
CramHacks Chronicles #59: Weekly Cybersecurity Newsletter!

Linus Torvalds and why Linux kernel removed Russian maintainers, Intern corrupts AI model, NASA awards $15.6M to open source projects

Hello! I hope you’re having a great week 🙂.

I spent this past week in New York with family for our engagement party 🥳, but I am now back in San Diego. As expected, NY's weather varied daily from freezing to summer weather. It’s supposed to be in the mid-70s tomorrow for Halloween.

If anyone needs a super scary Halloween costume, a software supply chain would easily win the contest in my book.

Semgrep Supply Chain: Announcing Kotlin Reachability!
👋 One of my recent projects was expanding Semgrep Supply Chain’s reachability support - Kotlin reachability marks our eighth supported language!

Newsletter

Why remove Russian maintainers of Linux kernel? Here's what Torvalds says
Citing “various compliance requirements,” Linux Kernel maintainers with Russian citizenship were removed due to international sanctions against Russia. According to Torvalds, these compliance requirements were not solely enforced by the United States.

Ok, lots of Russian trolls out and about. It's entirely clear why the change was done, it's not getting reverted, and using multiple random anonymous accounts to try to "grass root" it by Russian troll factories isn't going to change anything.

And FYI for the actual innocent bystanders who aren't troll farm accounts - the "various compliance requirements" are not just a US thing.

If you haven't heard of Russian sanctions yet, you should try to read the news some day. And by "news", I don't mean Russian state-sponsored spam.

As to sending me a revert patch - please use whatever mush you call brains. I'm Finnish. Did you think I'd be supporting Russian aggression? Apparently it's not just lack of real news, it's lack of

ByteDance intern fired for planting malicious code in AI models
Exaggerated, rumor, or fact? ByteDance confirms that an intern was fired in August after they “maliciously interfered” with the company’s AI model training tasks. Media is reporting up to $10M in damages, but ByteDance says this is “seriously exaggerated.”

Mandiant: How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
Google researchers Casey Charrier and Robert Weiner analyzed 138 vulnerabilities disclosed in 2023 that were actively exploited in the wild. Notably, 97 of these (70%) were exploited as zero-days.

Stacklok donates its Minder supply chain security project to the OpenSSF
Minder is a software supply chain security platform that allows you to configure profiles and enforce security settings and policies across repositories. It has been free for public repositories for as long as I can remember, but I’m excited to see what OpenSSF does with it! GitHub link

Open Source Maturity, Europe 2024: Milestones, Opportunities, and Pathways
Many insights into motivations, hurdles, and results regarding open source software related to European industries.

👋 “Confidence in the security of OSS is high, with 73% in 2023 and 76% in 2024 believing OSS to be more secure than closed software.” This is always a fun debate, but seeing the decline is interesting.

NASA Funds Open-Source Software Underpinning Scientific Innovation
$15.6 million has been awarded to 15 projects (open-source tools, frameworks, and libraries) used by the NASA science community. List of recipients and their projects

Zizmor: An open-source tool for finding security issues in GitHub Actions
William Woodruff released a Rust-based tool for online and offline auditing of GitHub Actions workflows. The tool looks for dangerous triggers related to pwn requests, hardcoded container credentials, known vulnerable actions, and more. Full list here

Bringing developer choice to Copilot with multi-model choice
GitHub Copilot now enables organizations and enterprises to configure supported models (Anthropic’s Claude 3.5 Sonnet, Google’s Gemini 1.5 Pro, and OpenAI’s o1-preview and o1-mini) and allows developers to individually choose which works best for their task.

👋 I'm somewhat surprised to hear this, but I think it’s the right move!

Until Next Time! 👋

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.