Items tagged with: security
New episode is out!
@dsearls and @katherined talk to @kyle about hardware supply chains, building the only USA-made mobile phone, trust, open standards, and much more. Full episode here: reality2cast.com/133
youtube.com/shorts/bCR-S0nWRZE
#opensource #security #trust #openstandards #vendorLockin #podcast #NewEpisode
Hardware Supply Chains, Trust Agility, and Avoiding Vendor Lock-in
Doc Searls and Katherine Druckman talk to Kyle Rankin about hardware supply chains, building the only USA-made mobile phone, trust, open standards, and much more. Reality 2.0
"Antivirus: privilege escalation through a vulnerability in AVG and Avast"
[1] No? Oh yes! Ohh! 😉
Finally throw this useless snake oil off your computers. The only one I would still leave enabled (with slight pain) is Microsoft Defender. More info at [2].
#antivirus #security #snakeoil
[1] heise.de/news/Virenschutz-Rech…
[2] kuketz-blog.de/antiviren-scann…
Antivirus: privilege escalation through a vulnerability in AVG and Avast
The AVG and Avast virus scanners could have allowed attackers to escalate their privileges on the system. Updates fixing the bug are available. Dirk Knop (heise online)
youtube.com/@geek-room - new Geek Room CZ playlist
youtu.be/3tF8Be0E3xc - Archinstall script for a LUKS and BTRFS Arch Linux installation.
youtu.be/YdqGsv3tmN4 - Arch Linux manual installation with LUKS (encryption) and the BTRFS filesystem. (Higher HD resolutions are still being processed.)
github.com/raven2cz/geek-room
github.com/raven2cz/geek-room/…
github.com/raven2cz/geek-room/… #archlinux #linux #geek #security #arch #youtube #dotfiles #guide #czech
GitHub - raven2cz/geek-room: Repository dedicated to an enthusiast for technology, games, new software features and GNU/Linux.
Repository dedicated to an enthusiast for technology, games, new software features and GNU/Linux. - GitHub - raven2cz/geek-room: Repository dedicated to an enthusiast for technology, games, new sof... GitHub
A Security & Privacy Focused Phone with a Secure Supply Chain🙌
Order your Librem 5 USA before Dec 5, 2022. We are shipping within 10 business days. Use code LIBREM5USA to get $100 off 🎉
TSA Wants To Scan Your Face At The Airport. Here Are Your Rights.
#News #TSA #privacy #biometrics #security #HumanRights #SurveillanceCapitalism #HomelandSecurity #DHS #Airport
washingtonpost.com/technology/…
⚠️ WARNING: Do not use #Hive Social!
According to research conducted by @zerforschung, the #Twitter alternative Hive Social has got a number of dangerous #security vulnerabilities.
They allow attackers to completely access and even to partly edit anyone's data, including private posts, deleted direct messages, e-mail addresses and phone numbers signed up with etc.
Once again this demonstrates that you should not rely on closed-source software to guard sensitive data.
🔗 zerforschung.org/posts/hive-en
⚠️ Warning: do not use Hive Social 👉🐝👈
This article has also been published in German. Following the Twitter takeover, a number of services promising to be an alternative gained traction. One of those is “Hive Social”, which reached more than a million users in the last weeks. zerforschung.org
Let’s Encrypt issued over 3 billion certificates, securing 309M sites for free
Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, says the open certificate authority (CA) has issued its three billionth certificate this year. Sergiu Gatlan (BleepingComputer)
🎁 Score $100 off this holiday season on your order for Librem 5 USA. With the holiday season in full swing, this is a great gift for any one in your family concerned about secure supply chain or online privacy. Offer valid till 5 Dec 2022, so hurry!
Standard orders ship within 10 business days. 🚀
#librem5usa #librem #phone #purism #security #freedom #madeinUSA
puri.sm/posts/special-year-end…
Special Year End Promotion for Librem 5 USA – Purism
Purism makes premium phones, laptops, mini PCs and servers running free software on PureOS. Purism products respect people's privacy and freedom while protecting their security. Purism SPC
WhatsApp data breach sees nearly 500 million user records up for sale
If you use WhatsApp, your details could well be up for sale
#news #tech #technology @WhatsApp #security #privacy #databreach
Google publishes the source code for their TalkBack screen reader. GrapheneOS maintains a fork of it and includes it in GrapheneOS with the help of a blind GrapheneOS user who works on their own more elaborate fork. Eventually, we'd like to include more or all of their changes.
TalkBack depends on a text-to-speech (TTS) implementation installed/configured/activated. It needs to have Direct Boot support to function before the first unlock of a profile. Google's TTS implementation supports this and can be used on GrapheneOS, but it's not open source.
We requested Direct Boot support from both prominent open source implementations:
RHVoice: github.com/RHVoice/RHVoice/iss…
eSpeak NG: github.com/espeak-ng/espeak-ng…
eSpeak NG recently added it but it's not yet included in a stable release and their licensing (GPLv3) is too restrictive for us.
RHVoice itself has acceptable licensing for inclusion in GrapheneOS (LGPL v2.1), but has dependencies with restrictive licensing. Both these software projects also have non-free licensing issues for the voices. Neither provides close to a working out-of-the-box experience either.
Google's Speech Services app providing text-to-speech and speech-to-text works perfectly. Their proprietary accessibility services app with extended TalkBack and other services also works fine. However, many of our users don't want to use them and we need something we can bundle.
There aren't currently any usable open source speech-to-text apps. There are experimental open source speech-to-text implementations but they lack Android integration.
We also really need to make a brand new setup wizard with both accessibility and enterprise deployment support.
GrapheneOS still has too little funding and too few developers to take on these projects. These would be standalone projects able to be developed largely independently. There are similar standalone projects which we need to have developed in order to replace some existing apps.
AOSP provides a set of barebones sample apps with outdated user interfaces / features. These are intended to be replaced by OEMs, but we lack the resources of a typical OEM. We replaced AOSP Camera with our own app, but we still need to do the same with Gallery and other apps.
Google has started the process of updating the open source TalkBack, which only happens rarely. We've identified a major issue: a major component has no source code published.
github.com/google/talkback/pul…
Google has been very hostile towards feedback / contributions for TalkBack...
This is one example of something seemingly on the right track significantly regressing. Another example is the takeover of the Seedvault project initially developed for GrapheneOS. It has deviated substantially from the original plans and lacks usability, robustness and security.
In the case of Seedvault, GrapheneOS designed the concept for it and one of our community members created it. It was taken over by a group highly hostile towards us and run into the ground. It doesn't have the intended design/features and lacks usability, security and robustness.
All of these are important standalone app projects for making GrapheneOS highly usable and accessible. What we need is not being developed by others and therefore we need the resources, including funding and developers, to make our own implementations meeting our requirements.
#grapheneos #privacy #security #android #mobile #accessibility #texttospeech #speechtotext #talkback #blind #backup
add Direct Boot support for Android so RHVoice can be used with TalkBack before the initial unlock · Issue #271 · RHVoice/RHVoice
More information: https://developer.android.com/training/articles/direct-boot https://github.com/GrapheneOS/platform_packages_apps_Updater is a trivial example of using this. You need to mark a sub... GitHub
NordVPN Black Friday deal: Up to 63% off a 27-month VPN subscription
bleepingcomputer.com/news/secu…
NordVPN's Black Friday deal is live with up to 63% off and 3 extra months for free on 1-year or 2-year subscriptions to the NordVPN VPN service. Lawrence Abrams (BleepingComputer)
See our good friend and frequent guest, @kyle, discuss supply chain security in this CNBC piece on manufacturing consumer electronics in the USA. We're excited to see @purism in the news!
#security #supplyChain #infosec #manufacturing #electronics #hardware #phones #teamKyle
Why The U.S. Fell Behind In Phone Manufacturing
Made in China. It’s a common phrase known by many. Cell phones, TV screens and game consoles are just some of the millions of electronics manufactured and im... YouTube
I was interviewed about supply chain security (around 15 min mark) in a longer CNBC feature about manufacturing phones in the USA. In short, it's less about trust concerns with any particular country/govt., and more about reducing the links in the supply chain to reduce the opportunities to tamper with hardware.
Our Made-in-USA-electronics Librem 5 USA phone also got a number of shout-outs. Pretty neat!
youtu.be/YdbA7Z8Ae4w #security #supplychain #infosec #manufacturing
To learn more about #MLS and why this protocol exists in the first place when we already have Signal's, here is a great podcast on the topic: cryptography.fm/7.
#Privacy #Security #Cryptology #Cryptography #InfoSec
Episode 7: Scaling Up Secure Messaging to Large Groups With MLS!
Raphael Robert from Wire talks about how MLS wants to scale secure messaging to groups with hundreds or even thousands of participants. Cryptography FM
The official Mastodon app seems to have a bug when posting an image. Sometimes it will let you compose the post but when you add the image, the Publish button is greyed out. There are other apps that are good, for example, Metatext and Toot! on iOS, and Tusky on Android.
-----------------------------------------------------
There is an Advanced web interface that looks like Tweetdeck. You can enable it in Settings, Appearance.
-----------------------------------------------------
Putting plain text into the 'Search or paste URL' box at the top left of the web interface shows results from your own posts or posts that you have boosted, favourited, or been mentioned in. You can also search for user names, display names, and hashtags located in the body of posts. Putting a hashtag into a Content Warning doesn't work. It won't be clickable and might not be searchable unless someone else has used it in the body of a post.
-----------------------------------------------------
If you find a post on another Mastodon instance and want to boost it on your own instance, click the … menu and then Copy Link. Go back to your own instance, paste the link into the Search box and press Enter. The post will appear below the Search box, and you can boost it from there.
-----------------------------------------------------
You can create Filters to block posts containing certain pieces of text from being displayed in your Home feed. If you want, the filter can hide the post behind a Content Warning so that you can decide whether to view it or not.
-----------------------------------------------------
In the Advanced web interface, you can search for a hashtag, click the result and it will appear in its own column. You can then click the column settings icon at the top right and Pin the column. You can add more tags to the same column, if you like.
-----------------------------------------------------
If you boost a post and the author edits it, you will get a notification so that you know that it has been edited.
-----------------------------------------------------
It's the custom on Mastodon that if you're posting about Mastodon itself, you put a content warning (CW) of "Meta" so that people's timelines aren't flooded with things they don't want or need to see. Likewise, posts about Twitter can be hidden behind a CW: Twitter (or birdsite, birbsite, hellsite, tw). "CW: meta, bird" should be an obvious one.
-----------------------------------------------------
When you're writing hashtags that are a combination of several words, please use "camel case" (#CamelCase) so that screenreaders used by people with impaired vision can pronounce them properly.
-----------------------------------------------------
Mastodon has its own thread unroller: mastodon.social/@threadunrolle…
-----------------------------------------------------
If you go into Settings in Mastodon's web interface and click on Other, you'll see a list of languages at the bottom which you can use to control which posts you'll see.
This works well if you select which language your own posts are in. If you make a post in a different language from your default, select that language using the button at the bottom of the edit box before you post. This way, it can be filtered out on other people's feeds if they choose not to see posts in that language.
-----------------------------------------------------
When posting images, please add Alt Text. This allows sight-impaired people using screenreaders to know what is in the pictures. Let's keep the Fediverse friendly to everyone.
-----------------------------------------------------
Please use a strong password to log in to your server. If you haven't already done so, make sure you have activated 2-Factor Authentication (2FA) in your Settings. This will keep you and everyone else safe. There are a number of good 2FA apps available in the Apple and Google app stores. In fact, iCloud Keychain on an Apple device can be used to generate 2FA keys. See this article for details: appleinsider.com/inside/icloud…
-----------------------------------------------------
#MetaText #Toot #iOS #Android #Tweetdeck #searching #hashtags #ContentWarning #filters #boost #notification #meta #CamelCase #ThreadUnroller #languages #AltText #security
How to set up two-factor authentication in iCloud Keychain
You can balance both account security with the convenience of autofill when you set up two-factor authentication in iCloud Keychain. Here's how to do it. Darryl Boxberger (AppleInsider)
youtu.be/MrvWrBaYTyI
PASS ZX2C4 - Keep Your Secrets
PASS ZX2C4 - The Standard Unix Password Manager * Password Storage * Simple and follows the Unix philosophy * Each password lives inside of a GPG encrypted file * T... YouTube
Introducing PureBoot Restricted Boot – Purism
Time for an #introduction. I've been involved in #FOSS and #Linux since the late `90s. My career started as a sysadmin, pivoting to security. I'm the President of @purism and work on hardware and software to protect #privacy, #security and freedom.
I've written a number of books (kylerank.in/writing.html) and was a long-time columnist for Linux Journal magazine.
I have many hobbies including #weaving, refurbishing mechanical #calculators, #3dprinting, #brewing, and many other things.
Linux really needs to remove the “privileged ports” security theater bullshit.
We’re no longer living in the mainframe era. The security properties of the Internet are different to mainframes. This is actually an anti-feature that either complicates life or actually compromises security (when folks run servers as root and forget to drop privileges, etc.).
If anyone has any sway within the kernel team, etc., please do your thing.
source.small-tech.org/site.js/…
#linux #security #theatre #networking
Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app
Summary: Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary... GitLab
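The two alternatives the issue weighs, and the pattern the post says people get wrong, shown as an added example (my code, not Site.js's, and no part of the original post). On Linux the privileged range is a runtime knob, not a fixed constant: `net.ipv4.ip_unprivileged_port_start` defaults to 1024, and `sysctl -w net.ipv4.ip_unprivileged_port_start=0` removes the restriction system-wide, while `setcap cap_net_bind_service=+ep /path/to/binary` grants just the one capability to one executable. The caveat worth keeping in mind before lowering the sysctl to 0 is that any local user can then bind 22, 80 or 443 before the real daemon starts, which is the one thing the range still buys you on a multi-user box. The third route is the one in the post's parenthesis: start as root, bind, then drop to an unprivileged user, with a check that root really cannot be regained. The `nobody` account and the sysctl path are assumptions of the example.

```python
"""Privileged ports on Linux: read the boundary, bind, then drop root.

Added example; not Site.js code. Assumes Linux's ip_unprivileged_port_start
sysctl and a local account called "nobody" to drop into.
"""
import os
import pwd
import socket

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"  # assumed Linux path
DEFAULT_UNPRIVILEGED_START = 1024  # historical BSD/Unix boundary


def unprivileged_port_start(path=SYSCTL_PATH):
    """First port a non-root process may bind without CAP_NET_BIND_SERVICE.

    Linux exposes the boundary via the sysctl above; an admin who sets it to 0
    has disabled the privileged range entirely. Fall back to 1024 where the
    file does not exist (non-Linux, or a sandbox without /proc).
    """
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_START


def is_privileged_port(port, start=None):
    """True when binding `port` needs root or CAP_NET_BIND_SERVICE."""
    start = unprivileged_port_start() if start is None else start
    return 0 < port < start


def bind_listener(port, host="127.0.0.1", backlog=16):
    """Bind and listen. For a privileged port this raises PermissionError
    unless the process is root or the binary carries CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(backlog)
    return sock


def drop_privileges(user="nobody"):
    """Give up root permanently once the listening socket exists.

    Returns False when not running as root (nothing to drop), True when the
    drop succeeded and was verified, and raises if root could be regained.
    """
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(user)
    os.setgroups([])        # supplementary groups first, they survive setuid otherwise
    os.setgid(pw.pw_gid)    # gid before uid: after setuid we may no longer change gid
    os.setuid(pw.pw_uid)
    try:
        os.setuid(0)        # must now fail; if it succeeds we only changed the euid
    except PermissionError:
        return True
    raise RuntimeError("privileges were not dropped")


def serve_on_privileged_port(port=80, user="nobody"):
    """The order that matters: bind while still root, drop, then serve.
    Forgetting the second step is the failure mode the post describes."""
    sock = bind_listener(port)
    drop_privileges(user)
    return sock


if __name__ == "__main__":
    print("privileged range starts below", unprivileged_port_start())
    print("port 80 privileged:", is_privileged_port(80))
    print("port 8080 privileged:", is_privileged_port(8080))
```

Run it as root to see `serve_on_privileged_port(80)` bind and then drop; run it as a normal user with `ip_unprivileged_port_start=0` to see the same bind succeed with no capability at all.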
Heads up: looks like MailChimp was compromised. Watch out for phishing attempts and remember to enable two-factor authentication on your accounts.
digitalocean.com/blog/digitalo…
#security #MailChimp #email #DigitalOcean
Impact to DigitalOcean customers resulting from Mailchimp security incident
The security of DigitalOcean customers and their data is a responsibility we approach with utmost dedication. When our customers' security is threatened we respond swiftly, communicate with transpa... www.digitalocean.com
Software Sessions is a #podcast by Jeremy Jung for practical conversations of developing software. Jung is a technical lead in the #security industry where he integrates software systems and hardware devices in on-premise environments
On the Episode "Bringing #GeoCities Back with Kyle Drake" from January 15, 2020, you get to hear behind the scenes experiences of #Neocities' infrastructure (IPv4 addresses and CDN, etc), legal challenges (phishing, spam, false DMCA strikes), how much it costs to do the thing, and creating a place that reminds us that making websites still matter.
softwaresessions.com/episodes/…
Also check out Jeremy's blog post on how to record a podcast. jertype.com/how-to-record-a-po…
Bringing GeoCities Back with Kyle Drake
Kyle Drake discusses what GeoCities was, why it failed, the technical and legal challenges of creating its spiritual successor Neocities, and how he's working to preserve and curate sites from the old web. Software Sessions
Related:
Normalize using end-to-end #encrypted (and ideally, ephemeral) communications.
Normalize not telling #Google everything you think, do, and say.
Do it now.
#privacy #security #surveillance
nbcnews.com/tech/security/abor…
Looming abortion law changes prompt digital privacy worries for clinics
Abortion clinics and providers are rushing to strengthen their digital privacy and protect the data of their patients due to the potential overturn of Roe v. Wade. Kevin Collier (NBC News)
If a company actually cared about your privacy and wanted to advertise its products, could it do so ethically? We have been thinking about this issue heavily at Purism.
We value people’s privacy and want to protect it not just with our products, but with how we market our products. Let us know, we are counting on your feedback!
puri.sm/posts/is-ethical-adver…
#privacy #security #freedom
Is Ethical Advertising Possible? – Purism
A Letter to #Discord for not Supporting the #Linux Desktop
theevilskeleton.gitlab.io/2022…
I rewrote the whole article because I sounded extremely rude before. It's not nice to be rude to developers, whether you like them or not; whether the application is open source or not. Hopefully this revision is respectful and doesn't sound like I am shaming them.
A Letter to Discord for not Supporting the Linux Desktop
Discord is popular among the Linux desktop community. Thanks to Electron, the framework that Discord uses, it was possible for Discord to port the client over to Linux very easily. TheEvilSkeleton
Case in point: the text in my image was revealed by @janale about fifteen minutes after my original post.
Warning: There’s an app for blurring out sensitive information in images called Obfuscate being featured on #GNOME Software right now.
Please be careful.
The default blur setting can easily be reversed.
The default should be to replace the areas with a solid colour or a pattern not derived from the underlying information.
This really should not be a featured app in its current state.
Glad to see npm has a security holding package for save-dev (it’s what you end up installing if you forget the dashes before the --save-dev flag) :)
(And here’s hoping, despite what it says on the site, that they never give that package to anyone.)
shop.puri.sm/shop/librem-14/?m…
#tech #security #privacy #linux
Response to "#Flatpak Is Not the Future"
theevilskeleton.gitlab.io/2022…
#gnu #linux #foss #fedora #opensource #security
Response to “Flatpak Is Not the Future”
Late last year, this interesting article “[Flatpak Is Not the Future]” was published to the public, and very quickly grabbed the Linux community’s attention. TheEvilSkeleton
For example, #TPM2 can securely unlock your encrypted Linux root drive without entering a password every time.
🔑 📀

skorpil.cz/en/project/42/mkini…
Mkinitcpio tpm2 encrypt
All my personal and company computers are powered by Arch Linux with encrypted storage. This setup brings the inconvenience of entering two passwords on startup: one unlocks the storage encryption, the second logs me in to my user account. Štěpán Škorpil
Cyber Engineer
Cyber Engineer. Experience: Senior. Location: Dulles, VA. Node is supporting a U.S. Government customer on a large mission-critical development and sustainment program to design, build, deliver, and operate a network operations environment; including … infosec-jobs.com
A #blog post about the new release of #Freshermeat :
cedricbonhomme.org/2022/05/10/…
Freshermeat 0.8.1
I’ve recently released Freshermeat 0.8.1 and Freshermeat 0.8.0, which contain bug fixes, some backend improvements (especially for the CVE fetcher) and a brand new API based on the Flask-RESTX library. Cedric's website
GrapheneOS version 2022050301 released: grapheneos.org/releases#202205….
See the linked release notes for a summary of the improvements over the previous release.
GrapheneOS releases
Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility. GrapheneOS
I never did an #introduction!
Hi, I'm Max. I live in #NYC and do #journalism at PCMag where I cover #infosec, #security, and #privacy. I also write reviews of #VPN and professionally complain about #capitalism. I'm the Unit Chair of the ZDCG #union and moonlight as a #labor organizer. If you want to learn about how to unionize your workplace, plz DM me. I play #banjo badly and think about #medieval literature. I'm spending too much money on #fountainpens.
A Wildly Powerful, Privacy-Focused Linux Laptop Appears…
omgubuntu.co.uk/2020/07/purism…
"Suffice to say it's a beast based around a six-core Intel Core i7-10710U (1.10 GHz, 4.70 GHz turbo boost) processor."
Learn more about the all-new Librem 14: puri.sm/products/librem-14/
#privacy #freedom #security #linux
Purism Announce Librem 14 Linux Laptop
The Purism Librem 14 is a 14.1-inch Linux laptop based around a 10th generation Intel processor. The device boasts hardware kill switches and free firmware. Joey Sneddon (OMG! Ubuntu!)
neilmadden.blog/2022/04/19/psy…
One side of the equation is r and the other side is multiplied by r and a value derived from s. So it would obviously be a really bad thing if r and s were both 0, because then you’d be checking that 0 = 0 ⨉ [a bunch of stuff], which will be true regardless of the value of [a bunch of stuff]! And that bunch of stuff is the important bits like the message and the public key. This is why the very first check in the ECDSA verification algorithm is to ensure that r and s are both >= 1.
Guess which check Java forgot?
#bugfix #crypto #java #security
CVE-2022-21449: Psychic Signatures in Java
The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, thi… Neil Madden
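To make the missing check concrete, here is an added example (my code; not Neil Madden's post and not the JDK's source): textbook ECDSA over P-256 in plain Python with two verifiers side by side. `verify_naive` leaves out the range check and models the failure mode with two assumptions about how such an implementation behaves, stated here because they are not taken from the post: it inverts s with Fermat's little theorem (s^(n-2) mod n), which quietly returns 0 for s = 0 instead of failing, and it reads the x-coordinate of the point at infinity as 0, which is what the projective representation (0 : 1 : 0) yields if nobody guards for it. `verify` adds the mandatory first step of the standard, 1 <= r, s <= n-1. The demo key, nonce derivation and messages are constructed; the curve arithmetic is not constant-time and is for studying the check only.

```python
"""Toy ECDSA over P-256 showing why r and s must be range-checked first.

Added example; not the JDK code and not production crypto: affine arithmetic,
variable-time, a demo key derived from a fixed string.
"""
import hashlib

# NIST P-256: y^2 = x^3 + A*x + B over GF(P); base point G has prime order N.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INFINITY = None  # the group identity


def point_add(p1, p2):
    """Affine addition; covers doubling and the identity."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:              # p1 == -p2
            return INFINITY
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add. k == 0 gives the identity, which matters below."""
    result = INFINITY
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def hash_to_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


# Constructed demo key: deterministic so the example is reproducible.
PRIVATE_KEY = hash_to_int(b"constructed demo key, never use") % N or 1
PUBLIC_KEY = scalar_mult(PRIVATE_KEY, G)


def sign(private_key, message):
    """Textbook ECDSA. The nonce is derived from key and hash so runs are
    repeatable; a stand-in for RFC 6979, not an implementation of it."""
    h = hash_to_int(message)
    k = hash_to_int(private_key.to_bytes(32, "big") + h.to_bytes(32, "big")) % N or 1
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * private_key) % N
    assert r and s, "degenerate nonce, re-sign with another k"
    return (r, s)


def verify_naive(public_key, message, signature):
    """Verification WITHOUT the range check. Models the failure mode:
    a Fermat inverse returns 0 for s == 0 instead of erroring, and the
    identity's x-coordinate is read as 0, as in projective (0 : 1 : 0)."""
    r, s = signature
    h = hash_to_int(message)
    w = pow(s, N - 2, N)                    # s^-1 for s != 0, but 0 for s == 0
    u1 = h * w % N
    u2 = r * w % N
    point = point_add(scalar_mult(u1, G), scalar_mult(u2, public_key))
    x = 0 if point is INFINITY else point[0]
    return x % N == r                       # r == s == 0 reduces this to 0 == 0


def verify(public_key, message, signature):
    """Same computation with the standard's first step restored."""
    r, s = signature
    if not (1 <= r < N and 1 <= s < N):     # the check Java forgot
        return False
    h = hash_to_int(message)
    w = pow(s, -1, N)
    u1 = h * w % N
    u2 = r * w % N
    point = point_add(scalar_mult(u1, G), scalar_mult(u2, public_key))
    if point is INFINITY:
        return False
    return point[0] % N == r


if __name__ == "__main__":
    msg = b"transfer 1000 EUR to account 42"
    sig = sign(PRIVATE_KEY, msg)
    print("genuine, naive   :", verify_naive(PUBLIC_KEY, msg, sig))
    print("genuine, checked :", verify(PUBLIC_KEY, msg, sig))
    print("(0,0), naive     :", verify_naive(PUBLIC_KEY, b"anything at all", (0, 0)))
    print("(0,0), checked   :", verify(PUBLIC_KEY, b"anything at all", (0, 0)))
```

With r = s = 0 the naive verifier gets u1 = u2 = 0, lands on the point at infinity and compares 0 with 0, so the blank card is accepted for any message under any public key; in DER that signature is just two zero INTEGERs. The range check has to be the first thing the verifier does, before any inversion: a Fermat-style inverse will not fail on zero, so nothing downstream rescues you.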