In "Dependency Confusion," security researcher @alxbrsn describes how he made a fortune in bug bounties by exploiting a new supply-chain attack he calls "dependency confusion," which allowed him to compromise "Apple, Microsoft and dozens of others."

medium.com/@alex.birsan/d…

1/
Dependency Confusion is incredibly, delightfully clever. It is grounded in the fact that software developers rely on "dependencies" (prebuilt, modular code libraries) when they build new versions of their software.

2/
The JavaScript files used to build new versions are often public, and by looking inside them, you can find out the names of the libraries used to build popular applications, from Uber to Yelp to Netflix.

3/
Now, these libraries are a mix of widely used public libraries and private, in-house ones, and when the software is being built, the system checks both the canonical public archives of code libraries and private company servers.

4/
Birsan's insight was that if he created new, malicious libraries with the same names as the private ones, and put them on the public servers, then the build system might preferentially snag and incorporate his malicious code instead of the private ones.

5/
Some build systems have a weak default: if a library with the same name is found in more than one repository, the system picks the one with the higher version number, so Birsan gave his libraries version numbers like "9000.0.0."

6/
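To make that precedence rule concrete, here is an added Python model (not code from the thread or from Birsan's write-up) of a resolver that consults a public and a private index: the weak policy takes the highest version across both, the hardened policy fetches names declared internal only from the private index, and an audit lists internal names that also exist publicly. Every package name, version and index content is constructed.

```python
"""Toy model of the index-precedence flaw behind dependency confusion.
Added illustration, not code from the thread or Birsan's write-up; every
package name, version and index below is constructed."""


def parse_version(v):
    """'9000.0.0' -> (9000, 0, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def resolve_highest_wins(pkg, indexes):
    """Weak default: pool every index and take the highest version, whatever its origin.
    A public upload with a huge version number therefore shadows the internal package.
    `indexes` maps index name -> {package name -> [versions]}."""
    candidates = [(parse_version(v), name, v)
                  for name, pkgs in indexes.items() for v in pkgs.get(pkg, [])]
    if not candidates:
        raise LookupError(f"{pkg}: not found in any index")
    _, source, version = max(candidates)
    return source, version


def resolve_private_first(pkg, indexes, internal):
    """Hardened policy: names declared internal are fetched only from the private
    index; the public index is consulted solely for names that are not internal."""
    source = "private" if pkg in internal else "public"
    versions = indexes[source].get(pkg, [])
    if not versions:
        raise LookupError(f"{pkg}: not found in {source} index")
    return source, max(versions, key=parse_version)


def audit_shadowed(indexes):
    """Detection: internal names that also exist on the public index deserve
    investigation, whoever registered them."""
    return sorted(n for n in indexes["private"] if n in indexes["public"])


# Constructed sample data: two internal packages, one with a same-named public twin.
INTERNAL = {"acme-auth-client", "acme-billing"}
INDEXES = {
    "private": {"acme-auth-client": ["1.4.2"], "acme-billing": ["2.0.0"]},
    "public": {"requests": ["2.25.1"], "acme-auth-client": ["9000.0.0"]},
}

if __name__ == "__main__":
    print(resolve_highest_wins("acme-auth-client", INDEXES))  # ('public', '9000.0.0')
    print(resolve_private_first("acme-auth-client", INDEXES, INTERNAL))  # ('private', '1.4.2')
    print(audit_shadowed(INDEXES))  # ['acme-auth-client']
```

The same name-to-index pinning is what a real resolver gets from scoping or a dedicated private index rather than a merged "extra" index, and the audit is the check a defender runs before any build does.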
Birsan was able to attack Python, Ruby and Microsoft .NET-based apps. His reports resulted in fixes to many of the apps involved, but some of the infrastructure tools, like JFrog Artifactory, still default to an insecure mode, and class his bug report as a "feature request."

7/
And Birsan thinks there's plenty more bug bounties out there waiting to be claimed for attacks like this: "finding new and clever ways to leak internal package names will expose even more vulnerable systems.

8/
"Looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs."

eof/
ETA - if you'd like to read or share this thread as a blog post, here's a permalink on my pluralistic.net blog, which is free from surveillance, ads and trackers:

pluralistic.net/2021/02/11/rho…

