starkzarn
roguesecurity.dev
hacker of things | printer of plastic | wizard of linux | leader of assurance
roguesecurity.dev/blog/custom-...

A quick writeup on a hacky but effective method of bypassing Oracle's restrictions on #Linux distro use in their free tier. I don't trust them, but I'll happily burn some of their compute.

#selfhosting #cloud #OpenSuse
How to Run Custom Linux Images on Oracle Free Tier
Bypass the Oracle free-tier limitation of running only Linux distributions provided by Oracle by sideloading a QCOW2 image to a boot volume and attaching it to a new instance.
roguesecurity.dev
November 19, 2025 at 3:42 AM
Passkeys are all well and good until you need to access a service on another device.

When did we sign up to be chained to a phone or endpoint with access to a service that manages passkeys?

I get the benefit, but it feels like entrapment was engineered into the workflow.
Serious take: the solution to Safe Browsing false positives like the Immich one is passkeys.

Phishing regularly upends people's lives. The Safe Browsing cat-and-mouse with all its opaque false positives will be necessary until we roll out phishing-resistant auth.
October 23, 2025 at 4:19 PM
Reposted by starkzarn
October 22, 2025 at 9:15 PM
After a bit of a break, I've got a new homelab post in the books on #XMPP

Take control of your chat experience with #E2ee and own your data. Maybe relevant for those potentially affected by a future #chatcontrol ruling.

Check it out, let me know what you think!

roguesecurity.dev/blog/xmpp
End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody
Start-to-finish guide for setting up a modern XMPP (Jabber) Server to facilitate E2EE chat on your own infrastructure, podman style
roguesecurity.dev
October 13, 2025 at 8:35 PM
It's like planting a tree. The best time to do it was yesterday.
October 7, 2025 at 5:13 PM
Reposted by starkzarn
I know it’s been said again and again, but what does it say about ChatControl that its backers keep explicitly *exempting* law enforcement and national security accounts from content scanning?
September 17, 2025 at 5:10 PM
Reposted by starkzarn
So by proxy, RC4 with Kerberos is bad.
September 16, 2025 at 5:17 PM
Reposted by starkzarn
RC4 used with Kerberos isn't the fundamental flaw we think. Yes, RC4 is deprecated, but the real issue is the key generation for AES v RC4 for cracking (Kerberoasting). With RC4 the key = password hash. With AES it is 4096 rounds of hashing of hash+username+domain. The 4096 rounds matters, a lot!
September 16, 2025 at 5:14 PM
Reposted by starkzarn
It's a moderate release from both #Adobe and #Microsoft, but there's still lots to cover. Join @dustinchilds.bsky.social as he breaks down the September Patch Tuesday and highlights some fixes that require some extra attention. www.zerodayinitiative.com/blog/2025/9/...
Zero Day Initiative — The September 2025 Security Update Review
There’s a crispness in the air – at least here in North America – and with it comes the latest security patches from Adobe and Microsoft. Take a break from your scheduled activities and join us as we ...
www.zerodayinitiative.com
September 9, 2025 at 7:08 PM
Reposted by starkzarn
We know very little about how cell-site simulators (CSS), devices that masquerade as legitimate cell-phone towers, are being deployed in the US or globally, but with Rayhunter, we hope to change that. www.eff.org/deeplinks/2...
Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular
Rayhunter is a new open source tool we’ve created that runs off an affordable mobile hotspot that we hope empowers everyone, regardless of technical skill, to help search out cell-site simulators
www.eff.org
August 26, 2025 at 10:56 PM
Reposted by starkzarn
Cyd 1.1.21 is out. This is a bug fix release resolving issues importing from X export files and in migrating media to Bluesky:
docs.cyd.social/blog/cyd-1.1...

Thank you to the bug reporters!
Cyd 1.1.21 released | Cyd Docs
We're pleased to announce Cyd 1.1.21 is released. Here's what's new:
docs.cyd.social
August 24, 2025 at 9:52 PM
Ah yes, the life of a cybersecurity pro. Here to be hated...
I announced a large computer security lift to part of IT today. People messaged me saying things were broken.
I haven't deployed it yet.
August 18, 2025 at 9:01 PM
Another #selfhosting blog down, this time some casual notes on #systemd #security. Love it or hate it, systemd is a big player in the bulk of Linux systems out there, and these are a few notes on how to lock down some of the defaults.

roguesecurity.dev/blog/systemd...
SystemD Service Hardening
Discover additional security options for systemd units, to include quadlets. These options are everything from system permissions, time manage, BPF, syscall & seccomp filters, etc., all to make your s...
roguesecurity.dev
August 11, 2025 at 10:14 PM
Reposted by starkzarn
This is big. GitHub is no longer independent at Microsoft after CEO resignation: GitHub CEO Thomas Dohmke has resigned, and now GitHub will be part of Microsoft’s core AI engineering team. GitHub is no longer an independent company.

www.theverge.com/news/757461/...
GitHub is no longer independent at Microsoft after CEO resignation
GitHub will be part of Microsoft’s AI engineering team
www.theverge.com
August 11, 2025 at 5:12 PM
Reposted by starkzarn
So the official SonicWall mitigation leads with "turn it off" ? ooooof.
August 4, 2025 at 6:48 PM
Reposted by starkzarn
Don't give your government-issued ID to YouTube.
July 31, 2025 at 4:13 PM
roguesecurity.dev/blog/meshtas...

Check out my take on grokking metrics for @meshtastic.org using @grafana.bsky.social dashboards with @prometheus.io. Figure out who your top mesh offenders are by keeping tabs on nearby nodes, all with pretty dashboards.
"Meshtrics:" A Nosy Neighbor's Guide to Meshtastic Airtime Metrics in Grafana
Start using Prometheus metrics from a PC-connected Meshtastic node to keep tabs on the local mesh in your area. Discover which nodes are misconfigured, hogging airtime, and see patterns in high-use ti...
roguesecurity.dev
July 28, 2025 at 3:37 PM
Reposted by starkzarn
It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)
July 18, 2025 at 12:56 PM
Reposted by starkzarn
#OPNsense 25.7 "Visionary Viper" is now available.
OPNsense 25.7 released
OPNsense 25.7 released
forum.opnsense.org
July 23, 2025 at 11:10 AM
Reposted by starkzarn
Being in tech and having a single modicum of critical thinking is just screaming "this isn't what LLMs are designed for" over and over as people shove a bunch of word predictors into critical decision making processes because some glorified used car salesmen told them it would fix all their problems
Reporter: The FDA has a new AI tool that's intended to speed up drug approvals. But several FDA employees say the new AI helper is making up studies that do not exist. One FDA employee telling us, 'Anything that you don't have time to double check is unreliable. It hallucinates confidently'
July 23, 2025 at 6:10 PM
Reposted by starkzarn
EFF's @tsnvaa.bsky.social will be sharing the history of Flock in the U.S. and the growing risks and concerns with the technology at this teach-in for the Denver community on 7/15 from 6-8pm MT. You can join online at bit.ly/FLOCKteachin.
July 10, 2025 at 8:03 PM
@garmin.com what's your take on this? how are you going to guarantee you're keeping customer data safe?
“Whenever you have a lot of very personal data like that, it usually ends up becoming a target for someone, whether that is hackers, bad actors who want to compromise your device, or even law enforcement,” EFF's @mguariglia.bsky.social told @thecut.com about wearables.
Can RFK Jr. Track My Oura Ring?
The HHS secretary says he wants all Americans to start wearing health-tracking devices. Here’s what that might mean for your private data.
www.thecut.com
July 10, 2025 at 5:02 PM
Reposted by starkzarn
Good morning! ☕️☕️☕️☕️☕️
July 3, 2025 at 1:34 PM
Reposted by starkzarn
An outspoken vaccine conspiracy theorist just fired every last member of CDC's vaccine advisory committee.

RFK Jr. is paving the way to reshape vaccine policy based not on decades of science, but on his own unhinged fanaticism.

This is unprecedented, and unthinkably dangerous.
Kennedy guts CDC's vaccine panel of independent experts
The Advisory Committee for Immunization Practices helps the agency make recommendations on who should get certain vaccines.
www.nbcnews.com
June 9, 2025 at 9:23 PM
This week I'm combining data enthusiast homelab metrics with @grafana.bsky.social and #arednmesh #hamradio goodness, by setting up @prometheus.io collection of performance metrics of your AREDN node and displaying them in Grafana! Homelabbers and hams unite!

roguesecurity.dev/blog/aredn-m...
Monitor your AREDN Node with Prometheus and Grafana
Utilize the newly added prometheus metrics exporter in the AREDN firmware to add analytics and performance metrics to Grafana. Read about the metrics endpoint and a basic dashboard to monitor performa...
roguesecurity.dev
June 9, 2025 at 1:41 AM