Tootfinder

«Security: This library has not undergone any third-party security audit. Usage is at own risk.»
If something like this is written on a code library, the confidence in your security is much higher than if commercial blenders want to advertise absolute IT security and there are the safest — especially when the commercial goals still list ratings in this way.
#security

Some more #UEFI entertainment, I'm just waiting for it. 😹
Seriously though, #firmware #security has become such a problem because many vendors just can't even get updates right, still disco…

Windows and Linux users: The deadline to update Secure Boot keys is near
What you need to know about the expiration of keys securing your machine's boot sequence.

After reading about today's #Github #security incident, exposing thousands of internal repositories, I'd like to remind you of:
Read That Before You Trust Anything by #Microsoft Once Again

I'm going to deviate a bit from my normal audience and focus in on #tech (especially #Security folks). I came across the practice from public health and emergency management and brought it into work. They seemed to have never heard of it. I'm curious how common my experience is. (Please boost for visibility)
Have you ever used table top exercises in your work (such as, to verify a runbook would work as expected)?
Yes, and I work in tech
No, and I work in tech
Yes, and I don't work in tech
No, and I don't work in tech

The way #qemu handles #security bugs is changing. Routing the recent tsunami of reports through an overworked email alias has become untenable so we are switching to using our main issue tracker. More people can help with the triage but that does affect expectations of secrecy. See the updates on the …

Legislation cares a lot about information #security these days. When do we laws that keep companies from tainting security's public reputation by demonstrably abusing it for their own commercial interest against the interests of consumers?
Just one example: Bank uses proprietary hardware over #WebAuthn

#OpenSource #security at Astral
https://astral.sh/blog/open-source-security-at-astral…

Oh wow. I guess it's "lazy and smart" in a way (and only gives you three attempts at loading, then 401)
#security

The state of #security these days: #Python #virtualenv package now includes SHA256 sums of their bundled wheels, declaring that it protects against "supply-chain compromise". Because obviously there are so many attack vectors that permit you to alter a .whl file but not the .py file in the same directory.
No, I'm not saying verifying checksum makes no sense, because indeed it can save some pain if fs is damaged somehow. However, calling this a "security" feature is a misnomer at best, and openly giving people false sense of security at worst.

#Webmention for Craft v1.3.0 is out 🎉 – first in a short series of #security releases. 🔒
Fixes a stored XSS vulnerability in author/entry URLs, adds per-IP rate limits, and failure-backoff to harden the public endpoint against abuse.
Upgrade recommended!

Release v1.3.0 — Security & abuse hardening release · matthiasott/webmention
🔒 Security Fixed a stored XSS vulnerability in author and entry URLs displayed in the control panel and front-end Webmention templates. The plugin now validates URL schemes (only http(s): allowed)...

OK. With Bitwarden acting every bit the American company it is, are there any drop-in replacements out there? Preferably standalone rather than part of a package. #security #passwordmanager

0 days since provenance checks protected us from [checks notes] another project starting to upload distributions via #uv.
#Python #security

> Linux users: here is the tool enhancing the security of your system. It's written in Rust so it is super secure. It isolates your container via VM. So super secure.
> Also Linux users: install it via brew or dnf copr
#kvmrun #linux

In about 15 minutes we'll be kicking off the #DNSSEC & #Security Workshop at #ICANN86 in Seville, Spain. I'll be moderating the session with some great topics!
If you are onsite, we…

📷 #SecurityDays 2026, captured!
The official photos are now online! So whether you want to spot yourself mid-workshop, share a favorite keynote moment, or relive the energy of three days in Utrecht, we've got you covered.
🔗 Browse the photo gallery:

On the #security issue with #AI detectors
For proper vuln research and disclosure, you need 3 parts:
1. a valid exploit, provable
2. an explanation of how it works
3. a solution to fix it and roll out an upgrade
Often enough, when the first part is done, people are like "…

It's always important to have a consistent #security policy.
For example, a policy of "If somebody filed a CVE, it's an important security issue, and we will fix it as such, no matter how meaningless the fix is. If nobody did, it's just a glorified bug fix, no matter how serious the bug was."
So we've just seen a #pip security release over "installing random packages can overwrite pip's files and pip can lazy-import some of them immediately afterwards", with a fix of "pip will no longer load them until you run it again" (leaving the underlying security issue of "any #Python package can override files installed by any other Python package" as intended behavior). As Eli Schwartz beautifully put it, you are not expected to be using the virtual environment; you should create it, install packages into it (at most once!), and then frame it and put it on the wall to admire.
Now we're seeing a "bug fix" for "malicious entry point names can write outside of virtual environment". If nobody filed a CVE, it's obviously not a security issue at all. At least upstream graced us with fixing it without correcting the spec to forbid that first.
https://github.com/pypa/pip/issues/14000

Please help with testing a new
#Thunderbird #Security feature: Unobtrusive Signatures, a novel mechanism for digitally signing email, currently implemented for #OpenPGP.
It avoids the u…

Wenn Politiker auf die billigste Phishing-Attacke reinfallen, was ist dann die Gegenmaßnahme? #Phishing #Politik #Security

Parlamentarier fordern Gegenmaßnahmen nach Signal-Attacke
Über den Messengerdienst Signal haben Angreifer Zugriff auf die Kommunikation hochrangiger Politiker bekommen. Die Bundesregierung vermutet Russland dahinter. Parlamentarier sind alarmiert und fordern Gegenmaßnahmen.

I understand #security is important and all, but getting logged out from #Teams and email frequently because MS thinks the auth cookie needs to be renewed is mighty irritating to say the least. To say more, I swear loudly every time I have to login again. Just fucking let me be.

The final keynote highlight from the GÉANT #SecurityDays 2026 this April.
Alexandre Dulaunoy, Head of CIRCL, Luxembourg's national CSIRT — on how 15 years of open-source security development has shown that sharing code, knowledge and intelligence builds networks of trust between defenders.
If you haven't got your ticket yet, this week is your last chance. Secure your place …

Everyone loves jeering at vibecoded #GitHub being down all the time. Yet for some reason people still neglect to question making #Microsoft the primary guarantor of their software's supply chain #security. And the whole attestation nonsense that doesn't really protect against the most likely attack vectors.

Fun post pointed out by Werner Koch on the GPG "post-quantum defaults" thread:
#cryptography #QuantumCryptography #security

The GÉANT #SecurityDays 2026 programme is live and we're highlighting the keynotes you won't want to miss.
First up is Frank Rieger!
Hacker, author and internet activist — on how agentic LLMs are changing the IT security landscape, and why mastering the fundamentals of network control matters more than ever.
Learn more & secure your place 👉

Absolutely fascinating on the philosophy, past, present and future of nuclear deterrence in Europe.
Much I had not previously thought about.
Also, brilliant name for a podcast on European security
#MildlyAlarmed #Deterrence #Russia #EU #security #nuclear
Mildly Alarmed: Inside Europe's debate about nukes
Episode webpage: https://podcasters.spotify.com/pod/show/mildly-alarmed/episodes/Inside-Europes-debate-about-nukes-e3joh7h
Media file: https://anchor.fm/s/111aff124/podcast/play/120390321/https://d3ctxlq1ktw2nl.cloudfront.net/staging/2026-4-22/424693918-44100-2-d995403c2e093.mp3

Another keynote not to miss at the GÉANT #SecurityDays 2026 this April.
Nancy Beers, seasoned gamification expert and owner of Sanne Cyber and Happy Game Changers — on why playfulness is a scientifically-backed tool for security innovation, learning, and flexibility.
Check the full programme 👉

Macht Microsoft WireGuard kaputt? #vpn #wireguard #security #windows

WireGuard, Microsoft und die Signatur-Frage: Ein Sturm im Wasserglas?
Nach VeraCrypt hat jetzt auch WireGuard Probleme mit Microsoft, wenn es um die Signatur-Frage geht. Wir klären die aktuelle Sachlage auf.

Another keynote not to miss at the GÉANT #SecurityDays 2026 this April.
Valerie Aurora, open-source software engineer and co-founder of the Amsterdam Internet Resiliency Club — on why internet connectivity in Europe is more fragile than we think, and how communities can prepare together.
Secure your place 👉

#Python #cryptography library (yes, the one that criticizes everything and everyone) is now vibecoded. Our future is truly bright!
Noticed because apparently "Claude" wrote a test that OOM-ed my system. But hey, #RustLang protects against memory errors, so it's fine to vibecode your security critical components.
#security #AI #LLM #NoAI #NoLLM

So you read about #CopyFail, and are like… owww, shit. But then you see that it was responsibly disclosed after being fixed in main, we had releases since, they went stable in #Gentoo (over other #security fixes), so we should be good, right?
Except that it turns out that after it has been fixed in mainline, nobody bothered actually backporting the fix to all the LTS branches. And it doesn't apply cleanly (#Gentoo #Linux

Tech companies seem to be running a cycle:
1. They don't realize how much they're relying on volunteer-maintained projects.
2. Something bad happens and they suddenly decide they need to support this critical infrastructure, often by hiring some people behind it and making its maintenance part of their dayjob.
3. They realize they could save money by exploiting volunteers to maintain these #OpenSource projects. They lay workers off or move them to other projects.
4. Go to 1.
Except now they're trying to replace workers with slop machines, deskill everyone and basically they're not only poisoning the well, but killing the whole water cycle. And they're realizing that they just gave the bad people a tool that can quickly find just how vulnerable their critical infrastructure is.
Really appreciate the long-term thinking there.
#FreeSoftware #FLOSS #TechBros #AI #LLM #NoAI #NoLLM #Linux #security

Greg Kroah-Hartman: "If you look there are thousands of unfixed CVEs in the older LTS kernels right now, and if distros or users that rely on those older branches wish to see those resolved, they need to provide working backports to us to apply, as our first attempt did not work (which is why they are unfixed in those branches.)"
Really asking for a "Pray tell us", given that nobody actually bothered disclosing the problem to downstreams and that the commit message was hiding it.
Either way, apparently the great LLM-backed patch backporting process that #NVidia is so proud of doesn't really work. Upstream doesn't really care about #LTS branches, and they should be considered insecure by default.
#Gentoo #Linux #CopyFail #security