via Josh Pitts (a staff engineer at OKTA), and writing on the company blog, comes a well crafted explanatory piece on what he has discovered in the third-party-code-signing Apple Inc. (NasdaqGS: AAPL) debacle. So much for the highly touted (by Apple, that is) gatekeeping within Mac OSX (now known as macOS). Enjoy!
News, via Dan Goodin - writing at ArsTechnica - of an apparent dev team screwup at Facebook Inc. (Nasdaq: FB). In which, the crack-dev-team at the purveyor of user data managed to introduce a pernicious flaw in the Detritus (also known as the Company's 'Code', or 'Intellectual Property') that happily exposed the posts of 14 million of the company's 'Subjects'(also known as 'Users') to one and all. What happended to 'Code Review' (also known as 'Looking for Developer Screwups' or 'Application Testing' also known as 'Testing for Developer Screwups'? Nary a peep from the Facebook Security Team on this one; and in summation: Where's the Apology, Chairman Zuckerberg?
"The bug occurred as Facebook developers were creating a new way to share photos and other featured items in user profiles. In the process, the developers accidentally suggested all new posts be set to public, rather than just the featured items." - via Dan Goodin writing at ArsTechnica
via the inimitable Adam Shostack (author of The New School of Information Security) and Threat Modeling; a leader in the Threat Modeling arena), whilst writing at his fascinating blog, comes a sterling discussion of the DREAD method; or How To Name A Bug Bounty Program. Certainly, today's MustRead, enjoy!
Kevin Hartnett, Senior Writer at Quanta Magazine, expounds on the notion of formal code verification when used to provide assurance of attack-proof code... Similar to unsinkable ocean liners? Or, is it only a matter of time before a successful attack is mounted thereupon? Is attack-proof code provable utilizing proofs (as in mathematical proofs)? You be the judge.
'“They were not able to break out and disrupt the operation in any way,” said Kathleen Fisher, a professor of computer science at Tufts University and the founding program manager of the High-Assurance Cyber Military Systems (HACMS) project. “That result made all of DARPA stand up and say, oh my goodness, we can actually use this technology in systems we care about.”' - via Kevin Hartnett, Senior Writer at Quanta Magazine
Terrific bit of reportage by Richard Chirgwin, whilst writing at El Reg and detailing the so-called cost-benefit methodology explaining efforts underway to further protect browser bits; and, while you're at it, examine if you will the research paper mentioned in the post, quite likely one of the more interesting papers you may read today.
Tavis Ormandy (a member of Google’s Project Zero organization) has found, reported and the offending Grammarly code fixed by Grammarly (reportedly by Tavis) in record time). A small bit of advice for Grammarly, and others: Have your code thoroughly examined by systems adhereing to the OpenSAMM or SAMM model. It may save your hocks someday... Today's Must Read over at Graham Clueley's blog. Thanks Graham and Trey!