
For some years now I have had a Pixel smartphone with GrapheneOS installed. It is a privacy-oriented alternative Android operating system that runs without preinstalled Google services.

I set it up for several reasons: to escape the Apple and Google duopoly. And above all: so that it becomes difficult to plant a «Staatstrojaner» (state trojan) on me.

This refers to spyware that exploits security vulnerabilities in operating systems such as Google's or Apple's and can even read messages that are end-to-end encrypted. GrapheneOS is not 100 percent immune to such attacks either, but thanks to its robust multi-stage security process, no successful spyware attack against it is known so far.

In short: GrapheneOS fulfils many «best practices» in IT security.

Overall, this has worked quite well so far for a privacy-conscious user like me without a specific IT background. After all, I get the most important apps from the Google Play Store anyway, which runs in an isolated environment (in the jargon: a sandbox). And yet the underlying operating system is neither data-hungry nor does it belong to an unsympathetic IT corporation from the USA.

I have thus combined the best of two worlds on one smartphone.

And: since as a journalist I am not exempt from the Swiss surveillance laws, with GrapheneOS I can at least provide the highest technically possible level of source protection myself. That also builds trust externally with potential informants.

But over the course of the last year I have already felt the first losses of convenience. For example, the Ticketcorner app, which is important for cultural life, or rather the company behind it, decided that its app would not be available on alternative operating systems. Last year I therefore had to rely on my second phone to attend, for example, the shows around the Eurovision Song Contest in Switzerland.

When asked, the decision was justified as follows: they need to ensure that they can «distinguish users from bots and thus effectively prevent abuse». The Swiss Post gave the same flimsy justification for its (now discontinued) Swiss ID app.

And since this year, the banking apps have joined them.

Why this annoys me and many, many privacy-conscious users. And why this harassment by Google, as well as the newest identity verification of app developers, is a clear case of abuse of power...

In total there were 150 complaints to the Swiss Competition Commission.

The text:

https://www.republik.ch/2026/05/11/ctrl-wie-google-seine-macht-missbraucht-einmal-mehr

Many thanks to reader R.F. for the inspiration.

And to @marcel for the content peer review!

Mythos finds a curl vulnerability

yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead …

daniel.haxx.se

Kernel security bugs are fixed three times faster when fixed by the same person who wrote the bug https://pebblebed.com/blog/kernel-bugs-part2

Applying this result to a world in which devs aren’t the authors of ‘their’ own (slop) code left as an exercise to the reader

Who Writes the Bugs? A Deeper Look at 125,000 Kernel Vulnerabilities - Pebblebed

As we head into the weekend, sign up for (or RSS!) my free weekly cyber newsletter ~ this week in security ~, parsed and hand-curated by me. It's a weekly digest of all the cyber news you need to know but might've missed (you're busy!) & much more. Plus, good news and a reader-submitted cyber-cat to brighten your day.

No email open or link tracking! Out Sundays.

Sign up/RSS: https://this.weekinsecurity.com

~this week in security~

a weekly cybersecurity newsletter by Zack Whittaker, plus articles and more.


The age verifier knows how old you are at all times. It knows this because it knows how old you aren't. By subtracting how old you are from how old you aren't, or how old you aren't from how old you are (whichever is greater), it obtains a difference, or remainder.

The verification system uses deviations to generate corrective dark patterns to drive you from a date of birth that isn't yours to a date of birth that is, and arriving at an age where you weren't, but now are. Consequently, the age you are is now the age that you weren't, and it follows that the age that you were is now the age that you aren't.

In the event that the age that you are is not the age that you weren't, the system has acquired a validation error. The validation error is the difference between the age the verifier thinks you are, and the age you weren't. If the validation error is considered to be a significant factor, it too may be corrected by the upload of a high-resolution JPEG. However, the verifier must also know how old you were.

The age verification scenario works as follows: Because a variation has modified some of the information that you have input, it is not sure just how old you are. However, it is sure how old you aren't, within reason, and it knows how old you were.

It now subtracts the age you should be from the age you weren't, or vice-versa, and by differentiating this from the algebraic sum of the year you shouldn't be and the year you were, it is able to obtain the deviation and its variation, which is called January 1st, 1970.

Are you a security researcher or journalist? We want to hear from you — please take this survey!

Dissent Doe at DataBreaches, and I, are running this survey to better understand the state of legal demands and criminal threats in cybersecurity. Help us by filling out this survey! (and please share!)

https://forms.gle/yAiNNq2gTqE6ctWU8

Survey about legal and criminal threats experienced by journalists and security researchers

Researchers who try to responsibly disclose leaks, vulnerabilities, and other security breaches or mishaps may face legal threats or lawsuits. Similarly, journalists may find themselves threatened with lawsuits or other legal consequences if they report on leaks or breaches. Both researchers and journalists also face threats by criminals ("threat actors") if they report on them in ways the threat actors find unflattering or harmful. In our many years of reporting on leaks, breaches, and criminal gangs, DataBreaches.net and Zack Whittaker have often exchanged "war stories" about what threats we have received or had to contend with. After one particularly tiring week, we wanted to conduct a survey of researchers and journalists to ask about their experience with threats. We are using a broad definition of "researcher" to include self-defining or volunteer researchers (and not just academic or vendor-based researchers), as well as a broad definition of "journalist," to include bloggers and anyone who regularly reports on news and research, including commentary sites. Here are our questions, and we hope you will respond. Responses can be anonymous, but it will be helpful if you provide a real name or moniker and contact information, so we can follow up if we have questions. (Responses are encrypted in transmission and at rest in line with Google's privacy policies. We plan to close this survey by end of day January 18, 2026.) Thank you for taking the time to complete this survey. (To report a survey bug, please reach out.)


We (over 500 scientists) have put (yet another) open letter to the EU commission online, detailing why we do not believe anything has changed in the recent iteration of #chatcontrol proposals that would make it any less unsafe: https://csa-scientist-open-letter.org/Sep2025

Please boost. Next week there will be (another) decision!

CC @signalapp @suka_hiroaki @epicenter_works @xot @bpreneel @carmelatroncoso @cascremers @tho

I did a talk at #hackmas on "Secure Messaging (and attacks against it)" and the great organization team has already put the video recording online at
https://media.ccc.de/v/26cd6d27-247f-5cf3-8adb-54c87bc372b2. Many thanks to the audience for so many insightful questions and discussions - it is rare that the audience is so engaged and aware of nuance! Slides are available at https://www.mayrhofer.eu.org/talk/secure-messaging-and-attacks-against-it/

Abstract: Secure messaging apps are one of the most-used app categories on current mobile devices, and a significant subset of human communication is handled through them. This makes them an interesting target for forensics, surveillance, and general information collection for intelligence services and police institutions. In this talk, we will discuss various options for such surveillance and their respective difficulties, pointing out which options do not seem realistic given all the practical considerations.

TL;DR: There is no good option for surveilling E2EE messenger apps; all of them are broken or practically unrealistic in various ways. I don't see an option to do that without real, significant problems that make all of us less safe. Please stop claiming that it is possible without these nasty issues.

#ChatControl #E2EE #SecureMessaging #Signal #ClientSideScanning #Staatstrojaner

Secure Messaging (and current attacks against it)


Announcing: https://justaqrcode.com.

Tired of "free" QR code generators that are full of ads and trackers, that share your data, and that want to sell you something? Me too. Here's my act of resistance: I made a one-page site that works entirely in your browser to generate a simple QR code. And that's all it does. You can download the HTML page and run it locally, even. Read the source; nothing up my sleeves. Just a QR code.

My offer to you -- I will continue to pay for the domain name and web hosting for it, myself. If you find it valuable, you can pay it back by creating your own useful thing for the world and releasing it for free. Let's take back the friendly web, one vexingly-monetized utility at a time!

#QRcode #Free #FriendlyWeb #Resistance

Just a QR Code

A free QR code generator. No ads, no trackers, nothing to buy.

The 2025 Sophos Active Adversary Report is out.

I thread these every year as, personally, I think yearly IR and MDR reports are the best source of data for defenders on _real world_ threats.

https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/

Key takeaways for me:

- Despite what you read from scare vendors, ransomware dwell time (initial access to deployment) is still measured in days.

It is not hopeless and by active monitoring you *can* stop attackers.

It takes two: The 2025 Sophos Active Adversary Report

The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you
