A Neural Network Solves and Generates Mathematics Problems by Program Synthesis: Calculus, Differential Equations, Linear Algebra, and More
Academic paper showing how the authors trained a neural network to successfully solve university-level problems from MIT’s math courses.
Deep Learning Interviews book: Hundreds of fully solved job interview questions from a wide range of key topics in AI.
Advocate is basically a drop-in replacement for the Python requests library that makes it easy to safely make HTTP requests on behalf of a third party. Specifically, it aims to prevent common techniques that enable SSRF attacks (internal IPs, URLs or hosts you want to deny, DNS rebinding), and it handles redirects sanely.
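The checks listed above, as an added Python example (not Advocate's own code): validate scheme, denylist and every resolved address, return a pinned IP so the connection never re-resolves the name (the DNS rebinding defence), and re-run the checks on each redirect hop. The resolver and fetcher are injectable so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not Advocate's code): checks an SSRF-safe client makes per hop.
ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local (169.254.169.254 metadata), etc."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def resolve_all(host: str) -> list[str]:
    """Every A/AAAA record (getaddrinfo also maps forms like '2130706433' to 127.0.0.1)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_url(url, denied_hosts=frozenset(), resolver=resolve_all) -> str:
    """Validate url and return the one IP the socket must be pinned to; connecting
    to that IP instead of re-resolving at connect time is what defeats rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host.lower() in denied_hosts:
        raise ValueError(f"host denied: {host}")
    try:  # literal IP in the URL: skip DNS, but still range-check it
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise ValueError(f"host did not resolve: {host}")
    # Every record must be public: one public plus one internal record is the
    # classic round-robin trick for slipping past a single-lookup check.
    bad = [ip for ip in ips if not is_public_ip(ip)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return ips[0]

def follow_redirects(url, fetch, max_hops=5, **checks) -> str:
    """fetch(url, pinned_ip) returns the Location header or None. Each hop is
    re-validated, so a redirect to an internal address is refused."""
    for _ in range(max_hops):
        ip = validate_url(url, **checks)
        nxt = fetch(url, ip)
        if nxt is None:
            return url
        url = nxt
    raise ValueError("too many redirects")
```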
Simpler unpickle payloads with the walrus operator
Google’s Calle Svensson describes how to effectively exploit a Python Pickle deserialization vulnerability when you don’t get any STDOUT data from the unpickling and outbound connections are blocked, so you can’t do a reverse shell.
The Mac Malware of 2021
Objective-See’s Patrick Wardle provides an in-depth technical analysis of the year’s new Mac malware, covering infection vector, persistence mechanism, and payload and capabilities for each, plus samples to download.
Exploiting URL Parsers: The Good, Bad, And Inconsistent
Researchers from Claroty and Snyk examined 16 URL parsing libraries and found:
- Five categories of inconsistencies (scheme confusion, slashes confusion, backslash confusion, URL encoded data confusion, and scheme mixup)
- Which they were able to translate to SSRF, XSS, open redirect, filter bypass, and DoS.
This project by Peter Collins uses Google App Script inside of Google sheets to collect daily useful audit data from GCP - publicly exposed buckets, VMs, functions, and more. Reduce your attack surface by discovering unused service accounts, permissions, firewall rules, and even entire projects.
Securely Access Your AWS Resources From Github Actions
Benoît Bouré describes how to do so by creating an OpenID Connect identity provider in AWS. I appreciated the tip on locking down the IAM role to only a specific repo, or even only a specific branch or tag.
Identity Guide – Preventive controls with AWS Identity – SCPs
AWS post describing how to get started with Service Control Policies, common use cases, and how to write your own SCPs. Use cases discussed include limiting geographic regions, preventing changes to security controls, and more.
A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers. An easy thing to put in front of web apps that you don’t want exposed to randos on the Internet.
CLI tool by Salesforce’s Ashish Patel to validate baseline security configurations for your own Heroku deployments against best practices, and to reduce unwanted attack surface.
By Plex Systems: A tool to sync container images from one registry to another, for example, when you rely on images that exist in a public container registry but need to pull from a private registry.
Automatically remove Cloud managed services and Kubernetes resources based on tags with TTL, by Qovery.
A chaos engineering style game where you seek out and destroy Kubernetes pods, twinstick shoot-em-up style. The game interfaces with your Kubernetes cluster and allows you to explore your cluster nodes and destroy live, running pods on those nodes. Powered by the Unity engine.
Politics / Privacy
Visualizing the $94 Trillion World Economy in One Chart
Together, the U.S. and China account for 42% of global GDP.
How to Read Your iOS 15 App Privacy Report
In iOS 15.2, turn it on via Settings > Privacy > App Privacy Report, and see what networks and domains your iOS apps are connecting to, and how frequently they access your device data (contacts, location, camera and microphone).
How Signal is playing with fire
“Signal and WhatsApp have effectively protected end-to-end encryption from multiple legal attacks at the state and federal level,” said Alex Stamos, who worked on encryption issues while serving as Facebook’s chief security officer. “But the addition of pseudo-anonymous money transfer functions greatly increases their legal attack surface, while creating the possibility of real-life harms (extortion, drug sales, CSAM sales) that will harm them in court, legislatures and public opinion.”