I build and secure things. The DevOps guy, turned VP Eng. Infrastructure as Code all the things!
#devops #aws #identity #security
I mostly observe, but learn so much from all of you.
| Website | https://lukewaite.ca |

@merill Maester has always been on my #todo list so I thought I would give it a try after seeing this…
I went and specifically looked for this test result, and it shows as attached. Does this mean I'm running an older version with less verbose errors, or that something is broken in the testing itself?
Another day, another CloudFlare thing. Trying to submit an abuse report on a phishing domain that they are providing services to. No way to report without also sending the report to the owner of the website.
What even is the point?
Hello Mr Bad Actor? I've done a bunch of work to track down and try to report your malicious website, which doesn't even load without tracking parameters from the originating phishing email, here is a report please don't do it again.
Somebody sent this blog my way today so I had a dig into it for a few hours. https://medium.com/@amitassaraf/the-story-of-extensiontotal-how-we-hacked-the-vscode-marketplace-5c6e66a0e9d7
Yes, Amit is right. Visual Studio Marketplace is a clusterfuck.
- anybody can verify themselves using just a domain name
- anybody can set any display name
- extensions allow RCE, no sandboxing or limits at all
- full access to developer + build
- anybody can link any GitHub repo, even if it has nothing to do with the extension
- I've already found malware - backdoors, beacons etc etc
30 minutes. 30 minutes is how long it took us to develop, publish, and polish a Visual Studio Code (The most popular IDE on the planet with over 15m monthly users) extension that changes your IDE's…