Why is not every emailaddress an alias?

Access to your mailbox would be a totally unrelated username + password/MFA.

Why are we still giving away a free factor for compromise with every email we send?

#infosec #informationsecurity

@fschaap Skill issue.

Some of us have divorced authentication from message transport and delivery for decades. And talked about it. And advocated for it. And been mostly ignored.

Literally every email address that delivers to my main mailbox is an alias of some sort. Has been since 1995 when I fired up my own mail server. My mail is delivered into a Maildir+ mailbox owned by a system account whose name I have never used in an email address and never will.

#InfoSec

This dumb password rule is from LibraryThing.

"Your password cannot be longer than 20 characters"

https://dumbpasswordrules.com/sites/librarything/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Return of Reckoning.

Password must be between 6 and 100 characters.

It doesn't say on the website, but the password only works in the related game client if it is purely alphanumeric. Not even special characters like % or $ are allowed.

https://dumbpasswordrules.com/sites/return-of-reckoning/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from myezyaccess.com patient portal system.

12-character maximum password length. This is not a single website but a patient portal system used by hundreds of medical facilities via subdomains, with password policy apparently being consistent for all sites.

https://dumbpasswordrules.com/sites/myezyaccess-com-patient-portal-system/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Coventry Building Society.

Password has to be between 6 and 10 characters, can't contain any punctuation and you have to give characters from it on the phone to confirm identity.

https://dumbpasswordrules.com/sites/coventry-building-society/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Proton built their entire brand on one promise: Swiss law means government agencies can't touch your data.
Their own Terms of Service, their own infrastructure contracts, and a federal court case from March say otherwise.

https://blog.ppb1701.com/not-even-government-agencies

#bigtech #blog #infosec #privacy #proton #protonmeet #security #surveillance #userhostile #selfhosting

This dumb password rule is from Nelnet (student loan servicer).

8 to 15 characters and no spaces? Why no spaces? Also limited to only these 6 special characters. That could mean that there is some process somewhere that puts this as part of a command line invocation.

https://dumbpasswordrules.com/sites/nelnet-student-loan-servicer/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Good morning. Working on a DV request for groceries this week. We're at $80/$150 if you'd like to support. Please RT for reach! Thanks so much.😍

C: $Lockdownyourlife
V: lockdownyourlife
https://www.ko-fi.com/lockdownyourlife

#MutualAidRequest #mutualaid #community #safety #privacy #tech #infosec

hey so this is probably completely pointless but: looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years expereince administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps #GetFediHired

Please boost for reach, any job offers please DM me.

This dumb password rule is from Unicaja.

Username is your national Spanish ID (easy to find).
Your password must be 6 characters long. You can't type, only select characters from the virtual keyboard

https://dumbpasswordrules.com/sites/unicaja/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

We should be doing this:

“The Netherlands is building a "digital emergency kit" in case the internet shuts down nationwide”

#CDNPoli #DigitalSovereignty #Infosec
https://cybernews.com/security/netherlands-build-a-digital-emergency-kit-internet-shutdown-nationwide/

hey so this is probably completely pointless but: looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years expereince administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps

Please boost for reach, any job offers please DM me.

@briankrebs Breaking #infosec Electronic Frontier Foundation Announces Departure from X After Nearly 20 Years👏🏼

RE: https://mastodon.social/@campuscodi/116374926358861040

This is a big freaking deal, and Anthropic is handwaving it away. Basically a malicious actor can remove the safety rails, and Claude becomes a pretty serious penetration tool.

#infosec #claude #vibecode #llm #ai

One of my first interactions with encryptions was PGP, by Philip Zimmermann

I wanted certain emails to be encrypted with a public private key pair combination

In reading Zimmermann, documentation I noticed that there could be something wrong.

Source code openness and other eyeballs were needed.

## We got that in openGPG

I've NEVER trusted closed source encryption schemes.

I sometimes also verify if the shadow that's following me is actually mine

@h3artbl33d @Rairii

#InfoSec #programming #encryption #VeraCrypt #WireGuard #WindScribe #technology #microSlop

RE: https://flipboard.com/@404media/404-media-qvt3vv94z/-/a-qoIXNx-4Q-i9Qb4-DwsX5A%3Aa%3A4082434389-%2F0

If you think there's any chance that law enforcement might ever be interested in the content of your Signal chats, and you don't want them to have access to them, then setting up disappearing messages is necessary but not sufficient. You also need to go into the Signal settings and either disable notifications completely or set them to show "No name or message" so the content won't be capture and preserved in the phone's notification database.
#infosec #privacy #OpSec "#antifa"

On the lemmy wires I've read that it has happened with three specific accounts

It's a coordinated attack. Microsoft wants these programs to disappear from its ecosystems. No one has access to drives and systems which are encrypted with these programs apart from the owner.

https://lemmy.world/post/45356143

@h3artbl33d

#InfoSec #programming #encryption #VeraCrypt #WireGuard #WindScribe #technology #microSlop

This dumb password rule is from Itaú Bank.

I know, it's in spanish, let me translate this monstrosity for you.

- Allowed characters: letters A to Z uppercase or lowercase (ñ is not allowed), number 0 to 9, #, $, %, &, +, -, . :, ;, _.
- You must use 8 characters.
- The password must contain at least one letter and at least one number.
- ...

https://dumbpasswordrules.com/sites/itau-bank/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Does this mean that you shall also stop using curl?

AFAIK Daniel doesn't care what is used to find bugs

@rl_dane

https://mastodon.social/@bagder/116373716541500315

#curl #LLM #hallucinated #slop #AI #InfoSec #programming #technology

Oh boy…
https://edition.cnn.com/2026/04/08/china/china-supercomputer-hackers-hnk-intl

> A [cyberthreat actor] has allegedly stolen a massive trove of sensitive data – including highly classified defense documents and missile schematics – from a state-run Chinese supercomputer

> The dataset, which allegedly contains more than 10 petabytes of sensitive information, is believed by experts to have been obtained from the National Supercomputing Center (NSCC) in Tianjin

🧵

#InfoSec #China

@neil #linux #infosec

This dumb password rule is from Bank Millennium.

Passwords limited to 8 digits.

https://dumbpasswordrules.com/sites/bank-millennium/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

attention anybody with substantial experience with Rust and networking: my team is hiring!!

one of few rust jobs I'm aware of that is not web 3.0 horseplop.

fully remote (US timezones), good culture, good trans-inclusive healthcare, good work/life balance, and a nice defensive cybersecurity mission i can get behind.

feel free to reach out for more details and the job posting.

#fedihired #rust #infosec #cybersecurity #ot #ics

hey so this is probably completely pointless but: looking for a job (NZ or fully remote willing to hire a kiwi) in SRE, security, or linux/Unix system administration. 15 years expereince administering Linux and Unix boxes, intermediate level of experience working with docker compose and containerisation and container security. No prior job experience unfortunately, all those 15 years were mostly personal projects and small-scale stuff for friends. Currently running an entire multi-machine personal cloud infrastructure with a demonstration of all the services I have running at https://status.highenergymagic.net. Entirely willing to accept entry-level job placements, no expectation of being paid a lot or anything, just want to be doing something and move the needle a little on my current "being broke" status. #fedihired #infosec #cybersecurity #linux #unix #docker #sre #DevOps

Please boost for reach, any job offers please DM me.

Attackers are impersonating a @linuxfoundation leader in Slack to target #opensource developers with a multi-stage attack that ends in malware delivery. @openssf issued a high-severity advisory.

More details and screenshots of the lure: https://socket.dev/blog/attackers-impersonating-linux-foundation-leaders-in-slack-targeting-oss-developers #infosec

#Microsoft locks account that #VeraCrypt maintainer uses to sign #Windows bootloaders with no explanation or route for appeal. If they don't fix this, in a few months every Windows computer that uses VeraCrypt whole-disk encryption will stop being able to boot and all the data on it that isn't backed up elsewhere will be lost. 🤦
If this doesn't convince you big tech has too much control, I don't know what will.
h/t @zackwhittaker
https://techcrunch.com/2026/04/08/veracrypt-encryption-software-windows-microsoft-lock-boot-issues/
#infosec #privacy #TechIsShitDispatch

This dumb password rule is from Inria.

This is the account for those who work at [Inria](https://www.inria.fr/)
"the French national research institute for
the digital sciences".

You have to wonder what's wrong with these special characters but not
the other ones.
- Password expiration once a year
- Your password must contain at leas...

https://dumbpasswordrules.com/sites/inria/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Critical File Upload Vulnerability Reported in Ninja Forms Plugin for WordPress

A critical unauthenticated arbitrary file upload vulnerability in the Ninja Forms – File Upload plugin (CVE-2026-0740) allows attackers to achieve remote code execution.

**If you are using the Ninja Forms File Upload plugin, this is urgent! Immediately update to version 3.3.27. You can't hide WordPress from the internet, it's made to be visible online. Since this flaw is being actively scanned for, any delay in patching leaves your site exposed to automated attacks. After the update, review server logs for suspicious requests targeting the handle_upload action.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-file-upload-vulnerability-in-ninja-forms-plugin-exposes-50000-wordpress-sites-j-m-6-0-i/gD2P6Ple2L

This dumb password rule is from Deutsche Kreditbank AG (DKB).

Passwords for the online banking web frontend do not have a max length constraint, but using the same password to
log in to the official iOS DKB app requires the password to be no longer than 38 characters.

https://dumbpasswordrules.com/sites/deutsche-kreditbank-ag-dkb/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@briankrebs Brian, your Forest Blizzard report is my reality. Case SIR23252176: I’m an NY small biz owner with 10yrs of data held by a thief. MS admits the theft but leaves a 'bot' in charge. Between token-theft & today's #BlueHammer zero-day, 'you own nothing' is a professional liability. Manually rescuing 3TB of data now to keep my clients safe. #Microsoft #SmallBusiness #Infosec

Alt...

A photograph of a dual-monitor workstation in a home office. On a standard 16:9 monitor, a wallpaper featuring a goose at sunset appears clear and properly scaled. On the adjacent 34-inch ultrawide monitor, the same image is heavily distorted and 'grainy,' appearing as a mass of orange and brown pixels due to extreme scaling artifacts. To the side of the monitors sit several metal 90-degree corner clamps and a half-eaten lunch, highlighting the contrast between tangible hardware work and a digital security crisis.

one of my favorite google sheets features is when you are compiling lists of malicious actors email identifiers it pops up and says "hey, you mentioned blah@evil.com, but they don't have access to this sheet! would you like to give them access?"

#infosec

Hello, world!

We are IFIN, the Independent Federated Intelligence Network, and we want to change how threat intelligence is done.

We believe we're all safer when we share what we know. Come learn more and join us!

https://ifin-intel.org/blog/hello/

#ThreatIntel #ThreatIntelligence #Cybersecurity #Infosec

2026 Lumen Defender Threatscape Report https://www.lumen.com/en-us/resources/2026-threat-intelligence-report.html

Betanews: GenAI being used to industrialize cybercrime https://betanews.com/article/genai-being-used-to-industrialize-cybercrime/ @betanews @iandbarker #infosec

This dumb password rule is from Air France.

- Between 8 to 12 characters
- Should contain capital, lowercase letters and numbers

https://dumbpasswordrules.com/sites/air-france/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

@bagder

Just so I understand this correctly...
We don't want machine generated vulerability reports...

...so we can leave our #foss projects vulnerable to hackers who are not constrained by ideology in their sploits using #Ai ?

Yeah, that tracks with the current majority of #infosec "professionals" letting the Rome burn while they roast the marshmallows, feeling super pure and superior.

This dumb password rule is from MySwissLife.

User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.

https://dumbpasswordrules.com/sites/myswisslife/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

It’s interesting how many people think wanting privacy means you’re doing something nefarious. The fact is, privacy is about sharing what you want with whom you choose.

(I don’t recall who wrote these words or where I originally saw them. I only made the graphic.)

#Privacy #InfoSec #OpSec #BigBrother

Alt...

Illustration of some eyes looking straight at you followed by text that reads “I need privacy, not because my actions are questionable. But because your judgment and intentions are.”

It has been a busy winter so far for me, which is why I haven't been posting a lot here. But today I'm proud to share with you the fruits of some of that labor: The Colorado Democratic Party's platform for 2026. For those unfamiliar, a platform (in the US) is a statement of values that a political party stands for, generally agreed upon by people who stand for election as representatives of the party.

I was elected during last year's party re-org to the Platform Committee. The chair of the committee asked if I would run the subcommittees for two of the "planks" (sections) of the platform: the Democracy section, and the New Tech & AI section. It was an honor to work on both.

I'm going to share screenshots from the New Tech & AI plank because it's relevant to the work I do here, and I think a lot of people might be interested to see this statement of values. This plank is brand new, never before covered in prior Platform documents.

I'm also pleased to report that the whole of the Platform Committee and the roughly 1500 delegates to last weekend's statewide party Assembly voted to approve this as-is, with no additional changes, on a vote of 98.9% in favor.

There's a lot to like, but my favorite aspect of this is that I managed to get widespread approval for use of the term #enshittification in the official platform, both from the Platform committee and the larger party leadership. Thanks @pluralistic for the inspiration. (I believe this is the first time the term has been used in any official political party platform ever.)

The full platform is readable at https://www.coloradodems.org/platform

#AI #datasovereignty #privacy #infosec #techequity #R2R #RightToRepair #politics #COpolitics #Boulder #Colorado #Democracy #democrats

Alt...

New and emerging technologies, medicine, engineering, and science hold the promise of economic growth and improved quality of life, but they also pose the risk of real harm. Colorado Democrats propose a coordinated effort to efficiently and responsibly grow and regulate new technologies, ensuring the pros outweigh the cons. Emerging Science, Technology, and Engineering Colorado Democrats support the responsible growth and development of emerging science, technology, and engineering in Colorado and we will work to: Support STEM fields in K-12 and higher education. Encourage partnerships between education and industry. Ensure that tech and media ethics, literacy, safety, and privacy are taught at all levels of education. Form an independent Colorado Technology Assessment Office to evaluate emerging technologies for risks to residents, workers, and communities, and to recommend regulation to minimize harm.

Alt...

Technology Equity and Accessibility for all Coloradans Colorado Democrats recognize that all Coloradans must have equal access to new technologies to thrive and succeed. Therefore, we will work to: Require impact assessments before deploying new technologies that may affect jobs, communities, or public services, and provide transition support for affected workers and residents. Continue the strong defense of election systems Ensure new technology is available to all Coloradans. Prioritize open platforms and help avoid any one technology or platform gaining a monopoly in its area of service. Roll out high-speed broadband service to every corner of the state and ensure no new monopolies are created. Make every effort to push back on “enshittification” – the gradual worsening of online services and technology products we rely on, purely in pursuit of profit.

Alt...

Protect Human and Civil Rights in Emerging Technologies Emerging and existing technologies, science, medicine, and engineering must be safe, fair, and protect both human and civil rights. Because a technology system can never be held accountable for its actions, technology alone should never have the final say on life-or-death decisions. We will work to: Ensure each Coloradan owns the data about them on any platform or technology. Strictly limit the use of digital surveillance. Require any technology provider to fully and simply explain their product’s capabilities Enable users to opt in, instead of opt out, of data collection or data sharing with third parties. Adopt a state and federal constitutional amendment protecting the right to data privacy. Ensuring government searches, surveillance, or collection of personal information occur only with due process, a lawful warrant, or in narrowly defined national security matters. Strengthen Colorado's cybersecurity posture by requiring state agencies and critical infrastructure operators to adopt modern security standards, promptly notify residents of data breaches, and invest in cybersecurity workforce development.

Alt...

Limit Abusive or Harmful Practices by AI Companies Generative AI has the potential to cause societal harm to both Colorado residents and good government practices. As such, the Colorado Democratic Party will work to: Protect Colorado jobs: AI should support, not replace, skilled professionals; employers should not devalue human workers. Keep humans in charge: People, not algorithms, must be the final deciders when life-safety, health, or labor and wage decisions must be made. Respect creators: Companies must get permission before using someone’s work to train AI systems, and they must fairly compensate people for their contributions. Defend scarce resources: Technology companies should invest in renewable resources and water conservation practices. Data center demands for clean water, power, and space must be secondary to the need for Colorado residents to access those scarce resources. Protect personal identity and privacy: Coloradans have the ultimate right to control information or imagery portraying them; the AI industry must respond to reports of harm in a timely and effective manner. Require transparency and human oversight when state and local government agencies use AI or automated systems in decisions affecting Coloradans' benefits, services, rights, or freedom

This dumb password rule is from Bank of America.

20 character max and lots of special character restrictions.
Bank of America - keeping your money safe.

Also: If you paste a password greater than 20 characters,
the form truncates it without telling you or giving an
error.

https://dumbpasswordrules.com/sites/bank-of-america/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Trenord.

- Password must consist of 8-16 characters
- Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.

https://dumbpasswordrules.com/sites/trenord/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

Hey fedi
Does anyone know a good opensource firewall for a Linux server with an admin panel in web or tui?

I want to see recent tcp & udp connections, preferrably some info about their contents (e.g. compute JA4 fingerprint for TLS, extract domain from DNS request) and be able to immediately block by source/dest IP subnet, ASN, geoip, maybe even by JA4.

I guess i can just google it but i want to hear your recommendations. Firewall is a high-privileged software that have to be trusted anyway.

Thank you

#askfedi #linux #selfhosted #infosec #firewall

This dumb password rule is from Air Miles.

- Exactly 4 numbers.

https://dumbpasswordrules.com/sites/air-miles/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Safeway.

Passwords limited to 8-12 characters.

https://dumbpasswordrules.com/sites/safeway/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

This dumb password rule is from Green Flag.

- 8 to 10 characters
- No special characters

https://dumbpasswordrules.com/sites/green-flag/

#password #passwords #infosec #cybersecurity #dumbpasswordrules

There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.

Not any more!

Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
https://github.com/jgamblin/OpenClawCVEs/

Bam! RCE by asking nicely.

🧵

#OpenClaw #AI #Hype #InfoSec

@nielsa no, that's not what I'm telling you.

I prefer to believe that most people will be thoughtful.

＂… a huge number of bugs. I have so many bugs in the Linux kernel that I can't report because I haven't validated them yet. I'm not going to make some open source developer validate bugs that I haven't checked yet. I'm not going to send them potential slop … I now have … several hundred crashes that they haven't seen because I haven't had time to check them. We need to find a way to fix this …＂

– Nicholas Carlini

#Linux #FreeBSD #security #cybersecurity #infosec #AI #LLMs

Alt...

Screenshot: a frame from https://www.youtube.com/watch?v=1sd26pWhfmg

This dumb password rule is from State Bank of India (Foreign Travel Card).

State Bank of India is the largest government operated bank in India.
They offer "travel" prepaid cards for foreign currencies, this is for
their portal for the prepaid card users to manage their account.

Your password must:
- Be between 8 and 9 characters long
- Contain at least 1 lowercase c...

https://dumbpasswordrules.com/sites/state-bank-of-india-foreign-travel-card/

#password #passwords #infosec #cybersecurity #dumbpasswordrules