the attacker is opening github issues 😂
> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]
matrix thing
so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to an authorized_keys2 so it wouldn't get overwritten
last issue atm: "Monitor log files to avoid relying on external whitehats"
matrix thing, signing keys in prod
> There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.
matrix thing, lmao
meanwhile the attacker considers a pull request to add a doctype to matrix.org https://github.com/matrix-org/matrix.org/issues/357#issuecomment-482478319
matrix thing, re: lmao
i am proud to announce to you that they merged the doctype pr https://github.com/matrixnotorg/matrixnotorg.github.io/commit/b39781569bd531ce0dd5ecab613b9f42c7f13ca2
@CobaltVelvet I don't know, I hope they warned them before and they chose to ignore the problem. If it isn't the case, that's a kinda shitty thing to do.
@CobaltVelvet Sorry, I misread the situation at first. I thought they disclosed actual harmful content for the end users.
It's actually super funny ^^.
@Sylvhem well they still can. these situations are hard to judge and can go from "absolute asshole" to "white hat" and back again in a matter of minutes :p
@CobaltVelvet Yeah, but for now they did nothing.
I won't find that funny if they are actually hurting the people who used the service.
matrix thing, re: lmao
@CobaltVelvet Amazing. It's a good fucking thing this was a whitehat or they would be absolutely screwed rn.
And while I say "amazing", I know perfectly well that this is the norm for the software world.
Most security features that need to be implemented don't require a noticeable sacrifice in speed or usability. It just requires taking the time to look for critical shit like this in their logic.
The com makes me think "What, people not well documented and not reading security warnings? I'm choked (not)"
@CobaltVelvet what's wrong with you. I'd have done exactly the same things.
in fact, that's what I used to do, back when I would regularly break IRC bots.
@SoniEx2 what's wrong with you then. did you interpret the laugh as me saying it's unacceptable? don't do that
@CobaltVelvet oh. okay. sorry.
@CobaltVelvet wait -- why are you making fun of them tho?
@SoniEx2 well i'm not making fun of them. (or anyone) just contemplating and sharing a well executed attack
@CobaltVelvet sorry, the laughing brought up some memories