cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
MissConstrue [She/Her (Crone Extraordinaire)] » 🌐
@MissConstrue@mefi.social
Hey, speaking of #infosec disasters on the horizon... #Discord has announced global age verification. You know, face scans and ID.
Discord. The company that less than six months ago (October 2025) had an ID verification breach that exposed government-issued ID photos—including driver's licenses and passports—of approximately 70,000 users.
The #enshittification continues apace.
Y'all know we're gonna have to form a rebel army and take out the data centers, right? I mean, you've put it in the daytimer?
https://discord.com/press-releases/discord-launches-teen-by-default-settings-globally
MissConstrue [She/Her (Crone Extraordinaire)] » 🌐
@MissConstrue@mefi.social
Look y'all, it can't be a political shitstorm ALL the time. We have to leave time for #infosec shitstorms too! Major new #malware on the loose.
Here's the TLDR from the researchers:
#Securonix Threat Research has been tracking a stealthy malware campaign that uses an uncommon chain of #VHD abuse, script-based execution, self-parsing batch logic, fileless PowerShell injections and ultimately dropping #RAT. The attack leverages IPFS-hosted VHD files, extreme script obfuscation, runtime decryption, and in-memory shellcode injection into trusted Windows processes, never dropping a decrypted binary to disk.
In English: Malware is delivered via what looks like a PDF. This PDF will open and run a virtual hard drive (VHD), able to execute code without leaving a trace. It's beautiful, but evil as fuck.
What to do? Don't open files from unknown senders.
#deadvax
https://www.securonix.com/blog/deadvax-threat-research-security-advisory/
Hey #freelancers beware
Got targeted on Upwork with a malware repo. Job post says "Senior Rust Developer — convert Node.js to Rust."
It sounded great as I'm back to Upwork after a long while. But they insisted that I clone and run the repo, then I would have the job:
> Just show me with a screenshot that you were able to run the project and we can start from there
Thankfully my "bullshit radar" kicked in and I asked opencode to check the code instead.
This dumb password rule is from Coil.
Does not allow simple characters and sequences such as '4587' or 'efgh' in password & necessarily requires numeric values.
https://dumbpasswordrules.com/sites/coil/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Copyright.gov.
I wonder if they cooperate with NSA to enforce the password rules.
https://dumbpasswordrules.com/sites/copyright-gov/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Trenord.
- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~â();.
https://dumbpasswordrules.com/sites/trenord/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Pam360.
"Enterprise privileged access management has never been easier."
- Must be 8 to 16 characters in length
- Must have mixed case alphabets
- Must have at least 1 upper and 1 lower case character(s)
- Must have at least 1 number(s)
- Must have at least 1 special character(s)
- Must star...
https://dumbpasswordrules.com/sites/pam360/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Sparda-Bank.
Sparda is a group of German banks. They all use the same login form (except for Sparda-Bank Berlin, see below). Their equivalent of a password is called *Online-PIN*. As the name implies, only digits are allowed. (*Zifferneingabe* means "digit input"; it opens an on-screen number pad widget.)
No...
https://dumbpasswordrules.com/sites/sparda-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from European Union Intellectual Property Office.
- The password must be between 8 and 30 characters, containing at least a digit [0-9], a lower case letter [a-z], an upper case letter [A-Z] and one of [!@#$%&*,.] characters
https://dumbpasswordrules.com/sites/european-union-intellectual-property-office/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from AmiAmi.
Your password needs to be between 6 and 12 characters long, must contain only letters and numbers.
https://dumbpasswordrules.com/sites/amiami/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
A friendly reminder to never trust manufacturers' privacy protections.
I was recently attempting to get an external camera functioning, so I started polling various video devices sequentially to find out where it appeared and stumbled across a previously unknown (to me at least) camera device, right next to the regular camera that is not affected by the intentional privacy flap or "camera active" LED that comes built in.
I had always assumed this was just a light sensor and didn't think any further about it.
The bandwidth seems to drop dramatically when the other camera is activated by opening the privacy flap, causing more flickering.
This was visible IRL and wasn't just an artifact of recording it on my phone.
I deliberately put my finger over each camera one at a time to confirm the sources being projected.
A friend of mine suggested this may be related to Windows Hello functionality at a guess, but it still seems weird to not be affected by the privacy flap when it's clearly capable of recording video.
dmidecode tells me this is a LENOVO Yoga 9 2-in-1 14ILL10 (P/N:83LC)
Command I used for anyone to replicate the finding. (I was on bog standard Kali, but I'm sure you'll figure out your device names if they change under other distros):
vlc v4l2:///dev/video0 -vv --v4l2-width=320 --v4l2-height=240 & vlc v4l2:///dev/video2 -vv --v4l2-width=320 --v4l2-height=240
This dumb password rule is from Easybank (Austrian direct bank).
- At least 8 and at most 16 (!) characters
- **Must start with 5 digits (do we really want to know what's going on there?)**
- At least one uppercase and one lowercase letter
- (Some) special characters are permitted, most are not
- "Simple" patterns are prohibited
- PINs are case sensitive (at l...
https://dumbpasswordrules.com/sites/easybank-austrian-direct-bank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
RE: https://freeradical.zone/@tek/116020441811071379
Expired SSL Certificates remain undefeated
#certificates #ssl #tls #infosec
Sectigo, who signs about 25% of all SSL certificates, updated their root certificate in December 2025. Old versions of Android don't have the new cert. This is making Mastodon apps running on those devices fail to connect to servers that have updated their SSL certs recently.
Update your phone or client to fix the connection. For instance, Tusky is working to bundle the new root cert directly into the app.
https://www.youtube.com/watch?v=_3okhTwa7w4
This dumb password rule is from Tanishq.
Password must contain:
- 6 to 16 characters.
- At least one special character (@, #, $, %, * and & only).
- At least one alphabet.
- At least one number.
https://dumbpasswordrules.com/sites/tanishq/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Virgin Media.
Your password needs to be between 8 and 10 characters long, with no
spaces, and must contain only numbers and letters. The first character
must be a letter.
Feb 2020 Update: policy remains the same but the description is hidden
leaving you to guess the acceptable length/chars. Users are now lef...
https://dumbpasswordrules.com/sites/virgin-media/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Parnassus Investments.
A site responsible for protecting your investments limiting you to a
four character range with a bunch of other stupid rules? Shocking.
https://dumbpasswordrules.com/sites/parnassus-investments/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Datart.cz.
Czech eshop
Password:
- Max length is 20 characters
- No special characters allowed (only alphanumeric)
https://dumbpasswordrules.com/sites/datart-cz/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from A1 Mobile Serbia.
A1 mobile Serbia is a mobile provider in Serbia that imposes poor password rules.
Translation: "Length of the password must be between 8 and 20 characters and can only have letters and digits."
https://dumbpasswordrules.com/sites/a1-mobile-serbia/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
whenever i do security audit work on site, there are two tools that always come with me these days, such are the times in which we live:
1) modified orbic hotspot running eff's rayhunter, to flag stingray devices in proximity
2) tiny little esp32 running flock-you, the flock camera detector, so i can let folks know they are close by
https://www.eff.org/deeplinks/2025/03/meet-rayhunter-new-open-source-tool-eff-detect-cellular-spying
https://github.com/colonelpanichacks/flock-you
two little bits of gear running great open source projects that can expose the unseen risks that may be floating around out there
This dumb password rule is from ING Romania's Internet Banking Portal.
No more, no less than 5 digits. This is the password you use to log in and to confirm
online transactions. They used to have "normal" passwords and they forced everybody to
change to the 5 digits versions. They said they've made it "so it's easier for you" and it's
OK, because everybody has 2FA.
https://dumbpasswordrules.com/sites/ing-romanias-internet-banking-portal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
If you use ingress-nginx, update your Kubernetes clusters folks, like right now:
https://github.com/kubernetes/kubernetes/issues/136677
https://github.com/kubernetes/kubernetes/issues/136678
https://github.com/kubernetes/kubernetes/issues/136679
Well that sucks - I created a new subdomain on Sunday, and even though I haven't configured a website for it yet or advertised or linked to it anywhere (it's purely in DNS records), I've already got 78 unique IPs within 24 hours, doing HTTP requests for the domain.
These are not IP scans (which I would expect), but HTTP requests that include the new domain name.
It's not even just being nosey at the root level, there are also requests for "../../../xxxxx" and login pages etc.
Only 3 of them are IPv6.
If anyone wants a list, I can provide it.
These addresses are extra ones that are not blocked by the great lists provided by
@stratosphere , as they are filtered out already.
Holy shit. TIL that Janet Jackson is the only Grammy-winning artist with a CVE.
CVE-2022-38392 indicates that playing Rhythm Nation near certain hard drives will cause a crash, because the song contains a resonant frequency with a 5400RPM spinning disk of a certain diameter and construction.
Neat.
This dumb password rule is from Techcombank.
Your password must:
- Be between 6 and 8 characters long
- Contains at least 1 number character
- Contains at least 1 lowercase character
- Contains at least 1 uppercase character
- Neither space nor unicode character is allowed. In fact,
NO special characters is allowed
- Must be changed every 9...
https://dumbpasswordrules.com/sites/techcombank/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
Feeling deeply disillusioned with the state of tech (and—let's be real—everything else) these days.
Anyone have recs for a book that will help displace this despair in favor of hope, specifically as it pertains to technology?
This dumb password rule is from Polytechnique Montreal.
Passwords must have a minimum length of 8 characters
Passwords must have a maximum length of 30 characters
Passwords must contain a minimum of 2 digits
Passwords must contain a minimum of 2 letters
Password must be different than the last one used
Passwords may contain these special characte...
https://dumbpasswordrules.com/sites/polytechnique-montreal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from Credit Agricole.
* Login is a predefined 11 digits long identifier that you can not change
* Password is a 6 digits long identifier that you need to input using your mouse
https://dumbpasswordrules.com/sites/credit-agricole/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
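Added example, not part of any post above: it computes exactly how many passwords each of the posted policies admits, using inclusion-exclusion over the character classes a password is required to contain, and reports the result in bits. The policies encoded are the ones quoted in the posts for ING Romania, Credit Agricole, Techcombank, Virgin Media and AmiAmi; the function and field names are mine.

```python
"""Size of the password space admitted by several policies posted above.

Exact counting via inclusion-exclusion over the required character classes
a string fails to contain. A smaller space means fewer guesses to cover it,
which is why "exactly N digits" and "one of each class" rules shrink what a
defender can rely on, rather than strengthening anything.
"""
import math
from itertools import combinations
from string import ascii_letters, ascii_lowercase, ascii_uppercase, digits

ALNUM = digits + ascii_letters


def count_passwords(min_len, max_len, alphabet, required=(), first_chars=None):
    """Count strings of length min_len..max_len over `alphabet` that contain at
    least one character from every class in `required` (disjoint subsets of
    `alphabet`) and whose first character lies in `first_chars` (default: any).
    Each subset of classes assumed *absent* contributes the strings avoiding
    those classes, with alternating sign (inclusion-exclusion)."""
    alphabet = set(alphabet)
    first = set(first_chars) if first_chars is not None else alphabet
    total = 0
    for n in range(min_len, max_len + 1):
        for k in range(len(required) + 1):
            for absent in combinations(required, k):
                banned = set("".join(absent))
                f = len(first - banned)      # choices for position 1
                a = len(alphabet - banned)   # choices for positions 2..n
                total += (-1) ** k * f * a ** (n - 1)
    return total


# Policies transcribed from the posts above; the labels and keys are mine.
POLICIES = {
    "ING Romania (exactly 5 digits)": dict(min_len=5, max_len=5, alphabet=digits),
    "Credit Agricole (6 digits)": dict(min_len=6, max_len=6, alphabet=digits),
    "Techcombank (6-8 alnum, digit+lower+upper)": dict(
        min_len=6, max_len=8, alphabet=ALNUM,
        required=(digits, ascii_lowercase, ascii_uppercase)),
    "Virgin Media (8-10 alnum, first is a letter)": dict(
        min_len=8, max_len=10, alphabet=ALNUM, first_chars=ascii_letters),
    "AmiAmi (6-12 alnum)": dict(min_len=6, max_len=12, alphabet=ALNUM),
}


def policy_bits(name):
    """log2 of the space size: the most entropy a uniformly random
    policy-compliant password can have."""
    return math.log2(count_passwords(**POLICIES[name]))


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:46s} {policy_bits(name):6.1f} bits")
```

Note that Techcombank's "one of each class" requirement yields fewer passwords than plain 6-8 character alphanumerics, since it forbids every string missing a class.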
This dumb password rule is from Anthem.com.
* Use 8-20 characters.
* Use 1 letter and 1 number.
* $ ! @ * ? | also allowed.
* Don't use spaces.
* Don't use the same character three times in a row.
* Don't use part of the username.
https://dumbpasswordrules.com/sites/anthem-com/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
when they say videogames are unrealistic because a combination number is written on a note near the safe
This dumb password rule is from NordVPN.
- Password cannot be longer than 48 characters.
https://dumbpasswordrules.com/sites/nordvpn/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CAF (French Family Allowance Fund).
You have to enter your 8-digit password using this Frenchy keypad.
https://dumbpasswordrules.com/sites/caf-french-family-allowance-fund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
In March 2026, Kubernetes will retire Ingress NGINX, a piece of critical infrastructure for about half of cloud native environments... Existing deployments will continue to work, so unless you proactively check, you may not know you are affected until you are compromised:
https://kubernetes.io/blog/2026/01/29/ingress-nginx-statement/
This dumb password rule is from College Board.
Password must be 9-30 characters with at least one upper case letter, one lower case letter, one number and one special character (no spaces) and be different than your username.
https://dumbpasswordrules.com/sites/college-board/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from CENLAR.
Your password can meet all the requirements in the list and still be invalid due to
an unspecified rule: any "special characters" that are not listed in the help text
are not allowed. Worse, it provides no useful feedback other than the "New Password"
field is red.
https://dumbpasswordrules.com/sites/cenlar/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
This dumb password rule is from NVV (Nordhessische VerkehrsVerbund).
Password length must be 4 to 10 characters with only a few special characters allowed.
https://dumbpasswordrules.com/sites/nvv-nordhessische-verkehrsverbund/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
"DOGE" the experts, kill morale and force the remaining competent staff out, then hire sycophants and rubes. What could go wrong...
Oh, a reminder -- standards are lower for *acting* directors -- can bypass much of the usual screening.
https://arstechnica.com/tech-policy/2026/01/us-cyber-defense-chief-accidentally-uploaded-secret-government-info-to-chatgpt/
h/t @kimcrawley
https://zeroes.ca/@kimcrawley/115978548564763335
#infosec #cybersecurity #CISA
This dumb password rule is from PayPal.
Must be between 8 and 20 characters, no spaces, uppercase and lowercase, one symbol...
The rule limits special characters to !@#$%^&*(). but my current password has a "-" in it so someone decided to restrict this further which is totally backwards. Things are meant to get better not worse!
https://dumbpasswordrules.com/sites/paypal/
#password #passwords #infosec #cybersecurity #dumbpasswordrules
a very interesting email I just got from one of the major pen test firms who have worked for me before:
"All deliverables provided by our team incorporate $pentesters intellectual property, including proprietary methods, data, and other protected materials. These elements are furnished solely for your organization's internal business use under the terms of our agreement.
To protect this intellectual property, we want to reiterate that deliverables may not be used—whether in whole, in part, or in derivative form—to train, fine tune, or otherwise develop any artificial intelligence or machine learning models. This includes, but is not limited to:
- use of proprietary content in AI training datasets
- uploading deliverables to third party AI or ML tools
- using deliverables to generate prompts, embeddings, or model inputs
These restrictions help ensure the continued security, confidentiality, and integrity of our intellectual property and the services we provide to you.
Extended licenses for training AI or ML models on your Deliverables or $pentesters data may be available under separate licensing terms."
So, basically that sounds like, if you want to use the pen test report you paid for to generate an AI powered remediation, you must pay for an extra license to do so....
MMMMMMmmmmMMMhhhhmmmm
Interesting. Gonna ponder that one for a bit.