
FR/EN

Account dedicated to #Offsec/#Infosec/digital stuff

Involved in
#UnifiedPush #MollyIm

GitHub: https://github.com/p1gp1g
Codeberg: https://codeberg.org/s1m/
Liberapay: https://liberapay.com/S1m/
Blog: https://s1m.fr

https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/

So, it turns out the German implementation of eIDAS (electronic ID wallet for e.g. age attestation) will require an Apple/Google account to function

Absolutely pathetic

Mobile Device Vulnerability Management Concept - German National EUDI Wallet: Architecture Documentation

#Fedilab is now 9 years old. Thank you to all the people who contributed and keep contributing to the project. Old users know it was called Mastalab. Thank you so much for your trust and support.

On the fediverse we could do collectively better at not shooting down initiatives.

It’s a bit demoralizing to see someone announce their project, only for a mob to come and tell them they’re wrong and they should never have started it.

I’m not saying we should accept the unacceptable. I’m saying we should embrace imperfection to go in a better direction.

You often see us reporting our RB status, and might wonder what's so important about #ReproducibleBuilds – want a recent example? Take a look at https://web.archive.org/web/20260402133949/https://github.com/Nekogram/Nekogram/issues/336 – and the POC at https://github.com/RomashkaTea/nekogram-proof-of-logging

In short: Release APK was built from different code, including a logger to catch all phone numbers contacted. Oh, and the dev thinks that's fine (https://t.me/NekoUpdates/531).

RB would have failed for that app, and shown the diff.

Stay safe out there!

(1/2)

[Spyware, Malicious code] Malicious Code Injection and User Data Leaking in Release Binaries · Issue #336 · Nekogram/Nekogram

Steps to reproduce Install and login to your telegram account Now your phone number belongs to Xi Jinping... jk. to Nekogram creator Expected behaviour Not leaking phone numbers Actual behaviour Ma...

GitHub

This is insane: TeleGuard, a 'secure' chat app downloaded more than a million times, uploads users' private keys, meaning the company can decrypt messages. And anyone can get anyone else's private key by just sending the user ID to the API. Possibly worst ever https://www.404media.co/a-secure-chat-apps-encryption-is-so-bad-it-is-meaningless/
A Secure Chat App’s Encryption Is So Bad It Is ‘Meaningless’

TeleGuard is an app downloaded more than a million times that markets itself as a secure way to chat. The app uploads users’ private keys to the company’s server, and makes decryption of messages trivial.

404 Media

🚨 Warning: New FAKE website offering FAKE KeePassXC downloads! Do not fall for it. The correct domain is https://keepassxc.org without hyphens!

In today's episode of "Can It Run Doom": DNS fucking TXT records.

Some absolute madlad (cough Adam Rice cough) compressed the entire shareware DOOM WAD, split it into around 1,964 chunks, shoved them into Cloudflare TXT records, and wrote a PowerShell script that reassembles and runs the whole goddamn game from DNS queries alone. Nothing touches disk. The DLLs are in DNS. THE FUCKING DLLS ARE IN DNS.

RFC 1035 was written in 1987. Those engineers are spinning in their graves fast enough to generate municipal power.

Bonus: this is a fully functional globally-distributed covert data exfil channel that your NGFW will never fucking see if you're not doing deep DNS inspection. Sleep well.

blog: https://blog.rice.is/post/doom-over-dns/

repo: https://github.com/resumex/doom-over-dns

Also lmao @ every blue team that has never once looked at their DNS query volume. How's that DLP policy working out for you.

It was always DNS.

#infosec #dns #doom #itisalwaysdns

Apps should only resort to this if they're forced to do it. Root-based attestation provides minimal security and is easy to bypass. It's inherently insecure due to trusting the weakest security systems. A leaked key from the TEE/SE on any device can be used to spoof attestations for any device.

Play Integrity permits a device with years of missing security patches. It isn't a legitimate security feature. It checks for a device in compliance with Google's Android business model, not security.

🎉 The critical amendment 34 (rejecting automated assessment of unknown photos and texts) PASSED by ONE vote, paving the way for the extension of Chat Control 1.0 to be overwhelmingly REJECTED!

Initial analysis by @echo_pbreyer : https://www.patrick-breyer.de/en/end-of-chat-control-eu-parliament-stops-mass-surveillance-in-voting-thriller-paving-the-way-for-genuine-child-protection/

You did it! 🥳

European Parliament just decided that Chat Control 1.0 must stop.

This means on April 6, 2026, Gmail, LinkedIn, Microsoft and other Big Techs must stop scanning your private messages in the EU. #PrivacyWins 💪