michaelt
Joined 36,290 karma
Greetings from London, United Kingdom! I'm Michael.

http://www.mjt.me.uk

hn@mjt.me.uk


  1. If you engage in “white hat security research” on organisations who haven’t agreed to it (such as by offering rules of engagement on a site like HackerOne) there is indeed a risk.

    For example they might send the police to your door, who’ll tell you you’ve violated some 1980s computer security law.

    I know 99.99% of cybercrime goes unpunished, but that’s because the attackers are hard to identify, and in distant foreign lands. As a white hat you’re identifiable and maybe in the same country, meaning it’s much easier to prosecute you.

  2. One might consider this a supply chain attack because the title of the post is “We pwned X, Vercel, Cursor, and Discord through a supply-chain attack”
  3. A company has a graduate scheme, they might be hiring 4 graduates this year, they might be hiring 40. Only one job advert.

    External recruiters might then re-advertise the job with the company name removed, planning to funnel people to the company and collect their 20% commission.

    External recruiters with several jobs might merge them into one. $250k job for a senior java developer with 5 years finance experience + $75k job for a junior java developer = advertise $250k job for a java developer.

    A company might have a slow, centralised hiring pipeline for some roles. Google has a recruiter check the candidate's resume before putting you into a lengthy 6+ interview gauntlet, but only at the end of it do hiring managers actually check if the resume matches an open job. And of course if it takes 2 months to get through the full pipeline, the jobs open at the end aren't the same as the jobs open at the start.

  4. Have you ever changed a tyre on a car?

    If so, you may have noticed the jack you used didn't have several huge CNC machined aluminium parts, a seven-stage all-metal geartrain, or a 330v power supply and it probably didn't cost you $700. Probably it cost more like $40.

    And sure, a consumer kitchen product needs to look presentable and you don't want trapping points for curious little fingers. But even given that, you could deliver a product that worked just as well for just as long at a far lower BOM cost.

  5. Firstly, the attacker just wants to mine Monero with CPU, they can do that inside the container.

    Second, even if your Docker container is configured properly, the attacker gets to call themselves root and talk to the kernel. It's a security boundary, sure, but it's not as battle-tested as the isolation of not being root, or the isolation between VMs.

    Thirdly, in the stock configuration processes inside a docker container can use loads of RAM (causing random things to get swapped to disk or OOM killed), can consume lots of CPU, and can fill your disk up. If you consider denial-of-service an attack, there you are.

    Fourthly, there are a bunch of settings that disable the security boundary, and a lot of guides online will tell you to use them. Doing something in Docker that needs to access hot-plugged webcams? Hmm, it's not working unless I set --privileged - oops, there goes the security boundary. Trying to attach a debugger while developing and you set CAP_SYS_PTRACE? Bypasses the security boundary. Things like that.

  6. 1. Ship the product with automatic updates delivered over https

    2. Product is a smart fridge or whatever, reasonable users might keep it offline for 5+ years.

    3. New homeowner connects it to the internet.

    4. Security update fails because the security update server's SSL cert isn't signed by a trusted root.

  7. > 1. These might need to happen as emergencies if something bad happens

    Isn't this the whole point of intermediate certificates, though?

    You know, all the CA's online systems only having an intermediate certificate (and even then, keeping it in a HSM) and the CA's root only being used for 20 seconds or so every year to update the intermediate certificates? And the rest of the time being locked up safer than Fort Knox?

  8. If there's one thing I've taken away from Trump's successes, it's that there's no such thing as "political suicide".

    A massive tax hike on imported goods, making loads of things more expensive? Political suicide! Constant flip-flopping and backtracking on deals? Political suicide! Doing mocking impersonations of disabled people? Political suicide! Accepting donations from neo-nazi groups? Political suicide! Cheating on your pregnant wife with a porn star? Political suicide! Repeatedly visiting a billionaire pedophile's private island? Political suicide!

    Except it turns out actually none of that is political suicide.

  9. I'd be interested in hearing more - do you have a source for this?

    Seems to me CAs have intermediate certificates and can rotate those, not much upside to rotating the root certificates, and lots of downsides.

  10. Even when communicating ideas, there's a simplicity/nuance trade-off to be made.

    I could say "Trump's unpredictable, seemingly irrational policy choices have alienated our allies, undermined trust in public institutions, and harmed the US economy"

    Or I could say "The economy sucks and it's Trump's fault because he's dumb and an asshole"

    They both communicate the same broad idea - but which communicates it better? It depends on the audience.

  11. I'm quite surprised the CA/Browser Forum went for this.

    Nobody's paying for EV certificates now browsers don't display the EV details. The only reason to pay for a certificate is if you're rotating certificates manually, and the 90 day expiry of Let's Encrypt certificates is a hassle.

    If the CA/Browser Forum is forcing everyone to run ACME clients (or outsource to a managed provider like AWS or Cloudflare) doesn't that eliminate the last substantial reason to give money to a CA?

  12. > A running number also carries data. Before you know it, someone's relying on the ordering or counting on there not being gaps - or counting the gaps to figure out something they shouldn't.

    For example, if https://github.com/pytorch/pytorch/issues/111111 can be seen but https://github.com/pytorch/pytorch/issues/111110 can't, someone might infer the existence of a hidden issue relating to a critical security problem.

    Whereas if the URL was instead https://github.com/pytorch/pytorch/issues/761500e0-0070-4c0d... that risk would be avoided.

  13. Interesting, it's a few years since I've used a Mac.

    Descriptions of this stuff online are pretty confusing. Apparently there's an "App Sandbox" and also "Transparency Consent and Control" - I assume from your mention of the photo library you're describing the latter?

    How does this protection interact with IDEs? For some operations conducted in an IDE, like checking out code and collecting dependencies the user grants the software access to SSH keys, artifact repo credentials and suchlike. But unsigned code can also be run as a child process of the IDE - such as when the user compiles and runs their code.

    How does the sandboxing protection interact with the IDE and its subprocesses, to ensure only the right subprocesses can access credentials?

  14. > This is not strictly true - most OS keychain stores have methods of authenticating the requesting application before remitting keys (signatures, non-user-writable paths, etc.), even if it's running as the correct user.

    Isn't that a smartphone-and-app-store-only thing?

    As I understand it, no mainstream desktop OS provides the capabilities to, for example, protect a user's browser cookies from a malicious tool launched by that user.

    That's why e.g. PC games ship with anti-cheat mechanisms - because PCs don't have a comprehensive attested-signed-code-only mechanism to prevent nefarious modifications by the device owner.

  15. Doctors should learn about new drugs the traditional way - physically attractive drug company reps taking them out for expensive dinners and gifting them branded golf equipment.
  16. If the orchestra performs less often because the violists have better paying jobs in a factory making the latest and greatest TVs, more homes will have the latest and greatest TVs.

    Of course, this relies on the assumption most work - and hence most productivity - is a net social good. If the violinists have instead got jobs operating an orphan-crushing machine, that would be a bad thing. But hopefully your society is structured in such a way that the average worker is contributing to the prosperity of their local community.

  17. -----BEGIN PGP SIGNED MESSAGE-----

    Hash: SHA1

    > How would you digitally sign a Json document and embed the signature in the document?

    Embedding a signature into the same file is easy enough.

    -----BEGIN PGP SIGNATURE-----

    Version: GnuPG v0.9.7 (GNU/Linux)

    iEYEARECAAYFAjdYCQoACgkQJ9S6ULt1dqz6IwCfQ7wP6i/i8HhbcOSKF4ELyQB1

    oCoAoOuqpRqEzr4kOkQqHRLE/b8/Rw2k =y6kj

    -----END PGP SIGNATURE-----

  18. > All vehicles that don't display their license plate for cameras of any kind are illegal, the spirit of this law is to make it so we can identify through the number assigned to the vehicle from the state that identifies it is obvious if a picture is taken of the vehicle from the front or the back.

    Quarter inch high license plates are now legal. It’s hardly the motorist’s fault if the camera is too low resolution :)

    Regular license plates are illegal, because they’re unreadable to a type of camera - thermal cameras :)

  19. > Insurance is a capital management game. We’ll likely see a tech company try this, fail to cover a catastrophic liability due to lack of reserves, and trigger a massive backlash.

    Google, AFAIK the only company with cars that are actually autonomous, has US$98 Billion in cash.

    It'd have to be a hell of an accident to put a dent in that.

  20. > Second, stop moving the map when I search for things.

    When I search for 'chicago' I like having the map move to Chicago, even if there's a Chicago Grill, Chicago Pizza and Chicago Trading Company closer.
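
Comment 5 above names the settings that weaken or remove the Docker security boundary: `--privileged`, an added `CAP_SYS_PTRACE`, running as root, and the absence of RAM and CPU limits. The following is an added example, not part of the original comments: a Python check over `docker inspect`-style JSON that flags those settings. The container names and records are constructed, and the set of capabilities treated as risky is an assumption.

```python
import json

# Constructed `docker inspect`-style records for three hypothetical containers.
SAMPLE = json.loads("""[
 {"Name": "/webcam-dev", "Config": {"User": ""},
  "HostConfig": {"Privileged": true, "CapAdd": null, "Memory": 0,
                 "NanoCpus": 0, "CpuQuota": 0, "PidsLimit": null}},
 {"Name": "/debug-build", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_PTRACE"],
                 "Memory": 536870912, "NanoCpus": 1000000000,
                 "CpuQuota": 0, "PidsLimit": 256}},
 {"Name": "/api", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": [], "Memory": 268435456,
                 "NanoCpus": 500000000, "CpuQuota": 0, "PidsLimit": 128}}
]""")

# Assumption: an illustrative, not exhaustive, set of boundary-weakening caps.
RISKY_CAPS = {"SYS_PTRACE", "SYS_ADMIN", "SYS_MODULE", "ALL"}

def audit(container):
    """Return a list of findings for one inspected container."""
    host = container.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):                      # --privileged
        findings.append("privileged")
    caps = {c.upper().removeprefix("CAP_") for c in (host.get("CapAdd") or [])}
    findings += [f"cap_add:{cap}" for cap in sorted(caps & RISKY_CAPS)]
    # An empty User means the image default, treated here as root.
    user = (container.get("Config", {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs_as_root")
    if not host.get("Memory"):                      # 0 means unlimited
        findings.append("no_memory_limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no_cpu_limit")
    if (host.get("PidsLimit") or 0) <= 0:           # null, 0 or -1: unlimited
        findings.append("no_pids_limit")
    return findings

def audit_all(containers):
    """Map container name (leading slash stripped) to its findings."""
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

Disk usage, the third resource the comment mentions, is not checked here.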
