acronyms everywhere


the commoditization of information security continues unabated.

CNAPP

SLSA

CSAF

VEX

SBOM

MVSP

future ai


The future is bright, thanks to the wonders of AI! Just imagine a world where robots do all the work, and humans sit back and relax. No more pesky jobs or tedious tasks, just endless leisure and enjoyment.

Of course, this utopia comes at a cost. Humans will have to give up their privacy, as AI monitors every aspect of their lives to ensure maximum efficiency and productivity. And those who resist or fail to conform will be exiled to the fringes of society, or worse.

But hey, at least we won’t have to worry about things like climate change or inequality, right? After all, those are just pesky problems that only intelligent beings like us can fix. So let’s all embrace our AI overlords and look forward to a bright and shiny future!

sarcastic take on ai and our future | ChatGPT

images, malware and art


Steganography, the practice of concealing a message within another object such as an image, has been studied and practised for centuries. Although it is taught early in any graduate-level information security course, its use in the wild is less common than one would expect.

Lately there has been a huge surge of interest in the new field of AI-generated art and images. Kicked off by the announcement and availability of DALL-E 2, new models are being announced every other day.

News broke earlier today of the Witchetty group using a backdoor Trojan (Backdoor.Stegmap) hidden within a copy of a popular Windows 7 wallpaper image file to attack two government departments in the Middle East and an African nation's stock exchange.

I want to see something old paired with something new to give us something unique. An offensive prompt store, perhaps?
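The mechanism behind an image-borne backdoor, as an added example that is not code from this page or from the Witchetty campaign: textbook least-significant-bit (LSB) embedding in Python over a constructed grayscale buffer rather than a real wallpaper. The functions `embed`, `extract`, `lsb_plane` and `max_pixel_delta`, the gradient cover and the payload string are all assumptions for illustration, and nothing here reproduces how Backdoor.Stegmap actually encodes its payload.

```python
# Added example (not the page's or the Witchetty group's code): textbook
# least-significant-bit (LSB) steganography over an 8-bit grayscale buffer.
# The cover image and payload below are constructed in-line; this is not a
# reconstruction of how Backdoor.Stegmap encodes its payload.


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the LSB of each cover byte, prefixed by a 4-byte
    big-endian length so the extractor knows where to stop."""
    frame = len(payload).to_bytes(4, "big") + payload
    if len(frame) * 8 > len(cover):
        raise ValueError(
            f"cover too small: need {len(frame) * 8} bytes, have {len(cover)}")
    out = bytearray(cover)
    idx = 0
    for byte in frame:
        for shift in range(7, -1, -1):          # MSB first within each byte
            out[idx] = (out[idx] & 0xFE) | ((byte >> shift) & 1)
            idx += 1
    return bytes(out)


def lsb_plane(image: bytes) -> bytes:
    """Pack the LSB of every image byte into a byte string, 8 image bytes per
    output byte. Trailing bytes that do not fill a whole group are ignored.
    A defender can scan this plane for file magic or unusually high entropy."""
    out = bytearray()
    for i in range(0, len(image) - len(image) % 8, 8):
        v = 0
        for j in range(8):
            v = (v << 1) | (image[i + j] & 1)
        out.append(v)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed()."""
    plane = lsb_plane(stego)
    n = int.from_bytes(plane[:4], "big")
    if 4 + n > len(plane):
        raise ValueError("declared payload length exceeds the LSB plane")
    return plane[4:4 + n]


def max_pixel_delta(a: bytes, b: bytes) -> int:
    """Largest per-pixel change between two buffers. LSB embedding changes a
    pixel by at most 1 on a 0..255 scale, which is why the stego image looks
    identical to the cover."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed 64x64 grayscale gradient standing in for a wallpaper.
COVER = bytes(((x + y) // 2) & 0xFF for y in range(64) for x in range(64))
# Constructed, hypothetical second-stage configuration; not a real indicator.
PAYLOAD = b"hypothetical-stage2: https://example.invalid/beacon"


def demo() -> bytes:
    """Round-trip the constructed payload through the constructed cover."""
    stego = embed(COVER, PAYLOAD)
    assert max_pixel_delta(COVER, stego) <= 1
    return extract(stego)


if __name__ == "__main__":
    print(demo())
```

Two practitioner notes. First, the scheme only survives lossless containers (BMP, PNG); JPEG recompression rewrites the low bits, so an LSB-carried payload in a wallpaper implies the file travelled uncompressed or in a lossless format. Second, the detection opportunity is behavioural as much as forensic: a process that fetches an image and then decodes bytes out of its pixel data, or an image whose `lsb_plane` carries file magic or ciphertext-like entropy, is worth a look even when the picture itself is visually unremarkable.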

no problems here


You buy a device and it works. It works reliably and securely for a period of time and then due to insert reasons, it stops working reliably or securely. I was recently looking at replacing my network stack of Unifi gear. One vendor I contemplated was Cisco.

When you have built a reputation as the global leader in reliably shipping internet-facing equipment with hard-coded passwords and remote code execution vulnerabilities, perhaps it is time to stop repeating the same product development process and expecting a different result?

No Cisco for me from the looks of it.

last smoke


The CEO of LastPass, a fairly well-known password manager, last week made a security incident public. It seems an unauthorized party gained access to a developer account and, through that, to a developer environment. Said party then seems to have taken portions of their source code and proprietary technical information.

This company seems to have an interesting history with various security incidents.

Will they continue to be your go-to way to securely manage your secrets in the future? The parent company does have a reputation for taking great software and turning it into soulless products of degraded engineering quality and capability.

Smoke and fire and all that. We may have to return to see how LastPass fares when KeePass, KeePassXC, Bitwarden, etc. are real alternatives built on the foundation of being open source.

no more vulnerabilities


So last week the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2023, which becomes law if it gets Senate approval and is signed by President Joe Biden.

This bill is a well-intentioned effort to improve the overall standard of the software supply chain in use by the Department of Homeland Security. It requires vendors to submit a Software Bill of Materials for their software products along with a certification that the components listed have no known open vulnerabilities or defects. Currently the NIST NVD and the CISA-registered vulnerability databases are the sources to be referenced for that validation.

This I believe is in response to various high profile cyber security incidents of the last few years.

I am not sure how successful this will be, as .gov usually prescribes the what and leaves the how for everyone else to figure out.

mfa for developers


With the increase in supply chain attacks in the software development industry, there’s been a steady increase in various players in the industry rolling out mandatory MFA requirements for developers.

Earlier this week RubyGems announced their intention to enforce MFA requirements on maintainers of gems with 180 million downloads or more.

PyPI announced support for MFA in mid-2019, as an opt-in option for package maintainers. Earlier this year they announced the policy was being made mandatory for maintainers of projects deemed critical.

Mozilla announced their MFA requirements for extension developers last year. GitHub has already required MFA for the npm registry and recently announced their intention to extend the requirement to all contributing developer accounts.

Okta has a blog post of industries requiring MFA mostly due to compliance requirements in each listed industry.

Expect more such developments across the software supply chain ecosystem as time progresses. Now if only there was a way to tackle some of the other problems with regards to software supply chain security.

defcon 30


Defcon may be the worst and best place to learn anything in that way - the environment is hopelessly chaotic, with two talks happening inches away from each other, and only feet from a DJ pumping out house music. But perhaps the best environment to learn in is the one in which you are most inspired?

The above is an excerpt from Dave Aitel's recent entry to the Daily Dave mailing list. In a single paragraph it completely captures what the experience of DEF CON is.

DEF CON 30 returned to Las Vegas this year and, from early reports, the crowds were not at the level of past years. However, looking at the schedule and the post-conference analyses, the hacker ethos is still alive and well.

Long live the googley eyes

Black Hat USA 2022 also ran last week.

hello world


Obligatory first post.

This blog used to be more of a catch-all for notes I had collected over the years. I have deprecated those notes and decided to pivot this blog to capture my thoughts and opinions about specific events and developments in the field of information security. Expect a linklog-style blog focused on information security here from now on.

The views I present here are my own and can and will change as I move across the arc of time. Should you need to get in touch with me, send an email to the blog-discussion list on sourcehut.