AppSec Charlie
11 posts

AppSec Charlie
@AppSecCharlie
application security person with an interest in music, AI, and digital art
Joined September 2019
49 Following 3 Followers

🚀@github can now leverage @MSFTCopilot to auto-magically fix your code if there are any breaking changes introduced by a @dependabot update.
only supports #typescript for now but this will be huge
github.blog/changelog/2024…
#appsec #cybersecurity #githubuniverse2024

very interesting conversation from @lexfridman and the @cursor_ai team about the tools we use to write code, how to best incorporate AI, and the future of programming more generally.
youtube.com/watch?v=oFfVt3…
#AI #githubcopilot #vscode

AppSec Charlie retweeted

* Unauthenticated RCE vs all GNU/Linux systems (plus others) disclosed 3 weeks ago.
* Full disclosure happening in less than 2 weeks (as agreed with devs).
* Still no CVE assigned (there should be at least 3, possibly 4, ideally 6).
* Still no working fix.
* Canonical, RedHat and others have confirmed the severity, a 9.9, check screenshot.
* Devs are still arguing about whether or not some of the issues have a security impact.
I've spent the last 3 weeks of my sabbatical working full time on this research, reporting, coordination and so on with the sole purpose of helping and pretty much only got patronized because the devs just can't accept that their code is crap - responsible disclosure: no more.

AppSec Charlie retweeted

@Jr0dR87 Users can make themselves admin, password likely stored in plaintext, no validation on username/password (not checking for malicious input or that they meet requirements like password complexity). All running in debug mode so attackers get nice helpful error messages

@github build stuff, a lot. reading all the books and taking all the courses are useless if you don't practice solving real problems.

here's #PrintListener.. in example #1434 of why audio hackers are doing the most interesting work, how about using the sound of your finger on a touchscreen to reconstruct your fingerprint and bypass biometrics?
ndss-symposium.org/wp-content/upl…
#hacking #biometrics #cybersecurity






