📊 Poll of the Day
Past polls got great engagement — let’s go even bigger this time! 🚀

This is Mastodon, so we know the audience is a bit more techie... let’s see how that reflects in the results! 👀

Which OS are you using right now? 💻
(Feel free to reply with why you use it too 👇)

Vote + Boost 🔁 = ❤️

#Linux #Arch #LinuxMint #Fedora #Debian #Ubuntu #Desktop #FOSS #Privacy #Security #OpenSource #Microsoft #Windows #TechNews #CyberSecurity #Tech #Technology #Apple #OS #iOS #MacOS #OperatingSystem

Apple: spaceship 🛸
Microsoft: glass tower 🏢
Linux: basement... still runs the internet 🐧😎

Root access > real estate.

Pic source: https://www.reddit.com/r/linuxmemes/comments/1mrtah8/stay_real/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

📸👇

#Linux #Desktop #FOSS #Privacy #Security #OpenSource #Microsoft #Windows #TechNews #CyberSecurity #UserFreedom #Freedom #Tech #Technology #AI #OS #MacOS #Meme #TechMeme

Alt...

Three images showing the headquarters of major operating systems. The top left shows Apple's massive circular "spaceship" HQ labeled "iOS". Top right shows Microsoft's sleek modern building labeled "Windows". Bottom image shows a man standing in a modest home office setup, labeled "Linux", humorously suggesting Linux has no official headquarters.

"While the UK may have dropped its demands for Apple to backdoor all of its users across the globe, UK users may still be banned from benefiting from [Advanced Data Protection] encryption."

"And if Apple does restore ADP to UK users, there will be serious questions of trust."

🗣️ ORG's @jim.

https://news.sky.com/story/uk-drops-apple-encryption-demands-says-us-spy-chief-13414482

#apple #encryption #e2ee #privacy #cybersecurity #security #ukpolitics #ukpol

The latest BSD Weekly https://bsdweekly.com/issues/245 features "Eighteen Years of Greytrapping ..." (https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html and https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html - a warmup to #bookofpf 4th ed https://nostarch.com/book-of-pf-4th-edition) #openbsd #freebsd #security #mail #spam #hacking #cybercrime @nostarch

🚨 Hacked India's biggest dating app Flutrr (backed by The Times of India). Critical security flaws expose millions of users.

Technical details:

• Zero authentication checks on ANY API endpoint
• Can read/send messages as any user via WebSocket
• Access anyone's sensitive profile data, matches, conversations
• Update any user's data by just changing UID in requests
• Delete anyones account

Reported November 2024, they responded in March 2025 with a $100 gift card offer. Still unfixed.

Every single endpoint trusts client-provided user IDs without verification. This is as bad as it gets for a dating app handling sensitive personal data.

Full Technical Writeup: https://bobdahacker.com/blog/indias-biggest-dating-app-hacked

#infosec #security #vulnerability #india #datingapp #responsibledisclosure #apisecurity #bugbounty #cybersecurity

Shocked!™ 😅
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images

#docker #security

🤖 Most people still treat AI chatbots like a private confessional, but they aren’t. 😳 Every question is logged, stored, and potentially discoverable, sometimes even after you’ve deleted it. OpenAI, Google, and Anthropic all retain user prompts by default, often under the guise of “memory” or “service improvement.”

And here’s the kicker: a federal court order now forces OpenAI to preserve all ChatGPT conversations, including “Temporary” ones users assumed were erased. So the notion of ephemeral chats is gone. That should change how people think about what they type into these systems.

The bigger issue is that the line between “helpful personalization” and “permanent surveillance record” is blurring fast. What looks convenient today could look like an exposure tomorrow.

TL;DR
⚠️ AI queries are logged
🔐 Deleted chats still saved
🧠 “Memory” is default setting
📂 Court orders enforce retention

https://www.theregister.com/2025/08/18/opinion_column_ai_surveillance/
#AI #Privacy #DataSecurity #Surveillance #FRCP #EDRM #security #privacy #cloud #infosec #cybersecurity #LegalHold

UK has backed down on demand to access US Apple user data, spy chief says

What a surprise! But they have still reduced data security for users in the UK.One correction - this applies to all UK customers and not just new ones.

https://www.theguardian.com/technology/2025/aug/19/uk-has-backed-down-on-demand-to-access-us-apple-user-data-spy-chief-says

#IT #Apple #Security #Encryption #Labour #Maladministration #Unworkable

Alt...

From the article, text reads ‘In February, Apple responded by withdrawing the option for its new British customers to enable advance data protection options, saying it was "deeply disappointed" and would never build a backdoor into any of its products. That meant, uniquely, many UK customers were unable to benefit from end-to-end encryption of services, including the iCloud Drive, photos, notes or reminders, making them more vulnerable to data breaches. Gabbard said: "Over the past few months, I've been working closely with our partners in the UK, alongside President Trump and Vice-President Vance, to ensure Americans' private data remains private and our constitutional rights and civil liberties are protected." It is not clear whether the technical capability notice requiring the data access would be withdrawn altogether or altered. It could in theory be limited to allowing access to the data only of UK citizens, although experts cautioned that could be technologically unrealistic. It also raises the danger that other foreign governments could still find a way to use the backdoor. Neither is it clear whether Apple will be able to offer new UK customers access to its highest levels of data protection again.’

The UK has pulled its order to put a backdoor into Apple's encrypted services.

BUT "powers to attack encryption are still on the law books, and pose a serious risk to user security and protection against criminal abuse of our data."

🗣️ @jim, ORG Exec Director.

https://www.bbc.co.uk/news/articles/cdj2m3rrk74o

#apple #encryption #e2ee #privacy #security #cybersecurity #ukpolitics #ukpol

What if you could combine the ease of QR codes with the power of curl|bash? Now you can!

https://codeberg.org/sjmulder/sh-handler

#security

PyPI now checks for expired domains to prevent domain resurrection attacks, a type of supply-chain attack where someone buys an expired domain and uses it to take over #PyPI accounts through password resets. #Python #OpenSource #SupplyChain #Security
https://blog.pypi.org/posts/2025-08-18-preventing-domain-resurrections/

I think it goes without saying that you definitely should not do any of your organizing on Discord. just because a server is marked private doesn't mean it's immune to infiltration or that Discord won't just hand over all your messages (including DMs) to any cop or fed who asks nicely

#activism #anarchism #privacy #security

🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦

Technical details:

• Design Hub: Used to be client sided password, Registration endpoint exists and works even tho they dont want signups
• TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO
• GRS panel: Complete authentication bypass, arbitrary HTML injection
• Magicbell API keys/secrets exposed in client-side JS
• Algolia indexes listable with user PII
• CosMc's: Server-side validation missing for coupon redemption

They fixed it but fired my friend who helped find the OAuth vulnerabilities.

Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities

#infosec #bugbountry #responsibledisclosure #security #cybersecurity #hacking #vulnerability

🎢 Hacked South Park's Casa Bonita. Could access their entire POS system and see all customer payments/tips and more 😬

Technical details:

• Founders Club admin panel: No auth required, all member emails exposed
• POS registration: Form disabled client-side only, API endpoint still functional
• Reservation enumeration: Sequential IDs exposed full customer data
• Full control over customer tabs, payments, and inventory
• Supabase misconfiguration: Public signups triggered automated membership cards

No security.txt anywhere. Had to email parkcounty.com addresses then get help from my friend whose company partners with South Park.

Fixed fast but never thanked me. Got a Founders Club card 6 months later though, because the system automatically sends them 😂

Full Technical Writeup: https://bobdahacker.com/blog/i-hacked-southpark

#infosec #bugbounty #responsibleDisclosure #security #vulnerability #hacking #cybersecurity #southpark #CasaBonita

please do not send people illegal things or messages about illegal things over fediverse DMs. the fediverse has significant issues with data ownership that don't go away just because your admin isn't corporate. kolektiva mods got their unencrypted servers raided by cops and didn't tell their users about it for like three months. use Signal

#activism #anarchism #privacy #security

"The best guarantee of security for Ukraine is a strong Ukrainian army," Zelensky said. #Ukraine #security

While en route Friday, #Trump voiced hope that “something’s going to come of” the summit & reiterated that #Russia could face “very severe” consequences if it does not move to end the #war. For the first time publicly, Trump also said Friday that he is open to the “possibility” of #security guarantees for #Ukraine, along with other European countries. Trump cautioned that such protections could not come through #NATO, however.

#geopolitics #Putin

Finally did activate the NXP SE050 Secure Element in my Nitrokey 3 and generated new on-device keys, by using the amazing "oct" (openpgp-card-tools).

Almost entirely using the modern rust-based openpgp implementations now:

- oct for card management and file signing
- openpgp-card-ssh-agent for SSH authentication
- rsop-oct for file encryption/decryption and package signing
- oct-git for git signing of my code commits

The only part, where I still rely on classic openpgp, is my MUA KMail, where alternatives aren't yet supported.

And it's still a pain, that modern GPG implementations aren't available as Fedora packages *sigh* but cargo works sufficiently well for now.

#linux #rust #openpgp #nitrokey #crypto #security @hko @fedora @nitrokey

The state of #Linux packaging seems to be a perpetual mess. There is no standard packaging format among distros (something that I don't think will be resolved any time soon) and I've always viewed third party packaging tools like #snap and #flatpak with skepticism, mainly from a #security perspective.

After reading this, I'd rather deal with the perpetual mess of different package managers than the unraveling security headache that is Flatpak.

https://www.linuxjournal.com/content/when-flatpaks-sandbox-cracks-real-life-security-issues-beyond-ideal

#tech #technews

It's heartwarming to a greying geek that a 5000+ words retrospective on greytrapping is turning out to be popular - https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)

#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime

Fight Chat Control – Protect Digital Privacy in the EU: The EU (still) wants to scan your private messages and photos.

The "Chat Control" proposal would mandate scanning of all private digital communications, including encrypted messages and photos. This threatens fundamental privacy rights and digital security for all EU citizens.

🇪🇺 https://fightchatcontrol.eu
@chatcontrol

#eu #chatcontrol #privacy #europe #photo #encryption #plsboost #boost #eupol #char #digital #messiging #security

there's lots of research that meets this criteria, but this is specifically the piece I had in mind when I wrote yesterday about reading excellent work that makes you feel energized.

go read it! I guarantee you'll learn something.

https://censys.com/blog/2025-state-of-the-internet-digging-into-residential-proxy-infrastructure

#security #infosec

🚀 Porting libmagic to Rust: Safer File Identification 🚀

A little while ago (maybe a month or two), I started porting a great project to Rust: libmagic, the library behind the `file` command utility.

🤔 Why did I do that?
For years, I've faced the same issue with file identification: embedding a C library that does intensive parsing into my memory-safe code (Rust, Go, Python, etc.). While I trust the file/libmagic developer community's code quality, I know there are skilled people capable of finding and exploiting bugs—especially in C/C++ parsers. So I've always been reluctant to run libmagic on untrusted input, which creates a tricky situation that kind of defeats its original purpose: categorizing files you know nothing about.

🦀 Why Rust?
Rust is the perfect fit for this port. It provides strong safety guarantees while maintaining high performance and easy bindings to other languages (C/C++, Python, Go, Elixir, etc.). Bonus: the library and tool will be portable to all Rust-supported targets.

💻 Show me the code!
Here it is: https://github.com/qjerome/magic-rs/pull/1
⚠️ Note: This isn't a full implementation yet—it's still a work in progress and needs more work for a usable, clean version (see PR description). That said, if you're feeling adventurous, you can test it out. It already successfully identifies several file types: MS-DOS executables, ELF binaries, scripts, and more.

🔄 Compatibility with C libmagic file format?
This project aims for 99% compatibility with libmagic's rule file format. A few rules (such as those using ternary notations in messages) may need adjustments, but the goal is to stay true to the existing specification.

📌 What's next?
- Finalize the library implementation and publish a Rust crate
- Complete the CLI tool (a `file`-equivalent implementation)
- Create bindings for other languages

If you're interested in this work, don't hesitate to follow along or reach out!

Special thanks to @adulau and @circl for supporting this work! 🙏

#Rust #Libmagic #Security #OpenSource #Programming #SoftwareDevelopment

Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to fool spammers rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.

Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)

#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime

BastilleBSD = FreeBSD hardened + automation ready.

Ship with sane default.
Build on a secure base.
Run anywhere you trust.

#BastilleBSD #FreeBSD #Security

@stalwartlabs
Take their money, but do noz cooperate with these thieves from MS.

Pretty please don't become evil.

#GitHub #OSSF #security

NL. Horrible data breach.

The data of 485,000 women who participated in the population screening for cervical cancer has been stolen via a hack. Not just personal information, such as name and address, was involved. Official identification numbers and test results were also captured.

https://www.rtl.nl/nieuws/binnenland/artikel/5522737/bevolkingsonderzoek-baarmoederhalskanker-data-gehackt-vrouwen

#privacy #security #cybersecurity #gdpr #tech

Matrix Security Release https://lobste.rs/s/nefxb8 #distributed #security
https://matrix.org/blog/2025/08/security-release/

Post-Quantum Cryptography Advice Added to OpenSSH Website https://www.undeadly.org/cgi?action=article;sid=20250811110058 #openbsd #openssh #ssh #cryptography #postquantum #postq #crypto #security #libresoftware #freesoftware #bsd

So Vance is over in the UK on holiday and the security is screwing with everyone’s life in the village.

I was astonished by this quote:
"Another local told the paper police had been going door-to-door asking for personal details of residents and social media accounts."

Apparently when asked they said that they would hand the information over to the "American security people".

Can't he just stay in the land of the free?

https://www.independent.co.uk/news/uk/home-news/jd-vance-cotswolds-holiday-dean-manor-b2805421.html

#vance #uk #security

Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.

Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)

#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime

Just as individual users don’t tend to read every website’s terms and conditions, it’s unlikely they’re all going to do due diligence checks on every provider who asks for ID, especially once they’ve become used to just handing that data over.

#AgeVerification #Lax #Privacy #Security
#InfoSec

https://www.girlonthenet.com/blog/age-verification-whats-the-harm/

Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html (tracked https://bsdly.blogspot.com/2025/08/eighteen-years-of-greytrapping-is.html)

Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway.

It's time for a retrospective.

#greytrapping #spam #antispam #greylisting #blocklist #openbsd #freebsd #smtp #email #ssh #passwords #passwordguessing #pop3 #security #networking #cybercrime

Any #infosec folks wanna help me with some decent data to backup the following point? I am trying to make the point to some executives that a #password policy requiring minimum 8 characters with 1 symbol, mixed case, and 1 number is just not reasonable in 2025. (I'm commenting on another company's policy, not my own!)

What is a good example of a policy (e.g., NIST 800-63 or whatever) that said 49 bits was no good?

I currently say: 49 bits of entropy was unacceptably low in 2005. It is unthinkably low in 2025. What can I point to that might resonate better than "bits of entropy?"

Using the classic method with Shannon's estimate, I figure it's on the order of 49 bits of entropy but that's only if it's purely random from the full character set, and we konw that's not true.

I'm not looking for rhetorical suggestions. I'm good at rhetoric. I'm looking for references I can point to (like "XYZ published in 2011 that the minimum acceptable password was 56 bits of entropy")

feel free to boost for fun
#security #cybersecurity

The UK Online Safety Act - doomed to failure

https://www.theregister.com/2025/08/08/opinion_column_osa/

#Uk #OSA #Privacy #Security #IT

"backdoor" is the new "virus" in overused and wrongly applied terminology.

Over at the facesite I came across a piece (Not linking to that sh*t) about "Linux malware PLAGUE" which describes a piece of software that is useful *post-compromise* to whoever wants to hide their tracks.

Not a backdoor because it requires already established access. #cybercrime #backdoor #security #linux #fluff

It’s time to update your #FreeBSD box: system security patches are out.
It takes only a few minutes.
Don’t forget to update your #jails too, and to restart them after.
#security

Is there a current known exploit for #Android / #Samsung devices to unlock the device without a known PIN / Passcode?

A relative asked for a modern (probably rather well updated) device nobody knows the unlock code anymore. I can confirm they own the device and are able to give me full permission.

I don't know an active exploit out of my head. I assume modern Androids don't allow for brute-force anymore either (virtual HID via USB).

Any ideas?
#Security #hacking #Smartphone #CCC #repair

I keep reading posts recommending consumer VPNs to aid privacy.

Here's my concern - tell me I'm wrong.

1. Most consumer VPNs are installed on a device. You need to sign in as a paying customer. So they know who you are. And your credit card details strengthen that ability to know who you are. Meanwhile a household internet access via an ISP can't easily pin down who is making the internet requests in a home.

2. These consumer VPN providers route all your internet traffic. They have a fuller, if not complete, custody of your internet traffic even if you move from home ISP to cafe WiFi to office guest WiFi to mobile 4G data. That is, with no VPN your traffic is separated through different networks.

3. You likely have done zero due diligence on who the VPN providers are. How can you trust them as individuals? How can you trust their technology and processes? Even if they say they don't log your metadata, how do you know? And how do you know they won't start selling it next year even if they don't now.

4. If they get hacked, all your traffic is at risk. With multiple internet routes (home, office, 4G, cafe) your traffic eggs are not all in one easy basket.

5. VPN software installs with elevated privileges on your device. Makes malware easier.

#tech #privacy #security

If these security cons happened on the same weekend, which would you attend?

#security #infosec #defcon #defcon33 #hope #hope16 #poll

Credentials shouldn't be around in plain text files. But I also don't want to set up a fully fledged credentials management solution for my homelab.

Wouldn't it be nice to dynamically load the credentials I need when I step into my work directory, and remove then when I leave it?

Let's use @bitwarden and direnv to keep credentials safe in all simplicity!

https://ergaster.org/posts/2025/07/28-direnv-bitwarden-integration/

#homelab #security #sysadmin

Microsoft - as always, a threat to your security and privacy

I know some people don’t have the choice, but if you do, consider a different option. ‘Recall’ is a direct threat to your personal information.

https://www.theregister.com/2025/08/01/microsoft_recall_captures_credit_card_info/

#Microsoft #Security #Windows #Recall #Privacy #JustSayNo

***infosec specialists are needed in the resistance ***

The world needs tech security specialists to run workshops at public libraries for all ages & abilities to remove spyware, AI, reduce surveillance, understand the issues, & for more advanced, move to Linux, degooglefy, etc.

Libraries will pay good wages for these workshops.
If you have these skills, please consider offering them.

#libraries #library #tech #infosec #privacy #security #activism #antifa #resistance

Google Pass Keys - Suck.

They're tied to your device and if your device changes or is broke or lost, you're logged out with no hope of recovery.

Google did what I could not. Convince my mother to stop using Google.

She had 2-step verification enabled. Associated with that account were 3 different phone numbers, 1 recovery e-mail, and 10 recovery codes. Google would not accept anything and had all options grayed out, expecting only the passkey.

Luckily, I found a device where I could go into her account settings and remove the passkey option.

My mother is now moving to Tutanota.

#Google #Tutanota #Security

In 2013 I wrote up "Maintaining A Publicly Available Blacklist - Mechanisms And Principles" (also https://bsdly.blogspot.com/2013/04/maintaining-publicly-available.html) . TL;DR: blocklisting is a kind of public shaming, be sure your process is verifiable and transparent.

Minor edits today, links to resources and #eurobsdcon inside. #blocklists #spamtraps #antispam #smtp #spamd #openbsd #freebsd #security #cybercrime

#CalyxOS releases and security updates will be paused for 4-6 months due to retooling, personnel departures and the recent changes to #AOSP. They've released a "letter to the community" here.

I'm debating on whether to move to GrapheneOS or, since their social media team attacked and "banned" me, and accused me of being some kind of spy because I mentioned CalyxOS in a comment, I may just use regular #Android and lock it down the best I can.

Link: https://calyxos.org/news/2025/08/01/a-letter-to-our-community/

#Security #Privacy

Recent new features in OpenSSH https://www.undeadly.org/cgi?action=article;sid=20250802084523 #openbsd #openssh #ssh #newfeatures #development #security #freesoftware #libresoftware #crypto #cryptography