@Tutanota users!

"jonahrichie09@gmail.com" does 100% *not* work at Tuta.

Do not under any circumstances click on the attached pdf.

#phishing #security #email

PS. The e-mail was forwarded to abuse@tutao.de as well as marked as phishing. DS

GrapheneOS version 2025032500 released:

grapheneos.org/releases#202503…

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

discuss.grapheneos.org/d/21207…

#GrapheneOS #privacy #security

GrapheneOS version 2025032500 released - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

Getting started with XMPP/Jabber and PGP for federated, encrypted messaging

This is a short thread where I explain how I started using the XMPP protocol and PGP encryption for secure messaging. I am not a security expert, but I am a mathematician and I am confortable with the Linux command line. This guide is for people who want to use PGP for secure messaging easily. You will need to be okay with typing commands into the Linux command line in order to do this, but I will tell you exactly what to enter.

Part 1: XMPP

Mastodon is like email, but for social media. You sign up for an account with a server, and then you can talk with any other accounts that are signed up on other servers, as long as your servers are getting along. (No one wants emails from the sketchy spam server, and we want to be able to choose between Yahoo, Gmail, etc.) XMPP (a.k.a. Jabber) is the same thing for text messaging.

Just like signing up for an email/Mastodon account, you need to sign up for an account. You can find a list of servers at list.jabber.at/ and will probably at least need to provide an email addess when making an account.

Once you have made an account, you need a client. On Linux, I've been having a good time using Dino (dino.im/). You can then enter your account name and password to log into your XMPP account and start chatting! There are both public rooms and you can also message directly with your friends.

#security #PGP #XMPP #FOSS #Jabber #Dino #MonoclesChat

(1/4)

Dino. Communicating happiness.

A privacy-friendly messaging app for the desktop. It uses the XMPP protocol and provides a clean UI with modern features.

^dino.im

New Privacy Guides article 🔐✨
by me:

If you want to keep your password manager local-only, KeePassXC is a great solution!

It's free,
Open-source,
Easy to install and use,
Doesn't require an account,
Works on Linux, macOS, and Windows,
And the team is here! 👉 @keepassxc

Here's how to set it up with a YubiKey: privacyguides.org/articles/202…

#PrivacyGuides #KeePassXC #Privacy #Security #PasswordManager #Passwords #FOSS

"Google refuses to deny it received encryption order from UK government"

The UK’s encryption-breaking order for a backdoor into iCloud isn’t a one-off.

The secret hearing happening RIGHT NOW is bigger than just Apple. If the government wins, our right to privacy and security falls.

Other services will be hit.

therecord.media/google-refuses…

Sign our petition ➡️ you.38degrees.org.uk/petitions…

#e2ee #encryption #apple #google #privacy #security #cybersecurity #ukpol #ukpolitics #tech

Google refuses to deny it received encryption order from UK government

U.S. lawmakers say Google has refused to deny that it received a Technical Capability Notice from the U.K. — a mechanism to access encrypted messages that Apple reportedly received.

^{therecord.media}

📣 Break the silence: Save encryption!

The UK government wants to be able to access anything, anywhere, any time — from your pics to your docs.

It begins with Apple. Other services will be next. That's why we must take a stand NOW!

Sign and share our petition ⬇️

you.38degrees.org.uk/petitions…

#encryption #e2ee #Apple #privacy #security #cybersecurity #ukpolitics #ukpol #icloud #tech

Keep our Apple data encrypted

It is reported that the Home Office has ordered Apple to build a backdoor into its encrypted services so that they can get hold of content that any Apple user has upload to the cloud. Encryption keeps our private information safe and secure.

^{38 Degrees}

The message is clear across the political divide: let's hear it!

The UK government should argue in open court why they want to make us less secure by ordering a backdoor into Apple encryption.

A secret Tribunal would be an affront to the privacy and security issues at stake. It must be held in public.

Read the joint letter from ORG, Big Brother Watch and Index on Censorship ⬇️

openrightsgroup.org/press-rele…

#Apple #encryption #e2ee #privacy #security #cybersecurity #ukpol #ukpolitics #tech

Make the Investigatory Powers Tribunal on Apple Encryption a Public Hearing

Rights groups call for Apple’s closed appeal against the Home Office’s encryption-breaching order to be opened to the public.

^{Open Rights Group}

Bipartisan US Congress Members want the secrecy around the UK's encryption-breaking order to be lifted.

"It is imperative that the UK's technical demands of Apple - and of any other US companies - be subjected to robust, public analysis and debate."

“Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters.”

wyden.senate.gov/news/press-re…

#encryption #e2ee #Apple #privacy #security #cybersecurity

UK MPs have joined the chorus of voices wanting the Apple case to be held in public.

"If the Home Office wants to have effectively unfettered access to the private data of the (innocent) general public, they should explain their case in front of the public."

🗣️ David Davis MP.

"People deserve to know what's happening to their private personal information."

🗣️ Victoria Collins MP.

news.sky.com/story/apple-vs-ho…

#encryption #e2ee #Apple #privacy #security #cybersecurity #ukpolitics #ukpol

Apple vs Home Office encryption court battle must be held in public, say MPs

A row between the tech giant and the government over customer data will reportedly move to London's High Court this week – but the hearing will be held behind closed doors.

^{Tim Baker (Sky News)}

📣 Make it public!

The call is getting louder for a public hearing of the appeal over the UK's order to break Apple encryption.

Alongside the joint letter from ORG, Big Brother Watch and Index on Censorship, UK MPs, US Congress Members and the BBC want the secrecy to end.

bbc.co.uk/news/articles/c4g0rr…

#encryption #e2ee #privacy #security #cybersecurity #ukpol #ukpolitics #Apple #tech

Pressure grows to hold secret Apple privacy hearing in public

Civil liberties campaigners have joined US politicians and the BBC in saying Friday's hearing should not be secret.

^{Tom Singleton (BBC News)}

Nutzt ihr Antivirus-Apps auf eurem Android? Spart euch den unnötigen Ballast – sie bieten nur trügerische Sicherheit und sind oft voller Tracker. 👇

kuketz-blog.de/truegerische-si…

#android #security #google #tracking #virus #antivirus #app

Trügerische Sicherheit: Virenscanner-Apps sind schlichtweg überflüssig

Die Sicherheitsarchitektur von Android/iOS schränkt die Funktionsweise von Virenscanner-Apps stark ein und macht sie im Grunde nutzlos. Schlimmer: Die vermeintlichen Sicherheits-Apps sind Datenschleudern.

^{www.kuketz-blog.de}

🚨BREAKING🚨 The French National Assembly removed the backdoor section from the amendment to the #Narcotrafic law.

Read here how Politicians tried to undermine everybody's #security: tuta.com/blog/france-surveilla…

🙏 And thank you for fighting against this with us. This is a great win for privacy, yet, the battle is not over. Together we are strong! 💪

#backdoor #encryption #privacy #security

Everybody should learn how to use GPG.

gnupg.org/

#gpg #gnupg #encryption #security #privacy #cybersecurity #linux #pgp

The #Security #Trinity - spotted at @bitwarden explains how to secure your accounts with 2FA:

👉 bitwarden.com/resources/presen…

And rightly so: Because #encrypted email get even more secure with #2FA and #passwordmanagers 💪

Check out our top 3:
tuta.com/blog/best-password-ma…

France is about to pass the worst surveillance law in the EU.

Here's how you can stop them: 👉 tuta.com/blog/france-surveilla…

#backdoor #encryption #privacy #security

Here are some of our main takeaways from the EU Open Source Policy Summit 2025:💡 👨‍💻

— Open and collaborative innovation solves the dilemma of #competitiveness and #sovereignty
— Now is the time to invest in open source #maintenance and #security
— Building sustainable open source ecosystems remains challenging but necessary
— Open source is being increasingly regulated in Europe, and the new challenge is #implementation and #compliance

Read more in our new blog: 👇 🔗

openforumeurope.org/the-eu-ope…

With the Amazon Appstore shutting down, it's becoming even more important to invest in sustainable alternative stores you can trust.

See how you can invest in Accrescent's future! A little help goes a long way:

accrescent.app/faq#contributin…

More information on the Amazon Appstore discontinuation on Android:

amazon.com/appstoreonandroidFA…

#privacy #security #appstore #accrescent #android

Accrescent Frequently Asked Questions

Answers to frequently asked questions about Accrescent.

^Accrescent

Tuta email, located in Germany, Europe, now uses quantum computers to encrypt their emails.

(Technically, they are using algorithms determined to be safe against attacks from quantum computers. And they don't actually have a quantum computer running 24/7, but that is good enough for me.)

#Tuta #Email #QuantumComputers #Quantum #Privacy #Security

I tried to find when #Signal has published the most recent #security audit, and it turns out they either never published an audit or their code was never audited at all.

The closest thing I found is the list
community.signalusers.org/t/ov…
which only cites research papers and some evidence that in 2018 Signal paid Doyensec, but nothing got published as the result. Even then, it looks like the apps were not audited for more than 5 years since then.

Overview of third-party security audits

Let’s collect past security audits here: Formal audits Year Auditor(s) Sponsor App/Component Published Link Last update / extended 2013 iSEC Partners (NCC Group) Open Technology Fund RedPhone and TextSecure ❌ Blog post 2014 Frosch et al.

^{Signal Community}

The world needs secure communication more than ever, as a bulwark against the surveillance, authoritarianism, and oppression increasingly enabled by Big Tech. Matrix seeks to meet that need, as an open source, decentralised, encrypted comms protocol.

But Trust & Safety is more difficult in a decentralised environment. How are we building a safer Matrix?

matrix.org/blog/2025/02/buildi…

#Matrix #Security #Privacy #TrustAndSafety #OpenSource #FOSS

Building a Safer Matrix

Matrix, the open protocol for secure decentralised communications

^{Jim Mackenzie, VP Trust & Safety — The Matrix.org Foundation (matrix.org)}

Biometrics are a convenient and secure way to authenticate our devices. Many of us use and trust the biometrics of our devices without much thought, but are they really secure? With so many options, which ones are the best?

privacyguides.org/articles/202…

#Privacy #Biometrics #Security #PrivacyGuides #Article

Biometrics Explained

Privacy Guides is the most popular & trustworthy non-profit privacy resource to find privacy tools and learn about protecting your digital life.

^{www.privacyguides.org}

"The UK’s war on encryption affects all of us" via @verge.

Indeed, the UK's actions imperil security across the globe.

It's worth highlighting that open source comms tools, like @matrix and @signalapp, empower researchers and users: you'll _see_ if a backdoor is added.

Not so with proprietary tools. Do you really trust Meta, Apple, or Google not to roll over on you?

theverge.com/policy/612136/uk-…

#FOSS #SoftwareFreedom #OpenSource #Security #Privacy #Encryption

The UK’s war on encryption affects all of us

The UK is using its Investigatory Powers Act to demand backdoor access to iCloud users’ encrypted backups worldwide.

^{Gaby Del Valle (The Verge)}

If Apple complies with this, the UK government will gain access to all iCloud data globally. The only way Apple comes out of this with any integrity is to leave the UK market. If they give in to this, every regime in the world will demand the same thing. And that’s before we even get to the fact that there’s no such thing as a “backdoor” for just so-and-so. Either there is a door or there isn’t and if there is, anyone who obtains the key can use it.

theguardian.com/technology/202…

#apple #backdoor #UK #encryption #privacy #security #personhood #data #democracy #humanRights #iCloud

UK demands ability to access Apple users’ encrypted data

Expert says government has ‘lit the blue touch paper on a truly enormous fight’ as it challenges firm’s privacy stance

^{Dan Milmo (The Guardian)}

Six times so far ... is how often important parts of #deltachat were independently #security audited and analyzed. Thanks to IncludeSecurity, Cure53, Applied Crypto Team at ETH Zuerich and Radical Open Security.

Last audit is from December 2024 covering @rpgp , the minimal #OpenPGP Rust library that is gaining traction with others projects as well.
Shout-out to dignifiedquire and @hko for their excellent maintenance! For more info on Delta Chat related security audits: delta.chat/en/help#security-au…

Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure messaging app, available for mobile and desktop platforms. Delta Chat feels like Whatsapp or Telegram but you can also use and...

^delta.chat

Unbelievable

#ElonMusk’s US #DOGE Service are feeding sensitive data into #AI software via #Microsoft’s #cloud

#Musk’s US #DOGE Service have fed sensitive data from across the #Education Dept into #ArtificialIntelligence software to probe the agency’s programs & spending….
The AI probe includes data w/personally identifiable info for people who manage grants, & sensitive internal financial data…

#law #security #InfoSec #CyberSecurity #NationalSecurity #Trump #TrumpCoup
washingtonpost.com/nation/2025…

Mit Verlaub, das mag hart klingen, aber für so etwas sollte ein Verantwortlicher zur Rechenschaft gezogen werden – mit Konsequenzen, die sicherstellen, dass er nie wieder eine solche Verantwortung übernehmen darf. Solche »Sicherheitslücken« sind grob fahrlässig. 👇

heise.de/news/Datenleck-in-Reh…

#datenleck #security #sicherheit

Datenleck in Reha-Kliniken: Hunderttausende Patienten betroffen

Ein Datenleck betrifft potenziell hunderttausende Patienten der ZAR-Reha-Kliniken in ganz Deutschland. Abrufbar waren unter anderem hochsensible Patientendaten.

^{Ronald Eikenberg (heise online)}

Dear #Android #App #Developers, as it still happens far too often (no naming, no shaming! 💩 happens to everyone of us) a reminder to take good care of your #signing keys – and also take precautions for the case that your keystore might get lost. Please take a look at: f-droid.org/2023/09/03/reprodu… where I outline this topic.

Thanks!

#security

Reproducible builds, signing keys, and binary repos | F-Droid - Free and Open Source Android App Repository

Earlier this year, we reported about our progress concerning reproduciblebuilds. Meanwhile,more and more apps are using this; you can find some statisticsher...

^f-droid.org

Wer eine so gravierende Sicherheitslücke wie d-trust zu verantworten hat, sollte die Fehler eingestehen, statt mit Cyber-Rhetorik vom eigenen Versagen abzulenken. Datenlecks durch Schlamperei sind inakzeptabel, ebenso wie die Kriminalisierung von Sicherheitsforschern. Verantwortung, Entschuldigung, Konsequenzen – jetzt!

ccc.de/de/updates/2025/dont-tr…

#security #sicherheit #schwachstelle #verantwortung

Some fascinating research out on hacking a Subaru via STARLINK connected vehicle service.

"On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK connected vehicle service that gave us unrestricted targeted access to all vehicles and customer accounts in the United States, Canada, and Japan.

Using the access provided by the vulnerability, an attacker who only knew the victim’s last name and ZIP code, email address, phone number, or license plate could have done the following:

Remotely start, stop, lock, unlock, and retrieve the current location of any vehicle.

Retrieve any vehicle’s complete location history from the past year, accurate to within 5 meters and updated each time the engine starts.

Query and retrieve the personally identifiable information (PII) of any customer, including emergency contacts, authorized users, physical address, billing information (e.g., last 4 digits of credit card, excluding full card number), and vehicle PIN.

Access miscellaneous user data including support call history, previous owners, odometer reading, sales history, and more.

After reporting the vulnerability, the affected system was patched within 24 hours and never exploited maliciously."

samcurry.net/hacking-subaru#in…

#cars #security #subaru @starlink

Hacking Subaru: Tracking and Controlling Cars via the STARLINK Admin Panel

On November 20, 2024, Shubham Shah and I discovered a security vulnerability in Subaru’s STARLINK admin panel that gave us unrestricted access to all vehicles and customer accounts in the United States, Canada, and Japan.

^samcurry.net

Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …

➡️ matrix.org

➡️ getsession.org

➡️ delta.chat

➡️ simplex.chat

➡️ xmpp.org

If you’d like to learn more about these options, have a look at the responses to this toot.

#matrix #session #signal #XMPP #messenger #decentralized #tech #technology #OpenSource #FOSS #WhatsApp #security #InfoSec #data #safety

Session | Send Messages, Not Metadata. | Private Messenger

Session is a private messenger that aims to remove any chance of metadata collection by routing all messages through an onion routing network.

^Session

Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.

Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.

#security #infosec

Die Signatur-Problematik bei F-Droid ist offenbar noch immer nicht gelöst: "We find it concerning that F-Droid constantly chooses to move the goalposts and continues to rely on a fundamentally broken approach for certificate pinning, merely patching [15] known vulnerabilities without ever addressing the underlying cause." 😵👇

github.com/obfusk/fdroid-fakes…

#fdroid #security #privacy #certpinning #signature

GitHub - obfusk/fdroid-fakesigner-poc: F-Droid Fake Signer PoC

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.

^GitHub

just discovered some very cool new projects:
git.deuxfleurs.fr/Deuxfleurs/b…
aerogramme.deuxfleurs.fr/

aerogramme is a proxy for imap and caldav that offers encryption and some security guarantees

bagage is webdav with an s3 backend

this is all based on garage which works great on commodity hardware. you could rent a $5/mo/tb vps from hosthatch and have decently good secure, open source, cloud storage of all the above

#privacy #openSource #security #s3 #garage

bagage

Bagage is the bridge between our users and garage, it enables them to synchronize files that matter for them from their computer to garage through WebDAV

^{Gitea: git with a cup of coffee}

Elektronische Patientenakte: Lauterbach verspricht einen Start „ohne Restrisiko“
netzpolitik.org/2025/elektroni…

Na ja, man wird sich ja mal versprechen dürfen...

#epa #security

Elektronische Patientenakte: Lauterbach verspricht einen Start „ohne Restrisiko“

In wenigen Tagen beginnt die Pilotphase für die elektronische Patientenakte. Gesundheitsminister Lauterbach versichert, dass bis zu ihrem bundesweiten Start sämtliche Sicherheitsprobleme gelöst sind. Mit Gewissheit überprüfen lässt sich das nicht.

^{netzpolitik.org}

❤️ Privacy matters - so does doing good. We donate Tuta to #opensource projects! ❤️

Ready to turn on #privacy?

👉 tuta.com/blog/tutanota-for-ope…

#foss #givingback #encryption #security

GrapheneOS version 2025010700 released:

grapheneos.org/releases#202501…

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

discuss.grapheneos.org/d/18831…

#GrapheneOS #privacy #security

GrapheneOS version 2025010700 released - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}

I accidentally found another security vulnerability in fdroidserver whilst working on something related to IzzyOnDroid.

We warned them months ago but were ignored *sigh*

"Another fdroidserver AllowedAPKSigningKeys certificate pinning bypass"

openwall.com/lists/oss-securit…

#IzzyOnDroid #Security

Should someone stumble upon the security vulnerability disclosure at openwall.com/lists/oss-securit… – be assured the patches have already been applied at #IzzyOnDroid (and also that androguard is already aware: github.com/androguard/androgua…)

Also see the toot by the original finder: tech.lgbt/@obfusk/113765201775…

#security

Invalid regexp for the certificate · Issue #1097 · androguard/androguard

See: https://www.openwall.com/lists/oss-security/2025/01/03/1 Seems a good idea to patch ;) The regex in question -- ^META-INF/..(DSA|EC|RSA)$ -- is supposed to match all filenames that start with ...

^GitHub

Jetzt ist auch die deutschsprachige Version unseres "Jahresberichts" online:

Ein Blick zurück, ein Blick voraus: Wie war 2024 bei #IzzyOnDroid? Was mag Euch 2025 hier bringen, woran arbeiten wir?

android.izzysoft.de/articles/n…

Und wenn Euch jemand sagt, #security oder #reproducibleBuilds wären (einmal aufgesetzt) reine Selbstläufer: Lacht sie laut aus. Software entwickelt sich weiter – und so auch ihre Risiken und Threats…

Rückblick auf 2024 und Ausblick auf 2025: Reproducible Builds, Sicherheitsmaßnahmen, und mehr

2024 winkt zum Abschied, 2025 klopft an die Tür: Was haben wir 2024 erreicht, und was sind unsere Pläne und Hoffnungen für 2025? Werft mit uns einen Blick zurück auf die eingeführten Sicherheitsmaßnahmen, auf die Fortschritte bei Reproducible Builds …

^IzzyOnDroid