"Hey, what's your password?"
Nice try. My password is:
Tuta_MailDoesntLetThatHappen!
Enjoy your Sunday! 🤩
🔐 #Encryption #Privacy #Security 🔐
Search
Items tagged with: security
"If an app asks for Android permissions that it doesn't rightfully need (like screen recording permissions for a BMI app), deny it; who knows what kind of things the app can harvest if you allow it?"
Huh? Don't install it in the first place! Because, "who knows what kind of things the app can…" 🤦♂️
Of course, if unsure, reaching out to the devs for clarification is fair. But make sure the answer is reasonable.
just discovered some very cool new projects:
git.deuxfleurs.fr/Deuxfleurs/b…
aerogramme.deuxfleurs.fr/
aerogramme is a proxy for imap and caldav that offers encryption and some security guarantees
bagage is webdav with an s3 backend
this is all based on garage which works great on commodity hardware. you could rent a $5/mo/tb vps from hosthatch and have decently good secure, open source, cloud storage of all the above
#privacy #openSource #security #s3 #garage
bagage
Bagage is the bridge between our users and garage, it enables them to synchronize files that matter for them from their computer to garage through WebDAVGitea: git with a cup of coffee
Elektronische Patientenakte: Lauterbach verspricht einen Start „ohne Restrisiko“
netzpolitik.org/2025/elektroni…
Na ja, man wird sich ja mal versprechen dürfen...
Elektronische Patientenakte: Lauterbach verspricht einen Start „ohne Restrisiko“
In wenigen Tagen beginnt die Pilotphase für die elektronische Patientenakte. Gesundheitsminister Lauterbach versichert, dass bis zu ihrem bundesweiten Start sämtliche Sicherheitsprobleme gelöst sind. Mit Gewissheit überprüfen lässt sich das nicht.netzpolitik.org
❤️ Privacy matters - so does doing good. We donate Tuta to #opensource projects! ❤️
Ready to turn on #privacy?
👉 tuta.com/blog/tutanota-for-ope…
#foss #givingback #encryption #security
Tuta for Open Source Projects | Tuta
Open Source is at the heart of our products since we first launched Tutanota. Now we are giving back to open source teams with free Tuta accounts.Tuta
GrapheneOS version 2025010700 released:
grapheneos.org/releases#202501…
See the linked release notes for a summary of the improvements over the previous release.
Forum discussion thread:
discuss.grapheneos.org/d/18831…
#GrapheneOS #privacy #security
GrapheneOS version 2025010700 released - GrapheneOS Discussion Forum
GrapheneOS discussion forumGrapheneOS Discussion Forum
How much would you pay for your personal phishing awareness training (simulation, e. g. 10 test mails a year)?
Talking about hypothetical service where you would subscribe your personal email to receive, from time to time, email phishing lure based on your customised demography. You know, something your employer usually does for your corporate email, but this time for you (or even your family).
#phishing #awareness #poll #boostswelcome #security
- 6 EUR / year (5%, 1 vote)
- 12 EUR / year (0%, 0 votes)
- Even more? Elaborate (5%, 1 vote)
- Less? Elaborate (5%, 1 vote)
- Would never subscribe for such service (82%, 14 votes)
I accidentally found another security vulnerability in fdroidserver whilst working on something related to IzzyOnDroid.
We warned them months ago but were ignored *sigh*
"Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass"
Should someone stumble upon the security vulnerability disclosure at openwall.com/lists/oss-securit… – be assured the patches have already been applied at #IzzyOnDroid (and also that androguard is already aware: github.com/androguard/androgua…)
Also see the toot by the original finder: tech.lgbt/@obfusk/113765201775…
Invalid regexp for the certificate · Issue #1097 · androguard/androguard
See: https://www.openwall.com/lists/oss-security/2025/01/03/1 Seems a good idea to patch ;) The regex in question -- ^META-INF/..(DSA|EC|RSA)$ -- is supposed to match all filenames that start with ...GitHub
Jetzt ist auch die deutschsprachige Version unseres "Jahresberichts" online:
Ein Blick zurück, ein Blick voraus: Wie war 2024 bei #IzzyOnDroid? Was mag Euch 2025 hier bringen, woran arbeiten wir?
android.izzysoft.de/articles/n…
Und wenn Euch jemand sagt, #security oder #reproducibleBuilds wären (einmal aufgesetzt) reine Selbstläufer: Lacht sie laut aus. Software entwickelt sich weiter – und so auch ihre Risiken und Threats…
Rückblick auf 2024 und Ausblick auf 2025: Reproducible Builds, Sicherheitsmaßnahmen, und mehr
2024 winkt zum Abschied, 2025 klopft an die Tür: Was haben wir 2024 erreicht, und was sind unsere Pläne und Hoffnungen für 2025? Werft mit uns einen Blick zurück auf die eingeführten Sicherheitsmaßnahmen, auf die Fortschritte bei Reproducible Builds …IzzyOnDroid
A look back, a look ahead: How was 2024 at IzzyOnDroid? What might 2025 bring you there, what are we working on?
android.izzysoft.de/articles/n…
And if anybody ever tells you #security or #reproducibleBuilds are "set-and-forget", laugh straight into their faces. Software evolves, and so do their threats and risks…
German readers: Die Deutsche Version folgt in Kürze…
Review of 2024 and Outlook for 2025: Reproducible Builds, Security Measures and more
2024 waves goodbye, 2025 knocks at the door: what did we achieve in 2024, and what are our plans and hopes for 2025? Join us to take a look back at security measures established, at progress with Reproducible Builds – and for a look ahead of what mig…IzzyOnDroid
I'm mind blown you can compromise a release CI/CD system with two malicious branch names. Like how.
github.com/ultralytics/ultraly…
#Security #SupplyChainSecurity
Discrepancy between what's in GitHub and what's been published to PyPI for v8.3.41 · Issue #18027 · ultralytics/ultralytics
Bug Code in the published wheel 8.3.41 is not what's in GitHub and appears to invoke mining. Users of ultralytics who install 8.3.41 will unknowingly execute an xmrig miner. Examining the file util...GitHub
At last, the USB portal originally authored by @refi64 in 2021, later continued by Georges Stavracas in 2023, and finalized by @hub, has been merged!
The USB portal allows sandboxed formats like Flatpak to access USB devices without poking holes in the sandbox. This is great for security, as accessing USB devices will now need to be explicitly granted by the user.
Now we just need to wait for implementers to implement them in their respective portal implementations, starting with GNOME: gitlab.gnome.org/GNOME/xdg-des…
The documentation for the USB portal is available on the xdg-desktop-portal website: flatpak.github.io/xdg-desktop-…
Usb
Description: Portal for USB device access This interface lets sandboxed applications monitor and request access to connected USB devices. Applications should prefer specialized portals for specific...XDG Desktop Portal
Repeat offenders drive bulk of tech support scams via #Google #Ads
"Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads."
This is part of the reason I recommend using an #adblocker (whether in browser, on device, or network-based.)
#cybersecurity #scams #security #privacy
malwarebytes.com/blog/scams/20…
Repeat offenders drive bulk of tech support scams via Google Ads | Malwarebytes
Consumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.Jérôme Segura (Malwarebytes)
I've noticed a concerning trend of "slop security reports" being sent to open source projects. Here are thoughts about what platforms, reporters, and maintainers can do to push back:
sethmlarson.dev/slop-security-…
New era of slop security reports for open source
I'm on the security report triage team for CPython, pip, urllib3, Requests, and a handful of other open source projects. I'm also in a trusted position such that I get "tagged in" to other open sou...sethmlarson.dev
Synapse 1.120.2 was just released with several security fixes: github.com/element-hq/synapse/…
You should really update now and while the last 2 CVEs say, they were fixed on 1.106, to my knowledge that is only true if you enabled authenticated media, which only became the default in 1.120, so you really want to update even for those or at least update your config.
Thank you! :)
Release v1.120.2 · element-hq/synapse
Synapse 1.120.2 (2024-12-03) This version has building of wheels for macOS disabled. It is functionally identical to 1.120.1, which contains multiple security fixes. If you are already using 1.120....GitHub
Gmail and Outlook are popular but not necessarily the best - especially when it comes to #privacy and #security.
In this in-depth guide we review #Gmail vs #Outlook and fill you in on the best email provider that's ad-free, private, and secure. 😉
👉 Read more: tuta.com/blog/outlook-vs-gmail
Outlook vs Gmail: Which is best in 2024? | Tuta
When looking to create a free email address with Outlook or Gmail, we've got a few tips to help you choose the best provider for top privacy and security.Tuta
At Tuta, we believe that best security must be free for everyone.
We are happy to announce that in December all existing Tuta accounts will be upgraded to quantum-safe encryption! 🥳🎉
With TutaCrypt your data is safe - now and in the future. ⚛️ 🔒
Learn more about this quantum leap in #security: tuta.com/blog/post-quantum-cry…
Tuta Launches Post Quantum Cryptography For Email | Tuta
Tuta Mail enables TutaCrypt, a protocol to exchange messages using quantum-safe encryption.Tuta
theguardian.com/technology/202…
This article discusses how to protect privacy, amidst concerns of increased government surveillance.
The article is aimed at Asylum seekers & immigrants to the US, but it's solid advice for anyone, really.
Recommendations include using encrypted messaging apps like Signal, Apple iMessage, and WhatsApp, and setting messages to disappear.
It also recommends minimizing data sharing and deleting data when possible, particularly from Google.
Opt out: how to stop tech companies spying on your phone as Trump promises mass deportations
There are no federal privacy regulations to protect your information – here’s how you can do it yourselfJohana Bhuiyan (The Guardian)
Oha, das ist provokativ: Dieser Blogartikel sagt:
- Nutzt kein #PGP / #GPG
- Nutzt kein #XMPP + OMEMO
- Nutzt kein #Matrix (im Sinne: verlasst euch nicht auf die Verschlüsselung)
- E-Mails verschlüsseln ist sinnlos
Ich kenne den Autor nicht und würde ihn nicht erwähnen, würde der Artikel nicht in ernstzunehmenden ITSec-Newslettern zitiert
soatok.blog/2024/11/15/what-to…
What To Use Instead of PGP - Dhole Moments
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing they s…Dhole Moments
I've seen a number of toots today advising people against scanning random #QRCodes because they can be used in a number of malicious ways.
There are a number of legitimate ways people can use such codes to trick others, and it can require some deeper understanding of how systems work to avoid them. For that reason, I'm not going to contradict that recommendation, but I will add to it.
QR codes are usually just URLs encoded in a visual, machine-readable form, so they aren't necessarily more dangerous than a link. The danger comes from the fact that most scanner apps will directly open whatever URL you scan without giving you the opportunity to consider whether that's a good idea.
You can reduce the risk of scanning such codes by installing a better app which requires manual interaction to open URLs after decoding them.
For android users I recommend "BinaryEye", since it's open-source, ad-free, and has a bunch of other useful features.
Its github page links to both F-Droid and the play store:
github.com/markusfisch/BinaryE…
GitHub - markusfisch/BinaryEye: Yet another barcode scanner for Android
Yet another barcode scanner for Android. Contribute to markusfisch/BinaryEye development by creating an account on GitHub.GitHub
Great to see you're adopting some of the #security features we've implemented earlier this year at #IzzyOnDroid @fdroidorg! Maybe you want to check our documentation on them?
android.izzysoft.de/articles/n…
* it's SIGNING blocks, not FROSTING blocks
* MEITUAN is about payload, not metadata
* there's no fixed number of blocks as your code assumes (gitlab.com/fdroid/fdroidserver…)
The article you link to (bi-zone.medium.com/easter-egg-…) tells you the same :wink:
Easter Egg in APK Files: What Is Frosting - BI.ZONE - Medium
A file structure is a whole fascinating world with its own history, mysteries and a home-grown circus of freaks, where workarounds are applied liberally. If you dig deeper into it, you can discover…BI.ZONE (Medium)
That's why we publish all our apps on @fdroidorg ❤️
🔒 Get the new calendar app now! 🔒
👉 tuta.com/blog/tuta-calendar-fd…
#FOSS #OpenSource #Encryption #Security #Calendar
New Tuta Calendar app is now on F-Droid! | Tuta
Encrypted, open source, zero strings to Google – introducing the Tuta Calendar.Tuta
🔐 Sending a password-protected email to anyone is easy with Tuta Mail! 🔐
Check out our latest guide on how to send encrypted, password-protected emails here 👇👇👇
tuta.com/blog/how-to-password-…
#encryption #security #privacy #email
The easiest way to send password-protected emails | Tuta
Unsure of how to send a password-protected email? Find out how easy it is in this quick guide.Tuta
@Tutanota I just realised that all the comments I have added to my contacts over the years, including family-related and medical important information, are gone...
github.com/tutao/tutanota/issu…
Bugs are becoming more common recently, and this one made me lose data. I'm quite disappointed.
#Email #OpenSource #FOSS #Security #Privacy
Lost all my contact comments on Android · Issue #7818 · tutao/tutanota
This is not a feature request (existing functionality does not work, not missing functionality). I will request features on forum or via support. I've searched and did not find a similar issue. Bug...GitHub
🦾6 AI Tos Used by Hackers
🔹Poisongpt
🔹Wormgpt
🔹Speechif.ai
🔹Deepl.ai
🔹Freedom.ai
🔹Passgan.ai
🔖#infosec #cybersecurity #hacking #pentesting #security
There Is Just One Way To Do Open Source Security: Together: thenewstack.io/there-is-just-o… via @TheNewStack & @sjvn
When we work together, said HackerOne CEO Mårten Mickos, we can secure #opensource software. #security
There Is Just One Way To Do Open Source Security: Together - The New Stack
HackerOne CEO Mårten Mickos highlights how open source can address security issues.Steven J. Vaughan-Nichols (The New Stack)
Accrescent 0.25.0 is out with Android 15 app archiving support, Private Space support, and settings UI improvements!
We also forgot to announce that since 0.24.0, Accrescent supports in-app predictive back!
Check out the release notes below 👇
github.com/accrescent/accresce…
#privacy #security #appstore #android #accrescent #opensource
Release 0.25.0 · accrescent/accrescent
This release adds initial app archiving support on Android 15, makes Accrescent show up as an installer in Private Space, and improves the settings UI! We also forgot to mention that since 0.24.0, ...GitHub
Accrescent recently surpassed 1,000 stars on GitHub 🥳! Thank you to everyone for your continued support!
If you'd like to help us grow, check out accrescent.app/faq#contributin…. There are lots of ways to contribute even if you can't code!
github.com/accrescent/accresce…
#security #privacy #appstore #accrescent #android
Accrescent Frequently Asked Questions
Answers to frequently asked questions about Accrescent.Accrescent
ICYMI: Internet Archive hacked, data breach impacts 31 million users
1. Nobody is safe.
2. A non-profit is using bcrypt to hash passwords, no reason why your for-profit company can't do the same.
Hungary keeps pushing for Chat Control. Here’s why they must be stopped:
👉 tuta.com/blog/opposition-again…
#chatcontrol #Fight4privacy #encryption #security
American Water shuts down online services after #cyberattack
American Water is the largest water and wastewater treatment utility in the US…
OT systems not affected - so appears this only affects their IT systems. Suspected nation state activity (Russia).
(I encourage everyone sharing this with their friends because cyber attacks absolutely can have direct “real world” consequences.)
#AIagent promotes itself to #sysadmin , trashes #boot sequence
Fun experiment, but yeah, don't pipe an #LLM raw into /bin/bash
Buck #Shlegeris, CEO at #RedwoodResearch, a nonprofit that explores the risks posed by #AI , recently learned an amusing but hard lesson in automation when he asked his LLM-powered agent to open a secure connection from his laptop to his desktop machine.
#security #unintendedconsequences
theregister.com/2024/10/02/ai_…
AI agent promotes itself to sysadmin, trashes boot sequence
Fun experiment, but yeah, don't pipe an LLM raw into /bin/bashThomas Claburn (The Register)
Ransomware attack forces UMC Health System to divert some patients bleepingcomputer.com/news/secu… #news #Healthcare #Security
I hope to hear from @Tutanota very soon. Lack of key verification is a major flaw in the technical design of the platform, allowing a malicious Tuta server to read end-to-end encrypted exchanges (both emails and shared calendars).
github.com/tutao/tutanota/issu…
The issue has been opened 6 years ago.
#Security #Privacy #Crypto #Cryptography #Email #FOSS
![Message posted on the GitHub issue titled "Manual key verification":
"This issue has been opened for more than 6 years now, with no clear roadmap or even real consideration from the Tuta team. I have to say, I am disappointed.
You keep saying that "[...] Tuta [is] the most secure email service on the market.", but without key verification, a malicious Tuta server can read the end-to-end encrypted emails and shared calendars exchanged on the platform as there is no way to verify the recipients' public key. As explained by @llebout, "all users of Tutanota must trust Tutanota to not provide forged keys and perform an MITM attack". This is a significant flaw in the technical design of the platform, and it does not seem to bother you.
In #198, it can be read that:
> We are aware of the issues with verification, new protocol will support verification, the work is underway
However, your post-quantum implementation has now landed but still no word on the key verification issue.
Could you please stand by what you have said from day 1, that you prioritise security and privacy, and establish a clear roadmap of the work already undertaken or to be done to fix the situation?
Thank you"](https://fedi.ml/photo/preview/640/595249 "Message posted on the GitHub issue titled \"Manual key verification\":
\"This issue has been opened for more than 6 years now, with no clear roadmap or even real consideration from the Tuta team. I have to say, I am disappointed.
You keep saying that \"[...] Tuta [is] the most secure email service on the market.\", but without key verification, a malicious Tuta server can read the end-to-end encrypted emails and shared calendars exchanged on the platform as there is no way to verify the recipients' public key. As explained by @llebout, \"all users of Tutanota must trust Tutanota to not provide forged keys and perform an MITM attack\". This is a significant flaw in the technical design of the platform, and it does not seem to bother you.
In #198, it can be read that:
> We are aware of the issues with verification, new protocol will support verification, the work is underway
However, your post-quantum implementation has now landed but still no word on the key verification issue.
Could you please stand by what you have said from day 1, that you prioritise security and privacy, and establish a clear roadmap of the work already undertaken or to be done to fix the situation?
Thank you\"")
Accrescent 0.24.0 is out with settings menu accessibility improvements, target SDK 35 (Android 15), and LOTS of translation and dependency updates! 🎉
Download it from our website at accrescent.app or read the changelog below 👇
New blog post: Post-OCSP certificate revocation in the Web PKI.
With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.
I think this is the most comprehensive current look at certificate revocation right now.
#security #WebPKI #LetsEncrypt #TLS #OCSP
NGI Assure, the program aimed at improving trust in our digital society, successfully concluded after its 4 year run.
[1]152 teams contributed to a more trustworthy & secure internet with their Free and Open Source projects. Thank you all!
We've made a book showcasing all the projects which you can download from the link below. There are also paper copies, so ask for those when you see us IRL.
[2][1] nlnet.nl/news/2024/20240919-NG…
[2] nlnet.nl/media/NGIAssure-bookl…
(1/2)
Tor insists its #network is safe after German cops convict CSAM dark-web admin
Kind of boils down to opsec fail here. Using outdated software, which in this case didn’t properly secure Tor connections.
Timing attacks are still viable (especially with hostile nodes), but this reads as an #opsec fail to me.
Remember: a major part of anonymity is maintaining great opsec.
Obligatory: Tor is not “just for criminals,” despite one getting caught in this case (glad he did tbh). Regular people use Tor everyday.
#cybersecurity #security #privacy
theregister.com/2024/09/19/tor…
Tor insists its network is safe after German cops convict CSAM dark-web admin
Outdated software blamed for cracks in the armorIain Thomson (The Register)