Major Security Flaws Found in Satellite Communications

Researchers from UC San Diego and the University of Maryland revealed that nearly half of geostationary satellite signals transmit unencrypted data, exposing sensitive communications from telecom networks, military operations, and critical infrastructure[^1].

Using just $800 in off-the-shelf equipment - a satellite dish, roof mount, motor and tuner card - the team intercepted vast amounts of unprotected data over three years from their San Diego location[^7]. Their findings included:

• T-Mobile cellular network traffic, including over 2,700 phone numbers and one-sided call/text content captured in just 9 hours[^7]
• U.S. military vessel communications and Mexican military/law enforcement data, including helicopter locations and narcotics intelligence[^7]
• Critical infrastructure communications from power grids and offshore oil platforms[^4]
• In-flight WiFi data from 10 different airlines[^7]

"It just completely shocked us. There are some really critical pieces of our infrastructure relying on this satellite ecosystem, and our suspicion was that it would all be encrypted," said Aaron Schulman, UCSD professor who co-led the research[^7].

After being notified, some companies like T-Mobile quickly added encryption, while others, including certain U.S. critical infrastructure operators, have yet to secure their systems[^4].

The researchers estimate they accessed only 15% of global satellite transponders from their single location, suggesting the vulnerability's true scope is far larger[^7]. Johns Hopkins professor Matt Green noted: "The fact that this much data is going over satellites that anyone can pick up with an antenna is just incredible"[^7].

[^1]: SATCOM Security [^4]: Security Affairs - Unencrypted satellites expose global communications [^7]: Wired - Satellites Are Leaking the World's Secrets: Calls, Texts, Military and Corporate Data

Hello everyone, what is your go-to password manager? What would you suggest for friends and family that aren't very tech savvy?

I'm not that knowledgeable on networking, but I do remember that if a device is connected to a wired network, it can end up receiving packets not meant for it because switches will flood all the ports for packets they don't know how to route. But I also heard that Wi-Fi is supposedly smarter than that and a device connected to it should never receive a packet not meant for it.

Is this true? And in practice, does this mean it's preferable should keep computers with invasive operating systems (which might decide to record foreign packets sent to it in its telemetry) on Wi-Fi instead of on the wired network?

Also, how exactly does Wi-Fi prevent devices from receiving the wrong packets when it's a radio based system and any suitable antenna can receive any Wi-Fi signal? Does each device get assigned a unique encryption key and so is only capable of decrypting packets meant for it? How secure is it actually?

cross-posted from: https://lemmy.zip/post/50937777

According to Microsoft's documentation, a user can only change the setting to enable or disable the new People section three times a year.

In the forum, I saw a couple of people suggesting,

1. Syncthing (But Syncthing for Android is dead, AFAIK)
2. USB stick
3. Cloud storage

Please suggest if there are any alternatives. Or what is the option that you're using.

cross-posted from: https://lemmy.zip/post/50937678

https://archive.md/QMvAI

With just $800 in basic equipment, researchers found a stunning variety of data—including thousands of T-Mobile users’ calls and texts and even US military communications—sent by satellites unencrypted.

Banning online anonymity tools like Tor won’t stop crime. It will only drive people underground and normalize government control over the internet

“You are not the customer, you are the abandoned carcass. The real customer is the market that trades in your future behaviour.” - Shoshana Zuboff

Zuboff’s The Age of Surveillance Capitalism has been on my list for a long time - finally diving in. It’s unsettling, brilliant, and painfully relevant. I wrote a short piece distilling her core message and what it means for digital freedom today.

Please share with friends and family who are being a bit slow to up their privacy game 😁

Found this AI art block list recently and thought I would share it with you guys. It definitely comes in handy!

Over the past few years I have gone through a bunch of different apps and protocols to find the best one for "securely" communicating with my family and friends.

I ended up with the amazing XMPP protocol and my family/friends frequently use its clients to contact me.

Monal for IOS and Cheogram/Conversations/Quicksy for Android. The android app I install depends on if I can get F-Droid on their phone or not.

It's been great with OMEMO encryption and the clients/apps available for XMPP. But sometimes I have issues introducing people to it.

Jabber (friendly name for xmpp) sounds silly to say. The clients all have weird names. And after trying the Signal mobile app it feels more focused than what anyone in the XMPP community has whipped up.

But the capabilities of XMPP makes it better.

Signal Cons (immediete)

• Centralized
• Single app
• Phone numbers

XMPP/Jabber Cons

• Picking server
• Apps are sort of less friendly

What really scares me about Signal is the centralization. Any nerd can easily host an XMPP server these days. But Signal from what I've heard really wants us to use their server.

If XMPP gets more attention I'm sure we can get people supporting projects and creating better apps.

I keep seeing people recommended Signal instead.

This is a bit of a tired ramble. What I wanna know is why anyone is preferring Signal over XMPP apps. I assume it might be not knowing about it. Tell me what you use to message people.

This makes a world of difference. I know many people may know of it but may not actually do it. It Protects your files in case your computer is ever stolen and prevents alphabet agencies from just brute forcing into your Laptop or whatever.

I found that Limine (bootloader) has the fastest decryption when paired with LUKS at least for my laptop.

If your computer isn't encrypted I could make a live USB of a distro, plug it into your computer, boot, and view your files on your hard drive. Completely bypassing your Login manager. If your computer is encrypted I could not. Use a strong password and different from your login

Benefits of Using LUKS with GRUB Enhanced Security

• Data Protection: LUKS (Linux Unified Key Setup) encrypts disk partitions, ensuring that data remains secure even if the physical device is stolen.
• Full Disk Encryption: It can encrypt the entire disk, including sensitive files and swap space, preventing unauthorized access to confidential information.

Compatibility with GRUB

• Unlocking from Bootloader: GRUB can unlock LUKS-encrypted partitions using the cryptomount command, allowing the system to boot securely without exposing sensitive data.
• Support for LVM: When combined with Logical Volume Management (LVM), LUKS allows for flexible partition management while maintaining encryption.

"The problem in a nutshell. Surveillance agency NSA and its [UK counterpart] GCHQ are trying to have standards-development organizations endorse weakening [pre-quantum] ECC+PQ down to just PQ."

Part of this is that NSA and GCHQ have been endlessly repeating arguments that this weakening is a good thing... I'm instead looking at how easy it is for NSA to simply spend money to corrupt the standardization process.... The massive U.S. military budget now publicly requires cryptographic "components" to have NSA approval... In June 2024, NSA's William Layton wrote that "we do not anticipate supporting hybrid in national security systems"...

[Later a Cisco employee wrote of selling non-hybrid cryptography to a significant customer, "that's what they're willing to buy. Hence, Cisco will implement it".]

What do you do with your control over the U.S. military budget? That's another opportunity to "shape the worldwide commercial cryptography marketplace". You can tell people that you won't authorize purchasing double encryption. You can even follow through on having the military publicly purchase single encryption. Meanwhile you quietly spend a negligible amount of money on an independent encryption layer to protect the data that you care about, so you're actually using double encryption.

So I just started messing around with the settings in my windows and account tied to it. And good Lord, this thing's just as bad as Android. 😒 ? The thing is literally saving all my inquiries and everything to my Microsoft account. I can't even turn off some of these features as far as trying to stop them. Many privacy settings are also buried all over the place. When did this happen?

You're welcome I'll share even better books later.

Obviously a lot of people here hide a lot of information. What is keeping you all from extreme stress considering the possibility that a government is spying on your actions despite strict privacy practices? Considering my current situation and my extreme threat model it feels like the privacy walls around me are closing in. I'm very paranoid. I do a lot of risky and dangerous shit on the internet. Every knock on my door and phone call feels like the police. I don't talk with others about what I do and I'm always hiding my internet activity from others. Any thoughts would be helpful

After making a post about comparing VPN providers, I received a lot of requested feedback. I've implemented most of the ideas I received.

Providers

• AirVPN
• IVPN
• Mozilla VPN
• Mullvad VPN
• NordVPN
• NymVPN
• Private Internet Access (abbreviated PIA)
• Proton VPN
• Surfshark VPN
• Tor (technically not a VPN)
• Windscribe

Notes

• I'm human. I make mistakes. I made multiple mistakes in my last post, and there may be some here. I've tried my best.
• Pricing is sometimes weird. For example, a 1 year plan for Private Internet Access is 37.19€ first year and then auto-renews annually at 46.73€. By the way, they misspelled "annually". AirVPN has a 3 day pricing plan. For the instances when pricing is weird, I did what I felt was best on a case-by-case basis.
• Tor is not a VPN, but there are multiple apps that allow you to use it like a VPN. They've released an official Tor VPN app for Android, and there is a verified Flatpak called Carburetor which you can use to use Tor like a VPN on secureblue (Linux). It's not unreasonable to add this to the list.
• Some projects use different licenses for different platforms. For example, NordVPN has an open source Linux client. However, to call NordVPN open source would be like calling a meat sandwich vegan because the bread is vegan.
• The age of a VPN isn't a good indicator of how secure it is. There could be a trustworthy VPN that's been around for 10 years but uses insecure, outdated code, and a new VPN that's been around for 10 days but uses up-to-date, modern code.
• Some VPNs, like Surfshark VPN, operate in multiple countries. Legality may vary.
• All of the VPNs claim a "no log" policy, but there's some I trust more than others to actually uphold that.
• Tor is special in the port forwarding category, because it depends on what you're using port forwarding for. In some cases, Tor doesn't need port forwarding.
• Tor technically doesn't have a WireGuard profile, but you could (probably?) create one.

Takeaways

• If you don't mind the speed cost, Tor is a really good option to protect your IP address.
• If you're on a budget, NymVPN, Private Internet Access, and Surfshark VPN are generally the cheapest. If you're paying month-by-month, Mullvad VPN still can't be beat.
• If you want VPNs that go out of their way to collect as little information as possible, IVPN, Mullvad VPN, and NymVPN don't require any personal information to use. And Tor, of course.

ODS file: https://files.catbox.moe/cly0o6.ods

IMPORTANT NOTE - READ FIRST:

This is still a work-in-progress and a close-source project (This is what a honeypot would look like). To view the open source MVP version see here. NONE of my projects have been audited or reviewed. I provide them for testing and demo purposes only. NOT to replace your current messaging app (or any other app you use).

BE RESPONSIBLE WHEN USING UNAUDITED SOFTWARE... DO NOT USE FOR SENSITIVE PURPOSES.

Now that I've hit you over the head with caution...

Want to send encrypted WebRTC messages and video calls with no downloads, no sign-ups and no tracking?

This prototype uses WebRTC to establish an encrypted browser-to-browser connection. Everything is ephemeral and cleared when you refresh the page - true zerodata privacy!

Check out the pre-release demo here.

• Website: https://positive-intentions.com/
• Mastodon: https://infosec.exchange/@xoron

I'm turning 41, but I don't feel like celebrating.

Our generation is running out of time to save the free Internet built for us by our fathers.

What was once the promise of the free exchange of information is being turned into the ultimate tool of control.

Once-free countries are introducing dystopian measures such as digital IDs (UK), online age checks (Australia), and mass scanning of private messages (EU).

Germany is persecuting anyone who dares to criticize officials on the Internet. The UK is imprisoning thousands for their tweets. France is criminally investigating tech leaders who defend freedom and privacy.

A dark, dystopian world is approaching fast - while we're asleep. Our generation risks going down in history as the last one that had freedoms -and allowed them to be taken away.

We've been fed a lie.

We've been made to believe that the greatest fight of our generation is to destroy everything our forefathers left us: tradition, privacy, sovereignty, the free market, and free speech.

By betraying the legacy of our ancestors, we've set ourselves on a path toward self-destruction - moral, intellectual, economic, and ultimately biological.

So no, I'm not going to celebrate today. I'm running out of time. We are running out of time.

Let's imagine we live in a world the American government is not the American government so you can trust what American companies say when they talk about protecting your privacy and so on...

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.

I can really recommend Digitalcourage and the event. I am not directly involved.

I made a spreadsheet comparing different open source VPN providers.

Part 2 here

Providers

• IVPN
• Mozilla VPN
• Mullvad VPN
• NymVPN
• Proton VPN

Notes

• Please do not start a flame war about Proton.
• Please do not start a flame war about cryptocurrencies. Monero is the only cryptocurrency listed because of its privacy.
• The very left column is the category for each row, the middle section is the various VPN providers, and the right section is which VPNs are the best in each category.
• IVPN has two differing plans, which is why "Standard" and "Pro" are sometimes differentiated.
• For accounts, "Generated" means a random identifier is created for you to act as your account, "Required" means you must sign up yourself. Proton VPN allows guest use under specific conditions (e.g. installed from the Google Play Store), but otherwise requires an account.
• Switzerland is seen as more private than Sweden. Gibraltar is seen as privacy neutral.
• All prices are in United States Dollars. Tax is not included.
• Pricing is based on the price combination to achieve the exact time frame. For example, Proton VPN does not have a 3 year plan but you can achieve 3 years by combining a 2 year plan with a 1 year plan.
• The availability section is security based. Availability is framed around a GrapheneOS and secureblue setup.
• The Proton VPN Flatpak is unofficial, but based on the official code.
• Availability on secureblue is based on the ujust install-vpn command. Security features must be disabled on secureblue in order to use the GUI for IVPN and Mullvad VPN, but not for Proton VPN. Mozilla VPN and NymVPN are available as Flatpaks, which are safer than layering packages.
• I wanted to include more categories, such as which programming languages they are written in, connection speed, and security, but that became far too difficult and complex, so I decided to omit those categories.

Takeaways

• NymVPN is very very new, but it's off to a strong start. It wins in almost every category. I actually hadn't heard of it until I started this project.
• If you want a free VPN, Proton VPN is the only one here that meets that requirement.
• If you want to pay week-by-week, IVPN is the only one that allows that.
• If you're paying month-by-month on a budget, Mullvad VPN is the cheapest option.
• NymVPN is the cheapest plan for anything past 1 month.
• If you want to use Accrescent as your main app store, IVPN is the only VPN available there for now.
• If you want to pay for a bundle of apps, including a VPN, Proton sells more than just a VPN.
• Mozilla VPN is terrible. The only thing it has going for it is a verified Flatpak, but NymVPN also has that so it doesn't even matter.