Security is the major reason why software updates are important. The LastPass breach demonstrates this dramatically.

If you search the web for why software updates are important, you will get loads of results that say there are "3 or 5 reasons why software updates are important". While this may be correct, there is only one major reason why you must keep your software up to date: Security.

Stay secure, update your systems! 😎💪🔒

https://tutanota.com/blog/posts/why-updates-are-important

#LastPass #Security

ChatGPT kennt übrigens auch den Kuketz-Blog! 😁

#chatgpt #KI #blog #security #privacy

"why is outlook letting mail senders specify arbitrary sound files to play when their appointment is due"... LOL #security
https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/

Microsoft Authenticator prompts the user to accept sharing analytics during the first launch. The prompt only dismisses when the user taps on "Accept." In fact, the app starts sending analytics even before accepting the privacy statement.🤦‍♂️

In this video, we downloaded the authenticator app from the App Store and we opened it as we monitored the iPhone network traffic. While the app was showing the permission prompt, we captured at least 3 calls made by the app sending diagnostics to Microsoft. The app sent 14 KB of analytics even before accepting the prompt.

The message on the prompt actually says that Microsoft needs to collect diagnostic data in order to keep Authenticator secure and up to date. 😵‍💫

#Privacy #Cybersecurity #2FA #InfoSec #Security #Microsoft

https://youtu.be/r5456XXG6v0

Der Werbe- und Trackingblocker #Blokada entwickelt sich immer mehr zu einer kommerziellen Lösung. Von einer weiteren Verwendung ist abzuraten. Nutzt besser die Alternative #AdAway. 👇

https://www.kuketz-blog.de/adaway-werbe-und-trackingfrei-im-android-universum/

Hinweis: Habe Blokada aus der Empfehlungsecke entfernt.

#tracking #datenschutz #dsgvo #ttdsg #sicherheit #security #privacy

Today I learned that when you "edit" or "correct" a message in #XMPP, the original message is still technically stored on the server or device. It's the client side that understands that the new message is an edit of the previous message, and "displays" it as such. But, if you send a password or something sensitive, "editing" the message after it has been sent might not remove the actual contents of the original version of the message, so make sure you use #encryption too.

#privacy #security

Portmaster, eine Art Firewall zur Kontrolle des ausgehenden Datenverkehrs, ist nicht mehr Alpha, sondern in der Version 1.0.7 für Windows, Debian/Ubuntu und Fedora verfügbar. Gerade für Windows-Nutzer interessant, die Microsofts Schnüffelei eindämmen wollen.

https://safing.io/

#security #privacy #firewall #sicherheit #datenschutz #windows

We are a little late to the party. How about we do an #introduction?

Hi Fediverse, we are SpiderMonkey, @mozilla’s #opensource engine for #JavaScript and #WebAssembly.
SpiderMonkey is used in Firefox, Servo and various other projects.

This account is run by our engineers, and none of us know how social media works. We were told to use hashtags.
#firefox #opensource #compilers #wasm #foss #privacy #security #performance #community

Nice to meet you!

Meine Analyse des Custom-ROMs #CalyxOS scheint bei einigen Entwicklern einiges in Bewegung zu setzen. Nun verkündet #GrapheneOS ihren eigenen SUPL TLS-Reverse-Proxy zu hosten: supl.grapheneos.org

"We'll be replacing our force disable toggle for SUPL with a choice between GrapheneOS, Standard (carrier/fallback) and Disabled."

Das ist natürlich das Optimum!

#android #security #supl #google

Considering that registration on matrix.org is discouraged these days, does anyone know a good #matrix homeserver that is open to registration?

Ideally in line with my interests on #foss #privacy #security #hacking #cyberpunk

A #opensource #backup solution on your #Android device for your #data #security, distributet over @IzzyOnDroid on @fdroidorg:

📱 Android-DataBackup
https://github.com/XayahSuSuSu/Android-DataBackup/blob/main/README_EN.md

@Tutanota maybe time to make a free service for website and webapp to integrate with you (like if they must send you a recovery code, or any "notification" email, to their user if they enter a tutanota user it will be E2EE).

Because your secure form is a big fail (surly due to it's price) and their is absolutely no easy way to let external service send us secure mail at all (without relying on the "password protected mail" but for that to word we need to send the first mail and it's not possible to automate it)

#security #encryption #e2ee

https://mailbox.org offers high #security and #privacy, but is still based on open standards. We're not locking you up.

Things change over time. Feel free to use any #email app you actually prefer - or write your own.

Thanks to Richard for his good recommendation.

QT riki137: Shout out to @SparkMailApp, for giving luxurious UX to private IMAP e-mails. Ideally combined with @mailbox_org - a wonderful provider.

Happy #DataPrivacyDay! 🥳

Here are some privacy-first apps frequently recommended by the Tutanota community.

What are your favorite apps to quit #BigTech?

#DataProtection #Encryption #Security #Privacy

Going dark: Is encryption a threat to our security? The Swedish EU Council says yes.

But we say: Stop the #CryptoWars. Destroying everybody's #privacy will not increase #security.

Read here why: 👇
https://tutanota.com/blog/posts/going-dark

#GoingDark

Have you heard about #ReproducibleBuilds? This is one of the biggest #security benefits of #FOSS. On #Android, this technique ensures that the #FDroid version of an app exactly matches the developer's version.

Read our article below for more details and to see how easy it is for developers to get set up:
https://f-droid.org/en/2023/01/15/towards-a-reproducible-fdroid.html

New #blog: Autodetecting and Announcing #Mastodon Scrapers and Crawlers

There've been quite a few #fedisearch issues recently, but the common thread is that there's usually a gap in reporting - they're often live for weeks before people are made aware.

It's not just people's pet projects either, there are other #scrapers active, quietly consuming posts

So, I built a bot to detect and out them so that fedi admins can block as necessary

https://www.bentasker.co.uk/posts/blog/security/autodetecting-and-outing-mastodon-scrapers-with-scrapersnitchbot.html

#infosec #security

I've asked it in a poll in 8/2021 at Mastodon.technology, now it's time for a refresher: To improve #security I finally consider to really drop support for #TLS 1.0/1.1 (see https://blog.qualys.com/product-tech/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols and e.g. https://www.ssllabs.com/ssltest/analyze.html?d=apt.izzysoft.de). This basically would affect devices running Android < 4.4. As I do not want to lock anybody out, I'd like to see how many of you would this effect.

🇩🇪 Noch wer mit Android < 4.4 unterwegs und somit auf TLS 1.0/1.1 angewiesen (1. ja, 2. macht nix, 3. nein)?

So:

• I still use such a device and need compatibility (1%, 4 votes)
• I still use such a device but wouldn't mind (6%, 21 votes)
• I don't care (92%, 320 votes)

345 voters. Poll end: 2 months ago

Do you like security? Do you like privacy? Cryptography? Do you like working for a public benefit non-profit instead of an investor-beholden corporation?

Let's Encrypt is hiring for someone to join our SRE team and help run the largest Certificate Authority in the world! Come work with me and some of the most wonderful folks in tech, to make the web a better place.

https://www.abetterinternet.org/careers/le-sre-sw3/

#jobs #sre #webPKI #security #privacy #cryptography

What do you value the most in your devices?
Privacy, Security and/or Freedom?

At #CES2023, the biggest #tech event, we are asking people their thoughts about where they stand when it comes to #privacy, #security and #freedom when it comes to their #laptops, #phones, IoT devices

#ces

How to be more private online in 2023:

Step 1: Register a Tutanota email account. 💪

That’s it. Welcome to the encrypted side. 🔒

And Happy New Year! 🥳

#email #privacy #security

🔓 Like good neocolonizers, #humanitarian organizations & #nonprofits, like militaries, also collect vast amounts of #biometric & other private information about people with reckless disregard for basic #privacy and #security concepts.

✊🏽 We must hold them accountable for the risks and damages their actions cause: it's unacceptable to allow society to continue this way.

Thanks to #CCC for helping expose the dangerous truth.

#SurevillanceCapitalism #infosec

https://web.archive.org/web/20221227125216/https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html

I recently wrote a post detailing the recent #LastPass breach from a #password cracker's perspective, and for the most part it was well-received and widely boosted. However, a good number of people questioned why I recommend ditching LastPass and expressed concern with me recommending people jump ship simply because they suffered a breach. Even more are questioning why I recommend #Bitwarden and #1Password, what advantages they hold over LastPass, and why would I dare recommend yet another cloud-based password manager (because obviously the problem is the entire #cloud, not a particular company.)

So, here are my responses to all of these concerns!

Let me start by saying I used to support LastPass. I recommended it for years and defended it publicly in the media. If you search Google for "jeremi gosney" + "lastpass" you'll find hundreds of articles where I've defended and/or pimped LastPass (including in Consumer Reports magazine). I defended it even in the face of vulnerabilities and breaches, because it had superior UX and still seemed like the best option for the masses despite its glaring flaws. And it still has a somewhat special place in my heart, being the password manager that actually turned me on to password managers. It set the bar for what I required from a password manager, and for a while it was unrivaled.

But things change, and in recent years I found myself unable to defend LastPass. I can't recall if there was a particular straw that broke the camel's back, but I do know that I stopped recommending it in 2017 and fully migrated away from it in 2019. Below is an unordered list of the reasons why I lost all faith in LastPass:

- LastPass's claim of "zero knowledge" is a bald-faced lie. They have about as much knowledge as a password manager can possibly get away with. Every time you login to a site, an event is generated and sent to LastPass for the sole purpose of tracking what sites you are logging into. You can disable telemetry, except disabling it doesn't do anything - it still phones home to LastPass every time you authenticate somewhere. Moreover, nearly everything in your LastPass vault is unencrypted. I think most people envision their vault as a sort of encrypted database where the entire file is protected, but no -- with LastPass, your vault is a plaintext file and only a few select fields are encrypted. The only thing that would be worse is if...

- LastPass uses shit #encryption (or "encraption", as @sc00bz calls it). Padding oracle vulnerabilities, use of ECB mode (leaks information about password length and which passwords in the vault are similar/the same. recently switched to unauthenticated CBC, which isn't much better, plus old entries will still be encrypted with ECB mode), vault key uses AES256 but key is derived from only 128 bits of entropy, encryption key leaked through webui, silent KDF downgrade, KDF hash leaked in log files, they even roll their own version of AES - they essentially commit every "crypto 101" sin. All of these are trivial to identify (and fix!) by anyone with even basic familiarity with cryptography, and it's frankly appalling that an alleged security company whose product hinges on cryptography would have such glaring errors. The only thing that would be worse is if...

- LastPass has terrible secrets management. Your vault encryption key always resident in memory and never wiped, and not only that, but the entire vault is decrypted once and stored entirely in memory. If that wasn't enough, the vault recovery key and dOTP are stored on each device in plain text and can be read without root/admin access, rendering the master password rather useless. The only thing that would be worse is if...

- LastPass's browser extensions are garbage. Just pure, unadulterated garbage. Tavis Ormandy went on a hunting spree a few years back and found just about every possible bug -- including credential theft and RCE -- present in LastPass's browser extensions. They also render your browser's sandbox mostly ineffective. Again, for an alleged security company, the sheer amount of high and critical severity bugs was beyond unconscionable. All easy to identify, all easy to fix. Their presence can only be explained by apathy and negligence. The only thing that would be worse is if...

- LastPass's API is also garbage. Server-can-attack-client vulns (server can request encryption key from the client, server can instruct client to inject any javascript it wants on every web page, including code to steal plaintext credentials), JWT issues, HTTP verb confusion, account recovery links can be easily forged, the list goes on. Most of these are possibly low-risk, except in the event that LastPass loses control of its servers. The only thing that would be worse is if...

- LastPass has suffered 7 major #security breaches (malicious actors active on the internal network) in the last 10 years. I don't know what the threshold of "number of major breaches users should tolerate before they lose all faith in the service" is, but surely it's less than 7. So all those "this is only an issue if LastPass loses control of its servers" vulns are actually pretty damn plausible. The only thing that would be worse is if...

- LastPass has a history of ignoring security researchers and vuln reports, and does not participate in the infosec community nor the password cracking community. Vuln reports go unacknowledged and unresolved for months, if not years, if not ever. For a while, they even had an incorrect contact listed for their security team. Bugcrowd fields vulns for them now, and most if not all vuln reports are handled directly by Bugcrowd and not by LastPass. If you try to report a vulnerability to LastPass support, they will pretend they do not understand and will not escalate your ticket to the security team. Now, Tavis Ormandy has praised LastPass for their rapid response to vuln reports, but I have a feeling this is simply because it's Tavis / Project Zero reporting them as this is not the experience that most researchers have had.

You see, I'm not simply recommending that users bail on LastPass because of this latest breach. I'm recommending you run as far way as possible from LastPass due to its long history of incompetence, apathy, and negligence. It's abundantly clear that they do not care about their own security, and much less about your security.

So, why do I recommend Bitwarden and 1Password? It's quite simple:

- I personally know the people who architect 1Password and I can attest that not only are they extremely competent and very talented, but they also actively engage with the password cracking community and have a deep, *deep* desire to do everything in the most correct manner possible. Do they still get some things wrong? Sure. But they strive for continuous improvement and sincerely care about security. Also, their secret key feature ensures that if anyone does obtain a copy of your vault, they simply cannot access it with the master password alone, making it uncrackable.

- Bitwarden is 100% open source. I have not done a thorough code review, but I have taken a fairly long glance at the code and I am mostly pleased with what I've seen. I'm less thrilled about it being written in a garbage collected language and there are some tradeoffs that are made there, but overall Bitwarden is a solid product. I also prefer Bitwarden's UX. I've also considered crowdfunding a formal audit of Bitwarden, much in the way the Open Crypto Audit Project raised the funds to properly audit TrueCrypt. The community would greatly benefit from this.

Is the cloud the problem? No. The vast majority of issues LastPass has had have nothing to do with the fact that it is a cloud-based solution. Further, consider the fact that the threat model for a cloud-based password management solution should *start* with the vault being compromised. In fact, if password management is done correctly, I should be able to host my vault anywhere, even openly downloadable (open S3 bucket, unauthenticated HTTPS, etc.) without concern. I wouldn't do that, of course, but the point is the vault should be just that -- a vault, not a lockbox.

I hope this clarifies things! As always, if you found this useful, please boost for reach and give me a follow for more password insights!

According to a study, programmers who use #AI tools like GitHub #Copilot produce less secure code than those who don't while making them believe their code has no safety issues.

https://www.theregister.com/2022/12/21/ai_assistants_bad_code/

#programming #automation #security

Wikimedia is looking for a Director of Security.

#infosec #wikipedia #security #hiring

https://boards.greenhouse.io/wikimedia/jobs/4611087

As lead maintainer of the official #FDroid client, I hear a lot of criticism that #targetSdkVersion is still at 25. fdroidclient is #FreeSoftware, publicly audited, with #ReproducibleBuilds, written in memory safe languages, with a proven record of respecting #privacy and delivering #security. The source and binaries also receive human and machine review. #targetSdkVersion is designed around untrusted proprietary software with non-memory safe code where the binary only gets machine review. 1/2

2023 is going to be an exciting year for @Tutanota! They will be bringing subfolders and conversation view to the encrypted email service and client. Both these features are at the top of my wish list!

#encryption #email #security #privacy #tutanota

Looks like there’s a new phish in town. Keep an eye out, folks

#phishing #github #security

New episode is out!

@dsearls and @katherined talk to @kyle about hardware supply chains, building the only USA-made mobile phone, trust, open standards, and much more. Full episode here: https://www.reality2cast.com/133

https://youtube.com/shorts/bCR-S0nWRZE

#opensource #security #trust #openstandards #vendorLockin #podcast #NewEpisode

"Virenschutz: Rechteausweitung durch Schwachstelle in AVG und Avast"

[1]Nein? Doch! Ohh! 😉

Schmeißt dieses unnütze Schlangenöl endlich von euren Rechnern. Einzig den Microsoft Defender würde ich noch (mit leichten Schmerzen) eingeschaltet lassen. Mehr Infos unter [2].

#antivirus #security #snakeoil

[1] https://www.heise.de/news/Virenschutz-Rechteausweitung-durch-Schwachstelle-in-AVG-und-Avast-7367529.html
[2] https://www.kuketz-blog.de/antiviren-scanner-mehr-risiko-als-schutz-snakeoil-teil1/

Arch Archinstall a Manual Instalace pro LUKS a BTRFS.
https://youtube.com/@geek-room - nový playlist Geek Room CZ
https://youtu.be/3tF8Be0E3xc - Archinstall Skript pro LUKS a BTRFS Arch Linux Instalaci.
https://youtu.be/YdqGsv3tmN4 - Arch Linux Manuální Instalace s LUKS (encrypt) a BTRFS souborovým systémem. (probíhá ještě zpracování vyšších HD rozlišení.)
https://github.com/raven2cz/geek-room
https://github.com/raven2cz/geek-room/blob/main/arch-install-archinstall-luks-btrfs/arch-install-archinstall-luks-btrfs.md
https://github.com/raven2cz/geek-room/blob/main/arch-install-luks-btrfs/arch-install-luks-btrfs.md #archlinux #linux #geek #security #arch #youtube #dotfiles #guide #czech

A Security & Privacy Focused Phone with a Secure Supply Chain🙌

Order your Librem 5 USA before Dec 5, 2022. We are shipping within 10 business days. Use code LIBREM5USA to get $100 off 🎉

https://puri.sm/products/librem-5-usa/

#security #privacy #phone #sale #promo

TSA Wants To Scan Your Face At The Airport. Here Are Your Rights.

#News #TSA #privacy #biometrics #security #HumanRights #SurveillanceCapitalism #HomelandSecurity #DHS #Airport
https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/

⚠️ WARNING: Do not use #Hive Social!

According to research conducted by @zerforschung, the #Twitter alternative Hive Social has got a number of dangerous #security vulnerabilies.

They allow attackers to completely access and even to partly edit anyone's data, including private posts, deleted direct messages, e-mail addresses and phone numbers signed up with etc.

Once again this demonstrates that you should not rely on closed-source software to guard sensitive data.

🔗 https://zerforschung.org/posts/hive-en

Let’s Encrypt issued over 3 billion certificates, securing 309M sites for free - Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, says the ope... https://www.bleepingcomputer.com/news/security/let-s-encrypt-issued-over-3-billion-certificates-securing-309m-sites-for-free/ #security

🎁 Score $100 off this holiday season on your order for Librem 5 USA. With the holiday season in full swing, this is a great gift for any one in your family concerned about secure supply chain or online privacy. Offer valid till 5 Dec 2022, so hurry!

Standard orders ship within 10 business days. 🚀

#librem5usa #librem #phone #purism #security #freedom #madeinUSA

https://puri.sm/posts/special-year-end-promotion-for-librem-5-usa?mtm_campaign=organic&mtm_source=promo&mtm_medium=librem-social&mtm_content=ls-year-end-promotion-l5usa

WhatsApp data breach sees nearly 500 million user records up for sale

If you use WhatsApp, your details could well be up for sale

#news #tech #technology @WhatsApp #security #privacy #databreach

https://www.techradar.com/news/whatsapp-data-breach-sees-nearly-500-million-user-records-up-for-sale

Google publishes the source code for their TalkBack screen reader. GrapheneOS maintains a fork of it and includes it in GrapheneOS with the help of a blind GrapheneOS user who works on their own more elaborate fork. Eventually, we'd like to include more or all of their changes.

TalkBack depends on a text-to-speech (TTS) implementation installed/configured/activated. It needs to have Direct Boot support to function before the first unlock of a profile. Google's TTS implementation supports this and can be used on GrapheneOS, but it's not open source.

We requested Direct Boot support from both prominent open source implementations:

RHVoice: https://github.com/RHVoice/RHVoice/issues/271
eSpeak NG: https://github.com/espeak-ng/espeak-ng/issues/917

eSpeak NG recently added it but it's not yet included in a stable release and their licensing (GPLv3) is too restrictive for us.

RHVoice itself has acceptable licensing for inclusion in GrapheneOS (LGPL v2.1), but has dependencies with restrictive licensing. Both these software projects also have non-free licensing issues for the voices. Neither provides close to a working out-of-the-box experience either.

Google's Speech Services app providing text-to-speech and speech-to-text works perfectly. Their proprietary accessibility services app with extended TalkBack and other services also works fine. However, many of our users don't want to use them and we need something we can bundle.

There aren't currently any usable open source speech-to-text apps. There are experimental open source speech-to-text implementations but they lack Android integration.

We also really need to make a brand new setup wizard with both accessibility and enterprise deployment support.

GrapheneOS still has too little funding and too few developers to take on these projects. These would be standalone projects able to be developed largely independently. There are similar standalone projects which we need to have developed in order to replace some existing apps.

AOSP provides a set of barebones sample apps with outdated user interfaces / features. These are intended to be replaced by OEMs, but we lack the resources of a typical OEM. We replaced AOSP Camera with our own app, but we still need to do the same with Gallery and other apps.

Google has started the process of updating the open source TalkBack, which only happens rarely. We've identified a major issue: a major component has no source code published.

https://github.com/google/talkback/pull/28

Google has been very hostile towards feedback / contributions for TalkBack...

This is one example of something seemingly on the right track significantly regressing. Another example is the takeover of the Seedvault project initially developed for GrapheneOS. It has deviated substantially from the original plans and lacks usability, robustness and security.

In the case of Seedvault, GrapheneOS designed the concept for it and one of our community members created it. It was taken over by a group highly hostile towards us and run into the ground. It doesn't have the intended design/features and lacks usability, security and robustness.

All of these are important standalone app projects for making GrapheneOS highly usable and accessible. What we need is not being developed by others and therefore we need to the resources including funding and developers to make our own implementations meeting our requirements.

#grapheneos #privacy #security #android #mobile #accessibility #texttospeech #speechtotext #talkback #blind #backup

NordVPN Black Friday deal: Up to 63% off a 27-month VPN subscription

https://www.bleepingcomputer.com/news/security/nordvpn-black-friday-deal-up-to-63-percent-off-a-27-month-vpn-subscription/

#Security

See our good friend and frequent guest, @kyle, discuss supply chain security in this CNBC piece on manufacturing consumer electronics in the USA. We're excited to see @purism in the news!

https://youtu.be/YdbA7Z8Ae4w

#security #supplyChain #infosec #manufacturing #electronics #hardware #phones #teamKyle