
CramHacks Chronicles #47: Weekly Cybersecurity Newsletter!

Where are all the youth in open source?, Offline Malware Analysis Tool, GitHub's Dependency Graph, Hacker Summer Camp

🥳 Happy Monday! 🥳

I hope your week is off to a great start!

What if I told you this newsletter was entirely AI-generated? It's not, but sometimes I experiment to see how well GPT or similar does. With the right prompting, it can be pretty darn effective.

But believe it or not, I don't write this newsletter for you all 🤣. I write it to educate myself. I consume a ridiculous amount of content every week, and summarizing articles forces me to truly digest it. I also routinely look back at past newsletters to refresh myself on topics.

Newsletter

Where are all the youth in open source?
On episode 439 of the Open Source Security Podcast, Josh Bressers & Kurt Seifried discussed age demographics for open source contributors. Following up on this, Tidelift's Chris Grams shared data supporting the lack of contributions from the younger generations.

Tidelift open-source maintainer surveys

👋 It has been incredibly difficult for me and my peers to understand open-source software. It's full of extraordinarily talented folks who contribute to the world without expecting anything in return. This creates many barriers: 1) current maintainers don't want contributions with sloppy code that are likely to cause more problems than they fix, and 2) the world is crazy expensive, and most of my peers need ways to make money, not feel a sense of fulfillment.

OMAT (Offline Malware Analysis Tool)
Created by Jean Pereira, OMAT leverages WebAssembly to perform low-level, high-performance analysis entirely in the browser. OMAT can analyze Windows / Linux / MacOS applications and even source code.

👋 Really cool website! But it's a bit suspicious. It's not open-source, but since it's all client-side, anyone can access the code (AFAIK). However, the binary must be converted to WebAssembly Text to be human-readable. Based on the devtool logs, there's no data transmitted when uploading a file, but perhaps telemetry is being sent via the WebAssembly binary that evades devtools. I'm not sure if that's possible 🤷‍♂️.

With Open Source Artificial Intelligence, Don't Forget the Lessons of Open Source Software
👋 I appreciate the sentiment, but frankly, this blog skips over what lessons were learned from open-source software. It reads as, “Everyone did whatever they wanted, and now we have a mess; Big Brother needs to step in!” But that, my friend, is not what open-source is. 🗽

Datadog Joins Open Source Security Foundation (OpenSSF)
👋 R-E-S-P-E-C-T, it's a nice chunk of 🤑 to become a premier member. Datadog is a big dawg and likely didn't feel it, but OpenSSF certainly will!

Homebrew 2023 Security Audit
Sponsored by the Open Technology Fund, Trail of Bits audited Homebrew/actions, Homebrew/formulae.brew.sh, and Homebrew/homebrew-test-bot. The report contained 25 items, of which 16 were fixed, three are in progress, and six were acknowledged by Homebrew's maintainers. The official Trail of Bits report is available here.

Automatically submit your Maven transitive dependencies to the dependency graph
GitHub has released the automatic dependency submission feature, which will monitor changes to the pom.xml file at the root of all repository branches, discover the dependencies referenced in this file, and automatically submit details about them to the dependency graph.

👋 GitHub's dependency graph has been insufficient; I am glad they are progressing!

Malicious Python Package Targets macOS Developers To Access Their GCP Accounts
In June 2024, the malicious PyPI package "lr-utils-lib" was uploaded, targeting specific macOS machines to steal Google Cloud authentication data and send it to a remote server.

Events

San Diego Cyber Group
I've been attending these meetups nearly every month. It's been a great opportunity to meet new folks in the space! Shoutout to the organizers, David Spark and Rick McElroy, for being great hosts and always finding sponsors to hook us up with free food & drinks!

OWASP Orange County
Semgrep sponsored last week's OWASP OC, located at Google's Irvine office. I presented “Tackling Vulnerabilities in Third-Party Packages” with a spontaneous comical twist 🤔. Don't ask me, but the jokes were flowing. Great turnout, and everyone was super welcoming! I hope to attend more of their events in the future.

Semgrep: The Rules - An Interactive Rule Writing Session
Yesterday, the incredible Tanya Janca and I discussed Semgrep rule writing and walked through writing Semgrep rules to find reachable vulnerabilities.

Hacker Summer Camp
I'll be in Vegas August 5-9; please reach out if you'd like to meet up! I've also linked the Semgrep events I may or may not be at 🙂.

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don't hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.