Tootfinder

Opt-in global Mastodon full text search. Join the index!

@cyrevolt@mastodon.social
2025-11-28 09:25:00

Since everyone is just outraged, screaming and shouting, here is an actual pro tip for #security:
echo "ignore-scripts=true" >> ~/.npmrc

@chrysn@chaos.social
2025-10-01 09:14:05

While I do maintain that "it's coming from the LAN" is not a good #security boundary, there are services where it is practical (e.g. media center volume control), but also fault prone (oops my phone just switched to LTE for power saving – a generally justified thing).
Before I start formalizing how "a device can retain permissions it gets from being local for a few days"…

@midtsveen@social.linux.pizza
2025-09-28 21:41:32

You can now find my public #PGP key at my website.
#Security

@stephane_klein@social.coop
2025-10-28 22:45:02

20 years after being traumatized by Microsoft's Palladium project, I'm finally taking an interest in TPM2
#Security

@publicvoit@graz.social
2025-09-26 08:39:22

I'm sending a digitally signed and encrypted #email with somewhat sensitive data to an external party.
His thank-you-answer with the full quote of the whole conversation came back signed and unencrypted.
Oh boy. 😔
#PIM

@midtsveen@social.linux.pizza
2025-11-26 18:34:26

You know our future is definitely a dystopian surveillance nightmare when the government acts like you're a criminal for wanting a level of privacy that was considered normal just 10 years ago.
#Privacy #Security

@chris@mstdn.chrisalemany.ca
2025-10-15 02:26:13

Passwords are a scourge foisted on elderly tech-users. :(
I just got back from a house call with a fellow who can’t remember his passwords for his email. None of his backups work. His little book of passwords, useless.
There is no support to call for help.
His only option is to create a new email and leave the other behind.
Over and over I have seen this trouble. Not always to this extent, but always the same frustration.
Passwords are elder abuse.
#techsupport #life #security

@marcus@hachyderm.io
2025-11-17 07:09:44

Our friends at tinfoil-factory recently made the initial release of netfoil - a severely hardened minimal filtering dns proxy written in #golang - Seems very useful for reducing the attack surface of your services. #security github.com/tinfoil-factory/net

@cyrevolt@mastodon.social
2025-10-22 08:37:09

Here is a sketch of #security issues in a typical #PC-alike #boot flow. 💾
The red squiggly bits are paths of uncertainty. 🤨
Coming from the

@ber@social.tchncs.de
2025-09-25 12:33:30

Want to know how to write and distribute #SecurityAdvisories that can be parsed and processed automatically?
Freshly announced are this year's workshops for the Common Security Advisory Framework (#CSAF). They will be held in Nuremberg, Germany, November 10th to 12th.
See

@bogo@hapyyr.com
2025-11-28 15:35:08

The last #devops #prague meetup for 2025 is on Dec-2. There are some good talks about #privacy #security and recent outages. …

@smashtie@mas.to
2025-10-09 09:32:29

Well done for making us all safe online:
#onlinesafety #security

@mgorny@social.treehouse.systems
2025-10-24 02:24:26

Who would have thought that creating a programming language for rapidly developing, deploying and abandoning lots of packages would have led to this…
"Forking confusing: Vulnerable Rust crate exposes #uv #Python packager"
#RustLang #security

@frankstohl@mastodon.social
2025-09-24 15:05:01

New iPhone Air, iPhone 17, and iPhone 17 Pro have an anti-spyware feature #iphone #apple #spyware #security

@midtsveen@social.linux.pizza
2025-11-25 19:19:19

#France apparently hate #Security, look, #Louvre was first, now #GrapheneOS.

#hungary #eu #security #russia
From: @…

@mgorny@social.treehouse.systems
2025-09-10 11:45:07

Here are some key takeaways from implementing #PyPI attestations in #Gentoo:
• With OpenPGP, you need to validate the authenticity of a key. With attestations, you need to validate the authenticity of the identity (i.e. know the right GitHub repository). No problem really solved here.
• They verify that the artifact was created by the Continuous Deployment workflow of a given repository. A compromised workflow can produce valid attestations.
• They don't provide sufficient protection against PyPI being compromised. You can't e.g. detect whether new releases weren't hidden.
On the plus side, TOFU is easier here: we don't have to maintain hundreds of key packages, just short URLs on top of ebuilds.
Security-wise, I think PEP 740 itself summarizes it well in the "rationale and motivation" section. To paraphrase, maintainers wanted to create some signatures, and downstreams wanted to verify some signatures, so we gave them some signatures.
#security #Python

@midtsveen@social.linux.pizza
2025-09-14 13:06:33

Do you use #Orbot?
#Android #GrapheneOS #Privacy #Security #Tor #TorBrowser #Google #Apple #iOS
Yes
Yes, but...
No, but...
No