Hacker News: zaltekk's comments

Related:

Amazon Ditches 'Just Walk Out' Checkouts at Its [Amazon Fresh] Grocery Stores

https://news.ycombinator.com/item?id=39908579


I wonder if the scammer is using emails and passwords from a breach against Facebook to access "reputable" accounts and then posting marketplace listings.


I believe what they changed is the ability for "everyone" to discover you to a 10 minute toggle. It defaults to always being discoverable to your contacts.

I assume that it still broadcasts your hashes even in the contacts-only mode, so you'd need to turn receiving off to stop that. Or go a step further and disable Bluetooth entirely* when you don't need it.

* If you disable Bluetooth in the Control Center pulldown it won't actually disable Bluetooth or beacons. It just won't connect to devices. You need to go into Settings to actually disable Bluetooth.


Your phone isn't passively broadcasting hashes if it's just an AirDrop receiver no matter what mode it's in. This vuln only poses a privacy risk for those sending AirDrops.


I understand why they put it on a 10 minute time-out, but it still makes me slightly sad. Sending (or receiving!) goofy cat pics on the subway had its own kind of charm.


Twitch public announcement: https://news.ycombinator.com/item?id=38939866

CNBC Prime Video and MGM Studios article (has the internal email at the end): https://news.ycombinator.com/item?id=38939871


Amazon also announced layoffs at Prime Video and MGM Studios today:

https://news.ycombinator.com/item?id=38939871


Amazon also announced layoffs at Twitch today:

https://news.ycombinator.com/item?id=38939866


The best I could tell is that it just makes a Docker image for you to deploy to EKS. I’m struggling to see why it’s got OS tacked on the end… it would still seem you’re running Linux and possibly they’ve changed some of the userland?

At first I thought this was going to be a unikernel model like MirageOS[1] is for OCaml, and now I’m disappointed[2].

[1] https://mirageos.org/

[2] Let’s be fair, I was going to be disappointed because of needing an Oracle license anyway.


If only that was the case! Cars have their own cellular modems and ship off your data without any end user involvement.


All cars? Man, I need to do something about that...but I never agreed to anything, though it may have saved my response since I am leasing the car.


Any modern car with eCall will. Some will even make you pay for it.


I'm not sure if I'm reading this correctly. The statements below are my understanding, but it'd be great if you can confirm to provide more color.

The pre-patch setup would just make the implicit trust policy explicit, meaning any user or role in the account with `sts:AssumeRole` on `*` could assume the role (which is still the default when no trust policy is specified).

This change improves the posture by adding a trust policy to the role that prevents any roles other than those two listed from assuming the role. So this is purely a defense in depth measure, and not really a security vulnerability (unless we say the default, implicit trust policy is a security vulnerability itself :P).


Another default policy to consider is any Lambda function role. They never specify which Lambda can assume them (because that would create a cyclical dependency). That means anyone with permissions to create a Lambda will be able to technically assume this role.

Just like you, I'm not arguing the defense in depth part. Always a good idea to put fine-grained permissions where possible. But I also find the "vulnerability" part a tiny bit overstated.


That's a bit different and (like ec2 and other services) governed by IAM:Passrole. Whoever creates the lambda or ec2 needs to be allowed to assign that role. Otherwise it would allow privilege escalation.
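A small audit of the two postures discussed in this thread, as an added example (not code from the thread or from AWS): it reads a role trust policy, lists which principals are granted sts:AssumeRole, and flags the account-root or wildcard principals that leave assumption gated only by the caller's own permissions. The account id, role names and both policies are constructed.

```python
"""Audit who may assume an IAM role from its trust policy (constructed
example, not code from the thread or from AWS). Flags the account-root
principal the thread calls the implicit trust; Conditions and Deny
statements are not evaluated, so treat findings as review prompts."""
import re

ACCOUNT = "123456789012"  # placeholder account id

# Weak posture: any identity in the account that itself holds
# sts:AssumeRole can assume the role.
IMPLICIT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}],
}

# Hardened posture: only two named roles may assume the role.
SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": [
                       f"arn:aws:iam::{ACCOUNT}:role/deploy-role",
                       f"arn:aws:iam::{ACCOUNT}:role/ci-role"]}}],
}

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}

def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def assumable_by(policy):
    """Return the set of AWS principals granted sts:AssumeRole."""
    principals = set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous wildcard: anyone at all
            principals.add("*")
        else:
            principals.update(_as_list(principal.get("AWS", [])))
    return principals

def findings(policy):
    """Principals that are effectively 'whole account' or 'anyone'."""
    return [f"broad principal in trust policy: {p}"
            for p in sorted(assumable_by(policy))
            if p == "*" or p.endswith(":root") or re.fullmatch(r"\d{12}", p)]
```

Run `findings(...)` over each role's trust document pulled from the account to get a list of roles whose assumption is scoped only by the caller's identity-based permissions rather than by the trust policy itself.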


Can you share a bit more about how open these roles are to remote candidates?

You list office locations and don't say remote, but then imply remote in the first paragraph. Anecdotally I've heard of people being remote on Apple security teams in the Seattle area, but every time I look at roles on jobs.apple.com they all appear as in office only.

