Latest IronFox for Android update
Updated to Firefox 138.0.
Updated to Phoenix 2025.04.27.1. - (See changes from the last IronFox release)
Added a toggle under Privacy and security in settings to control Safe Browsing. Note that this requires a restart to take effect.
Added toggles under Privacy and security -> Site settings to control JavaScript, JIT, and WebAssembly. (Note that the JIT toggle requires a restart to take effect). Due to the addition of these toggles, we've now enabled WebAssembly by default (due to the notable breakage it causes), though users are recommended to disable it if possible to improve security. JIT will remain disabled by default.
Neutered the mozAddonManager API to restrict its capabilities and limit the data shared with Mozilla, while still allowing users to install extensions from addons.mozilla.org.
We now harden FPP (Fingerprinting Protection) and set our overrides to unbreak websites internally, instead of using the privacy.fingerprintingProtection.granularOverrides & privacy.fingerprintingProtection.overrides preferences like we have previously. This makes it far easier for users to add their own overrides if needed. If you have previously configured either of these preferences, it is highly recommended to reset them after updating to these release. If you would like to disable our overrides to unbreak websites (as well as Mozilla's), you can do so by setting privacy.fingerprintingProtection.remoteOverrides.enabled to false in your about:config.
Added a Quick fixes list to uBlock Origin by default to allow us to work-around/fix issues caused by our default config significantly faster (while we wait on the upstream list maintainers to fix the issues...).
Implemented LibreWolf's Remote Settings Blocker patch to allow us (and users) to limit what collections are read/downloaded from Mozilla, and reduce the data shared. Users can configure this from the browser.ironfox.services.settings.allowedCollections preference in the about:config, though we would not recommend editing this unless necessary, as the collections we allow by default were carefully considered and provide important functionality, including for security.
Improved visibility of domains in the URL bar to better protect against phishing. - (Thanks to @mimi89999! 💜)
Significantly improved upon and expanded Mozilla's built-in certificate pinning to protect against MITM attacks. If you're a website operator and would like your domain to be added or want to request details be changed, please file an issue!
Took back control of all Safe Browsing preferences, meaning these can now be freely controlled by the users from the about:config (with the exception of browser.safebrowsing.malware.enabled & browser.safebrowsing.phishing.enabled - these are controlled by the new toggle in Settings). For example, users can now set their own custom Safe Browsing provider if desired, disable our proxy and revert back to Google's standard domains, etc...
Hardened the internal PDF Viewer (PDF.js) with changes inspired by GrapheneOS's PDF Viewer. - #79
Disabled CSP Reporting to improve privacy, reduce undesired network activity, and limit the data shared with website operators.
Enabled Proxy Bypass Protection to help prevent leaks for proxy users.
Fixed a bug that caused cookies/site data and permissions to always clear on exit, regardless of their check boxes/values set by users.
Disabled Firefox's new Unified Trust Panel redesign for the menu that appears when you select the lock icon on the top left of the URL bar by default, due to phishing concerns (as it unfortunately doesn't currently display the full URL if it's too long). - You can re-enable this if preferred by navigating to IronFox's Settings -> About IronFox -> Tap IronFox's logo at the top 5 times, then go back to Settings -> Secret Settings -> Unified Trust Panel.
Disabled the com.widevine.alpha key system (MediaDrm).
Disabled Mozilla's GeoIP/Region Service to prevent Firefox from monitoring the user's region/general location and reduce unwanted network activity.
Updated to Firefox 138.0.
Updated to Phoenix 2025.04.27.1. - (See changes from the last IronFox release)
Added a toggle under Privacy and security in settings to control Safe Browsing. Note that this requires a restart to take effect.
Added toggles under Privacy and security -> Site settings to control JavaScript, JIT, and WebAssembly. (Note that the JIT toggle requires a restart to take effect). Due to the addition of these toggles, we've now enabled WebAssembly by default (due to the notable breakage it causes), though users are recommended to disable it if possible to improve security. JIT will remain disabled by default.
Neutered the mozAddonManager API to restrict its capabilities and limit the data shared with Mozilla, while still allowing users to install extensions from addons.mozilla.org.
We now harden FPP (Fingerprinting Protection) and set our overrides to unbreak websites internally, instead of using the privacy.fingerprintingProtection.granularOverrides & privacy.fingerprintingProtection.overrides preferences like we have previously. This makes it far easier for users to add their own overrides if needed. If you have previously configured either of these preferences, it is highly recommended to reset them after updating to these release. If you would like to disable our overrides to unbreak websites (as well as Mozilla's), you can do so by setting privacy.fingerprintingProtection.remoteOverrides.enabled to false in your about:config.
Added a Quick fixes list to uBlock Origin by default to allow us to work-around/fix issues caused by our default config significantly faster (while we wait on the upstream list maintainers to fix the issues...).
Implemented LibreWolf's Remote Settings Blocker patch to allow us (and users) to limit what collections are read/downloaded from Mozilla, and reduce the data shared. Users can configure this from the browser.ironfox.services.settings.allowedCollections preference in the about:config, though we would not recommend editing this unless necessary, as the collections we allow by default were carefully considered and provide important functionality, including for security.
Improved visibility of domains in the URL bar to better protect against phishing. - (Thanks to @mimi89999! 💜)
Significantly improved upon and expanded Mozilla's built-in certificate pinning to protect against MITM attacks. If you're a website operator and would like your domain to be added or want to request details be changed, please file an issue!
Took back control of all Safe Browsing preferences, meaning these can now be freely controlled by the users from the about:config (with the exception of browser.safebrowsing.malware.enabled & browser.safebrowsing.phishing.enabled - these are controlled by the new toggle in Settings). For example, users can now set their own custom Safe Browsing provider if desired, disable our proxy and revert back to Google's standard domains, etc...
Hardened the internal PDF Viewer (PDF.js) with changes inspired by GrapheneOS's PDF Viewer. - #79
Disabled CSP Reporting to improve privacy, reduce undesired network activity, and limit the data shared with website operators.
Enabled Proxy Bypass Protection to help prevent leaks for proxy users.
Fixed a bug that caused cookies/site data and permissions to always clear on exit, regardless of their check boxes/values set by users.
Disabled Firefox's new Unified Trust Panel redesign for the menu that appears when you select the lock icon on the top left of the URL bar by default, due to phishing concerns (as it unfortunately doesn't currently display the full URL if it's too long). - You can re-enable this if preferred by navigating to IronFox's Settings -> About IronFox -> Tap IronFox's logo at the top 5 times, then go back to Settings -> Secret Settings -> Unified Trust Panel.
Disabled the com.widevine.alpha key system (MediaDrm).
Disabled Mozilla's GeoIP/Region Service to prevent Firefox from monitoring the user's region/general location and reduce unwanted network activity.
Internet News
Netscape Unveils Enterprise Management Tools | Internet News
Netscape Communications Corp. is now shipping its Mission Control Desktop 4.5, a new collection of enterprise tools, with its Communicator Pro management
Disabled system extensions & system policies at build-time.
Disabled & removed the build dependency on legacy AutoConfig functionality (also known as Mission Control Desktop, debuted in Netscape Communicator 4.5... https://www.internetnews.com/enterprise/netscape-unveils-enterprise-management-tools/) to reduce attack surface and reliance on legacy code.
Disabled more unnecessary debugging/development features at build-time.
Explicitly disabled SpiderMonkey performance telemetry at build-time.
Enabled mobile optimizations at build-time.
Updated the onboarding to remove Privacy Policy/Terms of Use references, and replaced the Firefox logo (and certain other elements) with our own.
Removed Swisscows as a default search engine due to concerns regarding false marketing of their VPN and spreading false claims about other services, such as Signal.
Other minor tweaks, fixes, & adjustments.
https://gitlab.com/ironfox-oss/IronFox/-/releases
Disabled & removed the build dependency on legacy AutoConfig functionality (also known as Mission Control Desktop, debuted in Netscape Communicator 4.5... https://www.internetnews.com/enterprise/netscape-unveils-enterprise-management-tools/) to reduce attack surface and reliance on legacy code.
Disabled more unnecessary debugging/development features at build-time.
Explicitly disabled SpiderMonkey performance telemetry at build-time.
Enabled mobile optimizations at build-time.
Updated the onboarding to remove Privacy Policy/Terms of Use references, and replaced the Firefox logo (and certain other elements) with our own.
Removed Swisscows as a default search engine due to concerns regarding false marketing of their VPN and spreading false claims about other services, such as Signal.
Other minor tweaks, fixes, & adjustments.
https://gitlab.com/ironfox-oss/IronFox/-/releases
GitLab
feat: Ensure system extensions + system policies are disabled (a2087a1e) · Commits · IronFox OSS / IronFox · GitLab
Signed-off-by: celenity
Forwarded from cKure
■■■■□ A proof-of-concept program has been released to demonstrate a so-called monitoring "blind spot" in how some Linux antivirus and other endpoint protection tools use the kernel's io_uring interface.
That interface allows applications to make IO requests without using traditional system calls. That's a problem for security tools that rely on syscall monitoring to detect threats.
https://developers.redhat.com/articles/2023/04/12/why-you-should-use-iouring-network-io
https://www.theregister.com/2025/04/29/linux_io_uring_security_flaw/
That interface allows applications to make IO requests without using traditional system calls. That's a problem for security tools that rely on syscall monitoring to detect threats.
https://developers.redhat.com/articles/2023/04/12/why-you-should-use-iouring-network-io
https://www.theregister.com/2025/04/29/linux_io_uring_security_flaw/
The Register
Watch out for any Linux malware sneakily evading syscall-watching antivirus
: Google dumped io_uring after $1M in bug bounties
Forwarded from Hacker News
Must read for tg user!!! 😤😡😈🤮
https://tginfo.me/esafety-analysis-en/ telegram will read all messages including private messages
https://tginfo.me/esafety-analysis-en/ telegram will read all messages including private messages
Telegram Info
Some Details About Moderation in Telegram From Australian Regulator’s Investigation
An excerpt of the most interesting facts from eSafety's investigation into how Telegram moderation works
Forwarded from ATT • Tech News (Agam)
Microsoft is making Office apps load at startup
Microsoft is introducing "Startup Boost" for Office apps, beginning with Word in mid-May 2025. It will enhance load times by preloading the apps at Windows startup. It is only available for PCs having at least 8GB of RAM and 5GB of free disk space to maintain performance.
The scheduled task will wait for 10 minutes before execution to prevent slowing down Windows on login. After the task executes, the app remains in paused state. It can be disabled via app settings or Task Scheduler. The feature will later extend to other Office apps.
🔗 MS365 Message Center
🧑💻 @agamtechtricks
Microsoft is introducing "Startup Boost" for Office apps, beginning with Word in mid-May 2025. It will enhance load times by preloading the apps at Windows startup. It is only available for PCs having at least 8GB of RAM and 5GB of free disk space to maintain performance.
The scheduled task will wait for 10 minutes before execution to prevent slowing down Windows on login. After the task executes, the app remains in paused state. It can be disabled via app settings or Task Scheduler. The feature will later extend to other Office apps.
🔗 MS365 Message Center
🧑💻 @agamtechtricks
Forwarded from The Hacker News
🚨 AI isn’t just writing your code — it’s leaking your secrets.
New GitGuardian data shows AI-assisted repos leak secrets 40% more often than average.
📊 1,200+ repos leaked secrets in 2025 alone.
👉 Don’t trust. Verify. Full report: https://thehackernews.com/expert-insights/2025/04/the-new-frontier-of-security-risk-ai.html
New GitGuardian data shows AI-assisted repos leak secrets 40% more often than average.
📊 1,200+ repos leaked secrets in 2025 alone.
👉 Don’t trust. Verify. Full report: https://thehackernews.com/expert-insights/2025/04/the-new-frontier-of-security-risk-ai.html
Forwarded from The Hacker News
🔥 UPDATE - A public PoC exploit is now available for a serious SonicWall SMA exploit chain.
➡️ CVE-2024-38475: Apache HTTP Server flaw used to bypass auth
➡️ CVE-2023-44221: Post-auth command injection via Diagnostics menu
CISA has added both to the KEV catalog — federal patch deadline: May 22, 2025.
Exploitation is already active in the wild.
📎 Details + PoC: https://thehackernews.com/2025/05/sonicwall-confirms-active-exploitation.html
➡️ CVE-2024-38475: Apache HTTP Server flaw used to bypass auth
➡️ CVE-2023-44221: Post-auth command injection via Diagnostics menu
CISA has added both to the KEV catalog — federal patch deadline: May 22, 2025.
Exploitation is already active in the wild.
📎 Details + PoC: https://thehackernews.com/2025/05/sonicwall-confirms-active-exploitation.html
Forwarded from The Hacker News
🔐 Microsoft goes passwordless by default for all new accounts.
No more passwords at sign-up—just passkeys, using biometrics or device PINs. It's phishing-resistant, backed by FIDO standards.
Existing users? You can remove your password now from settings.
Learn more: https://thehackernews.com/2025/05/microsoft-sets-passkeys-default-for-new.html
No more passwords at sign-up—just passkeys, using biometrics or device PINs. It's phishing-resistant, backed by FIDO standards.
Existing users? You can remove your password now from settings.
Learn more: https://thehackernews.com/2025/05/microsoft-sets-passkeys-default-for-new.html
Forwarded from XiaomiTime: Xiaomi & HyperOS News (IFTTT)
Xiaomi may be moving towards a Google-free future with HyperOS, potentially collaborating with BBK and Huawei. This shift could redefine the smartphone market and reduce reliance on Google services while building their ecosystem. Stay tuned for updates!
🔗 Check More
🔗 Check More
XiaomiTime
Is Xiaomi planning a Google-free Android future with HyperOS? - XiaomiTime
There have been rumors in the tech space of a collaboration among three Chinese tech players - Xiaomi, BBK Group (parent company of OPPO, Vivo, and OnePlus),
Forwarded from Hacker News
Forwarded from Hacker News
Krebs on Security
xAI Dev Leaks API Key for Private SpaceX, Tesla LLMs
A employee at Elon Musk's artificial intelligence company xAI leaked a private key on GitHub that for the past two months could have allowed anyone to query private xAI large language models (LLMs) which appear to have been custom made for…
Forwarded from Hacker News
Felix86
felix86 – Run x86 and x86-64 games on RISC-V
Forwarded from 𝗽𝗼𝗽𝗠𝗢𝗗𝗦 | 𝗙𝗢𝗦𝗦, 𝗟𝗶𝗳𝗲, 𝗠𝗲𝗺𝗲𝘀 (Ömer)
Weather Doge
Wow, doge weather for Android.
🔗 Links:
- Download
- Screenshots
- Features
- Source code
Developer: VersoBit
❗️Friendly reminder:
🏷 Tags: #Android #Utilities
Wow, doge weather for Android.
🔗 Links:
- Download
- Screenshots
- Features
- Source code
Developer: VersoBit
❗️Friendly reminder:
If you find it useful, You may star the repo/app, donate to the developer, or perhaps you may also contribute to the development of this project.
🏷 Tags: #Android #Utilities
Forwarded from It's FOSS
The UN is slowly moving away from proprietary solutions.
https://news.itsfoss.com/un-ditches-google-form/
https://news.itsfoss.com/un-ditches-google-form/
It's FOSS
UN Ditches Google for Taking Form Submissions, Opts for an Open Source Solution Instead
The United Nations opts for an open source alternative to Google Forms.
Forwarded from The Hacker News
🔥 Automate the chaos. Stay ahead of CVEs.
LivePerson slashed vuln ticketing time by 60% using a free Tines workflow that:
→ Auto-pulls CISA alerts
→ Enriches with CrowdStrike
→ Sends Slack buttons
→ Creates ServiceNow tickets
No manual tracking. No delays. Just speed.
👀 See how your team can do it too: https://thehackernews.com/2025/05/how-to-automate-cve-and-vulnerability.html
LivePerson slashed vuln ticketing time by 60% using a free Tines workflow that:
→ Auto-pulls CISA alerts
→ Enriches with CrowdStrike
→ Sends Slack buttons
→ Creates ServiceNow tickets
No manual tracking. No delays. Just speed.
👀 See how your team can do it too: https://thehackernews.com/2025/05/how-to-automate-cve-and-vulnerability.html
Forwarded from The Hacker News
🚨 TikTok Fined €530M for secretly storing EU user data in China, violating GDPR rules.
🇪🇺 Ireland’s DPC says TikTok misled regulators, failed to ensure EU-level privacy, and ignored China’s surveillance risks.
They now have 6 months to stop transfers.
🔗 Read more: https://thehackernews.com/2025/05/tiktok-slammed-with-530-million-gdpr.html
📉 Second major GDPR fine after a €345M penalty in 2023.
🇪🇺 Ireland’s DPC says TikTok misled regulators, failed to ensure EU-level privacy, and ignored China’s surveillance risks.
They now have 6 months to stop transfers.
🔗 Read more: https://thehackernews.com/2025/05/tiktok-slammed-with-530-million-gdpr.html
📉 Second major GDPR fine after a €345M penalty in 2023.