Pinboard (jm)
https://pinboard.in/u:jm/public/
Recent bookmarks from jm

A quick rage-thread about credentials (2022-06-04T16:32:42+00:00)
https://twitter.com/colmmacc/status/1532058883908198401
Tags: security credentials authentication tls expiry ssl expiration keys key-rotation key-revocation colmmacc

How I gained commit access to Homebrew in 30 minutes (2018-08-09T10:46:49+00:00)
https://medium.com/@vesirin/how-i-gained-commit-access-to-homebrew-in-30-minutes-2ae314df03ab
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.
If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?
This is my growing concern, and it's been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
Tags: homebrew github security jenkins credentials scary

schibsted/strongbox: A secret manager for AWS (2018-05-21T09:44:31+00:00)
https://github.com/schibsted/strongbox
Strongbox is a CLI/GUI and SDK to manage, store, and retrieve secrets (access tokens, encryption keys, private certificates, etc). Strongbox is a client-side convenience layer on top of AWS KMS, DynamoDB and IAM. It manages the AWS resources for you and configures them in a secure way. Strongbox has been used in production since mid-2016 and is now used extensively within Schibsted.
Tags: schibsted strongbox kms aws dynamodb storage secrets credentials passwords ops

aws-vault (2017-11-02T10:52:57+00:00)
https://github.com/99designs/aws-vault
Tags: aws vault security cli development coding dotfiles credentials mfa

Shopify/ejson (2016-07-12T13:17:13+00:00)
https://github.com/Shopify/ejson
The main benefits provided by ejson are:
- Secrets can be safely stored in a git repo.
- Changes to secrets are auditable on a line-by-line basis with git blame.
- Anyone with git commit access has access to write new secrets.
- Decryption access can easily be locked down to production servers only.
- Secrets change synchronously with application source (as opposed to secrets provisioned by Configuration Management).
- Simple, well-tested, easily-auditable source.
Tags: crypto security credentials encryption ejson json configuration config

AWSume (2016-04-12T10:05:49+00:00)
https://www.trek10.com/blog/awsume-aws-assume-made-awesome/
Tags: mfa aws awsume credentials accounts ops