Please 🚀. I'm going to stop short of saying you should not install the #ICEBlock app, but you should know that you're painting a giant target on your back if you use it, and it does not protect your information adequately. The Trump administration is not being coy about how they see this app and it's users, citing charges of obstruction of justice and general threats of prosecution.

The developer ignorantly insists the only way to safely use it is through iOS app store. That ignores the fact that Apple collects data on what users are installing what apps. It also ignores that the gov has been intercepting push notifications for several years now, so it would be as simple as comparing that data against those who receive push notifications at specific times to determine who is using the app.

The app is also closed-source, so the community cannot inspect it for vulnerabilities.

If they distributed through a 3rd party app store on Android, such as #fdroid (which you cannot do on iOS), they could allow users to run their own notification system using #unifiedpush. Google would not be involved at any stage.

Yes, this would be a high barrier to entry for use, but I think the usecase demands it. Almost certainly we will soon see prosecution for the apps' users and probably also removal from the App Store. Apple most certainly does not care enough to fight the government over this.

That is, unless, as I suspect, this app is actually a #honeypot.

Further reading:
https://arstechnica.com/tech-policy/2023/12/apple-admits-to-secretly-giving-governments-push-notification-data/

https://www.iceblock.app/android

https://www.newsweek.com/kirsti-noem-iceblock-deportation-immigration-app-2092878

#privacy #security #foss #fossdroid #ice #infosec #boostsappreciated

@lillyfinch

A friendly reminder --

Do NOT register anywhere to protest.

During the last protest, I noticed a lot of random websites claiming they wanted people to register their participation. You do NOT need to register at some random website, to announce your intentions to attend a protest.

Such sites can be used to create lists and such list can be given to authorities.

#Protest #Privacy #Security #Safety

"Censys has made a list of some of the ICS products commonly targeted by Iranian hackers and scanned the internet to determine how widespread they are and whether their owners and operators have taken steps to secure them in recent months."

https://www.securityweek.com/iranian-hackers-preferred-ics-targets-left-open-amid-fresh-us-attack-warning/

https://censys.com/blog/ics-iran-exposure-of-previously-targeted-devices

#security #ics

Alt...

Table depicting exposure of four different device types known to be of interest or targeted by Iranian actors, including Unitronics, Orpak SiteOmat, Red Lion, and Tridium Niagara. During the 6 month period from January through June 2025, Orpak SiteOmat is the only software that saw a decrease in exposures, dropping from 158 in January to 123 in June.

#NixOS 24.11 is now officially unmaintained and will not receive bugfixes and #security updates any more.

Time to #upgrade to nixos-25.05 if you haven't yet.

https://github.com/NixOS/infra/pull/761

#funny #meme #authentication #security #it #programming #development #fun #memes #joke #jokes #dev #cybersecurity #hacking

Alt...

One-Factor Authentication: Account Verification We have just sent the code 435841 to your phone number: xxx-xxx-6521 Please enter the code below to access your account: ---- (blank space to enter code)

It’s not often my worlds collide like this, but this is pretty wild.

Coros Pace 3 doesn’t enforce Bluetooth pairing to a device, which leads to a cascading series of things that one could do when rogue connecting to the watch.

All of these are pretty terrible, but I can’t shake the image of someone spectating near the end of a race and disrupting someone’s hard-earned GPS file for their race. Obviously access to health and training data is way more severe, and there are devices and systems way more critical than someone’s GPS watch, but the fact that any of this is even possible is jarring.

On top of this, Coros’s initial response of “we’ll get to it by the end of 2025” is wildly unacceptable. They’ve since clarified their timeline (which is more aggressive) but they didn’t handle this well at all from what I’m reading.

https://blog.syss.com/posts/bluetooth-analysis-coros-pace-3/

https://www.dcrainmaker.com/2025/06/coros-confirms-substantial-watch-security-vulnerablity-says-fixes-are-coming.html

#running #security #vulnerability

Alt...

Summary of COROS PACE 3 Bluetooth security vulnerabilities. An unauthenticated attacker within Bluetooth range could hijack a user’s account, access all data, eavesdrop on sensitive data, manipulate device configuration, factory reset or crash the device, and interrupt running activities causing data loss. The analysis also noted security-relevant differences between the COROS iOS and Android apps.

Confirmed: There will be a full day PF tutorial "Network Management with the OpenBSD Packet Filter Toolset" at #eurobsdcon 2025 in #zagreb.

Details to emerge via https://2025.eurobsdcon.org/, and expect more goodies to be announced!

#openbsd #freebsd #pf #packetfilter #networking #security #freesoftware #libresoftware #bsd

I've had admin powers at 5+ companies' Google Workspace/G Suite over the past decade or so. Every single one had groups which were misconfigured, often so anyone in the whole company could join without approval or see the message history at https://groups.google.com without being a member at all.

This is because for any sensible configuration of Google Groups when using it for email groups you have to use the "Custom" permissions mode. The default Public mode doesn't allow external people to email the group, but does allow the whole company to see all the messages. The default Team mode, has the same problem of everyone being able to see all the messages.

Also let's not forget that dangerous little "Anyone in the organisation can join" toggle at the bottom which is on by default. So any random new starter can join your confidential company directors group and get all the emails sent to it.

Giving Google the benefit of the doubt here, I think the reasoning might be that Google Groups is intended as a kind of company forum, not for private email groups. However that isn't how anyone uses it in my experience...

#security #infosec #google #googleworkspace

Alt...

Screenshot of the default Google Group settings for team mode

Alt...

Screenshot of the default Google Group settings for public mode

Are passkeys ready for primetime? Here is my little experiment (blog post about it)
https://itsbytor.wordpress.com/2025/06/30/%f0%9f%97%9d%ef%b8%8f-the-passkey-experiment-one-mans-journey-through-the-passwordless-frontier/

#security #passkeys #encryption #internet #computers #computing

Building Your Own PKI with Step-CA – From Root CA to Proxmox Integration with ACME!

In this #HowTo we create an own, decentralized PKE with #stepca, enable #ACME and integrate a #Proxmox node to obtain a certificate.

#proxmox #stepca #opensource #howto #homelab #enterprise #pki #security #decentralized #x509 #certificates

https://gyptazy.com/building-your-own-pki-with-step-ca-from-root-ca-to-proxmox-integration-with-acme/

Vorbereiten auf Einschlag: Microsoft warnt vor Secure-Boot-Zertifikat-Update

"Bereite dich auf das erste globale, großflächige Secure-Boot-Zertifikat-Update vor", warnt Microsoft. Nicht nur Windows ist betroffen.

https://www.heise.de/news/Vorbereiten-auf-Einschlag-Microsoft-warnt-vor-Secure-Boot-Zertifikat-Update-10461866.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

#IT #Linux #macOS #Microsoft #SecureBoot #Security #Windows #news @de_edv

@theferret Could I respectfully suggest you post full links - not shortened ones. Malicious actors can use them to redirect the viewer to harmful sites and not everyones browser/computer is adequately locked down.

It does not cost more in your 500 letter posting than a shortened/onscured link.

#Mastodon #Links #Security #Privacy

I had the foolihardiness to ask a tech question on Mastodon last night (what was I thinking???) that devolved into a side quest. I am going to even more foolhardily try again:

With Android rolling out updates that wedge Gemini into everything, what do I need to do to remove/disable/nuke from outer space all aspects of Gemini as much as possible?

🚨 Without changing phones / getting a second phone / installing a new OS. 1/n

#Gemini #Android #Privacy #Security

Exhibit eleventy bajillion that medical software is awful. I find this funny for a few reasons.

One, it references Little Bobby Tables' lesser known cousin @GNAME@.

Second, it doesn't tell me who, what, where, when, why. All I have is literally the patient name. My son. I don't know the date of the procedure, the cost, what they sent my insurance, what my insurance said. Nothing. It's just "you owe us money. Please give us all your insurance details."

Third, I suspect #security is to blame here. If you want to protect your patient data, don't let the invoicing people have all that data. I sorta get it. But then letters like this are pretty useless. There is absolutely no way I'm writing down all my info and just shipping it to them to see what happens. This is #medical billing, after all. It's the only thing with a higher error rate than an LLM.

Alt...

Photo of a letter. It has the UVA logo at the top and UVA Health. You can see redacted name and address places. It opens with Dear @GNAME@ and basically goes on to say they did something and want my info.

If you made some kind of intercepting HTTP/HTTPS proxy (thinking of a #pentester use case here), you could make it search for these URLs in the streams of HTTP and HTML that are passing through the proxy. Copy down the full URLs and asynchronously issue your own requests for the same URLs and store your own copy of the resulting files. The end user still gets their copy and nobody can tell it's happening. You'd almost certainly be able to do this because the links would surely be valid at the time the proxy sees them, and would work if the proxy immediately issued its request for its own copy.

The only way to really detect this happening is for the bucket owner to look at the S3 object logs in CloudTrail and see more than 1 fetch of that URL. Of course, someone with network connectivity issues could issue the request more than once. But a systematic pattern of duplicate fetches would indicate hijinks. The end user can't detect this happening to them. But, of course, you're MitM'ing their internet connection, so that could be detected.

#AWS #S3 #security #pentest
4/end

If you know how these things work, I haven't told you anything new or useful yet. Maybe I won't. But the thing I think is important and frequently overlooked is that expiration time. Too short (5 seconds) and your user might not click the link before it expires. Too long (86400 seconds, i.e., one day) and this file is available far longer than you intended.

So looking at the X-Amz-Expires header in #AWS #S3 is a good #security thing, especially if you're doing a #pentest . Those URLs can be passed from device to device (e.g., you can Slack it to a colleague or SMS it to a friend and it will work). So you want to counsel anyone who uses them to try hard to tune the expiration as short as is reasonably practical. That expiration is all of the security control on that link.

[edit: I left out something important]
I see these URLs with 86400 as the expiration time a lot and often. If you're a developer, look at what you're setting them to. If you're a #pentester, this is a thing to warn your customer about.

3/

https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/

> [...] these vulnerabilities allow attackers to fully take over the headphones via Bluetooth. No authentication or pairing is required. The vulnerabilities can be triggered via Bluetooth BR/EDR or Bluetooth Low Energy (BLE). Being in Bluetooth range is the only precondition. It is possible to read and write the device’s RAM and flash. [...] hijack established trust relationships with other devices, such as the phone paired to the headphones.

#security #bluetooth

#Bluetooth was a mistake: Millions of Bluetooth headphones can potentially be turned in eavesdropping devices. Best-seller #Sony and #Bose #headphones are affected by at least some of the disclosed flaws among many others. The true dimension of these flaws is yet unknown as the the vulnerable component is very widely in use under different names.

https://www.heise.de/en/news/Zero-day-Bluetooth-gap-turns-millions-of-headphones-into-listening-stations-10460704.html

Disclosure of the vulnerabilities: https://insinuator.net/2025/06/airoha-bluetooth-security-vulnerabilities/

No updates or official statements available yet. ☠️

#Security #Privacy #Audio #Airoha #ZeroDay

A variety of US federal and state laws give cops the power to get your data from online services. This overview goes over how they work, and how they can be mitigated.
https://www.eff.org/deeplinks/2025/06/how-cops-can-get-your-private-online-data
#privacy #police #security #encryption

Thanking the @letsencrypt folks for the excellent work they do, and especially for their upcoming support for security certificates for IP addresses which is nothing short of revolutionary for the future of the (Small) Web.

https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777/22

#SmallWeb #security #IPAddresses #WebNumbers #LetsEncrypt #SmallTech #decentralisation #peerToPeerWeb #findability

Tails 6.17 privacy-focused Linux distro is out now with a new "Show Password" feature, alongside critical Tor Browser and uBlock Origin updates.
https://linuxiac.com/tails-6-17-released-with-improved-password-management/

#tails #security #privacy

Alt...

Tails 6.17 privacy-focused Linux distro is out now with a new "Show Password" feature, alongside critical Tor Browser and uBlock Origin updates.

#Signal bekommt E2E-verschlüsselte Cloud-Backups, die man nun unter #Android testen kann: https://community.signalusers.org/t/public-signal-backups-testing/

Die neuen #Backups sollen dann übrigens auch dann auch plattformübergreifend nutzbar sein, was auch endlich den Umzug der Chatinhalte zwischen Android und iOS ermöglicht.

Auch lokale Backups sollen deutlich besser werden. Bleibt zu hoffen, dass sie dann endlich inkrementell funktionieren. 👀

#Messenger #Privacy #Security #Backup

I learned something today: Google's Gemini "AI" on phones accesses your data from "Phones, Messages, WhatsApp" and other stuff whether you have Gemini turned on or not. It just keeps the data longer if you turn it on. Oh, and lets it be reviewed by humans (!) for Google's advantage in training "AI" etc.

But this only came to my attention because of an upcoming change: it's going to start keeping your data long-term even if you turn it "off": "#Gemini will soon be able to help you use Phone, #Messages, #WhatsApp, and Utilities on your phone, whether your Gemini Apps Activity is on or off."

This is, of course, a #privacy and #security #nightmare.

If this is baked into Android, and therefore not removable, I'd have to say I'd recommend against using Android at all starting July 7th.

https://www.extremetech.com/mobile/gemini-ai-will-soon-access-calls-and-messages-on-your-android-even-if-you

#spyware #AI #LLM #Google #spying #phone #Android #private #data

One of our goals was making Network Time Security (NTS) the default in Chrony, not just for Ubuntu 25.04 Plucky Puffin, but beyond.

We’ve now reached that milestone as part of the ongoing development of Ubuntu 25.10 Questing Quokka.

Read more about it in our Ubuntu Server Gazette: https://discourse.ubuntu.com/t/ubuntu-server-gazette-issue-5-things-to-keep-safe-your-circle-of-friends-and-your-time/63295

#Ubuntu #Linux #OpenSource #Security #NTS

Alt...

Network Time Security and chrony as defaults: As part of the ongoing development of Ubuntu 25.10 Questing Quokka

Ubuntu 25.10 is boosting security with Chrony + NTS for secure time sync, replacing systemd-timesync. A safer, more reliable time management system is coming! #Ubuntu #Security #TechNews https://dub.sh/GKhixGZ

#Iran says it used the same number of bombs the #US used on Iran’s #nuclear facilities

Iran's top #security body said in a statement that its armed forces used the same number of bombs that the US had used in attacking Iran’s nuclear facilities.

It also said the US base was far from urban facilities & residential areas in #Qatar.

It added that the action did not pose any threat to "our friendly & brotherly" neighbour Qatar.

#Trump #Iraq #Israel #MiddleEast #war

#Kuwait, #Iraq, #Qatar, the #UAE & #Bahrain have all closed their airspace in light of the attacks.

A US #Defense Dept official confirmed that #Iran fired multiple short- & medium-range missiles at #AlUdeid Air Base in Qatar, & a damage assessment is underway. The official spoke on condition of anonymity to discuss #security matters.

#Trump #Israel #MiddleEast #war

I need advice to secure a web server. I am currently managing an OJS server at my University. This server is often attacked, such as with PHP script injections, to cause malfunction or online gambling contents. What I have done so far:
1. Set permissions (the user owns all PHP scripts instead of www-data, these files are often modified by a third party)
2. File access monitoring ( I log every access that happens in the doc root)
3. daily backup

#ojs #web #security

I wrote another thing about home automation and alarms and stuff.

This time I talk about planning a basic level of hardwired security into my apartment, and what prep work has been necessary.

https://awfulwoman.com/posts/planning-security/

#HomeAutomation #ESPhome #HomeAssistant #HomeSecurity #Security

Ubuntu 25.10 moves to using Chrony with Network Time Security (NTS) enabled to improve the distro's security.

https://www.omgubuntu.co.uk/2025/06/ubuntu-chrony-nts-default-25-10

#ubuntu #security #linux

Update to our article on the recent X.Org X server and Xwayland security issues. Another new version of each is *now* being released.

https://www.gamingonlinux.com/2025/06/multiple-security-issues-in-the-x-org-x-server-and-xwayland-disclosed-new-versions-released/

#Linux #Security #OpenSource

🎙️ New Podcast Episode!🎙️ On this summer transmission, Alex and Emma hype new hardware and our presence at the Open Source Summit in Denver. We interview Viktor Petersson at Screenly. The discussion dives into Screenly’s focus on security, especially for enterprise environments, and emphasizes the need for strong hardware and software security partnerships. Listen here: https://system76.transistor.fm/19
#security #opensource #System76 #Screenly

Multiple security issues in the X.Org X server and Xwayland disclosed, new versions released https://www.gamingonlinux.com/2025/06/multiple-security-issues-in-the-x-org-x-server-and-xwayland-disclosed-new-versions-released/

#Linux #OpenSource #Security

Adrian Carrasquillo: "Just hours after a man assassinated a Democratic politician and murdered her husband and shot another Democrat and a spouse, Trump spouts that 'Radical Left Democrats are sick of mind, hate our Country, and actually want to destroy our Inner Cities'.”
#TrumpEncouragesUnlawfulViolence #WorstPresidentEver #security #politics

🆕 blog! “Your Password Algorithm Sucks”

There are two sorts of people in the world; those who know they are stupid and those who think they are clever.

Stupid people use a password manager. They know they can't remember a hundred different passwords and so outsource the thinking to something reasonably secure. I'm a stupid person and am very happy to have BitWarden…

👀 Read more: https://shkspr.mobi/blog/2025/06/your-password-algorithm-sucks/
⸻
#CyberSecurity #passwords #security