Tag: security
Scrutineer: scanning open source without flooding maintainers
Finding the vulnerabilities is the easy part
Joint Guidance on Vulnerability Naming and Disclosure
Every named CVE now ships with a single-page site at .vuln.
Self-hosting email the hard way from your own routable IPv4 block up
How we refreshed self-hosted Recoil email with our own RIPE-allocated IPv4 block, and deployed Postfix/rspamd/Dovecot to get full SPF/DKIM/DMARC deliverability.
Install-script allowlists
A survey of install-script allowlist mechanisms across package managers and language ecosystems.
gittuf - a signed log for git refs
Branch protection is a row in someone else's database
Skills Registry Threat Models
How long until we see a CVE filed against a markdown file?
Composer's dependency policies
uBlock Origin for composer install
Android app WebView hijacking via MITM
Stealing user logins by hijacking a vulnerable webview implementation in a mobile app
Cloudflare for Families DNS resolver and miscategorisation
today iain learned: How to report a miscategorisation of a site/domain in the Cloudflare for Families DNS resolver service.
GitHub Actions security in Python packages
Thank you Dr. Zizmor
Signing is for the bad days
TUF, in-toto, and Sigstore only look pointless while nothing is on fire
Securing Sensitive Payload Logging in API Connect
Experimental DTLS Support in Node.js
An experimental implementation of the DTLS protocol is coming to Node.js, bringing TLS-equivalent security to datagram-based communication over UDP.
Language Registries Are Unstable by Default
apt install -t unstable, but make it your whole personality
Mythos and Legends
Not a Security Issue
How curl's disclosure policy filtered an AI scanner's findings at source
The Mismeasure of Open Source
The streetlight effect in project-health scoring
Weekend at Bernie's
Which of your dependencies are wearing sunglasses
Revisiting the 2015 Open Source Census
The riskiest projects in open source, scored a decade early
Package Manager Threat Models
The non-CVE half of package manager security
ECCL Login Refactor
Package Manager CWEs
Recurring weakness classes in package managers
Patching and forking in package managers
What to do when upstream ghosts you
GitHub Actions is the weakest link
Anne Robinson would like a word with .github/workflows
'Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them'
This keeps happening.
The stages of package installation
Denial, anger, bargaining, depression, acceptance, postinstall.
brief
A knowledge base of project conventions, exposed as a CLI.
Promoting use of fine-grained PATs
Package Security Defenses for AI Agents
Lockfiles, sandboxes, and cooldown timers.
Package Security Problems for AI Agents
Packages all the way down, agents all the way up.
The Internet needs an antibotty immune system, stat
Anthropic's Mythos makes autonomous vulnerability chaining across devices a sudden reality, so I've been thinking about how digital 'antibotty' inoculation networks may be needed far sooner than I expected.
The Cathedral and the Catacombs
Stretching a metaphor deep into the floor.
npm's Defaults Are Bad
The npm client's default settings are a root cause of JavaScript's recurring supply chain security problems.
Finding XSS via indirect prompt injection
A short writeup of finding a stored XSS vulnerability in an AI powered writing app
'Security Analysis of the Official White House iOS App'
It's exactly what you'd expect.
signal desktop's encryption is per-user, not per-app (on Windows)
Electron's safeStorage uses DPAPI on Windows, which means any process running as your user can decrypt Signal's database. on macOS, Keychain actually isolates per-app.
Reviewing ENISA's Package Manager Advisory
Notes on ENISA's Technical Advisory for Secure Use of Package Managers.