
Submission + - Major AWS outage takes down Fortnite, Alexa, Snapchat, Signal, and more (theverge.com)

united_notions writes: Amazon Web Services (AWS) is currently experiencing a major outage that has taken down online services, including Amazon, Alexa, Snapchat, Fortnite, ChatGPT, Epic Games Store, Epic Online Services, and more. The AWS status checker is reporting that multiple services are “impacted” by operational issues, and that the company is “investigating increased error rates and latencies for multiple AWS services in the US-EAST-1 Region” — though outages are also impacting services in other regions globally.

Submission + - Xubuntu website may be compromised. (reddit.com)

An anonymous reader writes: Torrent downloads over at https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fxubuntu.org%2Fdownload%2F are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside.


Comment Re:Are the problems of mankind man-made? (Score 2, Insightful) 131

everyone with a brain knows Ukraine has been deliberately attacking a nuclear power plant because the Russians would have to be literally insane to be attacking a nuclear power plant that they control.

Russia has a history of deliberately doing dumb shit. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2F...

 

Submission + - An In-Depth Analysis of the US Gov VA.gov Front-End Source Code Exposed on Repo (medium.com)

An anonymous reader writes:

Introduction

The Department of Veterans Affairs (VA) maintains a comprehensive front-end codebase for VA.gov, hosted openly on GitHub under the repository department-of-veterans-affairs/vets-website. While open-sourcing code promotes transparency, collaboration, and community development, it also raises critical questions regarding security — especially when the codebase encompasses sensitive operational details of a government website serving millions of veterans.

See the link to the exposed code of the entire VA front-end website: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fgithub.com%2Fdepartment-...

This article provides an in-depth analysis of the security considerations associated with hosting the VA.gov front-end code publicly, referencing specific repository details, code snippets, and deployment practices. We explore whether such openness exposes vulnerabilities, how the code is secured during deployment, and best practices for safeguarding sensitive information.

Overview of the VA.gov Repository

The vets-website repository is a large, actively maintained codebase containing the front-end application code for VA.gov. Its structure includes configurations, scripts, application code, and documentation, with a focus on React, Webpack, ESLint, and other modern web development tools.

Key features include:

Modular React components.
Build and deployment scripts.
Testing frameworks (unit, Cypress E2E).
Environment variables and secret management.
Extensive configuration files for linting, styling, and deployment.

The repository is marked as public, with an explicit license (CC0-1.0), encouraging open collaboration but also requiring careful security practices.

The Security Context of Open Source Front-End Code

1. Public Repository Does Not Equal Public Exposure of Sensitive Data

Open-sourcing the codebase means that the source code, configuration files, and build scripts are accessible to anyone. This transparency allows security researchers, developers, and potential attackers to analyze the code for vulnerabilities.

Crucially:

The source code should not contain sensitive data such as API keys, secrets, or credentials.
Secrets and environment-specific configurations must be secured separately, typically via environment variables, secret management systems, or encrypted storage.

2. Potential Risks of Exposing the Code

While the code itself is typically non-sensitive, some risks include:

Disclosure of internal architecture or vulnerabilities that could be exploited if not properly secured.
Exposure of API endpoints or configurations that could be misused if not properly protected.
Insight into deployment practices, which could aid targeted attacks.

Security Measures in the VA.gov Front-End Codebase

1. Separation of Code and Secrets

The repository contains numerous configuration files and scripts, such as:

.env files (e.g., .env containing MAPBOX_TOKEN)
Configuration snippets in webpack, eslint, and other files.

These are designed not to include sensitive secrets directly. For example, the MAPBOX_TOKEN is stored as an environment variable, which should be kept secure during deployment.

Code Snippet:

// Example: Mapbox token usage
const MAPBOX_TOKEN = process.env.MAPBOX_TOKEN;

This indicates that sensitive tokens are expected to be stored outside the source code, in environment variables, which are not committed to the repository.

2. Environment Variable Management and Secrets

The documentation emphasizes that secrets like MAPBOX_TOKEN must be stored securely in environment variables or secret management systems, such as AWS Parameter Store. .gitignore files are used to prevent accidental commits of secrets.

3. Deployment Security

The actual live VA.gov website is deployed in secure environments, likely within Intranet DMZs or private cloud VPCs, with strict access controls, firewalls, and monitoring. The public code repository serves only as a source code reference, not as the deployment environment.

The Stark Reality: Billions in Losses Due to Mishandling Secrets

Despite these safeguards, the improper management of secrets and configuration files has led to catastrophic financial consequences — amounting to billions of dollars in losses across various sectors. When sensitive secrets such as API keys, access tokens, or passwords are inadvertently exposed or embedded in code, malicious actors can exploit these vulnerabilities to conduct data breaches, service disruptions, or fraud.

Recent incidents demonstrate that:

Secrets embedded in code or configuration files — even inadvertently — can lead to massive financial and reputational damage.
Exposed API endpoints and internal systems can be targeted for attacks, leading to operational downtime and regulatory penalties.
Failure to enforce strict secret management practices results in vulnerabilities that are costly to remediate.

In the context of VA.gov, mishandling secrets or misconfigurations could potentially lead to significant financial and security repercussions — not just for the organization but also for the millions of veterans relying on its services.

Code Security Best Practices and VA.gov

1. Secure Storage of Secrets

Use of environment variables (process.env.*) ensures secrets are not embedded in code.
Secrets are managed via AWS Parameter Store, HashiCorp Vault, or other secure systems, with access restricted to authorized personnel and systems.

2. Access Controls and Auditing

Deployment pipelines enforce strict access controls.
Only authorized DevSecOps personnel handle secrets and deployment.
Continuous monitoring and auditing of deployment activities are standard practices.

3. Code Review and Vulnerability Testing

Regular static code analysis (via tools like ESLint, Code Climate).
Security audits and vulnerability assessments.
Automated testing for known security issues.

Potential Vulnerabilities and Their Mitigation

Vulnerability                | Explanation                                  | Mitigation Strategies
-----------------------------|----------------------------------------------|--------------------------------------------------------------------
Secrets in code              | Accidental embedding of API keys or secrets  | Enforce .gitignore, environment variables, secret management systems
Exposed API endpoints        | Public analysis reveals internal endpoints   | Proper API security, rate limiting, authentication
Code vulnerabilities         | Bugs or insecure code patterns               | Code reviews, static analysis, security testing
Deployment misconfigurations | Improper environment setup                   | Infrastructure as code, automated deployment, access controls

Conclusion

Hosting the VA.gov front-end code openly on GitHub does not inherently compromise security, provided that:

Sensitive data and secrets are never stored in the source code.
Secrets are managed securely outside of the repository, via environment variables and secret management systems.
Deployment environments and infrastructure are properly secured within private networks or DMZs.
Regular security audits are performed to identify and remediate vulnerabilities.

However, the broader lesson is clear: mismanagement of secrets and configuration files can lead to billions in losses. Vigilance, adherence to best practices, and robust security controls are essential to safeguarding sensitive information and ensuring the integrity of critical government infrastructure.

In summary:

While open-sourcing code fosters transparency and collaboration — which can improve security through community review — strict security controls around secrets, deployment, and infrastructure are paramount. This is especially crucial when the stakes involve billions of dollars and the security of services relied upon by millions.

References:

VA.gov Front-End Repository
Secrets Management Best Practices
Securing GitHub Repositories
If you require additional details on securing VA.gov infrastructure or code, consult VA cybersecurity policies or your organization’s DevSecOps team.

Comment Re:So... (Score 2, Informative) 77

Here is a running tally of republican sexual predators and kiddie diddlers. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.dailykos.com%2Fstori...

If someone has compiled a list of democrats I'll gladly post it too.

But this one really isn't much of a surprise. Trump's former "spiritual advisor" https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.texastribune.org%2F2...
