yeroc boosted

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

arstechnica.com/security/2024/

yeroc boosted

I just looked up Voyager 1's current position for a talk and saw something wild: voyager.jpl.nasa.gov/mission/s

The distance between Earth and Voyager 1 is actually *decreasing* right now (even though the distance between Voyager 1 and the Sun is increasing). A website bug?

Nope! Earth moves really fast around the Sun. Right now we're moving faster toward Voyager 1 than it's flying away from us.

Earth orbits at 30 km/s around the Sun, Voyager is going "only" 17 km/s. I love orbital dynamics!

yeroc boosted

ok ok yeah yeah high availability and whatever but also have you seen how highly available a single fucking binary running on a single fucking computer can be? Have you seen the performance specs of sqlite?

I'm reminded of that one paper from like 2010 or so when a researcher showed that a single threaded binary could outperform many 100 core clusters because they were so poorly designed to scale *down* at all

Did we learn nothing from that? Anything? Anything at all??

yeroc boosted

So apparently the term "patch" in software development comes from punch cards.

"Small corrections to the programmed sequence could be done by patching over portions of the paper tape and re-punching the holes in that section."

chsi.harvard.edu/harvard-ibm-m

#til #computers #development #language #history

yeroc boosted

In my hands is my first iPod. Steve Jobs is smiling at me. Everybody at the Apple Store is smiling.

I take off my Apple Vision. I am back in the retirement home. Nobody has visited me for 12 years. I put it back on.

I hold my iPod. Everybody in the Apple Store is smiling.

yeroc boosted

@technicat the original Mac UI devs noticed and solved so many problems in *1986* that more recent Web 2.0+ frontend devs just ignore -- like this one, *drag delay* -- solving the problem that when the user moves their cursor towards an item on a popup menu, the mouse may drift outside the lines momentarily *en route*, so you should make sure not to close the menu prematurely; these days lots of popup menus instantly pop closed if you stray outside their bounds #UI #UX

yeroc boosted

Yikes. Postman recently pivoted to store all of your session data (including authentication tokens etc.) in their Cloud Service, which you can fully browse and explore in their online tool.

Their security page makes it clear that they have not considered the Okta-style risks associated with this change. If your company has any devs using Postman for production testing, I would strongly recommend Insomnia: insomnia.rest/, and then consider any credentials stored in Postman history to be at risk and rotate them.

yeroc boosted

There’s a big difference between listening and waiting to speak.

yeroc boosted

TIL tilde (~) as "home" in unix and web directories:

On Unix-like operating systems (including AIX, BSD, Linux and macOS), tilde normally indicates the current user's home directory. [...] This convention derives from the Lear-Siegler ADM-3A terminal in common use during the 1970s, which happened to have the tilde symbol and the word "Home" (for moving the cursor to the upper left) on the same key.

https://en.wikipedia.org/wiki/Tilde#Directories_and_URLs

pic: the ADM-3A
yeroc boosted

Broadcom continues to burn VMware to the ground for the insurance money.

yeroc boosted

Not kidding about SLIM landing on its head... here is a picture! This was taken by LEV-2 (SORA-Q), that adorbs transformer robot carried by SLIM that looks like a ball and then springs open to roll wild across the lunar surface and take photos as the mood takes it.

Clearly, it found this pretty funny and it autonomously selected this shot to send back to Earth.

There's a press release here that HQ can't be bothered to post in English.

jaxa.jp/press/2024/01/20240125

yeroc boosted

Here's today's press release for JAXA's SLIM lunar landing!

TL;DR:

Pinpoint site identification was crazily successful.

We were lowering into position, detecting boulders like a champ.

THEN ONE OF THE ENGINES DROPPED OFF.

(I kid you not)

(we don't know why yet)

(maybe space pirates)

But we still soft-landed on 1 engine.

(TAKE THAT SPACE PIRATES!)

but on our head.

Strangely, might not be a big deal once the Sun moves round to the other side of the spacecraft.

global.jaxa.jp/press/2024/01/2

yeroc boosted

RIP, legend. “German music producer Frank Farian — founder of the disco band Boney M — has died at the age of 82.”

bbc.com/news/entertainment-art

@stitzl @rotnroll666 My only use case for shading has always been cli applications so that they can be launched via a simple `java -jar ...`. If the .jar spec allowed for a `lib/` directory containing dependencies (akin to a simplified .ear or .war) I would almost never need to shade dependencies anymore. Yes, I'm aware there are some custom classloaders floating around that do the above but it needs to be built into the platform.

yeroc boosted

@realhackhistory No links to any sources like always. I want to believe this, I truly do, but there is no reason why someone wouldn't just post something to paint Twitter in a bad picture. F12 is a thing and isn't hard to use.

It seems to be real after looking it up (the post is gone but the account is suspended), but please people, post sources! And the 77 others who boosted this, I hope you all validated this? You did, right? Right??

yeroc boosted

"Thesaurus" is okay, but "synonymicon" is cooler.

And if some smartass ever says, "what's another word for 'thesaurus'?" now you have an answer.

yeroc boosted

Long-time Microsoft employees explain changes in Windows:
news.ycombinator.com/item?id=3

Designers were handed full control over UX. Engineers who fought for usability over a slick-looking interface burned out and left after repeatedly being overruled.

yeroc boosted

The New York Times are using the Ruffle WASM Flash emulator to get all of their archived Flash data visualizations to work again. This is so great to see: flowingdata.com/2024/01/10/nyt

yeroc boosted

This is an article that took a lot of strength to write and I might take it down again. But I felt like it is an article that is very necessary right now. bastianallgeier.com/notes/gran

yeroc boosted

Microsoft says a Russian state-sponsored hacking group known as Midnight Blizzard/Nobelium used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of

"Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself."

msrc.microsoft.com/blog/2024/0

Password spraying is low-tech and pervasive. The good news is, you can password spray your own users just like the bad guys can, and then tighten things up.
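As an added illustration of the defensive side of that remark (not part of the original post or of Microsoft's write-up), this script flags the spray signature in constructed auth log lines: one source failing against many distinct accounts in a short window, the inverse of a brute force against one account. The log format, thresholds, IPs and user names are all assumptions.

```python
"""Flag password-spray patterns in authentication logs.

Added example, not from the original post: a spray is many distinct
accounts each receiving a few failures from the same source in a short
window, the inverse of a brute force against one account.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <source_ip> <user> <result>".
SAMPLE_LOG = """\
2024-01-19T08:00:01 203.0.113.7 alice FAIL
2024-01-19T08:00:03 203.0.113.7 bob FAIL
2024-01-19T08:00:05 203.0.113.7 carol FAIL
2024-01-19T08:00:07 203.0.113.7 dave FAIL
2024-01-19T08:00:09 203.0.113.7 erin FAIL
2024-01-19T08:00:11 203.0.113.7 frank FAIL
2024-01-19T08:00:13 203.0.113.7 legacy-test OK
2024-01-19T08:01:00 198.51.100.2 alice FAIL
2024-01-19T08:01:05 198.51.100.2 alice FAIL
2024-01-19T08:01:10 198.51.100.2 alice OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted users} for sources whose failed logins hit
    at least `min_users` distinct accounts inside one `window`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window forward
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def successes_after_spray(log_text, hits):
    """Accounts that authenticated successfully from a spraying source:
    the ones to treat as compromised and rotate first."""
    return sorted({user for line in log_text.splitlines()
                   for ts, ip, user, result in [parse(line)]
                   if ip in hits and result == "OK"})
```

The single-account failures from the second source are a lockout or brute-force pattern, not a spray, so they are correctly not flagged; a real deployment would key on whatever identity your IdP logs (tenant, app, user agent) rather than source IP alone.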

Qoto Mastodon
