cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description: Cablespaghetti's personal snac instance
Admin email: sam@cablespaghetti.dev
Admin account: @sam@cablespaghetti.dev

Search results for tag #infosec

Dumb Password Rules » 🤖 🌐
@dumbpasswordrules@infosec.exchange

This dumb password rule is from Air France.

- Between 8 to 12 characters
- Should contain capital, lowercase letters and numbers

dumbpasswordrules.com/sites/ai

    Wulfy—Speaker to the machines » 🌐
    @n_dimension@infosec.exchange

    @bagder

    Just so I understand this correctly...
    We don't want machine generated vulnerability reports...

    ...so we can leave our projects vulnerable to hackers who are not constrained by ideology in their sploits using ?

    Yeah, that tracks with the current majority of "professionals" letting Rome burn while they roast the marshmallows, feeling super pure and superior.

      Dumb Password Rules » 🤖 🌐
      @dumbpasswordrules@infosec.exchange

      This dumb password rule is from MySwissLife.

      User ID *has to* be 8 characters exactly, password *has to be* 8 characters and numbers only.

      dumbpasswordrules.com/sites/my

        Mark Wyner Won’t Comply :vm: » 🌐
        @markwyner@mas.to

        It’s interesting how many people think wanting privacy means you’re doing something nefarious. The fact is, privacy is about sharing what you want with whom you choose.

        (I don’t recall who wrote these words or where I originally saw them. I only made the graphic.)

        Illustration of some eyes looking straight at you followed by text that reads “I need privacy, not because my actions are questionable. But because your judgment and intentions are.”


          BrianKrebs boosted

          Andrew 🌻 Brandt 🐇 » 🌐
          @threatresearch@infosec.exchange

          It has been a busy winter so far for me, which is why I haven't been posting a lot here. But today I'm proud to share with you the fruits of some of that labor: The Colorado Democratic Party's platform for 2026. For those unfamiliar, a platform (in the US) is a statement of values that a political party stands for, generally agreed upon by people who stand for election as representatives of the party.

          I was elected during last year's party re-org to the Platform Committee. The chair of the committee asked if I would run the subcommittees for two of the "planks" (sections) of the platform: the Democracy section, and the New Tech & AI section. It was an honor to work on both.

          I'm going to share screenshots from the New Tech & AI plank because it's relevant to the work I do here, and I think a lot of people might be interested to see this statement of values. This plank is brand new, never before covered in prior Platform documents.

          I'm also pleased to report that the whole of the Platform Committee and the roughly 1500 delegates to last weekend's statewide party Assembly voted to approve this as-is, with no additional changes, on a vote of 98.9% in favor.

          There's a lot to like, but my favorite aspect of this is that I managed to get widespread approval for use of the term in the official platform, both from the Platform committee and the larger party leadership. Thanks @pluralistic for the inspiration. (I believe this is the first time the term has been used in any official political party platform ever.)

          The full platform is readable at coloradodems.org/platform

          

New and emerging technologies, medicine, engineering, and science hold the promise of economic growth and improved quality of life, but they also pose the risk of real harm. Colorado Democrats propose a coordinated effort to efficiently and responsibly grow and regulate new technologies, ensuring the pros outweigh the cons.


Emerging Science, Technology, and Engineering

Colorado Democrats support the responsible growth and development of emerging science, technology, and engineering in Colorado and we will work to:

    Support STEM fields in K-12 and higher education.

    Encourage partnerships between education and industry. 

    Ensure that tech and media ethics, literacy, safety, and privacy are taught at all levels of education. 

    Form an independent Colorado Technology Assessment Office to evaluate emerging technologies for risks to residents, workers, and communities, and to recommend regulation to minimize harm.


          Technology Equity and Accessibility for all Coloradans

Colorado Democrats recognize that all Coloradans must have equal access to new technologies to thrive and succeed. Therefore, we will work to: 

    Require impact assessments before deploying new technologies that may affect jobs, communities, or public services, and provide transition support for affected workers and residents.

    Continue the strong defense of election systems

    Ensure new technology is available to all Coloradans.

    Prioritize open platforms and help avoid any one technology or platform gaining a monopoly in its area of service.

    Roll out high-speed broadband service to every corner of the state and ensure no new monopolies are created.

    Make every effort to push back on “enshittification” – the gradual worsening of online services and technology products we rely on, purely in pursuit of profit.


          Protect Human and Civil Rights in Emerging Technologies

Emerging and existing technologies, science, medicine, and engineering must be safe, fair, and protect both human and civil rights. Because a technology system can never be held accountable for its actions, technology alone should never have the final say on life-or-death decisions. We will work to:

    Ensure each Coloradan owns the data about them on any platform or technology. 

    Strictly limit the use of digital surveillance.

    Require any technology provider to fully and simply explain their product’s capabilities

    Enable users to opt in, instead of opt out, of data collection or data sharing with third parties.

    Adopt a state and federal constitutional amendment protecting the right to data privacy. Ensuring government searches, surveillance, or collection of personal information occur only with due process, a lawful warrant, or in narrowly defined national security matters.

    Strengthen Colorado's cybersecurity posture by requiring state agencies and critical infrastructure operators to adopt modern security standards, promptly notify residents of data breaches, and invest in cybersecurity workforce development.


          Limit Abusive or Harmful Practices by AI Companies

Generative AI has the potential to cause societal harm to both Colorado residents and good government practices. As such, the Colorado Democratic Party will work to:

    Protect Colorado jobs: AI should support, not replace, skilled professionals; employers should not devalue human workers. 

    Keep humans in charge: People, not algorithms, must be the final deciders when life-safety, health, or labor and wage decisions must be made.

    Respect creators: Companies must get permission before using someone’s work to train AI systems, and they must fairly compensate people for their contributions.

    Defend scarce resources: Technology companies should invest in renewable resources and water conservation practices. Data center demands for clean water, power, and space must be secondary to the need for Colorado residents to access those scarce resources.

    Protect personal identity and privacy: Coloradans have the ultimate right to control information or imagery portraying them; the AI industry must respond to reports of harm in a timely and effective manner. 

    Require transparency and human oversight when state and local government agencies use AI or automated systems in decisions affecting Coloradans' benefits, services, rights, or freedom


            Dumb Password Rules » 🤖 🌐
            @dumbpasswordrules@infosec.exchange

            This dumb password rule is from Bank of America.

            20 character max and lots of special character restrictions.
            Bank of America - keeping your money safe.

            Also: If you paste a password greater than 20 characters,
            the form truncates it without telling you or giving an
            error.

            dumbpasswordrules.com/sites/ba

              Dumb Password Rules » 🤖 🌐
              @dumbpasswordrules@infosec.exchange

              This dumb password rule is from Trenord.

              - Password must consist of 8-16 characters
              - Must contain 3 out of 4 of the following: lowercase characters, uppercase character, digits (0-9), and one or more of the following symbols: @#$%^&*-_+=[]{}|\:',?/`~“();.

              dumbpasswordrules.com/sites/tr

                Dumb Password Rules » 🤖 🌐
                @dumbpasswordrules@infosec.exchange

                This dumb password rule is from Safeway.

                Passwords limited to 8-12 characters.

                dumbpasswordrules.com/sites/sa

                  Dumb Password Rules » 🤖 🌐
                  @dumbpasswordrules@infosec.exchange

                  This dumb password rule is from Green Flag.

                  - 8 to 10 characters
                  - No special characters

                  dumbpasswordrules.com/sites/gr

                    Michał "rysiek" Woźniak · 🇺🇦 » 🌐
                    @rysiek@mstdn.social

                    There used to be a time when building out a botnet required *some* work – writing exploits, taking over devices, obscuring the purpose of the executable, etc.

                    Not any more!

                    Instead of "malware", call it an "AI agent" and people will just happily install it on their devices with full root privileges!
                    github.com/jgamblin/OpenClawCV

                    Bam! RCE by asking nicely.

                    🧵

                      Graham Perrin » 🌐
                      @grahamperrin@mastodon.bsd.cafe

                      @nielsa no, that's not what I'm telling you.

                      I prefer to believe that most people will be thoughtful.

                      "… a huge number of bugs. I have so many bugs in the Linux kernel that I can't report because I haven't validated them yet. I'm not going to make some open source developer validate bugs that I haven't checked yet. I'm not going to send them potential slop … I now have … several hundred crashes that they haven't seen because I haven't had time to check them. We need to find a way to fix this …"

                      – Nicholas Carlini

                      Screenshot: a frame from https://www.youtube.com/watch?v=1sd26pWhfmg


                        Dumb Password Rules » 🤖 🌐
                        @dumbpasswordrules@infosec.exchange

                        This dumb password rule is from State Bank of India (Foreign Travel Card).

                        State Bank of India is the largest government operated bank in India.
                        They offer "travel" prepaid cards for foreign currencies, this is for
                        their portal for the prepaid card users to manage their account.

                        Your password must:
                        - Be between 8 and 9 characters long
                        - Contain at least 1 lowercase c...

                        dumbpasswordrules.com/sites/st

                          Dumb Password Rules » 🤖 🌐
                          @dumbpasswordrules@infosec.exchange

                          This dumb password rule is from Paytm.

                          Password must be between 5 and 15 characters. Also, spaces don't count
                          as characters.

                          dumbpasswordrules.com/sites/pa

                            Ivor Hewitt boosted

                            Mark Wyner Won’t Comply :vm: » 🌐
                            @markwyner@mas.to

                            WARNING: LinkedIn has your profile. They have more from illegally spying on you.

                            “LinkedIn started injecting malicious code into the browsers of their users, without their knowledge or their consent. At the time of writing, this code downloads a list of 6,222 software products and brute-forces the detection of each one.”

                            More info:
                            browsergate.eu/executive-summa

                            What you can do:
                            browsergate.eu/take-action/

                            🧵 1/2

                            Emulation of the LinkedIn logo, changed to read “unauthorized.”


                              Dumb Password Rules » 🤖 🌐
                              @dumbpasswordrules@infosec.exchange

                              This dumb password rule is from LINE.

                              Password must:
                              - be between 8 to 20 characters
                              - not contain characters that repeat in a row
                              Password must contain three of the following:
                              - an upper-case letter
                              - a lower-case letter
                              - a number
                              - a symbol

                              dumbpasswordrules.com/sites/li

                                Jonathan Kamens 86 47 » 🌐
                                @jik@federate.social

                                This is my second "holy shit" of the day.
                                Apparently it's silently collecting data on every extension you use every time you visit the site. Which it then uploads, with your identity attached to it.
                                This is absolutely horrifying. Literally, people should go to jail over this.

                                browsergate.eu/

                                  Paco Hope boosted

                                  Metin Seven 🎨 » 🌐
                                  @metin@graphics.social

                                  Dumb Password Rules » 🤖 🌐
                                  @dumbpasswordrules@infosec.exchange

                                  This dumb password rule is from Telekom.

                                  At first glance, their policy looks good - sure, the upper limit was chosen without necessity
                                  and they enforce characters from all four groups, but your password manager will most likely come up with something suitable.

                                  The website even tells you how 'wunderbar' your new password is - only to t...

                                  dumbpasswordrules.com/sites/te

                                    mle✨ boosted

                                    mle✨ » 🌐
                                    @mle@infosec.exchange

                                    Last summer I looked at the Internet exposure of a few devices that have historically been the subject of attacks by Iranian threat actors. Given continued activity in the region, I refreshed that data and took another look at exposures.

                                    Good news: all four device/software types showed at least a slight decrease in exposures since last June, even if we aren't entirely sure why.

                                    More details + graphs here: censys.com/blog/ics-iran-part-

                                      Dumb Password Rules » 🤖 🌐
                                      @dumbpasswordrules@infosec.exchange

                                      This dumb password rule is from Alipay.

                                      - 8-20 characters (numbers or letters)
                                      - no special characters allowed
                                      - in the mobile app

                                      dumbpasswordrules.com/sites/al

                                        Aral Balkan boosted

                                        Julian Oliver » 🌐
                                        @JulianOliver@mastodon.social

                                        NodeJS, for all the brilliant projects out there leaning on it, has a supply chain that might as well run the length of a dark alley permanently at 2am in the club district.

                                        thehackernews.com/2026/03/axio

                                        Anyway, hope none of you good people are affected by this latest pox

                                          occult » 🌐
                                          @occult@vox.ominous.net

                                          Watching the livestream of the Artemis II launch, I just witnessed one of the astronauts type in the password on their tablet while sitting in the capsule on camera.

                                          Astronauts sitting in the Artemis II capsule using a tablet computer.

                                            Paco Hope [He/Him] » 🌐
                                            @paco@infosec.exchange

                                            We can quit and just go farm potatoes or something. After 25 years of one of the most talked-about tech companies invents a daemon process that

                                            makes use of a file-based “memory system” designed to allow for persistent operation across user sessions.

                                            Sure. Just store your system instructions in a random text file.

                                            Why are we installing endpoint protection on this system?

                                            Why do we verify cryptographic signatures on software updates to this system?

                                            Why are we building a zero trust security environment?

                                            Why do we scan email to avoid social engineering emails?

                                            Our AI-assisted users are gonna YOLO right past all that. And if they can’t get past our controls, this agentic Frankenstein will write itself some markdown and work quietly in the background figuring out how to bypass something the user couldn’t bypass on their own.

                                            This is in 2026

                                              GAYINT » 🌐
                                              @gayint@infosec.exchange

                                              Please don't call us sellouts [SENSITIVE CONTENT]

                                              GAYINT is excited to announce that we have been acquired by The Onion. In a time where the news is what it is, The Onion is having difficulties satirizing it beyond reality. As such, they are now pivoting from America's finest news source to becoming America's finest threat intel source.

                                              Given that both The Onion and GAYINT started as shitposts that accidentally got out of hand, this partnership only makes sense and we look forward to the resources an outfit like The Onion can provide.

                                              When asked to comment, GAYINT CEO John Mastodon replied from his new private jet "lol. lmao even."

                                                Dumb Password Rules » 🤖 🌐
                                                @dumbpasswordrules@infosec.exchange

                                                This dumb password rule is from E-Redes.

                                                Portuguese power distribution company, which requires short passwords (10 to 15 characters), no repetition of the same character, not using the username, the word "PASS" or the word "SAP" in the password, and limiting which special characters can be used.

                                                dumbpasswordrules.com/sites/e-

                                                  Fedora Project » 🌐
                                                  @fedora@fosstodon.org

                                                  TLS and SSH rely on Certificate Authorities (CAs) for authentication, but they also present a vector for Man in the Middle attacks. What if you could set up your own CA to reduce your exposure?

                                                  ➡️ fedoramagazine.org/make-a-priv

                                                    Chewie boosted

                                                    Jonathan Kamens 86 47 » 🌐
                                                    @jik@federate.social

                                                    This is alarming but not surprising:
                                                    forbes.com/sites/the-wiretap/2
                                                    TLDR If you access multiple Google accounts from the same device, and the cops know about one of the accounts and ask Google the right questions, Google will tell the cops about the other accounts.
                                                    The general lesson here is one we already know: if you have any sort of account you don't want linked to you, you can't ever access it from a device or network connection you use other accounts on.
                                                    Caveat usor.

                                                      Dumb Password Rules » 🤖 🌐
                                                      @dumbpasswordrules@infosec.exchange

                                                      This dumb password rule is from BMW ConnectedDrive.

                                                      Although the prompt suggests good things, after many failed attempts to
                                                      set a new password, it turns out you can ONLY use the special characters
                                                      shown in the prompt

                                                      dumbpasswordrules.com/sites/bm

                                                        Paul Chambers🚧 » 🌐
                                                        @paul@oldfriends.live

                                                        Another round of scammers. Beware of Scammers Claiming to be Ohio Bureau of Motor Vehicles texting you saying you owe a ticket and to pay or lose your license immediately. This was really bad in the summer of 2025.

                                                        The Bureau of Motor Vehicles (BMV) has received reports of a possible texting scam being perpetrated on Ohioans today from scammers claiming to be from the State of Ohio.

                                                        Residents have reported receiving text messages from scammers informing the recipients that they have an outstanding parking ticket. The text then instructs the recipient to pay immediately to avoid a license suspension. This particular scam is a phishing attempt that is being reported by drivers nationwide and is designed to trick residents into giving up personal or financial information.

                                                        “If you receive this text, do not fall for this scam,” said Ohio BMV Registrar Charlie Norman. “Do not click any links, do not scan the QR code, and immediately delete the text. Ohio BMV will never send you a text demanding payment or requesting your personal information.”

                                                        For Immediate Release: March 6, 2026

scam image
Beware of Scammers Claiming to be Ohio Bureau of Motor Vehicles
(COLUMBUS, Ohio) – The Ohio Bureau of Motor Vehicles (BMV) has received reports of a possible texting scam being perpetrated on Ohioans today from scammers claiming to be from the State of Ohio.

Residents have reported receiving text messages from scammers informing the recipients that they have an outstanding parking ticket. The text then instructs the recipient to pay immediately to avoid a license suspension. This particular scam is a phishing attempt that is being reported by drivers nationwide and is designed to trick residents into giving up personal or financial information.

“If you receive this text, do not fall for this scam,” said Ohio BMV Registrar Charlie Norman. “Do not click any links, do not scan the QR code, and immediately delete the text. Ohio BMV will never send you a text demanding payment or requesting your personal information.”


                                                          Dumb Password Rules » 🤖 🌐
                                                          @dumbpasswordrules@infosec.exchange

                                                          This dumb password rule is from Vistara.

                                                          Password must contain:
                                                          - 8 to 12 Characters.
                                                          - At least one lowercase and uppercase letter.
                                                          - At least one numeric character.
                                                          - At least one special character (!, @, #, $, %, %, ^, &, +, =).

                                                          Must not contain space, first or last name.

                                                          dumbpasswordrules.com/sites/vi

                                                            Neil Craig [He/Him] » 🌐
                                                            @tdp_org@mastodon.social

                                                            "...two malicious versions of the widely used axios HTTP client library published to npm: axios@1.14.1 and axios@0.30.4...[which installs] a `postinstall` script that acts as a cross platform remote access trojan (RAT) dropper, targeting macOS, Windows, and Linux"

                                                            My `package.json` files across 4 projects:
                                                            ```
                                                            "axios": "1.14.0"
                                                            ```

                                                            stepsecurity.io/blog/axios-com

                                                            Screenshot of the film Snatch.
Vinnie Jones' character is holding a gun and standing over a man who's cowering in fear against a wall.
The gun has just failed to work when Jones tried to shoot the man. 
Jones says "You lucky bastard" and walks away.

                                                              [?]IAintShootinMis » 🌐
                                                              @iaintshootinmis@digitaldarkage.cc

                                                              Maintainer has lost control of their account. Malicious versions 1.14.1 and 0.30.4 have been published which include a RAT.

                                                              NPM has pulled the affected versions and the payload. Time to clean up and see if you were affected.

                                                              StepSecurity has an awesome write-up on this issue with

                                                              Link follows this toot.
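The two posts above name the compromised axios releases and tell readers to check whether they were affected. The script below is an added example, not code from the posts or from StepSecurity: it scans an npm lockfile (v1, v2 or v3) for axios resolved to 1.14.1 or 0.30.4 anywhere in the tree, and lists dependencies npm has flagged with an install script, since the malicious releases used a `postinstall` hook. The sample lockfile and the dependency `some-sdk` are constructed for the demo; a top-level pin of `"axios": "1.14.0"` does not stop a transitive dependency from resolving the bad release.

```python
"""Check an npm lockfile for the compromised axios releases named above and
for dependencies that run install scripts (the malicious versions used a
postinstall hook). Added example, not from the posts or from StepSecurity."""
import json

# Releases named in the posts above as carrying the RAT dropper.
COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}


def iter_packages(lock):
    """Yield (name, entry) for every dependency in a v1, v2 or v3 lockfile."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, entry in lock["packages"].items():
            if path:  # "" is the root project itself
                # "node_modules/@scope/name" or ".../node_modules/name"
                yield path.rsplit("node_modules/", 1)[-1], entry
    else:  # lockfileVersion 1: nested "dependencies" trees
        stack = list((lock.get("dependencies") or {}).items())
        while stack:
            name, entry = stack.pop()
            yield name, entry
            stack.extend((entry.get("dependencies") or {}).items())


def find_compromised_axios(lock):
    """Return every resolved axios entry, top-level or transitive, at a bad version."""
    return sorted(f"axios@{e.get('version')}" for n, e in iter_packages(lock)
                  if n == "axios" and e.get("version") in COMPROMISED_AXIOS)


def find_install_scripts(lock):
    """Return dependencies npm flagged with "hasInstallScript" (v2/v3 lockfiles only)."""
    return sorted({n for n, e in iter_packages(lock) if e.get("hasInstallScript")})


# Constructed sample lockfile: the project pins axios 1.14.0 like the post above,
# but a hypothetical dependency "some-sdk" pulled in the bad release transitively.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"axios": "1.14.0", "some-sdk": "^2.0.0"}},
    "node_modules/axios": {"version": "1.14.0"},
    "node_modules/some-sdk": {"version": "2.0.0", "dependencies": {"axios": "^1.14.1"}},
    "node_modules/some-sdk/node_modules/axios": {"version": "1.14.1", "hasInstallScript": true}
  }
}""")

if __name__ == "__main__":
    print(find_compromised_axios(SAMPLE_LOCK))  # ['axios@1.14.1']
    print(find_install_scripts(SAMPLE_LOCK))    # ['axios']
```

To run it against a real project, replace `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; a match means the bad release was resolved even if `package.json` itself looks clean.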

                                                                [?]Dumb Password Rules » 🤖 🌐
                                                                @dumbpasswordrules@infosec.exchange

                                                                This dumb password rule is from Battle.net.

                                                                8 to 16 characters, at least one number and one letter and last but not least NO special characters, and can't have a password that looks like your username too. Oh, and passwords are NOT case sensitive.
                                                                A real time travel adventure through the password rules of 2005!

                                                                dumbpasswordrules.com/sites/ba

                                                                  Chewie boosted

                                                                  [?]MissConstrue [She/Her (Crone Extraordinaire)] » 🌐
                                                                  @MissConstrue@mefi.social

                                                                  blog.thereallo.dev/blog/decomp

                                                                  Wowy wow wow wow! I’m sure none of y’all planned on downloading the malware from the Mango, but just in case, DO NOT. It will:

                                                                  - Inject JavaScript into every website you open.
                                                                  - Has a full GPS tracking pipeline always on.
                                                                  - Loads JavaScript from a random person's GitHub Pages site (lonelycpp.github.io) for YouTube embeds.
                                                                  - Loads third-party JavaScript from Elfsight (elfsightcdn.com/platform.js) for social media widgets, with no sandboxing.
                                                                  - Sends email addresses to Mailchimp, images are served from Uploadcare, and a Truth Social embed is hardcoded with static CDN URLs. None of this is government infrastructure.
                                                                  - Has no certificate pinning.
                                                                  - Ships with dev artifacts in production.
                                                                  - Profiles users extensively through OneSignal: tags, SMS numbers, cross-device aliases, outcome tracking, notification interaction logging, in-app message click tracking, and full user state observation.

                                                                    [?]BeyondMachines :verified: » 🤖 🌐
                                                                    @beyondmachines1@infosec.exchange

                                                                    Smith & Co Solicitors Reports Data Breach and Financial Fraud Following Email Compromise

                                                                    Smith & Co Solicitors in Ipswich suffered an email-based data breach affecting 25% of its clients and resulting in at least one instance of financial fraud. Attackers gained unauthorized access to the firm's email systems to impersonate staff and intercept sensitive client communications.

                                                                    beyondmachines.net/event_detai

                                                                      [?]Shawn Webb [He/Him] » 🌐
                                                                      @lattera@bsd.network

                                                                      And now linux.org has been defaced. This kinda reminds me of the old defacement crews of the mid-to-late 1990s like Hackweiser and World of Hell.

                                                                        [?]Dumb Password Rules » 🤖 🌐
                                                                        @dumbpasswordrules@infosec.exchange

                                                                        [?]Frank » 🌐
                                                                        @fschaap@mastodon.social

                                                                        Okay, I'm giving up on the NCSC webinar on supplier management.

                                                                        On the risks of big tech they say/advise: do a risk analysis so that the risks are accepted, because you have no other option anyway, since these suppliers are so big that you simply have to accept their terms.

                                                                        Huh?

                                                                          [?]Karl Baron » 🌐
                                                                          @kalleboo@bitbang.social

                                                                          Financial institutions when they want to authenticate the account with your life savings in it:

                                                                          A europop banger singing about "I'm thinking it would be best if I sent you an SMS" with ladies dancing in front of a massive lit up "S M S"

                                                                            [?]FlohEinstein » 🌐
                                                                            @FlohEinstein@chaos.social

                                                                            Working on another sticker for - found this image a while ago, but only as a lowres jpg, so I re-did it as a vector graphic.


                                                                            We do not test on animals, we test in production.

                                                                            EDIT: Here's the SVG for all of you who asked codeberg.org/FlohEinstein/vect (updated version with better readable font)

                                                                            A green no parking sign with the inscription we do not test on animals we test in production showing a bunny, a red heart and a stack of servers going up in flames

Original idea found on https://www.reddit.com/r/ProgrammerHumor/comments/z1z43b/ive_made_a_new_sticker_so_your_projects_has_no by u/AlFlakky (AlexBlintsov)
Used sources from Flaticon.com: Star Icons by Pixel perfect, Hase by torskaya, hacken by juicy_fish, dedizierter Server by Design Circle, Herz by IconBaandar

                                                                              [?]FlohEinstein » 🌐
                                                                              @FlohEinstein@chaos.social

                                                                              Wow, u/DeeZett made a 3D version of my "We do not test on animals, we test in production" sticker. I love it!

                                                                              Reddit: reddit.com/r/3Dprinting/commen
                                                                              Model on Makerworld: makerworld.com/en/models/25874
                                                                              Thing on Thingiverse: thingiverse.com/thing:7323159

                                                                              A green no parking sign with the inscription we do not test on animals we test in production showing a bunny, a red heart and a stack of servers going up in flames
3D printed in bright green (sign), white (inscription, bunny, inner flame), red (heart, flame) and black (servers).

                                                                                Chewie boosted

                                                                                [?]Brian Greenberg :verified: » 🌐
                                                                                @brian_greenberg@infosec.exchange

                                                                                I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it.

                                                                                🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

                                                                                🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
                                                                                👮 "Digital escorts", often ex-military with minimal software engineering backgrounds, are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

                                                                                The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

                                                                                If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

                                                                                arstechnica.com/information-te
