Nhảy tới nội dung

2023-09-08

NSO group iPhone zero-click, zero-day exploit captured in the wild

  • Apple has released an update to address a zero-click vulnerability discovered by Citizen Lab, which was leveraged to deploy NSO Group's Pegasus spyware.
  • The exploit chain, known as BLASTPASS, could compromise iPhones running the latest iOS version without victim interaction. In response, Apple issued two CVEs (Common Vulnerabilities and Exposures), identifiers for publicly known security risks.
  • Users are recommended to update their devices and enable Lockdown Mode, potentially blocking this attack. This incident underscores the targeting of civil society organizations and the need for their cybersecurity support.

Reactions

  • The discussion revolves around the NSO Group, an Israeli cybersecurity company, criticized for selling zero-click, zero-day exploits for iPhones, with concerns that authoritarian states employ their software to monitor and suppress activists and journalists.
  • Matters such as Apple's Lockdown Mode limitations, iMessage security, the efficacy of security measures, and the need for stronger protections to address vulnerabilities are considered, including the potential ramifications of iPhone region-locking.
  • The debate includes suggestions for strengthening security like fuzzing, using memory-safe languages (such as Rust), overcoming sandboxing limitations, and the importance of ethical considerations and regulatory measures in the cybersecurity industry.

Chrome now tracks users and shares a “topic” list with advertisers

  • Google has introduced a new ad platform in Chrome called "Privacy Sandbox," which monitors user activity to customize a list of advertising topics for websites.
  • While Google posits this as a necessary alternative to third-party tracking cookies—planning to block these by late 2024—critics suggest envisioning a world without targeted ads.
  • Chrome users have the ability to control this feature through their browser settings, offering some degree of agency over the process.

Reactions

  • The discourse encompasses numerous topics concerning web browsers such as privacy issues, tracking practices, effects on competition, new feature and ad introduction, browser performance, and the necessity for stricter regulations.
  • The conversation extends to possible alternatives to mainstream browsers like Google Chrome, bots on websites, the security and ease of use trade-off, user agent strings, and Google's treatment of user data.
  • These discussions underscore the prevailing debates and concerns about web browsers and user privacy.

Kagi Small Web

  • Kagi, a web search platform, has introduced Kagi Small Web, an innovative initiative focusing on boosting the visibility of the 'Small Web,' described as the non-commercial segment of the internet.
  • This new service collects fresh data from handpicked blogs, displays it within their search results, and also offers an RSS feed. It is open-source and includes a specially curated list of almost 6,000 verified websites. Kagi Small Web's goal is to give a more personal search experience, spotlight lesser-known aspects of the web, and stress the significance of the Small Web.
  • Kagi has also unveiled the Kagi Small Web website, a platform operating without JavaScript to enable user interactions like appreciation of posts and note-taking. Users can access Kagi Small Web via an RSS feed or API, and provide feedback or contribute through various platforms.

Reactions

  • Kagi, a minor web search engine, has introduced a novel feature, "Small Web" explicitly showcasing content from independent blogs and websites.
  • Although Kagi is applauded for its user-friendly UI, dedication to privacy, and value, there is some criticism regarding its incorporation of links to centralized platforms such as Twitter, leading to suggestions for substitutes like Mastodon or federated, libre software choices.
  • Despite uncertainties about scalability and business models, there's a general sense of enthusiasm and endorsement for Kagi's new initiative.

Mullvad on Tailscale: Privately browse the web

  • Mullvad, a privacy-focused Virtual Private Network (VPN) service, has teamed up with Tailscale to provide Tailscale customers the use of Mullvad's VPN servers. This partnership enhances user privacy and security during web browsing.
  • Tailscale, which creates a private internet environment, acts as a coordination layer between devices and Mullvad's network edge, guaranteeing end-to-end encryption and privacy.
  • Although Tailscale knows users' identities, it does not share personal information with Mullvad, further emphasizing privacy. This partnership allows for various uses of Mullvad exit nodes with Tailscale.

Reactions

  • The central theme of the article revolves around Virtual Private Networks (VPNs) and web proxies, highlighting their potential risks and different perspectives on their usage.
  • It includes a detailed focus on the integration of Tailscale and Mullvad, two VPN services, discussing their benefits and limitations.
  • There's an emphasis on privacy, censorship issues, and the usage of VPNs to access restricted content on the internet.

North Korean campaign targeting security researchers

  • Google's Threat Analysis Group provides an update on a North Korean campaign targeting security researchers who focus on vulnerability research and development.
  • The government-supported actors use 0-day exploits, establish rapport with their targets via social media, and then send malicious files using encrypted messaging platforms.
  • The group has created a Windows tool capable of downloading and executing unspecified codes from an attacker-controlled domain. Google is presently taking measures to protect its users and disseminate outcomes within the security community.

Reactions

  • North Korean hackers have been targeting security researchers with malicious code via GitHub, raising concerns about the safety of using open-source code.
  • The discussions delve into potential threats, including compromised maintainers, the misuse of GitHub stars, and questions surrounding the attribution of cyber attacks to North Korea.
  • The conversation also explores the training, recruitment tactics, and living conditions of North Korean hackers, sparking debates about the credibility of security intelligence reports and the risks these hackers present.
  • Microsoft's new Copilot Copyright Commitment defends customers from lawsuits over copyright infringement related to the use of Microsoft's Copilot services or their generated output.
  • The commitment applies to paid versions of Copilot services and mandates customers to use content filters and refrain from generating any infringing materials.
  • Microsoft's move aims to stand behind its customers, take responsibility for any legal issues from its product use, and ensure the promotion of AI goals, copyright respect, competition, and innovation.

Reactions

  • Microsoft has pledged to bear any copyright risks pertaining to its Copilot AI tool amid user worries about potential copyright infringement and the impact on the broader code repository.
  • There is ongoing debate around the legality and fair use of generative AI in content creation, with particular focus on its intersection with copyright law and the need for legal clarification.
  • Discussions have also emerged on the liability related to using Copilot and how enforceable Microsoft's commitment really is. The discourse contains diverging opinions, with some questioning the copyrightability of certain code snippets and others emphasizing respect for intellectual property.

Tailscale Has Partnered with Mullvad

  • Tailscale has entered into a collaboration with Mullvad VPN, letting their customers utilize both services in tandem.
  • This partnership allows Tailscale customers to reach their devices via Tailscale's mesh network and send outbound connections through Mullvad VPN's WireGuard servers.
  • The collaboration provides users with a higher degree of functionality and versatility.

Reactions

  • Tailscale has entered into a collaboration with Mullvad, a firm entrenched in the arena of internet security and privacy.
  • The specific details of this partnership and what it may entail are currently undisclosed.

Textual Web: TUIs for the Web

  • Textual Web is a project converting Textual-supported terminal applications into web apps, removing the necessity for firewall and port configurations.
  • It simplifies sharing applications through URLs, making web app development more attainable for Python developers lacking web development experience.
  • Future updates aim to incorporate additional web platform APIs and support for constructing terminal, web, and desktop apps from the same codebase. Right now, the Textual Web project is in public beta.

Reactions

  • The article explores the concept of Textual User Interfaces (TUIs) and how it compares to Graphical User Interfaces (GUIs), shedding light on their potential coexistence.
  • It highlights some tools, like AutoCAD and Emacs, that provide both TUI and GUI options, indicating the flexibility in the user interface design.
  • The Textual app, a TUI development framework for Python, is introduced, and some users' experiences and views on Textual are presented, providing an actual application and reaction to TUIs.

Mojo is available for local download

  • Mojo, a high-performance programming language tailored for AI developers, is now ready for local download. It integrates with Python, enabling the use of the complete Mojo feature set, including compiler features and IDE tools.
  • The Mojo Software Development Kit (SDK) offers tools like the Mojo Driver, a Visual Studio Code Extension, and Jupyter Integration. It allows developers to harness Python performance and access the Python ecosystem in a seamless manner.
  • Future plans for Mojo include open sourcing some parts of the language for further development and improvement.

Reactions

  • The conversation focuses on Mojo, a programming language, with concerns regarding its licensing model, closed-source nature, and unclear future in open-sourcing.
  • Users are reluctant to invest time in Mojo due to its closed-source aspect and the uncertainty about the creators' openness.
  • Opinions are divided on Mojo's syntax style, performance, and its effectiveness compared to Python for programming and machine learning tasks.

Grindr Loses Almost Half Its Staff on 2-Day RTO Requirement

  • The LGBTQ dating app, Grindr, has witnessed about 45% of its workforce resigning after it enforced a rigid back-to-office policy amidst unionization plans.
  • Grindr's policy required employees to work in-person for two days a week or risk being terminated.
  • Consequently, approximately 80 out of 178 employees had to resign due to disagreeing with the company's new strategy.

Reactions

  • This summary discusses certain issues, namely staff cuts at Grindr and allegations of improper handling of employees and potential security threats.
  • It notes Elon Musk's claim that Twitter advertising revenue declined due to the Anti-Defamation League (ADL) and Center for Countering Digital Hate (CCDH).
  • The summary also delves into the discussion on the expenditures incurred in managing a software company, the distinction of businesses as software companies, and their capability to adapt to market requirements via software subscriptions.