Items tagged with: security


New bookmark: ActivityPub on a (mostly) static website.

There have been other attempts to document the process of bringing ActivityPub to a (mostly) static site, but this is my favorite so far. I wonder if I should give it a go, if POSSE ever stops serving my needs.


Originally posted on seirdy.one: See Original (POSSE). #IndieWeb #Security #Web


Accrescent 0.20.0 is out with support for respecting other app stores, UI improvements, bug fixes and more!

Download Accrescent or view the changelog below for details.
https://github.com/accrescent/accrescent/releases/tag/0.20.0

#accrescent #android #security #privacy #appstore


Should you have noticed a short "absence" of the #IzzyOnDroid primary web server, that was probably the reboot…

A CVE was published to oss-sec 5 days ago and got its fixes available today (https://security-tracker.debian.org/tracker/CVE-2024-2961), so it was applied immediately as the vuln would have affected some components here.

My thanks here once more goes to @obfusk for bringing it to my attention – and to my service provider who swiftly applied the updates within just minutes 🤩

#security


I hope the UN can make it work but the federated decentralised approach makes sense. The United Nations ditches Big Tech in a bid for security | TechRadar
https://www.techradar.com/pro/the-united-nations-ditches-big-tech-in-a-bid-for-security
#security #encryption #element #matrix #UN #IT #decentralized #federated


Political surveillance fantasies that are justified with the pretext of "fighting the worst crimes such as the sexual abuse of children" are unbearable.

Anyone who really wants to do something for children gets involved in the fight against climate change, for safe routes to school and cycle paths, for education, non-violent families, equal opportunities and the freedom to develop.

Stop this bullshit! 🫵

#e2ee #security #encryption #kinder #kind #klimawandel #bildung #chancen


WTF? Is #Tenacity on the #Flatpak store #MALWARE? Apparently it was running in the background AS IF it was an invincible #Gnome extension, so SystemMonitor/htop would NOT see it as a process. But #MissionCenter (also from the flatpak store) saw it as it is: an app running on startup! Killing it killed the Gnome session! It was also spiking wifi, and was leaking the Gnome gjs service from 4MB RAM to 120MB. Uninstalling fixed the problem.

Third party flatpak/snaps should be vetted.

#security #opensource #linux #foss


Another #security patch has been applied at the #IzzyOnDroid #IzzySoftRepo to protect against what is described at https://www.openwall.com/lists/oss-security/2024/04/20/3

Though a full scan of the repo hasn't brought up a single affected APK, that doesn't mean any such cannot show up later – so better safe than sorry, right?


If you use brew’s curl on macOS, are you really using it? I installed and set up curl a couple of years ago. Today it appears that curl was now pointing to Apple’s version, which has this issue (https://daniel.haxx.se/blog/2024/03/08/the-apple-curl-security-incident-12604/). Looks like brew doesn’t add a symlink for curl to /opt/homebrew/bin. Running `ln -s /opt/homebrew/opt/curl/bin/curl /opt/homebrew/bin` resolved the issue.

#macos #curl #security


T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

I still stand by this: if #sms #mfa wasn’t still massively used (especially by the financial sector), sim swaps would be less attractive to sim swappers.

It’s also crazy so much trust is placed in telecoms guarding your phone number and MFA factor for your bank. 🫨

#security #cybersecurity #simswap

https://tmo.report/2024/04/t-mobile-employees-across-the-country-receive-cash-offers-to-illegally-swap-sims/


#curl sometimes fails to access some servers. In most situations the problem is not in curl itself but on the server side. Example:

1. Fails: curl https://www.radissonhotels.com

2. Works: curl -A 'Mozilla/5.0 xx Chrome/119' https://www.radissonhotels.com

3. Fails: curl -A 'Mozilla/5.0 xx Chrome/118' https://www.radissonhotels.com

4. Fails, too: curl -A 'Mozilla/5.0 xx Chrome/1189' https://www.radissonhotels.com

Perhaps they perform #filtering to obtain improved #security? It's hard to tell, but any serious attacker surely knows how to spoof the user agent string and bypass such simple #regex


Security Bits by @bart — 14 April 2024 https://www.podfeet.com/blog/2024/04/sb-2024-04-14/

#Security


Time for another release... Accrescent 0.19.0 is out! While not much has changed on the surface, Accrescent now uses our new server infrastructure which brings faster downloads to everyone!

Read the release notes or download below 👇

https://github.com/accrescent/accrescent/releases/tag/0.19.0

#accrescent #security #privacy #appstore #android


Let's use @protonprivacy and @Tutanota products.
Encryption is the single best hope against surveillance.

https://www.wired.com/story/house-section-702-vote/

#security #cybersecurity #infosec #nationalsecurity #nsa #fbi #section702 #privacy #government #surveillance #e2ee #tech #proton #protonmail #tuta #tutanota #bigtech #degoogle


Hey! Let's talk about #SSH and #security!

If you've ever looked at SSH server logs you know what I'm about to say: Any SSH server connected to the public Internet is getting bombarded by constant attempts to log in. Not just a few of them. A *lot* of them. Sometimes even dozens per second. And this problem is not going away; it is, in fact, getting worse. And attackers' behavior is changing.

The graph attached to this post shows the number of attempted SSH logins per day to one of @cloudlab's clusters over a four-year period. It peaks at about 3.4 million login attempts per day.

This is part of a study we did on our production system, using logs of more than 640 million login attempts, covering more than 1,500 hosts on our side and observing more than 840 thousand incoming IP addresses.

A paper presenting our analysis and a new, highly effective means to block SSH brute force attacks ("Where The Wild Things Are: Brute-Force SSH Attacks In The Wild And How To Stop Them") will be presented next week at #NSDI24 by @sachindhke. The full paper is at https://www.flux.utah.edu/paper/singh-nsdi24

Let's dive in. 🧵


2 days ago I reported about a #security patch having been applied to the IzzyOnDroid F-Droid repo aka #IzzySoftRepo – but I didn't give many details. After it was tested now at the IoD test & staging area, and running smoothly for two days on the public one, I reported back to its author @obfusk that all seems smooth, and she decided to make the POC & patch public. You can find the full details at https://github.com/obfusk/fdroid-fakesigner-poc & https://www.openwall.com/lists/oss-security/2024/04/08/8 now. @fdroidorg @eighthave you're welcome to use it!

1/2


FreeBSD Foundation and Digital Security by Design (DSbD)

<https://www.globenewswire.com/news-release/2024/04/03/2856691/0/en/FreeBSD-Foundation-and-Digital-Security-by-Design-DSbD-Announce-Beacon-Award-Winners-for-Innovations-and-Improvements-to-CheriBSD.html>

❝… CHERI and CheriBSD, developed to revolutionize hardware-based protection against memory safety vulnerabilities, were developed by a collaboration from researchers from the University of Cambridge, alongside corporate partners such as Google, Microsoft, Arm, and SRI International, and with support from the UK government. …❞

#FreeBSD #ARM #security


I am getting tired of reading about the #xz #security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.

So I wrote "The xz issue isn't about Open Source" here: https://changelog.complete.org/archives/10642-the-xz-issue-isnt-about-open-source


This security-related article was cited on Slashdot, and it's somewhat disturbing.
https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/
#security #AI #MachineLearning


https://boehs.org/node/everything-i-know-about-the-xz-backdoor

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux


Unfolding now: https://news.ycombinator.com/item?id=39865810

- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0

An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:

- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2

The timeline on this is going to take so long to unravel.

#security #linux


🚨 ⚠️ Emergency PSA: A critical security exploit was discovered in the xz package recently, used for compression and decompression on nearly all Linux distributions.

Rawhide users ARE impacted and should immediately STOP using Rawhide until the package update is fully rolled back. (1/3)

Security Advisory: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

#Fedora #Linux #OpenSource #Security #Privacy


New bookmark: Firefox bug 1886557: Make JIT Spraying implausible.

This could be the biggest leap forward in years when it comes to SpiderMonkey catching up to V8 and JSC’s JIT hardening. So far, I’ve been telling security-conscious Firefox users to disable the JIT compiler, and to use Chromium when JIT is necessary; maybe I won’t have to in a few years’ time.


Originally posted on seirdy.one: See Original (POSSE). #browsers #firefox #security


🇩🇪 I already mentioned that additional APK checks were implemented for the #IzzySoftRepo in January. Now I have finally managed to finish the accompanying blog article as well.

Perhaps you are interested in taking a look at the details and background? You can find the article "Zusätzliche APK-Checks im IzzyOnDroid Repo" here:

https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=de

#security #Android #apps


🇺🇸 I've told you about additional APK checks having been implemented at the #IzzySoftRepo in January. Now finally I found the time to complete the article explaining the details, so you might wish to take a look at "Ramping up security: additional APK checks are in place with the IzzyOnDroid repo":

https://android.izzysoft.de/articles/named/iod-scan-apkchecks?lang=en

Edit: Tags:

#security #Android #apps


With all the fast-paced advances in technology, what is your main source of new information on #privacy, #encryption and #security? 🤔

  • YouTube Videos (17%, 66 votes)
  • Articles/Blog Posts (75%, 284 votes)
  • Forum Discussions (7%, 28 votes)
378 voters. Poll end: 1 month ago


Content warning: 🔥 Habr.ru deleting articles about circumventing blocks 🔥


NetHSM – A hardware security module with open hardware and open source code: «Unlike proprietary HSM products, NetHSM is the first HSM available as open source, which enables independent security audits, easy customization and avoids vendor lock-in. Only open source allows to verify the absence of back doors.»
https://www.nitrokey.com/products/nethsm
#HSM #OpenSource #OpenHardware #Security


At long last, a blog update... on updates? Check out this article on Accrescent's progress toward delta updates with conceptual explanations, benchmarks, and lots of pretty graphs!

https://lberrymage.dev/posts/ina-part-1/

#android #accrescent #security


Accrescent 0.18.0 released! This is a minor one with removed privileged installer support and maintenance updates. Changelog below.

https://github.com/accrescent/accrescent/releases/tag/0.18.0

#accrescent #privacy #security #android #appstore


It's 2024 and #Google is now requiring bulk #email senders to use DMARC, SPF, & DKIM when emailing #Gmail users. 👍

👉 https://tuta.com/blog/google-introducing-new-security-requirements

This is a great step, BUT why did they allow bulk senders to send #spam emails without proper #security standards until now? 🤔


Privacy can be powerful. The Librem 14 is the first ultra-portable laptop for the security-conscious, designed chip-by-chip, line-by-line, to respect your rights to privacy, security, and freedom.

Order yours now! https://puri.sm/products/librem-14/… #security #privacy #laptops


Today we are proud to announce the launch of the world's first #postquantum secure email platform! 🥳🎉

With TutaCrypt your data is safe against quantum computer attacks at rest & in transit. ⚛️ 🔒

Learn more about this quantum leap in #security here: https://tuta.com/blog/post-quantum-cryptography


LLVM CFI and Cross-Language LLVM CFI Support for Rust, https://bughunters.google.com/blog/4805571163848704/llvm-cfi-and-cross-language-llvm-cfi-support-for-rust.

> add LLVM CFI and cross-language LLVM CFI (and LLVM KCFI and cross-language LLVM KCFI) to the Rust compiler as part of our work in the Rust Exploit Mitigations Project Group. This is the first cross-language, fine-grained, forward-edge control flow protection implementation for mixed-language binaries that we know of.

Really interesting project.

#RustLang #llvm #security #safety #ffi


Of course sandboxes improve #security. It is important to remember that sandboxes by definition are sets of restrictions. If a sandbox only restricts things you don't use, you win. Sandbox restrictions often break features that users want. Since I'm focused on #UserFreedom and #FreeSoftware, I want community control over which restrictions are in place. #Android does not provide that unless you have the skills to hack and make your own ROM, and even then it's hard. #Debian does provide that.


Sometimes finding perfect #search results can be a pain and Google buying dominance doesn't help. 🔎
👉 https://tuta.com/blog/google-search-monopoly

Not all search engines offer the same performance, #security, and #privacy! 🤔

Which search engine is your favorite? Let us know in the comments!

  • DuckDuckGo (64%, 265 votes)
  • Ecosia (7%, 30 votes)
  • StartPage (21%, 90 votes)
  • Qwant (6%, 27 votes)
412 voters. Poll end: 1 month ago


Just a bit of a ramble on #android and #apple and #privacy and #security inspired by a recent post by @beardedtechguy.

It's a bit of a ranty post, but not trying to be mean :blobfoxheart:

This is day 19 of #100DaysToOffload

https://joelchrono.xyz/blog/apple-android-security-and-features/