Anthropic disrupts cybercriminal using AI for large-scale theft and extortion
17 votes -
Is someone using Filen?
11 votes -
Understanding what a VPN can do for you and how to pick the right one
16 votes -
Looking for tips/advice for a hardware firewall/VPN for a small to medium size nonprofit
Edit: Decided to go with the Ubiquiti Dream Machine Pro. Thank you for all the suggestions and advice!
Hey Tildenauts,
I'm planning to help a local nonprofit replace their aging hardware firewall pro bono. I have a fair amount of experience with networking and security, especially where web servers are concerned, but I haven't set up a hardware firewall recently enough to know off the top of my head which are the best options here.
The organization is fairly small but on its way to medium sized, around 30 employees at the moment but will likely expand to 50+ in coming years. So I'm looking for a solution that will comfortably scale up to 100 employees. There is remote work, accessing their local server via VPN, so something that comes bundled with a user friendly VPN client would be ideal. I haven't seen their physical setup yet but I know their server gets a lot of use. Not all employees use it remotely on a regular basis but many do.
From past experience I know that Cisco, Sophos and SonicWall are potential options. Cisco seems to be pushing their Meraki platform pretty hard but I don't think this organization needs a subscription based solution.
Anyone have recommendations for hardware firewalls I should consider? Any potential footguns I should know about?
Thanks in advance!
8 votes -
WinRAR zero-day under active exploitation – update to latest version immediately
40 votes -
uBlock Origin Lite for Safari
32 votes -
Dropbox Passwords being discontinued
30 votes -
The viral 'Tea' app just had a second data breach, and it's even worse
50 votes -
North Korean hackers ran US-based “laptop farm” from Arizona woman’s home
25 votes -
After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
27 votes -
Revisiting my digital security model
18 votes -
No, of course I can! Refusal mechanisms can be exploited using harmless fine-tuning data.
9 votes -
The EU wants to decrypt your private data by 2030
50 votes -
I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong
I have changed my email more than once, just as part of customizing my online identity and all that.
And that obviously required me to log in to any accounts I had and update the email associated with them.
The most common workflow I have found is:
login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email
Then you can go to that website and do the "forgot password", provide your email and change the password, and get complete control. I have always found that workflow weird because it's the most prevalent one I have come across and seems so susceptible to tampering.
If someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm in my inbox once I am back at my desk.
And most people don't have 2FA, so that would effectively give me control of their account.
Hell, my university once had a potential data breach, and they were 99.999% sure the data was not actually accessed by a malicious actor, but still sent a mass email saying that they were advising everyone to change their passwords. A classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.
There are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox, and after you confirm on that, then you get a confirmation email in the new email inbox. Which isn't perfect, but I feel like it's a bit more sensical and the best you can do without involving 2FA.
Even then, that's also susceptible to the situation I described above if the user is always logged into their email.
I find it odd that websites don't prompt for a password as part of the email update process (or better yet 2FA with an app as even prompting for a password isn't a guarantee if the user has the password manager as an extension in their browser and they recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.
16 votes -
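As an added example (this is not code from the post above or from any site it mentions), the two flows side by side: the common "edit the field, confirm at the new address" flow, and a hardened one that re-authenticates with the password plus a TOTP code before anything is sent, mails the current inbox first, only mails the new inbox after that approval, and uses single-use, expiring tokens. The user store, the `OUTBOX` list standing in for an email sender, the password hashing and the TOTP check are all constructed in memory for illustration; the names are assumptions, not any site's API.

```python
"""Added example, not from the original post: weak vs. hardened email-change flow.
Everything is an in-memory model constructed for illustration."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a confirmation link stays valid
TOTP_STEP = 30        # RFC 6238 time step, seconds


def _now(now):
    return time.time() if now is None else now


def _hash_pw(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def _totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, enough to model an authenticator app."""
    counter = int(at // TOTP_STEP).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _totp_ok(secret: bytes, code, at: float) -> bool:
    if code is None:
        return False
    # accept one step of clock skew either side, compared in constant time
    return any(hmac.compare_digest(_totp(secret, at + d * TOTP_STEP), code) for d in (-1, 0, 1))


class Account:
    def __init__(self, email: str, password: str, totp_secret=None):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_pw(password, self.salt)
        self.totp_secret = totp_secret   # None means not enrolled in 2FA
        self.pending = None              # in-flight email change, if any

    def check_password(self, pw: str) -> bool:
        return hmac.compare_digest(_hash_pw(pw, self.salt), self.pw_hash)


OUTBOX = []   # (to_address, purpose, token): stands in for an email sender (constructed)


def _send(to: str, purpose: str, token: str) -> None:
    OUTBOX.append((to, purpose, token))


# --- The common flow the post describes: confirm at the NEW address only -----
def weak_change_email(acct: Account, new_email: str, now=None) -> None:
    """Needs nothing but a live session, so an unattended laptop is enough."""
    token = secrets.token_urlsafe(32)
    acct.pending = {"new": new_email, "new_token": token, "exp": _now(now) + TOKEN_TTL}
    _send(new_email, "confirm-new", token)


def weak_confirm(acct: Account, token: str, now=None) -> bool:
    p = acct.pending
    if p and _now(now) < p["exp"] and hmac.compare_digest(p["new_token"], token):
        acct.email, acct.pending = p["new"], None
        return True
    return False


# --- Hardened flow: re-authenticate, approve from OLD inbox, confirm at NEW ---
def request_email_change(acct: Account, new_email: str, password: str,
                         totp_code=None, now=None) -> bool:
    """Step 1: prove you are the owner, not merely the holder of the session."""
    if not acct.check_password(password):
        return False
    if acct.totp_secret is not None and not _totp_ok(acct.totp_secret, totp_code, _now(now)):
        return False
    old_token = secrets.token_urlsafe(32)
    acct.pending = {"new": new_email, "old_token": old_token, "new_token": None,
                    "exp": _now(now) + TOKEN_TTL}
    _send(acct.email, "approve-change", old_token)   # current inbox goes first
    return True


def approve_from_old_inbox(acct: Account, token: str, now=None) -> bool:
    """Step 2: only after the current owner approves is the new address mailed."""
    p = acct.pending
    if not p or p["new_token"] is not None or _now(now) >= p["exp"]:
        return False
    if not hmac.compare_digest(p["old_token"], token):
        return False
    p["new_token"] = secrets.token_urlsafe(32)
    _send(p["new"], "confirm-new", p["new_token"])
    return True


def confirm_from_new_inbox(acct: Account, token: str, now=None) -> bool:
    """Step 3: single-use token; the old address is notified so a hijack is visible."""
    p = acct.pending
    if not p or p["new_token"] is None or _now(now) >= p["exp"]:
        return False
    if not hmac.compare_digest(p["new_token"], token):
        return False
    old, acct.email, acct.pending = acct.email, p["new"], None
    _send(old, "changed-notice", "")
    return True
```

In the weak flow the only secret involved is the token mailed to the address the attacker typed in, so the attacker always has it. In the hardened flow the attacker at the unattended laptop is stopped at step 1 by the password (or the TOTP code if the password manager is unlocked), and even a stolen step-1 token cannot be replayed after use or after `TOKEN_TTL`. A real deployment would also invalidate other sessions when the email changes and put a revert link in the `changed-notice` mail.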
Passkey vs smart use of passwords
I went down the path of thinking about switching to Passkeys but it seems like more hassle than it is worth, so I hoped this community could tell me if I am crazy.
I use Bitwarden to generate and save passwords for anything important and always use an authentication app when the option is present. I never use the same password. Sadly, most Canadian banks are awful and only allow SMS 2FA if anything at all. That said, of the two banks I primarily use, one does allow an authentication app and the other uses its own app to send authentication codes.
I always read that Passkeys are better for people who are lazy/bad with their passwords. For someone like me, is the security practically the same or is there still some benefit to switching everything I can to Passkeys?
31 votes -
Address bar shows hp.com. Browser displays scammers’ malicious text anyway.
31 votes -
Reddit in talks to embrace Sam Altman's iris-scanning Orb to verify users
40 votes -
Cybernews research team has uncovered over sixteen billion leaked records since the start of 2025
37 votes -
Before the government announced its move, Denmark's largest cities of Copenhagen and Aarhus had already announced plans to phase out Microsoft software and cloud services. Here's why.
48 votes -
Coming to Apple OSes: A seamless, secure way to import and export passkeys
14 votes -
End of 10: Replace Windows 10 with Linux
98 votes -
So how do I know my passwords are safe?
11 votes -
Unexplained electronic components found in imported equipment for Denmark's energy supply network – investigation underway to learn more
32 votes -
Slowly starting a passion project of a finance web-app that I can use help me budget but I have a crucial question
I am planning to use the Plaid API and have a Spring Boot backend, but given that I will be storing my financial information (such as whatever the Plaid API needs me to store to use their endpoints, as well as just the transactions on my credit and chequing accounts), the security of the data is obviously crucial. And I think my problem is I don't know what I don't know.
I have a basic idea of what kind of things I need to protect against.
- Will have to use Spring Security (or whatever is best) for things like protecting against XSS and CSRF
- I need to ensure that the PostgreSQL database is encrypted
But beyond that, I don't know much about the nuances of each type of security and the customizations I should be on the lookout for. I wonder if there's a trustworthy resource that at least details for me the kind of security I need to implement on either the Spring or PostgreSQL side of things?
11 votes -
Twingate: Go beyond VPN
9 votes -
Cyber attack causes further chaos for UK shoppers at Marks & Spencer
5 votes -
SuperCard X enables contactless ATM fraud in real-time
15 votes -
FBI Denver warns of online file converter scam
27 votes -
UK tribunal denies government's request to keep details of 'backdoor order' case secret, that led to Apple disabling 'Advanced Data Protection Service' for UK customers
19 votes -
Is it possible to completely hide one’s activity on the Internet from one’s ISP?
As the years go by, I’ve become increasingly annoyed (I choose that word intentionally) at the thought that there’s some “record” of my activity on the Internet somewhere, which was probably put together by my ISP. I “don’t have anything to hide” (other than perhaps the one or other ROM or movie that I download), but I also don’t want to randomly get fined or put in prison if, in a few years, our governments decide to retroactively criminalize certain activities (I’m thinking mostly about piracy).
I’m not tech savvy though. That’s not because I haven’t tried. I have. I spent countless hours reading about how one can keep one’s activity on the Internet “private”. To my knowledge, it isn’t actually possible. I mean, even if I didn’t use my real name anywhere, or didn’t have any social media accounts (thankfully, I don’t), just the fact that I have to use an ISP to surf the web means that at least they are “spying” on me.
So, I’m approaching all of you wonderful, tech savvy people (rather than ChatGPT or a search engine) to ask you if there’s something that I’m missing, and if there is a way (preferably a fool-proof one) to stop my ISP (or “anyone” for that matter) from collecting data on my activity on the Internet (particularly when I download ROMs or movies, which is the only “illegal” thing that I ever do).
24 votes -
Helsinki now among the top five cities in Europe for defence, security and resilience investments – Nordic nation has 368 defence tech companies; 40% are startups and scale-ups
13 votes -
Apple will soon support encrypted RCS messaging with Android users
39 votes -
End-to-end encryption - How we stopped trusting clouds and started encrypting our data
15 votes -
What are the best truly unbeatable E2EE, presumably P2P messaging apps?
My thoughts are that apps can have end-to-end encryption, but if the app on the end is still connected to someone's servers, there's nothing stopping them from pulling the contents of the chat after it's been decrypted on the other end. What options do we have for messaging that don't have this issue? I understand that anything that I can see can still get taken by the OS, etc., but I'm curious about that first step.
28 votes -
Banned from eBay for life with no explanation
Today I got an email from ebay.
It says:
We wanted to let you know that your eBay account has been permanently suspended because of activity that we believe was putting the eBay community at risk...
Well this is weird because I don't use ebay. I sold some things there over 10 years ago. Since then I may have logged in once or twice. Maybe I reset my password a few years ago to make it more secure. So I couldn't have violated any of their policies.
This is a concern to me because I assume someone has been using my account. I assume they have been logging into it and scamming other people. And the account is linked to my email so the scammer has that. So I don't know if someone found out my address info, credit card, or something else. But I can't login to ebay and change my email or check account history because my account is suspended.
So I contacted customer support and they replied a few hours later that I'm banned for life and the reason can't be told to me.
By the way, I did not reply to the original email or click any links in it. I went directly to the ebay site and contacted customer support through that. I'm sure it wasn't a phishing attempt, it's really ebay and they really banned my account (which I haven't been using).
Any suggestions? In my opinion eBay has not used proper security and is exposing me to risk by not giving more information about what has happened.
38 votes -
Living off Microsoft Copilot - risks and threats of Copilot
7 votes -
Posteo.de or Mailbox.org - Struggling to find an alternative to Proton
Hello everyone! I am currently debating switching email providers. I have been with Proton for a few years now (free user), but I have become increasingly disappointed. Firstly, I am not exactly a fan of the “we have apps for everything” model, particularly the integration of a password manager is just strange and the crypto wallet feels a bit nauseating, as I have my reservations about cryptocurrency. Consolidating all of my services in a company such as Proton feels misguided if the goal is to avoid walled gardens from the tech giants. There are also some other more recent things that have come up in relation to Proton that just make me question the legitimacy of Proton's “guiding moral imperative” as a privacy focussed company.
Moving on from that, I have mostly settled on two options due to their
- low cost
- generally adequate security (I understand email's limitations on this front, I just want something to be secure enough)
- transparency reports
- location of operation
The main thing I am struggling with here are the pros and cons between the two platforms.
Posteo seems to be a less ideal email provider because they do not support ARC and lack a good DMARC policy. BUT they claim to support encryption for their calendars; does this even matter if you are accessing the calendars with CalDAV (which I do not believe is an E2EE connection)?
I think I trust Mailbox.org more when it comes to security, but I think their contacts / calendar situation is somewhat worse, and their French translation seems … lacking in spots (not that it matters to me much, but still is somewhat jarring for me).
I could just ignore the contacts/calendar problem, and use something like EteSync, but that would become just another thing to pay for, and another app to operate (if I need to use the WebDav bridge).
Any feedback on this would be greatly appreciated, I am really hoping this inspires some interesting conversations! And of course, feel free to tell me about better options if I have overlooked something. Have a lovely day :)
35 votes -
Myanmar scam compounds that enslave workers apparently use Starlink for net access. US law enforcement says no company response to request for help.
26 votes -
Apple stops offering end-to-end encrypted iCloud storage in the UK due to government spying demands
64 votes -
Removing Jeff Bezos from my bed
52 votes -
Dating app cover-up: How Tinder, Hinge, and their corporate owner keep rape under wraps
39 votes -
Phishing tests, the bane of work life, are getting meaner
32 votes -
I hate 2FA
I get that it’s supposed to make things more secure, but it feels like a constant chore every time I try to log in somewhere. Grab a code from my phone. Check my email. Open an authenticator app. Repeat this process for every single account, over and over.
I know there are tools like YubiKey that are supposed to make 2FA easier, but the reality is that most websites don’t even support them.
I already use a password manager, and all my passwords are long, randomized, and secure. Is there something I am missing that makes this easier, or is this just as infuriating for everyone else?
75 votes -
UK orders Apple to let it spy on users’ encrypted accounts
49 votes -
How US school cyber attacks get hidden from those impacted and the public
10 votes -
DeepSeek’s safety guardrails failed every test researchers threw at its AI chatbot
16 votes -
US Federal Trade Commission takes action against GoDaddy for alleged lax data security for its website hosting services
19 votes -
US Supreme Court unanimously backs law banning TikTok if it’s not sold by its Chinese parent company
48 votes -
Candy Crush, Tinder, MyFitnessPal: See the thousands of apps hijacked to spy on your location
65 votes