Max Maass

Sr. Security Specialist at iteratec // @seemoo alumni // Member of CCC // Crypto means cryptography.

tfr.

Max Maass boosted:
OWASP Germany Chapter (owasp_de@infosec.exchange)
2025-07-09

Dear #AppSec community!

(English below)

We *) have now officially opened the Call for Presentations for the German #OWASP2025 Day 2025 and are looking forward to an exciting conference!

The GOD, as it is traditionally called, will take place this year on 26 November in Düsseldorf, with training sessions the day before and the usual networking event the evening before.

We want to build on last year's conference in Leipzig, which was very well received, and are looking for you as a speaker. If you have an exciting topic you would like to present there, we would be delighted if you submitted your idea to the program committee. You can find the CfP at god.owasp.de/2025/cfp . We have slots with 20 and 40 minutes of presentation time.

If you know friends or colleagues who might like to present their topic in Düsseldorf, please pass this on.

-----

We've *) just opened the Call for Presentations for the German OWASP Day 2025 and are looking forward to an exciting conference again.

This year's conference, nicknamed GOD traditionally, will take place on November 26 in Düsseldorf with training sessions the day before and the usual networking event the evening before.

We want to build on last year's conference in Leipzig, which was very well received, and thus are looking for you as a speaker. If you have an exciting topic that you would like to present in Düsseldorf, we would be delighted if you would submit your idea to the program committee. You can find the CfP at god.owasp.de/2025/en/cfp.html . We have slots with 20 and 40 minutes presentation time.

If you have friends or colleagues who might be interested in presenting their topic, please pass this on.

*) As every year, "we" means a team of people who put this together on a volunteer basis with a great deal of commitment.

As every year "we" is a team of volunteers who put this together with a great deal of commitment.

Max Maass boosted:
2025-07-08

Some ✨ personal news ✨: I'm starting my independent consultancy, focused on helping organizations do good things with privacy-enhancing technology 🎉

It's called Hiding Nemo, and you can read all about it on our website ➡️ hiding-nemo.com 🪸

Max Maass boosted:
Volpeon (volpeon@icy.wyvern.rip)
2025-07-07

AAAAAAAAAAA MONDAY

[Image: Two red foxes yawning, but it looks like enthusiastic screaming]

Max Maass boosted:
Very Hairy Jerry (jerry@infosec.exchange)
2025-07-06

I really don’t understand the push for a computer to replicate what goes on in the human brain. I mean, I know what goes on in mine and it just seems ill advised for a computer to be thinking those thoughts.

Max Maass boosted:
bert hubert 🇺🇦🇪🇺🇺🇦 (bert_hubert@eupolicy.social)
2025-07-06

The attempts by law enforcement & governments to subvert end-to-end encryption are ongoing. The European Commission is going to spend a year thinking about their new "Roadmap for law enforcement access to data", and they are (genuinely) asking for people to join their expert group to help. Here I urge you to join that group (also because I can't): berthub.eu/articles/posts/poss

Max Maass boosted:
2025-07-03

Would you like to end the constant drumbeat of ill-informed legislative proposals that threaten to destroy end-to-end #encryption in #OpenSource #software? Are you from #Europe? Can you demonstrate your expertise? Then why not apply to join the European Commission's Expert Group for a Technology Roadmap on Encryption (E04005). Deadline is September 1st, don't be late.

ec.europa.eu/transparency/expe

2025-07-03

Looking to install two LED strips at home. Desired features:
- Controlled via WiFi or #Zigbee
- #HomeAssistant integration
- RGBW strips, individually addressable
- Either comes with a diffusor or is compatible with standard diffusors (is "not being compatible with that" even a thing?)
- Length: Two strips of ~2 Meters each, ideally with a shared controller and PSU to avoid duplicating functionality, but I'm willing to compromise here
- I'm willing to pay a certain premium not to have to worry about all the technical details (i.e., I would prefer a plug-and-play solution to a mix-and-match "buy a controller, PSU, and strips separately from AliExpress and pray that they interoperate properly").
- Would like to avoid having to buy a proprietary hub to use it (zigbee2mqtt-compatibility would be perfect).
- Will be installed in the bedroom, so it is important that the PSU does not emit any high-pitched noise.
- Should be available in EU / Germany.

Any recommendations from the #HomeAssistant hivemind? Or should I just bite the bullet, get a #QuinLED and figure out all the technical details myself after all?

2025-07-02

I received a response, documented here: infosec.exchange/@hacksilon/11

2025-07-02

Update: I heard back from the people running the system. Apparently it isn’t a geoblock, but the specific IPs my requests were coming from were blocked because of abuse from that CDN (bunny.net). The error has been fixed. (Now I wonder if Fraenk hosts their stuff on Bunny.net, or if it’s the DNS resolver I am using 🤔)

Anyway, in the future, access to the warnings should be possible.

Also, they saw this toot and referenced it in their reply 😅.
infosec.exchange/@hacksilon/11

2025-07-01

@chihuamaranian if you want to check nfc functionality in general, try scanning an NFC-enabled credit card - they should show up on any modern phone.

Good luck with your tests!

2025-07-01

@chihuamaranian many modern android phones do not recognize mifare classic chips. Could be the reason. If so, you may be looking at an old system that may be vulnerable to key cloning…

2025-06-30

@chihuamaranian if you have two android phones and want to try relaying communication between the tag and the reader to inspect what is happening, have a look at github.com/nfcgate/nfcgate (disclosure: I am one of the original authors, but it is maintained by other people now).

In general, if you have any phone with NFC, there should be an app that tells you the basics about the fob. If it’s a mifare classic, it’s almost certainly cloneable. If it’s a DESFire v2, it’s gonna be a lot harder or impossible if they did their job right.

2025-06-30

@czauner it should come from a residential IP, not a hosted VPS or anything. Still, a false positive is always possible.

2025-06-30

@czauner can’t really tell from the outside. Don’t have any other devices on other networks to play with. But using the hotel WiFi while tunneling DNS (but not HTTP) over my home network (via VPN) triggers the same behavior. So, probably DNS-based Geoblocking?

2025-06-30

@matt either that or just regular geoblocking?

2025-06-30

@roseen it’s just regular geoblocking, I assume - they only allow Austrian IP ranges, apparently.

2025-06-30

@Reemt tbh, the website mostly repeated the cell broadcast message. Not that important.

2025-06-30

@olbohlen yep, I was then also able to find that out via other sources.

2025-06-29

Great article. And has this gem as a closing statement: „Somewhere, a protocol is being used exactly as intended. This is deeply suspicious.“
darmstadt.social/@claudius/114

Max Maass boosted:
2025-06-29

This blog entry about #MCP[1] is very true, and we've seen almost the same thing in the early 2000s ("Web 2.0", no not the "social media" thing that everybody associates with it now)

Web 2.0 was all about APIs. For a brief moment, everything had a relatively open API. Twitter - that's where all the clients came from. Flickr. Delicious. Maps. YouTube. They all were relatively open.

And people built the coolest stuff with it.

[1]: worksonmymachine.substack.com/
