as one-to-one audio and video chat, and there are very good reasons to opt for secure messaging's Cool Original flavour over WhatsApp. In February, the European Commission advised its staff to do exactly that.

Here's why you should use Signal for any conversation where privacy matters, even if that's just giving your family the shared Disney+ password, and why your friends should, too.

1. Signal has more up-to-date security features

New security features come to Signal first. For example, Signal has had disappearing messages, which are automatically deleted after a specified period of time, since 2016, but the feature is still being tested with small numbers of WhatsApp users. Other mainstream and beta Signal features that WhatsApp users don't have include view-once media messages, encrypted profiles, an incognito keyboard switch for Android to keep Gboard from sending your typing history back to Google, and backups that don't default to unencrypted storage in Google Drive or Apple iCloud. Signal also has a slightly broader range of clients, with a dedicated client for Linux desktop users, likely to appeal to those in the security and data analysis fields, while WhatsApp directs them to its web app.

2. Signal is open source

All of Signal's source code is published for anyone to examine and use, under a GPLv3 license for the clients and an AGPLv3 license for the server. This means that you can see what's going on inside it or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they're looking for.

3. Signal has less potential for hidden vulnerabilities

As a larger platform, WhatsApp is more inviting to malicious actors to start with, but the fact that its codebase is a proprietary closed box means that it may take longer for dangerous vulnerabilities to be detected. Any application can and eventually will suffer vulnerabilities; Signal has resolved a few of its own. But WhatsApp's closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they're exploited. A particularly worrying example was a vulnerability in WhatsApp's VoIP stack, used by intelligence agencies to inject spyware in 2019.

4. You can run your own Signal server (but probably shouldn't)

Another advantage of open source software is that you can play with it, if you're that way inclined. You probably won't want or need a Signal server of your own for either personal or business reasons. It's designed as a mass communications platform and isn't really intended to scale down, it's a pain to build, and there are currently no containerised versions for easy deployment. But if you're technically minded, you can learn a lot about how a system functions by building a test instance and poking it with a stick. It's non-trivial, but community guides are available to help users get a Signal server up and running, and some interesting forks exist, including a decentralised messaging system.

5. How much can you trust Facebook?

Perhaps the most compelling reason to use Signal is Facebook's long-standing lack of respect for its users' privacy. Facebook has an appalling history when it comes to data collection and handling, from the Cambridge Analytica affair to its practice of sharing data about users with phone manufacturers. It's already proved that it can't be trusted with WhatsApp user data that should, under EU law, have remained private. In 2017, European regulators took action against Facebook for sharing WhatsApp users' phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented.

WhatsApp co-developer Brian Acton, who left Facebook in 2017 and went on to co-found the Signal Foundation with Marlinspike, has harshly criticised Facebook's approach to privacy and revealed that Facebook coached him "to explain that it would be really difficult to merge or blend data between [WhatsApp and Facebook]" when giving information to EU regulators in 2014. Facebook's desire to insert adverts and commercial messaging into WhatsApp, and potentially compromise its security, prompted Acton to leave Facebook early, sacrificing some $850 million in stock in the process. Acton's fellow WhatsApp developer, Jan Koum, also walked out on Facebook following reported disputes with the company over its efforts to weaken encryption.

Mark Zuckerberg has since publicly supported end-to-end encryption, saying it will also be added to its Messenger app. Facebook was until recently still vacillating over plans to introduce adverts to WhatsApp, with the latest reports indicating that the plan has finally been scrapped, although it's not clear what will eventually happen to the service when Facebook merges WhatsApp with Instagram messaging and Messenger.

Source: https://www.wired.co.uk/article/signal-vs-whatsapp
    1 point
  10. Honestly, the arguments don't seem very solid to me. Yes, WhatsApp is closed source, but that doesn't necessarily mean it has spyware and logs absolutely everything. Of course, for the highest level of privacy concern it makes sense to use Signal, but from Facebook's paper you can tell they're trying to provide the strongest security they can for messages. There's a risk that WhatsApp will be less secure in the future, but at the moment I don't think there's much evidence of wrongdoing. As for "At no time does the WhatsApp server have access to client's private keys", I presume it was removed because of the Business API. "The WhatsApp server has no access to the client's private keys, though if a business user delegates operation of their Business API client to a vendor, that vendor will have access to their private keys - including if that vendor is Facebook." Stupid. But not necessarily malicious.
    1 point
  11. Hard to say, if I understood correctly what you're after... nowadays everyone wants to know who you are (KYC). There were some in Israel; you can find more information on Google. Only up to 300 euro without verification... so you've got some work ahead of you..?
    0 points
This leaderboard is set to Bucharest/GMT+03:00