the attacker is opening github issues 😂
> I noticed in your blog post that you were talking about doing a postmortem and steps you need to take. As someone who is intimately familiar with your entire infrastructure, I thought I could help you out.
[then about ssh agent forwarding, and principle of least privilege]
so apparently the attacker:
- broke into jenkins
- noticed flywheel (OS X build server) having ssh access from outside through a forwarded port
- used those two to take flywheel
- waited for someone to connect to flywheel and forward their agent
- used the agent to get access to every server and add their key to an authorized_keys2 so it wouldn't get overwritten
last issue atm: "Monitor log files to avoid relying on external whitehats"
re: matrix thing, signing keys in prod
@CobaltVelvet (By that, I mean be salty I can't use software not packaged in Debian, 'cause I can't trust its authors to competently run software distribution)