Items tagged with: infoSEc


In a very strange turn of events, I've randomly stumbled across a misconfigured #S3 Bucket. I have no idea who owns it, or how sensitive the contents might be. Does anyone have any suggestions on how to go about the responsible disclosure process here? Do I contact Amazon Web Services perhaps? Boosts for reach would be greatly appreciated. #Infosec


ODF wholesome encryption is the default password (symmetric) encryption mode in LibreOffice 24.8.

Supports AES-256-GCM and Argon2id.

LibreOffice 24.2/24.8 is required to open the encrypted files.

Disable: Tools > Options > Load/Save > General > ODF Format Version > 1.3 (drop down menu) > Apply > OK

AES: en.wikipedia.org/wiki/Advanced…
GCM: en.wikipedia.org/wiki/Galois/C…
Argon2: en.wikipedia.org/wiki/Argon2

Website: libreoffice.org
Mastodon: @libreoffice

#LibreOffice #Encryption #InfoSec #Privacy #E2EE


Cybersecurity course: 𝗢𝗻𝗹𝗶𝗻𝗲, 𝗵𝗮𝗻𝗱𝘀-𝗼𝗻, 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗮𝗹, 𝗮𝗻𝗱 𝗳𝗿𝗲𝗲!
Czech Technical University's "Introduction to Security" class opens online for free! 14 weeks of deep attacking and defending. Join us and register for free. Starting on Sep 26th.
cybersecurity.bsy.fel.cvut.cz/
#cybersec #infosec #blueteam #redteam #education #security


Privacy-focused Tuta Mail Opens Second Office in Munich:

tuta.com/blog/tuta-in-munich

See how Tuta stacks up with other email providers in keeping your information private:

tuta.com/email-comparison

#infosec #cybersecurity #privacy


Ok, here's the deal on the "YubiKey cloning attack" stuff:

:eyes_opposite: Yes, a way to recover private keys from #YubiKey 5 has been found by researchers.

But the attack *requires*:

👉 *physically opening the YubiKey enclosure*

👉 physical access to the YubiKey *while it is authenticating*

👉 non-trivial electronics lab equipment

I cannot stress this enough:

✨ In basically every possible scenario you are safer using a YubiKey or a similar device, than not using one. ✨

#InfoSec #YubiKey5


Here are some popular hashtags related to various topics in cybersecurity:

  1. #CyberSecurity - General cybersecurity topics
  2. #InfoSec - Information security
  3. #PenTesting - Penetration testing
  4. #OSINT - Open-source intelligence
  5. #ThreatHunting - Identifying and responding to threats
  6. #MalwareAnalysis - Analyzing and understanding malware
  7. #IncidentResponse - Responding to cyber incidents
  8. #ZeroDay - Zero-day vulnerabilities and exploits
  9. #CyberThreats - Cyber threat intelligence
  10. #EthicalHacking - Hacking for ethical purposes
  11. #RedTeam - Offensive security testing
  12. #BlueTeam - Defensive security operations
  13. #CloudSecurity - Securing cloud environments
  14. #IoTSecurity - Security for Internet of Things devices
  15. #DataProtection - Protecting sensitive data
  16. #SOC - Security Operations Center practices
  17. #Phishing - Phishing attacks and prevention
  18. #Ransomware - Ransomware threats and defenses
  19. #CryptoSecurity - Cryptography and encryption
  20. #AppSec - Application security
  21. #BugBounty - Programs for finding and reporting security bugs
  22. #DigitalForensics - Investigating cyber crimes
  23. #Privacy - Protecting personal and organizational privacy
  24. #CISO - Chief Information Security Officer topics
  25. #GDPR - General Data Protection Regulation compliance

You can use them on social media platforms to discover content, join discussions and stay informed about the latest insights in cybersecurity.


If you collect it, they will come.

Investigators will eventually identify any consumer product that persistently records peoples' activities.

One day, they'll show up, requesting access.

If the data is consistently helpful, they'll stop asking & start demanding.

Once this happens enough the company will probably create a law enforcement portal to simplify access & save customers the trouble...

#infosec #police #cybersecurity #privacy #security #crime #surveillance


They're accepting public comments until October 7th, 2024.

I'm not American, nor do I have any particular industry experience with facial recognition other than a broad knowledge that biometric authentication is very often a terrible idea.

Perhaps someone on fedi who has a bigger stake in this wants to draft some open letter or something? I will happily add my signature to anything that raises these concerns in a well-considered manner.

I'll probably write something short if nothing substantial is organized before that deadline, but it would probably be more effective coming from a broader coalition.

#NIST #infosec


I think the outage yesterday is a good opportunity to check one thing. If you work in software manufacturing (systems design, programming, project/product management, testing) do you know what Therac-25 is without searching?

#infosec #IT

Boost for reach please. :BoostOK:

  • I make software and I know about Therac-25 (43%, 1611 votes)
  • I make software and I don't know about Therac-25 (33%, 1257 votes)
  • I do other things and I know about Therac-25 (8%, 314 votes)
  • I do other things and I don't know about Therac-25 (14%, 540 votes)
3722 voters. Poll end: 1 month ago


I can't even find the words. Like, just stop being weird to women.

#tech #infosec #technology


The YouTube throttling, from the technical side

#network #security #infosec #proxy #vless #vmess #youtube #roscompozor #ntc_party

Ready-made circumvention tools. Waujito wrote his own solution for Linux (github.com/Waujito/youtubeUnbl…), which targets only YouTube.
For Windows there is also GoodbyeDPI by ValdikSS (github.com/ValdikSS/GoodbyeDPI), and for Linux there is also zapret (github.com/bol-van/zapret).
There is ByeDPI (github.com/hufrea/byedpi), which works as a proxy (Windows/Linux). There is also an Android version of ByeDPI (github.com/dovecoteescapee/Bye…), which works as a "fake VPN".

I recommend reading the detailed comment by ValdikSS on how to use these tools. (github.com/yt-dlp/yt-dlp/issue…)

If you want to dig deeper into this topic, you can read more here: https://ntc.party/t/замедление-youtube-в-россии/8055/ and https://ntc.party/t/обсуждение-замедление-youtube-в-россии/8074/

The comments are boiling as usual.

habr.com/ru/articles/832678/


I learned about secure software development on the job, but like ethical computing (which I've talked about before), this should also be included in formal education. Because of the current threat models, topics like security by design and zero-trust frameworks are critical when developing Internet systems. linuxfoundation.org/press/linu…

#securitybydesign #security #softwaredevelopment #zerotrust #infosec #cybersecurity #education


Looking for contact in Colombia

#infosec #followerpower

Does anyone here have contact to people responsible for (or interested in) privacy and IT Security inside the country of Colombia (South America)?

Through friends, I have become aware of a data leak that can be devastating to ten thousands of people living in that country.

My friends tried to get the responsible organization to close the data leak, but were met with complete disinterest. So in their frustration, they turned to me.

Now I am looking for a journalist, activist or even a government official who is willing raise the issue from within Colombia.


Few things I like in IRC over Matrix, or any other protocol in professional setting:

  1. Does not try to blend #security and #decentralization. Not having security at all is one way to implement a sound security model. This allows designing security properties both by means of infrastructure security, i.e. outside the protocol, and also by tunneling, i.e. inside the protocol (a classic example is off-the-record messaging). This keeps the core protocol compact and sound, and easy to verify for correctness, which is by itself a strong security property.
  2. Has both decentralized and client/server based topology since 1988(!). It is a network of servers, which together form an IRC network.
  3. Protocol messages are both rigidly structured AND still human-readable (unlike JSON), and have a clean specification (RFC 1459).
  4. Features not in the protocol itself can be implemented efficiently with bots, given the ease of parsing and producing IRC protocol messages.
  5. IRC network heals fast from failures and has high #availability properties, given the clean and rigid definition of what it does and what it does not do.

#IRC #infosec


This dumb password rule is from SecureAccess Washington.

Central authentication for all Washington State services (DoL, ESD, etc).

Password must have *exactly* 10 characters, but the form happily lets you enter more and only throws errors after submit, providing no useful feedback.

dumbpasswordrules.com/sites/se…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


Want an effective way to chase off your customer base?

Drop opt-out AI into your product after taking a survey about it and getting a "hell no" response from roughly 70% of those polled.

@Tutanota@mastodon.social, I'm putting my faith in you folks. Please don't let it be misplaced.

#infosec #privacy #protonmail #tuta


This demonstrates a thing that I’m sure serious security pros (and their adversaries) have long known: These Windows security products are a highly attractive attack surface for serious professional Bad Guys. They run in God mode and are typically purchased by IT-management types via the “enterprise software sales” process. (Think: golf.)

I wonder how many of them are already deeply compromised? I am certain that the number is not zero.
#Crowdstrike #Windows #infosec


The CrowdStrike thing is basically the "Ever Given stuck in the Suez Canal" of the IT industry.

All the techies losing hair, sleep, and family time trying to get this un-stuck are the excavator operators trying to get things un-fucked.

#CrowdStrike #InfoSec


"All software has bugs 🤷" is the "boys will be boys 🤷" of the IT industry.

#InfoSec


Maximizing shareholder value by using tried-and-true industry-standard systems and services is going just great.

Let's see if "nobody ever got fired for choosing Windows" still holds a week from now. :blobcatpopcornnom:

#InfoSec #CrowdStrike


The thing I hope is alarming people about today's #CrowdStrike outage is that if the company can take out that much of America's tech infrastructure by accident with a single buggy update, our adversaries can do the same on purpose with a supply-chain attack against CrowdStrike, and that one probably wouldn't be as quick to recover from. #infosec


🔐 C++ Must Become Safer — Andrew Lilley Brinker — Software Supply Chain Security

「 If a cheap-to-maintain legacy system is faced with the proposition of an expensive rewrite, it may instead be eliminated. The externalities of this kind of change are difficult to consider in advance and in general 」

alilleybrinker.com/blog/cpp-mu…

#C #CPP #Rust #MemorySafety #Infosec


Some of you may have heard of a little podcast called Bare Knuckles & Brass Tacks. I'll be providing an interview to those folks tomorrow together with the CSO of an #accessibility related company to talk about the state of #accessibility in #cybersecurity. Any particular questions anyone has, please send them my way so I can try to include them :) #infoSec


This dumb password rule is from Virgin Media.

Your password needs to be between 8 and 10 characters long, with no spaces, and must contain only numbers and letters. The first character must be a letter.

Feb 2020 Update: policy remains the same but the description is hidden leaving you to guess the acceptable length/chars. Users are now lef...

dumbpasswordrules.com/sites/vi…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


This dumb password rule is from Banque de Tahiti.

You have to enter your password using this *very* Frenchy keypad. You don't have lowercase letters, the blanks are not spaces but just non-clickable gaps, but as a compensation you have some weird symbols that your keyboard does not have a key for (e.g. `µ`).

No accessible version available.

dumbpasswordrules.com/sites/ba…

#password #passwords #infosec #cybersecurity #dumbpasswordrules


A recap: We've covered a number of things on this channel so far, from an @elementary review to a look at code editors, data science tools, screen readers, hacking tools like Burp Suite and platforms like TryHackMe, all from a screen reader user's perspective. I'm only just getting started though, intending to cover a wide variety of different things, from more #FOSS tools, audio/video editing, programming and hacking tools etc.
Today's stream will be more #tryHackMe content, with a look at #HackTheBox Academy next week. Anyone who wants this kind of feedback, and doesn't mind constructive, but thorough, feedback, come talk to me :) We'll be going live today at 3 PM EST over at https://twitch.tv/ic_null and youtube.com/@lindlyCoding #infoSEc #cybersecurity #accessibility #selfPromo #twitch #youtube #streaming


STAGGERING: Nearly all #ATT customers' text & call records breached.

An unnamed entity now has an NSA-level view into Americans' lives.

Damage isn't limited to AT&T customers.

But everyone they interacted with.

Also a huge national security incident given government customers on the network.

And of course, third party #Snowflake makes an appearance.

cnn.com/2024/07/12/business/at…

#infosec #cybersecurity #telco #cellular #privacy #security #breach


Do you want to help secure GNOME and get a reward? 🏅

We are testing a new program in which people get a payment for reporting and/or solving vulnerabilities.

yeswehack.com/programs/gnome-b…

From €500 to €10,000 depending on criticality 💶

For now only GLib is in scope but we will expand the list of modules and advertise as the program grows.

In partnership with @yeswehack and @sovtechfund

#GNOME #infosec #FreeSoftware #security #bugBounty #OpenSource #cybersecurity


In-Process is out, featuring all the news on NVDA 2024.2 AND the newly released NVDA 2024.3 Beta 1 plus info on our new Code Signing Certificate, a thank you to our donors, and we remember community contributor, Austin Pinto.

Catch up on everything here: nvaccess.org/post/in-process-3…

#NVDA #NVDAsr #ScreenReader #News #Blog #Newsletter #InfoSec #PreRelease #Beta #FOSS


qualys.com/regresshion-cve-202…

#CVE_2024_6387

Unauthenticated RCE in SSH.

Happy Monday.

18 year old regression. Sigh.

#infosec


There are only two messaging apps I fully endorse when people communicate with me: @signalapp and @matrix. Yes, I also use Discord, text, and even iMessage. The recent stances from both Matrix and @Mer__edith towards the EU Chat Control proposal, even as an American, reaffirm that I have made the wise choice.

The fact that I have proven first-hand that we had to whitelist Signal in Zscaler for it to even work, because it won't allow MITM, proves that even as a hosted app it can be trusted. #Infosec


Hey everyone. I'm promoting a new YouTube channel hosted by a friend and her family. I'm loving the content she's putting out there. Consider subscribing!
#infosec #training
youtube.com/@cyberchristy911


Lukewarm take:

When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.

Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.

Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.

*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.

#InfoSec


Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.

Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.

Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.

#InfoSec


If anyone out there is looking for some #infosec / #cybersecurity-related training, feel free to peruse this giant list I've been putting together over time ⬇️

shellsharks.com/online-trainin…

Know of a training that isn’t listed here? Let me know about it and I can add!

We're truly in a golden age of resources for learning infosec/IT, the hardest part becomes choosing the best thing!

#mondayblogs #mentorshipmonday


We've been doing this a while. Let's SWING for the big leagues.
Tomorrow, we're doing a deep dive on #burpSuite from a #screenReader perspective. It will be mostly #blind (as in playthrough) as I've not looked at this program for a few years, and fully blind (as in sight) given ... well ... screenReader user :)

I've learned more, and hey who knows, maybe they've improved ......
If it turns out they haven't, we'll look at @zaproxy next as a more viable, generally more #accessible alternative. See you tomorrow at 3 EST over at twitch.tv/ic_null #infosec #cybersecurity #zaproxy #portswigger #java #programming