TL;DR version of lessons from the post:

1. Writing open source software can be very rewarding in ways you can’t predict
2. Be in it for the long haul
3. Ship it and ship regularly
4. Have broad, open-ended goals
5. If you care enough, you’ll find the time
6. No one cares about your unit test coverage
7. There’s no shame in marketing
8. Clear it with your employer
9. Foster community
10. Keep it enjoyable

Source: https://www.reddit.com/r/Python/comments/smta85/lessons_learned_from_my_10_year_open_source/

adversaries can attack the encoding of source code files to inject vulnerabilities

The trick is to use Unicode control characters to reorder tokens in source code at the encoding level.

cf. https://fr.wikipedia.org/wiki/Fichier_de_test_Eicar

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

FROM: https://sebsauvage.net/links/?0rGdAQ

Pour vous amuser à en créer en Python, avec fpdf2:

#!/usr/bin/env python3
# REQUIRE: pip install fpdf2 pdf417 qrcode
import fpdf, pdf417, qrcode
EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
pdf = fpdf.FPDF()
pdf.add_page()
pdf.set_font("Helvetica", size=30)
pdf.text(90, 20, "EICAR")
pdf.text(10, 60, "PDF-417:")
pdf.image(pdf417.render_image(pdf417.encode(EICAR)), x=10, y=60)
pdf.text(10, 140, "QRCode:")
pdf.image(qrcode.make(EICAR).get_image(), x=35, y=145)
pdf.output("eicar.pdf")

il est facile, en utilisant de multiples sites web, de deviner des numéros de carte bancaire valides, et de deviner également les dates d'expiration et le CVV (cryptogramme visuel).
Visiblement, le système VISA est sensible à ce genre d'attaque, mais pas MasterCard.
Le principe consiste à entrer le numéro de carte sur de multiples sites web, et d'essayer de commander

Source : https://sebsauvage.net/links/

What happens if malicious code is uploaded to npm under these names? Is it possible that some of PayPal’s internal projects will start defaulting to the new public packages instead of the private ones?

tl;dr: User countermeasures:

• Noreply-Email-Address: Every GitHub user should either use a dedicated commit email address or GitHub’s noreply-email-address service, also enabling the option to block accidental command line pushes.
• 2-Factor-Authentication: Every GitHub user should have 2-Factor-Authentication enabled
• Raise Awareness: it’s the duty of developers aware of this issue toinform their colleagues about it

sed -i "s/$real_email/$github_email/" /opt/*/.git/config

Usine hydro-électrique, génératrice diesel, système d’aération, métro, silo, haut fourneau, système de production de bio-gaz ou d’eau potable… Tout y passe. Autant, les VNC d’avant, ça ne pouvait pas trop faire de dégat sinon la compromission de la machine en question, autant là on parle de systèmes qui peuvent conduire à des morts…

Issue #2 is out !

Paged Out! is a new experimental (one article == one page) free magazine about programming (especially programming tricks!), hacking, security hacking, retro computers, modern computers, electronics, demoscene, and other similar topics.

Include a crazy prime Python quine ! (page 35) O.O

This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.

$ python3 -m zipfile -e overlap.zip .
Traceback (most recent call last):
...
__main__.BadZipFile: File name in directory 'B' and header b'A' differ.

How does a tiny repo cause git to run out of memory? The secret is that git de-duplicates “blobs” (which are used to store files) to make repositories smaller and allow using the same blob when a file remains unchanged between commits. Git also allows de-duplication of “tree” objects (which define the directory structure in a repository). git-bomb tries to make a billion files, however it only has 10 references to the file blob and only has 10 tree objects in all.

1. Input injection
2. Parsing XML
3. Assert statements
4. Timing attacks
5. A polluted site-packages or import path
6. Temporary files
7. Using yaml.load
8. Pickles
9. Using the system Python runtime and not patching it
10. Not patching your dependencies

We are left with A1, A4, A5 and A9 as somewhat relevant and a dozen of other attack vectors common app faces with no single mention.

Also : https://www.stackrox.com/post/2017/08/hardening-docker-containers-and-hosts-against-vulnerabilities-a-security-toolkit/

A very plausible scenario of credentials sniffer injected through npm dependency chain.
I loved the "I’d see it in your source on GitHub!" section : so scary and true.

Journalists watch out—you may be unintentionally revealing sources.

Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text

• HTTP/2
• TLS 1.3
• DOH: DNS over HTTP
• QUIC: a candidate replacement for the TCP protocol

  since Google has already deployed QUIC in the Chrome browser and on its sites, it already accounts for more than 7% of Internet traffic.

Also mention this creepy & fascinating attack : http://codebutler.com/firesheep

Canary tokens are a free, quick, painless way to help defenders discover they've been breached (by having attackers announce themselves.)

Embeddable in :

• fake URLs ending in .html, .js, .php...
• emails to detect if you are spied on
• files in the cloud
• as file watchs do detect spies on filesystems
• desktop.ini for Windows directories or zip files
• MSSQL & MYSQL
• Word / PDF documents
• a JS resource is used elsewhere

few realize how absolutely devastating and omnipresent this vulnerability can be

Pour vous donner un exemple de la vulnérabilité des outils comme la messagerie Outlook, en 2016, l’Annudef’ (l’annuaire du ministère de la Défense) a été téléchargé deux fois et on ne sait toujours pas par qui.

😲😱😩

1. XML internal entities
2. Billion laughs attack / quadratic blowup
3. XML external entity (XXE)