
Posts by Andy Caine

We need to have a whip round and buy all maintainers of popular open source projects a FIDO key.

7 months ago 0 0 0 0
Preview: Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet
The three certificates were issued in May but only came to light Wednesday.

Credit to Cloudflare for running a public CT log but maybe they should actually monitor them? arstechnica.com/security/202...

7 months ago 0 0 0 0
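The monitoring the post above is asking for, as an added example (not Cloudflare's tooling and not from the linked article): take the records a CT search returns for names you own, drop the precert/leaf duplicates, and flag any certificate whose issuer is not a CA you actually use. The records are constructed by hand in the shape of crt.sh's JSON output (issuer_name, name_value, not_before, serial_number); the issuers, names and serials are made up.

```python
"""Flag certificates in CT logs that were not issued by a CA you use.

Added example, not production monitoring from anyone. The records below
are constructed in the shape of crt.sh's JSON output; in practice you pull
the records for each name you own on a schedule and alert on anything this
function returns. Issuers, names and serials are all made up.
"""

# Issuers we actually buy or automate certificates from. (Constructed list.)
EXPECTED_ISSUERS = {
    "C=US, O=Let's Encrypt, CN=R11",
    "C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1",
}

# Names we own and therefore care about. (Constructed.)
OUR_NAMES = {"example.com", "www.example.com", "api.example.com"}

# crt.sh-shaped records; the second and fourth should be flagged. (Constructed.)
SAMPLE_CT_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2025-05-01T09:00:00", "serial_number": "04a1b2c3"},
    {"issuer_name": "C=XX, O=Unrelated Example CA, CN=Unrelated Example Issuing CA 1",
     "name_value": "www.example.com",
     "not_before": "2025-05-12T11:30:00", "serial_number": "7f00e1"},
    {"issuer_name": "C=XX, O=Unrelated Example CA, CN=Unrelated Example Issuing CA 1",
     "name_value": "shop.example.net",
     "not_before": "2025-05-12T11:31:00", "serial_number": "7f00e2"},
    {"issuer_name": "C=XX, O=Another Example CA, CN=Another Example CA G3",
     "name_value": "*.example.com",
     "not_before": "2025-05-20T08:15:00", "serial_number": "0099aa"},
    # crt.sh lists the precertificate and the final certificate separately;
    # this duplicate of the second record must not produce a second finding.
    {"issuer_name": "C=XX, O=Unrelated Example CA, CN=Unrelated Example Issuing CA 1",
     "name_value": "www.example.com",
     "not_before": "2025-05-12T11:30:00", "serial_number": "7f00e1"},
]


def cert_names(record):
    """name_value holds one SAN per line; normalise to a lower-case set."""
    return {n.strip().lower() for n in record["name_value"].splitlines() if n.strip()}


def covers(cert_name, our_name):
    """True if cert_name matches our_name exactly or as a one-label wildcard.
    A wildcard does not cover the apex, so *.example.com != example.com."""
    if cert_name == our_name:
        return True
    if cert_name.startswith("*."):
        parent = our_name.split(".", 1)[1] if "." in our_name else ""
        return parent == cert_name[2:]
    return False


def unexpected_certs(records, expected_issuers=EXPECTED_ISSUERS, our_names=OUR_NAMES):
    """Return (serial, issuer, sorted names) for every certificate covering one
    of our names that was issued by a CA outside expected_issuers. Deduplicated
    on (issuer, serial) so a precert/leaf pair counts once."""
    seen = set()
    findings = []
    for r in records:
        key = (r["issuer_name"], r["serial_number"].lower())
        if key in seen:
            continue
        seen.add(key)
        names = cert_names(r)
        touches_us = any(covers(c, o) for c in names for o in our_names)
        if touches_us and r["issuer_name"] not in expected_issuers:
            findings.append((r["serial_number"], r["issuer_name"], sorted(names)))
    return findings


if __name__ == "__main__":
    for serial, issuer, names in unexpected_certs(SAMPLE_CT_RECORDS):
        print(f"ALERT serial={serial} issuer={issuer!r} names={names}")
```

CT only tells you after the fact, and only once the certificate has been logged, so this is a detective control; publishing CAA records for your domains narrows which CAs may issue in the first place, and the two belong together.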
Preview: AWS CEO says AI replacing junior staff is 'dumbest idea'
They're cheap and grew up with AI … so you're firing them why?

Nice to see a tech leader talking sense, rather than spouting the usual AI hype www.theregister.com/2025/08/21/a...

8 months ago 0 0 0 0
Preview: Marks & Spencer cyber incident linked to ransomware group - Help Net Security
The "cyber incident" that British multinational retailer Marks & Spencer has been struggling with for over a week is a ransomware attack.

Marks & Spencer cyber incident linked to ransomware group

📖 Read more: www.helpnetsecurity.com/2025/04/29/m...

#cybersecurity #cybersecuritynews #ransomware

11 months ago 0 2 0 0
Preview: Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials
Phishers abused Google Sites and DKIM replay to send valid-signed emails, bypassing filters and stealing credentials.

Clever attack - can't help but think that Google's validation of that OAuth app name could have been a little stricter... 🤣 thehackernews.com/2025/04/phis...

1 year ago 0 0 0 0
Preview: CVE Foundation FOR IMMEDIATE RELEASE April 16, 2025
CVE Foundation Launched to Secure the Future of the CVE Program [Bremerton, Washington] – The CVE Foundation has been formally established to ensure the long-term ...

Big props to those behind the new CVE Foundation (www.thecvefoundation.org) - amazing to be able to announce this so quickly after the news about MITRE's funding expiring broke yesterday. I hope private sector & government folks are investigating how they can support the Foundation going forward.

1 year ago 19 14 2 2
Original post on infosec.exchange

I haven’t been operationally involved in #CVE for a long time and I’m sorry for what the team is going through.

I’m hopeful that the CNAs will pick up the load, and that they either have reserved blocks or can coordinate among themselves to assign blocks for use in a way that helps with the […]

1 year ago 0 2 0 0
Original post on infosec.exchange

CVE funding is apparently not being renewed. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.) Those included comparing between […]

1 year ago 0 3 0 0

Which still didn't work of course. To add an NFC pass he had to go to a link to "graduate" !?! and only then could he add it. And even then he got an error so we'll only find out if it's worked when we try at the game later.

So much easier on child #2's iPhone

1 year ago 0 0 0 0

No app in 2025 should force you to enter a password on a foreign device. Just had to type in a 40 character long random password in Google Family Link to add a card to my son's device 🥵 🤬

1 year ago 0 0 1 0
Preview: The Rise of Slopsquatting: How AI Hallucinations Are Fueling...
Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize.

"Slopsquatting is a new supply chain threat where AI-assisted code generators recommend hallucinated packages that attackers register and weaponize."

#AI #sbom #cicd

socket.dev/blog/slopsqu...

1 year ago 14 5 2 0

The use of 3DES in a new app seems particularly strange

1 year ago 0 0 0 0
Preview: DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers
Apple’s defenses that protect data from being sent in the clear are globally disabled.

More evidence of DeepSeek’s shocking security practices. Wide open databases, obsolete encryption algorithms, hard-coded encryption keys, sensitive data sent over unencrypted channels arstechnica.com/security/202...

1 year ago 0 0 1 0
Preview: Reused AWS S3 buckets a weak link in supply chain security
When cloud customers don't clean up after themselves, part 97

Great example of why you should implement a data perimeter in AWS to make sure you only load resources from S3 buckets from within your own AWS Organization www.theregister.com/2025/02/04/a...

1 year ago 0 0 0 0
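What the data perimeter in the post above looks like in policy terms, as an added example (not code from the linked article or from AWS): the default S3 VPC endpoint policy beside one that only lets principals in your Organization reach buckets your Organization owns, plus a small audit function that reports any Allow statement able to reach S3 without pinning aws:ResourceOrgID. The Organization ID and both policies are constructed for the example.

```python
"""Check an S3 VPC endpoint policy for an Organization resource perimeter.

Added example, not from the linked article or from AWS. It encodes the
pattern from AWS's data-perimeter guidance: every Allow statement that can
reach S3 must carry a StringEquals condition on aws:ResourceOrgID naming
your own Organization, so a request through the endpoint can never land on
a bucket owned by someone else (a bucket name you deleted and an attacker
re-created included). The Organization ID and both policies are constructed.
"""
import json

ORG_ID = "o-example111111"  # placeholder, not a real Organization ID

# Weak: the default endpoint policy. Any principal, any bucket, any owner.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"},
    ],
}


def org_perimeter_endpoint_policy(org_id):
    """Corrected: only our principals, only to buckets our Organization owns."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrgPrincipalsToOrgBuckets",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": org_id,  # identity perimeter
                        "aws:ResourceOrgID": org_id,   # resource perimeter
                    }
                },
            }
        ],
    }


def _as_list(value):
    """IAM lets a single value stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _can_reach_s3(statement):
    actions = _as_list(statement.get("Action", []))
    return any(a == "*" or a.lower().startswith("s3:") for a in actions)


def unscoped_s3_allows(policy, org_id):
    """Return the Sid (or index) of every Allow statement that can reach S3
    without pinning aws:ResourceOrgID to org_id. An empty list means the
    resource perimeter holds. NotAction/NotResource are not handled here."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _can_reach_s3(stmt):
            continue
        pinned = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceOrgID", [])
        )
        if pinned != [org_id]:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    print("default policy gaps:", unscoped_s3_allows(DEFAULT_ENDPOINT_POLICY, ORG_ID))
    print("perimeter policy gaps:",
          unscoped_s3_allows(org_perimeter_endpoint_policy(ORG_ID), ORG_ID))
    print(json.dumps(org_perimeter_endpoint_policy(ORG_ID), indent=2))
```

Two caveats before rolling this out: AWS-owned buckets that your workloads fetch from (SSM agent, ECR image layers, distribution repos and the like) sit outside your Organization, so a real endpoint policy needs explicit exception statements for those bucket names; and the endpoint policy only governs traffic that actually goes through the endpoint, so the same aws:ResourceOrgID condition belongs in an SCP as well. Test in a non-production VPC first.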

Why is Amazon Q so bad? You'd think it would be relatively easy to optimize it for answering questions on AWS services, given the quality of the docs. But in my experience it consistently gets stuff wrong e.g. making up settings that don't exist.

1 year ago 0 0 0 0
Post image

Helpful!

1 year ago 65872 14924 770 689
Preview: All porn sites must 'robustly' verify UK user ages by July
Ofcom is issuing industry guidance which sets out the tech adult websites must use to check ages.

We need someone to build a trusted privacy aware service to verify things like age … www.bbc.co.uk/news/article...

1 year ago 0 0 0 0
Preview: Microsoft AI Red Team says security work will never be done
If you want a picture of the future, imagine your infosec team stamping on software forever

“…one must assume that if an LLM is supplied with untrusted input, it will produce arbitrary output. When that input includes private information, one must also assume that the model will output private information." 😬 www.theregister.com/2025/01/17/m...

1 year ago 0 0 0 0
Preview: BT axes EV charger scheme after installing just one out of 60,000
Telecoms company hoped to convert roadside cabinets into charge points but will now shut down its sole installation

Shame but not a massive surprise given EV sales and financials www.theguardian.com/environment/...

1 year ago 0 0 0 0
Preview: Google OAuth Vulnerability Exposes Millions via Failed Startup Domains
Attackers exploit a Google OAuth flaw, recycling domains to access SaaS accounts and sensitive HR data.

This is why you use the 'sub' claim, and not the email address, as the unique ID for users in your system when integrating with OIDC thehackernews.com/2025/01/goog...

1 year ago 0 0 0 0
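The point in the post above, as an added example (not code from the linked article or from Google): two user stores, one keyed on the email claim and one keyed on the (iss, sub) pair, replaying a login from an employee account and then a login with the same address recreated under a new tenant after the domain changed hands. The issuer URL is Google's real OIDC issuer value; every sub, email and domain is made up, and the claim dicts stand in for ID-token payloads whose signature, issuer, audience and expiry are assumed to have been verified already.

```python
"""Key federated users on the OIDC (iss, sub) pair, never on the email claim.

Added example, not code from the linked article or from any identity
provider. The claim dicts are constructed stand-ins for ID-token payloads
that have already passed signature, issuer, audience and expiry checks
(assumed done, not shown). The issuer URL is Google's real OIDC issuer
value; every sub, email and domain below is made up.
"""
from dataclasses import dataclass

ISSUER = "https://accounts.google.com"


@dataclass
class User:
    user_id: int
    issuer: str
    subject: str
    email: str
    has_hr_records: bool = False  # stands in for anything sensitive tied to the account


class EmailKeyedStore:
    """The anti-pattern: whoever can obtain a token carrying this email owns the account."""

    def __init__(self):
        self._users = {}
        self._next_id = 1

    def login(self, claims):
        key = claims["email"].lower()
        user = self._users.get(key)
        if user is None:
            user = User(self._next_id, claims["iss"], claims["sub"], claims["email"])
            self._next_id += 1
            self._users[key] = user
        return user


class SubjectKeyedStore:
    """Correct: identity is (iss, sub). sub is only unique within one issuer,
    so the pair, not sub alone, is the key."""

    def __init__(self):
        self._users = {}
        self._next_id = 1

    def login(self, claims):
        key = (claims["iss"], claims["sub"])
        user = self._users.get(key)
        if user is None:
            user = User(self._next_id, claims["iss"], claims["sub"], claims["email"])
            self._next_id += 1
            self._users[key] = user
        else:
            user.email = claims["email"]  # addresses change; identities do not
        return user


def recycled_domain_takes_over(store_cls):
    """Replay the scenario: an employee account at a startup, then the same
    address recreated under a new tenant after the domain is re-registered.
    Returns True if the second login lands in the first user's account."""
    store = store_cls()
    original = store.login({
        "iss": ISSUER, "sub": "110000000000000000001",  # made up
        "email": "alice@failed-startup.example", "email_verified": True,
    })
    original.has_hr_records = True

    # The new owner of failed-startup.example creates alice@ again. It is a
    # different account at the issuer, so it carries a different sub.
    later = store.login({
        "iss": ISSUER, "sub": "110000000000000000002",  # made up
        "email": "alice@failed-startup.example", "email_verified": True,
    })
    return later.user_id == original.user_id and later.has_hr_records


if __name__ == "__main__":
    print("email-keyed store taken over:", recycled_domain_takes_over(EmailKeyedStore))
    print("sub-keyed store taken over:  ", recycled_domain_takes_over(SubjectKeyedStore))
```

Keep the email for display and notifications, but treat it as mutable metadata. If an existing email-only account ever has to be attached to a new (iss, sub), make that an explicit, separately authenticated linking step rather than an automatic match on the address.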
Preview: Google's AI bug hunters sniff out two dozen-plus code flaws
OSS-Fuzz is making a strong argument for LLMs in security research

Google's AI bug hunters sniff out two dozen-plus code gremlins that humans missed www.theregister.com/2024/11/20/g...

1 year ago 0 0 0 0
Preview: NIST finalizes trio of post-quantum encryption standards
Nicely ahead of that always-a-decade-away moment when all our info becomes an open book

NIST finalizes post-quantum encryption standards. ML-KEM for "general encryption" (in hybrid schemes replacing e.g. ECDH) and 2 for digital signatures www.theregister.com/2024/08/14/n...

1 year ago 1 0 0 0