
https://x.com/rauchg/status/2045995362499076169

> A Vercel employee got compromised via the breach of an AI platform customer called http://Context.ai that he was using.

> Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments.

> We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration.

> We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.

Still no email blast from Vercel alerting users, which is concerning.


> We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel.

Blame it on AI ... trust me... it would have never happened if it wasn't for AI.


> We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI.

Reads like the script of a hacker scene in CSI. "Quick, their mainframe is adapting faster than I can hack it. They must have a backdoor using AI gifs. Bleep bleep".


> Still no email blast from Vercel alerting users, which is concerning.

On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams.

But on the other hand... It's Sunday. Unless you're tuned-in to social media over the weekend, your main provider could be undergoing a meltdown while you are completely unaware. Many higher-up folks check company email over the weekend, but if they're traveling or relaxing, social media might be the furthest thing from their mind. It really bites that this is the only way to get critical information.


> On the one hand, I get that it's a Sunday, and the CEO can't just write a mass email without approval from legal or other comms teams

This is not how things work. In a crisis like this there is a war room with all stakeholders present. Doesn’t matter if it’s Sunday or 3am or Christmas.

And for this company specifically, Guillermo is not one to defer to comms or legal.


If he's not one to defer to Comms or legal, maybe this one is so bad that he's acting differently than he normally would


> the CEO can't just write a mass email without approval from legal or other comms teams.

They can be brought in to do their job on a Sunday for an event of this relevance. They can always take next Friday off or something.


Has anyone actually gotten an email from Vercel confirming their secrets were accessed? Right now we're all operating under the hope (?) that since we haven't (yet?) gotten an email, we're not completely hosed.


Hope-based security should not be a thing. Did you rotate your secrets? Did you audit your platform for weird access patterns? Don’t sit waiting for that vercel email.


Of course rotated. But we don't even know when the secrets were stolen vs we were told, so we're missing a ton of info needed to _fully_ triage.


> Did you rotate your secrets?

For most secrets they are under your control so, sure, go ahead and rotate them, allowing the old version to continue being used in parallel with the new version for 30 minutes or so.

For other secrets, rotation involves getting a new secret from some upstream provider and having some services (users of that secret) fail while the secret they have in cache expires.

For example, if your secret is a Stripe key, generating a new key should invalidate the old one (not too sure, I don't use Stripe), at which point the services with the cached secret will fail until the expiry.
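
The two rotation cases described in this comment, as an added example that is not code from Vercel or from anyone in the thread: a secret holder that keeps the retired value valid for a 30-minute overlap window, and the upstream-provider case where no overlap is possible so consumers still holding the old value fail immediately. The class and the constructed secret strings are assumptions for illustration.

```python
"""Secret rotation with and without an overlap window (added example).

Models the comment above: after rotation the new secret is 'current' and
the old one stays accepted for OVERLAP_SECONDS, then is rejected. When the
upstream provider invalidates the old key on generation, rotate with
overlap=False and any consumer presenting the cached old key fails at once.
Clock values are passed in explicitly so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import hmac
import secrets

OVERLAP_SECONDS = 30 * 60  # grace period for the retired secret


@dataclass
class RotatingSecret:
    current: str
    previous: Optional[str] = None
    previous_expires_at: Optional[float] = None
    # Audit trail: rotations and uses/rejections of the retired secret,
    # the "weird access patterns" a later comment says to look for.
    events: List[Tuple[str, float]] = field(default_factory=list)

    def rotate(self, now: float, new_secret: Optional[str] = None,
               overlap: bool = True) -> str:
        """Install a new secret. With overlap, the old one lives until
        now + OVERLAP_SECONDS; without it (provider-issued key that is
        invalidated on regeneration) the old one dies immediately."""
        if overlap:
            self.previous = self.current
            self.previous_expires_at = now + OVERLAP_SECONDS
        else:
            self.previous = None
            self.previous_expires_at = None
        self.current = new_secret or secrets.token_urlsafe(32)
        self.events.append(("rotated", now))
        return self.current

    def verify(self, presented: str, now: float) -> Optional[str]:
        """Return 'current', 'previous' (inside the window) or None.
        Comparisons are constant-time over the UTF-8 bytes."""
        if hmac.compare_digest(presented.encode(), self.current.encode()):
            return "current"
        if self.previous is not None and hmac.compare_digest(
                presented.encode(), self.previous.encode()):
            if now < self.previous_expires_at:
                self.events.append(("previous_used", now))
                return "previous"
            self.events.append(("expired_previous_rejected", now))
        return None


if __name__ == "__main__":
    # Constructed demo values, not real secrets.
    s = RotatingSecret(current="old-api-key-CONSTRUCTED")
    s.rotate(now=0.0, new_secret="new-api-key-CONSTRUCTED")
    print(s.verify("old-api-key-CONSTRUCTED", now=60.0))    # previous
    print(s.verify("old-api-key-CONSTRUCTED", now=1800.0))  # None
```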


nope...I feel u, the "Hope-based security" is exactly what Vercel is forcing on its users right now by prioritizing social media over direct notification.

If the attacker is moving with "surprising velocity," every hour of delay on an email blast is another hour the attacker has to use those potentially stolen secrets against downstream infrastructure. Using Twitter/X as a primary disclosure channel for a "sophisticated" breach is amateur hour. If legal is the bottleneck for a mass email during an active compromise, then your incident response plan is fundamentally broken.


> the CEO can't just write a mass email without approval from legal or other comms teams

Wouldn't the CEO be... you know... the chief executive?


Sure, and the reason he is is because he DOES check stuff like this before sending it out.

Top leaders excel because they assemble a team around them they trust. You can't do everything yourself, you need to delegate. And having people in those positions also means you shouldn't be acting alone or those people will not stick around


I disagree. In a crisis, a leader should take the lead and make decisions. If he/she is not able to that on their own, they are in the wrong place.

Now I will agree that there are many executives like the ones you describe. But they are not top leaders.


So you’re telling me a CEO must also be a practicing lawyer? Because any other option is how you guarantee your company gets sued into oblivion.


First of all, I would expect a top leader to be prepared for scenarios like this (including templates of customer communication).

And yeah, I would expect a CEO to have enough legal knowledge to handle such a situation (customer communication) on his own.

But I also have to mention that I'm not in the US. Not every country has the litigation system of the US where you can basically destroy a company because you as the customer are too dumb to not spill hot coffee over yourself.


> you as the customer are too dumb to not spill hot coffee over yourself

presuming you're referring to the hot coffee lawsuit, maybe read details of the story. McDonalds wasn't at all blameless, and the plaintiff had reasonable demands


You expect the CEO of a company to have the legal depth of knowledge AND knowledge of all their customers, contracts and SLAs to be able to wing a communication and not somehow trip over all of that? They also should understand every possible legal jurisdiction that could be affected? You realise even the head of their legal department (a HIGHLY competent lawyer) likely wouldn’t say they could do that without speaking to the key people in their team?

Should the CEO also bang out some dev estimates for the roadmap because, hey, they should be competent enough to do something like that. Why not submit the accounts for the year? How hard can it be, just reading a few lines off their Sage or Quickbooks accounts?


Let me be more clear on what I mean by “wing it,” because “having templates” doesn’t really cut it. Anyone can bang out a “we have a problem” template, so why does the CEO need to attach their name to it? Once you’re at the point of needing a CEO to communicate, you have a specific problem, with its own specific impacts that a single person can not be expected to have enough depth of knowledge in their brain to actually talk about without involving their domain experts, including legal, technical, whatever the situation needs.


> can not be expected to have enough depth of knowledge in their brain to actually talk about

What is the use of a CEO if not to have enough depth of knowledge about the different aspects of running a business?

Like what? Poor little CEO that doesn't understand anything about the world and how to run a company. Seems like helplessness is expected at every stage.


> What is the use of a CEO if not to have enough depth of knowledge about the different aspects of running a business?

Bit of a difference between “having depth of knowledge in their business” and “can speak off-the-cuff with the necessary accuracy to remain in compliance with every contract and legal jurisdiction their organisation is engaged in, without consulting the numerous domain experts they employ for just this purpose,” isn’t there.

Also, such a situation that requires the CEO’s direct attention has already gone FAR beyond your standard incidents where you can throw out a pre written statement. Do you want your organisation just cuffing it from the top down? Are you Elon Musk in disguise?


What use is a CEO if they can't take the lead in times like this?

If they are unprepared frankly they suck as CEO and should be thrown out. If only competency was a requirement for these jobs...


Take the lead couldn't be more different than act by themselves.

Take the lead, yes they should be able to as that's the job pretty much.

Act by themselves, sure they can make decisions in small cases. But on big things you hear everybody's input, weigh it, and only if needed, cast the deciding vote.


That’s not what I said though, is it?


I'm going down with the ship over on X.com the Everything App. There's a parcel of very important tech people that are running some playbook where posting to X.com is sufficient enough to be unimpeachable on communication, despite its rather beleaguered state and traffic.


Usually, companies have procedures for such events. But most do not.


Usually have procedures, but most don't? Say again


The disaster plan says there is a process, but it has never been used and is probably outdated. Chances are the social media strategy requires posting on the Facebook and updating key Circles on Google+


Yes, they say we have backup procedures, but have they ever tested that the backups work? They write procedures to please auditors:)


Production network control plane must be completely isolated from the internet with a separate computer for each. The design I like best is admins have dedicated admin workstations that only ever connect to the admin network, corporate workstations, and you only ever connect to the internet from ephemeral VMs connected via RDP or similar protocol.


> an AI platform customer called http://Context.ai that he was using

Hmm? Who is the customer in this relationship? Is Vercel using a service provided by Context.ai which is hosted on Vercel?


Surprising velocity? It appears the hackers had the oauth key for a month.


Serious question: why?

Most people I know who object to full-body millimeter-wave scanners either do so on pseudoscientific health claims, or “philosophical” anti-scanner objections that are structurally the same genre as sovereign-citizen or First-Amendment-auditor thinking.


I should not need to show an anonymous TSA agent my genitals, even if they are in black and white on some monitor they're viewing in some back room, to get on a plane.


> I should not need to show an anonymous TSA agent my genitals

Unless you want to!


I'd agree with this, but TSA scanners do not show anatomical details.


At least currently the images are never seen by a person and are deleted after ATR.


Sure thing, and my Facebook account was hard deleted when I asked them to.


Are you implying that Mark Zuckerberg is a liar, sir?


You'll need to add a /s, else most here won't realize you're being sarcastic.

You are, right?


"Fool me twice...can't get fooled again"


I could ask the same serious question, why should I have to? There is zero reason to suspect me of being a suicidal maniac. Should we have such scanners to walk into a busy store or bus or subway system? Why don't private pilots and passengers have such screenings?


Tangential: Here in India we have security guards with hand-held metal detectors in malls, railway stations, and urban transit rails (metro) stations.

The first time I visited a different country I was surprised to see my friend accompany me to the check-in counter and even further to drop me off. In India they wouldn't let you enter the airport if your flight doesn't depart soon enough.


I don't think anyone in the US really cares about metal detectors, humans don't naturally contain metal and it is done completely hands off with no extra visual or biometric information or saved data. Plenty of people in this thread who opted out of other security measures still walked through a metal detector without any special note. Court houses and police stations often have metal detectors that even a Senator or President would have to walk through. The same cannot be said of direct imaging of your body though or facial recognition or anything. If you wouldn't put your children through the process to go into school each day then it seems completely bonkers to require it for any form of mass transit.


It used to be normal in the U.S. to walk people to the gate until 9/11.

Now you can escort someone to the check-in counter and up to the security checkpoint, and meet people at the luggage area to help with bags.

But in practice it seems rare to do so if there isn’t a particular reason, probably because you’d have to pay to park or ride transit and it’s usually a trek beyond that. Honestly if they allowed you to go through security with the passenger and wait at the gate, I’m not sure how many people would even do it here (or how many passengers would want their loved ones to do so).


Pre 9/11 you could go through (useless) security without a ticket but longer ago there wasn't even security. And in some places the "gate" was...a gate. In a fence. So being at the gate meant walking from the street up to the fence. Good times.


You can walk someone to the gate, you just have to have a ticket.


Post 9/11 you could get a waiver from the ticket counter to escort someone thru security all the way to the gate. Dunno if that's a thing anymore, but I had them print out a paper and showed it at security several times in the mid 2000s.


A gate pass is a thing to pick up or drop off people who will be flying as unaccompanied minors. I don’t know what other circumstances allow their issue, but when I did it a couple years ago, everyone seemed to know the process, so it’s not that rare.


not letting outside people at the luggage area seems fine to me, if anyone could enter there the amount of stolen baggage would skyrocket.


There are legit health reasons to opt out of the scanner. I know because I have one of those conditions and have never been through the scanner.


That's fine, but you don't need a health condition, legit or otherwise, to opt out. It's enough to say "I would like to opt out."


Millimeter wave scanners have a health exemption? Like because it would always detect something on your body?


What is an example of such a condition?


Pacemaker, pregnancy, probably others.


Studies have all come out clean on pacemakers and mmWave. No detectable interference in the hardware or on an EKG while in a mmWave scanner.

I could imagine other conditions potentially but pacemakers have been ruled a non issue for mmWave by academic studies (albeit I can understand still exercising caution despite that).


Have they done thorough, decades-long studies on millimeter-wave machines to ensure they have absolutely no long-term adverse health effects?


Tbh I'm not sure but they've done accelerated dosage testing to simulate long term use by repeatedly exposing people to use of the machine over a more frequent period of time.

But mmWave really just is not dangerous. Current generation 5G cellular and WiFi standards are mmWave and they are just as harmless.

Molecular damage just starts showing up with THF/terahertz emissions band but mmWave is in the EHF and has more than 10x the wavelength of THF (i.e. it is far wider/more gentle than THF). In a very real sense mmWave can't even interact with most of the molecules in your body.

mmWave can interact with the water in your body but at the levels it's being used it's only really useful for seeing the water. You'd need orders of magnitude more powerful emissions than what these scanners use to actually cause damage at that frequency.

i.e. It's the difference between using the flashlight on your phone to see in the dark and using the concentrated light from solar-thermal heliostats to boil water or heat molten salt. No matter how hard you try, your flashlight is never gonna boil water.


Mass hysteria.


Then why do they routinely send kids through the (non-invasive) metal detectors, while adults get sent through the millimeter-wave scanners?


I think it’s a mistake to assume these policy decisions all have peer-reviewed science behind them.


To me it's just a vote against the profiteers who make those machines.

Also I kinda like the process better; the pat-down is nothin', and you can have a full table to yourself to recombobulate.

> First-Amendment-auditor thinking.

Uhhh, I like that kind of thinking. Is there something wrong with first amendment auditors now?!


Perhaps I haven't gotten a representative sample, but in 100% of the content I've seen from self-described "first amendment auditors", they're acting unpleasant and suspicious for absolutely no reason other than provoking a reaction. To me this seems like antisocial behavior that degrades rather than supports First Amendment protections. I consider myself a pretty strong First Amendment supporter, but if I routinely found strange men filming me as I walked down the street, I would support basically any legal change required to make them stop.


> I consider myself a pretty strong First Amendment supporter, but if I routinely found strange men filming me as I walked down the street, I would support basically any legal change required to make them stop.

It strikes me that the first clause of this sentence and the last one are unambiguously contradictory.


I don't think so? The behavior of these auditors is not speech in any meaningful sense; they're not trying to communicate any message, they're just trying to make people around them uncomfortable. It's just hard to draw a clear line that would prohibit their behavior without chilling lawful speech.

Right now I don't think there are that many First Amendment auditors around, so there's not much point in passing new laws to deal with them. But if they became more common, it might be necessary to draw the line, as we did in the 90s with stalking.


> The behavior of these auditors is not speech in any meaningful sense;

I didn't suggest it was speech; it's press, no?

Again, I don't have enough context to cast judgment about them being assholes or violating some other law (like harassment, etc) - I don't support that _at all_.

However, the basic right to document one's surroundings in public is absolutely essential to liberty, especially now.


No, it's not press either. First Amendment auditors do things like this: https://www.independent.com/2025/07/09/first-amendment-audit...

You say "harassment", but that's precisely the problem. Many things that any reasonable person would identify as harassment are protected speech under the First Amendment. So these auditors go around harassing people, knowing that they're causing people emotional distress, because they're bullies who want to make people feel bad.


First Amendment auditors have usually been attention seeking individuals making click bait YouTube videos. It's been interesting seeing the transformation from that to what we're seeing with people monitoring ICE.


To be honest, I watch very little of that content, so I had no idea. If they're unkind, then obviously that sucks.

But walking around with cameras maintaining the unequivocal right to record what happens in the commons seems like a very important and thankless task.


It would, just not on new devices without moving keys via already-trusted device. This is what WhatsApp presumably does


That's the thing, it does not and it has been known that it does not do this. The keys are stored on the server and the server sends them to your device on login. They do have some kind of machine-id encoded in it, but that is just for show.


Yes, [1] though a bit vague given "Some organizations may already have access to these models and capabilities without having to go through the Verification process."

I never verified but have access to all models including image gen, for example.

[1] https://help.openai.com/en/articles/10910291-api-organizatio... [2] https://help.openai.com/en/articles/10362446-api-reasoning-m...



Agreed. Among pianists Bach's four-part chorales [1] are a widely used practice resource for working on sight reading because of the sheer volume of the catalog.

[1] https://www.bach-chorales.com

