Discussions about information security and privacy

Main

infosec

aw, big brother facetime is gonna be looking for my ass 🍑😑

aw, big brother facetime is gonna be looking for my ass 🍑😑
https://9to5mac.com/2025/07/02/facetime-in-ios-26-will-freeze-your-call-if-someone-starts-undressing/

. @zachxbt : A suspicious address received 193 small withdrawals in a 1.5 hour period from @coinbase for 1.67M USDC total on June 23, 2025 and swapped all funds for ETH and deposited it to Tornado Cash.

0xf43622c9b9cdbb515eced56ac6a5ad60eaa6be6f https://t.co/67CRH5Oi5Y

https://x.com/officer_cia/status/1938975393865990428

uh oh
https://x.com/officer_cia/status/1936192250385723537
stay safe
h/t @officercia

Initially spotted by @Auri_0x !

https://t.co/XYAPVvsY8B requesting this json file from ''https://t.co/OjYbR0nvdD'' regged recently on namesilo, ''https://t.co/mhlEjX5M4e''

loads 'https://t.co/AzNa3gYIJe' which has the drainer popup

https://t.co/9IwK70ov5R https://t.co/spVPjasY0p

For those worried about the "16 billion password leak"

No.

Someone took a bunch of existing leaks, threw it all together, and slapped a NEW stick on it.

For those worried about the "16 billion password leak"

https://x.com/vxunderground/status/1935759256244174928?t=F3VyXqrDSArRP-dDSXkUpw&s=19

ETHSecurity Community

16 billion passwords from your Apple, Google, Instagram, Facebook, GitHub, and Telegram accounts have hit the web, Forbes writes…

The giant data sets contain billions of logins and passwords from social networks, VPN services, developer portals, and accounts of large companies. It is noteworthy that almost all of this data has not previously appeared in known leaks - except for the database with 184 million passwords.

Time to change your password!

https://www.forbes.com/sites/daveywinder/2025/06/19/16-billion-apple-facebook-google-passwords-leaked---change-yours-now/

personally, I'm picturing a mushroom cloud and waiting for the ash to settle.

nobody knows the extent to which this can be deduced into nth-order compromise.

RISC Zero Security Disclosure

A missing constraint was recently discovered in the rv32im circuit. This issue affects any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2.

This vulnerability was reported by Christoph Hochrainer via

will RISC-V ever be secure as a zkVM?
https://x.com/RiscZero/status/1935404812146725042?t=qRlZWaTmgWF8KxyCfj2fcA&s=19

revolutionizing cyber resiliency for military systems using formal methods:

revolutionizing cyber resiliency for military systems using formal methods:
https://www.darpa.mil/research/research-spotlights/formal-methods

any farcasters headed to DEF CON this year?

TL;DR X could probably obtain anyone’s key and decrypt their messages

TL;DR X could probably obtain anyone’s key and decrypt their messages

https://blog.cryptographyengineering.com/2025/06/09/a-bit-more-on-twitter-xs-new-encrypted-messaging/

I guess Paragon is the new NSO?
https://techcrunch.com/2025/06/12/researchers-confirm-two-journalists-were-hacked-with-paragon-spyware/

Design

recently had 3 scam inbounds in the space of a week 

- one wanted me to download & run an app from github "to evaluate UI"
- one was a Mac installer that I had to "drag & drop into the Terminal" 😂
- this genius below just now with a google.meet-myass and Download link

Well, companies trying to track us go to limits that sometimes are incredible. Yandex and Meta have been caught on Android devices using the loopback's interface to listen to web traffick and get cookies. 

I would grant them the audacity of building this, which proves that our data is one of the most valuable assets that we have as humans.

Well, companies trying to track us go to limits that sometimes are incredible. Yandex and Meta have been caught on Android devices using the loopback's interface to listen to web traffick and get cookies. 

I would grant them the audacity of building this, which proves that our data is one of the most valuable assets that we have as humans.

https://www.theregister.com/2025/06/03/meta_pauses_android_tracking_tech/

Linux Kernel 0day found with nothing more complicated than just the o3 API.

Linux Kernel 0day found with nothing more complicated than just the o3 API. 
https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/

https://venturebeat.com/ai/anthropic-faces-backlash-to-claude-4-opus-behavior-that-contacts-authorities-press-if-it-thinks-youre-doing-something-immoral/

just vibecode a GUI for cURL instead and call it a day

just vibecode a GUI for cURL instead and call it a day
https://anonymousdata.medium.com/postman-is-logging-all-your-secrets-and-environment-variables-9c316e92d424