The account breach extends way beyond the site itself. The compromise of access tokens means the FB SSO (Single Sign-On) mechanism was also vulnerable, meaning users' accounts on third-party sites implementing the FB SSO system may have also been compromised. wired.com/story/facebook-secur

compromised: 50 million accounts affected by security breach in which attackers stole access tokens. Share prices plummet: theguardian.com/technology/201

There's been a lot of talk lately about developers pulling the "kill switch" and revoking their licensing over their contributions to the kernel, mostly spread by a sensationalist article.

Groklaw had an interesting discussion in 2008 indicating why such revocation wouldn't be possible: groklaw.net/article.php?story= and, further, in the Copyleft guide: copyleft.org/guide/comprehensi

In short, it is incredibly unlikely that any attempt to revoke the licensing over such code would succeed.

Cloudflare enable "Encrypted Server Name Indication" (ESNI) on their DNS resolver to close the SNI hostname leak: blog.cloudflare.com/esni/

Of course this requires browser support and support from the domain too. ESNI browser support is arriving in an upcoming Firefox Nightly and ESNI will be enabled by default for all domains behind Cloudflare.

Tiffany boosted

Google trying, and failing, to keep their "Dragonfly" project under wraps in which they are in cahoots with the Chinese government to build a heavily censored search engine, giving access to the regime to edit search results at will: mashable.com/article/google-ch

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.