Merit-based hiring strikes again!
Hegseth reportedly shared Yemen attack details on second Signal chat with his wife and others
How to Protect Yourself From Phone Searches at the US #Border
Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.
#privacy #security #cbp #4thAmendment
https://www.wired.com/story/how-to-protect-yourself-from-phone-searches-at-the-us-border/
Security Advisory: Local privilege escalation in make-initrd-ng
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-make-initrd-ng/63315
Deep dive into supply chain security with the latest Open Source Security podcast! Josh Bressers and Alan Pope unpack the power of Syft and Grype, and other tools focusing on Software Bills of Materials (SBOMs) and vulnerability scanning. They explore not just the what, but also the why behind some key open source projects in this space. Learn how these tools are evolving to give you deeper insights into your s... #OSS #Security #SBOM #VulnerabilityManagement #Syft #Grype https://opensourcesecurity.io/2025/2025-04-syft-grype-grant-alan-pope/
I like the "automate all the security things" mantra. Fits right in with automating all the test and deployment aspects of software as well.
https://thenewstack.io/open-source-and-container-security-are-fundamentally-broken/
The #openbsd 7.7 release page https://www.openbsd.org/77.html is filling out nicely (yes, the release is SOON now), you can prepare for the event by reading "You Have Installed OpenBSD. Now For The Daily Tasks." https://nxdomain.no/~peter/openbsd_installed_now_for_the_daily_tasks.html, and watching for updates over on the OpenBSD Journal https://undeadly.org
You need a tip line. @hushlineapp is free, open-source, end-to-end encrypted, and you can sign up right now at https://tips.hushline.app/register
*slaps top of JWT* This puppy can go from 0 to security breach in [sound of a distant explosion]…
As #HomelandSecurity secretary, #KristiNoem runs a department that is in charge of the nation’s #security. Its responsibilities include border control & immigration, terrorism protection & cybersecurity.
A handbag belonging to the homeland #security secy #KristiNoem containing her passport, dept security badge & $3,000 in cash was stolen on Sunday night at a restaurant in Washington. [zero irony]
Noem confirmed the theft at the White House Easter Egg Roll on Monday morning.
DHS did not give specifics, but said it could confirm the details of a CNN article, which said that Noem’s bag also contained her driver’s license, medication, apartment keys & blank checks.
#law
https://www.nytimes.com/2025/04/21/us/politics/kristi-noem-purse-stolen.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=p&pvid=806BF274-C45C-4E92-8361-AE058A24A9B6
@jakub I understand, that's why I prefer things already packaged by my distro, they take care of that. And since it's just an internal tool, well, you can do a lot to minimize exposure, just like for your tool. I do agree that the #golang way is not the best for this; I wish there was an alternative, as in a static and a dynamic version of each tool, but I can't really expect that of my distro.
SecureDrop Workstation 1.1.2 has been released! This version removes the “sd-retain-logvm” that was created for forensic analysis purposes in response to a vulnerability disclosed in February.
https://securedrop.org/news/securedrop-workstation-1_1_2-released/
Cisco: Older Webex apps can infiltrate malicious code
Two versions of the Webex client can execute commands hidden in URLs when a link is opened. This affects all operating systems, says Cisco.
NEW BETA RELEASES
iOS 18.5 beta 3 (22F5053j)
iPadOS 18.5 beta 3 (22F5053j)
macOS 15.5 beta 3 (24F5053j)
tvOS 18.5 beta 3 (22L5559d)
visionOS 2.5 beta 3 (22O5459c)
watchOS 11.5 beta 3 (22T5559d)
There is quite a bit of buzz related to CVE-2025-24054 which covers attackers causing victims to leak NTLM hashes if they open certain files or view certain directories. In short, this forces victims running Windows to make a connection to an attacker controlled SMB share.
Note: A patch was provided by Microsoft on March 11.
If you prevent SMB traffic from leaving your networks then you don't have to worry about this unless the attacker has already set up shop in your network. Like, patch anyway but, IMO, it would be a better use of your time to ensure that outbound SMB is blocked first. Don't forget to account for mobile devices that are off-network.
Reference:
Check Point - CVE-2025-24054, NTLM Exploit in the Wild
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
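A host-level version of the outbound-SMB block recommended in the post above, as an added example (not from the post or from the Check Point write-up): a PowerShell script using the built-in NetSecurity cmdlets to block TCP 445 and 139 to public IPv4 ranges on every firewall profile, so the rule still applies when a laptop is off-network. The rule name and the address-range list are this example's own assumptions.

```powershell
# Added example: block outbound SMB (TCP 445/139) to public IPv4 addresses on every
# firewall profile, so the rule follows laptops off-network. RFC 1918 ranges, loopback
# and link-local are left out of the list so intranet file shares keep working.
# Rule name and range list are this example's own choices, not from the referenced advisory.
$ruleName = 'Block outbound SMB to Internet (example)'

# All IPv4 unicast space except 10/8, 127/8, 169.254/16, 172.16/12 and 192.168/16.
$publicRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)

# Idempotent: only create the rule if it is not already present.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445, 139 `
        -RemoteAddress $publicRanges `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

# Verify the rule is enabled and show its ports and remote addresses for an audit record.
Get-NetFirewallRule -DisplayName $ruleName |
    Where-Object Enabled -eq 'True' |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Ports   = ($_ | Get-NetFirewallPortFilter).RemotePort -join ','
            Remote  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ' '
            Profile = $_.Profile
        }
    }
```

Run it from an elevated PowerShell prompt; because the range list is IPv4 only, SMB over IPv6 needs a companion rule.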
Encryption is a cornerstone of security on the modern internet. In this video we dive into how it works and explain why it's so important.
This is especially crucial as many governments around the world are pushing to ban encryption and breach our fundamental right to privacy.
https://www.privacyguides.org/videos/2025/04/03/is-your-data-really-safe-understanding-encryption/
Microsoft Entra account lockouts caused by user token logging mishap - Microsoft confirms that the weekend Entra account lockouts were caused by the invalidatio... https://www.bleepingcomputer.com/news/microsoft/microsoft-entra-account-lockouts-caused-by-user-token-logging-mishap/ #microsoft #security
I just read that credit cards are due to go 'numberless' by 2030. The familiar 16-digit number is going away to be replaced by a 'random number' that is created each time you want to pay for something.
I like the extra #security - no credit card number to steal - but what about convenience? Do I need to authorise every monthly subscription payment, every Amazon purchase and every PayPal transaction (in addition to the 2FA I already have on PayPal)?