Matthias Luft

Eliminate entire classes of security flaws with these Python libraries * PyNacl for Cryptography * Pydantic for input validation * Casbin for Object/Function Level AuthZ * Passlib for Password Management

I wanted to solve my problem, so I built a distributed app. Now problems have two I.

light it up

Yet another pitfall when extracting archives, this time from @NodyTweet blog.nody.cc/posts/link-wri…

We need more open audit/security testing reports like this: blog.trailofbits.com/2024/07/30/our…

With the #GhostWrite CPU vulnerability, all isolation boundaries are broken - sandbox/container/VM can't prevent GhostWrite from writing and reading arbitrary physical memory on affected RISC-V CPUs. Deterministic, fast, and reliable - no side channels. ghostwriteattack.com

AWS wishlist: a single IAM API that returns the policies attached to a user/role. Today, it involves 4-5 calls: • listRolePolicies • listAttachedRolePolicies • getRolePolicy • getPolicy • getPolicyVersion

It's great to see Multiplier by @trailofbits being open-sourced! github.com/trailofbits/mu… I believe it exemplifies the kind of foundational, next-generation tools we need for proper software understanding, maintenance, and sustainment.

@cji You realize the real boomer thing was taking the quiz, right? 😀

Discovered while taking this quiz that also made me feel old. cnn.com/interactive/20…

I had apparently missed the memo that GIFs are now considered "cringe" and "for boomers". vice.com/en/article/z3n…

@uncommonengneer Those were great memes - but apparently not appreciated 🙅‍♂️

@mikelikesbikes Not really, I think you're good 👍🙃

OpenSSH bug: yes, it takes forever to exploit against a single host. But you're mostly waiting for a timeout, so you can massively parallelize across internet targets w/o needing a botnet. Assume that this - and not targeted exploitation - is going to be the initial approach.

The next part of our #Kubernetes #Security fundamentals video series is out now! This time we're looking at the Kubelet API. talking about the ports it makes available and some of the potential for information leakage. youtu.be/OdkFPL7d73E?si…

Regarding the SSH bug 1) First OpenSSH vuln discovered in almost 20 years - wow 2) Bug was (re)introduced almost 4 years ago. So remote root in OpenSSH for 4 years and nobody found it? 3) Exploit takes hours/days to run. Watch your logs!

What a great read. RCE in sshd with race conditions requiring hours to days to succeed. I cannot imagine the patience required here. 👏 👏 👏 Also, exposing SSH to 0.0.0.0/0 might be a default in your cloud environment, but CSPs have better remote access patterns available.

If you launch a new FreeBSD (13.2|13.3|14.0|14.1)-RELEASE instance and don't change the default behaviour via EC2 user-data, it will download and install the patch for this before sshd is launched. I decided many years ago that installing updates on first boot was important.

Today seems like a good day to mention that on my servers I use spiped to protect access to OpenSSH -- you can't even send a single byte to sshd unless you have the spiped secret key. daemonology.net/blog/2012-08-3…

All the talks from last week have been published to our Youtube channel! Here's a playlist with all of them: youtube.com/playlist?list=…

@0x464D Make that 10 years ago 😀

Not sure what someone from 30 years ago would consider the greater miracle: - Cheap Affordable Wifi on a transatlantic flight that's sufficient to use a web based LaTeX editor like Overleaf - existence of Overleaf, which makes the collaborative LaTeX experience almost tolerable