> We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.
Had to do that with a bank that refused to talk to me (I hit some kind of identity verification quagmire), but they quickly got someone able to call me and close it on the spot.
Obviously we would all like a full post mortem from the Home Depot side, but in today's litigious shareholder-value-driven world their response is the correct one.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vertex project keys _might_ be! I had to "import project" before I could find where the key is. Google knew the key was exposed, but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
I shudder to think of the implications.
Consider all the security disasters we already get from brogramming, and multiply that, times 100.
All while there's no budget for those that actually develop and operate the software (so you get insecure software), those that nevertheless do their best are slowed down by all the security theater, and customer service is outsourced to third-world boiler rooms so exploiting vulnerabilities doesn't even matter when a $100 bribe will get you in.
It's "the emperor has no clothes" all the way down: because any root-cause analysis of a breach (including by regulators) will also be done by those without clothes, it "works" as far as the market and share price is concerned.
Source: been inside those "companies of public significance" or interacted with them as part of my work.
See SolarWinds, Microsoft, etc.
The main issue seems to be that our artifacts are now so insanely complex that there are too many holes, and modern hackers are quite different from the old skiddies.
In some ways, it’s possible that AI could be a huge boon for security, but I’m worried, because its training data is brogrammer crap.
Actual security on the other hand has decreased. I think one of the worst things to happen to the industry is "zero trust", meaning now any exposed token or lapse in security is exploitable by the whole world instead of having to go through a first layer of VPN (no matter how weak it is, it's better than not having it).
> quite different from the old skiddies
Disagreed - if you look at the worst breaches ("Lapsus$", Equifax, etc), it was always down to something stupid - social engineering the vendor that conned them into handing them the keys to the kingdom, a known vulnerable version in a Java web framework, yet another NPM package being compromised and that they immediately updated to since the expensive, enterprise-grade Dependabot knockoff told them to, and so on.
I'm sure APTs and actual hacking exists in the right circles, but it's not the majority of breaches. You don't need APT to breach most companies.
I agree that we need to have "toothier" breach consequences.
The problem is that there's so much money sloshing around, that we have regulatory capture.
I feel like with all this granular key management across everything, dev, life, I might be more insecure, but god damn, I don't feel like I know what is going on.
Claude (or other LLMs, for that matter) wouldn't know they leaked the keys because I did, by trying to make the construction logs public. I just wasn't expecting the logs to have keys in them from my env vars.
By using plywood in conjunction with other off-the-shelf parts and materials, we can change this equation to deliver more value while dramatically reducing costs.
If, due to unforeseen circumstances the habitat occupant can no longer sustain life, they're automatically entombed inside a makeshift plywood coffin—no costly recovery operations required. Logitech wireless game controller sold separately.
The LiDAR option on the armature was eschewed due to cost in favor of an in-house, camera-based vision model that has thus far reduced the number of safety incidents that later result in amputation (knock on plywood) while increasing manufacturing output.
Pressure vessel construction still remains a point of concern on account of recent trends which indicate a rise in errant armature misfires when gripping tools that facilitate the application of nails and staples to the plywood superstructure.
- Depending on whether they use GH for deployments they can also introduce features to production that can help them
I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.
For a self-hosted use case.
Currently, I manually SSH into VPSes and update env files, but I'm not sure if it's best practice.
If your vendors support IP-based restrictions (few do, thanks to "zero trust" and other bullshit), a very strong defense would be to enable that and restrict use of those secrets to your server's IP, so that the tokens become useless to anyone else even if leaked.
One option is to use separate "proxy" VMs that proxy traffic to the external services and apply the secret. The main application VM uses those proxy VMs to talk to the external services. This means a compromise of the application VM will not be able to exfiltrate any secrets - it will merely be able to make use of them (by talking to the proxy VMs) while the attacker still has access. Post-breach remediation becomes easier, as not only do you not need to rotate the secret (as it wasn't stolen, merely misused), but your proxy VM can provide a tamper-proof audit log to tell which malicious activity has happened, if any.
It seems like a cheap and simple thing to offer your customers a little extra safety.
Anybody interested in starting a platform agnostic service to do this?
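The proxy-VM pattern described above, reduced to its decision logic, as an added example (not code from the thread or from any product mentioned in it): the application VM sends requests without any credential, the proxy holds the vendor key, enforces a host allowlist, attaches the key, refuses requests that carry their own credential header (so a compromised app cannot use the proxy to try stolen keys against the vendor), and writes every decision to a hash-chained append-only audit log. All hosts, header names and key values are constructed placeholders.

```python
"""
Added example: core of a secret-applying egress proxy with a tamper-evident
audit log. Hosts, headers and key values are constructed placeholders.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Constructed credentials. On a real proxy VM these live in the proxy's own
# secret store; the application VM never sees them.
SECRETS = {
    "api.github.com": ("Authorization", "Bearer ghp_EXAMPLE000000000000000000000000000000"),
    "api.vendor.example": ("X-Api-Key", "vendor-key-example"),
}


class PolicyViolation(Exception):
    """Raised (and logged) when a request must not leave the proxy."""


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: dict


@dataclass
class AuditLog:
    """Append-only log; each entry's hash covers the previous hash, so editing
    or deleting an earlier entry breaks every later one."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def append(self, event: dict) -> str:
        payload = json.dumps({"prev": self.last_hash, **event}, sort_keys=True)
        self.last_hash = hashlib.sha256(payload.encode()).hexdigest()
        self.entries.append({"hash": self.last_hash, **event})
        return self.last_hash

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k != "hash"}
            payload = json.dumps({"prev": prev, **event}, sort_keys=True)
            if hashlib.sha256(payload.encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def apply_secret(req: Request, log: AuditLog) -> Request:
    """Return the outbound request with the vendor credential attached.

    Denies unknown hosts, and denies requests where the app already set a
    credential header: a compromised app must not be able to use the proxy
    to test stolen keys against the vendor, nor override the injected one.
    Every decision is logged before the function returns or raises.
    """
    record = {"method": req.method, "host": req.host, "path": req.path}
    if req.host not in SECRETS:
        log.append({**record, "outcome": "deny", "reason": "host not allowed"})
        raise PolicyViolation(f"host not allowed: {req.host}")
    header, value = SECRETS[req.host]
    forbidden = {"authorization", header.lower()}
    if any(h.lower() in forbidden for h in req.headers):
        log.append({**record, "outcome": "deny", "reason": "client supplied credential header"})
        raise PolicyViolation("client supplied its own credential header")
    log.append({**record, "outcome": "allow"})
    return Request(req.method, req.host, req.path, {**req.headers, header: value})


if __name__ == "__main__":
    log = AuditLog()
    out = apply_secret(Request("GET", "api.github.com", "/user", {"Accept": "application/json"}), log)
    print(out.headers)
    print("log intact:", log.verify())
```

In a deployment this logic sits behind an ordinary HTTP proxy on the proxy VM, with the key readable only by the proxy process; the application VM's network policy allows egress to the proxy only, not to the vendor directly, or the allowlist is pointless. The chained log is tamper-evident, not tamper-proof: ship it off the proxy VM (or anchor the latest hash elsewhere) so an attacker who reaches the proxy cannot simply truncate it.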
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
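To show the gap the comment above points at, here is an added example (not from the thread, and not any scanning service's code) that scans every commit reachable from any ref of a git repository, rather than only the default branch, for GitHub token shapes. It assumes `git` is on PATH; the demo repository and its token are constructed, and the token body lengths are taken from GitHub's published formats and are an assumption of this example.

```python
"""
Added example: scan all reachable git history (every branch, tag and
remote-tracking ref) for GitHub token shapes, not only the default branch.
Assumes `git` is on PATH. Demo repository and token are constructed.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Public prefixes GitHub uses for its tokens; body lengths follow the
# published formats and are an assumption of this example.
ERE_PATTERN = r"(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}"
TOKEN_RE = re.compile(r"\b(?:" + ERE_PATTERN + r")\b")

# Constructed token for the demo: correct shape, not a real credential.
FAKE_TOKEN = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"


def _git(repo, *args, check=True):
    return subprocess.run(["git", "-C", repo, *args],
                          capture_output=True, text=True, check=check)


def scan_trees(repo, trees):
    """One `git grep` across the given commits; returns deduplicated hits
    with the token truncated so the report itself is not a leak."""
    if not trees:
        return []
    # git grep exits 1 when nothing matched, so do not treat that as an error
    out = _git(repo, "grep", "-I", "-n", "-E", ERE_PATTERN, *trees, check=False).stdout
    findings, seen = [], set()
    for line in out.splitlines():
        parts = line.split(":", 3)          # commit:path:lineno:content
        if len(parts) != 4:
            continue
        commit, path, lineno, content = parts
        for m in TOKEN_RE.finditer(content):
            if (path, m.group(0)) in seen:
                continue
            seen.add((path, m.group(0)))
            findings.append({"commit": commit[:12], "path": path,
                             "line": int(lineno), "token": m.group(0)[:8] + "..."})
    return findings


def scan_default_branch(repo):
    """What a default-branch-only scanner sees."""
    return scan_trees(repo, ["HEAD"])


def scan_all_history(repo):
    """Every commit reachable from any ref, including branches that were
    never merged and commits whose secret was later 'deleted'."""
    return scan_trees(repo, _git(repo, "rev-list", "--all").stdout.split())


def make_demo_repo():
    """Constructed fixture: clean default branch, plus a dev branch whose
    .env holds FAKE_TOKEN. Returns the repository path."""
    repo = tempfile.mkdtemp(prefix="secret-scan-demo-")
    subprocess.run(["git", "init", "-q", repo], capture_output=True, check=True)
    _git(repo, "config", "user.email", "demo@example.invalid")
    _git(repo, "config", "user.name", "demo")
    _git(repo, "config", "commit.gpgsign", "false")
    Path(repo, "README.md").write_text("nothing to see here\n")
    _git(repo, "add", "README.md")
    _git(repo, "commit", "-q", "-m", "clean default branch")
    default = _git(repo, "rev-parse", "--abbrev-ref", "HEAD").stdout.strip()
    _git(repo, "checkout", "-q", "-b", "dev")
    Path(repo, ".env").write_text(f"GITHUB_TOKEN={FAKE_TOKEN}\n")
    _git(repo, "add", ".env")
    _git(repo, "commit", "-q", "-m", "add env (oops)")
    _git(repo, "checkout", "-q", default)   # back to the clean branch
    return repo


if __name__ == "__main__":
    repo = make_demo_repo()
    print("default branch only:", scan_default_branch(repo))
    print("all history:", scan_all_history(repo))
```

Passing the output of `git rev-list --all` to `git grep` is what makes the difference: the default-branch scan returns nothing while the full-history scan finds the `.env` on `dev`. A secret removed in a later commit is still reachable the same way, so a hit anywhere in history means the token needs revoking, not just deleting.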
This seems to be a case of someone accidentally publishing their GitHub token somewhere else. I'm not sure how GitHub would cheaply and easily prevent that. Though there are third-party tools that scan your web presence for secrets, including trying wordlists of common files or directories.
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
GitHub Advanced Security blocks the push, I believe.
1/2 in
1/4 in
1 in
3/8 in
3/4 in
Specialty
Here is the same list in decimal to make the insanity plainly obvious:
0.5
0.25
1
0.375
0.75
What sadistic lunatic made that sort order?! It's not based on size and it's not alphabetic.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options become absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, each of which has unique properties that ultimately drive the metadata on a particular listing for the SKU. It's fraught with inconsistency, duplicated fields, and oftentimes not up-to-date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
[1]: https://images-na.ssl-images-amazon.com/images/G/01/rainier/...
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
1/2 in
1 in
1/4 in
3/8 in
3/4 in
7/16 in
I had a major WTF moment there, until I realized that's probably for a hex driver (and thus something totally different than what I think of when someone says "impact wrench").
Is 8 before or after 4 in the alphabet?
If it were ordered by ordinal values, "/" is 47 and " " is 32, so "1 in" would come before "1/2 in".
It's not alphabetized by letter word. Because while "Eight" comes before "Four", "Specialty" would come before "Three".
No matter which way you attempt to order it, something is out of order.
Softtalker probably got it right. This is some default or id sort.
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
Not Costco though! I open their page and immediately "Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
I have to believe it’s intentional.
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
Also, when I'm in my local store it seems like the cell connection goes to shit for some reason, and then I have to jump on their in-store wifi in order to search their website.
It's a giant steel and concrete box, that's probably the reason.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Generally speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I literally watched someone Google "masonry bit" right in front of me.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
The best feature of Home Depot is order pickup. No need to explain to someone that some appliances use both 120V for control power and 240V power for the motor or heating element; or that you’re installing a receptacle to backfeed a 120/240V panel with a 120/240V generator and therefore you need a 4-wire NEMA 14 series receptacle with a neutral conductor, you just buy one and pick it up from a locker. It’s made buying things from Home Depot tolerable for me, I’m used to buying material from supply houses where the folks are knowledgeable, I know that’s not the case at HD so I don’t even bother asking.
I thought that was just me. It gets the first, maybe the second digit of the zip code right and that's about it.
https://www.reddit.com/r/Tools/comments/1opufvq/a_lightweigh...
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on foodstamps.
https://dan.bulwinkle.net/blog/trader-joes-does-not-have-sur...
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
I've found it to be very datetime dependent. I was walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That’s damn good customer service right there, if you ask me. The fake-chipper act makes me want to dive into a wood chipper…
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Philips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
It was great.
But for actual help and humanity (if you can afford the price and the more limited selection), Ace is consistently better near where I am.