Sorry, I didn't have the patience to fully read this clickbait. If you use 3rd party packages (aka FOSS, Open Source, whatever they call it), those vulnerabilities are a by-product of using the 3rd party package; it is the cost of doing business. They make SCA tools, even free ones, to identify these issues. IMO, importing, updating, and using 3rd party packages in your development process are a part of technical debt and cyber hygiene, nothing more, nothing less.
TL;DR Don't be dumb, update your packages and don't use vulnerable ones.
iPhones at least randomly change MAC addresses as an anti-tracking measure. Besides, when I travel with my wife, do I really want to have to give the MAC addresses of both of our laptops, both of our phones, and both of our iPads?
Please, God, no... don't do this. This is exactly how security vulnerabilities are introduced. Validate input and use parameterized queries over something like this...
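To make the comment's advice concrete, here is an added example (not code from the thread or from the article it discusses) that puts a string-formatted query next to a parameterized one and adds an input check on top. It assumes a constructed in-memory SQLite table named `users` and a hypothetical username format; the attacker string is a constructed classic tautology payload.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The user-controlled value is pasted into the SQL text, so it can
    # change the grammar of the statement, not just the value compared.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # The driver sends the value separately from the statement text; the
    # database compares it as data and it can never become SQL syntax.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Hypothetical username policy assumed for this example: lowercase
# alphanumerics and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name):
    # Reject anything outside the allowed alphabet before it reaches the query.
    if not isinstance(name, str) or not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username: {name!r}")
    return name


def lookup_hardened(conn, name):
    # Belt and braces: validate the shape of the input, then bind it.
    return lookup_parameterized(conn, validate_username(name))


def demo():
    conn = make_db()
    payload = "' OR '1'='1"  # constructed tautology payload
    result = {
        "vulnerable": lookup_vulnerable(conn, payload),
        "parameterized": lookup_parameterized(conn, payload),
    }
    try:
        lookup_hardened(conn, payload)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The string-formatted version returns every user for the payload because the injected `OR '1'='1'` rewrites the `WHERE` clause; the parameterized version returns nothing because it looks for a user literally named `' OR '1'='1`, and the hardened version refuses the input before a query is even built.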
If you know folks in your company are writing things you are interested in, reach out. Most of those people are happy that someone is taking an interest in what they are doing. The information that they will provide will be meaningful and valuable. Use what you learn from those conversations and leverage it in your daily job functions to better position yourself for future roles/jobs/projects.
I don't think this should be a standard per se. Maybe more of what is the best fit for your risk appetite, because I could easily see this as a flag welcoming people to attack your website looking for bounties. If that is the case, how are your blue team people going to know the difference?
As far as the info contained within the txt file, there should only be an email address or contact info for if you found something serious, absolutely nothing more. No reason to intentionally/unintentionally provide information used for recon.
About the automated scanners... adjust your scope to avoid the file.
The reason for these folks unionizing is not the traditional reasons (higher wages, better benefits, work-life balance, keeping the company from running you over, etc.). This is more along the lines of being able to protest work that is considered unethical (i.e. the AI noted in the article, working with other gov'ts, etc.) and not be penalized or fired for it. Unfortunately, I don't believe that a union is the answer to their problem, because so long as there is money to fund a project there will be people lined up to work.
Change that `except Exception:` to just a bare `except:` to catch KeyboardInterrupt as well and prevent Ctrl+C from killing any of them while it expands.
But what's your point? You can also be a jerk and do
$ cat nice.sh
rm -rf $HOME
$
In the end the user trusts the program/script to not be harmful. That's why we have the browser platform (which shields programs (aka web apps) from the local file system) and advanced permission management in the popular app stores ("this app wants to access your local file system").
> That's why we have the browser platform (which shields programs (aka web apps) from the local file system) and advanced permission management in the popular app stores ("this app wants to access your local file system").
Don't tell browsers that. JavaScript hooks for everything, from your clipboard (hope you don't use a password manager), to Bluetooth (oh, you like screaming in your music?), and even your USB devices (is your $HOME mounted over USB?)...