cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description
Cablespaghetti's personal snac instance
Admin email
sam@cablespaghetti.dev
Admin account
@sam@cablespaghetti.dev

Search results for tag #security

Tim Hergert boosted

Brooks »
@brooks@social.brookslawson.com

Please 🚀. I'm going to stop short of saying you should not install the #ICEBlock app, but you should know that you're painting a giant target on your back if you use it, and it does not protect your information adequately. The Trump administration is not being coy about how they see this app and its users, citing charges of obstruction of justice and general threats of prosecution.

The developer ignorantly insists the only way to safely use it is through the iOS App Store. That ignores the fact that Apple collects data on which users are installing which apps. It also ignores that the gov has been intercepting push notifications for several years now, so it would be as simple as comparing that data against those who receive push notifications at specific times to determine who is using the app.

The app is also closed-source, so the community cannot inspect it for vulnerabilities.

If they distributed through a 3rd party app store on Android, such as #fdroid (which you cannot do on iOS), they could allow users to run their own notification system using #unifiedpush. Google would not be involved at any stage.

Yes, this would be a high barrier to entry for use, but I think the use case demands it. Almost certainly we will soon see prosecution for the app's users and probably also removal from the App Store. Apple most certainly does not care enough to fight the government over this.

That is, unless, as I suspect, this app is actually a #honeypot.

Further reading:
https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/

https://www.iceblock.app/android

https://www.newsweek.com/kirsti-noem-iceblock-deportation-immigration-app-2092878

#privacy #security #foss #fossdroid #ice #infosec #boostsappreciated

    Linux Is Best »
    @Linux@mastodon.au

    @lillyfinch

    A friendly reminder --

    Do NOT register anywhere to protest.

    During the last protest, I noticed a lot of random websites claiming they wanted people to register their participation. You do NOT need to register at some random website to announce your intentions to attend a protest.

    Such sites can be used to create lists, and such lists can be given to authorities.

      mle✨ »
      @mle@infosec.exchange

      "Censys has made a list of some of the ICS products commonly targeted by Iranian hackers and scanned the internet to determine how widespread they are and whether their owners and operators have taken steps to secure them in recent months."

      securityweek.com/iranian-hacke

      censys.com/blog/ics-iran-expos

      Table depicting exposure of four different device types known to be of interest or targeted by Iranian actors, including Unitronics, Orpak SiteOmat, Red Lion, and Tridium Niagara. During the 6 month period from January through June 2025, Orpak SiteOmat is the only software that saw a decrease in exposures, dropping from 158 in January to 123 in June.

        hexa- »
        @hexa@chaos.social

        24.11 is now officially unmaintained and will not receive bugfixes and updates any more.

        Time to to nixos-25.05 if you haven't yet.

        github.com/NixOS/infra/pull/76

          Teodor Sandu »
          @teodorsandu@mastodon.online

          One-Factor Authentication:

Account Verification

We have just sent the code 435841 to your
phone number: xxx-xxx-6521
Please enter the code below to access your
account:
---- (blank space to enter code)

            mle✨ »
            @mle@infosec.exchange

            It’s not often my worlds collide like this, but this is pretty wild.

            Coros Pace 3 doesn’t enforce Bluetooth pairing to a device, which leads to a cascading series of things that one could do when rogue connecting to the watch.

            All of these are pretty terrible, but I can’t shake the image of someone spectating near the end of a race and disrupting someone’s hard-earned GPS file for their race. Obviously access to health and training data is way more severe, and there are devices and systems way more critical than someone’s GPS watch, but the fact that any of this is even possible is jarring.

            On top of this, Coros’s initial response of “we’ll get to it by the end of 2025” is wildly unacceptable. They’ve since clarified their timeline (which is more aggressive) but they didn’t handle this well at all from what I’m reading.

            blog.syss.com/posts/bluetooth-

            dcrainmaker.com/2025/06/coros-

            Summary of COROS PACE 3 Bluetooth security vulnerabilities. An unauthenticated attacker within Bluetooth range could hijack a user’s account, access all data, eavesdrop on sensitive data, manipulate device configuration, factory reset or crash the device, and interrupt running activities causing data loss. The analysis also noted security-relevant differences between the COROS iOS and Android apps.

              Peter N. M. Hansteen »
              @pitrh@mastodon.social

              Confirmed: There will be a full day PF tutorial "Network Management with the OpenBSD Packet Filter Toolset" at 2025 in .

              Details to emerge via 2025.eurobsdcon.org/, and expect more goodies to be announced!

                Mike Sheward boosted

                sam »
                @sam@cablespaghetti.dev

                Fediverse, I have a rant I need to get off my chest. Groups in Google Workspace is a security nightmare and has been for years! Why has Google STILL not fixed the glaring problems!?

                I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

                This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode has the same problem of everyone being able to see all the messages.

                Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

                Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...


                Screenshot of the default Google Group settings for team mode

                Screenshot of the default Google Group settings for public mode
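As an added example (not the poster's code), a small audit that flags groups still carrying the domain-wide defaults the post describes, using the Google Groups Settings API field names whoCanJoin and whoCanViewGroup. The mapping of the console's Public/Team presets to those values, the example.com group names and the PRIVATE_EMAIL_GROUP baseline are assumptions, and the input is constructed sample data rather than a live API response.

```python
from dataclasses import dataclass

# Settings API values that let every account in the domain in: what the
# "Anyone in the organisation can join" toggle and the Public/Team presets
# are assumed to produce.
DOMAIN_WIDE_JOIN = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}
DOMAIN_WIDE_VIEW = {"ANYONE_CAN_VIEW", "ALL_IN_DOMAIN_CAN_VIEW"}

# Hardened baseline for a private email group (what you end up building in
# "Custom" mode): invitation-only membership, archive visible to members
# only, but external senders may still post so it keeps working as an alias.
PRIVATE_EMAIL_GROUP = {
    "whoCanJoin": "INVITED_CAN_JOIN",
    "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
    "whoCanPostMessage": "ANYONE_CAN_POST",
    "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER",
}


@dataclass(frozen=True)
class Finding:
    group: str
    setting: str
    value: str
    recommended: str


def audit_group(email: str, settings: dict) -> list:
    """Flag settings on one group that expose it to the whole organisation."""
    findings = []
    join = settings.get("whoCanJoin", "")
    if join in DOMAIN_WIDE_JOIN:
        findings.append(Finding(email, "whoCanJoin", join,
                                PRIVATE_EMAIL_GROUP["whoCanJoin"]))
    view = settings.get("whoCanViewGroup", "")
    if view in DOMAIN_WIDE_VIEW:
        findings.append(Finding(email, "whoCanViewGroup", view,
                                PRIVATE_EMAIL_GROUP["whoCanViewGroup"]))
    return findings


def audit_all(groups: dict) -> list:
    """Run audit_group over a {group_email: settings} mapping."""
    out = []
    for email, settings in sorted(groups.items()):
        out.extend(audit_group(email, settings))
    return out


# Constructed sample: three groups as they might look after their owners
# accepted the console defaults (assumed preset-to-API mapping).
SAMPLE_GROUPS = {
    "directors@example.com": {     # "Team" preset, join toggle left on
        "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
        "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
        "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
    },
    "support@example.com": {       # "Public" preset
        "whoCanJoin": "ALL_IN_DOMAIN_CAN_JOIN",
        "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
        "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
        "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER",
    },
    "payroll@example.com": dict(PRIVATE_EMAIL_GROUP),   # already locked down
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_GROUPS):
        print(f"{f.group}: {f.setting}={f.value} (recommend {f.recommended})")
```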

                  Wen boosted

                  By-Tor »
                  @by_tor@mastodon.scot

                  gyptazy »
                  @gyptazy@mastodon.gyptazy.com

                  Building Your Own PKI with Step-CA – From Root CA to Proxmox Integration with ACME!

                  In this we create our own, decentralized PKI with , enable and integrate a node to obtain a certificate.

                  gyptazy.com/building-your-own-

                    heise Security »
                    @heisec@social.heise.de

                    Brace for impact: Microsoft warns about Secure Boot certificate update

                    "Prepare for the first global, large-scale Secure Boot certificate update," warns Microsoft. Not only Windows is affected.

                    heise.de/news/Vorbereiten-auf-

                    @de_edv

                      Wen »
                      @Wen@mastodon.scot

                      @theferret Could I respectfully suggest you post full links - not shortened ones. Malicious actors can use them to redirect the viewer to harmful sites and not everyone's browser/computer is adequately locked down.

                      It does not cost more in your 500 letter posting than a shortened/obscured link.

                        woollypigs boosted

                        Shaula Evans »
                        @ShaulaEvans@zirk.us

                        I had the foolhardiness to ask a tech question on Mastodon last night (what was I thinking???) that devolved into a side quest. I am going to even more foolhardily try again:

                        With Android rolling out updates that wedge Gemini into everything, what do I need to do to remove/disable/nuke from outer space all aspects of Gemini as much as possible?

                        🚨 Without changing phones / getting a second phone / installing a new OS. 1/n

                          Paco Hope #resist »
                          @paco@infosec.exchange

                          Exhibit eleventy bajillion that medical software is awful. I find this funny for a few reasons.

                          One, it references Little Bobby Tables' lesser known cousin @GNAME@.

                          Second, it doesn't tell me who, what, where, when, why. All I have is literally the patient name. My son. I don't know the date of the procedure, the cost, what they sent my insurance, what my insurance said. Nothing. It's just "you owe us money. Please give us all your insurance details."

                          Third, I suspect is to blame here. If you want to protect your patient data, don't let the invoicing people have all that data. I sorta get it. But then letters like this are pretty useless. There is absolutely no way I'm writing down all my info and just shipping it to them to see what happens. This is billing, after all. It's the only thing with a higher error rate than an LLM.

                          Photo of a letter. It has the UVA logo at the top and UVA Health. You can see redacted name and address places. It opens with Dear @GNAME@ and basically goes on to say they did something and want my info.

                            Paco Hope #resist »
                            @paco@infosec.exchange

                            If you made some kind of intercepting HTTP/HTTPS proxy (thinking of a use case here), you could make it search for these URLs in the streams of HTTP and HTML that are passing through the proxy. Copy down the full URLs and asynchronously issue your own requests for the same URLs and store your own copy of the resulting files. The end user still gets their copy and nobody can tell it's happening. You'd almost certainly be able to do this because the links would surely be valid at the time the proxy sees them, and would work if the proxy immediately issued its request for its own copy.

                            The only way to really detect this happening is for the bucket owner to look at the S3 object logs in CloudTrail and see more than 1 fetch of that URL. Of course, someone with network connectivity issues could issue the request more than once. But a systematic pattern of duplicate fetches would indicate hijinks. The end user can't detect this happening to them. But, of course, you're MitM'ing their internet connection, so that could be detected.


                            4/end

                              Paco Hope #resist »
                              @paco@infosec.exchange

                              If you know how these things work, I haven't told you anything new or useful yet. Maybe I won't. But the thing I think is important and frequently overlooked is that expiration time. Too short (5 seconds) and your user might not click the link before it expires. Too long (86400 seconds, i.e., one day) and this file is available far longer than you intended.

                              So looking at the X-Amz-Expires header in is a good thing, especially if you're doing a . Those URLs can be passed from device to device (e.g., you can Slack it to a colleague or SMS it to a friend and it will work). So you want to counsel anyone who uses them to try hard to tune the expiration as short as is reasonably practical. That expiration is all of the security control on that link.

                              [edit: I left out something important]
                              I see these URLs with 86400 as the expiration time a lot and often. If you're a developer, look at what you're setting them to. If you're a , this is a thing to warn your customer about.

                              3/
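As an added example, not part of Paco's thread: a check that pulls X-Amz-Date and X-Amz-Expires out of a SigV4 pre-signed S3 URL (with query-string signing they are query parameters) and classifies the link as expired, signed for longer than a policy maximum, or fine. The bucket name, keys, credential and signature values in the sample URLs are constructed, and the 900-second policy maximum is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
SIGV4_MAX_TTL = 604800   # S3 refuses X-Amz-Expires above seven days
POLICY_MAX_TTL = 900     # assumed organisational maximum: 15 minutes


def presigned_window(url: str):
    """Return (signed_at, expires_at, ttl_seconds) for a SigV4 query-string
    presigned URL, or None if the URL is not one."""
    q = parse_qs(urlparse(url).query)
    if q.get("X-Amz-Algorithm", [""])[0] != "AWS4-HMAC-SHA256":
        return None
    try:
        signed_at = datetime.strptime(q["X-Amz-Date"][0], AMZ_DATE_FMT)
        ttl = int(q["X-Amz-Expires"][0])
    except (KeyError, ValueError):
        return None
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at, signed_at + timedelta(seconds=ttl), ttl


def classify(url: str, now: datetime, max_ttl: int = POLICY_MAX_TTL) -> str:
    """'not-presigned', 'invalid', 'expired', 'too-long' or 'ok'."""
    window = presigned_window(url)
    if window is None:
        return "not-presigned"
    signed_at, expires_at, ttl = window
    if ttl < 1 or ttl > SIGV4_MAX_TTL:
        return "invalid"      # S3 would refuse it; still worth knowing who generates these
    if now >= expires_at:
        return "expired"      # the only control on the link has already lapsed
    if ttl > max_ttl:
        return "too-long"     # live, and for longer than policy allows
    return "ok"


def _sample(key: str, amz_date: str, expires: int) -> str:
    """Build a constructed presigned URL; credential and signature are dummies."""
    return (
        f"https://example-bucket.s3.amazonaws.com/{key}"
        "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
        "&X-Amz-Credential=AKIAEXAMPLE%2F20250624%2Fus-east-1%2Fs3%2Faws4_request"
        f"&X-Amz-Date={amz_date}&X-Amz-Expires={expires}"
        "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000constructed"
    )


# Fixed "now" so the verdicts below are reproducible.
NOW = datetime(2025, 6, 24, 12, 10, tzinfo=timezone.utc)
SAMPLE_URLS = {
    "day-long": _sample("reports/q2.pdf", "20250624T120000Z", 86400),
    "short": _sample("reports/q2.pdf", "20250624T120800Z", 300),
    "stale": _sample("exports/users.csv", "20250623T120000Z", 3600),
    "eight-days": _sample("exports/users.csv", "20250624T120000Z", 691200),
    "plain": "https://example-bucket.s3.amazonaws.com/public/logo.png",
}


def audit(urls: dict, now: datetime = NOW, max_ttl: int = POLICY_MAX_TTL) -> dict:
    """Classify every URL in a {label: url} mapping."""
    return {name: classify(u, now, max_ttl) for name, u in urls.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_URLS).items():
        print(f"{name:10s} {verdict}")
```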

                                Nicd »
                                @nicd@masto.ahlcode.fi

                                insinuator.net/2025/06/airoha-

                                > [...] these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required. The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash. [...] hijack established trust relationships with other devices, such as the phone paired to the headphones.

                                  CryptGoat »
                                  @cryptgoat@fedifreu.de

                                  was a mistake: Millions of Bluetooth headphones can potentially be turned into eavesdropping devices. Best-seller and are affected by at least some of the disclosed flaws among many others. The true dimension of these flaws is yet unknown as the vulnerable component is very widely in use under different names.

                                  heise.de/en/news/Zero-day-Blue

                                  Disclosure of the vulnerabilities: insinuator.net/2025/06/airoha-

                                  No updates or official statements available yet. ☠️

                                    Electronic Frontier Foundation »
                                    @eff@mastodon.social

                                    A variety of US federal and state laws give cops the power to get your data from online services. This overview goes over how they work, and how they can be mitigated.
                                    eff.org/deeplinks/2025/06/how-

                                      Adrianna Tan boosted

                                      Aral Balkan »
                                      @aral@mastodon.ar.al

                                      Thanking the @letsencrypt folks for the excellent work they do, and especially for their upcoming support for security certificates for IP addresses which is nothing short of revolutionary for the future of the (Small) Web.

                                      community.letsencrypt.org/t/ge

                                        DistroWatch boosted

                                        Linuxiac »
                                        @linuxiac@mastodon.social

                                        Tails 6.17 privacy-focused Linux distro is out now with a new "Show Password" feature, alongside critical Tor Browser and uBlock Origin updates.
                                        linuxiac.com/tails-6-17-releas

                                          CryptGoat »
                                          @cryptgoat@fedifreu.de

                                          is getting E2E-encrypted cloud backups, which can now be tested under : community.signalusers.org/t/pu

                                          Incidentally, the new are also supposed to be usable across platforms, which finally makes it possible to move chat contents between Android and iOS.

                                          Local backups are also supposed to get significantly better. Let's hope they finally work incrementally. 👀

                                            C. »
                                            @cazabon@mindly.social

                                            I learned something today: Google's Gemini "AI" on phones accesses your data from "Phones, Messages, WhatsApp" and other stuff whether you have Gemini turned on or not. It just keeps the data longer if you turn it on. Oh, and lets it be reviewed by humans (!) for Google's advantage in training "AI" etc.

                                            But this only came to my attention because of an upcoming change: it's going to start keeping your data long-term even if you turn it "off": " will soon be able to help you use Phone, , , and Utilities on your phone, whether your Gemini Apps Activity is on or off."

                                            This is, of course, a and .

                                            If this is baked into Android, and therefore not removable, I'd have to say I'd recommend against using Android at all starting July 7th.

                                            extremetech.com/mobile/gemini-

                                              Jon Seager boosted

                                              Canonical Ubuntu »
                                              @ubuntu@ubuntu.social

                                              One of our goals was making Network Time Security (NTS) the default in Chrony, not just for Ubuntu 25.04 Plucky Puffin, but beyond.

                                              We’ve now reached that milestone as part of the ongoing development of Ubuntu 25.10 Questing Quokka.

                                              Read more about it in our Ubuntu Server Gazette: discourse.ubuntu.com/t/ubuntu-

                                              Network Time Security and chrony as defaults: As part of the ongoing development of Ubuntu 25.10 Questing Quokka

                                                Jon Seager boosted

                                                OS-SCI »
                                                @os_sci@mastodon.social

                                                Ubuntu 25.10 is boosting security with Chrony + NTS for secure time sync, replacing systemd-timesync. A safer, more reliable time management system is coming! dub.sh/GKhixGZ

                                                  Nonilex »
                                                  @Nonilex@masto.ai

                                                  says it used the same number of bombs the used on Iran’s facilities

                                                  Iran's top body said in a statement that its armed forces used the same number of bombs that the US had used in attacking Iran’s nuclear facilities.

                                                  It also said the US base was far from urban facilities & residential areas in .

                                                  It added that the action did not pose any threat to "our friendly & brotherly" neighbour Qatar.

                                                    Nonilex »
                                                    @Nonilex@masto.ai

                                                    , , , the & have all closed their airspace in light of the attacks.

                                                    A US Dept official confirmed that fired multiple short- & medium-range missiles at Air Base in Qatar, & a damage assessment is underway. The official spoke on condition of anonymity to discuss matters.

                                                      Alauddin Maulana Hirzan 💻 »
                                                      @maulanahirzan@mastodon.bsd.cafe

                                                      I need advice on securing a web server. I am currently managing an OJS server at my university. This server is often attacked, such as with PHP script injections, to cause malfunctions or plant online gambling content. What I have done so far:
                                                      1. Set permissions (the user owns all PHP scripts instead of www-data; these files are often modified by a third party)
                                                      2. File access monitoring (I log every access that happens in the doc root)
                                                      3. Daily backup
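An added example, not the poster's setup, that complements steps 1 and 2 above: snapshot the hash and permission bits of every file under the OJS document root, then diff a later snapshot to surface new, changed, or group/other-writable files. The temporary directory and sample files are constructed for the demo.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(docroot) -> dict:
    """Map each regular file (relative path) under docroot to its hash and mode bits."""
    root = Path(docroot)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "mode": stat.S_IMODE(p.stat().st_mode),
            }
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'writable' lists files that the web server's group
    or anyone else could modify, which is what a script-injection defacement needs."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current
            if p in baseline and current[p]["sha256"] != baseline[p]["sha256"]
        ),
        "writable": sorted(
            p for p, meta in current.items()
            if meta["mode"] & (stat.S_IWGRP | stat.S_IWOTH)
        ),
    }


def save_baseline(snap: dict, path) -> None:
    # Keep the baseline outside the doc root so a web-server compromise cannot rewrite it.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Build a constructed doc root, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "lib").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'lib/bootstrap.php';\n")
        (root / "lib" / "bootstrap.php").write_text("<?php // constructed sample\n")
        for p in (root / "index.php", root / "lib" / "bootstrap.php"):
            p.chmod(0o644)
        save_baseline(snapshot(root), Path(tmp) / "baseline.json")

        # Simulated tampering: an unexpected new file, an altered file, loosened permissions.
        (root / "cache.php").write_text("<?php // constructed: file that was never deployed\n")
        (root / "cache.php").chmod(0o644)
        (root / "lib" / "bootstrap.php").write_text("<?php // altered after deployment\n")
        (root / "index.php").chmod(0o666)
        return compare(load_baseline(Path(tmp) / "baseline.json"), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```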

                                                        Charlie O’Hara »
                                                        @awfulwoman@indieweb.social

                                                        I wrote another thing about home automation and alarms and stuff.

                                                        This time I talk about planning a basic level of hardwired security into my apartment, and what prep work has been necessary.

                                                        awfulwoman.com/posts/planning-

                                                          omg! ubuntu boosted

                                                          omg! ubuntu »
                                                          @omgubuntu@floss.social

                                                          Ubuntu 25.10 moves to using Chrony with Network Time Security (NTS) enabled to improve the distro's security.

                                                          omgubuntu.co.uk/2025/06/ubuntu

                                                            Liam @ GamingOnLinux 🐧🎮 »
                                                            @gamingonlinux@mastodon.social

                                                            Update to our article on the recent X.Org X server and Xwayland security issues. Another new version of each is *now* being released.

                                                            gamingonlinux.com/2025/06/mult

                                                              System76 :popos: :ubuntu: »
                                                              @system76@fosstodon.org

                                                              🎙️ New Podcast Episode!🎙️ On this summer transmission, Alex and Emma hype new hardware and our presence at the Open Source Summit in Denver. We interview Viktor Petersson at Screenly. The discussion dives into Screenly’s focus on security, especially for enterprise environments, and emphasizes the need for strong hardware and software security partnerships. Listen here: system76.transistor.fm/19

                                                                Liam @ GamingOnLinux 🐧🎮 »
                                                                @gamingonlinux@mastodon.social

                                                                RonSupportsYou »
                                                                @RonSupportsYou@mastodon.social

                                                                Adrian Carrasquillo: "Just hours after a man assassinated a Democratic politician and murdered her husband and shot another Democrat and a spouse, Trump spouts that 'Radical Left Democrats are sick of mind, hate our Country, and actually want to destroy our Inner Cities'.”

                                                                  Terence Eden boosted

                                                                  Terence Eden »
                                                                  @Edent@mastodon.social

                                                                  🆕 blog! “Your Password Algorithm Sucks”

                                                                  There are two sorts of people in the world; those who know they are stupid and those who think they are clever.

                                                                  Stupid people use a password manager. They know they can't remember a hundred different passwords and so outsource the thinking to something reasonably secure. I'm a stupid person and am very happy to have BitWarden…

                                                                  👀 Read more: shkspr.mobi/blog/2025/06/your-