Comments on DSHR's Blog: Securing The Software Supply Chain
(comment feed, last updated 2024-03-28T07:23:23.408-07:00; 24 comments, newest first)

David. (2020-12-30T15:26:00.287-08:00):

Via my friend Jim Gettys, we learn of a major milestone in the development of a truly reproducible build environment. Last June Jan Nieuwenhuizen posted <a href="https://guix.gnu.org/blog/2020/guix-further-reduces-bootstrap-seed-to-25/" rel="nofollow"><i>Guix Further Reduces Bootstrap Seed to 25%</i></a>. The TL;DR is:<br /><br />"GNU Mes is closely related to the Bootstrappable Builds project. Mes aims to create an entirely source-based bootstrapping path for the Guix System and other interested GNU/Linux distributions. The goal is to start from a minimal, easily inspectable binary (which should be readable as source) and bootstrap into something close to R6RS Scheme.<br /><br />Currently, Mes consists of a mutual self-hosting scheme interpreter and C compiler. It also implements a C library. Mes, the scheme interpreter, is written in about 5,000 lines of code of simple C. MesCC, the C compiler, is written in scheme. Together, Mes and MesCC can compile a lightly patched TinyCC that is self-hosting. Using this TinyCC and the Mes C library, it is possible to bootstrap the entire Guix System for i686-linux and x86_64-linux."<br /><br />The binary they plan to start from is:<br /><br />"Our next target will be a third reduction by ~50%; the Full-Source bootstrap will replace the MesCC-Tools and GNU Mes binaries by <a href="https://savannah.nongnu.org/projects/stage0" rel="nofollow">Stage0</a> and <a href="https://github.com/oriansj/m2-planet" rel="nofollow">M2-Planet</a>.<br /><br />The Stage0 project by Jeremiah Orians starts everything from ~512 bytes; virtually nothing. Have a look at this incredible project if you haven’t already done so."<br /><br />In mid-November <a href="https://twitter.com/janneke_gnu/status/1328080032800137224?s=03" rel="nofollow">Nieuwenhuizen tweeted</a>:<br /><br />"We just compiled the first working program using a Reduced Binary Seed bootstrap'ped*) TinyCC for ARM"<br /><br />And on December 21 he <a href="https://twitter.com/janneke_gnu/status/1340966741023846402" rel="nofollow">tweeted</a>:<br /><br />"The Reduced Binary Seed bootstrap is coming to ARM: Tiny C builds on @GuixHPC wip-arm-bootstrap branch"<br /><br />Starting from a working TinyCC, you can build the current compiler chain.

David. (2020-07-29T16:56:52.644-07:00):

Bruce Schneier's <a href="https://www.schneier.com/blog/archives/2020/07/survey_of_suppl.html" rel="nofollow"><i>Survey of Supply Chain Attacks</i></a> starts:<br /><br />"The Atlantic Council has released a <a href="https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/" rel="nofollow">report</a> that looks at the history of computer supply chain attacks."<br /><br />The Atlantic Council also has a <a href="https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/" rel="nofollow">summary of the report</a> entitled <i>Breaking trust: Shades of crisis across an insecure software supply chain</i>:<br /><br />"Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires more coherent policy response together industry and open source communities. This report profiles 115 attacks and disclosures against the software supply chain from the past decade to highlight the need for action and presents recommendations to both raise the cost of these attacks and limit their harm."

David. (2020-05-30T07:37:46.745-07:00):

Marc Ohm <i>et al</i> analyze supply chain attacks via open source packages in three repositories in <a href="https://arxiv.org/pdf/2005.09535.pdf" rel="nofollow"><i>Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks</i></a>:<br /><br />"This paper presents a dataset of 174 malicious software packages that were used in real-world attacks on open source software supply chains, and which were distributed via the popular package repositories npm, PyPI, and RubyGems. Those packages, dating from November 2015 to November 2019, were manually collected and analyzed. The paper also presents two general attack trees to provide a structured overview about techniques to inject malicious code into the dependency tree of downstream users, and to execute such code at different times and under different conditions."

David. (2020-02-20T17:23:55.298-08:00):

<a href="https://www.zdnet.com/article/five-years-after-the-equation-group-hdd-hacks-firmware-security-still-sucks/" rel="nofollow"><i>Five years after the Equation Group HDD hacks, firmware security still sucks</i></a> by Catalin Cimpanu illustrates how far disk drive firmware security is ahead of the rest of the device firmware world:<br /><br />"In 2015, security researchers from Kaspersky discovered a novel type of malware that nobody else had seen before until then.<br /><br />The malware, <a href="https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/" rel="nofollow">known as NLS_933.dll</a>, had the ability to rewrite HDD firmware for a dozen of HDD brands to plant persistent backdoors. Kaspersky said the malware was used in attacks against systems all over the world.<br /><br />Kaspersky researchers claimed the malware was developed by a hacker group known as the Equation Group, a codename that was later associated with the US National Security Agency (NSA).<br /><br />Knowing that the NSA was spying on their customers led many HDD and SSD vendors to improve the security of their firmware, Eclypsium said.<br /><br />However, five years since the Equation Group's HDD implants were found in the wild and introduced the hardware industry to the power of firmware hacking, Eclypsium says vendors have only partially addressed this problem.<br /><br />"After the disclosure of the Equation Group's drive implants, many HDD and SSD vendors made changes to ensure their components would only accept valid firmware. However, many of the other peripheral components have yet to follow suit," researchers said."

David. (2019-10-18T11:55:29.216-07:00):

Catalin Cimpanu's <a href="https://www.zdnet.com/article/hacking-20-high-profile-dev-accounts-could-compromise-half-of-the-npm-ecosystem/" rel="nofollow"><i>Hacking 20 high-profile dev accounts could compromise half of the npm ecosystem</i></a> is based on <a href="https://www.usenix.org/system/files/sec19-zimmermann.pdf" rel="nofollow"><i>Small World with High Risks: A Study of Security Threats in the npm Ecosystem</i></a> by Markus Zimmermann <i>et al</i>:<br /><br />"Their goal was to get an idea of how hacking one or more npm maintainer accounts, or how vulnerabilities in one or more packages, reverberated across the npm ecosystem; along with the critical mass needed to cause security incidents inside tens of thousands of npm projects at a time.<br />...<br />the normal npm JavaScript package has an abnormally large number of dependencies -- with a package loading 79 third-party packages from 39 different maintainers, on average.<br /><br />This number is lower for popular packages, which only rely on code from 20 other maintainers, on average, but the research team found that some popular npm packages (600) relied on code written by more than 100 maintainers.<br />...<br />"391 highly influential maintainers affect more than 10,000 packages, making them prime targets for attacks," the research team said. "If an attacker manages to compromise the account of any of the 391 most influential maintainers, the community will experience a serious security incident."<br /><br />Furthermore, in a worst-case scenario where multiple maintainers collude, or a hacker gains access to a large number of accounts, the Darmstadt team said that it only takes access to 20 popular npm maintainer accounts to deploy malicious code impacting more than half of the npm ecosystem."

David. (2019-08-21T16:43:03.371-07:00):

Dan Goodin's <a href="https://arstechnica.com/information-technology/2019/08/the-year-long-rash-of-supply-chain-attacks-against-open-source-is-getting-worse/" rel="nofollow"><i>The year-long rash of supply chain attacks against open source is getting worse</i></a> is a useful overview of the recent incidents pointing to the need for verifiable logs and reproducible builds. And, of course, for requiring developers to use multi-factor authentication.

David. (2019-07-03T16:40:07.687-07:00):

<a href="https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem" rel="nofollow"><i>Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem</i></a> by Lorenzo Franceschi-Bicchierai reports on an attack on two of the core PGP developers, Robert J. Hansen and Daniel Kahn Gillmor:<br /><br />"Last week, contributors to the PGP protocol GnuPG noticed that someone was “poisoning” or “flooding” their certificates. In this case, poisoning refers to an attack where someone spams a certificate with a large number of signatures or certifications. This makes it impossible for the PGP software that people use to verify its authenticity, which can make the software unusable or break. In practice, according to one of the GnuPG developers targeted by this attack, the hackers could make it impossible for people using Linux to download updates, which are verified via PGP."<br /><br />The problem lies in the SKS keyserver:<br /><br />"the SKS software was written in an obscure language by a PhD student for his thesis. And because of that, according to Hansen, “there is literally no one in the keyserver community who feels qualified to do a serious overhaul on the codebase.”<br /><br />In other words, these attacks are here to stay."

David. (2019-05-04T09:55:51.874-07:00):

Andy Greenberg's <a href="https://arstechnica.com/information-technology/2019/05/a-mysterious-hacker-gang-is-on-a-supply-chain-hacking-spree/" rel="nofollow"><i>A mysterious hacker gang is on a supply-chain hacking spree</i></a> ties various software supply chain attacks together and attributes them:<br /><br />"Over the past three years, supply-chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. The group is known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply-chain attacks as its core tool. Its attacks all follow a similar pattern: seed out infections to a massive collection of victims, then sort through them to find espionage targets."

David. (2019-05-02T09:43:04.603-07:00):

David A. Wheeler reports on another <a href="https://dwheeler.com/essays/bootstrap-sass-subversion.html" rel="nofollow"><i>not-very-successful software supply chain attack</i></a>:<br /><br />"A <a href="https://snyk.io/blog/malicious-remote-code-execution-backdoor-discovered-in-the-popular-bootstrap-sass-ruby-gem/" rel="nofollow">malicious backdoor has been found in the popular open source software library bootstrap-sass</a>. This was done by someone who created an unauthorized updated version of the software on the RubyGems software hosting site. The good news is that it was <a href="https://lwn.net/Articles/785386/" rel="nofollow">quickly detected (within the day) and updated</a>, and that limited the impact of this subversion. The backdoored version (3.2.0.3) was only downloaded 1,477 times. For comparison, as of April 2019 the previous version in that branch (3.2.0.2) was downloaded 1.2 million times, and the following version 3.2.0.4 (which duplicated 3.2.0.2) was downloaded 1,700 times (that’s more than the subverted version!). So it is likely that almost all subverted systems have already been fixed."<br /><br />Wheeler has three lessons from this:<br /><br />1. Maintainers need 2FA.<br />2. Don't update your dependencies in the same day they're released.<br />3. <a href="https://reproducible-builds.org/" rel="nofollow">Reproducible builds</a>!

David. (2019-04-27T13:56:36.357-07:00):

<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3372669" rel="nofollow"><i>Who Owns Huawei?</i></a> by Christopher Balding and Donald C. Clarke concludes that:<br /><br />"Huawei calls itself “employee-owned,” but this claim is questionable, and the corporate structure described on its website is misleading."

David. (2019-04-23T17:45:09.459-07:00):

It turns out that <a href="https://www.bleepingcomputer.com/news/security/shadowhammer-targets-multiple-companies-asus-just-one-of-them/" rel="nofollow"><i>ShadowHammer Targets Multiple Companies, ASUS Just One of Them</i></a>:<br /><br />"ASUS was not the only company targeted by supply-chain attacks during the ShadowHammer hacking operation as discovered by Kaspersky, with at least six other organizations having been infiltrated by the attackers.<br /><br />As further found out by Kaspersky's security researchers, ASUS' supply chain was successfully compromised by trojanizing one of the company's notebook software updaters named ASUS Live Updater which eventually was downloaded and installed on the computers of tens of thousands of customers according to experts' estimations."

David. (2019-04-06T07:20:31.198-07:00):

The latest software supply chain attack victim is <a href="https://www.cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/" rel="nofollow">bootstrap-sass via RubyGems</a>, with about 28M downloads.

David. (2019-03-28T13:29:54.606-07:00):

Sean Gallagher's <a href="https://arstechnica.com/information-technology/2019/03/uk-cyber-security-officials-report-huaweis-security-practices-are-a-mess/" rel="nofollow"><i>UK cyber security officials report Huawei’s security practices are a mess</i></a> reports on the <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf" rel="nofollow">latest report from the HCSEC Oversight Board</a>. They still can't do reproducible builds:<br /><br />"HCSEC reported that the software build process used by Huawei results in inconsistencies between software images. In other words, products ship with software with widely varying fingerprints, so it’s impossible to determine whether the code is the same based on checksums."<br /><br />Which isn't a surprise, <a href="https://www.theguardian.com/technology/2019/feb/06/huawei-security-issues-will-take-five-years-to-fix-firm-tells-commons" rel="nofollow">Huawei already said it'd take another 5 years</a>. But I'd be more concerned that:<br /><br />"One major problem cited by the report is that a large portion of Huawei’s network gear still relies on version 5.5 of Wind River’s VxWorks real-time operating system (RTOS), <a href="http://blogs.windriver.com/wind_river_blog/2018/07/vxworks-past-and-future.html" rel="nofollow">which has reached its “end of life” and will soon no longer be supported</a>. Huawei has bought a premium long-term support license from VxWorks, but that support runs out in 2020."<br /><br />And Huawei is rolling its own RTOS based on Linux. What could possibly go wrong?

David. (2019-03-25T10:21:32.585-07:00):

Kim Zetter's <a href="https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers" rel="nofollow"><i>Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers</i></a> is an excellent example of a software supply chain attack:<br /><br />"Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says."

David. (2019-03-15T08:24:28.665-07:00):

Gareth Corfield's <a href="https://www.theregister.co.uk/2019/03/13/checkpoint_adware_downloads/" rel="nofollow"><i>Just Android things: 150m phones, gadgets installed 'adware-ridden' mobe simulator games</i></a> reports on a very successful software supply chain attack:<br /><br />"Android adware found its way into as many as 150 million devices – after it was stashed inside a large number of those bizarre viral mundane job simulation games, we're told.<br />...<br />Although researchers believed that the titles were legitimate, they said they thought the devs were “scammed” into using a “malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer.”

David. (2019-02-23T14:29:19.100-08:00):

In <a href="https://www.eff.org/deeplinks/2019/02/cyber-mercenary-groups-shouldnt-be-trusted-your-browser-or-anywhere-else" rel="nofollow"><i>Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else</i></a>, the EFF's Cooper Quintin describes the latest example showing why Certificate Authorities can't be trusted:<br /><br />"DarkMatter, the notorious cyber-mercenary firm based in the United Arab Emirates, is seeking to become approved as a top-level certificate authority in Mozilla’s root certificate program. Giving such a trusted position to this company would be a very bad idea. DarkMatter has a business interest in subverting encryption, and would be able to potentially decrypt any HTTPS traffic they intercepted. One of the things HTTPS is good at is protecting your private communications from snooping governments—and when governments want to snoop, they regularly hire DarkMatter to do their dirty work.<br />...<br />DarkMatter was already given an "intermediate" certificate by another company, called QuoVadis, now owned by DigiCert. That's bad enough, but the "intermediate" authority at least comes with ostensible oversight by DigiCert."<br /><br />Hat tip to <a href="https://boingboing.net/2019/02/22/my-voice-is-my-passport-2.html" rel="nofollow">Cory Doctorow</a>.

David. (2019-02-06T19:17:43.445-08:00):

Huawei says fixing "the deficiencies in the underlying build and compilation process" in its carrier products will <a href="https://www.theguardian.com/technology/2019/feb/06/huawei-security-issues-will-take-five-years-to-fix-firm-tells-commons" rel="nofollow">take five years</a>.

David. (2019-01-31T08:47:49.830-08:00):

The <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/727415/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf" rel="nofollow">fourth annual report for the National Security Adviser from the Huawei Cyber Security Evaluation Centre Oversight Board</a> in the UK is interesting. The Centre has access to the source code for Huawei products, and is working with Huawei to make the builds reproducible:<br /><br />"3.15 HCSEC have worked with Huawei R&D to try to correct the deficiencies in the underlying build and compilation process for these four products. This has taken significant effort from all sides and has resulted in a single product that can be built repeatedly from source to the General Availability (GA) version as distributed. This particular build has yet to be deployed by any UK operator, but we expect deployment by UK operators in the future, as part of their normal network release cycle. The remaining three products from the pilot are expected to be made commercially available in 2018H1, with each having reproducible binaries."

David. (2019-01-21T06:20:51.285-08:00):

<a href="https://www.zdnet.com/article/popular-wordpress-plugin-hacked-by-angry-former-employee/" rel="nofollow"><i>Popular WordPress plugin hacked by angry former employee</i></a> is like the event-stream hack in that no amount of transparency would have prevented it. The disgruntled perpetrator apparently had valid credentials for the official source of the software:<br /><br />"The plugin in question is <a href="https://wpml.org/" rel="nofollow">WPML</a> (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages.<br /><br />According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn't need to advertise itself with a free version on the official WordPress.org plugins repository."

David. (2018-12-27T11:53:43.658-08:00):

Catalin Cimpanu's <a href="https://www.zdnet.com/article/users-report-losing-bitcoin-in-clever-hack-of-electrum-wallets/" rel="nofollow"><i>Users report losing Bitcoin in clever hack of Electrum wallets</i></a> describes a software supply chain attack that started around 21st December and netted around $750K "worth" of BTC.

David. (2018-12-24T08:29:37.043-08:00):

I regret not citing John Leyden's <a href="https://www.theregister.co.uk/2018/09/25/open_source_security/" rel="nofollow"><i>Open-source software supply chain vulns have doubled in 12 months</i></a> to illustrate the scope of the problem:<br /><br />"Miscreants have even started to inject (or mainline) vulnerabilities directly into open source projects, according to Sonatype, which cited 11 recent examples of this type of malfeasance in its study.<br /><br />El Reg has reported on several such incidents including a <a href="https://www.theregister.co.uk/2018/07/12/npm_eslint/" rel="nofollow">code hack</a> on open-source utility eslint-scope back in July."<br /><br />and:<br /><br />"organisations are still downloading vulnerable versions of the Apache Struts framework at much the same rate as before the Equifax data breach, at around 80,000 downloads per month.<br /><br />Downloads of buggy versions of another popular web application framework called Spring were also little changed since a September 2017 vulnerability, Sonatype added. The 85,000 average in September 2017 has declined only 15 per cent to 72,000 over the last 12 months."

David. (2018-12-22T15:47:56.657-08:00):

I really should have pointed out that this whole post is about software that is <i>installed</i> on your device. These days, much of the software that runs on your device is not installed, it is delivered via ad networks and runs inside your browser. As blissex wrote in <a href="http://blog.dshr.org/2017/09/web-drm-enables-innovative-business.html?showComment=1508358199672#c8289190784291053547" rel="nofollow">this comment</a>, we are living:<br /><br />"in an age in which every browser gifts a free-to-use, unlimited-usage, fast VM to every visited web site, and these VMs can boot and run quite responsive 3D games or Linux distributions"<br /><br />Ad blockers, essential equipment in this age, merely reduce the incidence of malware delivered via ad networks. <a href="https://medium.com/@brannondorsey/browser-as-botnet-or-the-coming-war-on-your-web-browser-be920c4f718" rel="nofollow">Brannon Dorsey's fascinating experiments in malvertising</a> are described by <a href="https://boingboing.net/2018/01/17/ad-networks-let-you-easily-and.html" rel="nofollow">Cory Doctorow thus</a>:<br /><br />"Anyone can make an account, create an ad with god-knows-what Javascript in it, then pay to have the network serve that ad up to thousands of browser. ... Within about three hours, his code (experimental, not malicious, apart from surreptitiously chewing up processing resources) was running on 117,852 web browsers, on 30,234 unique IP addresses. Adtech, it turns out, is a superb vector for injecting malware around the planet.<br /><br />Some other fun details: Dorsey found that when people loaded his ad, they left the tab open an average of 15 minutes. That gave him huge amounts of compute time -- 327 full days, in fact, for about $15 in ad purchase."

David. (2018-12-18T16:10:18.067-08:00):

Thanks for correcting my fused neurons, Bryan!

Anonymous (2018-12-18T13:58:59.650-08:00):

Nit: in the last bullet point, I think you mean "Bloomberg", not "Motherboard".
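Editor's worked example for the npm "maintainer reach" figures quoted in the 2019-10-18 comment above. This is added code, not from any of the comments, from the Zimmermann <i>et al</i> paper, or from npm; it reimplements, in simplified form, the two measures the study reports: the packages transitively affected when one maintainer account is compromised, and the smallest set of accounts an attacker needs to reach a given share of the ecosystem (found by greedy set cover). The package names, dependency edges and maintainer assignments are a constructed toy registry.

```python
"""Maintainer-reach analysis over a constructed npm-style dependency graph.

Editor's added example: not code from the comments above, from the
Zimmermann et al. study, or from npm. It reimplements in simplified form
the study's two measures: the packages transitively affected when one
maintainer account is compromised, and the smallest set of accounts an
attacker needs to reach a given share of the ecosystem (greedy set cover).
It resolves dependencies by name only; real npm resolves semver ranges, and
a pinned lockfile would not pull a fresh malicious release automatically.
"""
from collections import defaultdict

# Constructed toy registry: package -> direct dependencies (names only).
DEPS = {
    "webapp": ["framework", "logger"],
    "api": ["framework", "db-client"],
    "cli": ["logger", "argparse-lite"],
    "framework": ["util-strings", "util-async"],
    "db-client": ["util-async"],
    "logger": ["util-strings"],
    "argparse-lite": [],
    "util-strings": [],
    "util-async": ["tiny-queue"],
    "tiny-queue": [],
}

# Constructed publishing rights: package -> accounts that can publish it.
MAINTAINERS = {
    "webapp": ["alice"],
    "api": ["bob"],
    "cli": ["carol"],
    "framework": ["dave", "erin"],
    "db-client": ["bob"],
    "logger": ["frank"],
    "argparse-lite": ["carol"],
    "util-strings": ["grace"],
    "util-async": ["grace"],
    "tiny-queue": ["heidi"],
}


def reverse_graph(deps):
    """Return package -> set of packages that depend on it directly."""
    dependents = {pkg: set() for pkg in deps}
    for pkg, direct in deps.items():
        for d in direct:
            dependents.setdefault(d, set()).add(pkg)
    return dependents


def package_reach(pkg, dependents):
    """Packages that transitively depend on pkg (pkg itself excluded).

    A malicious release of pkg would be installed by every one of them on
    their next unpinned install; this is the study's 'package reach'."""
    seen, stack = set(), [pkg]
    while stack:
        for dep in dependents.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def maintainer_reach(deps, maintainers):
    """account -> packages affected if that account is compromised.

    Everything the account can publish, plus everything transitively
    depending on those packages; this is the study's 'maintainer reach'."""
    dependents = reverse_graph(deps)
    reach = defaultdict(set)
    for pkg, owners in maintainers.items():
        affected = {pkg} | package_reach(pkg, dependents)
        for owner in owners:
            reach[owner] |= affected
    return dict(reach)


def accounts_to_reach(deps, maintainers, fraction):
    """Greedy set cover: accounts to compromise, in order, until at least
    `fraction` of all packages is affected. Returns (accounts, covered).
    Greedy only approximates the optimal set, but it gives a usable
    estimate on a graph of registry size."""
    reach = maintainer_reach(deps, maintainers)
    target = fraction * len(deps)
    chosen, covered = [], set()
    while len(covered) < target:
        candidates = sorted(a for a in reach if a not in chosen)
        if not candidates:
            break
        # max() keeps the first of equal gains, so ties resolve alphabetically.
        best = max(candidates, key=lambda a: len(reach[a] - covered))
        if not reach[best] - covered:
            break
        chosen.append(best)
        covered |= reach[best]
    return chosen, covered


if __name__ == "__main__":
    ranked = sorted(maintainer_reach(DEPS, MAINTAINERS).items(),
                    key=lambda kv: -len(kv[1]))
    for account, pkgs in ranked:
        print(f"{account:6s} reaches {len(pkgs):2d}/{len(DEPS)}: {sorted(pkgs)}")
    accounts, covered = accounts_to_reach(DEPS, MAINTAINERS, 0.5)
    print(f"accounts needed for half the registry: {accounts}")
```

On this toy graph a single account (the one publishing the two leaf utilities everybody depends on) reaches 8 of 10 packages, which is the shape of the real finding: reach concentrates in a few low-level maintainers, not in the authors of the popular top-level packages. Two caveats for anyone running this over real registry metadata: reach by name overstates exposure where dependents pin exact versions or resolve a range that excludes the malicious release, and the lag before a new release is adopted (Wheeler's second lesson above) is the window in which a poisoned version is found before it lands downstream.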