
krash.dev


HI THERE!

This is a personal blog of 0xCardinal, discussing topics such as supply chain
security, product & platform security, alongside discussions on interesting
attack & defense strategies.




REPUTATION FARMING IN OSS: A THREAT TO BUILDING TRUST

This issue complicates the open source and supply chain security space. In
attacks like xz, such strategies can be used by attackers to build "fake" trust
among fellow OSS community members. A few days ago, a discussion ignited in the
OSSF Slack about credibility farming in several open source repositories. The
issue revolves around GitHub (or equivalent platform) accounts approving or
commenting on old pull requests and issues that were already resolved or closed.
These meaningless contributions show up prominently on the user's profile and
activity feed, making their involvement seem more significant than it actually
is unless someone takes a closer look....

June 27, 2024 · 3 min · Kumar Ashwin


TWO BITS ON THE XZ VULNERABILITY

 * GitHub Repository: xz (Suspended)
 * Source Code: https://git.tukaani.org/?p=xz.git
 * Threat Actor: Jia Tan (GitHub)
 * CVE Number: CVE-2024-3094 (CVSS 10.0)
 * Vulnerability Type: Remote Code Execution
 * Attack Category: Social Engineering, Supply Chain Attack

What does the xz module do? XZ Utils is a set of free and open-source data
compression utilities that provide high compression ratios and fast
decompression....

April 1, 2024 · 7 min · Kumar Ashwin


HANDLING DEPRECATED DEPENDENCIES IN YOUR PROJECT

Disclaimer: Just a heads up, while we're diving into ways to tackle the problem
of dependency deprecation, there's no one-size-fits-all solution here. It's a
bit of a wild ride dealing with supply chain security and those pesky deprecated
dependencies, so don't expect a quick fix! The issue of using deprecated
dependencies has persisted for quite some time, and it's gaining increased
attention. Many projects continue to incorporate deprecated dependencies. I was
inspired to write this blog after coming across a LinkedIn post by Rory McCune
and several other posts over the past few weeks....

November 7, 2023 · 6 min · Kumar Ashwin


VS CODE SECURITY: LOOKING AT THE IDE FROM SECURITY LENS

While perusing StackOverflow's 2023 Developer Survey (yes, we developers have
our own version of celebrity gossip), I couldn’t help but notice that our trusty
VSCode is still riding high as the undisputed IDE champ. With a whopping 73% of
the developer vote, it’s safe to say that VSCode has firmly planted its flag.
But, like any superstar, it’s not immune to the spotlight’s glare, especially
when it comes to security. And in this blog, we’ll explore the security aspects
that every VSCode user should consider....

September 14, 2023 · 6 min · Kumar Ashwin


INVESTIGATING REPORTED VULNERABILITIES: A CLOSER LOOK!

In vulnerability scanner or penetration testing reports, you might come across
statements like "Service version x.y.z is vulnerable to CVE-YYYY-ABCD." However,
it's essential to delve deeper to confirm the actual vulnerability. Let's
consider a real example: we received a vulnerability report indicating a
vulnerability (CVE-2023-23916) in curl v7.74.0 within the Debian 11
environment. The CVE documentation mentions: "Affected versions: curl 7.57.0 to
and including 7.87.0". At first glance, it appears that v7....

July 30, 2023 · 2 min · Kumar Ashwin


KUBERNETES COMPONENTS

In this blog post, we are going to talk about the different components used in
Kubernetes and what purpose each component serves. We will be talking about the
following:

 * Pods
 * Service
 * Ingress
 * ConfigMap
 * Secret
 * Deployment
 * StatefulSet
 * ReplicaSet
 * DaemonSet

The use case used throughout the blog will be hosting a web application with
the application code and the database in different pods. Before starting this
blog, if you want to learn about the underlying concepts, read "Kubernetes
Concept"...

June 18, 2023 · 7 min · Kumar Ashwin


MY EXPERIMENTS WITH RASPBERRY PI PICO - POOR MAN'S RUBBER DUCKY

Mr. Robot Season 2 Episode 9 - "Rubber Duckie, You're The One" - I was
fascinated by this piece of technology when I first saw it many years ago. Then
I looked it up on the internet to learn more about it, and it turned out to be a
HID, or Human Interface Device. It basically imitates a user and executes code
or performs actions in their place. Since the real rubber ducky was out of my
budget, I looked for alternatives and discovered that behaviour similar to the
rubber ducky can be achieved using a less expensive piece of hardware - the
Raspberry Pi Pico ($7)....

February 4, 2023 · 7 min · Kumar Ashwin


DOCKER SECURITY

Last Updated on 2nd Feb 2023.

Containers? Why do we need containers over VMs?

 * Efficient resource consumption between containers
 * One license for services/OS
 * Low compute overhead

What does the Docker engine do?

 * Emulates the filesystem
 * Gives each container a unique process ID
 * Isolates container processes

Communication between the architecture components. Components:

 * Docker client (the one the user interacts with)
 * Docker Host
 * Docker Daemon
 * Images
 * Containers
 * Registry

The Docker client sends commands to the Docker Engine through several API
calls, which are forwarded to containerd....

February 2, 2023 · 7 min · Kumar Ashwin
© Kumar Ashwin | 2024