What’s your data really worth?

proton.me What’s your data really worth? | Proton

Your data is valuable. And that’s exactly why you should keep it safe by using privacy-focused services.

Comment

Well, this article promotes Proton's products a bit, but the info is interesting anyway.

Summary

The article discusses the value of your data to big tech companies, mainly focusing on Google and Facebook.

Key Points:

  • Facebook: Makes $42.34 per user globally, with US/Canada users valued much higher at $217.26. They recently offered an ad-free option for €9.99/month, suggesting a higher internal valuation.
  • Google: Earns around $47 per user globally from Search ads, but this varies greatly by region (US users generate $393).
  • Other Big Tech: Amazon, Apple, Microsoft also generate billions from ads.
  • Beyond ads: Data is sold in less obvious ways (ISPs, car companies, grocery stores). Black market prices exist for stolen data (credit cards, etc.).
  • Total value: Hundreds of dollars per year are extracted from each user by various companies.
  • Privacy concerns: The article questions the ethical implications of big tech profiting from user data without informed consent. It emphasizes the importance of privacy and using encrypted services like Proton to protect your data.

Overall, the article urges readers to be aware of the value of their data and take steps to protect it from exploitation.

5

What is an evil twin attack, and should they worry you? Alternate title: should you use VPN when connecting to the public WIFI?

protonvpn.com What is an evil twin attack, and should they worry you? - Proton VPN Blog

Evil twin attacks used to be a menace on public WiFi networks, but the widespread adoption of HTTPS has drastically reduced the risk.

Comment:

I thought this article gives a balanced view on whether we should use a VPN with a public WiFi network, instead of the normal VPN vendor selling fears.

Summary:

Evil Twin Attacks - Not a major threat anymore

What is it?

Evil twin attacks involve hackers setting up fake Wi-Fi networks that mimic legitimate ones in public places. Once connected, attackers can spy on your data.

Why was it scary?

Before 2015, most online connections weren't encrypted, making your data vulnerable on such networks.

Why isn't it a major threat anymore?

  • HTTPS encryption: Most websites (85%) now use HTTPS, which encrypts your data, making it useless even if intercepted.
  • Let's Encrypt: This non-profit campaign made free website encryption certificates readily available, accelerating the widespread adoption of HTTPS.

Are there still risks?

  • Non-HTTPS websites: A small percentage of websites (15%) lack HTTPS, leaving your data vulnerable.
  • WiFi sniffing: Although not as common, attackers can still try to intercept unencrypted data on public Wi-Fi.

Should you still be careful?

  • Use a VPN: Even with HTTPS, your browsing history can be tracked by Wi-Fi providers and ISPs. A VPN encrypts your data and hides your activity.
  • Be cautious with non-HTTPS websites: Avoid entering sensitive information like passwords on such websites.

Overall:

HTTPS encryption has significantly reduced the risks of evil twin attacks. While vigilance is still recommended, especially when using unencrypted websites, it's no longer a major threat for most web browsing.

20

A big win for open Internet: Court sides with an ad blocker in a copyright case

adguard.com A big win for open Internet by eyeo

eyeo, the company behind AdBlock Plus, has claimed an important victory in court. It will allow users to continue using extensions to block ads without fear of repercussions.

11

Are Electron-based desktop applications secure?

www.kaspersky.com Are Electron-based desktop applications secure?

Many popular desktop applications are based on the Electron framework. We explain why this can pose a security problem.

Comment

Don't forget to update ALL web browsers on ALL platforms, plus at least Electron apps.

Summary

The article discusses the security of Electron-based desktop applications and highlights several key points:

Introduction to Electron: Electron is a popular cross-platform desktop application development framework that uses web technologies like HTML, CSS, and JavaScript. It enables developers to create desktop applications for various operating systems based on web versions.

Advantages of Electron: Electron is favored by developers for its ability to streamline the development process for desktop apps across multiple operating systems. It also offers features for packaging, diagnostics, app store publication, and automatic updates.

Issues with Electron-Based Apps: Electron-based applications are known for being resource-intensive and having large file sizes. Additionally, they incorporate a Chromium web browser instance, making them potential targets for cybercriminals. Frequent vulnerabilities in Chromium can pose security risks, and Electron apps may not always receive timely updates.

Lack of Control: Users often have limited control over the Chromium instances within Electron apps, as updates depend on the app's vendor. This lack of control can lead to unpatched vulnerabilities and security concerns.

Common Electron-Based Applications: The article lists popular applications that are based on Electron, including 1Password, Agora Flat, Asana, Discord, Figma, GitHub Desktop, Hyper, Loom, Microsoft Teams, Notion, Obsidian, Polyplane, Postman, Signal, Skype, Slack, Splice, Tidal, Trello, Twitch, Visual Studio Code, WhatsApp, and WordPress Desktop.

Security Recommendations: To mitigate security risks associated with Electron-based apps, the article suggests the following measures:

  1. Reduce the number of Electron-based apps in use, as these apps typically have feature-rich web versions that may suffice.

  2. Maintain an inventory of Electron-based apps used within an organization and prioritize their updates, especially for collaboration tools.

  3. Employ a reliable security solution to protect against attacks targeting known vulnerabilities.

In summary, while Electron-based desktop applications offer cross-platform convenience for developers, they come with security challenges due to their Chromium integration and update dependencies. Users are advised to be cautious, minimize their use of such apps, and prioritize security measures to mitigate potential risks.

Electron app list, although apparently not including some apps: https://www.electronjs.org/apps

5
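An added example for the inventory recommendation in the Electron post above (not code from the article or from the poster): a directory scan that flags installs that look like packaged Electron apps and lists the stalest first. The marker paths, the use of file modification time as a staleness proxy, and the sample app names are assumptions for illustration.

```python
import os
import time

# Heuristic markers of a packaged Electron app. These are assumptions about
# common packaging layouts, not details taken from the article.
MARKERS = (
    os.path.join("resources", "app.asar"),             # Windows / Linux
    os.path.join("resources", "app", "package.json"),  # unpacked app folder
    os.path.join("Contents", "Frameworks", "Electron Framework.framework"),  # macOS
)

def find_electron_apps(roots, now=None):
    """Return Electron-looking app dirs under roots, stalest first."""
    now = time.time() if now is None else now
    apps = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for marker in MARKERS:
                hit = os.path.join(dirpath, marker)
                if os.path.exists(hit):
                    # Marker mtime is only a rough proxy for the last update.
                    age = round((now - os.path.getmtime(hit)) / 86400)
                    apps.append({"app": dirpath, "marker": marker, "age_days": age})
                    dirnames[:] = []  # do not descend into a matched app
                    break
    return sorted(apps, key=lambda a: a["age_days"], reverse=True)

def build_sample_tree(base, now):
    """Create a constructed install tree: marker path -> age in days."""
    sample = {
        "ChatApp/resources/app.asar": 400,
        "Notes.app/Contents/Frameworks/Electron Framework.framework": 10,
        "NativeTool/bin/tool": 5,  # no Electron marker, must not be reported
    }
    for rel, age in sample.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if rel.endswith(".framework"):
            os.makedirs(path)
        else:
            open(path, "w").close()
        os.utime(path, (now - age * 86400,) * 2)

if __name__ == "__main__":
    import tempfile
    now = int(time.time())
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base, now)
        for a in find_electron_apps([base], now):
            print(f'{a["age_days"]:>4} days  {os.path.basename(a["app"])}  ({a["marker"]})')
```

On a real machine, pass the install locations to `find_electron_apps` instead of the constructed tree; a match means the app likely bundles its own Chromium and depends on the vendor for updates.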

Google strengthens its Workplace suite protection, apps including Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps)

www.malwarebytes.com Google strengthens its Workplace suite protection

We take a look at how Google is strengthening protections across its Workplace products, and Gmail in particular.

Summary

Google has strengthened the security of its Workspace suite by adding new challenges that users must complete when performing sensitive actions. These challenges can include entering a verification code from Google Authenticator, using a security key, or using a recovery/signed-in device.

The new challenges are designed to catch out attackers who have hijacked a user's account. For example, if an attacker tries to change the user's password or add a forwarding address to their email, they will be prompted to complete a challenge. If they fail to complete the challenge, the user will be notified and the attacker will be prevented from making changes to the account.

The new challenges are available for all Workspace customers and can be customized by administrators. Note that Workspace customers include all those using products such as Gmail, Calendar, Drive, or Google Docs Editors Suite (among other apps).

New Gmail Actions that would Trigger Verification

  • Filters: creating a new filter, editing an existing filter, or importing filters.

  • Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings.

  • IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not)

Existing Common Actions that would Trigger Verification

  • View activity saved in your Google Account

  • Change your password

  • View saved passwords

  • Turn on 2-Step Verification

  • Download your data

  • Change channel ownership on YouTube Creator Studio

  • Change Google Ads account budget

  • Buy any other product or service from Google

  • Example: Buy a Google Pixel or Nest device from Google Store

Identity Verification

The device you use to do this must have been registered for a period of seven days minimum:

  • A device associated with the recovery phone number for your account

  • A device that's signed in to your Google Account

  • For accounts with 2-Step Verification turned on

  1. A security key that’s been added to your Google Account

  2. A verification code from Google Authenticator

Blog/News Key Points

  • Google has strengthened the security of its Workspace suite by adding new challenges that users must complete when performing sensitive actions.

  • The new challenges are designed to catch out attackers who have hijacked a user's account.

  • The new challenges are available for all Workspace customers and can be customized by administrators.

  • Identity verification can use recovery/signed-in device or 2FA methods.

3