Security Week brings news about CI/CD workflows using GitHub Actions in build processes. Some workflows can generate artifacts that "may inadvertently leak tokens for third party cloud services and GitHub, exposing repositories and services to compromise, Palo Alto Networks warns." [The artifacts] function as a mechanism for persisting and sharing data across jobs within the workflow and ensure that data is available even after the workflow finishes. [The artifacts] are stored for up to 90 days and, in open source projects, are publicly available... The identified issue, a combination of misconfigurations and security defects, allows anyone with read access to a repository to consume the leaked tokens, and threat actors could exploit it to push malicious code or steal secrets from the repository. "It's important to note that these tokens weren't part of the repository code but were only found in repository-produced artifacts," Palo Alto Networks' Yaron Avital explains... "The Super-Linter log file is often uploaded as a build artifact for reasons like debuggability and maintenance. But this practice exposed sensitive tokens of the repository." Super-Linter has been updated and no longer prints environment variables to log files. Avital was able to identify a leaked token that, unlike the GitHub token, would not expire as soon as the workflow job ends, and automated the process that downloads an artifact, extracts the token, and uses it to replace the artifact with a malicious one. Because subsequent workflow jobs would often use previously uploaded artifacts, an attacker could use this process to achieve remote code execution (RCE) on the job runner that uses the malicious artifact, potentially compromising workstations, Avital notes. Avital's blog post notes other variations on the attack — and "The research laid out here allowed me to compromise dozens of projects maintained by well-known organizations, including firebase-js-sdk by Google, a JavaScript package directly referenced by 1.6 million public projects, according to GitHub. Another high-profile project involved adsys, a tool included in the Ubuntu distribution used by corporations for integration with Active Directory." (Avital says the issue even impacted projects from Microsoft, Red Hat, and AWS.) "All open-source projects I approached with this issue cooperated swiftly and patched their code. Some offered bounties and cool swag." "This research was reported to GitHub's bug bounty program. They categorized the issue as informational, placing the onus on users to secure their uploaded artifacts." My aim in this article is to highlight the potential for unintentionally exposing sensitive information through artifacts in GitHub Actions workflows. To address the concern, I developed a proof of concept (PoC) custom action that safeguards against such leaks. The action uses the @actions/artifact package, which is also used by the upload-artifact GitHub action, adding a crucial security layer by using an open-source scanner to audit the source directory for secrets and blocking the artifact upload when risk of accidental secret exposure exists. This approach promotes a more secure workflow environment... As this research shows, we have a gap in the current security conversation regarding artifact scanning. GitHub's deprecation of Artifacts V3 should prompt organizations using the artifacts mechanism to reevaluate the way they use it. Security defenders must adopt a holistic approach, meticulously scrutinizing every stage — from code to production — for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers. Reduce workflow permissions of runner tokens according to least privilege and review artifact creation in your CI/CD pipelines. By implementing a proactive and vigilant approach to security, defenders can significantly strengthen their project's security posture. The blog post also notes protection and mitigation features from Palo Alto Networks....

Read more of this story at Slashdot.

In the 1980s, a radio show about home computers was broadcast on a handful of California radio stations. 40 years later, reel-to-reel tapes of the shows were re-discovered — and digitized — by an Internet Archive special collections manager. An Internet Archive blog post tells the story: Earlier this year archivist Kay Savetz recovered several of the tapes in a property sale, and recognizing their value and worthiness of professional transfer, launched a GoFundMe to have them digitized, and made them available at Internet Archive with the permission of the show's creators... Interviews in the recovered recordings include Timothy Leary, Douglas Adams, Bill Gates, Atari's Jack Tramiel, Apple's Bill Atkinson, and dozens of others. The recovered shows span November 17 1984 through July 12, 1985. Many more of the original reel-to-reel tapes — including shows with interviews with Ray Bradbury, Robert Moog, Donny Osmond, and Gene Roddenberry — are still lost, and perhaps are still waiting to be found in the Los Angeles area. [Though there appears to be a transcript of the Gene Roddenberry interview.] The stories of how The Famous Computer Cafe was created — and saved, 40 years later — is explored in an episode of the Radio Survivor podcast. The podcast interviewed show co-creator Ellen Fields and archivist Kay Savetz, providing a dual perspective of how the show was created and how it was recovered. The recovery of these interviews, 40 years after their original airing, holds out hope that many more relics and treasures still await discovery. You get another perspective on the past from the show's advertisements for 1980s software (and from the production values of 1980s-era radio technology). Bill Gates was just 29 when he recorded his interview. And Douglas Adams was 32.

Read more of this story at Slashdot.

Slashdot reader yeokm1 is the Singapore-based embedded security researcher whose side projects include installing Linux on a 1993 PC and building a ChatGPT client for MS-DOS. Today he writes: When one thinks of modern technologies like Thunderbolt, 2.5 Gigabit Ethernet and modern CPUs, one would associate them with modern operating systems. How about DOS? It might seem impossible, however I did an experiment on a relatively modern 2020 Thinkpad and found that it can still run MS-DOS 6.22. MS-DOS 6.22 is the last standalone version of DOS released by Microsoft in June 1994. This makes it 30 years old today. I'll share the steps and challenges in locating a modern laptop capable of doing so — and the challenge of making the 30-year-old OS work on it with audio and networking functions. This is likely among the final generation of laptops able to run DOS natively.

Read more of this story at Slashdot.

Bloomberg's Mark Gruman remembers how Apple's hardware group "allowed Apple to dump Intel chips from its entire Mac lineup." And they're now building an in-house cellular modem: For more than a decade, Apple has used modem chips designed by Qualcomm... But in 2018 — while facing a legal battle over royalties and patents — Apple started work on its own modem design.... It's devoting billions of dollars, thousands of engineers and millions of working hours to a project that won't really improve its devices — at least at the outset... Over the past few years, Apple's modem project has suffered numerous setbacks. There have been problems with performance and overheating, and Apple has been forced to push back the modem's debut until next year at the earliest. The rollout will take place on a gradual basis — starting with niche models — and take a few years to complete. In a sign of this slow transition, Apple extended its supplier agreement with Qualcomm through March 2027... But Qualcomm has said that Apple will still have to pay it some royalties regardless (the chipmaker believes that Apple won't be able to avoid infringing its patents). So it's hard to tell how big the benefits will be in the near term. Down the road, there are plans for Apple to fold its modem design into a new wireless chip that handles Wi-Fi and Bluetooth access. That would create a single connectivity component, potentially improving reliability and battery life. There's also the possibility that Apple could one day combine all of this into the device's main system on a chip, or SoC. That could further cut costs and save space inside the iPhone, allowing for more design choices. Furthermore, if Apple does ultimately save money by switching away from Qualcomm, it could redirect that spending toward new features and components.

Read more of this story at Slashdot.

"AI is already able to mimic sight and hearing," writes CNBC. And now a startup named Osmo "wants to use the technology to digitize another: smell." Co-founded by a former Google research scientist, the company built an AI that's "superhuman in its ability to predict what things smelled like," the company's co-founder says. And he believes this might actually prove useful. "We've known that smell contains information we can use to detect disease. But computers can't speak that language and can't interpret that data yet... We will eventually be able to detect disease with scent and we're on our way to building that technology. It's not going to happen this year or anytime soon, but we're on our way." CoinTelegraph describes how the company invented a training dataset from scratch — a kind of "smell map" with labelled examples of molecular bond associations to teach the AI to identify specific patterns. The team also hopes to develop a method to recreate smells using molecular synthesis. This would, for example, allow a computer in one place to "smell" something and then send that information to another computer for resynthesis — essentially teleporting odor over the internet. This also means scent could join sight and sound as part of the marketing and branding world.

Read more of this story at Slashdot.

Indian influencers It's the largest country on earth — home to 1.4 billion people. But "The Indian government has plans to classify social media creators as 'digital news broadcasters,'" according to the nonprofit site RestofWorld.org. While there's "no clarity" on the government's next move, the proposed legislation would require social media creators "to register with the government, set up a content evaluation committee that checks all content before it is published, and appoint complaint handlers — all at their own expense. Any failures in compliance could lead to criminal charges, including jail term." On July 26, the Hindustan Times reported that the government plans to tweak the proposed Broadcasting Services (Regulation) Bill, which aims to combine all regulations for broadcasters under one law. As per a new version of the bill, which has been reviewed by Rest of World, the government defines "digital news broadcaster" as "any person who broadcasts news and current affairs programs through an online paper, news portal, website, social media intermediary, or other similar medium as part of a systematic business, professional or commercial activity." Creators and digital rights activists believe the potential legislation will tighten the government's grip over online content and threaten the last bastion of press freedom for independent journalists in the country. Over 785 Indian creators have sent a letter to the government seeking more transparency in the process of drafting the bill. Creators have also stormed social media with hashtags like #KillTheBill, and made videos to educate their followers about the proposal. One YouTube creator told the site that if the government requires them to appoint a "grievance redressal officer," they might simply film themselves, responding to grievances — to "make content out of it".

Read more of this story at Slashdot.