Seven Critical Things To Protect Your Infrastructure and Data
https://infosec.engineering/seven-critical-things-to-protect-your-infrastructure-and-data/
errm, does this mean that using maven is a risk? https://github.com/snyk/zip-slip-vulnerability
I'm tempted to say that as long as you only use dependencies from trusted publishers and from a trusted repository it's alright, but I'm pretty sure I'm minimizing the issue here. #swdev #security #infosec #maven #zipslip
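Zip Slip, as linked above, is an archive extractor joining an entry name like `../../evil.sh` onto the destination directory without checking where the result lands. The following is an added Python example (not from the linked advisory or any Maven plugin; the archive is constructed in memory and the directory names are scratch paths) showing the vulnerable path computation next to a hardened extractor that validates every entry against the resolved destination before writing anything. Python's own `ZipFile.extractall` already strips `..` components, so the naive step is written out by hand to mirror what the affected Java libraries did.

```python
import io
import os
import tempfile
import zipfile


def build_sample_archive(include_evil=True):
    """Constructed sample archive: one benign entry plus, optionally, one
    entry whose name climbs out of the extraction directory (Zip Slip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/good.txt", "harmless\n")
        if include_evil:
            zf.writestr("../../evil.sh", "#!/bin/sh\necho pwned\n")
    return buf.getvalue()


def naive_targets(zip_bytes, dest):
    """The vulnerable pattern: join the entry name onto dest and write there.
    Returns the normalised paths such an extractor would create."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest, n)) for n in zf.namelist()]


def escaping_entries(zip_bytes, dest):
    """Names of entries whose resolved target is not inside dest.
    Catches '../' traversal and absolute entry names alike."""
    root = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                bad.append(name)
    return bad


def safe_extract(zip_bytes, dest):
    """Validate every entry before writing anything, so a malicious archive
    is rejected whole rather than half-extracted. Returns written paths."""
    bad = escaping_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, entries escape {dest}: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo():
    """Run both extractors in a scratch directory and report what happened."""
    evil = build_sample_archive(include_evil=True)
    benign = build_sample_archive(include_evil=False)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "out")
        os.makedirs(dest)
        # Where the naive join would have written each entry.
        outside = [p for p in naive_targets(evil, dest)
                   if not p.startswith(dest + os.sep)]
        try:
            safe_extract(evil, dest)
            rejected = False
        except ValueError:
            rejected = True
        files_after_reject = os.listdir(dest)
        benign_written = len(safe_extract(benign, dest))
    return {
        "naive_outside_dest": [os.path.basename(p) for p in outside],
        "rejected": rejected,
        "files_written_on_reject": files_after_reject,
        "benign_written": benign_written,
    }


if __name__ == "__main__":
    print(demo())
```

The check compares `os.path.realpath` results rather than looking for the substring `..`, so an absolute entry name or a `..` hidden behind a symlinked destination is caught too. Entries that are themselves symlinks are written here as regular files containing the link text; an extractor that recreates symlinks needs to re-validate every later entry against the real filesystem, since a link created by an earlier entry can redirect a later write.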
Ron Jeffries - Developers Should Abandon Agile https://ronjeffries.com/articles/018-01ff/abandon-1/
#agile #swdev
after being away from java and spring for a while this was quite a good overview of what's new in the core framework: https://youtu.be/0V-3kUMfWCc
Conversation here reminded me of this awesome piece by James Mickens:
https://www.schneier.com/blog/archives/2015/08/mickens_on_secu.html
It's not often I get to describe #infosec writing as simultaneously informative and fucking hilarious but Mickens fills the bill.
tech tribalism, security exploits
One of the Patreon sketches from the other night that I thought turned out cute!
finally bottled my latest #homebrew. it's a truffle stout, so I called it "Proof of Wort"
holy shit.
https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/
https://twitter.com/x0rz/status/994116668086542336
"The ssh-decorator package from Python pip had an obvious backdoor"
sends host + username + password to an external website
There are two natural paths to progress as a programmer:
1. Pick up farming, because all software is terrible.
2. Get into infosec, because f*** all software.
@bugshiv good to know, I actually have no idea how device ids work so didn't think about it
"How to Use Signal Without Giving Out Your Phone Number"
https://theintercept.com/2017/09/28/signal-tutorial-second-phone-number/ #signal #privacy
Because I live in fear that there exist people who don't know about this: https://godbolt.org/
Want to know what a compiler actually does with your code? Find out, with nice highlighting of sections! Supports C, C++, Haskell, Go, Swift, Rust, and various other languages.
See. Explore. Understand.
Defensive Security Podcast Episode 216
http://defensivesecurity.org/defensive-security-podcast-episode-216/
#infosec
#homebrewing a truffle #stout! I don't really know what I'm doing but I'm sure the result will be interesting! #beer
TIL ham+cheese+mustard sandwiches from Eat are tastier than the ones from Pret
Sen. Catherine Cortez Masto
we are ๐๐ฃ๐จ๐๐๐
went snowboarding last week, got on the slopes just in time for the end of the season in the Dolomites
weather was great, sunny clear sky with soft snow
This was kind of delightful: https://holeybeep.ninja/
It's a half-joking vulnerability disclosure for a privesc bug in `beep` of all things (CVE-2018-0492). Lots of ridiculousness in the text.
But their recommended patching method is a poker-faced usage of an unpatched issue wherein `patch` can be told to call `ed`, which allows arbitrary command execution: https://rachelbythebay.com/w/2018/04/05/bangpatch/