Forwarded from BlackBox (Security) Archiv
Step-by-step guides and detailed information on secure messaging apps for Android, iOS, Windows, Mac and Linux.
💡 Apps are listed in order of:
✅✅ = "Highly Recommended"
✅ = "Worth a Try"
❌= "Not Recommended"
👀 👉🏼 https://securechatguide.org/centralizedapps.html
#secure #chat #messaging #apps #android #iOS #windows #mac #linux #guide
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
💡 Apps are listed in order of:
✅✅ = "Highly Recommended"
✅ = "Worth a Try"
❌= "Not Recommended"
👀 👉🏼 https://securechatguide.org/centralizedapps.html
#secure #chat #messaging #apps #android #iOS #windows #mac #linux #guide
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Your Computer Isn't Yours
https://sneak.berlin/20201112/your-computer-isnt-yours
It’s here. It happened. Did you notice?
I’m speaking, of course, of the world that Richard Stallman predicted in 1997. The one Cory Doctorow also warned us about.
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.
...
#Mac #Apple #why
https://sneak.berlin/20201112/your-computer-isnt-yours
It’s here. It happened. Did you notice?
I’m speaking, of course, of the world that Richard Stallman predicted in 1997. The one Cory Doctorow also warned us about.
On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.
It turns out that in the current version of the macOS, the OS sends to Apple a hash (unique identifier) of each and every program you run, when you run it. Lots of people didn’t realize this, because it’s silent and invisible and it fails instantly and gracefully when you’re offline, but today the server got really slow and it didn’t hit the fail-fast code path, and everyone’s apps failed to open if they were connected to the internet.
...
#Mac #Apple #why
sneak.berlin
Your Computer Isn't Yours
The personal website of Jeffrey Paul.
Forwarded from BlackBox (Security) Archiv
Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it
Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.
AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.
AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.
A matter of milliseconds
To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.
Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.
The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.
https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it
#apple #mac #iphone #airdrop #vulnerability
📡 @nogoolag 📡 @blackbox_archiv
Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.
AirDrop, the feature that allows Mac and iPhone users to wirelessly transfer files between devices, is leaking user emails and phone numbers, and there's not much anyone can do to stop it other than to turn it off, researchers said.
AirDrop uses Wi-Fi and Bluetooth Low Energy to establish direct connections with nearby devices so they can beam pictures, documents, and other things from one iOS or macOS device to another. One mode allows only contacts to connect, a second allows anyone to connect, and the last allows no connections at all.
A matter of milliseconds
To determine if the device of a would-be sender should connect with other nearby devices, AirDrop broadcasts Bluetooth advertisements that contain a partial cryptographic hash of the sender's phone number and email address. If any of the truncated hashes matches any phone number or email address in the address book of the receiving device or the device is set to receive from everyone, the two devices will engage in a mutual authentication handshake over Wi-Fi. During the handshake, the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses.
Hashes, of course, can't be converted back into the cleartext that generated them, but depending on the amount of entropy or randomness in the cleartext, they are often possible to figure out. Hackers do this by performing a "brute-force attack," which throws huge numbers of guesses and waits for the one that generates the sought-after hash. The less the entropy in the cleartext, the easier it is to guess or crack, since there are fewer possible candidates for an attacker to try.
The amount of entropy in a phone number is so minimal that this cracking process is trivial since it takes milliseconds to look up a hash in a precomputed database containing results for all possible phone numbers in the world. While many email addresses have more entropy, they too can be cracked using the billions of email addresses that have appeared in database breaches over the past 20 years.
https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it
#apple #mac #iphone #airdrop #vulnerability
📡 @nogoolag 📡 @blackbox_archiv
Ars Technica
Apple’s AirDrop leaks users’ PII, and there’s not much they can do about it
Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.
Zapstore
Permissionless and social app store built on the #nostr protocol
For #Android #Linux and #Mac
https://zapstore.dev
Download
https://zapstore.dev/download/
Sources
https://github.com/zapstore
Secure by default
Everything you install comes from trusted sources and is cryptographically verified. Not satisfied with the default? Choose your own curators, or mix and match! Censorship has no place in our world.
Relevant to you
Supercharged by the nostr open protocol, recommendations come right from your social connections — or use it in totally private way. With our growing catalog, you will never run out of great apps.
Support your devs
Connect with your favorite developers: send them direct feedback, request features and support them through micropayments, all without any middlemen.
#apk #store
Permissionless and social app store built on the #nostr protocol
For #Android #Linux and #Mac
https://zapstore.dev
Download
https://zapstore.dev/download/
Sources
https://github.com/zapstore
Secure by default
Everything you install comes from trusted sources and is cryptographically verified. Not satisfied with the default? Choose your own curators, or mix and match! Censorship has no place in our world.
Relevant to you
Supercharged by the nostr open protocol, recommendations come right from your social connections — or use it in totally private way. With our growing catalog, you will never run out of great apps.
Support your devs
Connect with your favorite developers: send them direct feedback, request features and support them through micropayments, all without any middlemen.
#apk #store
Hardware Security Threats Against #Bluetooth #Mesh Networks
https://ieeexplore.ieee.org/document/8433184/authors#authors
Security risks of Bluetooth
Man-in-the-middle attacks (#MITM):
Bluetooth connections can be susceptible to eavesdropping attacks if strong encryption is not used. Older Bluetooth versions (before 4.2) are particularly risky.
#Bluejacking & #bluesnarfing:
Attackers could try to send unwanted messages (bluejacking) or even steal data from devices (bluesnarfing).
Traceability:
Bluetooth devices often send unique #MAC addresses, which makes users traceable.
Weak standard pairing methods:
Many devices still use simple PINs or confirm connections without verification (e.g. "Just Works" mode with Bluetooth LE).
Risks specific to Bluetooth mesh networks
Mesh networks increase the attack surface:
Each device in the mesh acts as a relay, which means that a compromised device could influence the entire data traffic.
Lack of end-to-end encryption:
If the app/software does not implement additional encryption, messages can be forwarded in plain text.
Decentralized management:
Without centralized control, it is difficult to identify and remove malicious nodes.
https://ieeexplore.ieee.org/document/8433184/authors#authors
Security risks of Bluetooth
Man-in-the-middle attacks (#MITM):
Bluetooth connections can be susceptible to eavesdropping attacks if strong encryption is not used. Older Bluetooth versions (before 4.2) are particularly risky.
#Bluejacking & #bluesnarfing:
Attackers could try to send unwanted messages (bluejacking) or even steal data from devices (bluesnarfing).
Traceability:
Bluetooth devices often send unique #MAC addresses, which makes users traceable.
Weak standard pairing methods:
Many devices still use simple PINs or confirm connections without verification (e.g. "Just Works" mode with Bluetooth LE).
Risks specific to Bluetooth mesh networks
Mesh networks increase the attack surface:
Each device in the mesh acts as a relay, which means that a compromised device could influence the entire data traffic.
Lack of end-to-end encryption:
If the app/software does not implement additional encryption, messages can be forwarded in plain text.
Decentralized management:
Without centralized control, it is difficult to identify and remove malicious nodes.