I have heavily invested in a local-runner-based CI/CD workflow. First I was using gogs and drone, now the forgejo and woodpecker CI forks.
It runs with multiple redundancies because it's a pretty easy setup to replicate on decentralized hardware. The only thing that's a little painful is authentication and cross-system pull requests, so we still need our single point of failure to merge feature branches and do code reviews.
Due to us building everything in Go, we also decided to always have a /toolchain/build.go so that we have everything in a single language and don't even need bash in our CI/CD podman/docker images. We just use FROM scratch, with go, and that's it. The only exception is when we need to compile/rebuild our eBPF kernel modules.
To me, personally, the Github Actions CVE from August 2024 was the final nail in the coffin. I blogged about it in more technical detail [1], and guess what the reason was that the TJ actions were compromised last week? Yep, you guessed right: the same attack surface that Github refuses to fix, a year later.
The only tool, as far as I know, that somehow validates against these kinds of vulnerabilities is zizmor [2]. All other tools validate schemas, not vulnerabilities and weaknesses.
My years using Concourse were a dream compared to the CI/CD pains of trying to make github actions work (which I fortunately didn't have to do a lot of). Add that to the list of options for people who want open source and their own runners.
One of the very few CI platforms that I've heard spoken well of was a big shared Concourse instance where the entire pipeline was predefined. You added some scripts named by convention to your project to do the right thing at each step, and it all just worked for you. Keeping it running was the job of a specific team.
Did they finally actually say how the tj actions repo got compromised? When I was fixing that shit on Saturday it was still 'we don't know how they got access!?!?'
(I'm assuming you read my technical article about the problem)
If you take a look at the pull requests in e.g. the changed-files repo, it's pretty obvious what happened. You can still see some of the malformed git branch names and other things that the bots tried out. There were lots of "fixes" that just changed environment variable names from PAT_TOKEN to GITHUB_TOKEN and similar things afterwards, which kind of just delays the problem until malware is executed with a different code again.
As a snarky sidenote: The Wiz article about it is pretty useless as a forensics report, I expected much more from them. [1]
The conceptual issue is that this is not fixable unless github decides to rewrite their whole CI/CD pipeline, because of the arbitrary data sources that are exposed as variables in the yaml files.
The proper way to fix this (as Github) would be to implement a mandatory linter step or similar, and let a tool like zizmor check the file for the workflow. If it fails, refuse to do the workflow run.
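The check the comment above asks Github to make mandatory is, at its core, a search for untrusted expression contexts that land inside a `run:` script, where the runner pastes the raw value into the shell source before the shell parses it. The following is an added example, not code from the commenter, from zizmor or from Github: a small Python scanner over workflow text that reports such expansions and stays silent for the usual mitigation of routing the value through `env:` and reading it as `"$VAR"`. The list of untrusted contexts and both sample workflows are constructed for the example.

```python
import re
from typing import List, Tuple

# Expression contexts whose value an outside contributor controls (PR/issue
# titles and bodies, comment text, branch names, commit messages). This list
# is an assumption for the example, modelled on what Github's docs describe
# as untrusted input; extend it for your own threat model.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.commits",      # e.g. github.event.commits[0].message
    "github.event.head_commit",  # e.g. github.event.head_commit.author.name
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY_RE = re.compile(r"(-\s+)?run:\s*(.*)$")


def is_untrusted(expr: str) -> bool:
    """True if the expression reads an untrusted context or one of its sub-fields."""
    return any(
        expr == ctx or expr.startswith(ctx + ".") or expr.startswith(ctx + "[")
        for ctx in UNTRUSTED_CONTEXTS
    )


def scan_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, expression) for every untrusted expression expanded
    inside a `run:` step. Expressions in `env:` values are not reported: there
    the value ends up in an environment variable and the shell never parses it."""
    findings = []
    in_run, run_indent = False, -1
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and stripped and indent <= run_indent:
            in_run = False  # block scalar ended at a less-indented key
        if in_run:
            findings += [(lineno, e) for e in EXPR_RE.findall(line) if is_untrusted(e)]
            continue
        m = RUN_KEY_RE.match(stripped)
        if not m:
            continue
        key_indent = indent + len(m.group(1) or "")  # account for a leading "- "
        rest = m.group(2)
        if rest[:1] in ("|", ">"):  # block scalar: the script follows on later lines
            in_run, run_indent = True, key_indent
        else:  # inline script on the same line
            findings += [(lineno, e) for e in EXPR_RE.findall(rest) if is_untrusted(e)]
    return findings


# Constructed sample: PR title and head branch name become shell source.
VULNERABLE_WORKFLOW = """\
name: greet
on: [pull_request_target]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
      - name: Fetch head
        run: |
          git fetch origin "${{ github.head_ref }}"
          echo "opened by ${{ github.actor }}"
"""

# Constructed sample: same steps, values passed through env and quoted.
HARDENED_WORKFLOW = """\
name: greet
on: [pull_request_target]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $TITLE"
      - name: Fetch head
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: |
          git fetch origin "$HEAD_REF"
          echo "opened by ${{ github.actor }}"
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan_workflow(wf))
```

The scanner is deliberately line-based rather than a full YAML parse, so it also works on files a strict YAML loader would reject; a real linter like zizmor parses the document and additionally reasons about triggers such as `pull_request_target`, which this example does not.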
I can recommend "minitube" [1]. It's super minimalistic, and requires you to actively search for things to find them. No ads, no feeds, no short videos, nothing - just playlists for search terms. Uses yt-dlp and mpv behind the scenes, so it's using less than 5% CPU on my small Intel NUC machine, too.
I can't stress enough how it is soooo much better in terms of what type of content I consume now. Mr-Beast-cutting-style dumb videos don't stand a chance of getting my attention now.
Ironically, the author built it to be a children-safe environment to consume YouTube.
Because tracking is inherently an anti democratic thing.
See pretty much every lesson in history ever, from the Schutzstaffel of the Nazis, to worker unions being doxxed, to lobbyism.
Our democracy relies on private information being secret, and any one sided party having that information is able to rule over the other.
There's a reason why Putin is so successful when utilizing his FSB and SVR apparatus.
The "I don't have anything to hide" reasoning is bullshit, because you didn't post your email address's password publicly for everyone to see. Therefore, your reasoning is based on the assumption that you misinterpret what "everyone" vs. "some party you inherently trust" means.
Look at US politics, where 50% of the population now regrets having shared their medical data with doctors, because the current administration decided to prosecute past visits to the gynecologist if a woman decided to not be pregnant. Something that was not illegal in the past is now illegal, therefore data in itself is incriminating by default.
In the same vein, the founding of the US relied upon anonymity. The Federalist Papers, Common Sense, etc all had anonymous authors, the Fourth Amendment is in a way a response to general warrants used to persecute anonymous authors, etc.
I wanted to point out that when visiting those sites from Germany (nationalplant.com and the specializedmaintenance.com website) it shows the same unavailable geoblocked message. I wouldn't have recognized it but after opening both links in new tabs on my phone I thought I forgot to open one of the links in this thread and I double-checked it.
Are those fake companies both hosted on wordfence or something? What are the odds, huh?
I heavily recommend listening to the Alt Right Playbook series from Innuendo Studios. [1]
You have the right intent, but I think you're missing out on the game strategies at play. Personally, I decided to combat this war of misinformation in cyberspace rather than in mindspace.
The problem with their tactics is that they control the conversation, and that's the point. By controlling the narrative they control what's accepted (or pushed into being accepted) to talk about. They use bogus papers as proxies for their real intent, and are themselves actually not interested in a scientific or rational discussion.
It's a war about beliefs and emotions, not opinions and discussions.
Yeah most of the other regional terms I've never heard.
Around here we just call them Bodenwelle or Verkehrshürde but I haven't ever heard Bremsschwelle to be honest. The word sounds very strange to me and more like a bureaucratic term rather than a word people regularly use.
Speaking of which, I checked dejure for a Rechtsprechung (court ruling). It seems that Fahrbahnschwelle is the official term. [1]
In general, you can always visit the local CCC chapters. They usually have an open day for guests once a week that you can go to to meet them. If you're in Berlin, gotta visit the C-Base, the original spaceship :D
The T480 recently got rudimentary coreboot/libreboot support (which is somewhat incomplete because of Thunderbolt quirks as of today) but will hopefully be supported better in the future.
They are like 200 EUR on ebay for some 8GB RAM model where you can still replace the SODIMMs with 2x32GB ones.
Also use LUKS encryption, ecryptfs sucks and has a character limit of 122 characters per file, which happens more often than you might imagine.
Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were obfuscated Python bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used Discord, and you could see lots of different ranks of the Discord server, with the API tokens and PayPal IDs and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend has been way too long. Here are the links to the original article from only a couple days ago:
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: The pubhtml file of the google spreadsheet I have also on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a much less detailed manner than the original reddit post.
edit: updated my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
Careful with following these instructions, because the profile contains the user settings file. You are effectively nullifying LibreWolf's changes to the standard settings, which are there to disable Firefox's tracking/suggestion/analytics features.
Just make sure to diff them at least or migrate the parts you want to keep.
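One way to do the diff-and-migrate the comment above recommends, as an added example that is not part of the original comment or of LibreWolf: parse both pref lists from their `user_pref("name", value);` lines (the line format Firefox-family browsers use in prefs.js and user.js), report every setting the copied profile changes away from the hardened value, and emit a merged user.js in which the hardened values win. Which file holds LibreWolf's overrides on a given install is an assumption here; both pref lists below are constructed samples, although the pref names are real Firefox prefs.

```python
import re
from typing import Dict, List, Tuple

# One pref per line: user_pref("name", value);  (or pref(...) in config files).
# Values are kept as their source text: "true", "3", "\"Fira Code\"".
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.*?)\);\s*(?://.*)?$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Map pref name -> value text; comment and blank lines are ignored."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_overrides(hardened: Dict[str, str], profile: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Prefs the copied profile sets to a value that differs from the hardened one.
    Returns name -> (hardened_value, profile_value)."""
    return {
        name: (value, profile[name])
        for name, value in hardened.items()
        if name in profile and profile[name] != value
    }


def merge(hardened: Dict[str, str], profile: Dict[str, str]) -> List[str]:
    """Lines for a migrated user.js: profile prefs are kept, but on any
    conflict the hardened value replaces the profile's."""
    merged = dict(profile)
    merged.update(hardened)
    return [f'user_pref("{name}", {value});' for name, value in sorted(merged.items())]


# Constructed sample of the hardened (LibreWolf-style) settings.
HARDENED_PREFS = """\
user_pref("toolkit.telemetry.enabled", false);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("browser.urlbar.suggest.searches", false);
user_pref("privacy.resistFingerprinting", true);
"""

# Constructed sample of a prefs.js copied over from a stock Firefox profile.
COPIED_PROFILE_PREFS = """\
// Mozilla User Preferences
user_pref("toolkit.telemetry.enabled", true);
user_pref("browser.startup.page", 3);
user_pref("browser.urlbar.suggest.searches", true);
user_pref("font.name.monospace.x-western", "Fira Code");
"""

if __name__ == "__main__":
    hardened = parse_prefs(HARDENED_PREFS)
    profile = parse_prefs(COPIED_PROFILE_PREFS)
    for name, (want, got) in find_overrides(hardened, profile).items():
        print(f"profile overrides {name}: hardened={want} profile={got}")
    print("\n".join(merge(hardened, profile)))
```

The point of the merge direction is that the copied profile's user-set values survive only where they do not collide with a hardening pref; anything that would re-enable telemetry or suggestions is reported and reverted rather than silently carried over.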
So I did the same thing of installing Waterfox and copying the profile over. In Waterfox, the telemetry remains disabled and cannot be activated even if you want to - the use of an existing FF profile does not enable them. I verified this by going through a howtogeek page[1] and verifying the active settings.
[1] https://cookie.engineer/weblog/articles/malware-insights-git...
[2] https://github.com/woodruffw/zizmor