Google's handling of the Samsung Exynos modem RCE vulnerability is frankly insane. Summary:

- Internet to baseband modem remote code execution, all that's required is knowing the target's phone number
- Fix has been published in March update, but this is not available on all affected phones
- Workaround is to disable VoLTE and Wifi Calling, but the ability to disable the former has itself been disabled

In other words, the only current defense is airplane mode.

9to5google.com/2023/03/16/goog…

Google: Turn off VoLTE, Wi-Fi calling due to Exynos vulnerability

Google found severe vulnerabilities with Exynos modems used on the Pixel 6 and Samsung phones that warrant disabling VoLTE & Wi-Fi calling...

^{Abner Li (9to5Google)}

Librsvg 2.56.0 is out! This is the first release in the new stable series, ready for GNOME 44.

gitlab.gnome.org/GNOME/librsvg…

2.56.0 - stable · GNOME / librsvg · GitLab

#942: Fix crash when XML...

^GitLab

A new issue of #ThisWeekInGNOME is now online!

#87 Editable Shortcuts
thisweek.gnome.org/posts/2023/…

#GNOME #TWIG

The end of Dendrite polylith (not the end of Dendrite!!), a major release for hookshot, and the rust sdk getting more features every day. That, and much more happened this week in Matrix!

matrix.org/blog/2023/03/17/thi…

This Week in Matrix 2023-03-17 | Matrix.org

^Matrix.org

Vous vous êtes toujours demander ce que vous auriez fait durant la montée du fascisme ?

Exactement ce que vous faites maintenant.

(image via @vincib)

L'outil #Mobilizon de l'association lyonnaise #Framasoft est une bonne alternative éthique aux événements #Facebook. Je suggère à celles et ceux qui voudraient organiser des mouvements de grève, des blocages et toutes sortes de manifestations contre la politique de notre gouvernement de s'en emparer sans attendre !

mobilizon.fr/

#logicielslibres #injustices
#reformedesretraites #liberté #egalite

#AndroidAppRain at apt.izzysoft.de/fdroid today with 14 updated and 2 new apps:

* Settings Database Provider: allow other apps to edit all parameters in android settings.db database
* Thumb-Key: A privacy-conscious keyboard made for your thumbs

Enjoy your #free #Android #apps with #FDroid and the #IzzySoftRepo

IzzyOnDroid F-Droid Repository

This is a repository of apps to be used with F-Droid. Applications in this repository are official binaries built by the original application developers, taken from their resp. repositories (mostly Github).

^{IzzyOnDroid App Repo}

We've just reached 400⭐ on Github and Castopod v1.2 is out 🚀

You can now host your podcast files on any S3 compatible storage!

+ download counts of episodes for better insight
+ health check route for monitoring

And bug fixes!

Grab your Castopod on castopod.org/

Castopod | Your Free & Open-source Podcast Host

Castopod is a free and open-source hosting platform made for podcasters. Engage and interact with your audience whilst keeping control over your content.

^castopod.org

Here is how the Purism team is improving the Chats app. We want it to be the everyday “1 to 1” and “small groups” messaging app for both SMS/MMS and the more private end to end encrypted IP conversations🎉

puri.sm/posts/toward-matrix-su…

Jdu s kůží na trh. Na nové doméně jsem spáchala nový web.

rodokmen.info

Vítám Vás! - RODOKMEN - GENEALOGICKÉ SLUŽBY

Jste-li na tomto webu, patříte zřejmě k těm, kteří chtějí poznat historii svého rodu. Jména rodičů, jejich sourozenců, prarodičů… tím to zpravidla končí. Jen málokdo zná jméno babičky za svobodna, o sourozencích prarodičů ani nemluvě.

^{menya (RODOKMEN - GENEALOGICKÉ SLUŽBY)}

Say what you want about Firefox, but this is the kind of good surprise after an update that comfort me in my opinion that Firefox is the greatest mainstream browser.

The translations quality is understandably not on par with Deepl or Google Translate, but it doesn't leak what I'm reading to a third party.

And most importantly: it also works for people who are not experts with computers.

One more reason to recommend it to friends & family.

Two things going on that may be related:

1) Mastodon new user count is up to about 1000 per hour for the last day. This is way up from the recent low hundreds.

2) Reddit r/Twitter is full of complaints that Twitter feeds are now not showing followed accounts, replaced by right wing politics and even porn.

Getting tweets... from people that i dont follow and dont know at all >>> reddit.com/r/Twitter/comments/…

Did twitter change its algorithm completely? >>> reddit.com/r/Twitter/comments/…

#twittermigration

!!! UPDATE YOUR PHONE NOW !!!

RCE exploit

Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
Any wearables that use the Exynos W920 chipset
Any vehicles that use the Exynos Auto T5123 chipset

Project Zero reported 18 vulnerabilities in Exynos modems in late 2022 and early 2023. Four of the vulnerabilities, including CVE-2023-24033, involve internet-to-baseband remote code execution
Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Project Zero is making a “policy exception to delay disclosure for the four vulnerabilities that allow for internet-to-baseband remote code execution.” This is “due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted.”

9to5google.com/2023/03/16/goog…

Google: Turn off VoLTE, Wi-Fi calling due to Exynos vulnerability

Google found severe vulnerabilities with Exynos modems used on the Pixel 6 and Samsung phones that warrant disabling VoLTE & Wi-Fi calling...

^{Abner Li (9to5Google)}

"Peter Thiel started the bank run. All of his companies got their money out. Most of their competitors did not get their money out. Many of those competitors might not have survived the week of the FDIC hadn’t stepped in. ...

"I’m not saying he nefariously intended to bring the bank down in order to gain an advantage over his competitors. ... But the practical outcome would have been a massive, literal bank error in Peter Thiel’s favor."

davekarpf.substack.com/p/three…

Three thoughts on Silicon Valley Bank

This was almost a literal bank-error-in-Peter-Thiel's-favor

^{Dave Karpf (The Future, Now and Then)}

Hey all, if you have a Google Pixel 6/7 or a Samsung phone: Disable VoLTE and Wi-Fi calling until this issue is patched: 9to5google.com/2023/03/16/goog…

tl;dr: Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

Google's Project Zero usually makes vulnerability reports public after 90 days. This is an exception because it goes directly from internet to baseband-level (tl;dr: the second OS inside your phone that powers the LTE/5G modem) remote code execution. This is morally equivalent to getting code running on your WiFi card.

Here is a list of the most likely affected devices:

• Samsung Galaxy phones including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series
• Vivo phones including those in the S16, S15, S6, X70, X60, and X30 series
• Google Pixel 6 and 6 Pro, Pixel 6a, Pixel 7 and 7 Pro
• Any wearables that use the Exynos W920 chipset
• Any vehicles that use the Exynos Auto T5123 chipset

Helpfully, the baseband is a binary blob of uninspectable firmware that users can't inspect or prove hasn't been tampered with.

Google: Turn off VoLTE, Wi-Fi calling due to Exynos vulnerability

Google found severe vulnerabilities with Exynos modems used on the Pixel 6 and Samsung phones that warrant disabling VoLTE & Wi-Fi calling...

^{Abner Li (9to5Google)}

@Tutanota ich vermisse den Vergleich zwischen #Tutanota und #Mailfence

tutanota.com/email-comparison

Best email provider: A comparison

Create a new email address after checking out alternatives in this best email comparison.

^Tutanota

Koukám, že na TikToku je už i české Uloz.to.

tiktok.com/@uloz.to

If you're an #iOS #developer, love #opensource, and have a certain passion for email, you should definitely keep an eye on the #Thunderbird careers page!

thunderbird.net/careers/

Within the next few months, we'll be hiring someone to help us lay the groundwork for Thunderbird on iOS. When that career opportunity goes live, we will announce it here.

(So yes, we can 100% confirm we plan to develop an iOS version)

Work with Us

Come work with the Thunderbird team on the most popular open source desktop email client in the world. We are a distributed team comprised of people spread across the globe working on decentralized communication technology based on open standards.

^Thunderbird

The European Mathematical Society is delighted to announce the launch of its Young Academy (EMYA)! The first cohort of 30 early career mathematicians, spanning 18 countries and a broad spectrum of mathematical fields, had its inaugural meeting on 6th March.

euromathsoc.org/news/european-…

EMS | European Mathematical Society Young Academy (EMYA) - Launch

The EMS is proud to announce the launch of its Young Academy (EMYA), and the election of the first cohort of EMYA members.

^{euromathsoc.org}

Who's checking out #MozFest next week? We'll be in virtual attendance, and this is one of the talks we're excited about (for obvious reasons):

▶️ Dialogues & Debates: Making the Fediverse | Mozilla is joining the Fediverse in 2023 to co-create its future. What are its greatest opportunities and limitations? How can we scale methodology and not solutions? What is the public discourse square of the future? Who is building it?

schedule.mozillafestival.org/s…

#Mozilla #Fediverse #Mastodon

Mozilla Festival 2023 Schedule

Mozilla Festival 2023 Schedule. Activists in the internet health movement will gather at MozFest to move the needle in tech, art, social responsibility, ethics, and AI. Will you join us?

^{schedule.mozillafestival.org}

¿Qué tenemos hoy por el BOE?

Becas para educación post-obligatoria.

Y el reglamento de Iberpay, sistema de pagos: boe.es/diario_boe/txt.php?id=B…

The rogue's gallery of venture capital firms that contributed to the Silicon Valley Bank meltdown:

svbhallofshame.wordpress.com/

"Future founders will know your worth. They will know you are not a reliable partner, ready to throw them to the wolves at a moment’s notice. You will be remembered for your hypocrisy."

SVB Hall of Shame

Exposing the hypocrisy and echo chamber that led to SVB's unneeded demise

^{SVB Hall of Shame}

Security Bugfix Announcement: Distribution maintainers please update your packages!

Today Simon McVittie released updates fixing security issues on the supported Flatpak stable branches 1.14.4, 1.12.8, and 1.10.8.

One issue (CVE-2023-28101) involves maliciously crafted metadata hiding permissions using special characters and the other (CVE-2023-28100) involves an ioctl system call allowing copy/paste on virtual terminals (tty1, tty2, etc.)

github.com/flatpak/flatpak/rel…

Release 1.14.4 · flatpak/flatpak

Security fixes: Escape special characters when displaying permissions and metadata, preventing malicious apps from manipulating the appearance of the permissions list using crafted metadata (CVE-...

^GitHub

Here are some full-sized desktop software you can run today on the Librem 5 phone attached to a Lapdock or external monitor.

@Krita, @GIMP
@LMMS
and many more!

puri.sm/posts/desktop-apps-on-…