After Elon Musk “broke” his Twitter (now known as X) and Mark Zuckerberg released his Threads, there’s been a lot of talk on the internet about something called the Fediverse. Many see it as humanity’s last hope to escape the current social network mess.

In this post, we take a look at what this Fediverse is, how it works, what it offers users right now, and what it may change in the near future.

What’s wrong with regular social networks?

Let’s start with why Fediverse is needed in the first place. The main problem with today’s social networks is that they’ve become too closed and self-absorbed (not to mention there are an awful lot of them). Often, you’re not even able to access a significant portion of a social network’s content if you’re not registered on it — and don’t even think about further interactions on the platform.

For example, to like a post on Twitter or leave a comment on a YouTube video, you have to be registered. When it comes to social networks that are part of Mark Zuckerberg’s empire, it’s even worse: without an account, you usually can’t even get acquainted with the content, let alone like it.

The second major problem with social networks is that they don’t really produce anything themselves. Users create all the content on social networks, which the massive and powerful corporations behind the networks then profit from. And, of course, corporations have absolutely no respect for their users’ privacy — collecting an incredible amount of data about them. This has already led to major scandals in the past, and will most likely result in a whole bunch of problems in the future if nothing changes drastically.

The way things are currently organized, there’s another significant risk associated with the complete lack of user control over the platforms that they are, in fact, creating. Let’s just imagine a huge social network, which just happened to play a significant role in global politics, being taken over by a person with rather peculiar views. Its users are left with no choice but to adapt — or look for another platform with a more reasonable owner.

The Fediverse is designed to solve all these problems of conventional social networks: excessive centralization, complete lack of accountability, content isolation, collection of user data, and violation of user privacy.

The theoretical side: what the Fediverse is, and how it works

The Fediverse (a combination of “federation” and “universe”) is an association of independent social networks, which allows users to interact with each other in much the same way as they would within a single platform. That is — read, subscribe/follow, like, share content, comment, and so on.

And each platform participating in the Fediverse is federated itself: it consists of a community of independent servers (referred to as “instances” within the Fediverse).

An essential feature of the Fediverse is therefore decentralization. Each instance within the Fediverse has its owners (who independently create and maintain the server and bear all expenses for its operation), its own user community, rules, moderation system, and often some sort of theme.

The specially designed ActivityPub protocol is used for interaction among all these independent instances. ActivityPub is developed by the organization that specializes in creating common protocols that the internet runs on — the World Wide Web Consortium (W3C).

Mastodon.social is the largest instance of Mastodon, the largest social network in the Fediverse

Anyone can create their own instance within the Fediverse. All you have to do is:

  • Rent or set up a server at home;
  • Install the appropriate server software on it (usually open-source, free);
  • Connect to the internet;
  • Pay for the domain;
  • Create a community, and develop its rules, theme, and so on.


It’s important to note that a significant portion of the Fediverse, at least for now, runs on pure enthusiasm, and sometimes on donations from supporters or some occasional banners. There’s currently no sustainable commercial model here, and it seems that there is no intention to implement one yet.

How the Fediverse works for the average user

An ordinary user registers on one of the servers belonging to a particular social network that’s part of the Fediverse. Then, with this same account, they can interact with users from any other servers within the Fediverse network; it’s as if you could use a Twitter account to comment on a YouTube video or follow someone on Instagram. This removes the boundaries between different social networks, along with the need to create separate accounts in each of them.

However, in reality, it’s not as simple as it sounds: Fediverse instances are often quite closed communities, not particularly welcoming to outsiders, and registration can often be inaccessible. Logging into one social network with an account from another is usually not possible at all. Moreover, there’s no way to search across instances in the Fediverse.

So, basically, yes, you can indeed access the content of (almost) any Fediverse user without leaving the instance where you’re registered. You can probably even comment, like, or repost that user’s content, all while staying within the comfort and familiarity of your own instance. But there’s one catch — you need to know the address of that user. And knowing it isn’t so simple because, as mentioned above, there’s no search function in the Fediverse.

Pixelfed — A federated alternative to Instagram

Explaining the Fediverse by analogy

Most people use the analogy of email to explain the Fediverse: it doesn’t matter which server you’re registered with, you can still send an email to anyone; for example, to your mom’s Gmail account from your work address at bigcorp.com. But personally, I think email is not the best analogy here — it’s too simple and uniform. In my opinion, it’s much better to describe the Fediverse in terms of the good old telephone system.

The global telephone system integrates a bunch of different technologies, from rotary dial phones connected to analog switching centers, to smartphones on the cutting-edge 5G network, and from virtual IP telephony numbers to satellite-link communication. For the end user, the technological solution underlying any particular network is completely unimportant. And there can be any number of these networks. They all support a single protocol for basic interaction, making them compatible with each other — you can call any number, whether it’s virtual or satellite.

Similarly, in the Fediverse, whether a platform is primarily text-based, video streaming, or graphic, it can participate in the project and its users can “call” other platforms.

This is how one of the instances of the microblogging platform Pleroma looks. Source

However, the compatibility of telephone networks is far from complete. Each network may have its own special services and features — try sending an emoji to your great-grandmother’s landline phone. And on top of universal addressing (the international phone number format) there are often some local quirks: all those 0s or 00s instead of a normal country code, the possibility of not entering any codes at all when calling within a specific network (such as a city or office network), different formats for recording numbers (various dashes, brackets, and spaces, which can easily confuse people unfamiliar with local rules), and so on.

Again, the same goes for the Fediverse: while its platforms are generally connected and compatible at the top level, the user experience and functionality vary greatly from one platform to another. To figure out how to “make a long-distance call”, that is, perform a certain action on a given service, you often have to delve into the local specifics. It might actually be impossible to “call” certain instances because, while they formally support all the necessary technologies, they’ve decided to isolate themselves from the outside world for some reason.

In general, compared to email, the Fediverse is a much more diverse and less standardized collection of relatively unique instances. But despite this uniqueness, these instances do allow their users to interact with each other to some extent since they all support a common protocol.

Lemmy — one of the Reddit analogs in the Fediverse

The practical side: which services are compatible with the Fediverse now, and which ones will be in the future

Now let’s turn to the practical side of the issue — what social networks are already operating within the Fediverse. Here’s a list of the most significant ones:

  • Mastodon — The largest and most popular social platform within the Fediverse, accounting for about half of its active users. It’s a microblogging social network — a direct Twitter analogue.
  • Misskey and Pleroma — Two other microblogging platforms that attract users with their atmosphere and cozy interface. Misskey was created in Japan, which has ensured its high popularity among fans of anime and related topics.

Misskey — microblogging with a Japanese twist

  • PixelFed — A social networking platform for posting images. It’s a Fediverse version of Instagram but with a focus on landscape photography rather than glamorous golden poolside selfies.
  • PeerTube — A video streaming service. I’d like to say it’s the local equivalent of YouTube. However, since creating video content is so expensive, this analogy doesn’t completely hold up in reality.
  • Funkwhale — An audio streaming service. This can be considered a local version of Soundcloud or Spotify — with the same caveat as PeerTube.
  • Lemmy and Kbin — Social platforms for aggregating links and discussing them on forums. Sounds complicated, but they’re basically federated versions of Reddit.

Of course, these aren’t all the platforms within the Fediverse. You can find a more comprehensive list here.

A glimpse into the global future of the Fediverse

Another service worth mentioning that currently supports the ActivityPub protocol is the content management system WordPress. Some time ago an independent developer created a plugin for WordPress to ensure compatibility with this protocol.

Recently, Automattic, the company that owns both WordPress and Tumblr, acquired the plugin and hired its developer. Meanwhile, at the end of last year, Tumblr also announced future support for ActivityPub. Apparently, Automattic really believes in the potential of the Fediverse. Mozilla, Medium, and Flipboard are also now showing serious interest in the Fediverse.

But the most important — and quite unexpected — development for the federation of decentralized social networks was the promise made by Mark Zuckerberg’s company to add ActivityPub support to the recently launched social network Threads. It’s not yet been specified when exactly this will happen or in what form; however, if or when it does, several hundred million people from Threads/Instagram may suddenly join the existing few million Fediverse users.

What will this sudden popularity lead to? This isn’t such a simple question. Many long-time Fediverse users are visibly concerned about a possible invasion of “tourists”, and how these newcomers — accustomed to the noise of “big” social networks — will impact the communities that have been so carefully cultivated within the project.

How will the Fediverse cope with these sudden changes? Only time will tell. But one thing’s for sure: the further development and evolution of the Fediverse will be very interesting to watch…



Videocalls became much more widespread after the COVID-19 pandemic began, and they continue to be a popular alternative to face-to-face meetings. Both platforms and users soon got over the teething problems, and learned to take basic security measures when hosting videoconferences. That said, many online participants still feel uncomfortable knowing that they might be recorded and eavesdropped on all the time. Zoom Video Communications, Inc. recently had to offer explanations regarding its new privacy policy, which states that all Zoom videoconferencing users give the company the right to use any of their conference data (voice recordings, video, transcriptions) for AI training. Microsoft Teams users in many organizations are well aware that turning on recording means activating transcription as well, and that AI will even send premium subscribers a recap. For those out there who discuss secrets on videocalls (for instance in the telemedicine industry), or simply have little love for Big Tech Brother, there are lesser-known but far more private conferencing tools available.

What can we protect ourselves against?

Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.

Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.

Signal: a basic tool for smaller group calls

We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.

Signal lets you set up videoconferences for up to 40 participants in a familiar interface

WhatsApp and Facetime: just as easy — but not without their issues

Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while Facetime calls are only available to Apple users.

Jitsi Meet: self-hosted private videoconferencing

The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It can be used for hosting meetings with: dozens to hundreds of participants, screen sharing, chatting and polling, co-editing notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.

Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website

Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.

Matrix and Element: every type of communication — fully encrypted

The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.

Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a Matrix address formatted as @user:server.name. That allows you to talk freely to other users, including those registered with different servers.

Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.

The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.

Element is a fully featured environment for private conversations, with video chats just one of the available options

Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.

Zoom: encryption for the rich

Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.

Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it

You can enable encryption for smaller meetings as well, but still only if you have a Large Meetings License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.



For popular messengers such as Telegram, Signal and WhatsApp, there are quite a few alternative clients (not to be confused with clients as in (human) customers; whoever opted for this confusing language needs a good talking to) out there. Such modified apps — known as mods — often provide users with features and capabilities that aren’t available in the official clients.

While WhatsApp disapproves of mods, periodically banning them from official app stores, not only has Telegram never waged war on alternative clients, it actively encourages their creation, so Telegram mods are popping up like mushrooms. But are they safe?

Alas, several recent studies show that messenger mods should be handled with great caution. Although most users still blindly trust any app that’s been verified and published on Google Play, we’ve repeatedly highlighted the dangers: when downloading an app on Google Play, you could also pick up a Trojan (that one had more than 100 million downloads!), a backdoor, a malicious subscriber, and/or loads of other muck.

This just in: infected Telegram in Chinese and Uyghur on Google Play

We’ll start with a recent story. Our experts discovered several infected apps on Google Play under the guise of Uyghur, Simplified Chinese and Traditional Chinese versions of Telegram. The app descriptions are written in the respective languages and contain images very similar to those on the official Telegram page on Google Play.

To persuade users to download these mods instead of the official app, the developer claims that they work faster than other clients thanks to a distributed network of data centers around the world.

Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

At first glance, these apps appear to be full-fledged Telegram clones with a localized interface. Everything looks and works almost the same as the real thing.

We took a peep inside the code and found the apps to be little more than slightly modified versions of the official one. That said, there is a small difference that escaped the attention of the Google Play moderators: the infected versions house an additional module. It constantly monitors what’s happening in the messenger and sends masses of data to the spyware creators’ command-and-control server: all contacts, sent and received messages with attached files, names of chats/channels, name and phone number of the account owner — basically the user’s entire correspondence. Even if a user changes their name or phone number, this information also gets sent to the attackers.

Previously: spyware versions of Telegram and Signal on Google Play

Interestingly, a short while ago researchers at ESET found another spyware version of Telegram — FlyGram. True, this one didn’t even try to pretend to be official. Instead, it positioned itself as an alternative Telegram client (that is, just a mod), and had found its way not only onto Google Play, but into the Samsung Galaxy Store as well.

What’s even more curious is that its creators didn’t limit themselves to imitating just Telegram. They also published an infected version of Signal in these same stores, calling it Signal Plus Messenger. And for added credibility, they even went so far as to create the websites flygram[.]org and signalplus[.]org for their fake apps.

There’s a spyware client on Google Play for Signal too, called Signal Plus Messenger. (Source)

Inside, these apps amounted to full-fledged Telegram/Signal messengers, whose open-source code was flavored with malicious additives.

Thus FlyGram learned to steal contacts, call history, a list of Google accounts and other information from the victim’s smartphone, as well as make “backup copies” of correspondence to be stored… where else but on the attackers’ server (although this “option” had to be activated in the modified messenger independently by the user).

In the case of Signal Plus, the approach was somewhat different. The malware scraped a certain amount of information from the victim’s smartphone directly, and allowed the attackers to log in to the victim’s Signal account from their own devices without being noticed, after which they could read all correspondence almost in real time.

FlyGram appeared on Google Play in July 2020 and stayed there until January 2021, while Signal Plus was published in app stores in July 2022 and removed from Google Play only in May 2023. In the Samsung Galaxy Store, according to BleepingComputer, both apps were still available at the end of August 2023. Even if they are now completely gone from these stores, how many unsuspecting users continue to use these “quick and easy” messenger mods that expose all their messages to prying eyes?

Infected WhatsApp and Telegram spoof cryptowallet addresses

And just a few months back, the same security researchers uncovered a slew of trojanized versions of WhatsApp and Telegram aimed primarily at cryptocurrency theft. They work by spoofing the cryptowallet addresses in the messages so as to intercept incoming transfers.

An infected version of WhatsApp (left) spoofs the cryptowallet address in a message to the recipient, who has the official, uninfected version of WhatsApp (right). (Source)

In addition, some of the versions found use image recognition to search screenshots stored in the smartphone’s memory for seed phrases — a series of code words that can be used to gain full control over a cryptowallet and then empty it.

And some of the fake Telegram apps stole user profile information stored in the Telegram cloud: configuration files, phone numbers, contacts, messages, sent/received files, and so on. Basically, they pilfered all user data except for secret chats created on other devices. All these apps were distributed not on Google Play, but through a variety of fake sites and YouTube channels.

How to stay safe

Lastly, a few tips on how to protect yourself from infected versions of popular messengers, as well as other threats targeting Android users:

  • As we’ve seen, even Google Play isn’t immune to malware. That said, official stores are still far safer than other sources. So, always use them to download and install apps.
  • As this post has made clear, alternative clients for popular messengers should be treated with extreme caution. Open source lets anyone create mods — and fill them with all sorts of nasty surprises.
  • Before installing even the most official app from the most official store, look closely at its page and make sure that it’s real — pay attention not only to the name, but also the developer. Cybercriminals often try to fool users by making clones of apps with descriptions similar to the original.
  • It’s a good idea to read negative user reviews — if there’s a problem with an app, most likely someone will have already spotted and written about it.
  • And be sure to install reliable protection on all your Android devices, which will warn you if malware tries to sneak in.
  • If you use the free version of Kaspersky Security & VPN, remember to manually scan your device after installation and before running any app for the first time.
  • Threat scanning is done automatically in the full version of our security solution for Android, which is included in the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscription plans.



How To Manage Your Privacy When Using ChatGPT

Love it or hate it, ChatGPT has become one of the most talked about tech developments of 2023. Many of us have embraced it with open arms and have put it to work by tasking it to ‘assist’ with assignments, write copy for an ad, or even pen a love letter – yes, it’s a thing. Personally, I have a love/hate relationship with it. As someone who writes for a living, it does ‘grind my gears’ but I am a big fan of its ability to create recipes with whatever I can find in my fridge. But like any new toy, if you don’t use it correctly then there could be issues – which may include your privacy.

ChatGPT – A Quick Recap

ChatGPT is an online software program that uses a new form of artificial intelligence – generative artificial intelligence – to provide human-style responses to a broad array of requests. Think of it as Google on steroids. It can solve maths questions, translate copy, write jokes, develop a resume, write code, or even help you prepare for a job interview. If you want to know more, check out my Parent’s Guide to ChatGPT.

But for ChatGPT to answer tricky questions and be so impressive, it needs a source for its ‘high IQ’. So, it relies on knowledge databases, open data sources and feedback from users. It also uses social media to gather information and a practice known as ‘web scraping’ to gather data from a multitude of sources online. And it is this super powerful combination that allows ChatGPT to ‘almost always’ deliver on tasks.

Why Is ChatGPT A Threat To My Privacy?

Your privacy is affected in several ways by ChatGPT. Some of these ways may not concern you, but I’m quite sure some will. Here’s what you need to know:

1. ChatGPT Uses Your Data Without Your Permission

When ChatGPT absorbed the enormous amount of data it needed to function from the internet, it did so without permission. As data can be used to identify us, our friends and family or even our location, this is clearly a violation of privacy. But not only was the data taken without permission, it was also taken without compensation. Many online news groups have been, understandably, quite upset about this, particularly when ChatGPT is making a handsome profit by offering users a premium package for US$20/month. However, in recent weeks, many online news outlets have blocked OpenAI’s crawler, which will limit ChatGPT’s ability to access their news content.

2. Whatever You Share With ChatGPT Goes Into Its Data Bank

Every time you share a piece of information with ChatGPT, you are adding to its data bank, risking that the information ends up somewhere in the public domain. The Australian Medical Association (AMA) recently issued a mandate for Western Australian doctors not to use ChatGPT after doctors at a Perth hospital used it to write patient notes. These confidential patient notes could not only be used to further train ChatGPT but could also be included in responses to other users.

3. ChatGPT Collects A Lot Of Information About Its Users

In addition to collecting the information users share, it also collects detailed information about its users. In the company’s privacy policy, it outlines that it collects users’ IP addresses and browser types. It also collects information on the behaviour of its users e.g. the type of content that users engage with as well as the features they use. It also says that it may share users’ personal information with unspecified parties, without informing them, to meet their business operation needs.

4. Risk of a Data Breach

One of the biggest risks of using ChatGPT is the risk that your details will be leaked in a data breach. Credentials for 100,000 ChatGPT accounts were compromised and sold on the Dark Web in a large data breach that happened between June 2022 and May 2023, according to Search Engine Journal.

But here’s the big problem – as ChatGPT users can store conversations, if a hacker gains access to an account, it may mean they also gain access to proprietary information, sensitive business information or even confidential personal information.

What’s ChatGPT Doing To Protect Privacy?

Now please don’t misunderstand me, ChatGPT is taking action to protect users; however, in my opinion, these steps are not enough to truly protect your privacy.

ChatGPT does make it very clear that all conversations between a user and ChatGPT are protected by end-to-end encryption. It also outlines that strict access controls are in place so only authorised personnel can access sensitive user data. It also runs a Bug Bounty program which rewards ethical hackers for finding security vulnerabilities. However, in order to remain protected while using the app, I believe the onus is on the user to take additional steps to protect their own privacy.

So, What Can I Do To Protect My Privacy While Using ChatGPT?

As we all know, nothing is guaranteed in life; however, there are steps you can take to minimise the risk of your privacy being compromised while using ChatGPT. Here are my top tips:

1. Be Careful What You Share With ChatGPT

Never share personal or sensitive information in any of your chats with ChatGPT. By doing so, you increase the risk of sharing confidential data with cybercriminals. If you need a sensitive piece of writing edited, ask a friend!!

2. Consider Deleting Your Chat History

One of the most useful ways of safeguarding your privacy is to avoid saving your chat history. By default, ChatGPT stores all conversations between users and the chatbot with the aim of training OpenAI’s systems. If you do choose not to save your chat history, OpenAI will still store your conversations for 30 days. Despite this, it is still one of the best steps you can take to protect yourself.

3. Stay Anonymous

As mentioned above, ChatGPT can collect and process highly sensitive data and associate it with your email address and phone number. So, why not set up a dedicated email just for ChatGPT? And keep your shared personal details to a minimum. That way, the questions you ask or content you share can’t be associated with your identity. And always use a pseudonym to mask your true identity.

4. Commit To Staying Up To Date

Whether it’s ChatGPT or Google’s Bard, it’s imperative that you stay up to date with the company’s privacy and data retention policies, so you understand how your data is managed. Find out how long your conversations will be stored for before they are anonymised or deleted and who your details could potentially be shared with.

So, if you’re looking for a recipe for dinner, ideas for an upcoming birthday party or help with a love letter, by all means get ChatGPT working for you. However, use a dedicated email address, don’t store your conversations and NEVER share sensitive information in the chat box. But if you need help with a confidential or sensitive issue, then maybe find another alternative. Why not phone a friend – on an encrypted app, of course!!


The once cozy world of social media has been getting feverish in recent years. In the battle for audience attention, fly-by-night social networks come and go (Clubhouse, anyone?), users run back and forth, and governments, as ever, ponder the introduction of regulations. Who’d have thought, for example, that TikTok would be able to displace such monsters as Facebook and Instagram, and also to be banned fully or partially in a host of countries?

The public skirmishes between, and overall pantomime of the owners of the world’s largest social networks — Mark Zuckerberg (Facebook, Instagram, Threads) and Elon Musk (X, formerly Twitter) — similarly add nothing in terms of stability. And while Threads, despite analysts’ predictions, didn’t bury Twitter, Musk himself is doing a good job of digging the latter’s grave: with every new innovation he comes up with, users jump ship in their droves. Catching up, slowly but surely, is YouTube, which has long since morphed from a mere video hosting service into a social media powerhouse boasting 2.5 billion users a month and used by 95% of teenagers; while taking a breather on the sidelines is LinkedIn, having carved out a business niche all for itself.

Against this backdrop of upheavals, there’s a relatively new… elephant in the room, which more than fills an X-shaped hole. And that is Mastodon (a mastodon, in case you don’t know, was a furry elephant — long extinct). But it turns out Mastodon is no newcomer; it’s still a game-changer…

How Mastodon works

Created in 2016, Mastodon is a microblogging social network similar to X (ex-Twitter), but based on the principles of decentralization. Unlike X, Mastodon consists of multiple independent servers (called “instances”) brought together into a single network and interacting with each other, which offers far greater customization and control. Users can select instances according to their preferences and settings, yet still communicate with members from other instances.

What are Mastodon instances?

Instances are independent servers, each with its own address in the Mastodon network, its own administrator, and its own rules of use. They can be general-purpose, or highly specialized with a unique theme dedicated to specific interests, languages, regions or communities. Users can select the servers they want to register on, while being able to follow accounts registered on other servers and view posts from any account on any server in their timeline.

Mastodon is a decentralized social network where each server has its own rules, values and guidelines.

The first server to run Mastodon was mastodon.social. The instance was created and is maintained by its founder, Eugen “Gargron” Rochko, and is very popular.

Picking a Mastodon server is like choosing a place to live.

How to pick a Mastodon server

There are several criteria when it comes to choosing an instance in Mastodon:

  • Community size. Look at the number of registered users on the server. Larger instances are more buzzing with content, but the load on them is higher, and they may run slower.
  • Sign-up process. This option is worth considering if you need to get registered quickly. Some instances offer instant registration; others require confirmation from an administrator.
  • Server location. Instances may be hosted in different countries and regions. If accessibility and connection speed are important, choose a server closer to where you are.
  • Rules and moderation. Each Mastodon instance has its own policies. Before registering on a server, read its rules and make sure they align with your values and expectations. As each server moderates its own content, some may, for example, allow pornography, and even viewing such content can have legal consequences in a number of countries or jurisdictions. Besides local rules, Mastodon has general ones that describe what can and can’t be done on the platform. Violation of these common rules can result in the server being blocked and shut down.
Example of local rules for the mastodon.social server. Given that this is the server of Mastodon's creator, they can in part be considered as general policies.

  • Privacy policy. A privacy policy is published for each instance. On the whole, they all contain basic clauses about data collection, usage, storage and security, and about sharing information with third parties. On the odd occasion you might come across a particularly law-abiding server that mentions users’ rights to delete, amend, or do other things with collected personal data — usually these are EU servers that are subject to the GDPR.
  • Topics and interests. If you like a particular topic, or want to join a community of interest, search for relevant thematic servers.
  • Administration and support. Check whether the server has active administrators and community support. This may come in handy if you have any problems or questions.
  • Server reputation. Find out about an instance’s reputation by reading reviews or asking other Mastodon users.

Already registered? Let’s set up privacy!

Right after registration, head straight to the settings. First of all, turn on two-factor authentication and set the posting privacy level. You can choose one of three options for your account:

  • Public — everyone can see your posts.
  • Unlisted — everyone can see your posts, but they’re not listed on public timelines.
  • Followers-only — only followers can see your posts.

In addition, you can set the privacy level for each individual post:

  • Public
  • Followers-only
  • Direct (visible only to users mentioned in the post)
Privacy settings for accounts in general and for individual posts.

Additional privacy settings allow you to show or hide your followers and follows in your profile, as well as show what app you use for posting. We recommend unchecking the latter — your readers really don’t need to know what app or device you use.

Additional privacy settings in Mastodon.

On top of that, there are settings for choosing who can find and follow you, and how. For example, you can: enable your public posts to appear in Mastodon search results; make your profile findable in search engines; allow your posts and profile to show up in promos inside Mastodon; and even automatically accept follow requests.

How to become a star (or not): customizing how Mastodon tells others about you.

Finally, there are options to configure rules (and exceptions to them) for auto-deleting posts after a set period (from one week to two years) — and for archivists to export and download a complete archive of all their data.

You can configure auto-deletion of posts, or download all your data.

A few final tips

Mastodon is a far less regulated social network than the notoriously censor-heavy monsters, but it too has its rules and regulations. That said, these are mostly determined by the server administrator, and you get to choose which server you want out of many. But there are platform-wide policies as well, so when publishing posts you need to take into account the rules of both the specific instance you’re registered on and Mastodon in general. Furthermore, the privacy policy directly states: “We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety.” So the golden rule — Think Before You Post — applies equally to this social network.

Don’t forget about security either. Although Mastodon may feel like a hobby club, there might be bad actors amid the like-minders. So, as with other social networks, it pays to protect your privacy and guard against phishing and leaks of personal data on all your devices with the help of Kaspersky Premium.



Your privacy means everything. And your identity too. The launch of McAfee Privacy & Identity Guard will protect them both. 

We’re proud to announce the launch of McAfee Privacy & Identity Guard in partnership with Staples. Through this partnership, McAfee’s Privacy & Identity Guard will be available at select Staples locations across the U.S. and help customers protect their identity and privacy online. 

McAfee’s Privacy & Identity Guard will be sold in the travel section of Staples along with other travel benefits such as passport services, TSA PreCheck sign up, and fingerprinting services. McAfee’s Privacy & Identity Guard offers a natural fit for Staples customers who are on the go, particularly as they rely on their laptops and smartphones to get things done while traveling.  

And people certainly have concerns about their privacy and identity when they hit the road. McAfee’s recent Safer Summer Report revealed 1 in 3 people have been scammed when booking or taking trips, with a third (34%) of those losing $1,000 or more. This same study found 61% of all adults worry more about digital safety than physical safety when on vacation.  

“As Staples’ exclusive tech services security partner for the last seven years, we’re excited to partner with Staples on the initial launch of McAfee Privacy & Identity Guard in the U.S.,” said Gagan Singh, McAfee’s Executive Vice President, Chief Operating Officer. “This online protection product was designed to address consumers’ key concerns about safeguarding personal information online, something that becomes even more at risk when traveling.”

Key McAfee Privacy & Identity Guard features include: 

Identity Monitoring – Monitor personal information with timely alerts.

  • Proactive and Guided – When a breach is detected McAfee can help guide consumers to take the most effective and simple steps when action is needed.  
  • Extensive Monitoring – Keep tabs on almost 60 unique pieces of your personal info such as your email address, phone number, Social Security number, credit cards, passport information, and bank accounts, to ensure they are secure. 
  • Dedicated Support – McAfee offers friendly 24/7 assistance from security experts available via phone or online. 

Identity Restoration – Exclusive to Staples customers, these features offer further peace of mind in the event of identity theft or loss. 

  • Restoration Experts – Identity restoration experts are available 24/7 to help customers take the necessary steps to help repair their identity and credit if they ever need it, including assistance to help prevent or assist with identity fraud of a deceased family member. 
  • Lost Wallet Assistance – If a consumer’s ID, credit, or debit cards are lost or stolen, McAfee will help cancel and replace them.  

Privacy Features – Find personal data tied to old, unused online accounts and request removal of any personal information found on data broker sites.

  • Online Account Cleanup – This feature runs monthly scans to find customers’ online accounts and shows a risk level to help customers decide which to keep or delete.  
  • Personal Data Cleanup – Removes personal info from sites that buy and sell it. Staples customers get full-service protection that scans more than 40 high-risk data broker sites and automatically requests removal of any personal information found. 

Is your email on the dark web? 

One sign that your privacy and identity are at risk is if your email appears on the dark web. Hackers and scammers post email addresses and other personal and financial information on dark web sites—sometimes offered freely, sometimes offered to other hackers and scammers for sale. You can find out if your email is posted on the dark web by visiting https://www.mcafee.com/idscan-staples


Short links are everywhere these days. All these bit.ly, ow.ly, t.co, t.me, tinyurl.com and the like have long since become a familiar part of the online landscape. So familiar, in fact, that most users click on them without thinking twice. But thinking is never a bad thing. With that in mind, we explain below how short links work and what privacy and security threats they can pose.

What happens when you click on a short link?

When you click on a short link, you almost go straight to the intended destination, which is the address specified by the user who created the link. Almost, but not quite: the actual route takes a quick detour via the URL shortener service.

The more efficient the service, the quicker this takes, and the smoother the transition to the end stop. Of course, the delay feels insignificant only to a person — we humans are rather slow. But for an electronic system, it’s more than long enough to get up to all kinds of activity, which we’ll discuss below.

Why short links? The main reason is one of space: making a long link shorter means it takes up less of the screen (think mobile devices) and doesn’t eat up the character limit (think social media posts). Alas, that’s not all there is to it. The creators of short links may be pursuing their own goals, not necessarily driven by concern for users. Let’s talk about them.

Short links and user tracking

Have you ever wondered why many internet links are so long and unsightly? It’s usually because links encode all kinds of parameters for tracking click-throughs, so-called UTM tags.

Usually, these tags are deployed to determine where the user clicked on the link, and thus to evaluate the effectiveness of ad campaigns, placement on blogger pages, and so on. This is not done in the name of user convenience, of course, but for digital marketing.

In most cases, this is a fairly harmless form of tracking that doesn’t necessarily collect data from link clickers: often marketers are just interested in the source of traffic. But since this additional “packaging” doesn’t look very aesthetic, and often makes the URL insanely long, shortener services are often brought into play.

What’s more unpleasant from a privacy point of view is that URL shorteners don’t limit themselves to redirecting users to the destination address. They also tend to harvest a host of statistics about the link clickers — so your data ends up in the hands not only of the creator of the short link through embedded UTM tags, but also of the owners of the URL shortener. Of course, this is the internet, and everyone collects some kind of statistics, but using a short link introduces another intermediary that holds data on you.

Disguised malicious links

Besides violating your privacy, short links can threaten the security of your devices and data. As we never tire of repeating: always carefully check links before clicking on them. But with short links, a problem arises: you never know for sure where it is you’ll be taken.

If cybercriminals use short links, the advice to check them becomes meaningless: you can only find out where a link points after clicking. And by then it may be too late — if the attackers exploit a zero-click vulnerability in the browser, the infection can occur as soon as you land on the malicious site.

Short links and dynamic redirects

Cybercriminals can also use link-shortening tools to change the target address as the need arises. Suppose that some attackers bought a database of millions of email addresses and used it to send out phishing messages with some kind of link. But here’s the problem (for the attackers): the phishing site they created was quickly discovered and blocked. Rehosting it at a different address is not an issue, but then they would have to resend all the phishing mailshots.

The solution (again, for the attackers) is to use a “shimming” service, which makes it possible to quickly change the URL users will visit. And the role of “shims” here can be played by URL shorteners, including ones originally created with dubious intentions in mind.

With this approach, a link to the shimming service is added to the phishing email, which redirects victims to the phishers’ site at their currently active address. Often, multiple redirects are used to further muddy the trail. And if the destination phishing site gets blocked, the cybercriminals simply host it at a new address, change the link in the shim, and the attack continues.

Man-in-the-middle attacks

Some link-shortening tools, such as Sniply, offer users more than just shorter links. They allow tracking the actions of link clickers on the actual destination site, which is effectively a man-in-the-middle attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can intercept anything it wants: entered credentials, social network messages, and so on.

Personal spying

In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one was sent to you personally — in a messenger or an email to your personal or work address. Using such links, an attacker who already has some information about you can redirect you to a phishing site where your personal data is pre-filled. For example, to a copy of a banking site with a valid username and a request to enter your password, or to the “payment gateway” of some service with your bank card number pre-filled, asking you to enter a security code.

What’s more, such links can be used for doxing and other types of tracking, especially if the URL shortener service offers advanced functionality. For instance, our recent post about protecting privacy in Twitch looked in detail at ways to de-anonymize streamers and how to counter them.

How to stay protected

What to do about it? We could advise never to click on short links, but, in the vast majority of cases, URL shorteners are used for legitimate purposes, and short links have become so common that total avoidance isn’t really an option. That said, we do recommend that you pay special attention to short links sent to you in direct messages and emails. You can inspect such links before clicking by copying and pasting them into a tool for checking short links, such as GetLinkInfo or UnshortenIt.
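What a short-link checker does under the hood, as an added example (not code from this post or from the services it names): it asks each hop for its headers only, reads the Location header instead of following it, and strips utm_* tags from the final address. The .example hosts, the redirect table and the warning thresholds are constructed assumptions.

```python
import http.client
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

MAX_HOPS = 10  # assumption: longer chains are reported rather than followed
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample: a short link, an intermediate "shim", and a landing page.
SAMPLE_REDIRECTS = {
    "https://sho.rt.example/abc": (301, "https://shim.example/r?id=42"),
    "https://shim.example/r?id=42":
        (302, "http://landing.example/promo?utm_source=mail&utm_campaign=x&item=7"),
    "http://landing.example/promo?utm_source=mail&utm_campaign=x&item=7": (200, None),
}


def sample_fetch(url):
    """Offline stand-in for head_request(), backed by the constructed table."""
    return SAMPLE_REDIRECTS.get(url, (404, None))


def head_request(url, timeout=5):
    """One HEAD request, redirects not followed: returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-inspector"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def strip_tracking(url):
    """Drop utm_* query parameters, keeping every other parameter in order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def expand(url, fetch=head_request):
    """Walk the redirect chain hop by hop and report what a reader should check."""
    chain, warnings = [url], []
    while True:
        scheme = urlsplit(chain[-1]).scheme
        if scheme not in ("http", "https"):
            warnings.append(f"non-http scheme: {scheme}")
            break
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break  # reached a page (or an error): this is the end of the chain
        nxt = urljoin(chain[-1], location)  # Location may be a relative URL
        if nxt in chain:
            warnings.append("redirect loop")
            break
        if len(chain) > MAX_HOPS:
            warnings.append("too many redirects")
            break
        chain.append(nxt)

    hosts = []
    for hop in chain:
        host = urlsplit(hop).hostname
        if host and host not in hosts:
            hosts.append(host)
    schemes = [urlsplit(hop).scheme for hop in chain]
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        warnings.append("https to http downgrade")
    if len(hosts) > 2:  # more than shortener + destination
        warnings.append(f"passes through {len(hosts)} hosts")
    return {"chain": chain, "hosts": hosts,
            "final": strip_tracking(chain[-1]), "warnings": warnings}


if __name__ == "__main__":
    report = expand("https://sho.rt.example/abc", fetch=sample_fetch)
    for hop in report["chain"]:
        print("hop:", hop)
    print("destination without tracking tags:", report["final"])
    print("warnings:", report["warnings"])
```

Each hop, including the destination, still sees the IP address of the machine making the request; what the check avoids is loading or rendering any page.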

However, there is a simpler method: a high-quality security solution with an integrated approach that takes care of security and privacy at the same time. For example, our Kaspersky Premium has a Private Browsing component that blocks most known online trackers and thus prevents your online activities from being monitored.

Our products also offer protection against online fraud and phishing, so rest assured that Kaspersky Premium will warn you in good time before landing on a dangerous site — even if the link was shortened. And, of course, the antivirus will guard against any attempts to infect your devices — including ones exploiting as-yet-unknown vulnerabilities.



For some, Twitch streaming brings fame and fortune. The platform’s genre diversity has long transcended the boundaries of video games: artists, athletes and even bicycle couriers have all found appreciative audiences. From professional gamers to guitarists, all are united by the desire to connect with fans and earn a crust without falling victim to bullies, pranksters or spammers. Here are the security measures that all Twitch streamers need to take.

How to protect personal information

  1. Set up separate accounts specifically for Twitch that won’t point to the real you in search results, social media or forums.
  2. Your Twitch handle should not be your actual name, or even resemble it. This tip will be a recurring theme throughout this post: there is no need whatsoever for your fans to know your name or where you live. Use profile pics that are completely different from the ones on your social networks – similar photos are easy to find.
  3. Twitch-related accounts (profiles on Discord, social networks, etc.) must be registered under your Twitch handle and not give away your real name. If you already have personal accounts on Twitter, YouTube and the like, do not use them in conjunction with Twitch, but create new ones.
  4. We recommend that active streamers use a separate email and phone number that are linked only to accounts used for streaming (Twitch, Discord, YouTube, etc.).
  5. If you accept snail mail (fan letters/gifts, etc.), set up a PO Box. And do not use the box for any other purpose. In some countries, a PO Box can be set up under any name, in which case use your Twitch handle. If that’s not an option and you need to give out personal information, ask the post office if there’s a way to avoid revealing your real name.
  6. If Twitch becomes a regular source of income, consider setting up a legal entity and registering your domains, mailboxes and other assets under it.
  7. Check out our detailed guide to Twitch security and privacy settings.
  8. Use a strong unique password and two-factor authentication and install a comprehensive security solution for gamers on your computers that does not affect streaming and protects against phishing.

How to moderate Twitch chats

  1. Draw up a list of chat rules and share it with fans. You’ll make life easier for yourself and your moderators. We recommend formulating rules such as: “It is forbidden to post links,” “It is forbidden to disclose names, contact details or other personal information in a chat” – this will protect both you and the chat participants.
  2. If you don’t want fans to ask you about certain aspects of your personal life, you can explicitly set off-limit topics in the rules.
  3. Posting links should be banned not only because of the threat of spam; special URL-shortening services can be used to spy on the IP addresses and other data of those who tap or click on the link.
  4. Review the automatic chat moderation settings, and enable AutoMod if you think it will help you and your moderators. The level of moderation can be customized for sensitive topics. There is also a manually updatable list of bad words that can be filtered by AutoMod. Avoid sweeping bans on terms and topics – false positives annoy chatters.
  5. If there are chat users you know personally (especially offline), ask them separately not to discuss topics that you consider inappropriate. Make sure you are on the same page regarding no-go topics.
  6. If a chat user reveals any personal information about you (name, address or anything else), just delete the message and do not respond in any way. Do not comment on the veracity of the information. And delete personal information that someone has clearly made up – again without responding.

How to hide personal information in Twitch videos

  1. Before you start streaming, make sure there’s nothing in shot that shouldn’t be there. Here are some things that can give away personal information to eagle-eyed viewers:
    • Envelopes, documents, bills, autographed photos, framed certificates.
    • Personalized or souvenir clothing. Besides your own name, the name of a school, university or company on a souvenir T-shirt, for example, could be used to identify you.
    • Personalized backpacks, mugs, plates, etc.
    • Distinctive pieces of furniture and jewelry.
    • Window views, even partial.
    • Underwear or very personal items.
    • Housemates, family members, pets.
  2. Create a signature backdrop (physical or virtual), and use it in all your streams.
  3. We recommend setting a short broadcast delay (from ten seconds to one minute) to give you time to react to potential glitches and incidents. This will make things much harder for stream snipers.
  4. Turn off your smart speakers and other voice-activated gadgets, or move them to another room. There have been cases of voice assistants leaking information during streams.
  5. If you are IRL streaming outside, always turn on your camera a good distance from home, so you don’t reveal the name of your street or a view of where you live. And it’s a bad idea to show buildings that could easily lead to you: school, workplace, nearby bus stops, stores, etc.
  6. If you’re streaming from a public place, be aware that interlopers, including IRL stream snipers, can get in your shot. Be prepared: practice emergency muting and wallpapering, and more importantly, have a plan of action to get rid of the intruder.

How to hide personal information in Twitch screencasts

  1. A lot of streamers show their screens. This is especially true for game streaming, but sometimes you may need to show something in your browser, Discord, or another app. Test all such apps in advance to make sure there is no inappropriate information on the screen.
  2. When streaming, make sure that only the apps you need are running. Anything extraneous should be turned off, closed or moved to another monitor that is not in the stream.
  3. Pay close attention to the contents of the Dock/Taskbar, tray icons (including the clock) and files on the desktop.
  4. Check that pop-ups and notifications are disabled or displayed on a non-streaming monitor.
  5. We recommend showing web content in a private browser used exclusively for this purpose, preferably in incognito mode. Make sure that you are not signed in to any personal accounts not related to streaming, such as email and other services.
  6. Make sure your streaming browser is configured to block ads and tracking. Keep in mind that contextual advertising may reveal your interests and approximate location, so turn it off during streaming. Use Kaspersky Premium settings to minimize ads and privacy risks.
  7. Again, set a slight delay in streaming (from ten seconds to one minute) to give yourself time to calmly deal with unforeseen situations and make the job of stream snipers more difficult.
  8. Prepare animated background images – saying “Starting in a couple of minutes,” “Thank you,” “Be right back,” and so on – to keep your audience engaged while setting up or dealing with technical issues. These are easily added in OBS Studio.
  9. Certain games and game consoles offer special tools to protect the privacy of streamers. Look for features that allow you to hide your alias and avatar, PSN username, region information and pings to game servers.

How to protect personal information in donations and wishlists

  1. If Twitch is a regular source of income for you, consider creating a legal entity to pay your earnings into and help protect your real identity.
  2. Twitch donations are usually made through PayPal. Any user can go to their payment history and view the real names of senders and recipients. To avoid such crude unmasking, use a PayPal business account.
  3. If your country doesn’t allow PayPal or you can’t switch to a PayPal business account, choose a service that accepts bank card donations and doesn’t show the recipient’s real name.
  4. If you receive gifts or snail mail in your PO Box, make sure that all name and address labels, post office stamps and other such information have been removed before showing such items to your viewers. Your PO Box for Twitch must not be used for anything else.
  5. It is becoming common practice to create wishlists on marketplaces like Amazon. Create a separate account for your Twitch wishlist – do not put it under an account that you use for everyday purchases. If possible, register the account under your Twitch handle.

General privacy tips for Twitch streamers

It’s a good idea to start thinking about privacy from day one, without waiting until you become a super-streamer – it’s better to build a safety net right away than try to wipe your data off the internet later. Use our guide to design your own personal threat landscape, as practiced in corporate security.

And for maximum privacy protection, use an all-in-one security solution like Kaspersky Premium:

  1. Protects against viruses and phishing.
  2. Prevents intrusion attempts, including through remote access tools.
  3. Blocks ads.
  4. Removes traces of your activity.
  5. Prevents online collection of personal data.
  6. Detects leaks of personal data containing email addresses and phone numbers.
  7. Provides encrypted storage of data and documents.
  8. Offers premium priority technical support.
  9. Includes a password manager with generation of two-factor authentication codes.

Your Kaspersky Premium subscription covers all your devices. For more information on features and capabilities, please see our separate posts on protection for computers and Android/iOS smartphones.



When you throw away or sell an old computer or phone, you probably remember to delete photos, messages and other personal stuff. But there’s another kind of personal data that (almost) no one thinks about — and it needs to be erased not only from phones, but also from watches, printers and other smart devices — even your fridge. These are the settings for connecting to your Wi-Fi network.

The danger of leaky Wi-Fi access

Accessing someone else’s Wi-Fi network has commercial value. The simplest and most innocent (albeit naughty) form is using a neighbor’s connection. Far less innocent is data theft: in a home or office network, devices usually trust each other, so connecting to someone else’s Wi-Fi makes it easy to steal photos and documents from other network devices.

Even worse is when a Wi-Fi network is infiltrated for illegal activity, such as spamming or DDoS attacks. Exploiting a discovered Wi-Fi network just once, an attacker can hack a device on it (the router itself, home network-attached storage (NAS), a video surveillance camera, or any other easily hackable devices) — and then use it as a proxy server, without further recourse to Wi-Fi “services”. Such proxies operating from home networks are in steady demand from cybercriminals. Of course, the owner of the hacked device bears the brunt: their internet is slower; their IP address lands in various denylists; and, in rare cases, they might get blocked by the ISP or even get a police visit.

As for printers, cameras and other devices on an office network, their Wi-Fi settings can be used to attack the company in question. This attack vector is great for hackers, because in many companies cybersecurity is set up to protect against threats from the internet, while office devices — especially printers — are paid little attention. By connecting to the Wi-Fi network, attackers can easily carry out data theft and/or ransomware attacks.

How Wi-Fi settings get stolen

Most devices store Wi-Fi network information in unprotected form, making it child’s play to retrieve it from a discarded or sold-on gadget. It’s also not hard to find out who previously owned it:

  • If you sold it, the buyer knows it came from you;
  • If you decided to recycle the device, it’s possible you left your contact details when turning it in;
  • If you threw it away, most likely it was somewhere very close to where you used the device.

A bad factory reset also leaves behind many clues: the device name often points to the owner (Alex’s iPhone 8), and the Wi-Fi network name — to their address or employer (TheBensonsHouse, Volcano_Coffee_staff).

Such pointers make your Wi-Fi network easy to locate, and the password for it is right there in the device memory. For added credibility, attackers can connect to your network by spoofing the MAC address of the discarded device.

How to guard against Wi-Fi leaks

Reset and wipe. The most obvious security measure is to wipe the settings from all devices before parting with them. For laptops and computers, it’s recommended to physically format the drive; for other equipment, we advise a full factory reset with deletion of all data. After resetting, go to the network settings and make sure that everything’s really gone — then do another reset to make doubly sure. Unfortunately, the quality of factory resets varies depending on the device and the manufacturer, and there’s no cast-iron guarantee that a reset really does delete everything. For example, Canon recently reported an issue in 200 printer models in which the reset failed to clear the Wi-Fi settings. Canon’s advisory explains that a double reset is required, but for many other devices there’s simply no reliable way to clear the network settings.
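To make the "make sure that everything's really gone" step concrete, here is an added example (not from the original post, and not Kaspersky code) for one case: a Linux laptop that uses NetworkManager, which is an assumption. It lists every saved Wi-Fi profile still on disk and says whether the key is stored in the file, without ever printing the key; the profile files in `demo()` are constructed samples.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: a Linux laptop using NetworkManager, which keeps one keyfile per
# saved network in this directory and stores the key in plain text by default.
PROFILE_DIR = Path("/etc/NetworkManager/system-connections")

# (section, option) pairs that hold the Wi-Fi secret when it lives in the file.
SECRET_FIELDS = [
    ("wifi-security", "psk"), ("802-11-wireless-security", "psk"),
    ("wifi-security", "wep-key0"), ("802-1x", "password"),
]

def audit_profiles(directory=PROFILE_DIR):
    """List the Wi-Fi profiles still on disk. The key itself is never returned."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        cfg = configparser.ConfigParser(interpolation=None, strict=False,
                                        delimiters=("=",))
        try:
            readable = bool(cfg.read(path, encoding="utf-8"))
        except (configparser.Error, UnicodeDecodeError):
            readable = False
        if not readable:  # unreadable or malformed: report it rather than skip it
            findings.append({"file": path.name, "ssid": None, "key_on_disk": None})
            continue
        if cfg.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
            continue  # wired, VPN and other profiles carry no Wi-Fi settings
        ssid = (cfg.get("wifi", "ssid", fallback=None)
                or cfg.get("802-11-wireless", "ssid", fallback=None))
        key_on_disk = any(cfg.get(s, o, fallback="") for s, o in SECRET_FIELDS)
        findings.append({"file": path.name, "ssid": ssid, "key_on_disk": key_on_disk})
    return findings

def demo():
    """Audit three constructed keyfiles written to a temporary directory."""
    samples = {
        "TheBensonsHouse.nmconnection":
            "[connection]\nid=TheBensonsHouse\ntype=wifi\n"
            "[wifi]\nssid=TheBensonsHouse\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-sample-key\n",
        # psk-flags=1: the key is held by the user's secret agent, not this file
        "Volcano_Coffee_staff.nmconnection":
            "[connection]\nid=Volcano_Coffee_staff\ntype=wifi\n"
            "[wifi]\nssid=Volcano_Coffee_staff\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\npsk-flags=1\n",
        "Wired.nmconnection": "[connection]\nid=Wired\ntype=ethernet\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit_profiles(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result from `audit_profiles()` on the real directory (run as root) is what you want to see before the laptop leaves your hands; any remaining entry also reveals the network name, even when the key is not in the file.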

Changing the Wi-Fi settings. This method is fiddly, but reliable and not too difficult technically. After getting rid of a device, change your Wi-Fi network password and update the settings on all your other devices. The fewer devices you have, the less trouble, of course. Always use strong, long passwords. And when you change one, generate a password randomly rather than just adding a number or letter at the end. Kaspersky Password Manager, included in a Kaspersky Premium subscription, will help you do this. In the Wi-Fi settings, select WPA2 or WPA3 encryption.

Strict access control. Every Wi-Fi-connected device has its own network access rights. For office and well-configured home networks, managing Wi-Fi access rights at the device level will help — your Wi-Fi router must support these settings. Configure your router so that any unknown or newly connected device is completely isolated and prohibited from accessing the internet or any device on your home network until you explicitly allow it to do so. When discarding or selling a device, be sure to isolate it in the router settings — not just remove it from the list. Then, even if attackers try to connect to the router through stolen credentials, no access will be granted.
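The reason to isolate a discarded device rather than delete it from the list shows up when you watch who joins the network. The added example below (not from the original post, and not Kaspersky code) reads a DHCP lease list and raises an alert for any device that is unknown or marked as retired; the inventory, the lease lines and the dnsmasq lease layout are assumptions made for the illustration.

```python
import re

# Constructed inventory: every device ever allowed on the network and its state.
# A "retired" device (sold, recycled, thrown away) stays listed so that it stays
# blocked. MAC addresses come from the documentation range 00:00:5e:00:53:xx.
INVENTORY = {
    "00:00:5e:00:53:01": ("Alex's laptop", "allowed"),
    "00:00:5e:00:53:02": ("living-room TV", "allowed"),
    "00:00:5e:00:53:03": ("old office printer", "retired"),
}

# Constructed sample in the dnsmasq lease-file layout (an assumption about the
# router): expiry-epoch, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1700003600 00:00:5E:00:53:01 192.168.1.20 alex-laptop 01:00:00:5e:00:53:01
1700003700 00:00:5e:00:53:03 192.168.1.37 * *
1700003800 de:ad:be:ef:00:01 192.168.1.52 android-7f3 *
truncated line
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")


def is_randomized(mac):
    """True if the locally administered bit is set (typical of private MACs)."""
    return bool(int(mac[:2], 16) & 0x02)


def review_leases(text, inventory=INVENTORY):
    """Return an alert for every lease not held by an allowed device."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # skip blank or malformed lines
        mac = fields[1].lower()
        if not MAC_RE.fullmatch(mac):
            continue
        name, state = inventory.get(mac, (fields[3], "unknown"))
        if state == "allowed":
            continue
        alerts.append({
            "mac": mac, "ip": fields[2], "name": name, "state": state,
            # A retired device that reappears means its stored settings, or its
            # MAC address, are being used by someone else: treat it as urgent.
            "severity": "high" if state == "retired" else "review",
            "randomized_mac": is_randomized(mac),
        })
    return alerts


if __name__ == "__main__":
    for alert in review_leases(SAMPLE_LEASES):
        print(alert)
```

An unknown device with a randomized MAC is often one of your own phones using a private address, which is why it is marked for review and not treated like the reappearing retired printer.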

A simple option for Wi-Fi access control. For those who find the previous method a bit too complicated, we recommend our smart home security guide, which takes a detailed look at how to properly configure home Wi-Fi and segment it for different categories of devices: computers, smartphones, smart home gadgets, and guest devices. To protect your home Wi-Fi from outsiders, we recommend the Devices on My Network feature in Kaspersky Premium. At first launch, the feature automatically maps your home network and identifies the name and type of each device, after which it continuously monitors the network for the appearance of “strangers” and warns you if a new unknown device pops up. If something in the list looks out of place, you can investigate and take action: from changing your Wi-Fi password to disabling unknown devices. And Kaspersky Premium will guide you through the process.


#WiFi #hacking #recycled #printers #computers #smarthome #equipment

In our previous post, we discussed privacy concerns regarding the new Twitter alternative from Mark Zuckerberg, how much data the Threads app collects (hint: it’s a lot), how the social network operates (it’s a little unusual), whether it’s worth creating a profile for those who already have an Instagram account, and whether you should rush to create one if you don’t have one already (no need to rush, actually).

In this post, I’ll be talking about what you can set up (and where) to make Threads more private and secure.

Where to find the privacy and security settings in the Threads app

Let’s start with the privacy and security settings that you can find within the application itself. Actually, that should be applications in the plural. Since the Threads social network is an extension of Instagram, they share some of the same settings. But that’s not all. In total, Threads settings can be found in three different places:

  • Some of them can be found within the Threads app itself.
  • A more comprehensive list of settings is available in the Instagram app (however, they aren’t regular Instagram settings, and can only be accessed from Threads).
  • Finally, some settings are located in the Meta Accounts Center.

Confused yet? That’s normal — there are lots of things about Threads that are pretty confusing.

Threads settings exist in three places: in the Threads app, the Instagram app, and the Meta Accounts Center. So convenient!

Now let’s explore the useful settings you can find in these three sections.

How to restrict other users from interacting with you in Threads

Let’s start with the different levels of privacy protection against other Threads users. Just like Instagram, Threads offers several settings options that allow you to restrict other users’ visibility and access to your posts and comments, as well as hide their content from you (say, in case you find their content uninteresting, or they begin to bother you for some reason).

All the options discussed below can be found directly in the Threads app. To access them, go to your profile by tapping the icon with a little person in the lower right corner, then click on the button with two dashes in the upper right corner. This takes you to the Threads settings.

How to get to the Threads app settings


Muted users

The app allows you to mute users. With this setting, you won’t see posts from this profile in your feed, nor will you see their responses to your posts. Meanwhile, the owner of the profile won’t know that you’ve muted them.

By the way, this muted user doesn’t have to be your friend (that is, a follower or someone you follow) — you can mute anyone. To mute someone, go to their profile, tap the three-dots icon in the upper right corner, and select Mute.

How to mute a user in Threads


Keep in mind that your lists of muted profiles in Threads and Instagram are not linked to each other.

To find your list of muted users in Threads, go to Settings -> Privacy -> Muted. From there, you can also unmute someone (muting can only be done on that user’s profile).

How to unmute a user in Threads


Restricted accounts

You can also restrict users. In this case, you’ll no longer receive notifications when the restricted user likes your posts, replies to them, forwards or links to them. The profile owner won’t know you’ve restricted them. Again, you can restrict a user regardless of whether they’re your friend or not.

The list of restricted accounts is shared between Threads and Instagram — if you restrict someone in one app, they’ll automatically be restricted in the other.

How to restrict users in Threads


To restrict a user, go to their profile, find the icon with three dots in the upper right corner, and then click on Restrict.

To view the list of restricted users, go to Settings -> Privacy -> Other privacy settings -> Restricted accounts. On this tab, you can remove users from the list or add new ones using the search function.

How to remove or add a user to the restricted list in Threads


Blocked accounts

Now let’s move on to more drastic measures. In Threads, you can block users. After blocking, they won’t be able to find your content or profile on the social network. Just like with Twitter, Threads won’t notify the user about the block. And, as with the previous options, you can block anyone — not just your friends. The list of blocked users is shared between Threads and Instagram.

How to block a user in Threads


To block someone, go to their profile, click on the three dots in the upper right corner and select Block.

The list of blocked profiles can be found in Settings -> Privacy -> Blocked profiles. Here, you can also unblock a user or add someone to the blocked list by clicking on the “+” in the upper right corner.

How to remove or add a user to the blocked list in Threads


Private profile and access only for followers

Finally, if you’re completely fed up with bots and trolls, you can make your profile private. After doing so, only those who are following you will be able to see your posts, and you can carefully filter the list of your friends to ensure your privacy.

This level of privacy might not be quite in the spirit of microblogging platforms, but it will certainly give you a break from interacting with annoying individuals.

How to make your Threads profile private


Making your profile private is very easy: go to Settings -> Privacy and toggle the switch next to Private profile. A few lines further down you can find the Profiles you follow section. Go into it, select the Followers tab, and carefully edit the list — removing any suspicious individuals.

How to edit the list of your followers in Threads


Finally, it’s important to note that private profiles in Threads and Instagram are configured independently of each other.

Other privacy settings in Threads

There are a few more settings inside the Threads application that might be useful.

Here are the options available under Settings -> Privacy, and what you can configure with them:

  • Mentions. Here, you can set who can mention you in posts — that is, link to your profile using the “@” symbol followed by your username.
  • Hidden words. In this section you can filter offensive language in responses to your posts. You can use automatic filtering with built-in lists, or add specific words and phrases that are relevant to you. These options are synchronized across Threads and Instagram — if you enable them in one app, they’ll apply to the other as well.
  • Hide likes. With this setting, you can choose whether the like count will be displayed next to your posts. Note that this is another shared setting that applies to both Threads and Instagram.

Another useful setting is located in Settings -> Notifications. Just like Facebook and Instagram, Threads allows you to flexibly configure push notifications, deciding which of them the social network is allowed to send you. Currently, Threads offers a dozen separate types of notifications, along with the option to pause notifications from the app for a specific period — you can set an interval between 15 minutes and eight hours.

Notification settings in Threads


There’s no option to completely disable all notifications with one button, but you can do this in your smartphone’s settings if you wish.

Security settings in Threads

Strictly speaking, there are no security settings in the Threads app itself. The security settings of all Instagram and Facebook accounts are configured from Meta’s Accounts Center. To get there, in Threads, go to Settings -> Account and select Security.

Security settings in Threads


There are quite a few settings under this tab. The most relevant ones are the following:

  • Change password. It’s pretty easy to guess that this section allows you to change your Instagram (which means Threads as well) and Facebook account passwords in the same place.
  • Two-factor authentication. This is where you set up two-factor authentication for Threads/Instagram and Facebook. Different options are available — from one-time codes being sent to your phone, to authenticator apps. I recommend the latter option, as it offers the optimal trade-off between security and convenience.
  • Where you’re logged in. This section allows you to check which devices are signed in to your Instagram and Facebook accounts. It would be wise to check this list from time to time to see if any unexpected devices have appeared and to delete old ones you no longer use.
  • Login alerts. Here you can set up notifications that will alert you when someone tries to log into your Instagram and Facebook accounts. It would make sense to enable all the notification channels and respond to the alerts ASAP.
  • Security Checkup. This menu item takes you to a window presenting the key security-related information about your Threads/Instagram or Facebook account. Here you can look up your linked e-mails and phone numbers (and change them if they're no longer available), the date you last changed your password, and whether two-factor authentication is on or not.

Facebook or Threads/Instagram account security checkup

Technically, you can configure all the same things under other settings. This window, however, offers the convenience of doing it all from the same place.

Other privacy settings in Threads

Let’s now take a look at the measures limiting the amount of data Threads collects about you and thus protecting your privacy — not from other users of the platform but from its owners. And we’re going to do this in the settings, of course — not those of the app itself but in your OS.

iOS users should begin by checking that their iPhone or iPad is configured to deny apps permission to track their actions across other companies’ apps and websites. Apple rolled out this feature back in iOS 14.5. We’ve already discussed some details on its design, purpose, and proper setup.

You can set this up in iOS in Settings -> Privacy & Security -> Tracking. Best of all is to completely disable Allow Apps to Request to Track.

Disabling app tracking in iOS


Another thing to be set up is the app permissions. Threads requests a few of them already, whereas its parent, Instagram — considerably more. Permissions in both should be limited. Pay attention to the following in particular:

  • Access to microphone and camera. I personally prefer not to give these permissions at all.
  • Access to location services. Either permit it only when using the app (if you like adding geotags), or disable it altogether.
  • Access to photos and videos. For iOS, the best option is Selected Photos, which enables the app to access only the photos you intend to post in it. As far as I know, Android provides no such option, so you either permit access to photos or stick with not posting any. Not a bad option in fact, if you only intend to view other people’s posts.
  • Background app refresh. If you disable this one, apps won’t be able to operate in the background, which is good. Even if you’re not concerned with how much information about you they collect, this option greatly reduces the amount of data the apps keep streaming to their servers, thus saving your internet traffic and battery charge. The option is available both in iOS and Android.

Setting up Threads and Instagram permissions in iOS

You should also think about whether you really need all those endless social network notifications. I personally like to keep them completely off, so I am not distracted by random likes under my photos or posts. I prefer interacting with my apps when I want to and have time for it — not when they choose to bother me with yet another notification.

To disable all notifications from Threads in iOS, go to Settings -> Notifications, find the app in the list and deactivate Allow Notifications. In Android, the menu items will be different depending on device version and vendor, but the feature will be placed in a similar location.

Completely disabling Threads notifications in iOS


Deleting your Threads account

You might have heard that your Threads account cannot be deleted. That’s kind of true; the thing is, Threads accounts don’t exist, so it’s quite tricky to delete something that’s not there. You sign in to Threads using your Instagram account, based on which your Threads user profile is created. Thus, you don’t have to make up a new password, or even type it: your login and password will be automatically copied over from Instagram.

But you cannot delete your Threads profile either: to wipe it you have to completely delete your parent Instagram account. But your Threads profile can be deactivated: once you do that, all your data will be concealed from other users of the social network. So, in practical terms, it’s not much different from deletion.

To do this, go to Settings -> Account -> Deactivate profile and press Deactivate Threads profile.

Deleting (deactivating) your Threads profile

Threads profile deactivation is effectively the same as deletion

Password is the staff of life

The fact that your Instagram account data is now used for two social networks instead of one has an important consequence: your login and password are now twice as important. So now your Instagram account needs to be properly protected against takeover more than ever. Do the following:

  • Use a password that’s both unique and strong. In general, strong means long — at least 12 characters. You can generate a good password using our Kaspersky Password Manager, which also doubles as secure password storage, lest you forget your password.
  • Enable two-factor authentication. It’s best to use one-time codes from the app. By the way, our Kaspersky Password Manager now features a built-in authenticator.


#set #privacy #security #Threads
