
[tl;dr sec] #86 - Dockerfile Best Practices, Mobile Security, and Collusion in Academia

20 Dockerfile best practices, free mobile security course, and trade-offs, collusion rings, and more in academia.

Hey there,

I hope you’ve been doing well!

Signs You’re an “Old”

Recently I overheard:

So I was reading about this new TikTok meme on Vox…

And I realized I too have been learning about Tiktok trends on news sites 😂

Security Superfriends

Last week I joined former Twilio and LendingClub CISO, now Soluble co-founder Richard Seiersen, on his Security Superfriends podcast. If Richard’s name sounds familiar, it might be because he’s also the co-author of “How to Measure Anything in Cybersecurity Risk.”

We discussed my favorite superhero, scaling security, empowering developers, the history of Semgrep, building a security company around open source, and more.

I’ve chatted with Richard a few times, and I’ve always been impressed by how sharp and insightful he is.

Check out the interview or read the transcript here.

SS-Oh Yes We Did

Last week I very unscientifically (poorly specified requirements, biased language) polled readers for their SSO recommendations.

Here are the results:

  • Okta: 204 votes

  • G Suite: 194 votes

  • Duo: 125 votes

  • Dogecoin: 107 votes

These results should not be taken as a well-vetted recommendation; make sure to do your own due diligence!

Sponsor

📢 Evolving Risks, Insecure Defaults, Watering Hole Threats – Oh, My!

Adoption of cloud native technologies is on the rise, changing the threat landscape faced by organizations. Accurics’ research identifies common trends, like Identity and Access Management moving into Infrastructure as Code, rapid adoption of CSP-managed services in dev and pre-prod, and insecure default configurations for many resource types.

📜 In this newsletter...

  • AppSec: List of cybersecurity subreddits, collection of public pen test reports, DevSecOps overview

  • Mobile Security: Security by Design class by Google, free graduate level course on mobile security, tool to download ipa files from the iOS App Store

  • On Academia: Why one professor left academia, collusion rings in CS, why blatant academic fraud is useful, addressing common CFP challenges with preregistration

  • Cloud Security: Library of Conftest rules to detect Terraform misconfigurations

  • Container Security: 20 Dockerfile security best practices

  • Politics: Correcting people posting fake news makes them double down, deepfaking maps, AI and surveillance tech leading us to 1984

  • Privacy: Tool to mass delete your social media posts, WhatsApp fighting for user privacy in India

  • Misc: Rubberhose-resistant encryption tool, speeding up human progress, things learned as a senior engineer, open source Airtable alternative

  • Avoiding Burnout: Make your life better by doing less, thoughts on recharging for yourself and your time

AppSec

List of Cybersecurity Subreddits
Includes ~30 subreddits, by Luke Stephens.

juliocesarfort/public-pentesting-reports
A pretty massive curated list of public penetration test reports released by consulting firms and academic security groups, by Julio Cesar Fort.

DevSecOps Series: Shifting Security Left
AWS’s Lucas Kauffman provides a nice overview of DevOps and DevSecOps, along with useful hard and soft gates at each step of the development process. These activities and their ordering are generally what I see most people recommending:

On Academia

I’ve been asked a number of times about the value of getting a graduate degree and the differences between industry and academia. I’ve gotten a lot of personal and career value out of my time in grad school, so my intention in this section is not to be negative about academia, but rather to provide some context for people outside looking in. I’ll try to write a longer post about it sometime.

The Good, the Bad, and the Bye Bye: Why I Left My Tenured Academic Job
Former EURECOM professor Yanick Fratantonio left his tenured academic job to join the Malware Research Team at Cisco Talos. In this detailed post, he walks through why.

Collusion Rings Threaten the Integrity of Computer Science Research
Brown University professor Michael Littman describes how there are likely collusion rings in the computer architecture field as well as in AI and ML, in which program committee members attempt to get assigned to review papers by their colluders and then give those papers positive reviews.

The pressure for grad students and professors to publish papers in tier one conferences or journals is sky high, as it hugely impacts your funding opportunities, ability to graduate, and career over the long term. Since there is largely only one metric for academic career success, and conferences have so few slots for accepted papers, this sort of behavior honestly feels almost inevitable without serious checks and balances, and ideally other ways for people to “succeed.”

Please Commit More Blatant Academic Fraud
PhD candidate Jacob Buckman argues that blatant academic fraud is actually helpful, because low-key, mundane fraud is already common and accepted: trying an algorithm with a bunch of seeds and reporting only the best results, cherry-picking examples where your approach looks good, etc.

But if people are aware that shady behavior is commonplace, then they’ll review papers with a more critical eye, which is beneficial for the field.

FuzzBench: Journal Special Issue on Fuzzing
Interesting proposal aiming to address a number of common academic challenges, like duplicated efforts, lack of reproducibility, and strong positive results bias.

Preregistration is a publication model whereby a submitted article is primarily evaluated based on (i) the significance and novelty of the hypotheses or techniques, and (ii) the soundness and reproducibility of the methodology specified to validate the claims or hypotheses. The actual evaluation or experimentation (apart from some supporting preliminary results) is conducted only after the paper has been in-principle accepted. The final acceptance will depend only on the methodology that was ultimately followed, not the final results.

Cloud Security

Cigna/confectionery
By Cigna’s Anthony Barbieri and team: A library of rules for Conftest used to detect misconfigurations within Terraform configuration files. One interesting trend is that many teams and tools are converging on OPA’s Rego language for infrastructure as code scanning, while other tools use their own custom rule language.

Container Security

Top 20 Dockerfile best practices for security
Sysdig’s Álvaro Iradier describes actionable tips grouped into avoiding unnecessary permissions, reducing attack surface, miscellaneous tips, and practices that go beyond image building.
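As an added illustration of a few of the practices that fall under “avoiding unnecessary permissions” and “reducing attack surface” (this is example code written for this newsletter issue, not Sysdig’s tool or anything from the linked post), here is a small Dockerfile policy checker. It parses a Dockerfile and flags an unpinned base image, a container that runs as root, ADD where COPY would do, and secret-looking ENV/ARG names. The two Dockerfiles at the bottom, including the all-zero digest, are constructed for the example.

```python
"""Tiny Dockerfile policy checker (hypothetical example, not a real linter).

It flags a handful of widely recommended practices: pin the base image,
do not run as root, prefer COPY over ADD, and keep secrets out of build
instructions. The sample Dockerfiles below are constructed for this example.
"""
import re
from typing import List, Optional, Tuple

# Environment/ARG names that usually carry secrets (heuristic list).
SECRET_NAME_RE = re.compile(
    r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE
)


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs, folding backslash line
    continuations and skipping comments and blank lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    instructions = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        instructions.append((name, args))
    return instructions


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it has no tag.
    A ':' in the registry host (port) is not a tag, so only look at the
    last path component."""
    last_component = image.rsplit("/", 1)[-1]
    if ":" not in last_component:
        return None
    return last_component.rsplit(":", 1)[1]


def check_dockerfile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no issues found."""
    findings: List[str] = []
    last_user: Optional[str] = None
    for name, args in parse_dockerfile(text):
        if name == "FROM":
            image = args.split()[0]  # drop "AS builder" in multi-stage builds
            if image.lower() == "scratch" or "@sha256:" in image:
                continue  # scratch has nothing to pin; a digest is already pinned
            tag = image_tag(image)
            if tag is None or tag == "latest":
                findings.append(
                    f"FROM {image}: base image not pinned (use a version tag or digest)"
                )
        elif name == "USER":
            last_user = args
        elif name == "ADD":
            findings.append(
                f"ADD {args}: prefer COPY (ADD also fetches URLs and unpacks archives)"
            )
        elif name in ("ENV", "ARG"):
            key = re.split(r"[=\s]", args, maxsplit=1)[0]
            if SECRET_NAME_RE.search(key):
                findings.append(f"{name} {key}: secret-looking value baked into the image")
    # The effective user is whatever the last USER instruction set; no USER
    # instruction at all means the container runs as root.
    if last_user is None or last_user.split(":")[0] in ("root", "0"):
        findings.append("USER: container runs as root (add a non-root USER)")
    return findings


# Constructed sample: violates all four checks.
BAD_DOCKERFILE = """FROM python:latest
ADD https://example.invalid/app.tar.gz /opt/
ENV DB_PASSWORD=hunter2
RUN pip install -r /opt/requirements.txt
CMD ["python", "/opt/app.py"]
"""

# Constructed sample: pinned by digest (placeholder all-zero digest),
# non-root user, COPY instead of ADD, no secrets in the image.
GOOD_DOCKERFILE = """# digest below is a placeholder, not a real image
FROM python:3.11-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN useradd --system --uid 10001 app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/app.py"]
"""

if __name__ == "__main__":
    for label, df in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, check_dockerfile(df) or ["no findings"])
```

The checker is deliberately heuristic: it does not resolve images, follow multi-stage aliases, or understand `RUN --mount=type=secret`, so it is a starting point for a CI gate rather than a substitute for a real linter or image scanner.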

Politics

Does correcting online falsehoods make matters worse?
Wait, people posting provably false things online aren’t swayed by facts!? Shocked. 🤣, but also 😭.

The study was centered around a Twitter field experiment in which a research team offered polite corrections, complete with links to solid evidence, in replies to flagrantly false tweets about politics.

“After a user was corrected … they retweeted news that was significantly lower in quality and higher in partisan slant, and their retweets contained more toxic language.”

Deepfake Maps Could Really Mess With Your Sense of the World
“University of Washington professor Bo Zhao employed AI techniques similar to those used to create so-called deepfakes to alter satellite images of several cities.” Satellite images have real world impacts, like photos of the large detention camps for Uighurs in China, nuclear installations in Iran, or missile sites in North Korea.

“Imagine a world where a state government, or other actor, can realistically manipulate images to show either nothing there or a different layout,” McKenzie says. “I am not entirely sure what can be done to stop it at this point.”

It may be just a matter of time before far more sophisticated “deepfake” satellite images are used to, for instance, hide weapons installations or wrongly justify military action.

Microsoft president: Orwell’s 1984 could happen in 2024
The rapid development of AI, surveillance tech, and deepfakes is something I stress about (among other things). While I’m generally quite cautious around the U.S. government’s use of technology and the privacy implications for citizens, I do think that being the leader in AI is massively important for our national security.

“If we don’t enact the laws that will protect the public in the future, we are going to find the technology racing ahead, and it’s going to be very difficult to catch up,” Mr Smith said.

China’s ambition is to become the world leader in AI by 2030, and many consider its capabilities to be far beyond the EU.

Eric Schmidt, former Google chief executive who is now chair of the US National Security Commission on Artificial Intelligence, has warned that beating China in AI is imperative.

“We’re in a geo-political strategic conflict with China,” he said. “The way to win is to marshal our resources together to have national and global strategies for the democracies to win in AI.

“If we don’t, we’ll be looking at a future where other values will be imposed on us.”

Privacy

Redact | Mass Delete your Social Media
A platform that allows you to automatically clean up your old posts from services like Twitter, Reddit, Facebook, Discord and more all in one place.

WhatsApp is suing the Indian government to protect user privacy
A Facebook-owned company fighting for user privacy? 🤔 They’re actually fighting the good fight here, as new regulations have been passed requiring social media platforms to trace the originator of messages and see the message content. To do this, platforms would likely have to trace every message, removing all privacy and banning end-to-end encryption.

Misc

Cookie04DE/Sekura
An encryption tool that allows for multiple, independent file systems on a single disk whose existence can only be verified if you possess the correct password. Inspired by the Rubberhose file system, named after “rubber-hose cryptanalysis,” a euphemism for when people really want you to give up your encryption keys.

If you’re a curious student or professional who wants to make a difference in the world, this is the guide for you. The suggestions in this guide will help you understand how civilisation progresses, and how you can help it along.

Drunk Post: Things I’ve learned as a Sr Engineer
Stream of consciousness points from a senior engineer on Reddit.

nocodb/nocodb
The open source Airtable alternative. Turns any MySQL, PostgreSQL, SQL Server, SQLite & MariaDB into a smart-spreadsheet.

Avoiding Burnout

Make Your Life Better by Doing Less
I’m a fan of Scott Young’s writing, and this post is no exception. Ideas included: every “yes” implies a “no”, people tend to think of additive rather than subtractive solutions, only home-run projects, and it’s easy to overwhelm yourself with “easy” tasks.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint