Kubernetes on prem.

This Men in Black reboot is wild

All the talks from last week have been published to our Youtube channel! Here's a playlist with all of them: youtube.com/playlist?list=…

🎉 It's finally here! The CloudSec Engineer. A practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor. Now available: engineer.cloudsecbooks.com #thecloudsecengineer

Today seems like a good day to mention that on my servers I use spiped to protect access to OpenSSH -- you can't even send a single byte to sshd unless you have the spiped secret key. daemonology.net/blog/2012-08-3…

If you launch a new FreeBSD (13.2|13.3|14.0|14.1)-RELEASE instance and don't change the default behaviour via EC2 user-data, it will download and install the patch for this before sshd is launched. I decided many years ago that installing updates on first boot was important.

What a great read. RCE in sshd with race conditions requiring hours to days to succeed. I cannot imagine the patience required here. 👏 👏 👏 Also, exposing SSH to 0.0.0.0/0 might be a default in your cloud environment, but CSPs have better remote access patterns available.

Regarding the SSH bug 1) First OpenSSH vuln discovered in almost 20 years - wow 2) Bug was (re)introduced almost 4 years ago. So remote root in OpenSSH for 4 years and nobody found it? 3) Exploit takes hours/days to run. Watch your logs!

OpenSSH bug: yes, it takes forever to exploit against a single host. But you're mostly waiting for a timeout, so you can massively parallelize across internet targets w/o needing a botnet. Assume that this - and not targeted exploitation - is going to be the initial approach.

The next part of our #Kubernetes #Security fundamentals video series is out now! This time we're looking at the Kubelet API. talking about the ports it makes available and some of the potential for information leakage. youtu.be/OdkFPL7d73E?si…

AWS wishlist: a single IAM API that returns the policies attached to a user/role. Today, it involves 4-5 calls: • listRolePolicies • listAttachedRolePolicies • getRolePolicy • getPolicy • getPolicyVersion

It's great to see Multiplier by Trail of Bits being open-sourced! github.com/trailofbits/mu… I believe it exemplifies the kind of foundational, next-generation tools we need for proper software understanding, maintenance, and sustainment.

With the #GhostWrite CPU vulnerability, all isolation boundaries are broken - sandbox/container/VM can't prevent GhostWrite from writing and reading arbitrary physical memory on affected RISC-V CPUs. Deterministic, fast, and reliable - no side channels. ghostwriteattack.com

light it up

We need more open audit/security testing reports like this: blog.trailofbits.com/2024/07/30/our…

Yet another pitfall when extracting archives, this time from jan harrie blog.nody.cc/posts/link-wri…

I wanted to solve my problem, so I built a distributed app. Now problems have two I.

Eliminate entire classes of security flaws with these Python libraries * PyNacl for Cryptography * Pydantic for input validation * Casbin for Object/Function Level AuthZ * Passlib for Password Management