By Jeremy Hsu on September 24, 2024

Popular smart TV models made by Samsung and LG can take multiple snapshots of what you are watching every second – even when they are being used as external displays for your laptop or video game console.

Smart TV manufacturers use these frequent screenshots, as well as audio recordings, in their automatic content recognition systems, which track viewing habits in order to target people with specific advertising. But researchers showed this tracking by some of the world’s most popular smart TV brands – Samsung TVs can take screenshots every 500 milliseconds and LG TVs every 10 milliseconds – can occur when people least expect it.

“When a user connects their laptop via HDMI just to browse stuff on their laptop on a bigger screen by using the TV as a ‘dumb’ display, they are unsuspecting of their activity being screenshotted,” says Yash Vekaria at the University of California, Davis. Samsung and LG did not respond to a request for comment.

Vekaria and his colleagues connected smart TVs from Samsung and LG to their own computer server. Their server, which was equipped with software for analysing network traffic, acted as a middleman to see what visual snapshots or audio data the TVs were uploading.

They found the smart TVs did not appear to upload any screenshots or audio data when streaming from Netflix or other third-party apps, mirroring YouTube content streamed on a separate phone or laptop or when sitting idle. But the smart TVs did upload snapshots when showing broadcasts from the TV antenna or content from an HDMI-connected device.

The researchers also discovered country-specific differences when users streamed the free ad-supported TV channel provided by Samsung or LG platforms. Such user activities were uploaded when the TV was operating in the US but not in the UK.

By recording user activity even when it’s coming from connected laptops, smart TVs might capture sensitive data, says Vekaria. For example, it might record if people are browsing for baby products or other personal items.

Customers can opt out of such tracking for Samsung and LG TVs. But the process requires customers to either enable or disable between six and 11 different options in the TV settings.

“This is the sort of privacy-intrusive technology that should require people to opt into sharing their data with clear language explaining exactly what they’re agreeing to, not baked into initial setup agreements that people tend to speed through,” says Thorin Klosowski at the Electronic Frontier Foundation, a digital privacy non-profit based in California.

https://www.newscientist.com/article/2449198-smart-tvs-take-snapshots-of-what-you-watch-multiple-times-per-second/ (paywall!!)

I never seen such a good YouTube video from Linus Tech Tips: https://www.youtube.com/watch?v=GsjHMzGl-VY (jokes on you)

If you don't get it? Remove Chrome now and install Firefox (or any fork of Firefox). Then install uBlock Origin now! Add-on here: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

I saw today the infamous pop-up of YouTube again that they will block the video player after 2 more videos if I keep using uBlock Origin. ** Google.

Some people might think you can only use or set environment variable of the service in docker compose eg.:

my-service:
  image: lts-alpine
  environment:
    MY_SECRET_KEY: ${MY_SECRET_KEY}

But the same ${} syntax can be used to set a version of Docker image of PostgreSQL, like in this example below:

my-service:
  image: postgres:${POSTGRES_VERSION:-13}-alpine

If nothing is set, version 13 is the fallback value. Now you can set POSTGRES_VERSION environment via your shell. Or leverage the .env file of Docker:

POSTGRES_VERSION=16

When running: docker compose --env-file .env up, Docker should now use PostgreSQL v16 Alpine as Docker image.

Bonus: The docker-compose.yml filename is an old filename, use compose.yml from now. Same for other Compose files like compose.override.yml.

More info: https://docs.docker.com/compose/environment-variables/set-environment-variables/ and https://docs.docker.com/compose/environment-variables/set-environment-variables/

YouTube starts censoring medical information and content. And only content that "meets WHO guidelines" appears on YouTube. No other medical data.

I found this very dangerous, because people should be able to judge themselves what they want to read or hear about. It's our body and your health. I would like to make my own decisions.

More info: https://support.google.com/youtube/answer/13813322

You can also use the map feature of fediverse.observer to pick your new kbin instance.

Lemmy was/is vulnerable for XSS attacks.

Hackers try to inject JavaScript code that tries to steal your (ideally admin) cookie credentials. It seems that the admin account of lemmy.world was compromised this way (MichelleG). Other instances aren't safe either. Which could point to the custom emojis feature in the federate comments, meaning a lot of external instances could be effected by now.

Incorrect escaping of user input data could lead to these issues. Kbin just recently discovered a similar regression issue and which has been solved by now. But it seems that Lemmy was or still is vulnerable to this attack factor.

Mitigation action Lemmy users: You might want to disable JavaScript in the meanwhile.

Mitigation action for Lemmy server owner: Disable custom emoji:

DELETE FROM custom_emoji_keyword;
DELETE FROM custom_emoji;

Clean-up the exploit content:

UPDATE comment SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE private_message SET content = '<REMOVED BY ADMIN>' WHERE content LIKE '%![" onload%';
UPDATE post SET body = '<REMOVED BY ADMIN>' WHERE body LIKE '%![" onload%';
UPDATE post SET name = '<REMOVED BY ADMIN>' WHERE name LIKE '%![" onload%';

Rotate your JWT secret (invalidates all current login sessions):

UPDATE secret SET jwt_secret = gen_random_uuid();

Note: Even just opening a link to a vulnerable Lemmy instance could allow hackers to steal your cookies or sessions credentials. Therefore I will not share or allow people to share URLs of comprised / vulnerable instances.

<button onclick="myFunction()">Try it</button>

<script> function myFunction() { alert("I am an alert box!"); } </script>

Currently, the kbin.social instance has planned maintenance. They are busy upgrading the infrastructure to Kubernetes, using Docker containers. They said it shouldn't take much longer than 1 hour downtime in total (if everything goes fine).

The migration will help to dynamically scale the instance, to remove the growing pains. And hopefully increase the availability (uptime) as well.

Soon additional setup configurations, best server practices and ansible playbooks will be shared with the community.

In the meanwhile you can of course use other instances (I bet you are reading this message right now from another instance).

Today kbin.social is blocking a huge list of domains just to get federation working again.

The reason for this temporally block is not to defederate, but rather to get the large backlog of 500k messenger queue processed again. Anyway, this does mean that kbin.social is federating again with other instances.

This is a temporary measure. Several users / developers are looking into how to better optimize the failed message queue, as we speak. Hopefully Ernest has eventually time to dive into solutions as well instead of workarounds, once his instance is migrated to Kubernets. See my preview thread: https://kbin.melroy.org/m/updates/t/4257/Kbin-federation-issues-and-infra-upgrade

List of the domains causing trouble:

lemmygrad.ml, eientei.org, vive.im, lemmy.ml, lemmynsfw.com, kbin.lol, lemmy.webgirand.eu, tuna.cat, posta.no, lemmy.atay.dev, sh.itjust.works, kbin.stuffie.club, kbin.dssc.io, bolha.social, dataterm.digital, kbindev.lerman-development.com, test.fedia.io, mer.thekittysays.icu, lemmy.stark-enterprise.net, kbin.rocks, kbin.cocopoops.com, kbin.lgbt, lemmy.deev.io, lemmy.lucaslower.com, lemmy.norbz.org, social.jrruethe.info, digitalgoblin.uk, pwzle.com, lemmy.friheter.com, federated.ninja, lemmy.shtuf.eu, u.fail, arathe.net, lemmy.click, thekittysays.icu, lemmy.ubergeek77.chat, lemmy.maatwo.com, faux.moe, eslemmy.es, seriously.iamincredibly.gay, test.dataharvest.social, programming.dev, kbin.knocknet.net, pawb.social, lucitt.social, longley.ws, kbin.dentora.social, atay.dev, lemmy.kozow.com, ck.altsoshl.com, pawoo.net, techy.news, lemmy.vergaberecht-kanzlei.de, lemmyonline.com, beehaw.org, pouet.chapril.org, kbin.pcft.eu, fl0w.cc, lemmy.sdf.org, lemmy.zip, feddit.dk, fedi.shadowtoot.world, lemmy.noogs.me, lemmy.kemomimi.fans, social.agnitum.co.uk, fediverse.boo, hive.atlanten.se, forkk.me, lemmy.ghostplanet.org, lemmy.mayes.io, lemmy.mats.ooo, lemmy.world, lemmy.sdfeu.org, lemmy.death916.xyz, geddit.social, masto.fediv.eu