HackerTrans
TopNewTrendsCommentsPastAskShowJobs

theallan

no profile record

comments

theallan
·vor 4 Monaten·discuss
> I maintain an open source project funded by the Sovereign Tech Fund.

I would absolutely love to know more about this if you are willing to share the story?
theallan
·vor 6 Monaten·discuss
Can we follow along with your work / results somewhere?
theallan
·vor 9 Monaten·discuss
The Minisforum V3 does: https://store.minisforum.com/products/minisforum-v3 .
theallan
·vor 10 Monaten·discuss
An SEO thing for them. Useful income for me. It isn't much ($49/year), but every little helps...
theallan
·vor 10 Monaten·discuss
That's the only reason I could think of for doing this, but I saw zero evidence that it was done that way. Baffling!
theallan
·vor 10 Monaten·discuss
> Out of curiosity, could this have been a vector for a supply chain attack?

If you were using the CDN without SRIs, then yes, that would have been the most obvious channel. However, I don't believe the attacker ever set up for that and the URLs never resolved due to CloudFlare blocking it.

> there's been some pretty huge breaking changes

Unless you were using the legacy API, there shouldn't be any major impediment [1]. I intentionally tried to keep backwards compatibility as I hate doing library upgrades myself! Drop me an email - allan at the domain in question if you have any questions about doing an upgrade.

> It looks like newer versions of datatables don't import static files from the datatables CDN like this.

I rewrote aspects to use CSS styled elements in place of images, so there were less resources to load.

> Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?

Per the above, if you were using the CDN without SRI for the resources, then any version could have been susceptible. However, I've seen no evidence that the attack took that vector.

[1] https://datatables.net/upgrade/2
theallan
·vor 10 Monaten·discuss
That's awesome to hear - thank you :-).
theallan
·vor 10 Monaten·discuss
Joker.com. Credit to them they fixed it reasonably quickly, but its a horrible policy to default to enact the change if no response if given. Their reasoning was what else would they do if someone got locked out of their email - they need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.
theallan
·vor 10 Monaten·discuss
The blog feed is here: https://datatables.net/feeds/blog.xml . It is advertised on the landing page, but it looks like I've missed having it on the blog page! As you say, that has the releases feed - thanks for pointing that out.
theallan
·vor 10 Monaten·discuss
Yeah - it was a well set up attack. What I don't understand is that there was no obvious follow on. I can only guess that it was a proof that it could be done. Maybe?

Regarding the 1000 error - I didn't have any 1:1 support contact with CloudFlare - the first I knew was they were returning 1000 errors, which I presume they were doing due to a blacklisted IP being used for the DNS resolving. I'm really not sure though.
theallan
·vor 10 Monaten·discuss
Yeah, I really wasn't happy about that. I did put it to the registrar that such a policy is wrong and open to such an attack. I got the impression that they weren't going to change their policy though. Such policies are something I'm going to be looking at when considering a new registrar.
theallan
·vor 10 Monaten·discuss
Didn't expect to see this here, it was over a month ago this incident happened! Happy to answer any questions about it (author of DataTables here). It was a super stressful event to say the least, and I've been reading along with the recent npm incidents wondering what I can do to make sure my OpSec is as good as it reasonably can be.
theallan
·vor 10 Jahren·discuss
I had assumed that you would need to register to claim to be HIPAA compliant, but that doesn't actually appear to be the case. It looks that if you claim it, you can be audited by Dept of Health and Human Services (HHS). I wonder how that works internationally?
theallan
·vor 10 Jahren·discuss
Does anyone have experience with HIPAA who is not based in the US?

It can obviously be useful as a sales avenue to US based customers, but I'm wondering what channels you need to go through if you are not a US based company.