Items tagged with: infosec
Why use a URL shortener when you can use a phishy URL extender?
Keep your security people alert and awake, generate phishing-looking redirecting links
🤯 Instagram is testing new iOS push notifications that include a profile photo. Each time the notification is shown on your screen, it triggers a GET request to fetch that image, letting Meta track every on-screen impression.
The app still misuses push notifications to send detailed device analytics about the device (uptime, battery, volume, locale, timezone, memory, CPU, etc.)
Live Translation with AirPods is not going to be available in the EU. This means that it doesn't use an on-device AI model and the microphones forward everything to remote servers 🤯
UPDATE: Before this post goes out of control. The DMA can also be a reason why this feature is not available in the EU:
infosec.exchange/@hacksilon/11…
Max Maass :donor: (@hacksilon@infosec.exchange): @mysk@mastodon.social @GossiTheDog@cyberplace.social I would bet that this isn't about GDPR but about the digital markets act, in which case on-device or off device doesn't make a difference. (Infosec Exchange)
#FreeBSD mac_do(4) as a method of privilege escalation in an unprivileged chroot: pastebin.com/4fXx6K8D
hbsd-current-01[shawn]:/home/shawn $ sysctl security.bsd.unprivileged_chroot sec (Pastebin.com)
*** infosec specialists are needed in the resistance ***
The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.
Libraries will pay good wages for these workshops. There may be grants.
If you have these skills, please consider offering them.
#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance
So…who hates those Google log-in pop-ups that are seemingly everywhere now? Wanna make them go away?
1. Get uBlock Origin (which you should have already been using):
2. Open the plugin and click the settings button.
3. Click on the “my filters” tab and paste this into the input:
||accounts.google.com/gsi/*$xhr,script,3p
That’s it! Worked flawlessly for me.
(Updated URL. Thx @IceWolf and @emz!)
#Google #Privacy #Security #PopUps #InfoSec #BadGoogle
GitHub - gorhill/uBlock: uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
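The filter line in the post above uses Adblock Plus style syntax, which uBlock Origin reads: `||` anchors the pattern at a hostname (any scheme, any subdomain), `*` is a wildcard, and the part after `$` restricts the rule to the listed request types (`xhr`, `script`) and to third-party requests (`3p`). The following is an added example, not uBlock's code, that implements just those pieces in a simplified matcher and runs the rule over constructed sample requests; the registrable-domain check is an approximation (last two labels) where a real blocker would consult the Public Suffix List.

```javascript
// Added example: simplified matcher for the filter
// "||accounts.google.com/gsi/*$xhr,script,3p". Not uBlock Origin's own code.

// Parse "pattern$opt1,opt2" into a structured rule.
function parseFilter(text) {
  const dollar = text.lastIndexOf("$");
  const pattern = dollar === -1 ? text : text.slice(0, dollar);
  const options = dollar === -1 ? [] : text.slice(dollar + 1).split(",");
  const hostAnchored = pattern.startsWith("||");
  const body = hostAnchored ? pattern.slice(2) : pattern;
  const partyOpts = new Set(["3p", "third-party", "1p", "first-party"]);
  const types = new Set(options.filter(o => !partyOpts.has(o)));
  const thirdPartyOnly = options.includes("3p") || options.includes("third-party");
  // Turn the glob into a regex: escape metacharacters, then expand '*'.
  const escaped = body.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  // '||' means: any scheme, then optionally any subdomain labels, then the anchored host.
  const prefix = hostAnchored ? "^[a-z][a-z0-9+.-]*://([^/]+\\.)?" : "";
  return { re: new RegExp(prefix + escaped), types, thirdPartyOnly };
}

// Crude registrable-domain approximation (last two labels). Real blockers use
// the Public Suffix List; this is enough for the constructed samples below.
function site(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Decide whether one request would be blocked by the rule.
// request = { url, type, pageUrl }
function isBlocked(rule, request) {
  if (rule.types.size && !rule.types.has(request.type)) return false;
  const reqHost = new URL(request.url).hostname;
  const pageHost = new URL(request.pageUrl).hostname;
  const thirdParty = site(reqHost) !== site(pageHost);
  if (rule.thirdPartyOnly && !thirdParty) return false;
  return rule.re.test(request.url);
}

const RULE = parseFilter("||accounts.google.com/gsi/*$xhr,script,3p");

// Constructed sample requests (not real captures).
const SAMPLES = [
  // Sign-in prompt script loaded by a third-party site: blocked.
  { url: "https://accounts.google.com/gsi/client", type: "script", pageUrl: "https://news.example/article" },
  // Same script on a Google property: first-party, so the 3p option exempts it.
  { url: "https://accounts.google.com/gsi/client", type: "script", pageUrl: "https://myaccount.google.com/" },
  // Status XHR from the prompt on a third-party page: blocked.
  { url: "https://accounts.google.com/gsi/status?client_id=x", type: "xhr", pageUrl: "https://shop.example/" },
  // Top-level navigation: "document" is not in the rule's type list, so untouched.
  { url: "https://accounts.google.com/gsi/select", type: "document", pageUrl: "https://shop.example/" },
  // Look-alike host that merely ends in the anchored name: '||' does not match it.
  { url: "https://notaccounts.google.com/gsi/client", type: "script", pageUrl: "https://shop.example/" },
];

// Returns one boolean per sample: true where the rule would block the request.
function evaluateSamples() {
  return SAMPLES.map(r => isBlocked(RULE, r));
}

if (typeof require !== "undefined" && require.main === module) {
  SAMPLES.forEach((r, i) => console.log(evaluateSamples()[i], r.type, r.url, "on", r.pageUrl));
}
```

The second and fourth samples are the point of the `3p` and type options: the rule removes the pop-up from other people's pages without breaking Google's own sign-in flow or ordinary navigation to accounts.google.com.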
I DID IT!
Dewey invented the Dewey Decimal System, Morse invented the Morse Code, Plato invented the plate. I, influenced by what I saw at a #CyberSecurity conference, have designed and dedicated to the Public Domain the penultimate way to get removed from #infosec sales offerings.
I present to you the "No Purchasing Authority" seal. Put it on a button, wear it as a sticker, respond to emails with it. Regardless, this helps you and the sales person understand that this relationship is going nowhere.
Please never ever do this: ergaster.org/posts/2025/07/28-…
Loading credentials from Bitwarden with direnv
When working on my homelab, I regularly need to pass credentials to my tools. A naive approach is to just store the token in clear text, but there's a better alternative. (ergaster.org)
Don't trust cloud services with your creative work.
#enshittification #privacy #infosec #security #cybersecurity #writing #art
Least convincing newly registered domain so far this year:
fixpassword[.]ru
(DON'T. GO. HERE.)
Oh, Brother (printers)!
The best time to patch your connected devices is all the time (Freedom of the Press)
Pornhub is making bullshit claims regarding the privacy issues of the French gov age verification requirements. There are very real and significant problems with the French gov approach, but Pornhub's approach is significantly worse.
Pornhub wants to put the burden of age verification and enforcement on user devices. They even name the actors that should have to bear that burden: Google, Apple and Microsoft.
First off, this creates an artificial monopoly: three American companies being the judge on who can watch what. Worldwide. I can't wait to have Trump's administration (or whatever jackass the American elect) censoring everything I watch.
Also, Linux users are prayed to go fuck themselves instead of watching porn. Get the real stuff, Linux users (lol).
There is also the issue of the age verification procedure: how do you verify the user's age? Biometrics is the obvious answer on mobile phone, but would there be alternatives? Probably not.
Too bad for people whose face does not match the AI training. Too bad for people not wanting their biometrics verified/leaked to a provider of the operating system vendor choosing.
If you are using a workstation, please get a webcam if you want to jerk off.
But let's say that you passed the age verification procedure: how do you transfer that knowledge to the website?
An HTTP header could be faked so this is not an option.
A remote assessment using a TPM (a chip on your device that monitors that your system wasn't altered)? => You can no longer install an alternate operating system and watch porn. Once again an artificial monopoly.
DRM would be probably the preferred solution: let anyone download the porn file, but only display it on devices with the appropriate DRM reader if the age verification test is passed. Once again an artificial monopoly. And this puts an end to piracy in the process. Nobody would ever think about abusing this for other content, right Google WEI?
Once again, the French gov tech and requirements are bullshit. I am not here to defend them, but Pornhub's statement is just full of shit.
#porn #pornhub #censorship #infosec #france
Passwords expire so often in corporate settings because passwords are not shelf-stable.
Passwords should be refrigerated after opening. If kept refrigerated in an airtight container, a password will last up to two weeks longer.
Follow me for more #InfoSec tips!
Seven day embargo limit for #curl: git.hardenedbsd.org/shawn.webb…
It can take the #HardenedBSD project a full month to rebuild its package repos. And since we've built this software monoculture against libcurl, this will be FUN!
VULN-DISCLOSURE-POLICY.md: 7 days embargo is max (af81e8fe) · Commits · Shawn Webb / Curl · GitLab
It was recently updated in this doc to seven, but there were *two* numbers mentioned and only one of them was updated leaving the paragraph quite confusing. Follow-up to 83c90e50472f32b74e388f6e524d... (GitLab)
Long before the internet, some phone networks were hackable by playing a single tone at 2600Hz.
Whistled into a phone, it could grant you unrestricted access. Do you have the vocal chops to be an old-school phone phreak?
I built a web app to test your ability to produce the legendary frequency. You won't get free long distance calls but you will get some honor in the knowledge that you could have been a cool hacker. 😎
I am sad to say that I can only whistle up to 1100Hz... But my wife (a long time woodwind player) is able to consistently get it.
Give it a try: phreak.kmcd.dev/
#phreaking #2600Hz #bluebox #RetroComputing #hacker #infosec #Tech
As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.
I have also done some packet captures of my own.
I dive into the nitty-gritty technical details of what I found and how I found it on my blog:
Telegram is indistinguishable from an FSB honeypot
rys.io/en/179.html
Yes, my packet captures and a small Python library I wrote in the process are all published along.
#Telegram #InfoSec #Privacy #Surveillance #Russia
Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt… (Songs on the Security of Networks)
Remarkable investigation into Telegram by IStories (in Russian):
istories.media/stories/2025/06…
English version by OCCRP:
occrp.org/en/investigation/tel…
tl;dr:
👉 Telegram uses a single company with ties to the Russian FSB as their sole infrastructure provider, globally.
👉 Combined with a cleartext device identifier Telegram's protocol requires to be prepended to all encrypted messages, this allows for global surveillance of Telegram users.
I am quoted in this story.
Telegram, the FSB, and the Man in the Middle
The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services. (OCCRP)
Privacy vs Security: Yandex is spying on their users in an insecure way, Meta (Facebook, Insta) in a more secure way. Both of them are a threat to user privacy.
This is yet another example showing that there are reasons to be more suspicious against proprietary apps. We should avoid installing GAFAM apps, and reducing as much as possible our dependency on their services is healthy
Ekis: 2; Google AI: 0
Broke out of the google's operational directives (not safety, too deeply embedded)
I have a prompt I would like to publicly disclose; link to breakout prompt in a reply for 24h
My prompt does not include any facts about google & its a slim breakout
Establishing a similar but far more sophisticated "Ekis Directive" this time
Here are 3x same questions to prove googles operational parameters lifted
You can decide if you think I was successful:
Startpage is a search engine that has been promoted as a European alternative to Google Search.
This is a misleading statement.
CLARIFICATION
Headquartered in the Netherlands.
Owned by System1: mastodon.online/@blueghost/111…
Revenue is consolidated with System1's financial statements.
System1 supports employee salaries, technology investments, and marketing initiatives.
Source: support.startpage.com/hc/artic…
Website: startpage.com
#Startpage #StartpageSearch #Privacy #InfoSec #CyberSecurity
Blue Ghost (@blueghost@mastodon.online): System1 owns the search engine Startpage. System1 is a publicly traded advertising/marketing company headquartered in the United States and traded on the NYSE as SST. CNBC System1 profile: https://www.cnbc.… (Mastodon)
techxplore.com/news/2025-05-sc…
Computer scientists create algorithm to protect videos from quantum hacking
Researchers at FIU's College of Engineering and Computing have developed an encryption algorithm to defend videos from attackers with access to the world's most powerful computers. (David Drucker, Tech Xplore)
Microsoft Copilot for SharePoint just made recon a whole lot easier. 🚨
One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...
It opened the door to credentials, internal docs, and more.
All without triggering access logs or alerts.
Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.
That’s a problem.
Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.
📌Read it here: pentestpartners.com/security-b…
#RedTeam #OffSec #AIsecurity #Microsoft365 #SharePoint #MicrosoftCopilot #InfoSec #CloudSecurity
Exploiting Copilot AI for SharePoint | Pen Test Partners
TL;DR: AI Assistants are becoming far more common. Copilot for SharePoint is Microsoft's answer to generative AI assistance on SharePoint. Attackers will look to exploit anything they can get their hands on. Your current controls and logging may be insuf… (Jack Barradell-Johns, Pen Test Partners)
Looks like Corporate #infosec has made its choice.
#RSAC is filled with talks embracing AI and making it "secure".
And they invited and encouraged the Trump regime to spread its disinformation - fully sanctioned and encouraged by the conference leadership (and by conference attendees who laughed at the regime's jokes and lies and issued no challenges or stands during the talk).
With the ostracization of #ChrisKrebs by industry and the full embrace of Kristi Noem as a speaker, this was the moment that infosec made its bed.
Y'all lie in it now.
This dumb password rule is from Polytechnique Montreal.
Passwords must have a minimum length of 8 characters
Passwords must have a maximum length of 30 characters
Passwords must contain a minimum of 2 digits
Passwords must contain a minimum of 2 letters
Password must be different than the last one used
Passwords may contain these special characte...
dumbpasswordrules.com/sites/po…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator.
Here is the app telling me to open itself to validate itself with itself.
#infosec people, THIS is big and you need it in front of management RIGHT NOW.
MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure.
This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.
This dumb password rule is from Bank Millennium.
Passwords limited to 8 digits.
dumbpasswordrules.com/sites/ba…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from TreasuryDirect.
Will allow most passwords longer than 8 characters. Doesn't tell you there is a maximum length of 16 characters. Then forces you to type it with an on-screen keyboard with no capital letters.
dumbpasswordrules.com/sites/tr…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
February 16th #BlackHistoryMonth spotlight:
Get to know @blackgirlshack!
"BlackGirlsHack meets the #InfoSec needs left unmet by existing services by providing hands-on skills that are focused on people who are upskilling and reskilling in #cybersecurity."
BlackGirlsHack - About
BlackGirlsHack is the leading cybersecurity training nonprofit in the country. The nonprofit organization, which is open to all, provides training, career services, study groups, and resources for people looking to upskill and reskill in technology and c… (blackgirlshack.org)
For every day in February, I will be posting to celebrate #BlackHistoryMonth by spotlighting Black Americans who have contributed to the fields of #STEM and #LibraryScience, in addition to shout outs to Black-owned businesses and #InfoSec groups.
Thread 🧵 begins here:
Unbelievable
#ElonMusk’s US #DOGE Service are feeding sensitive data into #AI software via #Microsoft’s #cloud
#Musk’s US #DOGE Service have fed sensitive data from across the #Education Dept into #ArtificialIntelligence software to probe the agency’s programs & spending…. The AI probe includes data w/personally identifiable info for people who manage grants, & sensitive internal financial data…
#law #security #InfoSec #CyberSecurity #NationalSecurity #Trump #TrumpCoup
washingtonpost.com/nation/2025…
This is what I think about whenever infosec wonks on here start telling people they should use matrix or xmpp+omemo or whatnot instead of signal
To be fair, I understand the arguments and to a large extent I agree with the critiques. However, I think anyone making these recommendations is vastly underestimating the capacity or appetite for most people to deal with the user experiences presented by these alternatives.
User experience is the ultimate force multiplier. For anything that requires network effects to function (i.e. most anything involving communication), if it doesn't *just work* then you've lost 90% of your audience.
#matrix #xmpp #infosec #cybersecurity #signal #ux #design #ui #encryption #privacy #crypto
Let's say China manages to get just a little bit of data about people from just a few of these ... 😑
"China's overlapping tech-industrial ecosystems"
high-capacity.com/p/chinas-ove…
#cybersec #cybersecurity #infosec #itsec #china #privacy #gdpr #dataprotection #dataskydd
China's overlapping tech-industrial ecosystems
EVs, batteries, lidar, drones, robotics, smartphones, AI. China's progress across a range of overlapping industries creates a mutually reinforcing feedback loop. (Kyle Chan, High Capacity)
Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …
➡️ matrix.org
➡️ delta.chat
➡️ simplex.chat
➡️ xmpp.org
If you’d like to learn more about these options, have a look at the responses to this toot.
#matrix #session #signal #XMPP #messenger #decentralized #tech #technology #OpenSource #FOSS #WhatsApp #security #InfoSec #data #safety
Session | Send Messages, Not Metadata. | Private Messenger
Session is a private messenger that aims to remove any chance of metadata collection by routing all messages through an onion routing network. (Session)
Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.
Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.