Security


Confidentiality Integrity Availability

founded 5 years ago
77
 
 

Here is their pull request (with plenty of users' negative comments)

They even got anti-feature from F-Droid because of this

In short, the developers don’t listen to users' opinions and just close all (or nearly all) issues with negative comments about this.

So as not to flood the topic, I will post links to closed issues in a “code” box. This is the list where users are really unhappy about this idea:

https://github.com/organicmaps/organicmaps/issues/7119
https://github.com/organicmaps/organicmaps/issues/6707
https://github.com/organicmaps/organicmaps/issues/6773
https://github.com/organicmaps/organicmaps/issues/6668
https://github.com/organicmaps/organicmaps/issues/6967
https://github.com/organicmaps/organicmaps/issues/6774
https://github.com/organicmaps/organicmaps/pull/6720
https://github.com/organicmaps/organicmaps/issues/6774

From the KAYAK privacy policy (kayak[dot]de/privacy; not clickable, so that you don't accidentally leak your information to them):

What they STEAL:

- Personal details (such as your name, age, birthday, gender)
- Contact information (such as email address, address, phone number)
- Booking information (such as, for each traveler, the traveler's name, frequent flyer details, passport number, redress control number, country of citizenship, booking reference number, and itinerary, which may include name of airline or carrier, hotel accommodation and/or vessel, port of destination, port of arrival, date and time of departure and/or check-in, date and time of arrival and/or check-out, meal preferences, luggage information, and layover information)
- Account information (such as login credentials, including email address and password, and account settings)
- Social media data (if you choose to link your KAYAK account with a social media account, KAYAK may collect personal information such as name, age, gender, photograph, and other personal information relating to your social media account)
- Billing information (such as credit, debit, or other payment card information and billing address)
- Your contacts (such as contact information of people you add to, or notify of, your reservations or itineraries through our Services)
- Your preferences (such as your home airport, seating preferences, meal preferences, communication preferences, and other preference information you provide us)
- Reviews you submit (including any screenname you publish under or any personal information you include about yourself or others in such review)
- Content you publish (including your travel recommendations and any personal information you include about yourself or others, or in content you publish in your Guide or other mediums provided by us)
- Photos of you (such as when you add a photo of yourself to your profile, upload photos to a review, or link your social media account to your KAYAK account)
- Communications you send us (such as questions, conversations, complaints, or other information that you may submit to our support team)
- Promotion information (if you choose to participate in a contest, sweepstakes, or similar campaign, we will collect any information you provide in relation to such activity, such as photos, images, captions, or other content, in accordance with the terms provided at that time)
- Other information you may provide (including other information you provide about yourself or others through our Services or to which you provide us with access via third-party platforms)

What they can do with this:

- Send you marketing communications, including communicating with you about services or products offered by KAYAK, our group companies, or our business partners…
- Provide services and information to travel partners, such as providing user feedback and usage details
- Provide you more relevant advertising on and off our Services
- Comply with our policies, procedures and legal obligations, including complying with law enforcement or government authority requests
- As otherwise consented to by you and as required or permitted by applicable law

The most important thing is that the developers argue with the F-Droid community and their own community, and are closing everything related to this idea.

85
 
 

A HIDS (host-based intrusion detection system) for verifying the integrity of a system.

Features

  • checks the integrity of system's files with a list of rules;
  • checks the output of commands (iptables, ...);
  • possibility to use RSA to sign to check the integrity of its database;
  • alerts are written in the logs of the system;
  • alerts can be sent via email to a list of users;
  • alerts can be sent on IRC channels through the irker IRC client (which should be running as a daemon);
  • verify files with Hashlookup, Pandora, MISP and YARA;
  • possibility to export the database in a Bloom or a Cuckoo filter.

pyHIDS is under GPLv3 license.

Homepage: https://github.com/cedricbonhomme/pyHIDS

89
 
 
  • it is only 11Mb in size
  • input method to avoid system keyboard key logging

check your data breach https://monitor.firefox.com to learn why you need multiple passwords

check about #lastpass to learn about why you do not share passwords

optionally sync files between devices

91
 
 

cross-posted from: https://lemmy.ml/post/4958656

Chrome was updated September 11

Electron updated September 12

Matrix Element Desktop updated September 15, without a changelog or advisory. (The Element update on September 13 did not include the updated electron with the fix; today's update does, according to their announcement on Matrix.)

Many/most electron apps don't receive timely security updates, so if you don't want arbitrary images to be able to get code execution you might want to stop using them.

92
 
 

cross-posted from: https://infosec.pub/post/2466014

This is my first write-up, on a vulnerability I discovered in iTerm2 (RCE). Would love to hear opinions on this. I tried to make the writing engaging.

93
 
 

The machine is running Windows 11

95
6
The Legacy of Stagefright (blog.isosceles.com)
submitted 2 years ago* (last edited 2 years ago) by ijeff@lemdro.id to c/security@lemmy.ml
 
 

cross-posted from: https://lemdro.id/post/190327 (!android@lemdro.id)

Every so often a piece of security research will generate a level of excitement and buzz that's palpable. Dan Kaminsky's DNS bug, Barnaby Jack's ATM Jackpotting, Chris Valasek and Charlie Miller's Jeep hacking escapades. There's something special about the overheard conversations, the whispered sightings of the superstar du jour, and the packed-to-the-rafters conference hall. These moments have delivered something more than just research: they delivered entertainment.

Stagefright was one of these big moments. A frenzied feeling in the air, a willing showman, and a message to deliver. Mobile security was broken, seriously broken.

It's been 8 years since Stagefright's careful dissection of Android's remote security posture, and it seems like a great time to revisit the event and its aftermath. Like any great piece of research, Stagefright changed the world, and it's only with hindsight that it's really possible to understand how.

See article for more.

96
 
 

I was organizing and cleaning my mail today, and I saw a mail from a few days ago that I left unread.

This is a copypaste of that mail:

Hello!

Unfortunately, there are some bad news for you. Around several months ago I have obtained access to your devices that you were using to browse internet. Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online). Clearly, I have effortlessly logged in to email account of yours (contact@vis4valentine.com).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access. Actually, that was quite simple (because you were clicking the links in inbox emails). All smart things are quite straightforward. (>_<)

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard. I have managed to download all your personal data, as well as web browsing history and photos to my servers. I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history. My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment...

While collecting your information, I have found out that you are also a huge fan of websites for adults. You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun. I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues. It is also not a problem for me to allow those vids for access of public as well. I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let's resolve it like this: All you need is $1450 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay. Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period. If you are unaware how to buy and send bitcoins - it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: 13g3WtdxuoB9AVyy54QW9xxbDtFjE2iNHk

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:

Do not attempt to reply my email (the email in your inbox was created by me together with return address). Do not attempt to call police or any other security services. Moreover, don't even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) - the video of yours will become available to public immediately. Do not attempt to search for me - there is completely no point in that. All cryptocurrency transactions remain anonymous at all times. Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don't need to be concerned about:

That I will not receive the money you transferred.

  • Don't you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

That I still will make your videos available to public after your money transfer is complete.

  • Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago!

Everything will be carried out based on fairness!

Before I forget...moving forward try not to get involved in this kind of situations anymore! An advice from me - regularly change all the passwords to your accounts.

The thing is, this was sent on July 13 and I just opened it today. So I went through the 48 hours without paying and nothing happened, didn't send any more mail and my family and friends certainly had not gotten any videos of me jerking off. Also the language is very vague. "You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun." That could apply to almost anyone. If someone tried to blackmail me, they gotta be more specific.

Also, a trojan? I use GNU/Linux and most of my current devices are Raspberry Pis because my main computer died and I'm waiting for a new laptop to ship. And I never used TeamViewer in my life.

BTW my mail is public, so I'm not concerned about being doxxed lol.

I changed my mail password which is a painless process and needed to be updated anyway.

What do you think? Should I watch my back?

100
-3
Power LED Attack (www.youtube.com)
submitted 2 years ago by yogthos@lemmy.ml to c/security@lemmy.ml