lemmydev2

joined 2 years ago

Platforms like Reddit, Bluesky, Discord, and Pornhub have been rolling out mandatory age verification requirements in the UK over the past few weeks to comply with new online safety rules. While the age-gating aims to keep children from accessing pornographic material and other "harmful content" outlined by the UK's communications regulator Ofcom, there's a glaring […]


Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin

Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers.…


Attacks affected packages, including one with ~2.8 million weekly downloads.


Google has suspended the Firebase account of Catwatchful following a TechCrunch investigation. The spyware operation was caught using Google's own servers to host and run its surveillance app, which was stealthily monitoring thousands of people's phones.


AT&T and Verizon refused to hand over the security assessments, says Cantwell

US Senator Maria Cantwell (D-WA) has demanded that Google-owned incident response firm Mandiant hand over the Salt Typhoon-related security assessments of AT&T and Verizon that, according to the lawmaker, both operators have thus far refused to give Congress.…


NBC News: Tea says hackers accessed a database from more than two years ago, leaking 72,000 images, including 13,000 verification photos and images of government IDs  —  The viral app requires new users to take selfies, which it says it deletes after review.  —  Hackers have breached the Tea app …


Would you believe that 4chan is involved?


Posted by Matthew Suozzo, Google Open Source Security Team (GOSST)

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts. As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers.

The project comprises:

- Automation to derive declarative build definitions for existing PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages.
- SLSA Provenance for thousands of packages across our supported ecosystems, meeting SLSA Build Level 3 requirements with no publisher intervention.
- Build observability and verification tools that security teams can integrate into their existing vulnerability management workflows.
- Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

Challenges

Open source software has become the foundation of our digital world. From critical infrastructure to everyday applications, OSS components now account for 77% of modern applications. With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

Yet this very ubiquity makes open source an attractive target: Recent high-profile supply chain attacks have demonstrated sophisticated methods for compromising widely-used packages. Each incident erodes trust in open[...]


Law journal article that looks at the Dual_EC_PRNG backdoor from a US constitutional perspective:

Abstract: The National Security Agency (NSA) reportedly paid and pressured technology companies to trick their customers into using vulnerable encryption products. This Article examines whether any of three theories removed the Fourth Amendment's requirement that this be reasonable. The first is that a challenge to the encryption backdoor might fail for want of a search or seizure. The Article rejects this both because the Amendment reaches some vulnerabilities apart from the searches and seizures they enable and because the creation of this vulnerability was itself a search or seizure. The second is that the role of the technology companies might have brought this backdoor within the private-search doctrine. The Article criticizes the doctrine, particularly its origins in Burdeau v. McDowell, and argues that if it ever should apply, it should not here. The last is that the customers might have waived their Fourth Amendment rights under the third-party doctrine. The Article rejects this both because the customers were not on notice of the backdoor and because historical understandings of the Amendment would not have tolerated it. The Article concludes that none of these theories removed the Amendment's reasonableness requirement...


The sentence is one of the largest handed down to a U.S. national for their role in the North Korean government-linked scheme.


It's been six months since the EU's Digital Operational Resilience Act (DORA) came into effect, but a new Censuswide survey shows that nearly all financial services organizations in EMEA still feel unprepared. An overwhelming 96% of respondents said their current level of data resilience isn't where it needs to be. The survey, which gathered input from senior IT decision-makers in the UK, France, Germany, and the Netherlands, paints a clear picture: financial institutions are still …

The post "Six months into DORA, most financial firms are still not ready" appeared first on Help Net Security.


Anyone can buy or collect data, but the goal must be to realize actionable insight relevant to the organization in question.