thesamesam

FAQ on the xz-utils backdoor (CVE-2024-3094)

This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.

Background

On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that

hyperupcall

// I'm tired of extensions that automatically:
// - show welcome pages / walkthroughs
// - show release notes
// - send telemetry
// - recommend things
//
// This disables all of that stuff.
// If you have more config, leave a comment so I can add it!!

{

sachinsmc

Top HN posts

1. Ask HN: What books changed the way you think about almost everything?

2. Ask HN: What are the best MOOCs you've taken?

3. Ask HN: How to self-learn electronics?

4. Ask HN: Successful one-person online businesses?

securityMB

Yesterday I posted a little quiz on Twitter about HTML parsing.

The question was: what element is going to be the parent of the final <s> in the following snippet of HTML:

<div><table><svg><foreignObject><select><table><s>

The final answers are:

me0wday

Playing with GraphQL when introspection is disabled

Quick write up on extracting a GraphQL schema when introspection is disabled. Bits and pieces sourced from various sources. Successfully tested on an Apollo instance.

TLDR: Some GraphQL instances provide name autocomplete suggestions. Some peeps have written tools to automate the extraction process. (ref https://youtu.be/nPB8o0cSnvM).

1. Bruteforce schema without introspection

First step is using a tool called clairvoyance by @nikitastupin (https://github.com/nikitastupin/clairvoyance). I found the main repo to lack error handling and support for additional features such as proxy.

not-an-aardvark

# This is a proof-of-concept for a security bug in GitHub Actions which has since been fixed.
# See https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html for more information.
# The proof-of-concept was only ever used in a test environment to validate the existence of the
# vulnerability, and is shown here for educational purposes.
#
# The proof-of-concept would have the effect of creating a `vandalism.md` file, containing vandalism,
# on the default branch of a victim repository.
#
# To use the proof-of-concept, the steps would have been:
# 1. Fork the victim repository

tobi

#!/usr/bin/env ruby

# gem install active_support
require 'active_support/inflector' 
require 'active_support/core_ext/string'

# gem install webrick (only ruby3) 
require 'webrick' 

# gem install mechanize

prologic

Learn Go in ~5mins

This is inspired by A half-hour to learn Rust and Zig in 30 minutes.

Basics

Your first Go program as a classical "Hello World" is pretty simple:

First we create a workspace for our project:

ld100

Migrating from Ubuntu on WSL to ArchLinux on WSL2

Obsolete notice

This document was created back in 2020 and might not be actual nowadays. It is not supported anymore, so use thise information at your own risk.

Upgrading to WSL 2

• Download WSL2 Kernel
• run wsl --set-default-version 2 in windows command line, so that all future WSL machine will use WSL2.

bayu-code-lab

"""
A Bitbucket Builds template for deploying
an application to AWS Elastic Beanstalk
joshcb@amazon.com
v1.0.0
"""
from __future__ import print_function
import os
import sys
from time import strftime, sleep