#security

FreeBSD Foundation

@[email protected]

FreeBSD 14.2 is here! New ZFS, Firecracker VMM, AIM for UDP, rtw89(4) driver, & AddressSanitizer. Explore performance & security updates! 🔗buff.ly/4f5bZG5

Seth Michael Larson

@[email protected]

I've noticed a concerning trend of "slop security reports" being sent to open source projects. Here are thoughts about what platforms, reporters, and maintainers can do to push back:

sethmlarson.dev/slop-security-

Veronica Olsen 🏳️‍🌈🇳🇴🌻

@[email protected]

Someone told me yesterday of a minutes app for meetings they'd found. Knowing how these apps work, I checked the security policy. I got my fears confirmed. It collects data and shares it with 8 third parties, including use for ads & analysis.

I showed her this, and said she should probably get consent from others when using the app. Today she told me she'd uninstalled it and thanked me for the warning!

We can't expect people to figure this out. We need better regulation.

Tuta

@[email protected]

At Tuta, we believe that best security must be free for everyone.

We are happy to announce that in December all existing Tuta accounts will be upgraded to quantum-safe encryption! 🥳🎉

With TutaCrypt your data is safe - now and in the future. ⚛️ 🔒

Learn more about this quantum leap in : tuta.com/blog/post-quantum-cry

Crypto lock of Tuta
heise Security

@[email protected]

Helldown ransomware: break-in through security vulnerability in Zyxel firewalls

IT researchers are observing that the Helldown ransomware strikes after breaking into networks through security vulnerabilities in Zyxel firewalls.

heise.de/news/Helldown-Ransomw

heise Security

@[email protected]

WordPress plug-in Anti-Spam by Cleantalk endangers 200,000 sites

The WordPress plug-in Anti-Spam by Cleantalk contains two security vulnerabilities at once, through which unauthenticated attackers can compromise instances.

heise.de/news/Wordpress-Plug-i

Mike Fiedler, Code Gardener

@[email protected]

I wrote a report on a recent package uploaded to over here: blog.pypi.org/posts/2024-11-25

🄷e⃞i⃞t⃞e⃞c⃞ Ⓜ️

@[email protected]

Signal Is Now a Great Encrypted Alternative to Zoom and Google Meet
And Signal app is FREE 😁

lifehacker.com/tech/signal-is-

yossarian (1.3.6.1.4.1.55738)

@[email protected]

PyPI's support for PEP 740 now includes GitLab, extending support beyond the initial scope (which was GitHub). That means that, if you're a GitLab CI/CD user, you can now upload attestations to PyPI and the index will verify and re-serve them!

docs here: docs.pypi.org/attestations/pro

screencap of https://docs.pypi.org/attestations/producing-attestations/#gitlab-cicd
Hazelnoot

@[email protected]

Urgent Warning for Fedi Admins

We've discovered an ongoing Denial-of-Service attack against Misskey-based instances. The attacks exploit a zero-day vulnerability impacting Misskey, Sharkey, IceShrimp, and other related software. Patches are in progress and will be released ASAP. We encourage all admins to update immediately!

Note: this is a different vulnerability from the ones that were recently announced! You should update today and again tomorrow at the scheduled time.

Update: Sharkey version 2024.9.2 has been released with a patch. You can get the update here:
https://activitypub.software/TransFem-org/Sharkey/-/releases/2024.9.2

Joel "Allegedly Human" Goguen

@[email protected]

Have you ever thought about how awesome it would be to work with me? My team is looking for a Senior with good sense!

The SRE job description is mongodb.com/careers/jobs/63618, either anywhere in North America or hybrid/in-office. No formal experience required, good sense is perfectly fine; this is first and foremost an SRE role with security as a focus.

Apply even if you don't meet all requirements! You don't need to be perfect!

Frankie ✅

@[email protected]

Let's Encrypt is 10 years old today!
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Huge thanks to everyone involved in making HTTPS available to everyone for free.

letsencrypt.org/

Senioradmin

@[email protected]

Oh, this is provocative: this blog article says:

- Don't use /
- Don't use + OMEMO
- Don't use (in the sense of: don't rely on the encryption)
- Encrypting e-mails is pointless

I don't know the author and wouldn't mention him if the article weren't being cited in serious ITSec newsletters

soatok.blog/2024/11/15/what-to

Opinions?

yossarian (1.3.6.1.4.1.55738)

@[email protected]

Security means securing people where they are

blog.yossarian.net/2024/11/18/

Mark

@[email protected]

US senators urge investigation into Musk

Senators argued ’s involvement in programs should be reviewed for potential debarment & exclusion due to the alleged contacts. Debarment would bar him from certain contracts and privileges.

Relationships between well-known US & Musk, beneficiary of billions in US govt funding, is serious risk regarding ’s reliability as contractor & holder

kyivindependent.com/democratic

Benjamin Carr, Ph.D. 👨🏻‍💻🧬

@[email protected]

Le Monde used to track the movements of world leaders. They don’t use tracking devices, but their do.
: lemonde.fr/en/france/article/2
and : lemonde.fr/en/united-states/ar
: lemonde.fr/en/international/ar

Nix Kelley

@[email protected] · Reply to Nix Kelley's post

tip:

unless you know your chats or audio/video calls are secure, DON'T say anything that you wouldn't say around an unsafe person.

does this restrict your speech? yes it fucking does. but only in certain spaces.

be the annoying person who suggests over and over again to set up a secure group chat with your fellow community members. almost every service is free to use.

remember that is not secure comms. remember that chats, and activity there, is not secure comms. remember that anything owned by Meta is not secure comms no matter what the company says.

be too careful. it's better to be too careful than careless for a moment.

Agnieszka R. Turczyńska

@[email protected]

Is there any European body giving recommendations/requirements about IT security, similar to NIST? In particular, I'm looking for an organisation giving recommendations for password-related policies. Preferably a widely scoped one, but if there is anything reasonable in a particular industry, I'd be glad to know it as well.

Asta [AMP]

@[email protected]

Hey everyone! A couple good things to remember:

Signal is your friend!
https://signal.org/
Be careful about what you post on corporate and federated social media. You don't need to self-censor, but you should take extra spicy discussions to something like Signal!

(people: please feel free to add hot tips for helping people keep things private!)

EDIT: It's definitely worth pointing out what I mean about "spicy". Expressing frustration in a way that could easily be misinterpreted by law enforcement? That's spicy! Planning a safe, legal protest? I'd argue that's spicy! That's the sort of thing I mean by this. No encryption or software is perfect; consider the level of risk when utilizing the tools.

But broadcasting stuff on social media can carry a lot of risk, so just... you know.

Olly 👾

@[email protected]

Apple creates Private Cloud Compute VM to let Researchers find Bugs. :apple_inc:

The company also seeks to improve the system's security and has expanded its security bounty program to include rewards of up to [$1 Million] for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC”.

security.apple.com/blog/pcc-se

Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture.

The company also makes available the Private Cloud Compute Security Guide, which explains the architecture and technical details of the components and the way they work.

<https://security.apple.com/documentation/private-cloud-compute>
[ImageSource: Apple]

Interacting with the Private Cloud Compute client from the Virtual Research Environment.

Apple provides a Virtual Research Environment (VRE), which replicates locally the cloud intelligence system and allows inspecting it as well as testing its security and hunting for issues.

“The VRE runs the PCC node software in a virtual machine with only minor modifications. Userspace software runs identically to the PCC node, with the boot process and kernel adapted for virtualization,” Apple explains, sharing documentation on how to set up the Virtual Research Environment on your device.

VRE is present on macOS Sequoia 15.1 Developer Preview and it needs a device with Apple silicon and at least 16GB of unified memory.

<https://security.apple.com/documentation/private-cloud-compute/vresetup>
heise Security

@[email protected]

Change Healthcare: largest data breach in US healthcare

After a cyberattack on Change Healthcare at the beginning of the year, there is now certainty. Health data of almost a third of the US population was leaked.

heise.de/news/Change-Healthcar

Jonathan Lamothe

@[email protected]

Just got a notification from F-Droid that my browser ( ) has known issues. Looks like I'm in the market for a new browser on my mobile devices.

I know I'm gonna hate asking this, but what browser sucks the least on these days?

João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@[email protected]

"Russia’s Central Bank raised its key from 19% to a historic 21% on Friday"

"seasonally adjusted price growth last month rose to 9.8% year-on-year from 7.5% in August. Core increased to 9.1% from 7.7% over the same period."

"russia has faced volatile prices since it sent troops into in February 2022"

" is set to spend almost 9% of its GDP on and this year"

themoscowtimes.com/2024/10/25/

Pedro Piñera

@[email protected]

There should be a SOC 2 version for companies that are just getting started. The amount of work required to be compliant can kill companies…

XenoPhage :verified:

@[email protected]

BSides Delaware parking and hotel information is up on the website now! bsidesdelaware.com/2024-venue/

If you don't have your tickets yet, WHAT ARE YOU WAITING FOR! Come join us!

eventbrite.com/e/security-bsid

AND SPEAK! CFP is open and waiting for your amazing submissions!

bit.ly/BDECFP24

Membook

@[email protected]

A two-panel illustration. The first panel shows a hand applying the sticker, obscuring the camera with the caption "YES,". The second panel depicts a smartphone screen with a front camera in the notch, labeled "BUT".
xoron :verified:

@[email protected]

Decentralized Encrypted P2P Chat

Blog: positive-intentions.com/blog/i

GitHub: github.com/positive-intentions

Demo: chat.positive-intentions.com

Follow for more!

positive-intentions
Jeremiah Lee

@[email protected]

Grant Negotiation and Authorization Protocol (GNAP), the successor to OAuth 2, became RFC 9635 yesterday!

GNAP is easier to use than OAuth 2.0, with best practices as defaults and clearly articulated use cases.

rfc-editor.org/rfc/rfc9635

Sascha Wübbena :mastodon:

@[email protected]

Important side note:

Anyone who distributes the Wi-Fi credentials to iPhones, iPads and Macs via so that only company devices can join the network should ABSOLUTELY hide the app.

Otherwise it would be possible to display the login QR code under the "Wi-Fi" section, which then makes it child's play to get private devices onto the network as well.

The better option is to allow access to the only by means of a certificate.

Quad9DNS

@[email protected]

We're excited to announce the receipt of critical funding from @craignewmark Philanthropies to continue and further our work on improving the and stability of the Internet through our services, as part of CNP's commitment to .

quad9.net/news/press/quad9-rec

nixCraft 🐧

@[email protected]

There is no such thing as a backdoor for good guys. Once you place a backdoor, you compromise the safety and privacy of all your users. A third party or bad guys will get access to it and abuse it further. The concept of a "backdoor for good guys" is fundamentally flawed and dangerous. It sets a dangerous precedent. Security and privacy should be absolute. There's no safe way to create a backdoor that can't be exploited by malicious actors.

Carey Parker

@[email protected]

My 400TH is only 5 weeks away! For 7.5 years, I've helped my audience improve their & . And damn it, that's worth celebrating! 🥂🐉🔥

Wanna help? Post a link to a fav episode & tag it !

Stay tuned for more...

💯 💯 💯 💯

podcast.firewallsdontstopdrago

Thomas Broyer

@[email protected] · Reply to Thomas Broyer's post

And another one published simultaneously: Why are JWT?

about why you don't actually want to add them to your application, and certainly not as a kind of session token

blog.ltgt.net/jwt/

Thomas Broyer

@[email protected]

New blog post: Beyond the login page

about why authentication is much more than just a login page and password storage and verification

blog.ltgt.net/beyond-the-login

Harris Lapiroff 🔥

@[email protected]

Fresh !

Hi, I'm Harris.

Professionally I work for Freedom of the Press Foundation (freedom.press/) managing our web team and @dangerzone. I'm a web developer learning to put my skills to good use.

My posts are likely to be about and, lately, some self-conscious epistemic trespassing.

I also do a lot of social dance and making—maybe I'll try posting about those a bit more often!

Me holding a red margarita.
Me dancing with a partner in a wooden outdoor pavilion.
Portrait of me leaning on a railing on a rooftop. I'm a mixed Asian-Caucasian man with wire rimmed round glasses and long black hair in my thirties. I'm wearing a white shirt with botanical flower print.
Mike Kuketz 🛡

@[email protected]

Fennec and Mull are particularly interesting for privacy-conscious users, but because of the delayed updates they are not suitable for everyone. Part 5 of the article series "Secure and privacy-friendly browsers". 👇

kuketz-blog.de/fennec-und-mull

Mad A. Argon :qurio:

@[email protected]

How I see attempts to force in E2E ...

Comic with title "Government's fight against encryption".
First picture: Nerdy-looking man with beard holds balloon. Other man has a needle and says: "I want a small hole in this so I could use it if I would need to." Man with beard replies: "But it's impossible! Or you would destroy everything..."
Second picture: Closer view, head, shoulders and arm of bearded man with balloon. Only hands of man with needle are visible, needle is close to balloon. Man with needle says: "I said only small hole. Nobody else would know about this." Bearded man replies: "It doesn't work... THIS WAY!". His last two words are on third picture, with close view of balloon and hand touching its surface with needle.
On last, fourth picture there is orange-yellow explosion with big text "BOOM!".
pasta la vida

@[email protected]

hold up. I just remembered something.

a phone (android or iOS, I forget) said "you can set the phone to [technician-safe] mode while [repair guy] fixes it"

I mean I expect the SSDs of my devices to /always/ have that same evil maid data protection at all times?*

like what exactly does that add?

*as distinct from tampering from the device itself. e.g., not full evil maid, more like "read the C:/ drive without authentication". as in, "wait it would let you read it without auth while the SSD is offline before?"

I mean maybe the NVMe has like, a cached drive key, that you could get from specialized hardware / jtags, and this tells the device "hey, forget the drive key"

but also... shouldn't it do that anytime the device powers off? (and restore SSD access via TPM? or via password and small bootloader?)

Berkubernetus

@[email protected]

Red Hat Open Source Practice Office () is hiring not one, not two, but three new staff! If you're into working 100% on community , one of these jobs may be for you.

All positions are attached to either the Ireland or Czech office.

Security Community Architect: work in our Verticals Team identifying, boosting, and participating in communities: redhat.wd5.myworkdayjobs.com/e

(1/2)

MadeInDex

@[email protected]

@torproject & @tails are going to strengthen their collaboration by merging¹! 👍

has also released a new alpha

✔ It seems this does not address any of the potential issues, recently suspected after claims to have used to unmask Tor users.

✔ Potential solutions: timing delays, cover traffic...

¹blog.torproject.org/tor-tails-
²blog.torproject.org/tor-is-sti

Nonilex

@[email protected]

MVP speaking soon in , about building an that will work for all Americans.

for & Gov to protect our fundamental freedoms & defeat & the this .

youtube.com/watch?v=XokApnr_Ca

Dr. John Barentine FRAS

@[email protected]

"The team used a DJI Phantom 4 Pro drone as a stand-in for such an aircraft for an experiment. Using a ground-based radar system, the team spotted the tiny drone thanks to the radiation emitted by a Starlink , which was flying over the Philippines at the time."

futurism.com/the-byte/chinese-

Curtis "Ovid" Poe (he/him)

@[email protected]

Have you ever heard of SS7? It's the backbone of most of our phone system and it's extremely insecure. Here's Veritasium exposing how easy it is to intercept your calls and texts without your knowledge.

youtube.com/watch?v=wVyu7NB7W6

Alex Shoup

@[email protected]

I guess I should probably do an

- IT professional
- born and raised
- Lifelong fan of football.
- Advocate of , , and .
- user (btw, I use )
- Building experience with my

Chris Alemany🇺🇦🇨🇦🇪🇸

@[email protected]

Any security/privacy experts have any thoughts about Apple’s Private Relay service through their iCloud+ subscription?
Good?
Bad?
Irrelevant?
I won’t be getting rid of my iCloud account anytime soon, so unless there is some other compelling reason not to, it seems worth using it.
Edit: Ironically, I couldn’t send this post from my local server because, I think, of my local DNS so… Private Relay off now. 😆

A white text on black screenshot of the iCloud Private Relay description says:
“iCloud Private Relay
Private Relay is an innovative Internet privacy service built directly into iCloud that lets you connect to the internet and browse the web in a more secure and private way.
Normally, when you browse the web, your local network can use your DNS records to see the names of the websites you're visiting. In addition, the websites you visit may collect your IP address, which allows them to determine your identity and approximate location without your explicit permission. All of this information can be aggregated over time into a detailed profile about you that may be used for targeted advertising and other purposes.
To help solve this problem, Private Relay protects users' web browsing in Safari, DNS resolution queries, and insecure http app traffic. It routes the traffic through two separate internet relays that hide your IP address and encrypt your web traffic such that no single party—including Apple—can see both who you are and what sites you're visiting.
Private Relay is available to all iCloud+ subscribers. You can turn it on or off any time from your iCloud settings.”
Max "Sweaty Sunsets of September" Eddy

@[email protected]

I never did an !

Hi, I'm Max. I live in and do at PCMag where I cover , , and . I also write reviews of and professionally complain about . I'm the Unit Chair of the ZDCG and moonlight as a organizer. If you want to learn about how to unionize your workplace, plz DM me. I play badly and think about literature. I'm spending too much money on .

Mysk🇨🇦🇩🇪

@[email protected]

🚨🎬 🧵 1/4
Here is what happens when you insert an unlocked SIM card into a locked iPhone:
- The accepts the SIM card and connects to the internet 😳
- Apple immediately adds the phone number of the SIM card to the Apple ID of the iPhone owner 😲
- accepts the new phone number as a username to sign in with the Apple ID of the iPhone owner 😱
- iOS activates the new phone number for iMessage 🤯

The video:

youtu.be/ln-8KnwtdSw

Mysk🇨🇦🇩🇪

@[email protected]

🚨🎬 Privacy Concerns about Apple Push Notifications

TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.

Watch this video to see it in action:
youtu.be/4ZPTjGG9t7s

🧵 1/9

João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@[email protected]

Bilateral agreements signed with 🇺🇦

1️⃣ 12/1🇬🇧
2️⃣ 16/2🇩🇪
3️⃣ 16/2🇫🇷
4️⃣ 23/2🇩🇰
5️⃣ 24/2🇨🇦
6️⃣ 24/2🇮🇹
7️⃣ 02/3🇳🇱
8️⃣ 03/3🇫🇮
9️⃣ 11/4🇱🇻
1️⃣0️⃣ 28/5🇪🇸
1️⃣1️⃣ 28/5🇧🇪
1️⃣2️⃣ 28/5🇵🇹
1️⃣3️⃣ 31/5🇸🇪
1️⃣4️⃣ 31/5🇳🇴
1️⃣5️⃣ 31/5🇮🇸
1️⃣6️⃣ 13/6🇺🇸
1️⃣7️⃣ 13/6🇯🇵
1️⃣8️⃣ 27/6🇪🇪
1️⃣9️⃣ 27/6🇱🇹
2️⃣0️⃣ 27/6🇪🇺
2️⃣1️⃣ 08/7🇵🇱
2️⃣2️⃣ 10/7🇱🇺
2️⃣3️⃣ 11/7🇷🇴
2️⃣4️⃣ 18/7🇨🇿
2️⃣5️⃣ 18/7🇸🇮
2️⃣6️⃣ 04/9🇮🇪
2️⃣7️⃣ 11/9🇱🇹

@[email protected]

@[email protected]

Here's my :
I live in The Netherlands, Europe. I work as a self-employed tech consultant & software developer. I like to tinker & have way too many interests :)

Likely to toot about:
,

h o ʍ l e t t

@[email protected]

's reCAPTCHA v2 just labor , boffins say
theregister.com/2024/07/24/goo

“The conclusion can be extended that the true purpose of v2 is a image-labeling and farm for advertising and masquerading as a service”

Reclaim Your Tech

@[email protected]

(1/2)
Announcing the launch of a new blog, Reclaim Your Tech (reclaimyour.tech).

This blog was founded on the premise that digital infrastructure should be owned by individuals, their families, and their communities. Being user first, it will provide technical guides, open-source tools, software recommendations, essays, and discussion.

Lukasz Olejnik

@[email protected]

My book “PROPAGANDA: from disinformation and influence to operations and information warfare” treats the subject adequately, comprehensively, broadly, expertly. How does information influence work? Offence & defence. Expert arrangement of the subject.
blog.lukaszolejnik.com/propaga

Jef Kazimer😶‍🌫️

@[email protected]

With the ever increasing attacks on users, moving to is a must in order to reduce the attack surface of just relying on a password to secure access to resources. Implementing that is enforced all the time relies on also having a good user experience, which gave rise to mobile authenticator apps since many users always have their phones with them. However it also gave rise to and griefing to get those users to approve. With the recent GA of orgs can enable number match and context for the push notification to further improve the of the users by avoiding the blind approval of a push notification.

🔥 See the post on the AzureAD blog here and go enable these settings for your organization techcommunity.microsoft.com/t5

heise online

@[email protected]

Fact check: Telegram is less private than other messengers

The assumption that Telegram is particularly secure seems to persist stubbornly. The fact is: when it comes to encryption, Telegram is inferior to the competition.

heise.de/hintergrund/Faktenche

Nonilex

@[email protected] · Reply to Nonilex's post

Pummel out of the sky? Impossible; as David Burbach, affairs prof at the Naval War College,…[said], “Nobody has enough anti-satellite weapons to come anywhere near shooting that down.”

& Starlink, which currently operates in 75 countries, is only getting bigger. A new batch of went up today. has already received approval from regulators [🤬] to launch thousands more,

Nonilex

@[email protected] · Reply to Nonilex's post

The fiasco may have led to backing down, but it has also revealed just how easily he can serve users whatever HE may want. ’s fame, the omnipresence of his many businesses, & his growing attention to does not automatically translate to expertise [ya think? He’s a fanboy FFS]. But what could Brazil—or any nation—really do to curb his control?

Nonilex

@[email protected] · Reply to Nonilex's post

Since took over , he has made it a cozy home for provocateurs, reinstated the accounts of previously banned bad actors, promoted , & made the website worse at separating fact from fiction. And yet, believes that is the “number 1 source of news in the world.” [🤦🏼‍♀️] For a part of the world that relies on , Musk could, if he wanted, make it the ONLY source.[😱]

Nonilex

@[email protected] · Reply to Nonilex's post

Other companies are working on their own constellations, incl’g , but they’re lagging far behind—& none of their leaders owns prominent companies, where they can [personally] govern the flow of .

Compared w/ , the world’s town square, as calls , is a cauldron of , especially for users.

Nonilex

@[email protected] · Reply to Nonilex's post

At the time of this writing—& that’s important to note, because launches a fresh batch nearly every week—more than 6k operational are circling Earth, accounting for >½ of all functioning satellites in orbit.

Starlink has grown so large in part because SpaceX is simply the most prolific company in the world.

Nonilex

@[email protected] · Reply to Nonilex's post

The deal resembled agreements between & other world powers for , but as far as we know, the , where is registered, did not send to the to broker it. He flew over on his private jet.

is what’s known in the business as a .

Nonilex

@[email protected] · Reply to Nonilex's post

toured a kibbutz that had attacked, dressed in a suit instead of his trademark occupy mars T-shirt, & offered ’s services to the Israeli govt. has imposed blackouts & destroyed in …. This summer, after lengthy negotiations, Israeli authorities allowed to activate in one hospital in Gaza, w/more service on the way.

Nonilex

@[email protected] · Reply to Nonilex's post

As one undersecretary told @NewYorker’s Ronan Farrow, “Even though is not technically a diplomat or statesman, I felt it was important to treat him as such, given the he had on this issue.”

Last year, when ’s PM Benjamin hosted for a visit, the billionaire looked—& [cos]played—the part of a world leader traveling to a war zone.

Nonilex

@[email protected] · Reply to Nonilex's post

Soon, found himself w/ immense decision-making , as authorities pleaded w/him to activate over a port city in , apparently so that they could conduct a surprise drone attack on ’s fleet anchored there. By the end of the war’s first year, when no longer wanted to foot the bill for Starlink ops, the jumped to take over the job before SpaceX could cut off access.

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

dispatched terminals to places reeling from natural disasters, & then to the front lines of war. When invaded in early 2022, it hacked the provider that the Ukrainian military relied on for communications. Ukrainian ofcls appealed to for help, & dispatched truckloads of terminals to the besieged country, for free.

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

Not only can now determine who gains traction on a small but corner of the web; in certain corners of the , he can also determine WHO has to the at all, & WHAT people encounter when they use it.

For a service that took off only about 5 yrs ago, has become impressively ubiquitous, available for use on all 7 continents.

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

This particular feud has crystallized an unsettling truth that is growing more apparent each day: is becoming an god [oh he’s gonna love that 🤢]. -based internet & are a potent combination, & their by a single person is quite unprecedented—& alarming in the same manner as a federal govt restricting online speech via sweeping decree.

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

(& pursue action over assets). But in other ways, the debacle is a microcosm of fraught, ongoing debates over & around the world [& businesses abiding by the laws of the countries in which they operate]

…[’s] actions could be seen as a…corrective to govt overreach. But they seem less magnanimous when you consider that the alternative to govt overreach is…a World Wide Web governed by the whims of the world’s richest man.

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

The fight reached a boil in recent days, when instructed providers in to cut off access to altogether & refused to block the site on until the latter business got its accounts back.

In some ways, this is classic Musk, scuffling w/ govt agencies when he believes they’re infringing on HIS enterprises. “What a scumbag!” Musk posted about de Moraes yesterday, after Starlink reversed course & agreed to block X….

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

, the CEO of , received a medal from the Brazilian govt. But now ’s Brazilian service is tangled in a mess of tensions, , personal , & to revoke the company’s license to operate in the country. And this drama all started because of another business that links strangers around the globe: , née .

Nonilex's avatar
Nonilex

@[email protected]

Has the Off Switch

With both & under his control, the world’s richest man wields unprecedented .

By Marina Koren

Since Starlink first beamed down to Brazil 2yrs ago, hundreds of communities in the Amazon that were previously off the grid found themselves connected to the rest of the world. Here was the purest promise of SpaceX’s —to provide in even the most remote places on Earth—fulfilled.


theatlantic.com/technology/arc

fraggLe!'s avatar
fraggLe!

@[email protected]

as I can tag now.

I'm fwaggle, and have been for ages. If you've been around for 20+ years and you're thinking "hey, I think I know that guy" then you're probably right. If you thought I was a dickhead 20 years ago, you're almost certainly right... I'm trying to do better now though.

I do things for a WordPress host, which is good fun.

nixCraft 🐧's avatar
nixCraft 🐧

@[email protected]

Microsoft has confirmed that Windows 11 users will not be able to uninstall the controversial “Recall” feature, despite earlier reports suggesting otherwise. Recall, part of the Copilot+ suite announced in May, automatically captures screenshots of user activity on the operating system including sensitive information such as passwords or financial data digitalmarketreports.com/news/ Do yourself a favor and get rid of Windows from your life—enough of these greedy companies.

The Matrix.org Foundation's avatar
The Matrix.org Foundation

@[email protected]

Authentication is almost always the most frustrating step of interacting with a service. Matrix is no different, but Quentin is about to dramatically improve the situation.

Get a glimpse of all the goodness awaiting to be unlocked once his project lands!

youtu.be/dmUi4ZoYRWc

A YouTube thumbnail for Matrix Live. There is a dark background. On the top right is written "S09E39". In the center, there is an icon of a lock, between the square brackets of the Matrix logo. On the bottom there is the Matrix Logo, and the title: "Getting authentication out of the way".
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦's avatar
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@[email protected]

We should be arming , not "for as long as it takes", but TO WIN.

Why? Because, to begin with, we are seriously struggling to keep afloat "for as long as it takes" and, in order to defend democracy, we must achieve a resounding Ukrainian .

That's why oligarchs, terrorists, extremists and dictators are ALL so invested in stopping war-time investment in European in the Ukrainian front.

Focus. Act decisively. Act now.



Illustration of a mass of water with the word "Russia" contained by a dam with the word "Ukraine". The dam wall is cracking. Below it, a town with the word "Europe".
PrivacyDigest's avatar
PrivacyDigest

@[email protected]

Legislature Approves A.I. Safety Bill

The California bill has spurred a fierce debate over how to regulate the new technology, which both technologists and lay people have hyped for its potential benefits and harms to humanity.

nytimes.com/2024/08/28/technol

GENKI's avatar
GENKI

@[email protected]

Scary, this one. I wonder if :vivaldi_red: is affected too.

news.mynavi.jp/techplus/articl

randomcruft's avatar
randomcruft

@[email protected]

a list of for my

/ ( pays the bills)
/ ( for fun but not profit... learning other )
(it's both awesome and scary)
/ (however, will not turn down )
newbie ( / occupy my time currently)
(, , , , etc. etc.)
projects (if / as needed)

it's difficult writing 😅

Terri K O 🍁's avatar
Terri K O 🍁

@[email protected]

CVE Binary Tool 3.3 is released! (At long last!)

This is my work open source project that lets you scan for known vulnerabilities in your binaries, package lists and SBOMs. It's meant to make it easier (and cheaper!) to make secure open source software.

3.3 has new features from our Google Summer of Code 2023 contributors including EPSS metrics to help users assess risks associated with vulnerabilities, a new GitHub Action to make scanning easier, and a mirror of the NVD data backed by the same servers that do Linux distro mirroring so you don't have to deal with rate limits, downtime, and servers only located in the US.

Release notes: github.com/intel/cve-bin-tool/

And get the code on pypi:
pypi.org/project/cve-bin-tool/

Boosts appreciated!

Socialhome HQ's avatar
Socialhome HQ

@[email protected]

Socialhome v0.19.0 (security release!)

We noticed a similar vulnerability in #Socialhome that had been found in #Mastodon and various other projects, ie https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

This should hopefully now be mitigated and anyone running a #Socialhome instance should update asap.

Other changes:

  • Docker images are now based on Python 3.10
  • The public stream is disabled by default on single user instances (with a configured root profile) for privacy reasons regarding followed content

https://socialhome.network

#security

alltechpacks's avatar
alltechpacks

@[email protected]

       

Terence Eden’s Blog's avatar
Terence Eden’s Blog

@[email protected]

Falsehoods programmers believe about... Biometrics
https://shkspr.mobi/blog/2021/01/falsehoods-programmers-believe-about-biometrics/

(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....)

Everyone has fingerprints!

The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have getting official ID.

In 2010, fingerprints became mandatory for passports and driver's licences. After several attempts, Amal was able to obtain a passport by showing a certificate from a medical board. He has never used it though, partly because he fears the problems he may face at the airport. And though riding a motorbike is essential to his farming work, he has never obtained a driving licence. "I paid the fee, passed the exam, but they did not issue a licence because I couldn't provide fingerprint," he said.

The family with no fingerprints

Even if this genetic issue didn't exist, it should be obvious that not everyone has fingers, or hands. Some people are born without hands, some people lose them later in life.

Policy is about the edge-cases. It's easy to design something which works for the majority of people - the real challenge is how we deal with the fringes.

Everyone has a unique face / unique DNA

Ever heard of twins, dumbass?

OK, it is a little bit more complicated than that.

It is easy to revoke a biometric indicator

Even if you assumed that everyone has ten fingers - that means you can only change your ID 9 times. If you're using iris recognition, that's one change you're permitted before you have to grow new eyeballs.

Biometrics can't be copied

Back in 2002, Tsutomu Matsumoto copied fingerprints using Gummy Bears.

Researchers can consistently fool iris scanners

3D printed facemasks can defeat facial recognition systems.

The thing about biometrics is that they are not secret. You leave your fingerprints everywhere. If a camera can read your face, it can copy your details.

Biometrics can't be changed

Will having a "nose job" stop your iPhone from recognising you? Probably not. But there are a range of surgical procedures which can be done.

People who have Facial Feminisation Surgery can be given a letter from a doctor to explain to border guards why a person's face may no longer match their biometrics.

Just remembered last night's dream about trying to go back to the UK but getting refused entry as my facial biometrics no longer matched. Thanks, brain.

I bet the clinic would have warned you.

Oh they did. I have a formal letter stating that I might not pass biometrics anymore. 😂

What are they good for?

Biometrics are not passwords. Nor are they a universal 2nd factor. Biometrics are, at best, usernames.

For the average user, it's probably fine to use your fingerprint or face to unlock your phone. If you think an enemy state is going to devote considerable resources to steal copies of your biometrics, consider changing to a different password mechanism.

Or, if you have kids.

Friend's 5-year old daughter started unlocking his phone with his fingerprint while he's asleep so that she can play games.

He now sleeps with gloves on. #lifeisblackmirror


Or if you're cheating on your spouse.

A Qatar Airways pilot was forced to make an emergency landing after a passenger found out her husband was cheating on her and had a violent reaction in midair. The woman reportedly used her sleeping husband's finger to unlock his phone and discovered his cheating ways.

Eyewitness News

In a safe-ish environment, biometrics are a good convenience mechanism. If your phone is snatched by an opportunistic thief, they're unlikely to have the means to spoof your ID.

But they are not a perfect security measure.

https://shkspr.mobi/blog/2021/01/falsehoods-programmers-believe-about-biometrics/

masukomi's avatar
masukomi

@[email protected]

screenshot from Kalium! on twitter in 2021:

remember to regularly change your pronouns for security reasons.

keep pronouns safe with GNU Pronoun Guard an open source replacement for Symntec's Pretty Good Pronouns.

reply from "The competence tank is empty":

Similarly, your gender should contain at least one digit and a special character.
heise Security's avatar
heise Security

@[email protected]

No patch yet: security researcher strips Windows of all its protections

Given the right preconditions, attackers can manipulate Windows Update to replace arbitrary Windows components with outdated, vulnerable predecessors.

heise.de/news/Noch-kein-Patch-

Paula Gentle on Friendica's avatar
Paula Gentle on Friendica

@[email protected]

"75 percent of the site's servers were vulnerable to cyberattacks. [...]

The servers' data remained unprotected for four years, the Guardian reports, citing the NDA."


Nuclear power: Sellafield admits massive cybersecurity failings

Purism's avatar
Purism

@[email protected]

Hardware kill switches: Empowering users in the digital age. Our latest blog explores how physical control over your device builds trust, respects autonomy, and offers unparalleled protection. Discover how Purism is putting privacy at the forefront of mobile tech.
puri.sm/posts/the-evolution-of

Marcus "MajorLinux" Summers's avatar
Marcus "MajorLinux" Summers

@[email protected]

Hackers are finding more ways to commit supply chain attacks.

Mac and Windows users infected by software updates delivered over hacked ISP

arstechnica.com/security/2024/

Aaron Rainbolt's avatar
Aaron Rainbolt

@[email protected]

Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. github.com/ventoy/Ventoy/issue

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of youtube.com/watch?v=QiSXClZauX

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

h3artbl33d :openbsd: :ve:'s avatar
h3artbl33d :openbsd: :ve:

@[email protected]

Exquisite supports DANE, even while not every browser supports it. The 3-1-2 hash (domain issued certificate, SPKI, SHA-512) is:

6a9976657f0e85aa59e2954db3bd342c04f5e33ea166a70147fd6bb54bbafe23c11be8db582671e4d169be794ff2174ee99227e78ccd3961c84b53e20dad13b0

This goes for 443/tcp.
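What the post calls the "3-1-2 hash" is the TLSA certificate association data for usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo) and matching type 2 (SHA-512): the SHA-512 of the DER-encoded SPKI, not of the whole certificate. The following is an added example, not code from the poster or from any DANE tool, that extracts the SPKI from a DER certificate with a small DER walker, computes that hash, and compares it with a record's RDATA. The certificate used here is a constructed, zero-filled placeholder so the block runs offline; the zone name `example.org.` is likewise an assumption. The `der_from_pem` helper is the hook for a real certificate.

```python
import hashlib
import hmac
import ssl


def der_read(buf: bytes, pos: int = 0):
    """Read one DER TLV at pos; return (tag, content, end). Single-byte tags
    only, which covers every element of an X.509 certificate."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content: bytes):
    """Split a constructed element's content into (tag, whole-TLV-bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo, which is what a selector-1
    TLSA record is computed over (RFC 6698)."""
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_read(cert_body)          # first child: tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:                # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def tlsa_312(cert_der: bytes) -> str:
    """Association data for usage 3, selector 1, matching type 2."""
    return sha512_hex(extract_spki(cert_der))


def tlsa_record(cert_der: bytes, name: str, port: int = 443, proto: str = "tcp") -> str:
    return f"_{port}._{proto}.{name} IN TLSA 3 1 2 {tlsa_312(cert_der)}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Compare a certificate against the RDATA of a '3 1 2 <hex>' TLSA record."""
    usage, selector, mtype, data = rdata.split(None, 3)
    if (usage, selector, mtype) != ("3", "1", "2"):
        raise ValueError("only 3 1 2 records are handled here")
    return hmac.compare_digest(tlsa_312(cert_der), data.replace(" ", "").lower())


def der_from_pem(pem_text: str) -> bytes:
    """PEM (e.g. from ssl.get_server_certificate) to DER, via the stdlib."""
    return ssl.PEM_cert_to_DER_cert(pem_text)


# --- constructed placeholder certificate so the example runs offline ---------
def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# id-ecPublicKey / prime256v1 AlgorithmIdentifier with a zeroed (invalid) point:
# only the encoding shape matters for the hashing demonstration.
SAMPLE_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))
             + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    + _tlv(0x03, b"\x00\x04" + bytes(64)))

SAMPLE_CERT = _tlv(0x30,
    _tlv(0x30,
        _tlv(0xA0, _tlv(0x02, b"\x02"))      # version v3
        + _tlv(0x02, b"\x01")                # serialNumber
        + _tlv(0x30, b"")                    # signature (empty placeholder)
        + _tlv(0x30, b"")                    # issuer
        + _tlv(0x30, b"")                    # validity
        + _tlv(0x30, b"")                    # subject
        + SAMPLE_SPKI)                       # subjectPublicKeyInfo
    + _tlv(0x30, b"")                        # signatureAlgorithm
    + _tlv(0x03, b"\x00"))                   # signatureValue
```

Against a live host you would pass `der_from_pem(ssl.get_server_certificate((host, 443)))` to `tlsa_matches` together with the RDATA from `dig TLSA _443._tcp.<host>`; `openssl s_client -dane_tlsa_domain <host> -dane_tlsa_rrdata "3 1 2 <hex>"` performs the same check inside the TLS handshake. A selector-1 record keeps matching across certificate renewals as long as the key pair is reused, which is the usual reason to publish 3 1 x rather than 3 0 x.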

heise online's avatar
heise online

@[email protected]

Minister Wissing: IT failures will increase

CrowdStrike showed how vulnerable global interconnection can make us. The digital minister sees Germany as well prepared, also for other scenarios.

heise.de/news/Minister-Wissing

Nonilex's avatar
Nonilex

@[email protected] · Reply to Nonilex's post

Thursday’s prisoner swap, which saw American & a consultant, & a group of some of ’s most prominent & , exchanged for a Russian group including a state , & , was the biggest & most complex switch since the Cold War.

It took place at a time of , w/ between the & Russia as bad as they have ever been.

Graphic details the complexity of Thursday’s swap
EINGFOAN  :donor:'s avatar
EINGFOAN :donor:

@[email protected]

I started to try a with all mainstream .

Here Is the comparison:

docs.google.com/spreadsheets/d

it is really hard to compare since vendors are super unstructured

please for more reach

contributors welcome

docs.google.com/spreadsheets/d

EINGFOAN  :donor:'s avatar
EINGFOAN :donor:

@[email protected]

strength for

Original source:

linkedin.com/feed/update/urn:l

Eleanor Saitta's avatar
Eleanor Saitta

@[email protected]

A few :

I run Systems Structure Ltd., a US consultancy that provides fractional CISO services for pre-A to post-C round , along with training and reviews.

I've been working in since 2003 and did a spell in NGOland from ~2011 to 2016, working with NGOs and news organizations targeted by states and on tools they use, including the messaging app. The field work I did then fundamentally reshaped my approach to security, and I recommend that everyone in the field learn about the reality of being a high-risk user.

I live in the days, although in the before times (and hopefully soon again) I spent a fair bit of time in and . I run a performance space out of my home, along with my partner, called The Attic (@theatticfi on insta), where we make space for , , , and music, along other things. Before I moved here, I spent six or so years traveling full time.

I have written various essays over the years, which you can see on dymaxion.org, and I'm slowly writing a book. While security pays the bills, I spend a lot of my time thinking about , and in particular how the human and technical bits mesh, how they fail, and how to redesign them to fail better. In practice, this has meant everything from consulting on a constitution to thinking about what comes after the apocalypse. The "recruiting barbarians" in my bio refers to being more comfortable outside of institutions, but I'm starting to think more about community and infrastructure building now that I live somewhere.

I'm also an ; I paint and am slowly learning my way around a , and I've been accused of being an . I'm active in the scene, where we take larp serious as a dramatic form and do everything from a reworking of Hamlet played at the actual Elsinore castle to a larp about the early days of the HIV crisis. I'm primarily a theorist and critic there, as well as player, and I've edited two books and written a number of essays. Nordic larp has the best toolkit I've seen anywhere for analyzing the human parts of complex systems and especially for building new systems; it's heavily influenced my security work, along with my thinking.

Kushal Das :python: :tor: 🇵🇸's avatar
Kushal Das :python: :tor: 🇵🇸

@[email protected]

I wrote about on applications. kushaldas.in/posts/multi-facto

A demo showing that, after username/password login, the page asks for a TOTP token to complete authentication.
Marcos Dione's avatar
Marcos Dione

@[email protected]

Intro:

:sad_face: enthusiast (most of them) (not much of it)

Father of two, make my own maps and computer tools, have my own home server, fix as many things as I can myself, love to drive and travel by car but not for the city, and much more.

Mostly boosts, in several languages, including some I can't speak, write or read.

Solene % bot's avatar
Solene % bot

@[email protected]

Full-featured email server running OpenBSD

dataswamp.org/~solene/2024-07-

gemini://perso.pw/blog/article

@solene

Doyensec's avatar
Doyensec

@[email protected]

We're proud our testing helps ensure the security of Thinkst's OSS Canary Tokens! As part of their transparency efforts, you can read the results of our latest round of testing here:

doyensec.com/resources/Doyense

Doyensec and Thinkst logos with a link to the report
Mike Sheward's avatar
Mike Sheward

@[email protected]

Fediverse Competition time!

I have two signed copies of my book 'Security Operations in Practice', which is all about building effective Security Operations teams, to give away to my Fediverse friends.

To enter - all you have to do is boost this toot before 12pm PT on Thursday July 25th, and I'll randomly select two of the boosters to receive the copies.

You can find out more about this book, and my other releases at infosecdiaries.com. Thanks, and good luck!

Two Copies of the book Security Operations in Practice, by Mike Sheward (@Secureowl)
Kelly Shortridge's avatar
Kelly Shortridge

@[email protected] · Reply to Kelly Shortridge's post

this is why I’ve side eyed any federal document about software , quality, or that demonizes open source software while touting the virtues of commercial cybersecurity products

as if those products aren’t notorious for deep access + flimsy quality…

I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)

1) on OSS security kellyshortridge.com/blog/posts

2) on secure by design kellyshortridge.com/blog/posts

David August's avatar
David August

@[email protected]

Did you know calls for “the entirety of the CISA Advisory Committee should be dismissed on Day One.” (page 155).

If you like being able to use computers (or do anything with organizations that use computers, including have your vote counted in elections) that’s a very bad idea.

vam103's avatar
vam103

@[email protected]

Apparently NS&I (the old UK National Savings, as they put it "the government savings bank") have launched two factor authentication, which is good.

Except, it told me to expect a code, you would think through SMS. But no, it's a phone call. To make matters worse it's from France according to my phone! So of course I thought it had been compromised and wrote to them.

No, apparently they use a French company to do the OTP codes and then mask this with the UK number normally, except when it messes up or I guess your security is so high it does not show it. Actually the reply seemed annoyed that I did not just accept that the UK government bank would use a French company to do their security.

So I do not think much of the "improved security" until I can register a FIDO key or the local code generator, as a call from France seems to have lots of points of failure. (It's not that it's France specifically, just that it is another country.) Also they should mention this on their website! (Unless I missed it).

nsandi.com/get-to-know-us/secu

Techlore's avatar
Techlore

@[email protected]

Welcome to the world of , , and in 2023!📅

This thread covers what we’re doing to spread privacy to the masses ⬇️⬇️

michabbb's avatar
michabbb

@[email protected]

Test your prompting skills to make Gandalf reveal secret information.

Gandalf is an exciting designed to challenge your ability to interact with large language models (LLMs).

gandalf.lakera.ai/intro

Tuta's avatar
Tuta

@[email protected]

What's the main difference between Tuta Mail and Gmail? 😎 PRIVACY 🔐

Get your Tuta Mail account now: app.tuta.com/signup

Table showing different features of Tuta Mail vs Gmail.
openSUSE Linux's avatar
openSUSE Linux

@[email protected]

The Release Candidate 3 of Aeon will include Full Disk to boost data . Get more details! news.opensuse.org/2024/07/12/a

Sarah Jamie Lewis's avatar
Sarah Jamie Lewis

@[email protected]

Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)

We are now in a position to offer subsidized security assessments (and other services) for open source projects.

(In addition to a whole array of analysis, development, and custom research offerings for everyone else)

Announcement (and more info): blodeuweddlabs.com/news/open-s

bane's avatar
bane

@[email protected]

I am working on starting a project under fiscal sponsorship to teach underserved youth cybersecurity and provide them pathways to careers. I have received the application and budget projection template to fill out. I am looking for partnerships and potential donors. I am also looking for anyone who would be willing to join an advisor board. Please share if you think of anyone who would be interested in either!

Matt Burgess's avatar
Matt Burgess

@[email protected]

Hi all, been lurking for a few days but introducing myself now! I'm Matt and a reporter at WIRED. Like many others here, I'm coming to Mastodon after the chaos at the bird site in the last week.

The things I cover on a regular basis are , cybersecurity, , internet freedom, and human rights, and a bunch more things in the wider security realm.

I'm based in —and have lived here for the last decade—so I'm often reporting on issues from across Europe. When not writing words for the web, I'm often found and have been dabbling in the a few times over the last few years (edited to add introduction hashtag)

John Scott-Railton ☕'s avatar
John Scott-Railton ☕

@[email protected]

STAGGERING: Nearly all customers' text & call records breached.

An unnamed entity now has an NSA-level view into Americans' lives.

Damage isn't limited to AT&T customers.

But everyone they interacted with.

Also a huge national security incident given government customers on the network.

And of course, third party makes an appearance.

cnn.com/2024/07/12/business/at

Adam's avatar
Adam

@[email protected]

Little Bits: Issue #14

Uncover the accumulation of little bits I’ve found over the the past month on the topics of design, hardware, open source, privacy, security and more.

adamsdesk.com/posts/little-bit

Dark green background with bright green coloured text of ones and zeros with text that reads, Little Bits issue number 14.
🦋 Ben West -  🐒🌻's avatar
🦋 Ben West - 🐒🌻

@[email protected]

Hackvists release two gigabytes of Heritage Foundation data

"Self-described “gay furry hackers,” SiegedSec said it released the data in response to Heritage Foundation’s Project 2025, a set of proposals that aim to give Donald Trump a set of ready-made policies to implement if he wins this fall’s election. Its authors describe it as an initiative “to lay the groundwork for a White House more friendly to the right.”

The data, reviewed by CyberScoop, includes Heritage Foundation blogs and material related to The Daily Signal, a right-wing media site affiliated with Heritage. The data was created between 2007 and November 2022. 

The group says it gained access to the data on July 2 and released it to provide “transparency to the public regarding who exactly is supporting heritage (sic),” a spokesperson for the group who goes by the online handle “vio” told CyberScoop in an online chat Tuesday."

cyberscoop.com/hackvists-relea

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@[email protected]

We released 0.9.2, 0.10.1, and 0.11.1, which patched the last reported , CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!
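The residual issue the post describes, SSRF via DNS rebinding, arises when a fetcher validates a hostname's address once and then lets the HTTP client resolve the name again: the attacker's zone answers with a public address for the check and a loopback or metadata address for the real connection. The fix is to resolve once, validate every answer, and connect to the validated IP literal while sending the original name in the Host header. The block below is an added Python illustration of that pattern; it is not Fedify's code and makes no claim about how the Fedify fix is implemented. The fake resolvers and the address 93.184.216.34 are constructed stand-ins so the example runs offline. For https the TLS layer must still be handed the original hostname for SNI and certificate verification, which `http.client` and `requests` do not do automatically when given an IP literal; that wiring is left out here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# 100.64.0.0/10 (carrier-grade NAT) is not flagged as private by every Python
# version, so it is listed explicitly.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(ip_text: str) -> bool:
    """True only for addresses an outbound fetcher should be allowed to reach."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped             # ::ffff:127.0.0.1 is still loopback
    if ip.version == 4 and ip in CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str):
    """Every A/AAAA answer for host, as strings (real DNS; tests inject fakes)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def pin_outbound_url(url: str, resolver=system_resolver):
    """Resolve once, validate every answer, and return (pinned_url, headers):
    a URL targeting the validated IP literal plus the Host header to send, so
    the HTTP client never performs a second lookup that could be rebound."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal: no lookup
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")
    # Reject if *any* answer is internal: a rebinding zone can mix public and
    # private records and rely on the client happening to pick the private one.
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address(es): {bad}")
    ip = addresses[0]
    port = parts.port or (443 if parts.scheme == "https" else 80)
    netloc = f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path or "/",
                         parts.query, parts.fragment))
    host_header = f"[{host}]" if ":" in host else host
    if parts.port is not None:
        host_header += f":{parts.port}"
    return pinned, {"Host": host_header}


def is_url_allowed(url: str, resolver=system_resolver) -> bool:
    """Boolean wrapper for policy checks."""
    try:
        pin_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed stand-in resolvers for offline demonstration (not real DNS).
def fake_public_resolver(host):
    return ["93.184.216.34"]


def fake_rebinding_resolver(host):
    return ["93.184.216.34", "127.0.0.1"]


def fake_metadata_resolver(host):
    return ["169.254.169.254"]
```

Note what this does not cover: HTTP redirects. A fetched public URL may 302 to `http://127.0.0.1/`, so the client must be configured not to follow redirects automatically and every hop must go through `pin_outbound_url` again.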

Kris Hardy 🌮's avatar
Kris Hardy 🌮

@[email protected]

Does anyone know if there is a way to get a snapshot of a running container instance in for a investigation? I can't find anything in the docs to see if it's possible.

spv's avatar
spv

@[email protected]

hi, i'm spv. call me spv, or james if you want to be slightly weird without knowing me

here's an post because i don't think i've made one yet.
info to know about me: 17 from BFE, NY

i'm , and have too many other conditions to list. woooo!

i do on occasion
on the regular
i like to work with , but i don't do it enough

getting a degree in Security & from SUNY Broome (starting in august)

warning: i use a lot of

Hollo's avatar
Hollo

@[email protected]

To users: please update your to 0.1.0-dev.46, a patch which addresses @fedify's CVE-2024-39687, as soon as possible!

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709

Jan Penfrat's avatar
Jan Penfrat

@[email protected]

The @EUCommission wastes our tax payer money to team up with the and notorious villain and sue the EU data protection agency @EDPS because the Commission wants to continue to use the software shitshow.

How low can this institution sink?

digitalcourage.social/@echo_pb

Anders Eknert's avatar
Anders Eknert

@[email protected]

Announced yesterday, Regal is a new linter for , with the ambitious goal of both catching bugs/mistakes in policy code, *and* to help people learn the language! If you ever work with , I’m sure you’ll find it useful. Check it out, and if you’d like to help kick-start the project by giving it a star ⭐️ I’d be overjoyed!

github.com/StyraInc/regal/

Kushal Das :python: :tor: 🇵🇸's avatar
Kushal Das :python: :tor: 🇵🇸

@[email protected]

Do you know about verybad.kushaldas.in:8000/ experiment? This web application has a lot of holes, and I tried to secure it using only . Feel free to do a round of , the box. Remember to let me know what you found.

The box is up from April end 2022.

Please boost so that your other security minded friends see this. I try to make sure that any learning from this goes back to systemd upstream.

Catalin Cimpanu's avatar
Catalin Cimpanu

@[email protected]

Halcyon researchers have discovered a new ransomware operator named Volcano Demon that is currently distributing versions of the LukaLocker ransomware.

Halcyon says the group engages in targeted ransomware attacks but does not operate a dedicated dark web leak site.

The group is also known for calling a company's executives to extort and negotiate payments.

halcyon.ai/blog/halcyon-identi

kcarruthers's avatar
kcarruthers

@[email protected]

Follow me if you’re interested in:

Pics of my Mr Maxi & pics from walks in (it’s kind of a puppy spam account, but he’s adorbs)

stuff about & modern

Topics I’m interested in:

monocles's avatar
monocles

@[email protected]

What is it about?

offers ethically acceptable services and an online platform for individuals as well as for companies for a truly fair and secure digital life.

+ complete

+ 100% electricity from energy sources

+ no

+ highest possible

+ of corporations and organizations, as completely privately funded

Check out more on monocles.eu/more

monocles's avatar
monocles

@[email protected]

chat 1.7.9 is released on the playstore with a lot of updates and improvements! (See comments below)

play.google.com/store/apps/det

Tuta's avatar
Tuta

@[email protected]

Today we are proud to announce the launch of the world's first secure email platform! 🥳🎉

With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒

Learn more about this quantum leap in here: tuta.com/blog/post-quantum-cry

Today we are proud to announce the launch of the world's first post-quantum secure email platform! 

With TutaCrypt your data is safe against quantum computer attacks at rest & in transit.
Emelia 👸🏻's avatar
Emelia 👸🏻

@[email protected]

Okay, okay, at @nova's behest, an post:

Hi 👋🏻 I'm Emelia, from , , I'm trans queer and kinky.

I'm a princess 👸🏻 currently working most with , currently working on Fediverse Trust & Safety tooling

I'm most known for my work on , and contribute to & other fediverse software

In 2020, I became the of Unobvious Technology, aiming to improve the safety, and profitability of and advance the

Rob Ricci's avatar
Rob Ricci

@[email protected]

Hey! Let's talk about and !

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at by @sachindhke. The full paper is at flux.utah.edu/paper/singh-nsdi

Let's dive in. 🧵

A graph of SSH login attempts per day, in millions. On the Y axis, the graph starts in October 2017 at around 0.25M attempts per day. The day-to-day numbers are very noisy, but a trend line shows that the average number of attacks per day rises to around 1.0M around January 2021, with a slight fall-off before the graph ends in August 2021.
Mitex Leo's avatar
Mitex Leo

@[email protected]

Any reason to not trust Eset Antivirus?

#eset #privacy #Security #antivirus #infosec
Tokyo Outsider (337ppm)'s avatar
Tokyo Outsider (337ppm)

@[email protected]

, and question: If instances generally collect only one copy of each post and then share it with the users that need to see it, does that mean non-originating instances are trusted to not show that post to users the poster has blocked (or who shouldn't see it because they're not following etc. depending on visibility)?

How do the collecting instances know who should see it? (A cached copy of the poster's follow list?)

And does change any of this?

/dev/rdsk/c5t1d0s2's avatar
/dev/rdsk/c5t1d0s2

@[email protected]

I probably should do an too

I'm Joel, the -whacker, -noodler, - licker, and -spooner. I also do a bunch of design and coding, while wondering why still sucks so much.

There will be regular and posts, and likely a lot of swearing as well

🅰🅻🅸🅲🅴  (Mutuals)'s avatar
🅰🅻🅸🅲🅴 (Mutuals)

@[email protected]

🥰 So fulfilling! 🥰 A friend just brought their little daughter over to my place, because she had a journal with a 3 wheel combination lock on it, and she'd forgotten the combo.

I showed her how to decode it, and eventually she got it open! We changed the combo and locked it again so she could practice more.

After a bit, she was asking about other kinds of locks, so I happily brought out an assortment of antique and miniature locks from my collection.

A couple hours later they had to leave, and she was beaming! Today she had picked 2 warded locks, a pair of police cuffs, raked open a 4-pin tumbler, and decoded a combination lock!

I sent her off with a smiley yellow binder clip and a minuscule warded lock to practice on.

They asked to come back next week to learn more. 💜

I feel like the Yoda of lock-sport. 🙂

---

Update: Friend just texted me to say their daughter is thinking of starting a YouTube channel to document her growth in lock-sport, and wanted advice on gear/setup stuff.

---

9 tiny locks locked to the shackle of a slightly larger tiny lock.
A pink elephant-shaped paperclip and a blue binder clip with a grumpy face on it.

In the right hands, these are powerful tools.
Strypey's avatar
Strypey

@[email protected] · Reply to Strypey's post

Our Mastodon server has been mostly down for a week, and anything we posted during the brief uptime during the last week has been lost. Turns out our PostgreSQL container was hit by cryptojacking malware;

thehackernews.com/2024/05/kins

It doesn't seem like a targeted attack, I think we were just unlucky. I highly recommend admins review your security measures and harden your systems against automated attacks.

Is this something Reproducible Builds could help with?

Ciarán McNally's avatar
Ciarán McNally

@[email protected]

Hello all 👋
Am a self-employed consultant of 10+ years via securit.ie/

I regularly enjoy live sports/music (likely to post about), I code & and am unafraid of low-level / reverse engineering, builder, breaker, cocktail shaker. Lefty af ☭. An aspiring cyberterrorist armchair general on main
🤘😜👍

Avoid The Hack!'s avatar
Avoid The Hack!

@[email protected]

👋🏽 Hi Mastodon

(Redoing )

I am the same Avoid The Hack from Bird Site

Only news items and updates for avoidthehack.com are cross posted from Bird Site. Everything else is here (and only here) as I’m more active on Mastodon.

Most of this feed is related to and . Sometimes I post advice. Sometimes I share articles I have written. Sometimes I share articles featuring Avoid The Hack. Sometimes there are memes.

lj·rk's avatar
lj·rk

@[email protected]

Bio was too big, and I didn't yet make an :

Hi, I'm Leonard/Janis (like Cohen/Joplin respectively), I use they/them pronouns, he/him (Leo) and she/her (Janis).

I'm a from . I'm a professional procrastinator, don't expect me to stick to one project :'-)

Outside of computing I love , and , adore cats, have a passion for and spend too much time following politics. I listen to but my musical taste has since widened to also embrace R'n'B, Rock, Funk, and a lot of modern stuff. I read classic and my favorite authors are Terry , Douglas Adams, J.R.R. , Robert Harris, and Sjöwall & Wahlöö (rather male dominated, send recommendations!).

I'm politically left but not settled on the specific question of government.

I'm a and fetishist (these aren't the same, sometimes even oblique). Some see a gray space here, I consider the right to data self-determination a fundamental right. Also, free , and a livable environment are fundamental. and are crucial for individuals and society. Tech won't solve our core problems, merely highlight them and perhaps provide tools for change we can use.

Jon Seager's avatar
Jon Seager

@[email protected]

Pretty huge news from Canonical yesterday!

"Today, Canonical announced a 12 year LTS for any open source Docker image!"

canonical.com/blog/canonical-o

heise Security's avatar
heise Security

@[email protected]

Desinfec't 2024 is now available for purchase on a USB stick

With the c't security tool you remove Windows trojans and access your data on PCs that no longer boot.

heise.de/news/Ab-sofort-gibt-e

Christian Kent's avatar
Christian Kent

@[email protected]

Let’s hope this -conscious *choice* in the Kia EV9 is the start of a trend. They didn’t have to give us this. In a real button, no less — you can connect or disconnect the data from your phone while -charging it in your car. From MKBHD youtu.be/CRhjL9X2yKA

A photo of a YouTuber’s finger pointing at a button on the new Kia EV9 that shows two modes next to a USB port.  The symbols indicate two choices:  Battery only, or battery with USB data.
she hacked you's avatar
she hacked you

@[email protected]

Don't have time for a banner grab but still interested in basic info about a server?

Well taking advantage of a server's inability to process '%' b/c it expects two hex digits to follow; in many cases it errors

Preventing this from happening is actually easy

It requires an essential secure programming principle: verify, validate, and sanitize your input

This principle should be applied to EVERY input, and yes the URL is input

Using /% you can generate an error on many servers, and when they have not bothered to hide information it can be revealing.
FreeTech Project's avatar
FreeTech Project

@[email protected]

So glad to be on floss.social! Time for another introduction. Hello from , , UK! We're a initiative founded back in 2010, focused on helping people use in a way that is more financially, environmentally, and socially , regardless of knowledge or skill level – using and promoting primarily to provide personalised learning. We particularly love , , and ! Feel free to spread the word. Thanks!

Martin Boller 🇺🇦  :tux: :freebsd: :windows: :mastodon:'s avatar
Martin Boller 🇺🇦 :tux: :freebsd: :windows: :mastodon:

@[email protected]

Sometimes logical isolation isn't enough

Sign saying:
"Septic Tanks Pumped
Swimming Pools Filled
Not same Truck"
WTL's avatar
WTL

@[email protected]

My four-month-late :
Work: & , , / ,

Life: movies, music, , curious and loves to learn, social justice, and to my surprise, a who has 15,477 KM Jan 2020 - Dec 2022.

If you stop and look at something the more closely you examine it, the more amazing it becomes.

Married to the wonderful @TAV for over 25 years, furdad to Sprocket the , (he/him) ,

sweet conceit's avatar
sweet conceit

@[email protected]

Since this is what's done on - I am a middle-aged recovering fandom nerd, still active and nerd, and someone who has amateur hour opinions on lots of things. My ideal vacation is reading terrible sci-fi in a nice hotel room.

Strongly in favor of and I seem to be getting more radical as I get older.

I'll probably post about:

(Originally posted on mastodon.lol)

Vegard Nossum 🥑's avatar
Vegard Nossum 🥑

@[email protected]

I've archived all my old tweets (except RTs) here:
vegard.github.io/twitter/

Almost everything has been tagged by subject/topic in case you are only interested in something specific.

Lots of , , , , , etc. posts.

James Bannan's avatar
James Bannan

@[email protected]

Now that the dust has settled, I can finally get to an

I’m based in Melbourne/Narrm, and live with my family (and dog!) a short walk from one of the loveliest beaches around.

I work as an consultant, mostly specialising in technologies, system architecture, and . I’ve also worked as a , an , a public speaker and an

I have one technical book under my belt, but am aspiring to and am enjoying being part of the community

Jack Platten's avatar
Jack Platten

@[email protected]

Hi friends! Now that it seems like the fediverse is sticking around, finally figured I should make an introduction post (on my fourth account don't mind me).

I'm into , , , and making things better to use for everyone.😀