If you use brew’s curl on macOS, are you really using it? I installed and had curl setup a couple of years ago. Today it appears that curl was now pointing to Apple’s version, which has this issue (https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/). Looks like brew doesn’t add a symlink for curl to /opt/homebrew/bin. Running `ln -s /opt/homebrew/opt/curl/bin/curl /opt/homebrew/bin` resolved the issue.

#macos #curl #security

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.

It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨

#security #cybersecurity #simswap

https://tmo.report/2024/04/t-mobile-employees-across-the-country-receive-cash-offers-to-illegally-swap-sims/

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

T-Mobile employees, both third-party and corporate, are receiving cash offers via text to complete SIM swaps for criminals.

^{Jman100 (The Mobile Report)}

#curl sometimes fails to access some servers. In most situations the problem is not in curl itself but on the server side. Example:

1. Fails: curl https://www.radissonhotels.com

2. Works: curl -A 'Mozilla/5.0 xx Chrome/119' https://www.radissonhotels.com

3. Fails: curl -A 'Mozilla/5.0 xx Chrome/118' https://www.radissonhotels.com

4. Fails, too: curl -A 'Mozilla/5.0 xx Chrome/1189' https://www.radissonhotels.com

Perhaps they perform #filtering to obtain improved #security? It's hard to tell, but any serious attacker surely knows how to spoof the user agent string and bypass such simple #regex

Security Bits by @bart — 14 April 2024 https://www.podfeet.com/blog/2024/04/sb-2024-04-14/

#Security

Security Bits — 14 April 2024 - Podfeet Podcasts

Feedback & Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we’re tracking over time.

^{Bart Busschots (Podfeet Podcasts)}

Time for another release... Accrescent 0.19.0 is out! While not much has changed on the surface, Accrescent now uses our new server infrastructure which brings faster downloads to everyone!

Read the release notes or download below 👇

https://github.com/accrescent/accrescent/releases/tag/0.19.0

#accrescent #security #privacy #appstore #android

Release 0.19.0 · accrescent/accrescent

This release marks the migration of Accrescent's servers to a more scalable setup. From this version on, Accrescent will connect to the new servers. Earlier versions of Accrescent will automaticall...

^GitHub

Let's use @protonprivacy and @Tutanota products.
Encryption is the single best hope against surveillance.

https://www.wired.com/story/house-section-702-vote/

#security #cybersecurity #infosec #nationalsecurity #nsa #fbi #section702 #privacy #government #surveillance #e2ee #tech #proton #protonmail #tuta #tutanota #bigtech #degoogle

House Votes to Extend—and Expand—a Major US Spy Program

The US House of Representatives voted on Friday to extend the Section 702 spy program. It passed without an amendment that would have required the FBI to obtain a warrant to access Americans’ information.

^{Dell Cameron (WIRED)}

Hey! Let's talk about #SSH and #security!

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab s clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke . The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24

Let's dive in. 🧵

2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give much details. After it was tested now at the IoD test & staging area, and running smoothly for two days for the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make POC & patch public. You can find the full details at https://github.com/obfusk/fdroid-fakesigner-poc & https://www.openwall.com/lists/oss-security/2024/04/08/8 now. @fdroidorg @eighthave be welcome using it!

1/2

GitHub - obfusk/fdroid-fakesigner-poc: F-Droid Fake Signer PoC

F-Droid Fake Signer PoC. Contribute to obfusk/fdroid-fakesigner-poc development by creating an account on GitHub.

^GitHub

FreeBSD Foundation and Digital Security by Design (DSbD)

<https://www.globenewswire.com/news-release/2024/04/03/2856691/0/en/FreeBSD-Foundation-and-Digital-Security-by-Design-DSbD-Announce-Beacon-Award-Winners-for-Innovations-and-Improvements-to-CheriBSD.html>

❝… CHERI and CheriBSD, developed to revolutionize hardware-based protection against memory safety vulnerabilities, were developed by a collaboration from researchers from the University of Cambridge, alongside corporate partners such as Google, Microsoft, Arm, and SRI International, and with support from the UK government. …❞

#FreeBSD #ARM #security

FreeBSD Foundation and Digital Security by Design (DSbD) Announce Beacon Award Winners for Innovations and Improvements to CheriBSD

Winning Projects Highlight CheriBSD's Role in Advancing Digital Security...

^{FreeBSD Foundation}

I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.

So I wrote "The xz issue isn't about Open Source" here: https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source

The xz Issue Isn’t About Open Source

You’ve probably heard of the recent backdoor in xz. There have been a lot of takes on this, most of them boiling down to some version of: The problem here is with Open Source Software. I want…

^{The Changelog}

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Unfolding now: https://news.ycombinator.com/item?id=39865810

- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2

The timeline on this is going to take so long to unravel

#security #linux

feat: update vendored xz to 5.6.1 by jaredallard · Pull Request #2 · jamespfennell/xz

Updates the vendored version of xz to be 5.6.1. Also updates the vendor script to support the addition of SPDX-License-Identifier headers into some files.

^GitHub

🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.

Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)

Security Advisory: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

#Fedora #Linux #OpenSource #Security #Privacy

Urgent security alert for Fedora Linux 40 and Fedora Rawhide users

Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.

^{, (Red Hat)}

Upgrade your systems now!

The xz package has been backdoored

https://archlinux.org/news/the-xz-package-has-been-backdoored/

#ArchLinux #Linux #xz #security

New bookmark: Firefox bug 1886557: Make JIT Spraying implausible.

This could be the biggest leap forward in years when it comes to SpiderMonkey catching up to V8 and JSC’s JIT hardening. So far, I’ve been telling security-conscious Firefox users to disable the JIT compiler, and to use Chromium when JIT is necessary; maybe I won’t have to in a few years’ time.

Originally posted on seirdy.one: See Original (POSSE). #browsers #firefox #security

My bookmarks

Links from around the web, curated and annotated by Rohan Kumar.

^{Seirdy’s Home}

🇩🇪 Ich habe ja schon erwähnt, dass im Januar für das #IzzySoftRepo zusätzliche APK-Checks implementiert wurden. Jetzt habe ich es endlich geschafft, auch den zugehörigen Blog-Artikel fertig zu stellen.

Vielleicht interessiert es Euch ja, einen Blick auf Details und Hintergründe zu werfen? Ihr finden den Artikel "Zusätzliche APK-Checks im IzzyOnDroid Repo" hier:

https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=de

#security #Android #apps

Zusätzliche APK-Checks im IzzyOnDroid Repo

Nachdem der Library-Scanner nun seit mehreren Jahren im IzzyOnDroid Repo im Einsatz ist war es an der Zeit, einige zusätzliche APK-Prüfungen zu etablieren.

^IzzyOnDroid

🇺🇸 I've told you about additional APK checks having been implemented at the #IzzySoftRepo in January. Now finally I found the time to complete the article explaining the details, so you might wish to take a look at "Ramping up security: additional APK checks are in place with the IzzyOnDroid repo":

https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=en

Edit: Tags:

#security #Android #apps

Ramping up security: additional APK checks are in place with the IzzyOnDroid repo

With the library scanner in place for multiple years, it was about time to establish some additional APK checks with the IzzyOnDroid F-Droid repository.

^IzzyOnDroid

• YouTube Videos (17%, 66 votes)
• Articles/Blog Posts (75%, 284 votes)
• Forum Discussions (7%, 28 votes)

Content warning: 🔥 Habr.ru удаление статей о обходе блокировок 🔥 Click to open/close

Все страницы сайта Habr.ru (локальная копия)
по следующим темам:

[VPN]
[Proxy][proxy-server]

[Mesh]
[i2p]
[i2pd]
[cloak]
[P2P]
[TOR]
[OpenVPN]
[XraY]
[V2rayNG]
[I2raY]
[V2rayXS]
[V2rayN]
[Yggdrasil]

[ValdikSS]Возможно, вам это будет интересно.
Я нашел эти ссылки в интернете.

В связи с намерениями правительства удалить всю информацию по обходу блокировок из российского сегмента интернета, кто-то, решил принять меры. 🙂

ОН, судя по всему считает, что статьи это важная часть культуры и нашего прошлого.
Особенно, комментарии больших групп образованных людей на habrahabr.ru.

Этот человек, скорее всего считает важным сохранять и распространять полезную информацию.
А так же, делиться мнениями других людей, т.к. это развивает и помогает обществу рости в лучшую сторону.

Не смотря на мои предположения, для меня остается загадкой мотивация этой неизвестной личности.

Но я разделяю некоторые идеи, в плане того, что знаниями нужно делиться.

Мне всегда становится грустно, когда я обнаруживаю умерший сайт,
или удаленную страницу и потерянную информацию.

Поэтому, делюсь этими ссылками с вами.
А вы, можете поделиться с другими.
(будет что почитать, если интернет совсем кончится)

К тому же, 14 марта на хабре вышла статья
"Надежный обход блокировок в 2024 протоколы,
клиенты и настройка сервера от простого к сложному"
под которой один человек предложил сохранить статьи по обходу блокировок.
(эта статья сохранена в этом сборнике)

UPD1: "Статья уже была удалена. Но доступна если искать из другой страны."

UPD2: Сейчас, автор статей по "актуальному обходу блокировок MiraclePtr" - удален((

Учитывая времена, думаю стоит сохранить все локально, потому что не известно,
какие именно категории данных будут удаляться в будущем.
И нет надежды, что веб архив не будет заблокирован.
Да и не понятно, как сильно все изменится со временем.

Страниц в папках всего: 2223 или 11.5Gb

1) Видео о содержимом 13Mb можно по этой ссылке:
https://mega.nz/file/cLMUHSAT#PHjc7WfTg1sfv2yYbsQ5HHQJM5XFwYh4bFgCDWekewI

2) Скачать архивом .7z - 3.3Gb (сжат):
https://mega.nz/file/hf8xSbiI#3DrGc3P2zNVboygPUBssBqL6s3Y_ubsAanIQ2FAa3sg

3) Скачать отдельные папки 11.5Gb:
https://mega.nz/folder/9TVGgZjL#pGAidXuvLu5u87X46W0lnw

4) Копия архива .7z - 3.3Gb:
http://www.fileconvoy.com/dfl.php?id=gee77ca53b1343e921000544134295a820bc7393d2f

5) Ссылка на репозиторий, если кому-то удобней скачивать так:
https://codeberg.org/hrabr/Habr.git

О содержимом.

Судя по ссылкам в страницах, они были сохранены с середины марта 2024.
Информация собрана по темам (список вверху) и все рассортировано по папкам.

Сохранены практически все страницы (за исключением откровенно рекламных статей).

Возможно вы встретите небольшое количество дублей, т.к. темы пересекаются.
(так же, встречаются одинаковые статьи опубликованные в разное время, но имеющие разные комментарии)

Возможна какая-то информация вам будет не интересна.

Есть страницы с устаревшей информацией (с 2008 года).
Они и комментарии из этих статей сохранены для истории.

В архиве есть index.html, через который можно искать статьи по ключевым словам через Ctrl+F.
Так же, под этим сообщением есть скриншеты и видео о структуре.

Если у вас в закладках, есть страницы с инструкциями для построения защищенных сетей,
или что-то, что вы считает полезными и это может быть потеряно,
добавляйте ссылки под этим постом, с описанием.
Может быть, ваша информация будет кому-то полезна.

Страницы были сохранены через невероятное дополнение: SingleFile

Если кто-то захочет оформить раздачу на rutracker,
то этот человек очень поможет нашему большому обществу,
когда страницы будут удалены с хабра (я считаю, это вопрос времени).
Как это уже произошло со страницами сайта 4pda.to.

Хочу сказать спасибо MiraclePtr за чудесные статьи и отдельное спасибо UranusExplorer за простые инструкции.
А так же, всему Хабр-сообществу, которое десятилетиями писало статьи и делилось своим мнением в комментариях.

#хабр #обходблокировок
#habr #pages #backup #cloak #i2p
#xray #nekobox #v2ray #v2rayn
#v2rayxs #v2rayng #i2ray #git
#amnezia #outline #shadowsocks
#vpn #proxy #server #mesh #p2p
#roskomnadzor #valdikss #network
#internet #dns #ssl #wireguard
#ikev2 #ipsec #l2tp #mikrotik
#linux #unix #mozilla #softether
#softethervpn #openvpn #peervpn
#pptp #security #ssh #openbsd
#ubuntu #debian #router #firewall
#private #http #https #openxray
#tor #info #articles #p2panda
#yggdrasil #habr #habrahabr #i2pd
#telegram #mega #rutracker #4pda
#блокировки

#ru #ua @rf @ru

@Revertron - тут куча твоих комментов и статьи есть, поэтому решил упомянуть тебя.

Пожалуйста, поделитесь этой информацией с друзьями. 💗
Если у вас есть идея куда еще можно залить эти статьи, предлагайте.

Habr

A copy of articles and comments from https://habr.ru, for the sake of history. Please share this information with your friends. Peace and love.

^Codeberg.org

At long last, a blog update... on updates? Check out this article on Accrescent's progress toward delta updates with conceptual explanations, benchmarks, and lots of pretty graphs!

https://lberrymage.dev/posts/ina-part-1/

#android #accrescent #security

Accrescent 0.18.0 released! This is a minor one with removed privileged installer support and maintenance updates. Changelog below.

https://github.com/accrescent/accrescent/releases/tag/0.18.0

#accrescent #privacy #security #android #appstore

Release 0.18.0 · accrescent/accrescent

This release removes privileged installer support, as it is not currently necessary for any functionality. Removals Remove privileged installer support Updates Bump AGP to 8.3.1 Bump Coli to 2.6...

^GitHub

It's 2024 and #Google is now requiring bulk #email senders to use DMARC, SPF, & DKIM when emailing #Gmail users. 👍

👉 https://tuta.com/blog/google-introducing-new-security-requirements

This is a great step, BUT why did they allow bulk senders to send #spam emails without proper #security standards until now? 🤔

Privacy can be powerful. The Librem 14 is the first ultra-portable laptop for the security-conscious- designed chip-by-chip, line-by-line, to respect your rights to privacy, security, and freedom.

Order yours now! https://puri.sm/products/librem-14/… #security #privacy #laptops

Today we are proud to announce the launch of the world's first #postquantum secure email platform! 🥳🎉

With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒

Learn more about this quantum leap in #security here: https://tuta.com/blog/post-quantum-cryptography

the #Apple #curl #security incident 12604 - or why CA cert verification is unreliable with curl on apple OS

https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/

LLVM CFI and Cross-Language LLVM CFI Support for Rust, https://bughunters.google.com/blog/4805571163848704/llvm-cfi-and-cross-language-llvm-cfi-support-for-rust.

> add LLVM CFI and cross-language LLVM CFI (and LLVM KCFI and cross-language LLVM KCFI) to the Rust compiler as part of our work in the Rust Exploit Mitigations Project Group. This is the first cross-language, fine-grained, forward-edge control flow protection implementation for mixed-language binaries that we know of.

Really interesting project.

#RustLang #llvm #security #safety #ffi

Blog: LLVM CFI and Cross-Language LLVM CFI Support for Rust

We’re pleased to share that we’ve worked with the Rust community to add LLVM CFI and cross-language LLVM CFI (and LLVM KCFI and cross-language LLVM KCFI) to the Rust compiler as part of our work in the Rust Exploit Mitigations Project Group.

^{bughunters.google.com}

Sometimes finding perfect #search results can be a pain and Google buying dominance doesn't help. 🔎
👉 https://tuta.com/blog/google-search-monopoly

Not all search engines offer the same performance, #security, and #privacy! 🤔

Which search engine is your favorite? Let us know in the comments!

Google Pays 1150 Times More for Its Search Monopoly Than for Lobbying in the EU & US

Break the Google Search monopoly! Your data is worth billions, take back control!

^Tutanota

• DuckDuckGo (64%, 265 votes)
• Ecosia (7%, 30 votes)
• StartPage (21%, 90 votes)
• Qwant (6%, 27 votes)

Just a bit of a ramble on #android and #apple and #privacy and #security inspired by a recent post by @beardedtechguy.

It's a bit of a ranty post, but not trying to be mean

This is day 19 of #100DaysToOffload

https://joelchrono.xyz/blog/apple-android-security-and-features/

Apple vs Android on Security and Features

This post by Kyle triggered me a little bit, so I wrote a response with my opinion on the matter

^{joelchrono.xyz}

Protecting your #privacy starts with threat modeling.

By accurately accessing your online #security threats & potential weaknesses, you can better protect your #digital life.

You are one of kind & so is your threat model. You can learn more here: https://tuta.com/blog/threat-modeling-for-you

#Nevada aims to stop minors from using end-to-end #encryption to protect their data. 🚫

Stand up for encryption & #privacy! ✊

This isn't protecting the youth, it's #victimblaming at its finest.

We must stop NV Attorney General Aaron Ford from undermining basic #security practices!
👉 https://tuta.com/blog/nevada-blocks-encryption-for-minors

🚀 Exciting News! 🚀

We're consolidating our cryptographic libraries with Rust! 🦀

With a unified crypto library, we simplify development, speed up deployment, and ensure consistent security measures across all clients.

This milestone marks a significant step in our journey.

Join us in celebrating this achievement, and looking forward to even more exciting developments ahead! 🎉

https://element.io/blog/meet-element-r-our-new-unified-crypto-implementation/

#Element #Rust #Security #ElementX

Meet Element R: our new unified crypto implementation

We’ve created a common cryptographic library implementation in Rust - codenamed Element R - for all our Element clients.

^{Archie W (Element Blog)}

Threat Modeling In 2024: Your Guide For Better #Security

@Tutanota shares some tips on developing a threat model for your personal use case.

#privacy #privacymatters

https://tuta.com/blog/threat-modeling-for-you

Threat Modeling In 2024: Your Guide For Better Security

Threat model best practices to evaluate your personal cybersecurity and privacy threat landscape.

^Tutanota

#curl HTTP/3 #security #audit

Performed by Trail of Bits. They found things to fix but nothing critical and no security flaws.

https://daniel.haxx.se/blog/2024/02/23/curl-http-3-security-audit/

#monocles chat 1.7.9 is released on the playstore with a lot of updates and improvements! (See comments below)

https://play.google.com/store/apps/details?id=eu.monocles.chat

#xmpp #chat #privacy #security #messenger

monocles chat - Apps on Google Play

monocles chat - The secure and ethical chat client

^{play.google.com}

RFC time! We're working on specifying how Accrescent's repository should look technically.

If you're an app developer who cares about app store features, an Accrescent user, or just interested in our development, leave your comments in the issue below 👇

https://github.com/accrescent/meta/issues/31

#android #appstore #security #privacy #accrescent

RFC: Repository metadata reorganization · Issue #31 · accrescent/meta

Problem Accrescent's repository metadata format and organization was not designed for cacheability, internationalization, or atomicity. As a result, Accrescent has limited scalability, target audie...

^GitHub