Showing only topics with the tag "security".
    1. MITRE support for the Common Vulnerabilities and Exposures (CVE) program will expire tomorrow

      A letter to CVE board members posted to bluesky a few hours ago reveals that MITRE funding for the Common Vulnerabilities and Exposures (CVE) program is about to expire. Haven't found any good articles that cover this news story yet, but it's spreading like wildfire over on bluesky.

      Of course this doesn't mean that the CVE program will immediately cease to exist, but at the moment MITRE funding is absolutely essential for its long-term survival.

      In a nutshell, CVEs are a way to centrally organize, rate, and track software vulnerabilities. Basically any publicly known vulnerability out there can be referred to via its CVE number. The system is an essential tool for organizations worldwide to keep track of and manage vulnerabilities and implement appropriate defensive measures. Its collapse would be devastating for the security of information systems worldwide.

      How can one guy in a position of power destroy so much in such a short amount of time..? I hope the EU will get their shit together and fund independent alternatives for all of these systems being butchered at the moment...

      Edit/Update 20250415 21:10 UTC:
      It appears journalist David DiMolfetta confirmed the legitimacy of the letter with a source a bit over an hour ago and published a corresponding article on nextgov 28 minutes ago.

      Edit/Update 20250415 21:25 UTC:
      Brian Krebs also talked to MITRE to confirm this news. On infosec.exchange he writes:

      I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.
      MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject

      Edit/Update 20250415 21:37 UTC:
      The above-mentioned post was supplemented by Brian Krebs 5 minutes ago with this comment:

      Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. The CVE website will still be up.

      Edit/Update 20250416 08:40 UTC:
      First off, here's one more article regarding the situation by Brian Krebs (the guy I cited above), as well as a YouTube video by John Hammond.

      In more positive news: first attempts to save the project seem to be emerging. Tib3rius posted on Bluesky about half an hour ago that a rogue group of CVE board members has launched a CVE Foundation to secure the project's future. It's by no means a final solution, but it's at least a first step to give some structure to the chaos that has emerged, and a means to manage funding from potential alternative sources that will hopefully step up to at least temporarily carry the project.

      Edit/Update 20250416 15:20 UTC:
      It appears the public uproar got to them. According to a nextgov article by David DiMolfetta, the contract has been extended by 11 months on short notice, just hours before it expired...

      Imo the events of the past 24 hours will leave their mark. It has become very clear that relying on the US government for such critical infrastructure is not a sustainable approach. I'm certain (or at least I hope) that other governments (i.e. EU) will draw appropriate consequences and build their own infrastructure to take over if needed. The US is really giving up their influence on the world at large at an impressive pace.

      55 votes
    2. Is it possible to completely hide one’s activity on the Internet from one’s ISP?

      As the years go by, I’ve become increasingly annoyed (I choose that word intentionally) at the thought that there’s some “record” of my activity on the Internet somewhere, which was probably put together by my ISP. I “don’t have anything to hide” (other than perhaps the one or other ROM or movie that I download), but I also don’t want to randomly get fined or put in prison if, in a few years, our governments decide to retroactively criminalize certain activities (I’m thinking mostly about piracy).

      I’m not tech savvy though. That’s not because I haven’t tried. I have. I spent countless hours reading about how one can keep one’s activity on the Internet “private”. To my knowledge, it isn’t actually possible. I mean, even if I didn’t use my real name anywhere, or didn’t have any social media accounts (thankfully, I don’t), just the fact that I have to use an ISP to surf the web means that at least they are “spying” on me.

      So, I’m approaching all of you wonderful, tech savvy people (rather than ChatGPT or a search engine) to ask you if there’s something that I’m missing, and if there is a way (preferably a fool-proof one) to stop my ISP (or “anyone” for that matter) from collecting data on my activity on the Internet (particularly when I download ROMs or movies, which is the only “illegal” thing that I ever do).

      24 votes
    3. Can I carry a Turquoise gemstone on my Air Canada flight? Any documents needed?

      I am an Indian by origin and currently a Canadian citizen. During my recent holiday visit to India, I purchased a Turquoise gemstone along with a certificate from a reputable seller. Now, as I prepare to return to Canada (Surrey, British Columbia), I have a layover at London Heathrow Airport before my final destination with Air Canada.

      I would like to know if there are any specific regulations regarding carrying gemstones while traveling. Do I need to provide any supporting documents, such as an invoice, a bill, or an authenticity certificate from a particular lab, for immigration clearance? Also, since I have a layover in London, I am curious if there are any specific requirements or restrictions at Heathrow Airport regarding carrying gemstones.

      Has anyone had a similar experience? Any guidance on the required documents at both London Heathrow and Canada for a smooth immigration process would be greatly appreciated.

      Looking forward to helpful responses. Thank you!

      14 votes
    4. What are the best truly unbeatable E2EE, presumably P2P messaging apps?

      My thoughts are that apps can have end-to-end encryption, but if the app on the end is still connected to someone's servers, there's nothing stopping them from pulling the contents of the chat after it's been decrypted on the other end. What options do we have for messaging that don't have this issue? I understand that anything that I can see can still get taken by the OS, etc., but I'm curious about that first step.

      28 votes
    5. Banned from eBay for life with no explanation

      Today I got an email from ebay.

      It says:

      We wanted to let you know that your eBay account has been permanently suspended because of activity that we believe was putting the eBay community at risk...

      Well this is weird because I don't use ebay. I sold some things there over 10 years ago. Since then I may have logged in once or twice. Maybe I reset my password a few years ago to make it more secure. So I couldn't have violated any of their policies.

      This is a concern to me because I assume someone has been using my account. I assume they have been logging into it and scamming other people. And the account is linked to my email so the scammer has that. So I don't know if someone found out my address info, credit card, or something else. But I can't login to ebay and change my email or check account history because my account is suspended.

      So I contacted customer support and they replied a few hours later that I'm banned for life and the reason can't be told to me.

      By the way, I did not reply to the original email or click any links in it. I went directly to the eBay site and contacted customer support through that. I'm sure it wasn't a phishing attempt; it's really eBay and they really banned my account (which I haven't been using).

      Any suggestions? In my opinion eBay has not used proper security and is exposing me to risk by not giving more information about what has happened.

      38 votes
    6. Posteo.de or Mailbox.org - Struggling to find an alternative to Proton

      Hello everyone! I am currently debating switching email providers. I have been with Proton for a few years now (free user), but I have become increasingly disappointed. Firstly, I am not exactly a fan of the “we have apps for everything” model; in particular, the integration of a password manager is just strange, and the crypto wallet feels a bit nauseating, as I have my reservations about cryptocurrency. Consolidating all of my services in a company such as Proton feels misguided if the goal is to avoid walled gardens from the tech giants. There are also some other more recent things that have come up in relation to Proton that just make me question the legitimacy of Proton's “guiding moral imperative” as a privacy-focused company.

      Moving on from that, I have mostly settled on two options due to their

      • low cost
      • generally adequate security (I understand email's limitations on this front, I just want something to be secure enough)
      • transparency reports
      • location of operation

      The main thing I am struggling with here are the pros and cons between the two platforms.

      Posteo seems to be a less ideal email provider because they do not support ARC and lack a good DMARC policy. BUT they claim to support encryption for their calendars; does this even matter if you are accessing the calendars with CalDAV (which I do not believe is an E2EE connection)?

      I think I trust Mailbox.org more when it comes to security, but I think their contacts / calendar situation is somewhat worse, and their French translation seems … lacking in spots (not that it matters to me much, but still is somewhat jarring for me).

      I could just ignore the contacts/calendar problem and use something like EteSync, but that would become just another thing to pay for, and another app to operate (if I need to use the WebDAV bridge).

      Any feedback on this would be greatly appreciated, I am really hoping this inspires some interesting conversations! And of course, feel free to tell me about better options if I have overlooked something. Have a lovely day :)

      35 votes
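      To make "a good DMARC policy" concrete, here is an added example (not code from the original post, and not anything published by Posteo or Mailbox.org) that parses a DMARC TXT record the way one would fetch it from `_dmarc.<domain>` and rates how much protection it actually gives. The sample records are constructed for illustration only and do not represent either provider's real DNS records; the rating thresholds are this example's own choices, not a standard.

```python
"""Parse and rate a DMARC TXT record (added example; records below are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records for demonstration. They are NOT the real DMARC
# records of Posteo, Mailbox.org or any other provider.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; adkim=r; aspf=r",
    "strong.example": (
        "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
        "rua=mailto:dmarc@strong.example; ruf=mailto:forensic@strong.example"
    ),
    # An SPF record published where DMARC was expected: a common misconfiguration.
    "broken.example": "v=spf1 include:_spf.example -all",
}


@dataclass
class DmarcReport:
    valid: bool
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    adkim: str = "r"
    aspf: str = "r"
    rua: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcReport:
    """Apply RFC 7489 defaults (sp=p, pct=100, relaxed alignment) and flag weak spots."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return DmarcReport(valid=False, findings=["not a DMARC record: missing v=DMARC1"])
    policy = tags.get("p")
    rep = DmarcReport(valid=True, policy=policy)
    if policy not in ("none", "quarantine", "reject"):
        rep.valid = False
        rep.findings.append("missing or invalid p= tag")
        return rep
    rep.subdomain_policy = tags.get("sp", policy)
    try:
        rep.pct = int(tags.get("pct", "100"))
    except ValueError:
        rep.findings.append("pct= is not an integer")
    rep.adkim = tags.get("adkim", "r")
    rep.aspf = tags.get("aspf", "r")
    rep.rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]

    if policy == "none":
        rep.findings.append("p=none: spoofed mail is still delivered; monitoring only")
    if rep.subdomain_policy == "none" and policy != "none":
        rep.findings.append("sp=none: subdomains can be spoofed despite the main policy")
    if rep.pct < 100:
        rep.findings.append(f"pct={rep.pct}: policy applied to only {rep.pct}% of failing mail")
    if not rep.rua:
        rep.findings.append("no rua= address: aggregate reports go nowhere")
    if rep.adkim == "r" and rep.aspf == "r":
        rep.findings.append("relaxed alignment (default): any subdomain of the org domain aligns")
    return rep


def strength(rep: DmarcReport) -> str:
    """Coarse rating used by this example: invalid, weak, partial or strong."""
    if not rep.valid:
        return "invalid"
    if rep.policy == "reject" and rep.subdomain_policy == "reject" and rep.pct == 100:
        return "strong"
    if rep.policy in ("quarantine", "reject"):
        return "partial"
    return "weak"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        report = assess_dmarc(record)
        print(f"{domain}: {strength(report)}")
        for finding in report.findings:
            print(f"  - {finding}")
```

      To run this against a real provider, fetch the record yourself (for example `dig +short TXT _dmarc.<domain>`) and pass the quoted string to `assess_dmarc`; the rating is only as meaningful as the record you feed it, and "strong" here still says nothing about ARC support, which is a separate question.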
    7. I hate 2FA

      I get that it’s supposed to make things more secure, but it feels like a constant chore every time I try to log in somewhere. Grab a code from my phone. Check my email. Open an authenticator app. Repeat this process for every single account, over and over.

      I know there are tools like YubiKey that are supposed to make 2FA easier, but the reality is that most websites don’t even support them.

      I already use a password manager, and all my passwords are long, randomized, and secure. Is there something I am missing that makes this easier, or is this just as infuriating for everyone else?

      75 votes
    8. Outdoor CCTV recommendations?

      Hi all. I need to set up an outdoor CCTV camera and since there seem to be a hundred different brands and as many pitfalls I'm wondering if anyone here can help me navigate that minefield. I have zero experience.

      I have the following basic requirements:

      • Waterproof: It's outdoors, it will be rained on, plus there will often be high humidity, pollen and dust. It should not get fogged up. (IP66 or higher, I think?) This also means there shouldn't be exposed plugs, otherwise it's not really waterproof.
      • NOT battery powered. If there's a battery power option, battery degradation shouldn't prevent the camera from working, since otherwise that will massively impact longevity. I'm looking for something that can be wired directly to AC power.
      • Wi-Fi support: Comms cannot be wired in this installation. The norm will probably be n (2.4 GHz), but ac or newer should ideally be supported for future proofing.
      • I probably can't buy it if it's not available in Europe (this often excludes some american startups).

      With regard to what happens to the footage:

      • I think IP streaming would be ideal?
      • Abso-fucking-lutely no "cloud" based services. I have no interest in having to bounce footage through the US or china, or paying a monthly fee for unnecessary nonsense. I'm afraid of brands not being clear about this being a requirement before I spend my money.
      • Some brands seem to have their own "server"/hub hardware? Why? No! I already own computers, so I don't need to waste money on a proprietary unitasker for talking to my camera.
      • I think there are some open standards for camera streaming and open source software for handling the cameras. Support for these would be great. I'm accepting software recommendations too.
      • I'm not in theory opposed to SD card support, but I'd rather not have to use local storage at all, and don't mind if it's not an option. If a setup requires storing in an SD card and then reading from it that's not the worst, I suppose (it's not that expensive to replace dead SD cards once every few years).

      Optional bells and whistles:

      • There is some illumination in the location at night, but some form of night vision would be highly desirable. Optional built in lights are probably also a good idea.
      • Microphone is a nice plus.
      • Motion detection and human tracking are a nice plus. The camera doesn't have to rotate 360 degrees; probably a ~60 degree angle of vision would be plenty. At the extreme, I'd say more than ~120 degrees is literally useless due to obstacles. (Obviously if an ideal solution has full rotation, I'll just take it.)
      • Resolution+framerate (bitrate) can be as high as wireless-n can comfortably handle, but I don't really think I need more than 1080p.

      Thanks in advance if anyone knows enough to be able to help.

      4 votes