
José Miguel Parrella (JMP)
1.8K posts

José Miguel Parrella (JMP)
@bureado
Working on 🐧 and open source software
Joined June 2007
708 Following 2.3K Followers

@jonmasters Casually stumbled upon the JA4L_b use case from blog.foxio.io/ja4%2B-network… -> github.com/FoxIO-LLC/ja4/…

@glcrzdev @kelseyhightower Some food for thought in research.swtch.com/nih#reflections

@kelseyhightower What's the solution though? In order to keep building modern software in the way we've been doing it, it seems we have to accept there's gonna be vulns like the xz-utils backdoor every once in a while - many of which we won't find.

@brunoborges Adding machine-readable EOL annotations, but no one might be listening, and that’s why yanking the image might still be game.

@markrussinovich mark it said do not share this email
José Miguel Parrella (JMP) reposted

The ntp package has been replaced by ntpsec. The Debian default for the system clock is now systemd-timesyncd. We also include chrony and openntpd. #ReleasingDebianBookworm #Debian12 #Debian dlvr.it/SqTyhy
José Miguel Parrella (JMP) reposted

Live demoing how to use @OpenPolicyAgent Gatekeeper external data feature together with Ratify to validate license and vulnerabilities on app deployment. @jrrickard
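As an added illustration of the flow the demo above describes (example code written for this page, not the demo's own and not code from the Ratify or Gatekeeper projects): the Rego body of a Gatekeeper ConstraintTemplate that hands every container image in an admitted object to an external data provider and rejects the admission when the provider reports a failure. The `external_data` builtin and the `responses`, `errors` and `system_error` fields of its result are Gatekeeper's external data API; the provider name `ratify-provider` and the `isSuccess` field inside each response value are assumptions about how the Ratify provider is registered and what it returns.

```rego
package k8sratifyverification

# Added example: deny admission when the external data provider reports
# that an image fails verification (e.g. license or vulnerability checks
# performed on the provider side, as in the demo).
violation[{"msg": msg}] {
  # Collect images from regular and init containers of the admitted Pod spec.
  # A missing initContainers field simply yields an empty list.
  images := [img | img = input.review.object.spec.containers[_].image]
  init_images := [img | img = input.review.object.spec.initContainers[_].image]
  all_images := array.concat(images, init_images)
  count(all_images) > 0

  # Ask the provider to verify each image. The provider name is assumed;
  # it must match the Provider resource registered with Gatekeeper.
  response := external_data({"provider": "ratify-provider", "keys": all_images})
  response_with_error(response)
  msg := sprintf("image verification failed: %v", [response])
}

# Gatekeeper could not reach the provider or could not parse its reply.
response_with_error(response) {
  count(response.system_error) > 0
}

# The provider returned per-key errors.
response_with_error(response) {
  count(response.errors) > 0
}

# The provider answered, but reported a failed verification for some image.
# `isSuccess` is assumed to be the field the Ratify provider sets per key;
# response.responses is a list of [key, value] pairs.
response_with_error(response) {
  some i
  response.responses[i][1].isSuccess == false
}
```

The failure modes are deliberately split: a provider outage (`system_error`) denies admission just like a genuine verification failure, which is the fail-closed behaviour you want for a supply-chain gate but also means a down provider blocks all deployments matched by the constraint. Gatekeeper only exposes `external_data` when the external data feature is enabled on the controller, so check that before debugging an "undefined function" error.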

@phenobarbital I think more or less the same. But the truth is we don't know whether they support them or not, or whether they themselves are contributing, right? At least so far I haven't even found out which package it is, but I may be behind on the news 😜

During the pandemic, the sole developer of a Python package I was using died; I had to adopt it and maintain it until another enthusiast forked it and has since improved it.
But a *billion-dollar company* blames an open-source library without even supporting its creator

Sam Altman@sama
we had a significant issue in ChatGPT due to a bug in an open source library, for which a fix has now been released and we have just finished validating. a small percentage of users were able to see the titles of other users’ conversation history. we feel awful about this.

@hlalvesbr @brunoborges This is what I thought, too. There are plenty of tools that check if the templates are valid, but few that check if they are consistent with architecture or business goals.

Oh no..
> the utility enables validation of SBOMs against derivative, "customized" schemas
CycloneDX SBOM Spec (OWASP)@CycloneDX_Spec
Today we are announcing the immediate availability of two new open source projects, contributed by @IBM, that advance software supply chain security. Thanks Priti Desai, Mark Sturdevant, and Matt Rutkowski. cyclonedx.org/news/ibm-contr… #SBOM #OWASP #SoftwareSupplyChain

@arkadiyt Here are some examples: cyclonedx.org/capabilities/ but when it comes to the SCA comparison I think most people are thinking of omnibor.io and wiki.debian.org/ReproducibleBu…. The specs (and even things like SARIF) have room for a lot of specialized semantics.

@lorenc_dan "It's supposed to be much more than SCA"
Can you give some examples? What do you think SBOM will be doing in the future?
Even insofar as new functionality is added it still feels like an extension of SCA to me - a rebranding to sell products like @travismcpeak mentioned

📢 We have a winner! @bureado guessed the project:
Bodhi from @fedora (sourcegraph.com/github.com/fed…)
Answer: twitter.com/bureado/status…
Great work! Expect a DM soon with a link to the free hoodie.
Justin Dorfman@jdorfman
Guess the open source project, and you'll win a Hoodie.
José Miguel Parrella (JMP) reposted

🎉🎉🎉 So excited to see this land. It's been great collaborating with @OCI_ORG on getting the specs updated to facilitate the storage and distribution of signatures, SBOMs and software supply chain security artifacts. Try it out today on ACR techcommunity.microsoft.com/t5/apps-on-azu…

@scovetta @jeffwilcox Leading to interesting reads like arxiv.org/pdf/2106.09898… and mail-archive.com/users@spamassassin.apache.org/msg107560.html. Thanks for the prompt.
José Miguel Parrella (JMP) reposted

ORAS 0.15 has evolved into a fully functional OCI registry client. It provides fine-grained capabilities to alter the content of @OCI_ORG supply chain artifacts. Check out this blog by @FeynmanZhou and Yi to learn how to convert a Docker image to an OCI image:
oras.land/blog/oras-0.15…

José Miguel Parrella (JMP) reposted

This MIT CS class teaches you things that all the other classes don't teach you, like...
🖥️ Shell tools and scripting
🖥️ Vim
🖥️ Data wrangling
🖥️ Command-line environment
🖥️ Version control
Watch all 11 lectures for free here: bit.ly/MissSemester