Tootfinder

Opt-in global Mastodon full text search. Join the index!

@geant@mstdn.social
2024-04-12 06:59:19

We met with David Heed, senior IT-security practitioner at @… and joint task-lead for #security products and services in the GN5-1 project.
He discussed the need for a common platform to facilitate and standardise cyber threat intelligence sharing to overcome the ma…

@publicvoit@graz.social
2024-03-11 10:54:31

#fefe with a concept for how companies and public authorities can be secured #Security-wise: blog.fefe.de/?ts=9b101de1

@geant@mstdn.social
2024-04-11 07:56:46

The Lightning Talks plenary session closes the first day of the GÉANT #SecurityDays. The lively, informative and animated five minute presentations offered great content, perspectives, insights and ideas on various aspects of #cybersecurity.
From external communication during a cyber cris…

GÉANT Security Days 2024 in Prague - Lightning Talks
@mgorny@social.treehouse.systems
2024-04-10 05:22:38

Of course, I can't start a day without being awfully angry about some shit.
So #Gentoo suddenly undoes USE=lzma [and USE=zstd] that used to be enabled by default in 23.0 profiles, apparently based on "consensus" on the mailing lists. The "consensus" boils down to one conspiracy theorist developer complaining, and being supported by 3 users whose Gentoo contributions boil down to having to express their opinions on everything on the mailing list.
This isn't only a problem because Gentoo is letting itself be controlled by a vocal minority. This is a problem because we've enabled something that can affect program output, told everyone to upgrade and rebuild their systems, then pulled the carpet from under them.
Wait, did that random app start using LZMA compression now that you've enabled it? Well, bad luck, you won't be able to open your files anymore. Surely, there's no better #security than not being able to do anything!
Unfortunately, sys-apps/kmod had explicit IUSE= lzma by default for a while now, so there's still a risk that you'll be able to boot your system. That's not good for security at all!
#xz

@mikemathia@ioc.exchange
2024-05-11 03:15:56

#Security

@patrick_townsend@infosec.exchange
2024-04-12 20:23:48

NIST and Web3 Security – A Developing Perspective

The National Institute for Standards and Technology just released an initial draft of “A Security Perspective on the Web3 Paradigm” as document IR 8475. It is not long and it is a great take on how NIST is thinking about Web3 security. Here is the link:

#Web3 #NIST #Security #InfoSec #BlockChain #IPFS

@nohillside@smnn.ch
2024-05-08 14:19:19

"Grows to 100 passkeys"?! Tell me, how many logins do you have in your password managers?
Please share!
#passkey #security #password

@geant@mstdn.social
2024-04-09 10:29:11

The first GÉANT #Security Days conference opens its doors in Prague.
Day 1 comprises two parallel tracks: the SIG-ISM meeting & a Cyber Threat Intelligence workshop.
Ana Alves, GÉANT CISO: "My aim is to identify with you the essentials to build up, strengthen our network & become more resilient against ever evolving cyber threats"
Roderick Mooi, GÉANT: "Excite…

GÉANT Security Days conference in Prague

Republican calls to "reform" #Social #Security got fresh attention when the House Republican Study Committee (RSC), which includes more than 170 GOP lawmakers, released a #budget

@UP8@mastodon.social
2024-05-09 20:01:29

💥 Hacker free-for-all fights for control of home and office routers everywhere
#computers

@sharan@metalhead.club
2024-04-22 21:04:20

What does this mean in terms of #security #onlinesafety #messaging?

@digitalnaiv@mastodon.social
2024-03-07 10:19:01

Even six years after its introduction, opinions remain divided on the European General Data Protection Regulation (GDPR/DSGVO). Small companies in Germany in particular complain, according to a survey by the German Chamber of Industry and Commerce (DIHK), about bureaucracy and the high effort caused by documentation obligations, reports #SecurityInsider

@geant@mstdn.social
2024-04-10 11:29:37

The GÉANT #SecurityDays opening plenary kicks off today with a warm welcome from @…, GÉANT CITO.
Underlining the growing importance of #security for

GÉANT Security Days opening plenary
@publicvoit@graz.social
2024-04-06 12:56:27

Talk by @… and the lecture hall is overflowing 😁
We got hacked: lessons from real #Security incidents

@j12t@social.coop
2024-04-21 02:10:18

Somebody is building a low-latency pipeline from #security advisory to attack by means of #AI right now, I'm sure.

@geant@mstdn.social
2024-04-09 13:49:35

The GÉANT Security Days, our first #security conference, in Prague, continue with SIG-ISM and an interactive session on products & services chaired by Charlie van Genuchten @… and Jennifer Ross @…

Charlie van Genuchten (SURF) and Jennifer Ross (GÉANT) at the GÉANT Security Days 2024 in Prague
@lanefu@social.linux.pizza
2024-03-02 14:57:39

The Government wants us to update equipment and patch our shit?
We need federal programs for e-waste.
#security #recycling

@mgorny@social.treehouse.systems
2024-04-06 08:05:04

On 2024-03-19, two vulnerabilities were announced on the #Python #security mailing list: "quoted zip-bomb" and "TemporaryDirectory symlink dereference during cleanup". Both were announced to affect all current #CPython releases.
The same day, security releases were made for the Python 3.10, 3.9 and 3.8 branches. So far, so good. However, I found it surprising that there were no releases being made for 3.11 or 3.12.
On 2024-04-02, Python 3.11.9 was tagged. Initially, the signature on the source tarball didn't verify. Today, it does verify, but the release still doesn't seem to have been announced. However, what I found the most surprising is the lack of fixes for the security issues announced before! Was the release borked?
So I've checked in more detail… and it turned out that both issues were already fixed in 3.11.8 (and 3.12.2), so the security announcement was wrong. Sigh.
That said, #PyPy is still affected.
mail.python.org/archives/list/
mail.python.org/archives/list/
discuss.python.org/t/python-3-
bugs.gentoo.org/927299

@geant@mstdn.social
2024-04-11 12:16:21

The closing plenary of the GÉANT #SecurityDays welcomes on stage Daniel Stach, broadcaster & journalist CzechTV, with his presentation: "Lies are (not) everywhere!".
Alf Moens, GÉANT: "What a brilliant way to close GÉANT's first #Cybersecurity conference. Collaborat…

Daniel Stach at the GÉANT Security Days 2024 in Prague
@publicvoit@graz.social
2024-04-21 17:35:52

#Microsoft is a national #security threat, says ex-White House cyber policy director

@geant@mstdn.social
2024-04-11 12:16:21

The closing plenary of the GÉANT #SecurityDays welcomes on stage Daniel Stach, broadcaster & journalist CzechTV, with his presentation: "Lies are (not) everywhere!".
Alf Moens, GÉANT: "What a brilliant way to close GÉANT's first #Cybersecurity conference. Collaborat…

Daniel Stach at the GÉANT Security Days 2024 in Prague
@UP8@mastodon.social
2024-03-08 20:32:29

🎯 WhatsApp finally forces Pegasus spyware maker to share its secret code
#spyware

@geant@mstdn.social
2024-04-08 15:15:46

Keeping control is one of the main challenges of using the #cloud as a secure service environment.
Join the workshop organised by GÉANT & EUNIS on 26 April to hear about cloud management and #security challenges faced by the

@mikemathia@ioc.exchange
2024-04-25 09:31:16

#Security

@nohillside@smnn.ch
2024-04-02 08:00:36

Details matter! Clifford Stoll identified a KGB attacker by looking at an accounting error of 75 cents, @… found a well-planned ssh attack by investigating unexpected CPU spikes.
#security

@tezoatlipoca@mas.to
2024-05-06 16:01:45

I'm still doing some debugging of some #CSP #Content #Security #policy

@grumpybozo@toad.social
2024-04-17 20:14:32

The National Cancer Institute really needs to do better…
I’m in a study ("Connect") which has a website for paperwork & they obviously require login: take in an email or phone # and send it a link to a page which requires the user to re-enter whatever the original identity was. Look, no password!
But it requires passing messages over your pick of the 2 least secure comm channels for #security

@marcel@waldvogel.family
2024-04-23 05:14:33

Don't trust any random file, just because it lies in a trustworthy #Github project. Because essentially anyone can create files under any project space.
#SecurityWarning

@tinoeberl@mastodon.online
2024-04-06 20:24:09

Have you all switched your #Passwörter to "Mb2.r5oHf-0t" yet? 🤨
#CCC #Security #Passwortsicherheit

@whophd@ioc.exchange
2024-02-28 04:16:38

Let’s hope this #security-conscious *choice* in the Kia EV9 is the start of a trend. They didn’t have to give us this. In a real button, no less — you can connect or disconnect the data from your phone while #USB-charging it in your car. From MKBHD

A photo of a YouTuber’s finger pointing at a button on the new Kia EV9 that shows two modes next to a USB port.  The symbols indicate two choices:  Battery only, or battery with USB data.
@ErikJonker@mastodon.social
2024-03-25 08:25:33

Autofix on github, logical use of GPT4 in coding.
techcrunch.com/2024/03/20/gith

@nohillside@smnn.ch
2024-05-01 11:23:43

Can we talk about the fact that all these "we recognise you by your voice" hotlines are a security risk?
#security #voiceidentifikation #identity

@bird@birdbox.party
2024-02-14 15:00:26

Looks like #mastodon has another #security update, 4.2.6. Will be doing this update shortly. #MastoAdmin

@erikdelareguera@mastodon.nu
2024-04-14 20:06:09

The UN Security Council is currently holding an emergency meeting on the situation in the Middle East, at Israel's request. The meeting can be watched live here. #UnitedNations #SecurityCouncil

@geant@mstdn.social
2024-03-01 12:36:03

The full programme of the GÉANT #Security Days is live!
On 11 April, Daniel Stach, journalist, presenter, science communicator, #CzechTV #CT24, will deliver the closing keynote "Lies are (not!) everywhe…

@michabbb@social.vivaldi.net
2024-04-02 13:26:37

The #GPT4 #Security Checklist Generator is an #AI powered #tool that automatically generates security …

@frankel@mastodon.top
2024-04-01 17:30:00

#AI hallucinates software packages and devs download them – even if potentially poisoned with malware #security #infosec #supplychainsecurity

@geant@mstdn.social
2024-02-29 09:03:33

The full programme of the GÉANT #Security Days is live!
On 10 April, Prof. Roland van Rijswijk-Deij @… will deliver the opening keynote "Moving the Goal to Post #Quantum

@castarco@hachyderm.io
2024-02-17 21:45:02

I know that #macOS and #iOS are entirely different cases, but it is interesting to see what's going on with macOS to understand #Apple's position on

@florke64@mastodon.social
2024-02-28 20:04:31

Is signing ELF executables some sort of taboo topic? #linux
oH you Have FrEEdom, opENsource, tkintering blah blah blah
Yeah, like, seriously? "Freedom to remix software" is a perfect argument for not having proper modules in the kernel - actually, at all.
Change my mind ✒️
#security

@nohillside@smnn.ch
2024-03-26 15:17:51

Once again, a reminder: despite all its self-promotion, #Telegram isn't big on #Security.

@publicvoit@graz.social
2024-03-31 08:34:14

#fefe is starting a survey by e-mail in which people, with or without deeper knowledge of #LLM #AI, are asked to say where they believe this technology will bring something positive for IT

The #Department of #Homeland #Security is becoming the first federal agency to embrace #AI technology with a plan to incorporate generative A.I. mod…

@lepire@social.linux.pizza
2024-03-21 19:50:18

Out of the loop: what are passkeys and how are they different and/or similar to passwords? What desirable properties do they have? TIA!
#security #auth

@geant@mstdn.social
2024-04-22 08:22:18

Information sharing is a normal part of human interaction, but it's a part of us that can be manipulated and used to gain access to resources or locations by bad actors.
This is known as #SocialEngineering.
How would a room full of #security professionals behave when we invite t…

GÉANT Security Days.

Securing Tomorrow's knowledge.

Prague, 9-11 April 2024
@mgorny@social.treehouse.systems
2024-03-30 06:51:26

I suppose everyone and their grandmother is now using the xz/sshd exploit to further their own agenda, so I am going to take this opportunity to further mine as well.
1. #Autotools are a bad build system. If configure scripts are completely unreadable, there should be no surprise that people won't notice obfuscated malicious code in there, provided that everything else is obfuscated by design.
2. Static linking and vendoring are bad. Do you know why the prompt #security response was possible? Because we just had to revert to older liblzma. We didn't have to check, patch and re-release hundreds of projects. It wouldn't be this easy with #RustLang and cargo.
3. You can blame #OpenSource for being underfunded and open to abuse in core system packages. However, no IT project can be resilient to a sufficiently powerful bad actor, and that it happened to xz is just an incident. Corporate projects aren't resilient to it, neither is proprietary, closed-source software.
So, embrace #Meson, embrace dynamic linking, embrace distribution packaging and donate to open source developers.
#Gentoo

@mgorny@social.treehouse.systems
2024-04-24 03:07:32

Isn't it terrifying that Polish government agency workers are telling people how to find stuff on their website via third-party search engines (and it's already an improvement that they are talking of "search engines" or asking people to input search terms in the address bar, rather than talking of #Google specifically), rather than giving them the website URL and having them use the internal search engine? It's a huge #security threat, that's just waiting for someone to #SEO malicious results in there.
#Poland

@mgorny@social.treehouse.systems
2024-02-21 04:39:43

Isn't #Python / #RustLang doing great?
Remember back when #Cryptography was rewritten in Rust, to improve security? Guess what, against all premises, they still get vulnerabilities. They get *segfaults* (i.e. literally the thing that the Rust rewrite was supposed to address).
What's even better? Because of the PyO3 bug, PowerPC users still can't upgrade to a non-vulnerable version. And they won't be able to, until a new #PyO3 version is released, setuptools-rust is updated and released, and cryptography is updated and released. Great design, isn't it?!
[EDIT: just to be clear, the segfault is in FFI, not Rust code, but PyO3 is blocking the fix.]
#Gentoo #security

@mgorny@social.treehouse.systems
2024-04-14 07:21:20

One more thing about the xz/sshd backdoor, and the earlier sale of "Simple Mobile Tools".
A long time ago, I was told an important rule of #security in IT: when threatened with violence, yield. The life and health of you and your family is more important than any #OpenSource project you may be working on. A lot of people will blame you, but the ones who matter will understand.
But what if it's the carrot and not the stick that you're getting? What if you're being offered money to "betray" your project? Should you resist, or can you yield?
Then, isn't there a stick to be expected at the other end? Won't it come upon you if you rejected the carrot? Isn't money merely the "civilized" way of washing your hands from the implied threat of violence?
Even more, what if you really need that money? What if you barely make ends meet, and rejecting the carrot becomes a stick in itself?
Well, I'm not saying that it's likely that I'll ever be in that situation with #Gentoo (as in having money offered; having no income I know too well), but I really wouldn't know what to do. And I'd understand anyone who accepted that money.
The bottom line is: if people treat #FreeSoftware developers as a free exploitable workforce, people shouldn't be surprised when the projects they rely on are sold or backdoored.