Monthly Shaarli
November, 2016
Granted, Google Public DNS, to stay with the best-known one, is reliable (it does not lie and rarely goes down), but Google being Google, using it hands them every DNS query leaving your machines, which is more or less your entire activity on the net. They tell us they do not do much with the collected data, in particular that they do not cross-reference it with what they already hold through your Google account. On that point we can only take their word for it. Moreover, sensitive data is collected all the same (among other things: the AS, roughly your ISP, and the geographic region). Note that on this point it looks like anything goes at Cisco (if I found the right document). In short, let's look at what such metadata gives with Unbound (by enabling the log-queries option)
The Investigatory Powers Act formally legalizes a number of mass surveillance programs revealed by Edward Snowden. Civil liberties campaigners say it's one of the most extreme surveillance laws in any…
AMP is Google’s attempt to re-fight the transcoding wars of the early 2000s. It is actively dangerous to the web ecosystem, helps disseminate propaganda, and is disliked by many users. If, li…
It lights you up like a Vegas casino, says compsci boffin
But financials are just a small part of what makes Facebook so powerful. Here are some ways it dominates human attention:
- More than one billion people use Facebook each day. 1/4 of all time spent on the internet is spent using Facebook.
- For many people, Facebook is the internet. It’s the first place most people go to announce weddings, births, deaths, and other major life events.
- Facebook is increasingly the place where people consume other forms of media.
Uber recently updated its Terms of Use, and it is outright unethical and grossly violates users’ right to their own data. This is what it says: Any User Content provided by you remains your property. However, by providing User Content to Uber, you grant Uber a worldwide, perpetual, irrevocable…
"In a few steps they were able to make votes for one candidate count as votes for a rival"...
According to the New York Times's sources, Facebook is currently working on a tool that would block certain content from appearing on a geographic basis....
Moral dilemmas that lodge themselves in lines of code
A contraction of the Greek words for "all" and "see" and the English word "network", Panoptinet is a website that gives individuals many resources for securing their Internet access: news, theory sheets, practical guides, technical documentation, tools, etc. Owning a personal network, especially a WiFi one, calls for some knowledge and a minimum of security. That is why Panoptinet's approach is centred on information, education and personal responsibility.
Your call logs get sent to Apple’s servers whenever iCloud is on — something Apple does not disclose.
At the end of August, WhatsApp announced that, from now on, some of its users' data would be shared with its parent company, namely Facebook. Two months and...
In the wake of one of the most tumultuous election cycles in recent memory, many people are criticizing social media outlets – namely Facebook –...
Apps like WhatsApp and Telegram are the latest to face crackdowns, a new report says. Two-thirds of Internet users live in countries that censor criticism of the government, military or rulers.
Earlier this year, an accused crack cocaine dealer wanted to know how he was identified as a suspect in an undercover drug sting on the Northside. Facing a criminal trial, he deposed the detectives on his case and revealed for the first time how a controversial technology is being used by the Jacksonville Sheriff’s Office.
The uncertainty that weaves its way into your psyche while you wait can cause angst, sleepless nights and worse. Why we’re anxious about email — and what to do about it.
Microsoft acquired Xamarin in February of 2016 as part of a key strategic move designed (among other things) to help bolster Microsoft ‘Universal Windows Platform’ (UWP) technology and its cross-platform reach. So what’s it like to be acquired by Redmond and does Microsoft really get the theory behind heterogeneous open connections as it claims?
Signal is unusual because it combines cutting edge cryptography with consumer friendliness and is actually successful. It's pragmatic, not ideological. Crypto-warriors have a long history of producing secure software that nobody uses and then blaming the general public for not getting it; this sort of blog post is just a continuation of this decades long trend.
News and insights on Google platforms, tools, and events.
SMS/MMS encryption made easy
Android just keeps crushing the competition. Since its beginnings, the little green robot has been gobbling up market share with a monstrous appetite. In the third quarter of 2016,...
Take control of your data
The main goal of this project is to get PPAPI (Pepper) Flash player working in Firefox.
Do you want to stream the audio from Rhythmbox, VLC or another Linux app to your TV through Chromecast? Well, we've found a nifty little Linux tool that lets you do just that.
An exemption in a decade-old anti-hacking statute has finally kicked in, and could unleash a new bounty of security research.
If Windows 10 isn't your cup of tea, there's a new Ubuntu laptop from System76 with Intel's new Kaby Lake chip that won't burn your wallet.
The future for one of the few remaining alternative mobile OS platforms, Jolla's Sailfish OS, looks to be taking clearer shape. Today the Finnish company..
Facebook: hacktivists understood Facebook's problems a long time ago. We know centralisation is rotten. We know unilateral control of our data is crap. We know their model is the capitalist exploitation of the data we hand them for free.
And yet we are still on Facebook. Because we don't really know where else we would go, since they have a critical mass that feeds itself.
A collaborative, free and open database of ingredients, nutrition facts and information on food products from around the world
The Zuckerberg Files is an archive of all public utterances of Facebook’s founder and CEO, Mark Zuckerberg. It includes transcripts and bibliographic data of all publicly-available content from 2004-2014 representing the voice and words of Zuckerberg, including blog posts, letters to shareholders, media interviews, public appearances and product presentations, and quotes in other sources.
Fake news didn’t throw the election. It was a symptom, not a cause.
Today is a big day in the Riot world, finally releasing the very first cross-platform implementation of Matrix’s end-to-end encryption!
A lot of password rules are there simply “because we’ve always done it that way.” NIST aims to fix that, and here’s how.
At the end of the tax audit launched two years ago and covering the years 2011, 2012 and 2013, Bercy has reportedly decided to impose a tax adjustment on Apple...
Across the Channel, the operator Three officially acknowledged at the end of last week that it had been the victim of an intrusion into its system dedicated to renewals...
The partnership between the FBI and the company Dataminr gives the government agency real-time access to the 500 million messages posted on Twitter every day.
The Russian company ElcomSoft recently drew attention to the automatic backup of iPhone call histories to the iCloud account the phones are linked to....
The law forces UK internet providers to store browsing histories -- including domains visited -- for one year, in case of police investigations.
There’s no way Amazon would co-launch an exclusive flagship product that has a hidden backdoor that secretly sends all of your personal…
A security researcher has uncovered a potentially creepy feature of the popular app to discover music.
After long months spent testing its system, Facebook has just given businesses the green light to start sending "sponsored messages"...
Tips, Tools and How-tos for Safer Online Communications
Modern surveillance programs would be a disaster under President Trump
The difference between microG and OpenGApps
Pornhub Bypasses Ad Blockers With WebSockets
TLDR: Watch the BugReplay Recording of Pornhub dodging AdBlock
(NSFW level: medium)
We tried to find the most PG page on MindGeek’s network to use as an example- it wasn’t easy.
When I was building the prototype for BugReplay, I was evaluating different methods of capturing and analyzing network traffic from Chrome. One of the first things I saw that looked promising was the chrome.webRequest API.
From the docs: “Use the chrome.webRequest API to observe and analyze traffic and to intercept, block, or modify requests in-flight.”
That seemed to be exactly what I needed.
After experimenting with the Chrome webRequest API, I quickly realized there was a big problem. It didn’t allow me to analyze any WebSocket traffic, something I really wanted to support.
As I was searching the web trying to see if I was misreading the documentation or was looking in the wrong spot, I found a relevant bug report from 2012: “chrome.webRequest.onBeforeRequest doesn’t intercept WebSocket requests.”
In the bug report, users were complaining that without the ability to block WebSockets, websites could get around ad blockers fairly easily. If WebSocket data was not visible to Chrome extensions via the webRequest API, they could not be blocked without some heavy duty hacks.
Initially, the risks to ad blockers seemed theoretical; the examples of sites that were employing this technique were very obscure. Then in August 2016, an employee of the company that owns Pornhub.com (MindGeek) started arguing against adding the WebSocket blocking capabilities to the Chrome API. Pornhub is the 63rd most visited site on the Internet according to Alexa. I checked out a few of MindGeek’s sites and sure enough, I could see ads coming through even though I had Adblock Plus on. The ads on Pornhub are marked ‘By Traffic Junky,’ which is an ad network owned by MindGeek.
In the screenshot below, you can see a banner at the top of the page announcing that the site is aware that the user is using an Ad Blocker, with an invitation to subscribe to a premium ads free version of the site. On the right side of the page you can see an advertisement.
How They Do It
When you visit Pornhub.com, it tries to detect if you have an ad blocker. If it detects one, it opens a WebSocket connection that acts as a backup mechanism for delivering ads.
Watching the BugReplay browser recording, you can see a number of network requests triggered that are blocked by AdBlock: They are marked Failed in the network traffic, and if you click one to inspect the detail pane you can see the failed reason is net::ERR_BLOCKED_BY_CLIENT. That is the error reported by Chrome when an asset is blocked from loading.
You can find the WebSocket frames individually in the network panel or just look at the WebSocket create request which has links to all the individual frames. The name of the domain where the WebSocket connects is “ws://ws.adspayformy.site.” A decent joke aimed at ad blockers :)
When the WebSocket loads, the browser sends a frame with a JSON encoded payload for each of the spots it has available for ads.
Checking out one of the WebSocket frames, you can see in the frame data the advertisement data is sent back with:
The zone_id 13, for where the JavaScript should place the ad.
The media_type image, so the page knows what kind of element to create (most of the ads are videos, I picked an image for this post because it was relatively tame).
The image itself, transmitted base64-encoded so it can be reconstructed using the data URI scheme.
An “img_type” (“image/jpeg”) to pass to the data URI.
Ad Blockers primarily work using the webRequest API, so constructing the ad by transmitting the data over the WebSocket as base64 is a pretty clever way of dodging the blocker.
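The delivery path above, as an added example that is not Pornhub's, Traffic Junky's or BugReplay's code: the page-side handling of one ad frame, modelled on the four fields the post lists. The JSON layout, the validation rules, the descriptor shape and the zone element naming are assumptions; the sample frame is constructed (a 1x1 GIF, so img_type is image/gif rather than the image/jpeg seen in the real frame). The point the code makes is that after the socket is open nothing is ever fetched by URL: the bytes arrive as text and become a data: URI inside the document, so there is no request for a webRequest listener, and therefore no URL-based filter list, to match.

```javascript
// Added example, not code from the page or the ad network. Constructed sample frame:
// a 1x1 GIF, base64-encoded, in the field layout the post describes.
const SAMPLE_FRAME = JSON.stringify({
  zone_id: 13,
  media_type: "image",
  img_type: "image/gif",
  image: "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7",
});

// What the browser sends when the socket opens: one request per available ad slot
// (assumed shape; the post only says there is one frame per spot).
function slotRequests(zoneIds) {
  return zoneIds.map((id) => JSON.stringify({ zone_id: id }));
}

// Parse and validate a frame. Only image frames are modelled; the checks are ours.
function parseAdFrame(text) {
  const f = JSON.parse(text);
  if (!Number.isInteger(f.zone_id)) throw new Error("bad zone_id");
  if (f.media_type !== "image") throw new Error("only image frames are modelled here");
  if (typeof f.img_type !== "string" || !/^image\/[\w.+-]+$/.test(f.img_type)) {
    throw new Error("bad img_type");
  }
  if (typeof f.image !== "string" || !/^[A-Za-z0-9+/]+={0,2}$/.test(f.image)) {
    throw new Error("image is not base64");
  }
  return f;
}

// The reconstruction step: the bytes never leave the document, so no request is made.
function toDataUri(frame) {
  return `data:${frame.img_type};base64,${frame.image}`;
}

// Raw bytes, useful for checking what was actually delivered (magic bytes, size).
function decodeImage(frame) {
  return Buffer.from(frame.image, "base64");
}

// The element the page script would create, as a plain descriptor so this runs
// without a DOM. "zone_<id>" as the slot element id is an assumption.
function buildAdDescriptor(frame) {
  return { zone: `zone_${frame.zone_id}`, tag: "img", src: toDataUri(frame) };
}

// In a browser this is the final step; under Node (no document) it just returns
// the descriptor so the rest of the module stays testable.
function renderAd(frame, doc = typeof document !== "undefined" ? document : null) {
  const d = buildAdDescriptor(frame);
  if (!doc) return d;
  const el = doc.createElement(d.tag);
  el.src = d.src;
  (doc.getElementById(d.zone) || doc.body).appendChild(el);
  return d;
}
```

The ad-blocker detection that precedes the socket is not modelled, since it needs a DOM (typically a bait element whose class names match common filter rules). What remains is enough to see why a filter on ws.adspayformy.site had no effect in 2016: the only URL in play is the WebSocket URL itself, and that one was invisible to webRequest.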
What’s next
On October 25th, 2016, there was some new activity on the Chromium ticket. A contributor wrote a patch adding the ability to block WebSockets using the webRequest api. If it’s accepted, it will eventually wind up in Chrome stable.
When or if that rolls out, the ad blocker extension writers can choose to remove the hacks for users of the latest Chrome, leaving content providers like Pornhub to figure out their next move in the ad blocking war.
Update
Since I started looking into this, AdBlock Plus and uBlock Origin have shipped workarounds to block this technique. AdBlock and others still do not.
For AdBlock Plus, “The wrapper performs a dummy web request before WebSocket messages are sent/received. The extension recognizes these dummy web requests as representing a WebSocket message. It intercepts and blocks them if the corresponding WebSocket message should be blocked. The WebSocket wrapper then allows / blocks the WebSocket message based on whether the dummy web request was blocked or not.” via
For uBlock Origin, they shipped a workaround that has the “ability to foil WebSocket using a CSP directive.”
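The AdBlock Plus wrapper quoted above, as an added example that is not the extension's code: a WebSocket constructor wrapper that consults a "dummy request" before opening a socket and before each send, and hands the page a socket that simply looks closed when the verdict is block. The filter list, the probe function, the FakeWebSocket stand-in and the wrapper's exact behaviour on block are assumptions; in the real extension the probe is an HTTP request the extension's own webRequest listener sees and cancels, and the wrapper reads that failure as the verdict.

```javascript
// Added example modelling the dummy-request wrapper, not AdBlock Plus's code.
// Constructed filter list: hosts whose WebSocket traffic the blocker would cancel.
const BLOCKED_HOSTS = new Set(["ws.adspayformy.site"]);

// Stand-in for the dummy web request. The extension issues a real request that its
// webRequest listener cancels when the URL matches a filter; here the "request" is a
// function call returning true when that listener would have blocked it.
function probeBlocked(url, blockedHosts = BLOCKED_HOSTS) {
  const u = new URL(url);
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  return blockedHosts.has(u.hostname);
}

// Returns a WebSocket-compatible constructor. Blocked sockets are reported as closed
// (readyState 3, then onerror/onclose), which is what the page would see for an
// unreachable host, rather than throwing and revealing the wrapper.
function wrapWebSocket(RealWebSocket, isBlocked) {
  return class WrappedWebSocket {
    constructor(url, protocols) {
      this.url = String(url);
      this.onopen = this.onmessage = this.onerror = this.onclose = null;
      if (isBlocked(this.url)) {
        this.inner = null;
        this.readyState = 3; // CLOSED
        queueMicrotask(() => {
          if (this.onerror) this.onerror({ type: "error" });
          if (this.onclose) this.onclose({ code: 1006 });
        });
        return;
      }
      this.inner = new RealWebSocket(this.url, protocols);
      this.readyState = this.inner.readyState;
      for (const ev of ["open", "message", "error", "close"]) {
        this.inner["on" + ev] = (e) => {
          this.readyState = this.inner.readyState;
          if (this["on" + ev]) this["on" + ev](e);
        };
      }
    }
    // Per-message check, as the quoted description says: one dummy request per frame.
    send(data) {
      if (!this.inner || isBlocked(this.url)) return false;
      this.inner.send(data);
      return true;
    }
    close(code, reason) {
      if (this.inner) this.inner.close(code, reason);
      this.readyState = 3;
    }
  };
}

// Constructed stand-in for the browser's WebSocket: records sends, touches no network.
class FakeWebSocket {
  constructor(url) { this.url = url; this.readyState = 1; this.sent = []; }
  send(d) { this.sent.push(d); }
  close() { this.readyState = 3; }
}

// Runs the ad socket and an unrelated socket through the wrapper and reports the outcome.
function demo() {
  const WS = wrapWebSocket(FakeWebSocket, probeBlocked);
  const adSocket = new WS("ws://ws.adspayformy.site/");
  const adSent = adSocket.send(JSON.stringify({ zone_id: 13 }));
  const chatSocket = new WS("wss://chat.example/");
  const chatSent = chatSocket.send("hello");
  return {
    adBlocked: adSocket.readyState === 3 && !adSent,
    chatDelivered: chatSent && chatSocket.inner.sent.length === 1,
  };
}
```

The caveat a practitioner wants here: this wrapper has to run in the page's JavaScript context, so the page can notice it (comparing WebSocket.prototype.constructor.toString() with the native form) or simply fetch a pristine WebSocket from a freshly created iframe. That is why both the AdBlock Plus and uBlock Origin shims are described as workarounds, and why the webRequest patch on the Chromium ticket is the fix that matters.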
"Claiming that your right to a private sphere is not important because you have nothing to hide is nothing other than saying that freedom of expression is not essential because you have nothing to say."
-- E. Snowden
Disroot is a platform providing online services based on principles of freedom, privacy, federation and decentralization.
No tracking, no ads, no profiling, no data mining!
Impressive. Chrome doesn't work at all if it can't access Google services. "Don't be evil" yeah right
An Amazon.com Inc. employee was injured when he leaped off a building at the company’s Seattle headquarters in what police characterized as a suicide attempt.
Google’s attitude towards its customers is a continuing stain upon its reputation. In an ideal world, no one would ever need to contact customer services. Every step of one’s interactio…
By infecting a Tesla owner's phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.
Interior Minister Thomas de Maiziere is planning a major limitation of privacy rights in Germany, say data protection groups. Germans will no longer have the right to know what data about them is being collected.
OpenFood is a freely accessible database of the products sold in Switzerland. It is maintained by the Digital Epidemiology lab at EPFL.
Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy said on Wednesday.
For some reason, people have gotten pretty interested in mobile security lately. So let’s talk about a secure messaging app called Signal.
The president of the CNIL and of the G29 (the group of European data protection authorities) gave us, at length, her point of view on the evolution of our personal data.
Mark Zuckerberg has taped over his webcam and microphone, and uses Thunderbird
But today, someone decided to do a bit more than voice their disagreement with G. Someone decided to report to Facebook that G. was not playing by the social network's rules. And today, Facebook suspended G.'s Facebook account, cutting them off completely from many of their contacts who had no other way to interact with them day to day.
The first MacBook Pro with Touch Bar models are arriving, and if you were encouraged by the removable SSD OWC found in the entry-level machine, there’s bad news. Owners who have opened them u…
Last December, Mozilla launched Focus by Firefox, a "content blocking" app meant to lighten browsing with Safari on iOS. Barely 11 months...
Another small tremor in the world of Android security. A team of American researchers has found, in many Android phone models, a small...
poisontap - Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
If you're the maker of a popular, zero access encrypted webmail product and suddenly discover your product is no longer featuring in Google search results for..
Download apps directly from Google Play. Raccoon is the only APK Downloader that also supports paid and large apps.
When CSI meets public wifi: Inferring your mobile phone password via wifi signals Li et al., CCS 2016 Not that CSI. CSI in this case stands for channel state information, which represents the state…
Facebook has responded to widespread criticism of how its Newsfeed algorithm disseminates and amplifies misinformation in the wake of the Trump victory in the..
Be wary of the extensions you install
A free and open source Jabber/XMPP client for Android. Easy to use, reliable, battery friendly. With built-in support for images, group chats and e2e encryption.
According to a report published by the agency Zenith and based on observation of some sixty markets around the world, usage will next year cross a...
Turns out you can't trust the LED indicator light on your webcam to tell you if you're being spied upon or not.