Notices by Dan Goodin (dangoodin@infosec.exchange)

Can we devote some time to discussing Slack? As in, why are we all sending our every thought to a centralized server that can be hacked, and can can train AI with them? And why is Slack allowed to store transcripts but I can't?

My union uses Slack for organizing. How crazy is it that an organization in the cross hairs of a dangerous and emboldened government would do this? With everything going on right now, I'd love to be more active in the union, but must I really give up so much to this opaque platform?

Is anyone else struggling with these concerns? Do you know of viable Slack alternatives? Are there any hacks that make Slack less of a privacy invasion or make LLM training harder? Are there at least ways for me to save sessions the way I can with IRC? How do I resist Slack and not lose touch with groups that still use it?

Please boost for reach.

If you're still tweeting on the hell site -- particularly those with blue checkmarks -- you're actively helping drive investors' renewed interest in the platform. Same thing for companies like Apple and Amazon that are once again advertising there.

https://www.nytimes.com/2025/02/13/technology/elon-musk-x-debt-sale.html

The result of the attack is the planting of false long-term memories that will be present in all future sessions, opening the potential for the chatbot to act on false information or instructions in perpetuity.

https://arstechnica.com/security/2025/02/new-hack-uses-prompt-injection-to-corrupt-geminis-long-term-memory/

For a couple years now I've been asking journos and privacy and civil liberties advocates still tweeting regularly: is there ANYTHING Musk could do to make you finally give up the platform? It looks like his Nazi salute was the red line for a good many of the people I was thinking of. And to them, kudos!

But even now a lot of these laggards are still supporting a platform hostile to a free press, privacy, and human rights. And to them, I ask the question once again.

Trust me, history isn't going to judge you kindly.

If only there are been people warning all the Trump haters that the consequences would be unimaginable if they didn't rally around the democratic nominee.

Apple-designed chips powering Macs, iPhones, and iPads contain two newly discovered vulnerabilities that leak credit card information, locations, and other sensitive data from the Chrome and Safari browsers as they visit sites such as iCloud Calendar, Google Maps, and Proton Mail.

https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome/

People keep warning about how awful the next 4 years are going to be. That sounds optimistic to me.

Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.

https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-take-down-european-power-grid/

privacy is another good reason for paying with cash. What's the point of using encrypted comms or ad blockers or taking other privacy-preserving measures and then buying everything with a payment card? Payment cards allow data brokers to track every purchase you make, every business you visit and when. When you split a check with someone else, it lets them know who your friends and coworkers are. The amount of privacy lost using payment cards is astounding.

So many responses from people trying to find reasons to hold onto their payment cards. Fine, go ahead. Have your purchases, contacts and whereabouts permanently stored and tracked. Just don't lecture anyone about the dangers of unencrypted comms or website tracking.

If you're choosing locally owned businesses for your coffee, groceries or other things, kudos for supporting alternatives to corporate-owned outlets. A reminder that paying with cash allows them to keep the full proceeds rather than sharing them with moneygrubbing banks and payment processors.

Is there a way to hide long threads that you don't want to see?

@GossiTheDog

Do you have a link to the dump?

A fork of the Signal Messenger known as Sessions has omitted several important security properties found in the original source code, making it a less secure alternative, a researcher says. The deficiencies include:

-- no forward secrecy

• insufficient Entropy in Ed25519 Keys
• no in-Band Negotiation for Message Signatures
• using Public Keys as AES-GCM Keys

Stay away from this offering unless you really, really, really know what you're doing:

https://soatok.blog/2025/01/14/dont-use-session-signal-fork/

@GossiTheDog

Color me unimpressed. Mark is continuing to use a platform he believes is has descended into "toxic masculinity and Neo-Nazi madness." So much for principles.

Researchers, please, please, please create RSS feeds for your blogs. We desperately need alternatives to social media to get your work out there.

Do you have experience implementing passkey authentication on your organization’s website or network? Have you supported the use of passkeys for end users? Have you spent time testing the way passkeys sync/work across platforms (Apple, Windows, etc.) or on different sites that have rolled out this new authentication paradigm? If so, I’m eager to speak with for an article I’m working on. Please DM me on Signal (DanArs.82) or (if you must) DM me here. Please boost for reach.

Emails, documents, and other untrusted content can plant malicious memories ChatGPT will recall forever

https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/

Over at the bad place, @evilsocket has reported an unauthenticated RCE in all GNU/Linux systems.

Canonical, RedHat and others have confirmed the severity, rating it a 9.9. Despite this, no working fix or CVE has been issued. Simone says the devs responsible are being defensive and dragging their feet.

Are things really as bad as Simone says?

It’s not every day that a security researcher acquires the ability to generate counterfeit HTTPS certificates, track email activity, and execute code of his choice on thousands of servers—all in a single blow that cost only $20 and a few minutes to land. But that’s exactly what happened recently to Benjamin Harris.

https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/