Slides of Solar Designer's opening keynote talk at @SSTIC and its revision at BSides Ljubljana held in Računalniški muzej / 🇸🇮 Computer History Museum, entitled "15+ years of oss-security": openwall.com/lists/announce…

passwdqc 2.0.3 releases for Unix-like and Windows systems are out, with many minor additions and changes. Leaked password filter files updated to HIBP v8, encoding the 847+ million unique passwords (from billions of accounts) in a 3.5 GB file. openwall.com/lists/announce…

Linux Kernel Runtime Guard (LKRG) 0.9.7 by Adam 'pi3' Zabrocki et al. is out, adding support for Linux 6.4 to 6.5.x and hopefully beyond, as well as for new RHEL 9.1 and 9.2 kernels. openwall.com/lists/announce…

[5] LKRG for pre and post-incident, here vs reptile rootkit and vs usermodehelper execution

Arch Linux's default password hashing algorithm changed to yescrypt: archlinux.org/news/changes-t…

Should Open Source Security mailing list tweet tiny excerpts of all oss-security postings like before (automated, timely) or summaries of most notable postings/threads (manual, subjective yet hopefully high-quality selection and wording, slightly delayed)? Will include list archive links either way.

After 15+ years of being a 100% volunteer effort, Openwall's maintenance of oss-security and (linux-)distros is finally sponsored by @OpenSSF, a project of @LinuxFoundation. As part of the sponsored effort, we now have distros list statistics for 2023. openwall.com/lists/oss-secu…

The oss-security & (linux)-distros mailing lists, operated by Openwall, have been a key part of the community's ability to collaborate on and communicate security issues. "The OpenSSF is proud to sponsor the operation of these lists." - @omkhar_openssf openssf.org/blog/2023/11/1…

oss-security and (linux-)distros infrastructure migrated to the Netherlands. Statistics for all of 2023. openwall.com/lists/oss-secu…

Linux Kernel Runtime Guard (LKRG) 0.9.8 by Adam 'pi3' Zabrocki et al. is out, adding a remote kernel message logging capability sponsored by BINARLY🔬. openwall.com/lists/announce… This update is already packaged for Rocky Enterprise Linux 8.9 and 9.3 Rocky Linux. sig-security.rocky.page/packages/lkrg/

Backdoor in upstream xz/liblzma leading to ssh server compromise openwall.com/lists/oss-secu…

Solar Designer Adam 'pi3' Zabrocki LKRG github.com/YuriiCrimson/E… (with the kernel_path fixed) gives me a root shell on a fully patched Debian 12. But with LKRG loaded I see

CVE-2024-31497: PuTTY: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces openwall.com/lists/oss-secu… Affected Products - PuTTY 0.68 - 0.80 - FileZilla 3.24.1 - 3.66.5 - WinSCP 5.9.5 - 6.3.2 - TortoiseGit 2.4.0.2 - 2.15.0 - TortoiseSVN 1.10.0 - 1.14.6

Is Open Source focused threat intelligence - Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IOCs), exploits/rootkits/backdoors in the wild - a desirable topic for oss-security or for a separate mailing list? If separate, where to draw the line (reply)?

Just published slides of Solar Designer's offensivecon keynote talk "Password cracking: past, present, future" openwall.com/lists/announce…

Updated my offensivecon keynote talk slides page to include links to our other related presentations openwall.com/presentations/…

Announcing yescrypt-go, our pure Go reimplementation of yescrypt key derivation function (KDF) and password hashing scheme. Builds upon Dmitry Chestnykh ☮️'s Go scrypt, with yescrypt support added by Solar Designer. Sponsored by Sandfly Security. openwall.com/lists/announce… x.com/SandflySecurit…

We sponsored the porting of the yescrypt Linux password hash algorithm to Go as an open source project. Read more below. This is now part of our agentless password auditor feature on Linux as well.