cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
Government-Mandated Software a Looming Threat to #Freedom
An increasing number of governments around the world are requiring that #smartphones come with specific software pre-installed. The notion of government-mandated software, whether it is a separate app or a routine part of the operating system, represents a grave threat to our #privacy.
#malware #security #surveillance #firstamendment #fourthamendment #monitor
https://www.aclu.org/news/privacy-technology/government-mandated-software
If you're a part of the #resistance to #ICE and the #Fascist regime you should absolutely be using @signal which also means you should be donating to Signal. Now, more than ever, they'll need donations. That said, if you cannot afford to donate, you should still use it! We can all contribute to the larger cause in our own way.❤️
Cross platform, works on almost any recent computing device, fully encrypted texts, calls and video. Folks, use Signal, stay safe.
| I don't use Signal: | 12 |
| I use Signal and have donated: | 71 |
| I use Signal, I'll donate for the first time today: | 5 |
| I'll start using Signal and I'll donate today: | 1 |
The #UK was among several #allies to join the US in Afghanistan after NATO’s collective #security clause was invoked for the first & only time in its history by the #US following the 9/11 attacks. During the conflict, 457 British service personnel were killed.
Article 5 of #NATO states that an attack on one member is considered an attack against all.
Is it 2026 or 2006? I just went to harden my PayPal account with my new review units.
Turns out, PayPal still only supports one physical security key. No backups allowed. If you want redundancy, they force you back to TOTP apps or (worse) SMS.
#CyberSecurity #FIDO2 #Yubico #Nitrokey #Privacy #Security #TerminalTilt #FinTechFail #Token2 #Banking #Money
"Implementing Passkeys in Practice - Computerphile" - https://www.youtube.com/watch?v=lypcC79k-gg
#passkeys #programming #2fa #security #infosec #computerphile
It's 2026 and critical auth bypass vulnerabilities in telnetd are still a thing... https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html #infosec #security
Here’s what The Counteroffensive is reading today:
Putin offered to give $1 billion to #Trump’s Board of Peace from the $5 billion Russian frozen assets in the U.S., at a meeting of Russia’s #Security Council.
The rest of the funds will be put to Ukraine’s post-war reconstruction.
https://www.bloomberg.com/news/articles/2026-01-21/putin-offers-frozen-russian-assets-in-us-to-peace-board-ukraine?srnd=homepage-europe
#news #ukraine #trump #russia
This silly statement from #openai about #security drives me crazy. People talk about this all the time as if it means something.
‘files in ChatGPT as a whole are "encrypted by default at rest and in transit"’
What attack does that encryption at rest defeat? What hacker says “darn it! I would have gotten the data if it hadn’t been for that pesky encryption at rest?”
Think it over. Go ahead. I’ll wait.
Physical theft of hard drives/storage. That’s it. Encryption at rest at OpenAI, or any cloud, defeats the same singular attack that it defeats when you encrypt the hard drive on your laptop: if someone physically steals the device, they don’t get the data.
They can sell your data. They can store it (encrypted at rest) on a web site that has a vulnerability or incorrect security, and bad people can download the unencrypted data. They can share it with “partners” who misuse it. Encrypting at rest is NOT an important protection. Literally every other protection is more important.
https://www.darkreading.com/remote-workforce/chatgpt-health-security-safety-concerns
I would hope I don’t need to let most people know, but…
Lastpass phishing - and this might be expensive for the unwary
Remember, following links in emails can be dangerous - following links to shortened URLs is silly
https://www.theregister.com/2026/01/21/lastpass_backup_phishing_campaign/
Heads up for my fellow Red Hat Enterprise Linux (RHEL) 10 users:
Important: kernel security update
kernel: libceph: fix potential use-after-free in have_mon_and_osd_map() (CVE-2025-68285)
So do your `dnf update` ASAP :)
More details: https://access.redhat.com/errata/RHSA-2026:0786
"The first duty of a government is to keep its people safe. And in today’s unpredictable world, that won’t be achieved by clinging to outdated ideas about security, or cowering at Trump’s feet in the hopes that he will protect us"
Green Party leader Zack Polanski writes in the New Statesman
#Trump #Greenland #UKPolitics #Security #Defence
Trump's threat to Greenland must be a wake up call for Britain - New Statesman
https://www.newstatesman.com/politics/uk-politics/2026/01/trumps-threat-to-greenland-must-be-a-wake-up-call-for-britain
I'm begging you, before you find your API key hard-coded in a client's browser, or have malware injected into your super cool vibe coded website - check the security!
Your fun project could ruin somebody's online safety.
Does #Russia or #China actually threaten #greenland
Experts say Trump’s warnings don’t match reality
Trump’s Greenland obsession is not new. He 1st suggested it in 2019
Security experts & #European officials say Greenland faces no immediate military threat — raising a pointed question:
- Are Trump’s warnings about Greenland genuine #security concerns, or a pretext for a more unilateral #US push in the #Arctic?
Vanadium version 144.0.7559.76.1 released:
https://github.com/GrapheneOS/Vanadium/releases/tag/144.0.7559.76.1
See the linked release notes for a summary of the improvements over the previous release and a link to the full changelog.
Forum discussion thread:
https://discuss.grapheneos.org/d/30839-vanadium-version-14407559761-released
IT "security" in this country is often confused with compliance: policies, templates, processes – everything neatly documented and ready to file away. The main thing: nobody is to blame when things blow up.
Real security does not come from paper, but from good IT people, time, budgets, clear responsibilities – and technology that is actually hardened, maintained and audited.
Checkboxes do not reduce risks. They only reduce the feeling of liability.
Scrap #DigitalID cards
#UK Government plan for digital ID cards is £1.8 billion white elephant
It is little more than an echo of the failed Tony Blair ID card scheme, now with an expensive digital element bolted on
We rejected ID cards then and we reject them now.
Despite the government’s partial U-turn on some compulsory elements of the scheme, the huge cost remains – alongside many other problems.
#security #privacy #BigData #ToxicLabour #KierStalin #ID #Orwellian
🆕 blog! “Responsible Disclosure: Chimoney Android App and KYCaid”
Chimoney is a new "multi-currency wallet" provider. Based out of Canada, it allows users to send money to and from a variety of currencies. It also supports the new Interledger protocol for WebMonetization.
But it has a security flaw which cannot be ignored.
👀 Read more: https://shkspr.mobi/blog/2026/01/responsible-disclosure-chimoney-android-app-and-kycaid/
⸻
#android #CyberSecurity #ResponsibleDisclosure #security #WebMonetization
rpki-client 9.7 released https://undeadly.org/cgi?action=article;sid=20260114104154 #openbsd #rpkiclient #rpki #routing #security #networking #bgp
For anyone who's been to one of my #Kubernetes #Security talks over the last couple of years, you may have seen me mention "the unpatchable 4", which is a set of Kubernetes CVEs for which there are no patches, you need to mitigate them with configuration or architecture choices.
I've been meaning to write more about them, and finally got a chance so here's the first in a mini-series of posts looking at the CVEs and the underlying reasons they occur. This time it's CVE-2020-8554.
https://securitylabs.datadoghq.com/articles/unpatchable-kubernetes-vulnerabilities-cve-2020-8554/
The PAM Duress is a module designed to allow users to generate 'duress' passwords that when used in place of their normal password will execute arbitrary scripts.
This functionality could be used to allow someone pressed to give a password under coercion to provide a password that grants access but in the background runs scripts to clean up sensitive data, close connections to other networks to limit lateral movement, and/or to send off a notification or alert (potentially one with detailed information like location, visible wifi hot-spots, a picture from the camera, a link to a stream from the microphone, etc). You could even spawn a process to remove the pam_duress module so the threat actor won't be able to see if the duress module was available.
🥳 Auto-Encrypt Localhost version 9.0.0 released
Bye bye, Windows.
• Windows is no longer supported as Microsoft is complicit in Israel’s genocide of the Palestinian people¹ and Small Technology Foundation² stands in solidarity with the Boycott, Divestment, and Sanctions (BDS) movement³. Windows is an ad-infested and surveillance-ridden dumpster fire of an operating system and, alongside supporting genocide, you are putting both yourself and others at risk by using it.
Enjoy!
💕
About Auto-Encrypt Localhost:
https://codeberg.org/small-tech/auto-encrypt-localhost#readme
Auto Encrypt Localhost is similar to the Go utility [mkcert](https://github.com/FiloSottile/mkcert/) but with the following important differences:
1. It’s written in pure JavaScript for Node.js.
2. It does not require certutil to be installed.
3. It uses a different technique to install its certificate authority in the system trust store of macOS.
4. It uses enterprise policies on all platforms to get Firefox to include its certificate authority from the system trust store.
5. In addition to its Command-Line Interface, it can be used programmatically to automatically handle local development certificate provisioning while creating your server.
Auto-Encrypt Localhost is licensed under AGPL version 3.0.
#AutoEncryptLocalhost #SmallTech #SmallWeb #localhost #TLS #SSL #certificates #web #security #dev #FOSS #israel #microsoft #BigTech #genocide #Palestine #StopIsrael #FreePalestine
¹ https://www.bdsmovement.net/microsoft
² https://small-tech.org/
³ https://www.bdsmovement.net/
2026 didn't waste any time in telling 2025 to "hold my beer".
Share your favorite internet privacy and secure communications tools to help us make it to the other side of this.
#Privacy #Security #Encryption #FreeBSD #Linux #HardenedBSD #Signal #EFF #TOR #ICE
The recording from NYC*BUG Saturday January 10th, 2026 session "The Book of PF 4th ed + EU CRA: It's time to Engineer up" is now available:
Youtube: https://youtu.be/HOCsvcCm1Ec
Peertube: https://toobnix.org/w/bQPtKXKqJMdeYDbzhrrkEa
#bookofpf #OpenBSD #freebsd #packetfilter #EUCRA #CRA #SBOMS #dependency #supplychain #security
U.S. URGES CITIZENS TO LEAVE #VENEZUELA: The State Department has urged all #Americans to leave #Venezuela immediately due to extreme #security risks. https://www.theguardian.com/us-news/2026/jan/10/us-citizens-venezuela-paramilitaries
GrapheneOS version 2026011000 released:
https://grapheneos.org/releases#2026011000
See the linked release notes for a summary of the improvements over the previous release.
Forum discussion thread:
https://discuss.grapheneos.org/d/30465-grapheneos-version-2026011000-released
GrapheneOS version 2026010800 released:
https://grapheneos.org/releases#2026010800
See the linked release notes for a summary of the improvements over the previous release.
Forum discussion thread:
https://discuss.grapheneos.org/d/30419-grapheneos-version-2026010800-released
TIL you can mount on top of symlinks; meaning, you can use a symlink as a mount point. This sounds like a really bad idea, especially after watching Aleksa Sarai's talk at the Linux Plumbers Conf:
A Major Mail Provider Demonstrate They Likely Do Not Understand Mail At All https://nxdomain.no/~peter/they_do_not_understand_mail_at_all.html (tracked https://bsdly.blogspot.com/2026/01/a-major-mail-provider-demonstrate-they.html)
#greytrapping #spam, #antispam #greylisting #blocklist, #openbsd #freebsd #smtp #email #SMTP, #contentfiltering #SPF #DMARC #security #networking
As a test, I tried "tailscale funnel" to test sharing a Valhalla service running on port 8002 on my laptop over the internet. The Tailscale part was fast and easy, amazing even.
But as I sat and stared and marveled at my idle service logs, in less than a minute they went crazy with attack traffic looking for all sorts of common vulns.
Less than a minute! Port 8002!
Just best assume anything that's public on any port is immediately and constantly scanned for vulns.
As our company hosts servers, we have a public Security Policy and a security.txt file for ethical hackers to disclose vulnerabilities responsibly: https://handbook.dude.fi/security-policy
Because of this, I receive quite a few reports, most of them ineligible. I've also run into some "security experts" getting upset about not receiving a bounty for a non-issue or putting heavy pressure on payments for valid ones. It often feels unfair, like I'm being held hostage.
That's why replies like the one I just received warm my heart so much:
"Thank you very much for the clarification and for taking quick action to remove the DNS record. I appreciate the transparency and the kind offer as well.
I'd prefer to donate the amount to a child support charity instead. You’re very welcome to donate it on my behalf to any such organization of your choice."
Donation made. Thank you, stranger. Kindness costs nothing.
And as always, we value your input, see "For Upcoming PF Tutorials, We Welcome Your Questions" https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html (tracked https://bsdly.blogspot.com/2025/05/for-upcoming-pf-tutorials-we-welcome.html) #pf #firewall #tutorial #openbsd #freebsd #networking #security #ipv6 #ipv4 @stucchimax
There will be a "Network Management with the OpenBSD Packet Filter Toolset" at AsiaBSDCon in Taipei Thursday, March 19 2026.
Yours truly and Max Stucchi teaching networking goodness.
Details soon to emerge at https://2026.asiabsdcon.org/ #asiabsdcon #freebsd #openbsd #networking #conference #tutorial #pf #packetfilter #security #firewall #freesofware #libresoftware @stucchimax
Cybersecurity: BSI portal goes online – and uses AWS for it
The new BSI portal is meant to become the central point of contact for IT security in critical infrastructure. The choice of provider is raising eyebrows: AWS.
The #Venezuela mission to the #UN has requested an emergency #Security Council [#UNSC] meeting & has asked the Council to condemn the #US military strikes against the country.
Venezuela’s ambassador, Samuel Reinaldo Moncada Acosta, said in a letter to the UNSC president: “The United States of America always uses lies to fabricate wars. It is an international #tyranny imposed with the #propaganda of death: the recent past confirms this.”
When you think that things like turning off #Bluetooth as a precaution are overkill, security researchers drop a bomb like this. (long, but interesting read)
#China strongly condemned the #US strike in #Venezuela & the action against its president, the Foreign Ministry said, adding the Beijing govt was “deeply shocked” & firmly opposed to the operation.
“Such hegemonic acts of the US seriously violate #InternationalLaw & Venezuela’s #sovereignty & threaten #peace & #security in #LatinAmerica & the #Caribbean region,” it said.
#law #Congress #WarPowers #criminal #Trump #abduction #oil #LandGrab #WarCrimes #ExtrajudicialKillings #theft #piracy
#China called on the #US to comply with #InternationalLaw & the principles of the #UN Charter, urging it to stop violating the #sovereignty & #security of other nations.
#law #Congress #WarPowers #criminal #Trump #abduction #Venezuela #oil #LandGrab #WarCrimes #ExtrajudicialKillings #theft #piracy #InternationalLaw