Decommission: Impossible
IT Brew // Morning Brew // Update
What happens to ‘retired’ devices?
September 03, 2024

It’s Tuesday! Back to labor, folks. We hope you got one last good cannonball in as summer winds down. Time to get going on all that leftover pasta salad.

In today’s edition:

Secrets in secondhand devices

Hardcoded? Noted

Strikeout

—Tom McKay, Billy Hurley, Patrick Lucas Austin

HARDWARE

Hardware? Not here

What happens to an enterprise device when it’s retired? Ideally, it’s decommissioned—whether that means wiped of all data and recycled, or outright destroyed.

But with so much hardware to go around, an awful lot of gear can slip into the ether. At DEF CON 32 in Las Vegas this August, Snap Security Engineer Matthew Bryant presented a method that allowed him to identify e-commerce listings for wayward IT assets en masse—including some of Apple’s.

Employing tools like Cloudflare Workers and reverse-engineered APIs, Bryant bypassed rate limiting and scraped 50 million listings from sites like eBay and Xianyu (Chinese shopping platform Taobao’s secondhand market). Bryant hoped they contained clues, like barcodes, indicating anything unusual or sensitive about the devices.

“The challenge is that the secrets we want are probably not outright in the item description,” Bryant told the audience. “Maybe the seller doesn’t even know what they’re selling.”

To extract data from images in bulk, Bryant tested several optical character recognition (OCR) tools. Tesseract, an open-source OCR model, had difficulty with the “very chic, gray-on-the-silver design” used by manufacturers like Apple, Bryant said. Vision, Google Cloud’s OCR API, worked well but was too expensive, he added.

Read the rest here.—TM

   

IT OPERATIONS

Embed time

For a coder racing against the clock, it’s tempting to embed credentials right inside one’s work. Hardcoded passwords speed up access when development requires entry to another application.

But slow down and hold your hardcoded horses! The workaround speeds testing at the expense of security—as demonstrated by recent reports and advisories from tech vendors.

“If you are hardcoding credentials, and you make the mistake of uploading your project into a public repo, and that public repo now has credentials for a corporate environment, that’s concerning, and that’s one of the risks of hardcoding credentials: It makes it much easier for a bad actor to access your environment,” Ed Lewis, practice director of secure development and cloud transformation at cyberadvisory Optiv, told IT Brew.

Security is hard! In January 2024, TechCrunch reported the leak of a Mercedes-Benz authentication token in a public GitHub repository. SolarWinds, on August 23, addressed a “hardcoded credential vulnerability” in its Web Help Desk software.

Read more here.—BH

   

IT OPERATIONS

Consolid gold

Cybersecurity company CrowdStrike is seeing more blue skies than blue screens of death, following a Q2 earnings call announcing increased quarterly profits, adjusted revenue expectations, and some “our bad” benefits for impacted customers. CrowdStrike’s chief exec expressed an optimistic outlook for the firm and did not appear intimidated by competitor claims that customers want to diversify their security vendors.

“Customers’ comments back to me are: they don’t want to go backwards. They don’t want a bunch of disparate products. They don’t want a bunch of different consoles,” George Kurtz, CrowdStrike CEO, said during the company’s August 28 announcement.

Earnings learnings. Though the company adjusted its annual profit-per-share expectations from $3.93–$4.03 in its previous quarterly announcement to $3.61–$3.65, CrowdStrike also announced total revenue of $963.9 million, a 32% year-over-year increase.

To address the “July 19 incident”—one impacting 8.5 million Windows machines, according to Microsoft—CrowdStrike said it plans to offer “customer commitment packages,” some combination of module ads, flexible payment terms, and added subscription time, which will impact revenue by approximately $60 million, the company said on the call.

Keep reading here.—TM

   

PATCH NOTES

Today’s top IT reads.

Stat: 70%. That’s the percentage of surveyed orgs that have deployed less than one-third of their generative AI projects. (ZDNet)

Quote: “There is no 1-800 number that you call and you get a pleasant lady answering the phone and telling you how much she wants in order to recover the systems.”—Ed Dubrovsky, chief operating officer at CYPFER, on negotiating with ransomware groups (The National)

Read: Bye, bye, WiFi? Light fidelity, or “LiFi,” is beginning its introductions. (CNET)

Copyright © 2024 Morning Brew. All rights reserved.