How to Clear Data Facebook Collects About You from Other Sites and Apps https://thehackernews.com/2020/01/off-facebook-activity-data.html
"To overcome these limitations, we drew inspiration from the Morris worm, which exploited the DEBUG vulnerability in Sendmail by executing the body of a mail as a shell script:"
RPKI deployment varies significantly between RIRs: between 1.38% (ARIN) and 15.11% (RIPE NCC) of ASes are included in one or more Validated ROA Payloads (VRPs), and between 2.7% (AFRINIC) and 30.6% (RIPE NCC) of the total IPv4 address space administered by RIRs is covered by VRPs.
https://blog.apnic.net/2020/01/29/is-rpki-ready-for-the-big-screen/
No worries, we're fixing mobile too ¯\_(ツ)_/¯
"If Chrome fixes #privacy too fast it could break the web ... Much of the content on the web is supported by advertising revenue, and advertisers will shift to mobile apps"
The 'Useful Idiots': How These British Academics Helped Russia Deny War Crimes At The UN
Lecturers from the Universities of Edinburgh, Leicester and Bristol have accused rescue workers the White Helmets of mass murder in Syria – to condemnation from Amnesty International and others.
https://m.huffingtonpost.co.uk/entry/the-useful-idiots_uk_5e2b107ac5b67d8874b0dd9d
There's an awesome browser fingerprinting demo at amiunique.org
And I'm pleased to catch most (all?) of their fingerprinting techniques :)
Anatomy of Pegasus spyware from target's point of view https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/
RT @aoifewhite101
DuckDuckGo is the big winner on Google’s Android search app choice screen - but it worries that the way it’s designed might not steer users to alternatives https://www.bloomberg.com/amp/news/articles/2020-01-28/google-rival-attacks-search-giant-s-bid-to-stoke-android-choice
Google’s search preference menu for the EU is designed in a way that undercuts the very reason it was created, making it harder than necessary for people to choose a non-Google search engine alternative. We propose user-tested design improvements: https://spreadprivacy.com/search-preference-menu-design/
Ticket title: Jenkins upgrade - CRITICAL vulnerabilities
Ticket type: Improvement
¯\_(ツ)_/¯
EFF: BREAKING: We’ve confirmed that the Ring doorbell app on Android covertly shares personally identifiable information on its users with third-party companies, including Facebook. https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers #amazon #privacy
Russian BN-800 fast breeder reactor has just started commercial operations on reprocessed uranium-plutonium MOX fuel, meaning that it's now possible to "burn" nuclear waste
Leaked Documents Expose the Secretive Market for Your Web Browsing Data - VICE - https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation
DevSecOps case study 2:
Most 3rd party vendors no longer publish packages for unsupported distros.
So if your client is on Ubuntu Trusty 14.04, which has been out of support for the last year, then even if they pay for extended support (ESM), you are either stuck with Nginx 1.4.6 from ESM, which should in theory get patches from ESM, or with Nginx 1.14 from Nginx, which has not received any patches for a year or so.
DevSecOps case study 1:
If your client chose, 5 years ago, a convenient repack of Nginx like OpenResty or OpenWAF as their main web server, you may not be pleased to learn that both of them were either discontinued (OpenWAF in 2017) or barely updated (OpenResty half a year ago).
Strategically it would be perhaps better to use a native Nginx package from Nginx upstream and internally compile NAXSI into a DEB - at least you'd be running an up-to-date Nginx.
Now I had to upgrade from 1.7 (!).
An Avast antivirus subsidiary sells 'Every search. Every click. Every buy. On every site.' Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey. https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation
"Greens caused gigatons of carbon dioxide to enter the atmosphere from the coal and gas burning that went ahead instead of #nuclear. I was part of that too, I apologize." (Stewart Brand, 2009)
Polish expat in the UK. Information security engineer. Caver & cave rescuer (thus the bat). NHS volunteer & blood donor.