I can finally talk about what we've been working on for the past two years(!)
Using #sigstore, GitHub now supports artifact signing, which allows you to create unforgeable provenance guarantees for any software you build inside Actions.
It's been a heck of a ride, & you can read more about (and learn how to use it) here:
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
protip: drawing hilariously bad artwork in MS Paint with a mouse is a much stronger quality signal that you care about the blog post than attaching an obvious AI generation
CISA: CISA Adds One Known Exploited Vulnerability to Catalog
HOT OFF THE PRESS! CISA adds CVE-2023-7028 (10.0 critical, disclosed 12 January 2024 by GitLab) GitLab Community and Enterprise Editions Improper Access Control Vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog!
Why you should care about CVE-2023-7028:
This is a zero-click account takeover that people were freaking out about less than 4 months ago. Successful exploitation allows attackers to send password reset emails for a targeted account to an attacker-controlled email address, allowing the threat actor to change the password and take over the account.
cc: @campuscodi @serghei @todb
#kev #eitw #knownexploitedvulnerabilitiescatalog #vulnerability #CVE_2023_7028
Someone on Tumblr has made a concept for a Tarot Card deck made out of ISO hazard symbols and it goes hard:
https://www.tumblr.com/medusasstory/749203130036699136/this-is-a-nice-sign-to-look-at-1010-for
Edit: apparently this image was a WIP version; a final, printable version is available here: https://organical-mechanical.itch.io/iso-tarot