Clara Leigh
@clara42.bsky.social
1.5K followers 870 following 240 posts
Laravel, VueJS, Cyber Security 🌈
clara42.bsky.social
Working on Crypto in the #laravel world?
Hit me up, I want to see what you're doing!

I've got solana stablecoin p2p, offramps to banks and more going on over here 😍
clara42.bsky.social
Once upon a time, USBs and CDs could auto run. That’s how worms like stuxnet and Agent.BTZ spread everywhere

We learned the hard way and killed autorun

Now we `npm install` 1,000 different dependencies from the internet and consider it “safe”, forgetting that it does the exact same thing
clara42.bsky.social
10-second deploys are quite a feat!

I remember getting my server setup and install time down to 15 secs at my last startup (business in a box for web) and I thought that was the coolest thing ever but no one batted an eye back then 😭 maybe I was just too early
clara42.bsky.social
Lmao I bet he just found out you’re not allowed to edit your own wiki 😂
Reposted by Clara Leigh
joe.codes
Curious what it looks like to implement the new Inertia Infinite Scroll component? Have 3 minutes? That's all it takes.

I whipped up a little demo:

youtu.be/gQB6DdPHzSY
Infinite Scrolling with Laravel + Inertia
YouTube video by Laravel
youtu.be
clara42.bsky.social
I just wish sql error logs supported it 😭
clara42.bsky.social
I’m not sure rate limiting would help other than slowing them down.

Really the solution is to ensure there is no way to check if a user exists, which is doable but often tedious
clara42.bsky.social
I would define a vulnerability as something that assists in the compromise of an asset

I have seen a lot of accounts this year fall victim to phishing attacks, most of which only targeted due to UE

5 years ago, I cared little about UE but back then phishing was easier to spot
clara42.bsky.social
Is username enumeration (UE) a real vulnerability?
Yes, and it matters more today than it did a few years ago.

As phishing attacks look more legitimate, even smart people are getting tricked

This week I saw a UE+phish lead to an account takeover, and the URL in the phish was a legitimate URL
clara42.bsky.social
I miss the 00s and 10s when devs building frameworks would name methods and vars like “xzy42_type” to prevent this exact issue
clara42.bsky.social
Oooo “kind” kinda works! I’ve been using “theType” or “provider”
clara42.bsky.social
If there is one thing I've learned in the last year, it's never use a property named "type"

I have lost so many hours debugging this exact bug but alas, I am a goldfish and just did it again, for the third time this week 😭
clara42.bsky.social
This would have saved me a few hours making some things GDPR compliant!
ashallendesign.co.uk
I've just released v1.1.0 of my Redactable Models package! 🎉

You can now set the hashing algorithm that should be used by the "HashContents" redaction strategy.

In this example, we're SHA256-ing the "name" and "email" fields of users who were soft-deleted over 30 days ago 😄
clara42.bsky.social
I love it! If you find yourself wanting another challenge or you have access to the road map, adding short lived tokens (ie OIDC) to Vapor and cloud would go a long way in securing things like GitHub actions for deployments 🙏
clara42.bsky.social
“Think like a hacker” is one of my favourite phrases

It leads to the zero trust mindset. Assume a breach will happen and brainstorm what you can do to reduce that risk

Short-lived tokens are just one thing that can help. I encourage you to research OIDC tokens, it might just save you one day
clara42.bsky.social
Today I learned about OIDC tokens and how you can use them to prevent GitHub Actions from having access to long-lived secrets (like AWS)

While it's not yet supported by my main provider, I can certainly clean up my AWS actions and hope others add it to their roadmap 🙏

docs.github.com/en/enterpris...
OpenID Connect - GitHub Enterprise Cloud Docs
OpenID Connect allows your workflows to exchange short-lived tokens directly from your cloud provider.
docs.github.com
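The pattern the post describes (a workflow that never holds a long-lived AWS key, only a short-lived OIDC token it exchanges at run time), as an added example that is not from the post or from GitHub's docs. The workflow name, role ARN, region and bucket are placeholders you would replace with your own; the `aws-actions/configure-aws-credentials` action and the `id-token: write` permission are the real GitHub pieces the docs page describes.

```yaml
# Added example (not from the post or GitHub's docs): deploy to AWS from
# GitHub Actions with an OIDC token instead of a stored access key.
name: deploy
on:
  push:
    branches: [main]

permissions:
  # Lets the job request an OIDC token for itself; everything else stays read-only.
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Sends the job's OIDC token to AWS STS and gets back temporary credentials.
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY secret exists in the repo to leak.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy   # placeholder
          aws-region: eu-west-2                                           # placeholder

      # Any AWS CLI call now uses the short-lived credentials from the step above.
      - run: aws s3 sync ./public s3://example-deploy-bucket --delete     # placeholder bucket
```

On the AWS side you register `token.actions.githubusercontent.com` as an IAM identity provider and give the role a trust policy whose condition pins the token's `aud` to `sts.amazonaws.com` and its `sub` to one repository and branch, e.g. `repo:ORG/REPO:ref:refs/heads/main` (ORG/REPO being your own). That `sub` check is the part that matters: it is what stops a workflow in a fork or another repo from assuming the same role, and because the STS credentials expire on their own, a credential that does leak out of a runner log is only useful for a bounded window rather than indefinitely.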
clara42.bsky.social
I love a community that listens!

Securing the supply chain is my current research topic and the more I learn, the more I find we can do
joe.codes
🔒 With everything going on with NPM, we're moving all of our Laravel packages over to Trusted Publishing

Now you'll know where the latest release came from and you can verify that it was us.
Screenshot of NPM that reads:

Provenance
Built and signed on GitHub Actions

View build summary 

Source Commit

github.com/inertiajs/inertia@32199e8
Build File
.github/workflows/publish.yml

Public Ledger
Transparency log entry
Reposted by Clara Leigh
packagist.com
🚨 Warning to #PHP package maintainers: We did not email you to change your passwords & 2FA. Emails asking you to update your credentials are a phishing attempt. We had the phishing site & domain taken down. If you got the email and entered your credentials, please contact us. #phpc
clara42.bsky.social
Please note it's not just for enterprise!
I was just on the enterprise docs because that's what I use

For details on how to set it up for your cloud provider, check out these pages: docs.github.com/en/actions/h...
Security hardening your deployments - GitHub Docs
Use OpenID Connect within your workflows to authenticate with your cloud provider.
docs.github.com
clara42.bsky.social
Today I learned about NPM Provenance, and how it helps prevent some supply chain attacks but it turns out it's widely unused and even some orgs don't use it yet (looking at you @laravel.com)

If you run any NPM repo at all, you should look at implementing it!

docs.npmjs.com/generating-p...
Generating provenance statements | npm Docs
Documentation for the npm registry, website, and command-line interface
docs.npmjs.com
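A publish workflow that produces the provenance statement the post recommends (and that the earlier Inertia screenshot shows the result of: "Built and signed on GitHub Actions", a source commit and a transparency log entry), as an added example that is not from the post, the npm docs or any of the projects mentioned. The workflow name and Node version are assumptions; `--provenance`, the `id-token: write` permission and `registry-url` are the real npm and GitHub settings involved.

```yaml
# Added example (not from the post or npm's docs): publish an npm package
# with a provenance attestation tied to this repo, commit and workflow file.
name: publish
on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # npm needs the job's OIDC token to prove which repo/commit/workflow built the tarball.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                              # assumption
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # --provenance makes npm sign an attestation linking the published tarball
      # to the source commit and workflow file and record it in the public ledger.
      - run: npm publish --provenance --access public
        env:
          # Classic token-based publish; with Trusted Publishing configured on
          # npmjs.com for this repo + workflow, this long-lived token can be dropped.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The step that makes the screenshot's "Public Ledger" entry possible is that the attestation is produced by the CI job itself, not by a maintainer's laptop, so a package published from a stolen token outside that workflow shows up as lacking provenance. On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of the packages in a lockfile, which is the cheap way to notice when a dependency you expect to be built in CI suddenly is not.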
clara42.bsky.social
Best game I've played in a while, if you have an hour or so to lose
neal.fun
I’m Not a Robot, a game about solving CAPTCHAs, is out now!

good luck :)

> neal.fun/not-a-robot/
clara42.bsky.social
In the past month, I've noticed a huge decrease in quality of code produced by AI.

Coincidentally in the past month, I've also seen a huge jump in external providers shipping broken features and updates

🤔
clara42.bsky.social
This week I solved a really hard coding problem which is going to save me about 2hrs a day.

I initially thought it would be impossible, but ~100 lines of regex and ~50 if() statements have solved it!

I’m going to be riding the high from this feat for a while 🥰
clara42.bsky.social
“Good faith” lmao. I think everyone knew that it was never in good faith, I wonder if this is an underhanded jab at that or if he really is oblivious