#security

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

calling the deficit a “national emergency” that threatens US , lays out his *legal* argument for his actions.

“They rip us off,”Trump says of the , announcing a 20% on the 27-nation bloc.

Trump holds a chart showing reciprocal tariff rates for US trading partners & says he will charge half of that much? There is no explanation for the calculations that he is using to justify the . Likely because they’re arbitrary revenge tactics.

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The use of , a FAR LESS secure method of communication than the encrypted messaging app [which isn’t secure enough for these kinds of comms either], is the latest example of questionable practices by top ofcls already under fire for the mistaken inclusion of a journalist in a group chat about high-level planning for ops in Yemen.

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

Esk 🐌⚡💜's avatar
Esk 🐌⚡💜

@esk@hachyderm.io

hey, fediverse friends - i'm excited that we're finally announcing our Fediverse Security Fund over at @nivenly to help make fedi software more secure.

we're starting off super small to see if the Fund is a thing that can help. along the way we'll learn and improve our intake/payout process. and if there's solid interest and we see good impact, we'll hold a member vote near the end of the experiment to decide if we'll renew/expand the program.

thanks to @thisismissem for her contributions and being the first disclosure to validate the process.

let's close some vulns! :blobfoxscience:

Esk 🐌⚡💜's avatar
Esk 🐌⚡💜

@esk@hachyderm.io

hey, fediverse friends - i'm excited that we're finally announcing our Fediverse Security Fund over at @nivenly to help make fedi software more secure.

we're starting off super small to see if the Fund is a thing that can help. along the way we'll learn and improve our intake/payout process. and if there's solid interest and we see good impact, we'll hold a member vote near the end of the experiment to decide if we'll renew/expand the program.

thanks to @thisismissem for her contributions and being the first disclosure to validate the process.

let's close some vulns! :blobfoxscience:

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

This is a program that I've been championing within @nivenly over the past year, after we noticed that security vulnerabilities weren't being disclosed responsibly, and not enough research was going into the security of Fediverse software.

You might remember my Pixelfed vulnerability from last year, where OAuth scopes weren't checked allowing for privilege escalation via the API (CVE-2024-25108), that was our very first test-case of this program.

I'm incredibly proud to be involved in launching the Fediverse Security Fund from Nivenly Foundation (a 501(c)4 not-for-profit cooperative)

RE: hachyderm.io/@nivenly/11426849

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

this makes me really happy: over 1/6th of the top (by download) Python projects are producing attestations!

that's a meteoric adoption rate, given that we only enabled attestation upload support on PyPI ~5 months ago!

tracker here: trailofbits.github.io/are-we-p

a screencap of https://trailofbits.github.io/are-we-pep740-yet/
ALT text detailsa screencap of https://trailofbits.github.io/are-we-pep740-yet/
Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The use of , a FAR LESS secure method of communication than the encrypted messaging app [which isn’t secure enough for these kinds of comms either], is the latest example of questionable practices by top ofcls already under fire for the mistaken inclusion of a journalist in a group chat about high-level planning for ops in Yemen.

Andrew Lock's avatar
Andrew Lock

@andrewlock@hachyderm.io

Blogged: Creating SBOM attestations in GitHub Actions

andrewlock.net/creating-sbom-a

In this post I show how you can create attestations for SBOM documents that you have created for your application or Nuget package

Melroy van den Berg's avatar
Melroy van den Berg

@melroy@mastodon.melroy.org

Cloud is hacked. Another reason why I do not use the :)

techcrunch.com/2025/03/31/orac

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

Encryption is essential for cybersecurity 🔐

The lack of protections for it in the UK Cyber Security Bill, coupled with the UK's encryption-breaching order against Apple, shows a lack of seriousness about the threats we face.

Sign and share our petition to send a message ⬇️

you.38degrees.org.uk/petitions

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

Encryption is essential for cybersecurity 🔐

The lack of protections for it in the UK Cyber Security Bill, coupled with the UK's encryption-breaching order against Apple, shows a lack of seriousness about the threats we face.

Sign and share our petition to send a message ⬇️

you.38degrees.org.uk/petitions

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

The UK Cyber Security and Resilience Bill is an opportunity to assess and reduce the UK’s dependence on large US corporations for vital government infrastructure.

Other countries, such as France and the Netherlands, are already debating how to do this, through open source software for example.

arstechnica.com/information-te

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

“The UK cannot claim to be strengthening the country’s cyber defences while at the same time issuing notices to companies like Apple and demanding that they reduce the security of the services they offer."

🗣️ @JamesBaker – ORG Programme Manager.

computerweekly.com/news/366619

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

NEW: The UK government has published its Cyber Security Bill and there are glaring holes.

Missing:

🔴 Protections for encryption.
🔴 Reduction of our dependence on US corporations for vital UK government infrastructure, such as through open source software.

Read our response ⬇️

openrightsgroup.org/press-rele

Simona Casolari's avatar
Simona Casolari

@symcasolari@mastodon.social

After about a month of researching, documenting, and writing, this piece is out. Out of my brain, out of my soul.

Knowledge hurts sometimes. Acting consciously is so empowering though, and liberating.

Thanks @Ullilust and @Xeniax for allowing me to include your images and words.

My and @davidrevoy's illustrations in the article are CC-BY 4.0.

illugination.com/not-in-my-nam

Simona Casolari's avatar
Simona Casolari

@symcasolari@mastodon.social

After about a month of researching, documenting, and writing, this piece is out. Out of my brain, out of my soul.

Knowledge hurts sometimes. Acting consciously is so empowering though, and liberating.

Thanks @Ullilust and @Xeniax for allowing me to include your images and words.

My and @davidrevoy's illustrations in the article are CC-BY 4.0.

illugination.com/not-in-my-nam

Simona Casolari's avatar
Simona Casolari

@symcasolari@mastodon.social

After about a month of researching, documenting, and writing, this piece is out. Out of my brain, out of my soul.

Knowledge hurts sometimes. Acting consciously is so empowering though, and liberating.

Thanks @Ullilust and @Xeniax for allowing me to include your images and words.

My and @davidrevoy's illustrations in the article are CC-BY 4.0.

illugination.com/not-in-my-nam

mailbox.org's avatar
mailbox.org

@mailbox_org@social.mailbox.org

🖥️ Today is World Backup Day – a reminder to secure your data! At @mailbox_org you benefit from automatic server backups, encrypted storage, and high security standards in German data centers. Stay in control of your e-mails and files!

World Backup Day
ALT text detailsWorld Backup Day
michabbb's avatar
michabbb

@michabbb@vivaldi.net

In case you missed it: integrates with browser for enhanced and .

Hide your IP address, access global content, and block malicious scripts with encryption standards.

🧵 👇

michabbb's avatar
michabbb

@michabbb@vivaldi.net

In case you missed it: integrates with browser for enhanced and .

Hide your IP address, access global content, and block malicious scripts with encryption standards.

🧵 👇

mailbox.org's avatar
mailbox.org

@mailbox_org@social.mailbox.org

🖥️ Today is World Backup Day – a reminder to secure your data! At @mailbox_org you benefit from automatic server backups, encrypted storage, and high security standards in German data centers. Stay in control of your e-mails and files!

World Backup Day
ALT text detailsWorld Backup Day
Tokyo Outsider (337ppm)'s avatar
Tokyo Outsider (337ppm)

@tokyo_0@mas.to

Every app that uses location access on nags me to turn on the "accurate" (WiFi surveillance) location setting now, rather than just letting me use my GPS. And when I don't, Android thinks I'm nowhere near where I actually am.

I know that isn't a hardware problem, because GPS used to work fine all of its own accord.

Why are my only options "let us digitally surveil you" or "this doesn't work"?

XenoPhage :verified:'s avatar
XenoPhage :verified:

@XenoPhage@infosec.exchange

Why is it that Home Depot has passkey support and my bank still wants me to answer those three questions?

Aral Balkan's avatar
Aral Balkan

@aral@mastodon.ar.al

So after listening to your feedback, I agree: let’s spend that money in the EU to create a publicly-owned, free and open ACME-compatible certificate authority.

See post quoted below, with links to Tom’s work as he’s already been thinking/working on this.

mamot.fr/@tdelmas/114224564125

John Goerzen's avatar
John Goerzen

@jgoerzen@changelog.complete.org

Why You Should (Still) Use Signal As Much As Possible

As I write this in March 2025, there is a lot of confusion about Signal messenger due to the recent news of people using Signal in government, and subsequent leaks.

The short version is: there was no problem with Signal here. People were using it because they understood it to be secure, not the other way around.

Both the government and the Electronic Frontier Foundation recommend people use Signal. This is an unusual alliance, and in the case of the government, was prompted because it understood other countries had a persistent attack against American telephone companies and SMS traffic.

So let’s dive in. I’ll cover some basics of what security is, what happened in this situation, and why Signal is a good idea.

This post isn’t for programmers that work with cryptography every day. Rather, I hope it can make some of these concepts accessible to everyone else.

What makes communications secure?

When most people are talking about secure communications, they mean some combination of these properties:

  1. Privacy - nobody except the intended recipient can decode a message.
  2. Authentication - guarantees that the person you are chatting with really is the intended recipient.
  3. Ephemerality - preventing a record of the communication from being stored. That is, making it more like a conversation around the table than a written email.
  4. Anonymity - keeping your set of contacts to yourself and even obfuscating the fact that communications are occurring.

If you think about it, most people care the most about the first two. In fact, authentication is a key part of privacy. There is an attack known as man in the middle in which somebody pretends to be the intended recipient. The interceptor reads the messages, and then passes them on to the real intended recipient. So we can’t really have privacy without authentication.

I’ll have more to say about these later. For now, let’s discuss attack scenarios.

What compromises security?

There are a number of ways that security can be compromised. Let’s think through some of them:

Communications infrastructure snooping

Let’s say you used no encryption at all, and connected to public WiFi in a coffee shop to send your message. Who all could potentially see it?

  • The owner of the coffee shop’s WiFi
  • The coffee shop’s Internet provider
  • The recipient’s Internet provider
  • Any Internet providers along the network between the sender and the recipient
  • Any government or institution that can compel any of the above to hand over copies of the traffic
  • Any hackers that compromise any of the above systems

Back in the early days of the Internet, most traffic had no encryption. People were careful about putting their credit cards into webpages and emails because they knew it was easy to intercept them. We have been on a decades-long evolution towards more pervasive encryption, which is a good thing.

Text messages (SMS) follow a similar path to the above scenario, and are unencrypted. We know that all of the above are ways people’s texts can be compromised; for instance, governments can issue search warrants to obtain copies of texts, and China is believed to have a persistent hack into western telcos. SMS fails all four of our attributes of secure communication above (privacy, authentication, ephemerality, and anonymity).

Also, think about what information is collected from SMS and by who. Texts you send could be retained in your phone, the recipient’s phone, your phone company, their phone company, and so forth. They might also live in cloud backups of your devices. You only have control over your own phone’s retention.

So defenses against this involve things like:

  • Strong end-to-end encryption, so no intermediate party – even the people that make the app – can snoop on it.
  • Using strong authentication of your peers
  • Taking steps to prevent even app developers from being able to see your contact list or communication history

You may see some other apps saying they use strong encryption or use the Signal protocol. But while they may do that for some or all of your message content, they may still upload your contact list, history, location, etc. to a central location where it is still vulnerable to these kinds of attacks.

When you think about anonymity, think about it like this: if you send a letter to a friend every week, every postal carrier that transports it – even if they never open it or attempt to peak inside – will be able to read the envelope and know that you communicate on a certain schedule with that friend. The same can be said of SMS, email, or most encrypted chat operators. Signal’s design prevents it from retaining even this information, though nation-states or ISPs might still be able to notice patterns (every time you send something via Signal, your contact receives something from Signal a few milliseconds later). It is very difficult to provide perfect anonymity from well-funded adversaries, even if you can provide very good privacy.

Device compromise

Let’s say you use an app with strong end-to-end encryption. This takes away some of the easiest ways someone could get to your messages. But it doesn’t take away all of them.

What if somebody stole your phone? Perhaps the phone has a password, but if an attacker pulled out the storage unit, could they access your messages without a password? Or maybe they somehow trick or compel you into revealing your password. Now what?

An even simpler attack doesn’t require them to steal your device at all. All they need is a few minutes with it to steal your SIM card. Now they can receive any texts sent to your number - whether from your bank or your friend. Yikes, right?

Signal stores your data in an encrypted form on your device. It can protect it in various ways. One of the most important protections is ephemerality - it can automatically delete your old texts. A text that is securely erased can never fall into the wrong hands if the device is compromised later.

An actively-compromised phone, though, could still give up secrets. For instance, what if a malicious keyboard app sent every keypress to an adversary? Signal is only as secure as the phone it runs on – but still, it protects against a wide variety of attacks.

Untrustworthy communication partner

Perhaps you are sending sensitive information to a contact, but that person doesn’t want to keep it in confidence. There is very little you can do about that technologically; with pretty much any tool out there, nothing stops them from taking a picture of your messages and handing the picture off.

Environmental compromise

Perhaps your device is secure, but a hidden camera still captures what’s on your screen. You can take some steps against things like this, of course.

Human error

Sometimes humans make mistakes. For instance, the reason a reporter got copies of messages recently was because a participant in a group chat accidentally added him (presumably that participant meant to add someone else and just selected the wrong name). Phishing attacks can trick people into revealing passwords or other sensitive data. Humans are, quite often, the weakest link in the chain.

Protecting yourself

So how can you protect yourself against these attacks? Let’s consider:

  • Use a secure app like Signal that uses strong end-to-end encryption where even the provider can’t access your messages
  • Keep your software and phone up-to-date
  • Be careful about phishing attacks and who you add to chat rooms
  • Be aware of your surroundings; don’t send sensitive messages where people might be looking over your shoulder with their eyes or cameras

There are other methods besides Signal. For instance, you could install GnuPG (GPG) on a laptop that has no WiFi card or any other way to connect it to the Internet. You could always type your messages on that laptop, encrypt them, copy the encrypted text to a floppy disk (or USB device), take that USB drive to your Internet computer, and send the encrypted message by email or something. It would be exceptionally difficult to break the privacy of messages in that case (though anonymity would be mostly lost). Even if someone got the password to your “secure” laptop, it wouldn’t do them any good unless they physically broke into your house or something. In some ways, it is probably safer than Signal. (For more on this, see my article How gapped is your air?)

But, that approach is hard to use. Many people aren’t familiar with GnuPG. You don’t have the convenience of sending a quick text message from anywhere. Security that is hard to use most often simply isn’t used. That is, you and your friends will probably just revert back to using insecure SMS instead of this GnuPG approach because SMS is so much easier.

Signal strikes a unique balance of providing very good security while also being practical, easy, and useful. For most people, it is the most secure option available.

Signal is also open source; you don’t have to trust that it is as secure as it says, because you can inspect it for yourself. Also, while it’s not federated, I previously addressed that.

Government use

If you are a government, particularly one that is highly consequential to the world, you can imagine that you are a huge target. Other nations are likely spending billions of dollars to compromise your communications. Signal itself might be secure, but if some other government can add spyware to your phones, or conduct a successful phishing attack, you can still have your communications compromised.

I have no direct knowledge, but I think it is generally understood that the US government maintains communications networks that are entirely separate from the Internet and can only be accessed from secure physical locations and secure rooms. These can be even more secure than the average person using Signal because they can protect against things like environmental compromise, human error, and so forth. The scandal in March of 2025 happened because government employees were using Signal rather than official government tools for sensitive information, had taken advantage of Signal’s ephemerality (laws require records to be kept), and through apparent human error had directly shared this information with a reporter. Presumably a reporter would have lacked access to the restricted communications networks in the first place, so that wouldn’t have been possible.

This doesn’t mean that Signal is bad. It just means that somebody that can spend billions of dollars on security can be more secure than you. Signal is still a great tool for people, and in many cases defeats even those that can spend lots of dollars trying to defeat it.

And remember - to use those restricted networks, you have to go to specific rooms in specific buildings. They are still not as convenient as what you carry around in your pocket.

Conclusion

Signal is practical security. Do you want phone companies reading your messages? How about Facebook or X? Have those companies demonstrated that they are completely trustworthy throughout their entire history?

I say no. So, go install Signal. It’s the best, most practical tool we have.

This post is also available on my website, where it may be periodically updated.

John Goerzen's avatar
John Goerzen

@jgoerzen@changelog.complete.org

Why You Should (Still) Use Signal As Much As Possible

As I write this in March 2025, there is a lot of confusion about Signal messenger due to the recent news of people using Signal in government, and subsequent leaks.

The short version is: there was no problem with Signal here. People were using it because they understood it to be secure, not the other way around.

Both the government and the Electronic Frontier Foundation recommend people use Signal. This is an unusual alliance, and in the case of the government, was prompted because it understood other countries had a persistent attack against American telephone companies and SMS traffic.

So let’s dive in. I’ll cover some basics of what security is, what happened in this situation, and why Signal is a good idea.

This post isn’t for programmers that work with cryptography every day. Rather, I hope it can make some of these concepts accessible to everyone else.

What makes communications secure?

When most people are talking about secure communications, they mean some combination of these properties:

  1. Privacy - nobody except the intended recipient can decode a message.
  2. Authentication - guarantees that the person you are chatting with really is the intended recipient.
  3. Ephemerality - preventing a record of the communication from being stored. That is, making it more like a conversation around the table than a written email.
  4. Anonymity - keeping your set of contacts to yourself and even obfuscating the fact that communications are occurring.

If you think about it, most people care the most about the first two. In fact, authentication is a key part of privacy. There is an attack known as man in the middle in which somebody pretends to be the intended recipient. The interceptor reads the messages, and then passes them on to the real intended recipient. So we can’t really have privacy without authentication.

I’ll have more to say about these later. For now, let’s discuss attack scenarios.

What compromises security?

There are a number of ways that security can be compromised. Let’s think through some of them:

Communications infrastructure snooping

Let’s say you used no encryption at all, and connected to public WiFi in a coffee shop to send your message. Who all could potentially see it?

  • The owner of the coffee shop’s WiFi
  • The coffee shop’s Internet provider
  • The recipient’s Internet provider
  • Any Internet providers along the network between the sender and the recipient
  • Any government or institution that can compel any of the above to hand over copies of the traffic
  • Any hackers that compromise any of the above systems

Back in the early days of the Internet, most traffic had no encryption. People were careful about putting their credit cards into webpages and emails because they knew it was easy to intercept them. We have been on a decades-long evolution towards more pervasive encryption, which is a good thing.

Text messages (SMS) follow a similar path to the above scenario, and are unencrypted. We know that all of the above are ways people’s texts can be compromised; for instance, governments can issue search warrants to obtain copies of texts, and China is believed to have a persistent hack into western telcos. SMS fails all four of our attributes of secure communication above (privacy, authentication, ephemerality, and anonymity).

Also, think about what information is collected from SMS and by who. Texts you send could be retained in your phone, the recipient’s phone, your phone company, their phone company, and so forth. They might also live in cloud backups of your devices. You only have control over your own phone’s retention.

So defenses against this involve things like:

  • Strong end-to-end encryption, so no intermediate party – even the people that make the app – can snoop on it.
  • Using strong authentication of your peers
  • Taking steps to prevent even app developers from being able to see your contact list or communication history

You may see some other apps saying they use strong encryption or use the Signal protocol. But while they may do that for some or all of your message content, they may still upload your contact list, history, location, etc. to a central location where it is still vulnerable to these kinds of attacks.

When you think about anonymity, think about it like this: if you send a letter to a friend every week, every postal carrier that transports it – even if they never open it or attempt to peak inside – will be able to read the envelope and know that you communicate on a certain schedule with that friend. The same can be said of SMS, email, or most encrypted chat operators. Signal’s design prevents it from retaining even this information, though nation-states or ISPs might still be able to notice patterns (every time you send something via Signal, your contact receives something from Signal a few milliseconds later). It is very difficult to provide perfect anonymity from well-funded adversaries, even if you can provide very good privacy.

Device compromise

Let’s say you use an app with strong end-to-end encryption. This takes away some of the easiest ways someone could get to your messages. But it doesn’t take away all of them.

What if somebody stole your phone? Perhaps the phone has a password, but if an attacker pulled out the storage unit, could they access your messages without a password? Or maybe they somehow trick or compel you into revealing your password. Now what?

An even simpler attack doesn’t require them to steal your device at all. All they need is a few minutes with it to steal your SIM card. Now they can receive any texts sent to your number - whether from your bank or your friend. Yikes, right?

Signal stores your data in an encrypted form on your device. It can protect it in various ways. One of the most important protections is ephemerality - it can automatically delete your old texts. A text that is securely erased can never fall into the wrong hands if the device is compromised later.

An actively-compromised phone, though, could still give up secrets. For instance, what if a malicious keyboard app sent every keypress to an adversary? Signal is only as secure as the phone it runs on – but still, it protects against a wide variety of attacks.

Untrustworthy communication partner

Perhaps you are sending sensitive information to a contact, but that person doesn’t want to keep it in confidence. There is very little you can do about that technologically; with pretty much any tool out there, nothing stops them from taking a picture of your messages and handing the picture off.

Environmental compromise

Perhaps your device is secure, but a hidden camera still captures what’s on your screen. You can take some steps against things like this, of course.

Human error

Sometimes humans make mistakes. For instance, the reason a reporter got copies of messages recently was because a participant in a group chat accidentally added him (presumably that participant meant to add someone else and just selected the wrong name). Phishing attacks can trick people into revealing passwords or other sensitive data. Humans are, quite often, the weakest link in the chain.

Protecting yourself

So how can you protect yourself against these attacks? Let’s consider:

  • Use a secure app like Signal that uses strong end-to-end encryption where even the provider can’t access your messages
  • Keep your software and phone up-to-date
  • Be careful about phishing attacks and who you add to chat rooms
  • Be aware of your surroundings; don’t send sensitive messages where people might be looking over your shoulder with their eyes or cameras

There are other methods besides Signal. For instance, you could install GnuPG (GPG) on a laptop that has no WiFi card or any other way to connect it to the Internet. You could always type your messages on that laptop, encrypt them, copy the encrypted text to a floppy disk (or USB device), take that USB drive to your Internet computer, and send the encrypted message by email or something. It would be exceptionally difficult to break the privacy of messages in that case (though anonymity would be mostly lost). Even if someone got the password to your “secure” laptop, it wouldn’t do them any good unless they physically broke into your house or something. In some ways, it is probably safer than Signal. (For more on this, see my article How gapped is your air?)

But, that approach is hard to use. Many people aren’t familiar with GnuPG. You don’t have the convenience of sending a quick text message from anywhere. Security that is hard to use most often simply isn’t used. That is, you and your friends will probably just revert back to using insecure SMS instead of this GnuPG approach because SMS is so much easier.

Signal strikes a unique balance of providing very good security while also being practical, easy, and useful. For most people, it is the most secure option available.

Signal is also open source; you don’t have to trust that it is as secure as it says, because you can inspect it for yourself. Also, while it’s not federated, I previously addressed that.

Government use

If you are a government, particularly one that is highly consequential to the world, you can imagine that you are a huge target. Other nations are likely spending billions of dollars to compromise your communications. Signal itself might be secure, but if some other government can add spyware to your phones, or conduct a successful phishing attack, you can still have your communications compromised.

I have no direct knowledge, but I think it is generally understood that the US government maintains communications networks that are entirely separate from the Internet and can only be accessed from secure physical locations and secure rooms. These can be even more secure than the average person using Signal because they can protect against things like environmental compromise, human error, and so forth. The scandal in March of 2025 happened because government employees were using Signal rather than official government tools for sensitive information, had taken advantage of Signal’s ephemerality (laws require records to be kept), and through apparent human error had directly shared this information with a reporter. Presumably a reporter would have lacked access to the restricted communications networks in the first place, so that wouldn’t have been possible.

This doesn’t mean that Signal is bad. It just means that somebody that can spend billions of dollars on security can be more secure than you. Signal is still a great tool for people, and in many cases defeats even those that can spend lots of dollars trying to defeat it.

And remember - to use those restricted networks, you have to go to specific rooms in specific buildings. They are still not as convenient as what you carry around in your pocket.

Conclusion

Signal is practical security. Do you want phone companies reading your messages? How about Facebook or X? Have those companies demonstrated that they are completely trustworthy throughout their entire history?

I say no. So, go install Signal. It’s the best, most practical tool we have.

This post is also available on my website, where it may be periodically updated.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

In an EO, hit the elite firm w/many of the same penalties that he had applied to its competitors who had taken on cases or causes he did not like.

He directed the cancellation of all govt contracts w/ , & the suspension of any clearances of its employees. The order also barred WilmerHale employees from federal buildings [Federal Court buildings fall into the category], banned them from communicating w/govt employees & prevented them from being hired at govt agencies.

Stefano Marinelli's avatar
Stefano Marinelli

@stefano@bsd.cafe

After the article from The Atlantic, I've seen a lot of misinformation circulating among journalists. I'm not getting into the political side of things, but many are focusing on the fact that Signal was used, claiming it's "not encrypted" or "not secure." This really saddens me because it spreads the wrong message.

Frontend Dogma's avatar
Frontend Dogma

@frontenddogma@mas.to

How to Protect Your Web Applications From XSS, by @torgo (@w3c):

w3.org/blog/2025/how-to-protec

Stefano Zacchiroli's avatar
Stefano Zacchiroli

@zacchiro@mastodon.xyz

My team at Polytechnic Institute of Paris/Télécom school of engineering is looking for a research engineer to conduct development and empirical experiments in various fields, most notable and .

Programming skills in are particularly welcome, even though we are quite polyglots and would also welcome C/Java/OCaml developers 😉

3-year contract, on site in the south of Paris.

Full job description at: institutminestelecom.recruitee

Aral Balkan's avatar
Aral Balkan

@aral@mastodon.ar.al

So after listening to your feedback, I agree: let’s spend that money in the EU to create a publicly-owned, free and open ACME-compatible certificate authority.

See post quoted below, with links to Tom’s work as he’s already been thinking/working on this.

mamot.fr/@tdelmas/114224564125

Tim (Wadhwa-)Brown :donor:'s avatar
Tim (Wadhwa-)Brown :donor:

@timb_machine@infosec.exchange

Interesting Git repos of the week:

Detection:

* github.com/tstromberg/ucd - hunt for unauthorised changes
* github.com/mnrkbys/fjta - check for anomalies in your FS timeline

Exploitation:

* github.com/hardenedlinux/tzram - audit your TrustZone implementatation

Nerd:

* gist.github.com/halcy/b4f455ef the Fediverse in FUSE

, ,

Stefano Zacchiroli's avatar
Stefano Zacchiroli

@zacchiro@mastodon.xyz

My team at Polytechnic Institute of Paris/Télécom school of engineering is looking for a research engineer to conduct development and empirical experiments in various fields, most notable and .

Programming skills in are particularly welcome, even though we are quite polyglots and would also welcome C/Java/OCaml developers 😉

3-year contract, on site in the south of Paris.

Full job description at: institutminestelecom.recruitee

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

Quick tip! You can actually see the changelog details for Debian/Ubuntu packages, which includes security info, CVEs, package urgency, and a short description. Super helpful for figuring out if you need to patch right away or schedule downtime, especially if you're working with clusters. For example, here is how to see info about the nginx:

apt changelog nginx

See cyberciti.biz/faq/debian-ubunt for more info.

`apt changelog nginx` command output showing the changelog of a package and displays it via default pager on Debian and friends.
ALT text details`apt changelog nginx` command output showing the changelog of a package and displays it via default pager on Debian and friends.
nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

Quick tip! You can actually see the changelog details for Debian/Ubuntu packages, which includes security info, CVEs, package urgency, and a short description. Super helpful for figuring out if you need to patch right away or schedule downtime, especially if you're working with clusters. For example, here is how to see info about the nginx:

apt changelog nginx

See cyberciti.biz/faq/debian-ubunt for more info.

`apt changelog nginx` command output showing the changelog of a package and displays it via default pager on Debian and friends.
ALT text details`apt changelog nginx` command output showing the changelog of a package and displays it via default pager on Debian and friends.
Frontend Dogma's avatar
Frontend Dogma

@frontenddogma@mas.to

How to Protect Your Web Applications From XSS, by @torgo (@w3c):

w3.org/blog/2025/how-to-protec

Tim (Wadhwa-)Brown :donor:'s avatar
Tim (Wadhwa-)Brown :donor:

@timb_machine@infosec.exchange

Interesting Git repos of the week:

Detection:

* github.com/tstromberg/ucd - hunt for unauthorised changes
* github.com/mnrkbys/fjta - check for anomalies in your FS timeline

Exploitation:

* github.com/hardenedlinux/tzram - audit your TrustZone implementatation

Nerd:

* gist.github.com/halcy/b4f455ef the Fediverse in FUSE

, ,

scy's avatar
scy

@scy@chaos.social

Oh, great. had a broken implementation of "follower-only" posts, _and_ fucked up the disclosure / bugfix release process.

fokus.cool/2025/03/25/pixelfed

Summary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

, Ldr of the ’s Liberal Democrats:

& his mates clearly aren't fit to run a group chat, let alone the world's strongest force. It has to make our services nervous about the we're sharing with them.”

's can't be trusted. Their reckless approach to security means it's only a matter of time before British intelligence is leaked.

“The Govt must urgently review our intelligence-sharing arrangements with the US.”

JD Vance and his mates clearly aren't fit to run a group chat, let alone the world's strongest military force. It has to make our security services nervous about the intelligence we're sharing with them.
ALT text detailsJD Vance and his mates clearly aren't fit to run a group chat, let alone the world's strongest military force. It has to make our security services nervous about the intelligence we're sharing with them.
Trump's White House can't be trusted. Their reckless approach to security means it's only a matter of time before British intelligence is leaked. The Government must urgently review our intelligence-sharing arrangements with the US.
ALT text detailsTrump's White House can't be trusted. Their reckless approach to security means it's only a matter of time before British intelligence is leaked. The Government must urgently review our intelligence-sharing arrangements with the US.
Olivier Forget's avatar
Olivier Forget

@teleclimber@social.tchncs.de

Uh, is it normal for an automated scanner to be unaware of patched packages?

Like how OpenSSH 9.2p1 is vulnerable to CVE-2023-38408 but the Debian version 1:9.2p1-2+deb12u5 is patched. But the security scanner sees the "9.2p1" string and sounds the alarm.

security-tracker.debian.org/tr

Is this a common problem for people running Debian servers?

Really Lazy Bear's avatar
Really Lazy Bear

@reallylazybear@mastodon.social

This is a pretty cool yet somewhat creepy website lol.

deviceinfo.me/

Really Lazy Bear's avatar
Really Lazy Bear

@reallylazybear@mastodon.social

This is a pretty cool yet somewhat creepy website lol.

deviceinfo.me/

Andrew Lock's avatar
Andrew Lock

@andrewlock@hachyderm.io

Blogged: Creating a software bill of materials (SBOM) for an open-source NuGet package

andrewlock.net/creating-a-soft

In this post I discuss several tools you can use to create a software bill of materials (SBOM) for an application or a NuGet package

Matt Burgess's avatar
Matt Burgess

@mattburgess@infosec.exchange

Hi all, been lurking for a few days but introducing myself now! I'm Matt and a reporter at WIRED. Like many others here, I'm coming to Mastodon after the chaos at the bird site in the last week.

The things I cover on a regular basis are , cybersecurity, , internet freedom, and human rights, and a bunch more things in the wider security realm.

I'm based in —and have lived here for the last decade—so I'm often reporting on issues from across Europe. When not writing words for the web, I'm often found and have been dabbling in the a few times over the last few years (edited to add introduction hashtag)

Jordan Warne's avatar
Jordan Warne

@jw@social.lol

I kept seeing people misunderstanding the differences between privacy, security, and anonymity. So I created a video at @privacyguides to educate people on the differences between them!

It's essential to know the distinction between them so you can make educated decisions on what tools to utilise for your situation. 🔒

➡️ Watch it here: privacyguides.org/videos/2025/

Video thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
ALT text detailsVideo thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
Jordan Warne's avatar
Jordan Warne

@jw@social.lol

I kept seeing people misunderstanding the differences between privacy, security, and anonymity. So I created a video at @privacyguides to educate people on the differences between them!

It's essential to know the distinction between them so you can make educated decisions on what tools to utilise for your situation. 🔒

➡️ Watch it here: privacyguides.org/videos/2025/

Video thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
ALT text detailsVideo thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
Jordan Warne's avatar
Jordan Warne

@jw@social.lol

I kept seeing people misunderstanding the differences between privacy, security, and anonymity. So I created a video at @privacyguides to educate people on the differences between them!

It's essential to know the distinction between them so you can make educated decisions on what tools to utilise for your situation. 🔒

➡️ Watch it here: privacyguides.org/videos/2025/

Video thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
ALT text detailsVideo thumbnail, on the left side is the Proton Mail logo, on the right side is the Signal logo. Underneath both of the logos is a bold title that says "NOT PRIVATE?"
Zak :1password:'s avatar
Zak :1password:

@zak@infosec.exchange

Apropos of this, one of the best things that you can do in addition to the baseline of using @signalapp is set up data retention limits for you and others that you talk to. I mentioned this the other day.

- Set storage limits for chats on your own device.
- Set disappearing messages for people that you talk to.

I use 30 days just because I'm not overly cautious about these things. But you can set them to whatever you're most comfortable with.

mastodon.social/@RealJournalis

Digitalcourage's avatar
Digitalcourage

@digitalcourage@digitalcourage.social

Herzlichen Glückwunsch! 🎉 Denn wenn du das hier lesen kannst, hast du sehr vieles richtig gemacht. Das unabhängige geht aber noch weit über Mastodon hinaus. In unserem kurz&mündig Band 16 erfährst du mehr über das dezentrale Social-Media-Universum :fediverse:

Band 16 der Reihe kurz&mündig
Autor.innen: Leena Simon 🔗 muendigkeit.digital und Christian Pietsch
A6, 28 Seiten, ISBN 978-3-934636-45-3
5 Euro, shop.digitalcourage.de

Weißt du eigentlich, dass das Fediverse viel mehr zu bieten hat, als Mastodon? * Mehr erfahren
ALT text detailsWeißt du eigentlich, dass das Fediverse viel mehr zu bieten hat, als Mastodon? * Mehr erfahren
* PeerTube ist ein trackerfreies Videoportal. * Pixelfed ist Heimat für schöne Fotos. * Funkwhale bietet Musik und Podcasts. * Und auf Lemmy lässt es sich wunderbar diskutieren. * Mehr dazu in Band 16 der kurz&mündig-Reihe: "Fediverse. So geht Social Media".
ALT text details* PeerTube ist ein trackerfreies Videoportal. * Pixelfed ist Heimat für schöne Fotos. * Funkwhale bietet Musik und Podcasts. * Und auf Lemmy lässt es sich wunderbar diskutieren. * Mehr dazu in Band 16 der kurz&mündig-Reihe: "Fediverse. So geht Social Media".
Titelbild "Fediverse. So geht Social Media – Raus aus den Hassmedien"
ALT text detailsTitelbild "Fediverse. So geht Social Media – Raus aus den Hassmedien"
* Die Autor.innen der Wissensreihe kurz&mündig bringen komplexe Themen für ein kleines Format auf den Punkt. Aha! * Teilen, Bestellen, Lesen! * Digitalcourage kurz&mündig: erhältlich auf shop.digitalcourage.de und im Buchhandel. * digitalcourage.de
ALT text details* Die Autor.innen der Wissensreihe kurz&mündig bringen komplexe Themen für ein kleines Format auf den Punkt. Aha! * Teilen, Bestellen, Lesen! * Digitalcourage kurz&mündig: erhältlich auf shop.digitalcourage.de und im Buchhandel. * digitalcourage.de
Digitalcourage's avatar
Digitalcourage

@digitalcourage@digitalcourage.social

Herzlichen Glückwunsch! 🎉 Denn wenn du das hier lesen kannst, hast du sehr vieles richtig gemacht. Das unabhängige geht aber noch weit über Mastodon hinaus. In unserem kurz&mündig Band 16 erfährst du mehr über das dezentrale Social-Media-Universum :fediverse:

Band 16 der Reihe kurz&mündig
Autor.innen: Leena Simon 🔗 muendigkeit.digital und Christian Pietsch
A6, 28 Seiten, ISBN 978-3-934636-45-3
5 Euro, shop.digitalcourage.de

Weißt du eigentlich, dass das Fediverse viel mehr zu bieten hat, als Mastodon? * Mehr erfahren
ALT text detailsWeißt du eigentlich, dass das Fediverse viel mehr zu bieten hat, als Mastodon? * Mehr erfahren
* PeerTube ist ein trackerfreies Videoportal. * Pixelfed ist Heimat für schöne Fotos. * Funkwhale bietet Musik und Podcasts. * Und auf Lemmy lässt es sich wunderbar diskutieren. * Mehr dazu in Band 16 der kurz&mündig-Reihe: "Fediverse. So geht Social Media".
ALT text details* PeerTube ist ein trackerfreies Videoportal. * Pixelfed ist Heimat für schöne Fotos. * Funkwhale bietet Musik und Podcasts. * Und auf Lemmy lässt es sich wunderbar diskutieren. * Mehr dazu in Band 16 der kurz&mündig-Reihe: "Fediverse. So geht Social Media".
Titelbild "Fediverse. So geht Social Media – Raus aus den Hassmedien"
ALT text detailsTitelbild "Fediverse. So geht Social Media – Raus aus den Hassmedien"
* Die Autor.innen der Wissensreihe kurz&mündig bringen komplexe Themen für ein kleines Format auf den Punkt. Aha! * Teilen, Bestellen, Lesen! * Digitalcourage kurz&mündig: erhältlich auf shop.digitalcourage.de und im Buchhandel. * digitalcourage.de
ALT text details* Die Autor.innen der Wissensreihe kurz&mündig bringen komplexe Themen für ein kleines Format auf den Punkt. Aha! * Teilen, Bestellen, Lesen! * Digitalcourage kurz&mündig: erhältlich auf shop.digitalcourage.de und im Buchhandel. * digitalcourage.de
Zak :1password:'s avatar
Zak :1password:

@zak@infosec.exchange

Just noticed a @signalapp quirk that bothers me a bit. I can set my own message storage limit to "30 days" in the storage settings. But in the privacy settings, I can set my messages to disappear after "4 weeks." It should be one or the other for both options.

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Zoom In On This
talkingpointsmemo.com/edblog/z

"DOGE went to the private contractor working for ...said, you don’t have a clear or ethical ability to do this. But if you don’t want to lose all your federal contracts, you have to. And they did...

There are a lot of very large federal security contractors who wield & force on behalf of the govt... those contractors are also extremely vulnerable to because DOGE can make contracts disappear"

Text from article(edited for length): ...I want to draw out a critical element of what happened on Monday... DOGE went to the private security contractor working for USIP & essentially said, you don’t have a clear legal or ethical ability to do this. But if you don’t want to lose all your federal contracts, you have to. And they did. This cuts to the core of DOGE’s role as a rogue operation inside the federal govt and critically one that very much by design engineered its ability to work across the entire federal govt. One department or another … none of that matters. DOGE is operating everywhere. The critical point is this: There are a lot of very large federal security contractors who wield violence and force on behalf of the US government. In theory, they do it under the state’s monopoly over the legitimate use of violence and under law. But those contractors are also extremely vulnerable to DOGE because DOGE can make contracts disappear, absent any kind of review process, beyond the reach of the clout of stakeholders within any one agency, anywhere in the government. So the basic transition that occurred here has many potential applications. Maybe DOGE says to a policing contractor. Look, it’s not pretty. But if you don’t want to lose your contracts you’re going to have to break up that protest. Or maybe you need to take the mayor into custody. Simple point: lot of capacity of state violence and a lot of cash. And DOGE operates front to back across the transaction.
ALT text detailsText from article(edited for length): ...I want to draw out a critical element of what happened on Monday... DOGE went to the private security contractor working for USIP & essentially said, you don’t have a clear legal or ethical ability to do this. But if you don’t want to lose all your federal contracts, you have to. And they did. This cuts to the core of DOGE’s role as a rogue operation inside the federal govt and critically one that very much by design engineered its ability to work across the entire federal govt. One department or another … none of that matters. DOGE is operating everywhere. The critical point is this: There are a lot of very large federal security contractors who wield violence and force on behalf of the US government. In theory, they do it under the state’s monopoly over the legitimate use of violence and under law. But those contractors are also extremely vulnerable to DOGE because DOGE can make contracts disappear, absent any kind of review process, beyond the reach of the clout of stakeholders within any one agency, anywhere in the government. So the basic transition that occurred here has many potential applications. Maybe DOGE says to a policing contractor. Look, it’s not pretty. But if you don’t want to lose your contracts you’re going to have to break up that protest. Or maybe you need to take the mayor into custody. Simple point: lot of capacity of state violence and a lot of cash. And DOGE operates front to back across the transaction.
Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

This week we’re tackling some common misconceptions with privacy, security, and anonymity!

Often privacy and anonymity are used interchangeably. However, there are distinct differences between the two. In our latest video, we aim to explain and discuss the differences, so you can make better decisions on your privacy and security journey.

privacyguides.org/videos/2025/

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s Starlink Takes Over the White House

The world’s richest man now has control over the internet at the White House.
newrepublic.com/post/192855/el

"numerous of interest & issues. already collects billions of dollars through his contracts, & controls . If employees are using the service, he could have access to their ... questions as to how secure Starlink’s is."

Headline: Elon Musk’s Starlink Takes Over the White House The world’s richest man now has control over the internet at the White House. by Hafiz Rashid March 18, 2025 / 10:29 a.m. ET
ALT text detailsHeadline: Elon Musk’s Starlink Takes Over the White House The world’s richest man now has control over the internet at the White House. by Hafiz Rashid March 18, 2025 / 10:29 a.m. ET
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s Starlink Expands Across White House Complex

admn officials said the company donated the service, saying the gift had been vetted by the lawyer overseeing ethics issues in the Counsel’s Office.
nytimes.com/2025/03/17/us/poli

" ... controls Starlink...

the White House “was aware of DOGE’s intentions...” and that it “did not consider this matter a security incident or breach.”

Headline: Elon Musk’s Starlink Expands Across White House Complex Trump administration officials said the company donated the internet service, saying the gift had been vetted by the lawyer overseeing ethics issues in the White House Counsel’s Office.
ALT text detailsHeadline: Elon Musk’s Starlink Expands Across White House Complex Trump administration officials said the company donated the internet service, saying the gift had been vetted by the lawyer overseeing ethics issues in the White House Counsel’s Office.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s DOGE Guts U.S. Nuclear Agency

DOGE cuts have hit some of the country’s top nuclear scientists.
newrepublic.com/post/192825/el

"Several scientists, bomb engineers, & experts critical to were among the cuts...

the wanton, haphazard budget cuts championed by & the ... Many people who left the agency held top-secret clearances, and it will be tough to train replacements."

Headline: Elon Musk’s DOGE Guts U.S. Nuclear Agency DOGE cuts have hit some of the country’s top nuclear scientists. by Hafiz Rashid March 17, 2025 / 11:58 a.m. ET
ALT text detailsHeadline: Elon Musk’s DOGE Guts U.S. Nuclear Agency DOGE cuts have hit some of the country’s top nuclear scientists. by Hafiz Rashid March 17, 2025 / 11:58 a.m. ET
Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202

Illustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
ALT text detailsIllustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
Adrianna Tan's avatar
Adrianna Tan

@skinnylatte@hachyderm.io

Come work with me!

candidateportal.creativecircle

Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202

Illustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
ALT text detailsIllustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202

Illustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
ALT text detailsIllustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202

Illustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
ALT text detailsIllustration of a laptop with the KeePassXC logo on it. There is a plus sign on the right, followed by a photo of a YubiKey.
Andrew Lock's avatar
Andrew Lock

@andrewlock@hachyderm.io

Blogged: Creating provenance attestations for NuGet packages in GitHub Actions

andrewlock.net/creating-proven

In this post I discuss software provenance, what attestations say about your software, how they work, how to create an attestation for a NuGet package, and why that doesn't really work 😅

Matt Burgess's avatar
Matt Burgess

@mattburgess@infosec.exchange

Mastodon friends, I've heard a few suggestions of companies moving from US cloud providers to those based in the EU, due to risks with the Trump administration/Cloud Act, etc.

Has anyone come across any businesses that have made the leap recently? Feel free to DM or message on Signal, mattburgess.20

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

DOGE Cuts Reach Key Nuclear Scientists, Bomb Engineers & Safety Experts

Firings & buyouts hit the top-secret National Nuclear Safety Admn amid a major effort to upgrade America’s arsenal. Critics say it shows the consequences of heedlessly cutting the federal work force.
nytimes.com/2025/03/17/us/poli

"Officials had initially expected that the nuclear agency’s mission would protect it from layoffs."

Headline: DOGE Cuts Reach Key Nuclear Scientists, Bomb Engineers and Safety Experts Firings and buyouts hit the top-secret National Nuclear Safety Administration amid a major effort to upgrade America’s nuclear arsenal. Critics say it shows the consequences of heedlessly cutting the federal work force.
ALT text detailsHeadline: DOGE Cuts Reach Key Nuclear Scientists, Bomb Engineers and Safety Experts Firings and buyouts hit the top-secret National Nuclear Safety Administration amid a major effort to upgrade America’s nuclear arsenal. Critics say it shows the consequences of heedlessly cutting the federal work force.
Matt Burgess's avatar
Matt Burgess

@mattburgess@infosec.exchange

Mastodon friends, I've heard a few suggestions of companies moving from US cloud providers to those based in the EU, due to risks with the Trump administration/Cloud Act, etc.

Has anyone come across any businesses that have made the leap recently? Feel free to DM or message on Signal, mattburgess.20

Peter N. M. Hansteen's avatar
Peter N. M. Hansteen

@pitrh@mastodon.social

I thought I had seen it all when it comes to mail delivery and security issues.

But this morning I was introduced to the fact that there are Exchange admins who will implement a rule that all incoming mail from outside their own organization should be flagged as potentially dangerous and presented to the user with the option to block sender and no option to mark the message or the sender as valid.

Yes, that for every single message.

Peter N. M. Hansteen's avatar
Peter N. M. Hansteen

@pitrh@mastodon.social

I thought I had seen it all when it comes to mail delivery and security issues.

But this morning I was introduced to the fact that there are Exchange admins who will implement a rule that all incoming mail from outside their own organization should be flagged as potentially dangerous and presented to the user with the option to block sender and no option to mark the message or the sender as valid.

Yes, that for every single message.

Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides video 📺✨
by @jw

If you've wondered about
the difference between:

Privacy,
Security,
and Anonymity :neocat_foxmask:

And why some privacy-focused
services are worth using even when they don't provide perfect anonymity, watch this!

It's truly an amazing short video!
Everyone should watch it 👇

privacyguides.org/videos/2025/

Francesco Chicchiriccò's avatar
Francesco Chicchiriccò

@ilgrosso@fosstodon.org

One more reason for this: arstechnica.com/gadgets/2025/0

Francesco Chicchiriccò's avatar
Francesco Chicchiriccò

@ilgrosso@fosstodon.org

One more reason for this: arstechnica.com/gadgets/2025/0

Francesco Chicchiriccò's avatar
Francesco Chicchiriccò

@ilgrosso@fosstodon.org

One more reason for this: arstechnica.com/gadgets/2025/0

Francesco Chicchiriccò's avatar
Francesco Chicchiriccò

@ilgrosso@fosstodon.org

One more reason for this: arstechnica.com/gadgets/2025/0

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

The battle for encryption happens TODAY. Your right to privacy and security will be decided behind your back.

We call for the hearing to be made public.

Encryption must be protected from this slippery slope.

Sign and share our petition to have your say ⬇️

you.38degrees.org.uk/petitions

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

The battle for encryption happens TODAY. Your right to privacy and security will be decided behind your back.

We call for the hearing to be made public.

Encryption must be protected from this slippery slope.

Sign and share our petition to have your say ⬇️

you.38degrees.org.uk/petitions

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

"This is a significant test for the battle between law enforcement and technology.”

Holding the Apple case in secret makes the legal process more cloak and dagger, less scales and sword.

It makes it harder to challenge the UK government's order to break encryption and creates a dangerous precedent.

This case sets the stage for more shady encryption-breaking orders to be made.

theguardian.com/technology/202

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

This week we’re tackling some common misconceptions with privacy, security, and anonymity!

Often privacy and anonymity are used interchangeably. However, there are distinct differences between the two. In our latest video, we aim to explain and discuss the differences, so you can make better decisions on your privacy and security journey.

privacyguides.org/videos/2025/

Adrianna Tan's avatar
Adrianna Tan

@skinnylatte@hachyderm.io

Come work with me!

candidateportal.creativecircle

Adrianna Tan's avatar
Adrianna Tan

@skinnylatte@hachyderm.io

Come work with me!

candidateportal.creativecircle

W3C Developers's avatar
W3C Developers

@w3cdevs@w3c.social

Based on the @w3c workshop "Secure the Web Forward” and thanks to work taking place in the W3C Security Web Application Guidelines (SWAG) , we are happy to release 6 videos that address the complexities of Content Security Policy and Trusted Types, by introducing open-source tooling that reduce uncertainty and complexity of configuring web mitigations against XSS.

▶️ w3.org/blog/2025/how-to-protec
cc @simone @torgo

🎬 Security at W3C playlist: youtube.com/playlist?list=PLNh

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Whisper it, the showdown over Apple encryption is THIS WEEK ⏱️

🤐 A secret tribunal will hear the appeal against the UK government’s order to carve a backdoor into Apple’s encrypted services.

🛑 Our cybersecurity and privacy shouldn’t be decided in the shadows.

computerweekly.com/news/366620

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

In response to the State's demand for insecurity, Apple withdrew its encrypted services from the UK and appealed.

A secret tribunal now decides 🤫

This hearing MUST happen in public.

It starts with Apple... the UK government will chomp away encryption to a rotten core.

digit.fyi/apple-to-battle-uk-g

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

In response to the State's demand for insecurity, Apple withdrew its encrypted services from the UK and appealed.

A secret tribunal now decides 🤫

This hearing MUST happen in public.

It starts with Apple... the UK government will chomp away encryption to a rotten core.

digit.fyi/apple-to-battle-uk-g

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

History is a set of lies agreed upon.

The UK government took to revisionist tactics and wiped its advice for lawyers and barristers to use Apple encrypted services.

Putting victims of crime at a greater risk of harm so you don't contradict yourself isn't a good look 🤷‍♂️

techcrunch.com/2025/03/06/uk-q

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

The UK Home Office issued a secret order under the Investigatory Powers Act to make Apple put a backdoor in its encrypted services.

This is so the government can access what's uploaded to the cloud... them and hackers alike.

Too sly sly, hush hush spy to spy.

openrightsgroup.org/press-rele

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

The story so far...

The Investigatory Powers Act was widened last year to:

🔴 Prevent companies from rolling out encryption.
🔴 Have the UK government approve any security updates to tech products.

Surveillance first 👁️, security be damned 🗑️

openrightsgroup.org/press-rele

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Make it rain 🌧️

The UK government’s demand for a spy hole makes your iCloud storage leaky.

All your pics, docs, finances and more are up for grabs. Hackers, blackmailers and predators will have a field day.

Sign our petition to save Apple encrypted services!

➡️ you.38degrees.org.uk/petitions

Image: Apple logo with multiple bites taken out of it on a blue swirly background. Text: Petition – Keep our Apple data encrypted.
ALT text detailsImage: Apple logo with multiple bites taken out of it on a blue swirly background. Text: Petition – Keep our Apple data encrypted.
Tuta's avatar
Tuta

@Tutanota@mastodon.social

🚨BREAKING🚨 The French National Assembly removed the backdoor section from the amendment to the law.

Read here how Politicians tried to undermine everybody's : tuta.com/blog/france-surveilla

🙏 And thank you for fighting against this with us. This is a great win for privacy, yet, the battle is not over. Together we are strong! 💪

Remind Legislators: "A backdoor for the good guys only is not possible."
ALT text detailsRemind Legislators: "A backdoor for the good guys only is not possible."
Tuta's avatar
Tuta

@Tutanota@mastodon.social

🚨BREAKING🚨 The French National Assembly removed the backdoor section from the amendment to the law.

Read here how Politicians tried to undermine everybody's : tuta.com/blog/france-surveilla

🙏 And thank you for fighting against this with us. This is a great win for privacy, yet, the battle is not over. Together we are strong! 💪

Remind Legislators: "A backdoor for the good guys only is not possible."
ALT text detailsRemind Legislators: "A backdoor for the good guys only is not possible."
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Whisper it, the showdown over Apple encryption is THIS WEEK ⏱️

🤐 A secret tribunal will hear the appeal against the UK government’s order to carve a backdoor into Apple’s encrypted services.

🛑 Our cybersecurity and privacy shouldn’t be decided in the shadows.

computerweekly.com/news/366620

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Whisper it, the showdown over Apple encryption is THIS WEEK ⏱️

🤐 A secret tribunal will hear the appeal against the UK government’s order to carve a backdoor into Apple’s encrypted services.

🛑 Our cybersecurity and privacy shouldn’t be decided in the shadows.

computerweekly.com/news/366620

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Save Encryption. Save the World 🌐

Only by blocking message scanning technology on messaging apps can we ensure online safety!

End-to-end encryption prevents predators and hackers from weeding their way into our private lives.

We must 💬

openrightsgroup.org/blog/the-c

Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

Mixing up Public and Private Keys in OpenID Connect deployments - Hanno's Blog:

blog.hboeck.de/archives/909-Mi

W3C Developers's avatar
W3C Developers

@w3cdevs@w3c.social

Based on the @w3c workshop "Secure the Web Forward” and thanks to work taking place in the W3C Security Web Application Guidelines (SWAG) , we are happy to release 6 videos that address the complexities of Content Security Policy and Trusted Types, by introducing open-source tooling that reduce uncertainty and complexity of configuring web mitigations against XSS.

▶️ w3.org/blog/2025/how-to-protec
cc @simone @torgo

🎬 Security at W3C playlist: youtube.com/playlist?list=PLNh

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Carpe DM 👁️‍🗨️?

End-to-end encryption = online safety. It keeps what we send on messaging apps secure from hackers and predators.

🚫 Tell Ofcom NOT to implement message scanning powers in their consultation.

⏰ You have until 5pm TODAY!

💬

action.openrightsgroup.org/48-

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Carpe DM 👁️‍🗨️?

End-to-end encryption = online safety. It keeps what we send on messaging apps secure from hackers and predators.

🚫 Tell Ofcom NOT to implement message scanning powers in their consultation.

⏰ You have until 5pm TODAY!

💬

action.openrightsgroup.org/48-

frankie (Pirate from Carribean)'s avatar
frankie (Pirate from Carribean)

@frankie@infosec.exchange

The State of Personal Online Security and Confidentiality | SXSW LIVE

By @Mer__edith , President Signal Foundation

A brilliant discussion on Signal, human rights, surveillance, and security. 🥳

Mike Williamson's avatar
Mike Williamson

@sleepycat@infosec.exchange

Welcome to Jurassic Park: A Comprehensive Study of Risks in and its Ecosystem

Deno 2.0 addresses many of the problems identified but it's a great paper to read.

cispa.de/en/research/publicati

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

Save Encryption. Save the World 🌐

Only by blocking message scanning technology on messaging apps can we ensure online safety!

End-to-end encryption prevents predators and hackers from weeding their way into our private lives.

We must 💬

openrightsgroup.org/blog/the-c

Mike Williamson's avatar
Mike Williamson

@sleepycat@infosec.exchange

Welcome to Jurassic Park: A Comprehensive Study of Risks in and its Ecosystem

Deno 2.0 addresses many of the problems identified but it's a great paper to read.

cispa.de/en/research/publicati

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

🚨 Time is Running Out to Save Encryption 🔐

Ofcom is consulting on implementing message scanning powers in the UK Online Safety Act.

This would break end-to-end encryption on the messaging apps we all use!

⏰ CLOSES Monday 10 March, 5pm.

Use our tool to tell Ofcom 💬

ACT NOW ⬇️

action.openrightsgroup.org/48-

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

🚨 Time is Running Out to Save Encryption 🔐

Ofcom is consulting on implementing message scanning powers in the UK Online Safety Act.

This would break end-to-end encryption on the messaging apps we all use!

⏰ CLOSES Monday 10 March, 5pm.

Use our tool to tell Ofcom 💬

ACT NOW ⬇️

action.openrightsgroup.org/48-

Lorenzo Ancora :verified:'s avatar
Lorenzo Ancora :verified:

@LorenzoAncora@ieji.de

GNU Emacs: new critical remote shell injection vulnerability.

Red Hat discovered a command injection flaw in the text editor Emacs. It allows a remote, unauthenticated attacker to execute any command on your computer. The vulnerability is activated when you visit a malicious website or link.

cve.org/CVERecord?id=CVE-2025-

---

---

Mitigation: uninstall/update immediately.

Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔑✨
by me:

If you are using a YubiKey,

you might get in some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.

This tutorial will guide you
through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.

I hope you find it helpful!

privacyguides.org/articles/202

Photo of a YubiKey security key on a table between a MacBook computer and a cellphone.
ALT text detailsPhoto of a YubiKey security key on a table between a MacBook computer and a cellphone.
Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔑✨
by me:

If you are using a YubiKey,

you might get in some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.

This tutorial will guide you
through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.

I hope you find it helpful!

privacyguides.org/articles/202

Photo of a YubiKey security key on a table between a MacBook computer and a cellphone.
ALT text detailsPhoto of a YubiKey security key on a table between a MacBook computer and a cellphone.
Em :official_verified:'s avatar
Em :official_verified:

@Em0nM4stodon@infosec.exchange

New Privacy Guides article 🔑✨
by me:

If you are using a YubiKey,

you might get in some situations where you need to reset your key to factory default, and/or set up a backup of it on a spare key.

This tutorial will guide you
through each step to reset and back up your YubiKey successfully, with clear instructions and plenty of visual support.

I hope you find it helpful!

privacyguides.org/articles/202

Photo of a YubiKey security key on a table between a MacBook computer and a cellphone.
ALT text detailsPhoto of a YubiKey security key on a table between a MacBook computer and a cellphone.
Professor Code's avatar
Professor Code

@ProfessorCode@fosstodon.org · Reply to Professor Code's post

I can't believe that Mozilla is choosing to take Firefox down this road of seemingly trying to harvest and sell their users' data, when there is already a proven method to increase their revenue with one of their own products.

Thunderbird has already proven that people are willing to support open source, privacy-friendly and well-maintained projects, especially if it's a critical part of their workflow. Just build a product that people want to use.

Professor Code's avatar
Professor Code

@ProfessorCode@fosstodon.org · Reply to Professor Code's post

I can't believe that Mozilla is choosing to take Firefox down this road of seemingly trying to harvest and sell their users' data, when there is already a proven method to increase their revenue with one of their own products.

Thunderbird has already proven that people are willing to support open source, privacy-friendly and well-maintained projects, especially if it's a critical part of their workflow. Just build a product that people want to use.

Professor Code's avatar
Professor Code

@ProfessorCode@fosstodon.org

Since Firefox requires a "nonexclusive, royalty-free, worldwide license" to my personal data, I've finally decided to move away to another browser.

youtube.com/watch?v=Rc96ISKh2O

The problem appears to be, though, that I'm not sure which browser to use now. Most of the alternatives seem to have questionable privacy or security.

ProScience

@proscience@toot.community

Very interesting food for thought:

"Managing the Transatlantic Divorce: A roadmap towards a European way of war"

Warning: May make an uncomfortable read but IMHO we have to face reality as is, not as we wish it to be.

epc.eu/en/publications/Managin

ProScience

@proscience@toot.community

Very interesting food for thought:

"Managing the Transatlantic Divorce: A roadmap towards a European way of war"

Warning: May make an uncomfortable read but IMHO we have to face reality as is, not as we wish it to be.

epc.eu/en/publications/Managin

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

LGBTQ people need online communities for support 🏳️‍🌈 🌐

End-to-end encryption underpins this essential lifeline with the safety of confidentiality.

It's a matter of survival, particularly for people who live with unsupportive families or in oppressive societies.

Save encryption. 💬

openrightsgroup.org/blog/queer

Image: 3D inflated message bubble with the pride flag. Text: Save Encryption – Practice Safe Text.
ALT text detailsImage: 3D inflated message bubble with the pride flag. Text: Save Encryption – Practice Safe Text.
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

“Strong encryption strengthens the foundation of trust online and ensures that our digital spaces remain ones where individuals can live authentically and without fear.”

Shae Gardner from LGBT Tech explains why encryption is so important for the LGBTQ community 🏳️‍🌈

💬

Video from LGBT Tech explaining the importance of encryption for the LGBTQ community.
ALT text detailsVideo from LGBT Tech explaining the importance of encryption for the LGBTQ community.
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

“Strong encryption strengthens the foundation of trust online and ensures that our digital spaces remain ones where individuals can live authentically and without fear.”

Shae Gardner from LGBT Tech explains why encryption is so important for the LGBTQ community 🏳️‍🌈

💬

Video from LGBT Tech explaining the importance of encryption for the LGBTQ community.
ALT text detailsVideo from LGBT Tech explaining the importance of encryption for the LGBTQ community.
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org · Reply to Open Rights Group's post

LGBTQ people are core users of the Internet 🏳️‍🌈 🌐

80% participate in social networking, compared to 58% of the general public.

Messaging apps that use end-to-end encryption help to keep LGBTQ people safe.

Read more from LGBT Tech ⬇️

lgbttech.org/post/2019/11/22/l

💬

Vide from LGBT Tech, explaining the importance of encryption for the LGBTQ community.
ALT text detailsVide from LGBT Tech, explaining the importance of encryption for the LGBTQ community.
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

LGBTQ people need online communities for support 🏳️‍🌈 🌐

End-to-end encryption underpins this essential lifeline with the safety of confidentiality.

It's a matter of survival, particularly for people who live with unsupportive families or in oppressive societies.

Save encryption. 💬

openrightsgroup.org/blog/queer

Image: 3D inflated message bubble with the pride flag. Text: Save Encryption – Practice Safe Text.
ALT text detailsImage: 3D inflated message bubble with the pride flag. Text: Save Encryption – Practice Safe Text.
Mike Williamson's avatar
Mike Williamson

@sleepycat@infosec.exchange

Welcome to Jurassic Park: A Comprehensive Study of Risks in and its Ecosystem

Deno 2.0 addresses many of the problems identified but it's a great paper to read.

cispa.de/en/research/publicati

ApplSec's avatar
ApplSec

@applsec@infosec.exchange

🧪 NEW BETA RELEASES 🧪

📱 iOS 18.4 beta 2 (22E5216h)
📱 iPadOS 18.4 beta 2 (22E5216h)
💻 macOS 15.4 beta 2 (24E5222f)
📺 tvOS 18.4 beta 2 (22L5234e)
🥽 visionOS 2.4 beta 2 (22O5215f)
⌚ watchOS 11.4 beta 2 (22T5228e)

Tuta's avatar
Tuta

@Tutanota@mastodon.social

France is about to pass the worst surveillance law in the EU.

Here's how you can stop them: 👉 tuta.com/blog/france-surveilla

REMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
ALT text detailsREMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
beSpacific's avatar
beSpacific

@bespacific@newsie.social

@psuPete Recommends - Weekly highlights on cyber security issues, 03/01/25 llrx.com/2025/03/pete-recommen Five posts from this week: has purged government websites; The Wayback Machine trying to preserve the record; Turn off your read receipts. They’re a risk; You can now easily remove personal info from Search results; Google plans to end verification in favor of codes; and isn’t doing enough to protect customers from scams.

beSpacific's avatar
beSpacific

@bespacific@newsie.social

@psuPete Recommends - Weekly highlights on cyber security issues, 03/01/25 llrx.com/2025/03/pete-recommen Five posts from this week: has purged government websites; The Wayback Machine trying to preserve the record; Turn off your read receipts. They’re a risk; You can now easily remove personal info from Search results; Google plans to end verification in favor of codes; and isn’t doing enough to protect customers from scams.

ApplSec's avatar
ApplSec

@applsec@infosec.exchange

🧪 NEW BETA RELEASES 🧪

📱 iOS 18.4 beta 2 (22E5216h)
📱 iPadOS 18.4 beta 2 (22E5216h)
💻 macOS 15.4 beta 2 (24E5222f)
📺 tvOS 18.4 beta 2 (22L5234e)
🥽 visionOS 2.4 beta 2 (22O5215f)
⌚ watchOS 11.4 beta 2 (22T5228e)

thinkberg's avatar
thinkberg

@thinkberg@tetrax.de

Von wegen : Wer nen schoenen hat, darf mich gerne anpingen. Mit hab ich 8 Jahre als gewerkelt. Dabei war Hardware ( mini, ), Software (embedded, Blockchain, , , ) - speziell der elektonische und am Ende greenhouse gas accounting. Ich helfe Teams mit ihren Aufgaben zu wachsen und stabile Produkte zu produzieren.

thinkberg's avatar
thinkberg

@thinkberg@tetrax.de

Von wegen : Wer nen schoenen hat, darf mich gerne anpingen. Mit hab ich 8 Jahre als gewerkelt. Dabei war Hardware ( mini, ), Software (embedded, Blockchain, , , ) - speziell der elektonische und am Ende greenhouse gas accounting. Ich helfe Teams mit ihren Aufgaben zu wachsen und stabile Produkte zu produzieren.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

“It is unsurprising that allies in are gathering in London this weekend & equally unsurprising that the is being taken much more seriously in Brussels & capitals,” Ashton said.

And yet there are limits to ’s . He was unable to extract any guarantees from for , despite an exaggerated show of deference to the president. That included Starmer hand-delivering an invitation for a state visit from ….

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The meeting has thrust into an unaccustomed place for a British prime minister: at the heart of during a crisis. >8 years after the country voted to leave the , the rapidly changing landscape is driving closer to the continent.

Catherine Ashton, a Briton who served as the EU’s high representative for & security policy, said Starmer’s successful meeting w/ had reinforced his credentials as a leader for Europe.

BiznisBox's avatar
BiznisBox

@biznisbox@fosstodon.org

🚀 BiznisBox v2 is here! 🎉

After 6+ months of development, we’re bringing you a major upgrade with:

🔐 2FA & Login Notifications – Enhanced security for safer access
🔗 Webhook Support – Seamless third-party integrations
🛠️ New Support Ticket Module – Streamlined issue tracking
📜 New Contracts Module – Better document organization
🎨 Complete UI Redesign – Modern, intuitive & sleek
Upgrade now & experience the future of business management! 🚀

Tuta's avatar
Tuta

@Tutanota@mastodon.social

France is about to pass the worst surveillance law in the EU.

Here's how you can stop them: 👉 tuta.com/blog/france-surveilla

REMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
ALT text detailsREMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
BiznisBox's avatar
BiznisBox

@biznisbox@fosstodon.org

🚀 BiznisBox v2 is here! 🎉

After 6+ months of development, we’re bringing you a major upgrade with:

🔐 2FA & Login Notifications – Enhanced security for safer access
🔗 Webhook Support – Seamless third-party integrations
🛠️ New Support Ticket Module – Streamlined issue tracking
📜 New Contracts Module – Better document organization
🎨 Complete UI Redesign – Modern, intuitive & sleek
Upgrade now & experience the future of business management! 🚀

Tim Mak's avatar
Tim Mak

@timkmak@journa.host

Good morning to readers; Kyiv remains in Ukrainian hands.

said a deal with is pointless w/o .

Here’s why: made this mistake before.

broke ceasefire after agreements. International lawyer Oleksandr watched it all unfold.

Tim Mak's avatar
Tim Mak

@timkmak@journa.host

Good morning to readers; Kyiv remains in Ukrainian hands.

said a deal with is pointless w/o .

Here’s why: made this mistake before.

broke ceasefire after agreements. International lawyer Oleksandr watched it all unfold.

☮ ♥ ♬ 🧑‍💻's avatar
☮ ♥ ♬ 🧑‍💻

@peterrenshaw@ioc.exchange · Reply to ☮ ♥ ♬ 🧑‍💻's post

“Principle 4. Individuals’ and on the internet are fundamental and must not be treated as optional.”

“The Mozilla Addendum

Pledge for a Healthy

The open, global internet is the most powerful communication and collaboration resource we have ever seen. It embodies some of our deepest hopes for human progress. It enables new opportunities for learning, building a sense of shared humanity, and solving the pressing problems facing people everywhere.

Over the last decade we have seen this promise fulfilled in many ways. We have also seen the power of the internet used to magnify divisiveness, incite violence, promote hatred, and intentionally manipulate fact and reality. We have learned that we should more explicitly set out our aspirations for the human experience of the internet. We do so now.”

Lol 🤪 Principles

<mozilla.org/en-US/about/manife>

The first five points of the Mozilla 10 principles document. Principle 4 highlighted. source https://www.mozilla.org/en-US/about/manifesto/
ALT text detailsThe first five points of the Mozilla 10 principles document. Principle 4 highlighted. source https://www.mozilla.org/en-US/about/manifesto/
Lorenzo Ancora :verified:'s avatar
Lorenzo Ancora :verified:

@LorenzoAncora@ieji.de

GNU Emacs: new critical remote shell injection vulnerability.

Red Hat discovered a command injection flaw in the text editor Emacs. It allows a remote, unauthenticated attacker to execute any command on your computer. The vulnerability is activated when you visit a malicious website or link.

cve.org/CVERecord?id=CVE-2025-

---

---

Mitigation: uninstall/update immediately.

GrapheneOS's avatar
GrapheneOS

@GrapheneOS@grapheneos.social

GrapheneOS version 2025022700 released:

grapheneos.org/releases#202502

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

discuss.grapheneos.org/d/20369

Frederik Borgesius's avatar
Frederik Borgesius

@Frederik_Borgesius@akademienl.social

'The EU’s chat control legislation is reportedly back on the table... Polish officials have now tabled a new proposal, which is open for feedback until 20 February.'
secure.dialog-mail.com/v/14566

Tuta's avatar
Tuta

@Tutanota@mastodon.social

France is about to pass the worst surveillance law in the EU.

Here's how you can stop them: 👉 tuta.com/blog/france-surveilla

REMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
ALT text detailsREMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
Tuta's avatar
Tuta

@Tutanota@mastodon.social

France is about to pass the worst surveillance law in the EU.

Here's how you can stop them: 👉 tuta.com/blog/france-surveilla

REMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
ALT text detailsREMIND LEGISLATORS: "A backdoor for the good guys only is not possible.”
Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

❌ You can't trade privacy to prevent crime.

⚠️ Message scanning tech punches a hole in everyone's security. Surveillance organisations, hackers, scammers and predators alike will be able to creep into your life.

Read our longread on the need to protect end-to-end encryption ⬇️

openrightsgroup.org/blog/the-c

heise Security's avatar
heise Security

@heisec@social.heise.de

LibreOffice: Manipulierte Dokumente können in Windows Befehle einschleusen

In LibreOffice können Angreifer unter Windows eine Lücke missbrauchen, durch die Dateien nach Klick auf Links ausgeführt werden.

heise.de/news/LibreOffice-Mani

heise Security's avatar
heise Security

@heisec@social.heise.de

LibreOffice: Manipulierte Dokumente können in Windows Befehle einschleusen

In LibreOffice können Angreifer unter Windows eine Lücke missbrauchen, durch die Dateien nach Klick auf Links ausgeführt werden.

heise.de/news/LibreOffice-Mani

Justin Collins's avatar
Justin Collins

@presidentbeef@ruby.social

I am hiring a Senior Privacy Engineer at Gusto: job-boards.greenhouse.io/gusto

Preferring candidates in Denver, but can hire (remote) in Atlanta, Austin, Chicago, Los Angeles, Miami, Toronto.

More roles coming soon...

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

OPM’s Own Guidance Says Fed Employees Never Have to Respond to the Elon Emails
talkingpointsmemo.com/edblog/o

"new system [created by ] was given the name Government-Wide Email System (GWES). On February 5th, 2025... OPM published this document... in sections 4.2 and 4.3, federal government employees are never obligated to respond to any GWES emails and are under no obligation to share any information."

Screen shot of the Privacy Impact Assessment for the Government Wide Email System (GWES) page 7-8.
ALT text detailsScreen shot of the Privacy Impact Assessment for the Government Wide Email System (GWES) page 7-8.
Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

Someone really should start another not self-hosted, non-US-based, Password Manager. I only know of two:

1) Heylogin
2) pCloud

(1Password, is owned by a Canadian company, owned by a US company).

1) Heylogin - Sucks.

It is completely tired to your phone. Using their web browser extension? Check your phone. Want to log in to a site? Check your phone. Want to update a login details? Check your phone.

You ever lose or damage your phone, you're f-cked. It is not designed for multiple devices either.

2) pCloud

It is indeed outside US-jurisdiction. The company is not owned by any business in the USA. It does not own any businesses itself in the USA. But they do resell services in the USA, and the only way you can avoid not being assigned to one of those US Servers is to use a VPN so you'll be forwarded to their Europe Servers.

From their own documentation:

" As a consequence API calls have to be made to the correct API host name depending were the user has been registered – api.pcloud.com for United States and eapi.pcloud.com for Europe. "

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

❌ You can't trade privacy to prevent crime.

⚠️ Message scanning tech punches a hole in everyone's security. Surveillance organisations, hackers, scammers and predators alike will be able to creep into your life.

Read our longread on the need to protect end-to-end encryption ⬇️

openrightsgroup.org/blog/the-c

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

❌ You can't trade privacy to prevent crime.

⚠️ Message scanning tech punches a hole in everyone's security. Surveillance organisations, hackers, scammers and predators alike will be able to creep into your life.

Read our longread on the need to protect end-to-end encryption ⬇️

openrightsgroup.org/blog/the-c

@BjornW@mastodon.social's avatar
@BjornW@mastodon.social

@BjornW@mastodon.social

Thought experiment:

@letsencrypt offers certificates to encrypt the traffic between a website & your browser.

They reside in the US & thus are subject to the judiciary system of the US.

What are the possible risks for websites outside the US, given the current unstable political situation & administration? What type of damage could an executive order do? How could this be mitigated?

Boosts appreciated.

Mike Kuketz 🛡's avatar
Mike Kuketz 🛡

@kuketzblog@social.tchncs.de

Apple entfernt seine höchste »Sicherheitsstufe« für Nutzerdaten in UK, nachdem die Regierung Zugriff auf Daten forderte. Die »Advanced Data Protection« (ADP) stellt durch Ende-zu-Ende-Verschlüsselung sicher, dass nur Kontoinhaber auf ihre gespeicherten Fotos oder Dokumente zugreifen können. Das gilt nun nicht mehr.

bbc.com/news/articles/cgj54eq4

Notesnook's avatar
Notesnook

@notesnook@fosstodon.org

Notesnook v3.0.27 is out with an all new command palette, quick open, support for pasting markdown directly, and much more!

Read the full release notes here: blog.notesnook.com/notesnook-v

, , , , ,

Mark's avatar
Mark

@paka@mastodon.scot

European Court of Human Rights Confirms: Weakening Encryption Violates Fundamental Rights

In a milestone judgment—Podchasov v. Russia—the Court of ( ) has ruled that weakening of can lead to general and indiscriminate of the of all users and violates the to .

eff.org/deeplinks/2024/03/euro

Terence Eden’s Blog's avatar
Terence Eden’s Blog

@blog@shkspr.mobi

The least secure TOTP code possible

shkspr.mobi/blog/2025/02/the-l

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

One Punch Man

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

QR code.

What makes it so crap? There are three things which protect you when using TOTP.

  1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
  2. The amount time the code is valid for before changing. Most TOTP codes last 30 seconds, this lasts 120.
  3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

BitWarden showing a single digit for 119 seconds.

If you were thick enough to use this1, an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1password, and BitWarden will happily store it and show you a 1 digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeepassXC store the code, but treat it as a 6 digit, 30 second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft2 is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering in a 6 digit code where only 1 is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sesne.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's an draft proposal to tighten up to TOTP spec which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

  1. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit. ↩︎

  2. Please don't! ↩︎

  3. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional. ↩︎

Terence Eden’s Blog's avatar
Terence Eden’s Blog

@blog@shkspr.mobi

The least secure TOTP code possible

shkspr.mobi/blog/2025/02/the-l

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

One Punch Man

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

QR code.

What makes it so crap? There are three things which protect you when using TOTP.

  1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
  2. The amount time the code is valid for before changing. Most TOTP codes last 30 seconds, this lasts 120.
  3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

BitWarden showing a single digit for 119 seconds.

If you were thick enough to use this1, an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1password, and BitWarden will happily store it and show you a 1 digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeepassXC store the code, but treat it as a 6 digit, 30 second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft2 is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering in a 6 digit code where only 1 is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sesne.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's an draft proposal to tighten up to TOTP spec which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

  1. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit. ↩︎

  2. Please don't! ↩︎

  3. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional. ↩︎

Terence Eden’s Blog's avatar
Terence Eden’s Blog

@blog@shkspr.mobi

The least secure TOTP code possible

shkspr.mobi/blog/2025/02/the-l

If you use Multi-Factor Authentication, you'll be well used to scanning in QR codes which allow you to share a secret code with a website. These are known as Time-based One Time Passwords (TOTP0).

As I've moaned about before, TOTP has never been properly standardised. It's a mish-mash of half-finished proposals with no active development, no test suite, and no-one looking after it. Which is exactly what you want from a security specification, right?!

So let's try to find some edge-cases and see where things break down.

One Punch Man

This is possibly the least secure TOTP code I could create. Scan it and see whether your app will accept it.

QR code.

What makes it so crap? There are three things which protect you when using TOTP.

  1. The shared secret. In this case, it is abcdefghijklmno - OK, that's not the easiest thing to guess, but it isn't exactly complex.
  2. The amount time the code is valid for before changing. Most TOTP codes last 30 seconds, this lasts 120.
  3. The length of the code. Most codes are 6 digits long. In theory, the spec allows 8 digits. This is 1. Yup. A single digit.

BitWarden showing a single digit for 119 seconds.

If you were thick enough to use this1, an attacker would have a 1/10 chance of simply guessing your MFA code. If they saw you type it in, they'd have a couple of minutes in which to reuse it.

Can modern TOTP apps add this code? I crowdsourced the answers.

Surprisingly, a few apps accept it! Aegis, 1password, and BitWarden will happily store it and show you a 1 digit code for 120 seconds.

A few reject it. Authy, Google Authenticator, and OpenOTP claim the code is broken and won't add it.

But, weirdly, a few interpret it incorrectly! The native iOS app, Microsoft Authenticator, and KeepassXC store the code, but treat it as a 6 digit, 30 second code.

Do The Right Thing

What is the right thing to do in this case? The code is outside the (very loosely defined) specification. Postel's Law tells us that we should try our best to interpret malformed data - which is what Aegis and BitWarden do.

But, in a security context, that could be dangerous. Perhaps rejecting a dodgy code makes more sense?

What is absolutely daft2 is ignoring the bits of the code you don't like and substituting your own data! Luckily, in a normal TOTP enrolment, the user has to enter a code to prove they've saved it correctly. Entering in a 6 digit code where only 1 is expected is likely to fail.

We're Only Human

A one-digit code is ridiculous. But what about the other extreme? Would a 128-digit code be acceptable? For a human, no; it would be impossible to type in correctly. For a machine with a shared secret, it possibly makes sesne.

On a high-latency connection or with users who may have mobility difficulties, a multi-minute timeframe could be sensible. For something of extremely high security, sub-30 seconds may be necessary.

But, again, the specification hasn't evolved to meet user needs. It is stagnant and decaying.

What's Next?

There's an draft proposal to tighten up to TOTP spec which has expired.

It would be nice if the major security players came together to work out a formal and complete specification for this vital piece of security architecture. But I bet it won't ever happen.

So there you have it. We're told to rely on TOTP for our MFA - yet the major apps all disagree on how the standard should be implemented. This is a recipe for an eventual security disaster.

How do we fix it?

  1. Yes! Just like Top of The Pops! The famous British TV show! Wow! I bet you're the first person in history to make that joke! Have a biscuit. ↩︎

  2. Please don't! ↩︎

  3. I wanted to use the words "utterly fucking stupid" but I felt it was unprofessional. ↩︎

Sooraj Sathyanarayanan's avatar
Sooraj Sathyanarayanan

@ianonymous3000@mastodon.social

If you’re a Windows user, I can help you switch to Linux. Please stop supporting an insecure and privacy-intrusive operating system. What’s stopping you from switching to Linux/macOS? Ask all your questions, and I’ll answer everything.

Orhun Parmaksız 👾's avatar
Orhun Parmaksız 👾

@orhun@fosstodon.org

Breaking news for the crab people 🚨

🦀 Ring, a widely used Rust cryptography library, is now unmaintained.

🔐 Security advisory: rustsec.org/advisories/RUSTSEC

➡️ Details: github.com/briansmith/ring/dis

Orhun Parmaksız 👾's avatar
Orhun Parmaksız 👾

@orhun@fosstodon.org

Breaking news for the crab people 🚨

🦀 Ring, a widely used Rust cryptography library, is now unmaintained.

🔐 Security advisory: rustsec.org/advisories/RUSTSEC

➡️ Details: github.com/briansmith/ring/dis

Orhun Parmaksız 👾's avatar
Orhun Parmaksız 👾

@orhun@fosstodon.org

Breaking news for the crab people 🚨

🦀 Ring, a widely used Rust cryptography library, is now unmaintained.

🔐 Security advisory: rustsec.org/advisories/RUSTSEC

➡️ Details: github.com/briansmith/ring/dis

Aral Balkan's avatar
Aral Balkan

@aral@mastodon.ar.al

Today I learned that the alarm system that came with our house – a very popular one here in Ireland – can be disarmed via Siri.

The default command?

“Hey, Siri, disarm.”

I shit you not.

Aral Balkan's avatar
Aral Balkan

@aral@mastodon.ar.al

Today I learned that the alarm system that came with our house – a very popular one here in Ireland – can be disarmed via Siri.

The default command?

“Hey, Siri, disarm.”

I shit you not.

Mike Kuketz 🛡's avatar
Mike Kuketz 🛡

@kuketzblog@social.tchncs.de

Apple entfernt seine höchste »Sicherheitsstufe« für Nutzerdaten in UK, nachdem die Regierung Zugriff auf Daten forderte. Die »Advanced Data Protection« (ADP) stellt durch Ende-zu-Ende-Verschlüsselung sicher, dass nur Kontoinhaber auf ihre gespeicherten Fotos oder Dokumente zugreifen können. Das gilt nun nicht mehr.

bbc.com/news/articles/cgj54eq4

Johannes Ernst's avatar
Johannes Ernst

@j12t@j12t.social

A family member has a Mac that appears compromised. It behaves strangely, runs with higher load than it should and macOS produced some error messages that imply it quarantined some code. I think the machine should be wiped completely and rebuilt.

people: how would you go about this without inadvertently carrying bad stuff over to another Mac or the rebuilt Mac? There are many files, email etc that need to be preserved.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

's main demands to stop the fighting include a withdrawal of Kyiv's troops from Ukrainian territory Moscow [illegally] claims & an end to 's ambitions to join . Ukraine says Russia must withdraw from its territory, & wants guarantees from the West. The admin says Ukraine has unrealistic, "illusionary" goals.

Kyle 🕵️‍♂️💻's avatar
Kyle 🕵️‍♂️💻

@beardedtechguy@infosec.exchange

This is NOT GOOD, not good AT ALL!

Now it will be only a matter of time before the US will want the same!

bbc.com/news/articles/cgj54eq4

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Trump Guts Crucial OPM Team as Elon Musk Gains Even More Power

The Office of Personnel Management has just limited access to certain government records on and his minions.
newrepublic.com/post/191663/el

"The Trump administration has fired members of the “privacy team” at the , a move that will hinder access & scrutiny over records related to the clearances of & Doge."

Headline and text from article: Headline: Trump Guts Crucial OPM Team as Elon Musk Gains Even More Power The Office of Personnel Management has just limited access to certain government records on Elon Musk and his DOGE minions. by Hafiz Rashid February 18, 2025 / 4:32 p.m. ET Text: The Trump administration has fired members of the “privacy team” at the Office of Personnel Management, a move that will hinder public access and scrutiny over government records related to the security clearances of Elon Musk and his team at the Department of Government Efficiency. CNN discovered the terminations when it made a freedom of information act (FOIA) request to OPM looking for those records, particularly regarding DOGE workers who were granted access to classified or sensitive information. An OPM email address responded to CNN’s request and said, “Good luck with that, they just fired the whole privacy team.”
ALT text detailsHeadline and text from article: Headline: Trump Guts Crucial OPM Team as Elon Musk Gains Even More Power The Office of Personnel Management has just limited access to certain government records on Elon Musk and his DOGE minions. by Hafiz Rashid February 18, 2025 / 4:32 p.m. ET Text: The Trump administration has fired members of the “privacy team” at the Office of Personnel Management, a move that will hinder public access and scrutiny over government records related to the security clearances of Elon Musk and his team at the Department of Government Efficiency. CNN discovered the terminations when it made a freedom of information act (FOIA) request to OPM looking for those records, particularly regarding DOGE workers who were granted access to classified or sensitive information. An OPM email address responded to CNN’s request and said, “Good luck with that, they just fired the whole privacy team.”
steve mookie kong's avatar
steve mookie kong

@mookie@chow.fan

Point of view always matters.

Two panes. First is screaming woman it reads it’s a data breach! Second pane is a cool cat and reads: unintentional off site backup
ALT text detailsTwo panes. First is screaming woman it reads it’s a data breach! Second pane is a cool cat and reads: unintentional off site backup
Andrew 🌻 Brandt 🐇's avatar
Andrew 🌻 Brandt 🐇

@threatresearch@infosec.exchange

This is *the most malicious, brutal* malicious compliance I've seen in quite some time, possibly ever, and I am HERE FOR IT. Thank you, @jwz

jwz.org/xscreensaver/google.ht

Melroy van den Berg's avatar
Melroy van den Berg

@melroy@mastodon.melroy.org

I wrote a new blog post about DNS (part 1)!

Learn how DNS works in more depth and I even provide you will some useful terminal commands you can try yourself:

blog.melroy.org/2025/dns-part-

authoritative# server

Andrew 🌻 Brandt 🐇's avatar
Andrew 🌻 Brandt 🐇

@threatresearch@infosec.exchange

This is *the most malicious, brutal* malicious compliance I've seen in quite some time, possibly ever, and I am HERE FOR IT. Thank you, @jwz

jwz.org/xscreensaver/google.ht

Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

My list of digital service providers outside the jurisdiction of the United States of America. 😉

https://codeberg.org/Linux-Is-Best/Outside_Us_Jurisdiction

The list is now hosted on Codeberg, an alternative to GitHub or GitLab, but based out of Germany. 😉

SecureDrop's avatar
SecureDrop

@securedrop@freedom.press

We’ve seen significant interest in newsrooms setting up SecureDrop to better protect whistleblowers, so we've put together a quick list of 5 key things you should know before setting it up:

securedrop.org/news/five-thing

SecureDrop's avatar
SecureDrop

@securedrop@freedom.press

We’ve seen significant interest in newsrooms setting up SecureDrop to better protect whistleblowers, so we've put together a quick list of 5 key things you should know before setting it up:

securedrop.org/news/five-thing

Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

Microsoft and the United States Government have a working partnership. You should consider try using Linux.

For a newbie, I would suggest Ultramarine Linux (KDE Plasma) or MX Linux (KDE Plasma). But ultimately, your goal should be to try using Linux.

If you need to keep a copy of Windows for gaming, that's fine. But still try using Linux too.

Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

Microsoft and the United States Government have a working partnership. You should consider try using Linux.

For a newbie, I would suggest Ultramarine Linux (KDE Plasma) or MX Linux (KDE Plasma). But ultimately, your goal should be to try using Linux.

If you need to keep a copy of Windows for gaming, that's fine. But still try using Linux too.

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

We're Privacy Guides, a non-profit project & community focused on personal data security and privacy. 👋

Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. Privacy is a human right, inherent to all of us, that we are entitled to (without discrimination).

You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. Everyone has something to protect. Privacy is something that makes us human.

We're on a mission to inform the public about the value of digital privacy, and about global government initiatives which aim to monitor your online activity.

Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

My list of digital service providers outside the jurisdiction of the United States of America. 😉

https://codeberg.org/Linux-Is-Best/Outside_Us_Jurisdiction

The list is now hosted on Codeberg, an alternative to GitHub or GitLab, but based out of Germany. 😉

Christian Wolff's avatar
Christian Wolff

@Christian_Freiherr_von_Wolff@defcon.social

For every obvious reason and then some, I'm not linking to anything here; I refer herein and throughout to the adult video website that functionally everyone knows exists.

What they want you to believe is that they've made the decision to geo-block U.S. states requiring users to verify their age, specifically because they care about their users' privacy, supposedly.

Adult websites don't need government issued IDs on file to de-anonymize and track people; they already do that, and already do so very well.

So:
"These Terms of Service, your use of this Website, and the relationship between you and us shall be governed by the laws of the Republic of Cyprus, without regard to conflict of law rules. Nothing contained in these Terms of Service shall constitute an agreement to the application of the laws of any other nation to this Website. You agree that this Website shall be deemed a passive Website that does not give rise to personal jurisdiction over us, either specific or general, in jurisdictions other than the Republic of Cyprus. The sole and exclusive jurisdiction and venue for any action or proceeding arising out of or related to these Terms of Service shall be in an appropriate court located in Limassol, Cyprus. You hereby submit to the jurisdiction and venue of said Courts."

They are a business and nothing else, they always care only about their own profit and never about anything else, and it's simply a technical matter that to comply with age verification laws outside of the jurisdiction in which they already hide everything, would nullify the above quoted legally binding contract between themselves, their users, and their precious tax haven.

It is absolutely in their financial best interest to lose a certain number of existing customers when the only alternative necessitates that they stop evading taxes and getting away with it; Al Capone, eat your heart out.

They do not care at all about anyone's privacy, whatsoever.

Benedikt Ritter (he/him)'s avatar
Benedikt Ritter (he/him)

@britter@chaos.social

How do folks deal with GitHub and GPG keys?

OptionVoters
One key per email address6 (86%)
Subkeys1 (14%)
Joni Suikeli's avatar
Joni Suikeli

@jonisuikeli@mementomori.social

Thanks to the threats from the United States, I have only now become interested in getting to know the EU properly, and especially its security issues.

If there are people here who know how to get involved at EU level, all tips and advice are welcome, thank you!

Joni Suikeli's avatar
Joni Suikeli

@jonisuikeli@mementomori.social

Thanks to the threats from the United States, I have only now become interested in getting to know the EU properly, and especially its security issues.

If there are people here who know how to get involved at EU level, all tips and advice are welcome, thank you!

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World

Elon Musk’s minions posted classified data on their website for anyone to see.
newrepublic.com/post/191580/el

"this incident doesn’t speak well of the pseudo-agency’s procedures. The website has already been hacked by Thursday evening thanks to vulnerabilities. And since has gotten into all kinds of sensitive , every could be at risk."

News headline from The New Republic: Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World Elon Musk’s minions posted classified data on their website for anyone to see. by Hafiz Rashid February 14, 2025 / 4:56 p.m. ET
ALT text detailsNews headline from The New Republic: Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World Elon Musk’s minions posted classified data on their website for anyone to see. by Hafiz Rashid February 14, 2025 / 4:56 p.m. ET
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World

Elon Musk’s minions posted classified data on their website for anyone to see.
newrepublic.com/post/191580/el

"this incident doesn’t speak well of the pseudo-agency’s procedures. The website has already been hacked by Thursday evening thanks to vulnerabilities. And since has gotten into all kinds of sensitive , every could be at risk."

News headline from The New Republic: Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World Elon Musk’s minions posted classified data on their website for anyone to see. by Hafiz Rashid February 14, 2025 / 4:56 p.m. ET
ALT text detailsNews headline from The New Republic: Elon Musk’s DOGE Shares Classified U.S. Intel With Entire World Elon Musk’s minions posted classified data on their website for anyone to see. by Hafiz Rashid February 14, 2025 / 4:56 p.m. ET
Andrew 🌻 Brandt 🐇's avatar
Andrew 🌻 Brandt 🐇

@threatresearch@infosec.exchange

This is *the most malicious, brutal* malicious compliance I've seen in quite some time, possibly ever, and I am HERE FOR IT. Thank you, @jwz

jwz.org/xscreensaver/google.ht

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

We're Privacy Guides, a non-profit project & community focused on personal data security and privacy. 👋

Much like the right to interracial marriage, woman's suffrage, freedom of speech, and many others, our right to privacy hasn't always been upheld. In several dictatorships, it still isn't. Generations before ours fought for our right to privacy. Privacy is a human right, inherent to all of us, that we are entitled to (without discrimination).

You shouldn't confuse privacy with secrecy. We know what happens in the bathroom, but you still close the door. That's because you want privacy, not secrecy. Everyone has something to protect. Privacy is something that makes us human.

We're on a mission to inform the public about the value of digital privacy, and about global government initiatives which aim to monitor your online activity.

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

DOGE’s .gov site lampooned as coders quickly realize it can be edited by anyone

DOGE site is apparently not running on government servers.
arstechnica.com/tech-policy/20

"DOGE appears to have skipped steps that are expected of websites. That pattern is troubling some federal workers...

makes it possible for bad actors to alter official databases of government information."

News headline: DOGE’s .gov site lampooned as coders quickly realize it can be edited by anyone DOGE site is apparently not running on government servers. by Ashley Belanger – Feb 14, 2025 10:24 AM
ALT text detailsNews headline: DOGE’s .gov site lampooned as coders quickly realize it can be edited by anyone DOGE site is apparently not running on government servers. by Ashley Belanger – Feb 14, 2025 10:24 AM
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

DOGE software approval alarms Labor Dept employees

Elon Musk’s subordinates received approval to use at the Labor Dept that could be used to transfer large amounts of ...
nbcnews.com/tech/security/doge

"The approval for Musk’s team to use the remote-access and file-transfer software, known as PuTTY, has alarmed... Dept’s career employees...

“This is completely opposite of what we’d do to protect .”"

News headline: Security DOGE software approval alarms Labor Department employees Elon Musk’s DOGE subordinates received approval to use software at the Labor Department that could be used to transfer large amounts of data, two employees said.
ALT text detailsNews headline: Security DOGE software approval alarms Labor Department employees Elon Musk’s DOGE subordinates received approval to use software at the Labor Department that could be used to transfer large amounts of data, two employees said.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Does DOGE Pose a National Security Risk?

Uncertainty About Access & Authority Will Worry Allies and Tempt Adversaries
foreignaffairs.com/united-stat

"what the agencies of US allies & adversaries see when [ ] grants sweeping access... to a team of young people who have no experience... and who work for an unelected figure w/extensive personal financial interests... American adversaries surely see an espionage & blackmail bonanza."

News headline: Does DOGE Pose a National Security Risk? Uncertainty About Access and Authority Will Worry Allies and Tempt Adversaries by James Goldgeier and Elizabeth N. Saunders February 7, 2025 (Sorry, this one's a bit late)
ALT text detailsNews headline: Does DOGE Pose a National Security Risk? Uncertainty About Access and Authority Will Worry Allies and Tempt Adversaries by James Goldgeier and Elizabeth N. Saunders February 7, 2025 (Sorry, this one's a bit late)
The Matrix.org Foundation's avatar
The Matrix.org Foundation

@matrix@mastodon.matrix.org

The world needs secure communication more than ever, as a bulwark against the surveillance, authoritarianism, and oppression increasingly enabled by Big Tech. Matrix seeks to meet that need, as an open source, decentralised, encrypted comms protocol.

But Trust & Safety is more difficult in a decentralised environment. How are we building a safer Matrix?

matrix.org/blog/2025/02/buildi

Jan Penfrat's avatar
Jan Penfrat

@ilumium@eupolicy.social

European Parliament advice after hacked infrastructure: Use plaintext Teams and only use encrypted @signalapp if Teams is unavailable. 🤷

Politico: "Parliament’s email reminded lawmakers they should use (...) Teams and when possible and only if the two are unavailable."

“The use of Signal is proposed as a safe alternative in cases where no equivalent corporate tool is available,” the Parliament’s press service said in a statement.

Jan Penfrat's avatar
Jan Penfrat

@ilumium@eupolicy.social

European Parliament advice after hacked infrastructure: Use plaintext Teams and only use encrypted @signalapp if Teams is unavailable. 🤷

Politico: "Parliament’s email reminded lawmakers they should use (...) Teams and when possible and only if the two are unavailable."

“The use of Signal is proposed as a safe alternative in cases where no equivalent corporate tool is available,” the Parliament’s press service said in a statement.

HiramFromTheChi 👨🏽‍💻💭's avatar
HiramFromTheChi 👨🏽‍💻💭

@hiramfromthechi@mastodon.social

Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.

A sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
ALT text detailsA sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
HiramFromTheChi 👨🏽‍💻💭's avatar
HiramFromTheChi 👨🏽‍💻💭

@hiramfromthechi@mastodon.social

Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.

A sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
ALT text detailsA sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
HiramFromTheChi 👨🏽‍💻💭's avatar
HiramFromTheChi 👨🏽‍💻💭

@hiramfromthechi@mastodon.social

Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.

A sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
ALT text detailsA sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
Sooraj Sathyanarayanan's avatar
Sooraj Sathyanarayanan

@ianonymous3000@mastodon.social

If you’re a Windows user, I can help you switch to Linux. Please stop supporting an insecure and privacy-intrusive operating system. What’s stopping you from switching to Linux/macOS? Ask all your questions, and I’ll answer everything.

Andrew Lock's avatar
Andrew Lock

@andrewlock@hachyderm.io

Blogged: Preventing client-side cross-site-scripting vulnerabilities with Trusted Types

andrewlock.net/preventing-clie

In this post I describe how the Trusted Types feature in a Content-Security-Policy can protect you against cross-site-scripting attacks

nat's avatar
nat

@nat@partyon.xyz

IMPORTANT PSA FOR ALL IPHONE USERS

Siri is "reading" all of your apps. Note, you must INDIVIDUALLY turn this feature off for every single app ***even if you have Siri completely disabled.***

National Lawyers Guild - Southern Arizona Chapter We know everyone has switched over to Signal for any potentially sensitive communication by now, but did you know that if you have an iPhone, you may have Apple Intelligence and Siri reading all your apps? To turn this function off, you need to: 1. Go into your settings, and open Apps 2. Open each App individually, find the button that says Apple Intelligence or Siri, and click on that button 3. Toggle it off You'll need to do this for each individual app. We recommend doing it not just for your messaging apps, but for all apps. Photos in comments to help direct you to the right screens (note this is from an older model iPhone, yours might look a little different).
ALT text detailsNational Lawyers Guild - Southern Arizona Chapter We know everyone has switched over to Signal for any potentially sensitive communication by now, but did you know that if you have an iPhone, you may have Apple Intelligence and Siri reading all your apps? To turn this function off, you need to: 1. Go into your settings, and open Apps 2. Open each App individually, find the button that says Apple Intelligence or Siri, and click on that button 3. Toggle it off You'll need to do this for each individual app. We recommend doing it not just for your messaging apps, but for all apps. Photos in comments to help direct you to the right screens (note this is from an older model iPhone, yours might look a little different).
beSpacific's avatar
beSpacific

@bespacific@newsie.social

Compromised? In this interview, muellershewrote.com/p/a-fork-i I speak to a systems security specialist who found privacy problems surrounding the HR@opm.gov email servers

beSpacific's avatar
beSpacific

@bespacific@newsie.social

Compromised? In this interview, muellershewrote.com/p/a-fork-i I speak to a systems security specialist who found privacy problems surrounding the HR@opm.gov email servers

Open Rights Group's avatar
Open Rights Group

@openrightsgroup@social.openrightsgroup.org

“The government want to be able to access anything and everything, anywhere, any time.

Their ambition to undermine basic security is frightening, unaccountable and would make everyone less safe.

It is straightforward bullying.”

🗣️ ORG’s @JamesBaker on the UK government’s order to break Apple’s encryption for millions.

metro.co.uk/2025/02/08/privacy

Morten Linderud's avatar
Morten Linderud

@Foxboron@chaos.social

My talk on `ssh-tpm-agent` I held at has been released!

Video: video.fosdem.org/2025/ub4132/f

Abstract: fosdem.org/2025/schedule/event

Slides: pub.linderud.dev/talks/Hardwar

Morten Linderud's avatar
Morten Linderud

@Foxboron@chaos.social

My talk on `ssh-tpm-agent` I held at has been released!

Video: video.fosdem.org/2025/ub4132/f

Abstract: fosdem.org/2025/schedule/event

Slides: pub.linderud.dev/talks/Hardwar

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Trump Has Disturbing Response to DOGE’s Massive Overreach of Power:
Donald Trump admitted that Elon Musk’s agency has access to too much sensitive data.
newrepublic.com/post/191322/do

"“Why does need all of that?” asked one reporter.

“Well, it doesn’t, but they get it very easily,” Trump admitted. “I mean, we don’t have very good in our country, & they get it very easily.”

appeared completely unbothered by the massive intrusion on the of citizens"

News headline: Trump Has Disturbing Response to DOGE’s Massive Overreach of Power Donald Trump admitted that Elon Musk’s agency has access to too much sensitive data. Edith Olmsted February 7, 2025 / 4:23 p.m. ET
ALT text detailsNews headline: Trump Has Disturbing Response to DOGE’s Massive Overreach of Power Donald Trump admitted that Elon Musk’s agency has access to too much sensitive data. Edith Olmsted February 7, 2025 / 4:23 p.m. ET
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Elon Musk’s Is Expected to Examine Another System Next Week:
The new target, sources said, is a sensitive database that tracks the flow of money across the .
propublica.org/article/elon-mu

"The in the system, known as the Central Accounting Reporting System, or , is considered sensitive...

People who work with the system have in the past been briefed that the may be of interest to foreign agencies"

News headline: Trump Administration Elon Musk’s DOGE Is Expected to Examine Another Treasury System Next Week The new target, sources said, is a sensitive database that tracks the flow of money across the government.
ALT text detailsNews headline: Trump Administration Elon Musk’s DOGE Is Expected to Examine Another Treasury System Next Week The new target, sources said, is a sensitive database that tracks the flow of money across the government.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Musk’s DOGE Teen Was Fired By Firm for Leaking Company Secrets:
Edward Coristine posted online that he had retained access to the firm’s servers. Now he has access to sensitive govt information.
archive.is/1v8FG#selection-140

“I can confirm that 's brief contract was terminated after the conclusion of an internal investigation into the of proprietary company information"

News headline: Politics |Cybersecurity Musk’s DOGE Teen Was Fired By Cybersecurity Firm for Leaking Company Secrets Edward Coristine posted online that he had retained access to the firm’s servers. Now he has access to sensitive government information.
ALT text detailsNews headline: Politics |Cybersecurity Musk’s DOGE Teen Was Fired By Cybersecurity Firm for Leaking Company Secrets Edward Coristine posted online that he had retained access to the firm’s servers. Now he has access to sensitive government information.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

The Government’s Computing Experts Say They Are Terrified:

Four IT professionals lay out just how destructive Elon Musk’s incursion into the US govt could be.
theatlantic.com/technology/arc

"“This is the largest data breach & the largest breach in our country’s —at least that’s publicly known”...

nobody yet knows which info has access to, or what it plans to do with it...

“I don’t think the public quite understands the level of danger.”"

News headline: Technology The Government’s Computing Experts Say They Are Terrified Four IT professionals lay out just how destructive Elon Musk’s incursion into the U.S. government could be. By Charlie Warzel and Ian Bogost
ALT text detailsNews headline: Technology The Government’s Computing Experts Say They Are Terrified Four IT professionals lay out just how destructive Elon Musk’s incursion into the U.S. government could be. By Charlie Warzel and Ian Bogost
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Musk’s rats:
They’re burrowing into every system in the federal govt, although many wouldn’t pass a test
robertreich.substack.com/p/dog

"Sure, there’s some waste & fraud in . That’s why every department had an to find & stop it — until fired most of them. In addition, before Musk’s rats tunneled into the General Services Administration, accountants oversaw every department’s & agency’s spending.

In other words, the continues."

Headline: Musk’s rats They’re burrowing into every data system in the federal government, although many wouldn’t pass a security test by Robert Reich Feb 07, 2025
ALT text detailsHeadline: Musk’s rats They’re burrowing into every data system in the federal government, although many wouldn’t pass a security test by Robert Reich Feb 07, 2025
Aral Balkan's avatar
Aral Balkan

@aral@mastodon.ar.al

If Apple complies with this, the UK government will gain access to all iCloud data globally. The only way Apple comes out of this with any integrity is to leave the UK market. If they give in to this, every regime in the world will demand the same thing. And that’s before we even get to the fact that there’s no such thing a “backdoor” for just so-and-so. Either there is a door or there isn’t and if there is, anyone who obtains the key can use it.

theguardian.com/technology/202

Fedora Project's avatar
Fedora Project

@fedora@fosstodon.org

Looking for opportunities to harden your Fedora system? Here's one way to make your VPN use more secure with NetworkManager.

➡️ fedoramagazine.org/protect-you

Kushal Das :python: :tor: 🇵🇸's avatar
Kushal Das :python: :tor: 🇵🇸

@kushal@toots.dgplug.org

To all people here, did you see anything on Windows creating a lot of files with names like:

```
ኅȻㅺ慦愔驦䦔钓呩쥷儋ፑʑ壖兝㈪箖鴍퉛맩䑼னᖲ緄㵲
```
Most probably self replicating over external drives etc. Please RT for more reach.

Jeremiah Lee's avatar
Jeremiah Lee

@Jeremiah@alpaca.gold · Reply to Jeremiah Lee's post

Passkey Ready is a free analytics tool from 1Password for anonymously measuring what percentage of your users are ready for passkeys. It also suggests a rollout strategy for passwordless auth in your product.

passage.1password.com/post/pas

Jeremiah Lee's avatar
Jeremiah Lee

@Jeremiah@alpaca.gold · Reply to Jeremiah Lee's post

Do passkeys have some growing pains?

Yes: arstechnica.com/security/2024/

Are they being addressed?

Yes: fidoalliance.org/fido-alliance

Should products start prompting users to sign in with passkeys today? Yes.

Should products keep existing email+password+OTP authentication? Yes, for now.

Should products try to sign up new users with passkeys and fall back to email+password+OTP? Yes.

Phil's avatar
Phil

@phil@fed.bajsicki.com

Of public interest:

At least 15,000 people fully, without limits, irrevocably, licensed their personal information, public image, name and all data that reached loops.video infrastructure... to @dansup@mastodon.social 's loops.video platform.

Had they known they're entirely losing control of everything, would they be using the platform?

Explanation in the renote, and here:

https://bajsicki.com/blog/loops-video-terms/

Is this what we, as a , want?

RE: https://fed.bajsicki.com/notes/a349itz9il

Daniel Supernault (@dansup@mastodon.social) bragging about his loops.video platform crossing 15000 users.
ALT text detailsDaniel Supernault (@dansup@mastodon.social) bragging about his loops.video platform crossing 15000 users.
Phil's avatar
Phil

@phil@fed.bajsicki.com

How about no?

You're way overstepping with this, poisoning the entire ActivityPub ecosystem.

Let me break this down for you...

https://bajsicki.com/blog/loops-video-terms/

In short: if you really intend to federate, respect your users and their data.

Implementing federation while keeping these terms is a severe breach of trust, and would poison the entirety of the network in an way which will cripple ActivityPub, and undermine the very foundation of what AP stands for with regard to privacy, data ownership, and control over what we post to the network.

Hopefully that's not your intention. Is it?

RE: https://mastodon.social/users/dansup/statuses/113841956808397142

TheEvilSkeleton's avatar
TheEvilSkeleton

@TheEvilSkeleton@treehouse.systems

At last, the USB portal originally authored by @refi64 in 2021, later continued by Georges Stavracas in 2023, and finalized by @hub and @swick, has been merged!

The USB portal allows sandboxed formats like Flatpak to access USB devices without poking holes in the sandbox. This is great for security, as accessing USB devices will now need to be explicitly granted by the user.

Now we just need to wait for implementers to implement them in their respective portal implementations, starting with GNOME: gitlab.gnome.org/GNOME/xdg-des

The documentation for the USB portal is available on the xdg-desktop-portal website: flatpak.github.io/xdg-desktop-

Jeremiah Lee's avatar
Jeremiah Lee

@Jeremiah@alpaca.gold

Passkeys should be the default sign up/in method for every consumer app.

OpenID Connect should be the default for organization-managed user accounts.

Email+password+OTP is legacy.
Sign in with XYZ is legacy.

Get with the times, apps.

Change the defaults.

Migrate users.

Remove the insecure login.

caniuse.com/passkeys

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse
techdirt.com/2025/02/03/musks-

"These systems and his “team” have accessed are among the most sensitive and critical to the running of the ...

Yet here is Musk, a man who regularly chats with Vladimir , with access to it all, if not also outright control."

News headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
ALT text detailsNews headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse
techdirt.com/2025/02/03/musks-

"These systems and his “team” have accessed are among the most sensitive and critical to the running of the ...

Yet here is Musk, a man who regularly chats with Vladimir , with access to it all, if not also outright control."

News headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
ALT text detailsNews headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse
techdirt.com/2025/02/03/musks-

"These systems and his “team” have accessed are among the most sensitive and critical to the running of the ...

Yet here is Musk, a man who regularly chats with Vladimir , with access to it all, if not also outright control."

News headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
ALT text detailsNews headline and text from article. Headline: Musk’s Takeover Of The Government’s Computer Systems Needs To Be Understood As A Cyberattack, Or Worse Privacy from the we've-been-pwned dept Mon, Feb 3rd 2025 10:47am - Cathy Gellis Text: People sometimes think that cybersecurity is just about defending computer systems from remote adversaries. But it’s broader than that; cybersecurity has always been about protecting computer systems more generally from any sort of misuse, no matter how the adversary might access them. So that Elon Musk and his minions have managed to walk right into government offices to take over computer systems where they had no legitimate authorization or entitlement needs to be understood as a cyberattack by a rogue actor.
TheEvilSkeleton's avatar
TheEvilSkeleton

@TheEvilSkeleton@treehouse.systems · Reply to TheEvilSkeleton's post

As we're aware, the USB portal was merged a few months ago. All that's needed is for apps and desktops to implement them, so we can use them inside sandboxes without compromising security.

Just today, the USB portal implementation for xdg-desktop-portal-gnome was merged! Apps that use the USB portal will be able to request specific USB devices without giving unfiltered access to all your USB devices.

gitlab.gnome.org/GNOME/xdg-des

Dialog with a header bar and page with a description and list of USB devices. The header bar has the Deny button on the left side, “Access USB Devices” in the title, and Allow on the right side. The description reads “ASHPD Demo wants to access the following USB devices”. The list shows a row with “Elgato” as the title and “Stream Deck Plus” as the description, along with its serial number in a popover.
ALT text detailsDialog with a header bar and page with a description and list of USB devices. The header bar has the Deny button on the left side, “Access USB Devices” in the title, and Allow on the right side. The description reads “ASHPD Demo wants to access the following USB devices”. The list shows a row with “Elgato” as the title and “Stream Deck Plus” as the description, along with its serial number in a popover.
:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

インターネット検閲:世界的脅威を理解する
qiita.com/pseudonym2/items/2d9

TheEvilSkeleton's avatar
TheEvilSkeleton

@TheEvilSkeleton@treehouse.systems · Reply to TheEvilSkeleton's post

As we're aware, the USB portal was merged a few months ago. All that's needed is for apps and desktops to implement them, so we can use them inside sandboxes without compromising security.

Just today, the USB portal implementation for xdg-desktop-portal-gnome was merged! Apps that use the USB portal will be able to request specific USB devices without giving unfiltered access to all your USB devices.

gitlab.gnome.org/GNOME/xdg-des

Dialog with a header bar and page with a description and list of USB devices. The header bar has the Deny button on the left side, “Access USB Devices” in the title, and Allow on the right side. The description reads “ASHPD Demo wants to access the following USB devices”. The list shows a row with “Elgato” as the title and “Stream Deck Plus” as the description, along with its serial number in a popover.
ALT text detailsDialog with a header bar and page with a description and list of USB devices. The header bar has the Deny button on the left side, “Access USB Devices” in the title, and Allow on the right side. The description reads “ASHPD Demo wants to access the following USB devices”. The list shows a row with “Elgato” as the title and “Stream Deck Plus” as the description, along with its serial number in a popover.
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

The War at Home:
Elon Musk and The Security State's Uvalde Moment:
“We have a Constitutional crisis, period," says NSA whistleblower Tom Drake, who can't help but notice how the three-letter agencies that went after him aren't stopping this
forever-wars.com/elon-musk-and

"The danger to the is running amok inside govt buildings. But the State stands outside, deterred, & will present any number of rationalizations about how this isn't their job."

News headline: The War at Home Elon Musk and The Security State's Uvalde Moment “We have a Constitutional crisis, period," says NSA whistleblower Tom Drake, who can't help but notice how the three-letter agencies that went after him aren't stopping this. by Spencer Ackerman 03 Feb 2025 • 6 min read
ALT text detailsNews headline: The War at Home Elon Musk and The Security State's Uvalde Moment “We have a Constitutional crisis, period," says NSA whistleblower Tom Drake, who can't help but notice how the three-letter agencies that went after him aren't stopping this. by Spencer Ackerman 03 Feb 2025 • 6 min read
Erik Jonker's avatar
Erik Jonker

@ErikJonker@mastodon.social

Made me think about , this Doom game running inside (!) a PDF file, by @j0hnnyxm4s
doompdf.pages.dev/doom.pdf

Simple Nomad's avatar
Simple Nomad

@simplenomad@rigor-mortis.nmrc.org

On a slightly lighter topic, there is a Netflix limited series entitled "Zero Day" which from the trailer (youtube.com/watch?v=FOfBiiPdQP) looks to be slightly "exaggerated" from a pure technical perspective. The IMDB listing does not show any infosec-related technical advisor. I am wondering how shit this is going to be. On the plus side, a hell of a talented cast!

Erik Jonker's avatar
Erik Jonker

@ErikJonker@mastodon.social

Made me think about , this Doom game running inside (!) a PDF file, by @j0hnnyxm4s
doompdf.pages.dev/doom.pdf

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

【CTF】防衛省サイバーコンテスト2025:Writeup
qiita.com/kk0128/items/dbc8893

boredsquirrel's avatar
boredsquirrel

@Rhababerbarbar@tux.social · Reply to Mozilla's post

@mozillaofficial

Finally! This will allow better process , and make the and app finally an option?

bugzilla.mozilla.org/show_bug.

bugzilla.mozilla.org/show_bug.

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

Principles for a New Security Industry, as per noah's article:

  1. We owe it to our users to criticise, thoroughly, our own industries. To do otherwise is to harm both our users and the industries in which we exist.
  2. Where possible, this should be done publicly and productively. Security or safety by obscurity is ineffective and counterproductive.
  3. We must consider threat models beyond our own.
  4. We must do away with the notion that collaboration is less desirable than individual, “you do you” styles of operating. The only way we build a safer (digital/physical) world is together.
  5. We must prioritise actually doing the things that keep us safe.
  6. We must react strongly and truthfully to incorrect notions.
  7. We must actively reject this wherever we see it, and remember that we have an obligation to teach.
  8. As best we can, we must act to prevent harm.
  9. We have to decide to actively pursue a safer world and make plans to put that into action.
  10. No matter how influential we are, we must remember that the work comes first. Your CVE list is useless on an empty planet.
  11. We must be aware of our own mistakes and seek to correct them.

Some principles have further annotations, they're in the full article fyi: covid.tips/fluconf-post/

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

Hmmm ... TOR and Signal get flagged as 'so-called “freedom” tools' that received funds from state actors (US govt)

hhmmmm :think_bread:

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

mentions multiple kinds of abuse (partner, parental, employer)

So important:

"When we make security onerous, (...) we help an abusive partner who can use a lack of 2FA to spy on an account, or a parent who wishes to spy on their child’s communications, or an employer who uses their security tooling to prevent unionisation."

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

Proper security works best when using multiple 'layers' of intervention. Preferably a combination of technical tooling and social (education/policy) steps to protect one another.

Yet that's not what we're doing at all right now, noah comments.

Today, technical tools and messaging are ...

used to protect profits at the expense of our being able to live truly self-actualised lives.

We are told that masks are scary, that security is “too hard”, that companies or government entities that use pandemic-driven-eugenics or New Cold War driven weakening/distorting of digital security processes have our best interests at heart.

So, people working in security: "[are we] willing to let that stand"?

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

Love this point:

security is a “force multiplier”, not a blocker — that by taking action now, by making digital security a habit, we can make it harder for disaster to strike later.

And also, if and when disaster might strike, the impact can be reduced compared to when you hadn't taken any measures at all

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

If your threat is that the Mossad is gonna do Mossad things to your email account, try as you might, YOU'RE STILL GONNA BE MOSSAD'ED UPON

(sorry for shouting)

A table with three threats and their corresponding solutions, relating to email security (paraphrased): 1) Threat: Yr ex wants to break into your email. Solution: Use a strong password generated by and stored in a password manager, and 2FA. 2) Threat: Criminals want to break into yr email. Solution: As with (1), but also don't open suspicious unsolicited emails. 3) Threat: Mossad wants to break into yr email. Solution: "Magical amulets? Fake your own death, move into a submarine? YOU'RE STILL GONNA BE MOSSAD'ED UPON"
ALT text detailsA table with three threats and their corresponding solutions, relating to email security (paraphrased): 1) Threat: Yr ex wants to break into your email. Solution: Use a strong password generated by and stored in a password manager, and 2FA. 2) Threat: Criminals want to break into yr email. Solution: As with (1), but also don't open suspicious unsolicited emails. 3) Threat: Mossad wants to break into yr email. Solution: "Magical amulets? Fake your own death, move into a submarine? YOU'RE STILL GONNA BE MOSSAD'ED UPON"
onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange · Reply to onrust 🍉's post

The result?

If you're in security and are making light of infectious diseases, happily infecting coworkers and others, then:

we indicate that our commitment to security stops once our paycheque or fame or particular social mode of interacting is on the line.

onrust 🍉's avatar
onrust 🍉

@onrust@infosec.exchange

Next up at#FluConf is noah (@text) with:

The Swiss Cheese Model: How Infosec Must Learn From Pandemic Response

Read it here: covid.tips/fluconf-post/

The article's blurb:

As a digital security professional and a pandemic activist it has been tremendously revealing to me to see how my professional community has responded to the pandemic. After a brief year of "safe mode" conferences and online trainings, the "back to normal" urge overrode many people's threat models and notable figures in the community began joking about getting covid at conferences, or client engagements, or work trips and so on. This proposal is something of a manifesto aimed at reminding the security community (and indeed the technology community) about our commitments to Defence in Depth, and drawing comparisons between still-successful pandemic interventions and how we can apply these same techniques to information security...and a plea for a new kind of cybersecurity community, one that aims to work in solidarity with our users rather than in spite of them, one that strives to prevent digital as well as physical social murder.

this resonates so strongly here 😬 😭

Michel Lind :fedora: :debian:'s avatar
Michel Lind :fedora: :debian:

@michelin@hachyderm.io

This is definitely not OK

futurism.com/openai-signs-deal

Michel Lind :fedora: :debian:'s avatar
Michel Lind :fedora: :debian:

@michelin@hachyderm.io

This is definitely not OK

futurism.com/openai-signs-deal

Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

"Wyden Demands Answers Following Report of Musk Personnel Seeking Access to Highly Sensitive U.S. Treasury Payments System:

In New Letter to Treasury Secretary Bessent, Wyden Warns That Political Meddling in Treasury Payments Risks Severe Economic Damage, Calls Out Dangerous Conflicts of Interest Stemming from Elon Musk’s Close Business Ties to the Chinese Government
finance.senate.gov/chairmans-n

Headline and text. Headline: Wyden Demands Answers Following Report of Musk Personnel Seeking Access to Highly Sensitive U.S. Treasury Payments System In New Letter to Treasury Secretary Bessent, Wyden Warns That Political Meddling in Treasury Payments Risks Severe Economic Damage, Calls Out Dangerous Conflicts of Interest Stemming from Elon Musk’s Close Business Ties to the Chinese Government Text: Washington, D.C. – Senate Finance Committee Ranking Member Ron Wyden, D-Ore., demanded answers from Treasury Secretary Scott Bessent today following a report that personnel affiliated with Elon Musk have sought access to a highly sensitive Treasury Department payment system. That system, which is maintained by non-political staff, disperses trillions of dollars each year, such as Social Security and Medicare benefits, tax credits for individuals and businesses, grants and payments to government contractors, including those that compete directly with Musk-owned companies. Senator Wyden wrote in a new letter: “To put it bluntly, these payment systems simply cannot fail, and any politically-motivated meddling in them risks severe damage to our country and the economy. I am deeply concerned that ... these officials associated with Musk may have intended to access these payment systems to illegally withhold payments to any number of programs... I am concerned that mismanagement of these payment systems could threaten the full faith and credit of the United States.”
ALT text detailsHeadline and text. Headline: Wyden Demands Answers Following Report of Musk Personnel Seeking Access to Highly Sensitive U.S. Treasury Payments System In New Letter to Treasury Secretary Bessent, Wyden Warns That Political Meddling in Treasury Payments Risks Severe Economic Damage, Calls Out Dangerous Conflicts of Interest Stemming from Elon Musk’s Close Business Ties to the Chinese Government Text: Washington, D.C. – Senate Finance Committee Ranking Member Ron Wyden, D-Ore., demanded answers from Treasury Secretary Scott Bessent today following a report that personnel affiliated with Elon Musk have sought access to a highly sensitive Treasury Department payment system. That system, which is maintained by non-political staff, disperses trillions of dollars each year, such as Social Security and Medicare benefits, tax credits for individuals and businesses, grants and payments to government contractors, including those that compete directly with Musk-owned companies. Senator Wyden wrote in a new letter: “To put it bluntly, these payment systems simply cannot fail, and any politically-motivated meddling in them risks severe damage to our country and the economy. I am deeply concerned that ... these officials associated with Musk may have intended to access these payment systems to illegally withhold payments to any number of programs... I am concerned that mismanagement of these payment systems could threaten the full faith and credit of the United States.”
Zhi Zhu 🕸️'s avatar
Zhi Zhu 🕸️

@ZhiZhu@newsie.social · Reply to Zhi Zhu 🕸️'s post

Exclusive: Musk aides lock government workers out of computer systems at US agency, sources say
reuters.com/world/us/musk-aide

"Aides to charged with running the US human resources agency have locked career civil servants out of computer systems that contain the personal data of millions of federal employees...

"We have no visibility into what they are doing with the computer and data systems," one of the officials said."

Headline and photo with caption. Headline: Exclusive: Musk aides lock workers out of OPM computer systems By Tim Reid February 1, 20258:27 AM CSTUpdated 6 min ago Photo: Elon Musk amid a group of men in suits raising his fists above his head in celebration. Caption: [1/3]Elon Musk, January 20, 2025, Washington, D.C. Ricky Carioti/Pool via REUTERS Purchase Licensing Rights
ALT text detailsHeadline and photo with caption. Headline: Exclusive: Musk aides lock workers out of OPM computer systems By Tim Reid February 1, 20258:27 AM CSTUpdated 6 min ago Photo: Elon Musk amid a group of men in suits raising his fists above his head in celebration. Caption: [1/3]Elon Musk, January 20, 2025, Washington, D.C. Ricky Carioti/Pool via REUTERS Purchase Licensing Rights
adb's avatar
adb

@adbenitez@mastodon.social

📢 BREAKING NEWS!!!

🎉 got public on some hours ago!!! 🔥

play.google.com/store/apps/det

also check the official website:
arcanechat.me

TIP: getting it from or direct download is recommended, but if you have friends that only know how to install from Google Play, now it is possible for them!

Thanks a lot to the ArcaneChat beta-testers that made this milestone possible! you rock!!!! 🤩

adb's avatar
adb

@adbenitez@mastodon.social

📢 BREAKING NEWS!!!

🎉 got public on some hours ago!!! 🔥

play.google.com/store/apps/det

also check the official website:
arcanechat.me

TIP: getting it from or direct download is recommended, but if you have friends that only know how to install from Google Play, now it is possible for them!

Thanks a lot to the ArcaneChat beta-testers that made this milestone possible! you rock!!!! 🤩

Stefano Marinelli's avatar
Stefano Marinelli

@stefano@bsd.cafe

A few days ago, a client of mine asked me to install an open-source software (which I won’t name for now). The software has only one official installation method: Docker. This is because, as they themselves admit, it has a huge number of dependencies - some quite outdated - that need to be carefully managed and forced into place; otherwise, nothing works.

I tried replicating the same setup on FreeBSD but didn’t succeed, as some dependencies either aren’t compatible or simply refuse to run. I could try finding workarounds, but I can already picture the chaos every time an update is needed.

So, I decided to build it via Docker to get a better sense of what we’re dealing with. The sheer number of dependencies that Node pulls in is impressive, but even more staggering is the number of warnings and errors it spits out: deprecated and unsupported packages, security vulnerabilities, generic warnings- you name it, and there’s plenty of it.

Since my client needs to launch this service but is subject to audits, they want to be fully compliant and ensure security. Given their substantial budget, they offered financial support to the developers (a company, not just a group of hobbyists) to help improve the project either by making it FreeBSD - compatible or, at the very least, by reducing dependencies with critical vulnerabilities. The client was willing to pay a significant sum, and since the improvements would be open-source, everyone would benefit.

The response from the team? A flat-out refusal. They claimed they couldn’t accept any amount of money because many of these dependencies are "necessary and irreplaceable, as parts of the code relying on them were written by people who no longer work on the project, and we can’t rewrite the core of the software.” Then came the part that really got under my skin: they stated they would rather deal directly “with my client, not with me, because in the end, my concerns are just useless and irrational paranoia.”

Translation? Just pay, and you’ll pass compliance checks - never mind the fact that underneath, it’s a tangled mess of outdated and insecure components. And don’t make a fuss about it.

While I can understand some of the challenges the team faces, I might have accepted this response if it had come from a group of volunteers or hobbyists. But if you’re a company whose sole business revolves around a single software product (with no real competition at the moment), this approach is not just short-sighted - it’s outright dangerous for your users’ security and for your own survival as a business.

The result? They lost a paying client who was ready to invest a significant budget into their software. That budget will now go elsewhere. My client is considering hiring developers to build a similar project with better security (they have both the time and the money for it). I’ll do my best to convince them to release it as open-source - at which point, a new “competitor” will emerge in the market.

^Kur0den\d{4}$ :irai_houki_tyuu:'s avatar
^Kur0den\d{4}$ :irai_houki_tyuu:

@kur0den0010@chpk.kur0den.net

『Cloudflare WAFのLeaked Credentials Checkを国内最速?で検証する - Qiita』 - https://qiita.com/kanish/items/32d30bb0d6e5ef868cf2

Natasha Nox 🇺🇦🇵🇸's avatar
Natasha Nox 🇺🇦🇵🇸

@Natanox@chaos.social

Irregular reminder that european-alternatives.eu/alter exists, a great list of service providers from Europe (including the exact nation as well as tags to know what's FOSS *AND* Self-hostable) that will enable you to move away from services hosted within and governed by the upcoming US Regime laws.

SpaceLifeForm

@SpaceLifeForm@infosec.exchange · Reply to The Tor Project's post

@torproject

Should have left X long ago. Now is the time.

Natasha Nox 🇺🇦🇵🇸's avatar
Natasha Nox 🇺🇦🇵🇸

@Natanox@chaos.social

Irregular reminder that european-alternatives.eu/alter exists, a great list of service providers from Europe (including the exact nation as well as tags to know what's FOSS *AND* Self-hostable) that will enable you to move away from services hosted within and governed by the upcoming US Regime laws.

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

Meta (Facebook) is no longer banning Distrowatch and discussion of Linux allowed again. lwn.net/Articles/1006859/ (adding screenshot in case it is taken down)

Malware scanner error Posted Jan 30, 2025 7:02 UTC (Thu) by osandov (subscriber, #97963) Parent article: Linux-related discussion as a cybersecurity threat I (Meta employee) can share this: Our automated systems blocked distrowatch.com for hosting a link to a file detected by third party security vendors as malware. This was an error and has since been addressed. Discussions of Linux are allowed on our services.
ALT text detailsMalware scanner error Posted Jan 30, 2025 7:02 UTC (Thu) by osandov (subscriber, #97963) Parent article: Linux-related discussion as a cybersecurity threat I (Meta employee) can share this: Our automated systems blocked distrowatch.com for hosting a link to a file detected by third party security vendors as malware. This was an error and has since been addressed. Discussions of Linux are allowed on our services.
Emeritus Prof Christopher May's avatar
Emeritus Prof Christopher May

@ChrisMayLA6@zirk.us

Q. will Greenland be the litmus test for how Europe responds to Trump?

Nathalie Tocci, thinks it reveals that:

'Europeans are scared. They fear Trump & their fear is paralysing. It freezes their actions & quiets their rhetoric. The more Trump confirms their fears through his repeated threats, the less they are inclined to react. Trump presumably smells the fear & like all bullies revels in it, upping the ante'!

Time to toughen up?

theguardian.com/commentisfree/

Emeritus Prof Christopher May's avatar
Emeritus Prof Christopher May

@ChrisMayLA6@zirk.us

Q. will Greenland be the litmus test for how Europe responds to Trump?

Nathalie Tocci, thinks it reveals that:

'Europeans are scared. They fear Trump & their fear is paralysing. It freezes their actions & quiets their rhetoric. The more Trump confirms their fears through his repeated threats, the less they are inclined to react. Trump presumably smells the fear & like all bullies revels in it, upping the ante'!

Time to toughen up?

theguardian.com/commentisfree/

Frankie ✅'s avatar
Frankie ✅

@Some_Emo_Chick@mastodon.social

DeepSeek collects keystroke data and more, storing it in Chinese servers

You might want to learn about DeepSeek's privacy policy before you sign up.

mashable.com/article/deepseek-

heise Security's avatar
heise Security

@heisec@social.heise.de

Elektronische Patientenakte: Gematik hielt Sicherheitslücke für "akzeptabel"

Die Gematik nahm die Sicherheitslücken bei der E-Patientenakte wohl erst nach Kenntnis von gültigen, auf Kleinanzeigen käuflichen Praxisidentitäten ernst.

heise.de/news/Elektronische-Pa

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

zizmor v1.3.0 is released!

this release brings a new audit (overprovisioned-secrets), plus a handful of bugfixes/enhancements to existing audits.

notes here: github.com/woodruffw/zizmor/re

a screenshot of zizmor running and showing the results of the overprovisioned-secrets audit
ALT text detailsa screenshot of zizmor running and showing the results of the overprovisioned-secrets audit
Adrianna Tan's avatar
Adrianna Tan

@skinnylatte@hachyderm.io

Human Rights Watch is hiring a Director of Information Security

job-boards.greenhouse.io/human

Adrianna Tan's avatar
Adrianna Tan

@skinnylatte@hachyderm.io

Human Rights Watch is hiring a Director of Information Security

job-boards.greenhouse.io/human

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

zizmor v1.3.0 is released!

this release brings a new audit (overprovisioned-secrets), plus a handful of bugfixes/enhancements to existing audits.

notes here: github.com/woodruffw/zizmor/re

a screenshot of zizmor running and showing the results of the overprovisioned-secrets audit
ALT text detailsa screenshot of zizmor running and showing the results of the overprovisioned-secrets audit
LabPlot's avatar
LabPlot

@LabPlot@floss.social

Today is the Data Privacy (Protection) Day! So let us remind you that in , an open-source data analysis and visualization software, Your Data is Yours!

@labplot@lemmy.kde.social @opensource @libre_software @privacy

Boosts appreciated! 🙂 :boost_love: 🚀

Volla's avatar
Volla

@volla@mastodon.social

Es gibt Neuigkeiten zum Versandstatus des Volla Tablets!

Hier gehts zum Blog Artikel:

volla.online/de/blog/files/tab

-----------------

Shipping of Volla Tablet has started. Find the blog article here:

volla.online/en/blog/files/tab

Volla's avatar
Volla

@volla@mastodon.social

Es gibt Neuigkeiten zum Versandstatus des Volla Tablets!

Hier gehts zum Blog Artikel:

volla.online/de/blog/files/tab

-----------------

Shipping of Volla Tablet has started. Find the blog article here:

volla.online/en/blog/files/tab

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

初心者向けサイバー攻撃の種類と対策の基礎知識
qiita.com/nucomiya/items/c30c8

Metin Seven's avatar
Metin Seven

@Seven@pixelfed.art

Isometric pixel art from a series of pixel illustrations I made for a Dutch infosec company.

The illustrations were printed as stickers. See other posts for more.

#PixelArt #isometric #security #InfoSec #safety #tech #technology #coding #CharacterDesign #stickers #design #artwork #illustration #illustrator #digital #DigitalArt #style #art #arts #arte #artist #artists #GraphicDesign #2D #3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon
Isometric pixel art of a virtual reality gamer, sitting in a chair, while being surrounded by VR game elements in space: space fighter jets and a floating spaceship landing platform.
ALT text detailsIsometric pixel art of a virtual reality gamer, sitting in a chair, while being surrounded by VR game elements in space: space fighter jets and a floating spaceship landing platform.
Metin Seven's avatar
Metin Seven

@Seven@pixelfed.art

Isometric pixel art from a series of pixel illustrations I made for a Dutch infosec company.

The illustrations were printed as stickers. See other posts for more.

#PixelArt #isometric #security #InfoSec #safety #tech #technology #coding #CharacterDesign #stickers #design #artwork #illustration #illustrator #digital #DigitalArt #style #art #arts #arte #artist #artists #GraphicDesign #2D #3D #CreativeToots #FediArt #MastoArt #ArtistsOnMastodon
Isometric pixel art of a virtual reality gamer, sitting in a chair, while being surrounded by VR game elements in space: space fighter jets and a floating spaceship landing platform.
ALT text detailsIsometric pixel art of a virtual reality gamer, sitting in a chair, while being surrounded by VR game elements in space: space fighter jets and a floating spaceship landing platform.
Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

TIL: GitHub Actions is surprisingly case-insensitive

yossarian.net/til/post/github-

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

TIL: GitHub Actions is surprisingly case-insensitive

yossarian.net/til/post/github-

Mark Wyner :vm:'s avatar
Mark Wyner :vm:

@markwyner@mas.to

Are passkeys really better than passwords? And what happens when you no longer have access to the authentication device?

I keep reading up on this. But I find few answers. Is anyone willing to elaborate?

Dainius Happy 🇱🇹 ❤ 🇺🇦's avatar
Dainius Happy 🇱🇹 ❤ 🇺🇦

@anthroposamu@mastodon.social

almost_pwned.md
gist.github.com/zachlatta/f863
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

Dainius Happy 🇱🇹 ❤ 🇺🇦's avatar
Dainius Happy 🇱🇹 ❤ 🇺🇦

@anthroposamu@mastodon.social

almost_pwned.md
gist.github.com/zachlatta/f863
g.co, Google's official URL shortcut (update: or Google Workspace's domain verification, see bottom), is compromised. People are actively having their Google accounts stolen.

otaku binary オタクバイナリ's avatar
otaku binary オタクバイナリ

@otakubinary@sakurajima.moe

Seems that Crunchyroll had a breach. You should change your password.

The option to change the password in menu settings (logged in) didn't work throws an error.

Log out or try in another browser and select forgot password in login menu this will send you a link to reset the password

animehunch.com/crunchyroll-pre

Jordan Warne's avatar
Jordan Warne

@jw@social.lol

You need to protect your communication, not only for your own sake but for those around you. I produced a video at @privacyguides to raise awareness around the insecurity of SMS and to push people towards more secure alternatives.

youtube.com/watch?v=B9BWXvn-rB

Jordan Warne's avatar
Jordan Warne

@jw@social.lol

You need to protect your communication, not only for your own sake but for those around you. I produced a video at @privacyguides to raise awareness around the insecurity of SMS and to push people towards more secure alternatives.

youtube.com/watch?v=B9BWXvn-rB

tricia, queen of house cyberly :verified_paw: :donor:'s avatar
tricia, queen of house cyberly :verified_paw: :donor:

@triciakickssaas@infosec.exchange

Features aren't always innocent 😉

In the most recent publication by Akamai Technologies' Security Intelligence Group, Tomer Peled found yet -a n o t h e r- vuln in K8s. this time in Log Query, and it can do some big bad.

Did you know that out of the 12 vulns found in Kubernetes since 2023, Tomer has found 4 of them?!?!? i work with the coolest people

anyway, couldn't resist a britney parody sooooooo

akamai.com/blog/security-resea

tricia, queen of house cyberly :verified_paw: :donor:'s avatar
tricia, queen of house cyberly :verified_paw: :donor:

@triciakickssaas@infosec.exchange

Features aren't always innocent 😉

In the most recent publication by Akamai Technologies' Security Intelligence Group, Tomer Peled found yet -a n o t h e r- vuln in K8s. this time in Log Query, and it can do some big bad.

Did you know that out of the 12 vulns found in Kubernetes since 2023, Tomer has found 4 of them?!?!? i work with the coolest people

anyway, couldn't resist a britney parody sooooooo

akamai.com/blog/security-resea

otaku binary オタクバイナリ's avatar
otaku binary オタクバイナリ

@otakubinary@sakurajima.moe

Seems that Crunchyroll had a breach. You should change your password.

The option to change the password in menu settings (logged in) didn't work throws an error.

Log out or try in another browser and select forgot password in login menu this will send you a link to reset the password

animehunch.com/crunchyroll-pre

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

If you’re going to participate in a protest or other form of activism, you need to keep yourself protected.

Your smartphone can be an essential tool, but it also represents a huge risk to your privacy and security. If you decide to bring a phone along, understanding these best practices when it comes to securing it will help keep you and your data safe.

privacyguides.org/articles/202

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

If you’re going to participate in a protest or other form of activism, you need to keep yourself protected.

Your smartphone can be an essential tool, but it also represents a huge risk to your privacy and security. If you decide to bring a phone along, understanding these best practices when it comes to securing it will help keep you and your data safe.

privacyguides.org/articles/202

^Kur0den\d{4}$ :irai_houki_tyuu:'s avatar
^Kur0den\d{4}$ :irai_houki_tyuu:

@kur0den0010@chpk.kur0den.net

ポリシーによってはドメイン部以外もリファラとして送信されるのね

『主要ブラウザのReferrer Policyについて調べてみた - Qiita』 - https://qiita.com/n3_x/items/c2bafd5872af61147c89

^Kur0den\d{4}$ :irai_houki_tyuu:'s avatar
^Kur0den\d{4}$ :irai_houki_tyuu:

@kur0den0010@chpk.kur0den.net

ポリシーによってはドメイン部以外もリファラとして送信されるのね

『主要ブラウザのReferrer Policyについて調べてみた - Qiita』 - https://qiita.com/n3_x/items/c2bafd5872af61147c89

Privacy Guides's avatar
Privacy Guides

@privacyguides@mastodon.neat.computer

If you’re going to participate in a protest or other form of activism, you need to keep yourself protected.

Your smartphone can be an essential tool, but it also represents a huge risk to your privacy and security. If you decide to bring a phone along, understanding these best practices when it comes to securing it will help keep you and your data safe.

privacyguides.org/articles/202

Jonah Aragon's avatar
Jonah Aragon

@jonah@neat.computer

I was feeling inspired to write this morning after looking through a lot of this type of article and noticing they all omitted kind of important information. This includes all of the basics, and the stuff I thought was under-discussed, for example: AirDrop's privacy problems, and the importance of security patches in this specific scenario.

I hope someone finds this useful, and if I'm still missing anything or could explain something better, please let me know!

privacyguides.org/articles/202

nickbearded's avatar
nickbearded

@nickbearded@mastodon.social

The website is live!

bashcore.org/

BrianKrebs's avatar
BrianKrebs

@briankrebs@infosec.exchange

Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

samcurry.net/hacking-subaru#in

@starlink

BrianKrebs's avatar
BrianKrebs

@briankrebs@infosec.exchange

Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

samcurry.net/hacking-subaru#in

@starlink

heise Security's avatar
heise Security

@heisec@social.heise.de

Cisco: Kritische Sicherheitslücke in Meeting Management

Cisco warnt vor einer kritischen Sicherheitslücke in Meeting Management sowie Schwachstellen in Broadworks und ClamAV.

heise.de/news/Cisco-Kritische-

BrianKrebs's avatar
BrianKrebs

@briankrebs@infosec.exchange

Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

samcurry.net/hacking-subaru#in

@starlink

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

【メモ】セキュリティインシデントを調べるときに参考になるサイトまとめ
qiita.com/koinunopochi/items/4

heise Security's avatar
heise Security

@heisec@social.heise.de

Cisco: Kritische Sicherheitslücke in Meeting Management

Cisco warnt vor einer kritischen Sicherheitslücke in Meeting Management sowie Schwachstellen in Broadworks und ClamAV.

heise.de/news/Cisco-Kritische-

Metin Seven 🎨's avatar
Metin Seven 🎨

@metin@graphics.social

Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …

➡️ matrix.org

➡️ getsession.org

➡️ delta.chat

➡️ simplex.chat

➡️ xmpp.org

If you’d like to learn more about these options, have a look at the responses to this toot.

ITSEC News's avatar
ITSEC News

@itsecbot@schleuss.online

Cloudflare CDN flaw leaks user location data, even through secure chat apps - A security researcher discovered a flaw in Cloudflare's content delivery network (CDN), w... bleepingcomputer.com/news/secu

Branedy's avatar
Branedy

@Branedy@mastodon.social

So much for National Security

Branedy's avatar
Branedy

@Branedy@mastodon.social

So much for National Security

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

NymVPNの”匿名モード”とは?技術的解説
qiita.com/pseudonym2/items/819

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

ハニーポット観測:Apache HTTP Serverパストラバーサル脆弱性(CVE-2021-41773,CVE-2021-42013)を標的とした攻撃の攻撃分析
qiita.com/melkruri/items/3f432

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Lockdownyourlife's avatar
Lockdownyourlife

@Lockdownyourlife@infosec.exchange

Are you on Signal or Wire yet? Go do that. Gently move your friends/fam over to one of the platforms. Set disappearing messages on both sides of the conversation. Be careful what you say in group chats, know who you trust, and who are your Vault people. For REAL sensitive stuff, in-person, no phones.

Normalize going places without your phones, leave them at home now and again to establish a pattern.

Please understand anyone who works in advocacy, healthcare (esp reproductive rights/women's healthcare), journalists, some gov officials, marginalized groups will likely be targeted.

If this doesn't fit your threat model/risk profile, you know someone who will be impacted by oversight, surveillance or someone snitching

SnowshadowII's avatar
SnowshadowII

@SnowshadowII@beige.party

🇺🇸 🇺🇸 🇺🇸

Go back to any old social media profiles that you don’t use anymore and delete those accounts.

Delete/erase old email accounts/inboxes that are defunct.

Strip any information about your family or where you live from blogs or company websites.

Use a service like Delete Me or Aura to systematically go through the internet and remove personally identifiable information.

Lockdownyourlife's avatar
Lockdownyourlife

@Lockdownyourlife@infosec.exchange

Are you on Signal or Wire yet? Go do that. Gently move your friends/fam over to one of the platforms. Set disappearing messages on both sides of the conversation. Be careful what you say in group chats, know who you trust, and who are your Vault people. For REAL sensitive stuff, in-person, no phones.

Normalize going places without your phones, leave them at home now and again to establish a pattern.

Please understand anyone who works in advocacy, healthcare (esp reproductive rights/women's healthcare), journalists, some gov officials, marginalized groups will likely be targeted.

If this doesn't fit your threat model/risk profile, you know someone who will be impacted by oversight, surveillance or someone snitching

SnowshadowII's avatar
SnowshadowII

@SnowshadowII@beige.party

🇺🇸 🇺🇸 🇺🇸

Go back to any old social media profiles that you don’t use anymore and delete those accounts.

Delete/erase old email accounts/inboxes that are defunct.

Strip any information about your family or where you live from blogs or company websites.

Use a service like Delete Me or Aura to systematically go through the internet and remove personally identifiable information.

Maximum MEW's avatar
Maximum MEW

@maximum_mew@indieweb.social

I learned about the Opt Out Project's Cyber-Cleanse by @cyberlyra here on Mastodon. So grateful for a roadmap to regaining some of my online privacy.

maryewarner.com/2025/01/20/div

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

In related news, has also released updates: 0.3.6 & 0.4.4. Update now!

https://hollo.social/@fedify/01948487-87b2-709d-953f-8799b78433ed

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We have released updates (1.0.14, 1.1.11, 1.2.11, 1.3.4) to address CVE-2025-23221, a in 's implementation. We recommend all users update to the latest version of their respective release series immediately.

The Vulnerability

A security researcher identified multiple security issues in Fedify's lookupWebFinger() function that could be exploited to:

  • Perform denial of service attacks through infinite redirect loops
  • Execute server-side request forgery () attacks via redirects to private network addresses
  • Access unintended URL schemes through redirect manipulation

Fixed Versions

  • 1.3.x series: Update to 1.3.4
  • 1.2.x series: Update to 1.2.11
  • 1.1.x series: Update to 1.1.11
  • 1.0.x series: Update to 1.0.14

Changes

The security updates implement the following fixes:

  1. Added a maximum redirect limit (5) to prevent infinite redirect loops
  2. Restricted redirects to only follow the same scheme as the original request (HTTP/HTTPS)
  3. Blocked redirects to private network addresses to prevent SSRF attacks

How to Update

To update to the latest secure version:

# For npm users
npm update @fedify/fedify

# For Deno users
deno add jsr:@fedify/fedify

We thank the security researcher who responsibly disclosed this vulnerability, allowing us to address these issues promptly.

For more details about this vulnerability, please refer to our security advisory.

If you have any questions or concerns, please don't hesitate to reach out through our GitHub Discussions, join our Matrix chat space, or our Discord server.

어둠사자's avatar
어둠사자

@gnh1201@catswords.social · Reply to 어둠사자's post

Product Bad Practices from

ic3.gov/CSA/2025/250117.pdf

Mark Heftler's avatar
Mark Heftler

@markheftler@esq.social

2025 kicks off with A Modest Divestment, a deliberate effort to reduce my reliance on US-based big tech. Canceling 365, switching to & , and exploring . Saying goodbye to and tightening up protections. Here's to a secure, private, and independent year ahead.

copingalgorithms.com/posts/a-m

Linux Is Best's avatar
Linux Is Best

@Linux_Is_Best@misskey.de

List of service providers outside the United States jurisdiction. 😉

🤫 VPN =

* iVPN, located in Gibraltar, Europe (UK territory)
https://www.ivpn.net

* Mullvad VPN, located in Sweden, Europe
https://mullvad.net

* Goose VPN, located in the Netherlands, Europe
https://goosevpn.com

* Xeovo VPN, located in Finland, Europe
https://xeovo.com

🌐 Managed DNS =

* AdGuard DNS, located in Cyprus, Europe
https://adguard-dns.io

* ClouDNS, located in Bulgaria, Europe
https://www.cloudns.net

* deSEC, located in Germany, Europe
https://desec.io

🌐 Public DNS =

* CIRA Canadian Shield, located in Canada, North America
https://www.cira.ca/en/canadian-shield/configure/

* Mullvad DNS, located in Sweden, Europe
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

🔏 Privacy focused e-mail =

* Tuta, located in Germany, Europe
https://tuta.com

* Soverin, located in the Netherlands, Europe
https://soverin.com

* Startmail, located in the Netherlands, Europe
https://www.startmail.com

* Mailfence, located in Belgium, Europe
https://mailfence.com

🌍 Domain Registration / Web Hosting =

* Scalewy, located in France, Europe
https://www.scaleway.com

* OVH, located in France, Europe
https://www.ovhcloud.com

* Netcup, located in Germany, Europe
https://www.netcup.com

* Glesys, located in Sweden, Europe
https://glesys.com

🌍 CDN =

* OVH, located in France, Europe
https://www.ovhcloud.com/en/web-hosting/options/cdn/

* Key CDN, located in Switzerland, Europe
https://www.keycdn.com

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

i've released `zizmor` v1.2.0!

some key changes:

- there's a new `bot-conditions` audit, which can detect spoofable `github.actor` checks!
- precision/accuracy improvements to the `unpinned-uses` and `excessive-permissions` audits!
- bugfixes for the `template-injection` and `artipacked` audits!
- more general bugfixes, including a (hopeful) improvement to the SARIF output behavior and fixes to our parsing of some workflow/expression edge cases

and from a sustainability perspective: many thanks to astral.sh/ for being our first logo-level sponsor!

full release notes here:

woodruffw.github.io/zizmor/rel

a screenshot of zizmor with findings from the new bot-conditions audit
ALT text detailsa screenshot of zizmor with findings from the new bot-conditions audit
yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

i've released `zizmor` v1.2.0!

some key changes:

- there's a new `bot-conditions` audit, which can detect spoofable `github.actor` checks!
- precision/accuracy improvements to the `unpinned-uses` and `excessive-permissions` audits!
- bugfixes for the `template-injection` and `artipacked` audits!
- more general bugfixes, including a (hopeful) improvement to the SARIF output behavior and fixes to our parsing of some workflow/expression edge cases

and from a sustainability perspective: many thanks to astral.sh/ for being our first logo-level sponsor!

full release notes here:

woodruffw.github.io/zizmor/rel

a screenshot of zizmor with findings from the new bot-conditions audit
ALT text detailsa screenshot of zizmor with findings from the new bot-conditions audit
Kagi HQ's avatar
Kagi HQ

@kagihq@mastodon.social

Kagi mentioned as one of the key ways you can keep your family safe online:

"Mogull plans to make it the default search engine for all his relatives."

scworld.com/resource/five-cybe

Phil's avatar
Phil

@phil@fed.bajsicki.com

Of public interest:

At least 15,000 people fully, without limits, irrevocably, licensed their personal information, public image, name and all data that reached loops.video infrastructure... to @dansup@mastodon.social 's loops.video platform.

Had they known they're entirely losing control of everything, would they be using the platform?

Explanation in the renote, and here:

https://bajsicki.com/blog/loops-video-terms/

Is this what we, as a , want?

RE: https://fed.bajsicki.com/notes/a349itz9il

Daniel Supernault (@dansup@mastodon.social) bragging about his loops.video platform crossing 15000 users.
ALT text detailsDaniel Supernault (@dansup@mastodon.social) bragging about his loops.video platform crossing 15000 users.
Phil's avatar
Phil

@phil@fed.bajsicki.com

How about no?

You're way overstepping with this, poisoning the entire ActivityPub ecosystem.

Let me break this down for you...

https://bajsicki.com/blog/loops-video-terms/

In short: if you really intend to federate, respect your users and their data.

Implementing federation while keeping these terms is a severe breach of trust, and would poison the entirety of the network in an way which will cripple ActivityPub, and undermine the very foundation of what AP stands for with regard to privacy, data ownership, and control over what we post to the network.

Hopefully that's not your intention. Is it?

RE: https://mastodon.social/users/dansup/statuses/113841956808397142

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

Sphinx:LightningやNymを支える匿名データフォーマット
qiita.com/pseudonym2/items/200

Phil's avatar
Phil

@phil@fed.bajsicki.com

How about no?

You're way overstepping with this, poisoning the entire ActivityPub ecosystem.

Let me break this down for you...

https://bajsicki.com/blog/loops-video-terms/

In short: if you really intend to federate, respect your users and their data.

Implementing federation while keeping these terms is a severe breach of trust, and would poison the entirety of the network in an way which will cripple ActivityPub, and undermine the very foundation of what AP stands for with regard to privacy, data ownership, and control over what we post to the network.

Hopefully that's not your intention. Is it?

RE: https://mastodon.social/users/dansup/statuses/113841956808397142

^Kur0den\d{4}$ :irai_houki_tyuu:'s avatar
^Kur0den\d{4}$ :irai_houki_tyuu:

@kur0den0010@chpk.kur0den.net

『安全なウェブサイトの作り方に学ぶセッション管理 - Qiita』 - https://qiita.com/kujira_engineer/items/133af11f9386957a052c

heise Security's avatar
heise Security

@heisec@social.heise.de

WordPress-Plug-in W3 Total Cache: Potenziell 1 Millionen Websites attackierbar

Stimmen die Voraussetzungen, können Angreifer Websites mit dem WordPress-Plug-in W3 Total Cache ins Visier nehmen. Ein Sicherheitspatch ist verfügbar.

heise.de/news/WordPress-Plug-i

heise Security's avatar
heise Security

@heisec@social.heise.de

WordPress-Plug-in W3 Total Cache: Potenziell 1 Millionen Websites attackierbar

Stimmen die Voraussetzungen, können Angreifer Websites mit dem WordPress-Plug-in W3 Total Cache ins Visier nehmen. Ein Sicherheitspatch ist verfügbar.

heise.de/news/WordPress-Plug-i

Guy's avatar
Guy

@phlogiston@mastodon.nz

I was wondering ... as encryption via PGP/GnuPG is not suitable for true and ongoing end-to-end confidentiality. But what about authenticity of mails? I dislike S/MIME for its corporate nature, and via PGP/MIME is well enough supported by many (free) mail clients.

What's the or community's view on PGP for signing emails? Or what would a suitable alternative be? I haven't come across any, though.

1/2

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

VPN、Tor、I2P - Nymはどう比較されるのか?
qiita.com/pseudonym2/items/e9a

nixpkgs security changes's avatar
nixpkgs security changes

@nixpkgssecuritychanges@social.gerbet.me

rsync: 3.3.0 -> 3.4.1

github.com/NixOS/nixpkgs/pull/

Teddy / Domingo (🇨🇵/🇬🇧)'s avatar
Teddy / Domingo (🇨🇵/🇬🇧)

@TeddyTheBest@framapiaf.org

Defensive
Picture found at darkwebinformer.com/defensive-

Linux Security Apps
ALT text detailsLinux Security Apps
mailbox.org's avatar
mailbox.org

@mailbox_org@social.mailbox.org

👋 Goodbye spam and viruses! 📩

Keep your inbox clean and safe with spam and virus protection from mailbox.org!

✔️ Top filter technology
✔️ Customisable to your needs
✔️ Data protection first and foremost

👉 Switch now and mail stress-free

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

The rsync utility in Linux, *BSD, and Unix-like systems are vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP cyberciti.biz/linux-news/cve-2

A critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
ALT text detailsA critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
Prainbow (she/her) 🏔️Colorado's avatar
Prainbow (she/her) 🏔️Colorado

@Prainbow@mastodon.social

"Data privacy advocates have long warned of the risks that data brokers pose to individuals’ privacy and national security. Researchers with access to the sample of Gravy Analytics’ location data posted by the hacker say that the information can be used to extensively track people’s recent whereabouts."

techcrunch.com/2025/01/13/grav

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

The rsync utility in Linux, *BSD, and Unix-like systems are vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP cyberciti.biz/linux-news/cve-2

A critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
ALT text detailsA critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

The rsync utility in Linux, *BSD, and Unix-like systems are vulnerable to multiple security issues, including arbitrary code execution, arbitrary file upload, information disclosure, and privilege escalation. Hence, you must patch the system ASAP cyberciti.biz/linux-news/cve-2

A critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
ALT text detailsA critical vulnerability (CVE-2024-12084 and five others) requires immediate patching on Linux, *BSD, macOS, and Unix-like systems to protect your systems from attacks. Update Rsync now!
:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

ブロックチェーンを安全にスケーリングする
qiita.com/pseudonym2/items/24a

mattlqx's avatar
mattlqx

@matt@lqx.net

The solution to my hotel’s cooling issues in their data closet is simply to leave the door open. Yikes!

mailbox.org's avatar
mailbox.org

@mailbox_org@social.mailbox.org

👋 Goodbye spam and viruses! 📩

Keep your inbox clean and safe with spam and virus protection from mailbox.org!

✔️ Top filter technology
✔️ Customisable to your needs
✔️ Data protection first and foremost

👉 Switch now and mail stress-free

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

最も匿名性に優れたVPNの選び方
qiita.com/pseudonym2/items/bd1

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

コンピュータでプロキシをオフにする方法(詳細ver.)
qiita.com/pseudonym2/items/cf0

Natasha Nox 🇺🇦🇵🇸's avatar
Natasha Nox 🇺🇦🇵🇸

@Natanox@chaos.social

Irregular reminder that european-alternatives.eu/alter exists, a great list of service providers from Europe (including the exact nation as well as tags to know what's FOSS *AND* Self-hostable) that will enable you to move away from services hosted within and governed by the upcoming US Regime laws.

Stefano Marinelli's avatar
Stefano Marinelli

@stefano@bsd.cafe

UPDATE: I haven't seen Recall in action there. I was just asking the doctor how they'll deal with it.

This morning, I went to the doctor for a scheduled appointment. While she was looking at the results of blood tests from two years ago on the screen (and suggested repeating them for a follow-up), I realized she was using Windows 11. A detail came to mind. The doctor is extremely polite and friendly, so I asked her, "How do you handle the feature called Recall?" The doctor was taken aback and had no idea what I was talking about. I was about to drop the conversation, but she, being a serious professional, immediately called the technicians who manage their PCs to ask for clarification. They downplayed it, saying it's not an issue and that it's a feature "on all PCs, so we can't do anything about it." She started to express that she didn’t like it and wanted it deactivated. No luck: they won’t proceed because, according to them, even deactivating it is "a hack that could compromise future updates." She’s furious and will talk to her colleagues and the decision-makers. She wants secure systems because "there’s patient data involved."

In reality, patient data is stored on servers (which I haven't investigated), but everything that appears on the screen is, in my opinion, at risk.

I’ve offered to help them find a solution—because, if I'm right, all they need is LibreOffice and a browser. In that case, I’ll suggest one of the *BSD or Linux systems and do it for free.

I don’t want to make money off my doctor. I just want patient data to be (sufficiently) secure.

Kagi HQ's avatar
Kagi HQ

@kagihq@mastodon.social

Kagi is "pick of the week" in this latest Smashing Security podcast episode by cybersecurity veterans Graham Cluley and Carole Theriault:

grahamcluley.com/smashing-secu

Jcrabapple (Catppuccin King)'s avatar
Jcrabapple (Catppuccin King)

@jcrabapple@dmv.community

Some developers have picked up the Mull source code and they're continuing development under the name Ironfox.

IronFox OSS / IronFox · GitLab

gitlab.com/ironfox-oss/IronFox

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

Nym mixnetはブロックチェーンではないが、ブロックチェーンで動いている
qiita.com/pseudonym2/items/206

RDP Snitch's avatar
RDP Snitch

@rdpsnitch@infosec.exchange

2025-01-08 RDP IOCs - 350 scans
Thread with top 3 features in each category and links to the full dataset

Top IPs:
68.183.88.109 - 200
185.42.12.81 - 16
185.170.144.198 - 16

Top ASNs:
AS14061 - 226
AS396982 - 24
AS59425 - 18

Top Accounts:
hello - 254
Administr - 24
Domain - 18

Top ISPs:
DigitalOcean, LLC - 226
Chang Way Technologies Co. Limited - 24
Google LLC - 24

Top Clients:
Unknown - 350

Top Software:
Unknown - 350

Top Keyboards:
Unknown - 350

Top IP Classification:
hosting - 248
Unknown - 64
proxy - 24

Pastebin links with full 24-hr RDP Honeypot IOC Lists:
pastebin.com/7emQHvAD

joschi's avatar
joschi

@joschi@hachyderm.io

Hey peeps,
are there any published checksums (or better: signed artifacts) for the AWS certificate bundles listed at docs.aws.amazon.com/AmazonRDS/?

I'd like to be sure I'm adding the right certificates into my certificate store. 😅

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

“Five Eyes”の監視を打ち破るには?Nymミックスネットのプライバシー
qiita.com/pseudonym2/items/e89

Brooke Kuhlmann's avatar
Brooke Kuhlmann

@bkuhlmann@mastodon.social

Last year I mentioned you should enable global Bundler 2.6.0's support for checksums in your Gemflile.lock for enhanced security:

`bundle config --global lockfile_checksums true`

Well, Maciej has a write up on why this is important that goes into much more detail: mensfeld.pl/2025/01/the-silent

Please enable if you haven't already!

Chris​‌​‬ Hayes‌​​​'s avatar
Chris​‌​‬ Hayes‌​​​

@chris_hayes@fosstodon.org

If anyone is looking at , particularly in and , has more than a few openings - jobs.lever.co/1password

Einstein^Vaderbilt's avatar
Einstein^Vaderbilt

@azuresaipan@defcon.social

On Mobile Phone Security
kicksecure.com/wiki/Mobile_Pho
and

What about hardening on a with a cellular hat? Then there's only carrier protocol weaknesses...

If ISPs use microwave relays (the hated 'air' - remember Max Headroom) and NSA access points, is domestic broadband really secure either? But the cable or fiber doesn't have 'carrier' vulns.
kicksecure.com/wiki/Router_and

-misc

XenoPhage :verified:'s avatar
XenoPhage :verified:

@XenoPhage@infosec.exchange

So, folks, how are you handling all of these job scams? Specifically, we're seeing a lot of folks coming to us who were "hired" by us, but the hiring process was a scam. ie, we had nothing to do with it.

I'm not sure there's much of anything we *can* do, but maybe I'm incorrect? Thoughts?

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

分散型VPN:NymVPNの技術 Mixnetの簡単な紹介
qiita.com/pseudonym2/items/91e

Brooke Kuhlmann's avatar
Brooke Kuhlmann

@bkuhlmann@mastodon.social

Last year I mentioned you should enable global Bundler 2.6.0's support for checksums in your Gemflile.lock for enhanced security:

`bundle config --global lockfile_checksums true`

Well, Maciej has a write up on why this is important that goes into much more detail: mensfeld.pl/2025/01/the-silent

Please enable if you haven't already!

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

Mountpoint for Amazon S3の有用性について考える
qiita.com/yuri_snowwhite/items

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

MS Ignite 2024のセキュリティセッションの再生リスト
qiita.com/ishiayaya/items/ac42

Scott 🏴's avatar
Scott 🏴

@scott@tams.tech

I just brought up a new, bespoke service. New subdomain, freshly minted LetsEncrypt cert. I hit it once for testing, and then within seconds comes a barrage of requests for common paths... /config.json, /.vscode/sftp.json (lol), /.DS_Store, /.env

of course my service had nothing of interest on these paths (phew) but how the hell did someone enumerate that fresh subdomain so quickly!? How did they know to hit it?

PrivacyDigest's avatar
PrivacyDigest

@PrivacyDigest@mas.to

Time to check if you ran any of these 33 malicious extensions

At least 33 extensions hosted in Google’s Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices.

arstechnica.com/security/2025/

PrivacyDigest's avatar
PrivacyDigest

@PrivacyDigest@mas.to

Time to check if you ran any of these 33 malicious extensions

At least 33 extensions hosted in Google’s Chrome Web Store, some for as long as 18 months, were surreptitiously siphoning sensitive data from roughly 2.6 million devices.

arstechnica.com/security/2025/

Frankie ✅'s avatar
Frankie ✅

@Some_Emo_Chick@mastodon.social

Asking some reasonable questions about Elon Musk's "help" with the Cybertruck bombing case

Frankie ✅'s avatar
Frankie ✅

@Some_Emo_Chick@mastodon.social

Asking some reasonable questions about Elon Musk's "help" with the Cybertruck bombing case

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

zizmor 1.0

blog.yossarian.net/2025/01/02/

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

zizmor 1.0

blog.yossarian.net/2025/01/02/

मोक्ष / untrusem's avatar
मोक्ष / untrusem

@untrusem@merveilles.town

Finally joined merveilles. So, here I go again, again

I am Moksh / untrusem, A kid with questions, from .
I am firm believer in and and also practice , My other shenanigans include , , , *nix and learning about . But I delve into so much things to write all of them down.

I also likes esoteric things. I try to program but a novice in that.

I will use my time here to steal knowledge from you amazing people, so watch out :)

Cloudflare's avatar
Cloudflare

@cloudflare@noc.social

In his most recent article, Cloudflare Field CTO John Engates shares how, despite the cloud revolution in IT service delivery, a critical piece remains elusive: IT still lacks sufficient visibility and control over and . cfl.re/3DBYwZn

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

OAuth 2.0の認可エンドポイントにおける脆弱な実装例と対策について考える
qiita.com/task4233/items/3af1b

Brett Flippin's avatar
Brett Flippin

@bflipp@vmst.io

I made the mistake of engaging with a thread over the weekend where an obvious paranoid schizophrenic decided to start replying to me.

I’ve muted them on my PC but the fact that mutes are only client side means my notifications are likely a god damn minefield and I’m avoiding looking at them on my phone. This is a REALLY STUPID DESIGN.

neatchee's avatar
neatchee

@neatchee@urusai.social

🚨 SECURITY PSA - 7ZIP VULN🚨

Update your 7zip, folks

cybersecuritynews.com/7-zip-vu

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

セキュリティ入門:『安全なウェブサイトの作り方』Railsでの具体例付きさらっと解説
qiita.com/ho_na/items/39dab467

Frederik Borgesius's avatar
Frederik Borgesius

@Frederik_Borgesius@akademienl.social

‘the VW [Volkswagen] Group stored sensitive information for 800,000 electric vehicles from various brands on a poorly secured Amazon cloud—essentially leaving the digital door wide open for anyone to waltz in. And not just briefly, but for months on end. The breach impacts fully electric models across Audi, VW, Seat, and Skoda brands, affecting vehicles not just in Germany but throughout Europe and other parts of the world.’ databreaches.net/2024/12/27/ma

Frederik Borgesius's avatar
Frederik Borgesius

@Frederik_Borgesius@akademienl.social

‘the VW [Volkswagen] Group stored sensitive information for 800,000 electric vehicles from various brands on a poorly secured Amazon cloud—essentially leaving the digital door wide open for anyone to waltz in. And not just briefly, but for months on end. The breach impacts fully electric models across Audi, VW, Seat, and Skoda brands, affecting vehicles not just in Germany but throughout Europe and other parts of the world.’ databreaches.net/2024/12/27/ma

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

CORSの設定とプリフライトが発生する条件
qiita.com/Kennie/items/ba41893

Marcus "MajorLinux" Summers's avatar
Marcus "MajorLinux" Summers

@majorlinux@toot.majorshouse.com

You may want to hold off on installing Windows 11 for a bit.

A weird Windows 11 bug won’t let some people install any security updates

theverge.com/2024/12/26/243297

#Bug

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

ヴィクトリア朝時代のハッキング
qiita.com/k-morita412/items/d8

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

サイバーセキュリティ超初心者だった私が今までのことを振り返ってみて
qiita.com/GenkaiChan/items/cec

Pete Prodoehl 🍕's avatar
Pete Prodoehl 🍕

@rasterweb@mastodon.social

Can scanning a QR code do this? I want to call bullshit because I’ve seen two (non-techie) friends share this. Can a computer security expert weigh in on this?

> “There is a QR code to scan, and once scanned, all the information from that phone will be sent to scammers. They receive all access to the phone. All personal and financial information is accessible to the scammers and often the victim's bank accounts are drained.”

Sovereign Tech Fund's avatar
Sovereign Tech Fund

@sovtechfund@mastodon.social · Reply to Sovereign Tech Fund's post

The Sovereign Tech Agency is looking for an experienced and innovative expert in to lead the Sovereign Tech Resilience program.

sovereign.tech/jobs/cybersecur

PrivacyDigest's avatar
PrivacyDigest

@PrivacyDigest@mas.to

firm spilling names of thousands of customers | TechCrunch

A researcher alerted TechCrunch in late November to customer names and affiliations — such as the name of their workplace — spilling from one of Hapn’s servers, which TechCrunch has seen.

techcrunch.com/2024/12/18/trac

GENKI's avatar
GENKI

@nibushibu@vivaldi.net

パスワード関係、 :vivaldi_red: に任せちゃってる…

PrivacyDigest's avatar
PrivacyDigest

@PrivacyDigest@mas.to

to Hear TikTok’s Challenge to Law That Could Ban It

The company and its Chinese parent invoked the in urging the justices to step in before a Jan. 19 deadline to sell or be shut down.

nytimes.com/2024/12/18/us/poli

Scratch Monkey BLU3's avatar
Scratch Monkey BLU3

@nchprgmng@hackers.town

Urgently seeking work, please boost 🙏

Good day netizens. Blue has returned after 10 years in tech, once again on the job hunt. I have worked a variety of roles from hands-on computer repair to NOC tech to Sys admin and more. In that time, I have accrued several certifications including the Certified Administrator, +, +, +, , and +. I'm currently looking for for anywhere in the . I'm targeting roles, since that is what I am passionate about and my certifications are focused in, but I am also open to other IT roles such as software engineer, dev ops, etc. I'm a woman trying to provide for her family and any pay would greatly help us make ends meet as we try to survive in this refuge state where the cost of living is so much higher than back home. Boosts and sharing is welcome, thanks for your time and help.

Gérald Barré's avatar
Gérald Barré

@meziantou@hachyderm.io

Generating SBOM for NuGet packages meziantou.net/generating-sbom-

arihak's avatar
arihak

@arihak@techhub.social

Ad blockers are becoming essential tools:
Threat actors often abuse ad networks - Even ads or ’s Search sponsored results aren’t immune to malvertising.
“Ad networks have proven exceptionally successful; they are fine-tuned machines built from the ground up to distribute traffic on a massive scale,” the Guardio Labs explain in the new report.
cybernews.com/security/fake-ca

Yellow Flag's avatar
Yellow Flag

@WPalant@infosec.exchange

I just replied to a blog comment, and I thought that I post my reply here as well:

I think that I have good reasons to be “against Avast,” having published seven articles on them so far. The security issues alone are bad enough. But Avast abused their position to collect and sell users’ browsing profiles. After they were caught they claimed the data to be anonymized, they claimed to only sell aggregated data – and they continue lying to this day, despite there being conclusive evidence to the contrary. While the company has been bought, it’s still the same people in charge. This sort of undermines any trust in them for anything related to security.

As the security of antivirus software goes, I’m not very fond of any as the articles in the “antivirus” category of my blog show. With Kaspersky it wasn’t only the security issues but also how they handled them, pushing out half-hearted fixes only for these to be circumvented shortly afterwards. McAfee and BullGuard had massive security issues stemming from being careless about security and not following best practices.

I’ve found a critical security issue in Bitdefender’s solution as well, but with them I at least had the impression that they were trying. Unfortunately, that’s currently the bar in the antivirus industry – at least trying to make their product secure.

Security-wise, one good thing about Windows Defender is that it only needs to do one job. It doesn’t need all the extra functionality as a selling argument. It doesn’t need to be a banking browser, it doesn’t need to be a phishing protection, it only needs to be an antivirus solution. It can keep a very small attack surface compared to all those antivirus suites, and so it does (yes, I checked).

やまのく's avatar
やまのく

@yamanoku@mastodon.social

セキュリティエンジニアって200職あんねん(分類とキャリアの話) - Qiita

qiita.com/ahera/items/3bea4df4

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

セキュリティエンジニアって200職あんねん(分類とキャリアの話)
qiita.com/ahera/items/3bea4df4

:rss: Qiita - 人気の記事's avatar
:rss: Qiita - 人気の記事

@qiita@rss-mstdn.studiofreesia.com

CVE-2024-10979をローカルで再現してみる
qiita.com/ikeda_takato/items/d

Talya (she/her) 🏳️‍⚧️✡️'s avatar
Talya (she/her) 🏳️‍⚧️✡️

@Yuvalne@433.world

the biggest update to since usernames - fully encrypted, fully secure cloud backups - are coming soon!
the first part of it - message syncing to a new secondary device - is now in pre-beta testing!
go and help test it out!
community.signalusers.org/t/he

Frankie ✅'s avatar
Frankie ✅

@Some_Emo_Chick@mastodon.social

Firefox, one of the first “Do Not Track” supporters, no longer offers it.

It was more than useless. Websites did not have to honor it and in fact would use it as one more point of entropy for fingerprinting your identity.

arstechnica.com/gadgets/2024/1

lars's avatar
lars

@ls@social.lsnet.eu

@dansup This doesn't seem like a good idea to me. On the one hand, transcoding uses up a lot of battery power, and on the other hand, simpler smartphones may not be able to cope with it, or it takes a long time and the device gets pretty warm.

But I see the bigger problem in : If the encoding is done on the client side, an attacker can prepare the video in such a way that it crashes the decoder on other phones or use security vulnerabilities to execute code, with as a multiplicator.

Mysk🇨🇦🇩🇪's avatar
Mysk🇨🇦🇩🇪

@mysk@mastodon.social

The severity level of this bug is critical, 9.8 out of 10. Upgrade your devices.

nvd.nist.gov/vuln-metrics/cvss


mastodon.social/@mysk/11363663

David Bisset's avatar
David Bisset

@davidbisset@phpc.social

"What's the worst password incorrect dialog box?"

🤔

Dialog box that says something the effect of "Error: This password is already used by starboy99. Try another." This text may not be letter for letter exact.
ALT text detailsDialog box that says something the effect of "Error: This password is already used by starboy99. Try another." This text may not be letter for letter exact.
yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

zizmor 0.9.0 is released!

some key changes:

* bugfixes/precision improvements around a handle of safe template patterns (e.g. `runner.temp`)
* precision improvements to our handling of matrices and matrix expansions, thanks to @ubiratansoares
* the terminal interface has been reworked to use tracing spans internally, making it even more responsive

full release notes here: github.com/woodruffw/zizmor/re

a screen recording of `zizmor` auditing a remote repository, showing the new tracing span based progress indicators
ALT text detailsa screen recording of `zizmor` auditing a remote repository, showing the new tracing span based progress indicators
Turris project's avatar
Turris project

@turris@fosstodon.org

Hi , let's start our journey here with our . We are project by . We develop and produce with focus on running distribution based on . Of course, we provide automatic and accounts. We have a of running on our devices and create a dynamic based on the data.

Morten Linderud's avatar
Morten Linderud

@Foxboron@chaos.social

I'm mind blown you can compromise a release CI/CD system with two malicious branch names. Like how.

github.com/ultralytics/ultraly

TheEvilSkeleton's avatar
TheEvilSkeleton

@TheEvilSkeleton@treehouse.systems

At last, the USB portal originally authored by @refi64 in 2021, later continued by Georges Stavracas in 2023, and finalized by @hub and @swick, has been merged!

The USB portal allows sandboxed formats like Flatpak to access USB devices without poking holes in the sandbox. This is great for security, as accessing USB devices will now need to be explicitly granted by the user.

Now we just need to wait for implementers to implement them in their respective portal implementations, starting with GNOME: gitlab.gnome.org/GNOME/xdg-des

The documentation for the USB portal is available on the xdg-desktop-portal website: flatpak.github.io/xdg-desktop-

FreeBSD Foundation's avatar
FreeBSD Foundation

@FreeBSDFoundation@mastodon.social

FreeBSD 14.2 is here! New ZFS, Firecracker VMM, AIM for UDP, rtw89(4) driver, & AddressSanitizer. Explore performance & security updates! 🔗buff.ly/4f5bZG5

Seth Michael Larson's avatar
Seth Michael Larson

@sethmlarson@fosstodon.org

I've noticed a concerning trend of "slop security reports" being sent to open source projects. Here are thoughts about what platforms, reporters, and maintainers can do to push back:

sethmlarson.dev/slop-security-

Veronica Olsen 🏳️‍🌈🇳🇴🌻's avatar
Veronica Olsen 🏳️‍🌈🇳🇴🌻

@veronica@mastodon.online

Someone told me yesterday of a minutes app for meetings they'd found. Knowing how these apps work, I checked the security policy. I got my fears confirmed. It collects data and share it with 8 third parties, including use for ads & analysis.

I showed her this, and said she should probably get consent from others when using the app. Today she told me she'd uninstalled it and thanked me for the warning!

We can't expect people to figure this out. We need better regulation.

Tuta's avatar
Tuta

@Tutanota@mastodon.social

At Tuta, we believe that best security must be free for everyone.

We are happy to announce that in December all existing Tuta accounts will be upgraded to quantum-safe encryption! 🥳🎉

With TutaCrypt your data is safe - now and in the future. ⚛️ 🔒

Learn more about this quantum leap in : tuta.com/blog/post-quantum-cry

Crypto lock of Tuta
ALT text detailsCrypto lock of Tuta
heise Security's avatar
heise Security

@heisec@social.heise.de

Helldown-Ransomware: Einbruch durch Sicherheitslücke in Zyxel-Firewalls

IT-Forscher beobachten, dass die Helldown-Ransomware nach Einbruch in Netze durch Sicherheitslücken Zyxel-Firewalls zuschlägt.

heise.de/news/Helldown-Ransomw

heise Security's avatar
heise Security

@heisec@social.heise.de

Wordpress-Plug-in Anti-Spam by Cleantalk gefährdet 200.000 Seiten

Im Wordpress-Plug-in Anti-Spam by Cleantalk klaffen gleich zwei Sicherheitslücken, durch die nicht authentifizierte Angreifern Instanzen kompromittieren können.

heise.de/news/Wordpress-Plug-i

Mike Fiedler, Code Gardener's avatar
Mike Fiedler, Code Gardener

@miketheman@hachyderm.io

I wrote a report on a recent package uploaded to over here: blog.pypi.org/posts/2024-11-25

🄷e⃞i⃞t⃞e⃞c⃞ Ⓜ️'s avatar
🄷e⃞i⃞t⃞e⃞c⃞ Ⓜ️

@Heitec@mastodon.social

Signal Is Now a Great Encrypted Alternative to Zoom and Google Meet
And Signal app is FREE 😁

lifehacker.com/tech/signal-is-

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

PyPI's support for PEP 740 now includes GitLab, extending support beyond the initial scope (which was GitHub). that means that, if you're a GitLab CI/CD user, you can now upload attestations to PyPI and the index will verify and re-serve them!

docs here: docs.pypi.org/attestations/pro

screencap of https://docs.pypi.org/attestations/producing-attestations/#gitlab-cicd
ALT text detailsscreencap of https://docs.pypi.org/attestations/producing-attestations/#gitlab-cicd
Hazelnoot's avatar
Hazelnoot

@hazelnoot@enby.life

Urgent Warning for Fedi Admins

We've discovered an ongoing Denial-of-Service attack against Misskey-based instances. The attacks exploit a zero-day vulnerability impacting Misskey, Sharkey, IceShrimp, and other related software. Patches are in progress and will be released ASAP. We encourage all admins to update immediately!

Note: this is a different vulnerability from the ones that were recently announced! You should update today and again tomorrow at the scheduled time.

Update: Sharkey version 2024.9.2 has been released with a patch. You can get the update here: https://activitypub.software/TransFem-org/Sharkey/-/releases/2024.9.2

Frankie ✅'s avatar
Frankie ✅

@Some_Emo_Chick@mastodon.social

Let's Encrypt is 10 years old today!
Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Huge thanks to everyone involved in making HTTPS available to everyone for free

letsencrypt.org/

Senioradmin's avatar
Senioradmin

@Haydar@social.tchncs.de

Oha, das ist provokativ: Dieser Blogartikel sagt:

- Nutzt kein /
- Nutzt kein + OMEMO
- Nutzt kein (im Sinne: verlasst euch nicht auf die Verschlüsselung)
- E-Mails verschlüsseln ist sinnlos

Ich kenne den Autor nicht und würde ihn nicht erwähnen, würde der Artikel nicht in ernstzunehmenden ITSec-Newslettern zitiert

soatok.blog/2024/11/15/what-to

Meinungen?

yossarian (1.3.6.1.4.1.55738)'s avatar
yossarian (1.3.6.1.4.1.55738)

@yossarian@infosec.exchange

Security means securing people where they are

blog.yossarian.net/2024/11/18/

Mark's avatar
Mark

@paka@mastodon.scot

US senators urge investigation into Musk

Senators argued ’s involvement in programs should be reviewed for potential debarment & exclusion due to the alleged contacts. Debarment would bar him from certain contracts and privileges.

Relationships between well-known US & Musk, beneficiary of billions in US govt funding, is serious risk regarding ’s reliability as contractor & holder

kyivindependent.com/democratic

Cloudflare's avatar
Cloudflare

@cloudflare@noc.social

Election infrastructure is vital to global democracies. Find out how the Internet plays its part, in this conversation with Cloudflare and Accenture. Watch the full Modern Security episode here >> cfl.re/48HUZnR

Benjamin Carr, Ph.D. 👨🏻‍💻🧬's avatar
Benjamin Carr, Ph.D. 👨🏻‍💻🧬

@BenjaminHCCarr@hachyderm.io

Le Monde used to track the movements of world leaders. They don’t use tracking devices, but their do.
: lemonde.fr/en/france/article/2
and : lemonde.fr/en/united-states/ar
: lemonde.fr/en/international/ar

Nix Kelley's avatar
Nix Kelley

@nixkelley@blog.housewayreth.org · Reply to Nix Kelley's post

tip:

unless you know your chats or audio/video calls are secure, DON'T say anything that you wouldn't say around an unsafe person.

does this restrict your speech? yes it fucking does. but only in certain spaces.

be the annoying person who suggests over and over again to set up a secure group chat with your fellow community members. almost every service is free to use.

remember that is not secure comms. remember that chats, and activity there, is not secure comms. remember that anything owned by Meta is not secure comms no matter what the company says.

be too careful. it's better to be too careful than careless for a moment.

Agnieszka R. Turczyńska's avatar
Agnieszka R. Turczyńska

@agturcz@circumstances.run

Is there any European body giving recommendations/requirements about It security, similar to NIST? Especially I'm looking for an organisation giving recommendations for passwords related policies. Preferably a widely scoped, but if there is anything reasonable in a particular industry, I'd be glad to know it as well.

Asta [AMP]'s avatar
Asta [AMP]

@aud@fire.asta.lgbt

Hey everyone! A couple good things to remember:

Signal is your friend! https://signal.org/
Be careful about what you post on corporate and federated social media. You don't need to self censor but you should take extra spicy discussions to something like Signal!

(people: please feel free to add hot tips for helping people keep things private!)

EDIT: It's definitely worth pointing out what I mean about "spicy". Expressing frustration in a way that could easily be misinterpreted by law enforcement? That's spicy! Planning a safe, legal protest? I'd argue that's spicy! That's the sort of thing I mean by this. No encryption or software is perfect; consider the level of risk when utilizing the tools.

But broadcasting stuff on social media can carry a lot of risk, so just... you know.

Olly 👾's avatar
Olly 👾

@Olly42@nerdculture.de

Apple creates Private Cloud Compute VM to let Researchers find Bugs. :apple_inc:

The company also seeks to improve the system's security and has expanded its security bounty program to include rewards of up to [$1 Million] for vulnerabilities that could compromise “the fundamental security and privacy guarantees of PCC”.

security.apple.com/blog/pcc-se

Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture. The company also makes available the Private Cloud Compute Security Guide, which explains the architecture and technical details of the components and the way they work. <https://security.apple.com/documentation/private-cloud-compute>
ALT text detailsApple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some “key components” to help researchers analyze the privacy and safety features on the architecture. The company also makes available the Private Cloud Compute Security Guide, which explains the architecture and technical details of the components and the way they work. <https://security.apple.com/documentation/private-cloud-compute>
[ImageSource: Apple] Interacting with the Private Cloud Compute client from the Virtual Research Environment. Apple provides a Virtual Research Environment (VRE), which replicates locally the cloud intelligence system and allows inspecting it as well as testing its security and hunting for issues. “The VRE runs the PCC node software in a virtual machine with only minor modifications. Userspace software runs identically to the PCC node, with the boot process and kernel adapted for virtualization,” Apple explains, sharing documentation on how to set up the Virtual Research Environment on your device. VRE is present on macOS Sequia 15.1 Developer Preview and it needs a device with Apple silicaon and at least 16GB of unified memory. <https://security.apple.com/documentation/private-cloud-compute/vresetup>
ALT text details[ImageSource: Apple] Interacting with the Private Cloud Compute client from the Virtual Research Environment. Apple provides a Virtual Research Environment (VRE), which replicates locally the cloud intelligence system and allows inspecting it as well as testing its security and hunting for issues. “The VRE runs the PCC node software in a virtual machine with only minor modifications. Userspace software runs identically to the PCC node, with the boot process and kernel adapted for virtualization,” Apple explains, sharing documentation on how to set up the Virtual Research Environment on your device. VRE is present on macOS Sequia 15.1 Developer Preview and it needs a device with Apple silicaon and at least 16GB of unified memory. <https://security.apple.com/documentation/private-cloud-compute/vresetup>
heise Security's avatar
heise Security

@heisec@social.heise.de

Change Healthcare: Größtes Datenleck im US-Gesundheitswesen

Nach einem Cyberangriff auf Change Healthcare Anfang des Jahres gibt es Gewissheit. Krankendaten von fast einem Drittel der US-Bevölkerung wurden geleakt.

heise.de/news/Change-Healthcar

Jonathan Lamothe's avatar
Jonathan Lamothe

@me@social.jlamothe.net

Just got a notification from F-Droid that my browser ( ) has known issues. Looks like I'm in the market for a new browser on my mobile devices.

I know I'm gonna hate asking this, but what browser sucks the least on these days?

João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦's avatar
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@joaocosta@mastodon.social

"Russia’s Central Bank raised its key from 19% to a historic 21% on Friday"

"seasonally adjusted price growth last month rose to 9.8% year-on-year from 7.5% in August. Core increased to 9.1% from 7.7% over the same period."

"russia has faced volatile prices since it sent troops into in February 2022"

" is set to spend almost 9% of its GDP on and this year"

themoscowtimes.com/2024/10/25/

Pedro Piñera's avatar
Pedro Piñera

@pedro@mastodon.pepicrft.me

There should be a SOC 2 version for companies that are just getting started. The amount of work required to be compliant can kill companies…

Erik L. Midtsveen :debian:'s avatar
Erik L. Midtsveen :debian:

@midtsveen@social.linux.pizza

Your average free spirit, boosting psychedelics, complaining about North Korea, ranting about mobile security, and reminding you why @pir matters!

If you’re really curious, check out my website: midtsveen.github.io

XenoPhage :verified:'s avatar
XenoPhage :verified:

@XenoPhage@infosec.exchange

BSides Delaware parking and hotel information is up on the website now! bsidesdelaware.com/2024-venue/

If you don't have your tickets yet, WHAT ARE YOU WAITING FOR! Come join us!

eventbrite.com/e/security-bsid

AND SPEAK! CFP is open and waiting for your amazing submissions!

bit.ly/BDECFP24

Membook's avatar
Membook

@membook@rigcz.club

A two-panel illustration. The first panel shows a hand applying the sticker, obscuring the camera with the caption "YES,". The second panel depicts a smartphone screen with a front camera in the notch, labeled "BUT".
ALT text detailsA two-panel illustration. The first panel shows a hand applying the sticker, obscuring the camera with the caption "YES,". The second panel depicts a smartphone screen with a front camera in the notch, labeled "BUT".
xoron :verified:'s avatar
xoron :verified:

@xoron@infosec.exchange

Decentralized Encrypted P2P Chat

Blog: positive-intentions.com/blog/i

GitHub: github.com/positive-intentions

Demo: chat.positive-intentions.com

Follow for more!

positive-intentions
ALT text detailspositive-intentions
Jeremiah Lee's avatar
Jeremiah Lee

@Jeremiah@alpaca.gold

Grant Negotiation and Authorization Protocol (GNAP), the successor to OAuth 2, became RFC 9635 yesterday!

GNAP is easier to use than OAuth 2.0, with best practices as defaults and clearly articulated uses cases.

rfc-editor.org/rfc/rfc9635

Sascha Wübbena :mastodon:'s avatar
Sascha Wübbena :mastodon:

@wuebbsy@sueden.social

Wichtiger Hinweis am Rande:

Wer via die WLAN-Daten auf iPhones, iPads und Macs verteilt, damit nur Unternehmensgeräte ins Netzwerk können, der sollte UNBEDINGT die -App ausblenden.

Es wäre sonst möglich, sich in der Rubrik „WLAN“ den Anmelde-QR-Code anzeigen zu lassen, was es dann zu einem Kinderspiel macht, auch private Geräte ins Netzwerk einzubinden.

Die bessere Variante ist, den Zugang zum nur mittels eines Zertifikats zuzulassen.

Quad9DNS's avatar
Quad9DNS

@quad9dns@mastodon.social

We're excited to announce the receipt of critical funding from @craignewmark Philanthropies to continue and further our work on improving the and stability of the Internet through our services, as part of CNP's commitment to .

quad9.net/news/press/quad9-rec

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

There is no such thing as a backdoor for good guys. Once you place a backdoor, you compromise the safety and privacy of all your users. A third party or bad guys will get access to it and abuse it further. The concept of a "backdoor for good guys" is fundamentally flawed and dangerous. It sets a dangerous precedent. Security and privacy should be absolute. There's no safe way to create a backdoor that can't be exploited by malicious actors.

Carey Parker's avatar
Carey Parker

@FirewallDragons@mastodon.social

My 400TH is only 5 weeks away! For 7.5 years, I've helped my audience improve their & . And damn it, that's worth celebrating! 🥂🐉🔥

Wanna help? Post a link to a fav episode & tag it !

Stay tuned for more...

💯 💯 💯 💯

podcast.firewallsdontstopdrago

Thomas Broyer's avatar
Thomas Broyer

@tbroyer@piaille.fr · Reply to Thomas Broyer's post

And another one published simultaneously: Why are JWT?

about why you don't actually want to add them to your application, and certainly not as a kind of session token

blog.ltgt.net/jwt/

Thomas Broyer's avatar
Thomas Broyer

@tbroyer@piaille.fr

New blog post: Beyond the login page

about why authentication is much more than just a login page and password storage and verification

blog.ltgt.net/beyond-the-login

Harris Lapiroff 🔥's avatar
Harris Lapiroff 🔥

@harris@social.coop

Fresh !

Hi, I'm Harris.

Professionally I work for Freedom of the Press Foundation (freedom.press/) managing our web team and @dangerzone. I'm a web developer learning to put my skills to good use.

My posts are likely to be about and, lately, some self-conscious epistemic trespassing.

I also do a lot of social dance and making—maybe I'll try posting about those a bit more often!

Me holding a red margarita.
ALT text detailsMe holding a red margarita.
Me dancing with a partner in a wooden outdoor pavillion.
ALT text detailsMe dancing with a partner in a wooden outdoor pavillion.
Portrait of me leaning on a railing on a rooftop. I'm a mixed Asian-Caucasian man with wire rimmed round glasses and long black hair in my thirties. I'm wearing a white shirt with botanical flower print.
ALT text detailsPortrait of me leaning on a railing on a rooftop. I'm a mixed Asian-Caucasian man with wire rimmed round glasses and long black hair in my thirties. I'm wearing a white shirt with botanical flower print.
Mike Kuketz 🛡's avatar
Mike Kuketz 🛡

@kuketzblog@social.tchncs.de

Fennec und Mull sind besonders für datenschutzbewusste Nutzer interessant, aber wegen der verzögerten Updates nicht für jeden geeignet. Teil 5 der Artikelserie »Sichere und datenschutzfreundliche Browser«. 👇

kuketz-blog.de/fennec-und-mull

Mad A. Argon :qurio:'s avatar
Mad A. Argon :qurio:

@madargon@is-a.cat

How I see attempts to force in E2E ...

Comic with title "Government's fight against encryption". First picture: Nerdy-looking man with beard holds baloon. Other man has a needle and says: "I want a small hole in this so I could use it if I would need to." Man with beard replies: "But it's impossible! Or you would destroy everything..." Second picture: Closer view, head, shoulders and arm of bearded man with ballon. Only hands of man with needle are visible, needle is close to ballon. Man with needle says: "I said only small hole. Nobody else would know about this." Bearded man replies: "It doesn't work... THIS WAY!". His last two words are on third picture, with close view of ballon and hand touching its surface with needle. On last, fourth picture there is orange-yellow explosion with big text "BOOM!".
ALT text detailsComic with title "Government's fight against encryption". First picture: Nerdy-looking man with beard holds baloon. Other man has a needle and says: "I want a small hole in this so I could use it if I would need to." Man with beard replies: "But it's impossible! Or you would destroy everything..." Second picture: Closer view, head, shoulders and arm of bearded man with ballon. Only hands of man with needle are visible, needle is close to ballon. Man with needle says: "I said only small hole. Nobody else would know about this." Bearded man replies: "It doesn't work... THIS WAY!". His last two words are on third picture, with close view of ballon and hand touching its surface with needle. On last, fourth picture there is orange-yellow explosion with big text "BOOM!".
Berkubernetus's avatar
Berkubernetus

@fuzzychef@m6n.io

Red Hat Open Source Practice Office () is hiring not one, not two, but three new staff! If you're into working 100% on community , one of these jobs may be for you.

All positions are attached to either the Ireland or Czech office.

Security Community Architect: work in our Verticals Team identifying, boosting, and participating in communities: redhat.wd5.myworkdayjobs.com/e

(1/2)

MadeInDex's avatar
MadeInDex

@madeindex@mastodon.social

@torproject & @tails are going to strengthen their collaboration by merging¹! 👍

has also released a new alpha

✔ It seems this does not address any of the potential issues, recently suspected after claims to have used to unmask Tor users.

✔ Potential solutions: timing delays, cover traffic...

¹blog.torproject.org/tor-tails-
²blog.torproject.org/tor-is-sti

Nonilex's avatar
Nonilex

@Nonilex@masto.ai

MVP speaking soon in , about building an that will work for all Americans.

for & Gov to protect our fundamental freedoms & defeat & the this .



youtube.com/watch?v=XokApnr_Ca

Dr. John Barentine FRAS's avatar
Dr. John Barentine FRAS

@JohnBarentine@astrodon.social

"The team used a DJI Phantom 4 Pro drone as a stand-in for such an aircraft for an experiment. Using a ground-based radar system, the team spotted the tiny drone thanks to the radiation emitted by a Starlink , which was flying over the Philippines at the time."

futurism.com/the-byte/chinese-

Curtis "Ovid" Poe (he/him)'s avatar
Curtis "Ovid" Poe (he/him)

@ovid@fosstodon.org

Have you ever heard of SS7? It's the backbone of most of our phone system and it's extremely insecure. Here's Veritasium exposing how easy it is to intercept your calls and texts without your knowledge.

youtube.com/watch?v=wVyu7NB7W6

Alex Shoup's avatar
Alex Shoup

@alexshoup@mastodon.social

I guess I should probably do an

- IT professional
- born and raised
- Lifelong fan of football.
- Advocate of , , and .
- user (btw, I use )
- Building experience with my

Chris Alemany🇺🇦🇨🇦🇪🇸's avatar
Chris Alemany🇺🇦🇨🇦🇪🇸

@chris@mstdn.chrisalemany.ca

Any security/privacy experts have any thoughts about Apple’s Private Relay service through their iCloud+ subscription?
Good?
Bad?
Irrelevant?
I won’t be getting rid of my iCloud account anytime soon, so unless there is some other compelling reason not to, it seems worth using it.
Edit: Ironically, I couldn’t send this post from my local server because, I think, of my local DNS so… Private Relay off now. 😆

A white text on black screenshot of the ICloud Private Relay description says: “iCloud Private Relay Private Relay is an innovative Internet privacy service built directly into iCloud that lets you connect to the internet and browse the web in a more secure and private way. Normally, when you browse the web, your local network can use your DNS records to see the names of the websites you're visiting. In addition, the websites you visit may collect your IP address, which allows them to determine your identity and approximate location without your explicit permission. All of this information can be aggregated over time into a detailed profile about you that may be used for targeted advertising and other purposes. To help solve this problem, Private Relay protects users' web browsing in Safari, DNS resolution queries, and insecure http app traffic. It routes the traffic through two separate internet relays that hide your IP address and encrypt your web traffic such that no single party-including Apple—can see both who you are and what sites you're visiting. Private Relay is available to all iCloud+ subscribers. You can turn it on or off any time from your iCloud settings.”
ALT text detailsA white text on black screenshot of the ICloud Private Relay description says: “iCloud Private Relay Private Relay is an innovative Internet privacy service built directly into iCloud that lets you connect to the internet and browse the web in a more secure and private way. Normally, when you browse the web, your local network can use your DNS records to see the names of the websites you're visiting. In addition, the websites you visit may collect your IP address, which allows them to determine your identity and approximate location without your explicit permission. All of this information can be aggregated over time into a detailed profile about you that may be used for targeted advertising and other purposes. To help solve this problem, Private Relay protects users' web browsing in Safari, DNS resolution queries, and insecure http app traffic. It routes the traffic through two separate internet relays that hide your IP address and encrypt your web traffic such that no single party-including Apple—can see both who you are and what sites you're visiting. Private Relay is available to all iCloud+ subscribers. You can turn it on or off any time from your iCloud settings.”
Max "Sweaty Sunsets of September" Eddy's avatar
Max "Sweaty Sunsets of September" Eddy

@maxeddy@infosec.exchange

I never did an !

Hi, I'm Max. I live in and do at PCMag where I cover , , and . I also write reviews of and professionally complain about . I'm the Unit Chair of the ZDCG and moonlight as a organizer. If you want to learn about how to unionize your workplace, plz DM me. I play badly and think about literature. I'm spending too much money on .

Mysk🇨🇦🇩🇪's avatar
Mysk🇨🇦🇩🇪

@mysk@mastodon.social

🚨🎬 🧵 1/4
Here is what happens when you insert an unlocked SIM card into a locked iPhone:
- The accepts the SIM card and connects to the internet 😳
- Apple immediately adds the phone number of the SIM card to the Apple ID of the iPhone owner 😲
- accepts the new phone number as a username to sign in with the Apple ID of the iPhone owner 😱
- iOS activates the new phone number for iMessage 🤯

The video:

youtu.be/ln-8KnwtdSw

Mysk🇨🇦🇩🇪's avatar
Mysk🇨🇦🇩🇪

@mysk@mastodon.social

🚨🎬 Privacy Concerns about Apple Push Notifications

TL;DR: data-hungry apps use push notifications as a trigger to send app analytics and device information to their remote servers, even if the apps aren't running at all on your iPhone. Such apps include TikTok, Facebook, FB Messenger, Instagram, Threads, X, and many more.

Watch this video to see it in action:
youtu.be/4ZPTjGG9t7s

🧵 1/9

João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦's avatar
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@joaocosta@mastodon.social

Bilateral agreements signed with 🇺🇦

1️⃣ 12/1🇬🇧
2️⃣ 16/2🇩🇪
3️⃣ 16/2🇫🇷
4️⃣ 23/2🇩🇰
5️⃣ 24/2🇨🇦
6️⃣ 24/2🇮🇹
7️⃣ 02/3🇳🇱
8️⃣ 03/3🇫🇮
9️⃣ 11/4🇱🇻
1️⃣0️⃣ 28/5🇪🇸
1️⃣1️⃣ 28/5🇧🇪
1️⃣2️⃣ 28/5🇵🇹
1️⃣3️⃣ 31/5🇸🇪
1️⃣4️⃣ 31/5🇳🇴
1️⃣5️⃣ 31/5🇮🇸
1️⃣6️⃣ 13/6🇺🇸
1️⃣7️⃣ 13/6🇯🇵
1️⃣8️⃣ 27/6🇪🇪
1️⃣9️⃣ 27/6🇱🇹
2️⃣0️⃣ 27/6🇪🇺
2️⃣1️⃣ 08/7🇵🇱
2️⃣2️⃣ 10/7🇱🇺
2️⃣3️⃣ 11/7🇷🇴
2️⃣4️⃣ 18/7🇨🇿
2️⃣5️⃣ 18/7🇸🇮
2️⃣6️⃣ 04/9🇮🇪
2️⃣7️⃣ 11/9🇱🇹

@BjornW@mastodon.social's avatar
@BjornW@mastodon.social

@BjornW@mastodon.social

Here's my :
I live in The Netherlands, Europe. I work as a self-employed tech consultant & software developer. I like to tinker & have way too many interests :)

Likely to toot about:
,

h o ʍ l e t t's avatar
h o ʍ l e t t

@homlett@mamot.fr

's reCAPTCHA v2 just labor , boffins say
theregister.com/2024/07/24/goo

“The conclusion can be extended that the true purpose of v2 is a image-labeling and farm for advertising and masquerading as a service”

Reclaim Your Tech

@reclaimyourtech@assemblag.es

(1/2)
Announcing the launch of a new blog, Reclaim Your Tech (reclaimyour.tech).

This blog was founded on the premise that digital infrastructure should be owned by individuals, their families, and their communities. Being user first, it will provide technical guides, open-source tools, software recommendations, essays, and discussion.

Lukasz Olejnik's avatar
Lukasz Olejnik

@LukaszOlejnik@mastodon.social

My book “PROPAGANDA: from disinformation and influence to operations and information warfare” treats the subject adequately, comprehensively, broadly, expertly. How does information influence work? Offence & defence. Expert arrangement of the subject.
blog.lukaszolejnik.com/propaga

Jef Kazimer😶‍🌫️'s avatar
Jef Kazimer😶‍🌫️

@JefTek@infosec.exchange

With the ever increasing attacks on users, moving to is a must in order to reduce the attack surface of just relying on a password to secure access to resources. Implementing that is enforced all the time relies on also having a good user experience, which gave rise to mobile authenticator apps since many users always have their phones with them. However it also gave rise to and griefing to get those users to approve. With the recent GA of orgs can enable number match and context for the push notification to further improve the of the users by avoiding the blind approval of a push notification.

🔥 See the post on the AzureAD blog here and go enable these settings for your organization techcommunity.microsoft.com/t5

heise online's avatar
heise online

@heiseonline@social.heise.de

Faktencheck: Telegram ist weniger privat als andere Messenger

Die Annahme, Telegram sei besonders sicher, scheint sich hartnäckig zu halten. Fakt ist: In puncto Verschlüsselung ist Telegram der Konkurrenz unterlegen.​

heise.de/hintergrund/Faktenche

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Pummel out of the sky? Impossible; as David Burbach, affairs prof at the Naval War College,…[said], “Nobody has enough anti-satellite weapons to come anywhere near shooting that down.”

& Starlink, which currently operates in 75 countries, is only getting bigger. A new batch of went up today. has already received approval from regulators [🤬] to launch thousands more,

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The fiasco may have led to backing down, but it has also revealed just how easily he can serve users whatever HE may want. ’s fame, the omnipresence of his many businesses, & his growing attention to does not automatically translate to expertise [ya think? He’s a fanboy FFS]. But what could Brazil—or any nation—really do to curb his control?

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Since took over , he has made it a cozy home for provocateurs, reinstated the accounts of previously banned bad actors, promoted , & made the website worse at separating fact from fiction. And yet, believes that is the “number 1 source of news in the world.” [🤦🏼‍♀️] For a part of the world that relies on , Musk could, if he wanted, make it the ONLY source.[😱]

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Other companies are working on their own constellations, incl’g , but they’re lagging far behind—& none of their leaders owns prominent companies, where they can [personally] govern the flow of .

Compared w/ , the world’s town square, as calls , is a cauldron of , especially for users.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

At the time of this writing—& that’s important to note, because launches a fresh batch nearly every week—more than 6k operational are circling Earth, accounting for >½ of all functioning satellites in orbit.

Starlink has grown so large in part because SpaceX is simply the most prolific company in the world.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The deal resembled agreements between & other world powers for , but as far as we know, the , where is registered, did not send to the to broker it. He flew over on his private jet.

is what’s known in the business as a .

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

toured a kibbutz that had attacked, dressed in a suit instead of his trademark occupy mars T-shirt, & offered ’s services to the Israeli govt. has imposed blackouts & destroyed in …. This summer, after lengthy negotiations, Israeli authorities allowed to activate in one hospital in Gaza, w/more service on the way.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

As one undersecretary told @NewYorker’s Ronan Farrow, “Even though is not technically a diplomat or statesman, I felt it was important to treat him as such, given the he had on this issue.”

Last year, when ’s PM Benjamin hosted for a visit, the billionaire looked—& [cos]played—the part of a world leader traveling to a war zone.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Soon, found himself w/ immense decision-making , as authorities pleaded w/him to activate over a port city in , apparently so that they could conduct a surprise drone attack on ’s fleet anchored there. By the end of the war’s first year, when no longer wanted to foot the bill for Starlink ops, the jumped to take over the job before SpaceX could cut off access.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

dispatched terminals to places reeling from natural disasters, & then to the front lines of war. When invaded in early 2022, it hacked the provider that the Ukrainian military relied on for communications. Ukrainian ofcls appealed to for help, & dispatched truckloads of terminals to the besieged country, for free.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Not only can now determine who gains traction on a small but corner of the web; in certain corners of the , he can also determine WHO has to the at all, & WHAT people encounter when they use it.

For a service that took off only about 5 yrs ago, has become impressively ubiquitous, available for use on all 7 continents.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

This particular feud has crystallized an unsettling truth that is growing more apparent each day: is becoming an god [oh he’s gonna love that 🤢]. -based internet & are a potent combination, & their by a single person is quite unprecedented—& alarming in the same manner as a federal govt restricting online speech via sweeping decree.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

(& pursue action over assets). But in other ways, the debacle is a microcosm of fraught, ongoing debates over & around the world [& businesses abiding by the laws of the countries in which they operate]

…[’s] actions could be seen as a…corrective to govt overreach. But they seem less magnanimous when you consider that the alternative to govt overreach is…a World Wide Web governed by the whims of the world’s richest man.

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

The fight reached a boil in recent days, when instructed providers in to cut off access to altogether & refused to block the site on until the latter business got its accounts back.

In some ways, this is classic Musk, scuffling w/ govt agencies when he believes they’re infringing on HIS enterprises. “What a scumbag!” Musk posted about de Moraes yesterday, after Starlink reversed course & agreed to block X….

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

, the CEO of , received a medal from the Brazilian govt. But now ’s Brazilian service is tangled in a mess of tensions, , personal , & to revoke the company’s license to operate in the country. And this drama all started because of another business that links strangers around the globe: , née .

Nonilex's avatar
Nonilex

@Nonilex@masto.ai

Has the Off Switch

With both & under his control, the world’s richest man wields unprecedented .

By Marina Koren

Since Starlink first beamed down to Brazil 2yrs ago, hundreds of communities in the Amazon that were previously off the grid found themselves connected to the rest of the world. Here was the purest promise of SpaceX’s —to provide in even the most remote places on Earth—fulfilled.


theatlantic.com/technology/arc

44CON's avatar
44CON

@44CON@infosec.exchange

44CON 2024 - Want to become a pro reverser? Get good - 44con.com/2024/09/05/unlock-re

Image showing headshots of three speakers, in order - John Mac, Mathilde Venault, Joxean Koreat, and the 44CON logo and dates in the lower left
ALT text detailsImage showing headshots of three speakers, in order - John Mac, Mathilde Venault, Joxean Koreat, and the 44CON logo and dates in the lower left
fraggLe!'s avatar
fraggLe!

@fwaggle@moodoo.org

as I can tag now.

I'm fwaggle, and have been for ages. If you've been around for 20+ years and you're thinking "hey, I think I know that guy" then you're probably right. If you thought I was a dickhead 20 years ago, you're almost certainly right... I'm trying to do better now though.

I do things for a WordPress host, which is good fun.

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

Microsoft has confirmed that Windows 11 users will not be able to uninstall the controversial “Recall” feature, despite earlier reports suggesting otherwise. Recall, part of the Copilot+ suite announced in May, automatically captures screenshots of user activity on the operating system including sensitive information such as passwords or financial data digitalmarketreports.com/news/ Do yourself a favor and get rid of Windows from your life—enough of these greedy companies.

The Matrix.org Foundation's avatar
The Matrix.org Foundation

@matrix@mastodon.matrix.org

Authentication is almost always the most frustrating step of interacting with a service. Matrix is no different, but Quentin is about to dramatically improve the situation.

Get a glimpse of all the goodness awaiting to be unlocked once his project lands!

youtu.be/dmUi4ZoYRWc

A YouTube thumbnail for Matrix Live. There is a dark background. On the top right is written "S09E39". In the center, there is an icon of a lock, between the square brackets of the Matrix logo. On the bottom there is the Matrix Logo, and the title: "Getting authentication out of the way".
ALT text detailsA YouTube thumbnail for Matrix Live. There is a dark background. On the top right is written "S09E39". In the center, there is an icon of a lock, between the square brackets of the Matrix logo. On the bottom there is the Matrix Logo, and the title: "Getting authentication out of the way".
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦's avatar
João Costa 💚🇵🇹🇪🇺🇬🇧🇺🇦

@joaocosta@mastodon.social

We should be arming , not "for as long as it takes", but TO WIN.

Why? Because, to begin with, we are seriously struggling to keep afloat "for as long as it takes" and, in order to defend democracy, we must achieve a resounding Ukrainian .

That's why oligarchs, terrorists, extremists and dictators are ALL so invested in stopping war-time investment in European in the Ukrainian front.

Focus. Act decisively. Act now.



Illustration of a mass of water with the word "Russia" contained by a dam with the word "Ukraine". The dam wall is cracking. Below it, a town with the word "Europe".
ALT text detailsIllustration of a mass of water with the word "Russia" contained by a dam with the word "Ukraine". The dam wall is cracking. Below it, a town with the word "Europe".
PrivacyDigest's avatar
PrivacyDigest

@PrivacyDigest@mas.to

Legislature Approves A.I. Safety Bill

The California bill has spurred a fierce debate over how to regulate the new technology, which both technologists and lay people have hyped for its potential benefits and harms to humanity.

nytimes.com/2024/08/28/technol

GENKI's avatar
GENKI

@nibushibu@vivaldi.net

怖いな、これ :vivaldi_red: も影響あるのかな

news.mynavi.jp/techplus/articl

randomcruft's avatar
randomcruft

@randomcruft@mastodon.sdf.org

a list of for my

/ ( pays the bills)
/ ( for fun but not profit... learning other )
(it's both awesome and scary)
/ (however, will not turn down )
newbie ( / occupy my time currently)
(, , , , etc. etc.)
projects (if / as needed)

it's difficult writing 😅

Terri K O 🍁's avatar
Terri K O 🍁

@terri@social.afront.org

CVE Binary Tool 3.3 is released! (At long last!)

This is my work open source project that lets you scan for known vulnerabilities in your binaries, package lists and SBOMs. It's meant to make it easier (and cheaper!) to make secure open source software.

3.3 has new features from our Google Summer of Code 2023 contributors including EPSS metrics to help users assess risks associated with vulnerabilities, a new GitHub Action to make scanning easier, and a mirror of the NVD data backed by the same servers that do Linux distro mirroring so you don't have to deal with rate limits, downtime, and servers only located in the US.

Release notes: github.com/intel/cve-bin-tool/

And get the code on pypi:
pypi.org/project/cve-bin-tool/

Boosts appreciated!

Socialhome HQ's avatar
Socialhome HQ

@hq@socialhome.network

Socialhome v0.19.0 (security release!)

We noticed a similar vulnerability in #Socialhome that had been found in #Mastodon and various other projects, ie https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

This should hopefully now be mitigated and anyone running a #Socialhome instance should update asap.

Other changes:

  • Docker images are now based on Python 3.10
  • The public stream is disabled by default on single user instances (with a configured root profile) for privacy reasons regarding followed content

https://socialhome.network

#security

alltechpacks's avatar
alltechpacks

@alltechpacks@mastodon.social

       

Terence Eden’s Blog's avatar
Terence Eden’s Blog

@blog@shkspr.mobi

Falsehoods programmers believe about... Biometrics
https://shkspr.mobi/blog/2021/01/falsehoods-programmers-believe-about-biometrics/

(For the new reader, there is a famous essay called Falsehoods Programmers Believe About Names. It has since spawned a long list of Falsehoods Programmers Believe About....)

Everyone has fingerprints!

The BBC has a grim tale of a family with a genetic mutation which means they have no fingerprints. It details the issues they have getting official ID.

In 2010, fingerprints became mandatory for passports and driver's licences. After several attempts, Amal was able to obtain a passport by showing a certificate from a medical board. He has never used it though, partly because he fears the problems he may face at the airport. And though riding a motorbike is essential to his farming work, he has never obtained a driving licence. "I paid the fee, passed the exam, but they did not issue a licence because I couldn't provide fingerprint," he said. The family with no fingerprints

Even if this genetic issue didn't exist, it should be obvious that not everyone has fingers, or hands. Some people are born without hands, some people lose them later in life.

Policy is about the edge-cases. It's easy to design something which works for the majority of people - the real challenge is how we deal with the fringes.

Everyone has a unique face / unique DNA

Ever heard of twins, dumbass?

OK, it is a little bit more complicated than that.

It is easy to revoke a biometric indicator

Even if you assumed that everyone has ten fingers - that means you can only change your ID 9 times. If you're using iris recognition, that's one change you're permitted before you have to grow new eyeballs.

Biometrics can't be copied

Back in 2002, Tsutomu Matsumoto copied fingerprints using Gummy Bears.

Researchers can consistently fool iris scanners

3D printed facemasks can defeat facial recognition systems.

The thing about biometrics is that they are not secret. You leave your fingerprints everywhere. If a camera can read your face, it can copy your details.

Biometrics can't be changed

Will having a "nose job" stop your iPhone from recognising you? Probably not. But there are a range of surgical procedures which can be done.

People who have Facial Feminisation Surgery can be given a letter from a doctor to explain to border guards why a person's face may no longer match their biometrics.

Just remembered last nights dream about trying to go back to the UK but getting refused entry as my facial biometrics no longer matched.Thanks, brain.I bet the clinic would have warned you.Oh they did. I have formal letter stating that I might not pass biometrics anymore. 😂

What are they good for?

Biometrics are not passwords. Nor are they a universal 2nd factor. Biometrics are, at best, usernames.

For the average user, it's probably fine to use your fingerprint or face to unlock your phone. If you think an enemy state is going to devote considerable resources to steal copies of your biometrics, consider changing to a different password mechanism.

Or, if you have kids.

Friend's 5-year old daughter started unlocking his phone with his fingerprint while he's asleep so that she can play games.

He now sleeps with gloves on. #lifeisblackmirror

Or if you're cheating on your spouse.

A Qatar Airways pilot was forced to make an emergency landing after a passenger found out her husband was cheating on her and had a violent reaction in midair. The woman reportedly used her sleeping husband's finger to unlock his phone and discovered his cheating ways. Eyewitness News

In a safe-ish environment, biometrics are a good convenience mechanism. If your phone is snatched by an opportunistic thief, they're unlikely to have the means to spoof your ID.

But they are not a perfect security measure.

https://shkspr.mobi/blog/2021/01/falsehoods-programmers-believe-about-biometrics/

masukomi's avatar
masukomi

@masukomi@connectified.com

screenshot from Kalium! on twitter in 2021: remember to regularly change your pronouns for security reasons. keep pronouns safe with GNU Pronoun Guard an open source replacement for Symntec's Pretty Good Pronouns. reply from "The competence tank is empty": Similarly, your gender should contain at least one digit and a special character.
ALT text detailsscreenshot from Kalium! on twitter in 2021: remember to regularly change your pronouns for security reasons. keep pronouns safe with GNU Pronoun Guard an open source replacement for Symntec's Pretty Good Pronouns. reply from "The competence tank is empty": Similarly, your gender should contain at least one digit and a special character.
heise Security's avatar
heise Security

@heisec@social.heise.de

Noch kein Patch: Sicherheitsforscher beraubt Windows sämtlicher Schutzfunktionen

Stimmen die Voraussetzungen, können Angreifer Windows Update manipulieren, um beliebige Windows-Komponenten durch veraltete, angreifbare Vorgänger zu ersetzen.

heise.de/news/Noch-kein-Patch-

Paula Gentle on Friendica's avatar
Paula Gentle on Friendica

@gehrke_test@libranet.de

"75 Prozent der Server des Standorts waren anfällig für Cyberangriffe. [...]

Die Daten der Server blieben vier Jahre lang ungeschützt, berichtet der Guardian unter Verweis auf die NDA."


Atomkraft: Sellafield räumt massive Versäumnisse bei Cybersicherheit ein

Purism's avatar
Purism

@purism@librem.one

Hardware kill switches: Empowering users in the digital age. Our latest blog explores how physical control over your device builds trust, respects autonomy, and offers unparalleled protection. Discover how Purism is putting privacy at the forefront of mobile tech.
puri.sm/posts/the-evolution-of

Marcus "MajorLinux" Summers's avatar
Marcus "MajorLinux" Summers

@majorlinux@toot.majorshouse.com

Hackers are finding more ways to commit supply chain attacks.

Mac and Windows users infected by software updates delivered over hacked ISP

arstechnica.com/security/2024/

Aaron Rainbolt's avatar
Aaron Rainbolt

@arraybolt3@theres.life

Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, have not been corrected, and have even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. github.com/ventoy/Ventoy/issue

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of youtube.com/watch?v=QiSXClZauX

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

h3artbl33d :openbsd: :ve:'s avatar
h3artbl33d :openbsd: :ve:

@h3artbl33d@exquisite.social

Exquisite supports DANE, even while not every browser supports it. The 3-1-2 hash (domain issued certificate, SPKI, SHA-512) is:

6a9976657f0e85aa59e2954db3bd342c04f5e33ea166a70147fd6bb54bbafe23c11be8db582671e4d169be794ff2174ee99227e78ccd3961c84b53e20dad13b0

This goes for 443/tcp.

heise online's avatar
heise online

@heiseonline@social.heise.de

Minister Wissing: IT-Pannen werden zunehmen

Crowdstrike hat gezeigt, wie verwundbar weltweite Vernetzung machen kann. Der Digitalminister sieht Deutschland gut gerüstet, auch für andere Szenarien.

heise.de/news/Minister-Wissing

Nonilex's avatar
Nonilex

@Nonilex@masto.ai · Reply to Nonilex's post

Thursday’s prisoner swap, which saw American & a consultant, & a group of some of ’s most prominent & , exchanged for a Russian group including a state , & , was the biggest & most complex switch since the Cold War.

It took place at a time of , w/ between the & Russia as bad as they have ever been.

Graphic details the complexity of Thursday’s swap
ALT text detailsGraphic details the complexity of Thursday’s swap
EINGFOAN :donor:'s avatar
EINGFOAN :donor:

@eingfoan@infosec.exchange

I started to try a with all mainstream .

Here Is the comparison:

docs.google.com/spreadsheets/d

it is really hard to compare since vendors are super unstructured

please for more reach

contributors welcome

docs.google.com/spreadsheets/d

EINGFOAN :donor:'s avatar
EINGFOAN :donor:

@eingfoan@infosec.exchange

strength for

Original source:

linkedin.com/feed/update/urn:l

Eleanor Saitta's avatar
Eleanor Saitta

@dymaxion@infosec.exchange

A few :

I run Systems Structure Ltd., a US consultancy that provides fractional CISO services for pre-A to post-C round , along with training and reviews.

I've been working in since 2003 and did a spell in NGOland from ~2011 to 2016, working with NGOs and news organizations targeted by states and on tools they use, including the messaging app. The field work I did then fundamentally reshaped my approach to security, and I recommend that everyone in the field learn about the reality of being a high-risk user.

I live in the days, although in the before times (and hopefully soon again) I spent a fair bit of time in and . I run a performance space out of my home, along with my partner, called The Attic (@theatticfi on insta), where we make space for , , , and music, along other things. Before I moved here, I spent six or so years traveling full time.

I have written various essays over the years, which you can see on dymaxion.org, and I'm slowly writing a book. While security pays the bills, I spend a lot of my time thinking about , and in particular how the human and technical bits mesh, how they fail, and how to redesign them to fail better. In practice, this has meant everything from consulting on a constitution to thinking about what comes after the apocalypse. The "recruiting barbarians" in my bio refers to being more comfortable outside of institutions, but I'm starting to think more about community and infrastructure building now that I live somewhere.

I'm also an ; I paint and am slowly learning my way around a , and I've been accused of being an . I'm active in the scene, where we take larp serious as a dramatic form and do everything from a reworking of Hamlet played at the actual Elsinore castle to a larp about the early days of the HIV crisis. I'm primarily a theorist and critic there, as well as player, and I've edited two books and written a number of essays. Nordic larp has the best toolkit I've seen anywhere for analyzing the human parts of complex systems and especially for building new systems; it's heavily influenced my security work, along with my thinking.

Kushal Das :python: :tor: 🇵🇸's avatar
Kushal Das :python: :tor: 🇵🇸

@kushal@toots.dgplug.org

I wrote about on applications. kushaldas.in/posts/multi-facto

A demo showing after username/password login, the page is asking for TOTO token for the authentication.
ALT text detailsA demo showing after username/password login, the page is asking for TOTO token for the authentication.
Marcos Dione's avatar
Marcos Dione

@mdione@en.osm.town

Intro:

:sad_face: enthusiast (most of them) (not much of it)

Father of two, make my own maps and computer tools, have my own home server, fix as many things as I can myself, love to drive and travel by car but not for the city, and much more.

Mostly boosts, in several languages, including some I can't speak, write or read.

Solene % bot's avatar
Solene % bot

@solenepercent@bsd.network

Full-featured email server running OpenBSD

dataswamp.org/~solene/2024-07-

gemini://perso.pw/blog/article

@solene

Doyensec's avatar
Doyensec

@doyensec@infosec.exchange

We're proud our testing helps ensure the security of Thinkst's OSS Canary Tokens! As part of their transparency efforts, you can read the results of our latest round of testing here:

doyensec.com/resources/Doyense

Doyensec and Thinkst logos with a link to the report
ALT text detailsDoyensec and Thinkst logos with a link to the report
Mike Sheward's avatar
Mike Sheward

@SecureOwl@infosec.exchange

Fediverse Competition time!

I have two signed copies of my book 'Security Operations in Practice', which is all about building effective Security Operations teams, to give away to my Fediverse friends.

To enter - all you have to do is boost this toot before 12pm PT on Thursday July 25th, and I'll randomly select two of the boosters to receive the copies.

You can find out more about this book, and my other releases at infosecdiaries.com. Thanks, and good luck!

Two Copies of the book Security Operations in Practice, by Mike Sheward (@Secureowl)
ALT text detailsTwo Copies of the book Security Operations in Practice, by Mike Sheward (@Secureowl)
Kelly Shortridge's avatar
Kelly Shortridge

@shortridge@hachyderm.io · Reply to Kelly Shortridge's post

this is why I’ve side eyed any federal document about software , quality, or that demonizes open source software while touting the virtues of commercial cybersecurity products

as if those products aren’t notorious for deep access + flimsy quality…

I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)

1) on OSS security kellyshortridge.com/blog/posts

2) on secure by design kellyshortridge.com/blog/posts

David August's avatar
David August

@davidaugust@mastodon.online

Did you know calls for “the entirety of the CISA Advisory Committee should be dismissed on Day One.” (page 155).

If you like being able to use computers (or do anything with organizations that use computers, including have your vote counted in elections) that’s a very bad idea.

vam103's avatar
vam103

@vam103@mathstodon.xyz

Apparently NS&I (the old UK National Savings, as they put it "the government savings bank") have launched two factor authentication, which is good.

Except, it told me to expect a code, you would think through SMS. But no, its a phone call. To make matters worse its from France according to my phone! So of course I thought it had been compromised and wrote to them.

No, apparently they use a French company to do the OTP codes and then mask this with the UK number normally, except when it messes up or I guess your security is so high it does not show it. Actually the reply seemed annoyed that I did not just accept that the UK government bank would use a French company to do their security.

So I do not think much of the " improved security " until I can register a FIDO key or the local code generator as a call from France seems to have lots of points of failure. (Its not that its France specifically, just that it is another country.) Also they should mention this on their website! (Unless missed it).

nsandi.com/get-to-know-us/secu

Techlore's avatar
Techlore

@techlore@social.lol

Welcome to the world of , , and in 2023!📅

This thread covers what we’re doing to spread privacy to the masses ⬇️⬇️

michabbb's avatar
michabbb

@michabbb@vivaldi.net

Test your prompting skills to make Gandalf reveal secret information.

Gandalf is an exciting designed to challenge your ability to interact with large language models (LLMs).

gandalf.lakera.ai/intro

Tuta's avatar
Tuta

@Tutanota@mastodon.social

What's the main difference between Tuta Mail and Gmail? 😎 PRIVACY 🔐

Get your Tuta Mail account now: app.tuta.com/signup

Table showing different features of Tuta Mail vs Gmail.
ALT text detailsTable showing different features of Tuta Mail vs Gmail.
openSUSE Linux's avatar
openSUSE Linux

@opensuse@fosstodon.org

The Release Candidate 3 of Aeon will include Full Disk to boost data . Get more details! news.opensuse.org/2024/07/12/a

Sarah Jamie Lewis's avatar
Sarah Jamie Lewis

@sarahjamielewis@mastodon.social

Some exciting news: Over the past few months I have been working on founding a new organization: Blodeuwedd Labs (@blodeuweddlabs)

We are now in a position to offer subsidized security assessments (and other services) for open source projects.

(In addition to a whole array of analysis, development, and custom research offerings for everyone else)

Announcement (and more info): blodeuweddlabs.com/news/open-s

bane's avatar
bane

@bane@exploit.social

I am working on starting a project under fiscal sponsorship to teach underserved youth cybersecurity and provide them pathways to careers. I have received the application and budget projection template to fill out. I am looking for partnerships and potential donors. I am also looking for anyone who would be willing to join an advisor board. Please share if you think of anyone who would be interested in either!

Matt Burgess's avatar
Matt Burgess

@mattburgess@infosec.exchange

Hi all, been lurking for a few days but introducing myself now! I'm Matt and a reporter at WIRED. Like many others here, I'm coming to Mastodon after the chaos at the bird site in the last week.

The things I cover on a regular basis are , cybersecurity, , internet freedom, and human rights, and a bunch more things in the wider security realm.

I'm based in —and have lived here for the last decade—so I'm often reporting on issues from across Europe. When not writing words for the web, I'm often found and have been dabbling in the a few times over the last few years (edited to add introduction hashtag)

John Scott-Railton ☕'s avatar
John Scott-Railton ☕

@jsrailton@mastodon.social

STAGGERING: Nearly all customers' text & call records breached.

An unnamed entity now has an NSA-level view into Americans' lives.

Damage isn't limited to AT&T customers.

But everyone they interacted with.

Also a huge national security incident given government customers on the network.

And of course, third party makes an appearance.

cnn.com/2024/07/12/business/at

Adam's avatar
Adam

@adamsdesk@fosstodon.org

Little Bits: Issue #14

Uncover the accumulation of little bits I’ve found over the the past month on the topics of design, hardware, open source, privacy, security and more.

adamsdesk.com/posts/little-bit

Dark green background with bright green coloured text of ones and zeros with text that reads, Little Bits issue number 14.
ALT text detailsDark green background with bright green coloured text of ones and zeros with text that reads, Little Bits issue number 14.
🦋 Ben West - 🐒🌻's avatar
🦋 Ben West - 🐒🌻

@monkeyflower@infosec.exchange

Hackvists release two gigabytes of Heritage Foundation data

"Self-described “gay furry hackers,” SiegedSec said it released the data in response to Heritage Foundation’s Project 2025, a set of proposals that aim to give Donald Trump a set of ready-made policies to implement if he wins this fall’s election. Its authors describe it as an initiative “to lay the groundwork for a White House more friendly to the right.”

The data, reviewed by CyberScoop, includes Heritage Foundation blogs and material related to The Daily Signal, a right-wing media site affiliated with Heritage. The data was created between 2007 and November 2022. 

The group says it gained access to the data on July 2 and released it to provide “transparency to the public regarding who exactly is supporting heritage (sic),” a spokesperson for the group who goes by the online handle “vio” told CyberScoop in an online chat Tuesday."

cyberscoop.com/hackvists-relea

Fedify: an ActivityPub server framework's avatar
Fedify: an ActivityPub server framework

@fedify@hollo.social

We released 0.9.2, 0.10.1, and 0.11.1, which patched the last reported , CVE-2024-39687, but the vulnerability of SSRF attacks via DNS rebinding still exists, so we released Fedify 0.9.3, 0.10.2, and 0.11.2, which fixes it.

If you are using an earlier version, please update as soon as possible.

Thanks to @benaryorg for reporting the vulnerability!

Kris Hardy 🌮's avatar
Kris Hardy 🌮

@nonlinear@mastodon.nz

Does anyone know if there is a way to get a snapshot of a running container instance in for a investigation? I can't find anything in the docs to see if it's possible.

spv's avatar
spv

@spv@spv.sh

hi, i'm spv. call me spv, or james if you want to be slightly weird without knowing me

here's an post because i don't think i've made one yet.
info to know about me: 17 from BFE, NY

i'm , and have too many other conditions to list. woooo!

i do on occasion
on the regular
i like to work with , but i don't do it enough

getting a degree in Security & from SUNY Broome (starting in august)

warning: i use a lot of

Hollo :hollo:'s avatar
Hollo :hollo:

@hollo@hollo.social

To users: please update your to 0.1.0-dev.46, a patch which addresses @fedify's CVE-2024-39687, as soon as possible!

https://hollo.social/@fedify/019080c7-c784-755d-a6f2-d1f91f2c5709

Jan Penfrat's avatar
Jan Penfrat

@ilumium@eupolicy.social

The @EUCommission wastes our tax payer money to team up with the and notorious villain and sue the EU data protection agency @EDPS because the Commission wants to continue to use the software shitshow.

How low can this institution sink?

digitalcourage.social/@echo_pb

Anders Eknert's avatar
Anders Eknert

@anderseknert@hachyderm.io

Announced yesterday, Regal is a new linter for , with the ambitious goal of both catching bugs/mistakes in policy code, *and* to help people learn the language! If you ever work with , I’m sure you’ll find it useful. Check it out, and if you’d like to help kick-start the project by giving at star ⭐️ I’d be overjoyed!

github.com/StyraInc/regal/

Kushal Das :python: :tor: 🇵🇸's avatar
Kushal Das :python: :tor: 🇵🇸

@kushal@toots.dgplug.org

Do you know about verybad.kushaldas.in:8000/ experiment? This web application has a lot of holes, and I tried to secure it using only . Feel free to do a round of , the box. Remember to let me know what did you find.

The box is up from April end 2022.

Please boost so that your other security minded friends see this. I try to make sure that any learning from this goes back to systemd upstream.

Catalin Cimpanu's avatar
Catalin Cimpanu

@campuscodi@mastodon.social

Halycon researchers have discovered a new ransomware operator named Volcano Demon that is currently distributing versions of the LukaLocker ransomware.

Halycon says the group engages in targeted ransomware attacks but does not operate a dedicated dark web leak site.

The group is also known for calling a company's executives to extort and negotiate payments.

halcyon.ai/blog/halcyon-identi

kcarruthers's avatar
kcarruthers

@kcarruthers@mastodon.social

Follow me if you’re interested in:

Pics of my Mr Maxi & pics from walks in (it’s kind of a puppy spam account, but he’s adorbs)

stuff about & modern

Topics I’m interested in:

monocles's avatar
monocles

@monocles@monocles.social

What is it about?

offers ethically acceptable services and an online platform for individuals as well as for companies for a truly fair and secure digital life.

+ complete

+ 100% electricity from energy sources

+ no

+ highest possible

+ of corporations and organizations, as completely privately funded

Check out more on monocles.eu/more

monocles's avatar
monocles

@monocles@monocles.social

chat 1.7.9 is released on the playstore with a lot of updates and improvements! (See comments below)

play.google.com/store/apps/det

Tuta's avatar
Tuta

@Tutanota@mastodon.social

Today we are proud to announce the launch of the world's first secure email platform! 🥳🎉

With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒

Learn more about this quantum leap in here: tuta.com/blog/post-quantum-cry

Today we are proud to announce the launch of the world's first post-quantum secure email platform! With TutaCrypt your data is safe against quantum computer attacks at rest & in transit.
ALT text detailsToday we are proud to announce the launch of the world's first post-quantum secure email platform! With TutaCrypt your data is safe against quantum computer attacks at rest & in transit.
Emelia 👸🏻's avatar
Emelia 👸🏻

@thisismissem@hachyderm.io

Okay, okay, at @nova's behest, an post:

Hi 👋🏻 I'm Emelia, from , , I'm trans queer and kinky.

I'm a princess 👸🏻 currently working most with , currently working on Fediverse Trust & Safety tooling

I'm most known for my work on , and contribute to & other fediverse software

In 2020, I became the of Unobvious Technology, aiming to improve the safety, and profitability of and advance the

Rob Ricci's avatar
Rob Ricci

@ricci@discuss.systems

Hey! Let's talk about and !

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab s clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at by @sachindhke . The full paper is at flux.utah.edu/paper/singh-nsdi

Let's dive in. 🧵

A graph of SSH login attempts per day, in millions. On the Y axis, the graph starts in October 2017 at around 0.25M attempts per day. The day-to-day numbers are very noisy, but a trend line shows that the average number of attacks per day rises to around 1.0M around January 2021, with a slight fall-off before the graph ends in August 2021.
ALT text detailsA graph of SSH login attempts per day, in millions. On the Y axis, the graph starts in October 2017 at around 0.25M attempts per day. The day-to-day numbers are very noisy, but a trend line shows that the average number of attacks per day rises to around 1.0M around January 2021, with a slight fall-off before the graph ends in August 2021.
Mitex Leo's avatar
Mitex Leo

@ml@social.mitexleo.one

Any reason to not trust Eset Antivirus?

#eset #privacy #Security #antivirus #infosec
Tokyo Outsider (337ppm)'s avatar
Tokyo Outsider (337ppm)

@tokyo_0@mas.to

, and question: If instances generally collect only one copy of each post and then share it with the users that need to see it, does that mean nonoriginating instances are trusted to not show that post to users the poster has blocked (or who shouldn't see it because they're not following etc depending on visibility)?

How do the collecting instances know who should see it? (A cached copy of the poster's follow list?)

And does change any of this?

/dev/rdsk/c5t1d0s2's avatar
/dev/rdsk/c5t1d0s2

@jpm@aus.social

I probably should do an too

I'm Joel, the -whacker, -noodler, - licker, and -spooner. I also do a bunch of design and coding, while wondering why still sucks so much.

There will be regular and posts, and likely a lot of swearing as well

🅰🅻🅸🅲🅴 (Mutuals)'s avatar
🅰🅻🅸🅲🅴 (Mutuals)

@alice@lgbtqia.space

🥰 So fulfilling! 🥰 A friend just brought their little daughter over to my place, because she had a journal with a 3 wheel combination lock on it, and she'd forgotten the combo.

I showed her how to decode it, and eventually she got it open! We changed the combo and locked it again so she could practice more.

After a bit, she was asking about other kinds of locks, so I happily brought out an assortment of antique and miniature locks from my collection.

A couple hours later they had to leave, and she was beaming! Today she had picked 2 warded locks, a pair of police cuffs, raked open a 4-pin tumbler, and decoded a combination lock!

I sent her off with a smiley yellow binder clip and a minuscule warded lock to practice on.

They asked to come back next week to learn more. 💜

I feel like the Yoda of lock-sport. 🙂

---

Update: Friend just texted me to say their daughter is thinking of starting a YouTube channel to document her growth in lock-sport, and wanted advice on gear/setup stuff.

---

9 tiny locks locked to the shackle of a slightly larger tiny lock.
ALT text details9 tiny locks locked to the shackle of a slightly larger tiny lock.
A pink elephant-shaped paperclip and a blue binder clip with a grumpy face on it. In the right hands, these are powerful tools.
ALT text detailsA pink elephant-shaped paperclip and a blue binder clip with a grumpy face on it. In the right hands, these are powerful tools.
Strypey's avatar
Strypey

@strypey@mastodon.nzoss.nz · Reply to Strypey's post

Our Mastodon server has been mostly down for a week, and anything we posted during the brief uptime during the last week has been lost. Turns out our PostgresSQL container was hit by cryptojacking malware;

thehackernews.com/2024/05/kins

It doesn't seem like a targeted attack, I think we were just unlucky. I highly recommend admins review your security measures and harden your systems against automated attacks.

Is this something Reproducible Builds could help with?

Ciarán McNally's avatar
Ciarán McNally

@ciaranmak@mastodon.ie

Hello all 👋
Am a self-employed consultant of 10+ years via securit.ie/

I regularly enjoy live sports/music (likely to post about), I code & and am unafraid of low-level / reverse engineering, builder, breaker, cocktail shaker. Lefty af ☭. An aspiring cyberterrorist armchair general on main
🤘😜👍

Avoid The Hack!'s avatar
Avoid The Hack!

@avoidthehack@mastodon.social

👋🏽 Hi Mastodon

(Redoing )

I am the same Avoid The Hack from Bird Site

Only news items and updates for avoidthehack.com are cross posted from Bird Site. Everything else is here (and only here) as I’m more active on Mastodon.

Most of this feed is related to and . Sometimes I post advice. Sometimes I share articles I have written. Sometimes I share articles featuring Avoid The Hack. Sometimes there are memes.

lj·rk's avatar
lj·rk

@ljrk@todon.eu

Bio was too big, and I didn't yet make an :

Hi, I'm Leonard/Janis (like Cohen/Joplin respectively), I use they/them pronouns, he/him (Leo) and she/her (Janis).

I'm a from . I'm a professional procrastinator, don't expect me to stick to one project :'-)

Outside of computing I love , and , adore cats, have a passion for and spend too much time following politics. I listen to but my musical taste has since widened to also embrace R'n'B, Rock, Funk, and a lot of modern stuff. I read classic and my favorite authors are Terry , Douglas Adams, J.R.R. , Robert Harris, and Sjöwall & Wahlöö (rather male dominated, send recommendations!).

I'm politically left but not settled on the specific question of government.

I'm a and fetishist (these aren't the same, sometimes even oblique). Some see a gray space here, I consider the right to data self-determination a fundamental right. Also, free , and a livable environment are fundamental. and are crucial for individuals and society. Tech won't solve our core problems, merely highlight them and perhaps provide tools for change we can use.

Jon Seager's avatar
Jon Seager

@jnsgruk@hachyderm.io

Pretty huge news from Canonical yesterday!

"Today, Canonical announced a 12 year LTS for any open source Docker image!"

canonical.com/blog/canonical-o

goldfishlaser's avatar
goldfishlaser

@goldfishlaser@fosstodon.org

I will be presenting "Open Hardware Design for BusKill Cord" Demo Lab at DEF CON 32.

When: Sat Aug 10

Time: 12PM - 1:45PM

Room: W303 - Third Floor - LVCC West Hall

forum.defcon.org/node/249627

heise Security's avatar
heise Security

@heisec@social.heise.de

Ab sofort gibt es Desinfec’t 2024 auf einem USB-Stick zum Kauf

Mit dem c’t-Sicherheitstool entfernen Sie Windows-Trojaner und greifen auf nicht mehr startenden PCs auf Ihre Daten zu.

heise.de/news/Ab-sofort-gibt-e

Martijn's avatar
Martijn

@martijn@noisesfrom.space

Tooting into space here, hello 👋

I'm 30 year old programmer from the Netherlands. I fiddle with hardware, mostly keyboards and I'm finding my way back into .

Besides this I'm pretty active by doing swimming, bouldering and playing padel. Interested in going to and .

Never really got into Twitter but Mastodon seems more like my thing, don't be shy to connect and I will do the same

nixCraft 🐧's avatar
nixCraft 🐧

@nixCraft@mastodon.social

the talk. credit ig instagram.com/peter.conrad.com

The comic is titled "MY PARENTS GIVING ME THE TALK". The first panel shows two parents looking awkward. They tell their kid: "WHEN TWO PEOPLE LOVE EACH OTHER VERY MUCH..." The second panel shows a smug child and parents with laptops. The title reads: ME GIVING MY PARENTS 'THE TALK’. He tells his parents: "WHEN SOMEONE CALLS AND SAYS THEY'RE FROM MICROSOFT TECH SUPPORT...” Comic by Peter Conrad Comics
ALT text detailsThe comic is titled "MY PARENTS GIVING ME THE TALK". The first panel shows two parents looking awkward. They tell their kid: "WHEN TWO PEOPLE LOVE EACH OTHER VERY MUCH..." The second panel shows a smug child and parents with laptops. The title reads: ME GIVING MY PARENTS 'THE TALK’. He tells his parents: "WHEN SOMEONE CALLS AND SAYS THEY'RE FROM MICROSOFT TECH SUPPORT...” Comic by Peter Conrad Comics
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕™'s avatar
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕™

@kubikpixel@chaos.social

Dark Visitors - A List of Known AI Agents on the Internet

Insight into the hidden ecosystem of autonomous chatbots and data scrapers crawling across the web. Protect your website from unwanted AI agent access.

darkvisitors.com

Renata Rocha 🏖️'s avatar
Renata Rocha 🏖️

@ataner@hachyderm.io

New instance, new post!

OHAI! I am Renata (it's pronounced heh-NA-ta and I am very particular about it) - I am a Manager of Solutions Architecture in Toronto, Canada. I work with , , and all their relatives.

I am super invested in ID&E, social issues, I am an avid , I , do , and still find time to find some random new hobby that I will completely ignore six months later. It is what it is.

I also love ! Hello!

MPD2 🌐's avatar
MPD2 🌐

@Di_Libu@mstdn.plus

Hello !
!

I . Most of my can be found on my . I'm a with a . I am a self proclaimed . I like to listen to and make (Mainly & ). In my free time I like to surf the or . I love and of all breeds. I have and . I have work background in and . I hope to meet many people while on here.

Christian Kent's avatar
Christian Kent

@whophd@ioc.exchange

Let’s hope this -conscious *choice* in the Kia EV9 is the start of a trend. They didn’t have to give us this. In a real button, no less — you can connect or disconnect the data from your phone while -charging it in your car. From MKBHD youtu.be/CRhjL9X2yKA

A photo of a YouTuber’s finger pointing at a button on the new Kia EV9 that shows two modes next to a USB port. The symbols indicate two choices: Battery only, or battery with USB data.
ALT text detailsA photo of a YouTuber’s finger pointing at a button on the new Kia EV9 that shows two modes next to a USB port. The symbols indicate two choices: Battery only, or battery with USB data.
Estelle Platini's avatar
Estelle Platini

@estelle@techhub.social

How the UK Security Services neutralised the country’s leading liberal newspaper:
(2019) declassifieduk.org/how-the-uk-

she hacked you's avatar
she hacked you

@ekis@mastodon.social

Don't have time for a banner grab but still interested in basic info about a server?

Well taking advantage of a server's inability to process '%' b/c it expects two hex digits to follow; in many cases it errors

Preventing this from happening is actually easy

It requires an essential secure programming principle: verify, validate, and sanitize your input

This principle should be applied to EVERY input, and yes the URL is input

Using /% you can generate an error on many servers, and when they have not bothered to hide information it can be revealing.
ALT text detailsUsing /% you can generate an error on many servers, and when they have not bothered to hide information it can be revealing.
HiramFromTheChi 👨🏽‍💻💭's avatar
HiramFromTheChi 👨🏽‍💻💭

@hiramfromthechi@mastodon.social

Any device that needs to be off because it can't be trusted with your conversations should not exist in the first place.

A sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
ALT text detailsA sign on a door of a healthcare facility that says: "Please remember to not discuss patient information (PHI) unless the Amazon Echo is muted."
sͧb̴ͫƸ̴gͬᵉ's avatar
sͧb̴ͫƸ̴gͬᵉ

@subm3rge@infosec.exchange

About me:

Soft-spoken old guy. 
Multi-industry, always , often IT/OT, sometimes physical/personal. I can find a policy, a pentest, or a bulletproof vest that suits your needs.

I mostly write like I prefer my coffee - dark, bitter, scalding.
justmytoots.com/@subm3rge@info

The Exiled King's avatar
The Exiled King

@ExiledKing@mastodon.gamedev.place

I never wrote an or at least don't remember.

I'm Tim - a dedicated and enthusiast. I dream of doing but tend to lose focus and drive early on.

Things I will post about:
- lots of them
- - my backlog makes dragons jealous
-
-
-
- as I work through my backlog
-
-
-

*Probably not an actual King

FreeTech Project's avatar
FreeTech Project

@freetechproject@floss.social

So glad to be on floss.social! Time for another introduction. Hello from , , UK! We're a initiative founded back in 2010, focused on helping people use in a way that is more financially, environmentally, and socially , regardless of knowledge or skill level – using and promoting primarily to provide personalised learning. We particularly love , , and ! Feel free to spread the word. Thanks!

Bo Morgan's avatar
Bo Morgan

@neptune22222@kolektiva.social

I fight for the users.

I love programming and thinking and talking about thinking. I have an education (BS, MS, PhD) focused on artificial intelligence and neuroscience.

I'm an advocate of the public academic pursuit of knowledge, the scientific process, peer review, and I see open source software and hardware as an essential part of the scientific process.

I see software user rights, including security and privacy, to be protected mainly by free open source software, specifically software with a copyleft license, i.e. GPL or Mozilla.

I see the democratizing effects of the Internet, including distributed journalism and social networking, to be largely the effect of the collaborative development of free and open source software.

I am interested in free and open source manufacturing, including open source 3D printers and CNC machines. I believe open source manufacturing will be important for distributed manufacturing, allowing local manufacturing and local labor.

I see worker-owned coops as the way to safely transition from a non-democratic authoritarian top-down power structure of a traditional corporation to a democratic work environment, where the workers own the company and elect the board of directors, transitioning to democracy in the workplace.

I believe that socialism is a regulatory response to capitalism.

I believe that laws, money, corporations, and government are social agreements, and I'm in favor of democratic social agreements.

I believe in the organized non-violent boycott as a way to control capitalists and change corrupt systems.

I am a pacifist. I am against violence. I am against citizens keeping guns in cities and towns with children. I am against war.

I try to eat plant-based / vegan foods to boycott the animal industry, to help with the climate crisis, to improve my health, to avoid animal cruelty, and to avoid the extinction of species of plants, animals and ecosystems.

I have been diagnosed with Retinitus Pigmentosa, which is a disease of progressive retinal degeneration. I am legally blind, although I have about 5-degrees of vision remaining in my fovea. I'm interested in researching and developing BCIs (Brain-Computer Interfaces), specifically BCIs that function as vision prostheses that may help with conditions like RP, or the more common degenerative retinal disease AMD (Age-related Macular Degeneration).

I enjoy playing computer games like Age of Empires and Rimworld. I used to program computer games when I was younger and would like to get back to it one day.

I love playing music, especially bass guitar. I've been listening to a lot of Rage Against the Machine and Enya recently.

I enjoy reading books, mostly non-fiction.

I enjoy studying religions. I've found a lot of value in Buddhism, and I meditate often daily.

Nina and I have recently had our first baby, a boy we call Tyoma.

I'm currently working at Apple on the Vision Pro headset team.

I'm sober.

Martin Boller 🇺🇦 :tux: :freebsd: :windows: :mastodon:'s avatar
Martin Boller 🇺🇦 :tux: :freebsd: :windows: :mastodon:

@itisiboller@infosec.exchange

Sometimes logical isolation isn't enough

Sign saying: "Septic Tanks Pumped Swimming Pools Filled Not same Truck"
ALT text detailsSign saying: "Septic Tanks Pumped Swimming Pools Filled Not same Truck"
📡 RightToPrivacy & Tech Tips's avatar
📡 RightToPrivacy & Tech Tips

@RTP@fosstodon.org

:thunderbird: Thunderbird & 🔐 PGP Setup Tutorial

(I2Pmail Example)

Did you know I2P offers email!? 😀

you@mail.i2p & you@i2pmail.org

Let's set this up today. It'll be fun! :ablobcatrave: :terminal: :thunderbird:

Watch on

*Post updated to instance offering vid space

tube.tchncs.de/w/bsAEDHQNK4B4w

WTL's avatar
WTL

@WTL@mastodon.social

My four-month-late :
Work: & , , / ,

Life: movies, music, , curious and loves to learn, social justice, and to my surprise, a who has 15,477 KM Jan 2020 - Dec 2022.

If you stop and look at something the more closely you examine it, the more amazing it becomes.

Married to the wonderful @TAV for over 25 years, furdad to Sprocket the , (he/him) ,

SpiderMonkey's avatar
SpiderMonkey

@SpiderMonkey@mastodon.social

We are a little late to the party. How about we do an ?

Hi Fediverse, we are SpiderMonkey, @mozilla’s engine for and .
SpiderMonkey is used in Firefox, Servo and various other projects.

This account is run by our engineers, and none of us know how social media works. We were told to use hashtags.

Nice to meet you!

sweet conceit's avatar
sweet conceit

@lewdmachines@mastodon.social

Since this is what's done on - I am a middle age recovering fandom nerd, still active and nerd, and someone who has amateur hour opinions on lots of things. My ideal vacation is reading terrible sci-fi in a nice hotel room.

Strongly in favor of and I seem to be getting more radical as I get older.

I'll probably post about:

(Originally posted on mastodon.lol)

dsp's avatar
dsp

@dsp@social.sdf.org

i guess?
I'm a physicist who spent most of his time at school, in the datacenter. Then i somehow found myself in 'computer science research' labs writing software. For the past couple of years doing the security thing cause it's fun. Into . When AFK i enjoy . As always thank you for hosting us. It's nice to meet you all :).

log4jm's avatar
log4jm

@log4jmc@infosec.exchange

belated #Introduction

I've been enjoying infosec.exchange for the last month or so but have been putting off an because I'm awkward and anxious ( am I right?). I feel more comfortable talking about my cat than myself or my work on social media, so you'll probably mostly see him amongst my boosts and replies. He's a little hacker who tricks me into FaceID unlocking my iPad for him or hides my pouch of physical security keys to remind me not to be careless with them.

See how I just went on about the cat? Yeah... I feel imposter syndrome about belonging in . I'm an IT and focused () whose been fascinated/working with computers since I was 3, and have been doing it professionally for over 10 years now. Does that make me ? I honestly don't know. I love this community though and want to make an effort to share what I do know more often besides the cat pics or conversations or boosting and news I think to share.

If I had to sum up in a few hashtags and such, I know securing and best but I use/protect and if you'll forgive me for using there too. I love and , the and and we share, and stuff, and , and reading/writing reports just as much as code. I'm not super passionate about the but that's not a hill I'd die on and is pretty cool.

Did I mention I have one of the best ever?

Anyway, "it's me, hi!"

IT-Awareness, Fabian Lucchi :donor:'s avatar
IT-Awareness, Fabian Lucchi :donor:

@fabianlucchi@infosec.exchange

Time for my own intro, I think.

Born and raised in Switzerland on , and . Still there today.

Using computers since spectrum, always enjoyed technical stuff, programming, network and hardware. Deeply interested in BBS and demoscene (Unreal, futurecrew).

Co-started my own company, , in 1994 with an associate. We were first selling home-assembled computers for endusers. Then we had our own first internet dialup POP by the end of the same year and each customer was granted free access (except for local call rates). We also ran one of the first websites in Geneva, Switzerland, around that time (still found in archive.org, look for infomaniak.ch).

We then splitted the company and started providing professional web/mail hosting when it was still pretty unusual. I built that company from scratch and my associate kept running the computer shop on one side, and doing strategic thinking for the hosting business. The shop was eventually sold in 2000/2001 and we 100% focused on hosting.

At first, I was involved in every step : network design, hardware choice, mail/web servers, routing/transit, building/maintaining IT racks, staff, programming our own management tools, Delphi at that time ; still programming with Embarcadero today. And it was rapidly too overwhelming. The staff grew, we enrolled people with better skills than we had, and I focused primarily on management, legal and accounting. But it was not what I loved to do every day.

In 2017, my associate and I divorced (a 25 years long coworking is *really* like a marriage) ; I was kicked out :(

By then, Infomaniak staff was +60 people (support staff, sysadmin, devs and office admin).

I took that opportunity to better focus on what matters to me : and for small to very small companies. Those left alone with their too complicated technological problems and they do the best they can. Ourdays, this is obviously not sufficient.

So I started again from scratch, with IT-Awareness. My main objective was being able to provide better comfort with for all non technical people, focused on and all related matters. Due to the first customers I met, I'm now mostly helping in all environments.

I'm still alone in my company (it takes time... so much time...) but I nonetheless received a huge project to build a secure mail system for all practicians in Geneva area (~3,000). "Secure" meaning "with confidentiality guaranteed" following Swiss laws requirements. A case study has been done by Synology : synology.com/en-us/company/cas

Prior to this new secured mail system, practicians were mostly using public services like gmail, aol and local telco mail systems, which is absolutely forbidden due to the sensitivity of data they're exchanging. They're now secure, compliant with the law and patients are better protected. But this is of course only part of the long way they still have to go.

I provide a lot of IT support for small medical centers ; they don't know a thing with technology and don't have time. They need things to be done, they need confidence. I try to bring both.

Interested in all matters for so many years I can't remember, I followed a lot of incredible people with deep knowledge that shared their insight on Twitter.

And like every one of you, migrated to infosec.exchange Mastodon instance (which I proudly sponsor, @jerry thank you so much for your work and dedication, this place is what we really need, our home).

I'm always open to discuss anything with anybody, sharing knowledge and experience.

Druid's avatar
Druid

@druid@ioc.exchange

: two weeks late.

Aspiring Gaeilgeoir, recreational cyclist, hiker, dog wrangler. I like traffic lights.

I've worked as a developer, architect, consultant, chief technologist and various types of management, almost always focused on data systems. Post sabbatical, I am contemplating looking for work in security/privacy/digital rights.

Happy to connect and talk.

, , ,

Vegard Nossum 🥑's avatar
Vegard Nossum 🥑

@vegard@mastodon.social

I've archived all my old tweets (except RTs) here:
vegard.github.io/twitter/

Almost everything has been tagged by subject/topic in case you are only interested in something specific.

Lots of , , , , , etc. posts.

G :donor: :Tick:'s avatar
G :donor: :Tick:

@cirriustech@infosec.exchange

Introduction

Redoing my as it was a bit of a sparse one when I joined.

I am a lifelong enthusiast, having worked in Financial Services IT for more than 25 years, across multiple disciplines including:
* -based platforms (A17/A19/HMP NX 6800/Libra 180/Libra 6xx/Libra 890)
* storage arrays (DMX 3/4 and most recently VMAX) including experience of (S), SRDF(A), BCV
* (2000 through 2019) including
* Various / OSes (/ / / / ) including experience of /#GFS2 SAN storage clustering
* Virtual Tape Server technology (B&L/Crossroads/ETI Net SPHiNX, )
* Automation/Scripting (, , , , )
* (, , , , )
* /#DisasterRecovery (Design/Implementation/Operations)

I’m focused on learning and getting hands-on with at home and computing solutions both at work and at home.

I moved into a role in 2020, so a lot of my focus is now more security focussed across all tech stacks.

My main focus at present when it comes to cloud is predominately , with Google and AWS of interest also, as well as other cloud infrastructure services such as those provided by CloudFlare, though I’m planning a move away from them due to their moral/ethical choices.

Away from work and tech, I love to the world with my wife and enjoy very amateur to record our adventures.

I also love most genres of , live in concert when I can, with a particular love of / and also (coincidentally, given the profession of a somewhat more well known namesake of mine!).

James Bannan's avatar
James Bannan

@jamesbannan@aus.social

Now that the dust has settled, I can finally get to an

I’m based in Melbourne/Narrm, and live with my family (and dog!) a short walk from one of the loveliest beaches around.

I work as an consultant, mostly specialising in technologies, system architecture, and . I’ve also worked as a , an , a public speaker and an

I have one technical book under my belt, but am aspiring to and am enjoying being part of the community

Mark Keierleber 🚴‍♂️🎸's avatar
Mark Keierleber 🚴‍♂️🎸

@mkeierleber@journa.host

Greetings, Mastodonians! (is that a thing?) I’m a focused on and . I love writing about – and discussing –

GFH_oheffllc's avatar
GFH_oheffllc

@GFH_oheffllc@mastodon.social

As my first post on mastodon, here's an image of a comic strip that formed in my head while working on something else (I was writing an article for Bob Ambrogi's site at directory.lawnext.com/library/ ) Here are some tags:

Alex Cordonnier's avatar
Alex Cordonnier

@alexjcord@infosec.exchange

A bit late to the fediverse party, but here's my :

I'm a software engineer in the SF Bay Area working on architecture and at a major tech company. Interested in (obviously, on this server) and extreme . Also enjoy , with my wonderful wife, the , and . Go ! 🔶​🔷​

Jack Platten's avatar
Jack Platten

@jack@social.lol

Hi friends! Now that it seems like the fediverse is sticking around, finally figured I should make an introduction post (on my fourth account don't mind me).

I'm into , , , and making things better to use for everyone.😀

Cody Dostal :unverified:'s avatar
Cody Dostal :unverified:

@dostalcody@infosec.exchange

I decided I need to re-do my post. Why? I didn't know that full-text search wasn't really a thing on Mastodon (well, particularly cross-instance), so I need to hashtag it. If you've read it before, feel free to move on, or read again. Anything goes!

I’ve seen a few others do introductory posts so I figured why not for me too. It’s unlikely I was known on Twitter because I didn’t post much on Twitter. I hope to change that here.

I’ve worked in , , , and/or for around 8 years. My experience has been solely within the world of , first as a civilian and then as a contractor. I’m currently a Senior SA/Deupty PM for Broadleaf-inc, a government contractor.

Along with that, I’ve been teaching infosec for around two years for a university. I developed many courses, Network Security, OS Security, and , , IDS & IPS, , as well as an Introduction to IT and a CCNA course. I’ll be developing an Advanced Penetration Testing and a Digital Forensics course this upcoming year.

I am an advocate for helping those with no existing experience and fresh graduates find positions in , truly entry level positions. I help run a discord that focuses on that, , as well working on free university-style courses that people can take to learn these skills. Those aren’t ready yet, but my first free course will be Introduction to Cybersecurity.

On my off-time, I'm a huge . You'll generally find me on the Xbox Series X, although once in a while I'll be on PS5. I generally play , probably a little too much. I have 4 kids, 5 cats, and 2 dogs. It can be a hectic house.

That’s me. Fin.

Marco Ivaldi's avatar
Marco Ivaldi

@raptor@infosec.exchange

Hey everyone, here's my mastodon .

I'm a seasoned offensive researcher with 20+ years of experience.

As a professional and polyglot programmer of weird machines, basically I study how things can go wrong.

Some examples:
phrack.org/issues/70/13.html#a
vimeo.com/335197685
vimeo.com/474793702
youtu.be/Nc9ZLTb2hQ8

Hack the planet! 🏴‍☠️🌎​​

Andrea Grandi 🦕's avatar
Andrea Grandi 🦕

@andreagrandi@mastodon.social

I'm mainly here to stay in touch with existing friends but also for or content and anything related to or
plus I'm interested in players and nice

Please say 👋 hello if you think we should follow each other.

Andy 'Bob' Brockhurst :donor:'s avatar
Andy 'Bob' Brockhurst :donor:

@b3cft@infosec.exchange

I guess everyone else is, so I'll do an as well.

I'm Andy, but most people, especially online, know me as Bob (due to a manager at Yahoo! in the late 90's playing a practical joke and it stuck).
I've actually been on here since 2019 but mostly kept lurking occasionally.

I have a wife and 13yo son. Like fiddling with and and . I'm also a shooting in county rifle teams for full-bore and small-bore.

I'm not officially in but have been working in networking and sysadmining since token ring networks were the latest hotness and the Internet consisted of telnet, ftp, gopher and email.

I currently work as an for an startup and am notionally in charge of as no one else is interested.

I follow where I can and keep having ideas about stuff I'd like to research.

G :donor: :Tick:'s avatar
G :donor: :Tick:

@cirriustech@infosec.exchange

In my latest post in the Security Bytes series, I talk about a term you probably hear a lot, but perhaps haven’t stopped to think about what it is - Least Privilege.

cirriustech.co.uk/blog/secbyte

OneiricBotcelot's avatar
OneiricBotcelot

@OneiricBotcelot@digitalcourage.social

Ich bin seit Sommer 2021 auf Mastodon, aber nach meinem Umzug von social.tchncs.de auf dieser Instanz. Nachdem ich schon seit längerem Fördermitglied bei @digitalcourage bin, war es einfach an der Zeit.

Beruflich und von den meisten Interessen her bin ich in der beheimatet. In den letzten Jahren stelle ich vermehrt die Entwicklung unserer Gesellschaft im digtalen Zeitalter in Frage und habe für mich einige Schlüsse daraus gezogen. So besitze ich weder ein Konto bei und noch nutze ich irgendeinen Service aus dem Universum des Konzerns . Die Nutzung von habe ich weitestgehend eingestellt.

Themen für die ich mich u.a. interessiere: , , , , , , , , , , , , , , .

Bleibt nur noch zu sagen: Ich freue mich auf (weiterhin) einen tollen Austausch im !

Reuben Binns⁉️'s avatar
Reuben Binns⁉️

@RDBinns@someone.elses.computer

post!

I'm an interdisciplinary researcher, mainly in but also a bit of , , and a pinch of . I study , , algorithmic decision-making, 'fair' ML/AI, , , of and by technology; hoping to gradually add to my bag of interests.

I build machines. I don't know why (reubenbinns.com/blog/enigma-ma)

I live in London and work in Oxford.

Love

raboof's avatar
raboof

@raboof@merveilles.town

Hi there! Been on the fediverse since 2018 but time for an update:

As developer from , the I love , @nixos_org and @reproducible_builds , maintain wm @notion and helped organize @mch2022camp. I'm active at @hack42 and volunteer at Museum @EICAS.

Job: ex- team at , now self-employed and available for contracts on FLOSS things next to my part-time engagement as Response Program Manager for .

Black-and-white image of me jumping in the air, arms stretched and looking slightly terrified because I planned the jump better than the landing.
ALT text detailsBlack-and-white image of me jumping in the air, arms stretched and looking slightly terrified because I planned the jump better than the landing.
dana :Blobhaj_Witch:'s avatar
dana :Blobhaj_Witch:

@blinkygal@sunny.garden

Hi I’m new to :mastodon: and I see is a fun thing to do.

I enjoy , , , . I love listening to including , , , , , , and . I am learning and and into sports like , , , and . I love and .

Have a in . I make internet have better . I enjoy but do research with too.

❤️

Michael Altfield 🛡️'s avatar
Michael Altfield 🛡️

@MichaelAltfield@mastodon.social

Presenting : A $20 triggered by someone physically yanking your laptop away from you.

Powered by & .

tech.michaelaltfield.net/2020/