Good Morning! Today we’ll explore a significant security breach aboard the USS Manchester, where senior enlisted leaders installed an unauthorized Starlink network during deployment. We also examine a critical vulnerability in GitHub Actions, where typosquatting poses a potential threat to CI/CD pipelines. Finally, we delve into Canva's impressive data processing infrastructure, which handles a staggering 25 billion events daily, showcasing innovative solutions in large-scale analytics.

— Forrest Knight & Meghanadh Vasireddy

Navy Chiefs' Starlink Shenanigans

In a display of what not to do, senior enlisted leaders aboard the USS Manchester installed an unauthorized Starlink Wi-Fi network during a 2023 deployment. Led by then-Command Senior Chief Grisel Marrero, the chiefs secretly mounted a Starlink dish on the ship's exterior, dubbing their covert network "STINKY."

While the chiefs' desire for internet access is understandable, their actions posed significant risks:

• OPSEC Nightmare: The Starlink connection could potentially broadcast the ship's location to adversaries.

• Unauthorized Hardware: Installing non-approved equipment on a naval vessel violates numerous protocols.

• Shadow IT at Sea: The entire chiefs' mess was complicit, showcasing a breakdown in the chain of command.

The Fallout: Marrero faced court-martial and was reduced in rank to E-7. Other involved chiefs received administrative punishments. The Navy is now officially exploring Starlink deployment on ships, demonstrating that sometimes, bad ideas can lead to positive change – when implemented correctly and through proper channels.

Read More Here

GitHub Actions Typosquatting

GitHub Actions, our beloved CI/CD sidekick, has a potential weak spot. Turns out, a simple typo in your workflow file could redirect your build process to a malicious action.

The Research: Orca Security researchers set up 14 typosquatted GitHub orgs (think "actons" instead of "actions") and found that devs are indeed falling for the trap. In just two months, 12 public repos started calling their fake "actons" org. And that's just the tip of the iceberg – private repos could be even more affected.

This isn't just about your repo. A compromised action could:

• Exfiltrate sensitive data

• Inject backdoors

• Push malicious changes across your org

Even if only a handful of popular projects get hit, the downstream effects could be massive.

Quick tips to stay safe:

1. Double-check those action names

2. Stick to verified creators or highly-starred actions

3. Use version tags or commit SHAs

4. Educate your team on typosquatting risks

Read More Here

Canva's Analytics Pipeline: Handling 25 Billion Events Daily

Canva, the design platform we all know and love, is processing a whopping 25 billion events per day. That's 800 billion events monthly! This data powers everything from A/B testing to personalization features.

The Canva team has built a robust event delivery pipeline with some cool tech choices:

• Protobuf for schema definition: They're using Protobuf with a custom generator called Datumgen. This ensures all events have a machine-readable, well-documented schema with full transitive compatibility.

• Kinesis Data Streams (KDS) for data flow: After trying SQS/SNS and considering Apache Kafka, they settled on KDS for its cost-effectiveness and low maintenance.

Highlights:

1. Compression: They're batching events and using zstd compression, achieving a 10x compression ratio and saving $600K/year in AWS costs.

2. SQS Fallback: To handle KDS's occasional high tail latency, they use SQS as overflow protection, maintaining a p99 response time under 20ms.

3. Decoupled Router: They've separated the routing logic from the ingest-worker, allowing for flexibility in handling different consumer types.

The result? A scalable, reliable pipeline with 99.999% uptime. Pretty impressive, right? It's a great example of how smart architecture choices can lead to massive performance gains and cost savings.

Reads More Here

🔥 More Notes

• How the Adidas Platform Team Reduced the Cost of Running Kubernetes Clusters: Adidas reduced Kubernetes costs in AWS by up to 50% through measures like implementing the Karpenter autoscaler, automating Vertical Pod Autoscalers, and scaling down resources during non-office hours. The team also addressed underutilized nodes by implementing Kyverno policies to prevent problematic Pod Disruption Budget configurations.

• Telegram reportedly ‘inundated’ with illegal and extremist activity: A New York Times analysis found that the messaging platform Telegram has been "inundated" with illegal and extremist activity, including 1,500 channels operated by white supremacists, two dozen channels selling weapons, and at least 22 channels advertising drugs for delivery.

📹 Youtube Spotlight

Programmers Need More Math

Was this forwarded to you? Sign Up Here