IRC log for #crimsonfu, 2017-01-09

crimsonfu - sysadmins who code

All times shown according to UTC.

Time Nick Message
00:18 pdurbin teichopsia: sure, other folks in here are pretty passionate about security too. mhayden, codex, probably others
00:33 teichopsia pdurbin: First things first, and that is how to learn how to structure an application and get all the imports to work :)
00:33 pdurbin heh. sure
00:33 zerun0 joined #crimsonfu
00:41 bear the realm I work in, all apps are started when the server starts - which means I can inject a short lived secret in the user-script metadata
00:41 bear the app then uses that to contact the secrets store to exchange that for the real secret
00:42 bear if you can't do that then create a one-use only secret and pass that to the app when it launches
00:48 pdurbin teichopsia: ^^
00:49 teichopsia Yeah, I'm trying to dissect what bear said.
00:50 bear all of the methods to pass a secret to an app have problems
00:50 bear env var -- can be read by anyone
00:50 bear command line -- can be read
00:51 bear shared file -- can be read by anyone who can get priv escalated, but guess what if they are in your system they have priv escalation
00:51 bear so the best way to protect it is to get a short lived secret, insert it somehow and have it be one-time use only
00:52 bear then use that secret to gain access to your secret store (i.e. a server someplace that only handles secrets)
00:52 teichopsia Obviously, I'm still learning. In a nutshell, I'm writing a flask app with an instance folder where I'm keeping twitters consumer keys
00:53 bear where is this app run? on your laptop or on a server?
00:54 teichopsia Once it's ready, on a server. In the meantime while developing, on my laptop. Plan is, when it's ready to use vultr
00:54 bear k, then your config file can have your dev key because it's local only
00:55 bear and then if the app starts and the dev key is not present, code it so it looks at the user-data meta url
00:55 bear https://www.vultr.com/metadata/
00:55 bear any cloud vendor worth their salt will have this
00:55 bear it allows you to insert data into the startup sequence of a server
00:55 bear so this is where you put your one-time use key
00:56 bear which your flask app then uses to query the secrets store
00:56 bear now, depending on how complex you want to get, you could have that one-time secret just be the private key used to decrypt a key stored in the app's payload
00:57 bear I tend to use consul or etcd for that
00:57 bear so I would insert into consul the encrypted secrets, insert the key into metadata - then the app has the two parts required to unlock secrets
00:58 bear but I also work in a job where we take secrets very seriously
00:58 teichopsia Give me a few moments, I need to google a few things to be able to catch up.
00:58 bear no worries :)
01:23 larsks joined #crimsonfu
01:24 codex joined #crimsonfu
01:28 westmaas joined #crimsonfu
01:29 prologic joined #crimsonfu
01:32 teichopsia bear: Thank you. You've given me a lot to research on.
01:33 bear :)
02:24 pdurbin Speaking of security, my Twitter account was hacked today. Someone had tweeted this: "Rayban 80th Anniversary Sale,All Made in a Legitimate Factory,Come With New Box And Certificates!>> rbneus,com" (which I deleted).
02:25 pdurbin Here's my follow up tweet with a screenshot of how I had gotten an email saying someone had logged in from Walnut, CA: https://twitter.com/philipdurbin/status/818278700189937664
02:26 pdurbin Grrr.
02:38 bear ick
02:50 ilbot3 joined #crimsonfu
02:50 Topic for #crimsonfu is now http://crimsonfu.github.com - ConfiguRatIon Management of Systems Or Network kung FU | logs at http://irclog.perlgeek.de/crimsonfu/today
02:59 pdurbin At least I don't use Twitter for any auth anywhere. I'd be more freaked out if my Google account were to be compromised.
03:04 pdurbin A friend noticed and @mentioned me, so I saw her message as an email. The Twitter app on my phone said, "Your account has been locked." It prompted me to verify my phone number, which I did. This unlocked my account and I went in and changed my password.
03:21 teichopsia Any idea how it got hacked?
03:38 pdurbin Nope.
03:38 pdurbin teichopsia: so maybe you shouldn't take security advice from me. :)
03:58 teichopsia pdurbin: hahaha... Same thing happened to me several years ago. My Twitter account got hacked several times in a short period. What worked for me was to revoke access from third party applications - if I remember correctly.
04:18 pdurbin yeah, I did look through the third party app access... it's all stuff I approved
05:44 chasmo77 joined #crimsonfu
10:14 arcanine joined #crimsonfu
13:36 mhayden pdurbin: one of my colleagues got hit with the rayban hackery
13:38 dotplus and this sort of thing demonstrates why we *need* diversity in tech systems: "I'd be more freaked out if my Google account were to be compromised".
13:48 dotplus the lesson is that a monocultural approach at each point or level increases the price of failure/compromise because popular tech attracts more malefactors. (btw, this "price" increase applies both to Society (everyone is pwned if GOOG/openssh is cracked) and individual persons/orgs (all my stuff is pwned if I use the same protection for everything and it's cracked))
14:37 pdurbin In my case, it's doubly bad to lose control of my Google account because I use a gmail address as my primary email. "Your email is the skeleton key to your online identity" https://blog.codinghorror.com/make-your-email-hacker-proof/ . So there's OAuth and email to consider.
18:42 teichopsia joined #crimsonfu
21:47 pdurbin heh: No Emoluments 2017 on Twitter: "Harvard partial power outage going on for an hour now. Plz send batteries & beer, thx." - https://twitter.com/chipgoines/status/818572205030252545