>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.
>
>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
This is why I go straight to legal for some things. By letter (the kind with a stamp).
As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.
Had to do that with a bank that refused to talk to me (I hit some kind of identify verification quagmire), but they quickly got someone able to call me and close it on the spot.
Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.
Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs(!) Within seconds I got an email from Anthropic and they have already disabled my keys. Neither OpenAI nor Google alerted me in anyway. I was able to login to OpenAI and delete all the keys quickly.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
There's a lot of performative "security" in such companies. You need to employ the right people (you need a "CISO", ideally someone who's never actually used a terminal in their life), you need to pay money for the right vendors, adopt the right buzzwords and so on. The amounts of money being spent on performative security are insane, all done by people who can't even "hack" a base64-"encrypted" password.
All while there's no budget for those that actually develop and operate the software (so you get insecure software), those that nevertheless do their best are slowed down by all the security theater, and customer service is outsourced to third-world boiler rooms so exploiting vulnerabilities doesn't even matter when a $100 bribe will get you in.
It's "the emperor has no clothes" all the way down: because any root-cause analysis of a breach (including by regulators) will also be done by those without clothes, it "works" as far as the market and share price is concerned.
Source: been inside those "companies of public significance" or interacted with them as part of my work.
Equifax? Capital One? 23andMe? My basis for this is that you can leak everyone’s bank data and barely have it show up in your stock price chart, especially long term.
Stock price is an extremely narrow view of the total consequences of lax cybersecurity but that aside, the notion that security doesn’t matter because those companies got hacked is ridiculous. The reason there isn’t an Equifax every minute is because an enormous amount of effort and talent goes into ensuring that’s the case. If your attitude is we should vibe code our way past the need for security, you aren’t responsible enough to hold a single user’s data.
I feel as if security is a much bigger concern than it ever was.
The main issue seems to be, that our artifacts are now so insanely complex, that there’s too many holes, and modern hackers are quite different from the old skiddies.
In some ways, it’s possible that AI could be a huge boon for security, but I’m worried, because its training data is brogrammer crap.
Security has become a big talking point, and industry vultures have zeroed in on that and will happily sell dubious solutions that claim to improve security. There is unbelievable money sloshing around in those circles, even now during the supposed tech downturn ("security" seems to be immune to this).
Actual security on the other hand has decreased. I think one of the worst things to happen to the industry is "zero trust", meaning now any exposed token or lapse in security is exploitable by the whole world instead of having to go through a first layer of VPN (no matter how weak it is, it's better than not having it).
> quite different from the old skiddies
Disagreed - if you look at the worst breaches ("Lapsus$", Equifax, etc), it was always down to something stupid - social engineering the vendor that conned them into handing them the keys to the kingdom, a known vulnerable version in a Java web framework, yet another NPM package being compromised and that they immediately updated to since the expensive, enterprise-grade Dependabot knockoff told them to, and so on.
I'm sure APTs and actual hacking exists in the right circles, but it's not the majority of breaches. You don't need APT to breach most companies.
How did they get leak them? Just someone getting into your personal Claude Code logs? I'm surprised that if it was just that Google would even be aware they're leaked.
Claude was looking up env-vars during the coding session which ended up in ~/.claude/projects/ log. I wanted to make the [construction] logs public with the code. Didn't think that was a leak vector.
I've accidentally pushed a personal PAT(ro) to both Github and gist because of poor hygiene in personal projects, both times Github dropped the PAT and notified me.
Yeah I'm impressed they even managed to publish a personal token. My experience with GitHub's automated token recognition has also been positive (tho the tokens were never of any consequence)
Presumably you'd want human habitable atmosphere on the inside of the sphere, which would radically change the equation against the use of wood unfortunately.
I disagree. Traditional underwater human habitats are overengineered and expensive.
By using plywood in conjunction with other off-the-shelf parts and materials, we can change this equation to deliver more value while dramatically reducing costs.
If, due to unforeseen circumstances the habitat occupant can no longer sustain life, they're automatically entombed inside a makeshift plywood coffin—no costly recovery operations required. Logitech wireless game controller sold separately.
Could we involve robotics, LLMs and maybe some camera based vision models to this process? Surely with AI we could make building those very fast. Especially with humanoid robots...
If it's a single application exposed to the internet that is using those tokens then an env file is perfectly fine. If the application gets breached the secrets will be in memory anyway (as the app needs them to do its work), so they will get exposed no matter how they were sourced.
If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.
SOPS reduces the surface area you need to cover. You can use Age as a backend and then you only need a long lived private key on the server. https://github.com/getsops/sops
Yes if you get the hypervisor to provide the secrets this in theory means the secrets will be safe at rest... but if the VM gets breached (which is the scenario we're assuming here, as his VM is the one handling untrusted traffic from the internet), the secrets still get out.
One option is to use separate "proxy" VMs that proxy traffic to the external services and applies the secret. The main application VM uses those proxy VMs to talk to the external services. This means a compromise of the application VM will not be able to exfiltrate any secrets - it will merely be able to make use of them (by talking to the proxy VMs) while the attacker still has access. Post-breach remediation becomes easier as not only do you not need to rotate the secret (as it wasn't stolen, merely misused) but your proxy VM can provide a tamper-proof audit log to tell which malicious activity has happened, if any.
As an example, there is a hacking group tracked as "Atlas Lion" that has been persistently targeting large retailers' internal systems to steal gift cards that they resell on gray markets for a profit.
I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.
it's easy to scan for publicly known services, really difficult to understand if a random string that says key somewhere is actually a random internal api key
GitHub already has a program to scan for keys, since publishing Discord tokens by mistake used to get the token immediately revoked and a DM from the system account saying why
I thought there were many first and third party services looking for this kind of thing (AWS, Github, GWS, crypto, etc tokens). Seems weird that a F500 company repo was not receiving the regular, let alone extra deep scanning which could have trivially found these.
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
For things pushed to github, github has quite sophisticated secret scanning. They have a huge list of providers where they will automatically verify if a potential key is real and revoke it automatically [2], and a smaller list of generic patters they try to match if you enable the matching of "non-provider patterns".
This seems to be a case of someone accidentally publishing their github token somewhere else. I'm not sure how github would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories
GitHub wants to sell a service. Keys are convenient. Better alternatives in authorization and authentication exist, and GitHub is very aware of them. They even offer and facilitate them. For example, see OIDC. But many users either want keys because they're used to them or GitHub is sure they do, so they continue to offer them to avoid friction. The alternatives require more parameters, thought, and coordination between services.
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
They do scan but they miss a lot. The frequency decreased after Github started scanning all repositories but I still report leaked secrets to bug bounty programs pretty often.
Unfortunately Home Depot don't have a bug bounty program so I don't scan them.
The article doesn’t say where the Home Depot token was published. Almost certainly not on GitHub or it would have been invalidated. But AFAIK GitHub doesn’t crawl other sites looking for GitHub tokens. I suppose Microsoft could provide GitHub a feed of GitHub tokens found by their Bing crawlers.
They at least scan GitHub for all kind of exposed tokens in public repositories, and even have partnerships with the companies where you can connect with those tokens (SaaS, PaaS...) to verify they're valid and even revoke them automatically if necessary.
I think there are crawlers that do that. Somehow I accidentally had a commit with an openai key in it, and when I published an open source repo with that commit within ~20 seconds I got an email from openai someone had retired my exposed key.
They definitely do have automation to scan for this already. I've seen plenty of alerts (fortunately all false positives that triggered on example keys that weren't real). I don't know how comprehensive it is, but it does exist.
If there has been one thing proven over the past 5 years is that the Home Depot IT department is useless and cant be trusted with anything regarding security.
Given the absolute state of their website on mobile it's hardly surprising. It's faster to find an employee and ask them where an item is at instead of waiting for the search to finish, see that it the "current store" now points to a random location somewhere in a different state, pick the correct store and re-do the search
I had to check what the gold standard McMaster-Carr does: their torque wrench drive size widget is sorted 1/4", 3/8", 1/2", 3/4", 1", 1 1/2". Glorious. https://www.mcmaster.com/products/torque-wrenches/
I'd expect nothing less from them. The right thing to do here is to implement a sorting key for different categories here. Since McMaster-Carr seems to be going to a category when you search, they seem to have better control over the available filters.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options becomes absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
The schemas for Amazon and Walmart's product information are absolutely bonkers and constantly missing features that they demand be provided.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, of which each has unique properties that ultimately drive the metadata on a particular listing for the SKU. Its wrought with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
Very interesting how nearly half the list is (assumedly) every single chemical listed under California Prop 65. Do they really need to specify exactly which chemical it is? I've seen thousands of prop 65 warnings in my life but I've literally never seen it tell me what chemical its warning me about. I just commented to a friends a couple weeks ago i wished they'd tell me what so i could look it up myself!
McMaster-Carr's website is actually pretty impressive given how unassuming it is. It does a ton of pre-loading on hover and caching to make it feel like you're just navigating a static site. I didn't even realize that the page had a loading state until I enabled throttling from my network tab and immediately clicked on a link as soon as I hovered over it.
Mouser et al also do it right for mixed unit lists, eg. component dimensions are shown in their specified units but sorted as: 11mm, 12mm, 0.5in, 13mm, ...
No. You are likely and automatically extrapolating the attention to detail seen in the outcome into believing that it is a reflection of the attention , thought and method of their internal workings.
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").
It's probably a default ordering or an ordering by an unshown database ID value. It's a small enough set that it doesn't really matter for practical purposes, but I guess it does betray a lack of attention to detail.
Or when the site tells you your store doesn't have a part in stock, but neglects to tell you that they do have 350 of the identical part, different brand, in stock. Because who would ever buy a 1/2-inch close Halex rigid conduit close nipple in-store right now when they could wait a few days for a 1/2-inch close Commercial Electric rigid conduit nipple?
I feel like the home depot website is fine. It's a lot better than most other shops, I've had a good experience finding the aisle and location of items, and it's generally accurate with the amount in stock at each location. If you didn't enable precise location or have bad cell signal then that is hardly the fault of the website.
I will not argue with the stock part. When the search _does_ finish, stock info is usually correct IME.
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
Not CostCo though! I open their page and immediately 'Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
Their internal setup was also an absolute mess as of 4 years ago. A horrific hybrid of extremely legacy systems and new systems created around COVID which are both nicer and also deeply lacking in features we needed as floor workers.
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
This is definitely true and makes the experience shittier than it otherwise would be, but even with a great signal/connection it frequently loads so slowly that I've long run out of patience.
I have gotten in the habit of looking up what isle and bay the thing I need is before I get there, and then I screenshot it because too many times the page has needed to reload and start over
I bought a water heater that had a large (1k!) instant rebate that you had to scan, sign up on website and show the emailed coupon to the person during cashing out. Took me 25 minutes wandering around the store to get enough reception to actually do this process. Made me chuckle, thinking how having it online only but before point of sale in the store was such a terrible, terrible idea.
Nah, I use both the website and their shitty web wrapper app on a regular basis and it's been a dumpster fire for at least the last 2-3 years. 3-5 years ago when they first rebuilt everything it was much more pleasant but at this point it's clear no one is maintaining it and have just let it bloat and rot
also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in store wifi in order to search their website
Their in-store WiFi is a repeater more or less. It's one of those bullshit forced auto-join networks that you can't opt out of (at least on iOS). Because that's not a massive vector for phishing or anything.
Yes, although I've had terrible experience with their wifi. I'm sure it depends on the store, but coverage is usually terrible and highly spotty, so if you're walking around or standing in the wrong area, it stops working.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
This is a network carrier setting, the issue is that T-Mobile (and maybe others) pushes a profile that does this as part of their network configuration.
I went to Wi-Fi settings, "Edit" in top right, scroll to bottom "Managed" section, and was able to turn off "Auto-Join" for the "t-mobile" managed network just fine. I did this many months ago, I think because I was infuriated at the idea of auto-connecting to a Wi-Fi network I did not opt in to, but regardless, the checkbox has remained off through a few OS updates since (on 26.1 now with a T-Mo prepaid eSIM).
There's no "Managed" section showing up on my phone and the last time I set that network to not auto-join it still did. Lesson learned, I just turn off WiFi and Bluetooth before heading out to Home Depot.
I was livid when I discovered that my carrier had implemented that with no opt out. I worked around it by implementing shortcuts that disable my iPhone's WiFi when I leave my house until I've returned or reached one of the handful of other places I use it. It's ridiculous that something like that is necessary, though.
Indeed, Home Depot's software is generally so bad. I remember around 2017/2018 time frame when they started showing up to big tech conferences (especially K8s and React.js conferences) really trying to modernize. I spent a few minutes talking to the people manning the booth (which were surprisingly high ranking in the company, at least by title), and came away thinking "I'm glad you're making an effort, but y'all really have no idea what you're doing." The left hand and the right hand had completely different ideas/priorities about how to accomplish their goals. I didn't want to make any judgments on a simple conversation at a conference, but at this point I think time has shown that it was pretty representative of how they were approaching it internally, and unsurprisingly it did not work out super well.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Genearlly speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I'll bet money any new React/K8s/${WEBSCALE} stuff they're building is still just a wrapper over the same old inventory management they've been using for years...probably something like JDEdwards on AS/400.
You would lose that bet. Walmart has invested a LOT in modernizing stuff over the last 10 years. You cannot deliver groceries in less than an hour using the old inventory. It's not perfect, but what it's been done given the scale , it's nothing short of a miracle.
Source: I have been working there for 10 years.
It's sadly all too common. I worked at a Fortune50 retailer with a massive IT org. Was on a call one day with one of our most Senior Ent Arch who was excitedly telling me about how "these Java scripts" were the hot new thing and we were building "modern web 3.0 pages" with them. He did not understand the difference between Java and JavaScript or a blockchain branding exercise and SPAs.
I think they made some splashy hires at the time, and they contributed to the Google SRE workbook. Same as Walmart. They definitely tried. Corporate inertia is a killer.
It varies a lot by store. I’ve been to HDs where they’re all useless, and others where there’s a good number of knowledgeable DIYers working there.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
Fully this. Every Ace or Do It Best I've been to in Washington has had at least one Rugged Grandpa ™ on staff who could have given me a PhD-level essay on whatever I asked them about; at Home Depot I'm lucky if the folks there have any idea what an impact-rated bit is or why I specifically need one and NO please stop trying to sell me this other crap if you're sold out of the impact bits, they are NOT the same!
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
> It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.
The best feature of Home Depot is order pickup. No need to explain to someone that some appliances use both 120V for control power and 240V power for the motor or heating element and therefore you need a 4-wire NEMA 14 series receptacle with a neutral conductor, you just buy one and pick it up from a locker. It’s made buying things from Home Depot tolerable for me.
The store I worked at for a while had a surprising number of real bearded experts, alongside at least a few younger folks who really understood the internal systems. It was great, but clearly was eroding as the experts retired and young folks with no experience were hired to replace them.
I asked an employee for something by part number and described it. The answer he gave was "why the hell would you want that anyways? I've worked here 13 years and never seen one". I found it on a shelf a few levels up and used a grounding rod from the electrical section to spear it and bring it down to ground level
Its hard to locate anything in their stores these days and its even harder to find any staff. So what I do is order for pickup and let them do the work.
I think the same people/platform made the Best Buy mobile website, they look very similar. Just absolutely atrocious design. It's slow, the UI elements bounce all over the place, it forgets your selections, and godspeed if for whatever reason you need to refresh the page because something chose not to render. That's outside of the store on a good connection. Doing this IN the store is a whole new level of hair pulling frustration.
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
I'm just happy that Best Buy recently added the ability to filter out items they cannot actually sell me. The amount of searches I would do where I had to scroll through page after page of 'not available online' 'not available in store' items in order to find a search result they actually had was ridiculous.
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
Yeah, I'm not sure why so many people seem pro-theft for a lack of a better term. I don't believe they are but there's so much resistance to locking up high value items especially if they're valuable ones.
Maybe you're not familiar with Flock Safety, but my comment is not about locking up high value items. It's more about my location information being shipped to weird police circles by big box stores.
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.
Yeah I think it'll be location dependent. FWIW I've got both by me and they're equally terrible as far as the availability and knowledge of their employees. Lowes edges out Home Depot a tiny bit for me simply because I've never been accosted by a sanctioned in-store roaming sales person for solar or siding at Lowes (yet!).
I get hit up for gutter guards every trip at my Lowe’s. I have a stationary woman hawking Generac and HVAC installs at my Home Depot.
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
I've found it to be very datetime dependent. I walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That was true for a long time, but before that, Home Depot's customer service was terrific too. I think that's a cost that gets cut by a focus on shareholder value. Local hardware stores are still going to be better, with the caveat it may take a decade before they smile when you walk in.
I used to frequent a wonderful Ace Hardware with some regularity.
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
Purely anecdotal as well but it really feels like a quantity over quality thing between the two. It takes significantly longer to find someone in orange, but they’re as helpful as I can reasonably expect. Whereas Lowe’s employees tend to be both useless and annoying.
Opposite data point, where I live, there's lots of people working the floor. I'm usually asked if I need help at least once when I'm there. Maybe it depends on the store or whatever the umbrella org is.
>
>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.
Had to do that with a bank that refused to talk to me (I hit some kind of identify verification quagmire), but they quickly got someone able to call me and close it on the spot.
Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
I shudder to think of the implications.
Consider all the security disasters we already get from brogramming, and multiply that, times 100.
All while there's no budget for those that actually develop and operate the software (so you get insecure software), those that nevertheless do their best are slowed down by all the security theater, and customer service is outsourced to third-world boiler rooms so exploiting vulnerabilities doesn't even matter when a $100 bribe will get you in.
It's "the emperor has no clothes" all the way down: because any root-cause analysis of a breach (including by regulators) will also be done by those without clothes, it "works" as far as the market and share price is concerned.
Source: been inside those "companies of public significance" or interacted with them as part of my work.
The main issue seems to be, that our artifacts are now so insanely complex, that there’s too many holes, and modern hackers are quite different from the old skiddies.
In some ways, it’s possible that AI could be a huge boon for security, but I’m worried, because its training data is brogrammer crap.
Actual security on the other hand has decreased. I think one of the worst things to happen to the industry is "zero trust", meaning now any exposed token or lapse in security is exploitable by the whole world instead of having to go through a first layer of VPN (no matter how weak it is, it's better than not having it).
> quite different from the old skiddies
Disagreed - if you look at the worst breaches ("Lapsus$", Equifax, etc), it was always down to something stupid - social engineering the vendor that conned them into handing them the keys to the kingdom, a known vulnerable version in a Java web framework, yet another NPM package being compromised and that they immediately updated to since the expensive, enterprise-grade Dependabot knockoff told them to, and so on.
I'm sure APTs and actual hacking exists in the right circles, but it's not the majority of breaches. You don't need APT to breach most companies.
I agree that we need to have "toothier" breach consequences.
The problem is that there's so much money sloshing around, that we have regulatory capture.
By using plywood in conjunction with other off-the-shelf parts and materials, we can change this equation to deliver more value while dramatically reducing costs.
If, due to unforeseen circumstances the habitat occupant can no longer sustain life, they're automatically entombed inside a makeshift plywood coffin—no costly recovery operations required. Logitech wireless game controller sold separately.
For a self-hosted use case.
Currently, manually SSH into VPs and updating env files but not sure if its best practice.
If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.
One option is to use separate "proxy" VMs that proxy traffic to the external services and applies the secret. The main application VM uses those proxy VMs to talk to the external services. This means a compromise of the application VM will not be able to exfiltrate any secrets - it will merely be able to make use of them (by talking to the proxy VMs) while the attacker still has access. Post-breach remediation becomes easier as not only do you not need to rotate the secret (as it wasn't stolen, merely misused) but your proxy VM can provide a tamper-proof audit log to tell which malicious activity has happened, if any.
- Depending on whether they use GH for deployments they can also introduce features to production that can help them
I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.
It seems like a cheap and simple thing to offer your customers a little extra safety.
Anybody interested in starting a platform agnostic service to do this?
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
This seems to be a case of someone accidentally publishing their github token somewhere else. I'm not sure how github would cheaply and easily prevent that. Though there are third party tools that scan your web presence for secrets, including trying wordlists of common files or directories
1: https://docs.github.com/en/code-security/secret-scanning/int...
2: https://docs.github.com/en/code-security/secret-scanning/int...
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
GitHub Advanced Security blocks the push, I believe.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options becomes absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, of which each has unique properties that ultimately drive the metadata on a particular listing for the SKU. Its wrought with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
[1]: https://images-na.ssl-images-amazon.com/images/G/01/rainier/...
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").
Is 8 before or after 4 in the alphabet?
If it were ordered by ordinal values, "/" is 47 and " " is 32, so "1 in" would come before "1/2 in".
It's not alphabetized by letter word. Because while "Eight" comes before "Four", "Specialty" would come before "Three".
No matter which way you attempt to order it, something is out of order.
Softtalker probably got it right. This is some default or id sort.
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
Not CostCo though! I open their page and immediately 'Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
I have to believe it’s intentional.
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in store wifi in order to search their website
It's a giant steel and concrete box, that's probably the reason.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Genearlly speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I literally watched someone Google "masonry bit" right in front of me.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
The best feature of Home Depot is order pickup. No need to explain to someone that some appliances use both 120V for control power and 240V power for the motor or heating element and therefore you need a 4-wire NEMA 14 series receptacle with a neutral conductor, you just buy one and pick it up from a locker. It’s made buying things from Home Depot tolerable for me.
I thought that was just me. It gets the first, maybe the second digit of the zip code right and that's about it.
https://www.reddit.com/r/Tools/comments/1opufvq/a_lightweigh...
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
[0] https://deflock.me/map#map=17/33.639428/-111.976540
[0] deflock.me
[1] https://www.youtube.com/watch?v=uB0gr7Fh6lY
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.
https://dan.bulwinkle.net/blog/trader-joes-does-not-have-sur...
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
I've found it to be very datetime dependent. I walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That’s damn good customer service right there, if you ask me. The fake-chipper act makes me want to dive into a wood chipper…
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
It was great.
But for actual help and humanity (if you can afford the price and the more limited selection), Ace is consistently better near where I am.