Hacker suggests hijacking libraries, stealing AWS keys was ethical investigate

June 21, 2022 Audrey

Yesterday, developers took notice of two hugely well-known Python and PHP libraries, respectively, ‘ctx’ and ‘PHPass’ that experienced been hijacked, as 1st documented in the news by BleepingComputer.

Both equally of these authentic open resource initiatives had been altered to steal developer’s AWS credentials.

Looking at ‘ctx’ and ‘PHPass’ have together garnered in excess of 3 million downloads in excess of their lifetimes, the incident sparked substantially worry and discussion among developers—now nervous about the effect of the hijack on the over-all computer software supply chain.

The hacker at the rear of this hijack has now damaged silence and discussed his explanations to BleepingComputer. According to the hacker, relatively “stability researcher,” this was a bug bounty exercising and no destructive action was supposed.

PoC package stole AWS top secret keys to display “most effects”

Today, the hacker of the extensively used ‘ctx’ and ‘PHPass’ software projects has discussed his rationale behind the hijack—that this was a evidence-of-principle (PoC) bug bounty physical exercise with no “malicious exercise” or harm meant.

In reality, the hijacker of these libraries is an Istanbul-primarily based protection researcher, Yunus Aydın aka SockPuppets, who has attested to the simple fact when approached by BleepingComputer.

He claims his rationale for stealing AWS tokens was to display the “most affect” of the exploit.

Claims of the commonly utilised Python library ‘ctx’ being compromised first originated on Reddit when consumer jimtk recognized that the library, which experienced not been current in 8 a long time, instantly had new versions unveiled.

In addition, as BleepingComputer discussed yesterday, these new variations of ‘ctx’ exfiltrated your setting variables and AWS solution keys to a mysterious Heroku endpoint.

One more moral hacker Somdev Sangwan later on noticed that one particular of the forks of the PHP framework, ‘PHPass’ had also been altered to steal AWS mystery keys in a comparable style and via the identical endpoint:

altered versions of ctx and phpass stole aws keys — **Altered variations of ‘ctx’ and ‘phpass’ stole AWS key keys** (BleepingComptuer)

BleepingComputer observed that, within the altered ‘ctx’ variations, the name of the “author” experienced been revised to state, Yunus AYDIN, as opposed to the library’s original maintainer Robert Ledger. But Ledger’s e mail tackle had been still left intact.

pypi ctx altered versions metadata — **Creator and electronic mail info existing in the compromised ‘ctx’ versions** (BleepingComputer)

Some researchers also noticed the Heroku webpage established up by the hijacker was leaking his call information but refrained from naming the hijacker until eventually a lot more details came to mild.

The attacker likely got entry to the maintainers of these offers by spraying credentials around a big list of significant price user accounts.

Attacker’s identity is obv but it would be irresponsible to choose names devoid of undeniable proofs.

Compromised packages have been noted.

— Somdev Sangwan (@s0md3v) May well 24, 2022

Dubious ethical research

Although Aydın promises that this was all ethical exploration, victims of these actions would see it as nearly anything but that.

Most PoC and bug bounty exercises targeting open supply libraries use simplistic code, this sort of

I’ll Never Be A Hacker, But Games About Programming Make Me Feel Like I’m Satoru Iwata

March 25, 2022 Audrey

Up until about six years ago, my experience with the world of programming and code amounted to understanding what <b>formatting</b> meant in html, and vaguely remembering that one game about steering a turtle using basic commands like “FORWARD 10”. I enjoy games, but I do not usually care to see the chaotic tangle of code that lives behind the screen. As long as it works, lads, I’m happy.

But about six years ago, I met my partner, who will be deeply embarrassed to know that I consider him a programming wizard. He has a degree in computer science, and thinks that BASIC is “fun”. Despite this, I fancied him like mad, and when you’re a romantic dork, you try to impress people you fancy by attempting to learn the things they like.

So I started learning a few programming languages. Nothing too intense, mind you — I dabbled in C#, and made what is essentially a mildly interactive PowerPoint presentation called Awkward Dating Simulator, and then I started learning Tracery, a modified version of Javascript, to make Twitter bots like Pleasant Subtweets (which tells you nice things once every three hours) and my personal favourite, Get Facts, which tells you… facts? Sort of? Both are fully automated, and procedurally generate each tweet, loaded up with words that I wrote. They’re pretty cool, if I do say so myself.

This is what Assembly looks like, by the way *(Image: Swtpc6800)*

But here’s the thing: Learning programming is almost exactly the same as learning a language. It’s not particularly fun a lot of the time, and it begins to feel impossible right around the time that you learn of the existence of deponent verbs, or quaternions, and you wonder how the hell an entire industry is founded on this godforsaken thing.

And with programming, like with learning any other language, there are programs that try to make it fun. For natural languages, that’s apps like Duolingo, which gamify the process and reward you for doing well and being consistent. They are accompanied by friendly, colourful graphics and goofy, short-form stories that entertain as well as edify.

Programming has video games, because of course it does. The people making the video games are the nerds who learned how to program in the first place.

If you’re a fan of logic puzzle games, chances are you’ve already played a programming game — they’re not always entirely obvious. I would argue that Opus Magnum, a gorgeous puzzle game that will probably never come to console, is a programming game — it tests your “if this, then that” abilities without ever outright saying that it’s doing that — and pretty much every Sokoban-style block-pushing game is a crash course in dependencies, too. And don’t forget Baba Is You, the adorable-yet-fiendishly-tricky puzzler that literally tasks you with understanding and changing variable definitions in order to complete

DA: Chico Point out laptop or computer hacker sentenced | News

January 22, 2022 Audrey

BUTTE COUNTY, Calif. – A 22-calendar year-aged Chico male was sentenced to probation, fines and local community services right after admitting to illegally hacking a number of desktops at Chico Condition.

Alejandro Benitez appeared in Butte County Excellent Court docket on Thursday exactly where he entered a plea of no contest to the crime of unauthorized personal computer entry.

Butte County Top-quality Court Commissioner Kurt Worley sentenced Benitez to three several years of probation and fines of $370.

Butte County District Legal professional Mike Ramsey claimed the unlawful “hacking” led to a listing of University college students who had used for COVID-19 vaccine exemptions being posted online.

The list provided requests from about 130 college students – 18 of the entries had students’ personal determining info.

Relevant: Chico Point out details breach leaks names of learners requesting exemptions from vaccine

An investigation by University Police of the posted spreadsheet was traced back again to Benitez, a current Chico Point out graduate who worked in the Facts Technology Support Expert services Business office (ITSS), according to Ramsey.

University Law enforcement also said it was identified that a Chico State professor had notified the media of the on the net posts. Ramsey explained the professor also explained to law enforcement about the posts.

Related: Chico State gives assertion about COVID-19 vaccination knowledge breach

In accordance to Ramsey, the professor “alerted his union and the media with the hope any potential civil rights and privacy violations would be investigated.”

The professor does not experience rates. Ramsey explained the professor’s steps had been not prison as the legal perform, in this case, was unlawfully accessing the University’s personal computers.

By illegally accessing and downloading information throughout his employment from at minimum two computers assigned to Chico State administrators, Benitez was capable to get the private exemptions listing.

According to Ramsey, Benitez tried using to redact students’ personalized details but unsuccessful to take away details found in other columns of the spreadsheet.

Ramsey claimed the phrases of Benitez’s probation involve 80 several hours of local community assistance and a prohibition from accepting work where by he could have obtain to a laptop or computer except if authorized by the court.

Commissioner Worley mentioned Benitez will be necessary to serve a minimum of 180 times in Butte County Jail for any probation violations.