Reason number 43,756 why a #BuyEuropean tech policy or mandate makes no sense:
https://www.heise.de/en/news/USA-bans-all-new-routers-for-consumers-11222049.html
🇺🇦Prof. for networks and security at #JKULinz + dabbling in Android platform security at #Google. This account will mostly carry IT security stuff, occasionally politics and other comedy.
Screeching voice of the minority. I will not cooperate with fascists or nazis - traditional or neo; Austrian, German, US, Russian, or otherwise. I will not help build surveillance and oppression states. Never again.
"I need privacy, not because my actions are questionable, but because your judgement and intentions are."
Statements are only my own opinion, not my employers'.
This is currently my primary infosec account in the #Fediverse. It should be #searchable through https://tootfinder.ch. Previous Twitter posts are available in archival form at https://twitterarchive.mayrhofer.eu.org/.
| Homepage | https://www.mayrhofer.eu.org |
| University | https://jku.at/ins |
I wrote some lines about mitigating vibe-coding risks by adopting a development model inspired by old-school computer break-in folks:
https://addxorrol.blogspot.com/2026/03/slightly-safer-vibecoding-by-adopting.html
Yes, the vulnerability is so old, it dates from a time when networks charged on a ‘per-packet basis’.

A long, long time ago, in a land free of binary exploit mitigations, when Unix still roamed the Earth, there lived a pre-authentication Telnetd vulnerability. In fact, this vulnerability was born so long ago (way back in 1994) that it may even be older than you. To put the timespan
I just learned that a new release of the decentralized, open source Android (and iOS, but that requires a centralized Apple service) key attestation library warden-supreme has landed. It explicitly supports alternative/custom roots of trust for the attestation chain now and comes with a test for @GrapheneOS keys: https://github.com/a-sit-plus/warden-supreme/blob/development/serverside/roboto/src/test/kotlin/GrapheneOsTests.kt
Nice! That's a good match to our academic research direction on digital identity (https://digidow.eu) - avoiding points of centralization for better resilience (against many types of threats). We'll most probably use this for our prototype Android apps that require or benefit from key attestation guarantees and can't/shouldn't use Play Integrity (e.g., because they only communicate over Tor hidden services with each other, and having a Warden backend included on one side is much easier than coming up with a form of mixnet proxy service for querying central instances while retaining an unlinkability guarantee).
Whoa, that escalated quickly. This just got sent out by the press folks at the Federal Communications Commission (FCC). The FCC says it has decided that all foreign-made consumer-grade Internet routers are henceforth prohibited from receiving FCC authorization and are therefore prohibited from being imported for use or sale in the United States.
"Update Follows Determination by Executive Branch Agencies that Consumer-Grade Routers Produced in Foreign Countries Threaten National Security
WASHINGTON, March 23, 2026—Today, the Federal Communications Commission updated its Covered List to include all consumer-grade routers produced in foreign countries. Routers are the boxes in every home that connect computers, phones, and smart devices to the internet. This followed a determination by a White House-convened Executive Branch interagency body with appropriate national security expertise that such routers “pose unacceptable risks to the national security of the United States or the safety and security of United States persons.”
"The Executive Branch determination noted that foreign-produced routers (1) introduce “a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense” and (2) pose “a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.”
"This action does not affect any previously-purchased consumer-grade routers. Consumers can continue to use any router they have already lawfully purchased or acquired."
"Producers of consumer-grade routers that receive Conditional Approval from DoW or DHS can continue to receive FCC equipment authorizations. Interested applicants are encouraged to submit applications to [email protected]."
Not sure how many consumer-grade routers will be left for sale if it really is a ban on approvals for any foreign-made consumer routers like they said, and not just a bunch of already restricted Chinese makers like Huawei and ZTE.
https://www.fcc.gov/document/fcc-updates-covered-list-include-foreign-made-consumer-routers
FCC's "covered list" of "thou shalt not entities": https://www.fcc.gov/supplychain/coveredlist
🚨 Urgent: The EU Parliament voted against #ChatControl earlier this month – to the displeasure of Big Tech and, ironically, child protection groups. Now they’re pushing for a re-vote.
Re-doing a vote that already has a clear outcome is not how democracy should work.
Stop #Chatcontrol. Share this. Contact your MEP 👉 https://fightchatcontrol.eu/
SCOOP: Someone has found new samples of the iPhone spyware DarkSword and published them on GitHub, putting millions of iOS users at risk.
A cybersecurity researcher told us that the leaked spyware is "way too easy to repurpose" and "we need to expect criminals and others to start deploying this."
"The exploits will work out of the box," iVerify's Matthias Frielingsdorf said. "There is no iOS expertise required."
A popular open-source vulnerability scanner (Trivy) was compromised last week in a supply chain attack
https://www.aikido.dev/blog/teampcp-deploys-worm-npm-trivy-compromise
https://github.com/aquasecurity/trivy/discussions/10425
https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack

Open Source Security Advisory. What Happened: On March 19, 2026, a threat actor used compromised credentials to publish malicious releases of Trivy version 0.69.4, along with trivy-action and setup-trivy. While this activity initially appeared to be an isolated event, it was the result of a broader, multi-stage supply chain attack that began weeks earlier. Attack …