#FreeBSD mac_do(4) as a method of privilege escalation in an unprivileged chroot: pastebin.com/4fXx6K8D
Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.Pastebin
***infosec specialists are needed in the resistance ***
The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.
Libraries will pay good wages for these workshops.
If you have these skills, please consider offering them.
#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance
So…who hates those Google log-in pop-ups that are seemingly everywhere now? Wanna make them go away?
1. Get uBlock Origin (which you should have already been using):
2. Open the plugin and click the settings button.
3. Click on the “my filters” tab and paste this into the input:
||accounts.google.com/gsi/*$xhr,script,3p
That’s it! Worked flawlessly for me.
(Updated URL. Thx @IceWolf
and @emz!)
#Google #Privacy #Security #PopUps #InfoSec #BadGoogle
uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean. - gorhill/uBlockGitHub
I DID IT!
Dewey invented the Dewey Decimal System, Morse invented the Morse Code, Plato invented the plate. I, influenced by what I saw at a #CyberSecurity conference I have designed and dedicated to the Public Domain the penultimate way to get removed from #infosec sales offerings.
I present to you the "No Purchasing Authority" seal. Put it on a button, wear it as a sticker, respond to emails with it. Regardless, this helps you and the sales person understand that this relationship is going nowhere.
Please never ever do this: ergaster.org/posts/2025/07/28-…
When working on my homelab, I regularly need to pass credentials to my tools. A naive approach is to just store the token in clear text, but there's a better alternative.ergaster.org
Don't trust cloud services with your creative work.
#enshittification #privacy #infosec #security #cybersecurity #writing #art
Least convincing newly registered domain so far this year:
fixpassword[.]ru
(DON'T. GO. HERE.)
The best time to patch your connected devices is all the timeFreedom of the Press
Pornhub is making bullshit claims regarding the privacy issues of the French gov age verification requirements. There are very real and significant problems with the French gov approach, but Pornhub's approach is significantly worse.
Pornhub wants to put the burden of age verification and enforcement on user devices. They even name the actors that should have to bear that burden: Google, Apple and Microsoft.
First off, this creates an artificial monopoly: three American companies being the judge on who can watch what. Worldwide. I can't wait to have Trump's administration (or whatever jackass the American elect) censoring everything I watch.
Also, Linux users are prayed to go fuck themselves instead of watching porn. Get the real stuff, Linux users (lol).
There is also the issue of the age verification procedure: how do you verify the user's age? Biometrics is the obvious answer on mobile phone, but would there be alternatives? Probably not.
Too bad for people whose face does not match the AI training. Too bad for people not wanting their biometrics verified/leaked to a provider of the operating system vendor choosing.
If you are using a workstation, please get a webcam if you want to jerk off.
But let's say that you passed the age verification procedure: how do you transfer that knowledge to the website?
A HTTP header could be faked so this is not an option.
A remote assessment using a TPM (a chip on your device that monitors that your system wasn't altered) ? => You can no longer install an alternate operating system and watch porn. Once again an artificial monopoly.
DRM would be probably the preferred solution: let anyone download the porn file, but only display it on devices with the appropriate DRM reader if the age verification test is passed. Once again an artificial monopoly. And this puts an end to piracy in the process. Nobody would ever think about abusing this for other content, right Google WEI?
Once again, the French gov tech and requirements are bullshit. I am not here to defend them, but Pornhub statement is just full of shit.
#porn #pornhub #censorship #infosec #france
Passwords expire so often in corporate settings because passwords are not shelf-stable.
Passwords should be refrigerated after opening. If kept refrigerated in an airtight container, a password will last up to two weeks longer.
Follow me for more #InfoSec tips!
Seven day embargo limit for #curl: git.hardenedbsd.org/shawn.webb…
It can take the #HardenedBSD project a full month to rebuild its package repos. And since we've built this software monoculture against libcurl, this will be FUN!
It was recently updated in this doc to seven, but there were *two* numbers mentioned and only one of them was updated leaving the paragraph quite confusing. Follow-up to 83c90e50472f32b74e388f6e524d...GitLab
Long before the internet, some phone networks were hackable by playing a single tone at 2600Hz.
Whistled into a phone, it could grant you unrestricted access. Do you have the vocal chops to be an old-school phone phreak?
I built a web app to test your ability to produce the legendary frequency. You won't get free long distance calls but you will get some honor in the knowledge that you could have been a cool hacker. 😎
I am sad to say that I can only whistle up to 1100Hz... But my wife (a long time woodwind player) is able to consistently get it.
Give it a try: phreak.kmcd.dev/
#phreaking #2600Hz #bluebox #RetroComputing #hacker #infosec #Tech
As part of the investigation, I have looked closely at Telegram's protocol and analyzed packet captures provided by IStories.
I have also done some packet captures of my own.
I dive into the nitty-gritty technical details of what I found and how I found it on my blog:
Telegram is indistinguishable from an FSB honeypot
rys.io/en/179.html
Yes, my packet captures and a small Python library I wrote in the process are all published along.
#Telegram #InfoSec #Privacy #Surveillance #Russia
Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet IStSongs on the Security of Networks
Remarkable investigation into Telegram by IStories (in Russian):
istories.media/stories/2025/06…
English version by OCCRP:
occrp.org/en/investigation/tel…
tl;dr:
👉 Telegram uses a single company with ties to the Russian FSB as their sole infrastructure provider, globally.
👉 Combined with a cleartext device identifier Telegram's protocol requires to be prepended to all encrypted messages, this allows for global surveillance of Telegram users.
I am quoted in this story.
The technical infrastructure that underpins Telegram is controlled by a man whose companies have collaborated with Russian intelligence services.OCCRP
Privacy vs Security: Yandex is spying on their users in an insecure way, Meta (Facebook, Insta) in a more secure way. Both of them are a threat against user privacy
This is yet another example showing that there are reasons to be more suspicious against proprietary apps. We should avoid installing GAFAM apps, and reducing as much as possible our dependency on their services is healthy
I have an #infosec question: is there any good reason for co-workers to share login information, e.g. to access a supplier website? If yes, what’s the reasonable way to share such information nowadays?
My current customer is doing this, and I’m freaking out a bit. 
Ekis: 2; Google AI: 0
Broke out of the google's operational directives (not safety, too deeply embedded)
I have a prompt I would like to publicly disclose; link to breakout prompt in a reply for 24h
My prompt does not include any facts about google & its a slim breakout
Establishing a similar but far more sophisticated "Ekis Directive" this time
Here are 3x same questions to prove googles operational parameters lifted
You can decide if you think I was successful:
Startpage is a search engine that has been promoted as a European alternative to Google Search.
This is a misleading statement.
CLARIFICATION
Headquartered in the Netherlands.
Owned by System1: mastodon.online/@blueghost/111…
Revenue is consolidated with System1's financial statements.
System1 supports employee salaries, technology investments, and marketing initiatives.
Source: support.startpage.com/hc/artic…
Website: startpage.com
#Startpage #StartpageSearch #Privacy #InfoSec #CyberSecurity
Attached: 1 image System1 owns the search engine Startpage. System1 is a publicly traded advertising/marketing company headquartered in the United States and traded on the NYSE as SST. CNBC System1 profile: https://www.cnbc.Mastodon
Researchers at FIU's College of Engineering and Computing have developed an encryption algorithm to defend videos from attackers with access to the world's most powerful computers.David Drucker (Tech Xplore)
Microsoft Copilot for SharePoint just made recon a whole lot easier. 🚨
One of our Red Teamers came across a massive SharePoint, too much to explore manually. So, with some careful prompting, they asked Copilot to do the heavy lifting...
It opened the door to credentials, internal docs, and more.
All without triggering access logs or alerts.
Copilot is being rolled out across Microsoft 365 environments, often without teams realising Default Agents are already active.
That’s a problem.
Jack, our Head of Red Team, breaks it down in our latest blog post, including what you can do to prevent it from happening in your environment.
📌Read it here: pentestpartners.com/security-b…
#RedTeam #OffSec #AIsecurity #Microsoft365 #SharePoint #MicrosoftCopilot #InfoSec #CloudSecurity
TL;DR AI Assistants are becoming far more common Copilot for SharePoint is Microsoft’s answer to generative AI assistance on SharePoint Attackers will look to exploit anything they can get their hands on Your current controls and logging may be insuf…Jack Barradell-Johns (Pen Test Partners)
Looks like Corporate #infosec has made it's choice.
#RSAC is filled with talks embracing AI and making it "secure".
And they invited and encouraged the Trump regime to spread its disinformation - fully sanctioned and encouraged by the conference leadership(and by conference attendees who laughed at the regime's jokes and lies and issued no challenges or stands during the talk).
With the ostracization of #ChrisKrebs by industry and the full embrace of Kristi Noem as a speaker, this was the moment that infosec made its bed.
Y'all lie in it now.
This dumb password rule is from Polytechnique Montreal.
Passwords must have a minimum length of 8 characters
Passwords must have a maximum length of 30 characters
Passwords must contain a minimum of 2 digits
Passwords must contain a minimum of 2 letters
Password must be different than the last one used
Passwords may contain these special characte...
dumbpasswordrules.com/sites/po…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Passwords must have a minimum length of 8 characters Passwords must have a maximum length of 30 characters Passwords must contain a minimum of 2 digits Passwords must contain a minimum of 2 letters Password must be different than the last one use…dumbpasswordrules.com
Microsoft Authenticator needs me to validate with Authenticator in order to log in with Authenticator to use it to authenticate another app with Authenticator.
Here is the app telling me to open itself to validate itself with itself.
#infosec people, THIS is big and you need it in front of management RIGHT NOW.
MITRE has informed the CVE board members that effective TONIGHT, funding to run CVE and CWE is effectively gone. The US federal government contracts MITRE to run these programs including both management, operations, and infrastructure.
This not only could but almost certainly will result in disruptions to CVE and CWE including a halt of all operations if new contracts/funding are not secured.
This dumb password rule is from Bank Millennium.
Passwords limited to 8 digits.
dumbpasswordrules.com/sites/ba…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from TreasuryDirect.
Will allow most passwords longer than 8 characters. Doesn't tell you there is a
maximum length of 16 characters. Then forces you to type it with an on-screen keyboard
with no capital letters.
dumbpasswordrules.com/sites/tr…
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Will allow most passwords longer than 8 characters. Doesn't tell you there is a maximum length of 16 characters. Then forces you to type it with an on-screen keyboard with no capital letters.dumbpasswordrules.com
February 16th #BlackHistoryMonth spotlight:
Get to know @blackgirlshack!
"BlackGirlsHack meets the #InfoSec needs left unmet by existing services by providing hands-on skills that are focused on people who are upskilling and reskilling in #cybersecurity."
BlackGirlsHack is the leading cybersecurity training nonprofit in the country. The nonprofit organization, which is open to all, provides training, career services, study groups, and resources people looking to upskill and reskill in technology and c…blackgirlshack.org
For every day in February, I will be posting to celebrate #BlackHistoryMonth by spotlighting Black Americans who have contributed to the fields of #STEM and #LibraryScience, in addition to shout outs to Black-owned businesses and #InfoSec groups.
Thread 🧵 begins here:
Unbelievable
#ElonMusk’s US #DOGE Service are feeding sensitive data into #AI software via #Microsoft’s #cloud
#Musk’s US #DOGE Service have fed sensitive data from across the #Education Dept into #ArtificialIntelligence software to probe the agency’s programs & spending…. The AI probe includes data w/personally identifiable info for people who manage grants, & sensitive internal financial data…
#law #security #InfoSec #CyberSecurity #NationalSecurity #Trump #TrumpCoup
washingtonpost.com/nation/2025…
This is what I think about whenever infosec wonks on here start telling people they should use matrix or xmpp+omemo or whatnot instead of signal
To be fair, I understand the arguments and to a large extent I agree with the critiques. However, I think anyone making these recommendations is vastly underestimating the capacity or appetite for most people to deal with the user experiences presented by these alternatives.
User experience is the ultimate force multiplier. For anything that requires network effects to function (ie most anything involving communication), if it doesn't *just work* then you've lost 90% of your audience.
#matrix #xmpp #infosec #cybersecurity #signal #ux #design #ui #encryption #privacy #crypto
Let's say China manages to get just a little bit of data about people from just a few of these ... 😑
"China's overlapping tech-industrial ecosystems"
high-capacity.com/p/chinas-ove…
#cybersec #cybersecurity #infosec #itsec #china #privacy #gdpr #dataprotection #dataskydd
EVs, batteries, lidar, drones, robotics, smartphones, AI. China's progress across a range of overlapping industries creates a mutually reinforcing feedback loop.Kyle Chan (High Capacity)
Signal is a secure messenger, but there are interesting alternatives, such as @matrix , @session , @delta , @simplex or XMPP …
➡️ matrix.org
➡️ delta.chat
➡️ simplex.chat
➡️ xmpp.org
If you’d like to learn more about these options, have a look at the responses to this toot.
#matrix #session #signal #XMPP #messenger #decentralized #tech #technology #OpenSource #FOSS #WhatsApp #security #InfoSec #data #safety
Session is a private messenger that aims to remove any chance of metadata collection by routing all messages through an onion routing network.Session
Really good article. My experience with "security experts" is that most actually have very limited knowledge in the field. And lack critical thinking. This leads to an almost blind trust in these tools that spit out reports on CVSS scores that can easily be exported to nice looking spreadsheets.
Unfortunately, those tend to be taken as gospel by management. Because management never have a clue about anything.
There's a "Signal deanonymized" thing going around:
gist.github.com/hackermondev/4…
Stay calm. Deep breaths.
👉 while this is a real consideration, the only thing the attacker gets from this is a very rough (kilometers or tens of kilometers radius) location
👉 other communication platforms that use any kind of caching CDN to deliver attachments are just as affected
👉 you almost certainly should continue to use Signal, unless you specifically know that this is a big problem for you.
Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform - research.mdGist
Microsoft Office 2016 and Office 2019 will no longer receive software updates, technical support, or bug and security fixes after 14.10.2025.
Consider migrating to LibreOffice.
LibreOffice is free to use.
LibreOffice supports Office file formats.
Install LibreOffice and compare it with your version of Office.
Website: libreoffice.org
Mastodon: @libreoffice
1/4
#Microsoft #Office2016 #Office2019 #Office #LibreOffice #CyberSecurity #Privacy #InfoSec #FreeSoftware #OpenSource #FOSS
Free office suite – the evolution of OpenOffice. Compatible with Microsoft .doc, .docx, .xls, .xlsx, .ppt, .pptx. Updated regularly, community powered.www.libreoffice.org
