The Linkielist

Linking ideas with the world

Steam cracks down on some sex games to appease US prim payment processors

[…]In a Tuesday update to the “Rules and Guidelines” section of Steam’s Onboarding Documentation, the company added a new rule prohibiting “Content that may violate the rules and standards set forth by Steam’s payment processors and related card networks and banks, or Internet network providers. In particular, certain kinds of adult only content.”

On its own, the new rule seems rather vague, with no details on which of the many kinds of “adult only content” would belong in the “certain” subset prohibited by these unnamed payment processors and ISPs. But the trackers over at SteamDB noticed that the publication of the new rule coincides with the removal of dozens of Steam games whose titles make reference to incest, along with a handful of sex games referencing “slave” or “prison” imagery.

Holding the keys to the bank

Valve isn’t alone in having de facto restrictions on content imposed on it by outside payment processors. In 2022, for instance, Visa suspended all payments to Pornhub’s ad network after the adult video site was accused of profiting from child sexual abuse materials. And PayPal has routinely disallowed payments to file-sharing sites and VPN providers over concerns surrounding piracy of copyrighted materials.

Since Valve’s 2018 announcement that Steam would allow any games that aren’t “illegal” or “outright trolling,” the company has shown some difficulty deciding where specifically to draw the line when it comes to adult content. Before this week, Valve’s rules prohibited games that feature explicit images of real people, adult content that isn’t labeled or age-gated, and content that is “patently offensive or intended to shock or disgust viewers.” The guidelines also prohibit “content that exploits children in any way,” a rule that seems to have affected some non-sexual games that feature school settings or characters in school uniforms.

This time, though, it seems Valve is being pressured to implement a new rule on in-game content by outside payment processors, rather than by its own interpretation of speech laws or acceptable social norms. And those outside companies have a lot of leverage here; avoiding third-party payment processors altogether is nearly impossible for a company like Valve, which stopped accepting Bitcoin as a payment option in 2017 due to the extreme volatility of the cryptocurrency’s value.[…]

Source: Steam cracks down on some sex games to appease payment processors – Ars Technica

Copilot Vision on Windows 11 is Microsoft's next spy, but this one sends the data to Microsoft servers

[…]

Copilot Vision is an extension of Microsoft’s divisive Recall, a feature initially sort of exclusive to the Copilot+ systems with a neural co-processor of sufficient computational power. Like Recall, which was pulled due to serious security failings and subject to a lengthy delay before its eventual relaunch, Copilot Vision is designed to analyze everything you do on your computer.

It does this, when enabled, by capturing constant screenshots and feeding them to an optical character recognition system and a large language model for analysis – but where Recall works locally, Copilot Vision sends the data off to Microsoft servers.

According to a Microsoft spokesperson back in April, users’ data will not be stored long-term, aside from transcripts of the conversation with the Copilot assistant itself, and “are not used for model training or ads personalisation.”

[…]

While the screen snooping only happens when the user expressly activates it as part of a Copilot session, unlike Recall, which is constantly active in the background when enabled, it’s also designed to be more proactive than previous releases – which, for many readers, will conjure memories of Clippy and his cohort of animated assistants from the days of Microsoft Office 97 and onward.

At the time of writing, Microsoft was only offering Copilot Vision in the US, with the promise (or threat) that it will be coming to very specifically “non-European countries” soon – a tip of the hat, it seems, to the European Union’s AI Act.

[…]

Source: Copilot Vision on Windows 11 sends data to Microsoft servers • The Register

After $380M hack, Clorox sues its service desk vendor Cognizant for simply giving out passwords

Hacking is hard. Well, sometimes.

Other times, you just call up a company’s IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset… and it’s done. Without even verifying your identity.

So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.

So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the “debilitating” breach was not its fault. It had outsourced the “service desk” part of its IT security operations to the massive services company Cognizant—and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk.

In the words of a new Clorox lawsuit, Cognizant’s behavior was “all a devastating lie,” it “failed to show even scant care,” and it was “aware that its employees were not adequately trained.”

“Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques,” says the lawsuit, using italics to indicate outrage emphasis. “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox’s corporate network to the cybercriminal—no authentication questions asked.”

I can has password reset?

From 2013 through 2023, Cognizant had helped “guard the proverbial front door” to Clorox’s network by running a “service desk” that handled common access requests around passwords, VPNs, and multifactor authentication (MFA) such as SMS codes.

When a purported Clorox employee called the service desk, protocol demanded that the employee use an internal verification and self-reset password tool called MyID. If that wasn’t possible, the service desk should have verified the person’s identity using their manager’s name and the user’s MyID username, after which the password could be reset but the manager and employee would both be notified by email.
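As an added illustration (not code from Clorox, Cognizant or the lawsuit), the gate below implements the procedure just described: a caller either self-resets through MyID or is verified by manager name plus MyID username, after which the reset is performed and both employee and manager are notified. It also runs a detection pass over a constructed ticket log for the pattern described earlier in the piece, a password reset plus Okta and Microsoft MFA resets for one user inside a short window, which is what a service-desk audit should have surfaced. The MyID tool is represented by a flag on the request; the user directory, manager names, usernames and timestamps are all constructed assumptions.

```python
"""Service-desk identity gate and reset-cluster detection (editor's example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory: MyID username -> manager of record, privileged flag.
DIRECTORY = {
    "alex.r": {"manager": "Dana Kim", "privileged": False},
    "sam.t": {"manager": "Priya Nair", "privileged": True},  # works in IT security
}

NOTIFICATIONS = []  # stand-in for the e-mails the procedure requires


@dataclass
class ResetRequest:
    claimed_user: str          # MyID username the caller claims to be
    action: str                # "password", "okta_mfa" or "ms_mfa"
    used_myid: bool            # did the caller self-reset through MyID?
    stated_manager: str = ""   # fallback verification answers given on the phone
    stated_username: str = ""


def verify_and_reset(req):
    """Apply the procedure: MyID self-service, else manager name + MyID username.

    Returns a decision dict. On success the desk performs the reset and notifies
    both employee and manager; it never reads a credential back to the caller.
    """
    rec = DIRECTORY.get(req.claimed_user)
    if rec is None:
        return {"granted": False, "reason": "unknown user"}
    if req.used_myid:
        return {"granted": True, "channel": "myid-self-service"}
    if (req.stated_manager.strip().lower() != rec["manager"].lower()
            or req.stated_username != req.claimed_user):
        return {"granted": False, "reason": "identity not verified"}
    # Agent-assisted reset: both parties learn a reset happened, so an impostor
    # acting in the employee's name is noticed by the real employee or manager.
    NOTIFICATIONS.append(f"to={req.claimed_user}: {req.action} reset by service desk")
    NOTIFICATIONS.append(f"to={rec['manager']}: {req.action} reset for {req.claimed_user}")
    return {"granted": True, "channel": "agent-assisted", "notified": 2}


def find_reset_clusters(log, window=timedelta(hours=24)):
    """Flag users whose password, Okta MFA and Microsoft MFA were all reset
    within `window`. `log` holds (timestamp, username, action) ticket records."""
    by_user = {}
    for ts, user, action in log:
        by_user.setdefault(user, []).append((ts, action))
    flagged = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            acts = {a for t, a in events[i:] if t - start <= window}
            if {"password", "okta_mfa", "ms_mfa"} <= acts:
                flagged.append({"user": user, "first": start,
                                "privileged": DIRECTORY.get(user, {}).get("privileged", False)})
                break
    return flagged


# Constructed ticket log mirroring the two calls described above (assumed times).
TICKET_LOG = [
    (datetime(2023, 8, 11, 9, 2), "alex.r", "password"),
    (datetime(2023, 8, 11, 9, 5), "alex.r", "okta_mfa"),
    (datetime(2023, 8, 11, 9, 6), "alex.r", "ms_mfa"),
    (datetime(2023, 8, 11, 15, 40), "sam.t", "password"),
    (datetime(2023, 8, 11, 15, 44), "sam.t", "okta_mfa"),
    (datetime(2023, 8, 11, 15, 45), "sam.t", "ms_mfa"),
    (datetime(2023, 8, 12, 10, 0), "jo.m", "password"),  # ordinary reset, not flagged
]


if __name__ == "__main__":
    # The call as it played out: no MyID, no manager name, just "I need a password".
    print(verify_and_reset(ResetRequest("alex.r", "password", used_myid=False)))
    # The call as the procedure requires it.
    print(verify_and_reset(ResetRequest("sam.t", "okta_mfa", used_myid=False,
                                        stated_manager="Priya Nair", stated_username="sam.t")))
    for hit in find_reset_clusters(TICKET_LOG):
        print("reset cluster:", hit)
```

Manager name and username are directory facts that a caller who already holds one set of credentials can look up, which is the weakness of the fallback path and the reason the second call in the story succeeded so easily; the notification step and the audit-side cluster check are what give the real employee, the manager and the security team a chance to notice before the second account is used.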

Instead, says Clorox, this happened on August 11, 2023:

Cybercriminal: I don’t have a password, so I can’t connect.
Cognizant Agent: Oh, ok. Ok. So let me provide the password to you ok?
Cybercriminal: Alright. Yep. Yeah, what’s the password?
Cognizant Agent: Just a minute. So it starts with the word “Welcome”…

When this worked, and the caller had a working password, he moved on to asking about an MFA reset:

Cybercriminal: My Microsoft MFA isn’t working.
Cognizant Agent: Oh, ok…
Cybercriminal: Can you reset my MFA? It’s on my old phone … [inaudible] old phone.
Cognizant Agent: [Following a brief hold]. So thanks for being on hold, Alex. So multifactor authentication reset has been done now. Ok. So can you check if you’re able to login …
Cybercriminal: Alright. It let me sign in now. Thank you.

After adopting the ID of a second Clorox user in IT security and calling back later that same day, the hacker tried all the same tricks again. And they worked, even across multiple Cognizant agents.

Cognizant Agent: How can I help you today?
Cybercriminal: Um my password on Okta was not working …
Cognizant Agent: I’m going to have your password reset from my end right away. Ok. And we’ll see how it’s going to work. Ok. [Following a brief hold] Thank you … I’m extremely sorry for the long hold. So … password is going to be Clorox@123.
Cybercriminal: What’s that?
Cognizant Agent: Yeah it was Clorox@123…Ok.
Cybercriminal: Yep.
Cognizant Agent: Want me to wait over the phone while you are trying it?
Cybercriminal: Yes, yes, please.
Cognizant Agent: Sure … sure.

[…]

Source: After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords – Ars Technica

WeTransfer faces open source competition by Sendox after controversy over terms of service

The collective The New Digital announces the public beta of Sendox: an open source file sharing platform that puts privacy and digital sovereignty at its core. Sendox has been developed as a transparent and independent alternative to services like WeTransfer.

“We believe that digital freedom and autonomy are not luxuries, but fundamental rights,” said Frank Zijlstra, the initiator of The New Digital. “Sendox is a first, tangible building block in an open and sovereign digital ecosystem.”

Sendox is the first project from The New Digital, a collaboration of Dutch digital agencies, developers, and designers committed to an independent digital ecosystem. The collective aims to develop tools, infrastructure, and standards that are free from Big Tech influence, open, verifiable, collaboratively built, and that respect the digital autonomy of citizens and organisations.

Sendox is currently available as an open beta. This means the platform is still very much in development, and users are explicitly invited to test the system. Errors, bugs, or shortcomings can easily be reported, so the platform can be further optimized with the help of the community. Every user helps make Sendox more robust, user-friendly, and secure.

The public beta comes in the wake of the uproar over WeTransfer’s terms of service. Essentially, it means that people who send files via WeTransfer relinquish their rights. This allows the company to use the data – including the files sent – for purposes such as training artificial intelligence (AI).

After angry reactions from privacy organizations and users, this last point was scrapped, but according to experts, that does not change the situation. Some believe this could be the final blow for the digital transfer service that enjoyed trust for many years.

Source: WeTransfer faces open source competition after controversy over terms of service – TechCentral.ie