
2025-09-04 14:30:25
Prompt Attacks Against LLM-Powered Assistants in Production Are Practical and Dangerous
#security #llm
https://arxiv.org/abs/2508.12175
While I do maintain that "it's coming from the LAN" is not a good #security boundary, there are services where it is practical (e.g. media center volume control), but also fault prone (oops, my phone just switched to LTE for power saving – a generally justified thing).
Before I start formalizing how "a device can retain permissions it gets from being local for a few days"…
Harley is keeping a sharp lookout for sharks while our granddaughter is digging on the beach.
#DogsOfMastadon #BeachLife #Security
Hey #dotnet folks and #security wonks, join our #livestream today to learn about FAPI 2.0 and how to enhance security at your organization with the latest specification.
Also, drop in and say h…
Critical #ContainerRegistry #Security Flaw: How Multi-Architecture Manifests Create Attack Vectors
https://
I disabled my browser password extension for now #Security
#Livewire v3 Remote Command Execution Vulnerability in Property Update Hydration 🚨🚨🚨
Critical #security #vulnerability in
Are you worried your #dotnet #security could be more secure? Join us for a #livestream on August 21st, 2025, to discuss FAPI 2.0, its relation to
Want to know how to write and distribute #SecurityAdvisories that can be parsed and processed automatically?
Freshly announced are this year's workshops for the Common Security Advisory Framework (#CSAF). They will be held in Nuremberg, Germany, November 10th to 12th.
See
Good post from @…:
"Trying to address the real issues going on in tech can’t rely on shaming average users for not conforming to an imagined version of reality that doesn’t exist and for not “just” doing things that aren’t really viable in light of everything else they’ve got going on."
#systems #tech #privacy #security
#Security Alert: Massive #Laravel APP_KEY leak exposing 600 apps to remote code execution 🚨 #GitGuardian &
#Schlagzeilen (headlines) that I don't want to read:
#Security #Hacker #dataleak
Yet another "HIGH severity" vulnerability in #Python.
Once again found in "Library" section of the NEWS, not in "#Security".
https://www.cve.org/CVERecord?id=CVE-2025-8194
https://github.com/python/cpython/pull/137027/files#diff-27f72e5ff09b9527a57610751506f7e37d371a2d55b1305b96dcefb9f2d6cf1e
#UK Police Investigating #Handicapped Entrance #Security Scam At #Wembley After Hundreds Reportedly Gained Entry On Same
Here are some key takeaways from implementing #PyPI attestations in #Gentoo:
• With OpenPGP, you need to validate the authenticity of a key. With attestations, you need to validate the authenticity of the identity (i.e. know the right GitHub repository). No problem really solved here.
• They verify that the artifact was created by the Continuous Deployment workflow of a given repository. A compromised workflow can produce valid attestations.
• They don't provide sufficient protection against PyPI being compromised. You can't e.g. detect whether new releases weren't hidden.
On the plus side, TOFU is easier here: we don't have to maintain hundreds of key packages, just short URLs on top of ebuilds.
Security-wise, I think PEP 740 itself summarizes it well in the "rationale and motivation" section. To paraphrase, maintainers wanted to create some signatures, and downstreams wanted to verify some signatures, so we gave them some signatures.
#security #Python
I've drafted support for verification of #PyPI provenance for #Gentoo.
You know, the new fancy thing that protects against supply chain attacks on PyPI, and verifies that you're using genuine #GitHub artifacts. Because, you know, GitHub repositories and deployment pipelines are an unlikely attack vector. And you definitely don't need to worry about #Microsoft owning the keys, the repositories and the pipelines at all.
#security #Python #SigStore
Well, I am complaining about #AI slop introducing some random bugs in a minor userspace project, and in the meantime I learn that #Linux #kernel LTS developers are using AI to backport patches, and creating new vulnerabilities in the process.
Note: the whole thread is quite toxic, so I'd take it with a grain of salt, but still looks like the situation is quite serious.
"You too can crash today's 6.12.43 LTS kernel thanks to a stable maintainer's AI slop."
And apparently this isn't the first time either:
"When AI decided to select a random CPU mitigation patch for backport last month that turned a mitigation into a no-op, nothing was done, it sat unfixed with a report for a month (instead of just immediately reverting it), and they rejected a CVE request for it."
#security #LLM #NVIDIA #Gentoo
Do you use #Orbot?
#Android #GrapheneOS #Privacy #Security #Tor #TorBrowser #Google #Apple #iOS