the attacker is opening github issues 😂

> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]

matrix thing 

so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to an authorized_keys2 so it wouldn't get overwritten

last issue atm: "Monitor log files to avoid relying on external whitehats"

👏 😍

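The authorized_keys2 persistence trick described above, turned into a defender's check (an added example, not code from this thread or from the Matrix.org project): it parses authorized_keys files, fingerprints each key the way OpenSSH does, reports any key outside an allowlist, and reports the mere presence of an authorized_keys2 file, which sshd reads by default and which tooling that only rewrites authorized_keys never touches. File paths and key blobs are constructed placeholders.

```python
# Added example (not from the thread): audit authorized_keys files against an allowlist.
import base64
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_authorized_keys(text):
    """Yield (options, keytype, blob, comment); options may precede the type."""
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a key line sshd would accept
        yield (" ".join(tokens[:idx]), tokens[idx], tokens[idx + 1],
               " ".join(tokens[idx + 2:]))

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(raw key)), unpadded."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return "INVALID"
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def audit(files, allowed):
    """Return (path, kind, detail) findings: keys outside the allowlist, plus any
    authorized_keys2 file at all, since sshd reads it by default and tooling
    that only rewrites authorized_keys leaves its contents untouched."""
    findings = []
    for path, text in files.items():
        if path.endswith("authorized_keys2"):
            findings.append((path, "legacy-file", "authorized_keys2 present"))
        for _options, keytype, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            if fp not in allowed:
                findings.append((path, "unknown-key", f"{keytype} {fp} {comment}"))
    return findings

# Constructed sample data: placeholder blobs, not real keys from the incident.
ALLOWED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyBlob00000"
SAMPLE_FILES = {
    "/home/deploy/.ssh/authorized_keys":
        f"# managed by config management\nssh-ed25519 {ALLOWED_BLOB} deploy@ci\n",
    "/home/deploy/.ssh/authorized_keys2": 'no-pty,command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0000ExampleBlobxx unexpected\n',
}
ALLOWED = {fingerprint(ALLOWED_BLOB)}
```

Run `audit(SAMPLE_FILES, ALLOWED)` on the sample to see both findings; in practice the allowlist comes from the fingerprints your config management is supposed to deploy.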

matrix thing, signing keys in prod 

> There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.


matrix thing, lmao 

meanwhile the attacker considers a pull request to add a doctype to


@CobaltVelvet I don't know, I hope they warned them before and they chose to ignore the problem. If it isn't the case, that's a kinda shitty thing to do.

@CobaltVelvet Sorry, I misread the situation at first. I thought they disclosed actual harmful content for the end users.
It's actually super funny ^^.

@Sylvhem well they still can. these situations are hard to judge and can go from "absolute asshole" to "white hat" and back again in matter of minutes :p

@CobaltVelvet Yeah, but for now they did nothing.
I won't find that funny if they are actually hurting the people who used the service.

matrix thing, signing keys in prod 

@CobaltVelvet holy shit

matrix thing, re: lmao 

@CobaltVelvet Amazing. It's a good fucking thing this was a whitehat or they would be absolutely screwed rn.

And while I say "amazing", I know perfectly well that this is the norm for the software world.

Most security features that need to be implemented don't require a noticeable sacrifice in speed or usability. It just requires taking the time to look for critical shit like this in their logic.

re: matrix thing, signing keys in prod 

@CobaltVelvet Gods, that's pretty terribad (and utterly unsurprising).

I guess I'll happily keep not using third-party repos :3

re: matrix thing, signing keys in prod 

@CobaltVelvet (By that, I mean be salty I can't use software not packaged in Debian, 'cause I can't trust its authors to competently run software distribution)


@saphire for the first hour i thought that was a killjoy comment but now i stopped laughing yeah absolutely fair point



Taking over the production web servers, dns, etc, publicly disclosing everything /before/ going to devs and then calling themselves a "whitehat" after all that? Meh. That's not even funny.
