Harry Sintonen

@harrysintonen@infosec.exchange
mastodon 4.6.0-alpha.5+glitch

Infosec consultant at REVƎЯSEC https://reversec.com - Coding, Research + various other interests

0 Followers
0 Following
Joined November 18, 2022
PGP:
https://sintonen.fi/pgpkey.txt
Research:
https://sintonen.fi/advisories/
Github:
https://github.com/piru

Posts

@harrysintonen@infosec.exchange · 6d ago

#RFC9849: TLS Encrypted Client Hello was published 2026-03-03. Now let's make servers and clients use it to improve #privacy for everyone.

https://datatracker.ietf.org/doc/rfc9849/

@harrysintonen@infosec.exchange · Feb 27, 2026

This should be obvious for everyone by now, but if you're not from the US you must assume that all your use of US AI services (#ChatGPT, #Claude, #Gemini etc) is fed directly to US intelligence services.

"We may share your Personal Data, including information about your interaction with our Services, with government authorities ... in compliance with the law (i)" (OpenAI)

"We may disclose personal data to governmental regulatory authorities as required by law" (Claude)

"We will share personal information outside of Google ... to: Respond to any applicable law, regulation, legal process, or enforceable governmental request" (Gemini)

The amount of valuable information fed to the systems voluntarily is staggering. It's not a matter of "if" it is happening, but "of course it is". It would be outright negligent if they weren’t capturing and disseminating it all.

https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act#Without_a_court_order
https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act#Amendments

#privacy

@harrysintonen@infosec.exchange · Feb 26, 2026

You should always consider network transport just that: a transport. It's not a security control. You should always use encryption on top of the transport, no matter the type. HTTPS is good, VPN is even better.

@arstechnica@mastodon.social
"New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises"

https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/

paper: https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf

#infosec #cybersecurity #airsnitch

@harrysintonen@infosec.exchange · Feb 26, 2026

Retroactively changing the role of a token or key is a very bad idea.

https://trufflesecurity.com/blog/google-api-keys-werent-secrets-but-then-gemini-changed-the-rules

#google #googleapikeys #infosec #cybersecurity

@harrysintonen@infosec.exchange · Feb 25, 2026

The Finnish Post #omaposti login is down. There are reports of people seeing messages and other information belonging to other people. According to reports Posti is investigating.

It is likely that the login has been deliberately taken down to prevent further leaks due to the fault.

Source: https://www.is.fi/digitoday/art-2000011842248.html (in Finnish)

#privacy

@harrysintonen@infosec.exchange · Feb 24, 2026

The x86css demonstrates complex computation in CSS alone. I can think of a couple of interesting applications for this: Since computation is possible this could potentially be used as a covert side-channel, even when JavaScript execution is disabled.

https://lyra.horse/x86css/

#hacking #infosec #cybersecurity

@harrysintonen@infosec.exchange · Feb 22, 2026

I guess I need to address this: Any dm requesting donations will get you blocked and reported - legitimate or not.

@harrysintonen@infosec.exchange · Feb 21, 2026

But of course we can't have nice things: "Warner Bros Discovery Removes Babylon 5 from YouTube After Brief Free Run" https://cordcuttersnews.com/warner-bros-discovery-removes-babylon-5-from-youtube-after-brief-free-run/

#babylon5 #scifi

@harrysintonen@infosec.exchange · Feb 20, 2026

WSJ - "What It Takes to Build a Modern Nuclear Shelter for 7K People" - https://www.youtube.com/watch?v=4tRfqm916BU

#readiness #shelter #nuclearshelter

@harrysintonen@infosec.exchange · Feb 19, 2026

Reading up on the aes-js and pyaes IV issues discovered by @trailofbits@infosec.exchange I remembered something I ran into many moons ago (maybe about 15 years ago):

I discovered some prod C# encryption code that used a fixed salt in key&iv derivation code. It used a salt of 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76.

This code was obviously copy-pasted from a 2003 codeprojects.com post and the example code used verbatim, without understanding the implications.

Anyway, this is kind of similar, but just immeasurably worse: https://blog.trailofbits.com/2026/02/18/carelessness-versus-craftsmanship-in-cryptography/

#enshittification #cryptography #encryption

@harrysintonen@infosec.exchange · Feb 17, 2026

The Finnish Digital and Population Data Services Agency (DVV) doesn't recommend issuing 10-year passports due to current passport technology not employing post-quantum #cryptography (#PQC).

Statement from DVV (in Finnish):
https://dvv.fi/documents/16079645/256293604/SM02000-2025-DVV%20lausunto%202026-02-16.pdf

@harrysintonen@infosec.exchange · Feb 14, 2026

This is exactly the problem with trusting US companies right now. They will comply with these "lawful access requests", regardless of how outrageous they are.

The Intercept: "Google Fulfilled ICE Subpoena Demanding Student Journalist’s Bank and Credit Card Numbers" - https://theintercept.com/2026/02/10/google-ice-subpoena-student-journalist/

The only recourse you have as a consumer is to switch away from these US services. It can be tricky as many have built their digital identity on top of the US services, self-hosting requires expertise and knowing which alternatives to trust is difficult. @privacyguides@mastodon.neat.computer has some helpful guides for this: https://www.privacyguides.org/

#privacy #google #privacyguides

@harrysintonen@infosec.exchange · Feb 13, 2026

Finland's Emergency Response Centre Agency's 112 Suomi application will get a new feature to alert about airborne threats.

Source: https://intermin.fi/en/-/further-development-of-112-suomi-app-to-draw-on-lessons-from-ukraine (in English)

Information about the 112 Suomi app:
https://112.fi/en/112-suomi-application

#preparedness #emergencyresponse

@harrysintonen@infosec.exchange · Feb 06, 2026

Apparently AMD's AutoUpdate downloads the updates over HTTP and executes them without any validation (presumably as SYSTEM user). AMD was notified of the vulnerability but according to them "attack requiring physical access to victim's computer/device, man in the middle or compromised user accounts" are out of scope. Madness.

source: https://mrbruh.com/amd/

#vulnerability #infosec #cybersecurity

@harrysintonen@infosec.exchange · Feb 06, 2026

There's a Finnish citizens’ initiative for digital sovereignty. The initiative proposes a law to outlaw the use of non-EU service providers and software for critical government functions. More details at https://www.kansalaisaloite.fi/fi/aloite/16691 (in Finnish) https://www.kansalaisaloite.fi/sv/initiativ/16691 (in Swedish)

Meanwhile, Meta blocked the Threads account of the initiative: @digitaalinenitsenaisyys@mementomori.social

#citizensinitiative #digitalsovereignty

@harrysintonen@infosec.exchange · Feb 02, 2026

Apparently a state-sponsored group was using Notepad++ update functionality to infect targeted people.

"According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers."

source: https://notepad-plus-plus.org/news/hijacked-incident-info-update/

#infosec #cybersecurity