@nielsa no, that's not what I'm telling you.

I prefer to believe that most people will be thoughtful.

＂… a huge number of bugs. I have so many bugs in the Linux kernel that I can't report because I haven't validated them yet. I'm not going to make some open source developer validate bugs that I haven't checked yet. I'm not going to send them potential slop … I now have … several hundred crashes that they haven't seen because I haven't had time to check them. We need to find a way to fix this …＂

– Nicholas Carlini

#Linux #FreeBSD #security #cybersecurity #infosec #AI #LLMs

Alt...

Screenshot: a frame from https://www.youtube.com/watch?v=1sd26pWhfmg

This dumb password rule is from State Bank of India (Foreign Travel Card).

State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.

Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...

https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Paytm.

Password must be between 5 and 15 characters. Also, spaces don't count
as characters.

https://dumbpasswordrules.com/sites/paytm/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from LINE.

Password must:
- be between 8 to 20 characters
- not contain characters that repeat in a row
Password must contain three of the following:
- an upper-case letter
- a lower-case letter
- a number
- a symbol

https://dumbpasswordrules.com/sites/line/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

(cujo.com) Residential Proxy Malware Hidden in Piracy Apps Targeting Amazon Fire TV Sticks

New threat: Residential proxy malware embedded in piracy apps is turning Amazon Fire TV Sticks into unwitting proxy nodes. These apps, sideloaded via piracy platforms, hijack home network bandwidth to route traffic to commercial sites like eBay and TicketMaster without user consent.

In brief - Piracy apps on Amazon Fire TV Sticks are covertly repurposing devices as residential proxies, monetizing user bandwidth and IP addresses. Amazon’s crackdown is ineffective due to trivial package name changes by threat actors.

Technically - Malicious APKs contain non-obfuscated strings like 'AppBandwidthMonetizer/MProxy' and use BootReceiver intent registration to auto-execute proxy code on reboot, evading sandbox analysis. Network traffic confirms outbound connections to commercial platforms post-installation. Detection evasion includes package renaming and low VirusTotal flagging rates. A linked Telegram channel suggests organized distribution.

Source: https://cujo.com/blog/residental-proxies-heart-amazon-fire-tv-sticks/

#Cybersecurity #ThreatIntel

This dumb password rule is from Telekom.

At first glance, their policy looks good - sure, the upper limit was chosen without necessity
and they enforce characters from all four groups, but your password manager will most likely come up with something suitable.

The website even tells you how 'wunderbar' your new password is - only to t...

https://dumbpasswordrules.com/sites/telekom/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Alipay.

- 8-20 characters (numbers or letters)
- no special characters allowed
- in the mobile app

https://dumbpasswordrules.com/sites/alipay/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Watching the livestream of the Artemis II launch, I just witnessed one of the astronauts type in the password on their tablet while sitting in the capsule on camera.

#ArtemisII #Artemis #Artemis2 #NASA #InfoSec #cybersecurity #OpSec #Privacy #SpaceExploration

We can quit #cybersecurity and just go farm potatoes or something. After 25 years of #appsec one of the most talked-about tech companies invents a daemon process that

makes use of a file-based “memory system” designed to allow for persistent operation across user sessions.

Sure. Just store your system instructions in a random text file.

Why are we installing endpoint protection on this system?

Why do we verify cryptographic signatures on software updates to this system?

Why are we building a zero trust security environment?

Why do we do scan email to avoid social engineering emails?

Our AI-assisted users are gonna YOLO right past all that. And if they can’t get past our #security controls, this agentic Frankenstein will write itself some markdown and work quietly in the background figuring out how to bypass something the user couldn’t bypass on their own.

This is #infosec in 2026

Critical #ImageMagick zero-day allows RCE via simple image uploads, impacting Ubuntu, Amazon Linux, and WordPress - millions still exposed.

Read: https://hackread.com/imagemagick-zero-day-rce-linux-wordpress-servers/

#CyberSecurity #ZeroDay #RCE #Linux #WordPress #Vulnerability

This dumb password rule is from E-Redes.

Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.

https://dumbpasswordrules.com/sites/e-redes/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

TLS and SSH rely on Certificate Authorities (CAs) for authentication, but they also present a vector for Man in the Middle attacks. What if you could set up your own CA to reduce your exposure?

➡️ https://fedoramagazine.org/make-a-private-ca-with-step-ca/

#WebDev #Linux #Security #InfoSec #Cybersecurity #Fedora

This dumb password rule is from BMW ConnectedDrive.

Although the prompt suggests good things, after many failed attempts to
set a new password, it turns out you can ONLY use the special characters
shown in the prompt

https://dumbpasswordrules.com/sites/bmw-connecteddrive/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

If someone comes to me today preaching about “post-quantum” security issues, I’ll remind them of the current state of security: the npm ecosystem gets abused daily, CI pipelines run left and right with full access to cloud services, so-called security devices like F5 and Ivanti are exposed (and compromised) to the internet, mailboxes get compromised just to change an IBAN in a PDF, and a simple phone call is still enough to get someone to hand over an MFA code.

But yes, by all means, let’s focus on post-quantum threats while handing AI tools SSH access like it’s a feature, not a confession.

#cybersecurity #stateoftheworld

Alt...

Latest exploited/active CVEs.

This dumb password rule is from Vistara.

Password must contain:
- 8 to 12 Characters.
- At least one lowercase and uppercase letter.
- At least one numeric character.
- At least one special character (!, @, #, $, %, %, ^, &, +, =).

Must not contain space, first or last name.

https://dumbpasswordrules.com/sites/vistara/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Many thanks to Mirko Zorz and the team at @helpnetsecurity magazine for allowing me to rant about my dislike for the phrase "Human are the weakest link" when it comes to #Cybersecurity

In fact humans are our "last line of defence" when all our tech has failed or been bypassed

https://www.helpnetsecurity.com/2026/03/31/cybersecurity-design-failures-not-human-error/

#NPM #axios maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

NPM has pulled the effected versions and the payload. Time to clean up and see if you were effected.

StepSecurity has an awesome write up on this issue with #iocs

Link follows this toot.

#CTI #infosec #node #cybersecurity #security #nodejs #js #malware

This dumb password rule is from Battle.net.

8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.
A real time travel adventure through the password rules of 2005!

https://dumbpasswordrules.com/sites/battle-net/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Smith & Co Solicitors Reports Data Breach and Financial Fraud Following Email Compromise

Smith & Co Solicitors in Ipswich suffered an email-based data breach affecting 25% of its clients and resulting in at least one instance of financial fraud. Attackers gained unauthorized access to the firm's email systems to impersonate staff and intercept sensitive client communications.

****
#cybersecurity #infosec #incident #databreach
https://beyondmachines.net/event_details/smith-co-solicitors-reports-data-breach-and-financial-fraud-following-email-compromise-z-2-h-j-o/gD2P6Ple2L

This dumb password rule is from STOVE.

- 24 characters max

https://dumbpasswordrules.com/sites/stove/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Number of #AI Chatbots Ignoring Human Instructions Increasing, Study Says

https://slashdot.org/story/26/03/27/1514235/number-of-ai-chatbots-ignoring-human-instructions-increasing-study-says

#cybersecurity

I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. 🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts" often ex-military with minimal software engineering backgrounds are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

https://arstechnica.com/information-technology/2026/03/federal-cyber-experts-called-microsofts-cloud-a-pile-of-shit-approved-it-anyway/
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

This dumb password rule is from BCV.

Username is randomly generated, example: 'H2487414'. The password must have **6** digits only.

Password can only be changed from the mobile application:

https://dumbpasswordrules.com/sites/bcv/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Oh boy. Stanford researchers scanned 10 million web pages and found API keys just sitting in the public-facing code. That's 1,748 active credentials from major providers exposed in live website code, mostly inside JavaScript files. Not in old test environments. Not in a forgotten repo. In the live, running site. Banks. Healthcare providers. "Not just small companies, but some very large companies," according to the lead researcher. And some of those credentials had been sitting there for years. Not the first time I've seen something like this. 🤦🏻‍♂️

The thing is that most orgs are scanning their source code but not their deployed sites. 😳 Those are two different things, and most leaks originate during the build process. A key gets baked in somewhere between development and production, and nobody catches it because the scan already ran upstream. Meanwhile, GitGuardian counted over 28 million new hardcoded secrets exposed in public GitHub commits in 2025 alone. This isn't a one-time research finding it's a systemic habit that needs to change.

🔍 When did your team last scan the live site, not just the codebase?
🏦 If you're in a regulated industry, that question just became a compliance question too

https://www.newscientist.com/article/2520143-security-credentials-inadvertently-leaked-on-thousands-of-websites/
#Cybersecurity #AppSec #Leadership #security #privacy #cloud #infosec

This dumb password rule is from IRS.

Password rules:
- Between 8 and 32 characters long
- Must contain at least one numeric and one special character (!@#$%&*)
- At least one uppercase and at least one lowercase letter

https://dumbpasswordrules.com/sites/irs/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Netflix.

[The help page](https://help.netflix.com/de/node/54078)
and the [password reset page](https://www.netflix.com/password) say:

Ihr Passwort muss zwischen 4 und 60 Zeichen lang sein und darf keine Tilde (~) enthalten.

https://dumbpasswordrules.com/sites/netflix/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

When #AgeVerification moves into your operating system

https://proton.me/blog/age-verification-operating-system

#privacy #cybersecurity

This dumb password rule is from AmiAmi.

Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.

https://dumbpasswordrules.com/sites/amiami/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Walmart.

Your password must include the following:
- 8-100 characters
- Upper & lowercase letters
- At least one number or special character

https://dumbpasswordrules.com/sites/walmart/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from NBC (National Bank of Canada).

- Password length must be 8 to 25 characters
- Password must contain at least one lower letter (any position)
- Password must contain at least one digit (any position)
- Password cannot contain spaces.
- Copy/paste is not allowed when trying to set a new password

https://dumbpasswordrules.com/sites/nbc-national-bank-of-canada/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Delta.

It's a good thing they don't store personal information such as your passport number... oh wait.

https://dumbpasswordrules.com/sites/delta/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from IBM.

12-63 characters
One uppercase character
One lowercase character
One number
Sufficiently Strong
Special characters are optional.
Double byte characters are not allowed

https://dumbpasswordrules.com/sites/ibm/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

The correct way to run a headline for this story. The reg does not disappoint

#uspol #routers #surveillance #privacy #nationalsecurity #cybersecurity #infosec #cisco #theregister

Alt...

Register headline: Country that put backdoors into Cisco routers to spy on world bans foreign routers Unfortunately, there aren't many options unless you're Starlink Dan Robinson Tue 24 Mar 2026

This dumb password rule is from Minnesota Unemployment Insurance.

Locked to *exactly* 6 chars, alphanumeric only, not special chars.

https://dumbpasswordrules.com/sites/minnesota-unemployment-insurance/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from South Western Railway.

Certain special characters disallowed, but notably the phrase " or " is disallowed also. They're probably papering over SQL injection vulnerabilities 🤦

https://dumbpasswordrules.com/sites/south-western-railway/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Mobi Bike Share.

Your PIN (which is the password you use to login, which lets you, say, buy hundreds of dollars worth of bike-share subscriptions off the saved credit card) must be four numeric digits. Helpfully, they even give you an example of a PIN: *1234*.

https://dumbpasswordrules.com/sites/mobi-bike-share/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

🚨 The FCC bans all routers made outside the U.S. — So basically all routers.

Most people buy a router and never think about it again. That box in the corner that handles every password and video call you make. The FCC is now worried that some of these devices are actually open doors for foreign governments. Shocked! 🫢

Regulators are looking at TP-Link to see if they pose a threat to national security. Recent reports show hackers used these devices to build massive botnets. You might find yourself shopping for new hardware if these bans take effect.

🧠 Regulators are weighing a ban on specific foreign routers.
⚡ Security experts found flaws that allow remote access.
🎓 This move follows previous restrictions on Chinese tech firms.
🔍 Check your hardware brand before the new rules arrive.

https://mashable.com/article/us-fcc-foreign-router-ban
#FCC #Security #TechPolicy #security #privacy #cloud #infosec #cybersecurity

This dumb password rule is from Ticketmaster.de.

Your password length is limited between 8 and 32 characters.

https://dumbpasswordrules.com/sites/ticketmaster-de/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Canada Revenue Agency.

Password checklist:
- 8 to 16 characters
- At least 1 upper-case character
- At least 1 lower-case character
- At least 1 digit
- No space
- No accented characters
- No special characters except: dot (.), dash (-), underscore (_), and apostrophe (')
- No more than 4 consecutive identical characters

https://dumbpasswordrules.com/sites/canada-revenue-agency/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

At #RSAC2026? Missing good coffee?

Drop by Tailscale’s Peer-to-Pour Cafe at Sextant Coffee Roasters, just steps from Moscone, for free coffee, sweet treats, custom swag, keycap fidgets, and chats with the team. Open Tues Mar 24, 8:00-5:00 and Wed Mar 25, 8:00-4:30 for badge holders. Plus: demos, expo swag, raffles, and more all week.

https://tailscale.com/rsac26/?utm_source=Mastodon&utm_medium=owned-social&utm_campaign=rsac-2026

#RSAC #RSAC2026 #Cybersecurity #ZeroTrust #Networking #Tailscale

This dumb password rule is from Taco Bell.

Password may include special characters, except for #.

https://dumbpasswordrules.com/sites/taco-bell/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Dell.

Okay at least 6, that's alright I guess.

Oh at least one number and one letter, bit dumb but hey not that dumb.

But hiding the fact that it has a max of 20, now THAT is dumb!

https://dumbpasswordrules.com/sites/dell/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Apple.

Can't contain 3 or more consecutive identical characters, nor can it be more than 63 characters long.

https://dumbpasswordrules.com/sites/apple/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from ING Romania's Internet Banking Portal.

No more, no less than 5 digits. This is the password you use to log in and to confirm
online transactions. They used to have "normal" passwords and they forced everybody to
change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
OK, because everybody has 2FA.

https://dumbpasswordrules.com/sites/ing-romanias-internet-banking-portal/

#password #passwords #infosec #cybersecurity #dumbpasswordrules