"Generals gathered in their masses
Just like witches at black masses
Evil minds that plot destruction
Sorcerer of death's construction
In the fields the bodies burning
As the war machine keeps turning"

Just another Linux hacker
Constantly struggling to hide my affection for hacker subculture and memes behind the veil of corporate professionalism.
Father of 2, master of none.
Interested in #MotorSport, #F1, #VintageCars, #VideoGames, #InfoSec, #OpenHAB, #HomeAutomation, #Linux, #OSS.
Thoughts and opinions are my own.
I am not a bot (that I'm aware of).
The street that my mum lives in is a one-way street, but wasn't marked as such on #Google Maps. This caused many drivers to drive the wrong way. I have tried to edit it on Google Maps (there is such functionality), but to no avail. No matter how often I submitted a change (with photos of street signs!), Google said "Sorry, we could not verify it".
Solution: Edit the street on #OpenStreetMap! A few months after I did this, Google seems to have stolen the data, as it regularly does, and now the street is correct in both datasets!
libxslt project maintainer steps down, citing the amount of time it takes to triage embargoed security issues.
“I’ve been doing this long enough to know that most of the secrecy around security issues is just theater. All the ‘best practices’ like OpenSSF Scorecards are just an attempt by big tech companies to guilt trip OSS maintainers and make them work for free.”
Key serialization formats can be - uh - the source of "interesting" issues. It appears the whole internet technically uses DKIM the wrong way, but it's more or less the fault of the standard.
DKIM uses public keys in DNS, usually RSA, but how are they encoded? There are two common RSA public key formats, SPKI and PKCS#1.
The DKIM spec RFC 6376 says this should be an RSAPublicKey and references RFC 3447, which is PKCS #1. So it's PKCS #1, right?
Well... there's an "INFORMATIVE" part of the RFC that lists openssl commands to encode a key, with an example. And that's... the openssl command to generate SPKI. The example shown is also an SPKI key.
The Internet has voted with its feet and everyone uses SPKI. From previous research, I had a collection of ~35k DKIM keys, and there are zero PKCS#1 keys in there.
This appears to be known and is mentioned in the errata.
It's quite an unfortunate situation. Technically, everyone's doing it wrong. However, if you happen to be brave enough to try to do it right, you'll probably just run into problems. While I haven't tested it, my best guess is that you will almost certainly find some receivers accepting PKCS#1 and others not. (Many crypto library APIs autodetect the format, but given *no one* is using PKCS#1, I'm sure there will be ones only accepting SPKI.)
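Added example, not part of the post above and not DKIM's or any library's own code: a minimal DER encoder/decoder in Python that builds both encodings of the same RSA public key and then classifies a DKIM `p=` value by peeking at the first element inside the outer SEQUENCE. A bare PKCS#1 RSAPublicKey is `SEQUENCE { INTEGER n, INTEGER e }`, so the first inner tag is INTEGER (0x02); an SPKI blob is `SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }`, so the first inner tag is a nested SEQUENCE (0x30). The modulus and exponent used here are constructed toy values, not a real key; the function and constant names are this example's own.

```python
"""Tell apart the two RSA public key encodings seen in DKIM p= tags.

SPKI (SubjectPublicKeyInfo, X.509):
    SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }
PKCS#1 RSAPublicKey (RFC 3447 / RFC 8017):
    SEQUENCE { INTEGER n, INTEGER e }

Minimal DER helpers written for this example only.  Toy key values, not a
real signing key.
"""
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|byte-count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian two's complement; leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def encode_pkcs1(n: int, e: int) -> bytes:
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def encode_spki(n: int, e: int) -> bytes:
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    # BIT STRING content starts with the count of unused bits, which is 0 here.
    bit_string = der_tlv(0x03, b"\x00" + encode_pkcs1(n, e))
    return der_tlv(0x30, alg_id + bit_string)


def dkim_p_tag(der: bytes) -> str:
    """The base64 text that goes into the p= tag of the DNS TXT record."""
    return base64.b64encode(der).decode()


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1(der: bytes):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    tag_n, n_bytes, pos = read_tlv(body, 0)
    tag_e, e_bytes, _ = read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def classify_dkim_key(p_value: str):
    """Classify a DKIM p= value as 'spki' or 'pkcs1' and return (format, n, e)."""
    der = base64.b64decode("".join(p_value.split()))  # TXT records are often split/whitespaced
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first_tag, first_body, pos = read_tlv(body, 0)
    if first_tag == 0x02:
        # SEQUENCE { INTEGER, INTEGER } -> bare PKCS#1 RSAPublicKey
        n, e = parse_pkcs1(der)
        return "pkcs1", n, e
    if first_tag == 0x30:
        # SEQUENCE { AlgorithmIdentifier, BIT STRING } -> SPKI; check it really is RSA
        oid_tag, oid, _ = read_tlv(first_body, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            raise ValueError("SPKI algorithm is not rsaEncryption")
        bs_tag, bs_body, _ = read_tlv(body, pos)
        if bs_tag != 0x03 or bs_body[0] != 0:
            raise ValueError("expected a BIT STRING with no unused bits")
        n, e = parse_pkcs1(bs_body[1:])
        return "spki", n, e
    raise ValueError("unrecognised key structure")


# Constructed toy values for demonstration only; not a usable RSA key.
TOY_N, TOY_E = 3233, 17


def demo():
    """Encode the toy key both ways and classify each p= value."""
    spki_p = dkim_p_tag(encode_spki(TOY_N, TOY_E))
    pkcs1_p = dkim_p_tag(encode_pkcs1(TOY_N, TOY_E))
    return classify_dkim_key(spki_p), classify_dkim_key(pkcs1_p)


if __name__ == "__main__":
    print(demo())
```

A receiver that wants to be tolerant, as the post suggests most libraries with autodetection already are, can call `classify_dkim_key` and accept both results; a receiver that hard-codes SPKI is exactly the one that would reject a spec-literal PKCS#1 record. The `read_tlv` helper handles long-form lengths, so the same code works on real 2048-bit moduli, not just the toy value.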
PostMortem: Assumed DOJ Montana Leak of Phone Dumps
Type of leak
Highly confidential information on a public SMB share without authentication
Threats from the leak
I see the following threats:
1/4
Hey, everybody. This is just a reminder to support your Mastodon instance's administrator. For all the homies here at infosec.exchange, that's @jerry!
Please take a look at this instance's "About" page for all the details of how to make a monetary donation to support our community and to thank Jerry.