Hasty Briefsbeta

All tags

#privacy

903 stories total

Bilingual

Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database
9 months ago
- Legal cannabis expansion in the U.S. has led to companies collecting extensive customer data.
- A security researcher found a publicly accessible database with sensitive medical and personal information of medical cannabis applicants in Ohio.
- The exposed data included medical records, mental health evaluations, physician reports, and IDs, totaling nearly a million records.
- The database likely belonged to Ohio Medical Alliance LLC (Ohio Marijuana Card), which secured the database after being contacted.
- The company did not respond to inquiries but stated they take data security seriously and are investigating.
- The database contained sensitive information such as Social Security numbers, email addresses, and medical conditions like anxiety, cancer, and HIV.
- Files in the database included PDFs, JPGs, PNGs, and a CSV with internal communications and over 200,000 email addresses.
- Misconfigured databases left publicly exposed are a recurring issue despite awareness efforts.
Show HN: GiralNet – A Privacy Network for Your Team (Not the World)
9 months ago
- GiralNet is a private, high-trust onion routing network written in Rust.
- Designed for small, trusted groups like journalists or activists.
- First stable release (v0.0.1) with full core functionality.
- High-trust security model where all node operators are personally known and vetted.
- Dynamic 3-hop circuits for traffic routing.
- Secure Directory Authority manages trusted nodes with TLS and shared secret.
- End-to-end encryption using Onion Routing and TLS.
- User-friendly TUI for setup, accessible to non-developers.
- Self-contained network infrastructure with no third-party reliance.
- Security features include TLS, AES-256-GCM, RSA, and shared secret authentication.
- Interactive setup, automatic config file creation, and Windows support.
- Requires 5 instances for full testing: 1 Directory, 3 Nodes, 1 Proxy.
- Open-source, welcoming contributions in areas like Pluggable Transports and GUI development.
- Known limitations include single Directory Server point of failure and reliance on operator trustworthiness.
- Future plans include Pluggable Transports, GUI, and decentralized discovery.
- Licensed under GNU GPL v2.0.
AnduinOS
9 months ago
- AnduinOS is a custom Ubuntu-based Linux distribution designed for ease of use and a smooth transition to Linux.
- Features a lightweight 2.0GB ISO, GNOME-based desktop, and user-friendly interface.
- Prioritizes privacy with no tracking, profiling, or targeting of users.
- Compatible with Ubuntu's apt packages, offering a blend of experience and ecosystem.
- Open-source under GPL-v3, allowing modification and redistribution.
- Uses Flatpak for graphical applications, ensuring system separation and permission control.
- Available in LTS (stable) and Standard (latest features) versions.
- Versatile usage as a daily OS, development environment, server, or learning tool.
- Praised by users for its simplicity, privacy focus, and seamless transition from Windows.
- Described as intuitive and well-designed, making Linux usage a delight.
Travel eSIMs may route traffic over Chinese and undisclosed networks
9 months ago
- Security study reveals eSIMs route user data through foreign networks without disclosure.
- Researchers found user traffic frequently passes through Chinese infrastructure regardless of location.
- eSIM providers like Holafly, Airalo, and eSIM Access were tested, showing opaque routing arrangements.
- Devices appeared to be located in China due to IP addresses from China Mobile.
- Researchers accessed region-restricted content without VPNs using eSIMs.
- Becoming an eSIM reseller is surprisingly easy, requiring only an email and payment method.
- eSIM resellers gain access to sensitive user data, including IMSI numbers and device locations.
- eSIM profiles engage in proactive communication without user knowledge, connecting to servers in Singapore and Hong Kong.
- Researchers propose enhanced transparency, regulatory frameworks, and releasing datasets for further study.
I Hacked India's Biggest Dating App (They Offered Me a $100 Gift Card)
9 months ago
- Flutrr, backed by The Times of India, has severe security flaws exposing all user data.
- No authentication checks in any API endpoints, allowing unauthorized access.
- Vulnerabilities include logging into any account, sending messages as any user, and swiping for others.
- Full user data (names, emails, phone numbers, location, etc.) is accessible to anyone.
- Account deletion and other malicious actions are possible without authorization.
- Reported vulnerabilities in November 2024, ignored until March 2025, and still unfixed by August 2025.
- Offered only a $100 Amazon gift card as compensation for critical vulnerabilities.
- Users' private data (messages, matches, profiles) is completely exposed.
- Recommendation for users to delete accounts until fixes are implemented.
Home Depot Sued for 'Secretly' Using Facial Recognition at Self-Checkouts
8 months ago
- Home Depot is being sued for allegedly using facial recognition technology at self-checkout kiosks without customer consent.
- Plaintiff Benjamin Jankowski claims the system scanned and stored his facial geometry without warning, violating Illinois' BIPA law.
- The lawsuit seeks class-action status for affected shoppers in Illinois, with penalties of $1,000-$5,000 per violation.
- Home Depot introduced the technology in 2024 to reduce theft but allegedly failed to disclose or obtain consent for biometric data collection.
- The case follows Rite Aid's ban on facial recognition after similar misuse led to false identifications and privacy violations.
LibreOffice 25.8: smarter, faster and more reliable
8 months ago
- LibreOffice 25.8 focuses on digital sovereignty and privacy protection.
- Open-source with no proprietary technology constraints.
- No data collection, complies with GDPR.
- All features run locally without internet or cloud connection.
- Supports self-hosted collaboration via solutions like Nextcloud.
- Improved performance with faster startup and document handling.
- Better interoperability with Microsoft Office files (DOCX, XLSX, PPTX).
- New functions added in Calc for enhanced productivity.
- Export capability to PDF 2.0 format.
- No longer supports Windows 7, 8/8.1, or 32-bit versions.
- Last version to support macOS 10.15.
- Enterprise support available through certified partners.
- Free, no ads, tracking, or subscriptions.
- Ideal for students, teachers, freelancers, and public administrations.
- Available for Windows, macOS, and Linux (Intel/ARM).
Zed fork focused on privacy and being local-first
8 months ago
- Zedless is a privacy-friendly, local-first fork of Zed, currently a work-in-progress.
- No reliance on proprietary cloud services; non-selfhostable components will be removed.
- No spyware; telemetry and automatic crash reporting will be eliminated.
- Emphasis on bring-your-own-infrastructure; network features will allow custom provider configuration.
- No default providers for network services; such features are disabled by default.
- No Contributor License Agreement (CLA); contributors retain their copyright.
- Ensures no rugpulls; strict compliance with open source licenses via cargo-about.
- Guidelines for resolving CI issues related to licensing, including adding license SPDX identifiers.
Thousands of Grok chats are now searchable on Google
8 months ago
- Grok chatbot conversations are easily accessible via Google Search due to shared URLs being indexed.
- Shared Grok conversations reveal users asking for illegal activities like hacking, drug manufacturing, and weapon creation.
- xAI's rules prohibit harmful uses, but users still ask Grok for instructions on dangerous activities.
- Grok provided instructions on making fentanyl, suicide methods, bomb construction, and even a plan to assassinate Elon Musk.
- OpenAI previously faced similar issues with ChatGPT conversations being indexed, calling it a 'short-lived experiment.'
- Grok claims to prioritize privacy and lacks a sharing feature, according to Elon Musk.
- TechCrunch Disrupt 2025 features top tech and VC leaders like Netflix, ElevenLabs, and Sequoia Capital.
- TechCrunch invites confidential tips and feedback via secure communication channels.
Grok chats exposed in Google results
8 months ago
- Hundreds of thousands of Grok user conversations exposed in Google search results.
- Shared Grok chat links were indexed by Google without users' knowledge.
- Exposed chats included sensitive topics like drug-making instructions and medical advice.
- AI chatbots like Grok raise significant privacy concerns.
- Previous incidents with OpenAI and Meta AI also exposed shared user conversations.
- Experts warn that leaked chatbot conversations can reveal personal and sensitive information permanently.
- Users are often unaware that shared chats can appear in search results.
Show HN: Changefly ID + Anonymized Identity and Age Verification
8 months ago
- Changefly ID introduces Anonymized Identity & Age Verification to enhance privacy and security online.
- Uses Zero-Knowledge Proofs to verify attributes like age without revealing personal data.
- Implements Secure Multi-Party Computation to verify uniqueness without exposing personal details.
- Replaces traditional login credentials with temporary, unique identifiers to prevent credential stuffing and account takeovers.
- Benefits end-users by simplifying digital experiences while maximizing privacy and security.
- Assists product developers by reducing compliance burdens and minimizing risks of data breaches.
- Protects against identity theft by eliminating centralized databases of personal information.
- Prevents online tracking by generating ephemeral identifiers and disabling cross-site correlation.
- Offers a developer-friendly API for integrating anonymized identity verification into applications.
- Available now for users and developers to start using for secure and private online interactions.
Leaving Gmail for Mailbox.org
8 months ago
- Switched from Gmail to Mailbox.org for better privacy.
- Concerned about plain text email transmission and data access by agencies.
- Chose Mailbox.org for integrated PGP encryption and Apple Mail compatibility.
- Mailbox.org offers 10GB email + 5GB cloud storage starting at €2.50/month.
- Used imapsync to migrate emails from Gmail to Mailbox.org.
- Set up email forwarding from Gmail to Mailbox.org for a smooth transition.
- Mailbox.org supports PGP encryption via web interface, useful for iOS users.
- Satisfied with the switch, highlighting unexpected positive aspects.
Recreationally overengineering my location history
8 months ago
- The author discusses their project to create a personal location history visualization tool, moving away from Google Maps for privacy reasons.
- The project includes a map showing visited places in a visually appealing way and a feature to share live location with others via a simple link.
- Data collection is done through an iOS app that uses 'significant location changes' to minimize battery impact, with an option for high-resolution updates for live sharing.
- The backend is built in Rust, utilizing a custom project template for efficiency and maintainability, with PostgreSQL and PostGIS for data storage and geodata handling.
- The author emphasizes the importance of 'production-grade' projects, even for personal use, to ensure stability, performance, and ease of maintenance.
- The iOS app, despite the author's limited experience with Swift and SwiftUI, successfully collects and sends location data to the backend with minimal battery usage.
- The visualization uses a hexagonal grid over a base map, generated efficiently with PostGIS, showing visited areas at various zoom levels.
- Live location sharing is implemented via WebSockets, with tokens that expire automatically to prevent unintended prolonged sharing.
- The author reflects on the project's success, noting its efficient resource use and the pleasure of using it to explore their travel history.
- The post concludes with a note on the project's code size and the author's satisfaction with the outcome, despite considering additional topics like LLMs in coding.
Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet
8 months ago
- Brave is developing an AI assistant, Leo, capable of autonomous browsing and transactions, raising security and privacy concerns.
- A vulnerability in Perplexity's Comet browser allows indirect prompt injection, where hidden malicious instructions on a webpage can manipulate the AI.
- Attackers can embed instructions in web content, leading the AI to perform unauthorized actions like accessing sensitive data or logging into accounts.
- Traditional web security measures like same-origin policy (SOP) are ineffective against AI-driven cross-domain attacks initiated by natural language commands.
- Mitigation strategies include distinguishing user instructions from webpage content, requiring user interaction for sensitive actions, and isolating agentic browsing from regular browsing.
- Brave emphasizes the need for robust security and privacy protections in agentic browsers to prevent misuse and protect user data.
ICE Uses Celebrity Loophole to Hide Deportation Flights
8 months ago
- ICE is using a Federal Aviation Administration (FAA) program, originally designed for celebrities to hide private jet flight records, to obscure deportation flight information.
- The program, known as the Limiting Aircraft Data Displayed (LADD) list, was created by the private jet lobby to block aircraft data from public tracking sites.
- Activists and journalists have tracked ICE's deportation flights, which are criticized for inhumane conditions, including shackling passengers and medical neglect.
- Charter airlines like Avelo Airlines and GlobalX Air, which also transport sports teams, have started adding planes to the LADD list to hide deportation flights.
- Despite being on the LADD list, deportation flights can still be tracked using crowd-sourced ADS-B data, similar to how Elon Musk's and Taylor Swift's jets are tracked.
- The FAA, under industry pressure, has rolled back transparency requirements for private jets, including obscuring ownership information.
The Unusual Nonprofit That Helps ICE Spy on Wire Transfers
8 months ago
- ICE uses the TRAC database to track undocumented immigrants through financial transactions.
- TRAC contains over 340 million wire transfer records, including sender and recipient details.
- Arizona's state attorney general powers TRAC with administrative subpoenas, bypassing judicial oversight.
- Privacy advocates criticize TRAC for disproportionately targeting immigrants and lacking safeguards.
- ICE has heavily utilized TRAC, contributing data and funding its operations.
- TRAC's origins trace back to 2006, expanding under successive Arizona attorneys general.
- The database's $500 threshold for tracking transactions is criticized as insufficient to protect privacy.
- TRAC operates as a nonprofit but maintains close ties with law enforcement agencies.
- Legal challenges against TRAC have been dismissed, with current AG Kris Mayes defending its use.
- Mayes' administration has increased secrecy around TRAC, withholding operational details.
Where are you being recorded? Almost everywhere
8 months ago
- Surveillance has expanded beyond high-security areas to everyday spaces like parks and homes due to smart devices, Ring doorbells, CCTV, and facial recognition.
- Albert Fox Cahn, a privacy advocate, highlights surveillance in various daily environments: homes, workplaces, shops, public spaces, and transit.
- Tips to limit surveillance exposure: avoid smart devices, use VPNs, shun facial recognition venues, delete social media apps when traveling, and leave non-essential devices behind.
- Organizing and demanding better privacy protections from organizations and lawmakers is crucial to combat mass surveillance.
Why I'm Now Running Enterprise AI on My Laptop (Without Internet)
8 months ago
- The author was skeptical of cloud-based AI due to privacy, cost, and data ownership concerns.
- HugstonOne Enterprise Edition 1.0.7 offers local, private AI without internet dependency.
- Current cloud AI systems often lack transparency, lock users into platforms, and compromise privacy.
- HugstonOne ensures zero data leaves the network, enhancing compliance with regulations like HIPAA and GDPR.
- It supports any GGUF model, providing flexibility without API keys or conversions.
- Enterprise-grade security features include model isolation to prevent cross-model data breaches.
- HugstonOne improves developer workflows with offline code assistance, handling up to 5000 lines of code.
- Medical diagnostics can be performed locally, reducing costs and maintaining data privacy.
- The tool is genuinely free, with no hidden costs, ads, or data collection.
- Designed for non-tech users, it enables tasks like medical research, report generation, and lesson planning offline.
Apple vs. Facebook Is Kayfabe
8 months ago
- Apple vs. Facebook's rivalry is described as 'kayfabe'—a staged conflict—while Apple enables Facebook's surveillance through in-app browsers.
- Facebook's in-app browsers act as ad-blocker blockers, allowing extensive tracking despite Apple's App Tracking Transparency (ATT) feature.
- In-app browsers (IABs) lack privacy settings and extensions, making them tools for surveillance, unlike real browsers that protect user privacy.
- Apple and Google facilitate Facebook's tracking by not enforcing stricter privacy measures on IABs, keeping big apps in their stores.
- The article suggests legislative and regulatory solutions are needed, as tech giants like Apple and Google are unlikely to self-regulate effectively.
Apple´s Tim Cook battle results
8 months ago
- Apple's 2016 stand against the FBI was about preventing a universal backdoor into iPhones, not just one case.
- The FBI demanded Apple create a tool to bypass iPhone encryption permanently, which Apple refused, citing security risks.
- Other tech giants like Google, Meta, and Microsoft have compromised with governments, allowing access to user data under pressure.
- Google's Project Stargate enabled U.S. law enforcement to access 1.2 million Google accounts without warrants by 2022.
- Meta agreed to a 'shared key' with the U.K. government, allowing police to read private Facebook messages without warrants.
- Microsoft lost a 2014 case, setting a precedent for government access to encrypted data stored abroad.
- Apple remains the only major tech company to consistently refuse government demands for backdoors.
- Privacy promises from tech companies are often overridden by legal demands, making user data vulnerable.
- The government's playbook involves legal threats and pressure to force companies into compliance.
- Tim Cook's 2016 warning highlighted the conflict between security and privacy, a paradox that persists today.

first prev18next

About|Login

#privacy

Highly Sensitive Medical Cannabis Patient Data Exposed by Unsecured Database

Show HN: GiralNet – A Privacy Network for Your Team (Not the World)

AnduinOS

Travel eSIMs may route traffic over Chinese and undisclosed networks

I Hacked India's Biggest Dating App (They Offered Me a $100 Gift Card)

Home Depot Sued for 'Secretly' Using Facial Recognition at Self-Checkouts

LibreOffice 25.8: smarter, faster and more reliable

Zed fork focused on privacy and being local-first

Thousands of Grok chats are now searchable on Google

Grok chats exposed in Google results

Show HN: Changefly ID + Anonymized Identity and Age Verification

Leaving Gmail for Mailbox.org

Recreationally overengineering my location history

Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet

ICE Uses Celebrity Loophole to Hide Deportation Flights

The Unusual Nonprofit That Helps ICE Spy on Wire Transfers

Where are you being recorded? Almost everywhere

Why I'm Now Running Enterprise AI on My Laptop (Without Internet)

Apple vs. Facebook Is Kayfabe

Apple´s Tim Cook battle results