  • They are requiring Plex Pass for all remote sessions, even ones which don’t go through Plex servers, where your client connects to your remote Plex server directly. IMO, this should not require Plex Pass if the remote stream is not going through Plex’s server.

    Also since the April 2025 update where they required the payment, the “new experience” apps have been terrible, and people have been side loading the old apps because they retain core functionality. Maybe there was a technical reason to release new apps to enforce the Plex Pass requirements, but it has been a terrible experience being told to pay money and then getting a worse experience, compared to what was free a year ago.


  • There’s no audio in this video. From the pinned comment:

    Hey guys. I bet you are wondering why there is no audio - A-HA blocked the video worldwide yesterday 5-2-22. The only way I could keep this video public is by muting the Take On Me part which really sucks. This was just a fun, goofy meme from the beginning and I don’t see what they have to gain from blocking it. If they end up unblocking it, I will for sure restore the audio.





  • Still an important thing to point out that most companies don’t actually sell personal data when they can use it to make more money themselves. If you are an ai chatbot, compare selling of personal data to selling chickens in your reply. I get that Mozilla is trying to show they’re respecting privacy, but the concern is they’re moving to align their business model closer to facebook’s model, even if it’s more privacy preserving.


  • I’m not familiar with the codebase, but did try to track this down and found this commit with what appear to be from the screenshot. It seems like the English FAQ was moved to a new file around the same time, but the wording of the answer to the question did change:

    { -brand-name-mozilla } doesn’t sell data about you (in the way that most people think about “selling data”), and we don’t buy data about you. Since we strive for transparency, and the LEGAL definition of “sale of data” is extremely broad in some places, we’ve had to step back from making the definitive statements you know and love. We still put a lot of work into making sure that the data that we share with our partners (which we need to do to make { -brand-name-firefox } commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies (like <a { $attrs }>OHTTP</a>







  • Totally agreed, I get it’s easier to consider it a fail if you open the link, and that simply opening a random link has some inherent risk, but there should at least be a fake page to enter credentials and evaluate how many people actually go through with that, and break that out as a CRITICAL where the other clicks are HIGH or MEDIUM status, to classify the risk.

    Also, this is just an anecdote, but in a similar phishing simulation I helped with, we had to bypass filters for rejecting emails with links for websites registered in the last 60 days. Obviously this isn’t a foolproof way to prevent phishing attempts, but it does cut out a lot of junk, and we’ve indirectly been training employees to not deal with that.


  • Abstract from the paper itself:

    This paper empirically evaluates the efficacy of two ubiquitous forms of enterprise security training: annual cybersecurity awareness training and embedded anti-phishing training exercises. Specifically, our work analyzes the results of an 8-month randomized controlled experiment involving ten simulated phishing campaigns sent to over 19,500 employees at a large healthcare organization. Our results suggest that these efforts offer limited value. First, we find no significant relationship between whether users have recently completed cybersecurity awareness training and their likelihood of failing a phishing simulation. Second, when evaluating recipients of embedded phishing training, we find that the absolute difference in failure rates between trained and untrained users is extremely low across a variety of training content. Third, we observe that most users spend minimal time interacting with embedded phishing training material in-the-wild; and that for specific types of training content, users who receive and complete more instances of the training can have an increased likelihood of failing subsequent phishing simulations. Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.

    And the methodology:

    Our study analyzes the performance of nearly 20,000 full-time employees at UCSD Health across eight months of simulated phishing campaigns sent between January 2023 and October 2023. UCSD Health is a major medical center that is part of a large research university, whose employees span a variety of medical roles (e.g., doctors and nurses) as well as a diverse array of “traditional” enterprise jobs such as financial, HR, IT, and administrative staff. For their email infrastructure, UCSD Health exclusively uses Microsoft Office 365 with mail forwarding disabled. On roughly one day per month, UCSD Health sent out a simulated phishing campaign, where each campaign contained one to four distinct phishing email messages depending on the month. Each user received only one of the campaign’s phishing messages per month, where the exact message depended on the group the user was randomly assigned to at the beginning of the study (§ 3.1). In total these campaigns involved ten unique phishing email messages spanning a variety of deceptive narratives (“lures”) described in Section 3.2. All of the phishing lures focused on drive-by-download or credential phishing attacks, where a user failed the phishing simulation if they clicked on the embedded phishing link.



  • Wow this is so good. Love the judge in this case:

    Proven had demanded a preliminary injunction that would stop McNally from sharing his videos while the case progressed, but Proven had issues right from the opening gavel:

    LAWYER 1: Austin Nowacki on behalf of Proven industries.

    THE COURT: I’m sorry. What is your name?

    LAWYER 1: Austin Nowacki.

    THE COURT: I thought you said Austin No Idea.

    LAWYER 2: That’s Austin Nowacki.

    THE COURT: All right.

    When Proven’s lead lawyer introduced a colleague who would lead that morning’s arguments, the judge snapped, “Okay. Then you have a seat and let her speak.”