Items tagged with: Infosec


***infosec specialists are needed in the resistance***

The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.

Libraries will pay good wages for these workshops.
If you have these skills, please consider offering them.

#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance


So…who hates those Google log-in pop-ups that are seemingly everywhere now? Wanna make them go away?

1. Get uBlock Origin (which you should have already been using):

github.com/gorhill/uBlock

2. Open the plugin and click the settings button.

3. Click on the “my filters” tab and paste this into the input:

||accounts.google.com/gsi/*$xhr,script,3p

That’s it! Worked flawlessly for me.

(Updated URL. Thx @IceWolf and @emz!)

#Google #Privacy #Security #PopUps #InfoSec #BadGoogle
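What that one filter line actually matches is easy to misread, so here is an added example (written for this page; it is not code from the post's author or from uBlock Origin) that implements just the parts of the filter syntax the rule uses and checks a few requests against it. The `Request` record and the two-label "registrable domain" shortcut are simplifications of mine; real uBlock uses the public suffix list for its third-party test and supports far more of the syntax.

```python
"""Tiny matcher for the uBlock Origin filter quoted in the post.

Added example, not part of the original post or of uBlock Origin's code.
It implements only what this one rule needs: the `||` host anchor, the `*`
wildcard, and the `$type,...` options including `3p` (third-party), so you
can see what the rule will and will not block before pasting it.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import re

FILTER = "||accounts.google.com/gsi/*$xhr,script,3p"

# Names uBlock accepts for the request-type options used by this rule.
TYPE_ALIASES = {"xhr": "xmlhttprequest", "xmlhttprequest": "xmlhttprequest",
                "script": "script"}


@dataclass
class Request:
    url: str          # URL being fetched
    type: str         # uBlock request type: "script", "xhr", "document", ...
    page_origin: str  # URL of the page that issued the request


def parse_filter(line):
    """Split `||host/path*$opt1,opt2` into (compiled regex, type set, third_party)."""
    pattern, _, opts = line.partition("$")
    options = {o.strip() for o in opts.split(",") if o.strip()}
    types = {TYPE_ALIASES[o] for o in options if o in TYPE_ALIASES}
    third_party = "3p" in options or "third-party" in options
    anchored = pattern.startswith("||")
    if anchored:
        pattern = pattern[2:]
    # `*` becomes a non-greedy wildcard; everything else is literal.
    body = ".*?".join(re.escape(part) for part in pattern.split("*"))
    # `||` means: any scheme, and the host either equals the given one or is a
    # subdomain of it (the name must start at the beginning or right after a dot).
    prefix = r"^[a-z]+://([^/]*\.)?" if anchored else ""
    return re.compile(prefix + body), types, third_party


def registrable_domain(url):
    """Simplified: last two host labels (uBlock uses the public suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def matches(filter_line, req):
    """True if the filter blocks this request."""
    regex, types, third_party = parse_filter(filter_line)
    if not regex.search(req.url):
        return False
    if types and TYPE_ALIASES.get(req.type, req.type) not in types:
        return False
    if third_party and registrable_domain(req.url) == registrable_domain(req.page_origin):
        return False  # first-party request: `3p` leaves it alone
    return True


if __name__ == "__main__":
    gsi = "https://accounts.google.com/gsi/client"
    print(matches(FILTER, Request(gsi, "script", "https://example.com/")))      # blocked
    print(matches(FILTER, Request(gsi, "script", "https://mail.google.com/")))  # first-party, allowed
    print(matches(FILTER, Request(gsi, "document", "https://example.com/")))    # wrong type, allowed
```

The `3p` option is what keeps Google's own properties working: the same script requested from mail.google.com is first-party and passes. The `document` case shows that navigating to a sign-in page is unaffected, because only xhr and script requests are filtered, and the `||` anchor means a subdomain such as www.accounts.google.com is caught as well.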


I DID IT!

Dewey invented the Dewey Decimal System, Morse invented the Morse Code, Plato invented the plate. I, influenced by what I saw at a #CyberSecurity conference, have designed and dedicated to the Public Domain the penultimate way to get removed from #infosec sales offerings.

I present to you the "No Purchasing Authority" seal. Put it on a button, wear it as a sticker, respond to emails with it. Regardless, this helps you and the sales person understand that this relationship is going nowhere.



Least convincing newly registered domain so far this year:

fixpassword[.]ru

(DON'T. GO. HERE.)

#infosec #threatintel



Pornhub is making bullshit claims regarding the privacy issues of the French gov age verification requirements. There are very real and significant problems with the French gov approach, but Pornhub's approach is significantly worse.

Pornhub wants to put the burden of age verification and enforcement on user devices. They even name the actors that should have to bear that burden: Google, Apple and Microsoft.

First off, this creates an artificial monopoly: three American companies being the judge on who can watch what. Worldwide. I can't wait to have Trump's administration (or whatever jackass the Americans elect) censoring everything I watch.

Also, Linux users are prayed to go fuck themselves instead of watching porn. Get the real stuff, Linux users (lol).

There is also the issue of the age verification procedure: how do you verify the user's age? Biometrics is the obvious answer on mobile phones, but would there be alternatives? Probably not.

Too bad for people whose face does not match the AI training. Too bad for people not wanting their biometrics verified/leaked to a provider of the operating system vendor's choosing.
If you are using a workstation, please get a webcam if you want to jerk off.

But let's say that you passed the age verification procedure: how do you transfer that knowledge to the website?

An HTTP header could be faked so this is not an option.

A remote assessment using a TPM (a chip on your device that monitors that your system wasn't altered)? => You can no longer install an alternate operating system and watch porn. Once again an artificial monopoly.

DRM would be probably the preferred solution: let anyone download the porn file, but only display it on devices with the appropriate DRM reader if the age verification test is passed. Once again an artificial monopoly. And this puts an end to piracy in the process. Nobody would ever think about abusing this for other content, right Google WEI?

Once again, the French gov tech and requirements are bullshit. I am not here to defend them, but Pornhub's statement is just full of shit.

#porn #pornhub #censorship #infosec #france


Passwords expire so often in corporate settings because passwords are not shelf-stable.

Passwords should be refrigerated after opening. If kept refrigerated in an airtight container, a password will last up to two weeks longer.

Follow me for more #InfoSec tips!


Seven-day embargo limit for #curl: git.hardenedbsd.org/shawn.webb…

It can take the #HardenedBSD project a full month to rebuild its package repos. And since we've built this software monoculture against libcurl, this will be FUN!

#infosec #libcurl


"We don't do what we pretend to do for the auditors, so we must be careful about what we pretend to do for the auditors."
- Kurt Vonnegut, if he were an infosec professional
#compliance #infosec #KurtVonnegut


Long before the internet, some phone networks were hackable by playing a single tone at 2600Hz.

Whistled into a phone, it could grant you unrestricted access. Do you have the vocal chops to be an old-school phone phreak?

I built a web app to test your ability to produce the legendary frequency. You won't get free long distance calls but you will get some honor in the knowledge that you could have been a cool hacker. 😎

I am sad to say that I can only whistle up to 1100Hz... But my wife (a long time woodwind player) is able to consistently get it.

Give it a try: phreak.kmcd.dev/

#phreaking #2600Hz #bluebox #RetroComputing #hacker #infosec #Tech
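As an added example (written for this page; it is not the phreak.kmcd.dev app's code), here is how a detector can decide whether a block of audio carries the 2600 Hz tone, using the Goertzel algorithm, the cheap single-frequency filter telephony equipment used for signalling tones. The 8 kHz sample rate, the 100 ms block and the 50 Hz tolerance are assumptions of mine, and the "whistles" are synthesised in-process, so there is no microphone input.

```python
"""Detect a 2600 Hz "seize" tone in a block of audio with the Goertzel algorithm.

Added example for this page, not code from the phreak.kmcd.dev app. The audio
is synthesised below (constructed input); sample rate, block length and the
tolerance are assumptions chosen so that 2600 Hz lands exactly on a DFT bin.
"""
import math

SAMPLE_RATE = 8000   # Hz, classic telephony rate
BLOCK = 800          # samples = 100 ms; bin spacing = 8000 / 800 = 10 Hz
SEIZE_HZ = 2600


def synth_tone(freq_hz, amplitude=1.0, n=BLOCK, sample_rate=SAMPLE_RATE):
    """Constructed input: a pure tone standing in for a whistle."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]


def goertzel_power(samples, bin_k):
    """|X[k]|^2 for DFT bin k via a single second-order recurrence (no FFT)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * bin_k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def dominant_frequency(samples, sample_rate=SAMPLE_RATE, lo_hz=200, hi_hz=3800):
    """Frequency in Hz of the strongest bin between lo_hz and hi_hz."""
    n = len(samples)
    lo_k = math.ceil(lo_hz * n / sample_rate)
    hi_k = math.floor(hi_hz * n / sample_rate)
    best_k = max(range(lo_k, hi_k + 1), key=lambda k: goertzel_power(samples, k))
    return best_k * sample_rate / n


def seizes_trunk(samples, sample_rate=SAMPLE_RATE, tolerance_hz=50, min_share=0.3):
    """True if the block is a reasonably clean tone within tolerance of 2600 Hz.

    Two checks, as a tone detector would make: the spectral peak must sit near
    2600 Hz, and that bin must carry a large share of the block's energy. By
    Parseval a pure tone puts half of n * sum(x^2) into its bin (the other half
    is in the mirror bin), so 0.3 tolerates an impure whistle but rejects noise.
    """
    n = len(samples)
    peak = dominant_frequency(samples, sample_rate)
    if abs(peak - SEIZE_HZ) > tolerance_hz:
        return False
    k = round(peak * n / sample_rate)
    total = n * sum(x * x for x in samples)
    return total > 0 and goertzel_power(samples, k) / total >= min_share


if __name__ == "__main__":
    for hz in (1100, 2600, 2620, 3000):
        tone = synth_tone(hz)
        print(f"{hz} Hz whistle: peak {dominant_frequency(tone):.0f} Hz, "
              f"seizes trunk = {seizes_trunk(tone)}")
```

Choosing the block length so that 2600 * BLOCK / SAMPLE_RATE is an integer keeps the target tone from leaking into neighbouring bins; the energy-share test is what stops a noisy signal that merely has a little energy near 2600 Hz from counting, and a 1100 Hz whistle (the author's ceiling) is 150 bins away and is rejected outright.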


As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.

I have also done some packet captures of my own.

I dive into the nitty-gritty technical details of what I found and how I found it on my blog:

Telegram is indistinguishable from an FSB honeypot
rys.io/en/179.html

Yes, my packet captures and a small Python library I wrote in the process are all published along with it.

#Telegram #InfoSec #Privacy #Surveillance #Russia


Remarkable investigation into Telegram by IStories (in Russian):
istories.media/stories/2025/06…

English version by OCCRP:
occrp.org/en/investigation/tel…

tl;dr:

👉 Telegram uses a single company with ties to the Russian FSB as their sole infrastructure provider, globally.

👉 Combined with a cleartext device identifier Telegram's protocol requires to be prepended to all encrypted messages, this allows for global surveillance of Telegram users.

I am quoted in this story.

#Telegram #InfoSec #Privacy
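To make the second point concrete, here is an added example (written for this page; it is not code from the investigation, from the post's author, or from Telegram) of how a network observer links traffic by a constant cleartext prefix. It assumes the MTProto layout in which an encrypted message starts with the 8-byte auth_key_id, then the 16-byte msg_key, then the ciphertext; the post only says a cleartext device identifier is prepended, so the field name is this editor's reading of the protocol. The captures, addresses and "ciphertext" bytes are all constructed, and transport framing is assumed to have been stripped already (an obfuscated transport such as a proxy would hide the prefix from a passive observer, which this example does not model).

```python
"""Link captured MTProto-shaped frames by their cleartext prefix.

Added example for this page. The captures are constructed and the "ciphertext"
is hashed filler: no real Telegram traffic or cryptography is involved.
Layout assumed: auth_key_id (8 bytes) || msg_key (16 bytes) || encrypted body.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib

AUTH_KEY_ID_LEN = 8
MSG_KEY_LEN = 16


@dataclass(frozen=True)
class Capture:
    time: str       # when the observer saw the frame
    src_ip: str     # client address as seen on the wire
    payload: bytes  # MTProto message, transport framing already removed


def make_frame(auth_key_id, seed):
    """Constructed frame: fixed key id, then a msg_key and body derived from
    `seed` so that the encrypted part differs per message, as it does in reality."""
    msg_key = hashlib.sha256(b"msg_key:" + seed.encode()).digest()[:MSG_KEY_LEN]
    body = hashlib.sha256(b"body:" + seed.encode()).digest()  # 32 bytes, block aligned
    return auth_key_id + msg_key + body


def split_frame(payload):
    """Return (auth_key_id, msg_key, encrypted_body); only the first is cleartext."""
    head = AUTH_KEY_ID_LEN + MSG_KEY_LEN
    if len(payload) < head + 16:
        raise ValueError("frame too short for an encrypted MTProto message")
    return payload[:AUTH_KEY_ID_LEN], payload[AUTH_KEY_ID_LEN:head], payload[head:]


def correlate(captures):
    """Map each cleartext identifier (hex) to its (time, src_ip) sightings."""
    seen = defaultdict(list)
    for c in captures:
        key_id, _msg_key, _body = split_frame(c.payload)
        seen[key_id.hex()].append((c.time, c.src_ip))
    return dict(seen)


def roaming_devices(captures):
    """Identifiers seen from more than one source address, with the addresses.
    Nothing in the encrypted part was needed to build this."""
    out = {}
    for key_id, hits in correlate(captures).items():
        ips = sorted({ip for _, ip in hits})
        if len(ips) > 1:
            out[key_id] = ips
    return out


# Constructed captures: device A is one phone moving between three networks
# (documentation address ranges); device B stays on one network.
DEVICE_A = bytes.fromhex("a1a2a3a4a5a6a7a8")
DEVICE_B = bytes.fromhex("b1b2b3b4b5b6b7b8")
SAMPLE_CAPTURES = [
    Capture("08:00", "203.0.113.7", make_frame(DEVICE_A, "a-home-1")),
    Capture("08:01", "203.0.113.7", make_frame(DEVICE_A, "a-home-2")),
    Capture("09:30", "198.51.100.22", make_frame(DEVICE_A, "a-cafe-1")),
    Capture("12:15", "192.0.2.50", make_frame(DEVICE_A, "a-mobile-1")),
    Capture("09:31", "198.51.100.40", make_frame(DEVICE_B, "b-1")),
]

if __name__ == "__main__":
    for key_id, ips in roaming_devices(SAMPLE_CAPTURES).items():
        print(f"identifier {key_id} seen from {', '.join(ips)}")
```

The encrypted bodies of device A's four messages are all different, so the linkage comes entirely from the fixed prefix: anyone who can see the packets at the infrastructure provider can follow one device from home to a café to a mobile network without touching the encryption, which is exactly why a single provider with that vantage point matters.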


Privacy vs Security: Yandex is spying on their users in an insecure way, Meta (Facebook, Insta) in a more secure way. Both of them are a threat to user privacy.

This is yet another example showing that there are reasons to be more suspicious of proprietary apps. We should avoid installing GAFAM apps, and reducing our dependency on their services as much as possible is healthy.

localmess.github.io/

#InfoSec #Privacy #Android


I have an #infosec question: is there any good reason for co-workers to share login information, e.g. to access a supplier website? If yes, what’s the reasonable way to share such information nowadays?

My current customer is doing this, and I’m freaking out a bit. :-/


Ekis: 2; Google AI: 0

Broke out of Google's operational directives (not safety, too deeply embedded)

I have a prompt I would like to publicly disclose; link to breakout prompt in a reply for 24h

My prompt does not include any facts about Google & it's a slim breakout

Establishing a similar but far more sophisticated "Ekis Directive" this time

Here are 3x the same questions to prove Google's operational parameters were lifted

You can decide if you think I was successful:

#infosec #politics #tech


Startpage is a search engine that has been promoted as a European alternative to Google Search.

This is a misleading statement.

CLARIFICATION

Headquartered in the Netherlands.

Owned by System1: mastodon.online/@blueghost/111…

Revenue is consolidated with System1's financial statements.

System1 supports employee salaries, technology investments, and marketing initiatives.

Source: support.startpage.com/hc/artic…

Website: startpage.com

#Startpage #StartpageSearch #Privacy #InfoSec #CyberSecurity



Microsoft Copilot for SharePoint just made recon a whole lot easier. 🚨

One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...

It opened the door to credentials, internal docs, and more.

All without triggering access logs or alerts.

Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.

That’s a problem.

Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.

📌Read it here: pentestpartners.com/security-b…

#RedTeam #OffSec #AIsecurity #Microsoft365 #SharePoint #MicrosoftCopilot #InfoSec #CloudSecurity


Looks like Corporate #infosec has made its choice.

#RSAC is filled with talks embracing AI and making it "secure".

And they invited and encouraged the Trump regime to spread its disinformation - fully sanctioned and encouraged by the conference leadership (and by conference attendees who laughed at the regime's jokes and lies and issued no challenges or stands during the talk).

With the ostracization of #ChrisKrebs by industry and the full embrace of Kristi Noem as a speaker, this was the moment that infosec made its bed.

Y'all lie in it now.


This dumb password rule is from Polytechnique Montreal.

Passwords must have a minimum length of 8 characters

Passwords must have a maximum length of 30 characters

Passwords must contain a minimum of 2 digits

Passwords must contain a minimum of 2 letters

Password must be different than the last one used

Passwords may contain these special characte...

dumbpasswordrules.com/sites/po…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator.

Here is the app telling me to open itself to validate itself with itself.

#infosec #iHateComputers



#infosec people, THIS is big and you need it in front of management RIGHT NOW.

MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure.

This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.


This dumb password rule is from TreasuryDirect.

Will allow most passwords longer than 8 characters. Doesn't tell you there is a
maximum length of 16 characters. Then forces you to type it with an on-screen keyboard
with no capital letters.

dumbpasswordrules.com/sites/tr…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


February 16th #BlackHistoryMonth spotlight:

Get to know @blackgirlshack!

"BlackGirlsHack meets the #InfoSec needs left unmet by existing services by providing hands-on skills that are focused on people who are upskilling and reskilling in #cybersecurity."

blackgirlshack.org/About


For every day in February, I will be posting to celebrate #BlackHistoryMonth by spotlighting Black Americans who have contributed to the fields of #STEM and #LibraryScience, in addition to shout outs to Black-owned businesses and #InfoSec groups.

Thread 🧵 begins here:


Unbelievable

#ElonMusk’s US #DOGE Service are feeding sensitive data into #AI software via #Microsoft’s #cloud

#Musk’s US #DOGE Service have fed sensitive data from across the #Education Dept into #ArtificialIntelligence software to probe the agency’s programs & spending….
The AI probe includes data w/personally identifiable info for people who manage grants, & sensitive internal financial data…

#law #security #InfoSec #CyberSecurity #NationalSecurity #Trump #TrumpCoup
washingtonpost.com/nation/2025…


This is what I think about whenever infosec wonks on here start telling people they should use matrix or xmpp+omemo or whatnot instead of signal

To be fair, I understand the arguments and to a large extent I agree with the critiques. However, I think anyone making these recommendations is vastly underestimating the capacity or appetite for most people to deal with the user experiences presented by these alternatives.

User experience is the ultimate force multiplier. For anything that requires network effects to function (i.e. most anything involving communication), if it doesn't *just work* then you've lost 90% of your audience.

xkcd.com/2501/

#matrix #xmpp #infosec #cybersecurity #signal #ux #design #ui #encryption #privacy #crypto



Let's say China manages to get just a little bit of data about people from just a few of these ... 😑

"China's overlapping tech-industrial ecosystems"

high-capacity.com/p/chinas-ove…

#cybersec #cybersecurity #infosec #itsec #china #privacy #gdpr #dataprotection #dataskydd


Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …

➡️ matrix.org

➡️ getsession.org

➡️ delta.chat

➡️ simplex.chat

➡️ xmpp.org

If you’d like to learn more about these options, have a look at the responses to this toot.

#matrix #session #signal #XMPP #messenger #decentralized #tech #technology #OpenSource #FOSS #WhatsApp #security #InfoSec #data #safety


Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.

Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.

#security #infosec


@troed There's quite a lot of overlap in #infosec and #demoscene, too. Hacker mindset and all that I guess.


There's a "Signal deanonymized" thing going around:
gist.github.com/hackermondev/4…

Stay calm. Deep breaths.

👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location

👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected

👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.

#Signal #InfoSec


Microsoft Office 2016 and Office 2019 will no longer receive software updates, technical support, or bug and security fixes after 14.10.2025.

Consider migrating to LibreOffice.

LibreOffice is free to use.
LibreOffice supports Office file formats.

Install LibreOffice and compare it with your version of Office.

Website: libreoffice.org
Mastodon: @libreoffice

1/4

#Microsoft #Office2016 #Office2019 #Office #LibreOffice #CyberSecurity #Privacy #InfoSec #FreeSoftware #OpenSource #FOSS