In "Dependency Confusion," security researcher @alxbrsn describes how he made a fortune in bug bounties by exploiting a new supply-chain attack he calls "dependency confusion," which allowed him to compromise "Apple, Microsoft and dozens of others."
Dependency Confusion is incredibly, delightfully clever. It is grounded in the fact that software developers rely on "dependencies" (prebuilt, modular code libraries) when they build new versions of their software.
2/
The JavaScript files used to build new versions are often public, and by looking inside them, you can find out the names of the libraries used to build popular applications, from Uber to Yelp to Netflix.
3/
Now, these libraries are a mix of widely used public libraries and private, in-house ones, and when the software is being built, the system checks both the canonical public archives of code libraries and private company servers.
4/
Birsan's insight was that if he created new, malicious libraries with the same names as the private ones, and put them on the public servers, then the build system might preferentially snag and incorporate his malicious code instead of the private ones.
5/
Some build systems have a weak security measure: if a library is found in more than one repository, the system defaults to the one with the higher version number, so Birsan gave his libraries version numbers like "9000.0.0."
6/
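As an added illustration (not code from the thread or from Birsan's research), the following toy resolvers show the two behaviours described above over constructed package indexes: the weak "highest version from any index wins" rule that lets a squatted public package with version 9000.0.0 shadow an in-house one, and the hardened alternative that fetches each package only from the index it is declared to come from, plus an audit that lists private names that have appeared on the public index. The package names, versions and index contents are constructed for the example.

```python
"""Dependency-confusion resolution, illustrated offline.

Added example, not from the original thread: two toy resolvers over
constructed package indexes. `resolve_by_highest_version` mirrors the
weak "take the highest version from any index" behaviour the thread
describes; `resolve_pinned_source` is the hardened form that looks up
each package only in the index it is declared to come from.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version like '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed indexes (hypothetical names). The private index holds an
# in-house package; the public index holds a same-named package carrying
# an absurdly high version number, the pattern the thread describes.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "acme-billing-core": ["1.4.2", "1.4.3"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "requests": ["2.25.1"],
    "acme-billing-core": ["9000.0.0"],  # squatted name, not the real package
}


def resolve_by_highest_version(name: str) -> Tuple[str, str]:
    """Weak resolver: search every index and take the highest version seen."""
    candidates = []
    for source, index in (("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)):
        for version in index.get(name, []):
            candidates.append((parse_version(version), source, version))
    if not candidates:
        raise LookupError(name)
    _, source, version = max(candidates)  # version tuple decides; 9000.0.0 wins
    return source, version


def resolve_pinned_source(name: str, source_policy: Dict[str, str]) -> Tuple[str, str]:
    """Hardened resolver: each package is fetched only from its declared source.

    A package that is not listed in the policy is refused rather than
    searched for everywhere, so an unknown name can never fall through to
    the public index by accident.
    """
    source = source_policy.get(name)
    if source is None:
        raise LookupError(f"no source pinned for {name!r}")
    index = PRIVATE_INDEX if source == "private" else PUBLIC_INDEX
    versions = index.get(name, [])
    if not versions:
        raise LookupError(f"{name!r} not found in {source} index")
    return source, max(versions, key=parse_version)


def audit_collisions(source_policy: Dict[str, str]) -> List[str]:
    """Return private package names that also exist on the public index.

    Running this against the real public registry is the detection step a
    defender wants: a private name showing up publicly is the signal.
    """
    return sorted(
        name for name, source in source_policy.items()
        if source == "private" and name in PUBLIC_INDEX
    )


if __name__ == "__main__":
    policy = {"acme-billing-core": "private", "requests": "public"}
    print(resolve_by_highest_version("acme-billing-core"))   # ('public', '9000.0.0')
    print(resolve_pinned_source("acme-billing-core", policy))  # ('private', '1.4.3')
    print(audit_collisions(policy))                          # ['acme-billing-core']
```

The design point is that the policy maps every name to exactly one source, so a version number can never change where a package is fetched from; the weak resolver treats the version as the tie-breaker, which is precisely what an attacker controls.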
Birsan was able to attack Python, Ruby and Microsoft .NET-based apps. His reports resulted in fixes to many of the apps involved, but some of the infrastructure tools, like JFrog Artifactory, still default to an insecure mode, and class his bug report as a "feature request."
7/
And Birsan thinks there's plenty more bug bounties out there waiting to be claimed for attacks like this: "finding new and clever ways to leak internal package names will expose even more vulnerable systems.
8/
"Looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs"
eof/
ETA - if you'd like to read or share this thread as a blog post, here's a permalink on my pluralistic.net blog, which is free from surveillance, ads and trackers:
Personnel are policy: when Trump appointed the ex-Verizon lawyer @AjitPai to run the @FCC, he set in motion a series of maneuvers that would compromise broadband access for all Americans, but especially the poorest people in the country.
1/
From the start, Pai's misconduct was breathtaking. His blockbuster manoeuvre was killing #NetNeutrality on the basis of obviously fraudulent, bulk-submitted comments from stolen identities and fake email addresses.
2/
Pai's act of neutracide has far-reaching consequences for everyone who depends on the internet, but other Pai policies were more narrowly targeted, raining down especially grave harms on the poorest, most vulnerable people in the country.
3/
Last week, Aaron Epstein, a 90-year-old legendary Angeleno, took out ads in the WSJ shaming AT&T for the abysmal quality of the broadband service he gets in North Hollywood.
Epstein pointed out that his neighbors are locked-down film industry professionals, totally dependent on fast internet for their livelihoods - but they are stuck with 3Mbps DSL.
2/
It worked: a week later, after national media attention, Epstein has 300Mbps symmetrical fiber. AT&T figured that in this one instance, doing its job was more important than protecting its shareholders.
Republican North Dakota legislators have introduced #SB2333, a bill that prohibits large tech companies from locking their users into a single app store or payment processor.
While this has implications for Android and other large tech platforms, its most immediate and far-reaching effects will be on Apple, whose iOS platform uses lock-in to monopolize both apps and payments (and another domain, not mentioned in the bill: repairs).
2/
Predictably, this has thrown Apple into a fury, with Apple's privacy chief @erikn telling the SD legislature that Apple uses its monopoly over the app store to protect its users' privacy and security.
Back in the early 2010s, people started falling into open sewer entrances in New York City and other large metros - because a China-driven spike in the price of scrap metal, combined with post-2008 unemployment, gave rise to an army of metal-thieves.
A decade later, there's a new precarity- and bubble-fuelled metal-theft epidemic: stealing catalytic converters out of parked cars to harvest their palladium and rhodium for re-use in the global auto-sector, which is facing strict emissions controls.
Palladium and rhodium prices are soaring: palladium is up from $500/oz in 2016 to $2000-$2500/oz; rhodium rose from $640/oz to $21,900/oz (!). This puts a serious dent in auto profits - in 2019, the industry spent an extra $18b on metals (it was higher in 2020).
3/
Adam Curtis is a brilliant documentarian, and films like Hypernormalization and series like All Watched Over by Machines of Loving Grace had a profound effect on my thinking about politics, technology and human thriving.
1/
In this interview with The @idler's @TWHodgkinson, Curtis lays out a compact, incisive and important critique of the big social media platforms - and of their critics, who give these companies far too much credit.
Curtis puts Big Tech's self-serving boasts about how good it is at manipulating public opinion in the same bucket as other outlandish claims of secret, astounding accomplishments, such as those made by British spy agencies.
3/