
Friday, March 13, 2026 — Meeting Recap

Wiz acquired by Google, Unicode supply-chain attacks, grad-school advice


Quick recap. The meeting focused on several key topics, including the recent acquisition of Wiz by Google and its implications for the company and its employees. Participants discussed the potential risks and benefits of this acquisition, with some expressing concerns about the sustainability of acquired products. The group also explored the return of worms in cyber attacks and the implications for software supply chains. Additionally, there was a detailed discussion about cloud security education and career paths, with recommendations for learning resources and degree programs. The conversation ended with advice for someone considering graduate school, emphasizing the importance of practical experience and careful consideration of the cost and potential return on investment of a degree.

Tags: 2026-03, Industry News, Supply Chain, Education

LAN Atlas Network Monitoring Project

The meeting opened with a new Python project called LAN Atlas, which aims to build a network monitoring solution with components for on-premises and cloud deployment. Kyle, Dee, and Neil presented the project idea and outlined plans for team roles, including technical and non-technical positions. They invited participants and mentors to join the initiative, emphasizing its potential for practical experience and resume building. The group also celebrated Kyle's birthday and discussed the recent acquisition of Wiz by Google, with participants sharing mixed perspectives on what the acquisition means for the company and its products.

Supply Chain Unicode Injection Attack

Neil led a discussion about a supply chain attack involving Unicode characters in code repositories, examining specific instances on GitHub. The team analyzed how malicious code was inserted into otherwise legitimate pull requests, particularly through Dependabot updates. Kyle suggested the possibility of AI prompt injection, while Piyush and Pavel identified suspicious Dependabot commits that appeared fake. Neil questioned whether the attack originated from a compromised IDE, similar to previous findings involving malicious NPM packages and VS Code extensions. The team examined specific examples, including a package.json file and TypeScript code, to understand how the injection was hidden inside otherwise valid commits.
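The review problem raised above is that a diff can look clean while carrying characters the reviewer cannot see. As an added example (not code from the meeting or from any project discussed), the following Node.js check scans source or manifest text for invisible and direction-overriding Unicode code points and for identifiers that mix ASCII letters with non-ASCII lookalikes. It assumes the injection relied on those techniques, which the recap does not specify; the sample package.json fragment and TypeScript lines are constructed for the demonstration and are not from any real commit.

```javascript
'use strict';

// Invisible and direction-changing code points. None of these belong in source
// code or manifests: a diff viewer renders them as nothing, so the reviewer does
// not see what the compiler or interpreter will actually parse.
const SUSPICIOUS = new Map([
  [0x202a, 'LEFT-TO-RIGHT EMBEDDING'],
  [0x202b, 'RIGHT-TO-LEFT EMBEDDING'],
  [0x202c, 'POP DIRECTIONAL FORMATTING'],
  [0x202d, 'LEFT-TO-RIGHT OVERRIDE'],
  [0x202e, 'RIGHT-TO-LEFT OVERRIDE'],
  [0x2066, 'LEFT-TO-RIGHT ISOLATE'],
  [0x2067, 'RIGHT-TO-LEFT ISOLATE'],
  [0x2068, 'FIRST STRONG ISOLATE'],
  [0x2069, 'POP DIRECTIONAL ISOLATE'],
  [0x200b, 'ZERO WIDTH SPACE'],
  [0x200c, 'ZERO WIDTH NON-JOINER'],
  [0x200d, 'ZERO WIDTH JOINER'],
  [0x2060, 'WORD JOINER'],
  [0xfeff, 'ZERO WIDTH NO-BREAK SPACE (BOM)'],
  [0x00ad, 'SOFT HYPHEN'],
]);

function fmtCodePoint(cp) {
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// Scan a file, or the added lines of a diff, and return one finding per hit.
function scanSource(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    // 1. Invisible / bidi control characters, iterated by code point.
    let col = 0;
    for (const ch of line) {
      col += 1;
      const cp = ch.codePointAt(0);
      if (SUSPICIOUS.has(cp)) {
        findings.push({ line: i + 1, col, kind: 'invisible',
                        codePoint: fmtCodePoint(cp), name: SUSPICIOUS.get(cp) });
      }
    }
    // 2. Identifier-like tokens that mix ASCII letters with non-ASCII letters,
    //    the homoglyph trick (a Cyrillic letter inside an otherwise Latin name).
    for (const m of line.matchAll(/[\p{L}\p{N}_$]+/gu)) {
      const tok = m[0];
      if (/[A-Za-z]/.test(tok) && /[^\x00-\x7f]/.test(tok)) {
        findings.push({ line: i + 1, col: m.index + 1, kind: 'mixed-script', token: tok });
      }
    }
  });
  return findings;
}

function summarize(findings) {
  const s = { invisible: 0, mixedScript: 0 };
  for (const f of findings) {
    if (f.kind === 'invisible') s.invisible += 1; else s.mixedScript += 1;
  }
  return s;
}

// Constructed sample (not a real commit): a package.json fragment carrying a
// right-to-left override and an isolate, a zero-width space inside an
// identifier, and a Cyrillic letter hidden in a function name.
const SAMPLE_LINES = [
  '{',
  '  "name": "example-app",',
  '  "scripts": {',
  '    "postinstall": "node ./scripts/setup.js \u202E // harmless comment \u2066"',
  '  }',
  '}',
  'export const ap\u200Bi = loadConfig();',
  'export const client = ne\u0442Client(api);',
];

function scanSample() {
  return scanSource(SAMPLE_LINES.join('\n'));
}

for (const f of scanSample()) {
  const what = f.kind === 'invisible' ? `${f.codePoint} ${f.name}` : `mixed-script identifier "${f.token}"`;
  console.log(`line ${f.line}, col ${f.col}: ${what}`);
}
```

Run this over the added lines of a pull request (for example the output of `git diff` filtered to `+` lines) as a pre-merge check; any finding in a dependency-bump PR is a reason to open the raw bytes rather than trust the rendered diff. The list above deliberately flags the BOM as well, since a stray U+FEFF mid-file is as suspicious as the other zero-width characters.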

Node.js Worm Spread Discussion

The group discussed the recent return of worms in cybersecurity, particularly how they spread through the Node.js/NPM ecosystem. Matt noted that worms can now spread through multi-step, multi-vector attacks, including attacks that target repository maintainers. The discussion included historical context about previous worm "seasons," with Neil clarifying that the current situation represents "season 3," following the original worms and the 2001-2009 period that included worms such as Melissa and SQL Slammer. Brian Reich expressed frustration about the Node.js/NPM ecosystem's reliance on unnecessary libraries like Lodash, comparing it to the "left-pad" incident, where a maintainer's removal of a tiny package broke builds for thousands of projects.

JavaScript Development Challenges

The group discussed challenges with JavaScript and Node.js development, particularly governance issues and the language's origins in browser-based applications. Brian Reich raised concerns about developers lacking fundamental software development knowledge because of rapid development cycles and React-style frameworks, while Kyle suggested that JavaScript's creation in a very short time period contributes to its ongoing challenges. The conversation concluded with a discussion about cloud security education, where Kyle recommended Georgia Tech's OMSCS program as a cost-effective option for D, who was considering a cloud security graduate degree.

Is a Cloud Security Degree Worthwhile?

The group discussed whether pursuing a graduate degree in cloud security is worthwhile. Several participants advised against specialized cloud security degrees, suggesting instead a general cybersecurity or computer science program, since cloud security skills can be developed through practical experience and self-directed learning. The discussion highlighted that while formal education has value, it is important to weigh the cost, the potential return on investment, and personal interests when choosing a program. Specific practical advice was shared about learning cloud security hands-on: using tools like Terraform, setting up lab environments, and browsing the wiz.io site for its solution areas as a map of the problem space. The conversation also touched on career goals, with one participant expressing interest in Mac malware research, which led to recommendations about learning ARM assembly and reverse engineering.
