203 private links
2.9 billion people. There is a strong chance that we are affected.
Users of dating apps are at risk of being geolocated. This is all the more worrying because these applications are used by stalkers.
A great resource to get into them
Oops. The passwords of 15 million users are now in the wild.
Center for Internet Security BenchMarks
Forks are copies of the original repository. As such, leaked credentials remain in the forks.
Even after a repository is deleted, its commits remain in the forks and can still be accessed there. Demo on YouTube
Example:
They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork
Also related to private repositories:
We demonstrate how organizations open-source new tools while maintaining private internal forks, and then show how someone could access commit data from the private internal version via the public one.
How to access the data? By direct access to the commit.
If you know the commit hash you can directly access data that is not intended for you.
AND
Commit hashes can be brute forced through GitHub’s UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit.
This is because the shortest allowed prefix gives only 65,536 possible values, and 16,777,216 (6 characters per commit) is a more realistic figure.
Also, "deleting a repository or fork does not mean your commit data is actually deleted."
The flaw also exists in other version control system products.
Crates that depend on many other crates are potential security weak points.
Online identity verification has an impact on data security. Here is an example with AU10TIX.
It can be useful and smart
Scarecrow takes advantage of malicious software checking whether the environment is safe for it to run, by running in the background of your computer and 'faking' these indicators. It's super lightweight and tricks malware into thinking your computer is not the place for it to be.
Our goal was to confuse EDR by implanting malware signatures into legit files and make them think it's malicious
It seems there is not enough competition among the GAFAMs, according to a White House cybersecurity director.
He points out that Microsoft has no further incentive to improve the security of its products, since it has no direct competitor.
When a link is shared on Mastodon, every instance immediately fetches the information related to that link.
It causes a DDoS...
How to track down information: a well-explained example.
How does the curl project prevent flaws such as the recent xz one?