VOICE ARCHIVE

@filosottile
18 posts
2022-01-10
How can we even start talking about supply chain security and sustainability if a maintainer publishing a bad npm package version breaks everyone instantly? Stable, deterministic pinning is table stakes. https://www.theverge.com/...
BleepingComputer

An open-source developer, expressing regret for supporting “Fortune 500s”, breaks ~19K projects by corrupting popular NPM libraries; GitHub reverts the changes

Users of popular open-source libraries ‘colors’ and ‘faker’ were left stunned after they saw their applications …

2021-12-13
This is the maintainer who fixed the vulnerability that's causing millions(++?) of dollars of damage. “I work on Log4j in my spare time” “always dreamed of working on open source full time” “3 sponsors are funding @rgoers's work: Michael, Glenn, Matt” People, what are we doing. https://twitter.com/...

No one is paying the log4j2 maintainers!? There is a whole page on the responsibilities of a @TheASF “Project Management Committee”... AND NO ONE IS PAYING THEM? https://www.apache.org/... Open Source needs to grow the hell up. Yesterday. https://twitter.com/...

We all agree the status quo is unsustainable. Here are 1,000 words on how we could get the role of Open Source maintainer to graduate to a real, properly paid profession. The thing is, companies need it as much as maintainers do. https://blog.filippo.io/...

Filippo.io

How the role of open-source maintainers could be professionalized, as the maintainer who fixed the Log4j zero-day says he works on the project in his spare time

Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021.

BleepingComputer

Researchers spot waves of attacks targeting unpatched Apache servers with the Log4j bug, exfiltrating data, spreading botnets, installing crypto miners, more

Threat actors and researchers are scanning for and exploiting the Log4j Log4Shell vulnerability to deploy malware or find vulnerable servers.


2021-11-02
Rust has a nice clear advisory for today's CVE-2021-42574/42694 “Trojan Source” vulns. Lints sound good, but I'm unconvinced this is something we can fix in compilers. For example, here's a “0day bypass”. if access_level != “usеr” { That е is a CYRILLIC SMALL LETTER IE 🤷‍♂️ https://twitter.com/...
Krebs on Security

Researchers discover a Unicode security vulnerability that affects most code compilers, including for Go, C++, C#, JavaScript, Java, Rust, and Python

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code …
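As an added defender-side check (my own code, not from the tweet, the Rust advisory, or any project), the scanner below flags the two Trojan Source classes the post refers to: Unicode bidi control characters (CVE-2021-42574) and word tokens that mix scripts, which is what catches the Cyrillic е hidden in "usеr". The script list and the sample source are assumptions made for the demonstration.

```python
import re
import unicodedata

# Bidi embedding/override/isolate controls abused by Trojan Source (CVE-2021-42574).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE RLE PDF LRO RLO
                 "\u2066", "\u2067", "\u2068", "\u2069"}            # LRI RLI FSI PDI
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK")  # assumption: the scripts worth telling apart here
TOKEN = re.compile(r"\w+")  # \w is Unicode-aware, so it spans a token such as us+U+0435+r


def script_of(ch: str) -> str:
    """Coarse script label taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    return next((s for s in SCRIPTS if name.startswith(s + " ")), "OTHER")


def scan_line(line: str, lineno: int) -> list:
    """Flag bidi controls anywhere and word tokens mixing scripts (the CVE-2021-42694 homoglyph case)."""
    findings = []
    for col, ch in enumerate(line, start=1):
        if ch in BIDI_CONTROLS:
            findings.append(("bidi-control", lineno, col, unicodedata.name(ch)))
    for m in TOKEN.finditer(line):
        scripts = {script_of(c) for c in m.group() if c.isalpha()}
        if len(scripts) > 1:
            findings.append(("mixed-script", lineno, m.start() + 1, m.group()))
    return findings


def scan_source(src: str) -> list:
    """Run scan_line over every line of a source file's text, in file order."""
    return [f for i, line in enumerate(src.splitlines(), start=1) for f in scan_line(line, i)]


# Constructed sample: line 2 carries the tweet's Cyrillic IE (U+0435) inside the literal "user",
# line 5 hides a Right-to-Left Override and an isolate in a comment, line 6 is all-Cyrillic
# (a single script, so it is not flagged).
SAMPLE = (
    'fn check(access_level: &str) -> bool {\n'
    '    if access_level != "us\u0435r" {\n'
    '        return true;\n'
    '    }\n'
    '    // safe \u202e } \u2066 // admin only\n'
    '    false // \u043f\u0440\u0438\u0432\u0435\u0442\n'
    '}\n'
)

if __name__ == "__main__":
    for kind, ln, col, what in scan_source(SAMPLE):
        print(f"{kind}: line {ln}, col {col}: {what!r}")
```

Run as a pre-commit or CI step over the repository's text files; the mixed-script rule is deliberately narrow so that comments and literals written entirely in one non-Latin script pass.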

2021-09-11
Holy encrypted backups, Batman! WhatsApp will let you encrypt your chat backups with a key you keep yourself! Plaintext backups are the largest hole in end-to-end encryption by several orders of magnitude. Apple, your turn. https://techcrunch.com/... https://twitter.com/...
TechCrunch

Mark Zuckerberg says WhatsApp will start rolling out e2e encrypted backups to iOS and Android users in the coming weeks as an optional feature

WhatsApp said on Friday it will give its two billion users the option to encrypt their chat backups to the cloud, taking a significant step to put …

2021-09-08
Strong disagree. As always, the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it. It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it. https://twitter.com/...
TechCrunch

ProtonMail is under fire for disclosing a French activist's IP address to Swiss authorities; ProtonMail had claimed to only log IPs in “extreme criminal cases”

ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism …


2021-02-22
These checklists from Apple are gold. If you want to see if anyone else has access to your device or accounts: https://support.apple.com/... If you want to stop sharing: https://support.apple.com/... If you want to make sure no one else can see your location: https://support.apple.com/...
TidBITS

Apple's new Platform Security user guide follows the industry trend of growing vertical hardware, software, and cloud integration to improve ecosystem security

2020-11-17
I didn't really care about the macOS OCSP thing (I'm fine with Apple knowing what signed apps I run, and revocation is hard) until I realized those checks are over plaintext. Broadcasting what apps you launch to the network in plaintext should not have passed privacy review.
iPhone in Canada Blog

Apple responds to privacy concerns over checking macOS apps' Developer ID certs over OCSP, ceases logging IP addresses, will launch encrypted protocol in 2021

Gary Ng / iPhone in Canada Blog :

2020-08-21
2017: Uber fires their security chief for being too unscrupulous and covering up a breach. 2018: Cloudflare hires him as CISO. 2020: https://twitter.com/...
New York Times

Former Uber CSO Joe Sullivan charged with obstruction of justice for trying to conceal the 2016 data breach of millions of users and drivers from FTC officials

Joe Sullivan, who led Uber's security team through the company's most tumultuous period, was fired by the company's newly installed chief executive in 2017.

2019-09-29
US and UK agree on some streamlined MLATs to share information they already have. Bloomberg makes it about WhatsApp and muddles it with the encryption debate. #1 on HN as “US and UK agree to force WhatsApp backdoor”. Comments rage against backdoors. Well done to all involved. https://twitter.com/...
@alexstamos

[Thread] New UK-US treaty grants UK courts options similar to those of the US for obtaining message content, but won't change the status quo on E2E encryption

It's really early on a Sunday, so while I sip my coffee I'm also going to try to clear up a lot of confusion about the CLOUD Act created by poor reporting by The Times (of London) ...