Conference:  Defcon 31

Authors: Cory Doctorow

2023-08-01

The enshittification of the internet follows a predictable trajectory: first, platforms are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die. It doesn't have to be this way. Enshittification occurs when companies gobble each other up in an orgy of mergers and acquisitions, reducing the internet to "five giant websites filled with screenshots of text from the other four" (credit to Tom Eastman!), which lets them endlessly tweak their back-ends to continue to shift value from users and business-customers to themselves. The government gets in on the act by banning tweaking by users - reverse-engineering, scraping, bots and other user-side self-help measures - leaving users helpless before the march of enshittification. We don't have to accept this! Disenshittifying the internet will require antitrust, limits on corporate tweaking - through privacy laws and other protections - and aggressive self-help measures from alternative app stores to ad blockers and beyond!

Conference:  Cloud Native SecurityCon North America 2022

Authors: Adrian Mouat

2022-10-24

The talk discusses techniques and tooling to address security concerns in building images for the secure supply chain.

• Provenance and reproducibility are major issues in the current state of security in IT.
• The distroless philosophy and using smaller base images can save from scan report purgatory.
• Updating images and dependencies is crucial.
• Using apko to build container images with SBOMs and complete reproducibility.
• Signing images with Sigstore.
• Cutting down dependencies by using smaller base images and keeping them up to date.
• Verifying signatures and using policy management tools to check for vulnerabilities.
• The vulnerability exploitability exchange can help filter vulnerabilities and cut down noise.
• Google container tools and digital images are small and perfect for running statically compiled binaries.
• The drawbacks of using Google container tools include a hard-to-extend list and difficulty in installing apps.
• Cutting down images to the minimum set of dependencies can drastically reduce noise in vulnerability reports.