I would love if just once an admin of a fedi host under #DDoS attack would have the integrity to say:

“We are under attack. But we will not surrender to Cloudflare & let that privacy-abusing tech giant get a front-row view of all your traffic (including passwords & DMs) while centralizing our decentralized community. We apologize for the downtime while we work on solving this problem in a way that uncompromisingly respects your privacy and does not harm your own security more than the attack itself.”

This is inspired by the recent move of #LemmyWorld joining Cloudflare’s walled garden to thwart a DDoS atk.

So of course the natural order of this thread is to discuss various Cloudflare-free solutions. Such as:

1. Establish an onion site & redirect all Tor traffic toward the onion site. 1.1. Suggest that users try the onion site when the clearnet is down— and use it as an opportunity to give much needed growth to the Tor network.
2. Establish 3+ clearnet hosts evenly spaced geographically on VPSs. 2.1. Configure DNS to load-balance the clearnet traffic.
3. Set up tar-pitting to affect dodgy-appearing traffic. (yes I am doing some serious hand-waving here on this one… someone plz pin down the details of how to do this)
4. You already know the IPs your users use (per fedi protocols), so why not use that info to configure the firewall during attacks? (can this be done without extra logging, just using pre-existing metadata?)
5. Disable all avatar & graphics. Make the site text-only when a load threshold is exceeded. Graphic images are what accounts for all the heavy-lifting and they are the least important content (no offense @jerry@infosec.exchange!). (do fedi servers tend to support this or is hacking needed?)
6. Temporarily defederate from all nodes to focus just on local users being able to access local content. (not sure if this makes sense)
7. Take the web client offline and direct users to use a 3rd party app during attacks, assuming this significantly lightens the workload.
8. Find another non-Cloudflared fedi instance that has a smaller population than your own node but which has the resources for growth, open registration, similar philosophies, and suggest to your users that they migrate to it. Most fedi admins have figured out how to operate without Cloudflare, so promote them.

^ This numbering does /not/ imply a sequence of steps. It’s just to give references to use in replies. Not all these moves are necessarily taken together.

What other incident response actions do not depend on Cloudflare?

They're blaming customers for not having good cybersecurity practices instead of themselves for not having good cybersecurity practices.

For the first time in the history of Microsoft, a cyberattack has left hundreds of executive accounts compromised and caused a major user data leak as Microsoft Azure was attacked.

According to Proofpoint, the hackers use the malicious techniques that were discovered in November 2023. It includes credential theft through phishing methods and cloud account takeover (CTO) which helped the hackers gain access to both Microsoft365 applications as well as OfficeHome.

Just because Google has put in the work to quantum-proof Chrome doesn't mean post-quantum security is all set.

I know it's an odd question, but where I live phones get stolen often. My phone doesn't have the option for an eSim, which is a problem because 90% of the time when a thief steals a phone they take out the SIM card immediately, meaning I wouldn't be able to remotely lock or wipe my phone.

Should I consider glueing the SIM tray shut? Or are there alternative less permanent measures I can take to keep my device secure?

Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.

or why it is not a good idea to use your birthday as your pin

duplicate: https://feddit.de/post/9261519

• I am denied read-only access to some websites because I use a VPN. This makes no sense at all, but it happens anyway.
• I am not allowed to register in some forums because I use a VPN. Because everyone knows that anyone who uses a VPN is a serious criminal. There is no other option.
• I am subsequently banned from forums because the moderators realise that my IP address is not unique because I use a VPN. My posts don't matter at all, IP addresses obviously unambiguously identify every person on this planet.
• I'm supposed to confirm that I'm not a robot because I use a VPN. The fact that the company asking for these confirmations (usually Google) is itself sending robots marauding through the internet doesn't matter, because Google is Google and I'm just a bloke with a VPN.

Guys, a VPN is self-defence. A website banning VPNs is like a brothel banning condoms. I mean, of course the house rules apply, but I'd like to see a bit more judgement. What's happening right now is ridiculous and hardly does justice to the security aspect of these "tests". If you find yourself as a contributor to this list, I urge you to stop. I am not a bad guy. All I do is use a VPN.

Thank you.

The German national cybersecurity authority warned on Tuesday that it found at least 17,000 Microsoft Exchange servers in Germany exposed online and

Plenty of interesting-looking tools in here for those looking at what the script kiddies are going to be using here in a bit.

Could 100% be fake, but is making the rounds on LinkedIn security boards. So far a lot of the code is 👀!

Today I checked DNSDumpster for my domain and realized that TXT verification records for my email are visible to everyone. Should I be worried? If yes how can I hide them?

SSH-Snake, a network mapping tool, has been adapted by hackers to stealthily find and use private SSH keys for lateral movements in targeted networks. Identified by Sysdig as a self-altering worm, it diverges from standard SSH worms by avoiding predictable attack patterns. Launched on January 4, 2024, it's a bash script that self-modifies to minimize detection, scanning directories, shell histories, and system logs to find SSH credentials. Sysdig confirmed its use after detecting a C2 server storing data from around 100 victims, indicating the exploitation of Confluence vulnerabilities for access. SSH-Snake represents a significant evolution in malware, exploiting the widely used SSH protocol in businesses.

Microsoft reported a breach by Russian group 'Midnight Blizzard,' which accessed internal systems and source code using stolen authentication secrets from a January cyberattack. The unauthorized access was facilitated by a compromised non-production test account lacking multi-factor authentication and linked to an OAuth app with elevated privileges. Microsoft is contacting affected customers and has ramped up security measures to counter the persistent threat.