Vulnerable dependencies are very different to compromised or backdoored dependencies though. Noone's taking over Solarwinds because their build tools had a ReDOS involving input from their own config files.
I'm reading the ZeroBounce docs and it seems very relevant. Look at this step:
"We recheck all unknown emails using IPs from different geographical locations". This matches exactly what this article describes as getting these emails from a range of locations.
The step before that is just "Proprietary Technology", which sounds like a good cover for what's going on here. How else are you testing an email address after between "real time SMTP server check"?
My personal tax agent only accepts forms and sends them back via email. I had a conversation with him about using password protected zips and he just told me he won't accept them.
My hospital sent me a PDF that I was to fill in and email back with cleartext credit card information filled in to pay bills. Screenshot:
Yeah, it did always get me as a design issue. I get that "there's more to ask them" is valid. But there's never an indication of "OK I've said everything now". You only find out when they start repeating themselves.
"Make the person repeat what they just told you" as a process is very immersion breaking.
If they run a mortgage broking business, they should have a very different experience to what's described in this post about setting up like a personal machine. They presumably have business managed Microsoft accounts, none of that setup happens, and most of setup prompts are totally automated away from you after logging into such an account.
As an Australian.. politically I need to worry about business data touching China. It will come up at a Risk Advisory Committee meeting as a serious issue.
In actual personal practice, no. China having my data presents no actual impact to me, America will do things that impact me.
A lot of those same people seemed perfectly capable of insisting on 60 day password rotation back when they could use nist guidance as an authority to appeal to (for about five years after the recommendation changed too).
Claude, for my non Gmail domain, expects me to click a magic link on every device I wish to use it. Its wild that a product like that cannot take a password, or a passkey.
Ten times shorter just means "readable without losing an excess of time on ramble" and I feel like someone's comeback to this will be "you should ask an AI to summarise".
The researcher's own statements note that the zero days were not found with AI.
And honestly I think that's the part that Microsoft is most upset about, because every internal partner conversation I've had has been about needing to buy Security Copilot because all the advanced attacks are coming from AI, and just suggesting vulnerabilities existed before AI seems to make salespeople uncomfortable continuing the conversation.
The problem with all these permissions ideas: VSCode in most cases is expected to be able to push to a git repo. Many developers these days use it over the CLI for pushes and pulls.
So if it has a "minimal" set of access, it has access to a Github key. That's enough.. to do this sort of damage.
Note that despite being named here as "Azure Linux" and being described as a "General purpose Linux OS for Azure", once you go to the product documentation it's referred to as "Microsoft Azure Linux Container Host for AKS", and the Quickstart guide is about how to deploy a Kubernetes cluster. It doesn't seem very capable of general use.
I guess I woukd say youre fortunate to have not worked in a "we cannot use github.com because we take security very seriously" environment. Because always tells me you'll be running a on prem product that might get updated once a year.
Yes this is what im confused about. They described it as a parking domain, but the old strategy of "buy a popular domain and put ads on a one pager" hasn't been something that pays substantively for a long time. Ads sales have plummeted in general but not being able to use adsense would make it worse.