cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.

This server runs the snac software and there is no automatic sign-up process.

Site description: Cablespaghetti's personal snac instance
Admin email: sam@cablespaghetti.dev
Admin account: @sam@cablespaghetti.dev

Search results for tag #security

[?]GrapheneOS »
@GrapheneOS@grapheneos.social

GrapheneOS version 2025071900 released:

grapheneos.org/releases#202507

See the linked release notes for a summary of the improvements over the previous release.

Forum discussion thread:

discuss.grapheneos.org/d/24190

    [?]Electropict »
    @electropict@mastodon.scot

    ... [SENSITIVE CONTENT]

    Today we received a little packet of four teardrop-shaped from China.

    We do not know why.

    My -focused or anime-raddled brain I'm not sure which or if there's a difference is filled with possible ways in which this may be an vector. Not the least of which is destabilising of Western Civilisation through sheer paranoia. (Just as well I don't believe in Western Civilisation, eh?)

    But I may be missing out on the chance to grow something beautiful?

    /

      [?]Peter N. M. Hansteen »
      @pitrh@mastodon.social

      Happy "Logging in as users -, [ and $ day" to all who celebrate:

      Jul 19 02:02:12 portal sshd-session[88959]: Failed password for invalid user - from 152.42.130.79 port 33738 ssh2
      Jul 19 03:00:14 portal sshd-session[79691]: Failed password for invalid user [ from 152.42.130.79 port 41708 ssh2
      Jul 19 03:58:56 portal sshd-session[6194]: Failed password for invalid user $ from 152.42.130.79 port 55398 ssh2
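The log lines above, as an added example that is not part of the post: a small Python parser that pulls the username and source address out of sshd "Failed password" lines (including the odd usernames "-", "[" and "$" shown) and flags any source that exceeds a failure threshold. The threshold, the 203.0.113.7 and 198.51.100.9 lines and the function names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Matches OpenSSH "Failed password" lines, including the "invalid user" variant.
# The username group is non-greedy so that names such as "-", "[" or "$" are
# captured whole; the IP and port are anchored so the username cannot swallow them.
FAILED_PW_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>.+?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2$"
)


def parse_failed_logins(lines):
    """Yield (user, source_ip, is_invalid_user) for each failed-password line."""
    for line in lines:
        m = FAILED_PW_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("invalid") is not None


def summarize(lines, threshold=3):
    """Group failures by source IP.

    Returns {ip: {"count": n, "users": [distinct usernames tried], "flag": bool}}
    where "flag" is set once a source reaches the failure threshold (constructed
    default of 3, the number of attempts in the quoted log).
    """
    counts = Counter()
    users = defaultdict(list)
    for user, ip, _ in parse_failed_logins(lines):
        counts[ip] += 1
        if user not in users[ip]:
            users[ip].append(user)
    return {
        ip: {"count": n, "users": users[ip], "flag": n >= threshold}
        for ip, n in counts.items()
    }


# Constructed sample: the three lines quoted in the post, one failure from a
# second (documentation-range) address, and one successful login that must be ignored.
SAMPLE_LOG = """\
Jul 19 02:02:12 portal sshd-session[88959]: Failed password for invalid user - from 152.42.130.79 port 33738 ssh2
Jul 19 03:00:14 portal sshd-session[79691]: Failed password for invalid user [ from 152.42.130.79 port 41708 ssh2
Jul 19 03:58:56 portal sshd-session[6194]: Failed password for invalid user $ from 152.42.130.79 port 55398 ssh2
Jul 19 04:10:00 portal sshd-session[6200]: Failed password for root from 203.0.113.7 port 50000 ssh2
Jul 19 04:11:00 portal sshd-session[6201]: Accepted publickey for sam from 198.51.100.9 port 50001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```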

        [?]Oto Šťáva »
        @alefunguju@mastodon.social

        Alright so I just found out that OCI (Docker/Podman) is just absolute garbage if you want anything resembling supply-chain security, because registries and clients are basically allowed to willy-nilly change the image digests. So I just cannot really prove that an image I just mirrored on my local registry is the same I pulled from elsewhere. Is this what we are basing much of our software infrastructure on?

          Clare Hooley boosted

          [?]Open Rights Group »
          @openrightsgroup@social.openrightsgroup.org

          Make our voice heard at the Apple encryption hearing!

          On the sly, the UK government tried to force a backdoor into the firewall that protects your privacy. We made the hearing public.

          Now we need to win in court ✊

          Donate now to fund legal representation ⬇️

          action.openrightsgroup.org/mak

            [?]Peter N. M. Hansteen »
            @pitrh@mastodon.social

            bob boosted

            [?]DevOpsDays London »
            @DevOpsDaysLondon@social.devopsdays.org

            Discover how Model Context Protocol (MCP) can supercharge DevOps by connecting LLMs to tools like Grafana, CI/CD, and Sentry—right from your IDE. This talk from Alex Shershebnev covers building secure MCP servers, automating Ops tasks, and avoiding security pitfalls as you integrate AI into your stack.

            Program: devopsdays.org/events/2025-lon

            Tickets: ti.to/devopsdays-london/2025

            Sponsorship: devopsdays.org/events/2025-lon

              🗳

              [?]Mark Wyner Won’t Comply :vm: »
              @markwyner@mas.to

              For those who have InfoSec, privacy, security, and/or related technology expertise…

              Would you use Bitchat?

              (Feel free to elaborate in the comments and/or boost if you’d like to see the opinion of others.)

              Yes: 0
              No: 34
              Jack Dorsey is not to be trusted: 49
              I just want to see the results: 10

              Closes in 19:54:17

                [?]Peter N. M. Hansteen »
                @pitrh@mastodon.social

                Andy Piper boosted

                [?]Mark Wyner Won’t Comply :vm: »
                @markwyner@mas.to

                Oh, my goodness. I boosted @Em0nM4stodon’s post about this earlier. But I need to share it with some intention.

                This piece she wrote on Mastodon privacy/security is intense. It’s long. SO much information. Read it anyway. Seriously.

                And if y’all don’t follow Em, do yourself a solid and get on that. She’s smart af about InfoSec/privacy/security. And super friendly.

                privacyguides.org/articles/202

                  [?]Metin Seven 🎨 »
                  @metin@graphics.social

                  Interesting read…

                  Google is tracking you (even when you use DuckDuckGo)

                  simpleanalytics.com/blog/googl

                    [?]Em :official_verified: »
                    @Em0nM4stodon@infosec.exchange

                    New Privacy Guides article :mastodon: 🔒
                    by me:

                    While most social media rely on commercial models harvesting users' data to sell to advertisers,

                    Mastodon offers a human-centric alternative that doesn't seek profits from your data and attention.

                    This means better social connections, better controls, and better privacy!

                    The first part of this article discusses privacy and security on Mastodon.

                    The second part is a tutorial to guide you in making the most of Mastodon's security and privacy related features.

                    This tutorial includes how to:

                    • Enable multifactor authentication 🔑🔑

                    • Adjust privacy vs discovery 👀

                    • Select post visibility and access :neocat_box:

                    • Verify yourself :blobcatverified:

                    • Delete and back up your data :nes_fire:

                    • Block users and instances ⛔

                    • Opt out with hashtags #️⃣

                    • Move from one instance to another 🚀

                    I hope this helps you make the most of what Mastodon has to offer! :awesome:

                    privacyguides.org/articles/202

                      [?]Mike Cox »
                      @mikecox@mastodon.iow.social

                      [?]Cambionn »
                      @Cambion@mastodon.nl

                      One of my colleagues drew my attention to this article, and to be honest I do love the reporting style. Memes and writing like this?

                      "The ‘good news’, I suspect, is that most orgs will be too lacking in logs to have evidence."

                      "China go brrr"

                      At least it's not dry :awesome:

                      doublepulsar.com/citrixbleed-2

                      Oprah Winfrey meme with the text "You get an incident, everybody gets a Citrix NetScaler incident"

                        Doug Belshaw boosted

                        [?]nemo™ 🇺🇦 »
                        @nemo@mas.to

                        GrapheneOS just dropped stable Android 16 support for Pixel devices! 🚀🔒 Despite new hurdles from Google, the team’s update includes the TapTrap vulnerability fix and under-the-hood improvements. No flashy features, all about security!

                        🔗 heise.de/en/news/GrapheneOS-re

                        Shortlink: heise.de/-10484215

                          [?]Nonilex »
                          @Nonilex@masto.ai

                          As much as seems to want credit for helping to end the war, he is also clear that he doesn’t want to be blamed for the outcome [of course]. “I do want to make one statement again,” he said. “I said it before. This is not Trump’s war.”

                            [?]Nonilex »
                            @Nonilex@masto.ai

                            It looks like was expecting an even tougher announcement by . The main Moscow stock index jumped more than 2.5% after Trump’s announcement. Konstantin Kosachev, a senior lawmaker, said on social media that Trump could change his mind again in the next 50 days (& probably will): “If this is all Trump had to say about Ukraine today, then for now, it’s all just hot air.”

                              [?]Nonilex »
                              @Nonilex@masto.ai

                              “There are not Americans dying,” said, noting he & had “a problem” with involvement, though he never finished the thought. Trump acknowledged that the wanted “a strong Europe.” He never said, however, whether he shared the Europeans’ concern that would not stop at & could broaden his push into .

                                [?]Nonilex »
                                @Nonilex@masto.ai

                                “My conversations with him are very pleasant, & then the missiles go off at night,” said of . Clearly sensitive about his turnaround, Trump added of Putin: “He fooled Clinton, Bush, Obama, Biden — he didn’t fool me.”
                                [invert that last statement for the truth]

                                  [?]Nonilex »
                                  @Nonilex@masto.ai

                                  is convinced he has the battlefield momentum & has been prepared for to lose his patience, NYT reported last week. For all of Trump’s Russia-friendly rhetoric earlier this year, he refused to make the major concessions that Putin wanted, such as pushing Ukraine to give up more territory & limit the future size of its military.

                                  nytimes.com/2025/07/09/world/e

                                    [?]Rory McCune »
                                    @raesene@infosec.exchange

                                    Just published another part of our long-running series on fundamentals. This time looking at how Kubernetes clusters use PKI. I know when I started, the idea that every cluster had three different certificate authorities came as a bit of a surprise!

                                    securitylabs.datadoghq.com/art

                                      [?]Roni Laukkarinen »
                                      @rolle@mementomori.social

                                      I'm still on some commercial platforms, but I've given up on X, Facebook, and WhatsApp. Sometimes I wish I could have made different choices when I started my online journey in the 90s, and not have my full name and details out there to some extent. I'm in too deep. There's some safety in knowing certain things - security-wise, to protect myself. But it's horrifying to think about people who don't take those precautions. Many are just prey for the black and gray hats.

                                      I often choose not to post about these things on commercial social media because it's seen as fearmongering and insensitive. I wish I could warn everyone, but most do not care until something bad happens.

                                        [?]This Is My Glasgow »
                                        @thisismyglasgow@mastodon.scot

                                        This unusual T-shaped keyhole (left) is part of an Odell's nightlatch. It's at the entrance to an 1850s tenement on Kelvingrove Street and is only the second I've found in the wild in Glasgow.

                                        Cont./

                                        The unusual T-shaped keyhole for an Odell's nightlatch, with an example of the internal workings of such a latch and one of its keys.

                                          [?]Karl Voit :emacs: :orgmode: »
                                          @publicvoit@graz.social

                                          If you still think that cares for the of its paying customers:

                                          Apple Gave Data on Thousands of Push
                                          404media.co/apple-gave-governm

                                          With companies like that, you're the product although you pay premium money.

                                            [?]dsp »
                                            @dsp@social.sdf.org

                                            I guess?
                                            I'm a physicist who spent most of his time at school in the datacenter. Then I somehow found myself in 'computer science research' labs writing software. For the past couple of years doing the security thing because it's fun. Into . When AFK I enjoy . As always thank you for hosting us. It's nice to meet you all :).

                                              [?]Wen »
                                              @Wen@mastodon.scot

                                              Perusing a paper paper for once I saw this advert for WhatsApp.

                                              No I can believe the content of your message can not be read, but by using it, your address book is theirs, your messages sent/received are logged and you will be tracked wherever you are - and whatever you are buying.

                                              That’s what they really want.

                                              Go - it makes sense

                                              Advert for WhatsApp, woman's face, hidden message, text reads: "No one, not even WhatsApp, can see or hear your personal messages. WhatsApp from Meta"

                                                [?]Chad McCullough »
                                                @cmccullough@polymaths.social

                                                Well, great. Now @bitwarden is going to add AI bullshit to their services. I left Bitwarden a few months back for different reasons, but I'm kind of glad that I did. I switched to @1password@1password.social. If they add AI to their services (are they already?), I'm just going to call it quits on all of them and move completely to @keepassxc@fosstodon.org. I can simply host my own with KeePassXC and not have to worry about any AI crap. I'm using KeePassXC now but not for everything. That might change in the very near future.

                                                https://nerds.xyz/2025/07/bitwarden-mcp-server-secure-ai/

                                                #passwordmanager #privacy #security

                                                  [?]Peter N. M. Hansteen »
                                                  @pitrh@mastodon.social

                                                  Yes, The Book of PF, 4th Edition Is Coming Soon nxdomain.no/~peter/yes_the_boo

                                                  Long rumored and eagerly anticipated by some, the fourth edition of The Book of PF is now available for preorder nostarch.com/book-of-pf-4th-ed

                                                    [?]erAck »
                                                    @erAck@social.tchncs.de

                                                    Miah Johnson boosted

                                                    [?]Peter N. M. Hansteen »
                                                    @pitrh@mastodon.social

                                                    Long rumored, eagerly anticipated by some, you can now PREORDER "The Book of PF, 4th edition" nostarch.com/book-of-pf-4th-ed for the most up to date guide to the OpenBSD and FreeBSD networking toolset

                                                      [?]Liam @ GamingOnLinux 🐧🎮 »
                                                      @gamingonlinux@mastodon.social

                                                      [?]Sindarina, Edge Case Detective »
                                                      @sindarina@ngmx.com

                                                      The Node.js Project just pre-announced security updates, to be released next week, on Tuesday, July 15th;

                                                      "The 24.x release line of Node.js is vulnerable to 2 high severity issues. The 22.x release line of Node.js is vulnerable to 1 high severity issues. The 20.x release line of Node.js is vulnerable to 1 high severity issues."

                                                      nodejs.org/en/blog/vulnerabili

                                                        [?]Chewie »
                                                        @chewie@mammut.gogreenit.net

                                                        [?]Nonilex »
                                                        @Nonilex@masto.ai

                                                        The most recent report, issued in 2023, included an interactive atlas that zoomed down to the county level. It found that is affecting people’s , & livelihoods in every corner of the country in different ways, with minority & Native American communities often disproportionately at risk.

                                                          [?]Em :official_verified: »
                                                          @Em0nM4stodon@infosec.exchange

                                                          What is your favorite app for
                                                          Multifactor Authentication, and why do you like it most? 2️⃣✌️👀

                                                            [?]Mark Stosberg »
                                                            @markstos@urbanists.social

                                                            [?]nixCraft 🐧 »
                                                            @nixCraft@mastodon.social

                                                            Internet traffic, visualized with an open-source app that comfortably monitors your Internet traffic. It is a cross-platform and reliable app for your needs github.com/GyulyVGC/sniffnet

                                                            A screenshot of the sniffnet application, used to comfortably monitor your Internet traffic.

                                                              [?]Seth Larson »
                                                              @sethmlarson@mastodon.social

                                                              Why is security work unlike any other contribution to an open source project?

                                                              We need to re-think the tight association between maintainers and security work if we want sustainable open source security.

                                                              Read more: sethmlarson.dev/security-work-

                                                                [?]Linux Is Best »
                                                                @Linux@mastodon.au

                                                                @lillyfinch

                                                                A friendly reminder --

                                                                Do NOT register anywhere to protest.

                                                                During the last protest, I noticed a lot of random websites claiming they wanted people to register their participation. You do NOT need to register at some random website, to announce your intentions to attend a protest.

                                                                Such sites can be used to create lists, and such lists can be given to authorities.

                                                                  [?]mle✨ »
                                                                  @mle@infosec.exchange

                                                                  "Censys has made a list of some of the ICS products commonly targeted by Iranian hackers and scanned the internet to determine how widespread they are and whether their owners and operators have taken steps to secure them in recent months."

                                                                  securityweek.com/iranian-hacke

                                                                  censys.com/blog/ics-iran-expos

                                                                  Table depicting exposure of four different device types known to be of interest or targeted by Iranian actors, including Unitronics, Orpak SiteOmat, Red Lion, and Tridium Niagara. During the 6-month period from January through June 2025, Orpak SiteOmat is the only software that saw a decrease in exposures, dropping from 158 in January to 123 in June.

                                                                    [?]hexa- »
                                                                    @hexa@chaos.social

                                                                    24.11 is now officially unmaintained and will not receive bugfixes and updates any more.

                                                                    Time to to nixos-25.05 if you haven't yet.

                                                                    github.com/NixOS/infra/pull/76

                                                                      [?]mle✨ »
                                                                      @mle@infosec.exchange

                                                                      It’s not often my worlds collide like this, but this is pretty wild.

                                                                      Coros Pace 3 doesn’t enforce Bluetooth pairing to a device, which leads to a cascading series of things that one could do when rogue connecting to the watch.

                                                                      All of these are pretty terrible, but I can’t shake the image of someone spectating near the end of a race and disrupting someone’s hard-earned GPS file for their race. Obviously access to health and training data is way more severe, and there are devices and systems way more critical than someone’s GPS watch, but the fact that any of this is even possible is jarring.

                                                                      On top of this, Coros’s initial response of “we’ll get to it by the end of 2025” is wildly unacceptable. They’ve since clarified their timeline (which is more aggressive) but they didn’t handle this well at all from what I’m reading.

                                                                      blog.syss.com/posts/bluetooth-

                                                                      dcrainmaker.com/2025/06/coros-

                                                                      Summary of COROS PACE 3 Bluetooth security vulnerabilities. An unauthenticated attacker within Bluetooth range could hijack a user's account, access all data, eavesdrop on sensitive data, manipulate device configuration, factory reset or crash the device, and interrupt running activities causing data loss. The analysis also noted security-relevant differences between the COROS iOS and Android apps.

                                                                        [?]Peter N. M. Hansteen »
                                                                        @pitrh@mastodon.social

                                                                        Confirmed: There will be a full day PF tutorial "Network Management with the OpenBSD Packet Filter Toolset" at 2025 in .

                                                                        Details to emerge via 2025.eurobsdcon.org/, and expect more goodies to be announced!

                                                                          Mike Sheward boosted

                                                                          [?]sam »
                                                                          @sam@cablespaghetti.dev

                                                                          Fediverse, I have a rant I need to get off my chest. Groups in Google Workspace is a security nightmare and has been for years! Why has Google STILL not fixed the glaring problems!?

                                                                          I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

                                                                          This is because, for any sensible configuration of Google Groups when using it for email groups, you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode has the same problem of everyone being able to see all the messages.

                                                                          Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

                                                                          Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...


                                                                          Screenshot of the default Google Group settings for Team mode

                                                                          Screenshot of the default Google Group settings for Public mode
