Xavier «X» Santolaria  

1.9K Followers
656 Following
304 Posts

👨‍👩‍👧‍👦 Husband. Proud Father. He/Him.


👁️ 🐝 Ⓜ️ IBM Inventor and Cloud Security Solution Architect | Open Innovation Community.

Member of the IBM Academy of Technology (AoT).

ex-#OpenBSD (xsa@). Hacker. Open Source Advocate.


💬 My Own Views. Always.

#ibm #infosec #cloudsecurity #fedi22 #wehackhealth #crossfit #emtb #fieldhockey #porsche #nobot

📍 Location: 🇧🇪🇪🇸 @ 🇨🇭
🌍 Website: https://0x58.santolaria.net
:github: GitHub: https://github.com/xsa
🔑 Keybase: https://xsa.keybase.pub/mastodon.html
📨 Newsletter: https://infosec-mashup.santolaria.net/?utm_source=mastodon&utm_medium=social
🗓️ {Cyber,Info}Sec Events: https://xsa.github.io/infosec-events/

Wow, TeamPCP is hacking open-source developers faster than we can report on them. The latest (that I'm aware of, anyway) is LiteLLM. They worked with Trivy but didn't bother to change their credentials after Trivy was hacked, despite an ample amount of advice to do so.

Folks, if any of you used LiteLLM, now is the time to change your credentials, in an atomic way. Now, as in immediately.

https://news.ycombinator.com/item?id=47501729

LiteLLM Python package compromised by supply-chain attack | Hacker News

New by me: As a Cybersecurity Professional, I Think Proton’s Born Private Campaign is a Smart Move

We talk a lot about keeping kids safe online, but not enough about protecting their privacy before platforms start building a profile around them.

I wrote about why @protonprivacy's Born Private campaign stood out to me from a cybersecurity perspective, and why a child’s future digital identity deserves more care from the start.

https://www.kylereddoch.me/blog/as-a-cybersecurity-professional-i-think-protons-born-private-campaign-is-a-smart-move/

#Cybersecurity #Privacy #InfoSec #ProtonMail #DigitalPrivacy #OnlineSafety

As a Cybersecurity Professional, I Think Proton’s Born Private Campaign is a Smart Move

Proton’s new Born Private campaign is a strong reminder that a child’s digital life should begin with privacy, not profiling.

CybersecKyle

👋 Writing this from San Diego 🇺🇸 — about as far from my Swiss desk as a timezone can stretch. But the news didn't care about my travel schedule.

If there's one thread running through this week, it's Iran: Boggy Serpens refining its AI-enhanced espionage playbook, an attempted intrusion at Poland's nuclear research center with Iranian fingerprints, the EU hitting Iranian entities with fresh sanctions — and Iran's own population cut off from the internet for over two weeks now. Stryker is still cleaning up from last week's Handala attack too. A lot of activity from a lot of pro-Iran actors in one week.

→ Week #12/2026 also covers:

🪱 GlassWorm escalates its supply chain campaign,

🇪🇺 🗳️ EU votes to ban mass message scanning,

🤓 🇬🇧 A witness blamed ChatGPT for his smartglasses

Full issue 👉 https://infosec-mashup.santolaria.net/p/infosec-mashup-12-2026-iran-is-everywhere-this-week

If you find it useful, subscribe to get it in your inbox every weekend 📨

#infosecMASHUP #cybersecurity #infosec #threatintel

🕵🏻‍♂️ [InfoSec MASHUP] 12/2026 - Iran Is Everywhere This Week

Plus: GlassWorm escalates its supply chain campaign, EU votes to ban mass message scanning, a witness blamed ChatGPT for his smartglasses

X’s InfoSec Newsletter

The Quarkus team recently published new performance benchmarks.

The interesting part isn’t just the results.
It’s the engineering work that went into making them reproducible and transparent.

• why benchmarking Java frameworks is harder than it looks
• why laptop benchmarks often mislead developers
• what these results actually mean

https://www.the-main-thread.com/p/quarkus-performance-benchmarks-java-developers

#Java #Quarkus #Benchmarking #Performance

Meh. Britshit Airways.
I think that sh!t aircraft is managed by some weird LLM hallucinations. Reboot in progress.

I will be speaking on Sunday at BSides on "Power Dynamics in Security Leadership: a legato leitmotif lullaby on leading lightly and luminously"
Sunday 4:25pm, AMC Theatre 12
https://sched.co/2E1io
#BSidesSF
BSidesSF 2026: 📙 Power Dynamics in Security Leadership:...

View more about this event at BSidesSF 2026

Blog post about my #bsidessf talk on using SSH certificates for git signing: https://codon.org.uk/~mjg59/blog/p/ssh-certificates-and-git-signing/
SSH certificates and git signing

When you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface-level indication, but it turns out you can just lie, and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user.

Matthew Garrett's Blog

I am shocked, shocked to hear allegations that a market for audits has been subjected to allegations of fakery.

Y’all could have told me that British Airways hasn’t gotten better over the years. I’m not thanking you.

#travel