And one more site's security went belly up
https://www.theregister.co.uk/2018/09/06/british_airways_hacked/
-
British Airways, Another Victim of Ongoing Magecart Attacks
https://www.securityweek.com/british-airways-another-victim-ongoing-magecart-attacks
The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.
The incident, the airline revealed on September 6, resulted in cybercriminals accessing the personal and financial details of customers who made bookings between August 21 and September 5, either via the company’s website or their mobile app.
On Friday, chief executive Alex Cruz told BBC the airline experienced “a very sophisticated, malicious, criminal attack” on their website. The breach resulted in customer names, postal addresses, email addresses and credit card information being stolen.
British Airways says the breach of customer data spanned a total of 15 days, but the attackers likely had access to the company’s systems before that, RiskIQ reveals. A paid certificate from Comodo used in this attack was issued on August 15, suggesting the miscreants “likely had access to the British Airways site before the reported start date of the attack on August 21st,” the security firm says.
RiskIQ, which has been tracking Magecart attacks since 2015, and which found a couple of months ago that the threat group also stole the information of Ticketmaster UK customers, said today they discovered how the data of British Airways’ customers was stolen.
The culprit was a modified version of the Modernizr JavaScript library that was loaded from the baggage claim information page of the British Airways website. Modified on August 21, the file contained 22 lines of JavaScript, and was long enough to steal the information of 380,000 users.
The script would extract user’s name and information from the payment form as soon as they hit the button to submit their payment on the compromised British Airways site. The data was sent to the attackers’ server.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” RiskIQ says.
The attackers’ infrastructure was also specifically tailored for this attack, targeting scripts that would blend in with normal payment processing to stay under the radar. The attackers set up the domain baways.com, hosted on 89.47.162.248, an IP located in Romania but part of a VPS provider based in Lithuania.
What made it possible to target the users of British Airways’ mobile app as well, the security firm reveals, was the fact that the software loads a series of resources from the airline’s website, including the same compromised Modernizr JavaScript library. The hackers, however, also “put in the touchend callback in the skimmer to make it work for mobile visitors as well,” RiskIQ points out.
“Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” RiskIQ concludes.
Magecart is an active threat that has been continuously refining tactics and targets to maximize returns. As part of the Ticketmaster attack, they targeted third-party provider Inbenta, but switched to targeting a specific brand in the British Airways incident, specifically tailoring their attack to match the site’s functionality. The threat group is expected to continue to evolve, the security firm says. -
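An added example, not part of the quoted article or of RiskIQ's analysis: a defender-side audit that would flag the kind of change described above, a first-party library file whose contents no longer match a recorded hash and which now references a host outside the site's allowlist. The file name, the `airline.example` allowlist and both script bodies are constructed for illustration; only the domain `baways.com` comes from the article.

```python
"""Integrity audit for first-party JavaScript (added example, constructed data)."""
import base64
import hashlib
import re

# Host names in absolute or protocol-relative URLs found inside a script body.
_URL_HOST = re.compile(rb"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def sri_sha384(body: bytes) -> str:
    """Return the Subresource Integrity value (sha384-<base64>) for a script."""
    digest = hashlib.sha384(body).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def referenced_hosts(body: bytes) -> set:
    """Collect every host name the script body mentions in a URL literal."""
    return {m.group(1).decode("ascii").lower() for m in _URL_HOST.finditer(body)}


def host_allowed(host: str, allowed: set) -> bool:
    """A host passes if it is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_script(name: str, body: bytes, baseline: dict, allowed_hosts: set) -> list:
    """Compare a served script against its recorded hash and host allowlist.

    Returns a list of (finding, detail) tuples; an empty list means clean.
    """
    findings = []
    expected = baseline.get(name)
    actual = sri_sha384(body)
    if expected is None:
        findings.append(("unknown-script", name))
    elif actual != expected:
        findings.append(("hash-mismatch", actual))
    for host in sorted(referenced_hosts(body)):
        if not host_allowed(host, allowed_hosts):
            findings.append(("unlisted-host", host))
    return findings


# Constructed stand-in for the reviewed, known-good library file.
GOOD = (
    b"/*! constructed stand-in for a feature-detection library */\n"
    b"window.Lib=(function(){return{touch:'ontouchstart' in window};})();\n"
    b"var cdn='https://static.airline.example/img/';\n"
)

# Constructed, inert tail: only a string naming the domain from the article.
TAMPERED = GOOD + b"var endpoint='https://baways.com/';\n"

# Baseline recorded at release time; hypothetical file name and allowlist.
BASELINE = {"modernizr.js": sri_sha384(GOOD)}
ALLOWED = {"airline.example"}

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, audit_script("modernizr.js", body, BASELINE, ALLOWED))
```

Because the article notes that the mobile app loads the same library from the website, one audit of the served file covers both clients. Keep the baseline and the job that runs the audit off the web tier, since whoever can rewrite the script can rewrite a hash stored beside it.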
And now, Newegg.
"We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14th and September 18th"
https://www.riskiq.com/blog/labs/magecart-newegg/ -
Governments are using games to engage citizens — but #beware before you play.
They can be a tool for citizen participation, but raise concerns about #privacy and exclusion.
https://apolitical.co/solution_arti...to-engage-citizens-but-beware-before-you-play
In Suining, China, all residents aged 14 and above are graded by a complex social credit system designed to monitor and shape citizens’ behaviour. Did you take care of a sick family member? You earn 50 points. Were you convicted of drunk driving? Fifty are taken away.
Suining served as a testing ground for a mass surveillance system China is currently rolling out nationwide. Citizen behaviour is carefully watched and ranked for “trustworthiness”: Grade-A citizens may get first priority for jobs, skip hospital queues and get discounts on energy bills. Grade-D citizens, meanwhile, can be denied public services, banned from buying plane tickets or even blocked from dating websites.
Critics say China’s social credit system is a glimpse into a dystopian future; a place where all citizens are watched and rated by government, which doles out rewards or punishments accordingly. But at its core, China’s social credit system is one of the most widespread uses of gamification — an “underexplored approach to governance”, according to Gianluca Sgueo, a New York University professor and policy analyst for the European Parliament.
Sgueo is the author of Games, Power and Democracies, which is one of the first books to analyse how government can use elements of games — such as points, levels, ranking and badges — to encourage civic participation and mould citizens’ behaviour. Sgueo doesn’t extol the tool as a cure-all for what’s broken in the policymaking process. In fact, he writes that in terms of improving interaction between government and the public, gamification has yet to have “any real impact”.
But, Sgueo says, gamification has the potential to bring apathetic citizens into the policymaking process and make decision-making more participatory. Here, he discusses why governments are using gamification wrong, and how the tool can be harnessed to change how citizens interact with government.
You open your book with a description of an episode of the TV show Black Mirror, in which every citizen has a rating that measures their social value. Do you think this is where governments’ use of gamification is heading?
I think there are two threads. One is a good one — not like the Black Mirror episode, but something more positive: gamification as a tool to engage people in policymaking. However, I have to be honest: sometimes the risk is that government, in experimenting with gamification, invades citizens’ privacy and is too intrusive with their lives.
One well-known case is in China. In Suining, your behaviour as a citizen is rated and it affects your social life. You can be denied a permit to go to the hospital or access to other public services if your rating is low. That’s very scary.
The other experiment that is very intrusive, is one in which citizens’ garbage and recycling habits were judged. People were rated by photos of their garbage, which were shared publicly. [BinCam, a Newcastle University project aimed at monitoring individuals’ recycling behaviour, installed a mobile phone inside garbage bins and took a photo every time they were used. People rated the photos on Facebook.] Overall, the trend is more positive, but there are some scary examples like these.
So far, experiments have generally been confined to small subsets of a population. Do you think gamification has the power to bring citizens into decision-making on a larger scale?
That’s the challenge. If you look at the number of people attracted by games — mobile games, video games, the numbers are crazy. The potential to attract people is there; we just need to use it to engage citizens.
The issue is that when we play a game, there is always a moment when we get bored and abandon the game. Let’s say you’re playing a game, but struggling to go to the next level — if it’s too difficult, you abandon it. If it’s too easy, you get bored.
The same principle is applied to gamification and public policy. If there are too many confusing game elements or citizens don’t feel sufficiently engaged after the first time, they just stop trying it.
The example I have in mind is from London. A couple of years ago, the government was struggling with people throwing cigarettes on the ground right before entering the metro instead of throwing them away.
They wanted people to use the bins, but they were too often in a rush. So, what they did is install two bins with [football players] Ronaldo and Messi on them. Above, it was written “Which player is better?” It worked very well for the first few months — people were throwing cigarettes away — but after awhile, they got bored. If citizens don’t find the game interesting anymore, it won’t be effective in the long term.
What are some common mistakes governments make when trying to use gamification?
The first one is to lock in a strategy for the long term. Maybe your game is super cool, but it’s not going to last for too long. There is no game you could play forever with the same level of engagement. Think about Monopoly: I like to play it but I don’t play it every day. In a way, the same thing happens with gamification. In my opinion, the most common mistake is implementing a game that is not easily changed.
The second common mistake is to only go digital. This goes back to the issue of digital divide and exclusion. The best examples of gamification include both offline and online elements. If you just use digital games, you’ll leave out a lot of people. My mother is 65 years old — if the Italian government was to launch a public consultation through digital games, she wouldn’t take the time to see what it’s about. And there are a lot of people like her whose opinion they would miss out on.
Has any one government been able to overcome these challenges?
Not yet, not entirely, and definitively not satisfactorily. The problem of inclusiveness and ethical issues are common to all initiatives of gamification. The first is a natural consequence of the digital nature of nearly all cases of gamified public policy.
One exception to the rule is the case of Macon Money, [from Macon, Georgia] a game designed for community engagement. It’s a virtual currency distributed to residents — but the interesting thing is that to redeem the value of Macon dollars, you have to find someone who has the other half of your coin. It was posted in the local newspaper who had what half, and the two people were forced to meet and interact. They could redeem the money in local stores.
This type of thing wouldn’t work in a city like Rome or London, but in a small city like Macon it helps neighbours socialise and stay informed on civic affairs. It’s meant to engage both the digitally illiterate and people who have no interest in community affairs.
Finally, ethical concerns are common to every nudging initiative, including gamification. In the final chapter of the book I describe attempts from think tanks and researchers to develop ethically neutral algorithms that could be used to counterweight ethical biases in gamification. At present, however, these initiatives are in the trial phase.
What would you say is the most successful example of a government using gamification to involve citizens in policymaking?
The municipalities of Madrid and Barcelona have both adopted platforms for engaging people in policymaking: Decide Madrid and Decidim Barcelona, which means “We Decide” in Catalan.
The platforms have implemented simple elements to give points to people who participate more. So if your ideas and comments aren’t successful — as in, they don’t make it into government — you still get points for participation. It’s not just about using the platform to convince the municipality to adopt your ideas; it’s about contributing and how you are rewarded with a system of points. The result is that more people are willing to participate. It’s very simple, very basic but very successful, which shows the promise of these types of platforms.
You say that gamification alone is not a game-changer, and that it’s yet to have any real impact in terms of advancing interactions between citizens and government. Why should governments even try to use this tool?
Because of the promise they see in it. They see an easy way to get a response from citizens. They see a low-cost way — which is not actually a reasonable way if you want to do it seriously. And they see in it probably the only escape we can find in this age where distrust for government is so spread.
I’m not saying that gamification is useless. I’m saying in most examples that I’ve analysed while writing this book, I could spot some, let’s say, naive approaches from government. In other very few cases, I saw gamification used as part of a broader strategy. These three factors — underestimating costs; overestimation of results; and the lack of a proper strategy — are probably the reasons for which governments are using it without much of a result. — Jennifer Guay -
Farcebook:
"an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people’s accounts on Facebook"
technical vulnerability... Zuckerberg terminology for catastrophic security defect + flawed programming + loss of control.
https://www.theverge.com/2018/9/28/...ffected-security-token-access-view-as-feature
Last edited: Sep 28, 2018 -
"News of this security exploit comes just hours after a prominent Taiwanese hacker by the name of Chang Chi-yuan pledged to delete Zuckerberg’s personal page on Sunday as a way to demonstrate some type of security flaw in Facebook, Chang’s proficiency as a hacker, or both. It was not immediately clear whether the issue affecting Facebook’s View As feature is the one Chang intended to exploit, but the timing had some suspecting they could be related. Facebook said this exploit does not have anything to do with Chang’s stunt, which he reportedly planning to stream on Facebook Live."
I remember reading this, they were going to go without a lead Security group, and were going to let each group work out their own security, I wondered how long that was going to last, before something catastrophic happened to change it.
"A more pressing concern for Facebook is the absence of a chief security officer, after former CSO Alex Stamos left the company last month. Following Stamos’ departure, Facebook said it would not be filling the CSO role and would instead restructure its security organization and embed specialists through its many divisions. A Facebook spokesperson said at the time that the company would “continue to evaluate what kind of structure works best” to protect users’ security."
Right about now, I guess...
Last edited: Sep 28, 2018 -
China Used Tiny Chip in Hack That Infiltrated Amazon, Apple
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
http://forum.notebookreview.com/thr...in-hack-that-infiltrated-amazon-apple.823509/
"In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information." -
What is a #Threat #Modeling?
https://en.wikipedia.org/wiki/Threat_model
Application Threat Modeling:
https://www.owasp.org/index.php/Application_Threat_Modeling
https://www.linkedin.com/feed/update/urn:li:activity:6453915376995565568 -
I'm sorry for what happened to you; you have to be more careful these days.
Good luck with your PhD, I'll be happy to help you with anything I can do.
Last edited: Oct 5, 2018 -
Stay safe online. I think it was a silent version of spectre and some developer tried to mine coins using cpu. If it didn't mine I wouldn't have noticed. It was really in stealth mode via jsp. If you see any high CPU usage on older PC/phones suddenly it might be some stealth malware. I couldn't get a glimpse of it. It is the first time something managed to slip my eyes. I heard the fans spinning at 100% that's what startled me!
Have you heard news of stealth based coin mining? -
Stealth Cryptocurrency Mining Sites Can Now Run Even After You Close Your Browser
https://www.extremetech.com/interne...y-mining-sites-can-now-run-even-close-browser -
Windows 10 Ransomware Protection Bypassed Using DLL Injection
https://www.bleepingcomputer.com/ne...ware-protection-bypassed-using-dll-injection/
-
Fake Flash Updaters Push Cryptocurrency Miners
https://researchcenter.paloaltonetw...ke-flash-updaters-push-cryptocurrency-miners/
http://forum.notebookreview.com/threads/clever-legit-flash-update-with-extra-load.825418/ -
The cost of cybersecurity
CNBC Television
Published on Oct 16, 2018
John Carlin of the Aspen Institute and Morrison and Foerster joins 'Squawk Box' to discuss the rising threat of global cyber attacks and the state of cybersecurity long-term.
-
This has been news for a little while now, but I haven't seen any posts about an important turn in China's society, whereby China watches all personal activity - on and off the internet - rates it and generates a Social Score which limits what you can do in society. Scary stuff, very real and here today, in China.
Exposing China's Digital Dystopian Dictatorship | Foreign Correspondent
ABC News (Australia)
Published on Sep 18, 2018
China is marrying Big Brother to Big Data. Every citizen will be watched and their behaviour scored in the most ambitious and sophisticated system of social control in history. Matthew Carney reports. Read more here: https://www.abc.net.au/news/2018-09...el-citizen-in-a-digital-dictatorship/10200278
https://www.youtube.com/results?search_query=Exposing+China's+Digital+Dystopian+Dictatorship+
Last edited: Oct 21, 2018 -
"An exploitable code execution vulnerability exists in the HTTP packet-parsing functionality of the LIVE555 RTSP server library -- used internally by well-known software such as VLC and MPlayer"
Fix by Live Networks, but vlc etc needs update to implement it.
Edit: seems no risk for endusers. Good. See post below.
https://blog.talosintelligence.com/2018/10/vulnerability-spotlight-live-networks.html
Last edited: Oct 24, 2018 -
^^^ update and details:
"Initial concern over the bug (CVE-2018-4013) had client-side users of the popular VLC open-source media player and the MPLayer video player scrambling to update their software. However, as Cisco Talos pointed out, the impacted LIVE555 Media libraries only affects streaming server software, not the players that use it"
https://threatpost.com/critical-bug-impacts-live555-media-streaming-libraries/138477/ -
The future of passwords? Your brain
https://www.fastcompany.com/90257174/the-future-of-passwords-your-brain
-
Microsoft accused of disclosing Indian banking information with US intelligence agencies
Indian press reports raise security questions about cloud computing
https://www.computing.co.uk/ctg/new...ing-information-with-us-intelligence-agencies
-
Hacker Who DDoSed Sony, EA and Steam Gaming Servers Pleads Guilty
https://thehackernews.com/2018/11/gaming-server-ddos-attack.html via @TheHackersNews
-
Damn this one sounds bad.
Google Services Unreachable After Traffic Hijacking
Services from Google on Monday became unavailable for up to two hours as user traffic followed a tortuous path through operators in Russia and Nigeria before hitting the Great Firewall of China.
This was the effect of an unintended anomaly that changed the normal traffic route towards some IP prefixes belonging to Google. At the heart of the issue was Nigerian ISP (AS37282) MainOne Cable Company, which leaked the prefixes to China Telecom, a government-owned provider.
https://www.bleepingcomputer.com/news/security/google-services-unreachable-after-traffic-hijacking/ -
https://www.inforisktoday.com/who-hijacked-googles-web-traffic-a-11699?platform=hootsuite
-
^^^ and now this:
Official Google account hacked to promote Bitcoin scam on Twitter
https://thenextweb.com/2018/11/13/google-hack-bitcoin-twitter/ -
Americans, Canadians are warned not to eat romaine lettuce
Candice Choi, Ap Food & Health Writer Updated 6:56 pm PST, Tuesday, November 20, 2018
https://www.sfgate.com/g00/news/med...-romaine-lettuce-safe-to-eat-cdc-13409363.php
-
Apple macOS Zero-Day Vulnerabilities (by: Dropbox & Syndis)
-
https://www.zdnet.com/article/fbi-d...scheme-operating-across-over-one-million-ips/
"the 3ve operation generated over three billion fraudulent daily ad bid requests, employed over 60,000 accounts selling fraudulent ad inventories, operated over 10,000 counterfeit websites for the sole purpose of showing ads, ran over 1,000 data center servers, and controlled over one million IP addresses" -
Half of all Phishing Sites Now Have the Padlock
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https”.
https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/ -
I check their keys used such as SHA1, DH etc...
-
Marriott data breach affects a half-billion guests
-
Some 100's of millions here & there. Seems to be the new norm, just change your password and forget about it -lol-. Am expecting any day to read that a 'Really Big One' has occurred (amazon, google or azure etc).
100 million Quora users data exposed in major breach
https://betanews.com/2018/12/04/quora-data-breach/ -
Google+
https://www.theregister.co.uk/2018/12/11/google_hacked_again/
"People is a list of person resources, each of which represents a Google+ user. People methods enable your application to get a person's profile, search through profiles, and list all of the people who have +1'd or reshared a particular activity."
https://developers.google.com/+/web/api/rest/latest/people
The concept of (and the word) 'privacy' has become a big joke.
Last edited: Dec 11, 2018 -
Farcebook takes your privacy seriously.
"The exposure occurred between September 12th and September 25th. Facebook told TechCrunch that it discovered the breach on the 25th; it isn’t clear why the company waited until now to disclose it"
https://www.theverge.com/2018/12/14...to-exposure-leak-bug-millions-users-disclosed -
It never stops.
"A security vulnerability in the massively popular SQLite database engine puts thousands of desktop and mobile applications at risk."
"SQLite is embedded in thousands of apps, the vulnerability impacts a wide range of software, from IoT devices to desktop software, and from web browsers to Android and iOS apps."
https://www.zdnet.com/article/sqlit...f-apps-including-all-chromium-based-browsers/ -
Farcebook again:
"For years, Facebook gave some of the world’s largest technology companies more intrusive access to users’ personal data than it has disclosed, effectively exempting those business partners from its usual privacy rules"
"Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, the records show, and gave Netflix and Spotify the ability to read Facebook users’ private messages"
"The social network permitted Amazon to obtain users’ names and contact information through their friends, and it let Yahoo view streams of friends’ posts"
https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html -
6.|THE|1|BOSS|.9 Notebook Evangelist
Privacy was lost since Internet creation... so..
that's just my opinion... that's all
-
http://forum.notebookreview.com/thr...rochips-in-humans.807293/page-5#post-10831083 -
You don't get off that easily, you are in control, giving up is not an option.
It's all configurable, demand your privacy, demand the designs to provide it.
It's a simple equation, do the math, and don't give in so easily.
Last edited: Dec 25, 2018 -
Someone testing their weapons ?
"A number of major US newspapers -- including the Los Angeles Times, Chicago Tribune, Wall Street Journal and New York Times -- have been hit by a cyberattack that is said to originate from another country"
https://betanews.com/2018/12/30/cyberattack-us-newspapers/ -
Microsoft Is Making It Harder To Mess With Windows 10's Built-in Antivirus
https://www.forbes.com/sites/leemat...mess-with-windows-10s-built-in-antivirus/amp/
-
Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
https://www.fireeye.com/blog/threat...ampaign-dns-record-manipulation-at-scale.html -
US government shutdown leaves websites insecure.
https://www.bbc.com/news/technology-46836905#
Last edited: Jan 11, 2019 -
Yossi Appleboum on How Bloomberg is Positioning His Research Against Supermicro
https://www.servethehome.com/yossi-...-positioning-his-research-against-supermicro/
Today, Bloomberg upped the stakes in its contentious story around Chinese tampering of Supermicro hardware, citing Yossi Appleboum CEO of Sepio Systems. Here is that story. I reached out to Mr. Appleboum for comment via telephone. Whereas the Bloomberg story singles out Supermicro servers, Mr. Appleboum’s sentiment is that this is an industrywide issue. Other very large server and networking manufacturers are certainly impacted, perhaps more so. He also stated that as an industry, or a society, we have two options: we go with the narrative that a US company, Supermicro, is the only one impacted as the Bloomberg reporting suggests, or we recognize that this is a persistent threat that impacts the entire hardware supply chain that underpins the lynchpin communications infrastructure of our global economy. -
While they sound like the same thing, there’s one major difference and it’s causing a heated debate.
https://www.thesslstore.com/blog/dns-over-tls-vs-dns-over-https/
"...
Ok, so what’s the difference between DNS over TLS & DNS over HTTPS? While both of these standards encrypt DNS requests, there are some important differences between DNS over TLS vs DNS over HTTPS. The IETF has defined DNS over HTTPS as RFC 8484 and it’s defined DNS over TLS as RFC 7858 and RFC 8310.
DNS over TLS uses TCP as the basic connection protocol and layers over TLS encryption and authentication. DNS over HTTPS uses HTTPS and HTTP/2 to make the connection.
This is an important distinction because it affects what port is used. DNS over TLS has its own port, Port 853. DNS over HTTPS uses Port 443, which is the standard port for HTTPS traffic.
While having a dedicated port sounds like it would be an advantage, in certain contexts it’s actually quite the opposite. While DNS over HTTPS requests can hide in the rest of the encrypted traffic, DNS over TLS requests all use a distinct port where anyone at the network level can easily see them and even block them.
Granted, the request itself – its content or response – is encrypted. So you wouldn’t know what was being requested, but they’d know you were using DNS over TLS. And at the very least that’s going to raise suspicions. It’s kind of like taking the fifth in the US. It just lends itself to the perception you have something to hide and in a lot of countries that’s not a good perception to have about you.
...
What’s the better standard, DNS over HTTPS or DNS over TLS?
That’s what all of this debate is trying to decide! There are legitimately valid arguments on both sides. What’s not helpful are ad-hominem attacks that distract from an otherwise worthy conversation.
Given the fact this is a human rights issue emotions are bound to flare, but it’s important to remember the side advocating for DNS over TLS, which favors a network security approach but potentially opens up some privacy concerns don’t hold that position because they’re cold or lack empathy, they’re just viewing this from a different perspective.
Sometimes what’s best from a qualitative standpoint, and what’s best from a human rights or even a morality standpoint don’t align. To many in the DNS over TLS camp, this has nothing to do with real-world privacy issues and everything to do with the fact they see DNS over HTTPS as an inferior standard to DNS over TLS.
This isn’t about working in deference to a social conscience to them, it’s about designing a standard that is the most efficient. Nobody is fighting against privacy, even if not everyone is fighting for the same thing.
We’ll keep updating you on this as more develops."
The Google DNS over TLS standard allows visibility into your DNS requests and allows tracking you specifically along with your requests.
This can be a problem for operation in unfriendly government environments, but would likely be a requirement under those same regimes. Perhaps this is why Google is choosing this method over the more private DNS over HTTPS.
There are more details in the article supporting visibility into traffic allowing for better security, and I'm sure oppressive regimes would also agree for the same reason.
Right now it's no loss, as DNS is unencrypted, and encrypting traffic crossing many boundaries is a good thing, but make sure you pick your DNS partner even more carefully.
I don't think I would pick Google, as this would add to their personal tracking info database, which is already detailed enough, it doesn't need secure confirmation of every DNS request made from my equipment.
Last edited: Jan 22, 2019
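An added example, not part of the post or of the quoted article: the same DNS query framed once for DNS over TLS and once for DNS over HTTPS, with what an on-path observer can tell from the port alone. It goes slightly beyond the quoted text by following the wire formats in RFC 7858 and RFC 8484; the name `example.com` and the `/dns-query` path are assumptions, as a real resolver publishes its own URI.

```python
"""One DNS query framed for DoT (RFC 7858) and DoH (RFC 8484). Added example."""
import base64
import struct

DOT_PORT = 853  # dedicated DoT port, as stated in the quoted article
DOH_PORT = 443  # shared with all other HTTPS traffic


def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Build a one-question DNS query in wire format (class IN, RD set).

    msg_id defaults to 0, which RFC 8484 recommends for DoH so that
    identical questions produce identical, cacheable HTTP requests.
    """
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").encode("ascii").split(b"."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS labels must be 1 to 63 octets long")
        qname += bytes([len(label)]) + label
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dot_frame(message: bytes) -> bytes:
    """DoT: two-octet length prefix, then the message, inside TLS on 853."""
    return struct.pack("!H", len(message)) + message


def doh_get_target(message: bytes, path: str = "/dns-query") -> str:
    """DoH GET: the message as unpadded base64url in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def doh_post(message: bytes, path: str = "/dns-query"):
    """DoH POST: the raw message as the body, typed application/dns-message."""
    headers = {
        "content-type": "application/dns-message",
        "accept": "application/dns-message",
        "content-length": str(len(message)),
    }
    return "POST", path, headers, message


def decode_doh_get(target: str) -> bytes:
    """Resolver side: recover the DNS message from a DoH GET target."""
    encoded = target.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def on_path_view(transport: str) -> dict:
    """What a network observer learns from the TCP port alone."""
    port = {"dot": DOT_PORT, "doh": DOH_PORT}[transport]
    return {
        "port": port,
        "identifiable_as_dns_by_port": port == DOT_PORT,
        "query_name_visible": False,  # both transports encrypt the question
    }


if __name__ == "__main__":
    query = build_query("example.com")
    print("DoT frame  :", dot_frame(query).hex())
    print("DoH GET    :", doh_get_target(query))
    print("DoT on path:", on_path_view("dot"))
    print("DoH on path:", on_path_view("doh"))
```

The payload is byte-for-byte the same DNS message in both cases; only the framing and the port differ, which is the whole of the visibility argument in the quoted article.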
All about Security, News, Events and Incidents
Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.