Long Strange Trip

  • O great SHA, protect me from this hack

    So I’m building a container. And, well, it fails. The reason? One of the packages has a bad sha256 checksum. This is important, so listen up! Many people would either disable the check, or just update the checksum to match what you received. Here I decided to dig into it a bit. The scary message…

  • Bloomberg’s latest: the hack was in the Ethernet connector. Plausible?

    You’ve by now seen the most recent Bloomberg article that suggests a “major US telecom” has equipment (again made by SuperMicro) with modifications, this time to the Ethernet. Is this plausible? [I have no information on the story or if it occurred, I’m merely discussing the plausibility]. In a word, yes. First, although the image shows…

  • The supply chain security risk in action: ESLint

    Recently we’ve been focused on the Bloomberg/Supermicro/Amazon/Apple supply chain story. But there are other supply chains which are much more common and distributed, and they have been hacked. Let’s talk about the ESLint story. Because it happened. Recently. ESLint is a development tool used in JavaScript & Node.js. A developer runs it during the build…

  • When good containers go bad: github issues are the new release notes

    The world is getting faster with shorter cycle times. Software releases, once things that celebrated birthdays, are now weekly. Emboldened by the seemingly bullet-proof nature of Kubernetes and Helm, and trying to resolve an issue with an errant log message, I update the nginx-controller. It’s easy: helm upgrade nginx-ingress stable/nginx-ingress. Moments later it is done…

  • ELI5: How can I protect (a bit) against this BMC issue?

    The AST2400 that is being discussed in the Bloomberg ‘BMC hack’ is a small low-performance processor. And Facebook created a framework to make open source software for it, OpenBMC. This might give some comfort since you can load your own firmware, and then compare that is indeed what you are running, and then have it…