News and Articles
WeAreDevelopers LIVE Data and Security Day is on Wednesday, 25/09/2024. Learn about OPC UA Updates, Best Practices for Using GitHub Secrets, Passwordless Web 1.5, Emerging AI Security Risks, Data Privacy in LLMs and get a chance to take part in the CODE100 finals next year.
Quite a few cool things this week. Interop 2025 wants your proposals, and Apple WebKit and Microsoft Edge are both on board. The State of HTML survey is also open.
Discord announced end-to-end encryption, whilst YouTube tries to embark on their turf with YouTube Communities. There are some changes to the OSCP exam, and the W3C proposes how to shape the secure Web. Australia's police managed to hack into ‘Ghost’, whilst Meta scraped Australian user accounts to train its AI. The CrowdStrike issue is also not over, with commentary casting monoculture as monofailure and reports from ex-employees stating that quality control was not part of their process. Meanwhile, Microsoft builds new Windows security features to prevent similar incidents. GitHub's Copilot Chat is now aware of security alerts and offers AI-powered fixes for code vulnerabilities, whilst GitHub Actions are vulnerable to typosquatting and many other attacks. Prompt injection can lead to agent hijacking, which is scary, as agents are the new hot thing. And talking of scary and worrying, Oracle co-founder Larry Ellison claimed that omnipresent AI cameras will ensure good behaviour; this dystopian idea is already reality in some places, and you can summarise surveillance video footage with AI. Other tech bigwigs do better, like the Craigslist founder pledging $100 million to boost U.S. cybersecurity. And there were reports of ChatGPT messaging users unprompted, you know, like the WOPR calling you back to end the game you started.
Code and Tools
Have you ever been bitten by Unicode, encountered Regex going wrong, wanted to learn Rust for fun and backdoo-rs, or OAuth from First Principles? You can also gain wisdom from Penetration Testing Notes or from a write-up of how to get people's personal information by prompt-injecting Microsoft Copilot. Or you could make a REST API typesafe with React Query and Zod.
Some tools for you:
- Redbird - a reverse proxy with Cluster, HTTP2, LetsEncrypt and Docker
- huntsman - Email enumerator, username generator, and context validator
- safe-stringify - object to JSON serialisation without circular references
- URL validation bypass cheat sheet - payloads that slip past URL allow-list checks (SSRF, CORS, open redirects)
- wush - transfer files and open shells over a P2P WireGuard connection
- StatiCrypt - encrypt and password protect HTML with in-browser decryption
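To show the kind of check the URL validation bypass cheat sheet is aimed at, here is an added example (not code from the newsletter or from the cheat sheet): a prefix-matching "validator" beside a parser-based one, run over a handful of constructed probe URLs. The host names are made up, and the probes are written to mirror the classic userinfo and subdomain tricks.

```javascript
// Added example: string-prefix URL "validation" versus a parser-based check.
// ALLOWED_HOST and every probe below are constructed for illustration.
const ALLOWED_HOST = 'api.example.com';

// Naive check: the kind of validator the bypass cheat sheet targets.
// It only asks whether the string *starts with* the trusted origin.
function isAllowedNaive(raw) {
  return raw.startsWith('https://' + ALLOWED_HOST);
}

// Stricter check: parse with the WHATWG URL parser (the one browsers and
// Node share), then compare the normalised components exactly.
function isAllowedStrict(raw) {
  let u;
  try {
    u = new URL(raw); // throws on input it cannot parse
  } catch {
    return false;
  }
  return (
    u.protocol === 'https:' &&
    u.hostname === ALLOWED_HOST && // exact host match, not prefix/substring
    u.username === '' &&           // refuse userinfo tricks outright
    u.password === ''
  );
}

// Constructed probes in the spirit of the cheat sheet.
const PROBES = [
  'https://api.example.com/v1/users',           // legitimate
  'HTTPS://API.EXAMPLE.COM/v1/users',           // scheme and host are case-insensitive
  'https://api.example.com@evil.example/',      // "trusted host" is really userinfo
  'https://api.example.com.evil.example/x',     // "trusted host" is a subdomain label
  'https://api.example.com:8443@evil.example/', // userinfo dressed up with a fake port
  'http://api.example.com/',                    // scheme downgrade
  'javascript:alert(1)',                        // not http(s) at all
];

// Runs both validators over the probes and reports the verdicts.
function compare(probes = PROBES) {
  return probes.map((raw) => ({
    raw,
    naive: isAllowedNaive(raw),
    strict: isAllowedStrict(raw),
  }));
}

for (const r of compare()) {
  const naive = r.naive ? 'PASS' : 'fail';
  const strict = r.strict ? 'PASS' : 'fail';
  console.log(`naive ${naive} | strict ${strict}  ${r.raw}`);
}
```

Three of the probes pass the naive check and fail the strict one: the two userinfo variants (the parser files everything before the last `@` under username/password, so the real host is `evil.example`) and the subdomain variant. The uppercase URL goes the other way: the naive check rejects a perfectly valid request, while the parser normalises scheme and host to lowercase. Comparing parsed components, rather than raw strings, is the point.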
Talks and Videos
Martina Kraus reminds us that XSS is still a thing, shows current trends and advanced XSS techniques and how to protect ourselves against them. Check it out.
Other videos and talk write-ups of note:
- Ali Yazdani - Real-world Threat Modeling (22m)
- Reinhard Kugler - A Hitchhikers Guide to Container Security - Car Edition (22m)
- Andrei Epure - How your .NET supply chain is open to attack - how to fix it (29m)
- Niels Tanis - 3rd party library security reviews with the OpenSSF Scorecard (26m)
- Sebastian Leuer - Programming secure C#/.NET Applications: Dos & Don'ts (34m)
Work and Jobs
Netcetera, TUM and AppliedAI are conducting a survey on how AI is transforming software development, and invite you to share your insights! Your participation will help us understand the impact of AI on the software development lifecycle and create valuable recommendations for developers and decision-makers. The survey covers key topics like AI's influence on development phases, collaboration, quality, and more. It takes about 15 minutes.
Salesforce admitted that its AI strategy will take jobs, Amazon tells workers to be in the office 5 days a week, and HackerNews discusses what that means for workers. Related articles are how to communicate tradeoffs so leaders will listen and how to lead teams when the house is on fire. In a pretty terrible move, a fake recruiter's coding tests infected applicants' computers with malware. And there are 10 Essential Techniques for teaching security in your company.
Procrastination Corner / Wonderful Weird Web
- Defrag - the game?
- Iceland encourages people to throw baby puffins off cliffs.
- The National Cryptologic School Television Center Catalog, 1991.
- "STINKY", the WiFi powered by a hidden Starlink dish on a US warship.
- PIXHELL gets info out via the noise generated by "singing pixels" on the screen.