question hanlon

no problems here

September 9, 2021

You buy a device and it works. It works reliably and securely for a period of time and then, due to [insert reasons], it stops working reliably or securely. I was recently looking at replacing my network stack of UniFi gear. One vendor I contemplated was Cisco.

When you have developed a reputation as the global leader in reliably shipping internet-facing equipment with hard-coded passwords and remote code execution vulnerabilities, perhaps it is time to stop repeating the same product development process and expecting a different result?

No Cisco for me from the looks of it.


last smoke

August 31, 2021

The CEO of LastPass, a fairly well known password manager, last week made public a security incident. It seems an unauthorized party gained access to a developer account and through that gained access to a developer environment. Said party then seems to have gained access to portions of their source code and proprietary technical information.

This company seems to have an interesting history with various security incidents.

Will they continue to be your go-to way to securely manage your secrets in the future? The parent company does have a reputation for taking great software and turning it into soulless products with degraded engineering quality and capability.

Smoke and fire and all that. We may have to return to comment on how LastPass fares when you have KeePass, KeePassXC, Bitwarden, etc. as real alternatives built on open-source foundations.


no more vulnerabilities

August 23, 2021

So last week the U.S. House of Representatives passed the National Defense Authorization Act for Fiscal Year 2023, which becomes law if it gets Senate approval and is signed by President Joe Biden.

This bill is a well-intentioned effort to raise the overall standard of the software supply chain used by the Department of Homeland Security. It requires the submission of a Software Bill of Materials (SBOM) and a certification that the software product has no known open vulnerabilities or defects. Currently the NIST NVD and the CISA-registered databases will be referenced for validation.

This I believe is in response to various high profile cyber security incidents of the last few years.

I am not sure how successful this will be, as .gov usually prescribes the what and leaves the how for everyone else to figure out.
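As an added illustration (not from the original post), this is the kind of SBOM-against-vulnerability-database check that the bill's certification implies, in Python. The SBOM, the package names and the feed entries are constructed, and the feed schema is a simplified stand-in for NVD/CISA data, not their real formats.

```python
import json

# Constructed SBOM in CycloneDX JSON shape (bomFormat/specVersion/components/purl
# are real CycloneDX fields; the component names and versions are made up).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "liba", "version": "1.2.0", "purl": "pkg:pypi/liba@1.2.0"},
        {"type": "library", "name": "libb", "version": "3.0.1", "purl": "pkg:npm/libb@3.0.1"},
        {"type": "library", "name": "libc", "version": "0.9.0", "purl": "pkg:npm/libc@0.9.0"},
    ],
})

# Constructed vulnerability feed: a simplified stand-in for NVD/CISA data, keyed by
# package URL without version. The ids are placeholders, not real CVE numbers.
VULN_FEED = [
    {"id": "PLACEHOLDER-VULN-1", "purl": "pkg:pypi/liba", "introduced": "1.0.0", "fixed": "1.2.3", "in_kev": True},
    {"id": "PLACEHOLDER-VULN-2", "purl": "pkg:npm/libb", "introduced": "0.0.0", "fixed": "3.0.0", "in_kev": False},
    {"id": "PLACEHOLDER-VULN-3", "purl": "pkg:npm/libc", "introduced": "1.0.0", "fixed": None, "in_kev": False},
]

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version, vuln):
    """True when version lies in [introduced, fixed); fixed=None means no fix exists yet."""
    v = parse_version(version)
    if v < parse_version(vuln["introduced"]):
        return False
    return vuln["fixed"] is None or v < parse_version(vuln["fixed"])

def find_open_vulns(sbom_json, feed):
    """Return (purl, vuln id, in_kev) for every SBOM component with an open vulnerability."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        # A purl carries its version after the last '@': 'pkg:npm/libb@3.0.1'
        base, _, version = comp["purl"].rpartition("@")
        for vuln in feed:
            if vuln["purl"] == base and is_affected(version, vuln):
                findings.append((comp["purl"], vuln["id"], vuln["in_kev"]))
    return findings

def certifiable(sbom_json, feed):
    """Certification as the bill describes it: no known open vulnerabilities at all."""
    return not find_open_vulns(sbom_json, feed)
```

Running `find_open_vulns(SBOM_JSON, VULN_FEED)` flags only liba 1.2.0 (inside its affected range and listed in KEV); libb 3.0.1 is past its fix and libc 0.9.0 predates the introduced version, so the constructed SBOM is not certifiable.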


mfa for developers

August 18, 2021

With the increase in supply chain attacks in the software development industry, there’s been a steady increase in various players in the industry rolling out mandatory MFA requirements for developers.

Earlier this week RubyGems announced their intention to enforce MFA requirements on maintainers of gems with 180 million downloads or more.

PyPI announced support for MFA in mid 2019. It was opt-in for package maintainers back then. However, earlier this year they announced it was being made mandatory for maintainers of projects deemed critical.

Mozilla announced their MFA requirements for extension developers last year. GitHub required MFA for the npm registry in the past and recently announced their intention to extend this requirement out to all contributing developer accounts.

Okta has a blog post listing industries that require MFA, mostly due to compliance requirements in each listed industry.

Expect more such developments across the software supply chain ecosystem as time progresses. Now if only there was a way to tackle some of the other problems with regards to software supply chain security.


defcon 30

August 17, 2021

Defcon may be the worst and best place to learn anything in that way - the environment is hopelessly chaotic, with two talks happening inches away from each other, and only feet from a DJ pumping out house music. But perhaps the best environment to learn in is the one in which you are most inspired?

The above is an excerpt from Dave Aitel's recent entry to the Daily Dave mailing list. In a single paragraph it completely captures what the DEF CON experience is.

DEF CON 30 returned to Las Vegas this year and, from early reports, the crowds aren't at the same level as in past years. However, looking at the schedule and the post-conference analyses, it looks like the hacker ethos is still alive and well.

Long live the googly eyes.

Black Hat USA 2022 also took place last week.


hello world

August 15, 2021

Obligatory first post.

This blog used to be more of a catch-all for notes I had collected over the years. I have deprecated those notes and decided to pivot this blog to capture my thoughts and opinions on specific events and developments in the field of information security. Expect a linklog-type blog focused on information security here from now on.

The views I present here are my own and can & will change as I move across the arc of time. Should you need to get in touch with me, send an email to the blog-discussion list on sourcehut.