huh $2a$ is.. blowfish? is that without salt. what is 12. the salt??

Show thread

don't mind me i just realized bcrypt was named after fucking blowfish

Show thread

the attacker is opening github issues 😂

> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]

Show thread

matrix thing 

so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to a authorized_keys2 so it wouldn't get overwritten

last issue atm: "Monitor log files to avoid relying on external whitehats"

👏 😍

Show thread

matrix thing, signing keys in prod 

> There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.

Show thread

matrix thing, lmao 

meanwhile the attacker considers a pull request to add a doctype to

Show thread

@CobaltVelvet where can a n00b like me find some explanation of what this means?

Thanks! :)

@Antanicus uhh it's a screenshot of at the time, with the shell of someone gaining access to servers, showing access to a 7TB data storage, a (i guess admin) account with its hashed password, and that they have 5.5M of those.

a huge data breach, possibly worse

@CobaltVelvet I don't know, I hope they warned them before and they choose to ignore the problem. If it isn't the case, that's a kinda shitty thing to do.

@CobaltVelvet Sorry, I misread the situation at first. I though they disclosed actual harmful content for the end users.
It's actually super funny ^^.

@Sylvhem well they still can. these situations are hard to judge and can go from "absolute asshole" to "white hat" and back again in matter of minutes :p

@CobaltVelvet Yeah, but for now they did nothing.
I won't find that funny if they are actually hurting the people who used the service.

matrix thing, signing keys in prod 

@CobaltVelvet holy shit

matrix thing, re: lmao 

@CobaltVelvet Amazing. It's a good fucking thing this was a whitehat or they would be absolutely screwed rn.

And while I say "amazing", I know perfectly well that this is the norm for the software world.

Most security features that need to be implemented don't require a noticeable sacrifice in speed or usability. It just requires taking the time to look for critical shit like this in their logic.

re: matrix thing, signing keys in prod 

@CobaltVelvet Gods, that's pretty terribad (and utterly unsurprising).

I guess I'll happily keep not using third-party repos :3

re: matrix thing, signing keys in prod 

@CobaltVelvet (By that, I mean be salty I can't use software not packaged in Debian, 'cause I can't trust its authors to competently run software distribution)


@saphire for the first hour i thought that was a killjoy comment but now i stopped laughing yeah absolutely fair point



Taking over the production web servers, dns, etc, publicly disclosing everything /before/ going to devs and then calling themselves a "whitehat" after all that? Meh. That's not even funny.

What's Flywheel in this context? All I can find is a taxi app and a building management app. :blobconfused:

@Jo @hirnbrot "Agent flywheel (OS X Build Slave)" from their (now down) wiki

@CobaltVelvet @er1n honestly too bad that it‘s a known issue because I am absolutely always here for burning 0days just to make a point

What the hell is happening? Trying to wrap my head around that

@l4p1n someone owned they seem to be nice though

@CobaltVelvet @l4p1n
kind of a fustercluck over there at shit posters, then post removals then screenshots added back in. most threads are locked to comments.

maybe our white hat bandit works for google?
"2FA is often touted as one of the best steps you can take for securing your servers, and for good reason! If you'd deployed google's free authenticator module (sudo apt install libpam-google-authenticator), I would have never been able to ssh into any of those servers."

i would think that there are other ways for 2FA than just google.
(attacker's account revoked):

@VeintePesos @CobaltVelvet I saw that ^^

Been catching on what has been happening recently

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!