the attacker is opening github issues 😂
> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]
so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to an authorized_keys2 so it wouldn't get overwritten
last issue atm: "Monitor log files to avoid relying on external whitehats"
matrix thing, signing keys in prod
> There I was, just going about my business, looking for ways I could get higher levels of access and explore your network more, when I stumbled across GPG keys that were used for signing your debian packages. It gave me many nefarious ideas. I would recommend that you don't keep any signing keys on production hosts, and instead do all of your signing in a secure environment.
matrix thing, lmao
meanwhile the attacker considers a pull request to add a doctype to matrix.org https://github.com/matrix-org/matrix.org/issues/357#issuecomment-482478319
matrix thing, re: lmao
@CobaltVelvet Amazing. It's a good fucking thing this was a whitehat or they would be absolutely screwed rn.
And while I say "amazing", I know perfectly well that this is the norm for the software world.
Most security features that need to be implemented don't require a noticeable sacrifice in speed or usability. It just requires taking the time to look for critical shit like this in their logic.