Skip to main content

Search

Items tagged with: security


It just clicked in my brain. What I haven't been able to articulate about why I'm so anxious about #Windows Recall. I'm sure others have already gotten to where I am.

It's worse than "a system that tracks everything you do" and stores that info in a basic database that could be easily compromised.
It's worse than a nanny surveillance tool for companies to spy on their employees.

It's inescapable.

It doesn't matter if I make a dozen "how to disable recall" tutorials. The second YOUR data shows up on someone ELSE'S screen, it's in THEIR recall database.

It won't matter if you're a master #security expert specialist. You can't account for EVERY other computer you've ever interacted with. If a family member looks up an old email with your personal data in it, your data is now at risk.

If THEIR system is compromised YOUR data is at risk.

I just went from "vague feeling of unease" to "actively writing templates to canvas elected officials, regulators, and attorneys general."


What's the last app you deleted and why? 📲👀

#app #appstore #privacy #security


Geoff Huston's offers interesting commentary on DNSSEC and the problem of securing the domain name system more generally:
potaroo.net/ispcol/2024-05/dns…
My own domains are DNSSEC-signed. The necessary Bind 9 configuration is simpler nowadays than it used to be, as much of the process has been automated - a welcome change.
#Internet #DNS #DNSSEC #security


This episode of the Security, Cryptography, Whatever podcast offers insight into the history of Transport Layer Security (TLS), and critical discussion of certificate transparency, DNSSec, and other protocols. Post-quantum cryptography is also considered.
securitycryptographywhatever.c…
#Security #CryptographicProtocols


Is it just me, or has Microsoft gone completely crazy? They are implementing spyware that takes screenshots every second and forcing AI integration. Why would anyone willingly purchase this? Anyone with experience in computer or information security knows that it is a bad idea, even if it is locally done. Just don't do it. Yet, here we are, and they are doubling down on this idea. arstechnica.com/gadgets/2024/0… #privacy #security


We love #DNS! ❤️

Tuta uses DMARC, DKIM & SPF to protect your domains from spoofing. Unlimited custom domain aliases & strong #security are a perfect match. 🔒

Not sure what these acronyms mean? No worries, we've got you covered.

👉 tuta.com/blog/dkim-custom-emai…


Summer is just around the corner! 🏖️

What steps are you taking this beach season to better protect your #privacy and improve your online #security? 🤿

Don't see your answer below? Let us know in the comments! 📣

  • Use encrypted email (15%, 17 votes)
  • Use a VPN or Tor (25%, 28 votes)
  • Enable 2FA wherever possible (37%, 41 votes)
  • Use a password manager (21%, 23 votes)
109 voters. Poll end: 3 weeks ago


#Android is getting an AI-powered #scam call detection feature

Will be powered by Gemini Nano, which #Google says can be run locally and offline to process "fraudulent language and other conversation patterns typically associated with scams" and push real-time alerts during calls where detected red flags are present.

It will be opt-in, but Gemini Nano is currently only supported on Google Pixel 8 Pro and Samsung S24 series devices.

#cybersecurity #security

theverge.com/2024/5/14/2415621…


Der Messenger #Telegram ist für eine sichere Kommunikation nicht geeignet - standardmäßig sind die Nachrichten nicht einmal Ende-zu-Ende verschlüsselt. Besser geeignet sind #Signal oder #Threema. Übrigens: Elon Musk ist das Paradebeispiel eines Trolls. Einfach ignorieren. 😉

Wer eine Entscheidungshilfe für einen Messenger sucht: messenger-matrix.de/messenger-…

#sicherheit #security #schwachstelle #e2ee #vulnerabilty #musk #durow


TPM2-measured boot with bus protection is pretty nice actually for Linux installations where secure boot is not enabled, like the default Arch Linux installation for instance.

For the sake of "defence in depth", I'd enable both if it is out-of-the-box feature but would not probably bother with secure boot if it requires extra work.

So, the takeaway from this is that it would make a lot of sense to make measured boot happen in arch-install installation as opt-in feature. No Microsoft key required.

Still so far the most informative overview for the shenanigans is microos.opensuse.org/blog/2023… but I'd also look for more recent references.

Policy hash calculation per kernel package update for LUKS2 is what needs to happen over time whenever a new kernel package is installed with hooks/scripts.

So the thing that was hyped to DRM the world into a locked down hellhole rendered out the Microsoft key hard binding instead 🤷

#tpm #linux #archlinux #opensuse #secureboot #security


Psst 👋 Email Preview for push notifications is coming soon!

Now you can know who is sending you an email before opening your mailbox! 🎉

Here's a sneak peek 🤫
#teaser #ios #android #sneakpeek #privacy #security #linux #macos #windows


Those changes are currently only applied to the master branch and didn't yet go to any release or distribution packages. They were supposed to fix a #security issue, but not to break some binary repos, which is what the applied patches might do. Find the originally proposed and recommended patches at github.com/obfusk/fdroid-fakes… – and also see e.g. tech.lgbt/@obfusk/112306314357… for some additional background.


I just posted an update to my "PoC for fdroidserver AllowedAPKSigningKeys certificate pinning bypass" post to oss-security:

openwall.com/lists/oss-securit…

Original post:

openwall.com/lists/oss-securit…

GitHub repo with patches, PoCs, and a script to scan for potentially affected APKs:

github.com/obfusk/fdroid-fakes…



Who controls the tech stack❓

When choosing a secure solution for your data, this one of the most important questions❗

Here's why: ➡️ tuta.com/blog/what-is-a-tech-s…

#security #technology #opensource #foss


Important security update for GLib and D-Bus, thanks to @pwithnall

discourse.gnome.org/t/security…

If you are a downstream distributor of GLib, GTK, or GNOME-related projects, remember to follow the distributor tag on Discourse.

#glib #security


If you are the tech-savvy person within your family or friends group :blobcatcool: :

Never ever shame someone for coming to you for advice after being the victim of a scam, malware, or for using an unsecure product.

If you do this,
they might never come back to you later. They might just feel so ashamed they will just stay alone with their tech problems.

Instead, always tell them:

1. It was a good idea to come to you with this. Be empathetic with them 💚

2. Give them advice on how to minimize the damage now. Actionable advice 🚑

3. Help them harden their security for now and for the future. Recommend better products to them. But be careful not to overwhelm them with advice. One step at the time 🔒

4. Talk to them with respect and empathy. Tell them how the people who abused their trust are horrible and anyone can fall for the right scam. Remind them there are things to do to reduce the risks of being victimized again in the future, and help them slowly implementing these 💪

5. Be thankful they trusted you with this. It means they think highly of you 🥰

#Security #Privacy


This #Debian wiki page was what I found that helped me get fingerprint authentication set up on my laptop.

So I contributed something back. I added the "Caveats" section at the bottom. Hopefully this helps somebody else, 🙂

wiki.debian.org/SecurityManage…

#Linux #Security


#Followerpower: Verlinkt doch bitte mal eure liebsten RaspberryPi-Projekte. Am besten mit kurzer Beschreibung und was ihr so toll daran findet.

#raspberrypi #projekte #datenschutz #privacy #sicherheit #security


Veilig communiceren met én binnen de overheid. Hoe werkt dat? Dit kan alleen wanneer er volledige zekerheid is over de afzender, de inhoud en de vertrouwelijkheid van het bericht. PKIoverheid zorgt daarvoor. Check de video! 👇

#DigitaleOverheid #DigitaleInclusie #Toegankelijkheid #Security


New bookmark: ActivityPub on a (mostly) static website.

There have been other attempts to document the process of bringing ActivityPub to a (mostly) static site, but this is my favorite so far. I wonder if I should give it a go, if POSSE ever stops serving my needs.


Originally posted on seirdy.one: See Original (POSSE). #IndieWeb #Security #Web


Accrescent 0.20.0 is out with support for respecting other app stores, UI improvements, bug fixes and more!

Download Accrescent or view the changelog below for details.
github.com/accrescent/accresce…

#accrescent #android #security #privacy #appstore


Should you have noticed a short "absence" of the #IzzyOnDroid primary web server, that was probably the reboot…

A CVE was published to oss-sec 5 days ago and got its fixes available today (security-tracker.debian.org/tr…), so it was applied immediately as the vuln would have affected some components here.

My thanks here once more goes to @obfusk for bringing it to my attention – and to my service provider who swiftly applied the updates within just minutes 🤩

#security


I hope the UN can make it work but the federated decentralised approach makes sense. The United Nations ditches Big Tech in a bid for security | TechRadar
techradar.com/pro/the-united-n…
#security #encryption #element #matrix #UN #IT #decentralized #federated


Politische Überwachungsphantasien, die mit dem Vorwand gerechtfertigt werden, "schlimmste Verbrechen wie den sexuellen Missbrauch von Kindern zu bekämpfen", sind unerträglich.

Wer wirklich etwas für Kinder tun will, engagiert sich im Kampf gegen den Klimawandel, für sichere Schul- und Radwege, für Bildung, gewaltfreie Familien, Chancengleichheit und freie Entfaltungsmöglichkeiten.

Stop this bullshit! 🫵

#e2ee #security #encryption #kinder #kind #klimawandel #bildung #chancen


WTF? Is #Tenacity on the #Flatpak store #MALWARE? Apparently it was running in the bg AS IF it was an invincible #Gnome extension so SystemMonitor/htop would NOT see it as a process. But #MissionCenter (also from flatpak store) saw it as it is: an app running on startup! Killing it killed Gnome session! It was also spiking wifi, and was leaking the Gnome gjs service from 4MB RAM to 120MB. Uninstalling fixed the prob

Third party flatpak/snaps should be vetted.

#security #opensource #linux #foss


Another #security patch has been applied at the #IzzyOnDroid #IzzySoftRepo to protect against what is described at openwall.com/lists/oss-securit…

Though a full scan of the repo hasn't brought up a single affected APK, that doesn't mean any such cannot show up later – so better safe than sorry, right?


If you use brew’s curl on macOS, are you really using it? I installed and had curl setup a couple of years ago. Today it appears that curl was now pointing to Apple’s version, which has this issue (daniel.haxx.se/blog/2024/03/08…). Looks like brew doesn’t add a symlink for curl to /opt/homebrew/bin. Running `ln -s /opt/homebrew/opt/curl/bin/curl /opt/homebrew/bin` resolved the issue.

#macos #curl #security


T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.

It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨

#security #cybersecurity #simswap

tmo.report/2024/04/t-mobile-em…


#curl sometimes fails to access some servers. In most situations the problem is not in curl itself but on the server side. Example:

1. Fails: curl radissonhotels.com

2. Works: curl -A 'Mozilla/5.0 xx Chrome/119' radissonhotels.com

3. Fails: curl -A 'Mozilla/5.0 xx Chrome/118' radissonhotels.com

4. Fails, too: curl -A 'Mozilla/5.0 xx Chrome/1189' radissonhotels.com

Perhaps they perform #filtering to obtain improved #security? It's hard to tell, but any serious attacker surely knows how to spoof the user agent string and bypass such simple #regex


Security Bits by @bart — 14 April 2024 podfeet.com/blog/2024/04/sb-20…

#Security


Time for another release... Accrescent 0.19.0 is out! While not much has changed on the surface, Accrescent now uses our new server infrastructure which brings faster downloads to everyone!

Read the release notes or download below 👇

github.com/accrescent/accresce…

#accrescent #security #privacy #appstore #android


Let's use @protonprivacy and @Tutanota products.
Encryption is the single best hope against surveillance.

wired.com/story/house-section-…

#security #cybersecurity #infosec #nationalsecurity #nsa #fbi #section702 #privacy #government #surveillance #e2ee #tech #proton #protonmail #tuta #tutanota #bigtech #degoogle


Hey! Let's talk about #SSH and #security!

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab s clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke . The full paper is at flux.utah.edu/paper/singh-nsdi…

Let's dive in. 🧵


2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give much details. After it was tested now at the IoD test & staging area, and running smoothly for two days for the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make POC & patch public. You can find the full details at github.com/obfusk/fdroid-fakes… & openwall.com/lists/oss-securit… now. @fdroidorg @eighthave be welcome using it!

1/2


FreeBSD Foundation and Digital Security by Design (DSbD)

<globenewswire.com/news-release…>

❝… CHERI and CheriBSD, developed to revolutionize hardware-based protection against memory safety vulnerabilities, were developed by a collaboration from researchers from the University of Cambridge, alongside corporate partners such as Google, Microsoft, Arm, and SRI International, and with support from the UK government. …❞

#FreeBSD #ARM #security


I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.

So I wrote "The xz issue isn't about Open Source" here: changelog.complete.org/archive…


This security-related article was cited on Slashdot, and it's somewhat disturbing.
theregister.com/2024/03/28/ai_…
#security #AI #MachineLearning


boehs.org/node/everything-i-kn…

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux


Unfolding now: news.ycombinator.com/item?id=3…

- openwall.com/lists/oss-securit…
- github.com/tukaani-project/xz/…

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- github.com/tukaani-project/xz/…
- bugs.debian.org/cgi-bin/bugrep…
- github.com/jamespfennell/xz/pu…

The timeline on this is going to take so long to unravel

#security #linux


🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.

Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)

Security Advisory: redhat.com/en/blog/urgent-secu…

#Fedora #Linux #OpenSource #Security #Privacy