#softwaresecurity

“Car buyers get to see a window sticker—known as a Monroney sticker—when making purchasing decisions. Software buyers could benefit from their own “window sticker” when making purchasing decisions so that, just like with a car, they can see different “crash test ratings,” the origin of parts, and which features are available... This article explores what such a “window sticker” might look like in the context of [exploits]… by malicious actors.” #softwaresecurity #rating
mastodon.social/@lawfare/11502

Lawfare (@lawfare@mastodon.social) · Despite repeated wake-up calls to the threat of vulnerable software, security weaknesses in software continue to be exploited by threat actors. Adam Isles explores how more transparency for buyers on use performance measures could drive better security in software products. https://www.lawfaremedia.org/article/a--window-sticker--for-software

One of my almae matres (?) is hiring!

From the LinkedIn announcement:

"The Computer Science department at UCLouvain (Belgium) will soon open three full-time faculty positions targeting excellent profiles in the following domains:

- 2 Positions in one or more of these areas:
=> Software engineering,
=> Programming systems and languages,
=> Software dependability, including formal methods.

- 1 Position in software security and cybersecurity, also broadly construed (e.g., system security, cyber-physical systems security, AI for security & security for AI, privacy, distributed systems security, etc.).

The three positions will be open to all seniority levels (assistant/associate or full)."

linkedin.com/posts/icteam-uclo

I loved the year that I spent at Université catholique de Louvain! I learned so much there, and every time I am back, I am welcomed with such open arms by the lovely people there. I'm happy where I am now at TU Delft, but seeing this announcement, my heart jumped and I admit that I did quickly check my profile against the positions that are opening.

#AcademicJobs #GetFediHired #AcademicMastodon #AcademicJob #SoftwareEngineering #ProgrammingLanguages #FormalMethods #SoftwareSecurity #CyberSecurity #Belgium #LLN #UniversitéCatholiquedeLouvain
#AcademicChatter

LinkedIn · Three Faculty Permanent Positions Opening at ICTEAM - UCLouvain in Fall 2025 | ICTEAM - UCLouvain. Applications will open in Fall 2025 and will be handled exclusively through the UCLouvain portal: https://lnkd.in/eDaYY-hr

Claude Code's "natural language programming" marketing perpetuates a dangerous myth that technical complexity can be abstracted away through conversational interfaces.

This represents a fundamental misunderstanding: software systems require deep comprehension for reliable operation and maintenance.

Cognitive offloading to AI agents creates systemic technical debt and security vulnerabilities.

In 1984, Ken Thompson (co-creator of Unix) revealed a mind-bending idea: a compiler that could inject a backdoor into any program it compiled — even if the source code was clean. Worse, the compiler itself could be compiled from a backdoored compiler, making the malicious code invisible in both the program and its build tools. His lecture, “Reflections on Trusting Trust,” remains one of the most important warnings in software security history.
#KenThompson #TrustingTrust #SoftwareSecurity #HackingLore #CompilerHacks

📺 For last-minute joiners: the #INNOQTechnologyLunch starts at 12:15, and today it is all about authorization. RBAC, ABAC, ReBAC, PBAC: in his talk, Dominik Guhr gives a compact overview of the different authorization models.

📍 Livestream with Q&A on YouTube and LinkedIn

👉 Register now and tune in from the comfort of your home office: meetup.com/innoq-technology-lu

AI Coding Assistants Can be Both a Friend & a Foe

New research shows that GitLab's AI assistant, Duo, can be tricked into writing malicious code and even leaking private source data through hidden instructions embedded in developer content like merge requests and bug reports.

How? Through a classic prompt injection exploit that inserts secret commands into code that Duo reads. This results in Duo unknowingly outputting clickable malicious links or exposing confidential information.

While GitLab has taken steps to mitigate this, the takeaway is clear: AI assistants are now part of your attack surface. If you’re using tools like Duo, assume all inputs are untrusted, and rigorously review every output.

Read the details: arstechnica.com/security/2025/

Ars Technica · Researchers cause GitLab AI developer assistant to turn safe code malicious. By Dan Goodin

The Cyber Resilience Act (CRA) is shifting the burden of responsibility for open-source security. This is a necessary step. The easyjson discussion underscores that "free stuff" is not "free of responsibility". We, as software builders, must prioritize proactive risk assessment and due diligence. Josh Bressers' latest blog post delves into this and advocates for a more mature approach to open-... anchore.com/blog/easyjson-and- #CyberResilienceAct #opensource #softwaresecurity #riskmanagement #compliance

⚠️ The EU 🇪🇺 to launch its own vulnerability database because the US is dropping the ball 🇺🇸 😢 — and the timing couldn’t be more telling 🛡️

In response to growing digital sovereignty concerns, NIS2 compliance, and calls for vendor accountability, the EU is building a public vulnerability catalog. The goal?
📂 Track and disclose security bugs across government, industry, and open source
🔍 Complement—not compete with—the CVE Program
📊 Increase trust, transparency, and resilience within the bloc

But let’s be honest:
🤝 Multiple public vuln databases means we must align identifiers, disclosure standards, and data feeds—or risk fragmentation
💡 Transparency is great, but what about verification, consistency, and maintenance?
📉 And if vendors or agencies self-report, how do we ensure accuracy or prevent omission?

Done right, this could increase pressure on lagging suppliers and elevate accountability. But if we don’t connect the dots globally, we may just multiply confusion.

What do you think: smart evolution or coordination nightmare?

#CyberSecurity #VulnerabilityManagement #EU #CVE #NIS2 #SoftwareSecurity #Governance #security #privacy #cloud #infosec
theregister.com/2025/05/13/eu_

The Register · As US vuln-tracking falters, EU enters with its own security bug database. By Jessica Lyons