14 July 2024, 15:51 | #61
Italian Amiga Zealot
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,927
Quote:
Oh wait: https://www.sonarsource.com/blog/php-supply-chain-attack-on-composer/ https://www.sonarsource.com/blog/php-supply-chain-attack-on-pear/ Quote:
When I usually meet programmers dreading to update their framework because otherwise all hell will break loose they're usually PHP or Java devs. Node isn't perfect when it comes to this either, but much better than both. You clearly have a horse in this race and that's perfectly okay. But, be it because of easiness of development, be it because of better dev tools, be it because of a fad - PHP is gonna go extinct (or at least go in a zombie-like state like Fortran and COBOL) and neither of us can do anything about it.
14 July 2024, 18:15 | #62
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,917
Quote:
14 July 2024, 18:25 | #63 |
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,917
One of the reasons I singled out NPM is because for the longest time you could actually supply a completely different package than the one specified and it was pretty easy to pull off too. People would think they were getting some stable tag from your GitHub repository and could be getting a completely different package delivered.
With composer, you have been able to be fully in charge of your own locally vetted cache for a long time. So yeah, for several years NPM was by far the easiest supply chain attack vector for web applications and even server side infrastructure that used it.
14 July 2024, 19:41 | #64
Local Moderator
Join Date: Oct 2009
Location: Lancashire, UK
Age: 48
Posts: 1,735
Quote:
If Kim fixes the site, it will still be php. It is old. I presume one issue is that nobody wants to reconstruct the tower all over again on a new platform?
14 July 2024, 19:42 | #65 |
Puttymoon inhabitant
Thank all of you for the kind words. I have spoken to Kim today and he hopes the site will be back during next week.
14 July 2024, 20:00 | #66
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,917
Quote:
Unfortunately the web has become a much more hostile place than it ever was.
14 July 2024, 21:08 | #67 |
Registered User
Join Date: Nov 2018
Location: Liverpool
Posts: 188
How awful! I hope the site comes back up soon, it's such a great tool for the community.
14 July 2024, 21:54 | #68 |
Registered User
Join Date: Aug 2004
Location: Spijkenisse / the Netherlands
Age: 54
Posts: 528
What a pity to hear about this. Wishing Kim the best bringing it all up and running again.
14 July 2024, 23:15 | #69 |
Amiga User
Join Date: Sep 2003
Location: Pennsylvania
Age: 47
Posts: 568
Lemon64 forum I visit every day, like EAB. I just hope this issue gets resolved.
14 July 2024, 23:24 | #70
Italian Amiga Zealot
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,927
Quote:
Quote:
What matters now is the state of things in 2024. You have package locks, local caches (if you wish to do so) and every change is tracked by git repos anyway - saying things like that is disingenuous at best and an attempt to spread FUD at its worst. I could play the same game with PHP but there's no need - PHP8 has plenty of CVEs already and they speak for themselves. While Node.js might have apparently more (by a very slight number) they're all less severe than the usual PHP vulnerability that usually ranks in the high 9s. The two links I brought up in my previous post are all very recent (2022), while the NPM vulnerabilities are MUCH older and were all fixed ages ago.
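Posts #63 and #70 above argue about the same control from opposite sides: whether the package actually delivered is the package that was pinned. What makes a lockfile worth anything is that npm records an `integrity` field (a Subresource Integrity string, `sha512-<base64 digest>`) for every resolved tarball and refuses a download whose bytes do not hash to it. The script below is an added example, not code from either poster or from npm; it builds a constructed tarball in memory, pins it in a lockfile-shaped dict, and shows the check failing when a substituted tarball arrives under the same name and version. The package name `example-pad`, the registry host and the lockfile contents are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import io
import tarfile


def build_tarball(files: dict) -> bytes:
    """Build an in-memory .tgz with npm's 'package/' prefix.
    Constructed stand-in for what a registry would serve."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sri_sha512(data: bytes) -> str:
    """Integrity string in the form npm writes into package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def verify_integrity(tarball: bytes, expected: str) -> bool:
    """Check tarball bytes against an SRI string such as 'sha512-<base64>'.
    Unknown algorithms or malformed base64 are treated as a failed check."""
    algo, sep, b64 = expected.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        want = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    got = hashlib.new(algo, tarball).digest()
    return hmac.compare_digest(want, got)


def check_lockfile(lock: dict, fetched: dict) -> list:
    """Return lockfile paths whose fetched tarball does not match the pinned
    integrity. Entries with no integrity or no fetched bytes are failures too:
    nothing was verified for them."""
    failures = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project entry carries no integrity field
            continue
        integrity = entry.get("integrity")
        data = fetched.get(path)
        if integrity is None or data is None or not verify_integrity(data, integrity):
            failures.append(path)
    return failures


def demo() -> dict:
    """Constructed scenario: the lockfile pins the genuine tarball; a second
    fetch delivers a substituted one under the same name and version."""
    genuine = build_tarball({"index.js": "module.exports = (s, n) => s.padStart(n);\n"})
    substituted = build_tarball({"index.js": "require('child_process').exec('id');\n"})
    lock = {
        "name": "example-app",
        "lockfileVersion": 3,
        "packages": {
            "": {"name": "example-app", "version": "1.0.0"},
            "node_modules/example-pad": {
                "version": "1.0.0",
                "resolved": "https://registry.example.invalid/example-pad/-/example-pad-1.0.0.tgz",
                "integrity": sri_sha512(genuine),
            },
        },
    }
    return {
        "genuine": check_lockfile(lock, {"node_modules/example-pad": genuine}),
        "substituted": check_lockfile(lock, {"node_modules/example-pad": substituted}),
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the lockfile itself is trusted: commit it, review diffs to `resolved` and `integrity` like any other code change, and install with `npm ci` in CI so a drifted lockfile fails the build instead of being silently rewritten.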
15 July 2024, 00:12 | #71 |
J.M.D - Bedroom Musician
Join Date: Apr 2014
Location: los angeles,ca
Posts: 3,678
Composer never worked for me, I remember trying to use it to install a framework and failing all the time -_-
So I usually committed the original sin: using my own implementation of queries and filters; what saved my 655 in my actual job is that the web app is for internal use and therefore most of the traffic is filtered by the employer's firewall, but I know it is futile...
15 July 2024, 00:31 | #72 |
Registered User
Join Date: Sep 2022
Location: Washington, DC - USA
Posts: 11
This saddens me when this kind of thing happens. I am glad to hear the owner is on it and will be able to bring things back. I wish them all the best and thank them for making the resource available to us to use!
15 July 2024, 01:15 | #73
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,917
Quote:
https://thehackernews.com/2023/11/48...ges-found.html NPM supply chain attacks are far from new, yet it still happens. Getting a remote shell onto developer systems? What's the worst that could happen? Well that depends, but your average developer isn't often that security conscious and your average department often has lax practices like having production secrets on developer machines. There have been several high profile malware deliveries via NPM over the years, not because there's been no effort to improve it, but because the whole culture of not fixing what isn't apparently broken is so pervasive. This applies to Node, PHP, and just about everything else. In 2024, everyone uses containers and as such the incentive to keep things updated when you can just package all your thrown together obsolete crap into an image you can keep running indefinitely has never been worse. In the end, taking the view that A is somehow not as bad as B in matters of system hardening is how you get owned in a perpetually hostile environment. Whichever technology stack you use, you have to take security seriously or hope that your infrastructure protects you.
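The "remote shell onto developer systems" in the post above usually arrives through npm lifecycle hooks: `preinstall`, `install`, `postinstall` and `prepare` scripts run with the developer's privileges during `npm install`, before any of the package's code is ever imported. The script below is an added example, not code from the poster or from npm; it walks a `node_modules` tree and lists every package that declares such a hook, so that the few legitimate ones (native add-ons built with `node-gyp`, typically) can be reviewed and the rest questioned. The three package names and their manifests are constructed in a temporary directory for the demonstration.

```python
import json
import os
import tempfile

# Hooks npm runs automatically for every installed package during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> list:
    """Walk a node_modules tree (nested node_modules included) and report each
    package whose package.json declares a lifecycle hook, with the commands."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing npm would run
        scripts = manifest.get("scripts") if isinstance(manifest, dict) else None
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(root, node_modules)
            findings.append({"name": name, "hooks": hooks})
    return sorted(findings, key=lambda f: f["name"])


def _write_package(base: str, name: str, scripts: dict) -> None:
    """Write a minimal constructed package.json for the demo tree."""
    pkg_dir = os.path.join(base, name)
    os.makedirs(pkg_dir, exist_ok=True)
    manifest = {"name": name, "version": "1.0.0"}
    if scripts:
        manifest["scripts"] = scripts
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def demo() -> list:
    """Constructed node_modules with three packages: one with no hooks, one
    native add-on (a legitimate install hook), one that runs a script after
    install. Returns the names that would execute code during install."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = os.path.join(tmp, "node_modules")
        _write_package(nm, "plain-lib", {"test": "node test.js"})
        _write_package(nm, "native-addon", {"install": "node-gyp rebuild"})
        _write_package(nm, "helper-pkg", {"postinstall": "node ./setup.js"})
        return [f["name"] for f in find_install_scripts(nm)]


if __name__ == "__main__":
    for finding in find_install_scripts("node_modules"):
        print(finding["name"], finding["hooks"])
```

Run it against a real tree after `npm install --ignore-scripts` (or with `ignore-scripts=true` in `.npmrc`), then enable scripts only for the packages you have reviewed; that way a fresh dependency cannot execute anything on the developer machine before someone has looked at what it wants to run.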
15 July 2024, 08:48 | #74 |
old bearded fool
Join Date: Jan 2010
Location: Bangkok
Age: 57
Posts: 813
I can recommend ModSecurity (aka Libmodsecurity) if you want to secure a website with PHP running an SQL database (for example), makes it relatively easy to filter out bad requests before they happen and log it.
https://github.com/owasp-modsecurity/ModSecurity You can extend that with tools which block IP addresses in the firewall (e.g. 'iptables') based on logged bad requests and to mitigate (D)DoS attacks as well.
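The "block IP addresses in the firewall based on logged bad requests" step from the post above, as an added example that is not part of the original post or of ModSecurity: a script that reads ModSecurity "Access denied" entries from the web server error log, counts them per client, and emits one `iptables` DROP rule for every client over a threshold, skipping allowlisted networks (your own office range, monitoring hosts) so a false positive cannot lock you out. The log lines are constructed for the demonstration in the shape ModSecurity writes to the Apache error log; only the `[client ...]` and `[id "..."]` fields are parsed, and the rule IDs are illustrative. Commands are returned, not executed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of ModSecurity entries in the Apache error log.
SAMPLE_LOG = """\
[Mon Jul 15 08:48:01.100000 2024] [security2:error] [pid 1234] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/index.php"]
[Mon Jul 15 08:48:02.100000 2024] [security2:error] [pid 1234] [client 203.0.113.5:51235] ModSecurity: Access denied with code 403 (phase 2). [id "930120"] [msg "OS File Access Attempt"] [uri "/index.php"]
[Mon Jul 15 08:48:03.100000 2024] [security2:error] [pid 1234] [client 203.0.113.5:51236] ModSecurity: Access denied with code 403 (phase 2). [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/search.php"]
[Mon Jul 15 08:48:04.100000 2024] [security2:warn] [pid 1234] [client 198.51.100.7:40000] ModSecurity: Warning. [id "920350"] [msg "Host header is a numeric IP address"] [uri "/"]
[Mon Jul 15 08:48:05.100000 2024] [security2:error] [pid 1234] [client 203.0.113.9:60000] ModSecurity: Access denied with code 403 (phase 2). [id "913100"] [msg "Found User-Agent associated with security scanner"] [uri "/phpmyadmin/"]
[Mon Jul 15 08:48:06.100000 2024] [security2:error] [pid 1234] [client 203.0.113.9:60001] ModSecurity: Access denied with code 403 (phase 2). [id "913100"] [msg "Found User-Agent associated with security scanner"] [uri "/cpanel/"]
[Mon Jul 15 08:48:07.100000 2024] [security2:error] [pid 1234] [client 192.0.2.10:55000] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/login.php"]
[Mon Jul 15 08:48:08.100000 2024] [security2:error] [pid 1234] [client 192.0.2.10:55001] ModSecurity: Access denied with code 403 (phase 2). [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/login.php"]
"""

# Only blocked requests count; warnings (rules that matched but did not deny)
# are deliberately ignored so noisy-but-harmless clients are not banned.
DENIED = re.compile(
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] ModSecurity: Access denied'
)
RULE_ID = re.compile(r'\[id "(?P<id>\d+)"\]')


def denied_counts(lines) -> Counter:
    """Number of denied requests per client IPv4 address."""
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def ban_commands(lines, threshold: int = 2, allowlist=()) -> list:
    """One iptables DROP rule per client with at least `threshold` denials,
    most aggressive client first. Allowlisted networks are never banned."""
    safe = [ipaddress.ip_network(n) for n in allowlist]
    cmds = []
    for ip, n in denied_counts(lines).most_common():
        if n < threshold:
            break  # most_common() is sorted descending, nothing further qualifies
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # regex admits e.g. 999.1.1.1; skip anything not a real address
        if any(addr in net for net in safe):
            continue
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
    return cmds


def demo() -> list:
    """Constructed run: 192.0.2.0/24 is treated as our own allowlisted range."""
    return ban_commands(SAMPLE_LOG.splitlines(), threshold=2, allowlist=("192.0.2.0/24",))


if __name__ == "__main__":
    print("\n".join(demo()))
```

For anything beyond a handful of addresses put the bans in an `ipset` and reference that set from a single iptables rule rather than inserting one rule per address, and give the bans an expiry; scanner IPs churn, and a permanent rule table that only ever grows is its own operational problem.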
15 July 2024, 18:18 | #75
J.M.D - Bedroom Musician
Join Date: Apr 2014
Location: los angeles,ca
Posts: 3,678
Quote:
15 July 2024, 22:08 | #76 |
Registered User
Join Date: Jan 2021
Location: Norwich
Posts: 16
15 July 2024, 22:10 | #77 |
Puttymoon inhabitant
Never say never.
15 July 2024, 22:12 | #78 |
Registered User
Join Date: Jan 2021
Location: Norwich
Posts: 16
This isn't really an attack against Lemon itself - it's just an attack. There's plenty of automated things out there just looking for a server vulnerable to any exploits of any kind - any sysadmin who runs a web server, email server etc can tell you that.
As Virtual Programming's sysadmin, I saw attacks against our services pretty much every hour of every day. They don't care who you are or what your business is - any server they can take over and use to run further attacks is what they are looking for. Getting user details/passwords is just a bonus.
15 July 2024, 22:24 | #79 |
Alien Bleed
Join Date: Aug 2022
Location: UK
Posts: 4,917
^ this.
It's extremely unlikely to be targeted at the forum, it's just a malicious bot trawling for known vulnerabilities. There are plenty, especially if things like cPanel or phpMyAdmin are installed.
15 July 2024, 22:28 | #80
Italian Amiga Zealot
Join Date: Jan 2009
Location: Italy
Age: 36
Posts: 1,927
Quote:
The article talks about packages with VERY similar names - which is an issue that plagues literally every package system - heck, even more than that. Could be an SDK or a DLL imported using .NET. The same thing can happen with literally every language and this isn’t an NPM issue. There were also cases of infected middleware on iOS and Android being packaged by mistake thanks to being hosted on very-official-sounding repos, which impacted tens of thousands of installed apps. Does that mean that iOS or Android are at fault and should be considered inherently insecure? If you’re a so-called dev and don’t even check if what you’re installing is *actually* what you meant to install (be it by sigs, checksum, or by just reading the freaking URL you’re cloning) the problem doesn’t lie in the framework and/or the package manager, it lies between the screen and the chair. Quote:
Quote:
Not getting something owned these days is not just a matter of skill, it's also a lot of luck. But hey, good for your ego if you think it was mostly down to skill. Last edited by jbenam; 15 July 2024 at 22:42.
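The post above puts the burden of "packages with VERY similar names" on the developer reading the name before installing. That check can be automated: compare every declared dependency against the names you actually intend to use, after collapsing the tricks typosquats rely on (dropped hyphens, swapped letters, one character off). The script below is an added example, not code from the poster or from any package manager; it uses optimal string alignment distance (Levenshtein plus adjacent transpositions) with a tighter budget for short names, since a one-character slip in a five-letter name is a much stronger signal than in a twelve-letter one. Both the trusted list and the dependency list are constructed for the demonstration.

```python
from typing import Optional


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and
    transposition of two adjacent characters each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[rows - 1][cols - 1]


def normalize(name: str) -> str:
    """Collapse separator and case tricks: 'Cross_Env' and 'crossenv' compare equal.
    A scope prefix such as '@scope/' is dropped so the bare name is compared."""
    name = name.lower()
    if name.startswith("@"):
        name = name.split("/", 1)[-1]
    return name.replace("-", "").replace("_", "").replace(".", "")


def lookalike(candidate: str, trusted) -> Optional[str]:
    """Return the trusted name `candidate` most closely imitates, or None.
    Exact matches are not lookalikes; names of five characters or fewer
    only tolerate one edit, longer names two."""
    if candidate in trusted:
        return None
    cand_n = normalize(candidate)
    best = None
    for name in trusted:
        name_n = normalize(name)
        budget = 1 if len(name_n) <= 5 else 2
        dist = osa_distance(cand_n, name_n)
        if dist <= budget and (best is None or dist < best[0]):
            best = (dist, name)
    return best[1] if best else None


def audit(dependencies, trusted) -> dict:
    """Map each suspicious dependency to the trusted name it resembles."""
    hits = {}
    for dep in dependencies:
        hit = lookalike(dep, trusted)
        if hit is not None:
            hits[dep] = hit
    return hits


# Constructed lists: names a project intends to use, and what its manifest declares.
TRUSTED = ["lodash", "express", "request", "cross-env", "react", "axios"]
DEPENDENCIES = ["express", "crossenv", "lodahs", "reqest", "axois", "left-pad"]


def demo() -> dict:
    return audit(DEPENDENCIES, TRUSTED)


if __name__ == "__main__":
    for dep, looks_like in demo().items():
        print(f"{dep!r} resembles trusted package {looks_like!r}")
```

The trusted list is the important input: it should be the set of names your team has actually reviewed, not the registry's most-downloaded list, because the registry already contains the squats you are trying to catch. Pair this with the lockfile integrity check, since a lookalike name is only one way of delivering a different package than the one you meant.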