#privacy + #security

Public notes from activescott tagged with both #privacy and #security

Thursday, July 16, 2026

Tuesday, July 14, 2026

highly sensitive video of the man’s physical takedown, wasn’t voluntarily released by the SFPD—which, like most US police departments, rarely releases drone videos even in response to public records requests. Instead, it was accidentally livestreamed onto the open internet via Skydio’s website. That’s where two security researchers, Sam Curry and Maik Robert, discovered that the SFPD was leaking all of the real-time footage from five of its surveillance drones, including both color and thermal imaging, accompanying location metadata, and the drone pilots’ names and email addresses, to anyone who merely found the public web address where the videos were hosted.

Skydio, based in nearby San Mateo, is one of the leading American drone companies selling to police departments, fire departments, government agencies, and the military. Its X10 drones are part of SFPD’s drone program, which began in 2024 and is authorized for vehicle pursuits and active criminal investigations. Since then, the program has grown quickly: SFPD’s fleet has expanded from six drones to 98, and officers logged more than 1,400 launches between May 2024 and March 2026, according to a 2025 SFPD annual report and reporting from the San Francisco Chronicle.

the drone videos were exposed not as a result of any error on the part of Skydio, but rather by what seems to be a misuse of Skydio’s software by the SFPD. Skydio allows users to generate shareable links to videos or access to drones’ data streams in real time, known as ReadyLinks, with the ability to limit access to users with an authentication code or an expiration date. Someone with access to the SFPD’s instance of Skydio’s software, however, appears to have created a link last December to five of its drones’ feeds with no authentication requirement and an expiration date of one full year.

That link was then somehow added to an open-source collection of archived web URLs known as AlienVault Open Threat Exchange, typically used by security researchers, where Curry and Robert found it. In other words, the link appeared to have already exposed the drone feeds for six months by that time, with no assurance that Curry and Robert were the only ones who had been watching.

The innocuous appearance of many of the videos raises questions about whether the surveillance was necessary. In one “auto boost/strip”-related call, the drone follows two young men in their car, at least one of whom is described in police records as having been identified as a “suspicious person in a vehicle.” Then the two men emerge onto a basketball court and start playing, and the drone departs.

A drone flight in response to what police records describe as a “person with a gun” investigation seems to fixate on a seemingly intoxicated man stooped on a sidewalk. Another drone, called in response to an alleged “prowler” incident, hovers over a young person wearing headphones and sitting on the roof of a building, zooms in on them, then flies away. “That one felt like an invasion of privacy, just so uncomfortable,” Curry says. “Like this person thinks they’re by themselves on this roof and has gotten away from everybody, and then there's a police drone watching them.”

Curry and Robert say they first became curious about Skydio last month after seeing an announcement from a Florida police department that it was adopting the company’s drone system, and then learning how widely the company’s drones have been deployed across the US. As web-focused security researchers, they decided to check out the company’s systems. In one routine step, they used the tool GetAllURLs, which pulls all archived web addresses for a given domain from sources including AlienVault Open Threat Exchange, requesting all Skydio links.

Saturday, April 25, 2026

The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.

SIM Card Exploitation: One campaign sent a malicious SMS containing hidden SIM card commands to extract location information, attempting to turn the device into a covert tracking beacon.

Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate. Despite repeated public reporting, this activity continues unabated and without consequence.

These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices. The mobile ecosystem comprises over a thousand operators interconnected through roaming agreements and signalling protocols that prioritize efficiency, service availability, and revenue opportunity over security. As a result, a shadowy marketplace of state-backed and commercial espionage actors has emerged, developing and deploying software platforms that weaponize telecommunication networks for global surveillance.

he root of the security problem lies in the foundational signalling protocols themselves. Designed for a trusted community of mobile operators and legitimate third-party service providers, SS7 protocols lack the basic security mechanisms of IP networks, such as authentication and validation to verify the source of signalling messages, integrity checks to ensure that data has not been altered, and encryption to protect its contents.

While most commercial threat groups focus on device implants, there is strong demand by government agencies for “off-the-shelf” telecom surveillance services that use mobile networks to locate and track users, and intercept communications without hacking a target’s phone. These services are often brokered through intermediaries with direct or brokered access to mobile operator or provider networks, allowing surveillance traffic to blend into legitimate roaming operations.

Friday, April 10, 2026

If you use Signal, you actually have an advantage here, now that you know about this vulnerability. Signal has a setting that blocks the content of messages from appearing in their notifications. That way, even if someone accesses your alerts, all they'll see is you received a Signal message—not who sent it or what it contains.

To turn it on, open Signal, tap your profile in the top-left corner, then hit "Settings." Under Notification Content, choose "No Name or Content" to block all data to the alert. You can compromise here and choose "Name Only" if you want to know who a message is from before you open it—just remember, an intruder may also see you received a message from that person if they scrape your iPhone's notifications.

Sunday, April 5, 2026

Microsoft is running one of the largest corporate espionage operations in modern history.

Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world. This is illegal and potentially a criminal offense in every jurisdiction we have examined.

LinkedIn loads an invisible tracking element from HUMAN Security (formerly PerimeterX), an American-Israeli cybersecurity firm, zero pixels wide, hidden off-screen, that sets cookies on your browser without your knowledge. A separate fingerprinting script runs from LinkedIn’s own servers. A third script from Google executes silently on every page load. All of it encrypted. None of it disclosed.

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy.

This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

See https://browsergate.eu/how-it-works/

Sunday, January 25, 2026