Søborg

Open-source enthusiast.
Interested in cyber security and practical cryptology

Søborg boosted:
2025-06-04

🎉 New release: “Internet.nl adds CAA test and announces TLS test changes”
➡️ en.internet.nl/article/release
❓ Does your domain name support #CAA?
🌐 CAA reduces risk of TLS certificate mis-issue.
🚀 Have fun testing and improving if needed!

✅️ CAA
Søborg boosted:
2025-05-30

Today's story: U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams

The U.S. government today imposed economic sanctions on Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams known as “pig butchering.” In January 2025, KrebsOnSecurity detailed how Funnull was being used as a content delivery network that catered to cybercriminals seeking to route their traffic through U.S.-based cloud providers.

The Treasury Department said Funnull’s operations are linked to the majority of virtual currency investment scam websites reported to the FBI. The agency said Funnull directly facilitated pig butchering and other schemes that resulted in more than $200 million in financial losses by Americans.

KrebsOnSecurity’s January story on Funnull was based on research from the security firm Silent Push, which discovered in October 2024 that a vast number of domains hosted via Funnull were promoting gambling sites that bore the logo of the Suncity Group, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean state-sponsored hacking group Lazarus.

Silent Push revisited Funnull’s infrastructure in January 2025 and found Funnull was still using many of the same Amazon and Microsoft cloud Internet addresses identified as malicious in its October report. Both Amazon and Microsoft pledged to rid their networks of Funnull’s presence following that story, but according to Silent Push’s Zach Edwards only one of those companies has followed through.

krebsonsecurity.com/2025/05/u-

A graphic from the FBI explaining how Funnull generated a slew of new domains on a regular basis and mapped them to Internet addresses on U.S. cloud providers. This is a really complex graphic with lots of subdomains and CNAMEs and DGA domains being mapped to the same IP address.
Søborg boosted:
2025-05-24

This is not a joke. It’s a look at the future.

#Capitalism #Enshittification

Bizarro.com cartoon. A plumber has installed a new toilet. As he holds up a smart phone, he says to the homeowner, who stands with arms folded and looks unhappy: "There's no handle on it. You need to download the FlushMe app."
Søborg boosted:
2025-05-21

If you want an lol - Microsoft have implemented Copilot on its own GitHub repos and it’s a clusterfuck, you can see MS engineers publicly begging Copilot to work.

reddit.com/r/ExperiencedDevs/c

Søborg boosted:
2025-05-20

We audited the Go language cryptographic library, used by thousands of libraries and millions of users.

Security report: github.com/trailofbits/publica

Our assessment uncovered one low-severity and five informational issues within the algorithms, following a comprehensive four-week review by three consultants focused on identifying cryptographic weaknesses such as side-channel attacks.

Beyond manual review, we created custom CodeQL and Semgrep rules for the project. We used these rules to:
- Identify memory management issues
- Analyze math.Big library usage (which "doesn't have strong constant time guarantees")
- Confirm that a detected bug was the only instance of that issue

Read their blog: go.dev/blog/tob-crypto-audit

If you are interested in learning more about how to securely design and build a cryptographic library or module, reach out to our engineering team: trailofbits.info/3YVvFXP

Søborg boosted:
daniel:// stenberg:// (@bagder)
2025-05-19

Happy inspired Swisscom to add a "disclose your use of AI" to their bug-bounty program:

github.com/swisscom/bugbounty?

Yes, #AI also affects #BugBounty. While we could leverage AI to optimize our internal triage processes, we haven't observed any noticeable, positive advances in vulnerability reports (yet). On the contrary, we are rather negatively impacted by opportunistic LLM-generated report submissions that burn our triage resources. Therefore, we followed Daniel Stenberg's example and introduced an AI policy in the Swisscom bug bounty program (link in the comments).
Søborg boosted:
2025-05-19

Love this. In his “I Agree” installation Dima Yarovinsky-Yahel took the content from terms of service statements for companies like Facebook, Snapchat, Instagram, Tinder and printed them out on A4 paper with a standard font size for legal contracts to demonstrate the length of these agreements.

Alt-Txt: Two people stand before multi-color strips of paper with text on them that stretch down an entire wall and onto the floor. The title of the installation "I Agree" appears in all caps on the wall, too.
Søborg boosted:
2025-05-11

@calcifer@masto.hackers.town

Young man, there's no need to have RAM
I said young man, you can simply program
I said young man, logic gates are my jam
There's no need for a CPU

It's fun to program the FPGA
It's fun to program the FPGA
It has everything
For a Turing machine
You can write out all your routines

Søborg boosted:
Filippo Valsorda :go: (filippo@abyssdomain.expert)
2025-05-09

Very excited to submit the Tuscolo Certificate Transparency logs for inclusion today! 🧾🪵☀️

These logs are Sunlight-based, and operated by Geomys and Port 179 LTD on bare metal. They cost 50 times less than RFC 6962 logs in the cloud.

groups.google.com/a/chromium.o

The "I guess we doin' circles now" meme: the machine has the Geomys logo, the conveyor is carrying Go logos and one Sunlight logo.
Søborg boosted:
2025-05-08

Security through Openness: Open source as a strategic choice 💥

Open source is part of Semaphor's DNA, and has been for over a decade by now. Both in the solutions we develop for our customers, in our operations, and in the products we use in our daily work at the office.

Open source is not only about freedom: it is a security choice. When code is available, it becomes more transparent, robust and secure. In geopolitically uncertain times, that matters more than ever.

@fonsmark has written a piece about that in OS2's magazine, which you can read on our 👀 website. semaphor.dk/nyheder/sikkerhed-

#opensource #sikkerhed #bigtech

Søborg boosted:
2025-05-07

This is a gruelling summary of all the things wrong with OpenSSL: haproxy.com/blog/state-of-ssl- I've mostly watched this whole thing from the sidelines, but was also affected, noting that private key parsing suddenly became 70 times slower. I think they've now improved it to "only" be 10-20 times slower, and there does not seem to be any effort to work on it any more.

Søborg boosted:
2025-05-03

No, I do not want to install your app.

No, I do not want that app to run on startup.

No, I do not want that app shortcut on my desktop.

No, I do not want to subscribe to your newsletter.

No, I do not want your site to send me notifications.

No, I do not want to tell you about my recent experience.

No, I do not want to sign up for an account.

No, I do not want to sign up using a different service and let the two of you know about each other.

No, I do not want to sign in for a more personalized experience.

No, I do not want to allow you to read my contacts.

No, I do not want you to scan my content.

No, I do not want you to track me.

No, I do not want to click "Later" or "Not now" when what I mean is NO.

Søborg boosted:
2025-05-01

Are you getting warnings that your corporate password is about to expire?

Put your device in the freezer before the expiration date. Freezing your password will preserve it, keeping it safe to consume for up to four weeks!

Follow me for more #infosec tips.

Søborg boosted:
Vinoth (Mobile security) (vinoth@infosec.exchange)
2025-04-30

Good news on mobile zero-days in 2024:
- Zero day exploits in mobile fell YoY (~50%)
- Exploit chains with multiple zero day vulnerabilities are almost exclusively in mobile. Generally, this means mobiles are harder to break in.

The flip side:
- % of zero days in enterprise technologies (i.e. not end-user facing) is increasing (37% -> 44%)
- Much of that is due to zero days in *security* and networking products.
- Security and networking products are generally compromised with a single vulnerability, no exploit chain required. This is scary given the outsized impact of compromising these products.
- Actors conducting cyber espionage still lead the attributions

Google Threat Intelligence Group released their analysis of 2024 0-days that the group tracked:
cloud.google.com/blog/topics/t

Søborg boosted:
2025-03-05

KalmarCTF 2025 is just around the corner - come compete with the best competitive hackers from around the world and win great prizes!

The #KalmarCTF 2025 is on the horizon, and Kalmarunionen is ready to raise the bar once again. Mark your calendars for March 7th - 9th, 2025, and gear up for a 48-hour showdown of skill, and pure CTF grit.

Here's what's in store:
With a generous nod to @HexRaysSA for making the coveted #IDAPro licenses possible, we promise an unforgettable event brimming with complex challenges in binary exploitation, reverse engineering, and other classic #CTF categories.

🥇 First Place: 3x IDA Pro Named Licenses* with 2 Decompilers each
🥈 Second Place: 2x IDA Pro Licenses* with 2 Decompilers each
🥉 Third Place: 1x IDA Pro License* with 2 Decompilers

Why join #KalmarCTF 2025?
- Test yourself against top global teams and expect some fun and original challenges
- Immerse yourself in a thriving community of passionate CTF players and hackers.

If you’re ready to push your limits, claim your glory, and maybe take home some serious #HexRays loot, head over to KalmarC.TF for all the details.
REassemble your dream team, and let's see who takes home all the licenses this year.

#hacking #cybersecurity #CTF

A promotional banner for KalmarCTF 2025, a cybersecurity Capture The Flag (CTF) competition. The event takes place from Friday, March 7, 2025, at 17:00 UTC to Sunday, March 9, 2025, at 17:00 UTC. The banner features the KalmarCTF logo with a stylized flag, a dark blue background with a world map pattern, and white text. It includes a link to more information at KALMARC.TF. Prize details mention IDA PRO licenses with decompilers, sponsored by Hex-Rays and Powered by IDA.
2025-02-03

@thc This is solved with ACME-CAA (#RFC8657), not that people use ACME-CAA, but it is actually fairly easy to set up: norrebro.space/@n/111355026651
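One way to check what an ACME-CAA policy like the one mentioned above actually permits, as an added example that is not part of the post and not a CA's own code: it evaluates a CAA record set under my reading of the RFC 8659 / RFC 8657 rules (an assumption) against a constructed sample record set with a made-up account id.

```python
# Added example, not part of the post: evaluate a CAA record set the way an
# RFC 8659 / RFC 8657 (ACME-CAA) aware CA does, so you can confirm that your
# records pin issuance to one CA, one ACME account and one validation method.
# The evaluation rules below are my reading of those RFCs (an assumption).

def parse_caa(rdata):
    """Parse zone-file style CAA RDATA '<flags> <tag> "<value>"' into a tuple."""
    flags, tag, value = rdata.split(maxsplit=2)
    return int(flags), tag.lower(), value.strip().strip('"')

def parse_issue_value(value):
    """Split 'ca.example; accounturi=...; validationmethods=a,b' into (domain, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        if key:
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def issuance_allowed(records, ca_domain, account_uri, method, wildcard=False):
    """True if ca_domain may issue for the name using this ACME account and method."""
    recs = [parse_caa(r) for r in records]
    # A critical (flag bit 0x80) property the CA does not understand forbids issuance.
    if any(f & 0x80 and t not in ("issue", "issuewild") for f, t, _ in recs):
        return False
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in recs):
        tag = "issuewild"
    relevant = [v for _, t, v in recs if t == tag]
    if not relevant:
        return True  # no applicable property: CAA does not restrict this CA
    for value in relevant:
        domain, params = parse_issue_value(value)
        if domain != ca_domain.lower():
            continue  # covers the ';' value too, which names no CA at all
        if params.get("accounturi", account_uri) != account_uri:
            continue
        if method not in params.get("validationmethods", method).split(","):
            continue
        return True
    return False

# Constructed sample record set (the account id is made up, not a real account).
SAMPLE_CAA = [
    '0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345678; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]
```

With this record set only the named CA, acting for that one ACME account and only via dns-01, passes; wildcard issuance is refused outright by the empty issuewild value.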

Søborg boosted:
Kevin P. Fleming (kevin@km6g.us)
2025-01-25

A - DNS record
AA - battery
AAA - battery
AAAA - DNS record

#DNS #Battery #Confusion

2025-01-25

@gnyman from the company that also posted 127.0.0.1 as an IOC 😅

2024-12-18

@bagder What about making them taste their own medicine by wasting their time, having an AI reply back?
I could imagine your AI keeps asking for a PoC and the beg-hunters keep dodging that question (hopefully wasting time manually copying replies between HackerOne and ChatGPT...)
This should ofc only be deployed when you are certain the ticket is AI slop

2024-12-18

@SuneAuken I dutifully press "Do not accept" every time, but it probably helps only so much when it is a free product, aka you-are-the-product
Otherwise there is the great add-on from AU, Consent-O-Matic, to do the hard work of pressing no: consentomatic.au.dk/
