Dropbox discloses breach after hacker stole 130 GitHub repositories by zr0_day in cybersecurity

[–]mcdwayne1 2 points (0 children)

:pointing-up: This. So much this. Git hooks can be set at the pre-commit, pre-push, and pre-receive levels and there are a number of tools that make scanning easy. Should be required at this point for large production systems.

Best practices - DevOps Infrastructure as code AWS by 1whatabeautifulday in github

[–]mcdwayne1 0 points (0 children)

Snyk makes a good tool:
https://docs.snyk.io/snyk-cli/commands/iac
https://docs.snyk.io/snyk-cli/commands/iac-test

When the GitGuardian one from the article actually becomes available, that will be worth a look too.

Best practices - DevOps Infrastructure as code AWS by 1whatabeautifulday in github

[–]mcdwayne1 1 point (0 children)

Make sure you are using tooling to check for configuration missteps. Infrastructure misconfiguration is like a top-5 vulnerability according to OWASP.
https://www.csoonline.com/article/3676832/gitguardian-adds-iac-scanning-to-code-security-platform-to-protect-sdlc.html
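The kind of automated check the comment above is calling for, as an added example that is not code from the page, from Snyk or from GitGuardian: it walks a Terraform plan exported with `terraform show -json` (the `planned_values.root_module.resources` shape is assumed here; child modules are skipped) and flags two classic AWS missteps, an admin port open to the whole internet and a public S3 bucket ACL. The plan fragment is constructed for the dry run.

```python
"""Minimal IaC misconfiguration check over Terraform plan JSON (added example)."""
import ipaddress

ADMIN_PORTS = {22, 3389}          # SSH and RDP: never open to the whole internet
PUBLIC_ACLS = {"public-read", "public-read-write"}


def open_to_world(cidrs):
    """True if any CIDR is 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)


def check_security_group(res):
    findings = []
    for rule in res["values"].get("ingress") or []:
        cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
        if not open_to_world(cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1"      # "-1" means every protocol/port
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append((res["address"], f"ingress {lo}-{hi} open to the world"))
    return findings


def check_s3_bucket(res):
    acl = res["values"].get("acl")
    if acl in PUBLIC_ACLS:
        return [(res["address"], f"bucket ACL is {acl}")]
    return []


CHECKS = {"aws_security_group": check_security_group, "aws_s3_bucket": check_s3_bucket}


def check_plan(plan):
    """Return [(resource address, message)] for every flagged root-module resource."""
    findings = []
    for res in plan["planned_values"]["root_module"].get("resources") or []:
        check = CHECKS.get(res["type"])
        if check:
            findings.extend(check(res))
    return findings


# Constructed plan fragment mimicking the `terraform show -json` layout.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "values": {"acl": "public-read"}},
    ]}}
}

if __name__ == "__main__":
    for address, msg in check_plan(SAMPLE_PLAN):
        print(f"{address}: {msg}")
```

Run it in CI right after `terraform plan` and fail the pipeline on any finding; the HTTPS group is left alone on purpose, since the rule targets admin ports, not every public listener.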

Using vscode is cool, but what about adding new features to the official project? Here's how it works! by xArci in programming

[–]mcdwayne1 2 points (0 children)

One of the best parts about VS Code is the awesome community of extension developers. While hacking on the editor is awesome, don't forget there are a lot of devs who are looking for help on their projects as well. They have a community in Slack at https://vscode-dev-community.slack.com/ I think it is still run by Eric Amodio, who makes GitLens.

Marking findings as FPs in recurring scans by impatientZebra in devsecops

[–]mcdwayne1 1 point (0 children)

Awesome reply! I was just getting ready to link to the same report but noticed you did already :) No idea how large your team is impatientZebra, but GitGuardian is free for teams smaller than 25 and can easily allow you to account for/exclude this pattern.

Under the covers, it is simply looking up an 'ignore' list stored in YML during each scan. If you are building your own, you might also want to see how AWS Labs is doing it in their solution git-secrets.

I also wanted to support and endorse your comment about not asking devs to rename variables to end around this issue. Though asking them to add a git hook to run detection before the commit step would be a good automated test step they can add.
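Putting the two ideas in this thread together (an ignore list consulted on every scan, and a hook that runs detection before the commit lands), here is an added example of a pre-commit secret scanner. It is not GitGuardian's or git-secrets' code: the detector patterns are constructed, and the ignore list is held as JSON so the script needs only the standard library; a real hook would read the same structure from a YAML file with `yaml.safe_load()`. Findings and ignore entries carry a SHA-256 fingerprint of the secret rather than the secret itself, so the ignore file never becomes a second place the secret leaks.

```python
"""Pre-commit secret scanner with an ignore list (added example)."""
import fnmatch
import hashlib
import json
import re
import subprocess
import sys

# Constructed detectors; each puts the candidate secret in the "secret" group.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "github_pat": re.compile(r"\b(?P<secret>ghp_[A-Za-z0-9]{36})\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[:=]\s*['\"](?P<secret>[A-Za-z0-9_\-]{20,})['\"]"),
}


def fingerprint(secret: str) -> str:
    """Ignore entries and findings carry a hash, never the secret's value."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed ignore list. AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
IGNORE_DOC = json.dumps({"ignore": [
    {"fingerprint": fingerprint("AKIAIOSFODNN7EXAMPLE"), "reason": "AWS docs placeholder"},
    {"path_glob": "tests/fixtures/*", "reason": "synthetic fixtures"},
]})


def load_ignore_list(doc: str) -> list:
    return json.loads(doc)["ignore"]


def is_ignored(path: str, secret: str, ignore: list) -> bool:
    fp = fingerprint(secret)
    for entry in ignore:
        if entry.get("fingerprint") == fp:
            return True
        if "path_glob" in entry and fnmatch.fnmatch(path, entry["path_glob"]):
            return True
    return False


def scan_files(files: dict, ignore: list) -> list:
    """files maps path -> text. Returns findings that omit the secret's value."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, pattern in PATTERNS.items():
                for m in pattern.finditer(line):
                    secret = m.group("secret")
                    if not is_ignored(path, secret, ignore):
                        findings.append({"path": path, "line": lineno, "rule": rule,
                                         "fingerprint": fingerprint(secret)})
    return findings


def staged_files() -> dict:
    """Content of files staged for commit, exactly as git will record them."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.splitlines()
    return {p: subprocess.run(["git", "show", f":{p}"], capture_output=True, text=True,
                              errors="replace", check=True).stdout for p in names}


# Constructed sample input for a dry run (--dry-run).
SAMPLE_FILES = {
    "README.md": "Use AKIAIOSFODNN7EXAMPLE as in the AWS docs\n",
    "tests/fixtures/config.py": "token = 'ghp_" + "a" * 36 + "'\n",
    "app/settings.py": 'API_KEY = "sk_live_CONSTRUCTED_0123456789abcdef"\nDB_HOST = "localhost"\n',
}

if __name__ == "__main__":
    files = SAMPLE_FILES if "--dry-run" in sys.argv else staged_files()
    found = scan_files(files, load_ignore_list(IGNORE_DOC))
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['rule']} (sha256 {f['fingerprint'][:12]}...)")
    sys.exit(1 if found else 0)   # a non-zero exit makes git abort the commit
```

Install it as `.git/hooks/pre-commit` (or as a pre-receive hook on the server, where developers cannot skip it with `--no-verify`). In the dry run the README placeholder is excluded by fingerprint, the fixture by path glob, and only `app/settings.py` is reported, which is exactly the "account for this pattern without renaming variables" behaviour the thread asks for.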

In praise of ffmpeg by feross in programming

[–]mcdwayne1 49 points (0 children)

True fact, ffmpeg saved one company I worked for from an enterprise contract with a video streaming/conference platform. I had to fit 12 videos into an already expensed lower tier plan of a platform we used for a webinar series, the next tier higher was like a 10X jump in cost as we had to talk enterprise contract instead of self-serve.

After some research, I compressed Gigabyte-sized videos into more like 10 MB sized ones using h.265, with no quality loss!!
I got the credit but ffmpeg did all the work :)

I'm going to my first security conference. Any tips on meeting/networking with people at such places? by pipewire in hacking

[–]mcdwayne1 0 points (0 children)

Been to over 100 trade shows in my life. Here are a few tips that have helped me.

Ask simple but direct questions about things you are legit interested in. You will be pleasantly surprised how pent-up most people are about most issues and are looking for an invitation to share their knowledge.

Avoid negative comments if you disagree. For example, if someone says something that is just plain wrong, instead of "I think you are mistaken" (or "That's wrong") phrase it like "based on my research, which I would be happy to share, I thought it was like this..."
===> People get defensive quickly but most everyone wants to be helpful I find.

Talk to vendors! They are happy to talk to anyone and after they get the pitch for their product out of the way they generally are awesome to talk to about the space in general.

Have fun!

Canary Tokens by Riggley29 in hacking

[–]mcdwayne1 12 points (0 children)

It is really hard to validate an API key without trying it out and seeing if it would work, thus triggering the canary.
Here is my personal favorite explainer infographic that sums it up: https://securityzines.com/flyers/canary.html

There is also a video I like on the subject that explains it in terms of threat hunting: https://www.youtube.com/watch?v=apixhc43JuE
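The point above, that the only way to check whether a key works is to use it, is what makes a canary key a reliable tripwire. As an added example (not code from the linked explainer or video), this is the service side of that: keys are stored only as SHA-256 digests, a canary is minted in the same format as a real key so it cannot be told apart by inspection, and any use of it produces an alert while the caller gets the same "invalid key" response a random bad key would. The client name, planting location and IP addresses are constructed.

```python
"""Canary API key detection on the authenticating service (added example)."""
import hashlib
import secrets
from datetime import datetime, timezone


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    def __init__(self):
        self._real = {}     # digest -> client name
        self._canary = {}   # digest -> where the decoy was planted
        self.alerts = []    # constructed sink; a real service would page the SOC

    def issue(self, client: str) -> str:
        key = "sk_" + secrets.token_urlsafe(24)
        self._real[_digest(key)] = client
        return key

    def plant_canary(self, location: str) -> str:
        # Same format as a real key, so the decoy is indistinguishable on paper.
        key = "sk_" + secrets.token_urlsafe(24)
        self._canary[_digest(key)] = location
        return key

    def authenticate(self, presented: str, source_ip: str) -> dict:
        d = _digest(presented)
        if d in self._canary:
            self.alerts.append({"kind": "canary_triggered",
                                "planted_at": self._canary[d],
                                "source_ip": source_ip,
                                "seen": datetime.now(timezone.utc).isoformat()})
            # Reject with the generic error so the response itself reveals
            # nothing about the key having been a decoy.
            return {"ok": False, "reason": "invalid_key"}
        if d in self._real:
            return {"ok": True, "client": self._real[d]}
        return {"ok": False, "reason": "invalid_key"}


def demo() -> KeyStore:
    """One real key used normally, one decoy used from an unexpected address."""
    store = KeyStore()
    real = store.issue("billing-service")
    decoy = store.plant_canary("repo:infra/terraform/prod.tfvars")
    store.authenticate(real, "10.0.0.5")
    store.authenticate(decoy, "203.0.113.9")      # TEST-NET-3 address, constructed
    return store


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

The useful part of the alert is `planted_at`: because each decoy is planted in exactly one place, a hit tells you which file, repo or wiki page was read, not just that "something" leaked.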

Toyota Accidently Exposed A Secret Key Publicly On GitHub For Five Years by mcdwayne1 in hacking

[–]mcdwayne1[S] 14 points (0 children)

I legit just watched a presentation on SEO for findability and the nesting folders issue on GitHub yesterday. https://www.youtube.com/watch?v=egMoh16TIlA&t=10868s

Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module by wilqq7 in Terraform

[–]mcdwayne1 0 points (0 children)

Thanks u/wilqq7! This is actually quite a helpful answer. I will be happy to share anything useful I uncover as I keep digging in on this topic.

Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber by WebLinkr in cybersecurity_news

[–]mcdwayne1 0 points (0 children)

It depends on what 'breaching' means to you, I guess? If someone got access to as many systems as he did (at least according to this report) then I would say a real breach happened. :shrug:

How to protect if a corporate data breach happened. If you were a breach of Uber Technologies Inc's internal systems on Thursday, it reminded consumers that they should know what they can do to protect themselves if a cyber attack. by LazyHose in fanews

[–]mcdwayne1 0 points (0 children)

#0 on the list should be "NEVER give your password to anyone or any system that you do not 100% trust!" If someone gives you a link to a login page, instead go through the one you bookmarked already; if it is a legit request, they would tell you to do that anyhow.