Robert Grupe's AppSecNewsBits 2024-06-15
Epic Fails: IDE plug-ins, insecure code repos, stolen credentials, ignored vulnerabilities, inadequate QA/security, ...
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens
In particular, malicious content included in a pull request to a GitHub project, when handled by IntelliJ-based IDEs, would expose access tokens to a third-party host. JetBrains has released security updates that address this critical vulnerability in affected IDEs, version 2023.1 or later.
In addition to working on a security fix, JetBrains contacted GitHub to help minimize the impact. Due to measures implemented during the mitigation process, the JetBrains GitHub plugin may not function as expected in older versions of JetBrains IDEs.
JetBrains also "strongly" advised customers who have actively used GitHub pull request functionality in IntelliJ IDEs to revoke any GitHub tokens used by the vulnerable plugin as they could provide potential attackers with access to the linked GitHub accounts even with the added protection of two-factor authentication.
Additionally, if the plugin was used with OAuth integration or Personal Access Token (PAT), they should also revoke access for the JetBrains IDE Integration app and delete the IntelliJ IDEA GitHub integration plugin token. Please note that after the token has been revoked, you will need to set up the plugin again as all plugin features (including Git operations) will stop working.
New York Times source code stolen using exposed GitHub token
"Basically all source code belonging to The New York Times Company, 270GB," reads the 4chan forum post. "There are around 5 thousand repos (out of them less than 30 are additionally encrypted I think), 3.6 million files total, uncompressed tar."
The folder names indicate that a wide variety of information was stolen, including IT documentation, infrastructure tools, and source code, allegedly including the viral Wordle game.
A 'readme' file in the archive states that the threat actor used an exposed GitHub token to access the company's repositories and steal the data.
The Times leak is the second one published to 4chan this week, with the first being a leak of 415MB of stolen internal documents for Disney's Club Penguin game. The Club Penguin leak was part of a more significant breach of Disney's Confluence server, where the threat actors stole 2.5 GB of internal corporate data.
Developer posts secret key on GitHub, loses $40K in 2 minutes
The developer said he forgot that his secret keys were in the repository.
Hackers steal “significant volume” of data from hundreds of Snowflake customers
The group carrying out the attacks is financially motivated, with members principally located in North America. The earliest infostealer infection date observed in the mass credential theft occurred in November 2020.
All the compromises it has tracked so far were the result of login credentials for Snowflake accounts being stolen by infostealer malware and stored in vast logs, sometimes for years at a time. None of the affected accounts made use of multifactor authentication, which requires users to provide a one-time password or additional means of authentication besides a password.
So far, 165 customers have been identified whose data may have been stolen in the spree. Lending Tree subsidiary QuoteWizard confirmed it was among the customers notified by Snowflake that it was affected in the incident. Ticketmaster data stored on Snowflake was found to have been stolen following a posting offering for sale the full names, addresses, phone numbers, and partial credit card numbers of 560 million Ticketmaster customers. Santander, Spain’s biggest bank, said recently that data belonging to some of its customers has also been stolen.
[rG: SSDLC Design Threat Assessments, Security Code Reviews, and security scanning of logs for sensitive data (secrets) could have prevented these breaches. Encrypting sensitive data would have prevented exposure. Services and admin access accounts' secrets should be changed frequently to prevent abuse (<30 days).]
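The three items above (the IntelliJ plugin leak, the New York Times token, the developer's key in a public repo) all come down to a GitHub token or key sitting where it should not. As an added example that is not from the newsletter or any of the organisations named, the following scanner illustrates the "scan commits and logs for secrets" control: it matches GitHub's published token prefixes (`ghp_`, `gho_`, `github_pat_`), flags high-entropy values assigned to credential-like keys, and redacts both before text is committed or shipped to a log store. The sample text, the entropy threshold and the key-name heuristic are constructed for this illustration.

```python
"""Detect and redact leaked credentials in text (a staged diff, a config
file, a log excerpt). Added example; heuristics are illustrative only."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# GitHub's published token prefixes: classic PATs ("ghp_") and OAuth tokens
# ("gho_") are 40 characters; fine-grained PATs start with "github_pat_" and
# are matched loosely so the pattern tolerates length changes.
GITHUB_TOKEN_RE = re.compile(
    r"\b(ghp_[A-Za-z0-9]{36}|gho_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{40,})\b"
)
# Generic "key = value" assignments whose key name suggests a credential.
ASSIGNMENT_RE = re.compile(
    r"(?i)\b([A-Z0-9_\-]*(?:secret|token|passw(?:or)?d|api[_-]?key)[A-Z0-9_\-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/_\-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a random 40-char string is ~5.0


@dataclass
class Finding:
    line_no: int
    rule: str
    secret: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(value: str) -> bool:
    """Real secrets mix digits and letters and have high entropy; a placeholder
    such as 'changeme_in_production' fails the digit check."""
    has_digit = any(ch.isdigit() for ch in value)
    has_alpha = any(ch.isalpha() for ch in value)
    return has_digit and has_alpha and shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per detected secret, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in GITHUB_TOKEN_RE.finditer(line):
            findings.append(Finding(line_no, "github-token", m.group(1)))
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(2)
            if GITHUB_TOKEN_RE.fullmatch(value):
                continue  # already reported by the specific rule above
            if looks_random(value):
                findings.append(Finding(line_no, "high-entropy-assignment", value))
    return findings


def redact(text: str) -> str:
    """Replace every detected secret with a fixed marker (safe for log storage)."""
    out = text
    for f in scan_text(text):
        out = out.replace(f.secret, "[REDACTED]")
    return out


# Constructed sample: a snippet of a committed config file plus one log line.
# The token and key values are made up and have never been valid anywhere.
SAMPLE = """\
# constructed sample: a snippet of a committed config plus one log line
retries = 3
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
password = "changeme_in_production"
aws_secret_access_key = "Q7f3kLm9Xz2pRt8vWn4bYc6dHj1gKs5eUa0oZx3q"
2024-06-10T12:00:01Z deploy: using token=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij for clone
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.secret[:8]}...")
    print(redact(SAMPLE))
```

Wired into a pre-commit hook the same `scan_text` blocks the push; run over log output, `redact` keeps tokens out of the log store the rG note refers to.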
Ransomware attackers quickly weaponize PHP vulnerability with 9.8 severity rating
CVE-2024-4577 stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application.
Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.
The researchers went on to say that roughly half of the compromises observed show clear signs of running XAMPP, but that estimate is likely an undercount since not all services explicitly show what software they use. XAMPP maintainers explicitly say their software isn’t suitable for production systems.
While XAMPP is the only platform confirmed to be vulnerable, people running PHP on any Windows system should install the update as soon as possible.
[rG: SSDLC SCA scanning only at the pipeline's initial production deployment is insufficient. Developers need to ensure that they understand the production-level service level agreements for all SBOM-listed 3rd party components, have daily SCA scans of builds, and have security patch response plans for rapid response when needed.]
China state hackers infected 20,000 Fortinet VPNs
CVE-2022-42475 is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware. 14,000 servers were backdoored during this zero-day period.
Chinese state hackers exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update.
Malicious VSCode extensions with millions of installs discovered
Visual Studio Code (VSCode) is a source code editor published by Microsoft and used by many professional software developers worldwide. A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official' theme to include risky code. Dracula is used by a large number of developers due to its visually appealing dark mode with a high-contrast color palette, which is easy on the eyes and helps reduce eye strain during long coding sessions. The extension quickly gained traction, getting mistakenly installed by multiple high-value targets, including a publicly listed company with a $483 billion market cap, major security companies, and a national justice court network.
Further research into the VSCode Marketplace found thousands of extensions with millions of installs. The researchers note that the malicious code does not get flagged by endpoint detection and response (EDR) tools, as VSCode is treated with leniency due to its nature as a development and testing system.
The mystery of an alleged data broker’s data breach
Since April, a hacker with a history of selling stolen data has claimed a data breach of billions of records — impacting at least 300 million people — from a U.S. data broker, which would make it one of the largest alleged data breaches of the year. The stolen data, which was advertised on a known cybercrime forum, allegedly dates back years and includes U.S. citizens’ full names, their home address history and Social Security numbers — data that is widely available for sale by data brokers.
The alleged data broker in question, according to the hacker, is National Public Data, which bills itself as “one of the biggest providers of public records on the Internet.”
Not all data breaches claimed by hackers, especially those advertised on hacking forums, turn out to be real. That’s why cybersecurity reporters often spend considerable amounts of time trying to verify a data breach, efforts that sometimes end up with inconclusive results. But this alleged breach of a data broker appears to be an outlier, in part because some of the data appears genuine and some has already been verified. The proliferation and commoditization of personal data across the data broker industry also makes it more challenging to identify the source of data leaks.
Fired employee accessed company’s computer 'test system' and deleted servers, causing it to lose SG$918,000
Kandula Nagaraju, 39, was sentenced to two years and eight months' jail.
After Kandula's contract was terminated and he arrived back in India, he used his laptop to gain unauthorised access to the system using the administrator login credentials. He did so on six occasions between Jan 6 and Jan 17, 2023.
In March 2023, he accessed NCS' QA system 13 times. On Mar 18 and 19, he ran a programmed script to delete 180 virtual servers in the system. His script was written such that it would delete the servers one at a time. The following day, the NCS team realised the system was inaccessible and tried to troubleshoot, but to no avail.
Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says
In 2016, Harris was hard at work on a mystifying incident in which intruders had somehow penetrated a major U.S. tech company. Harris said he pleaded with the company for several years to address the flaw in the product.
The federal government was preparing to make a massive investment in cloud computing, and Microsoft wanted the business. Acknowledging this security flaw could jeopardize the company’s chances, Harris recalled one product leader telling him. The financial consequences were enormous. But at every turn, Microsoft dismissed his warnings, telling him they would work on a long-term alternative — leaving cloud services around the globe vulnerable to attack in the meantime.
Frustrated by Microsoft’s inaction, he left the company in August 2020. Within months, his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers had carried out SolarWinds, one of the largest cyberattacks in U.S. history. They used the flaw Harris had identified to vacuum up sensitive data from a number of federal agencies.
Microsoft insisted it was blameless. Microsoft President Brad Smith assured Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in SolarWinds.
In investigating the attack, the federal Cyber Safety Review Board found that Microsoft’s “security culture was inadequate and requires an overhaul.” Microsoft has said that work has already begun, declaring that the company’s top priority is security “above all else.” Part of the effort involves adopting the board’s recommendations. “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security,” the company’s CEO, Satya Nadella, told employees in the wake of the board’s report, which identified a “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”
Recovery from cyber attack that cancelled thousands of hospital appointments to take months, NHS admits
NHS England has confirmed that from 3 to 9 June, more than 800 planned operations and 700 outpatient appointments were cancelled after pathology services were hit by a ransomware attack on King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust. The attack crippled hospital services, with hundreds of life-saving operations cancelled. Synnovis can only complete 400 blood tests of its usual 10,000 per day for GPs across six London boroughs.
London Hospitals Knew of Cyber Vulnerabilities Years Before Hack
The Guy's and St Thomas' NHS Foundation Trust, which runs five major hospitals in the London area, has failed to meet the UK health service's data security standards in recent years and acknowledged as recently as April that "cybersecurity remained a high risk" to its operations.
Japanese vid-sharing site Niconico needs rebuild after cyberattack
A Sunday statement posted to a temporary website reveals that the group detected an issue that prevented access to multiple servers early on Saturday, June 8. Its e-commerce service Ebiten currently offers only a page advising customers that existing orders will be fulfilled, but the outfit can't send confirmation emails. Ebiten’s ability to ship products suggests back-office apps remain operational – meaning web infrastructure may be the problem. The service advised that its team is working on a complete rebuild, even as it also tries to determine the nature of the attack. That announcement followed an earlier status report advising that cyber attacks were ongoing and no resolution to the issue was in sight.
Christie's confirms RansomHub crooks stole data on 45K clients
The public filing page in Maine states that the thieves stole both names and ID document numbers. This description is broadly in keeping with RansomHub's claims. However, the attackers claimed much more information was stolen, including ID document details such as birthplace, dates of birth, home addresses, heights, and race. That said, RansomHub appears to have vastly inflated the number of affected clients, initially saying more than 500,000 had their data stolen. RansomHub claimed a negotiation was taking place in the early stages, but talks broke down, which may have been a stalling tactic by Christie's as it tried to piece together what had happened.
UK and Canada's data chiefs join forces to investigate 23andMe mega-breach
The two-dog wolfpack of the Information Commissioner's Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) will look at whether the biotech biz's breach caused any customer harm, whether the appropriate safeguards were in place to prevent the incident, and if they were adequately candid with regulators at the time.
The breach at the genetics and long-lost-family-finder was one of the year's more shocking incidents, with the number of affected individuals rising to nearly 7 million after months of investigations.
It also came to light that the company failed to detect the attackers' activity for five months, only becoming aware of a breach after seeing a Reddit post about the data being stolen, rather than its own internal cyber sleuths picking up on the intrusion.
Those responsible for the attack used credential stuffing methods to gain access to the circa 14,000 accounts. It's not always the easiest thing to pick up on given that valid credentials are used to log into accounts, but there are ways to detect and prevent it, such as deploying 2FA/MFA, and that undoubtedly will be one of the first questions regulators ask as the investigation gets underway.
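The article says credential stuffing is hard to spot because valid credentials are used, but that it can be detected. As an added example (not from the article, 23andMe or the regulators), the following detector shows one such signal: a single source trying many distinct usernames in a short window with a high failure rate, and any success from that source treated as a probably compromised account that should be forced through MFA or a password reset. The log format, thresholds and IP addresses are constructed for this illustration.

```python
"""Flag credential-stuffing patterns in authentication logs. Added example;
log format and thresholds are constructed, not taken from any real system."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <source_ip> <username> <success|failure>"
# 203.0.113.7 sprays eight accounts in seven seconds and gets into 'dave';
# 198.51.100.4 hammers one account (a different pattern, not flagged here);
# 192.0.2.9 is an ordinary single login.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z 203.0.113.7 alice failure
2024-06-01T10:00:01Z 203.0.113.7 bob failure
2024-06-01T10:00:02Z 203.0.113.7 carol failure
2024-06-01T10:00:03Z 203.0.113.7 dave success
2024-06-01T10:00:04Z 203.0.113.7 erin failure
2024-06-01T10:00:05Z 203.0.113.7 frank failure
2024-06-01T10:00:06Z 203.0.113.7 grace failure
2024-06-01T10:00:07Z 203.0.113.7 heidi failure
2024-06-01T10:05:00Z 198.51.100.4 alice failure
2024-06-01T10:05:10Z 198.51.100.4 alice failure
2024-06-01T10:05:20Z 198.51.100.4 alice success
2024-06-01T11:00:00Z 192.0.2.9 bob success
"""

WINDOW = timedelta(minutes=10)   # sliding window per source address
MIN_DISTINCT_USERS = 5           # stuffing spreads across many accounts
MIN_FAILURE_RATIO = 0.6          # most leaked passwords no longer work


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "success"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_failure_ratio=MIN_FAILURE_RATIO):
    """For each source IP, slide a time window over its attempts; if any
    window touches >= min_users distinct accounts with a failure ratio
    >= min_failure_ratio, report that window's stats and the accounts that
    were successfully logged into from it."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if not e[3])
            ratio = failures / len(chunk)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                prev = flagged.get(ip)
                # keep the widest-spread window seen for this source
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "failure_ratio": ratio,
                        "successes": sorted(e[2] for e in chunk if e[3]),
                    }
    return flagged


def accounts_needing_step_up(flagged):
    """Accounts logged into from a flagged source: force MFA and a reset."""
    return sorted({u for stats in flagged.values() for u in stats["successes"]})


if __name__ == "__main__":
    result = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, stats in result.items():
        print(ip, stats)
    print("step-up required for:", accounts_needing_step_up(result))
```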
LastPass says 12-hour outage caused by bad Chrome extension update
"Our engineers have identified that an update to our chrome browser extension earlier today inadvertently caused load issues on our backend infrastructure." However, users continued to complain that since they installed the June 6th update, they have been unable to log in to LastPass, or certain features didn't work, indicating that the outage lasted longer than initially stated.
HACKING
Ransomware gangs are adopting “more brutal” tactics amid crackdowns
A major trend identified is more frequent posts by gangs to so-called “shame sites,” where attackers leak data as part of an extortion attempt. There was a 75 percent jump in posts to data leak sites in 2023 compared to 2022. These sites employ flashy tactics like countdowns to when the sensitive data of victims will be made public if they don’t pay.
The ransomware epidemic shows no signs of slowing down in 2024—despite increasing police crackdowns—and experts worry that it could soon enter a more violent phase. For example, hackers have also begun to directly threaten victims with intimidating phone calls or emails. In 2023, the Fred Hutchinson Cancer Center in Seattle was struck by a ransomware attack, and cancer patients were individually sent emails threatening to release their personal information if they did not pay. When there are millions to be had, they might do something bad to an executive of a company that was refusing to pay, or a member of their family.
While there hasn’t yet been a reported instance of violence resulting from a ransomware attack, gangs have used the threat as a tactic. “We’ve seen in negotiations that have been leaked that they’ve hinted that they might do something like that, saying, ‘We know where your CEO lives.’”
Ransomware gangs don’t operate in a vacuum. Their membership overlaps with entities like “the Comm,” a loose global network of criminals who organize online and offer violence-as-a-service in addition to more traditional cybercrime like SIM swapping. Comm members advertise their willingness to beat people, shoot at homes, and post grisly videos purporting to depict acts of torture. Last year, 404 Media reported that Comm members are working directly with ransomware groups like AlphV, a notorious entity that assisted with a high-profile hack of MGM Casinos before the FBI disrupted its operations by developing a decryption tool and seizing several websites—only to return months later with an attack on Change Healthcare that disrupted medical services around the US.
GPT-4 autonomously hacks zero-day security flaws with 53% success rate
Researchers were able to successfully hack into more than half their test websites using autonomous teams of GPT-4 bots, co-ordinating their efforts and spawning new bots at will. And this was using previously-unknown, real-world 'zero day' exploits.
If given the Common Vulnerabilities and Exposures (CVE) list, GPT-4 was able to exploit 87% of critical-severity CVEs on its own. Researchers released a follow-up paper saying they've been able to hack zero-day vulnerabilities – vulnerabilities that aren't yet known – with a team of autonomous, self-propagating Large Language Model (LLM) agents using a Hierarchical Planning with Task-Specific Agents (HPTSA) method.
When benchmarked against 15 real-world web-focused vulnerabilities, HPTSA has shown to be 550% more efficient than a single LLM in exploiting vulnerabilities and was able to hack 8 of 15 zero-day vulnerabilities. The solo LLM effort was able to hack only 3 of the 15 vulnerabilities.
New phishing toolkit uses PWAs to steal login credentials
A new phishing kit has been released that allows red teamers and cybercriminals to create progressive web apps (PWAs) that display convincing corporate login forms to steal credentials. Many websites use a PWA to offer a desktop app experience, including X, Instagram, Facebook, and TikTok. A new phishing toolkit created by security researcher mr.d0x demonstrates how to create PWA apps to display corporate login forms, even with a fake address bar showing the normal corporate login URL to make it look more convincing.
A PWA is a web-based app created using HTML, CSS, and JavaScript that can be installed from a website like a regular desktop application. Once installed, the operating system will create a PWA shortcut and add it to Add or Remove Programs in Windows and under the /Users/<account>/Applications/ folder in macOS.
When launched, a progressive web app will run in the browser you installed it from but be displayed as a desktop application with all the standard browser controls hidden.
While this new PWA phishing method will require more convincing to get targets to install the app, it won’t be surprising if we find threat actors utilizing this technique at some point in the future. Unfortunately, no existing group policies can prevent the installation of progressive web apps, with existing policies only allowing you to ban specific extension IDs or access to specific URLs.
Wells Fargo fires employees accused of faking keyboard activity to pretend to work
However, there are few details surrounding the exact circumstances of the firings, such as whether the employees worked from home or in the office, and the methods that were used to fake the alleged keyboard activity.
Auto-clickers and key macros have existed for years as free programs that anyone can download and set up fairly easily, and can be configured to be as simple as a looping button press or as complex as opening up programs and seemingly doing things like a normal person would, like opening up an email client to send a (fake) message off.
That said, employers can block their workers from installing and using these tools, not to mention the digital trail it would leave. But there are hardware-based alternatives, such as so-called mouse jigglers, which can be found for as cheap as $5 and can look just like a regular USB wireless mouse receiver.
White House report dishes deets on all 11 major government breaches from 2023
The number of cybersecurity incidents reported by US federal agencies rose 9.9 percent year-on-year (YoY) in 2023 to a total of 32,211. The report doesn't break down the total into loss or theft, which would have been interesting, but the number of yearly cases rose from 1,832 to 3,135 in 2023. Separate from the grading of incidents by their impact on the US are "major incidents", of which 11 were reported across federal agencies in 2023, including multiple reports from the Health and Human Services, Justice, and Treasury departments.
Brute force attacks on networks and services were the only other vector to register more than 1,000 cases (1,147) – but took the prize for the biggest YoY percentage increase in incidents, up from just 197 the year before.
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Apple declined to issue a bug bounty to the Russian cybersecurity company Kaspersky Lab after it disclosed four zero-day vulnerabilities in iPhone software that were allegedly used to spy on Kaspersky employees as well as Russian diplomats.
Operation Triangulation, as the spying campaign was named, was “definitely the most sophisticated attack chain we have ever seen,” the Kaspersky researchers said. Due to the sophistication of how the vulnerabilities were exploited and the limited targeting of the attackers — seeking intelligence material rather than financial details — it was suspected to be state-sponsored. On the same day as Kaspersky’s disclosure, Russia's Federal Security Service (FSB) accused the United States and Apple of having collaborated to enable the U.S. to spy on Russian diplomats. The FSB provided few public details regarding the alleged operation affecting diplomats, but Russia’s computer security agency separately claimed that the indicators of compromise of both campaigns were the same.
The key problem potentially indicating collaboration was a vulnerability tracked as CVE-2023-38606. According to Kaspersky, this affected a particularly unusual hardware feature that was not actually used by any iOS firmware. As such the researchers suggested it may have been intended for debugging or testing purposes or was included in the iPhone operating system by mistake.
Russian agents deploy AI-produced Tom Cruise narrator to tar Summer Olympics: Expect more to come
Last year, a feature-length documentary purportedly produced by Netflix began circulating on Telegram. Titled “Olympics have Fallen” and narrated by a voice with a striking similarity to that of actor Tom Cruise, it sharply criticized the leadership of the International Olympic Committee. The slickly produced film, claiming five-star reviews from The New York Times, Washington Post, and BBC, was quickly amplified on social media.
The film was not a documentary, had received no such reviews, and the narrator's voice was an AI-produced deepfake of Cruise. It also said the endorsements on Cameo were faked.
APPSEC, DEVSECOPS, DEV
Uber ex-CSO Joe Sullivan Interview: We need security leaders running to work, not giving up
Joe Sullivan – the now-former Uber chief security officer who was found guilty of covering-up a theft of data from Uber in 2016 – remembers sitting down and thinking through the worst-case scenarios he faced following that guilty verdict in 2022.
Federal prosecutors wanted to jail Sullivan for 15 months for his role in the cover up. Last May, Sullivan got three years of probation plus 200 hours of community service in what is believed to be the first time a high-profile CSO has been charged, convicted, and punished in America regarding decisions taken in their job.
"I think it's really important that security leaders not look at the environment right now and throw up their hands and quit," he said. "We need them to be motivated and excited and running to work, not thinking about changing professions. Because these people are the people that are gonna keep us safe."
AI poisoning is a growing threat — is your security regime ready?
The National Institute of Standards and Technology (NIST), a US agency, warned of what’s to come in a January 2024 paper. Researchers wrote that “poisoning attacks are very powerful and can cause either an availability violation or an integrity violation.” Deploying AI in your enterprise introduces a new attack surface that’s very different. We have seen exploits demonstrated by academics and other researchers trying to point out potential problems, but the more this technology is deployed, the more value there is for hackers to attack it, and that’s why we’re going to get into the more consequential exploits. Security experts say poisoning attacks could be launched by insiders as well as external hackers — as is the case with more conventional cybersecurity attack types. Researchers at tech company JFrog discovered some 100 malicious machine learning models had been uploaded to Hugging Face, a public AI model repository. Researchers said in a February 2024 blog that the malicious ML models could enable threat actors to inject malicious code into users’ machines once the model is loaded, a scenario that could have rapidly compromised an untold number of user environments. Many companies are not set up to detect and respond to these kinds of attacks.
[rG: First rule of AI Development: Plan for AI Poisoning by incorporating continuous monitoring, and then conduct semi-annual corrupt data/model incident recovery drill exercises.]
Open-source security in AI
New AI products are coming onto the market faster than we have seen in any previous technology revolution. Companies’ free access and right to use open source in AI software models has allowed them to prototype an AI product to market cheaper than ever and at hypersonic speed. What those AI companies often ignore, and even hide from buyers and users, is that the speed of new products coming to market is due to a lack of security diligence on their part.
Most of these open-source libraries in AI development significantly predate the generative AI boom. Understandably, their developers at the time of inception didn’t consider how their projects may be used in AI products. This issue is now manifesting as components accepting untrusted inputs that are assumed to be safe, or error handling systems encountering error states that were never considered possible prior to the project being used for AI. Additionally, a NIST report mentions the looming threat of AI being misdirected, listing four different types of attacks that can misuse or misdirect the AI software itself.
VENDORS & PLATFORMS
Microsoft postpones Windows Recall after major backlash — will launch Copilot+ PCs without headlining AI feature
Microsoft has announced that its big Copilot+ PC initiative that was unveiled last month will launch without its headlining "Windows Recall" AI feature next week on June 18. The feature, which captures snapshots of your screen every few seconds, was revealed to store sensitive user data in an unencrypted state, raising serious concerns among security researchers and experts.
[rG: Didn’t it occur to anyone to get security evaluation and recommendations, along with customer focus group studies and PR advice - before public announcement ??? The reckless hubris and egotism in the AI implementation frenzy, across all vendors and industries, is extremely disturbing.]
Apple to integrate AI, including ChatGPT, into new phones as Elon Musk threatens ban over security fears
Apple's new AI system would revamp Siri, allowing it to mine information from across a user's apps. Dubbed Apple Intelligence, it is a collection of features that includes text and image generation and an improved Siri voice assistant. This will be supported by integrating the already popular ChatGPT into the company's phones. However, Tesla and X owner Elon Musk, who has a long history with ChatGPT's owners OpenAI, warned that he would ban iPhones from all of his companies over the move.
LEGAL & REGULATORY
Nigerian faces up to 102 years in the slammer for $1.5M phishing scam
The Feds say Ebuka Raphael Umeti, 35, perpetrated the scam with two alleged partners in crime, using a combination of social engineering and malicious software to pull off the million-dollar BEC scheme. A BEC fraud involves phishing emails and deception to get businesses and organizations to send money or valuable data to attackers, usually over email.
You could get partial ownership of an AI company that may have scraped photos of your face online
Clearview AI, thanks to the terms of a potential settlement of a lawsuit against the company, has agreed to give people whose visages it used to create a facial recognition app a collective 23% stake in the company.
Clearview used a wide variety of photos of people posted online to develop its technology, meaning that virtually anyone could claim to be part of the class in the lawsuit and claim some of the stake. Law enforcement officials from local police departments to the FBI have used Clearview's technology.
And Now For Something Completely Different …
Study finds 268% higher failure rates for Agile software projects
With 65 percent of projects adopting Agile practices failing to be delivered on time, it's time to question Agile's cult following. Our research has shown that what matters when it comes to delivering high-quality software on time and within budget is a robust requirements engineering process and having the psychological safety to discuss and solve problems when they emerge, whilst taking steps to prevent developer burnout.
One standout statistic was that projects with clear requirements documented before development started were 97 percent more likely to succeed. In comparison, one of the four pillars of the Agile Manifesto is "Working Software over Comprehensive Documentation."
Putting a specification in place before development begins can result in a 50 percent increase in success, and making sure the requirements are accurate to the real-world problem can lead to a 57 percent increase.
Projects where engineers felt they had the freedom to discuss and address problems were 87 percent more likely to succeed.
However, while the Agile Manifesto might have its problems, those stem more from its implementation rather than the principles themselves. "We don't need a test team because we're Agile" is a cost-saving abdication of responsibility.
[rG: Project Management triple constraints: scope, time, cost. Minimizing QA/Security to increase Agile velocity and lower costs.]
Voyager 1 makes stellar comeback to science operations
As the 50th anniversary of Voyager 1's launch rapidly approaches, and with the probe now 15 billion miles (24 billion kilometers) from Earth, restoring functionality is quite an engineering feat.
NASA's Voyager 1 spacecraft is back in action and conducting normal science operations for the first time since the veteran probe began spouting gibberish at the end of 2023.