This week Jonathan and Rob chat with Paulus Schoutsen about Home Assistant, ESPHome, and Music Assistant, all under the umbrella of the Open Home Foundation. Watch to see Paulus convince Rob and Jonathan that they need to step up their home automation games!
Continue reading “FLOSS Weekly Episode 848: Open The Podbay Doors, Siri”
Hardly a week goes by that there isn’t a story to cover about malware getting published to a repository. Last week it was millions of downloads on NPM, but this week it’s something much more concerning. Malware published on NPM is now looking for NPM tokens, and propagating to other NPM packages when found. Yes, it’s a worm, jumping from one NPM package to another, via installs on developer machines.
It does other things too, like grabbing all the secrets it can find when installed on a machine. If the compromised machine has access to a Github account, a new repo is created named Shai-Hulud, borrowed from the name of the sandworms from Dune. The collected secrets and machine info gets uploaded here, and a workflow also uploads any available GitHub secrets to the webhook.site domain.
How many packages are we talking about? At least 187, with some reports of over 500 packages compromised. The immediate attack has been contained, as NPM has worked to remove the compromised packages, and apparently has added filtering code that blocks the upload of compromised packages.
So far there hasn’t been an official statement on the worm from NPM or its parent companies, GitHub or Microsoft. Malicious packages uploaded to NPM is definitely nothing new. But this is the first time we’ve seen a worm that specializes in NPM packages. It’s not a good step for the trustworthiness of NPM or the direct package distribution model.
This week Jonathan and Rob chat with Tom Herbert about XDP2! It’s the brand new framework for making networking really fast, making parsers really simple, and making hardware network acceleration actually useful with Linux.
Continue reading “FLOSS Weekly Episode 847: This Is Networking”
Two billion downloads per week. That’s the download totals for the NPM packages compromised in a supply-chain attack this week. Ninety-nine percent of the cloud depends on one of the packages, and one-in-ten cloud environments actually included malicious code as a result of the hack. Take a moment to ponder that. In a rough estimate, ten percent of the Internet was pwned by a single attack.
What extremely sophisticated technique was used to pull off such an attack? A convincing-looking phishing email sent from the newly registered npmjs.help domain. [qix] is the single developer of many of these packages, and in the midst of a stressful week, fell for the scam. We could refer to the obligatory XKCD 2347 here. It’s a significant problem with the NPM model that a single developer falling for a phishing email can expose the entire Internet to such risk. Continue reading “This Week In Security: NPM, Kerbroasting, And The Rest Of The Story”
This week Jonathan and Dan chat with Frank Vasquez and Chris Simmonds about Embedded Linux, and the 4th edition of the Mastering Embedded Linux Programming book. How has this space changed in the last 20 years, and what’s the latest in Embedded Linux?
Continue reading “FLOSS Weekly Episode 846: Mastering Embedded Linux Programming”
Something rather significant happened on the Internet back in May, and it seems that someone only noticed it on September 3rd. [Youfu Zhang] dropped a note on one of the Mozilla security mailing lists, pointing out that there was a certificate issued by Fina for 1.1.1.1. That IP address may sound familiar, and you may have questions.
First off, yes, TLS certificates can be issued for IP addresses. You can even get a numeric TLS certificate for your IP address, via Lets Encrypt. And second, 1.1.1.1 sounds familiar because that’s CloudFlare’s public DNS resolver. On that address, Cloudflare notably makes use of DoH, a charming abbreviation for DNS over HTTPS. The last important detail is that Cloudflare didn’t request or authorize the certificate. Significant indeed.
This is a high-profile example of the major weakness of the TLS certificate system. There are over 300 trusted certificate authorities in the Microsoft Root Certificate Program, Financijska agencija (Fina) being one of them. All it takes is for one of those trusted roots to issue a bad certificate, to compromise that system. That it took four months for someone to discover and point out the problem isn’t great. Continue reading “This Week In Security: DNS Oops, Novel C2s, And The Scam Becomes Real”
This week Jonathan and Randal talk Flutter and Dart! Is Google killing Flutter? What’s the challenge Randal sees in training new senior developers, and what’s the solution? Listen to find out!
Continue reading “FLOSS Weekly Episode 845: The Sticky Spaghetti Gauge”
