Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive.
Ironically, these are often projects with millions of users, who trust them specifically because of their stolid, unexciting maturity.
This presents a scary social-engineering vector for malware: A malicious person volunteers to help maintain the project, makes some small, positive contributions, gets commit access to the project, and releases a malicious patch, infecting millions of users and apps.
This is apparently what happened to event-stream, a widely used tool that was compromised by a crypto-currency stealing attacker who gained commit access, poisoned an update, and then locked the project's owner out.
I don't know what to say. #116 [Dominic Tarr/Github]
Every year, the Electronic Frontier Foundation presents its Pioneer Awards (previously); now renamed the Barlow Award in honor of EFF co-founder John Perry Barlow, who died last year.
In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries […]
Thangrycat is a newly disclosed vulnerability in Cisco routers that allows attackers to subvert the router's trusted computing module, which allows malicious software to run undetectably and makes it virtually impossible to eliminate malware once it has been installed.
If you can build a cloud infrastructure, you can build a business. Companies are overwhelmingly turning to cloud computing to set up or bolster their network, and it’s easy to see why. It allows on-demand access to processing power, a la carte services, and nearly unlimited storage, all without adding extra systems and the maintenance […]
Does your gaming setup need an upgrade? No need to wait for Christmas. We’ve rounded up the latest tech accessories for your favorite video game platforms. All of them are already sale priced, but you can knock an additional 15% off the final price for Memorial Day by using the online code WEEKEND15. Audeze Mobius […]
Raspberry Pi is one of the world’s most versatile open-source computers. Alexa is a home automation hub with limitless potential. Together, they’re a dream team for ambitious makers, opening the door to everything from automatic lights to voice-controlled robots. Learning Raspberry Pi is meant to be relatively easy for newbies, but its applications with Alexa […]