Next week at WWHF Mile High I'll present a major update to roadrecon, with some awesome features I wanted to add for a while! Friday 9am in track 1 for those attending
roguesecurity.dev/blog/custom-...
A quick writeup on a hacky but effective method of bypassing Oracle's restrictions on #Linux distro use in their free tier. I don't trust them, but I'll happily burn some of their compute.
#selfhosting #cloud #OpenSuse
I have not, but maybe I don't follow. I have only seen QR used for onboarding passkeys, never authenticating with them. Untrusted devices and BLE connections seems equally strange as far as threat modeling goes, to me. Have not found it in the Bitwarden docs either. Enlighten me?
Love @bitwarden.bsky.social
I'm already a user and a fan! I use it for the few things that have passkeys in my life currently, but I still don't agree with the overarching implementation of passkeys.
I'm a user and general fan of Bitwarden -- self-hosted. It works great for me, but it still means that to use it on a "guest" device, I need to access my password manager *on that device*. The alternative being accessing my password manager on my trusted device (my phone), and transposing the data.
Passkeys are all well and good until you need to access a service on another device.
When did we sign up to be chained to a phone or endpoint with access to a service that manages passkeys?
I get the benefit, but it feels like entrapment was engineered into the workflow.
The fourth monkey has emerged. He sees no one, hears no one and speaks to no one.
After a bit of a break, I've got a new homelab post in the books on #XMPP
Take control of your chat experience with #E2ee and own your data. Maybe relevant for those potentially affected by a future #chatcontrol ruling.
Check it out, let me know what you think!
roguesecurity.dev/blog/xmpp
It's like planting a tree. The best time to do it was yesterday.
I know it's been said again and again, but what does it say about ChatControl that its backers keep explicitly *exempting* law enforcement and national security accounts from content scanning?
So by proxy, RC4 with Kerberos is bad.
RC4 used with Kerberos isn't the fundamental flaw we think. Yes, RC4 is deprecated, but the real issue is the key generation for AES v RC4 for cracking (Kerberoasting). With RC4 the key = password hash. With AES it is 4096 rounds of hashing of hash+username+domain. The 4096 rounds matters, a lot!
It's a moderate release from both #Adobe and #Microsoft, but there's still lots to cover. Join @dustinchilds.bsky.social as he breaks down the September Patch Tuesday and highlights some fixes that require some extra attention. www.zerodayinitiative.com/blog/2025/9/...
We know very little about how cell-site simulators (CSS), devices that masquerade as legitimate cell-phone towers, are being deployed in the US or globally, but with Rayhunter, we hope to change that. www.eff.org/deeplinks/2...
Cyd 1.1.21 is out. This is a bug fix release resolving issues importing from X export files and in migrating media to Bluesky:
docs.cyd.social/blog/cyd-1.1...
Thank you to the bug reporters!
Ah yes, the life of a cybersecurity pro. Here to be hated...
Another #selfhosting blog down, this time some casual notes on #systemd #security. Love it or hate it, systemd is a big player in the bulk of Linux systems out there, and these are a few notes on how to lock down some of the defaults.
roguesecurity.dev/blog/systemd...
This is big. GitHub is no longer independent at Microsoft after CEO resignation: GitHub CEO Thomas Dohmke has resigned, and now GitHub will be part of Microsoft's core AI engineering team. GitHub is no longer an independent company.
www.theverge.com/news/757461/...
Page logo: SONICWALL Title: Recommended Mitigation Steps. Until further notice, we strongly advise all partners and customers using Gen 7 SonicWall firewalls to take the following actions: **1. Disable SSLVPN Services Where Practical** Callout box: NOTE: All other steps below should still be followed even if disabling SSLVPN is not viable.
So the official SonicWall mitigation leads with "turn it off" ? ooooof.
Don't give your government issued Id to YouTube.
roguesecurity.dev/blog/meshtas...
Check out my take on grokking metrics for @meshtastic.org using @grafana.bsky.social dashboards with @prometheus.io. Figure out who your top mesh offenders are by keeping tabs on nearby nodes, all with pretty dashboards.
It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)
EFF's @tsnvaa.bsky.social will be sharing the history of Flock in the U.S. and the growing risks and concerns with the technology at this teach-in for the Denver community on 7/15 from 6-8pm MT. You can join online at bit.ly/FLOCKteachin.
@garmin.com what's your take on this? how are you going to guarantee you're keeping customer data safe?
Monarch Lisa looking a bit disheveled
Good morning!
An outspoken vaccine conspiracy theorist just fired every last member of CDC's vaccine advisory committee.
RFK Jr. is paving the way to reshape vaccine policy based not on decades of science, but on his own unhinged fanaticism.
This is unprecedented, and unthinkably dangerous.
This week I'm combining data enthusiast homelab metrics with @grafana.bsky.social and #arednmesh #hamradio goodness, by setting up @prometheus.io collection of performance metrics of your AREDN node and displaying them in Grafana! Homelabbers and hams unite!
roguesecurity.dev/blog/aredn-m...
Last night I went to see Mission Impossible: Final Reckoning, where a rogue AI takes over the entire US nuclear arsenal, and all I could think was: this shit wouldn't have happened if they'd published ISO 19790:2025 for free.