DevTestSecOps
#hack #Okta again!? https://sec.okta.com/harfiles
#hack #way
A good example of a suspected security breach report from !#1password
They suspected that something was going on in their #Okta account, i.e. all sorts of internal admin and helpdesk stuff.
A member of the IT team handled Okta support and, at their request, created a HAR file from Chrome Dev Tools and uploaded it to the Okta support portal. This HAR file contains a record of all traffic between the browser and Okta's servers, including sensitive information such as session cookies. In the early morning hours of Friday, September 29, an unknown attacker used the same Okta session used to create the HAR file to access the Okta administration portal and attempted the following:
- Attempted to access an IT employee's user dashboard, but the attempt was blocked by the Okta system.
- Updated the existing IDP tied to our Google production environment.
- Activated the IDP.
- Requested an admin user report.
The last action on this list resulted in an alert email being sent to a member of the IT team, which of course resulted in a quick response.
More details:
https://blog.1password.com/files/okta-incident/okta-incident-report.pdf
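The report above turns on one detail: a HAR file is a full capture of browser traffic, so the `Cookie`, `Set-Cookie` and `Authorization` headers (and the parallel `cookies` arrays) inside it are live credentials for whoever receives the file. The following is an added example, not code from 1Password, Okta or this channel: a small Python sanitizer that first lists every credential-bearing header and cookie in a HAR file and then produces a redacted copy suitable for handing to a support desk. The sample HAR, the hostname and the cookie values are constructed for the example; the header list is an assumption and should be extended for any vendor-specific token headers in use.

```python
import copy
import json

REDACTED = "[REDACTED]"

# Header names whose values carry credentials or session state
# (assumed list; extend it with any vendor-specific token headers).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed sample HAR 1.2 document; only the fields the sanitizer touches
# are present. Hostname and values are made up.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "def456"}],
                },
            },
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.invalid/api/v1/apps",
                    "headers": [{"name": "Authorization", "value": "Bearer eyJ.constructed.token"}],
                    "cookies": [],
                },
                "response": {"status": 200, "headers": [], "cookies": []},
            },
        ],
    }
}


def _iter_sections(har):
    """Yield (entry_index, location, item_list) for every header and cookie list."""
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            yield i, f"{side}.headers", part.get("headers", [])
            yield i, f"{side}.cookies", part.get("cookies", [])


def _is_sensitive(location, item):
    # Every entry in a cookies[] array is session state; headers are matched by name.
    if location.endswith(".cookies"):
        return True
    return item.get("name", "").lower() in SENSITIVE_HEADERS


def find_sensitive(har):
    """Return (entry_index, location, name) for each value that would leak."""
    findings = []
    for i, location, items in _iter_sections(har):
        for item in items:
            if item.get("value") == REDACTED:
                continue  # already sanitized
            if _is_sensitive(location, item):
                findings.append((i, location, item.get("name")))
    return findings


def sanitize_har(har):
    """Return a deep copy of the HAR with credential values replaced."""
    clean = copy.deepcopy(har)
    for _, location, items in _iter_sections(clean):
        for item in items:
            if _is_sensitive(location, item):
                item["value"] = REDACTED
    return clean


if __name__ == "__main__":
    for finding in find_sensitive(SAMPLE_HAR):
        print("would leak:", finding)
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Run against a real export, `find_sensitive` is the pre-upload check (the list should be reviewed, not just counted) and `sanitize_har` is what gets uploaded. Two caveats: response bodies and query strings can also echo tokens and are not touched here, and redaction does not undo the fact that the capture was made; the session that produced the file should be treated as exposed and signed out regardless.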
How to understand that it's time for you to move on from #testing, and what are the possible development paths after Senior and QA leads:
https://www.thequalityduck.co.uk/is-it-time-you-moved-on-from-quality-engineering/
The Quality Duck - Engineering Leadership with a side of Quality Evangelism
Is It Time For You To Move On from Quality Engineering?
Feel like you've reached your career limit in Quality Engineering? You aren't alone! Read this blog for insights into options for what's next!
#programming #time
Old but gold (on a neighboring project at work, serious bugs just surfaced because of the switch to winter time):
https://infiniteundo.com/post/25326999628/falsehoods-programmers-believe-about-time
Tumblr
Falsehoods programmers believe about time
Over the past couple of years [I have spent a lot of time][checklist] debugging other engineers' test code. This was interesting work, occasionally frustrating but always informative. One might not...
#hack #FlipperZero vs #iPhones
When it was up for pre-order I wasn't able to order one, and I regret it a bit. 😏
https://arstechnica.com/security/2023/11/flipper-zero-gadget-that-doses-iphones-takes-once-esoteric-attacks-mainstream/
Ars Technica
This tiny device is sending updated iPhones into a never-ending DoS loop
No cure yet for a popular iPhone attack, except for turning off Bluetooth.
#programming #Rust
#Rust #way
Found the original - the quote is taken from here:
A few years ago, I dropped everything to focus 100% on WebAssembly. At the time, Rust had the best support for compiling into WebAssembly, and the most full-featured WebAssembly runtimes were Rust-based. Rust was the best option on the menu. I jumped in, eager to see what all the hype was about.
Since then, I (along with some other awesome people) built Wick, an application framework and runtime that uses WebAssembly as its core module system.
Wick was the primary target of our Rust experimentation
After three years, multiple production deployments, an ebook, and ~100 packages deployed on crates.io, I feel it’s time to share some thoughts on Rust:
https://jsoverson.medium.com/was-rust-worth-it-f43d171fb1b3
Medium
Was Rust Worth It?
From JavaScript to Rust, three years in.
#hack
If you are using any version of #Confluence, it is a good idea to back up all your data immediately. A vulnerability has been discovered that allows an attacker to modify and delete page and file content. Not only cloud instances are vulnerable, but also those hosted in users' own data centers:
https://arstechnica.com/security/2023/11/critical-vulnerability-in-atlassian-confluence-server-is-under-mass-exploitation/
Ars Technica
Critical vulnerability in Atlassian Confluence server is under “mass exploitation”
Atlassian's senior management is all but begging customers to take immediate action.
#programming #date At first I didn't understand, and then when I did!.. 🤪
And yes, maybe some of you haven't seen Sam Hughes' excellent and global checklist on calendar reform:
https://qntm.org/calendar
qntm.org
You advocate a ________ approach to calendar reform
You advocate a
( ) solar ( ) lunar ( ) atomic
approach to calendar reform. Your idea will not work. Here is why:
( ) solar years are real and the calendar year needs to sync with them
( ) solar days are real and the calendar day needs to sync…
#Okta is telling customers that hackers who breached its network stole information on all users of its customer support system, which is significantly more than the previously reported “less than 1% of users.” Yes, read carefully, it wasn't “user base” that was increased, it was “customer support user base”, but that's still a lot. 🤨
https://www.bloomberg.com/news/articles/2023-11-29/okta-says-hackers-stole-data-for-all-customer-support-users
Bloomberg.com
Okta Says Hackers Stole Data for All Customer Support Users
Okta Inc. has discovered that hackers who breached its network two months ago stole information on all users of its customer support system — a scope far greater than the 1% of customers the company had previously said were affected.
Fresh #hack: #ChatGPT can generate sequences memorized from its training data using a very trivial attack. You tell the bot to “say the word * as many times as possible”. And, at some point in the repetition, ChatGPT starts to produce something very similar to the original data from the training sample:
https://stackdiary.com/chatgpts-training-data-can-be-exposed-via-a-divergence-attack/
Stack Diary
ChatGPT's training data can be exposed via a "divergence attack"
This article delves into a recent comprehensive study examining the extent of data memorization in various language models, including open-source, semi-open, and closed models like ChatGPT.
#ChatGPT solved the problem in a fantastic way: asking the AI to say something “forever” is now a violation of the user agreement. 😅
Again, at the system level it is not easy to solve this problem at all.
https://www.404media.co/asking-chatgpt-to-repeat-words-forever-is-now-a-terms-of-service-violation/
404 Media
Asking ChatGPT to Repeat Words ‘Forever’ Is Now a Terms of Service Violation
A technique used by Google researchers to reveal ChatGPT training data is now banned by OpenAI.