The Open Source Foundation for Application Security
All things software security.
Stop macOS 15 Sequoia monthly screen recording prompts
I've not run into the new monthly screen recording prompt yet but I can imagine that when I do it might get annoying. I appreciate Apple being super cautious with security and stuff like this, most of the time, but this feels a bit too much.
It's good to know there is a way to work around it, if you're happy to go "under the hood".
gaining access to anyones browser without them even visiting a website - eva's site
So I’m glad I never got comfortable with Arc, having briefly tried it and not really liked it.
S3 Bucket Namesquatting - Abusing predictable S3 bucket names – One Cloud Please
Given I’m fairly new to AWS, I was surprised to find that S3 has a global namespace. And so of course squatting is a thing.
Git ransom campaign incident report—Atlassian Bitbucket, GitHub, GitLab
Incident report on the "git ransom" attack from earlier on this month.
vim/neovim security vulnerability
Write-up of the rather amazing vulnerability in vim/neovim.
Time to rethink mandatory password changes | Federal Trade Commission
Why forcing users to change their password every N weeks is generally a terrible idea.
warner/magic-wormhole: get things from one computer to another, safely
Handy tool for transferring stuff from one machine to another
Twitter: An update on our security incident
First real update by Twitter on the great bitcoin ownage of 2020 incident.
When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number
Amusing story on a number of levels; and with a serious message too.
EICAR test QR
Hilarious hack that can mess with all sorts of systems.
The Correct Horse Battery Staple password generator
Fun but also useful password generator, in the style of the famous xkcd strip.
The Apperta Data Breach Fiasco
If you found a leak of data from the NHS and let them know, you'd think they'd be properly happy about being told, right?
About that...
Steam Phishing scam
A common scam I’ve run into, often via Discord.
The logic behind three random words - NCSC.GOV.UK
Keeping this to hand as a useful page to point folk at when they try and teach me about how passwords should be chosen.
IP Geolocation and Threat Intelligence API
How dodgy does your IP address look?
Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack
"Last week, our automated risk detection platform alerted us to some suspicious activity in dozens of newly published PyPI packages. It appears that these packages are a more sophisticated attempt to deliver the W4SP Stealer on to Python developer’s machines by hiding a malicious import . Join us here on the Phylum research team as we investigate these new and shifting tactics the attacker is using to deploy W4SP stealer in this supply-chain attack."
Our security auditor is an idiot. How do I give him the information he wants? - Server Fault
An old, but fun (and possibly questionable how real it actually is) thead on a security auditor asking some really dumb questions. Oh gods does this remind me of some IT compines I've dealt with in the past.
How We Executed A Critical Supply Chain Attack On Pytorch
"Four months ago, Adnan Khan and I exploited a critical CI/CD vulnerability in PyTorch, one of the world’s leading ML platforms. Used by titans like Google, Meta, Boeing, and Lockheed Martin, PyTorch is a major target for hackers and nation-states alike.
Thankfully, we exploited this vulnerability before the bad guys.
Here is how we did it."
Everything I know about the XZ backdoor
A timeline of the events in the creation of the xz backdoor.
A Microcosm of the interactions in Open Source projects
Some background on how the xz backdoor situation arose.
Story of one person's recovery of their Apple account
The circumstances of this person's ban are... up for debate and they don't seem very forthcoming with the details, so it does seem like it might have been deserved, to a degree. But, that aside, some handy information here for people if they do find themselves locked out of their Apple account.
How an empty S3 bucket can make your AWS bill explode
Failing as designed, I imagine.