From bc4a068e6b6ef891859a8957fd9c510c59e85847 Mon Sep 17 00:00:00 2001
From: himazawa <himazawa@users.noreply.github.com>
Date: Sun, 31 Mar 2024 20:40:00 +0000
Subject: [PATCH] deploy: 49ed5a4f3a3cbaf20f807e1faf251e5c0db5aa0f

---
 it/posts/long-time-no-see/index.html | 2 +-
 it/posts/security-theatre/index.html | 2 +-
 it/posts/xz-backdoor/index.html      | 2 +-
 posts/long-time-no-see/index.html    | 2 +-
 posts/mycroft-ai-rce/index.html      | 2 +-
 posts/security-theatre/index.html    | 2 +-
 posts/xz-backdoor/index.html         | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/it/posts/long-time-no-see/index.html b/it/posts/long-time-no-see/index.html
index 9c0d18a..64bc0d0 100644
--- a/it/posts/long-time-no-see/index.html
+++ b/it/posts/long-time-no-see/index.html
@@ -13,7 +13,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Cambiare il tema"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Scegliere la lingua">Italiano<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/long-time-no-see/>English</option><option value=/it/posts/long-time-no-see/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#il-funzionamento-di-questo-blog>Il funzionamento di questo blog</a></li><li><a href=#il-futuro>Il futuro</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Tanto tempo che non ci si vede</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2023-02-06>2023-02-06</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;372 parole&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;2 minuti&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/long-time-no-see/header.jpg srcset="/posts/long-time-no-see/header.jpg, /posts/long-time-no-see/header.jpg 1.5x, /posts/long-time-no-see/header.jpg 2x" sizes=auto alt=/posts/long-time-no-see/header.jpg title=/posts/long-time-no-see/header.jpg height=455 width=728></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contenuti</span>
+<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/long-time-no-see/>English</option><option value=/it/posts/long-time-no-see/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#il-funzionamento-di-questo-blog>Il funzionamento di questo blog</a></li><li><a href=#il-futuro>Il futuro</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Tanto tempo che non ci si vede</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2023-02-06>2023-02-06</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;372 parole&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;2 minuti&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/long-time-no-see/header.jpg srcset="/posts/long-time-no-see/header.jpg, /posts/long-time-no-see/header.jpg 1.5x, /posts/long-time-no-see/header.jpg 2x" sizes=auto alt=/posts/long-time-no-see/header.jpg title=/posts/long-time-no-see/header.jpg height=455 width=728></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contenuti</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#il-funzionamento-di-questo-blog>Il funzionamento di questo blog</a></li><li><a href=#il-futuro>Il futuro</a></li></ul></nav></div></div><div class=content id=content><p>Tanto tempo che non ci si vede, eh? Sono successe tante cose dall&rsquo;ultimo post nel 2018 sul <a href=https://bsod.dev target=_blank rel="noopener noreferrer">vecchio blog</a>.</p><p>Sfortunatamente non ho scritto molto, sia per mancanza di tempo sia per l&rsquo;impossibilita&rsquo; di condivider cio&rsquo; che ho imparato.
 Questo post contiene un&rsquo;introduzione a questo nuovo sito e come funzionera&rsquo; d&rsquo;ora in poi.</p><p>Innanzitutto, sono ancora nel campo della security, ma mi sono spostato alla parte di Product Security (di piu&rsquo; su questo argomento piu&rsquo; avanti ma TL;DR: noia, carriera e opportunita&rsquo; di cresita, frustrazione e paura di andare in burnout).</p><p>Fortunatamente nel mio attuale lavoro mi vengono concessi tempo e risorse per fare anche vulnerability research quindi occasionalmente postero&rsquo; alcune vulnerabilita&rsquo; interessanti che ho trovato.</p><p>Vorrei inoltre parlare degli aspetti dell&rsquo;Application Security a applicata al SDLC, vedremo se funzionera'.</p><h2 id=il-funzionamento-di-questo-blog class=headerLink><a href=#il-funzionamento-di-questo-blog class=header-mark></a>1 Il funzionamento di questo blog</h2><p>Il setup e&rsquo; molto semplice, uso <a href=https://gohugo.io/ target=_blank rel="noopener noreferrer">hugo</a> per buildare pagine statiche che vengono pubblicate su una GithubPage.</p><p>C&rsquo;e&rsquo; una <a href=https://github.com/peaceiris/actions-hugo target=_blank rel="noopener noreferrer">Github Action</a> che builda e deploya le pagine ogni volta che una Pull Request viene approvata sul branch <code>main</code>.</p><p><figure><a class=lightgallery href=/posts/long-time-no-see/blog_CI_CD.png title=/posts/long-time-no-see/blog_CI_CD.png data-thumbnail=/posts/long-time-no-see/blog_CI_CD.png data-sub-html="<h2>Un grafico che rappresenta il flusso logico dietro il sistema di deployment del blog</h2>"><img loading=lazy src=/posts/long-time-no-see/blog_CI_CD.png srcset="/posts/long-time-no-see/blog_CI_CD.png, /posts/long-time-no-see/blog_CI_CD.png 1.5x, /posts/long-time-no-see/blog_CI_CD.png 2x" sizes=auto alt=/posts/long-time-no-see/blog_CI_CD.png></a><figcaption class=image-caption>Un grafico che rappresenta il flusso logico dietro il sistema di deployment del blog</figcaption></figure></p><p>Il tema che uso e&rsquo; <a href=https://hugoloveit.com/ target=_blank rel="noopener noreferrer">LoveIt</a>. E&rsquo; molto carino e ricco di funzionalita&rsquo; ma ha alcuni bug che devono essere fixati; per esempio, se stai leggendo questa pagina in Italiano ti sarai accorto che l&rsquo;header ha le traduzioni abbastanza fatte a caso.</p><p>La localization del tema e&rsquo; una feature molto carina ma dover riscrivere ogni volta lo stesso post per ogni linguaggio e&rsquo; abbastanza tedioso quindi penso che aggiungero&rsquo; il supporto a DeepL.</p><p>Infine, il blog ha un nuovo logo:<figure><a class=lightgallery href=/images/logo.png title=/images/logo.png data-thumbnail=/images/logo.png data-sub-html="<h2>appsec.space logo</h2>"><img loading=lazy src=/images/logo.png srcset="/images/logo.png, /images/logo.png 1.5x, /images/logo.png 2x" sizes=auto alt=/images/logo.png></a><figcaption class=image-caption>appsec.space logo</figcaption></figure></p><p>E&rsquo; stato generato da <a href=https://midjourney.com target=_blank rel="noopener noreferrer">Midjourney</a> e non significa assolutamente nulla!</p><h2 id=il-futuro class=headerLink><a href=#il-futuro class=header-mark></a>2 Il futuro</h2><p>Ho intenzione di cambiare molte cose: prima di tutto vorrei migrare tutti i post del vecchio blog perche&rsquo; vorreri mantenere un archivio. Successivamente potro&rsquo; cominciare a scrivere nuovi post.<div class="details admonition note open"><div class="details-summary admonition-title"><i class="icon fas fa-pencil-alt fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Se il vecchio blog risponde con un redirect a quello nuovo significa che la migrazione e&rsquo; stata completata.</div></div></div></p><p>Nonostante il nome sia <code>appsec.space</code> mi piacerebbe parlare di diversi argomenti, spaziando dall&rsquo;Application security, al Malware Development (a scopo formativo, <a href="https://www.youtube.com/watch?v=zlbe6BsLCNc" target=_blank rel="noopener noreferrer">ovviamente</a>), al mio setup per la produttivita&rsquo; a lamentele varie.</p><p>Il prossimo post sara&rsquo; sul <a href=https://en.wikipedia.org/wiki/Security_theater target=_blank rel="noopener noreferrer">Security Theater</a> quindi, come diceva qualcuno, ci vediamo li.</p></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Aggiornato il 2024-03-30&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/ca570335e2297ac0e2aa33b5d30d06d66c7007ff target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) ca570335e2297ac0e2aa33b5d30d06d66c7007ff: blog: new article on CVE-2024-3094, removed unused config data" rel="noopener noreferrer">
 <i class="fas fa-hashtag fa-fw"></i>ca57033</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/it/posts/long-time-no-see/index.md target=_blank rel="noopener noreferrer">Leggi Markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/it/tags/updates/>Updates</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Indietro</a></span>&nbsp;|&nbsp;<span><a href=/it/>Home</a></span></section></div><div class=post-nav><a href=/it/posts/security-theatre/ class=next rel=next title="Security Theatre? Direi quasi Security Circus">Security Theatre? Direi quasi Security Circus<i class="fas fa-angle-right fa-fw"></i></a></div></div></article></div></main></div><div id=fixed-buttons><a href=#back-to-top id=back-to-top-button class=fixed-button title="Torna all'inizio"><i class="fas fa-arrow-up fa-fw"></i>
diff --git a/it/posts/security-theatre/index.html b/it/posts/security-theatre/index.html
index c81eb39..2127824 100644
--- a/it/posts/security-theatre/index.html
+++ b/it/posts/security-theatre/index.html
@@ -13,7 +13,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Cambiare il tema"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Scegliere la lingua">Italiano<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/security-theatre/>English</option><option value=/it/posts/security-theatre/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#cosa-e-il-security-theatre>Cosa e&rsquo; il Security Theatre</a></li><li><a href=#cause>Cause</a></li><li><a href=#tirando-le-somme>Tirando le somme</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Security Theatre? Direi quasi Security Circus</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a>
+<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/security-theatre/>English</option><option value=/it/posts/security-theatre/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#cosa-e-il-security-theatre>Cosa e&rsquo; il Security Theatre</a></li><li><a href=#cause>Cause</a></li><li><a href=#tirando-le-somme>Tirando le somme</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Security Theatre? Direi quasi Security Circus</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a>
 </span>&nbsp;<span class=post-category>included in </span>&nbsp;<span class=post-category>incluso in <a href=/it/categories/general-knowledge/><i class="far fa-folder fa-fw"></i>General-Knowledge</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2023-02-13>2023-02-13</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;444 parole&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;3 minuti&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/security-theatre/cargocult.jpg srcset="/posts/security-theatre/cargocult.jpg, /posts/security-theatre/cargocult.jpg 1.5x, /posts/security-theatre/cargocult.jpg 2x" sizes=auto alt=/posts/security-theatre/cargocult.jpg title=/posts/security-theatre/cargocult.jpg height=700 width=1920></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contenuti</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#cosa-e-il-security-theatre>Cosa e&rsquo; il Security Theatre</a></li><li><a href=#cause>Cause</a></li><li><a href=#tirando-le-somme>Tirando le somme</a></li></ul></nav></div></div><div class=content id=content><p>Lavorando nel campo, ho visto molte organizzazioni investire una quantita&rsquo; significativa di tempo e risorse (che si traduce in persone e soldi), in misure che garantiscono poca se non zero, reale sicurezza.</p><p>Ho assistito a organizzazioni che si esibiscono in un eterno clown show nel nome della security.</p><p>Questo fenomeno e&rsquo; comunemente chiamato &ldquo;security theatre&rdquo;.</p><h2 id=cosa-e-il-security-theatre class=headerLink><a href=#cosa-e-il-security-theatre class=header-mark></a>1 Cosa e&rsquo; il Security Theatre</h2><p>Il security theatre, nella sua forma piu&rsquo; semplice, e&rsquo; una grande illusione. E&rsquo; l&rsquo;insieme di misure di sicurezza messe in piedi non perche&rsquo; prevengano realmente i data breach, ma solo perche&rsquo; sulla carta sembrano buoni, tranquillizzano gli stakeholders e fanno sentire tutti come se stessero davvero facendo qualcosa di utile per proteggersi.</p><p><a href="https://www.youtube.com/watch?v=MzQPTdDwtVk" target=_blank rel="noopener noreferrer">Lo senti? Lo senti l&rsquo;odore? <em>compliance</em> figliolo, non c&rsquo;e&rsquo; nient&rsquo;altro al mondo che odora cosi&rsquo;. </a>.</p><p>Come esempio, prendiamo il requisito di avere password complesse che devono essere regolarmente cambiate. Questo e&rsquo; il classico esempio di security theatre.</p><p>Per quanto possa sembrare una buona fa molto poco per prevenire un data breach. E non dimentichiamoci il downside principale: la cosiddetta &ldquo;password fatigue&rdquo;, che porta i dipendenti a usare password che sono piu&rsquo; facili da ricordare o sempli variazioni di quelle usate in precedenza. Del resto c&rsquo;e&rsquo; un motivo (molti in realta&rsquo;) se <a href=https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633 target=_blank rel="noopener noreferrer">Microsoft</a>, <a href=https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/ target=_blank rel="noopener noreferrer">Google</a> ed <a href=https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/ target=_blank rel="noopener noreferrer">Apple</a> vogliono abbandonare del tutto le password.</p><figure><img src=https://imgs.xkcd.com/comics/password_strength.png><figcaption><h4>sistema la tua password policy</h4></figcaption></figure><p>Un altro esempio di security theatre e&rsquo; il fatto di implementare sistemi che dovrebbero dare un livello aggiuntivo di sicurezza come firewall, IDS e IP (in realta&rsquo; potremmo aprire un dibattito sul fatto che aumentino o diminuiscano la superficie d&rsquo;attacco), per poi non aggiornali.</p><h2 id=cause class=headerLink><a href=#cause class=header-mark></a>2 Cause</h2><p>Quindi, cosa possono fare le aziende per evitare questo circo infinito? Prima di tutto dovrebbero capire quali sono i veri rischi che corrono e implementare contromisure che li indirizzino in maniera adeguata. Questo deve includere in primo luogo la formazione dei dipendenti su come riconoscere e rispondere ad un attacco.</p><p>Dopotutto, la cybersecurity non e&rsquo; altro che la Corsa all&rsquo;Oro 2.0, ci sono moltissimi soldi sul tavolo e tutti ne vogliono una fetta, questo causa pero&rsquo; difficolta&rsquo; nel trovare genete realmente preparata e se per caso ci si volesse affidare a dei consulenti esterni sarebbe ancora peggio, in quanto si dipenderebbe completamente da un&rsquo;entita&rsquo; esterna per la propria Security Posture.</p><h2 id=tirando-le-somme class=headerLink><a href=#tirando-le-somme class=header-mark></a>3 Tirando le somme</h2><p>In conclusione, il security theatre e&rsquo; un problema comune nel mondo dell&rsquo;IT Security. Per evitare di far parte di questo pessimo show le organizzazioni dovrebbero concentrarsi nell&rsquo;implementare controlli funzionia, nel testarne regolarmente l&rsquo;efficacia e nell&rsquo;avere un piano di risposta comprensivo.
 A, per favore, smettiamola con le policy inutili.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content><a href=https://www.philvenables.com/post/ceremonial-security-and-cargo-cults target=_blank rel="noopener noreferrer">Qui</a> puoi trovare un articolo di Phil Venables, CISO di Google, sulla Cerimonial Security e i Cargo Cults.</div></div></div></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Aggiornato il 2024-03-30&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/ca570335e2297ac0e2aa33b5d30d06d66c7007ff target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) ca570335e2297ac0e2aa33b5d30d06d66c7007ff: blog: new article on CVE-2024-3094, removed unused config data" rel="noopener noreferrer">
diff --git a/it/posts/xz-backdoor/index.html b/it/posts/xz-backdoor/index.html
index 6c1a497..aec9376 100644
--- a/it/posts/xz-backdoor/index.html
+++ b/it/posts/xz-backdoor/index.html
@@ -19,7 +19,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Cambiare il tema"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Scegliere la lingua">Italiano<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/xz-backdoor/>English</option><option value=/it/posts/xz-backdoor/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#componenti-impattate>Componenti impattate</a></li><li><a href=#considerazioni>Considerazioni</a><ul><li><a href=#il-comportamento-di-github>Il comportamento di GitHub</a></li><li><a href=#i-downgrade>I downgrade</a></li></ul></li><li><a href=#come-si-previene-questo-fenomeno>Come si previene questo fenomeno?</a><ul><li><a href=#problemi-di-fiducia>Problemi di fiducia</a></li><li><a href=#statistiche-di-github>Statistiche di GitHub</a></li><li><a href=#engagement-della-community>Engagement della community</a></li><li><a href=#fondi-e-supporto>Fondi e supporto</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#controlli-ricorsivi>Controlli Ricorsivi</a></li></ul></li><li><a href=#risorse>Risorse</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">La backdoor di xz dalla prospettiva di un Security Engineer</h1><h2 class=single-subtitle>L'ennesimo attacco alla supply chain</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-31>2024-03-31</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;1572 parole&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;8 minuti&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/xz-backdoor/xz.png srcset="/posts/xz-backdoor/xz.png, /posts/xz-backdoor/xz.png 1.5x, /posts/xz-backdoor/xz.png 2x" sizes=auto alt=/posts/xz-backdoor/xz.png title=/posts/xz-backdoor/xz.png height=112 width=950></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contenuti</span>
+<select class=language-select title="Scegliere la lingua" onchange="location=this.value"><option value=/posts/xz-backdoor/>English</option><option value=/it/posts/xz-backdoor/ selected>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contenuti</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#componenti-impattate>Componenti impattate</a></li><li><a href=#considerazioni>Considerazioni</a><ul><li><a href=#il-comportamento-di-github>Il comportamento di GitHub</a></li><li><a href=#i-downgrade>I downgrade</a></li></ul></li><li><a href=#come-si-previene-questo-fenomeno>Come si previene questo fenomeno?</a><ul><li><a href=#problemi-di-fiducia>Problemi di fiducia</a></li><li><a href=#statistiche-di-github>Statistiche di GitHub</a></li><li><a href=#engagement-della-community>Engagement della community</a></li><li><a href=#fondi-e-supporto>Fondi e supporto</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#controlli-ricorsivi>Controlli Ricorsivi</a></li></ul></li><li><a href=#risorse>Risorse</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">La backdoor di xz dalla prospettiva di un Security Engineer</h1><h2 class=single-subtitle>L'ennesimo attacco alla supply chain</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/it/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-31>2024-03-31</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;1572 parole&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;8 minuti&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/xz-backdoor/xz.png srcset="/posts/xz-backdoor/xz.png, /posts/xz-backdoor/xz.png 1.5x, /posts/xz-backdoor/xz.png 2x" sizes=auto alt=/posts/xz-backdoor/xz.png title=/posts/xz-backdoor/xz.png height=112 width=950></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contenuti</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#componenti-impattate>Componenti impattate</a></li><li><a href=#considerazioni>Considerazioni</a><ul><li><a href=#il-comportamento-di-github>Il comportamento di GitHub</a></li><li><a href=#i-downgrade>I downgrade</a></li></ul></li><li><a href=#come-si-previene-questo-fenomeno>Come si previene questo fenomeno?</a><ul><li><a href=#problemi-di-fiducia>Problemi di fiducia</a></li><li><a href=#statistiche-di-github>Statistiche di GitHub</a></li><li><a href=#engagement-della-community>Engagement della community</a></li><li><a href=#fondi-e-supporto>Fondi e supporto</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#controlli-ricorsivi>Controlli Ricorsivi</a></li></ul></li><li><a href=#risorse>Risorse</a></li></ul></nav></div></div><div class=content id=content><p>Come probablilmente già sai, <code>xz</code> è stato compromesso.
 Per i non addetti ai lavori <code>xz</code> è una libreria per la compressione dei dati molto utilizzata sopratutto su Linux.</p><p>Il pacchetto è stato usato come entrypoint per l&rsquo;injection di codice malevolo in <code>sshd</code>, modificandone il flusso di autenticazione. <a href=https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b target=_blank rel="noopener noreferrer">Sembrerebbe che ci sia una code execution direttamente tramite i parametri della chiave</a>.</p><p>Questa vulnerabilità, introdotta deliberatamente attraverso una backdoor, è conosciuta come <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-3094 target=_blank rel="noopener noreferrer">CVE-2024-3094</a>.</p><div class="details admonition note open"><div class="details-summary admonition-title"><i class="icon fas fa-pencil-alt fa-fw"></i>Note<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>La situazione si sta ancora evolvendo, maggiori dettagli emergeranno nel prossimo futuro e aggiornerò il post di conseguenza.</div></div></div><p>Si tratta probabilmente di un&rsquo;operazione a tutti gli effetti vista la metodologia e la durata (quasi due anni), ma non sono la persona giusta per parlare di attributions, OpSec e Threat Actors.
 Nella sezione &ldquo;Risorse&rdquo; in fondo alla pagina ci sono link che riportano ad analisi più dettagliate.</p><p>La situazione non sembra rosea quindi sto provando a scrivere questo blogpost in modo tale da fare un pò di chiarezza.</p><p>Non voglio trattare aspetti troppo tecnici della compromissione ma voglio guardare alla issue dalla prospettiva di un Security Engineer, riassumendo cosa è andato storto e quali sono le possibili remediation a questo problema.</p><h2 id=timeline class=headerLink><a href=#timeline class=header-mark></a>1 Timeline</h2><div class="details admonition tip"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Controlla la sezione Risorse per i link ad una timeline più dettagliata</div></div></div><ul><li><p><strong>2023</strong>:</p><ul><li>Un nuovo maintainer appare sul progetto <code>xz</code></li></ul></li><li><p><strong>29 Mar 2024</strong>:</p><ul><li><p>Andres Freund invia un&rsquo;email alla mailing list oss-security che riguarda una backdoor in <code>xz/liblzma</code>.
diff --git a/posts/long-time-no-see/index.html b/posts/long-time-no-see/index.html
index 2d539a4..344b381 100644
--- a/posts/long-time-no-see/index.html
+++ b/posts/long-time-no-see/index.html
@@ -13,7 +13,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Switch Theme"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/long-time-no-see/ selected>English</option><option value=/it/posts/long-time-no-see/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#how-this-blog-works>How this blog works</a></li><li><a href=#the-future>The future</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Long Time No See</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
+<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/long-time-no-see/ selected>English</option><option value=/it/posts/long-time-no-see/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#how-this-blog-works>How this blog works</a></li><li><a href=#the-future>The future</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Long Time No See</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
 </span>&nbsp;<span class=post-category>included in </span>&nbsp;<span class=post-category>category <a href=/categories/blog-news/><i class="far fa-folder fa-fw"></i>Blog-News</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2023-02-06>2023-02-06</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;390 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;2 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/long-time-no-see/header.jpg srcset="/posts/long-time-no-see/header.jpg, /posts/long-time-no-see/header.jpg 1.5x, /posts/long-time-no-see/header.jpg 2x" sizes=auto alt=/posts/long-time-no-see/header.jpg title=/posts/long-time-no-see/header.jpg height=455 width=728></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#how-this-blog-works>How this blog works</a></li><li><a href=#the-future>The future</a></li></ul></nav></div></div><div class=content id=content><p>Long time no see, uh? Lot of stuff happen since the last post in 2018 on <a href=https://bsod.dev target=_blank rel="noopener noreferrer">the old blog</a>.</p><p>Unfortunately I wasn&rsquo;t able to write much, both for the lack of time and the impossibility to share what I learned.
 This post contains an introduction to this new website and how it will work from now on.</p><p>First of all, I&rsquo;m still in Security but moved to Product Security (more on this on a later post but TL;DR: boredom, careeer and growth opportunities, frustration and fear of burnout).
diff --git a/posts/mycroft-ai-rce/index.html b/posts/mycroft-ai-rce/index.html
index 13551f7..41f5307 100644
--- a/posts/mycroft-ai-rce/index.html
+++ b/posts/mycroft-ai-rce/index.html
@@ -13,7 +13,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Switch Theme"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/mycroft-ai-rce/ selected>English</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#introduction>Introduction</a></li><li><a href=#digging-in-the-source-code>Digging in the source code</a></li><li><a href=#the-skills-system>The skills system</a></li><li><a href=#what-can-i-do-now>What can I do now?</a><ul><li><a href=#so-im-done>So I&rsquo;m done?</a></li></ul></li><li><a href=#getting-a-remote-shell-using-default-skills>Getting a remote shell using default skills</a></li><li><a href=#_notes_><em>Notes</em></a></li><li><a href=#affected-devices>Affected devices</a></li><li><a href=#timeline>Timeline</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Getting "Zero Click" Remote Code Execution in Mycroft AI vocal assistant</h1><h2 class=single-subtitle>Hey Mycroft, we've got a Problem</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
+<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/mycroft-ai-rce/ selected>English</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#introduction>Introduction</a></li><li><a href=#digging-in-the-source-code>Digging in the source code</a></li><li><a href=#the-skills-system>The skills system</a></li><li><a href=#what-can-i-do-now>What can I do now?</a><ul><li><a href=#so-im-done>So I&rsquo;m done?</a></li></ul></li><li><a href=#getting-a-remote-shell-using-default-skills>Getting a remote shell using default skills</a></li><li><a href=#_notes_><em>Notes</em></a></li><li><a href=#affected-devices>Affected devices</a></li><li><a href=#timeline>Timeline</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Getting "Zero Click" Remote Code Execution in Mycroft AI vocal assistant</h1><h2 class=single-subtitle>Hey Mycroft, we've got a Problem</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
 </span>&nbsp;<span class=post-category>included in </span>&nbsp;<span class=post-category>category <a href=/categories/vulnerability-research/><i class="far fa-folder fa-fw"></i>Vulnerability-Research</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2018-06-10>2018-06-10</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;818 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;4 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/mycroft-ai-rce/mycroft.png srcset="/posts/mycroft-ai-rce/mycroft.png, /posts/mycroft-ai-rce/mycroft.png 1.5x, /posts/mycroft-ai-rce/mycroft.png 2x" sizes=auto alt=/posts/mycroft-ai-rce/mycroft.png title=/posts/mycroft-ai-rce/mycroft.png height=610 width=1094></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#introduction>Introduction</a></li><li><a href=#digging-in-the-source-code>Digging in the source code</a></li><li><a href=#the-skills-system>The skills system</a></li><li><a href=#what-can-i-do-now>What can I do now?</a><ul><li><a href=#so-im-done>So I&rsquo;m done?</a></li></ul></li><li><a href=#getting-a-remote-shell-using-default-skills>Getting a remote shell using default skills</a></li><li><a href=#_notes_><em>Notes</em></a></li><li><a href=#affected-devices>Affected devices</a></li><li><a href=#timeline>Timeline</a></li></ul></nav></div></div><div class=content id=content><h2 id=introduction class=headerLink><a href=#introduction class=header-mark></a>1 Introduction</h2><p>During my journey contributing to open source I was working with my friend <a href=https://github.com/portaloffreedom target=_blank rel="noopener noreferrer">Matteo De Carlo</a> on an <a href=https://git.covolunablu.org/portaloffreedom/plasma-mycroft-PKGBUILD target=_blank rel="noopener noreferrer">AUR Package</a> of a really interesting project called <a href=https://mycroft.ai target=_blank rel="noopener noreferrer">Mycroft AI</a>. It&rsquo;s an AI-powered vocal assistant started with a <a href=https://www.kickstarter.com/projects/aiforeveryone/mycroft-an-open-source-artificial-intelligence-for target=_blank rel="noopener noreferrer">crowdfunding campaign</a> in 2015 and a <a href=https://www.indiegogo.com/projects/mycroft-mark-ii-the-open-voice-assistant#/ target=_blank rel="noopener noreferrer">more recent one</a> that allowed Mycroft to produce their Mark-I and Mark-II devices. It&rsquo;s also running on Linux Desktop/Server, Raspberry PI and will be available soon™ on <a href="https://www.youtube.com/watch?v=6GHmzbXp_jY" target=_blank rel="noopener noreferrer">Jaguar F-Type</a> and <a href=https://mycroft.ai/blog/mycroft-welcomes-jaguar-land-rover-new-investor/ target=_blank rel="noopener noreferrer">Land Rover</a></p><h2 id=digging-in-the-source-code class=headerLink><a href=#digging-in-the-source-code class=header-mark></a>2 Digging in the source code</h2><p>While looking at the <a href=https://github.com/MycroftAI/mycroft-core target=_blank rel="noopener noreferrer">source code</a> I found an interesting point: <a href=https://github.com/MycroftAI/mycroft-core/blob/1f4c98f29ceb6a7981474f1620441e43aa364d00/mycroft/messagebus/service/main.py#L28-L57 target=_blank rel="noopener noreferrer">here</a></p><div class=highlight><div class=chroma><table class=lntable><tr><td class=lntd><pre tabindex=0 class=chroma><code><span class=lnt> 1
 </span><span class=lnt> 2
diff --git a/posts/security-theatre/index.html b/posts/security-theatre/index.html
index 40f7dea..17973ab 100644
--- a/posts/security-theatre/index.html
+++ b/posts/security-theatre/index.html
@@ -13,7 +13,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Switch Theme"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/security-theatre/ selected>English</option><option value=/it/posts/security-theatre/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#what-is-the-security-theatre>What is the Security Theatre</a></li><li><a href=#root-cause>Root cause</a></li><li><a href=#wrapping-up>Wrapping up</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Security Theatre? More like Security Circus</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
+<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/security-theatre/ selected>English</option><option value=/it/posts/security-theatre/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#what-is-the-security-theatre>What is the Security Theatre</a></li><li><a href=#root-cause>Root cause</a></li><li><a href=#wrapping-up>Wrapping up</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">Security Theatre? More like Security Circus</h1><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a>
 </span>&nbsp;<span class=post-category>included in </span>&nbsp;<span class=post-category>category <a href=/categories/general-knowledge/><i class="far fa-folder fa-fw"></i>General-Knowledge</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2023-02-13>2023-02-13</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;474 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;3 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/security-theatre/cargocult.jpg srcset="/posts/security-theatre/cargocult.jpg, /posts/security-theatre/cargocult.jpg 1.5x, /posts/security-theatre/cargocult.jpg 2x" sizes=auto alt=/posts/security-theatre/cargocult.jpg title=/posts/security-theatre/cargocult.jpg height=700 width=1920></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#what-is-the-security-theatre>What is the Security Theatre</a></li><li><a href=#root-cause>Root cause</a></li><li><a href=#wrapping-up>Wrapping up</a></li></ul></nav></div></div><div class=content id=content><p>I have seen many companies invest significant time and resources into security measures that have little to no actual effect on security. This is commonly referred to as &ldquo;security theater&rdquo;.</p><h2 id=what-is-the-security-theatre class=headerLink><a href=#what-is-the-security-theatre class=header-mark></a>1 What is the Security Theatre</h2><p>Security theater refers to the practice of implementing security measures for the sake of appearances, without any significant impact on actual security. These measures may give the illusion of protection, but in reality, they provide little to no real security benefits.</p><p>Organizations often fall into the trap of focusing solely on compliance requirements without considering their actual security needs. Compliance-driven security measures may give the illusion of being protected, but they often fail to address the specific security risks faced by an organization.</p><p>Useless compliance can also result in organizations wasting valuable resources on implementing measures that do not have a significant impact on their security posture. This can lead to a situation where an organization is in compliance with regulations, but the security budget is depleted, while their assets are still vulnerable to attacks.</p><p><a href="https://www.youtube.com/watch?v=vRp7tYWnJJs" target=_blank rel="noopener noreferrer">Oh, how I love the smell of compliance in the morning</a>.</p><p>An example of Security Theatre is the use of complex passwords that are changed regularly. Although it may seem like a good idea, it can lead to password fatigue and employees using easier-to-remember passwords, which actually undermines security. This is among the reasons why companies like <a href=https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633 target=_blank rel="noopener noreferrer">Microsoft</a>, <a href=https://www.apple.com/newsroom/2022/05/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard/ target=_blank rel="noopener noreferrer">Apple</a>, and <a href=https://blog.google/technology/safety-security/one-step-closer-to-a-passwordless-future/ target=_blank rel="noopener noreferrer">Google</a> are moving away from passwords.</p><figure><img src=https://imgs.xkcd.com/comics/password_strength.png><figcaption><h4>fix your password policy</h4></figcaption></figure><p>Another example of security theatre is implementing security controls that are not properly configured or maintained. For instance, firewalls, IDS and IPS are a common security measure that are often poorly configured or not kept up-to-date with the latest security patches</p><h2 id=root-cause class=headerLink><a href=#root-cause class=header-mark></a>2 Root cause</h2><p>Cybersecurity has become the new gold rush, with numerous individuals and organizations seeking to take advantage of the potential financial gains. However, finding skilled personnel to address these security concerns can be challenging, and relying on consultants can lead to a situation where the organization becomes overly dependent on their expertise.</p><h2 id=wrapping-up class=headerLink><a href=#wrapping-up class=header-mark></a>3 Wrapping up</h2><p>Organizations can protect themselves from the constant security threats by taking a proactive approach. The first step is to gain a thorough understanding of the specific risks they are facing and then implement the necessary measures to mitigate these risks. This includes educating their employees to be aware of potential attacks and how to respond in such situations.</p><p>In conclusion, to avoid being caught in the trap of &ldquo;security theater&rdquo;, organizations must concentrate on establishing practical security measures and regularly evaluate their effectiveness. Having a well-thought-out response plan in place is also critical in ensuring the protection of the organization&rsquo;s assets.</p><p>Additionally, organizations should cease creating redundant policies that serve no purpose in enhancing the organization&rsquo;s overall security posture.</p><div class="details admonition tip open"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content><a href=https://www.philvenables.com/post/ceremonial-security-and-cargo-cults target=_blank rel="noopener noreferrer">Here</a> you can find an interesting article from Phil Venables, Google CISO, about Cerimonial Security and Cargo Cults</div></div></div></div><div class=post-footer id=post-footer><div class=post-info><div class=post-info-line><div class=post-info-mod><span>Updated on 2024-03-30&nbsp;<a class=git-hash href=https://github.com/homazawa/himazawa.github.io/commit/ca570335e2297ac0e2aa33b5d30d06d66c7007ff target=_blank title="commit by himazawa(73994521+himazawa@users.noreply.github.com) ca570335e2297ac0e2aa33b5d30d06d66c7007ff: blog: new article on CVE-2024-3094, removed unused config data" rel="noopener noreferrer">
 <i class="fas fa-hashtag fa-fw"></i>ca57033</a></span></div><div class=post-info-license></div></div><div class=post-info-line><div class=post-info-md><span><a class=link-to-mardown href=/posts/security-theatre/index.md target=_blank rel="noopener noreferrer">Read markdown</a></span></div><div class=post-info-share></div></div></div><div class=post-info-more><section class=post-tags><i class="fas fa-tags fa-fw"></i>&nbsp;<a href=/tags/security-theatre/>Security Theatre</a>,&nbsp;<a href=/tags/infosec/>Infosec</a>,&nbsp;<a href=/tags/rants/>Rants</a></section><section><span><a href=javascript:void(0); onclick=window.history.back()>Back</a></span>&nbsp;|&nbsp;<span><a href=/>Home</a></span></section></div><div class=post-nav><a href=/posts/long-time-no-see/ class=prev rel=prev title="Long Time No See"><i class="fas fa-angle-left fa-fw"></i>Long Time No See</a>
diff --git a/posts/xz-backdoor/index.html b/posts/xz-backdoor/index.html
index 0c3466b..c224438 100644
--- a/posts/xz-backdoor/index.html
+++ b/posts/xz-backdoor/index.html
@@ -15,7 +15,7 @@
 <i class="fas fa-adjust fa-fw"></i>
 <select class=color-theme-select id=theme-select-mobile title="Switch Theme"><option value=light>Light</option><option value=dark>Dark</option><option value=black>Black</option><option value=auto>Auto</option></select>
 </a><a href=javascript:void(0); class=menu-item title="Select Language">English<i class="fas fa-chevron-right fa-fw"></i>
-<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/xz-backdoor/ selected>English</option><option value=/it/posts/xz-backdoor/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class=toc-content id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#impacted-components>Impacted components</a></li><li><a href=#considerations>Considerations</a><ul><li><a href=#the-github-behavior>The GitHub Behavior</a></li><li><a href=#the-downgrades>The downgrades</a></li></ul></li><li><a href=#how-to-prevent-this-issue>How to prevent this issue?</a><ul><li><a href=#trust-issues>Trust issues</a></li><li><a href=#github-stats>GitHub Stats</a></li><li><a href=#community-engagement>Community Engagement</a></li><li><a href=#funding-and-support>Funding and Support</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#recursive-controls>Recursive controls</a></li></ul></li><li><a href=#resources>Resources</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">The xz backdoor from a Security Engineer persepective</h1><h2 class=single-subtitle>Yet another supply chain attack</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-31>2024-03-31</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;1422 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;7 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/xz-backdoor/xz.png srcset="/posts/xz-backdoor/xz.png, /posts/xz-backdoor/xz.png 1.5x, /posts/xz-backdoor/xz.png 2x" sizes=auto alt=/posts/xz-backdoor/xz.png title=/posts/xz-backdoor/xz.png height=112 width=950></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
+<select class=language-select title="Select Language" onchange="location=this.value"><option value=/posts/xz-backdoor/ selected>English</option><option value=/it/posts/xz-backdoor/>Italiano</option></select></a></div></div></header><div class="search-dropdown desktop"><div id=search-dropdown-desktop></div></div><div class="search-dropdown mobile"><div id=search-dropdown-mobile></div></div><main class=main><div class=container><div class=toc id=toc-auto><h2 class=toc-title>Contents</h2><div class="toc-content always-active" id=toc-content-auto><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#impacted-components>Impacted components</a></li><li><a href=#considerations>Considerations</a><ul><li><a href=#the-github-behavior>The GitHub Behavior</a></li><li><a href=#the-downgrades>The downgrades</a></li></ul></li><li><a href=#how-to-prevent-this-issue>How to prevent this issue?</a><ul><li><a href=#trust-issues>Trust issues</a></li><li><a href=#github-stats>GitHub Stats</a></li><li><a href=#community-engagement>Community Engagement</a></li><li><a href=#funding-and-support>Funding and Support</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#recursive-controls>Recursive controls</a></li></ul></li><li><a href=#resources>Resources</a></li></ul></nav></div></div><script>document.getElementsByTagName("main")[0].setAttribute("autoTOC","true")</script><article class="page single"><h1 class="single-title animate__animated animate__flipInX">The xz backdoor from a Security Engineer persepective</h1><h2 class=single-subtitle>Yet another supply chain attack</h2><div class=post-meta><div class=post-meta-line><span class=post-author><span class="author fas fa-user-circle fa-fw"></span><a href=/ title=Author rel=author class=author>himazawa</a></span></div><div class=post-meta-line><i class="far fa-calendar-alt fa-fw"></i>&nbsp;<time datetime=2024-03-30>2024-03-30</time>&nbsp;<i class="far fa-edit fa-fw"></i>&nbsp;<time datetime=2024-03-31>2024-03-31</time>&nbsp;<i class="fas fa-pencil-alt fa-fw"></i>&nbsp;1422 words&nbsp;<i class="far fa-clock fa-fw"></i>&nbsp;7 minutes&nbsp;</div></div><div class=featured-image><img loading=eager src=/posts/xz-backdoor/xz.png srcset="/posts/xz-backdoor/xz.png, /posts/xz-backdoor/xz.png 1.5x, /posts/xz-backdoor/xz.png 2x" sizes=auto alt=/posts/xz-backdoor/xz.png title=/posts/xz-backdoor/xz.png height=112 width=950></div><div class="details toc" id=toc-static kept><div class="details-summary toc-title"><span>Contents</span>
 <span><i class="details-icon fas fa-angle-right"></i></span></div><div class="details-content toc-content" id=toc-content-static><nav id=TableOfContents><ul><li><a href=#timeline>Timeline</a></li><li><a href=#impacted-components>Impacted components</a></li><li><a href=#considerations>Considerations</a><ul><li><a href=#the-github-behavior>The GitHub Behavior</a></li><li><a href=#the-downgrades>The downgrades</a></li></ul></li><li><a href=#how-to-prevent-this-issue>How to prevent this issue?</a><ul><li><a href=#trust-issues>Trust issues</a></li><li><a href=#github-stats>GitHub Stats</a></li><li><a href=#community-engagement>Community Engagement</a></li><li><a href=#funding-and-support>Funding and Support</a></li><li><a href=#sdlc>SDLC</a></li><li><a href=#enterprise-vs-individual>Enterprise vs Individual</a></li><li><a href=#recursive-controls>Recursive controls</a></li></ul></li><li><a href=#resources>Resources</a></li></ul></nav></div></div><div class=content id=content><p>As you probably already heard, the <code>xz</code> package got compromised.</p><p>The package was used as entrypoint to inject malicious code in sshd, altering the authentication flow. This forged vulnerability is now known as <a href=https://nvd.nist.gov/vuln/detail/CVE-2024-3094 target=_blank rel="noopener noreferrer">CVE-2024-3094</a>.</p><p>Looks like the injected code <a href=https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b target=_blank rel="noopener noreferrer">takes the payload from a specific key and execute it</a>.</p><div class="details admonition info open"><div class="details-summary admonition-title"><i class="icon fas fa-info-circle fa-fw"></i>Info<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>The situation is still ongoing, more details will emerge in the near future and I will update this post accordingly.</div></div></div><p>This is probably a full fledged operation due to its methodology and duration but I&rsquo;m not the right guy to talk about OpSec and Threat Actors attributions.
 Check the Resources section for additional links.</p><p>The situation doesn&rsquo;t look too good so I&rsquo;m trying to write this blogpost as a summary.</p><p>I don&rsquo;t want to address the technical aspect of the compromission but I want to look at the issue from the perspective of a Security Engineer, summarizing what went wrong and trying to find a remediation.</p><h2 id=timeline class=headerLink><a href=#timeline class=header-mark></a>1 Timeline</h2><div class="details admonition tip"><div class="details-summary admonition-title"><i class="icon fas fa-lightbulb fa-fw"></i>Tip<i class="details-icon fas fa-angle-right fa-fw"></i></div><div class=details-content><div class=admonition-content>Check the Resources section for a link to an article with a detailed timeline</div></div></div><ul><li><p><strong>2023</strong>:</p><ul><li>A new maintainer shows up in the <code>xz</code> project</li></ul></li><li><p><strong>29 Mar 2024</strong>:</p><ul><li><p>Andres Freund sent an email to the oss-security mailing list regarding a backdoor in <code>xz/liblzma</code>.
 He was optimizing his infrastructure and found that ssh was suspiciously slow. Some debug later he found the issue was likely caused by the backdoor. The initial analysis was performed with the help of Florian Weimer.</p></li><li><p>Impacted distros are starting to ship patches to downgrade the xz version (more on that later)</p></li></ul></li><li><p><strong>30 Mar 2024</strong>:</p><ul><li><p>GitHub blocked access to the repostiory and blocked the account of both the xz maintainers, an updated code is available <a href="https://git.tukaani.org/?p=xz.git;a=summary" target=_blank rel="noopener noreferrer">here</a></p></li><li><p>An <a href=https://tukaani.org/xz-backdoor/ target=_blank rel="noopener noreferrer">official statement</a> was released by the project maintainer</p></li></ul></li><li><p><strong>31 Mar 2024</strong>:</p><ul><li><strong>potential</strong> <a href=https://gist.github.com/sgammon/ec604c3fabd1a22dd3cdc381b736b03e target=_blank rel="noopener noreferrer">killswitch identified</a>, take that as a grain of salt</li></ul></li></ul><h2 id=impacted-components class=headerLink><a href=#impacted-components class=header-mark></a>2 Impacted components</h2><p>The extent of this breach is still unkown, but here is a (partial) list of components shipping the known malicious version of <code>xz</code>:</p><p>Distributions:</p><ul><li><a href=https://archlinux.org/news/the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Arch</a></li><li><a href=https://security-tracker.debian.org/tracker/CVE-2024-3094 target=_blank rel="noopener noreferrer">Debian Sid</a></li><li><a href=https://bugs.gentoo.org/928134 target=_blank rel="noopener noreferrer">Gentoo</a></li><li><a href=https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users target=_blank rel="noopener noreferrer">Fedora 40</a></li><li>Manjaro Testing</li><li><a href=https://www.parabola.nu/news/arch-announce-the-xz-package-has-been-backdoored/ target=_blank rel="noopener noreferrer">Parabola</a></li><li>NixOS Unstable</li><li>Slackware</li><li><a href=https://news.opensuse.org/2024/03/29/xz-backdoor/ target=_blank rel="noopener noreferrer">SUSE Tumbleweed</a></li><li><a href=https://infosec.exchange/@kalilinux/112180505434870941 target=_blank rel="noopener noreferrer">Kali Linux</a></li></ul><p>The backdoored package is also contained in the repositories of the following package managers:</p><ul><li>Homebrew</li><li>MacPorts</li><li>pkgsrc</li></ul><p>At the moment we know that there are checks in the backdoor to <a href=https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27#design target=_blank rel="noopener noreferrer">target Linux instances and only x86_64/amd64</a> builds so the real number could be downsized, but since the entire situation is unclear I would not reccommend to keep a compromised package on your system.</p><h2 id=considerations class=headerLink><a href=#considerations class=header-mark></a>3 Considerations</h2><h3 id=the-github-behavior class=headerLink><a href=#the-github-behavior class=header-mark></a>3.1 The GitHub Behavior</h3><p>The reasons behind the <code>xz</code> repositories lockdown are still a mistery to me, especially knowing that with the source code available additional anaysis on the backdoor could be performed.</p><p>Blocking access to the source code is something that will delay further results, that is honestly really bad for time-critical situation like this one. An updated mirror is available <a href="https://git.tukaani.org/?p=xz.git;a=summary" target=_blank rel="noopener noreferrer">here</a></p><h3 id=the-downgrades class=headerLink><a href=#the-downgrades class=header-mark></a>3.2 The downgrades</h3><p>The patch strategy for basically everyone was to force a downgrade from the <code>5.6.0</code>-<code>5.6.1</code> to another version.<br>Some (homebrew, for example), forced the downgrade to 5.4.6.</p><p>This looks interesting because for sure we know there is a backdoor on that (<code>5.6.0</code>-<code>5.6.1</code>) versions, but we also know that the attacker has been working on the repository for over two years.</p><p>The <code>5.4.6</code> version is also builded by the attacker and honestly wouldn&rsquo;t trust it much.</p><h2 id=how-to-prevent-this-issue class=headerLink><a href=#how-to-prevent-this-issue class=header-mark></a>4 How to prevent this issue?</h2><p>As I said at the beginning of the post, I don&rsquo;t want to go too deep into the technical analysis of the backdoor, for two main reasons: with the sourcecode locked and only <a href=https://github.com/xz-mirror/xz target=_blank rel="noopener noreferrer">an archive available</a> the informations are incomplete and I really don&rsquo;t want to reverse the <code>xz</code> binary.