cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Remember, Trump defunded the police who work on investigating foreign hacking.
Putin and his KGB turds know everything about #Epstein and trump. It’s the only explanation for trump‘s public acquiescence and self-humiliation. Something he would never tolerate from anyone else in the world except his puppet master putin. The kompromat must be huge. Monumentally huge. It must be revealed.
This dumb password rule is from Taiwan Pingtung University.
Password must:
- Be between 8 ~ 15 characters long.
- Exceeding 15 will result in an account lockout instead of erroring on submit. Otherwise, the max character length should be 20.
- Contains at least 1 number character
- Contains at least 1 lowercase character
- Contains at least 1 uppercase ...
https://dumbpasswordrules.com/sites/taiwan-pingtung-university/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
“The Read the Docs project reported that blocking AI crawlers immediately decreased their traffic by 75 percent, going from 800GB per day to 200GB per day. This change saved the project approximately $1,500 per month in bandwidth costs”
https://arstechnica.com/ai/2025/03/devs-say-ai-crawlers-dominate-traffic-forcing-blocks-on-entire-countries/
This dumb password rule is from KPMG Talent Community.
While stating otherwise, the site actually *accepts a backslash* in the password and displays a forward slash as the example of the disallowed backslash.
Password:
- Must be at least 8 characters long
- Must contain at least 1 number
- Must contain at least 1 letter
- Must contain at least 1 spec...
https://dumbpasswordrules.com/sites/kpmg-talent-community/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Wells Fargo Identity Theft Protection.
Your password on an Identity Theft Protection service is limited to between 8 and 20 characters. Your username is allowed to be longer than your password.
https://dumbpasswordrules.com/sites/wells-fargo-identity-theft-protection/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Great audit and PoC by @nullagent, detailing over-the-air exploits of #Meshtastic: https://meshmarauder.net/
Some thoughts
1/ Meshtastic has never had a strong security model (even since PKI)
2/ Always been irresponsible to promote MT for sensitive comms
3/ Primary use case for MT is as emergency comms fallback
4/ It could be as insecure as walkie talkies or HAM & people would still use it for (3).
5/ Let's hope MT devs adopt the excellent recommendations by the PoC author(s)
This dumb password rule is from Premera Blue Cross.
Password must contain 8-30 characters, including one letter and one number.
"Special characters allowed" seems to mean a very small handful of choices you can only find through trial and error `-_'.@`
https://dumbpasswordrules.com/sites/premera-blue-cross/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
As I am browsing through the settings in Firefox I see the odd setting of using its own DNS over HTTPS enabled. My settings should be copied over from the account I use and I know that I've **never** turned this setting on.
I'm now on the SBC Pi5 running MX Linux Pi respin.
My own DNS config is perfectly fine and I'm changing it back to my own local DNS.
Why is the Firefox team doing this? Is there any protective benefit from having this setting on? Are they snooping my data?
The help file is here
#InfoSec #AskFediverse #firefox #DNS #https #port443 #settings #OpenSource
This dumb password rule is from Scandinavian Airlines.
The password rules themselves are fine, but they don't state the maximum length of the password.
Their max length is 14 characters, so even if you enter a password of 42 chars, you can log in with the first 14 of it.
In this case, I changed my password to **Super_l0ng_password_that_fits_all_criteri...
https://dumbpasswordrules.com/sites/scandinavian-airlines/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Edit: See update 1 posted in the thread below
OP: Howdy y'all! New month, new ask for support for @catbailey. Y'all were a big help in sharing and donating last month, but there's still some carry-over in needs she wasn't able to address last month. The big asks remain the same (gas bill, storage unit) but in addition her family is about out of groceries, and will need to visit her doctor and pay out-of-pocket to get one of her medications refilled. Additionally there's a car payment and insurance to get sorted, and the other day-to-day costs of living.
I'm resetting the progress for the new month and upping the overall goal based on what we know went unmet last month, but don't be discouraged. Please, if you can afford even $5, every bit helps get us a step closer, and if even that's too much, we'd appreciate you sharing with your network on the Fediverse and/or Bluesky where she's @blackcatswhitehats.org
$348.26/3000 raised
Best to use Venmo/PayPal/CashApp, but GoFundMe is appreciated too and good for higher latency needs.
GoFundMe: https://www.gofundme.com/f/aid-for-cat-and-her-kids-in-crisis?lang=en_US
PayPal: https://paypal.me/catalystediting
Venmo: @BlackCatHackers
CashApp: $BlackCatOps
This dumb password rule is from Unicaja.
Username is your national Spanish ID (easy to find).
Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard
https://dumbpasswordrules.com/sites/unicaja/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
NEW: Federal judiciary says it is boosting security after cyberattack; researcher finds new leaks
More of those frustrating leaks where, despite our best efforts, we have been unable to get the network shares locked down so far, even with the host's assistance.
This one involves two courts: one state and one federal, and yes, we saw some files that were supposed to be sealed or confidential.
This dumb password rule is from LINE.
Password must:
- be between 8 to 20 characters
- not contain characters that repeat in a row
Password must contain three of the following:
- an upper-case letter
- a lower-case letter
- a number
- a symbol
https://dumbpasswordrules.com/sites/line/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from IHG.
4, yes 4, digits only.
https://dumbpasswordrules.com/sites/ihg/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Canadian Imperial Bank of Commerce.
Letters and numbers only, no symbols. Also an undocumented maximum of 12 characters!
https://dumbpasswordrules.com/sites/canadian-imperial-bank-of-commerce/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Any #infosec folks wanna help me with some decent data to backup the following point? I am trying to make the point to some executives that a #password policy requiring minimum 8 characters with 1 symbol, mixed case, and 1 number is just not reasonable in 2025. (I'm commenting on another company's policy, not my own!)
What is a good example of a policy (e.g., NIST 800-63 or whatever) that said 49 bits was no good?
I currently say: 49 bits of entropy was unacceptably low in 2005. It is unthinkably low in 2025. What can I point to that might resonate better than "bits of entropy?"
Using the classic method with Shannon's estimate, I figure it's on the order of 49 bits of entropy but that's only if it's purely random from the full character set, and we know that's not true.
I'm not looking for rhetorical suggestions. I'm good at rhetoric. I'm looking for references I can point to (like "XYZ published in 2011 that the minimum acceptable password was 56 bits of entropy")
feel free to boost for fun
#security #cybersecurity
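The "49 bits" in the post above is Shannon's estimate: log2 of the number of strings the policy accepts. As an added example (not the poster's own code, and not from any reference they asked for), the Python below counts that keyspace exactly by inclusion-exclusion over the required character classes and converts it to bits; it goes beyond the post by also computing the minimum length needed to reach a target entropy. The character-class sizes (26 upper, 26 lower, 10 digits, 32 symbols) are an assumption. With them, the 8-character, four-class policy comes out near 51 bits, close to the poster's 49, and only about one bit below an 8-character password with no composition rules at all, which is the defender's point: length, not composition, drives the number. The 4-digit case matches the IHG rule quoted elsewhere on this page.

```python
from itertools import combinations
from math import log2

# Assumed character-class sizes for printable ASCII (an assumption for this
# example): the 95 printable characters minus the space are 26 upper,
# 26 lower, 10 digits and 32 symbols.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}


def policy_keyspace(length, classes, required=()):
    """Count strings of exactly `length` drawn from the union of `classes`
    that contain at least one character from every class named in
    `required`, using inclusion-exclusion over the set of avoided classes."""
    required = tuple(required)
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for avoided in combinations(required, k):
            # Strings that never use any class in `avoided`; alternating
            # signs add back what consecutive subtractions over-counted.
            remaining = alphabet - sum(classes[name] for name in avoided)
            total += (-1) ** k * remaining ** length
    return total


def bits_of_entropy(length, classes, required=()):
    """Shannon-style estimate: log2 of the keyspace, i.e. the best case where
    the password is chosen uniformly among policy-compliant strings. Human
    choice is far less random, so this is an upper bound, not a measurement."""
    count = policy_keyspace(length, classes, required)
    # A length shorter than the number of required classes admits no string.
    return log2(count) if count > 0 else float("-inf")


def min_length_for_bits(target_bits, classes, required=()):
    """Smallest length at which a uniformly random policy-compliant password
    reaches `target_bits` of entropy."""
    length = max(1, len(tuple(required)))
    while bits_of_entropy(length, classes, required) < target_bits:
        length += 1
    return length


if __name__ == "__main__":
    # The policy discussed in the post: 8 characters, mixed case, digit, symbol.
    policy = ("upper", "lower", "digit", "symbol")
    print(f"8 chars, 4 classes required : {bits_of_entropy(8, CLASSES, policy):.1f} bits")
    print(f"8 chars, no composition rule: {bits_of_entropy(8, CLASSES):.1f} bits")
    print(f"4 digits only               : {bits_of_entropy(4, {'digit': 10}):.1f} bits")
    print(f"lowercase only, 80 bits needs {min_length_for_bits(80, {'lower': 26})} chars")
```

The count is over passwords of exactly the minimum length, because that is the tier a guessing attack enumerates first; summing over every allowed length raises the figure only marginally, so the minimum length is the honest number to put in front of a policy review.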
Just a reminder - @mjwalk and I talk malware in DNS later today!
If we get time, we might even read y’all in on a brand new mystery we’re trying to track down.
DEF CON 33: Attending Plain TXT, Malicious Context: Uncovering DNS Malware on Aug 8, 2025 at 15:10 in LVCC - L1 - Exhibit Hall West 1 - 303 (Malware Village)
#hackertracker
"All Chromium-based apps such as [...] Obsidian have a built-in DNS client."
https://saneef.com/blog/disable-built-in-dns-clients-in-chromium-based-apps/
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Hetzner.
- 8 or more characters
- At least one uppercase and one lowercase letter
- At least one number or special character
Okay, fair enough, but after putting in a password with some special characters this message appears:
- Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ?...
https://dumbpasswordrules.com/sites/hetzner/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Instead of building navigation with icons, Qualys thought it'd be a great idea to use boxes, each containing an acronym which can stand for any number of things.
If you are thinking that CSAM is for Child Sexual Abuse Material, that PM is for Project Management and PS is for Photoshop, well, you'd be wrong on all counts.
Can you guess why some buttons are different colors but the different colors are not all grouped together? Me neither.
This dumb password rule is from ADP.
Forced to change the password during the first login. At least they could use proper grammar in their rule list.
https://dumbpasswordrules.com/sites/adp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Blue Cross Blue Shield Massachusetts.
16 maximum and no special characters. Protecting your US healthcare information.
https://dumbpasswordrules.com/sites/blue-cross-blue-shield-massachusetts/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
can anyone recall any interesting vulnerabilities in Windows applications that were due to mishandling of character encoding (UTF-16 vs. UTF-8 vs. ASCII, or codepage stuff depending on system locale) in file paths and/or unexpected case sensitivity in file paths? ones with good write-ups strongly preferred.
looking specifically for Windows, specifically character encoding related bugs, and specifically bugs in apps rather than bugs in the OS's own file path handling (e.g. WorstFit)
I did something similar in 1993 with the local university. I, 13 years old, wanted to get on the nascent Internet, still mostly the domain of universities and governments.
I called them up and asked for the dialup number, which they gave me.
I dialed into the terminal server, which dropped me to a shell with the MOTD “now telnet to the VAX.”
But they didn’t limit where you could telnet to. So I just telnetted all over the net (talkers mostly) until I got caught.
This dumb password rule is from United States Postal Service.
Pick from an arbitrary list of symbols, and no repeating characters.
https://dumbpasswordrules.com/sites/united-states-postal-service/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Global Entry.
"Our duties are wide-ranging, and our goal is clear - keeping America safe."
https://dumbpasswordrules.com/sites/global-entry/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Promises, promises.
Exclusive: Brosix and Chatox promised to keep your chats secured. They didn’t.
A researcher found a misconfigured backup with -- yes, you guessed it -- everything in plaintext instead of encrypted.
Some entities that used the service are medical entities that were actually mentioning protected health information or attaching files with #PHI in the chat.
There were almost 5k Allstate employees using the service and sharing customer #PII in files.
And oh yeah, I found one company gossiping about me and plotting against me after I notified them they were leaking tons of #PHI. I've done them a favor by not publishing all their chat logs about me. :)
There also appeared to be some "dodgy" stuff on the backup, too.
Read the details about the exposed backup in my post at https://databreaches.net/2025/08/05/exclusive-brosix-and-chatox-promised-to-keep-your-chats-secured-they-didnt/
#infosec #encryption #databreach #incidentresponse #chatox #brosix #dataleak
This dumb password rule is from Synchrony Financial.
Financial services - where we don't allow you to create the strongest password possible.
https://dumbpasswordrules.com/sites/synchrony-financial/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This seems like a bit of a flaw:
spammyshit@gmail.com sends me an email with a calendar event in it.
gmail reads email for me, puts the email in the spam folder, then adds calendar event to my calendar.
I delete the calendar event.
The calendar sends an email to spammyshit@gmail.com from my email address saying I will not be attending.
This dumb password rule is from MobileIron MDM.
You can't make this up - no dictionary words, no more than 2 repeating characters, no alphabetic sequences, no whitespace, 3 character sets, maximum of 32 characters.
https://dumbpasswordrules.com/sites/mobileiron-mdm/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Nachbarschaft.NET.
"Mindestens 6 und maximal 12 Zeichen" - or in English: "At least 6 and max. 12 characters."
https://dumbpasswordrules.com/sites/nachbarschaft-net/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
***infosec specialists are needed in the resistance***
The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.
Libraries will pay good wages for these workshops.
If you have these skills, please consider offering them.
#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance
This dumb password rule is from MetLife.
Max length of 20 characters, no special characters allowed.
Pasting into the second password field is disabled even with the Chrome extension Don't Fuck With Paste.
https://dumbpasswordrules.com/sites/metlife/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from HM Revenue & Customs (UK Tax).
We store basically all of your data, but we can't store your password.
https://dumbpasswordrules.com/sites/hm-revenue-and-customs-uk-tax/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from La Banque Postale.
Password must be 6 digits and entered on custom pad.
https://dumbpasswordrules.com/sites/la-banque-postale/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from SAP Cloud Appliance Library.
Passwords between 8 and 9 characters are the best.
https://dumbpasswordrules.com/sites/sap-cloud-appliance-library/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Blackrock.
They force you to enter a password that has 8, 9, or 10 characters, then they lecture you on how to create a strong password.
https://dumbpasswordrules.com/sites/blackrock/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trade Me.
Won't allow spaces or single quotes. Maybe other characters as well - they do not say up front - but the password they accepted contained lots of other special characters.
https://dumbpasswordrules.com/sites/trade-me/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This article by Unit42 from Palo Alto is most excellent stuff: an attribution framework.
We really need this sort of foundational framework to enable systematic and repeatable attribution and to get "everyone" to do the same amount of work.
Perhaps this will also allow us to get away from every single attack being described as extremely advanced and sophisticated. (Entry vector: Default credentials).
This will go into my read deeper list.
https://unit42.paloaltonetworks.com/unit-42-attribution-framework/
do I know anyone who knows a bunch about Firebase auth?
I've got a target where I have full control over one of the domains in the "authorizedDomains" list reported by the identitytoolkit /v1/projects REST API.
the target supports a bunch of different authentication flows - Google, OIDC, password, some others.
what can I do with control over an "authorised domain"? the docs are frustratingly vague. I tried a bunch of stuff and nothing worked.
(no guess responses please)