HackerTrans
トップ新着トレンドコメント過去質問紹介求人

theallan

no profile record

コメント

theallan
·4 か月前·議論
> I maintain an open source project funded by the Sovereign Tech Fund.

I would absolutely love to know more about this if you are willing to share the story?
theallan
·6 か月前·議論
Can we follow along with your work / results somewhere?
theallan
·9 か月前·議論
The Minisforum V3 does: https://store.minisforum.com/products/minisforum-v3 .
theallan
·10 か月前·議論
An SEO thing for them. Useful income for me. It isn't much ($49/year), but every little helps...
theallan
·10 か月前·議論
That's the only reason I could think of for doing this, but I saw zero evidence that it was done that way. Baffling!
theallan
·10 か月前·議論
> Out of curiosity, could this have been a vector for a supply chain attack?

If you were using the CDN without SRIs, then yes, that would have been the most obvious channel. However, I don't believe the attacker ever set up for that and the URLs never resolved due to CloudFlare blocking it.

> there's been some pretty huge breaking changes

Unless you were using the legacy API, there shouldn't be any major impediment [1]. I intentionally tried to keep backwards compatibility as I hate doing library upgrades myself! Drop me an email - allan at the domain in question if you have any questions about doing an upgrade.

> It looks like newer versions of datatables don't import static files from the datatables CDN like this.

I rewrote aspects to use CSS styled elements in place of images, so there were less resources to load.

> Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?

Per the above, if you were using the CDN without SRI for the resources, then any version could have been susceptible. However, I've seen no evidence that the attack took that vector.

[1] https://datatables.net/upgrade/2
theallan
·10 か月前·議論
That's awesome to hear - thank you :-).
theallan
·10 か月前·議論
Joker.com. Credit to them they fixed it reasonably quickly, but its a horrible policy to default to enact the change if no response if given. Their reasoning was what else would they do if someone got locked out of their email - they need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.
theallan
·10 か月前·議論
The blog feed is here: https://datatables.net/feeds/blog.xml . It is advertised on the landing page, but it looks like I've missed having it on the blog page! As you say, that has the releases feed - thanks for pointing that out.
theallan
·10 か月前·議論
Yeah - it was a well set up attack. What I don't understand is that there was no obvious follow on. I can only guess that it was a proof that it could be done. Maybe?

Regarding the 1000 error - I didn't have any 1:1 support contact with CloudFlare - the first I knew was they were returning 1000 errors, which I presume they were doing due to a blacklisted IP being used for the DNS resolving. I'm really not sure though.
theallan
·10 か月前·議論
Yeah, I really wasn't happy about that. I did put it to the registrar that such a policy is wrong and open to such an attack. I got the impression that they weren't going to change their policy though. Such policies are something I'm going to be looking at when considering a new registrar.
theallan
·10 か月前·議論
Didn't expect to see this here, it was over a month ago this incident happened! Happy to answer any questions about it (author of DataTables here). It was a super stressful event to say the least, and I've been reading along with the recent npm incidents wondering what I can do to make sure my OpSec is as good as it reasonably can be.
theallan
·10 年前·議論
I had assumed that you would need to register to claim to be HIPAA compliant, but that doesn't actually appear to be the case. It looks that if you claim it, you can be audited by Dept of Health and Human Services (HHS). I wonder how that works internationally?
theallan
·10 年前·議論
Does anyone have experience with HIPAA who is not based in the US?

It can obviously be useful as a sales avenue to US based customers, but I'm wondering what channels you need to go through if you are not a US based company.