GrapheneOS version 2025071900 released:

https://grapheneos.org/releases#2025071900

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

https://discuss.grapheneos.org/d/24190-grapheneos-version-2025071900-released

#GrapheneOS #privacy #security

Happy "Logging in as users -, [ and $ day" to all who celebrate:

Jul 19 02:02:12 portal sshd-session[88959]: Failed password for invalid user - from 152.42.130.79 port 33738 ssh2
Jul 19 03:00:14 portal sshd-session[79691]: Failed password for invalid user [ from 152.42.130.79 port 41708 ssh2
Jul 19 03:58:56 portal sshd-session[6194]: Failed password for invalid user $ from 152.42.130.79 port 55398 ssh2

#ssh #passwordgroping #security #passwords #cybercrime #botnet

Alright so I just found out that OCI (Docker/Podman) is just absolute garbage if you want anything resembling supply-chain security, because registries and clients are basically allowed to willy-nilly change the image digests. So I just cannot really prove that an image I just mirrored on my local registry is the same I pulled from elsewhere. Is this what we are basing much of our software infrastructure on?

#oci #docker #podman #security #cybersecurity #supplychain

Make our voice heard at the Apple encryption hearing!

On the sly, the UK government tried to force a backdoor into the firewall that protects your privacy. We made the hearing public.

Now we need to win in court ✊

Donate now to fund legal representation ⬇️

https://action.openrightsgroup.org/make-our-voice-heard-apple%E2%80%99s-encryption-hearing

#e2ee #apple #encryption #privacy #cybersecurity #ukpolitics #ukpol #crowdfunder #surveillance #security

When Root Meets Immutable: OpenBSD chflags vs. Log Tampering https://www.undeadly.org/cgi?action=article;sid=20250718072438 #openbsd #immutable #chflags #logs #logtampering #security #hacking

Discover how Model Context Protocol (MCP) can supercharge DevOps by connecting LLMs to tools like Grafana, CI/CD, and Sentry—right from your IDE. This talk from Alex Shershebnev covers building secure MCP servers, automating Ops tasks, and avoiding security pitfalls as you integrate AI into your stack.

#DevOps #AI #MCP #Security #LLM

Program: https://devopsdays.org/events/2025-london/program/alex-shershebnev

Tickets: https://ti.to/devopsdays-london/2025

Sponsorship: https://devopsdays.org/events/2025-london/sponsor

For those who have InfoSec, privacy, security, and/or related technology expertise…

Would you use Bitchat?

(Feel free to elaborate in the comments and/or boost if you’d like to see the opinion of others.)

#Bitchat #JackDorsey #InfoSec #Privacy #Security #Technology #OSS #Encryption

Font caching no longer runs as root https://www.undeadly.org/cgi?action=article;sid=20250717061920 #openbsd #security #fonts #caching #privilegedrop #fontcache

Oh, my goodness. I boosted @Em0nM4stodon’s post about this earlier. But I need to share it with some intention.

This piece she wrote on Mastodon privacy/security is intense. It’s long. SO much information. Read it anyway. Seriously.

And if y’all don’t follow Em, do yourself a solid and get on that. She’s smart af about InfoSec/privacy/security. And super friendly.

https://www.privacyguides.org/articles/2025/07/15/mastodon-privacy-and-security/

#Fediverse #Mastodon #MastoTips #Privacy #InfoSec #Security #TheFutureIsFederated

Interesting read…

𝙂𝙤𝙤𝙜𝙡𝙚 𝙞𝙨 𝙩𝙧𝙖𝙘𝙠𝙞𝙣𝙜 𝙮𝙤𝙪 (𝙚𝙫𝙚𝙣 𝙬𝙝𝙚𝙣 𝙮𝙤𝙪 𝙪𝙨𝙚 𝘿𝙪𝙘𝙠𝘿𝙪𝙘𝙠𝙂𝙤)

https://www.simpleanalytics.com/blog/google-is-tracking-you-even-when-you-use-duck-duck-go

#google #tracking #privacy #InfoSec #security #tech #technology #BigTech #BigBrother

New Privacy Guides article 🔒
by me:

While most social media rely on commercial models harvesting users' data to sell to advertisers,

Mastodon offers a human-centric alternative that doesn't seek profits from your data and attention.

This means better social connections, better controls, and better privacy!

The first part of this article discusses privacy and security on Mastodon.

The second part is a tutorial to guide you in making the most of Mastodon's security and privacy related features.

This tutorial includes how to:

• Enable multifactor authentication 🔑🔑

• Adjust privacy vs discovery 👀

• Select post visibility and access

• Verify yourself

• Delete and back up your data

• Block users and instances ⛔

• Opt out with hashtags #️⃣

• Move from one instance to another 🚀

I hope this helps you making the most of what Mastodon has to offers!

https://www.privacyguides.org/articles/2025/07/15/mastodon-privacy-and-security/

#PrivacyGuides #Mastodon #Fediverse #Privacy #Security #Tutorial #TheFutureIsFederated #TinyMastodonTip

@ispreview #censorship not #security

#Today one of my colleagues put my attention on this article, and to be honest I do love the reporting style. Meme's and writing like this?

"The ‘good news’, I suspect, is that most orgs will be too lacking in logs to have evidence."

"China go brrr"

At least it's not dry

https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f?gi=a1ac3499734e

#security #datasecurity #infosec #citrix #netscaler #citrix_netscaler #incident #exploit #meme #report

Alt...

Opera Winfrey meme with the text "You get an incident, everybody gets a citrix netscaler incident"

GrapheneOS just dropped stable Android 16 support for Pixel devices! 🚀🔒 Despite new hurdles from Google, the team’s update includes the TapTrap vulnerability fix and under-the-hood improvements. No flashy features, all about security! #GrapheneOS #Android16 #Pixel #privacy #security

🔗 https://www.heise.de/en/news/GrapheneOS-releases-Android-16-in-the-stable-channel-10484215.html

Shortlink: https://heise.de/-10484215

As much as #Trump seems to want credit for helping to end the war, he is also clear that he doesn’t want to be blamed for the outcome [of course]. “I do want to make one statement again,” he said. “I said it before. This is not Trump’s war.”

#geopolitics #TrumpIsWeak #PutinsPuppet #Russia #Ukraine #Europe #Security

It looks like #Russia was expecting an even tougher announcement by #Trump. The main Moscow stock index jumped more than 2.5% after Trump’s announcement. Konstantin Kosachev, a senior lawmaker, said on social media that Trump could change his mind again in the next 50 days (& probably will): “If this is all Trump had to say about Ukraine today, then for now, it’s all just hot air.”

#geopolitics #TrumpIsWeak #PutinsPuppet #Ukraine #Europe #Security

“There are not Americans dying,” #Trump said, noting he & #JDVance had “a problem” with #US involvement, though he never finished the thought. Trump acknowledged that the #UnitedStates wanted “a strong Europe.” He never said, however, whether he shared the Europeans’ concern that #Putin would not stop at #Ukraine & could broaden his push into #Europe.

#geopolitics #TrumpIsWeak #PutinsPuppet #Russia #Security

“My conversations with him are very pleasant, & then the missiles go off at night,” #Trump said of #Putin. Clearly sensitive about his turnaround, Trump added of Putin: “He fooled Clinton, Bush, Obama, Biden — he didn’t fool me.”
[invert that last statement for the truth]

#geopolitics #TrumpIsWeak #PutinsPuppet #Russia #Ukraine #Europe #Security

#Putin is convinced he has the battlefield momentum & has been prepared for #Trump to lose his patience, NYT reported last week. For all of Trump’s Russia-friendly rhetoric earlier this year, he refused to make the major concessions that Putin wanted, such as pushing Ukraine to give up more territory & limit the future size of its military.

#geopolitics #TrumpIsWeak #PutinsPuppet #Russia #Ukraine #Europe #Security

https://www.nytimes.com/2025/07/09/world/europe/russia-ukraine-putin-trump.html?smid=nytcore-ios-share&referringSource=articleShare

Just published another part of our long running series on #Kubernetes #Security fundamentals. This time looking at how Kubernetes cluster's use PKI. I know when I started the idea that every cluster had three different certificate authorities came as a bit of a surprise!

https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamentals-part-7/

I'm still on some commercial platforms, but I've given up on X, Facebook, and WhatsApp. Sometimes I wish I could have made different choices when I started my online journey in the 90s, and not have my full name and details out there to some extent. I'm in too deep. There's some safety in knowing certain things - security-wise, to protect myself. But it's horrifying to think about people who don't take those precautions. Many are just prey for the black and gray hats.

I often choose not to post about these things on commercial social media because it's seen as fearmongering and insensitive. I wish I could warn everyone, but most do not care until something bad happens.

#Privacy #Security

This unusual T-shaped keyhole (left) is part of an Odell's nightlatch. It's at the entrance to an 1850s tenement on Kelvingrove Street and is only the second I've found in the wild in Glasgow.

Cont./

#glasgow #odellnightlatch #glasgowhistory #lock #dullmensclub #security #tenement #scotland #glasgowtenemenets

Alt...

The unusual t-shaped keyhole for an Odell's nightlatch, with an example of the internal workings of such a latch and one of its keys.

If you still think that #Apple cares for the #privacy of its paying customers:

Apple Gave #Governments Data on Thousands of Push #Notifications
https://www.404media.co/apple-gave-governments-data-on-thousands-of-push-notifications/

With companies like that, you're the product although you pay premium money.

#iOS #iPhone #security

#introduction i guess?
I'm a physicist who spent most of his time at school, in the datacenter. Then i somehow found myself in 'computer science research' labs writing software. For the past couple of years doing the security thing cause it's fun. Into #openbsd #plan9 #scheme #golang #C #security . When AFK i enjoy #cavediving #trailrunning #bicycletouring #mathematics . As always thank you #sdf for hosting us. It's nice to meet you all :).

Perusing a paper paper for once I saw this advert for WhatsApp.

No I can believe the content of your message can not be read, but by using it, your address book is theirs, your messages sent/received are logged and you will be tracked wherever you are - and whatever you are buying.

That’s what they really want.

Go #Signal - it makes sense

#whatsApp #privacy #security #hiddenThreats #meta

Alt...

Advert for WharsApp, woman’s face, hidden message, text reads No one, not even WhatsApp, can see or hear your personal messages. WhatsApp from CO Meta

Well, great. Now @bitwarden is going to ad AI bullshit to their services. I left Bitwarden a few months back for different reasons but I'm kind of glad that I did. I switched to @1password@1password.social. If they add AI to their services (are they already?), I'm just going to call it quits on all of them and just move completely to @keepassxc@fosstodon.org. I can simply just host my own with Keepassxc and not have to worry about any AI crap. I'm using Keepassxc now but not for everything. That might change in the very near future.

https://nerds.xyz/2025/07/bitwarden-mcp-server-secure-ai/

#passwordmanager #privacy #security

Yes, The Book of PF, 4th Edition Is Coming Soon https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html

Long rumored and eagerly anticipated by some, the fourth edition of The Book of PF is now available for preorder https://nostarch.com/book-of-pf-4th-edition #openbsd #pf #packetfilter #freebsd #networking #security #tcpip #ipv6 #ipv4 #bookofpf

Belgium is unsafe for CVD (coordinated vulnerability disclosure)
https://floort.net/posts/belgium-unsafe-for-cvd/

#CVD #security #coordinated #vulnerability #disclosure #Belgium

Long rumored, eagerly anticipated by some, you can now PREORDER "The Book of PF, 4th edition" https://nostarch.com/book-of-pf-4th-edition for the most up to date guide to the OpenBSD and FreeBSD networking toolset #openbsd #freebsd #networking #pf #packetfilter #firewall #preorder #security

AMD CPU Transient Scheduler Attacks security flaw revealed https://www.gamingonlinux.com/2025/07/amd-cpu-transient-scheduler-attacks-security-flaw-revealed/

#AMD #PCGaming #Security #Gaming #CPUs

The Node.js Project just pre-announced security updates, to be released next week, on Tuesday, July 15th;

"The 24.x release line of Node.js is vulnerable to 2 high severity issues. The 22.x release line of Node.js is vulnerable to 1 high severity issues. The 20.x release line of Node.js is vulnerable to 1 high severity issues."

https://nodejs.org/en/blog/vulnerability/july-2025-security-releases

#Security

Great news! #HPE networking equipment is now secure!

"Combination accelerates HPE’s strategic vision with a full, secure networking IP stack"

https://www.hpe.com/us/en/newsroom/press-release/2025/07/hewlett-packard-enterprise-closes-acquisition-of-juniper-networks-to-offer-industry-leading-comprehensive-cloud-native-ai-driven-portfolio.html

#security #Juniper #MarketingBullshit #Consolidation

The most recent report, issued in 2023, included an interactive atlas that zoomed down to the county level. It found that #ClimateChange is affecting people’s #security, #health & livelihoods in every corner of the country in different ways, with minority & Native American communities often disproportionately at risk.

#law #EnvironmentalLaw #Climate #ClimateCrisis #PublicHealth #WeatherPreparedness #Trump #USpol

What is your favorite app for
Multifactor Authentication, and why do you like it most? 2️⃣✌️👀

#Security #MFA #2FA #Authenticator

Indiana University silent on major security breach while dozens of services are down for weeks.

https://www.ipm.org/news/2025-07-04/administrator-says-iu-will-never-explain-it-security-breach-publicly?fbclid=IwY2xjawLVRjFleHRuA2FlbQIxMQABHkfpe_KACeX4r2kR7sWjWSMdr6ASrFltBVcS4xXAaIAtUBLiUuG7g8KXBR83_aem_tMrMLsvOTvB3sMFPwNz8qg

#iu #indiana #cybersecurity #security #infosec

Internet traffic, visualized with a opensource app which comfortably monitor your Internet traffic. It is a cross-platform and reliable app for your needs https://github.com/GyulyVGC/sniffnet

#opensource #security

Alt...

A screenshot of sniffnet Application to comfortably monitor your Internet traffic.

Why is security work unlike any other contribution to an open source project?

We need to re-think the tight association between maintainers and security work if we want sustainable open source security.

Read more: https://sethmlarson.dev/security-work-isnt-special

#opensource #oss #security #supplychain

@lillyfinch

A friendly reminder --

Do NOT register anywhere to protest.

During the last protest, I noticed a lot of random websites claiming they wanted people to register their participation. You do NOT need to register at some random website, to announce your intentions to attend a protest.

Such sites can be used to create lists and such list can be given to authorities.

#Protest #Privacy #Security #Safety

"Censys has made a list of some of the ICS products commonly targeted by Iranian hackers and scanned the internet to determine how widespread they are and whether their owners and operators have taken steps to secure them in recent months."

https://www.securityweek.com/iranian-hackers-preferred-ics-targets-left-open-amid-fresh-us-attack-warning/

https://censys.com/blog/ics-iran-exposure-of-previously-targeted-devices

#security #ics

Alt...

Table depicting exposure of four different device types known to be of interest or targeted by Iranian actors, including Unitronics, Orpak SiteOmat, Red Lion, and Tridium Niagara. During the 6 month period from January through June 2025, Orpak SiteOmat is the only software that saw a decrease in exposures, dropping from 158 in January to 123 in June.

#NixOS 24.11 is now officially unmaintained and will not receive bugfixes and #security updates any more.

Time to #upgrade to nixos-25.05 if you haven't yet.

https://github.com/NixOS/infra/pull/761

It’s not often my worlds collide like this, but this is pretty wild.

Coros Pace 3 doesn’t enforce Bluetooth pairing to a device, which leads to a cascading series of things that one could do when rogue connecting to the watch.

All of these are pretty terrible, but I can’t shake the image of someone spectating near the end of a race and disrupting someone’s hard-earned GPS file for their race. Obviously access to health and training data is way more severe, and there are devices and systems way more critical than someone’s GPS watch, but the fact that any of this is even possible is jarring.

On top of this, Coros’s initial response of “we’ll get to it by the end of 2025” is wildly unacceptable. They’ve since clarified their timeline (which is more aggressive) but they didn’t handle this well at all from what I’m reading.

https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

https://www.dcrainmaker.com/2025/06/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html

#running #security #vulnerability

Alt...

Summary of COROS PACE 3 Bluetooth security vulnerabilities. An unauthenticated attacker within Bluetooth range could hijack a user’s account, access all data, eavesdrop on sensitive data, manipulate device configuration, factory reset or crash the device, and interrupt running activities causing data loss. The analysis also noted security-relevant differences between the COROS iOS and Android apps.

Confirmed: There will be a full day PF tutorial "Network Management with the OpenBSD Packet Filter Toolset" at #eurobsdcon 2025 in #zagreb.

Details to emerge via https://2025.eurobsdcon.org/, and expect more goodies to be announced!

#openbsd #freebsd #pf #packetfilter #networking #security #freesoftware #libresoftware #bsd

I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode, has the same problem of everyone being able to see all the messages.

Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...

#security #infosec #google #googleworkspace

Alt...

Screenshot of the default Google Group settings for team mode

Alt...

Screenshot of the default Google Group settings for public mode