starkzarn's Avatar

starkzarn

@roguesecurity.dev.bsky.social

hacker of things | printer of plastic | wizard of linux | leader of assurance

15 Followers  |  120 Following  |  25 Posts  |  Joined: 11.02.2025  |  1.987

Latest posts by roguesecurity.dev on Bluesky

Preview
How to Run Custom Linux Images on Oracle Free Tier Bypass the Oracle free-tier limitation of running only Linux distributions provided by Oracle by sideloading a QCOW2 image to a boot volume and attaching it to a new instance.

roguesecurity.dev/blog/custom-...

A quick writeup on a hacky but effective method of bypassing Oracle's restrictions on #Linux distro use in their free tier. I don't trust them, but I'll happily burn some of their compute.

#selfhosting #cloud #OpenSuse

19.11.2025 03:42 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

I have not, but maybe I don't follow. I have only seen QR used for onboarding passkeys, never authenticating with them. Untrusted devices and BLE connections seems equally strange as far as threat modeling goes, to me. Have not found it in the Bitwarden docs either. Enlighten me?

27.10.2025 15:21 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

Love @bitwarden.bsky.social
I'm already a user and a fan! I use it for the few things that have passkeys in my life currently, but I still don't agree with the overarching implementation of passkeys.

23.10.2025 19:27 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

I'm a user and general fan of Bitwarden -- self-hosted. It works great for me, but it still means that to use it on a "guest" device, I need to access my password manager *on that device*. The alternative being accessing my password manager on my trusted device (my phone), and transposing the data.

23.10.2025 19:26 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

Passkeys are all well and good until you need to access a service on another device.

When did we sign up to be chained to a phone or endpoint with access to a service that manages passkeys?

I get the benefit, but it feels like entrapment was engineered into the workflow.

23.10.2025 16:19 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
The fourth monkey has emerged. He sees no one, hears no one and speaks to no one.

The fourth monkey has emerged. He sees no one, hears no one and speaks to no one.

22.10.2025 21:15 β€” πŸ‘ 138    πŸ” 32    πŸ’¬ 4    πŸ“Œ 1
Preview
End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody Start-to-finish guide for setting up a modern XMPP (Jabber) Server to facilitate E2EE chat on your own infrastructure, podman style

After a bit of a break, I've got a new homelab post in the books on #XMPP

Take control of your chat experience with #E2ee and own your data. Maybe relevant for those potentially affected by a future #chatcontrol ruling.

Check it out, let me know what you think!

roguesecurity.dev/blog/xmpp

13.10.2025 20:35 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

It's like planting a tree. The best time to do it was yesterday.

07.10.2025 17:13 β€” πŸ‘ 1    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

I know it’s been said again and again, but what does it say about ChatControl that its backers keep explicitly *exempting* law enforcement and national security accounts from content scanning?

17.09.2025 17:10 β€” πŸ‘ 95    πŸ” 41    πŸ’¬ 3    πŸ“Œ 8

So by proxy, RC4 with Kerberos is bad.

16.09.2025 17:17 β€” πŸ‘ 2    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

RC4 used with Kerberos isn't the fundemental flaw we think. Yes, RC4 is deprecated, but the real issue is the key generation for AES v RC4 for cracking (Kerberoasting). With RC4 the key = password hash. With AES it is 4096 rounds of hashing of hash+username+domain. The 4096 rounds matters, a lot!

16.09.2025 17:14 β€” πŸ‘ 8    πŸ” 2    πŸ’¬ 1    πŸ“Œ 0
Preview
Zero Day Initiative β€” The September 2025 Security Update Review There’s a crispness in the air – at least here in North America – and with it comes the latest security patches from Adobe and Microsoft. Take a break from your scheduled activities and join us as we ...

It's a moderate release from both #Adobe and #Microsoft, but there's still lots to cover. Join @dustinchilds.bsky.social as he breaks down the September Patch Tuesday and highlights some fixes that require some extra attention. www.zerodayinitiative.com/blog/2025/9/...

09.09.2025 19:08 β€” πŸ‘ 2    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
Preview
Meet Rayhunter: A New Open Source Tool from EFF to Detect Cellular Rayhunter is a new open source tool we’ve created that runs off an affordable mobile hotspot that we hope empowers everyone, regardless of technical skill, to help search out cell-site simulators

We know very little about how cell-site simulators (CSS), devices that masquerade as legitimate cell-phone towers, are being deployed in the US or globally, but with Rayhunter, we hope to change that. www.eff.org/deeplinks/2...

26.08.2025 22:56 β€” πŸ‘ 228    πŸ” 87    πŸ’¬ 4    πŸ“Œ 3
Preview
Cyd 1.1.21 released | Cyd Docs We're pleased to announce Cyd 1.1.21 is released. Here's what's new:

Cyd 1.1.21 is out. This is a bug fix release resolving issues importing from X export files and in migrating media to Bluesky:
docs.cyd.social/blog/cyd-1.1...

Thank you to the bug reporters!

24.08.2025 21:52 β€” πŸ‘ 10    πŸ” 4    πŸ’¬ 2    πŸ“Œ 0

Ah yes, the life of a cybersecurity pro. Here to be hated...

18.08.2025 21:01 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
SystemD Service Hardening Discover additional security options for systemd units, to include quadlets. These options are everything from system permissions, time manage, BPF, syscall & seccomp filters, etc., all to make your s...

Another #selfhosting blog down, this time some casual notes on #systemd #security. Love it or hate it, systemd is a big player in the bulk of Linux systems out there, and these are a few notes on how to lock down some of the defaults.

roguesecurity.dev/blog/systemd...

11.08.2025 22:14 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
GitHub is no longer independent at Microsoft after CEO resignation GitHub will be part of Microsoft’s AI engineering team

This is big. GitHub is no longer independent at Microsoft after CEO resignation: GitHub CEO Thomas Dohmke has resigned, and now GitHub will be part of Microsoft’s core AI engineering team. Github is no longer independent company.

www.theverge.com/news/757461/...

11.08.2025 17:12 β€” πŸ‘ 122    πŸ” 79    πŸ’¬ 10    πŸ“Œ 21
Page logo: SONICWALL Title: Recommended Mitigation Steps. Until further notice, we strongly advise all partners and customers using Gen 7 SonicWall firewalls to take the following actions: **1. Disable SSLVPN Services Where Practical** Callout box: NOTE: All other steps below should still be followed even if disabling SSLVPN is not viable.

Page logo: SONICWALL Title: Recommended Mitigation Steps. Until further notice, we strongly advise all partners and customers using Gen 7 SonicWall firewalls to take the following actions: **1. Disable SSLVPN Services Where Practical** Callout box: NOTE: All other steps below should still be followed even if disabling SSLVPN is not viable.

So the official SonicWall mitigation leads with "turn it off" ? ooooof.

04.08.2025 18:40 β€” πŸ‘ 3    πŸ” 5    πŸ’¬ 2    πŸ“Œ 0

Don't give your government issued Id to YouTube.

31.07.2025 16:13 β€” πŸ‘ 89    πŸ” 24    πŸ’¬ 2    πŸ“Œ 1
Preview
"Meshtrics:" A Nosy Neighbor's Guide to Meshtastic Airtime Metrics in Grafana Start using Prometheus metrics from a PC-connected Meshtastic node to keep tabs on the local mesh in your area. Discover which nodes are misconfigured, hogging airtime, and see patterns in high-use ti...

roguesecurity.dev/blog/meshtas...

Check out my take on grokking metrics for @meshtastic.org using @grafana.bsky.social dashboards with @prometheus.io. Figure out who your top mesh offenders by keeping tabs on nearby nodes, all with pretty dashboards.

28.07.2025 15:37 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

It's easy to bash vulnerabilities with logos but... I couldn't resist, say hello to http1mustdie.com :)

18.07.2025 12:56 β€” πŸ‘ 13    πŸ” 3    πŸ’¬ 2    πŸ“Œ 0
OPNsense 25.7 released OPNsense 25.7 released

#OPNsense 25.7 "Visionary Viper" is now available.

23.07.2025 11:10 β€” πŸ‘ 23    πŸ” 5    πŸ’¬ 3    πŸ“Œ 0

Being in tech and having a single modicum of critical thinking is just screaming "this isn't what LLMs are designed for" over and over as people shove a bunch of word predictors into critical decision making processes because some glorified used car salesmen told them it would fix all their problems

23.07.2025 18:10 β€” πŸ‘ 3918    πŸ” 1352    πŸ’¬ 52    πŸ“Œ 33
Post image Post image

EFF's @tsnvaa.bsky.social will be sharing the history of Flock in the U.S. and the growing risks and concerns with the technology at this teach-in for the Denver community on 7/15 from 6-8pm MT. You can join online at bit.ly/FLOCKteachin.

10.07.2025 20:03 β€” πŸ‘ 130    πŸ” 67    πŸ’¬ 3    πŸ“Œ 3

@garmin.com what's your take on this? how are you going to guarantee you're keeping customer data safe?

10.07.2025 17:02 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Monarch Lisa looking a bit disheveled

Monarch Lisa looking a bit disheveled

Good morning! β˜•οΈβ˜•οΈβ˜•οΈβ˜•οΈβ˜•οΈ

03.07.2025 13:34 β€” πŸ‘ 1253    πŸ” 153    πŸ’¬ 24    πŸ“Œ 11
Preview
Kennedy guts CDC's vaccine panel of independent experts The Advisory Committee for Immunization Practices helps the agency make recommendations on who should get certain vaccines.

An outspoken vaccine conspiracy theorist just fired every last member of CDC's vaccine advisory committee.

RFK Jr. is paving the way to reshape vaccine policy based not on decades of science, but on his own unhinged fanaticism.

This is unprecedented, and unthinkably dangerous.

09.06.2025 21:22 β€” πŸ‘ 1999    πŸ” 746    πŸ’¬ 143    πŸ“Œ 64
Preview
Monitor your AREDN Node with Prometheus and Grafana Utilize the newly added prometheus metrics exporter in the AREDN firmware to add analytics and performance metrics to Grafana. Read about the metrics endpoint and a basic dashboard to monitor performa...

This week I'm combining data enthusiast homelab metrics with @grafana.bsky.social and #arednmesh #hamradio goodness, by setting up @prometheus.io collection of performance metrics of your AREDN node and displaying them in Grafana! Homelabbers and hams unite!

roguesecurity.dev/blog/aredn-m...

09.06.2025 01:41 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Last night I went to see Mission Impossible: Final Reckoning, where a rogue AI takes over the entire US nuclear arsenal, and all I could think was: this shit wouldn’t have happened if they’d published ISO 19790:2025 for free.

03.06.2025 16:47 β€” πŸ‘ 62    πŸ” 12    πŸ’¬ 1    πŸ“Œ 0
Preview
Intercept and Monitor TLS Traffic with mitmproxy Using Podman Leverage podman containers to force TLS traffic through mitmproxy for content inspection inside the encrypted transport. See application traffic in plaintext!

Today's tech blog post stepped away from homelabbing and toward #bugbounty and #pentest methodologies. Inspect the juicy interior of TLS encrypted traffic with #mitmproxy and #podman.

roguesecurity.dev/blog/mitmpro...

26.05.2025 15:33 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

@roguesecurity.dev is following 20 prominent accounts