Jons Mostovojs @jonn@social.doma.dev

Today we are very proud to announce that the United Nations has switched from Google Forms to CryptPad Form for collecting endorsements on the UN Open Source Principles: https://unite.un.org/news/sixteen-organizations-endorse-un-open-source-principles

CryptPad Form is a full-fledged application allowing you to build privacy-preserving questionnaires for your respondents.

Try it for free, without even registering an account, on our CryptPad.fr flagship instance!

#UnitedNations #UN #Privacy #OpenSource #Forms #Studies #FOSS

Interesting Git repos of the week:

Detection:

* https://github.com/tstromberg/ucd - hunt for unauthorised changes
* https://github.com/mnrkbys/fjta - check for anomalies in your FS timeline

Exploitation:

* https://github.com/hardenedlinux/tzram-audit - audit your TrustZone implementatation

Nerd:

* https://gist.github.com/halcy/b4f455ef05c4c36906107e9367b8dd63 the Fediverse in FUSE

#security, #research, #code

We’re all trying to find the collaborators who did this.

https://mastodon.social/@hanse_mina/114226655742304795

Wow, this Pixelfed bug is *nasty*. Allowed users to access private posts of remote users they're not following so long as another user on the same Pixelfed server legitimately followed that account.

If you're running a Pixelfed server, definitely upgrade immediately now that the vulnerability is publicly known.

https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

@arstechnica@mastodon.social 1st, Code Berg, is an alternative to GitHub, but located in Germany.

That is where I have been working on a list of digital service providers, outside Us Jurisdiction. It has not been easy. Often you will find "company 1" is located in "France" (random example), but is owned by another company in "Germany" (random example), which is ultimately owned by a company in the United States.

In making my list, I have learned just how much people "simp" for a corporation. It is that tribe mindset folks have. You point out how their own TOS (terms of services) quote either an address in the United States, or quotes a bunch of laws in the United States, and people still want you to list their company because "reasons" (insert random excuse). I am sure, they're happy with their service provider, but the whole point is to come up with a list of service providers, outside Us Jurisdiction (laws).

Here is my list. It is open source and a community effort. https://codeberg.org/Linux-Is-Best/Outside_Us_Jurisdiction

@TimePencil@infosec.exchange @jonn@social.doma.dev @signalapp@mastodon.world @nixCraft@mastodon.social

I cannot say, how much people should or should not trust Signal, but I can confirm, you should not trust, WhatsApp.

@jonn@social.doma.dev @nixCraft@mastodon.social

I have been making a list of digital service providers outside Us Jurisdiction. Part of that list, includes encrypted messages https://codeberg.org/Linux-Is-Best/Outside_Us_Jurisdiction/src/branch/main/Encrypted_Messages.md

@DemocracyMattersALot HAHAHAHAHAHA!!!! They only made it like 3 days!

Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps.

Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone.

You can find links to the advisory and queries for runZero at: https://www.runzero.com/blog/next-js/

How rich people avoid paying tax

(Originally by Instgram user @newmoney.blog)

Earlier, I reminded people that Dot Com, Net, Org, Info, Us, and Edu are all govern by the United States. I also reminded folks that, word-based domain extensions, for example, Dot Social, are managed by Us Corporations. I suggested, it may be a good idea, if you're looking to start a new website, to not only find an overseas web host, but pick a country level domain.

Someone accused this of "Fearmongering".

I come to the Fediverse to enjoy social media, since I spend 8–12 hours working for Meta (Facebook). The Fedi is a good distraction of the nonsense that I see and encounter at work.

For example, the word "protest" is now being monitoring there. We're actively helping a fascist regime track people. That same fascist regime who is threatening Canada, Greenland, and other such nonsense.

I am not Fearmongering. I am sharing events that are unfolding, along with some valued foresight. Things are changing in our world, and not for the better.

Periodic tiny reminder that you do not have to (and actually shouldn't) give your own name to your devices.

Give them their own unique names.

Your privacy will be better for it,
and they'll be happier

#Privacy

@jonn well as you might remember I do have my own style guide (written version extremely out of date, but still) with some specific reasoning behind it, primarily focusing on things being readable at a glance.

So with that mindset if I do manually break an expression into separate lines, it's probably because I believe that is the best level to break it to outline the logic for the next reader.

I might be wrong in a particular instance, but I'm certainly less wrong than "this fits in one line so fuck you it's one line now, except the .into(), that seems important enough to go on the next one".

Victory for Privacy and Security in France

End-to-end encryption will continue to be available in France, as the assembly overwhelmingly voted against (119 votes against, only 24 in favor) an amendment to legislation fighting drug trafficking which required backdoors in encrypted messengers.

https://www.lemonde.fr/societe/article/2025/03/21/l-assemblee-vote-pour-le-maintien-de-la-confidentialite-des-messageries-cryptees-lors-d-une-nuit-agitee_6584121_3224.html