Tag security

1. Buy expired NPM maintainer email domains. 2. Re-create maintainer emails 3. Take over packages 4. Submit legitimate security patches that include package.json version bumps to malicious dependency you pushed 5. Enjoy world domination.

Lance R. Vick ( @lrvick@mastodon.social ) (@lrvick)Mon, 09 May 2022 21:20 +0000

*sigh* 🥃

Jason Kikta 🌻 (@kikta)Mon, 09 May 2022 17:29 +0000

https://twitter.com/GitHubSecurity/status/1515101093419646976

If you need to verify the ID of the OAuth application, check the number at the end of the url like github.com/orgs/<org>/policies/applications/145909 coming from the github.com/organizations/<org>/settings/oauth_application_policy page.

chrismo (@the_chrismo)Sat, 16 Apr 2022 02:42 +0000

spent way too long making this

Alex Strook ⚡🐭 (@AlexStrook)Wed, 13 Apr 2022 16:12 +0000

Setup some MFA stuff last night and the amount of this is so annoying:

Matt Brunt (@Brunty)Wed, 13 Apr 2022 08:00 +0000

🧠 Reminder that "beefstew" is not a good password. It is not Str0g4|\|off

Chris Heilmann (@codepo8)Tue, 05 Apr 2022 08:57 +0000

My bank: 🏦: I need you to jump through security hurdles to keep your money safe. Me: 🙋‍♀️: No problem! Cybersecurity is a process, not a destination! Also My Bank: 🏦: Whoa, whoa, whoa. 21 digit password? Let's not get crazy. Also, I have never seen the character "&" in my life.

Brianna Wu (@BriannaWu)Tue, 29 Mar 2022 14:59 +0000

Wow, @Zoom's decision to bypass the security settings of their customers in order to boost its marketplace demand is a bold move, to put it mildly. CISOs discovering this after the fact will be fuming.

Tobie Langel (@tobie)Mon, 28 Mar 2022 08:33 +0000

Since #Log4j you've heard how OSS vulns impact most orgs, how OSS is underfunded & we need to do more to help, but did you know OSS security has improved drastically in the last 4 years? In 2017, 35% of OSS libs used had a known flaw. In 2022 it's < 10% veracode.com/state-of-softw…

Chris Wysopal (@WeldPond)Wed, 09 Feb 2022 19:36 GMT

Eight years later, and this is now a thing 😃 gov.uk/security.txt No monetary reward (sadly, but I get why).

Post details

Should GOV.UK Run A Bug Bounty? shkspr.mobi/blog/?p=9760

Terence Eden (@edent)Tue, 04 Feb 2014 12:05 GMT

Terence Eden (@edent)Fri, 04 Feb 2022 07:43 GMT

Federal government memo: "Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum." Yes!

Post details

The federal government just dropped a 29-pg memo laying out its "transition to a zero trust approach" A few surprises: ✴️ there's more in it than just zero-trust ✴️ it goes beyond what most orgs do today I read the whole thing so you don't have to... bastionzero.com/blog/i-read-th…

Sharon Goldberg (@goldbe)Thu, 27 Jan 2022 14:52 GMT

Simon Willison (@simonw)Thu, 27 Jan 2022 19:21 GMT

Please do not teach the computers how to recognize us even with most of our facial features covered.

Post details

iOS 15.4 beta has a new ‘Use Face ID with a Mask’ option and the masked FaceID icon is absolutely adorable.

Sebastiaan de With (@sdw)Thu, 27 Jan 2022 19:38 GMT

Renaissance Mandalorian (@indik)Fri, 28 Jan 2022 03:42 GMT

Over 20 thousand servers have their iLO exposed to the internet, many are outdated and vulnerable i5c.us/d28276

SANS ISC (@sans_isc)Wed, 26 Jan 2022 11:20 GMT

"Securing the (open source) software supply chain" naturally focuses attention "upstream" in the supply chain. And there is so much to do _downstream_ in how we assemble and operate software more securely. Improvements downstream don't need to wait on investments upstream.

Matthew S. Wilson (msw) (@_msw_)Sun, 16 Jan 2022 17:18 GMT

Looks like the AWS CDK is broken because the dependency on colors.js which has a totally hilarious bug: github.com/aws/aws-cdk/is… It shows "LIBERTY LIBERTY LIBERTY".

Soenke Ruempler (@s0enke)Sun, 09 Jan 2022 18:43 GMT

One might say they have bad ApeSec

Post details

https://twitter.com/edzitron/status/1477703853944434688

look i know all this shit sucks beyond comprehension but “did not take proper precautions when moving his ape” is just an objectively funny sentence.

Yeet Takeshi (@alex_navarro)Sun, 02 Jan 2022 18:11 GMT

Ed Zitron (@edzitron)Sun, 02 Jan 2022 18:13 GMT

https://twitter.com/edzitron/status/1477703853944434688

look i know all this shit sucks beyond comprehension but “did not take proper precautions when moving his ape” is just an objectively funny sentence.

Yeet Takeshi (@alex_navarro)Sun, 02 Jan 2022 18:11 GMT

Just use an npm package.

Den Delimarsky (@DennisCode)Sun, 26 Dec 2021 05:17 GMT

https://twitter.com/QuinnyPig/status/1473887418973446146

Thank you, @awscloud. aws.amazon.com/security/secur…

Corey Quinn (@QuinnyPig)Thu, 23 Dec 2021 23:57 GMT

I wanted a way to monitor trending CVEs on Twitter So I built CVEtrends.com - data comes from Twitter + NIST NVD APIs - back-end: Python, Flask, PostgreSQL, and Redis - front-end: React + Bootstrap It's a quick MVP, but let me know your thoughts and feedback...

Simon J. Bell (@SimonByte)Tue, 23 Nov 2021 13:53 GMT

Just had to inform a large UK professional body that maybe using Tomcat 6.0.45 (6.x was EOL'd 5 years ago) on their public website maybe isn't a great idea

Russell Howe (@rhowe212)Tue, 21 Dec 2021 16:34 GMT

Good news: Log4j is the only library you use that’s been trivially vulnerable for about a decade.

haroon meer (@haroonmeer)Mon, 20 Dec 2021 11:12 GMT

A whole lot of engineers worked all weekend and deserve the week off. Friendly reminder that you should give it to them.

emily freeman (@editingemily)Mon, 13 Dec 2021 06:06 GMT