Security Icon

Security

InfoSec, DevSec, Penetration Testing, etc.
244 Stories
All Topics

The Changelog The Changelog #490

Schneier on security for tomorrow’s software

This week we’re talking with Bruce Schneier — cryptographer, computer security professional, privacy specialist, and writer (of many books). He calls himself a “public-interest technologist”, a term he coined himself, and works at the intersection of security, technology, and people.

Bruce has been writing about security issues on his blog since 2004, his monthly newsletter has been going since 1998, he’s a fellow and lecturer at Harvard’s Kennedy School, a board member of the EFF, and the Chief of Security Architecture at Inrupt. Long story short, Bruce has credentials to back up his opinions and on today’s show we dig into the state of cyber-security, security and privacy best practices, his thoughts on Bitcoin (and other crypto-currencies), Tim Berners-Lee’s Solid project, and of course we asked Bruce to share his advice for today’s developers building the software systems of tomorrow.

Ship It! Ship It! #53

Securing K8s releases (KubeCon EU 2022)

Today we are at KubeCon CloudNativeCon EU 2022, talking to Adolfo García Veytia about securing Kubernetes releases. Adolfo is a Staff Software Engineer at Chainguard, and one of the technical leads for SIG release, meaning that he helps ship Kubernetes. You most likely know him as Puerco, and have seen first-hand his passion for securing software via SBOMs, cosign and SLSA. Puerco’s love for bikes and Chainguard are a great match 🚴‍♂️

The GitHub Blog Icon The GitHub Blog

GitHub will require 2FA by the end of 2023

Mike Hanley on GitHub’s blog:

The software supply chain starts with the developer. Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain…

Today, as part of a platform-wide effort to secure the software ecosystem through improving account security, we’re announcing that GitHub will require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023.

This is a big step in the right direction and their new(ish) 2FA for GitHub Mobile feature helps make the burden not as cumbersome as it might be otherwise.

Ship It! Ship It! #46

A simpler alternative to cert-manager

Nabeel Sulieman, Senior Software Engineer at Vercel, talks about KCert, a simpler alternative to cert-manager that he built. Gerhard tried it out, and he thinks that Nabeel is onto something. If you want to see the video that they recorded, ping us on Twitter or Slack.

We love this story, especially the long-term approach of working on something that one truly believes in, and the only reason is because it’s fun. The world needs more people like Nabeel, and we hope that this episode inspires you to go all out, and do just that.

Security trickster.dev

Decrypting your own HTTPS traffic with Wireshark

Wireshark is a seriously cool piece of software for packet sniffing and analysis. Why might you want to use it on yourself?

This opens up possibilities to not only reverse engineer web app private APIs in a deeper way, but also to do the same kind of research against desktop apps for purposes such as data scraping, automation, vulnerability research and privacy analysis.

The Changelog The Changelog #482

Securing the open source supply chain

This week we’re joined by the “mad scientist” himself, Feross Aboukhadijeh…and we’re talking about the launch of Socket — the next big thing in the fight to secure and protect the open source supply chain.

While working on the frontlines of open source, Feross and team have witnessed firsthand how supply chain attacks have swept across the software community and have damaged the trust in open source. Socket turns the problem of securing open source software on its head, and asks…“What if we assume all open source may be malicious?” So, they built a system that proactively detects indicators of compromised open source packages and brings awareness to teams in real-time. We cover the whys, the hows, and what’s next for this ambitious and very much needed project.

JS Party JS Party #210

What's in your package.json?

Tobie Langel, Open source strategist and Principal at UnlockOpen, joins Chris, Feross, and Amal to discuss recent widespread incidents affecting the JavaScript community (and breaking CI builds) around the globe. Two widely used npm libraries were self-sabotaged by their single maintainer, yet again, highlighting the many gaps in our OSS supply chain security, sustainability and overall practices. We explore all these topics and solution on what our ecosystem needs to be more resilient to these types of attacks in the future.

Ars Technica Icon Ars Technica

A bug lurking for 12 years gives attackers root on every major Linux distro

Linux users on Tuesday got a major dose of bad news—a 12-year-old vulnerability in a system tool called Polkit gives attackers unfettered root privileges on machines running any major distribution of the open source operating system.

Previously called PolicyKit, Polkit manages system-wide privileges in Unix-like OSes. It provides a mechanism for nonprivileged processes to safely interact with privileged processes. It also allows users to execute commands with high privileges by using a component called pkexec, followed by the command.

Oh my. It requires local access first, which is the only good news here.

Oliver Brotchie csstracking.dev

CSS fingerprinting

Oliver Brotchie developed this CSS fingerprinting technique that requires no Javascript or Cookies to function and avoids anti-tracking methods such as NoScript, VPNs or browser extensions.

CSS Fingerprinting is a technique of tracking and gathering information on site visitors. This method exploits the nature of CSS to track various characteristics about the visitor’s browser and device, which can later be used to either identify or track said visitor.

Right now, at current spec, this method doesn’t scale, but with the next upcoming draft of the CSS specification, CSS Values 4, it will become far more scalable and precise.

Security github.com

An accurate, extensive scanner for finding vulnerable log4j hosts

We have been researching the Log4J RCE (CVE-2021-44228) since it was released, and we worked in preventing this vulnerability with our customers. We are open-sourcing an open detection and scanning tool for discovering and fuzzing for Log4J RCE CVE-2021-44228 vulnerability. This shall be used by security teams to scan their infrastructure for Log4J RCE, and also test for WAF bypasses that can result in achiving code execution on the organization’s environment.

An accurate, extensive scanner for finding vulnerable log4j hosts

Firefox hacks.mozilla.org

Fine-grained sandboxing in Firefox 95

In Firefox 95, we’re shipping a novel sandboxing technology called RLBox that makes it easy and efficient to isolate subcomponents to make the browser more secure. This technology opens up new opportunities beyond what’s been possible with traditional process-based sandboxing…

Turns out using WebAssembly to isolate potentially-buggy code is a pretty big win:

Going forward, we can treat these modules as untrusted code, and — assuming we did it right — even a zero-day vulnerability in any of them should pose no threat to Firefox.

Ship It! Ship It! #26

Gerhard at KubeCon NA 2021: Part 2

In the second set of interviews from KubeCon North America 2021, Gerhard and Liz Rice talk about eBPF superpowers - Cilium + Hubble - and what’s it like to work with Duffie Cooley.

Jared Watts shares the story behind Crossplane reaching incubating status, and Dan Mangum tells us what it was like to be at this KubeCon in person. Dan’s new COO role (read Click Ops Officer) comes up.

David Ansari from VMware speaks about his first KubeCon experience both as an attendee and as a speaker. The RabbitMQ Deep Dive talk that he gave will be a nice surprise if you watch it - link in the show notes.

Dan Lorenc brings his unique perspective on supply chain security, and tells us about the new company that he co-founded, Chainguard. How to secure container images gets covered, as well as one of the easter eggs that Scott Nichols put in chainguard.dev.

Security whitehoodhacker.net

IoT hacking and rickrolling my high school district

On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It’s the second-largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.

Who doesn’t like a good rickroll story? This one’s replete with screencaps and video footage

Security openssl.org

OpenSSL 3.0: API and license changes

Following thanks to all contributors, the blog notes:

Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings.

And points out a couple of new features:

OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.

A key feature of OpenSSL 3.0 is the new FIPS module. Our lab is testing the module and pulling together the paperwork for our FIPS 140-2 validation now. We expect that to be submitted later this month. The final certificate is not expected to be issued until next year.

And finally, LWN notes on the license change:

OpenSSL has also been relicensed to Apache 2.0, which should end the era of “special exceptions” needed to use OpenSSL in GPL-licensed applications.

Martin Heinz martinheinz.dev

A solution to software supply chain security

In the recent months there’s been a lot of noise in the area of supply chain security because of increase in attacks, with notable ones like Microsoft Exchange Server or SolarWinds breach. These attacks could have been prevented with proper tools in place, yet finding the right tool for the job might be difficult as this area is hard to navigate and most of us - developers - aren’t security experts. There’s however a project that can solve this. Its name is sigstore and in this article we will look at what it does, why we need it and how it fits into landscape of existing tools in this area.

  0:00 / 0:00