The Razor: ep 5

AI Security, Supply Chains, Hacking EV Chargers, and the best books of 2023

Hey Razers (that's the collective noun for people that subscribe to this newsletter, right?),

Another huge month of updates and interesting discussions in the world of building secure systems. It's the first one for the year and yet also, somehow, we're already over 8% into 2024! ๐Ÿคฏ

๐Ÿ“ข New Podcast

We've also been busy talking about these topics on our recently launched Ockam Podcast. This it the bit where I slam the air horn and say ๐Ÿ“ข (brrpp brrpp brrrrppp) "Hit like and then smash that subscribe button" ๐Ÿ“ข. In all seriousness though, I'd love for you to check it out and let us know what you think (and also subscribe and share it with friends to make the algorithms happy).

๐Ÿ”ฎ Predicting the future

A few weeks ago we recorded an episode where we discussed the challenges and complexities of VPNs, and the following week an exploit of the Ivanti VPN was disclosed. Then we recoded an episode about the risks associated with putting private VCS on the public internet, and the following week we had both the GitLab and Jenkins disclosures. I'm not saying we're psychic (but, maybe?)โ€ฆ but if you want to keep ahead of these things you know where to subscribe.

Secure-by-design

Exposed

  • ๐Ÿ’ฐ Tietoevry: Swedish banking-as-a-service provider hit with ransomware attack.
  • ๐Ÿคก Microsoft: Systems breached and attackers had access to "a very small percentage of Microsoft corporate email accounts". Thankfully those accounts were only the members of the senior leadership team, cybersecurity, legal, and some other functions and were used to exfiltrate some emails and attached documents. ๐Ÿ™„
  • ๐ŸฆŠ GitLab: Over 5000 public servers vulnerable to an account takeover attack.
  • ๐Ÿš— Mercedes-Benz: A leaked token gave someone full access to a private GitHub Enterprise server.
  • ๐Ÿก Fidelity National: Hackers stole 1.3M records and took the company offline for a week.
  • ๐Ÿ’พ Redis: Memory overflow bug that could potentially lead to remote code execution.
  • ๐Ÿ”ง Bosch: There's been a lot of talk about loose nuts causing problems in the media this month. It seemed relevant to include a vulnerability for something you might find in a tool shop.
  • ๐Ÿงฑ Ivanti: Two separate vulnerabilities that allows access that can bypass control checks or to execute arbitrary commands on the appliance.
  • โ›ˆ๏ธ Google Cloud: I wasn't sure where to put this one as it's not exactly an exposure. A widely misunderstood configuration setting means that rather allowing access from authenticated users within your Google Org, any authenticated Google account could have access to and take control of Google Kuberenetes Engine (GKE) clusters running on GCP. As many as 250,000 clusters could be affected.

DX

  • ๐Ÿ–ฅ๏ธ CLI User Experience Case Study: Topiary: I โค๏ธ a good CLI experience. This post goes through some of the reasons why they can be so difficult and the problems users will typically run into (I've also strong opinions on how these constraints drive amazing experiences in other parts of your product, that's a blog post for another time). From there there's some great examples of how they applied those lessons to improving their own CLI tool.
  • ๐Ÿง™ Be the best prompt engineer you can be: A paper that provides a list of guiding principles for providing the most useful prompts possible when using LLM systems (another shout out to Vaughan Shanks for bringing this one to my attention).
  • ๐Ÿƒ Developer Productivity/Quality: Google has published a series of papers around 3 facets of developer productivity: speed, ease, and quality. This one dives into various different types and definitions for what "quality" means in that context and how they influence each other.
  • ๐Ÿณ Dive - a tool for exploring each layer in a Docker image: Wish you had an easier way to analyze the contents of each layer of a Docker image and/or work out how to make it smaller? We got you.
  • ๐Ÿ“‰ GitHub Copilot Research Finds 'Downward Pressure on Code Quality': In news I find not at all surprising, research projects that the amount of code churn is expected to double in 2024 relative to 2021'. This article says it's a counterpoint to previous research that claimed CoPilot helped devs complete tasks significantly faster. It's not really a counterpoint though IMO and the reason devs get the speed has the same underlying reasons for why the code ends up being refactored later. I feel like I have another blog post in the works! ๐Ÿคฃ
  • โœจ 12 Modern CSS One-Line Upgrades: CSS is one of those things that I feel like is fairly stable and that I know quite well, and then realise it's not and I'm quite bad at it. This page has a number of nice improvements I need to immediately use to replace various hacks and workarounds I thought I needed on the Ockam website.
  • ๐Ÿ“™ The Hacker News Top 40 books of 2023: Someone built a thing to scrape HN posts and find the most mentioned books of 2023. These are the results. Some absolute classics in there with a mix of both fiction and non-fiction.
  • ๐Ÿ“ฆ PackagingCon 2023 Videos are up: A whole conference dedicated to package management across various ecosystems! I've not had a chance to watch any of the videos yet, but there are a whole host of them related to security, trust, and integrity. Topics I assume are of interest to this audience. As an example a few of the ones I've open in tabs to watch are: "How to bootstrap trust for the open-source ecosystem", "Python at Bloomberg", "Rebuilding Trust: Asserting Integrity in Language Package Ecosystems", "Rebuilding Trust: Asserting Integrity in Language Package Ecosystems", "Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines"
  • โŒจ๏ธ Work Faster in VSCode Without Needing a Mouse: An interesting read on how Giles mapped various things to avoid the need to use a mouse in VSCode. I'm reasonably proficient at driving VSCode via the keyboard and my biggest crutch is simple not remembering the various shortcuts so I use the Command Palette as a crutch to make up for it. I like some of the suggestions in here though that have shortcut mappings more aligned to spatial things and where you want to move vs the names of the actions. I need to give it a try as it might be the thing that makes the shortcuts stick.

Product spotlight

  • ๐Ÿงฌ Helix: A post-modern text editor: Look, I don't really understand what "post-modern" means in this context either (I know it's a joke!). It's a new text editor. Right as I might have discovered how to use VSCode properly! If you're finding VSCode a bit heavy though it looks like it's worth checking out.

The odd bits

  • ๐Ÿฆ„ Apocryphal Inventions: My attempts to explain this will do it absolutely no justice, so I'll just give you the blurb from the website: "The objects in the Apocryphal Inventions series are technical chimeras, intentional misdirections coaxed from the generative AI platform Midjourney. Instead of iterating on the systemโ€™s early drafts to create ever more accurate renderings of real-world objects, creator Jonathan Hoefler subverted the system to refine and intensify its most intriguing misunderstandings, pushing the software to create beguiling, aestheticized nonsense. Some images have been retouched to make them more plausible; others have been left intact, appearing exactly as generated by the software. The accompanying descriptions, written by the author, offer fictitious backstories rooted in historical fact, which suggest how each of these inventions might have come to be."

Whew! ๐Ÿ˜… There's so much interesting stuff happening. Please keep sharing anything you find with me. Also, did I mention we have a podcast now? ๐Ÿ˜‰

Best,

Glenn
Glenn

Want to meet people that are interested in these topics?

๐Ÿ‘พย Join the Build Trust communityย on Discordย ๐Ÿ‘พ

Want more? Not subscribed?

We save you time, and your inbox, by emailing you only once a monthย โ€”ย  with a round-up of the best articles on cybersecurity, inspiring developer experiences, building systems that are secure-by-design, and related tooling.

Build Trust

Learn

Get Started

Ockam Command

Programming Libraries

Cryptographic & Messaging Protocols

Documentation

Blog

ยฉ 2024 Ockam.io All Rights Reserved