Fascinating attack vector. It was just a matter of time I guess, the more you use blurry frontiers (be it between OSes or other important domains) the more opportunities for exploits show up.
Pile up enough complexity and it'll quickly become insecure.
Interesting exploration and rough explanation of why SAML has so many issues. Complexity by design in such critical components is a bad idea...
Another couple of attempts at supply chain attacks. This time in the Python ecosystem. The skill level of those attempts isn't high though.
This ecosystem keeps baffling me... How come there are so few checks on what can get published, or on how the command line processes parameters?
Good reminder of why, if you have mobile devices which are outside of a secured office (like most companies nowadays), you should never underestimate the Evil-Maid scenario...
Seeing the bad practices of Amazon with its Android AppStore, it really feels like another supply chain mess in the making with Windows 11 Android support...
Looks like a very interesting tool, in particular for security purposes.
OK, now that's a funny consequence of how authorities behave, which criminals take into account.
Oops... security flaws ready to be exploited in Wi-Fi again. And that includes WPA3.
Nice summary of several security headers you may have to deal with for HTTP.
A way too common mistake which can blow the security of your service.
Or why you can't really trust SMS for 2FA... it's just too much of a wild west there.
Yes, the permission model of GitHub gives me the creeps as well... A couple of the examples given in there are really problematic and need to be addressed. This is even more important seeing the amount of stuff hosted on GitHub nowadays.
Maybe a way out of the supply chain attacks? Will take time and adoption of course.
That shows one of the issues of the kind of centralization that IoT, as currently done, pushes for. Breach in one company? Plenty more people impacted...
Best part of the article is probably the stated motives:
"Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism -- and it’s also just too much fun not to do it.”"
Now that looks like a very fun device for hackers. I definitely want one. :-)
A nice list of easy mistakes one can make in their Nginx configuration opening the door to security issues.
Nice and very approachable introduction to the use of elliptic curves for cryptography. I think I finally understood properly how those work. :-)
Very interesting new supply chain attack. Shows one of the big downsides of the very convenient packaging tools everyone uses lately. Interestingly, in that particular case it seems less risky when only publicly available components are involved; it's in the context of private repositories that the risk arises. The root cause seems to be the lack of control over how those tools resolve between private and public repositories.