Rachel Rawlings

122 Followers
240 Following
35 Posts

Linux sysadmin pro, infosec amateur
Blue teamer with a red hot temper

If you have no public posts I will not accept your follow request. Don't take it personally, just engage.

General purpose, humor, politics, gaming account: @LinuxAndYarn -- if you're reading this because I posted the Orange County, Florida, censored books list, follow me there instead of here.

Alt text:
- Profile picture: My @EFF membership card from 1990, embossed with my name and member # 164
- Banner: a rainy dusk/nighttime streetscape from the game Dreamfall Chapters

I'm having trouble figuring out what kind of botnet has been hammering our web servers over the past week. Requests come in from tens of thousands of addresses, just once or twice each (and not getting blocked by fail2ban), with different browser strings (Chrome versions ranging from 24.0.1292.0 - 108.0.5163.147) and ridiculous cobbled-together paths like /about-us/1-2-3-to-the-zoo/the-tiny-seed/10-little-rubber-ducks/1-2-3-to-the-zoo/the-tiny-seed/the-nonsense-show/slowly-slowly-slowly-said-the-sloth/the-boastful-fisherman/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/the-boastful-fisherman/brown-bear-brown-bear-what-do-you-see/brown-bear-brown-bear-what-do-you-see/pancakes-pancakes/pancakes-pancakes/the-tiny-seed/pancakes-pancakes/pancakes-pancakes/slowly-slowly-slowly-said-the-sloth/the-tiny-seed

(I just put together a bunch of Eric Carle titles as an example. The actual paths are pasted together from valid paths on our server but in invalid order, with as many as 32 subdirectories.)

Has anyone else been seeing this and do you have an idea what's behind it?

#botnet #ddos #webscraping #infosec
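One way to triage the pattern described in this post from server logs, as an added example that is not part of the original post: it parses combined-format access log lines (constructed sample lines below), flags paths that are implausibly deep or that reuse a segment, and counts distinct source addresses, since a per-IP rate rule (fail2ban's, say) never fires when each address sends only one or two requests. The depth threshold of 8, the log format and the sample values are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:08:01:12 +0000] "GET /about-us/the-tiny-seed/pancakes-pancakes/the-tiny-seed/pancakes-pancakes/the-tiny-seed HTTP/1.1" 404 512 "-" "Mozilla/5.0 Chrome/24.0.1292.0"
198.51.100.23 - - [10/Jan/2024:08:01:13 +0000] "GET /about-us/the-tiny-seed HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Chrome/108.0.5163.147"
192.0.2.44 - - [10/Jan/2024:08:01:14 +0000] "GET /the-tiny-seed/pancakes-pancakes/brown-bear/pancakes-pancakes/brown-bear/brown-bear/the-tiny-seed HTTP/1.1" 404 512 "-" "Mozilla/5.0 Chrome/77.0.3865.90"
192.0.2.45 - - [10/Jan/2024:08:01:15 +0000] "GET /a/b/c/d/e/f/g/h/i?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0 Chrome/90.0.4430.93"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def path_shape(path):
    """Return (depth, repeated segments) for a request path, ignoring the query string."""
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    counts = Counter(segs)
    return len(segs), sorted(s for s, n in counts.items() if n > 1)

def is_stitched(path, max_depth=8):
    """A path is suspect if it is deeper than any real URL on the site (assumed threshold)
    or if the same segment appears more than once, as in pasted-together paths."""
    depth, repeated = path_shape(path)
    return depth > max_depth or bool(repeated)

def flag_lines(log_text, max_depth=8):
    """Parse log lines and return the requests whose path looks stitched together."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the scan
        if is_stitched(m["path"], max_depth):
            depth, repeated = path_shape(m["path"])
            hits.append({"ip": m["ip"], "path": m["path"], "depth": depth,
                         "repeated": repeated, "ua": m["ua"]})
    return hits

def campaign_summary(hits):
    """Distinct sources and UA strings: with one or two requests per address, the size
    of the source pool, not any single IP's rate, is the signal of a distributed crawl."""
    return {"requests": len(hits), "distinct_ips": len({h["ip"] for h in hits}),
            "distinct_uas": len({h["ua"] for h in hits})}
```

Pipe the flagged paths into a 404-based block list or a WAF rule on path depth rather than into an IP ban, which is what the one-request-per-address pattern is designed to evade.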

If you're impacted by the #Crowdstrike debacle, here's the latest tech alert with a workaround:

Okta originally said only one percent of customers were affected, now says the 99% were too.

https://www.bloomberg.com/news/articles/2023-11-29/okta-says-hackers-stole-data-for-all-customer-support-users

Okta Says Hackers Stole Data for All Customer Support Users

Okta Inc. has discovered that hackers who breached its network two months ago stole information on all users of its customer support system — a scope far greater than the 1% of customers the company had previously said were affected.

Bloomberg

I got a newsletter from #Fastly that I didn't remember subscribing to, possibly as a result of them being attached to a #SANS talk. (The first one appeared in my mailbox on October 26, so even I might remember something that recent.)

When I clicked the Unsubscribe link in the mail, the web page said "Fill out the form and we'll send you a link to edit your preferences."

So I went back to my email and reported them as #spam and blocked them.

"Don't be that guy," but for corporations.

The #WebP buffer overflow bug that caused all the major browsers to issue patches earlier this week (e.g. #Firefox 117.0.1) also affects applications built with Electron. #1Password issued an update today for their Mac build.

The CVE affects the underlying webp library, not just web browsers, so this will be an ongoing issue.

#CVE20234863

"Who uses #libwebp?
"There are a lot of applications that use libwebp to render WebP images, I already mentioned a few of them, but some of the others that I know include: #Affinity (the design software), #Gimp, Inkscape [not according to Martin Owens, see comment below], #LibreOffice, #Telegram, #Thunderbird (now patched), #ffmpeg, and many, many #Android applications as well as cross-platform apps built with #Flutter."

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/

Critical WebP bug: many apps, not just browsers, under threat

A significant vulnerability in the WebP Codec has been unearthed, prompting major browser vendors, including Google and Mozilla, to expedite the release

Stack Diary

No matter how good your encryption might be, a bad UI is a security hole.

Another damned good reason to use #jitsi: #zoom will now use your calls to train their #ml

https://stackdiary.com/zoom-terms-now-allow-training-ai-on-user-content-with-no-opt-out/

Zoom's updated Terms of Service permit training AI on user content without Opt-Out

Zoom Video Communications, Inc. recently updated its Terms of Service to encompass what some critics are calling a significant invasion of user privacy.

Stack Diary

#RedHat has declined to address #CVE202338403 (iperf3 integer overflow and heap corruption) in #RHEL for which an upstream patch has already been submitted.

"We commit to addressing Red Hat defined Critical and Important security issues. Security vulnerabilities with Low or Moderate severity will be addressed on demand when customer or other business requirements exist to do so." is a response indicative of corporate #Linux #enshittification.

https://gitlab.com/redhat/centos-stream/rpms/iperf3/-/merge_requests/5#note_1476867836

NIST hasn't yet scored it, but Debian calls it "serious". https://nvd.nist.gov/vuln/detail/CVE-2023-38403

Fixes CVE-2023-38403 - Resolves: rhbz#2223729 (!5) · Merge requests · Red Hat / centos-stream / rpms / iperf3 · GitLab

Summary of Changes Fixes CVE-2023-38403 Approved Development Ticket

GitLab

Good morning! This is your reminder that, even without a flute, #Lizzo always carries a set of pipes.
#NPR #TinyDeskConcert

https://www.youtube.com/watch?v=DFiLdByWIDY

Lizzo: NPR Music Tiny Desk Concert

YouTube

We've been hit by a massive DDoS attack. The site may not work as expected. We're working on mitigating the attack. Fastly are helping us. If in doubt, check status.mastodon.social for information.