#Learn365 Day-4: Unauthenticated & Exploitable JIRA Vulnerabilities

There are multiple security vulnerabilities associated with the various versions of JIRA software which are exploited in wild and is one of my personal favourite 3rd Party apps to hunt.

#BugBountyTips

(1/n)

1/ In early 2004 we were heads down executing on Edit and Continue across a large contingent of teams. There had been several iterations of scoping, redesigns, and customer feedback.

2/ We had a weekly meeting every Thursday morning when representatives from each of the teams would get together and review progress. It was fairly heavy weight, but there were so many teams involved that it was necessary to have a regular sync.

3/ Regardless, E&C was coalescing, but teams were stretched thin working diligently to enable scenarios, improve performance, fix bugs, etc. It had been a month or so since we decided to add support for C# to the matrix as well, so folks were a bit stressed.

4/ That set the stage for the meeting that we had on the first Thursday in April. A debugger PM named Habib Heydarian ran the meeting and after a brief intro he gave me a ring to come in and present.

5/ I walked in and handed out a document that I had written up, titled DCR: C# Edit and Continue for Venus. DCR meant design change request, and Venus was the design-time code name for ASP .NET support.

It's incredibly hard to become a customer of @Telstra so you can give them money. They absolutely despise money, and do everything in their power to erect as many obstacles as possible in the way of a normal person establishing a billing relationship with them.

First: "I'd like to buy a 4G WiFi hotspot please."
"Umm, we don't have any. Maybe try K-Mart."

Are you serious? You can't sell me a mobile broadband service, and you'd prefer me to go to a department store. Okay...

So I go to the department store, and they have the same Telstra product $20 cheaper than Telstra does.

Go to activate it. Error message, SIM serial number has already been activated. Well goddamn.

So, back to the @Telstra shop. "Yes, I know I can return the whole thing, but all I want is a $2 SIM to get started. Can you just sell me one of those?"

No. They don't have any. Zero SIMs in the store.

ARE YOU KIDDING ME? WHAT OTHER PURPOSE DOES A TELSTRA SHOP HAVE?

Their first suggestion was to buy one from @AusPost, but they take 24 hours to activate their prepaid SIMs. Maybe try Woolies?

Facebook -- having taken out full-page ads in the NYT, Washington Post, and WSJ -- is generally seen as the primary victim of the new app privacy controls coming in iOS14. But Google is perhaps even more vulnerable to ATT. Why has Google remained silent? (1/X)

2/ First, background: here's a high-level overview of how ATT / IDFA deprecation impacts advertisers and ad networks, and why this whole ordeal has put advertisers and ad networks into a state of panic:

3/ Google is equally as susceptible to harm from ATT as Facebook. Google's UAC product -- esp its tROAS and tCPA campaign objectives -- relies as much on IDFA-indexed monetization and engagement data as FB's mobile product does. But Google has one big weakness wrt ATT: YouTube

4/ Broadly, view-through attribution accounts for a disproportionate % of conversions from YouTube app install impressions. This means: user sees the YT ad, doesnt click, downloads app later, & Google is able to claim it by reconciling IDFA seen at impression to IDFA seen in app

5/ View-through attribution is nonexistent in the ATT paradigm as it relies on the IDFA; some significant portion of YT's attributed conversions will evaporate. So why isnt Google vocally opposing ATT? Two reasons: consumer optics and its duality as ad network / mobile platform

I've gotten a few questions about Aurora Serverless v2 preview, so here's what I've learnt so far. Please feel free to chime in if I've missed anything important or got any of the facts wrong.

Alright, here goes the 🧵...

Q: does it replace the existing Aurora Serverless offering?
A: no, it lives side-by-side with the existing Aurora Serverless, which will still be available to you as "v1".

Q: Aurora Serverless v1 takes a few seconds to scale up, that's too much for our use case where we get a lot of spikes. Is that the same with v2?
A: no, v2 scales up in milliseconds, during preview the max ACU is only 32 though

Q: is the cold start for Aurora Serverless v2 still a few seconds?
A: yes, unfortunately...
Q: so if you want to avoid cold starts, what's the minimum ACU you have to run?
A: minimum ACU with v2 is 0.5

Q: does v2 still scale up in double increments, e.g. 4 ACU -> 8 ACU?
A: no, it scales up in increments of 0.5 ACUs, so it's a much tighter fit for your workload, so you'll waste less money on over-provisioned ACUs