
Items tagged with: security


A look back, a look ahead: How was 2024 at IzzyOnDroid? What might 2025 bring you there, what are we working on?

android.izzysoft.de/articles/n…

And if anybody ever tells you #security or #reproducibleBuilds are "set-and-forget", laugh straight into their faces. Software evolves, and so do the threats and risks to it…

German readers: Die Deutsche Version folgt in Kürze…

#IzzyOnDroid




At last, the USB portal originally authored by @refi64 in 2021, later continued by Georges Stavracas in 2023, and finalized by @hub, has been merged!

The USB portal allows sandboxed formats like Flatpak to access USB devices without poking holes in the sandbox. This is great for security, as accessing USB devices will now need to be explicitly granted by the user.

Now we just need to wait for implementers to implement them in their respective portal implementations, starting with GNOME: gitlab.gnome.org/GNOME/xdg-des…

The documentation for the USB portal is available on the xdg-desktop-portal website: flatpak.github.io/xdg-desktop-…

#Flatpak #Security #GNOME


Repeat offenders drive bulk of tech support scams via #Google #Ads

"Search engines, and Google’s in particular, are our gateway to the web. Yet, that door sometimes opens up to unsavory places thanks to sponsored search results, AKA ads."

This is part of the reason I recommend using an #adblocker (whether in browser, on device, or network-based.)

#cybersecurity #scams #security #privacy

malwarebytes.com/blog/scams/20…


I've noticed a concerning trend of "slop security reports" being sent to open source projects. Here are thoughts about what platforms, reporters, and maintainers can do to push back:

#oss #opensource #security

sethmlarson.dev/slop-security-…


Synapse 1.120.2 was just released with several security fixes: github.com/element-hq/synapse/…
You should really update now. While the last 2 CVEs say they were fixed in 1.106, to my knowledge that is only true if you enabled authenticated media, which only became the default in 1.120, so you really want to update even for those, or at least update your config.

Thank you! :)

#matrix #synapse #security
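If you cannot upgrade straight away, the config change the post refers to is the authenticated-media switch. The fragment below is an added example, not text from the Synapse release notes; the key name is the one documented for Synapse's `homeserver.yaml` as I know it, so check it against the configuration documentation for your own version before relying on it.

```yaml
# homeserver.yaml (added example fragment; key name assumed from the Synapse config docs)
# Serve media only through the authenticated /_matrix/client/v1/media endpoints.
# Default false before 1.120, true from 1.120 onwards.
enable_authenticated_media: true
```

Restart Synapse after changing it, and expect clients or bridges that still use the legacy unauthenticated media endpoints to need updates.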


Gmail and Outlook are popular but not necessarily the best - especially when it comes to #privacy and #security.

In this in-depth guide we review #Gmail vs #Outlook and fill you in on the best email provider that's ad-free, private, and secure. 😉

👉 Read more: tuta.com/blog/outlook-vs-gmail



theguardian.com/technology/202…

This article discusses how to protect privacy, amidst concerns of increased government surveillance.

The article is aimed at Asylum seekers & immigrants to the US, but it's solid advice for anyone, really.

Recommendations include using encrypted messaging apps like Signal, Apple iMessage, and WhatsApp, and setting messages to disappear.

It also recommends minimizing data sharing and deleting data when possible, particularly from Google.

#privacy #security


Whoa, that's provocative: this blog article says:

- Don't use #PGP / #GPG
- Don't use #XMPP + OMEMO
- Don't use #Matrix (in the sense of: don't rely on its encryption)
- Encrypting email is pointless

I don't know the author and wouldn't mention him if the article weren't being cited in serious IT security newsletters.

soatok.blog/2024/11/15/what-to…

Opinions? #itsec #security


I've seen a number of toots today advising people against scanning random #QRCodes because they can be used in a number of malicious ways.

There are a number of legitimate ways people can use such codes to trick others, and it can require some deeper understanding of how systems work to avoid them. For that reason, I'm not going to contradict that recommendation, but I will add to it.

QR codes are usually just URLs encoded in a visual, machine-readable form, so they aren't necessarily more dangerous than a link. The danger comes from the fact that most scanner apps will directly open whatever URL you scan without giving you the opportunity to consider whether that's a good idea.

You can reduce the risk of scanning such codes by installing a better app which requires manual interaction to open URLs after decoding them.

For Android users I recommend "BinaryEye", since it's open-source, ad-free, and has a bunch of other useful features.

Its GitHub page links to both F-Droid and the Play Store:

github.com/markusfisch/BinaryE…

#privacy #security
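The decision a careful scanner app should make after decoding, as an added example (my own code, not BinaryEye's or anything from the post): anything that is not a web URL is only displayed, and a web URL is shown as scheme, host and path with red flags called out, so the user confirms before anything opens. The specific checks (user-info before the host, punycode or non-ASCII hosts, raw IP addresses, plain http, odd ports) are my choice of common QR and link tricks, not a list from the post.

```python
import re
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def classify_qr_payload(payload: str) -> dict:
    """Return what a careful scanner should do with decoded QR content.

    action "show":    display the raw text, never auto-open it
                      (WIFI:, tel:, sms:, intent:, market:, plain text, ...)
    action "confirm": a web URL; display scheme://host/path prominently,
                      list red flags, and wait for the user to decide.
    """
    text = payload.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme not in WEB_SCHEMES:
        return {"action": "show", "display": text, "warnings": []}

    parts = urlsplit(text)
    host = parts.hostname or ""
    warnings = []
    if not host:
        warnings.append("no host in URL")
    if "@" in parts.netloc:
        # https://bank.example@evil.example/ reads as the bank at a glance, lands on evil
        warnings.append("user-info before the host (look-alike trick)")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("punycode or non-ASCII host (possible homograph)")
    if IPV4.fullmatch(host):
        warnings.append("raw IP address instead of a domain")
    if scheme == "http":
        warnings.append("plain http, content can be tampered with in transit")
    try:
        port = parts.port
    except ValueError:
        port = -1  # malformed port text, treat as unusual
    if port not in (None, 80, 443):
        warnings.append(f"unusual port {port}")
    return {
        "action": "confirm",
        "display": f"{scheme}://{host}{parts.path or '/'}",
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample payloads, not real scans.
    for sample in (
        "WIFI:T:WPA;S:cafe;P:secret;;",
        "https://paypal.com@evil.example/login",
        "http://192.0.2.1/menu",
        "https://example.org/menu",
    ):
        print(sample, "->", classify_qr_payload(sample))
```

The "display" string deliberately drops user-info, query and fragment so the user sees the host they would actually connect to; the full URL can still be shown on request.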


Great to see you're adopting some of the #security features we've implemented earlier this year at #IzzyOnDroid @fdroidorg! Maybe you want to check our documentation on them?

android.izzysoft.de/articles/n…

* it's SIGNING blocks, not FROSTING blocks
* MEITUAN is about payload, not metadata
* there's no fixed number of blocks as your code assumes (gitlab.com/fdroid/fdroidserver…)

The article you link to (bi-zone.medium.com/easter-egg-…) tells you the same :wink:
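A parser that walks the APK Signing Block pair by pair, as an added example of the point about not assuming a fixed number of blocks (my own code, not F-Droid's or IzzyOnDroid's). The layout and the v2/v3/padding IDs are taken from Android's APK Signature Scheme documentation; the block ID 0x12345678 and the one-entry ZIP standing in for an APK are constructed placeholders.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"

# IDs from the Android APK Signature Scheme docs. Anything else is tool- or
# vendor-specific; a parser must not assume which IDs, or how many, it will meet.
KNOWN_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
}


def parse_apk_signing_block(block: bytes) -> list[tuple[int, bytes]]:
    """Layout (little-endian): uint64 size | pairs | uint64 size | 16-byte magic.
    Each pair is uint64 length, uint32 id, value[length - 4]. The leading size
    field excludes itself; the loop runs until the trailing size field, so any
    number of pairs is accepted."""
    if len(block) < 32:
        raise ValueError("block too short")
    (size_head,) = struct.unpack_from("<Q", block, 0)
    size_tail, magic = struct.unpack_from("<Q16s", block, len(block) - 24)
    if magic != APK_SIG_BLOCK_MAGIC or size_head != size_tail or size_head != len(block) - 8:
        raise ValueError("size fields or magic inconsistent")
    pairs, off, end = [], 8, len(block) - 24
    while off < end:
        (length,) = struct.unpack_from("<Q", block, off)
        off += 8
        if length < 4 or off + length > end:
            raise ValueError(f"bad pair length {length} at offset {off - 8}")
        (pair_id,) = struct.unpack_from("<I", block, off)
        pairs.append((pair_id, block[off + 4 : off + length]))
        off += length
    return pairs


def build_apk_signing_block(pairs) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def _central_directory_offset(apk: bytes) -> tuple[int, int]:
    eocd = apk.rfind(EOCD_SIG)  # fine for archives whose comment does not contain the signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    return eocd, cd_offset


def find_apk_signing_block(apk: bytes):
    """The block sits immediately before the ZIP central directory; locate it via the EOCD."""
    _, cd_offset = _central_directory_offset(apk)
    if cd_offset < 32 or apk[cd_offset - 16 : cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None  # no v2/v3 block: v1-only or unsigned archive
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - 8 - size
    if start < 0:
        raise ValueError("size field runs past start of file")
    return apk[start:cd_offset]


def insert_apk_signing_block(apk: bytes, block: bytes) -> bytes:
    """Splice a block in front of the central directory and patch the EOCD's CD offset."""
    eocd, cd_offset = _central_directory_offset(apk)
    out = bytearray(apk[:cd_offset] + block + apk[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


def make_sample_zip() -> bytes:
    """Constructed stand-in for an unsigned APK: a one-entry ZIP, not a real manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
    return buf.getvalue()


def make_sample_apk() -> bytes:
    """Constructed sample with three pairs: v2, v3 and a hypothetical vendor block."""
    block = build_apk_signing_block([
        (0x7109871A, b"\x00" * 8),
        (0xF05368C0, b"\x01" * 4),
        (0x12345678, b"constructed"),  # placeholder ID, not a real scheme
    ])
    return insert_apk_signing_block(make_sample_zip(), block)


def zip_entry_names(apk: bytes) -> list[str]:
    return zipfile.ZipFile(io.BytesIO(apk)).namelist()


def describe(pairs) -> list[str]:
    return [f"{KNOWN_IDS.get(i, 'unknown/vendor')} (0x{i:08x}, {len(v)} bytes)" for i, v in pairs]


if __name__ == "__main__":
    apk = make_sample_apk()
    for line in describe(parse_apk_signing_block(find_apk_signing_block(apk))):
        print(line)
```

Run it against a real APK by reading the file into `apk` and calling `find_apk_signing_block` then `parse_apk_signing_block`; the values of the v2/v3 pairs are the signed-data structures the scheme docs describe and need their own parser.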




@Tutanota I just realised that all the comments I have added to my contacts over the years, including family-related and medical important information, are gone...

github.com/tutao/tutanota/issu…

Bugs are becoming more common recently, and this one made me lose data. I'm quite disappointed.

#Email #OpenSource #FOSS #Security #Privacy




Accrescent 0.25.0 is out with Android 15 app archiving support, Private Space support, and settings UI improvements!

We also forgot to announce that since 0.24.0, Accrescent supports in-app predictive back!

Check out the release notes below 👇

github.com/accrescent/accresce…

#privacy #security #appstore #android #accrescent #opensource





American Water shuts down online services after #cyberattack

American Water is the largest water and wastewater treatment utility in the US…

OT systems not affected, so it appears this only affects their IT systems. Suspected nation state activity (Russia).

(I encourage everyone to share this with their friends, because cyber attacks absolutely can have direct "real world" consequences.)

#cybersecurity #infosec #security

bleepingcomputer.com/news/secu…


#AIagent promotes itself to #sysadmin , trashes #boot sequence

Fun experiment, but yeah, don't pipe an #LLM raw into /bin/bash

Buck #Shlegeris, CEO at #RedwoodResearch, a nonprofit that explores the risks posed by #AI , recently learned an amusing but hard lesson in automation when he asked his LLM-powered agent to open a secure connection from his laptop to his desktop machine.
#security #unintendedconsequences

theregister.com/2024/10/02/ai_…





New blog post: Post-OCSP certificate revocation in the Web PKI.

With OCSP in all forms going away, I decided to look at the history and possible futures of certificate revocation in the Web PKI. I also threw in some of my own proposals to work alongside existing ones.

I think this is the most comprehensive current look at certificate revocation right now.


#security #WebPKI #LetsEncrypt #TLS #OCSP


NGI Assure, the program aimed at improving trust in our digital society, successfully concluded after its 4 year run.

152 teams contributed to a more trustworthy & secure internet with their Free and Open Source projects. Thank you all! [1]

We've made a book showcasing all the projects which you can download from the link below. There are also paper copies, so ask for those when you see us IRL.

[1] nlnet.nl/news/2024/20240919-NG…
[2] nlnet.nl/media/NGIAssure-bookl…
(1/2)

#FOSS #NGI #NGI0 #Trust #Security


Tor insists its #network is safe after German cops convict CSAM dark-web admin

Kind of boils down to opsec fail here. Using outdated software, which in this case didn’t properly secure Tor connections.

Timing attacks are still viable (especially with hostile nodes), but this reads as an #opsec fail to me.

Remember: a major part of anonymity is maintaining great opsec.

Obligatory: Tor is not “just for criminals,” despite one getting caught in this case (glad he did tbh). Regular people use Tor everyday.

#cybersecurity #security #privacy

theregister.com/2024/09/19/tor…


In opsec, duress (“rubber-hose”) attacks are famously hard to address. Cryptographic keys that cannot be lost have poor protections against duress.

Travelers can leave key fobs at home should they be accosted. A victim of a break-in can conveniently "lose" or smash a hardware key, erasing any encrypted data. Yes, I know about cold-boot attacks; I don't recommend that at-risk people leave things decrypted for long durations. I like the idea of spring-loaded key fobs that can't be left plugged in.

People talking about key fob body implants don’t usually plan for removing them in seconds with plausible deniability.


Originally posted on seirdy.one (POSSE). #Security #OpSec



Cybersecurity course: 𝗢𝗻𝗹𝗶𝗻𝗲, 𝗵𝗮𝗻𝗱𝘀-𝗼𝗻, 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹, 𝗮𝗻𝗱 𝗳𝗿𝗲𝗲!
Czech Technical University's "Introduction to Security" class opens online for free! 14 weeks of deep attacking and defending. Join us and register for free. Starting on Sep 26th.
cybersecurity.bsy.fel.cvut.cz/
#cybersec #infosec #blueteam #redteam #education #security


Authentication is almost always the most frustrating step of interacting with a service. Matrix is no different, but Quentin is about to dramatically improve the situation.

Get a glimpse of all the goodness waiting to be unlocked once his project lands!

youtu.be/dmUi4ZoYRWc

#authentication #ux #security


YouTube throttling from the technical side

#network #security #infosec #proxy #vless #vmess #youtube #roscompozor #ntc_party

Ready-made circumvention tools. Waujito wrote his own solution for Linux (github.com/Waujito/youtubeUnbl…), which targets YouTube only.
For Windows there is also GoodbyeDPI by ValdikSS (github.com/ValdikSS/GoodbyeDPI), and for Linux there is also zapret (github.com/bol-van/zapret).
There is ByeDPI (github.com/hufrea/byedpi), which works as a proxy (Windows/Linux). There is also an Android version of ByeDPI (github.com/dovecoteescapee/Bye…), which works as a "fake VPN".

I recommend reading the detailed comment by ValdikSS on how to use these tools. (github.com/yt-dlp/yt-dlp/issue…)

If you want to dive deeper into this topic, you can read more here: https://ntc.party/t/замедление-youtube-в-россии/8055/ and https://ntc.party/t/обсуждение-замедление-youtube-в-россии/8074/

The comments are boiling over as usual.

habr.com/ru/articles/832678/




Hardware kill switches: Empowering users in the digital age. Our latest blog explores how physical control over your device builds trust, respects autonomy, and offers unparalleled protection. Discover how Purism is putting privacy at the forefront of mobile tech.
puri.sm/posts/the-evolution-of…
#UserPrivacy #Purism #PureOS #Security


Accrescent 0.23.0 is out! This release makes multilingual support a little bit better, prevents you from accidentally using your metered data by default, and improves the security of its dependencies.

See the release notes below 👇

github.com/accrescent/accresce…

#accrescent #privacy #security #appstore #android