cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Linus Torvalds says AI vuln research breaks the Linux security / development process.
#infosec #cybersecurity #linux #itstheendoftheworldandweknowit #andifeelfine
If you have not read the notes on security by Microsoft from last Tuesday, you should.
https://www.microsoft.com/en-us/msrc/blog/2026/05/a-note-on-patch-tuesday
Update your shit. Windows, Linux .... keep all the systems up to date.
NIST has given up on CVEs. They can't deal with it anymore.
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth
#NIST is from now on only reviewing "important" CVEs.
This means that they will only review CVE submissions if it affects the (US) government or it's really bad.
Around 90% of the submissions will not be reviewed anymore (for now).
This dumb password rule is from Alibaba.
- At least 2 uppercase letters
- Plus 2 lowercase letters
- Plus 2 numbers
- Plus 2 punctuation marks
Phew, too many rules, because why not, if [Ma thinks AI stands for Alibaba Intelligence](https://www.youtube.com/watch?v=f3lUEnMaiAU), then password rules can be equally intelligent too.
Also, ...
https://dumbpasswordrules.com/sites/alibaba/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
How does Fedora process patches for security vulnerabilities? The short answer is that we work to stay on top of the news to implement patches, working in the community and with Red Hat for updates.
The long answer: https://fedoramagazine.org/how-fedora-is-responding-to-recent-kernel-vulnerabilities/
At the end of the day, the best thing you can do is keep your system updated. :)
This dumb password rule is from WeatherBug.
Maximum 16 characters.
https://dumbpasswordrules.com/sites/weatherbug/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from BDO.
Please nominate a password which contains UPPERCASE, lowercase, numbers and symbols.
Password should not be the same as the user ID.
Avoid using consecutive characters such (ex. abc, DEF, 678) and invalid characters such as [!#$%^&';"].
https://dumbpasswordrules.com/sites/bdo/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
In the last weeks, we saw more and more security issues coming up. Let's talk!
Sorry, a pretty long blog post about this...
https://gyptazy.com/blog/coding-after-ai-are-humans-still-good-enough/
#ai #aicoding #coding #opensource #foss #security #infosec #vulns #developer #devops #engineer #ops #fedi #philosophy
I had found a very thorough server checker (e.g. TLS, DKIM, certificates, PFS, DMARC, you name it) here on the fedi at some point and thought I'd bookmarked it, but just can't find it anymore. Any recommendations from the sysadmin crowd?
This dumb password rule is from MyAnimeList.
Password must be between 6 - 50 characters long and contain at least two of the following: uppercase, lowercase, numbers and symbols.
https://dumbpasswordrules.com/sites/myanimelist/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Telekom/T-Systems MyWorkplace.
Telekom's MyWorkplace is a Single Sign On / login hub for their Open Telekom Cloud which is basically an Amazon AWS clone. It's rather new and especially for business customers. Especially because it is for business customers, there's absolutely no reason to limit a password to 16 characters. Eve...
https://dumbpasswordrules.com/sites/telekomt-systems-myworkplace/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
So a new, quite effective method I've found during pentests recently:
People are starting to connect their work email and calendars to personal AI agents, and are, inevitably, storing the code in publicly accessible repos.
There are two things I look for:
- Email creds, prevalent where people have given the AI dealy IMAP access to their messages.
- If I can't find email creds, the link to the private calendar (either Outlook or Google) ICS file.
If you grab that ICS file, you download effectively an entire copy of the calendar, which includes the body of the meeting invite - so, various links, attachments, keys/secrets/passwords etc.
I have done the email thing maybe once or twice.
The calendar thing, at least a dozen times in the last few months.
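A pre-push check a defender can run over their own repository to catch the two artefacts described above before they reach a public repo. This is an added example, not code from the original post; the URL and credential patterns are assumptions based on the common shapes of Google Calendar "private" ICS links, Outlook published-calendar links and IMAP/SMTP credential assignments, and the sample files are constructed here.

```sh
#!/bin/sh
# Added example (not from the original post). Flags private calendar ICS links
# and hard-coded IMAP/SMTP credentials in source files before they are pushed.
# Patterns are assumptions; tune them for your own environment.
LEAK_PATTERNS='calendar\.google\.com/calendar/ical/[^/[:space:]]+/private-[0-9a-f]+/basic\.ics
outlook\.(live|office|office365)\.com/owa/calendar/[^[:space:]]+\.ics
(imap|smtp)[a-z_]*(pass(word)?|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{4,}'

# scan_for_leaks FILE... -> prints file:line:text for each hit; returns 1 if any
# were found (so it can block a push), 0 if the files look clean.
# Values that are read from the environment or a keyring are not hard-coded
# secrets, so those lines are filtered out of the hits.
scan_for_leaks() {
  re=$(printf '%s' "$LEAK_PATTERNS" | paste -s -d '|' -)
  if grep -E -n -i -H "$re" "$@" | grep -v -E -i 'environ|getenv|keyring'; then
    return 1
  fi
  return 0
}

# make_sample_repo -> constructed sample files in a temp dir; prints its path.
make_sample_repo() {
  d=$(mktemp -d)
  cat > "$d/agent.py" <<'EOF'
import os
IMAP_PASSWORD = os.environ["IMAP_PASSWORD"]  # fine: pulled from the environment
CAL = "https://calendar.google.com/calendar/ical/someone%40example.com/private-0123456789abcdef/basic.ics"
EOF
  cat > "$d/config.yaml" <<'EOF'
smtp_secret: "hunter2-constructed-example"
EOF
  cat > "$d/clean.py" <<'EOF'
import os
CAL_URL = os.environ["CAL_URL"]
EOF
  printf '%s\n' "$d"
}

# Demo on the constructed repo; in a real hook run: scan_for_leaks $(git ls-files)
d=$(make_sample_repo)
if scan_for_leaks "$d"/*; then echo "clean"; else echo "leaks found, refusing to push"; fi
rm -r "$d"
```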
About that... We now have a fourth vulnerability: ssh-keysign-pwn. Despite the first three letters, this is a Linux kernel vuln. PoC already available.
This dumb password rule is from NetBank (Commonwealth Bank of Australia).
When resetting your NetBank password, the website only informs you that you can create an alphanumeric password, despite the fact that you can use special characters.
And also, its password strength calculation is shit.
A password with 155 bits of entropy is "weak."
Additionally, passwords are case-...
https://dumbpasswordrules.com/sites/netbank-commonwealth-bank-of-australia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Local file exposure #vulnerability in Linux kernels:
https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
Apparently this issue was already identified in 2020 but wasn't fixed back then.
Mitigation:
- Runtime: `sudo sysctl -w kernel.yama.ptrace_scope=2`
- To make the mitigation persistent: `echo "kernel.yama.ptrace_scope=2" | sudo tee /etc/sysctl.d/01-harden-ptrace.conf`
WARNING: This mitigation may break existing functionality. Test before deploying.
WARNING 2: While this mitigation does block the currently existing PoC, it may not prevent other attack vectors exploiting this vulnerability.
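An added check for the persistent step above, not code from the original post: it computes which value of kernel.yama.ptrace_scope actually wins across sysctl.d drop-ins, assuming the systemd-sysctl precedence rule (files sorted by file name, the lexicographically latest file that sets a key wins), so a later drop-in such as the constructed 99-debug.conf below can silently undo 01-harden-ptrace.conf.

```sh
#!/bin/sh
# Added example (not from the original post). Verifies that the persistent
# kernel.yama.ptrace_scope=2 setting is not overridden by another drop-in.
# Assumption: systemd-sysctl precedence (sorted by file name, latest wins).

# effective_sysctl KEY FILE... -> prints the value assigned by the last-sorted
# file that sets KEY (empty if no file sets it)
effective_sysctl() {
  key=$1; shift
  key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
  for f in "$@"; do printf '%s\t%s\n' "$(basename "$f")" "$f"; done \
    | sort | cut -f2 | while IFS= read -r f; do
        # strip comments, then print the value of "KEY = value" lines
        sed -n 's/[#;].*//; s/^[[:space:]]*'"$key_re"'[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"
      done | tail -n 1
}

# ptrace_hardened FILE... -> succeeds only if the effective scope is 2
ptrace_hardened() {
  [ "$(effective_sysctl kernel.yama.ptrace_scope "$@")" = "2" ]
}

# make_sample_dir -> constructed drop-ins in a temp dir; prints its path.
# 01-harden-ptrace.conf is the file from the post; 99-debug.conf is a
# hypothetical leftover that sorts later and therefore overrides it.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'kernel.yama.ptrace_scope=2\n' > "$d/01-harden-ptrace.conf"
  printf '# leftover from a debugging session\nkernel.yama.ptrace_scope = 0\n' > "$d/99-debug.conf"
  printf '%s\n' "$d"
}

# Demo on the constructed files. On a real host run:
#   ptrace_hardened /etc/sysctl.d/*.conf && cat /proc/sys/kernel/yama/ptrace_scope
d=$(make_sample_dir)
if ptrace_hardened "$d"/*.conf; then
  echo "hardened"
else
  echo "NOT hardened: effective value is '$(effective_sysctl kernel.yama.ptrace_scope "$d"/*.conf)'"
fi
rm -r "$d"
```

Compare the result with the live value in /proc/sys/kernel/yama/ptrace_scope as well, since a drop-in only takes effect after a reboot or `sysctl --system`.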
This dumb password rule is from Parnassus Investments.
A site responsible for protecting your investments limiting you to a four character range with a bunch of other stupid rules? Shocking.
https://dumbpasswordrules.com/sites/parnassus-investments/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This is something that's actually forbidden in our country
To compensate for that luxury, the main internet and POTS provider lets companies pay them to spam us with SMS!
This is also disallowed by law but no one seems to bother to file a class action suit against this company
Those spam SMS you can easily block though
This dumb password rule is from Munich Foerdermittel Portal.
You register on their funding portal and receive an email with an activation link to set a password.
The email further informs you about their password policy:
- At least 8, but no more than 20 characters
- At least one lowercase and uppercase letter
- At least two digits (1,2,3,4,5,6,7,8,9,0) or...
https://dumbpasswordrules.com/sites/munich-foerdermittel-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from LibraryThing.
"Your password cannot be longer than 20 characters"
https://dumbpasswordrules.com/sites/librarything/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Mini Pen Test Diaries Story:
The year was 2010, and I was onsite at a UK local authority doing an internal network assessment.
One of the tasks was - if given a standard, non-privileged, domain user account, with minimal access afforded to it - what could I do? Could I access sensitive documents? Could I login to systems I shouldn't be able to? Could I elevate myself? Standard stuff.
I got my account, and immediately started fishing around the main file share with the users' home directories on it. To my immense surprise, I found out that I was able to access the content of every single user's home directory. Including all the top level folks.
They must've accidentally given me some account in an IT group or something, so I check it out. Nope - groups look normal.
The permissions on the share look pretty normal too.
I play around with the account more and more and encounter zero resistance to anything, access wise.
Something must be very wrong - but what?
Finally I go over and speak to the IT people who I'd been working with.
"So," I said. "This account, it's supposed to have a very minimal permissions set right?"
"Yes, the lowest of the low," they reply.
"So how come I can get into all these files?" I ask, and show them my rummaging around the very senior people's confidential files.
"You shouldn't be able to do that!!"
Now, the three of us are rapidly trying to figure out what the heck is going on. It's surprisingly difficult to figure out.
Eventually, I make what to this day remains one of my all time favorite pen testing discoveries.
This organisation had somehow managed to add the entire "Domain Users" group to the "Domain Admins" group!
All 1,500 people who worked there had domain admin access. And after investigation, we found out it had been like that for 10 months.
Someone couldn't get something working, until they found this "fix".
Amazing.
For more, slightly less mini pen test diaries stories, check out https://infosecdiaries.com.
Ars Technica, from yesterday: Twin brothers wipe 96 government databases minutes after being fired https://arstechnica.com/tech-policy/2026/05/drop-database-what-not-to-do-after-losing-an-it-job/ @arstechnica #infosec #cybercrime
This dumb password rule is from Aetna Health Insurance.
- Password cannot be longer than 20 characters
- Password cannot have spaces or more than 2 characters repeated in a row
- Password cannot have user's first name, last name or username
https://dumbpasswordrules.com/sites/aetna-health-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
RE: https://cyberplace.social/@GossiTheDog/116565662607962457
This YellowKey Bitlocker Bypass Vulnerability is seriously crazy. As if someone found a government / law enforcement backdoor.... #infosec #cybersecurity
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
This dumb password rule is from Minnesota Unemployment Insurance.
Locked to *exactly* 6 chars, alphanumeric only, no special chars.
https://dumbpasswordrules.com/sites/minnesota-unemployment-insurance/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Many people also don't realize that everyone on the globe, who is in a country which is being controlled by Swift banking system, will also suffer.
What is happening over there!?
It's extremely disturbing that they want your Sierra Sierra November. That is a record you can always be uniquely identified with
This dumb password rule is from BBVA.
Username is your national ID (easy to find) and your password must have up to **6** alphanumeric characters only.
For a bank account with all your money in one of the largest financial institutions in the world.
https://dumbpasswordrules.com/sites/bbva/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Nothing wakes you up as fast as a good information security incident.
From bed reading infosec news to the computer pressing buttons in like 60 sec.
Now 3 hrs later I'll go and make a first coffee...
This dumb password rule is from Getin Bank.
The new password should contain at least 10 and a maximum of 20 characters. The password must contain at least one upper case letter, one lower case letter and one number. The password cannot contain non-ASCII Polish alphabet characters, special characters `&<'"` or spaces.
https://dumbpasswordrules.com/sites/getin-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from ADP.
Forced to change the password during the first login. At least they could use proper grammar in their rule list.
https://dumbpasswordrules.com/sites/adp/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Dnevnik.ru.
Silently (sic!) trims the password to 30 symbols.
That causes the stupid case where you could successfully register an account with a password of length 52 and then can't log in with that password.
https://dumbpasswordrules.com/sites/dnevnik-ru/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Everybody hates #robocalls. But, despite tech reporting being willing to give the #FCC leeway, this new measure is not to stop robocalls, it won’t do a damn thing to stop robocalls. What it does is make burner phones illegal.
Burners are an integral part of many social justice actions. Protestors use them to record #ICE and other #cops. We include them in “Go Bags” to let abused women and children escape. They allow for anonymity.
They are a thorn in the side of the panopticon, and they are moving to eliminate them.
Stock up kids.
https://mashable.com/article/fcc-proposes-to-battle-spam-calls-at-the-expense-of-privacy-protections
This dumb password rule is from Taleo.net.
Oracle Taleo is one of those old-school enterprise Applicant Tracking Systems (ATS) that half the corporate world still uses even though everyone hates it.
https://dumbpasswordrules.com/sites/taleo-net/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Express Energy.
Retail Electricity Provider (REP) participating in ERCOT.
Minimum 6, maximum 10. Stated requirement of numbers and letters, but special characters are accepted.
https://dumbpasswordrules.com/sites/express-energy/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Bank Millennium.
Passwords limited to 8 digits.
https://dumbpasswordrules.com/sites/bank-millennium/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from myezyaccess.com patient portal system.
12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.
https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Automated #security scanning.
What tools do you use to scan your environments for security issues? Why?
Not looking for virus scanners here, more for a bit more enterprisey environment?
Are there things I should have a look at?
What is your experience in general?
RT welcome for reach.
This dumb password rule is from Waze.
After you request a password reset and you receive an email with instructions and link to reset your password, you are presented with this password reset form. Your password length is limited between 8 and 16 characters. Additionally the form breaks with an error if you use any special characters...
https://dumbpasswordrules.com/sites/waze/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from LINE.
Password must:
- be between 8 and 20 characters
- not contain characters that repeat in a row
Password must contain three of the following:
- an upper-case letter
- a lower-case letter
- a number
- a symbol
https://dumbpasswordrules.com/sites/line/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
https://lwn.net/Articles/1071719/
#DirtyFrag is a broken embargo.
Local Privilege Escalation to root.
Public working exploit. No CVE assigned yet.
No fix in sight.
<edit> 7.0.5 was just released which has a fix </edit>
<edit 2> CVE-2026-43284 has been assigned</edit 2>
#infosec #cyber #tsunamiofvulns #CVE-2026-43284
This is the documentation & exploit of DirtyFrag:
https://github.com/V4bel/dirtyfrag/blob/master/README.md
This dumb password rule is from Dutch Tax Authorities (Belastingdienst).
At least 8 and at most 25 characters, of which at least 3 of the characters were not used in the previous password.
No more than 3 of the same characters.
At least 1 upper case and 4 lower case characters.
No more than 3 special characters.
It's not like hashing passwords is a thing or something.
https://dumbpasswordrules.com/sites/dutch-tax-authorities-belastingdienst/
#password #passwords #infosec #cybersecurity #dumbpasswordrules