the attacker is opening github issues 😂

> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]

matrix thing 

so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to an authorized_keys2 so it wouldn't get overwritten

last issue atm: "Monitor log files to avoid relying on external whitehats"

👏 😍
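Added example (not from the thread and not Matrix's own tooling): a defender-side audit for the authorized_keys2 trick described above. It fingerprints every key in both files sshd reads by default and reports any key missing from an approved inventory; the inventory, the host's file contents and the key material are constructed samples.

```python
import base64
import hashlib
import shlex

# sshd reads ".ssh/authorized_keys .ssh/authorized_keys2" by default (AuthorizedKeysFile); tooling
# that rewrites only the first file leaves a key planted in the second untouched.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-sha2-")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the digest of the decoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (key_type, fingerprint, comment) per key line; leading options like no-pty are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # handles quoted option values such as command="..."
        for i, tok in enumerate(tokens):
            if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
                yield tok, fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break

def audit(files: dict, approved: dict) -> list:
    """One finding per key on the host whose fingerprint is not in the approved inventory."""
    findings = []
    for path, text in files.items():
        for key_type, fp, comment in parse_authorized_keys(text):
            if fp not in approved:
                findings.append({"file": path, "type": key_type, "fingerprint": fp, "comment": comment})
    return findings

def build_key_blob(key_type: str, pubkey: bytes) -> str:
    """Encode an OpenSSH wire-format public-key blob; used here only to construct sample keys."""
    enc = lambda b: len(b).to_bytes(4, "big") + b
    return base64.b64encode(enc(key_type.encode()) + enc(pubkey)).decode()

# Constructed sample data (not real keys): an approved inventory and one account's two files.
ALICE, BOT, ROGUE = (build_key_blob("ssh-ed25519", bytes([n]) * 32) for n in (1, 2, 3))
APPROVED = {fingerprint(ALICE): "alice@laptop", fingerprint(BOT): "deploy-bot"}
SAMPLE_HOST = {
    ".ssh/authorized_keys": f"ssh-ed25519 {ALICE} alice@laptop\nssh-ed25519 {BOT} deploy-bot\n",
    ".ssh/authorized_keys2": f"no-pty,no-port-forwarding ssh-ed25519 {ROGUE} backup\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_HOST, APPROVED):  # in practice, read both files from every home directory
        print(f"UNKNOWN KEY in {f['file']}: {f['type']} {f['fingerprint']} ({f['comment']})")
```

Running the same audit from a cron job or config-management check, with the inventory kept off the audited hosts, is the "monitor it yourself" step the thread's last issue asks for.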

matrix thing, signing keys in prod 

> There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.

matrix thing, lmao 

meanwhile the attacker considers a pull request to add a doctype to

matrix thing, re: lmao 

@CobaltVelvet Amazing. It's a good fucking thing this was a whitehat or they would be absolutely screwed rn.

And while I say "amazing", I know perfectly well that this is the norm for the software world.

Most security features that need to be implemented don't require a noticeable sacrifice in speed or usability. It just requires taking the time to look for critical shit like this in their logic.
