With a breach of this size, I think we're officially at the point where the data about enough people is out there and knowledge based questions for security should be considered unsafe. We need to come up with different authentication methods.
Doesn't necessarily need to be anyone with a lot of money, just a lot of people mass reporting things combined with automated systems.
For me it's not boot licking but recognizing that IA made a huge unforced error that may cost us all not just that digital lending program but stuff like the Wayback Machine and all the other good projects the IA runs.
That's likely what they want. If you're not viewing their ads and your third-party app is even blocking all the tracking, then you are not providing any value to them to keep you as a 'customer'. All it does is reduce their hosting and serving costs when you're blocked or when you eventually stop using it.
As for what these were, they are modified versions of the official YouTube app. What has been taken down is the full modified app files (.ipa) ready to install on an iPhone, not the source code to the tweaks that are in the repos.
These modifications do things like replicate the paid YouTube Premium features, from the uYou features list for example:
- Ad-Free Browsing: Bid farewell to interruptions and enjoy seamless video playback without annoying advertisements.
- Background Playback: Keep your favorite videos running in the background while you multitask or lock your device.
- Video and Audio Downloads: Download videos, shorts, and audio tracks in various formats, including MP4 and WebM, for offline viewing and listening pleasure.
- [...]
You can see why Google would want to have them taken down. They aren't even a re-implementation with their own code/UI like NewPipe.
You also know that all votes are technically public and can be viewed by any instance admin that's federated with the server a community is on, right? There's no way to see that in the Lemmy UI at the moment but the data is there on the server.
Ah yes, MacRumors falsely reporting... Apple's own statements, right...:
Previously: https://web.archive.org/web/20240216001557/https://developer.apple.com/support/dma-and-apps-in-the-eu/
Why don’t users in the EU have access to Home Screen web apps?
To comply with the Digital Markets Act, Apple has done an enormous amount of engineering work to add new functionality and capabilities for developers and users in the European Union — including more than 600 new APIs and a wide range of developer tools.
The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.
Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.
EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. We expect this change to affect a small number of users. Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.
Now: https://developer.apple.com/support/dma-and-apps-in-the-eu/
Why don’t users in the EU have access to Home Screen web apps?
UPDATE: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA. The need to remove the capability was informed by the complex security and privacy concerns associated with web apps to support alternative browser engines that would require building a new integration architecture that does not currently exist in iOS.
We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU. This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.
Developers and users who may have been impacted by the removal of Home Screen web apps in the beta release of iOS in the EU can expect the return of the existing functionality for Home Screen web apps with the availability of iOS 17.4 in early March.
They're downplaying their responsibility and the problem while taking a negative tone about the white hat (bold added):
CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed “researcher” who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a “bounty” to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, “HACK READ.” These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested “bounty.”
CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified “on the same day.” [...] In his Website Planet blog, Mr. Fowler has done similar “research/publication” work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.
CUSG CEO Dave Adams, summarized this incident this way: “While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer “call to action”, and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled.”
And of course, the obligatory 'we have an excellent security team, everyone faces threats, you can't blame us':
Continuing, Adams expressed confidence in CUSG’s Internal Technology security: “For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”
Basically the standard "we take security seriously":
https://www.troyhunt.com/we-take-security-seriously-otherwise/
“We take security seriously”, otherwise known as “We didn’t take it seriously enough”
The best response that I've seen to this so far is this video of a former student speaking to the school board:
Bridget, our first ever interaction was when you retweeted a hate article about me from The Nationalist while I was a Sarasota County school student. You are a reminder that some people view politics as a service to others while some view it as an opportunity for themselves. On this board you have spent public funds that could have been used to increase teacher pay to change our district lines for political gain, remove books from schools, target trans and queer children, erase black history, and elevate your political career, all while sending your children to private schools because you do not believe in the public school system that you've been leading. My question is why doesn't an elected official using our money to harm our students and our teachers for her gain seem to matter as much for us as her having a threesome does? Bridget Ziegler, you do not deserve to be on the Sarasota County School Board but you do not deserve to be removed from it for having a threesome. That defeats the lesson we've been trying to teach you which is that a politician's job is to serve their community, not to police personal lives. So, to be extra clear: Bridget, you deserve to be fired from your job because you are terrible at your job, not because you had sex with a woman.
Closest to the original source I can find (referenced in numerous news articles): https://www.tiktok.com/@queenofhives/video/7313654227564383530
Currently being investigated by browser makers but not something they can just do on their own like Signal.
Here's Chromium's current proposal that they're testing:
https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html
The names are public. Per Georgia Code Title 17. Criminal Procedure § 17-7-54 it looks like they're spelled out as part of the standard form that indictments take. Addresses aren't that hard to get once you know the name.
There was the one case with the scammers in the UK using a homemade cell tower to essentially send out phishing texts directly to cell phones in an area, completely bypassing the phone company. It seems like this scare texts scenario would fit that kind of tech even better, as you only need to send out a message once to a large amount of people and you don't need to collect information in response like in a phishing scenario.