Robert Grupe's AppSecNewsBits 2024-08-10

This Week: Black Hat, Microsoft, Cow Milking Robot Attack, Entrust, Outlook, CrowdStrike, Cisco

Black Hat 2024 Aug 3-8: Cyber Security Attack Research Analyst Conference
Navigate to Briefings > Schedule in the main event menu. Locate the desired session on the schedule. Click on the blue session title. Scroll down to the bottom of the page (below the abstract/session summary) and if/when presentation materials are available, you will see a link under "Presentation Material". Also check YouTube postings over coming weeks.
Journalist coverage also below in Hacking section.
AI in Security, Microsoft Vulnerabilities, and More: Key Takeaways From Black Hat USA 2024

 

BRAVO
Every Microsoft employee is now being judged on their security work
Microsoft has now placed security as one of its key priorities alongside diversity and inclusion. Both are now required to be part of performance conversations — internally called a “Connect” — for every employee, alongside priorities that are agreed upon between employees and their managers. All Microsoft employees are expected to use the company’s Connect tool for performance reviews, including executives who will also have their own security priority to deliver on.
“It goes beyond compliance, as we are asking employees to prioritize security in all the work that they do and hold themselves accountable by capturing their impact for it whenever they complete a Connect.” Microsoft employees will have to demonstrate how they’ve made impactful security changes. For technical employees, that means incorporating security into product design processes at the start of a project, following established security practices, and making sure products are secure by default.
[rG: NIST CSF 2.0 GOVERN (GV): The organization's cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored]

 

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
UK health services call-handling vendor faces $7.7M fine over 2022 ransomware attack
Advanced Computer Software Group pulled its systems offline on August 4, 2022, in an incident that was eventually attributed to LockBit. NHS non-emergency phone operators on the 111 line were forced to revert to pen-and-paper operations as disruptions continued for weeks. Some systems were still down in October of that year.
There are a number of things that really irked information commissioner John Edwards about this particular case. For one, the incident was allowed to take place because a customer account without multi-factor authentication (MFA) was used to breach the vendor's systems. Legitimate credentials were used to create a remote desktop session to Advanced's Staffplan Citrix server.
During the initial logon session, the attacker moved laterally in Advanced's Health and Care environment and escalated privileges, enabling them to conduct reconnaissance and deploy encryption malware. Immediately prior to encrypting systems, the threat actor copied and exfiltrated personal data belonging to 82,946 people. Medical records were also stolen, which is bad in its own right, though the recent run of attacks on healthcare providers has made that almost routine.

 

Students scramble after security breach wipes 13,000 devices
Singapore’s Ministry of Education said Monday that roughly 13,000 students from 26 secondary schools had their devices wiped remotely in the incident. The agency said it will remove the Mobile Guardian device-management app from all iPads and Chromebooks it issues.
The agency said that the breach was “primarily attributed to poor password management practice, and not the result of the unauthorized individual exploiting vulnerabilities in MG's systems.” On Tuesday, a Reddit user published an email purportedly sent to Mobile Guardian reporting a “critical” vulnerability involving improper access control. The user said the vulnerability allows the unauthorized reading and modification of “all data in Mobile Guardian systems” and requires only three minutes to exploit.

 

Design flaw has Microsoft Authenticator overwriting MFA accounts, locking users out
Microsoft stands out from the authenticator crowd by annihilating accounts when new accounts are introduced via QR code. Despite user complaints for years, no fix has been issued and Microsoft blames users.
Microsoft Authenticator will overwrite an account with the same username. Given the prominent use of email addresses for usernames, most users’ apps share the same username. Google Authenticator and just about every other authenticator app add the name of the issuer — such as a bank or a car company — to avoid this issue. Microsoft only uses the username.
Making this situation worse is that when a Microsoft overwrite happens, it’s not easy to determine which account is being overwritten. This can cause authentication issues with both the newly created account and the account that is overwritten. Moreover, users can potentially not realize a previously created account was annihilated until they attempt to use it again.
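The storage policy the article describes, shown as an added example rather than Microsoft's or Google's code: enrollment QR codes carry otpauth:// URIs, and the difference between the two apps comes down to whether the stored entry is keyed by account name alone or by (issuer, account). The two URIs below are constructed, the issuer and secret values are placeholders, and the store classes are illustrative, not the real apps' data model.

```python
"""Added example (not Microsoft's or Google's code): what goes wrong when an
authenticator keys its stored accounts by account name alone, using the
otpauth:// URI format that enrollment QR codes carry."""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<label>?secret=...&issuer=... (Key URI format).

    The label is either 'Issuer:account' or just 'account'; when the issuer
    query parameter is present it takes precedence over the label prefix."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError(f"not an otpauth URI: {uri!r}")
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "type": u.netloc,
        "issuer": (params.get("issuer") or label_issuer).strip(),
        "account": account.strip(),
        "secret": params["secret"],
    }


class AccountNameStore:
    """Keyed by account name only: the behaviour the article attributes to
    Microsoft Authenticator. Enrolling a second issuer for the same account
    replaces the first entry."""

    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}

    def enroll(self, uri: str) -> Optional[dict]:
        """Store the entry; return the entry it overwrote, if any."""
        entry = parse_otpauth(uri)
        previous = self.entries.get(entry["account"])
        self.entries[entry["account"]] = entry
        return previous


class IssuerAccountStore:
    """Keyed by (issuer, account): what Google Authenticator and most other
    apps do, so the bank and the car company coexist."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], dict] = {}

    def enroll(self, uri: str) -> Optional[dict]:
        entry = parse_otpauth(uri)
        key = (entry["issuer"], entry["account"])
        previous = self.entries.get(key)
        self.entries[key] = entry
        return previous


# Constructed enrollment URIs: the same user at two different issuers.
BANK_URI = ("otpauth://totp/ExampleBank:alice%40example.com"
            "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank")
CAR_URI = ("otpauth://totp/ExampleMotors:alice%40example.com"
           "?secret=GEZDGNBVGY3TQOJQ&issuer=ExampleMotors")


def enroll_both(store) -> Tuple[int, Optional[str]]:
    """Enroll both URIs; return (entries kept, issuer of any overwritten entry)."""
    store.enroll(BANK_URI)
    lost = store.enroll(CAR_URI)
    return len(store.entries), (lost["issuer"] if lost else None)


if __name__ == "__main__":
    print("account-name keyed:", enroll_both(AccountNameStore()))      # (1, 'ExampleBank')
    print("issuer+account keyed:", enroll_both(IssuerAccountStore()))  # (2, None)
```

The `enroll` return value is the piece Microsoft's app is missing from the user's point of view: an app that keys by account name should at least surface which entry is about to be replaced before it does so.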

 

512-bit RSA key in home energy system gives control of “virtual power plant”
When Ryan Castellucci recently acquired solar panels and a battery storage system for their home just outside of London, they were drawn to the ability to use an open source dashboard to monitor and control the flow of electricity being generated. “I set up some scheduled charging, then started experimenting with the API. The next evening, I had control over a virtual power plant comprised of tens of thousands of grid connected batteries.” In addition to control over an estimated 60,000 installed systems, the admin account—which amounts to root control of the company's cloud-connected products—also made it possible for them to enumerate names, email addresses, usernames, phone numbers, and addresses of all other GivEnergy customers.
The cause of the authentication bypass Castellucci discovered was a programming interface protected by an RSA key of just 512 bits. The key signs authentication tokens and is the rough equivalent of a master key: whoever holds the private half can mint tokens the API will accept. Because the modulus is so short, Castellucci could factor the public key and recover the private key underpinning the entire API. The factoring required about $70 in cloud computing costs and less than 24 hours.
GivEnergy introduced a fix within 24 hours of Castellucci privately disclosing the weakness.
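The factoring step in miniature, as an added example rather than Castellucci's or GivEnergy's code: a toy 64-bit modulus (two known primes near 2^31 and 2^32, constructed here) is factored with Pollard's rho in well under a second, the private exponent is rebuilt from the factors, and a token the API would accept is forged from the public key alone. The signing scheme is textbook RSA over a SHA-256 digest with no padding, which is itself insecure and used only to keep the block self-contained; the key-size gate at the end is the check a practitioner would put in front of the token-signing service.

```python
"""Added example (not GivEnergy's API or Castellucci's tooling): a too-short
RSA modulus lets anyone who holds the public key recover the private key and
forge the tokens it signs."""
import hashlib
import math
from typing import Tuple

# Constructed toy key. Two known primes near 2^31 and 2^32 give a 64-bit
# modulus; the API in the article used 512 bits, real deployments 2048+.
P = 2147483647       # 2^31 - 1
Q = 4294967311       # 2^32 + 15
N = P * Q
E = 65537
MIN_RSA_BITS = 2048


def rsa_private_exponent(p: int, q: int, e: int = E) -> int:
    """d = e^-1 mod (p-1)(q-1); ValueError if e shares a factor with phi."""
    return pow(e, -1, (p - 1) * (q - 1))


def token_digest(message: bytes, n: int) -> int:
    """SHA-256 of the token body reduced into Z_n (toy: no PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, d: int, n: int) -> int:
    return pow(token_digest(message, n), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    return pow(signature, e, n) == token_digest(message, n)


def pollard_rho(n: int) -> int:
    """Non-trivial factor of composite n: Floyd cycle detection on x^2 + c."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # the sequence collapsed without a factor: change polynomial


def factor_modulus(n: int) -> Tuple[int, int]:
    p = pollard_rho(n)
    return tuple(sorted((p, n // p)))


def forge_token(n: int, e: int, message: bytes) -> int:
    """Attacker's view: only the public key (n, e). Factor, derive d, sign."""
    p, q = factor_modulus(n)
    return sign(message, rsa_private_exponent(p, q, e), n)


def key_is_acceptable(n: int, minimum_bits: int = MIN_RSA_BITS) -> bool:
    """Gate to apply when the signing key is loaded, not after an incident."""
    return n.bit_length() >= minimum_bits


if __name__ == "__main__":
    claims = b'{"sub":"attacker","role":"admin"}'
    forged = forge_token(N, E, claims)
    print("forged token accepted:", verify(claims, forged, E, N))  # True
    print("key passes size gate:", key_is_acceptable(N))            # False
```

Pollard's rho only scales to factors of a few dozen bits; a 512-bit modulus needs a number field sieve run, which is where the article's $70 of cloud time goes. The conclusion is the same: the public key is enough, so any signing key below 2048 bits should fail the gate.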

 

Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net
The First Contact Safety Tip – a banner displayed in Outlook when a user receives a message from an address that typically doesn't contact them – can be hidden (mostly) using CSS style tags. Because the First Contact Safety Tip is added to the HTML code of an email before the message content, all a phisher would have to do is craft an email solely in HTML, changing the banner's background and font both to white, and voila, the banner still exists but is no longer visible.
The researchers informed Microsoft about this in February but their findings aren't going to be addressed in the short term. "We determined your finding is valid but does not meet our bar for immediate servicing considering this is mainly applicable for phishing attacks."

Users call on Microsoft to update Outlook's friendly name feature
The problem is connected to how a list of emails is displayed. Outlook will helpfully show the friendly name if it can rather than the actual address of the sender. In some service iterations, hovering over the name will show the actual address, but in others, a user must open the email to see the relevant information. The opportunities for scammers and phishing attacks are clear. An email might seem legitimate in a user's inbox, and that same user might, therefore, click a malicious link after opening it.
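Both Outlook items above come down to checks a mail gateway or add-in can run on an inbound message itself, shown here as an added example rather than Microsoft's code: does a `<style>` rule in the body try to make the prepended First Contact Safety Tip invisible (including the white-on-white trick), and does the From: display name carry an e-mail address different from the real sender? The banner's CSS selector (`#x_safetytip`) is an assumption, since the article does not show Outlook's real markup, so it is a parameter; the sample message is constructed.

```python
"""Added example (not Microsoft's code): two inbound-mail checks covering the
hidden safety-tip trick and display-name spoofing."""
import re
from email import message_from_string
from email.utils import parseaddr

BANNER_SELECTOR = "#x_safetytip"   # assumed; substitute the real selector

HIDE_PATTERNS = (
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|!|$)",
    r"opacity\s*:\s*0(?:\.0+)?\s*(?:;|!|$)",
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def css_rules(html: str):
    """Yield (selector, declaration block) from every <style> element."""
    for sheet in re.findall(r"<style[^>]*>(.*?)</style>", html, re.I | re.S):
        for selector, body in re.findall(r"([^{}]+)\{([^{}]*)\}", sheet, re.S):
            yield selector.strip(), body


def _declared(body: str, prop: str):
    """Lowercased value of a CSS property in a declaration block, or None."""
    m = re.search(r"(?<![\w-])" + prop + r"\s*:\s*([#\w]+)", body, re.I)
    return m.group(1).lower() if m else None


def hides_banner(html: str, selector: str = BANNER_SELECTOR) -> bool:
    """True if a rule aimed at the banner removes it from view, including
    text colour equal to background colour."""
    for sel, body in css_rules(html):
        if selector not in sel:
            continue
        if any(re.search(p, body, re.I) for p in HIDE_PATTERNS):
            return True
        fg = _declared(body, "color")
        bg = _declared(body, r"background(?:-color)?")
        if fg and bg and fg == bg:
            return True
    return False


def display_name_spoof(from_header: str) -> bool:
    """True when the friendly name contains an e-mail address that is not the
    actual sender address, e.g. "ceo@victim.example" <x@evil.example>."""
    name, addr = parseaddr(from_header)
    shown = EMAIL_RE.search(name)
    return bool(shown) and shown.group(0).lower() != addr.lower()


def check_message(raw: str, selector: str = BANNER_SELECTOR) -> dict:
    msg = message_from_string(raw)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
    return {
        "hidden_safety_tip": hides_banner(html, selector),
        "display_name_spoof": display_name_spoof(msg.get("From", "")),
    }


# Constructed phishing sample exercising both tricks.
SAMPLE = """\
From: "ceo@victim.example" <attacker@evil.example>
To: bob@victim.example
Subject: Urgent wire transfer
Content-Type: text/html; charset=utf-8

<html><head><style>
#x_safetytip { color: #FFFFFF; background-color: #ffffff; }
</style></head><body><p>Please process the attached invoice today.</p></body></html>
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The colour comparison is deliberately literal: named colours and hex are compared as written, so `white` against `#ffffff` is not caught. Normalising colours is a small extension; the point is that the banner is injected as markup the sender's CSS can style, so the gateway, not the client, is the place to notice the attempt.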

 

It's 2024 and we're just getting round to stopping browsers insecurely accessing 0.0.0.0
A firm called Oligo Security flagged up the vulnerability this month and named it a 0.0.0.0 Day because it involves the 0.0.0.0 IPv4 address. And it appears at least some attackers have been abusing this flaw since at least the late 2000s.
The problem is as simple as this: If you open a malicious webpage in a vulnerable browser on a vulnerable OS (other than Windows), that page can fire off requests to 0.0.0.0 and a port of its choosing. And if you have servers or other services running locally on your box on that port, those requests will go to it. So if you have some service running on your macOS or Linux workstation on port 11223, and you assume no one can reach it because it's behind your firewall, and that your big-name browser blocks outside requests to localhost, guess again because that browser will route a 0.0.0.0:11223 request by a malicious page you're visiting to your service.
There are supposed to be security mechanisms in place to prevent external websites from reaching your localhost in this way. Specifically, the Cross-Origin Resource Sharing (CORS) specification, and then the more recent Private Network Access (PNA). The Oligo team, however, was able to bypass PNA. The researchers set up a dummy HTTP server running on 127.0.0.1 aka localhost, on port 8080, and was then able to access it from an external public site using JavaScript, by sending a request to 0.0.0.0:8080.
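The decision the browser gets wrong, as an added example rather than Chromium's or Oligo's code: a Private Network Access style check keeps a list of non-public ranges and denies fetches from a public page to any of them, and the pre-fix list simply did not contain the unspecified address. The second function is the defence a local service can apply itself, because a request that arrived via `0.0.0.0:8080` carries `Host: 0.0.0.0:8080` and a cross-site page sends an `Origin` header. Range lists and headers are constructed; no sockets are opened.

```python
"""Added example (not Chromium's or Oligo's code): PNA-style target
classification before and after the fix, plus a Host/Origin check for the
local service."""
import ipaddress
from typing import Dict, FrozenSet


def _nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# What the pre-fix check treated as non-public: loopback, RFC 1918,
# link-local and their IPv6 equivalents. 0.0.0.0 and :: are missing.
LEGACY_NON_PUBLIC = _nets("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                          "192.168.0.0/16", "169.254.0.0/16",
                          "::1/128", "fc00::/7", "fe80::/10")
# The fix: on macOS and Linux a connection to the unspecified address lands
# on whatever is listening locally on that port, so treat it as loopback.
FIXED_NON_PUBLIC = LEGACY_NON_PUBLIC + _nets("0.0.0.0/8", "::/128")


def public_page_may_fetch(target: str, non_public=FIXED_NON_PUBLIC) -> bool:
    """Decision for a request from a public-origin page that has no PNA
    preflight approval: allow only if the literal target is a public address."""
    ip = ipaddress.ip_address(target)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:0.0.0.0 etc.
        ip = ip.ipv4_mapped
    return not any(ip in net for net in non_public)


LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def _host_without_port(host: str) -> str:
    if host.startswith("["):                      # [::1]:8080
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def local_service_accepts(headers: Dict[str, str],
                          allowed_origins: FrozenSet[str] = frozenset()) -> bool:
    """Defence the local service can apply whatever the browser does: reject a
    Host that is not a loopback name (covers 0.0.0.0 and DNS rebinding) and
    any Origin not explicitly allowed. Header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if _host_without_port(h.get("host", "")) not in LOOPBACK_HOSTS:
        return False
    origin = h.get("origin")
    return origin is None or origin in allowed_origins


if __name__ == "__main__":
    print("legacy allows 0.0.0.0:", public_page_may_fetch("0.0.0.0", LEGACY_NON_PUBLIC))  # True
    print("fixed allows 0.0.0.0:", public_page_may_fetch("0.0.0.0"))                      # False
    print("service accepts 0.0.0.0 request:",
          local_service_accepts({"Host": "0.0.0.0:8080", "Origin": "https://attacker.example"}))  # False
```

Binding the service to 127.0.0.1 instead of 0.0.0.0 does not help here, since the browser's 0.0.0.0 connection still reaches the loopback listener; the Host and Origin checks, or real authentication on the local endpoint, do.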

 

Delta: CrowdStrike's offer to help in Falcon meltdown was too little, too late
Delta threatened legal action against CrowdStrike and Microsoft, claiming the IT fiasco cost it more than $500 million. CrowdStrike tried to "blame the victim" in its sorry-not-sorry August 4 letter to the airline. "CrowdStrike engaged in grossly negligent, indeed willful, misconduct with respect to the faulty update." This, in part, is due to the software company's admission that it didn't do a staged roll-out of its errant update.
Delta pushed back on CrowdStrike's claims of working "tirelessly" to help Delta restore its systems. The only offer of help the airline got during the first 65 hours of the outage was the publicly available remediation website suggesting manual reboots of all affected computers, we're told. Plus, the automated fix from July 21 "introduced a second bug that prevented many machines from recovering without additional intervention." By the time Kurtz called Delta CEO Ed Bastian — and this only happened one time, Boies asserts — on the night of July 22, it was "too late." The phone call was "unhelpful and untimely," arriving almost four days after the disaster, by which time "Delta had already restored its critical systems and most other machines.”

CrowdStrike hires outside security outfits to review troubled Falcon code
CrowdStrike has hired two outside security firms to review its threat-detection suite Falcon that sparked a global IT outage last month – though it may not have an awful lot to find, because CrowdStrike has identified the simple mistake that caused the meltdown.

CrowdStrike releases root cause analysis of the global Microsoft breakdown
In the report, CrowdStrike admits that "lack of a specific test for non-wildcard matching criteria in the 21st field" contributed to "the confluence of these issues that resulted in a system crash".
Toby Murray, associate professor at the University of Melbourne's School of Computing and Information Systems, said the "dodgy data file update" was "embarrassing. That is an incredibly basic and fundamental mismatch that was always going to lead to catastrophic problems, sooner or later. The fact that the CrowdStrike developers were able to have this obvious inconsistency between the data file format and the software code means that the most basic forms of quality review and assurance were not being correctly carried out."
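The class of defect the RCA describes, modelled as an added example (not CrowdStrike's code, and the names are illustrative): a content template declares 21 match fields while the sensor's matcher supplies 20, and every entry whose 21st criterion is a wildcard never reads the missing field, so the mismatch stays invisible until one entry carries a concrete value there. The load-time validation and the coverage check are the two things the RCA says were absent.

```python
"""Added example (not CrowdStrike's code): a template/matcher field-count
mismatch that wildcard entries hide, and the checks that catch it at load
time rather than at match time."""
from dataclasses import dataclass
from typing import List

WILDCARD = "*"
SENSOR_FIELDS = 20          # fields the matcher actually populates per event


@dataclass
class TemplateType:
    name: str
    field_count: int        # fields the template declares


@dataclass
class ChannelEntry:
    criteria: List[str]     # one criterion per field; '*' matches anything


def legacy_match(entry: ChannelEntry, event: List[str]) -> bool:
    """Pre-fix matcher: trusts the entry's criteria count and indexes the
    event by position. A concrete 21st criterion reads event[20], which does
    not exist (stand-in for the out-of-bounds read that crashed the sensor)."""
    for i, criterion in enumerate(entry.criteria):
        if criterion != WILDCARD and event[i] != criterion:
            return False
    return True


def legacy_match_crashes(entry: ChannelEntry, event: List[str]) -> bool:
    try:
        legacy_match(entry, event)
    except IndexError:
        return True
    return False


def validate_channel_file(template: TemplateType, entries: List[ChannelEntry],
                          sensor_fields: int = SENSOR_FIELDS) -> List[str]:
    """Reject at load time, before any entry is ever matched."""
    problems = []
    if template.field_count != sensor_fields:
        problems.append(f"{template.name}: template declares {template.field_count} "
                        f"fields, sensor supplies {sensor_fields}")
    for n, entry in enumerate(entries):
        if len(entry.criteria) != template.field_count:
            problems.append(f"entry {n}: {len(entry.criteria)} criteria, "
                            f"template declares {template.field_count}")
    return problems


def untested_fields(entries: List[ChannelEntry], field_count: int) -> List[int]:
    """Field indexes no entry constrains with a concrete value: a test corpus
    made only of such entries never exercises them."""
    covered = {i for e in entries for i, c in enumerate(e.criteria) if c != WILDCARD}
    return sorted(set(range(field_count)) - covered)


# Constructed: a template that over-declares, and the two entry shapes.
TEMPLATE = TemplateType("ipc-template", field_count=21)
EVENT = [f"v{i}" for i in range(SENSOR_FIELDS)]
WILDCARD_21ST = ChannelEntry(["v0"] + [WILDCARD] * 20)             # passes every test
CONCRETE_21ST = ChannelEntry(["v0"] + [WILDCARD] * 19 + ["v20"])   # the shape that crashes

if __name__ == "__main__":
    print("wildcard entry matches:", legacy_match(WILDCARD_21ST, EVENT))      # True
    print("concrete entry crashes:", legacy_match_crashes(CONCRETE_21ST, EVENT))  # True
    print("load-time problems:", validate_channel_file(TEMPLATE, [WILDCARD_21ST]))
    print("fields no test touches:", untested_fields([WILDCARD_21ST], TEMPLATE.field_count))
```

The second check is the one most teams skip: validating that the test corpus exercises every field a template declares is cheap, and it is exactly the test whose absence let the wildcard-only corpus pass for months.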

 

Bad apps bypass Windows security alerts for six years using newly unveiled trick
Research focused on ways to bypass Windows SmartScreen and Smart App Control (SAC), the go-to built-in protections against running potentially nasty software downloaded from the web in Windows 8 and 11 respectively.
One was dubbed "LNK Stomping," a bug in the way Windows shortcut files (.LNK) are handled that nullifies Windows' Mark of the Web (MotW) – a digital tag placed on downloaded files that could be malicious if executed. SmartScreen only scans files that are tagged with MotW and SAC is set up to block certain file types if they're marked, so any method that can circumvent MotW will naturally be a boon to malware miscreants. This is far from the first MotW bypass technique that's been introduced over the years, but the fact it has been in use for so long and is "trivial" to exploit, makes it worth defenders taking some time to understand how it works. This "trivial" technique involves crafting LNK files with non-standard target paths or internal structures. This forces Windows Explorer to correct these small errors before launching the malicious app, but in the process of correcting these errors, MotW is removed, which means SmartScreen and SAC don't flag it as malicious. The easiest way to trigger this bug is to simply append a period or a space somewhere in the target executable path.
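The sequence the paragraph describes, as an added example rather than Elastic's or Microsoft's code: Explorer repairs a malformed shortcut target by rewriting the .lnk, the rewrite drops the Zone.Identifier stream, and only then is Mark of the Web consulted. The path normalisation below is an approximation of the Win32 rules (trailing dots and spaces dropped from each component, `.` segments removed), the Zone.Identifier stream is modelled as a boolean on the shortcut, and the shortcut paths are constructed.

```python
"""Added example (not Elastic's or Microsoft's code): a model of LNK stomping
and the ordering of repair versus MotW check that makes it work."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ShortcutFile:
    target: str      # target path as stored in the .lnk
    has_motw: bool   # Zone.Identifier alternate data stream present


def normalize_win32_path(path: str) -> str:
    """Approximation of Win32 normalisation: '/' to '\\', '.' segments
    dropped, trailing spaces and dots stripped per component ('..' kept)."""
    parts = path.replace("/", "\\").split("\\")
    return "\\".join(p if p == ".." else p.rstrip(" .")
                     for p in parts if p != ".")


def stomping_indicator(target: str) -> Optional[str]:
    """Name the anomaly a shortcut target carries, or None if canonical."""
    if normalize_win32_path(target) == target:
        return None
    leaf = target.replace("/", "\\").rsplit("\\", 1)[-1]
    if leaf.endswith("."):
        return "trailing-dot"
    if leaf.endswith(" "):
        return "trailing-space"
    return "non-canonical"


def repair_shortcut(lnk: ShortcutFile, preserve_motw: bool) -> ShortcutFile:
    """Explorer rewriting the .lnk with the canonical target. Writing a new
    file without copying its Zone.Identifier stream is what loses the mark."""
    return ShortcutFile(normalize_win32_path(lnk.target),
                        has_motw=lnk.has_motw and preserve_motw)


def explorer_launch_legacy(lnk: ShortcutFile) -> str:
    """Order described by the research: repair first, check MotW second."""
    if stomping_indicator(lnk.target):
        lnk = repair_shortcut(lnk, preserve_motw=False)
    return "blocked" if lnk.has_motw else "allowed"


def explorer_launch_hardened(lnk: ShortcutFile) -> str:
    """Check the file as it was downloaded, and carry the mark through any
    repair, so the object checked is the object launched."""
    verdict = "blocked" if lnk.has_motw else "allowed"
    if stomping_indicator(lnk.target):
        lnk = repair_shortcut(lnk, preserve_motw=True)
    assert lnk.has_motw == (verdict == "blocked")  # both views agree
    return verdict


# Constructed shortcuts: a downloaded (MotW-tagged) .lnk with a stomped
# target, and the same shortcut with a canonical target.
STOMPED = ShortcutFile("C:\\Users\\bob\\Downloads\\invoice.exe.", has_motw=True)
CLEAN = ShortcutFile("C:\\Users\\bob\\Downloads\\invoice.exe", has_motw=True)

if __name__ == "__main__":
    print(stomping_indicator(STOMPED.target))          # trailing-dot
    print("legacy:", explorer_launch_legacy(STOMPED))    # allowed
    print("hardened:", explorer_launch_hardened(STOMPED))  # blocked
```

`stomping_indicator` is also usable on its own as a hunting heuristic over shortcut targets extracted from .lnk files on disk or from mail attachments: a target that Explorer would have to "fix" before launching is suspicious regardless of what it points at.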
Reputation Hijacking involves identifying an existing program with a good reputation and meddling with it for malicious ends. The researcher said script hosts are ideal for this kind of attack, although any app that can be controlled without command line parameters would work.
Reputation Seeding appears to work best with SAC. This attack involves an attacker dropping a binary that appears trustworthy but can be exploited at a later time, such as when certain conditions are met.

 

Microsoft discloses unpatched Office flaw that exposes NTLM hashes
The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. As demonstrated repeatedly in the past, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords. NTLM hashes can also be used in NTLM Relay Attacks, as previously seen with the ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0 attacks, to gain access to other resources on a network.
However, Microsoft notes utilizing any of the mitigations could prevent legitimate access to remote servers that rely on NTLM authentication.

 

 

Exploit released for Cisco SSM bug allowing admin password changes
Cisco SSM On-Prem helps manage accounts and product licenses on an organization's environment using a dedicated dashboard on the local network. Exploit code is now available for a maximum severity vulnerability that lets attackers change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers.
CVE-2024-20419 is caused by an unverified password change weakness in SSM On-Prem's authentication system. This weakness lets unauthenticated attackers remotely change any user password (including those used for administrator accounts) without knowing the original credentials.

 

CISA warns of hackers abusing Cisco Smart Install feature
CISA has spotted threat actors using this tactic and leveraging other protocols or software to steal sensitive data, such as system configuration files, which prompted an alert advising admins to disable the legacy SMI protocol (superseded by the Cisco Network Plug and Play solution) to block these ongoing attacks.
It also recommended reviewing the NSA's Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for further configuration guidance.

 

HACKING
Police take just 2 days to recover $40M stolen in business email scam
Interpol was called in after an unidentified Singaporean commodity biz filed a police report on July 23 claiming it had been scammed out of $42.3 million four days earlier. The company only became aware of the bamboozling when a supplier, the intended recipient of the money transfer, got in touch asking why it hadn't been paid.
In 2023 alone, more than 21,000 complaints relating to BEC were filed with the FBI, which incurred adjusted losses exceeding $2.9 billion. For comparison, the same report said 2,825 ransomware complaints were made with adjusted losses topping $59 million. (It's a large discrepancy in monetary losses, however, it should be noted that ransom payments are often made without informing law enforcement, and these losses may not account for downtime, recovery costs, and other finances associated with a ransomware attack.)

 

Cybercriminals blackmail farmer and hack milking robot - cow dies
Hackers launched a cyberattack on a Swiss farmer's computer system, disrupting the flow of vital data from a milking robot. Tragically, this led to the death of a cow and her unborn calf. When the animal owner stopped receiving milking data, he initially suspected a dead zone. But then he learned from the manufacturer of his milking system that he had been hacked. Apparently it was a ransomware attack. The hackers demanded $10,000 to decrypt the data. Because the computer was paralyzed, the farmer was unable to recognize the emergency in time. They tried everything to at least save the cow, but in the end it had to be put down.

 

Mac and Windows users infected by software updates delivered over hacked ISP
Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers.
That is the fun/scary part—this was not a hack of the ISP's DNS servers. This was a compromise of the network infrastructure carrying Internet traffic. The DNS queries, for example, were addressed to Google's resolvers at 8.8.8.8. The traffic was intercepted in transit and the queries answered with the IP address of the attacker's servers.
The attack worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS.
There are two main options for preventing these sorts of attacks: (1) eschewing all software that updates insecurely, or (2) using DNS over HTTPS or DNS over TLS. The first is likely the best, although it may mean giving up a preferred app in some cases. The encrypted DNS configurations are viable, but at the moment are offered by only a handful of DNS providers, with 8.8.8.8 and 1.1.1.1 being the best known. Encrypted DNS closes only the DNS-poisoning route, however: an attacker on the path can still intercept a plaintext HTTP download to the correct IP address, so updates fetched over TLS and verified against a pinned signing key remain the real fix.

 

Cloud storage lockers from Microsoft and Google used to store and spread state-sponsored malware
State-sponsored cyber spies and criminals are increasingly using legitimate cloud services to attack their victims, according to Symantec's threat hunters, who have spotted three such operations over recent months, plus new data theft and other malware tools in development by these goons. Criminals use cloud services for many of the same reasons legitimate organizations do, plus the fact that they make it easier to avoid being caught snooping around on victims' networks. One of the benefits is that the infrastructure costs are zero for the nation-state groups.

 

Your victim's Windows PC fully patched? Just force undo its updates and exploit away
It appears you must already have administrative access, or be able to make a privileged account complete some steps, to pull these attacks off. If you have that kind of access, you can already do a lot of damage and steal a lot of things from the system, so we can't see this research being that devastating for most people. Still, some miscreants out there might find it useful to really drill into and persist quietly in a target's environment, plus it reveals more about the inner workings of Windows.
The Windows maker has yet to formulate a full fix for the security holes Leviev discovered, and it is for now alerting customers.

 

It’s not worth paying to be removed from people-finder sites, study says
Consumer Reports' study asked 32 volunteers for permission to try to delete their personal data from 13 people-search sites, using seven services over four months. The services, including DeleteMe, Reputation Defender from Norton, and Confidently, were also compared to "Manual opt-outs," i.e. following the tucked-away links to pull down that data on each people-search site. The services varied in efficacy, with EasyOptOuts notably performing the second-best at a 65 percent removal rate after four months. But if your goal is to remove entirely others' ability to find out about you, no service Consumer Reports tested truly gets you there. Manual opt-outs were the most effective removal method, at 70 percent removed within one week, which is both a higher elimination rate and quicker turn-around than all the automated services.

 

Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem
Knox Vault is the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines. Samsung's not made it easy to become a bug-blasting millionaire. Scoring the cash requires demonstrating use of a zero-click method – no user interaction required – to crack a Galaxy S or Z handset as an unprivileged user and come away with credentials.

 

How to Weaponize Microsoft Copilot for Cyberattackers
Attackers can use Copilot to search for data, exfiltrate it without producing logs, and socially engineer victims to phishing sites even if they don't open emails or click on links. Enterprises are implementing Microsoft's Copilot AI-based chatbots at a rapid pace, hoping to transform how employees gather data and organize their time and work. Developers could unwittingly build Copilot chatbots capable of exfiltrating data or bypassing policies and data loss prevention controls with Microsoft's bot creation and management tool, Copilot Studio.
Bargury released an offensive security toolset for Microsoft 365 on GitHub. The new LOLCopilot module, part of powerpwn, is designed for Microsoft Copilot, Copilot Studio, and Power Platform. Bargury describes it as a red-team hacking tool to show how to change the behavior of a bot, or "copilot" in Microsoft parlance, through prompt injection. There are two types: A direct prompt injection, or jailbreak, is where the attacker manipulates the LLM prompt to alter its output. With indirect prompt injections, attackers modify the data sources accessed by the model. Using the tool, Bargury can add a direct prompt injection to a copilot, jailbreaking it and modifying a parameter or instruction within the model.

 

Critical AWS Vulnerabilities Allow S3 Attack Bonanza
The impacted AWS services include CloudFormation, CodeStar, EMR, Glue, SageMaker, and Service Catalog. While AWS has mitigated the vulnerabilities impacting its services, the attack vectors could still impact open source projects deployed in their AWS environments. Many open source projects automatically create S3 buckets or direct users to deploy them. Users should avoid creating S3 buckets with predictable or static identifiers in the first place. Instead, they should create an S3 bucket name with a unique hash or a random identifier for each region and account to prevent attackers from claiming them first.
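The naming advice above in working form, as an added example rather than Aqua's research code or anything from AWS: a bucket name whose suffix is derived from the account, the region and a per-deployment secret is stable across re-runs, distinct per account and region, and not computable by someone who knows only the prefix and your account id. `looks_predictable` is a heuristic for auditing existing names; `ExpectedBucketOwner` is the real S3 request parameter (accepted by boto3 calls such as `put_object`) that makes a request fail if the bucket turns out to belong to someone else. Names and secrets here are constructed.

```python
"""Added example (not Aqua's or AWS's code): unguessable S3 bucket names, a
predictability heuristic, and the owner check to pass on every S3 call."""
import hashlib
import re
import secrets

# Core S3 naming rules: 3-63 chars, lowercase letters/digits/dots/hyphens,
# starts and ends alphanumeric, not shaped like an IP address. Reserved
# prefixes/suffixes (e.g. xn--, -s3alias) are not modelled.
BUCKET_NAME_RE = re.compile(r"^(?!\d+\.\d+\.\d+\.\d+$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
HEX_CHARS = set("0123456789abcdef")


def valid_bucket_name(name: str) -> bool:
    return BUCKET_NAME_RE.match(name) is not None


def new_deployment_secret() -> bytes:
    """Generated once per deployment and kept in configuration; never derived
    from public facts such as the account id or region."""
    return secrets.token_bytes(32)


def unique_bucket_name(prefix: str, account_id: str, region: str,
                       deployment_secret: bytes) -> str:
    """<prefix>-<16 hex chars>: same inputs give the same name (idempotent
    deploys), any change of account, region or secret gives a new one."""
    material = b"|".join([prefix.encode(), account_id.encode(),
                          region.encode(), deployment_secret])
    suffix = hashlib.sha256(material).hexdigest()[:16]
    name = f"{prefix}-{suffix}"
    if not valid_bucket_name(name):
        raise ValueError(f"invalid bucket name (prefix too long or bad characters): {name}")
    return name


def looks_predictable(name: str) -> bool:
    """Heuristic: a name is guessable unless some hyphen-separated segment is
    a long hex token. A 12-digit segment is treated as an account id, which
    is public information rather than entropy."""
    for segment in name.split("-"):
        if (len(segment) >= 12 and not ACCOUNT_ID_RE.match(segment)
                and set(segment) <= HEX_CHARS):
            return False
    return True


def s3_params_for(bucket: str, owner_account_id: str) -> dict:
    """Keyword arguments to splat into S3 calls so the request is refused if
    the bucket is not owned by the expected account."""
    return {"Bucket": bucket, "ExpectedBucketOwner": owner_account_id}


if __name__ == "__main__":
    secret = new_deployment_secret()
    name = unique_bucket_name("cf-templates", "123456789012", "us-east-1", secret)
    print(name, "predictable:", looks_predictable(name))                      # ... False
    print("cf-templates-us-east-1 predictable:", looks_predictable("cf-templates-us-east-1"))  # True
    print(s3_params_for(name, "123456789012"))
```

The owner check matters even with good names: a bucket created by a tool in a region you have not used yet can be an attacker's bucket with an attacker-friendly policy, and `ExpectedBucketOwner` turns that into a 403 instead of a silent write to someone else's storage.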

 

Tech misconceptions plague the IT world
New research shows that while many Brits will snap shut a laptop camera in the name of privacy, a worrying amount will just as happily shovel all manner of personal information into an online game in order to get a result they can share with their friends.
49% had taken the sensible step of covering their webcam when not in use.
44 % admitted to "Taking funny tests or playing mini-games on social media and posting the results."
35% were a bit superstitious about digitally forwarded messages and would send them to friends and family to avoid breaking a chain.
25% stuck their smartphone in a special cover so hackers couldn't steal their data.
21% believe a magnet can erase a smartphone. (This might be true if you used that magnet to smash the device into millions of tiny pieces.)
40% believe that browsers' "incognito mode" makes their activity invisible to everyone.
24% assume an encrypted messaging service such as WhatsApp will make live links safe to use.
22% believe iOS-based products are immune to all attempts to hack them.
41% expressed suspicion regarding the amount of data collected by modern cars.
[rG: Snaps David]

 

APPSEC, DEVSECOPS, DEV
CISA Releases Secure by Demand Guidance
This guide provides organizations with questions to ask when buying software, considerations to integrate product security into various stages of the procurement lifecycle, and resources to assess product security maturity in line with secure by design principles.

 

 

CSA Report Reveals AI’s Potential for Enhancing Offensive Security
The report explores the transformative potential of integrating LLM-powered AI into offensive security. It highlights the current challenges and illustrates AI’s capability across five key security phases: reconnaissance, scanning, vulnerability analysis, exploitation, and reporting.

 

Make Data Governance Automation Suck Less With a Supergraph
Data Governance is notoriously difficult, expensive and not always satisfying. It can sometimes feel like filing your state and federal taxes, but year-round. One significant challenge is keeping up with ever-changing legal and regulatory requirements and the organization’s evolving data environment. Leveraging Supergraph makes addressing these concerns more manageable while providing clear business value. In other words, focus less on compliance and focus more on its business value.
The Supergraph Manifesto
Supergraph is an architecture framework that offers reference architectures, design guidelines/principles and an operating model to help multiple teams to collaborate on a self-serve platform for federated data access, API integration/composition or GraphQL APIs. An implementation artifact of the Supergraph architecture is called a supergraph. When a supergraph is built with a GraphQL federation stack, the engine is often called a gateway or a router and the subgraph connectors are often GraphQL services.

 

Software innovation just isn't what it used to be, and Moxie Marlinspike blames Agile
Instead of allowing developers to operate from the bottom up in a way that lets them combine engineering expertise with the vision to see new capabilities in existing technology, agile teams end up siloed, working separately from each other, and without much visibility into what other teams are doing. These black box teams also tend to lack visibility into some of the fundamentals of what makes their own products work.
Programming students aren't learning low-level languages, or how to interact with machine code, Snyder said - just high-level languages that make app development smoother, but leave engineers without needed context to understand how their pieces of the puzzle fit into a larger, vastly interconnected whole.

 

 

AMD's 'Sinkclose' vulnerability affects hundreds of millions of processors, enables data theft — AMD begins patching issue in critical chip lines, more to follow
There is good news, though: since it has not been discovered for 18 years, it likely hasn't been used.
To exploit this flaw, attackers must first gain access to a system's kernel, which isn't easy, but it is possible. However, the system must already have been compromised by some other attack. Once this access is secured, the Sinkclose vulnerability allows the perpetrators to install bootkit malware that evades detection by standard antivirus tools, remaining nearly invisible within the system and can persist even after the operating system is reinstalled.
[rG: LOL – publicly acknowledged discovery that is, but there are easier exploits so this would only be of use for those looking to establish deep persistence.]

 

macOS Sequoia makes it harder to run apps that don’t follow Apple’s security rules
Since the Mac doesn’t have the same locked-down app distribution system of iOS and iPadOS, Apple has created other tools meant to protect users. Some of those tools include app signing and notarization. Essentially, these provide a way for Apple to perform a level of vetting for macOS apps, even ones that don’t hit the Mac App Store. Trying to open an app that isn’t correctly signed or notarized results in some scary warnings. But until now, power users could bypass those warnings—and Apple’s overall security process—using a Control-click shortcut. But that shortcut is going away in macOS Sequoia.

 

Entrust faces years of groveling to regain browsers' trust
After falling down in the estimations of major browser makers Google and Mozilla, Entrust faces a lengthy fight on its hands to regain industry trust and once more issue trusted TLS certificates. Microsoft and Apple are likely to follow in their competitors' footsteps in distrusting certificates newly issued by Entrust in Edge and Safari respectively. None of the 14 certificate authorities (CA) previously distrusted as public root authorities have gone on to regain their status in the CA world. "Google's policies are stringent and clear: Once trust is lost, regaining it is exceedingly difficult."

 

China starts testing national cyber-ID before consultation on the idea closes
Chinese app developers have signed up to beta test a national cyberspace ID system that will use facial recognition technology and the real names of users. The national cyberspace ID is meant to eliminate the need for citizens to provide their real-life personal information to internet service providers (ISPs) – a current requirement when using the internet in the Middle Kingdom. It also takes away data retention chores from the ISPs and puts it in Beijing's capable hands instead.

 

NFL to begin using face scanning tech across all of its stadiums
The National Football League and all 32 of its teams will use tech from facial recognition software vendor Wicket to verify the identity of thousands of staff, media and fans as part of its credentialing program. It works like this: credential holders snap a selfie, Wicket scans the resulting image and compares it to a photo on file to verify their identity as people pass a security checkpoint. Credentialing software provided by UK outfit Accredit Solutions helps to make those checks and determine access rights. If identity checks are passed, the credential holder can walk through security checkpoints and access restricted areas based on their permissions.

 

Core Python developer suspended for three months
The suspended developer is Tim Peters. The objections cited against him include the following:
• Making a significant number of posts (47 out of 177) to a discussion of a change to bylaws, "which created an atmosphere of fear, uncertainty, and doubt, which encouraged increasingly emotional responses from other community members."
• "Defending 'reverse racism' and 'reverse sexism', concepts not backed by empirical evidence, which could be seen as deliberate intimidation or creating an exclusionary environment."
• "Using potentially offensive language or slurs, in one case even calling an SNL [Saturday Night Live] skit from the 1970s using the same slur 'genuinely funny', which shows a lack of empathy towards other community members."
• "Making light of sensitive topics like workplace sexual harassment, which could be interpreted as harassment or creating an unwelcoming environment."
• "Casually mentioning scenarios involving sexual abuse, which may be inappropriate or triggering for some audiences."
• "Discussing bans or removals of community members, which may be seen as publishing private information without permission."
• "Dismissing unacceptable behavior of others as a 'neurodivergent' trait, which is problematic because it creates a stereotype that neurodivergent people are hard to interact with and need special treatment."
• "Excessive discussion of controversial topics or past conflicts, which could be seen as sustained disruption of community discussions."
• "Use of potentially offensive terms, even when self-censored or alluded to indirectly."
• "Making assumptions or speculations about other community members’ motivations and/or mental health."

 

Russia blocks Signal for 'violating' anti-terrorism laws
The list of banned messenger apps included Discord, Microsoft Teams, Telegram, Threema, Viber, WhatsApp, and WeChat, but Signal was not mentioned. Russia has also banned the most trustworthy VPN products. The Russian government also blocked access to YouTube even though a full block was expected in September.
Signal confirmed that some countries block its services and advised users to enable the built-in censorship circumvention feature from Signal Settings > Privacy > Advanced > Censorship circumvention.

 

LEGAL & REGULATORY
Illinois relaxes biometric privacy law so snafus won't cost businesses billions
The updated law still covers the capture and usage of the above biometric data and includes the same penalties – but it now counts multiple distributions of data as one violation. If a business negligently sells the same person's data two, ten, or a thousand times, it would face just one $1,000 penalty for that one person, not multiples.