Mastodawn

I don't buy that Mozilla "couldn't find a sustainable model" for Fakespot. I would have paid $20/year or more for a subscription ... but no one asked. 🤔

https://blog.truestar.pro/fakespot-shuts-down/

Fakespot is gone: The fake review crisis just got worse

Fakespot has officially shut down. Learn why Mozilla killed the fake review detector and discover alternatives for checking Amazon reviews.

TrueStar Blog | Fake Review Detection & Fakespot News

Royce Williams 3h ago

Tom Sellers 4h ago

A note on the security advisory for CVE-2025-20309 in Cisco Unified Communications Manager which covers hard coded credentials - as I understand it this only impacts a special version of the product that users would have to contact TAC to get. If that is a correct understanding then I would expect this to limit the likelihood that organizations are running the impacted versions.

Quoting from the advisory:

This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.

Note: ES releases are limited fix releases that are distributed only by the Cisco Technical Assistance Center (TAC).

Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7

#Security #CVE_2025_20309 #CVE202520309

Cisco Security Advisory: Cisco Unified Communications Manager Static SSH Credentials Vulnerability

A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-ssh-m4UBdpE7

Cisco

Royce Williams 9h ago

Huh, the only place I see these emoji inserted is Feedly. They're definitely not in my original post.

Royce Williams 10h ago

Ian Campbell 10h ago

petty gripe that I just noticed with Proton mail:

emails *from* Proton (service info, product info, etc sent from Proton AG) automatically load images/remote content regardless of your settings.

Royce Williams 10h ago

hashcat's latest pre-release (GitHub bleeding edge, or hashcat.net/beta) now has ...

Argon2 support! 🎉

https://github.com/hashcat/hashcat/commit/96e3b6581df894b77722ac9c048519444bacd901

https://github.com/hashcat/hashcat/commit/d9918d7e44020a526aa7bdc0e364f9c159a0c324

Read the commit comments for more on the interesting architectural enhancements involved.

Benchmarks:

NVIDIA Driver Version: 575.51.03
CUDA Version: 12.9

$ hashcat --version
v6.2.6-1075-gd9918d7e4

GPU (2x 4090s), CUDA 3.0:

$ hashcat -b -m 34000
[...]
* Hash-Mode 34000 (Argon2) [Iterations: 12]
[...]
Speed.#01........:     1720 H/s (104.11ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#02........:     1718 H/s (104.28ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#*.........:     3438 H/s

Same GPUs, OpenCL:

$ hashcat -b -m 34000 --backend-ignore-cuda
[...]

Speed.#02........:     1724 H/s (104.21ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#03........:     1721 H/s (104.38ms) @ Accel:360 Loops:6 Thr:32 Vec:1
Speed.#*.........:     3445 H/s

CPU (EPYC 7642 48C/96T 2.3GHz, Intel OpenCL 2.1 (Linux)) :

$ hashcat -b -D 1 -m 34000
[...]
Speed.#03........:       38 H/s (629.80ms) @ Accel:96 Loops:3 Thr:32 Vec:8

Apple Metal (368.12, M2):

$ hashcat -b -m 34000 --backend-ignore-opencl
[...]
Speed.#01........:       28 H/s (86.57ms) @ Accel:10 Loops:3 Thr:32 Vec:1

And high praise from atom for the PR:
https://github.com/hashcat/hashcat/pull/4284

This is an amazing contribution.

100 Stars from my side for this.

Many thanks to Pelle & Ewald from the NFI and thanks to Ondrej Mosnáček for creating the original warp-based GPU implementation!!

#hashcat #argon2

Merge pull request #4284 from fse-a/argon2id-support · hashcat/hashcat@96e3b65

Support for Argon2id on NVIDIA CUDA GPUs

GitHub

Royce Williams 21h ago

David Reamer 1d ago

When the wolves were at the door in the past, how did people survive? They accumulated assets as possible, evaluated who was trustworthy, maintained lines of communication, formed community level mutual aid & defense societies, and importantly still sought ways to be happy.

Royce Williams 23h ago

Anurag Bhatia 1d ago

Checkout my blog post on "Change in Google's peering policy" - https://anuragbhatia.com/post/2025/07/change-in-googles-peering-policy/

#Peering #Google #AS15169

Change in Google's peering policy

Blog post on Google going from open peering policy to selective peering policy

Personal blog of Anurag Bhatia

Royce Williams 1d ago

BrianKrebs 1d ago

AT&T widely launched its Wireless Account Lock feature Tuesday, aiming to strengthen customer protection against account takeovers and SIM-swapping attacks, Cyberscoop writes.

"The Wireless Account Lock, which had been rolling out in waves since earlier this year, is widely accessible for both individual and business customers. The feature follows similar options from competitors such as T-Mobile, Verizon, and Google Fi, which have already moved to bolster protections against SIM swapping and similar attacks."

"The feature is accessed exclusively via the company’s app on a device tied to the account. If the registered device is inaccessible or lost, users must undergo extra authentication steps via AT&T’s customer support to regain or restore control."

https://cyberscoop.com/att-wireless-account-lock-sim-swapping-protection/

AT&T deploys new account lock feature to counter SIM swapping

AT&T has launched a feature to help prevent SIM swapping and unauthorized account changes, offering added security for both individual and business wireless customers.

CyberScoop

Royce Williams 1d ago

BleepingComputer 1d ago

AT&T has launched a new security feature called "Wireless Lock" that protects customers from SIM swapping attacks by preventing changes to their account information and the porting of phone numbers while the feature is enabled.

https://www.bleepingcomputer.com/news/security/atandt-rolls-out-wireless-lock-feature-to-block-sim-swap-attacks/

AT&T rolls out "Wireless Lock" feature to block SIM swap attacks

BleepingComputer

Royce Williams 1d ago

Neil Craig 1d ago

Does anyone happen to know what values I'd put in an `upgrade` HTTP response header when sending an HTTP 426 to tell a client that it needs to upgrade to TLS 1.2 or 1.3?

The HTTP spec says "The server *MUST* send an Upgrade header"
https://httpwg.org/specs/rfc9110.html#status.426

...but I can't find any examples. The `upgrade` spec says the format of the value is `protocol-name ["/" protocol-version]` - so presumably e.g. `TLS/1.3`?
https://httpwg.org/specs/rfc9110.html#field.upgrade

It won't work for old clients obv but...trying to be correct.

RFC9110

HTTP Semantics

IETF HTTP Working Group Specifications

Stuff	https://www.techsolvency.com/roycewilliams/mastodon
Keybase	https://keybase.io/royce
GitHub	https://github.com/roycewilliams
LinkedIn	https://www.linkedin.com/in/roycewilliams
Gravatar	https://gravatar.com/tychotithonus
Not "dehashed"!	https://www.techsolvency.com/passwords/dehashing-reversing-decrypting/