mumblegrepper

more infosec, less drama,
affiliated with @x41sec, opinions are random

While reflecting on our past 10 years, we revisited vulnerabilities discovered during OSTIF audits. As a result of our work, several hundred bugs a year are discovered on average. With that in mind, our Executive Director Derek Zimmer proposed a new program: a Bug of the Year trophy, given to the individual who finds the best bug published by OSTIF in a calendar year.

We are proud to announce our top 3 bugs of the year on our blog: https://ostif.org/bug-of-the-year-award-2025/

#OSTIF #BOTY #7ASecurity

RIP FX

We collected some texts from the community in memory of FX. You can find them here https://phenoelit.de/fx.html


Bubble-sorting a chopped amen break is a product of a sick mind and I love it https://parametricavocado.itch.io/amen-sorting

A few years ago I designed a way to detect bit-flips in Firefox crash reports and last year we deployed an actual memory tester that runs on user machines after the browser crashes. Today I was looking at the data that comes out of these tests and now I'm 100% positive that the heuristic is sound and a lot of the crashes we see are from users with bad memory or similarly flaky hardware. Here's a few numbers to give you an idea of how large the problem is. 🧵 1/5

Lands of Packets

TTL exceeded.

I would like to collect texts from the scene about FX in his memory. A collection of obituaries that will then be posted on phenoelit.de.

If anyone would like to contribute, please contact me.

Mail: [email protected]
Signal: jrn.07

RIP FX - You are a legend.

Here Dino is delivering his Pwnie Award, as well as the last public post FX made last year.

Call for papers is now open for hack.lu 2026 (the 20th edition!)

The purpose of the hack.lu convention is to provide an open and free playground where people can discuss the implications of new technologies in society. hack.lu is a balanced mix convention where technical and non-technical people can meet and share all kinds of information freely. The convention will be held in the Grand-Duchy of Luxembourg in October (20-23.10.2026). The most significant new discoveries about computer network attacks and defenses, open-source security solutions, and pragmatic real-world security experiences will be presented in a four-day series of informative tutorials.

We are waiting for your great proposals!

https://2026.hack.lu/blog/hack.lu-2026-call-for-papers/

#cfp #luxembourg #conference #cybersecurity #callforpapers #hacklu


PSA: The Amazon wishlist doxing threat is much greater and more immediate than folks might realize. Attack works like this:

Stalker who wants your address opens an Amazon seller account and lists themselves as a third party seller for any item on your public wishlist. Then, they order the item from themselves as a gift for you. Bam, they have your address.

In particular, attack does not depend on an existing third party seller having poor PII handling hygiene, like the articles have implied.

Anyone who establishes mass surveillance has not understood the protection of democracy and freedom, I explained today on WDR Aktuelle Stunde:

Merz calls for a real-name requirement on the internet
https://www1.wdr.de/fernsehen/aktuelle-stunde/alle-videos/aktuelle-stunde-clip-aktuelle-stunde--19-02-2026-100.html


If you expect privacy or anonymity, Meshtastic is a danger to that, and you should not use it.

This is your regular reminder that Meshtastic is designed badly and is effectively a straight up non-anonymized wireless tracking beacon which can be intercepted and tracked by anyone with a smidgen of technical knowhow.

Resetting your device's identity or reloading the Meshtastic firmware does not help, because Meshtastic encodes the hardware MAC address of your device's radio unencrypted into every packet sent, including on-by-default telemetry packets which are sent regularly without any user interaction.

Many of these packets are intercepted and recorded by a myriad of MQTT observers around the world that other Meshtastic users have set up to log mesh traffic to the internet.

#meshtastic #meshcore #mesh #lora