
Infosec Reading List - September 2024

On a monthly basis I will publish my reading recommendations, which mainly focus on Information Security (InfoSec) and Outdoor Sports. All InfoSec Reading Lists can be found here. Text in italics represents quotes from the original article.

Quotes from the Twitterverse


InfoSec

  • Amazon is bricking primary feature on $160 Echo device after 1 year - The photo-forward mode, per Amazon, let people make “selected personal photos the primary rotating content on the ambient screen” (photos rotated every 30 seconds). Now, Echo Show 8 Photo Editions will work like a regular Echo Show 8 and default to showing ads and promotions after three hours. - Getting people to pay monthly for a feature that some would argue the gadget should already support out of the box seems difficult. - it’s just one example of why customers can’t trust the digital market anymore - we have multiple examples like this, see C. Doctorow’s enshittification - [link]
  • Windows driver zero-day exploited by Lazarus hackers to install rootkit - [link]
  • Your TV set has become a digital billboard. And it’s only getting worse. - Rather than selling as many TVs as possible, brands like LG, Samsung, Roku, and Vizio are increasingly, if not primarily, seeking recurring revenue from already-sold TVs via ad sales and tracking. - so the TV-selling business has moved into an ads business, so far so bad - Automatic content recognition (ACR) tech is at the heart of the smart TV ads business. Most TV brands say users can opt out of ACR, but we’ve already seen Vizio take advantage of the feature without user permission. - clever: just monitor what the user is watching to show them ads. The user can hardly do anything about it since the software base does not belong to them but to the vendor. - “ACR ingests pixels on-screen to assign a value to each frame,” which is like an “unknown fingerprint.” The OS sends these fingerprints “to a database that logs content available on TV to find a known match and identify the content. Once ACR identifies the show, it can tie that viewing data to a specific household, such as a given household watching The Big Bang Theory at 9 pm.” - this all sounds pretty much like a privacy nightmare - [link]
  • The First Decade of Corporate Ransomware - [link]
  • Exploits and vulnerabilities in Q2 2024 - [link]
  • Admins wonder if the cloud was such a good idea after all - [link]
  • Is Telegram really an encrypted messaging app? - However, when we talk about encryption in the context of modern private messaging services, the word typically has a very specific meaning: it refers to the use of default end-to-end encryption to protect users’ message content. - I think it’s important to clarify this: end-to-end encryption is what counts, nothing else: not the different grey tones that exist out there when it comes to encryption, not the desires of various governments for encryption backdoors etc. - If you want to use end-to-end encryption in Telegram, you must manually activate an optional end-to-end encryption feature called “Secret Chats” for every single private conversation you want to have. - For plenty of people, Telegram is used more like a social media network than a private messenger. - so Telegram is fine if your threat model has no desire for encryption - [link]
  • The XZ Backdoor Story - [link]
  • Ford seeks patent for tech that listens to driver conversations to serve ads - “In one example, the controller may monitor user dialogue to detect when individuals are in a conversation,” the patent application says. - By monitoring dialogue between vehicle occupants the ad controller system can determine when to deliver audio versus visual ads, providing ads to drivers as they travel “through a human-machine interface (HMI) of the vehicle,” the application said. - totally makes sense from an economic point of view: if you know what people talk about and where they are driving to, you can sell better ads. The problem is just: this is a complete disaster from a privacy point of view. However, with the increasing pressure on the “traditional” automotive industry and the progression towards “small datacenters on wheels”, this desire will also become more obvious for Ford’s competitors - [link]
  • We’re in the brute force phase of AI – once it ends, demand for GPUs will too - [link]
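To make the ACR mechanism quoted in the smart-TV item above concrete, here is an added example (my own illustration, not code from the article or from any TV vendor) of the three steps it describes: reduce each frame to a fingerprint, match that fingerprint against a reference database, and tie the match to a household and a time. The fingerprint is an 8x8 average hash, a common perceptual-hash construction; the vendors' real algorithms are not public, so treating them as "something like this" is an assumption. The frames, the titles and the household ID are all constructed sample data. The point to take away is that the lookup tolerates compression noise and overlays, so a household cannot defeat it by anything short of disabling ACR.

```python
"""Constructed illustration of ACR-style frame fingerprinting and matching.

Assumptions (not from the article): an 8x8 average hash as the fingerprint,
Hamming distance as the similarity measure, and synthetic frames as input.
"""
import random
from typing import Dict, List, Optional

Frame = List[List[int]]  # grayscale pixels, rows x cols, values 0..255


def downsample(frame: Frame, size: int = 8) -> List[List[float]]:
    """Shrink a frame to size x size by averaging rectangular pixel blocks."""
    rows, cols = len(frame), len(frame[0])
    out = []
    for by in range(size):
        row = []
        for bx in range(size):
            y0, y1 = by * rows // size, (by + 1) * rows // size
            x0, x1 = bx * cols // size, (bx + 1) * cols // size
            block = [frame[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def average_hash(frame: Frame, size: int = 8) -> int:
    """64-bit fingerprint: bit i is 1 when cell i is brighter than the mean."""
    cells = [v for row in downsample(frame, size) for v in row]
    mean = sum(cells) / len(cells)
    h = 0
    for v in cells:
        h = (h << 1) | (1 if v > mean else 0)
    return h


def hamming(a: int, b: int) -> int:
    """Number of differing fingerprint bits."""
    return bin(a ^ b).count("1")


def make_frame(seed: int, rows: int = 48, cols: int = 64) -> Frame:
    """Constructed synthetic frame: a seeded 8x8 block pattern scaled up,
    so each 'title' gets a distinct but stable fingerprint."""
    rng = random.Random(seed)
    coarse = [[rng.randrange(256) for _ in range(8)] for _ in range(8)]
    return [[coarse[y * 8 // rows][x * 8 // cols] for x in range(cols)]
            for y in range(rows)]


def add_noise(frame: Frame, amplitude: int, seed: int = 1) -> Frame:
    """Simulate compression artefacts or a small overlay: per-pixel jitter."""
    rng = random.Random(seed)
    return [[max(0, min(255, v + rng.randint(-amplitude, amplitude)))
             for v in row] for row in frame]


# Constructed reference database: title -> fingerprint of a known frame.
REFERENCE_DB: Dict[str, int] = {
    "title-A": average_hash(make_frame(seed=11)),
    "title-B": average_hash(make_frame(seed=22)),
    "title-C": average_hash(make_frame(seed=33)),
}


def identify(frame: Frame, db: Dict[str, int], max_distance: int = 10) -> Optional[str]:
    """Best-matching title within max_distance bits, or None if no match."""
    fp = average_hash(frame)
    best, best_d = None, max_distance + 1
    for title, ref in db.items():
        d = hamming(fp, ref)
        if d < best_d:
            best, best_d = title, d
    return best


def viewing_record(household_id: str, frame: Frame, hour: int) -> Optional[dict]:
    """The tracking step: join the identified title to a household and time.
    Returns None when the frame matched nothing in the database."""
    title = identify(frame, REFERENCE_DB)
    if title is None:
        return None
    return {"household": household_id, "title": title, "hour": hour}


if __name__ == "__main__":
    noisy = add_noise(make_frame(seed=22), amplitude=20)
    print(viewing_record("household-0042", noisy, hour=21))
    print(viewing_record("household-0042", make_frame(seed=99), hour=21))
```

Two things are worth noticing when running it: the noisy copy of `title-B` still matches because only 8x8 block means enter the hash, so per-pixel noise mostly averages out, and a frame from an unknown title lands roughly 32 bits away from every entry, far above the threshold, so the matcher does not produce false positives on unrelated content.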

Outdoor

  • Could a new hiking trail bring new, full-time residents? Sweden thinks so - added to [todo] list - [link]
This post is licensed under CC BY 4.0 by the author.