
Piero Bosio Personal Social Web Site (Fediverse)

Social forum federated with the rest of the world. Instances don't matter, people do.
  • 0 Votes · 1 Posts · 5 Views
    Friends, at the end of a horrible year, please let's talk about something *nice*.
    My EUR 0.02: You Have Installed OpenBSD. Now For The Daily Tasks. https://nxdomain.no/~peter/openbsd_installed_now_for_the_daily_tasks.html (tracked https://bsdly.blogspot.com/2024/09/you-have-installed-openbsd-now-for.html)
    Bonus track: Yes, The Book of PF, 4th Edition Is Coming Soon https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (tracked https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html)
    #freesoftware #openbsd #freebsd #bookofpf #networking #security #deveops #development #sysadmin @nostarch
  • 0 Votes · 1 Posts · 3 Views
    The #Rowhammer talk at #CCC is basically a tradition at this point. So obviously it has returned to #39C3 and if I understood it right their conclusion was that 12.5% of RAMs (that they tested) are vulnerable to automated #Rowhammer attacks. Ouch!
    #CCC #hacking #security
  • 0 Votes · 1 Posts · 7 Views
    The "Bluetooth Headphone Jacking" talk at #39c3 was awesome, too. They reversed a popular SOC that powers Bluetooth earbuds and headphones. They found that (even without being paired to the headphone), they could dump flash and RAM from the device. Then they dumped a bunch of info from the device - e.g. the #Bluetooth address and "master" encryption keys used for the communication with paired devices (e.g. a #phone).
    Then they impersonated the headphone from their laptop and connected to the phone (pretending to be the headphone). The headphone (or the laptop impersonating the phone) has permissions to do some things on the phone, e.g. accept calls, increase/decrease volume, etc.
    Then they started recovering access to a #WhatsApp account via some account recovery mechanisms. That required some one-time security key which would normally be delivered via SMS, but that could be delivered via phone call as a fallback option, too. Since the phone thought it was connected to the Bluetooth headphone, phone call audio would go to the laptop via Bluetooth.
    As the cherry on top, they escalated into the victim's #Amazon account.
    Scary shit. #YouCannotBeParanoidEnough #security
  • 0 Votes · 1 Posts · 12 Views
    Amazon Catches North Korean IT Worker by Tracking Tiny 110ms Keystroke Delays
    A slight delay in keystrokes from a supposed U.S.-based IT worker alerted Amazon to a North Korean infiltrator accessing a corporate laptop. Latency analysis, behavioral monitoring, and traffic forensics aren’t just for threat hunters—they’re frontline defenses against nation-state grifters.
    #amazon #northkorea #security #cybersecurity #hackers #hacking
    https://cybersecuritynews.com/amazon-catches-north-korean-it-worker/
  • 0 Votes · 1 Posts · 8 Views
    Escaping Containment: A Security Analysis of FreeBSD Jails
    16:15 GMT, UCT, UTC Saturday 2025-12-27
    https://events.ccc.de/congress/2025/hub/en/event/detail/escaping-containment-a-security-analysis-of-freebsd-jails
    @CCC #FreeBSD #security #jails #ccc
  • 0 Votes · 3 Posts · 21 Views
    Security update: Hollo 0.6.19 released
    We have released Hollo 0.6.19, which addresses a security vulnerability in Fedify's HTML parsing code. This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue: an attacker can cause a service outage by sending specially crafted HTML responses during federation operations. The malicious payload is small (about 170 bytes) but can block the Node.js event loop for a long time. We strongly recommend that all Hollo operators upgrade to version 0.6.19 immediately.
    CVE: CVE-2025-68475
    Severity: High (CVSS 7.5)
    Action: Upgrade to Hollo 0.6.19
    #Hollo #セキュリティ #fediverse #ActivityPub
  • 1 Votes · 1 Posts · 7 Views
    🚨 Security Advisory: CVE-2025-68475
    A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify's HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.
    CVE ID: CVE-2025-68475
    Severity: High (CVSS 7.5)
    Affected versions: ≤1.9.1
    Patched versions: 1.6.13, 1.7.14, 1.8.15, 1.9.2
    If you're running Fedify in production, please upgrade to one of the patched versions immediately. For full details, see the security advisory: https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93
    Thank you to Yue (Knox) Liu for responsibly reporting this vulnerability.
    #Fedify #ActivityPub #security #fediverse #fedidev
  • 0 Votes · 5 Posts · 9 Views
    Dude had my phone number, my name, sounded really nice and everything. Spoke professionally, no crackly audio from being in a cheap data center, nothing.
    But also - since when does Google call you? And over trying to add a recovery address? The email itself says "if this doesn't look familiar just ignore it."
    Scary stuff.
  • 0 Votes · 1 Posts · 9 Views
    The German #BSI has made 2025 the Year of #Email #Security. Great initiative - and great rating for Tuta ❤️ - your secure email provider from Germany. 🇩🇪
    https://www.bsi.bund.de/DE/Themen/Kampagne-einfach-absichern/EMSJ/Eckpunkte_EMSJ/Eckpunkte-EMSJ.html
  • 0 Votes · 1 Posts · 7 Views
    Calyx Institute is hiring an Android BSP engineer. $80-90k full-time salaried. Act fast! Application deadline is 5PM EST Wed December 10, 2025. Start date February 2026.
    (I have no connection to the hiring manager, just passing along the opening)
    https://job-boards.greenhouse.io/calyxinstitute/jobs/4934856007
    #calyx #calyxos #android #foss #hiring #getfedihired #privacy #security
  • 0 Votes · 1 Posts · 6 Views
    We’re Doubling Down on #DigitalRights. You Can, Too.
    Technology can uplift #democracy, or it can be an #authoritarian weapon. @eff is making sure it stays on the side of #freedom. We’re defending #encryption, exposing abusive #surveillance tech, fighting government overreach, and standing up for free expression. But we need your help to protect digital #rights —and right now, your #donation will be matched dollar-for-dollar.
    #privacy #security
    https://www.eff.org/deeplinks/2025/11/power-your-donation-week
  • 0 Votes · 1 Posts · 11 Views
    Your offensive-security library, ready to go. 18 DRM-free books. $700+ value. Pay what you want (as little as $36). Includes Black Hat Bash, Serious Cryptography, Practical Malware Analysis, and more. Support the @eff and level up your lab. Link in bio.
    https://www.humblebundle.com/books/hacking-no-starch-books
    #hacking #books #offensive #security
  • 0 Votes · 1 Posts · 7 Views
    Oh, this is so f***ing gold. This post is a juice concentrate of the many reasons why Matrix sucks:
    https://yaky.dev/2025-11-30-self-hosting-matrix/
    Among others:
    "Users cannot be deleted. This is simply not an option in the API. Server admin can perform a "deactivate" (disable login) and "erase" (remove related data, which claims to be GDPR-compliant) on user accounts, but the accounts themselves stay on the server forever."
    LOL.
    Here is my take on why you should trash Matrix and use XMPP, or at least Signal instead:
    https://gagliardoni.net/#im_battle_2025
    #im #matrix #jabber #xmpp #signal #privacy #security #enshittification #cypherpunk
  • 0 Votes · 1 Posts · 10 Views
    FreeBSD Now Builds Reproducibly and Without Root Privilege
    We’re pleased to share that the FreeBSD Project now supports builds without requiring root privileges, removing elevated access from the release pipeline and improving overall security. This work was completed as part of a program commissioned by the Sovereign Tech Agency.
    Read more: https://freebsdfoundation.org/blog/freebsd-now-builds-reproducibly-and-without-root-privilege/
    #FreeBSD #ReproducibleBuilds #OpenSource #Security
  • 0 Votes · 1 Posts · 7 Views
    Yet another #security related job opening at my employer, #GitLab. Apply if interested, and if we know each other let me know and I can pass on a recommendation.
    https://job-boards.greenhouse.io/gitlab/jobs/8295708002
    #infosec #AllRemote
  • 0 Votes · 1 Posts · 15 Views
    GrapheneOS migrates server infrastructure from France amid police intimidation claims
    https://www.privacyguides.org/news/2025/11/22/grapheneos-migrates-server-infrastructure-from-france-amid-police-intimidation-claims/
    #Privacy #Security #News #PrivacyGuides
  • 0 Votes · 1 Posts · 12 Views
    Moving Beyond the NPM elliptic Package
    If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules.
    Why replace the elliptic package? Yesterday, the Trail of Bits blog published a post about finding cryptographic bugs in the elliptic library (a Javascript package on NPM) by using the Wycheproof.
    http://soatok.blog/2025/11/19/moving-beyond-the-npm-elliptic-package/
    #npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages
  • 0 Votes · 1 Posts · 10 Views
    What do you think of using Google in your life?
    I use a Google Pixel 7 Pro at the moment, but I use GrapheneOS instead of OEM, and I think it is the best Android line of phones I have used so far. Their bootloader is lockable after installing custom operating systems which is much better than all other offers at the moment. The build quality, battery and design of the phone is solid as well. This phone has a lot of merits going for it which other Android phones are not replicating for the sake of a false sense of "security" or profits. I will appreciate Google for giving me a great phone to install GrapheneOS on, alongside Android for being a secure base for an operating system.
    I appreciate the Chromium browser more than other browsers in the market. While Google Chrome is junk regarding user privacy, as well as shoving AI in your face, Chromium itself is actually pretty solid. It is also the most secure option, offering a malloc() implementation better than Firefox's mozmalloc, although not as secure as hardened_malloc, by GrapheneOS. Firefox is also implementing AI features into their browser, which leaves a bad taste in my mouth. MV2 is deprecated, sure, but you win more than you lose in security, as a lot of API features were exploitable. Chromium does a lot of good things, while Chrome gives the base itself a lot of bad blood. I would like to see what Servo can do, but I appreciate Google for making a secure browser.
    I generally despise a lot of what Google offers, however. I feel like they lean heavily on the deception of convenience, where Google gives really good results while it uses your data for the sake of advertising. This applies with the Google Suite (Mail, Office, and Drive among others) as well. I would much rather use FOSS or nonprofit alternatives, such as Tutanota, or LibreOffice. Google is essentially the serpent from The Book of Genesis, selling you the benefit of their convenience for the sake of having your data stolen for their use. As such, I will choose not to follow Google's convenience promise for my security.
    Feel free to leave your opinions, and why I should consider other avenues rather than accepting a bit of Google in my life. As much as I love privacy, your privacy can't be guaranteed if there is no good security. Google may be known for piss-poor privacy, but their open source projects have a lot of security merits as well as good privacy. Do not use this as advice, but make your own conclusion.
    #google #privacy #security #grapheneos #chromium #technology #FOSS
  • 0 Votes · 1 Posts · 10 Views
    Have a nest thermostat that was killed by Google? This will interest you.
    https://youtu.be/jC5wcJM8iuU?si=Kimq6KqcH2ETgW3Q
    #Google #Nest #fulu #LouisRossmann #Privacy #Security
  • 0 Votes · 1 Posts · 7 Views
    🧱 First real sandboxing arrives on #NetBSD!
    A GSoC 2025 project brings Linux-style namespaces (UTS + mount) to the kernel, paving the way for real isolation.
    https://blog.netbsd.org/tnf/entry/gsoc2025_bubblewrap_sandboxing
    #Bubblewrap #BSD #Security

The last eight messages received from the Federation
Suggested posts