The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP) https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/ …pic.twitter.com/X0LsM3krDv
Yeah, I do @musllibc, FOSS & infosec stuff. But now is not the time for a mostly-/only-tech Twitter feed.
You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
Add this Tweet to your website by copying the code below. Learn more
Add this video to your website by copying the code below. Learn more
By embedding Twitter content in your website or app, you are agreeing to the Twitter Developer Agreement and Developer Policy.
| Country | Code | For customers of |
|---|---|---|
| United States | 40404 | (any) |
| Canada | 21212 | (any) |
| United Kingdom | 86444 | Vodafone, Orange, 3, O2 |
| Brazil | 40404 | Nextel, TIM |
| Haiti | 40404 | Digicel, Voila |
| Ireland | 51210 | Vodafone, O2 |
| India | 53000 | Bharti Airtel, Videocon, Reliance |
| Indonesia | 89887 | AXIS, 3, Telkomsel, Indosat, XL Axiata |
| Italy | 4880804 | Wind |
| 3424486444 | Vodafone | |
| » See SMS short codes for other countries | ||
This timeline is where you’ll spend most of your time, getting instant updates about what matters to you.
Hover over the profile pic and click the Following button to unfollow any account.
When you see a Tweet you love, tap the heart — it lets the person who wrote it know you shared the love.
The fastest way to share someone else’s Tweet with your followers is with a Retweet. Tap the icon to send it instantly.
Add your thoughts about any Tweet with a Reply. Find a topic you’re passionate about, and jump right in.
Get instant insight into what people are talking about now.
Follow more accounts to get instant updates about topics you care about.
See the latest conversations about any topic instantly.
Catch up instantly on the best stories happening as they unfold.
The ssh-decorator package from Python pip had an obvious backdoor (sending ip+login+password to ssh-decorate[.]cf in cleartext HTTP) https://www.reddit.com/r/Python/comments/8hvzja/backdoor_in_sshdecorator_package/ …pic.twitter.com/X0LsM3krDv
Now look at this in the context of shops running many thousands of servers per admin with the same exact unaudited code as thousands of other shops doing the same. Puppet, ansible, chef, etc etc. Turns out admins in the hundreds of servers stage weren’t doing nothing.
Nobody was reading the source of every library and tool we used before deploying it. This is not the axe you're looking for.
LOL. That level of audit from one amazing person is hardly the point. Diversity of implementation. That is the point. Linux has become a monoculture. That's what made Microsoft so weak for so long. The likelihood of oversight is the same but the impact is WAY higher.
We don't have a monoculture. We have an explosion of unvetted software. Quite the opposite.
We have an explosion of uncurated repositories, indistinguishable by average users from curated ones, made way too easy to use.
There is that, but that's easily defined/curable. The casually curated but widely used repos scare me. The illusion of security.
By curation I mean something like Debian. All the language-specific library repos are uncurated in my book.
anything that doesn't come in the language library is uncurated, oops, JS has no standard library itself
Yes, all existing repos of js library code are uncurated and of untrustworthy quality. Of course some of the code in them has decent quality but you have to review it yourself or do external research to determine which.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.