Over 80,000 servers hit as roundcube RCE bug gets rapidly exploited
https://securityaffairs.com/178887/hacking/over-80000-servers-hit-as-roundcube-rce-bug-gets-rapidly-exploited.html
#securityaffairs #hacking
d33p.js boosted:
d33p.js boosted:
@derpostillon Viel sauberer als unsere Klos damals. Kudos an die Verantwortlichen der Gesamtschule. Die Kinder können sich Glücklich schätzen.
d33p.js boosted:
Beispiel: Beim Besuch einer Website mit Meta Pixel sendet dein Browser den Cookie _fbp=fb.1.1717351059.Abc123Xyz via WebRTC an die Facebook-App auf dem Gerät. Diese verknüpft ihn mit deinem Login (z. B. User-ID 1000123456789) und sendet die Daten an Meta-Server.
➡️ Ergebnis: Webseitenbesuche lassen sich direkt deiner Facebook-Identität zuordnen – auch im Inkognito-Modus, trotz Cookie-Löschung, ohne Einwilligung.
d33p.js boosted:
Mit dem Wissen über die Existenz dieses Kommunalpolitikers müsst ihr selber klar kommen. Gute Nacht Fedivers
d33p.js boosted:
I finally got rid of the last #Microsoft things on my last computer.
Also, a snapshot of the tools and services that I use these days.
d33p.js boosted:
I just wanted to sign in to the App Store on my Mac mini to download Xcode, but I'm still stuck on the "Complete Your Apple Account" screen after entering all my required info.
What is Apple thinking? I don't get it! 😫
d33p.js boosted:
In einer Signal-Gruppe wurde eine Nachricht gepostet. Bei allen steht „zugestellt“ – nur bei einer Person steht „ausgelassen“.
Das hab ich so noch nie gesehen. Wisst ihr, was das bedeutet? Bin neugierig :)
Edit: Danke fürs Teilen! Der Account ist vermutlich nicht mehr bei Signal. Ist seid super! Fediverse Zauber :)
d33p.js boosted:
Ich versuche hier jetzt mal ein paar mehr oder weniger Rechtstipps zu geben, die einem das Leben wirklich erleichtern wenn man sich dran hält, und im Zweifel auch eine Menge Geld sparen können.
Einiges davon mag banal klingen, aber die tägliche Anwaltspraxis belehrt uns eines besseren.
1. Wenn ,Microsoft‘ anruft, sofort auflegen. Ganz einfach. Punkt. Gleiches gilt für ‚PayPal‘ und alle ‚Bankinstitute‘.
d33p.js boosted:
#Verschwörungstheorien, warum es aktuell keine neuen Einträge auf #Fefes Blog gibt
* Die CIA hat herausgefunden, dass er allen erzählt, was die CIA eigentlich noch herausfinden wollte.
* Damit niemand tracken kann, wann er aktiv ist, hat er eine Veröffentlichungsverzögerung eingebaut und die sammelt gerade noch Einträge, bevor die ersten davon veröffentlicht werden.
* Das #BSI hat ihn für eine ultrageheime Spezialoperation (irgendwas mit #Blockchain, #KI und #Kernfusion!) geholt.
d33p.js boosted:
@catsalad More power...
d33p.js boosted:
#Oops Due to the ongoing case New York Times v #OpenAI, you cannot really delete your #ChatGPT prompts and conversations as the court has ordered [1] on 13th of May that *all* logs must be stored until further notice. OpenAI is furious as that means "including sensitive personal information, proprietary business data, and internal government documents" [2]. The court is not impressed [3] and sticks to the order.
[1] https://steigerlegal.ch/wp-content/uploads/2025/05/20250513-openai-gericht-verfuegung.pdf
[2] https://steigerlegal.ch/wp-content/uploads/2025/05/20250514-openai-antrag-schreiben-gericht.pdf
[3] https://steigerlegal.ch/wp-content/uploads/2025/05/20250516-openai-gericht-ablehnung.pdf
![Letter from OpenAI to the court
This is particularly concerning because the Order requires a massive disruption to commonplace data retention practices that have nothing to do with this litigation. News Plaintiffs have repeatedly characterized the data in question as data OpenAI “destro[ys].” But, in reality, the data OpenAI does not retain is (1) data that OpenAI’s users elect not to retain, including ChatGPT conversations users specifically choose to delete; and (2) data that OpenAI agrees not to retain under either its negotiated agreements or general business terms with its customers. OpenAI commits not to retain this data for a simple reason: because millions of individuals, businesses, and other organizations use OpenAI’s services in a way that implicates uniquely private information—including sensitive personal information, proprietary business data, and internal government documents.
The Order prohibits OpenAI from honoring this commitment by (e.g.) forbidding OpenAI from complying with a user’s attempt to delete a conversation about a family member’s health condition
or immigration status. That will harm not only OpenAI, but also the hundreds of millions of users who rely on its services. That counsels in favor of reconsideration, particularly when the Order
requires preservation of data that will not actually advance this litigation.](https://files.mastodon.social/cache/media_attachments/files/114/533/794/784/174/150/original/32077e022a391e48.png)
d33p.js boosted:
Yep. I can go from zero to block in under four seconds.
![Cartoon by Pizza Cake Comic.
A man is yelling at a woman.
"Why do you block people? Why won't you debate? Are you scared? I deserve an argument abou-"
[She grabs him by the T-shirt and yells back]
"I don't owe you an audience for your annoying bullshit!"](https://files.mastodon.social/cache/media_attachments/files/114/519/731/437/368/619/original/d27802f5fdcf8840.jpeg)
d33p.js boosted:
What the actual fuck, #LetsEncrypt‽
Let’s Encrypt will no longer include the “TLS Client Authentication” Extended Key Usage (EKU) in our certificates beginning in 2026.
That makes them unusable for SMTP servers. Gah!
Anyone got a usable alternative that doesn’t ruin financially?
Update: I’m in communication with them, let’s hope they recognise the usefulness.
Update 2: turns out it’s Google forcing this down the throat of all CAs that want to be recognised by Chrome as valid. I’m sure Google only accidentally decided on a new policy that breaks some SMTP and probably all XMPP use cases… 🤬
Update 3: not only are people on the Let’s Encrypt side obnoxious in trying to discuss away the problem, and saying hundreds of affected users is of no importance (what a privilegued thing to say…) and that LE is only a web CA… but they now also say that, if someone has a certificate and key for hostname.example.com and has reverse and reverse-forward DNS for their IP addresses matching that, that that should not mean that they are allowed to send out mail as hostname.example.com (?!?!?! I cannot even begin to understand the sick “reasoning” that has to be behind such a statement). They also say they think the removal of the TLS client key usage from server certs to be “years overdue”. This deliberate working against actual users’ needs is… just wrong (I have much stronger words but will refrain, for now).
Time to hope for @jwildeboer ’s https://nerdcert.eu/ to lift off and be included in the usual Root CA bundles (except Google Chrome’s, I suppose).
d33p.js boosted:
If you're not using ChatGPT to generate #PowerShell cmdlets for just about anything you need in the moment, you are seriously missing out 👇
d33p.js boosted:
Memory-safe sudo to become the default in Ubuntu
https://trifectatech.org/blog/memory-safe-sudo-to-become-the-default-in-ubuntu/
#HackerNews #MemorySafeSudo #Ubuntu #Security #TechNews #OpenSource #Cybersecurity
d33p.js boosted:
The third party version of Signal the White House has been using has been hacked, and Signal messages from devices stolen (as they were being sent to the supplier).
This includes group chat messages. The suppliers website has disappeared as of writing this toot.
https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
Client Info
Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst