Another one back-to-back! Accrescent 0.22.0 is released to ensure Accrescent can always update itself, add a theme option to settings, and fix a bug related to preferred languages: github.com/accrescent/accresce…

#security #android #appstore #privacy #accrescent

Release 0.22.0 · accrescent/accrescent

This release ensures Accrescent can always update itself, adds a setting to manually change the app theme (light, dark, or system), and fixes an issue where app's wouldn't be installed in the user'...

^GitHub

🎉 Wohoo! We have officially reached 90K followers on X - and we already have more then 26K here! 🎉

A BIG thank you to all our loyal Tuta users. You make our fight for #privacy and #security worth it ❤️

If you're new here, get your #FREE Tuta Mail account now: app.tuta.com/signup

Upon recommendations, I tried this AI prompt injection game for the first time. I made it to level 7 with no help from the internet!

If you want to donate to me, donate to me on this page.

My website is here where I usually blog. I'm not much of a video person, so I blog and write more than I do video!

Accrescent 0.21.0 is out with minor accessibility improvements, settings changes, and networking improvements.

Check it out and read the release notes below!

github.com/accrescent/accresce…

#android #security #privacy #appstore #accrescent

Release 0.21.0 · accrescent/accrescent

This release includes some minor accessibility improvements, settings changes, and network improvements. Changes A11y: Announce app list refreshing state (@PatrykMis) Add donation link to settings...

^GitHub

3/3 For those interested in learning more about the code signing process, and this warning, please see: answers.microsoft.com/en-us/wi…"

and if you would like to test out Alpha builds of NVDA, head to: Please feel encouraged to run the latest snapshot from nvaccess.org/files/nvda/snapsh….

If you do have any questions or concerns, please reach out to us at info@nvaccess.org.

#NVDA #FOSS #Alpha #testing #Prerelease #Certificate #Security

2/3 When the warning appears, press tab to "More info", then press enter. Reading through the dialog, note that the publisher is listed as:

"AU, Queensland, Camp Mountain, NV Access Limited, NV Access Limited"

To allow NVDA to run, press tab to "Run anyway", and press enter to run the snapshot. This will help us get through this period until Windows considers our certificate "trusted":

#NVDA #FOSS #Alpha #testing #Prerelease #Certificate #Security

ID Verification Service for #TikTok, #Uber, X Exposed Driver Licenses

In this case, the ID verification vendor leaked admin credentials and exposed people’s information (sensitive documents and status of verification) for over a year.

All for “age verification” we introduce another EZ mode way for people’s real life identities to be compromised. Companies want you to provide sensitive documents to prove you’re real/your age but can’t be bothered to invest money/time/effort in basic #security to secure what you give them.

#cybersecurity #privacy

404media.co/id-verification-se…

ID Verification Service for TikTok, Uber, X Exposed Driver Licenses

As social networks and porn sites move towards a verified identity model, the actions of one cybersecurity researcher show that ID verification services themselves could get hacked too.

^{Joseph Cox (404 Media)}

#Windows 11 is now automatically enabling #OneDrive folder backup without asking permission

"Quietly and without any announcement, the company [#Microsoft] changed Windows 11's initial setup so that it could turn on the automatic folder backup without asking for it."

Imagine your operating system forcing all your desktop files to sync to the cloud, without letting you know it would do that. Users should be aware of when their files are synced to any cloud.

Oh wait, I forgot... Microsoft has zero regard for user choice, #privacy, and #security.

#privacymatters

neowin.net/news/windows-11-is-…

Windows 11 is now automatically enabling OneDrive folder backup without asking permission

Microsoft quietly changed how folder backup works in the OneDrive app on Windows 11. Now, the OS enables it by default during the initial setup without asking the user for permission.

^{Taras Buria (Neowin)}

"for the first time, Commissioner Jourova publicly admitted at yesterday's EDPS summit that encryption would need to be broken for Chat Control to become effective."
— tuta.com/blog/interview-patric…

#ChatControl #EuropeanCommission #Surveillance #EU #Privacy #HumanRights #Encryption #Security

Europe and Australia will both not break encryption! We’ve interviewed Patrick Breyer – the guy who coined the term Chat Control.

Action taken by privacy activists and citizens stops the push for mass surveillance.

^Tutanota

Privacy is a marathon, not a sprint. 🏃

What are the next steps you will be taking in your #privacy and #security journey?

Let us know in the comments!

Patrick Breyer fordert zum Widerstand gegen die Chatkontrolle auf und gibt Tipps, wie sich jeder Einzelne aktiv beteiligen kann. Werdet JETZT aktiv, sonst kann es sein, dass die Unvernunft siegt. 👇

patrick-breyer.de/rat-soll-cha…

#chatkontrolle #ChatkontrolleStoppen #sicherheit #security #datenschutz #privacy

Rat soll Chatkontrolle durchwinken - Werde jetzt aktiv!

Der belgische Vorsitz im Rat der EU will die Chatkontrolle am Mittwoch den 19. Juni abstimmen lassen. Damit bestätigen sich die Befürchtungen: die Verfechter der Chatkontrolle wollen ausnutzen, dass es nach den Wahlen weniger öffentliche Aufmerksamke…

^{Patrick Breyer}

We love #DNS! ❤️

Tuta uses DMARC, DKIM & SPF to protect your domains from spoofing. Unlimited custom domain aliases & strong #security are a perfect match. 🔒

Not sure what these acronyms mean? No worries, we've got you covered.

👉 tuta.com/blog/dkim-custom-emai…

#Android is getting an AI-powered #scam call detection feature

Will be powered by Gemini Nano, which #Google says can be run locally and offline to process "fraudulent language and other conversation patterns typically associated with scams" and push real-time alerts during calls where detected red flags are present.

It will be opt-in, but Gemini Nano is currently only supported on Google Pixel 8 Pro and Samsung S24 series devices.

#cybersecurity #security

theverge.com/2024/5/14/2415621…

Android is getting an AI-powered scam call detection feature

Google is testing a new call monitoring feature that warns users if the person they’re talking to is likely attempting to scam them and encourages them to end such calls.

^{Jess Weatherbed (The Verge)}

Der Messenger #Telegram ist für eine sichere Kommunikation nicht geeignet - standardmäßig sind die Nachrichten nicht einmal Ende-zu-Ende verschlüsselt. Besser geeignet sind #Signal oder #Threema. Übrigens: Elon Musk ist das Paradebeispiel eines Trolls. Einfach ignorieren. 😉

Wer eine Entscheidungshilfe für einen Messenger sucht: messenger-matrix.de/messenger-…

#sicherheit #security #schwachstelle #e2ee #vulnerabilty #musk #durow

TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is microos.opensuse.org/blog/2023… but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security

Systemd-boot and Full Disk Encryption with TPM and FIDO2

Systemd-boot and Full Disk Encryption in Tumbleweed and MicroOS

^{openSUSE MicroOS}

Psst 👋 Email Preview for push notifications is coming soon!

Now you can know who is sending you an email before opening your mailbox! 🎉

Here's a sneak peek 🤫
#teaser #ios #android #sneakpeek #privacy #security #linux #macos #windows

Those changes are currently only applied to the master branch and didn't yet go to any release or distribution packages. They were supposed to fix a #security issue, but not to break some binary repos, which is what the applied patches might do. Find the originally proposed and recommended patches at github.com/obfusk/fdroid-fakes… – and also see e.g. tech.lgbt/@obfusk/112306314357… for some additional background.

Fay 🏳️‍🌈

2024-04-21 00:12:41

I just posted an update to my "PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass" post to oss-security:

openwall.com/lists/oss-securit…

Original post:

openwall.com/lists/oss-securit…

GitHub repo with patches, PoCs, and a script to scan for potentially affected APKs:

github.com/obfusk/fdroid-fakes…

GitHub - obfusk/fdroid-fakesigner-poc: F-Droid Fake Signer PoC

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.

^GitHub

Who controls the tech stack❓

When choosing a secure solution for your data, this one of the most important questions❗

Here's why: ➡️ tuta.com/blog/what-is-a-tech-s…

#security #technology #opensource #foss

Important security update for GLib and D-Bus, thanks to @pwithnall

discourse.gnome.org/t/security…

If you are a downstream distributor of GLib, GTK, or GNOME-related projects, remember to follow the distributor tag on Discourse.

#glib #security

Security fixes for signal handling in GDBus in GLib

A series of related security fixes for how signal subscriptions are handled in GDBus have just landed in GLib.

^{GNOME Discourse}

This #Debian wiki page was what I found that helped me get fingerprint authentication set up on my laptop.

So I contributed something back. I added the "Caveats" section at the bottom. Hopefully this helps somebody else, 🙂

wiki.debian.org/SecurityManage…

#Linux #Security

Veilig communiceren met én binnen de overheid. Hoe werkt dat? Dit kan alleen wanneer er volledige zekerheid is over de afzender, de inhoud en de vertrouwelijkheid van het bericht. PKIoverheid zorgt daarvoor. Check de video! 👇

#DigitaleOverheid #DigitaleInclusie #Toegankelijkheid #Security

New bookmark: ActivityPub on a (mostly) static website.

There have been other attempts to document the process of bringing ActivityPub to a (mostly) static site, but this is my favorite so far. I wonder if I should give it a go, if POSSE ever stops serving my needs.

Originally posted on seirdy.one: See Original (POSSE). #IndieWeb #Security #Web

My bookmarks

Links from around the web, curated and annotated by Rohan Kumar.

^{Seirdy’s Home}

Accrescent 0.20.0 is out with support for respecting other app stores, UI improvements, bug fixes and more!

Download Accrescent or view the changelog below for details.
github.com/accrescent/accresce…

#accrescent #android #security #privacy #appstore

Release 0.20.0 · accrescent/accrescent

A more substantial release this time around! Accrescent now respects other app stores and manual APK installations, no longer attempting to take over updates for apps you installed outside of Accre...

^GitHub

Should you have noticed a short "absence" of the #IzzyOnDroid primary web server, that was probably the reboot…

A CVE was published to oss-sec 5 days ago and got its fixes available today (security-tracker.debian.org/tr…), so it was applied immediately as the vuln would have affected some components here.

My thanks here once more goes to @obfusk for bringing it to my attention – and to my service provider who swiftly applied the updates within just minutes 🤩

#security

Another #security patch has been applied at the #IzzyOnDroid #IzzySoftRepo to protect against what is described at openwall.com/lists/oss-securit…

Though a full scan of the repo hasn't brought up a single affected APK, that doesn't mean any such cannot show up later – so better safe than sorry, right?

If you use brew’s curl on macOS, are you really using it? I installed and had curl setup a couple of years ago. Today it appears that curl was now pointing to Apple’s version, which has this issue (daniel.haxx.se/blog/2024/03/08…). Looks like brew doesn’t add a symlink for curl to /opt/homebrew/bin. Running `ln -s /opt/homebrew/opt/curl/bin/curl /opt/homebrew/bin` resolved the issue.

#macos #curl #security

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.

It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨

#security #cybersecurity #simswap

tmo.report/2024/04/t-mobile-em…

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

T-Mobile employees, both third-party and corporate, are receiving cash offers via text to complete SIM swaps for criminals.

^{Jman100 (The Mobile Report)}

#curl sometimes fails to access some servers. In most situations the problem is not in curl itself but on the server side. Example:

1. Fails: curl radissonhotels.com

2. Works: curl -A 'Mozilla/5.0 xx Chrome/119' radissonhotels.com

3. Fails: curl -A 'Mozilla/5.0 xx Chrome/118' radissonhotels.com

4. Fails, too: curl -A 'Mozilla/5.0 xx Chrome/1189' radissonhotels.com

Perhaps they perform #filtering to obtain improved #security? It's hard to tell, but any serious attacker surely knows how to spoof the user agent string and bypass such simple #regex

Security Bits by @bart — 14 April 2024 podfeet.com/blog/2024/04/sb-20…

#Security

Security Bits — 14 April 2024 - Podfeet Podcasts

Feedback & Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we’re tracking over time.

^{Bart Busschots (Podfeet Podcasts)}

Time for another release... Accrescent 0.19.0 is out! While not much has changed on the surface, Accrescent now uses our new server infrastructure which brings faster downloads to everyone!

Read the release notes or download below 👇

github.com/accrescent/accresce…

#accrescent #security #privacy #appstore #android

Release 0.19.0 · accrescent/accrescent

This release marks the migration of Accrescent's servers to a more scalable setup. From this version on, Accrescent will connect to the new servers. Earlier versions of Accrescent will automaticall...

^GitHub

Hey! Let's talk about #SSH and #security!

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab s clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke . The full paper is at flux.utah.edu/paper/singh-nsdi…

Let's dive in. 🧵

2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give much details. After it was tested now at the IoD test & staging area, and running smoothly for two days for the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make POC & patch public. You can find the full details at github.com/obfusk/fdroid-fakes… & openwall.com/lists/oss-securit… now. @fdroidorg @eighthave be welcome using it!

1/2

GitHub - obfusk/fdroid-fakesigner-poc: F-Droid Fake Signer PoC

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.

^GitHub

FreeBSD Foundation and Digital Security by Design (DSbD)

<globenewswire.com/news-release…>

❝… CHERI and CheriBSD, developed to revolutionize hardware-based protection against memory safety vulnerabilities, were developed by a collaboration from researchers from the University of Cambridge, alongside corporate partners such as Google, Microsoft, Arm, and SRI International, and with support from the UK government. …❞

#FreeBSD #ARM #security

FreeBSD Foundation and Digital Security by Design (DSbD) Announce Beacon Award Winners for Innovations and Improvements to CheriBSD

Winning Projects Highlight CheriBSD's Role in Advancing Digital Security...

^{FreeBSD Foundation}

I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.

So I wrote "The xz issue isn't about Open Source" here: changelog.complete.org/archive…

The xz Issue Isn’t About Open Source

You’ve probably heard of the recent backdoor in xz. There have been a lot of takes on this, most of them boiling down to some version of: The problem here is with Open Source Software. I want…

^{The Changelog}

boehs.org/node/everything-i-kn…

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux