Open Security News week 12-2025

Cyber security is a complex field. It requires expertise in many different areas, from business sciences to computer science. Security risks are difficult to manage and to control. No matter how much money and how many resources are invested, major disasters due to security breaches remain possible. Simplifying security measures, both tools and processes, is challenging but in the end always pays off.

1. 2FA or not 2FA

Sometimes I see security blogs that trigger me. This is such a blog post. It is a very opinionated view on a key cyber security topic. It has some red flags, but it is not all nonsense. There is almost never a completely wrong or completely right answer. From a technology point of view, however, a completely wrong answer does exist! Still, this article has a valid point: most 2FA-enabled services deploy 2FA to protect the service as a whole, not to protect you as a single user.

(Link)

2. NixOS and reproducible builds could have detected the xz backdoor

In March 2024, a backdoor was discovered in xz, (de)compression software that sits at the core of Linux distributions, where it is regularly used to unpack the source tarballs of packaged software. This is a great write-up of how the xz backdoor worked and how it could have been prevented.

(Link)

3. Servo Security Report: findings and solutions

Servo is a web browser rendering engine written in Rust, with WebGL and WebGPU support, adaptable to desktop, mobile and embedded applications. Every programming language comes with its own specific security risks, and reading this report and its findings gives you, as a security professional, more insight into the kinds of security issues that are specific to Rust. The link is the download URL of the full report.

(Link)

4. The Insecurity of Telecom Stacks

Do not, ever, rely on the security of T-Mobile or other telecommunications companies. Always practice good security principles such as "Defense in Depth" and "Don't trust any network, including your own". This blog is a good reminder of how things work and of how vulnerable mobile networks still are!

(Link)

5. A Win for Encryption: France Rejects Backdoor Mandate

The French National Assembly has done the right thing: it rejected a dangerous proposal that would have gutted end-to-end encryption in the name of fighting drug trafficking. Hopefully other governments and the EU will follow...

(Link)

6. Memory safety for web fonts

This is great news! FreeType is a freely available software library for rendering fonts. It is written in C. Chrome uses the FreeType library to compute metrics and load hinted outlines from fonts. Overall, using FreeType has been a huge win for Google: it does a complex job, and does it well. But because of long-standing memory safety issues, Google will replace it.

(Link)

7. Implications of Global Privacy Control

A promising new draft specification from the W3C. When all companies, even supermarkets with horrible ads, are focused only on capturing all your digital movements and data, it is refreshing to have a specification that prioritizes the needs of the web user. Hopefully a step toward greater transparency and control for web users.

(Link)
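To show what honouring the signal looks like on the server side, here is an added example (not code from the newsletter, the W3C draft, or any vendor). It assumes two things the draft defines: a user agent that has the preference enabled sends the request header `Sec-GPC: 1` (the same preference is exposed in the browser as `navigator.globalPrivacyControl`), and a site can declare that it honours the signal by serving `/.well-known/gpc.json`. The function names (`gpcOptOut`, `handle`, `gpcWellKnown`), the site name `example.test`, the tracker URL `ads.example` and the sample requests are all constructed for this example.

```javascript
// Added example: a minimal request handler that honours Global Privacy Control.
// Assumptions from the GPC draft: the opt-out signal is the request header
// `Sec-GPC` with the single defined value "1"; support is advertised at
// /.well-known/gpc.json as {"gpc": true, "lastUpdate": "YYYY-MM-DD"}.
// All names below (example.test, ads.example, handle, ...) are constructed.

const SITE_NAME = 'example.test'; // constructed site name
const TRACKER_SCRIPT = 'https://ads.example/track.js'; // constructed third-party tracker

// Header names are case-insensitive; normalise keys to lower case once.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True only when the request carries `Sec-GPC: 1`. The draft defines no other
// value, so "0", "true", "yes" or a missing header all mean "no signal".
// If the header was sent more than once, honour the opt-out if any copy is "1":
// when in doubt, err on the side of the user.
function gpcOptOut(headers) {
  const raw = normalizeHeaders(headers)['sec-gpc'];
  const values = Array.isArray(raw) ? raw : raw === undefined ? [] : [raw];
  return values.some((v) => v === '1');
}

// Body for /.well-known/gpc.json: the site states that it honours GPC and when
// that statement was last reviewed (constructed date).
function gpcWellKnown() {
  return { gpc: true, lastUpdate: '2025-03-17' };
}

// Pure request handler: takes {url, headers}, returns {status, headers, body}.
// The response depends on Sec-GPC, so `Vary: Sec-GPC` is set to stop a shared
// cache from serving the tracker-laden page to an opted-out user (or vice versa).
function handle(req) {
  if (req.url === '/.well-known/gpc.json') {
    return {
      status: 200,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify(gpcWellKnown()),
      thirdPartyTrackers: false,
    };
  }
  const optOut = gpcOptOut(req.headers);
  const trackers = optOut ? '<!-- GPC honoured: no third-party tracking -->'
                          : `<script src="${TRACKER_SCRIPT}"></script>`;
  return {
    status: 200,
    headers: { 'content-type': 'text/html; charset=utf-8', vary: 'Sec-GPC' },
    body: `<!doctype html><html><body><h1>${SITE_NAME}</h1>${trackers}</body></html>`,
    thirdPartyTrackers: !optOut,
  };
}

// Constructed sample requests: a GPC-enabled browser, a browser without the
// preference, a malformed value, and a fetch of the well-known resource.
const SAMPLE_REQUESTS = [
  { url: '/', headers: { 'Sec-GPC': '1', 'user-agent': 'gpc-browser' } },
  { url: '/', headers: { 'user-agent': 'plain-browser' } },
  { url: '/', headers: { 'Sec-GPC': 'true' } }, // not a valid signal
  { url: '/.well-known/gpc.json', headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const res = handle(req);
  console.log(req.url, JSON.stringify(req.headers), '->',
              res.thirdPartyTrackers ? 'trackers loaded' : 'no trackers');
}
```

The important detail for anyone wiring this into a real site is the `Vary: Sec-GPC` header: without it a CDN or proxy cache can happily hand an opted-out visitor the page that was rendered for someone who sent no signal.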

8. Infection Monkey

Personally I am not a big fan of Akamai and the services it offers and sells. But it is not all bad: they created and maintain a nice FOSS security tool, Infection Monkey. It is an open-source adversary emulation platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps. A nice tool to check out!

(Link)

9. Analysis of Security in OS-Level Virtualization

This is certainly not a good security research paper imho. But it outlines a clear threat model, and I love the conclusion: "Although continuous effort has been put into hardening the security of the containers, attackers always try to find vulnerabilities within the containerized systems and exploit these vulnerabilities. It doesn't matter how battle-tested these systems are, there is always a chance of an unnoticed vulnerability existing within the systems which the attacker finds and exploits"

(Link)

Our partners:

nocomplexity

The Open Security newsletter is an overview of cyber security news with a core focus on openness. Pointing out what went wrong after a cyber security breach is easy. Designing good and simple measures is hard. So join the Open Security Reference Architecture collaboration project to create better solutions together, or become a partner to support this project. Use our RSS or ATOM feed to follow Open Security News.