Reader

This is an example.

2023 has been a huge year for me, for many lows in my career, as well as amazing highs. However I’ve always felt something missing, an urge left unscratched, so I’m making this post to plan out my 2024 personal projects and learnings that I want to undertake; a sort of “reflection journal” if you will.

Throughout 2024, I plan to revisit this post to reflect on what I’d like to achieve and how I’m tracking in achieving my goals. This will be followed up with a post detailing how everything is going, what my highlights have been and any potential blockers I’m facing. So, let’s begin with the goal setting!

In no particular order: – Publishing 2-3 articles on my security blog: I’m already in the draft stages of 1 post, however I got lazy and sort of lost interest. Once I can get that closed off, I have a feeling the rest will come more naturally and I should be able to achieve this quite comfortably. – Filling out my repo with content: Standing up my repo and filling it with content is a huge item on my list for the coming year. This will not only help my personal understanding of my security work but also give me something tangible I can use throughout my career. – Filling up my Wazuh instance with agents and directing logs to it via Syslog: Mid-2023 I stood up a Wazuh instance on my internal network, on a Raspberry Pi 4. Currently, I only have 1 agent connected to it and I don’t check it nearly as often as I should. Going forward, I want all computers to have agents installed, and gather logs from my IoT devices to ensure nothing dodgy is connecting to my network. On top of this, working on automations so I don’t have to check things manually will be a huge assist. Having an internal SIEM isn’t something I’ve stood up because I’m paranoid, rather it will help me gain skills across other platforms to help further my career. – Stick to a fitness plan: Looking after my health isn’t something that’s been top priority for me through my 20s, but with 30 fast approaching I’m starting to feel the repercussions of not taking it seriously. In 2024, I want to become much more disciplined with my health, going for runs, lifting weights and generally being more healthy so I’m around on this Earth for as long as possible.

Here’s to a prosperous 2024, for everyone! 🥂

Why I won't buy Androids

I was talking about new phones with a friend a few days ago, and he asked about Android choices. I told him I won't buy any Androids, for a bunch of reasons. This is social media, I'm into my second boozy eggnog. I figure I'll share those reasons here too. Most of the reasons are around Google itself, and some how it's handled Android. Only one is because I'm a petty bitch with a collection of heirloom grudges.

First and foremost, Google is an advertising company with a search engine and a browser and a video hosting service and a mobile operating system all designed to keep your eyes and ears on their advertisements. For FY2022, 80% of Google's revenue came from advertising. Given the lengths I go to avoid ads everywhere else, putting a little ad machine in my pocket doesn't make much sense.

Aside: I go to extreme lengths to block ads. I have a very aggressive PiHole setup. My daily browsing is through Vivaldi (which has a built-in ad blocker) (But the new Direct Match stuff defaulting to On is pretty fuckin' shitty, Vivaldi) and also running an over-packed μBlock extension. Secondary browsing goes through Firefox with a similarly-configured μBlock. I also have a WireGuard VPN running on my iPhone so whenever I'm not on my own WiFi network I'm tunneling back in just to use my PiHole. Vivaldi on iPhone also has a built-in ad-blocker.

Besides the ad biz, I don't trust Google overall. It started with Google Reader, but Google is quick to drop the blade on the neck of any product/service/app that doesn't have a VP championing it. The other recognizable names include Google Wave, Google+, Google Fiber, and Google Stadia. What's going to be the 300th entry in the Google Graveyard? They're at 293 right now, so I expect we'll hit 300 by April 2024.

Zooming back out to the state of the internet today, I honestly think Google and Facebook are tied for doing the most damage to the internet and society at large. Their pervasive advertising is enough for me to stay far away from them. But their stains run far deeper. Google Search is now completely useless. Everything is a webpage now. I've lost count of the companies they've either acquired and killed or cloned and killed. They've built data profiles to rival Facebook. And Youtube will gleefully auto-play viewers into misogyny, conspiracy, and rightwing fascism.

On Android specifically, Google has been an exceptionally poor steward of the ecosystem. Flagship devices now get a few years of updates, but anything down-market may get a year of updates before being forgotten like the fifth child at an after-school activity. Google could enforce feature and security updates for a minimum period of time, but they've chosen not to. And it's only improved to the shameful level now somewhat recently.

And they've been spreading this fast-fashion/ewaste-speedrun philosophy to the laptop formfactor too. They're goddamned laptops, not milk. I have an Alienware M11x R1. It's from 2010. It still runs Windows 10. Poorly. But it can still get OS and security updates 13 years after release. It's a functional print server for my old Brother laser printer that I bought in ~2007 that only has a USB-B interface.

Beyond the shameful state of Android updates, the Google app store is a fraudulent mess. It's been a problem for years and it's still a problem today. It's impacted millions of users at this point. If the Google Play store is going to be the premier source of Android apps, Google needs to get a lot better at protecting users from bad actors. For devices that contain so much of our lives, failures to protect against financial theft is unacceptable.

And Google themselves are part of the problem. We're over-due for Google's next chat app shakeup. I think. And that's just Google. The phone OEMs can replace it with their own uniquely crappy SMS/RCS/Proprietary pile of crap. Going back to the problem of executive champions and vision, nowhere is than absence clearer than the absolute clusterfuck of Google chat apps.

Finally, I mentioned above that I'm a petty bitch. My family holds onto grudges like most folks hold onto fine tableware or farmland. Case in point: My grandfather got screwed over by a Shell gasoline station. He wrote to corporate to explain the situation, and found their answer... unsatisfactory. Nobody in my family has gone to a Shell station since.

My grandfather died over a decade before I was born.

But I have a very personal grudge against Google. They blamed me for something they broke, and have never to my knowledge apologized for it.

Many, many years ago I worked at a small firm. This was when Windows 7 was at its peak, and Windows XP was still very common/well-supported. We had a line-of-business app that was dependent on certain components of Internet Explorer. If you tried to access the web launcher from something other than IE, it would break in really unpleasant ways. Since some of the LOB usage was time-critical, when it broke it was a priority issue.

This was also the time Google started to spread Chrome like herpes. We weren't a big firm, and we didn't have great tools for controlling third-party applications and their updates at the time. Remember, this was almost 15 years ago. I've learned a lot since then, and the toolsets have improved a lot since then.

So folks would just push the button to update Adobe reader, next next next finish. The work we did was highly technical, and again: ~15 years ago, small business, most folks had local admin. We didn't have the tools to do a good job controlling these things. And updating an existing Adobe reader install would “helpfully” install Chrome and set it as the default browser. The LOB “app” was a shortcut on the All Users desktop that pointed to the webpage.

Google Chrome could not support the critical application. So I'd get a panicked phone call from a user because the critical LOB app was failing. I'd either walk over to their desk or RDC into their machine and uninstall Chrome. They'd go back to work, fill out the time-sensitive information, everyone was acceptably content.

Until they tried to click a link outside IE. Say, a link to something important in Outlook. Turns out, Google did a shit job coding the Chrome uninstaller, and left HTML file associations (what Windows uses under the hood to understand it needs to pass data to a browser) just... empty. And in Windows 7, that leads to a specific error message: “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Hey guess who the System Administrator was. Guess who everyone thought was blocking something they needed to do for work?

Eventually I got the tooling and controls in place to prevent Google Chrome from installing itself where it shouldn't (part of the user profile), and finally blocked the garbage of early Chrome from my corporate domain. It wasn't technically a virus, but it sure acted like one. It sure caused a lot more headache than any actual malware. And I still carry a grudge for the shitass job Google did when spreading their little browser-glitter all over my matte black Thinkpads.

So now my phone is built by Apple. They have plenty of different problems, but Google products are absolutely disqualified.

I really wish Microsoft hadn't given up on Windows Mobile/Phone. A third player with real marketshare would be good for everyone. And comparing the ROG Ally to the Steamdeck highlights how weak Windows is on smaller devices and interfaces that aren't keyboard & mouse. Having an ARM-based processor base would have put Microsoft in a better place to really compete with Apple's M processors. Having an XBox Mobile/Handheld/Go would be amazing. #RIPWindowsPhone

So yea. I don't trust Google for many reasons. Android itself is a mess. And I'm petty as fuck. That means an iPhone is my only option.

It's been a while!

This evening I've cracked open a bottle of Holladay One Barrel Bourbon. It is a result of a collaboration with The Saint Louis Bourbon Society and Barrel Blends—this is the “Nice” bottle. It's a Missouri Straight Bourbon Whisky, made with corn, wheat, and barley—percentages wasn't shared. It comes in at 120 proof and was aged six years, 2 months.

I'm a fan.

Trying it neat at first, I smell cherries, leather, cloves and black pepper. There are other aromas in there as well, but I haven't quite cottoned onto them. It starts with a smooth mouthfeel and I can taste cherries and maybe some cinnamon. The heat starts later and then sticks around after swallowing.

After adding some water, the cherry aroma dies off and the cloves pick up a bit. Checking the spice drawer—because there was something there I couldn't quite get—I check mace, nutmeg, and cardamom. Mace and nutmeg are there, but the cardamom's astringency is not there. The flyer did pitch “baking spices”. There's still a hint of black pepper at the finish.

Time to add a little more to my glass and add an ice cube. This is a good one!

Uffda!

I spent last week at Headquarters which is always great to talk directly with many security colleagues in a short amount of time – and not just in the office, but also dinner and drinks. That always allows for conversations that can go deeper and more passionate – and sometimes more honest – than you get in the day time, let alone when meeting virtually. Especially when you've known each other for years.

Thursday was the local Cybersecurity Awareness Month event, and I was invited for an Executive Q&A on our security strategy and direction. To continue the conversation, I invited those interested to dinner after to close out my week before flying back home. This is how I found myself opposite my oldest friend in the security organization, deeply engaged on one of his favorite topics: open source security.

“But That Stuff is Boring!”

He wanted to talk about protecting against zero days in the most common open source components used in our solutions. Admirable, but aside from the greater risks from known vulnerabilities, how would you do that? Not knowing they exist, such zero days by definition would have slipped through our SAST and DAST scanning. So, are you proposing we run continuous fuzzing tests against such components and dependent libraries, in addition?

We can engage the internal security community (another one of his favorite topics), he replied. They can submit vulnerabilities and pull requests to the maintainers. And we could patch our landscape even before the vulnerability is disclosed.

Wait, you're suggesting we fork the library and deploy a patch, rather than wait for the fix to be released by the maintainers? And then how do we get back on the official version? Do we force all the developer teams to patch twice for a zero day nobody knows about and we have no evidence is exploited in the wild? Why wouldn't we just manage it through the existing known vulnerability management processes with established SLAs, and if necessary deploy a temporary detection or mitigation?

Oh, but that stuff is boring...

Ignoring the Boring Makes Us Vulnerable

We have such a habit in infosec to chase after the esoteric and interesting. It is encouraged through conferences and social media fame. The cybersecurity industry adds to it, whether for marketing reasons or added features without guidance or consideration how to operationalize them but demo well. We like intellectually interesting problems we can solve on our own. But then we shouldn't be surprised when the basics aren't taken care of, and developer teams consider us burdensome and adding irrelevant toil.

I get that it may not be as much fun to chase after teams with reports on alerts or missing evidence for compliance controls, help teams to manage a never ending stream of newly reported vulnerabilities against SLAs, or to improve asset discovery and metadata management, rather than chase after zero days. But the boring basics are what truly reduces the attack surface. Ignoring the boring is what continues to make us vulnerable.

Finding Excitement in the Boring

To solve the big problems in security, we must find excitement in the boring. Let's focus our minds on how we implement and operationalize least-privilege IAM and secrets, how we can make CI/CD pipelines both more secure and efficient for developer teams to allow for greater code quality and higher velocity, and provide secure-by-default infrastructure, platforms and services that enable teams to be more productive without getting in their way. Find the intellectual challenge in security engineering and operations. We must work on the risks we face, not the threats we like.

Security is a tough discipline. To do it well requires focus, so we don't spin our wheels, spend effort and budget, or get distracted by the latest hype. It is unfortunate, therefore, that we often get caught in dogmas we tell ourselves, but we don't examine whether they are correct or even useful. Here are three such dogmas that are just plain wrong.

1. Defenders Have to be Right All the Time, Attackers Only Once

If this was ever true, it certainly isn't today. A quick look at the MITRE ATT&CK framework makes it very clear that there are many stages in attacks, from reconnaissance to initial access to execution and persistence, just to gain a first foothold in a defender's landscape. Before a threat actor gets to actual data collection and exfiltration, or a ransomware attack, he or she needs to get a lot of things right – all of which could potentially be detected.

A layered defense that presents multiple obstacles also means that the defender may not get it right all the time – a vulnerability in a container, a misconfiguration in the network architecture, an open RDP port – but should still have multiple opportunities to detect malicious activity before the attacker is at your crown jewels. Lateral movement, privilege escalation, creation of rogue resources or user accounts all give opportunities to detect an attack in progress, and as long as an attacker has no access to a KMS may never get to encrypted data or into databases.

The dogma doesn't recognize the advantages of defenders and ignores the obstacles attackers must overcome. Attackers need to be right all the time. Defenders have multiple opportunities to stop them.

2. No Security Through Obscurity

This is often repeated, but as a result prevents us from taking the benefits of obscurity as part of a layered defense. Run an SSH open to the public internet on port 22 and it will be hammered constantly by automated scripts. Run it on a high random port and it will see virtually no traffic. Only very persistent threat actors focused on a particular target victim will scan for all open ports.

And if defenders were diligent enough to run SSH on a high randomly chosen port, logs showing failed logins will present a far more valuable and reliable alert than the noise that comes with SSH on port 22.

3. Zero Trust Network Architecture

This is possibly the most controversial dogma at all, as it seems the entire industry has lost their mind over this. NIST SP 800-207, the relevant Zero Trust standard says:

Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource

So, it correctly starts with the premise that the network cannot be trusted... and yet spends most of the document discussion network controls, trying to re-establish trust in the network.

Trying to fix IAM, application context, and network security all at the same time, by adding a new policy control overlay in the network to implement the user access controls we should already have on application level. But why? Didn't we just declare the network no longer trusted? Especially in a cloud landscape, you may even end up creating network connections that don't need to exist. Why prevent a user access to a resource by network they already don't have access to on application level? The problem is IAM and that is hard enough. We can manage IAM and application context with Workload Identities for service accounts. Why complicate it further by adding the network back in?

Organizations struggle already with the basics. Why set them up for failure with a massive ZTNA implementation? IAM is boring and network security companies have products to sell?

Abandon the Idea that it's Not Good Enough Unless it's Perfect

There is this joke that goes that the only secure computer is one that is locked away in a separate room, does not have mouse, keyboard or screen, has no network connection, and is powered off. This is supposed to be instructive to get the balance of confidentiality and integrity right in relation to availability. It's intended to show that perfect security is not possible. It is not to be taken seriously as reasonable security guidance.

We supposedly moved at least a decade ago to a risk-based approach. However it seems a good portion of our industry continues to look for the perfect, and anything less is not good enough. Is it any surprise that there is such a gulf between security consultants, advisors and policy writers on the one hand and practitioners on the other? Let's abandon our perfect dogmas so we can focus on the actually important security operational problems.

In the wake of his purchase, far-right billionaire Elon Musk has made many awful changes at Twitter. Kneecapping capabilities for viewing, researching, and archiving materials posted on the forum is certainly less immediately harmful than, say, stochastic terrorism against schools & childrens' hospitals, but it's still no good, and requires some stopgaps.

Twitter frequently now seems to block archive.org altogether; and even when it is possible to archive a tweet by other means, it is generally only viewable as a single post, devoid of any surrounding context in the form of threads or replies.

One intermittent way to currently get around this limitation is to use the open-source, alternative Twitter front-end “Nitter”, and specifically Chris McCormick's redirect proxy Twiiit.

The steps I've found useful are as follow:

• For example, let's say I need to preserve this post along with some of its immediate context: https://twitter.com/dril/status/1707911269033148925
• I replace the url's “twitter” domain with “twiiit” – e.g. https://twiiit.com/dril/status/1707911269033148925
• Before I hit “enter”, I COPY that modified URL. This is because Nitter instances themselves are regularly being blocked by Twitter, or are otherwise unable to dredge up a copy of the post. The “twiiit” re-direct will try various Nitter instances, though; so if the first couple don't function, I simply paste the URL and try again. It only saves a couple of seconds, but they can add up.
• I find myself redirected to a functional Nitter front-end of the tweet, which includes replies and context, in this case it's this one: https://nitter.nohost.network/dril/status/1707911269033148925
• I create an archive of that Nitter front-end by using archive.org and/or archive.today.

If I'm trying to preserve a longer thread, I will sometimes archive every fourth or fifth post to ensure that the data is complete via overlapping captures.

As Musk continues to use his fortune in an apparent quest to singlehandedly reinvigorate the embers of the alt-right, it'll remain important to be able to document & preserve some of what is posted on his platform — this will likely require a continual stream of kludgy workarounds by diligent researchers who are much more clever than I am. So, thanks in advance.

---

P.S. – Nitter instances render timestamps as UTC, which is generally more reliable than the local timestamp which appears when I view the original tweet from the US West coast.

Today.

(Updated:2023-09-26)

This list only contains accounts for security bsides, events, and conferences found in the fediverse / Mastodon with some post history. I will regular update this post as more events migrate here. For hacker meet-ups and local DEFCON / 2600 groups, please refer to the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)

🐈🥗

⸻ Event Info

@cfp_time@infosec.exchange – Call for Papers (#CFP) @InfoCon@defcon.social – #InfoCon @InfoconDB@infosec.exchange – #InfoconDB archive @SecurityBSidesGlobal@infosec.exchange – Security BSides Global

⸻ Online 🌐

@ComfyConAU@infosec.exchange – #ComfyCon @Digit4lOverdose@infosec.exchange – D.O. Conference @pancakescon@infosec.exchange – #PancakesCon

⸻ Canada 🇨🇦

@BSidesCalgary – #BSidesCalgary, AB @BSidesEdmonton – #BSidesEdmonton, AB @BSidesFredericton – BSidesFredericton, NB @BSidesMTL – #BSidesMTL Montreal, QC @BSidesOttawa – #BSidesOttawa, ON @BSidesRegina – #BSidesRegina, SK @BSidesStJohns– #BSidesStJohns, NL @BSidesTO – #BSidesTO Toronto, ON @BSidesVancouver – #BSidesVancouver, BC @BSidesVI@infosec.exchange – #BSidesVI Vancouver Island, BC @hackfest@infosec.exchange – #Hackfest Québec City, QC @halifaxbsides@infosec.exchange – #BSidesHalifax, NS @NorthSec@infosec.exchange – #NorthSec Montréal, QC @polar@infosec.exchange – #PolQc POLAR Conf, QC @seqcure@infosec.exchange – #SeQCure Québec, QC @thelongcon@infosec.exchange – #TheLongCon Winnipeg, MB

⸻ US – Northeast

@bsidesboston@infosec.exchange – #BSidesBoston, MA @BSidesBuffalo@infosec.exchange – #BSidesBuffalo, NY @BSidesCambridgeMA@infosec.exchange – #BSidesCambridge, MA @BSidesCharm@infosec.exchange – #BSidesCharm Towson, MD @BSidesCT – #BSidesCT Hamden, CT @BSidesFloodCity – #BSidesFloodCity Johnstown, PA @BSidesHBG – #BSidesHBG Harrisburg, PA @BSidesNJ@infosec.exchange – #BSidesNJ ? NJ @BSidesNYC@infosec.exchange – #BSidesNYC New York City, NY @bsidesphilly@infosec.exchange – #BSidesPhilly Philadelphia, PA @bsidespgh@infosec.exchange – #BSidesPGH Pittsburgh, PA @bsidesroc@infosec.exchange – #BSidesROC Rochester, NY @hushcon@infosec.exchange – #HushCon New York City, NY @jawncon@infosec.exchange – #JawnCon Philadelphia, PA @pumpcon@infosec.exchange – #PumpCon Philadelphia, PA @ShmooCon@infosec.exchange – #ShmooCon Washington, DC @SummerC0n@infosec.exchange – #SummerCon Brooklyn, NY

⸻ US – Midwest

@BlueTeamCon@infosec.exchange – #BlueTeamCon Chicago, IL @bsides312@infosec.exchange – #BSides312 Chicago, IL @BSidesBloomington – #BSidesBloomington, IN @BSides_BTown@infosec.exchange – #BSides_BTown Bloomington, IN @bsidesboulder@infosec.exchange – #BSidesBoulder, CO @bsideschicago@infosec.exchange – #BSidesChicago, IL @BSidesColoradoSprings – #BSidesColoradoSprings, CO @BSidesColumbus – #BSidesColumbus, OH @bsidesdayton@infosec.exchange – #BSidesDayton, OH @bsidesdenver@infosec.exchange – #BSidesDenver, CO @BSidesFtWayne – #BSidesFtWayne, IN @bsideskc@infosec.exchange – #BSidesKC Kansas City, MO @BSidesMilwaukee – #BSidesMilwaukee, WI @BSidesPeoria – #BSidesPeoria, IL @bsidesspfd@infosec.exchange – #BSidesSpfd Springfield, MO @CircleCityCon@infosec.exchange – #CircleCityCon Indianapolis, IN @CypherCon@infosec.exchange – #CypherCon Milwaukee, WI @thotcon@infosec.exchange – #THOTCON Chicago, IL @WWHackinFest@infosec.exchange – #WWHackinFest Deadwood, SD

⸻ US – West

@bsidescv@infosec.exchange – #BSidesCV Central Valley, CA @BSidesHawaii – #BSidesHawaii Honolulu, HI @bsidesla@infosec.exchange – #BSidesLA Los Angeles, CA @BSidesPDX@pdx.social – #BSidesPDX Portland, OR @BsidesSD@infosec.exchange – #BSidesSD San Diego, CA @bsidesseattle@infosec.exchange – #BSidesSeattle, WA @bsidessf@infosec.exchange – #BSidesSF San Francisco, CA @soups@hci.social – #SOUPS Symposium on Usable Privacy and Security, Anaheim, CA

⸻ US – Southwest

@BSidesAlbuquerque – #BSidesAlbuquerque, NM @bsidesaustin@infosec.exchange – #BSidesAustin, TX @BSidesDFW@infosec.exchange – #BSidesDFW Dallas-Fort Worth, TX @BSidesLV@infosec.exchange – #BSidesLV Las Vegas, NV @BSidesRGV@infosec.exchange – #BSidesRGV Rio Grande Valley, McAllen, TX @BSidesSATX@infosec.exchange – #BSidesSATX San Antonio, TX @BSidesSantaFe – #BSidesSantaFe, NM @BSidesTucson – #BSidesTucson, AZ @cactuscon@infosec.exchange – #CactusCon Mesa, AZ @defcon@defcon.social – #DEFCON Las Vegas, NV @DianaInitiative@defcon.social – #DianaInitiative Las Vegas, NV

⸻ US – Southeast

@bsidesatl@infosec.exchange – #BSidesATL Atlanta, GA @BSidesAugusta@infosec.exchange – #BSidesAugusta, GA @BSidesBirmingham – #BSidesBirmingham, AL @BSidesCharleston@infosec.exchange – #BSidesCharleston, SC @BSidesCLT@infosec.exchange – #BSidesCLT Charlotte, NC @BSidesCHS – #BSidesCHS Charleston, SC @BSidesCharlotte@infosec.exchange – #BSidesCharlotte, NC @BSidesGVL – #BSidesGVL Greenville, SC @BSidesHSV – #BSidesHSV Hunstville, AL @BSidesJAX – #BSidesJAX, Jacksonville, FL @BSidesKC – #BSidesKC Kansas City, MO @bsidesknoxville@infosec.exchange – #BSidesKnoxville, TN @BSidesNOLA – BSidesNOLA New Orleans, LA @BSidesNoVA – #BSidesNoVA Arlington, VA @bsidesorlando@infosec.exchange – #BSidesOrlando, FL @BSidesRoanoke – #BSidesRoanoke, VA @BSidesRDU@infosec.exchange – #BSidesRDU Raleigh/Durham, NC @BSidesSPFD@infosec.exchange – #BSidesSPFD Springfield, MO @bsidesSTL@infosec.exchange – #BSidesSTL St. Louis, MO @BSidesStPete – #BSidesStPete St. Petersburg, FL @BSidesTampa – #BSidesTampa, FL @CackalackyCon@infosec.exchange – #Cackalacky Con, Raleigh, NC @CYBERWARCON@infosec.exchange – #CyberwarCon Arlington, VA @securityonion@infosec.exchange – #SecurityOnion Con, Augusta, GA

⸻ US – Territories

@BSidesPR – #BSidesPR San Juan, PR 🇵🇷

⸻ Caribbean

@BSidesCaymanIslands – #BSidesCaymanIslands, KY 🇰🇾

⸻ Latin America

@BSidesArgentina – #BSidesArgentina Jujuy, Argentina 🇦🇷 @bsidescdmx@infosec.exchange – #BSidesCDMX Mexico City, Mexico 🇲🇽 @BSidesCO – #BSidesCO Bogotá, Colombia 🇨🇴 @bsidesjp@infosec.exchange – #BSidesJoãoPessoa, Brazil 🇧🇷 @BSidesPeru – #BSidesPeru Lima, Peru 🇵🇪 @BSidesPanama – #BSidesPanama Panama City, Panama 🇵🇦 @BSidesSP@infosec.exchange – #BSidesSP Sao Paulo, Brazil 🇧🇷 @BSidesVitória – #BSidesVitória, Brazil 🇧🇷

⸻ Europe 🇪🇺

@botconf@infosec.exchange – #Botconf Nice, FR 🇫🇷 @brucon@infosec.exchange – #BruCON Mechelen, BE 🇧🇪 @BSidesAthens – #BSidesAthens, GR 🇬🇷 @BSidesBUD – #BSidesBUD Budapest, HU 🇭🇺 @BSidesCyprus – #BSidesCyprus Limassol, CY 🇨🇾 @BSidesDublin – #BSidesDublin, IE 🇮🇪 @BSidesKraków~~ – #BSidesKraków, PL 🇵🇱 @bsideskbh@infosec.exchange – #BSidesKbh København, DK 🇩🇰 @bsideslisbon@infosec.exchange – #BSidesLisbon, PT 🇵🇹 @bsidesljubljana@infosec.exchange – #BSidesLjubljana, SI 🇸🇮 @BSidesMilano – #BSidesMilano, IT 🇮🇹 @BSidesOsijek – #BSidesOsijek, HR 🇭🇷 @bsidesoslo@infosec.exchange – #BSidesOslo, NO 🇳🇴 @BSidesPrishtina – #BSidesPrishtina, XK 🇽🇰 @BSidesRoma – #BSidesRoma, IT 🇮🇹 @bsidesrvk@infosec.exchange – #BSidesReykjavik, IS 🇮🇸 @BSidesSOF@infosec.exchange – #BSidesSOF Sofia, BG 🇧🇬 @BSidesTallinn – #BSidesTallinn, EE 🇪🇪 @BSidesTirana – #BSidesTirana, AL 🇦🇱 @BSidesTransylvania – #BSidesTransylvania Cluj-Napoca, RO 🇷🇴 @BSidesUmeå – #BSidesUmeå, SE 🇸🇪 @bsidesvienna@infosec.exchange – #BSidesVienna, AT 🇦🇹 @BSidesZurich@infosec.exchange – #BSidesZurich, CH 🇨🇭 @deepsec@social.tchncs.de – #DeepSec Con, Vienna, AT 🇦🇹 @hack_lu@infosec.exchange – #HackLu, LU 🇱🇺 @passthesaltcon@infosec.exchange – Pass the SALT Con, Lille, FR 🇫🇷 @securitybsidesitalia@infosec.exchange – #BSidesItalia IT 🇮🇹 @TumpiConIT@infosec.exchange – #TumpiCon Turin area, IT 🇮🇹

⸻ Germany 🇩🇪

@BSidesBerlin – #BSidesBerlin @BSidesFrankfurt – #BSidesFrankfurt am Main @BSidesMunich@infosec.exchange – #BSidesMunich @BSidesStuttgart – #BSidesStuttgart @elbsides@infosec.exchange – #Elbsides BSides Hamburg @WEareTROOPERS@infosec.exchange – TROOPERS Conference, Heidelberg

⸻ United Kingdom 🇬🇧

@44CON@infosec.exchange – #44CON London 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @AbertayHackers@infosec.exchange – #SecuriTay Abertay, Dundee, 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesBasingstoke – #BSidesBasingstoke @BSidesBelfast – #BSidesBelfast @BSidesBHAM@infosec.exchange – #BSidesBham Birmingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesBristol – #BSidesBristol @BSidesCambridge – #BSidesCambridge @BSidesCheltenham@infosec.exchange – #BSidesCheltenham 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesDundee – #BSidesDundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @BSidesExeter – #BSidesExeter @BSidesLancashire – #BSidesLancashire @bsidesleeds@infosec.exchange – #BSidesLeeds 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @BSidesNewcastle – #BSidesNewcastle @VirusBulletin@infosec.exchange – #VB2024 VirusBulletin, London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Africa

@BSidesCapeTown – #BSidesCapeTown, South Africa 🇿🇦 @BSidesNairobi – #BSidesNairobi, Kenya 🇰🇪

⸻ India 🇮🇳

@BSidesAhmedabad – #BSidesAhmedabad @BSidesBangalore@infosec.exchange – #BSidesBangalore @BSidesChennai – #BSidesChennai @BSidesIndore – #BSidesIndore @BSidesJaipur – #BSidesJaipur @BSidesOdisha@infosec.exchange – #BSidesOdisha

⸻ Asia

@BSidesMyanmar – #BSidesMyanmar, Myanmar 🇲🇲 @BSidesSG – #BSidesSG Singapore, China 🇨🇳 @BSidesTokyo – #BSidesTokyo, Japan 🇯🇵 @BSidesYerevan – #BSidesYerevan, Armenia 🇦🇲

⸻ Australasia

@bsides_bne@infosec.exchange – #BSides_Bne Brisbane, AU 🇦🇺 @bsidescbr@infosec.exchange – #BSidesCanberra, AU 🇦🇺 @bsidesmelbourne@infosec.exchange – #BSidesMelbourne, AU 🇦🇺 @bsidesperth@infosec.exchange – #BSidesPerth, AU 🇦🇺 @bsidessydney@infosec.exchange – #BSidesSydney, AU 🇦🇺 @crikeycon@infosec.exchange – #CrikeyConAU Brisbane, AU 🇦🇺

⸻ For other events not in the fediverse try: ➡️⁠https://securitybsides.com ➡️⁠https://github.com/xsa/infosec-events by Xavier Santolaria @0x58@infosec.exchange

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

⸻ #InfoSec #CyberSecurity #BSides #CatSalad #cc0

(Updated:2023-09-26)

This list only contains local 2600, DEFCON, CCC, OWASP, LUG, and InfoSec groups with active fediverse / Mastodon accounts, including languages other than English. As more are created or discovered, I will update this message. For hackerspaces, see the link below.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)

🐈🥗

⸻ InfoSec Groups

@2600@lemmy.world – 2600 Community (Lemmy) @blackhoodie@infosec.exchange – #BHRE (women only) @CCC@social.bau-ha.us – Chaos Computer Club @ccc@anonsys.net – #CCC (friendica) @guide@chaos.social – CCC events #cccRegio @womenincybersecurity@mastodon.social – Women In Cybersecurity (#WiCyS)

⸻ Canada 🇨🇦

@dc902@defcon.social – #DC902 Halifax, NS @OWASP_Ottawa@infosec.exchange – OWASP Ottawa

⸻ US – Northeast

@2600_new_hampshire@eventos.hispagatos.org – 2600, NH @blacksincyber@defcon.social – Blacks In Cybersecurity™ (BIC), Washington, DC @blacksincyber@infosec.exchange – #BIC DMV Metro Area, DC @dc215@defcon.social – #DC215, Philadelphia, PA @defcon201@diode.zone – #DC201 North New Jersey @dc201@diode.zone – DC201 North NJ @defcon201@hostux.social – DC201 North NJ @defcon610@defcon.social – #DC610 Easton, PA @hacdc@fosstodon.org – #HackDC Washington, DC @NYC2600@infosec.exchange – #NYC2600 NY @NYC2600@mastodon.social – NYC 2600, NY @owaspboston@infosec.exchange – OWASP Boston, MA @philly2600@jawns.club – #Philly2600 Philadelphia, PA @Phillysec@infosec.exchange – #Phillysec Philadelphia, PA

⸻ US – Midwest

@defcon402@infosec.exchange – #DC402 Nebraska @DC608Madison@defcon.social – #DC608 Madison, WI @DC608Madison@infosec.exchange – DC608 Madison, WI @defcon937@infosec.exchange – #DC937 Dayton, OH @DenverSec@infosec.exchange – #DenverSec Denver, CO @lansing2600@mastodon.praxis.red – #Lansing2600 Lansing, MI @RockyMtnLUG@fosstodon.org – Rocky Mountain LUG, CO

⸻ US – West

@dc503@defcon.social – #DC503 Portland, OR @dc510@defcon.social – #DC510 Oakland, CA @DCG858@defcon.social – #DC858 / #DC619 San Diego, CA @pdx2600@mastodon.online – #PDX2600 Portland, OR @rainsec@infosec.exchange – #RainSec PDX, Portland, OR

⸻ US – Southwest

@ASULUG@fosstodon.org – #ASULUG ASU, AZ @dallas_hackers@infosec.exchange – Dallas Hackers Dallas, TX @DC512@defcon.social – #DC512, Austin, TX @PLUG@fosstodon.org – #PLUG, Phoenix, AZ

⸻ US – Southeast

@dc404@defcon.social – #DC404 Atlanta, GA @DC443@defcon.social – #DC443 Baltimore, MD @dc540@defcon.social – #DC540 Nova regional, VA @dc540@infosec.exchange – DC540 Nova regional, VA @RTP2600@kolektiva.social – #RTP2600 Raleigh, NC

⸻ Europe 🇪🇺

@2600Malmo@mastodon.online – #2600Malmo 2600 Malmö, SE 🇸🇪 @2600stockholm@mastodon.social – #2600stockholm Stockholm, SE 🇸🇪 @2600_madrid@eventos.hispagatos.org – 2600 Madrid, ES 🇪🇸 @amsterdam@chaos.social – Chaos Amsterdam, NL 🇳🇱 @c3wien@chaos.social – CCC Wien, Vienna, AT 🇦🇹 @CCCBasel@chaos.social – CCC Basel, Muttenz, CH 🇨🇭 @dc4822@infosec.exchange – #DC4822 Warsaw, PL 🇵🇱 @dc9723@defcon.social – #DC9723, Tel-Aviv, IL 🇮🇱 @lugos@floss.social – #LUGOS SI 🇸🇮 @lugv@troet.cafe – #LUGV Vorarlberg, AT 🇦🇹 @ulug@social.linux.pizza – #ULUG Uppsala, SE 🇸🇪

⸻ Germany 🇩🇪

@amborg_sulzbyte@chaos.social – Chaostreff Amberg Sulzbach @c3d2@c3d2.social – CCC Dresden @cccac@chaos.social – CCC Aachen @cccda@chaos.social – CCC Darmstadt @cccffm@chaos.social – CCC Frankfurt @cccfr@chaos.social – CCC Freiburg @ccchh@chaos.social – CCC Hamburg @cccp@chaos.social – CCC Potsdam @cccs@chaos.social – CCC Stuttgart @cccwi@cccwi.social – CCC Wiesbaden @cciz@chaos.social – Computer Club Itzehoe @chaospott@chaos.social – CCC Essen @clubdiscordia@chaos.social – CCC Berlin @ctaz@rheinhessen.social – Chaostreff Alzey @ctbk@chaos.social – Chaostreff Backnang @erlug@social.anoxinon.de – #ErLUG Erlangen @flipdot@social.flipdot.org – #Flipdot CCC Erfa-Kreis, Kassel @haecksen@chaos.social – #Haecksen (Stuttgart, Hamburg, Hannover, Karlsruhe, Leibzig, Göttingen and Berlin) @geekfem@chaos.social – #Geekfem Hamburg @KiLUG@mastodon.social – #KiLUG Haslach im Kinzigtal @LUG_MYK@chaos.social – LUG Mayen-Koblenz @lug_nuernberg@mastodon.online – LUG Nürnberg @lughannover@norden.social – LUG Hannover @lugor@dynlinux.io – #LUGOR Oberhausen Rheinland @muccc@chaos.social – CCC Munich @owasp_de@infosec.exchange – OWASP DE @owasp_ka@chaos.social – OWASP Karlsruhe

⸻ India 🇮🇳

@dc_9111@ioc.exchange – #DC9111, Delhi

⸻ United Kingdom 🇬🇧

@2600@glasgow.social – 2600 Glasgow 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @AbertayHackers@infosec.exchange – Abertay Hackers, Dundee 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @DC44131@infosec.exchange – #DC44131 Edinburgh 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @OWASPLondon@infosec.exchange – OWASP London 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia

@flinderscybersoc@infosec.exchange – Flinders Cybersecurity Society, Adelaide, AU 🇦🇺 @linuxaustralia@fosstodon.org – Linux Australia 🇦🇺 @owaspmelb@infosec.exchange – OWASP Melbourne, AU 🇦🇺 @PalmyLUG@mastodon.nzoss.nz – #PalmyLUG Palmerston North, NZ 🇳🇿

⸻

For other groups & meetups not in the fediverse: ➡️⁠https://forum.defcon.org/social-groups ➡️⁠https://events.ccc.de/ ➡️⁠https://owasp.org/www-community/meetings/ ➡️⁠https://www.2600.com/meetings

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. cc​𝟶 “No Rights Reserved”

⸻

#InfoSec #CyberSecurity #DEFCON #2600 #CCC #OWASP #WomenInCybersecurity #LUG #LinuxUserGroup #CatSalad #cc0

(Updated:2023-09-26)

This list contains hackspaces and hacklabs with active fediverse / Mastodon accounts. For monthly group meets, see the post link below. This list will be update as more workshops in the fediverse are discovered.

📌⁠InfoSec Events by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hacker Meet-ups by Region (ᵃˡˢᵒ🦣ⷨ) 📌⁠Hackerspaces by Region (ᵃˡˢᵒ🦣ⷨ)

🐈🥗

⸻ United States 🇺🇸

@hacdc@fosstodon.org – #HackDC Washington, DC @iffybooks@post.lurk.org – Iffy Books – Philadelphia, PA @Noisebridge@sfba.social – #Noisebridge Hackerspace – San Francisco, CA

⸻ Latin America

@lhc@mastodon.com.br – Laboratório Hacker de Campinas, Brazil 🇧🇷

⸻ Europe 🇪🇺

@coredump@chaos.social – #Coredump Hack- & Makerspace, Rapperswil-Jona, CH 🇨🇭 @fhl@mastodon.cisti.org – F-HackLab, Rome, IT 🇮🇹 @hackeriet@chaos.social – #Hackeriet Oslo, NO 🇳🇴 @hackstub@kolektiva.social – #Hackstub Strasbourg, FR 🇫🇷 @hspsh@0x3c.pl – #HsPsh Hackerspace Pomorze, PL 🇵🇱 @hswaw@hackerspace.pl – #HsWaw Warsaw, PL 🇵🇱 @KaouennNoz@diaspodon.fr – #KaouennNoz Rennes, FR 🇫🇷 @lebib@social.bim.land – #LeBIB Montpellier, FR 🇫🇷 @hslodz@mas.to – #HSLodz Hakierspejs Łódź, PL 🇵🇱 @tamperehacklab@qoto.org – #TampereHacklab FI 🇫🇮

⸻ Austria 🇦🇹

@devlol@chaos.social – #DevLol Linz @itsyndikat@chaos.social – #Itsyndikat Innsbrucks @metalab@chaos.social – #Metalab Vienna @realraum@chaos.social – #Realraum Graz @usrspace@chaos.social – /usr/space, Leobersdorf

⸻ Germany 🇩🇪

@acmelabs@chaos.social – #ACMELabs Bielefeld @backspace@chaos.social – #Backspace CCC-Erfa, Bamberg @binhacken@chaos.social – #BinHacken Hacker- & Makerspace, Bingen @bytespeicher@social.bau-ha.us – #Bytespeicher Erfurt @bytewerk@chaos.social – #bytewerk Ingolstadt @c4@chaos.social – CCC Cologne @cbase@chaos.social – c-base, Berlin @cccac@chaos.social – CCC Aachen @cccda@chaos.social – CCC Darmstadt @cccffm@chaos.social – CCC Frankfurt @cccfr@chaos.social – CCC Freiburg @ccchh@chaos.social – CCC Hamburg @cccwi@cccwi.social – CCC Wiesbaden @chaos_fl@chaos.social – Chaostreff Flensburg @chaosdorf@chaos.social – #Chaosdorf Hackspace & CCC Erfa, Düsseldorf @chaostreff_osnabrueck@chaos.social – Chaostreff Osnabrück @chaotikumev@social.chaotikum.org – #Chaotikum Lübeck @chch@chaos.social – Chaostreff Chemnitz @clubdiscordia@chaos.social – #ClubDiscordia CCC Berlin @daslabor@chaos.social – #DasLabor Bochum @datenburg@bonn.social – #Datenburg Bonner @dezentrale@chaos.social – Dezentrale Leipzig @eigenbaukombinat@chaos.social – #Eigenbaukombinat Halle, Saale @entropia@chaos.social – #Entropia Karlsruhe @flipdot@social.flipdot.org – #Flipdot Kassel @hacklabor@chaos.social – #Hacklabor Schwerin @hackershell@social.anoxinon.de – #Hackershell 🌐 @hacksaar@social.saarland #Hacksaar Saarbrücken @Hackzogtum@chaos.social – #Hackzo Coburg @Hasi@chaos.social – Hackspace Siegen @haxko@chaos.social – #Haxko Mayen-Koblenz @HSB@chaos.social – Hackerspace Bielefeld @k4cg@chaos.social – K4 Computergruppe, Nuremberg @krautspace@chaos.social – #Krautspace Jena @leinelab@chaos.social – #LeineLab Hannover @maglab@chaos.social – #MagLab Magrathea Laboratories, Fulda @maschinenraum@social.bau-ha.us – #Maschinenraum m18, Weimar @muccc@chaos.social – CCC Munich @neanderfunk@nrw.social – Freifunk Neanderland, Wülfrath @neotopia@chaos.social – #Neotopia Göttingen @Nerdberg@chaos.social – #Nerdberg Nuernberg @netz39@machteburch.social – #Netz39 Magdeburg @OpenLabAugsburg@chaos.social – OpenLab, Augsburg @OWN@chaos.social – Offene Werkstatt Norderstedt @Port39@chaos.social – #Port39 Stralsund @raumfahrtagentur@chaos.social – Raumfahrt, Berlin @schaffenburg@social.schaffenburg.org – #Schaffenburg @space47@ruhr.social – #Space47 Duisburg @spline@chaos.social – #Spline Berlin @stratum0@chaos.social – #Stratum0 Braunschweig @RaumZeitLabor@chaos.social – #RaumZeitLabor Mannheim @temporaerhaus@chaos.social – Temporärhaus, Ulm @toppoint@chaos.social – Toppoint Hackspace, Kiel @Turmlabor@chaos.social – nachtsnochlicht@Turmlabor, Dresden @UN_Hack_Bar@chaos.social – UN-Hack-Bar, Unna @warpzone@social.bau-ha.us – warpzone, Münster @welcomewerkstatt@norden.social – #WelcomeWerkstatt Hamburg @werkraum@chaos.social – #Werkraum Zittau @westwoodlabs@chaos.social – #Westwoodlabs Westerwald @xHain_hackspace@chaos.social – xHain Hack- Makerspace, Berlin @zLabor@chaos.social – #zLabor Zwickau @ztl@rheinneckar.social – Zentrum für Technikkultur Landau

⸻ Netherlands 🇳🇱

@amsterdam@chaos.social – Chaos Amsterdam @bitlair@hsnl.social – #Bitlair Amersfoort @hack42@chaos.social – #Hack42 Arnhem @hackalot@hsnl.social – #Hackalot Eindhoven @pixelbar@hsnl.social – #Pixelbar Rotterdam @revspace@hsnl.social – #RevSpace Hague @TDvenlo@hsnl.social – #TDvenlo Venlo @TechInc@mastodon.social – Technologia Incognita, Amsterdam @tkkrlab@hsnl.social – #TrrkLab Enschede

⸻ United Kingdom 🇬🇧

@57n@abdn.social – #57n Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @57n@hostux.social – #57North Hacklab, Aberdeen 🏴󠁧󠁢󠁳󠁣󠁴󠁿 @cheltenham_hackspace@mastodonapp.uk – Cheltenham Hackspace 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @EEHackSpace@mstdn.social – #EEHackSpace East Essex 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @hackhitchin@techhub.social – #HackHitchin Hitchin 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @leigh_hackspace@mastodon.social – Leigh Hackspace, Manchester 🏴󠁧󠁢󠁥󠁮󠁧󠁿 @nottinghack@hachyderm.io – #NottingHack Nottingham 🏴󠁧󠁢󠁥󠁮󠁧󠁿

⸻ Australasia

@ballarat@hackerspace.au – Ballarat Hackerspace, AU 🇦🇺

⸻

For other hackerspaces not in the fediverse try: ➡️⁠https://wiki.hackerspaces.org/List_of_Hacker_Spaces

Feel free use, copy, modify, steal, boost, encrypt, or plagiarize this information anyway you want. :cc_cc:​𝟶 “No Rights Reserved”

⸻

#CCC #ChaosComputerClub #Hacker #Hackspace #Hackerspace #CatSalad #cc0

List of some useful links, news sites, and open web search engines that also provide .Onion service access through Tor :tor:. Each searx site varies on their up time, so it pays to visit the 🗂️⁠SearXNG Index to find alternatives.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)

⸻Links🔖⁠⸻

🗃️⁠Archive.Today⁠〰️→🧅⁠archivei… 💻⁠DEFCON Forums⁠→🧅⁠ezdhgsy… 💻⁠DEFCON Home⁠〰️→🧅⁠g7ejphhu… 💻⁠DEFCON Media⁠〰️→🧅⁠m6rqq6k… 🔐⁠Key.OpenPGP.org⁠→🧅⁠zkaan2x… 🔖⁠Reddit.com⁠〰️〰️→🧅⁠redditorj…★ 📚⁠zLibrary Articles⁠→🧅⁠articles2… 📚⁠zLibrary Books⁠→🧅⁠bookszlib…

⸻News🗞️⁠⸻

🗞️⁠BBC News⁠〰️〰️→🧅⁠bbcnewsd…★ 🗞️⁠DeutscheWelle⁠→🧅⁠dwnewsg…★ 🗞️⁠ProPublica⁠〰️〰️→🧅⁠p53lf57… 🗞️⁠The Guardian⁠〰️→🧅⁠guardian2…★

⸻Search🔍⸻

🗂️⁠SearXNG Index⁠→🧅⁠searxspb… 🔍⁠divided-by-zero⁠→🧅⁠f4qfqajs… 🔍⁠nicfab.eu⁠〰️〰️→🧅⁠lgmekfn…★ 🔍⁠northboot.xyz⁠→🧅⁠4n53nafyi… 🔍⁠ononoki.org⁠〰️→🧅⁠searchvrz… 🔍⁠priv.au⁠〰️〰️〰️→🧅⁠privateoz… 🔍⁠prvcy.eu⁠〰️〰️→🧅⁠rq2w52k… 🔍⁠sapti.me⁠〰️〰️→🧅⁠gbat2pb… 🔍⁠stinpriza.org⁠→🧅⁠z5vawdo… 🔍⁠thefloatinglab⁠→🧅⁠iziatwmt… 🔍⁠tiekoetter⁠〰️〰️→🧅⁠searx3ao…

⸻ (★ = Supports HTTPS-over-Onion) 🐈🥗

#TorProject #OnionService #OnionServices #Tor #Onion #Privacy #CatSalad

(Updated:2023-09-26)

List of fediverse instances that also provide access through .Onion servers using Tor Hidden Services. I will add more as I find them... Well, most of them anyway.

📌⁠List of torified fedi instances (ᵃˡˢᵒ🦣ⷨ) 📌⁠List of useful torified sites (ᵃˡˢᵒ🦣ⷨ)

⸻FediTor🔖⁠⸻

⁠⛔⁠Alive.bar⁠〰️〰️〰️→🧅⁠alivebrntm… 💻⁠Defcon.social〰️→🧅⁠zpj4sjt4a…★ 💻⁠Ieji.de⁠〰️〰️〰️〰️→🧅⁠iejideks5z…★ 💻⁠Infosec.exchange⁠→🧅⁠7jaxqg6… ⛔⁠⁠Kolektiva.social⁠〰️→🧅⁠klktvbm… ⛔⁠⁠Masto.ai⁠〰️〰️〰️→🧅⁠yiynyc2ly…★ 💻⁠Mstdn.social⁠〰️→🧅⁠c6usaa6… 💻⁠Octodon.social⁠→🧅⁠octodonic… ⛔⁠⁠Partyon.xyz⁠〰️→🧅⁠partyonl2… ⛔⁠⁠Qdon.space⁠〰️→🧅⁠nqt42rzz5… 💻⁠Slippy.xyz〰️〰️→🧅⁠irvqsc5bb… 💻⁠Vern.cc⁠〰️〰️〰️→🧅⁠ak.vernccv… 💻⁠Wetdry.world⁠〰️→🧅⁠qm7a3tu…

⸻ (★ = Supports HTTPS-over-Onion) (⛔⁠ = Cloudflared)

🐈🥗

#FediTor #TorProject #OnionService #OnionServices #Fedi #Tor #Onion #Privacy #CatSalad