ISPs worry a new Chrome feature will stop them from spying on you

ISPs worry a new Chrome feature will stop them from spying on you

Enlarge (credit: Thomas Trutschel/Photothek via Getty Images)

When you visit a new website, your computer probably submits a request to the domain name system (DNS) to translate the domain name (like arstechnica.com) to an IP address. Currently, most DNS queries are unencrypted, which raises privacy and security concerns. Google and Mozilla are trying to address these concerns by adding support in their browsers for sending DNS queries over the encrypted HTTPS protocol.

But major Internet service providers have cried foul. In a September 19 letter to Congress, Big Cable and other telecom industry groups warned that Google's support for DNS over HTTPS (DOH) "could interfere on a mass scale with critical Internet functions, as well as raise data-competition issues."

On Sunday, the Wall Street Journal reported that the House Judiciary Committee is taking these concerns seriously. In a September 13 letter, the Judiciary Committee asked Google for details about its DOH plans—including whether Google plans to use data collected via the new protocol for commercial purposes.

Read 18 remaining paragraphs | Comments

600,000 GPS trackers for people and pets are using 123456 as a password

Dog plush toy with tracker attached.

Enlarge (credit: Shenzhen i365 Tech)

An estimated 600,000 GPS trackers for monitoring the location of kids, seniors, and pets contain vulnerabilities that open users up to a host of creepy attacks, researchers from security firm Avast have found.

The $25 to $50 devices are small enough to wear on a necklace or stash in a pocket or car dash compartment. Many also include cameras and microphones. They’re marketed on Amazon and other online stores as inexpensive ways to help keep kids, seniors, and pets safe. Ignoring the ethics of attaching a spying device to the people we love, there’s another reason for skepticism. Vulnerabilities in the T8 Mini GPS Tracker Locator and almost 30 similar model brands from the same manufacturer, Shenzhen i365 Tech, make users vulnerable to eavesdropping, spying, and spoofing attacks that falsify users’ true location.

Researchers at Avast Threat Labs found that ID numbers assigned to each device were based on its International Mobile Equipment Identity, or IMEI. Even worse, during manufacturing, devices were assigned precisely the same default password of 123456. The design allowed the researchers to find more than 600,000 devices actively being used in the wild with that password. As if that wasn’t bad enough, the devices transmitted all data in plaintext using commands that were easy to reverse engineer.

Read 5 remaining paragraphs | Comments

Nipe – Make Tor Default Gateway For Network

Nipe – Make Tor Default Gateway For Network

Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network through which you can surf the internet anonymously without having to worry about being tracked or traced back.

Tor enables users to surf the internet, chat and send instant messages anonymously, and is used by a wide variety of people for both licit and illicit purposes.

Read the rest of Nipe – Make Tor Default Gateway For Network now! Only available at Darknet.

Silent Mac update nukes dangerous webserver installed by Zoom

Pedestrians use crosswalk in large metropolis.

Enlarge (credit: Kena Betancur/Getty Images)

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action required of end users.

Read 3 remaining paragraphs | Comments