soc.octade.net is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
How I Almost Got Hacked By A 'Job Interview' https://lobste.rs/s/zfelwy #practices #security
https://blog.daviddodda.com/how-i-almost-got-hacked-by-a-job-interview
#Trump ordered an end to #diplomatic talks w/ the #Maduro govt this month as he grew frustrated w/ #Venezuela’s leader’s failure to accede to #US demands to give up #power & continued insistence that they had no part in #DrugTrafficking.
The #CIA has long had authority to work w/govts in Latin America on #security & #intelligence. That has allowed the agency to work w/Mexican ofcls to target drug cartels. But those authorizations do not allow the agency to carry out direct #lethal ops.
What’s your go-to strategy for giving engineers access to production? https://lobste.rs/s/heikad #ask #security
I Cheated At Poker By Hacking A Casino Card Shuffling Machine https://lobste.rs/s/lilw2w #video #security
https://youtu.be/JQ20ilE5DtA
F5 Says Nation-State Hackers Stole Source Code and Vulnerability Data https://lobste.rs/s/8pbyxc #security
https://www.securityweek.com/f5-blames-nation-state-hackers-for-theft-of-source-code-and-vulnerability-data/amp/
Pwning the Entire Nix Ecosystem https://lobste.rs/s/gmjcf0 #nix #security
https://ptrpa.ws/nixpkgs-actions-abuse
Don't Look Up: There Are Sensitive Internal Links in the Clear on GEO Satellites https://lobste.rs/s/q54lep #pdf #security
https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
A modern approach to preventing CSRF in Go https://lobste.rs/s/fzw9g7 #go #security #web
https://www.alexedwards.net/blog/preventing-csrf-in-go
It Is A War Out There - Take Control of Your Supply Lines with HtDTY by @sheephorse https://lobste.rs/s/b6x3lb #browsers #security #web
https://sheep.horse/2025/10/it_is_a_war_out_there_-_take_control_of_your_suppl.html
Had to change my password and update my emergency kit this morning on my @1password account. I received a strange message when launching my mobile app that my password and, I think, my secret (something like that) was changed. I didn't change any of this. The account, both mobile and web, still worked just fine, but I thought it might be a good idea to change the password anyway.
Any other users seeing this?
Our leadership @JohnKiriakou in @apnews :
“Working with @ivycyber has been a phenomenal experience... The software is #secure and the collaboration with @profdiggity bridges the gap between operational #security and cutting-edge digital #privacy.”
A major evolution of Apple Security Bounty, with the industry's top awards for the most advanced research https://lobste.rs/s/gxtrdn #security
https://security.apple.com/blog/apple-security-bounty-evolved/
A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises https://lobste.rs/s/0ua1s5 #security
https://words.filippo.io/compromise-survey/
Rubygems.org AWS Root Access Event – September 2025 https://lobste.rs/s/biqecl #ruby #security
https://rubycentral.org/news/rubygems-org-aws-root-access-event-september-2025/
wanna know something?
so there's a company called cellcrypt which (was) actually NSA certified. they're trying to get certified again, it's expected to come out of testing soon.
but they wrote this article which is now archived https://web.archive.org/web/20250126023940/https://www.cellcrypt.com/post/consumer-secure-messaging-apps-are-not-the-solution for those that can't parse hyperlinks. they basically argue against public infrastructure (reasonable) yet they now have an offering which uses public infrastructure.
are you for it, or are you against it? come on, make up your mind!
@kkarhan #infosec #cybersecurity #security #encryption #cellcrypt #niap #nsa
OpenSSH 10.1 released https://lobste.rs/s/u49gyi #release #security
https://www.openssh.com/txt/release-10.1
Attack paths for exfiltrating data using 1Password CLI https://lobste.rs/s/owxdcr #security
https://codeberg.org/manchicken/1password-cli-vuln-disclosure
June 30, 2017
NASA Planetary Defense:
Backyard Asteroid Observer
Backyard astronomer Robert Holmes of Westfield, Illinois, is part of NASA's army of observers scanning the night sky for asteroids.
"We do follow-up observations with NASA's near-Earth observations program. All night long, I'm running big telescopes. One's a 24-inch, a 30-inch, and a 32-inch. And then the 50 inch is my… my biggest telescope [...]."
"[...] We do follow-up observations for the discoveries that are made by the large sky surveys. By looking at these asteroids, and measuring these asteroids, we can determine what their possibilities of actually hitting the Earth in the future are going to be.
NASA provides coordinates of specific objects that they need observations on. I'm gonna punch in the coordinates here, and I'm doing this remotely from inside a control room, not at the telescope. And so, we look these objects up and then use those coordinates to look at a tiny piece of the sky that this object happens to be in. And then we follow those objects, and define and refine orbits for those objects, and reduce the uncertainty of where it's going to go in the near future.
I started off as a volunteer in 2006. It's just blossomed into a full-time opportunity to work for NASA under their grant program, where I'm now doing this every single clear night.
Now we're starting the observing run for 2017 KK3. You don't build a telescope that's this big without having… being passionate about what you do. I'm really driven to be a part of a program that's important and has importance to the future. And we're not talking about next year or the year after, we're talking about asteroids that could potentially hit the Earth 100 years from now. And the work we do today may make a difference 100 years from now."
https://www.jpl.nasa.gov/videos/nasa-planetary-defense-backyard-asteroid-observer/
FYI:
https://science.nasa.gov/planetary-defense/
CREDIT
Jet Propulsion Laboratory
#space #comets #astrophotography #photography #science #astronomy #nature #NASA #ESA #security #tech
Planetary Defense at NASA
In 2016, NASA established the Planetary Defense Coordination Office (PDCO) to manage the agency's ongoing mission of finding, tracking, and better understanding asteroids and comets that could pose an impact hazard to Earth. Here you can stay informed about the PDCO, NASA's Near-Earth Object (NEO) Observations Program, and upcoming planetary defense flight missions, including NASA'S NEO Surveyor mission.
Planetary Defenders
NASA’s Planetary Defenders is a gripping documentary that delves into the high-stakes world of asteroid detection and planetary defense by journeying alongside NASA’s dedicated team of scientists, astronomers, and engineers who discover, track, and monitor near-Earth asteroids to safeguard Earth from potential impacts. Available now on NASA+ and other streaming platforms.
How would humanity respond if we discovered an asteroid headed for Earth? NASA’s "Planetary Defenders" is a gripping documentary that delves into the high-stakes world of asteroid detection and planetary defense.
#comets #astrophotography #photography #science #astronomy #tech #security #defense #NASA #ESA
Near-Earth Asteroids as of July 2025
Jul 02, 2025
Each month, NASA’s Planetary Defense Coordination Office releases a monthly update featuring the most recent figures on NASA’s planetary defense efforts, near-Earth object close approaches, and other timely facts about comets and asteroids that could pose an impact hazard with Earth. Here is what we've found so far:
38,612: Total number of discovered near-Earth asteroids of all sizes.
872: Discovered asteroids larger than 1 kilometer, with an estimated 50 left to be found.
11,324: Discovered asteroids larger than 140 meters, with an estimated 14,000 remaining to be found.
100 tons: Amount of dust and sand-sized particles that bombard Earth daily.
Near-Earth asteroid close approaches:
7: Passed closer to Earth than the Moon in the last 30 days.
164: Passed closer to Earth than the Moon in the last 365 days.
493,300,000: Observations of near-Earth objects submitted to the Minor Planet Center.
Updated: July 2, 2025
https://science.nasa.gov/science-research/planetary-science/planetary-defense/near-earth-asteroids/
CREDIT
NASA Science Editorial Team
#comets #astrophotography #photography #science #astronomy #tech #security #defense #NASA #ESA
June 5, 2025
by Molly Wasser
NASA’s Webb Observations Update Asteroid 2024 YR4’s Lunar Impact Odds
While asteroid 2024 YR4 is currently too distant to detect with telescopes from Earth, NASA’s James Webb Space Telescope collected one more observation of the asteroid before it escaped from view in its orbit around the Sun.
With the additional data, experts from NASA’s Center for Near-Earth Object Studies at the agency’s Jet Propulsion Laboratory in Southern California further refined the asteroid’s orbit. The Webb data improved our knowledge of where the asteroid will be on Dec. 22, 2032, by nearly 20%. As a result, the asteroid’s probability of impacting the Moon has slightly increased from 3.8% to 4.3%. In the small chance that the asteroid were to impact, it would not alter the Moon’s orbit.
When asteroid 2024 YR4 was first discovered, the asteroid had a small chance of impacting Earth. After more observations, NASA concluded the object poses no significant impact risk to Earth in 2032 and beyond.
As data comes in, it is normal for the impact probability to evolve. An international team led by Dr. Andy Rivkin from the Johns Hopkins Applied Physics Laboratory in Laurel, Maryland, made the observations using Webb’s Near-Infrared Camera in May.
Asteroid 2024 YR4 is now too far away to observe with either space or ground-based telescopes. NASA expects to make further observations when the asteroid’s orbit around the Sun brings it back into the vicinity of Earth in 2028.
CREDIT
NASA/JPL Center for Near-Earth Object Studies
#comets #astrophotography #photography #science #astronomy #tech #security #defense #NASA #ESA
I imagine it was not a great day in Downtown Raleigh.
Red Hat Investigating Breach Impacting as Many as 28,000 Customers, Including the Navy and Congress
@kkarhan wait who is Arian? also, yes, and the problem with these #k12 #cipa #filtering #software is that they don't have #security people who can test vulnerabilities.
they only test what's required in the CIPA guidelines.
not only that, these can seriously cut funding for #school #district s because they don't just attack a part of the filter, e.g. via a #proxy or #vpn, but rather attack holes in the filtering systems directly
Pointer leaks through pointer-keyed data structures https://lobste.rs/s/iausq0 #ios #mac #security
https://googleprojectzero.blogspot.com/2025/09/pointer-leaks-through-pointer-keyed.html
GrapheneOS version 2025100300 released:
https://grapheneos.org/releases#2025100300
See the linked release notes for a summary of the improvements over the previous release.
Forum discussion thread:
https://discuss.grapheneos.org/d/27029-grapheneos-version-2025100300-released
CI/CD components to generate and verify provenance attestation https://lobste.rs/s/gen7vw #security
https://gitlab.com/groups/gitlab-org/-/epics/15859#note_2540189548
Nine HTTP Edge Cases https://lobste.rs/s/afajjh #api #practices #security
https://blog.dochia.dev/blog/http_edge_cases/
JUnit 6 broke 50 repos. I’m delighted.
If a dependency bump can shatter your stack, you don't need fewer updates. You need better tests.
I maintain 50+ OSS repos as one human. I don't babysit them. I automated everything, including updates and minor releases. Many repos haven't been touched in 6 years. Now, as JUnit 6 rolled in, a chunk failed. Perfect.
Why perfect? Because failure is a signal, not a disaster. Good tests mean breakage never escapes. I've had repos fail on a Java date parser change. Beautiful. I saw it before release, fixed it, moved on. During Log4Shell and Spring4Shell I didn't panic. I just waited for the next update. That's what behaviour tests are for. And no, they are not slow. If your tests crawl, your design does too.
I trust code I write. I do not trust magic. I remove convenience glue that silently rots:
I don't need MultiValueMap when Map<List> is clearer.
I don't need StringUtils.isEmpty when a simple null or empty check is obvious.
I don't need annotations that smuggle in half a framework.
Every extra library is a future liability: CVEs, Licences, Security, Data Privacy, Performance, breaking changes, mental overhead. Use them to start, then delete them to last. Fewer moving parts mean fewer ways to die.
After 6 years my micro systems still boot in microseconds, still read clean, still behave. CI pipelines aged, sure, but the code stayed boring. Boring is freedom. Quiet, peaceful, done.
If your stack cannot auto-update without heart palpitations, the problem isn't updates. It's architecture.
Principles I ship by
Automate updates and everything else I can. Let tests be the gate, not fear.
Push behaviour tests to the edges. If it's slow, refactor until it isn't.
Prefer primitives and standard libs. Delete decorative wrappers.
Design for micro systems, not micro monoliths. Start fast, stay fast.
Fewer tools, fewer surprises, fewer nights on fire.
Congratulations. The system failed safely. After fix, you may proceed to do literally anything else with your life.
#java #junit #testing #oss #automation #developerexperience #simplicity #minimalism #microservices #security #log4shell #spring4shell #cleanarchitecture
Stop Trusting Nix Caches https://lobste.rs/s/8nyk1p #nix #security
https://garnix.io/blog/stop-trusting-nix-caches
Shellshock (2014, 2025) via @jmiven https://lobste.rs/s/cpizty #historical #security
https://dwheeler.com/essays/shellshock.html
welp, #k12 #sysadmins, I found a new #vulnerability of #contentkeeper #cloud AKA CK-Express TP extension client side.
the new vulnerability still revolves around DNS, but still works either way.
I have moved to enterprise Cloudflare gateway and modified a DNS configuration.
the problem with blocking is it still goes somewhere.
so let me tell you an even better solution for this: DNS remapping!
specifically, remapping all requests to contentkeeper.net and its related subdomains to 0.0.0.0, which means CK doesn't even know what it doesn't connect to.
again, folks, this is why you don't use client side agents for web filtering!
this is not a good idea!
again, you're trusting contentkeeper will be able to connect without a single problem.
the problem with the last flaw was that it attempted to display a block page. but this? this is even better because it can't do anything at all, even during the first initialization process, it will simply think the device is completely offline with no network connection.
and like the last one that simply blocked rather than remapped, it gives a device not supported error.
it still needs to be on first reinitialization, but this will work.
here's how it works.
first, a user makes a DNS request not to block, but to remap, DNS entries from contentkeeper.net to 0.0.0.0. ideally, also connections to contentkeeper.com, goguardian.com, and some other services to the same IP (this is completely possible to do on Cloudflare's end in 1 policy) but that's out of the scope of this.
next, they point to their DNS string which Cloudflare has assigned them, or, if it has a static DNS IP, point to that.
of course, again, it needs to point on startup, either through the sign-in screen or before opening Chrome. even better, turn off the wifi for a bit, go to the settings of the saved networks, then from there change the nameservers, bam!
and once done, if CK-ETP attempts to start, it will not work.
yes, I have found another #security vulnerability which is even better than reblock.
#cybersecurity #security #webfiltering #cipa #contentkeeper
Supply chain security for the 0.001% (and why it won’t catch on) https://lobste.rs/s/cqlfab #mac #security
https://blog.viraptor.info/post/supply-chain-security-for-the-0001-and-why-it-wont-catch-on
go-landlock: A Go library for the Linux Landlock sandboxing feature https://lobste.rs/s/szfpjf #go #linux #security
https://github.com/landlock-lsm/go-landlock
First Malicious MCP in the Wild: The Postmark Backdoor That's Stealing Your Emails https://lobste.rs/s/shhayp #security #vibecoding
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft
ALL YOUR (data)BASES ARE MINE - #AMAZON #S3 (USA Storage?)
KEY IDEAS & BUILDING BLOCKS
FOR ALL PROJECTS,,,
MAKE AN EMAIL SERVICE #selfhosting NON-U$ BASED
(1-CLICK INSTALL - #YUNOHOST MAYBE @yunohost )
G/mail is the base of a lot of evil. And all your stuff goes through #gmail !
"ALL YOUR (data) / #dataBASES ARE MINE:"
says Mark #Zuckerberg + #Trump + Elon #Musk + Jeff #Bezos / ETC
and the database #password / user #passwords sometimes!
#SelfHosted #Email NON- #USPol
#selfhost #Admin #Security #Privacy
= YUNOHOST @yunohost
Cross-Agent Privilege Escalation: When Agents Free Each Other · https://lobste.rs/s/2womxj #security #vibecoding
https://embracethered.com/blog/posts/2025/cross-agent-privilege-escalation-agents-that-free-each-other/
crates.io: Malicious crates faster_log and async_println https://lobste.rs/s/o8ibca #rust #security
https://blog.rust-lang.org/2025/09/24/crates.io-malicious-crates-fasterlog-and-asyncprintln/
How MCP Authentication Flaws Enable RCE in Claude Code, Gemini CLI, and More https://lobste.rs/s/hlqtmy #security #vibecoding
https://verialabs.com/blog/from-mcp-to-shell/
Help, I need a code signing certificate that won't bankrupt me.
Three years ago, I paid $100 for a three-year code signing certificate. I've signed all my open-source projects' releases with it. Now that it's renewal time, Certera (SignMyCode.com) wants almost $700 for the same three-year certificate (excluding the mandatory HSM purchase, which I am totally on board with).
I write silly C and PowerShell code, and I timestamp my signatures so that they're perpetually valid. My PowerShell Gallery stuff, as well as binaries of aprs-weather-submit on Windows and macOS, are all signed and hashed (but not notarized by Apple, because that's another $99 a year for something that feels done unless Bob Bruninga's followers are thinking about APRS 2.0).
If I can't find a solution, anything I write or update in the future will have to be released as unsigned unless I half-ass something (like the Notepad++ developer using self-signed certs -- semi-dangerously clever). $100 every three years, fine. $700 every three years, and I'll do it if my three fans click my Buy Me A Coffee link over and over.
Is there any CA out there that will offer open-source, not-for-profit developers like me a chance to get globally-trusted code signing certificates? I don't think SigStore ever took off (sadly), and even if it did, I don't think it's part of the Microsoft Authenticode program.
#CodeSigning #SSL #TLS #certificates #Certera #SoftwareDevelopment #C #PowerShell #PowerShellGallery #AmateurRadio #HamRadio #APRS #APRS-Weather-Submit #GitHub #security #developer #Windows #macOS #Linux #Authenticode #DevSecOps #DevOps
Phishing attacks with new domains likely to continue https://lobste.rs/s/b8sz0h #python #security
https://blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
Using DNS for responding to ACME challenges https://lobste.rs/s/wb9ocu #networking #security
https://hsm.tunnel53.net/article/dns-for-acme-challenges/