►
From YouTube: End Users Working Group (December 12, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
B
A
A
B
A
A
B
A
A
B
A
B
A
B
A
It's
evolved,
evolved
through
a
few
phases.
I
think
the
the
next
phase
that's
coming
in
the
next
year
or
two
is
the
expansion
of
staff
to
provide
full-time
full-time
services
for
Friday
things.
So
there's
there's
sort
of
emerging
proposals
on
the
table.
There's
help
desk
client
done
for
securing
software
repos
yep.
There's
the
the
work
that
the
education
group
is
doing.
Yeah
Alpha
Omega,
of
course,
have
their
own
sort
of
little
hierarchy
going
so.
B
A
B
B
A
B
So
I
mean
it's,
you
know.
Hopefully
this
will
be
resolved
by
the
end
of
the
week.
So
I
just
have
some
finished
in
this
thing.
So
yeah
yeah
cool,
are
you
yeah,
I
I,
agree
I,
I'm,
I'm
I'm,
happy
to
see
that
there
are
staff
rolling
out
into
this
and,
like
that
kind
of,
gives
people
more
of
the
ability
to
work
on
these
projects.
Full
time
and
like
you
know,
that's
really
cool
to
see
too
yeah.
So
I.
A
B
A
B
A
A
A
B
A
B
But
that
keeps
the
information
flowing
around
the
organization,
so
it's
not
just
silos
that
are.
Is
that
I've
seen
that
in
previous
company,
like
when
I
used
to
work
for
a
former
organization
because
they
were
not
cross-pollination,
you
know,
meetings
like
people
had
no
clue
what
other
people
were
were
doing.
Yeah
yeah
yeah.
A
B
A
We
see
Gradle
folks
pretty
regularly.
Okay,
good
name
folks,
cradle
folks,
Pi
PR
in
the
form
of
Dustin
effects,
show
up
a
lot.
Yeah
they've
got
we've.
You
know.
We've
got
fairly
different
times
on
alternating
weeks,
so
the
exactly
varies:
yeah
I'm
in
I'm,
in
the
sweet
spot,
where
I
can
attend
both
times
right.
A
B
B
A
A
B
B
B
A
B
A
B
A
It
receives
that
attestation
IT
issues
short-lived
certificates
for
signing
with
those
with
that
identity
embedded
and
then,
once
you
produce
that
those
certificates
get
written
into
a
transparency
log.
Once
you
create
the
signature,
the
signature
gets
written
into
another
transparency
log
and
that's
what
allows
you
think,
because,
because
the
keys
are
short-lived,
you
don't
have
to
keep
them.
They're,
ephemeral,
yeah,.
B
A
Never
hit
the
disk
they
get
discarded
as
soon
as
the
operation
is
over
yep,
and
so,
as
I
say
like
instead
of
faffing
about
with
having
to
protect
your
private
keys
and
store
them
and
decide
where
they
go
and
when
to
rotate
them
and
all
that
jazz.
The
key
pops
into
existence.
It
does
its
job
and
then
it
goes
away.
B
A
A
B
B
A
You
could
the
thing
to
bear
in
mind,
though,
is
that
it'll
still
have
to
go
in
the
log
I
said
so
to
me,
the
secret
one
of
one
of
the
important
things
about
sex
store
is
like
so
my
first
elevator
pitch
was
the
Turning
key
management
into
an
identity
problem.
The
second
elevator
pitch
is
make
the
attacker
move
in
the
open
right
yep.
That's
that's
about
the
transparency
log.
A
Was
essentially,
you
took
the
ocsp
and
you
you
attached
it
to
you,
embedded
it
in
the
certificate,
and
there
is.
There
is
something
similar
for
recoil
for
the
transparency
lobe.
You
can
take
an
extract
from
it
and
if
you
trust
the
key
that
recall
uses
and
if
that,
ultimately,
you
follow
that
train
of
trust
back
up
to
that
tough
route.
B
Okay,
that
makes
sense
crypto
is
crypto,
is
I,
I
have
a
like
a
non
I've,
never
actually
tried
to
implement
any
of
it.
So
all
of
the
stuff
that
I
know
about
it
is
all
from
things
that
I've
learned
through
like
podcasts
and
education
and
stuff,
like
that.
So
I'm
I'm,
I'm,
I'm
I'm
thinking
that
I'm
following
most
of
it,
but
it's
still
still
someone
struggle
at
times,
yeah,
so
I
think
yeah.
So
so
the
stapling
mechanism,
you're
saying.
A
Yeah,
essentially,
you
took
what
would
be
an
icsp
response
and
and
jammed
it
into
the
certificate.
It's
it's
been
a
long
time.
It's
been
a
like
a
year
or
two
since
I
thought
about
ocsp.
So
I
can't
remember
the
exact
mechanism,
but
essentially
you
you
have
something
portable
that
doesn't
require
you
to
go
back.
It's
an
offline
verification,
yeah.
B
A
B
A
A
Of
all,
it
is
more
tolerable
to
have
downtime
like
I'm,
not
saying
it's
like
tolerable.
In
a
you
know,
an
emotional
or
social
sense,
but
I
mean
in
terms
of
like,
if
you
were
going
down
to
the
the
dollars
and
cents
of
it,
you
can
tolerate
unavailability
of
the
transparency
log
for
longer
than
you
would
tolerate
it.
For
other
things.
On
the
theory.
A
B
B
A
B
Time
I
know
I,
know,
I,
know
exactly
yeah.
Well,
that's
what
I
mean
that's
why
organizations
by
J,
frog
or
sonotype
right,
because
then
there
then
those
things
are
expected
to
be
highly
available.
So
I
guess,
is
there
a
model
where
sonotype
and
jfrog
can
mirror
the
transparency
log
so
that
then
the
availability
of
that
service
is
not
on
you,
but
it
puts
that
onus
back
on
the
organization.
That's
running
their
own
artifactory
instance,
I.
B
A
B
A
A
Tree
the
medical
tree
will
be
different
from
the
public
if
you
mix
them
together.
What
you
could
mix
together
into
a
single
place
is
like
in
front
of
recall,
there's
a
redis
instance
that
caches
the
the
you
know
the
key
and
the
entry
in
the
log
so
rather
than
like
recomputing
the
local
tree
every
single
time.
You
make
a
query.
It
goes
goes
to
redis
if
it
finds
it
there.
It
just
sends
it
back
to
you,
because
you
know
in
theory
it's
it's.
A
B
Yeah,
yes,
it's
good
to
use
more
and
more,
can
you
just
slap
a
CDN
in
front
of
that
and
like
call
it
a
day,
for
you
know,
I
mean,
obviously
you
need
to
evaluate
the
cash
every
once
in
a
while,
but
like
could
you
select
all
right?
Is
it?
Is
there
infrastructure?
Let
let
you
do
that
so
that
as
this
scales
and
gets
hit
more
and
more,
you
don't
need
to
like.
Have
your
redis
instance
yeah.
A
I
think
yeah
that
comes
back
to
a
discussion
we've
had
in
securing
software
repo
groups,
which
is
the
format
of
extracts
from
the
log
and
storing
them
side
by
side
with
with
the
the
signature
and
side
by
side
with
the
the
package
yeah.
Basically,
they
just
files
on
a
system
and,
yes,
you
can
use
a
CDN,
because
that
CDN
capability
is
enormously
important.
Yeah.
A
B
A
A
A
B
Yeah
and
I
I
like
that
I
think
that
that
that
that
that
is
like
100,
valid
right,
because
people
are
not
so
how
much
evidence
like
okay,
the
case
of
the
Android
attack
right,
we
saw
Keys
being
abused
for
stupid
reasons.
It's
like
you.
You
saw
how
that
you,
you
like.
Where
did
you
hear
about
the
news
about
that?
The
Android
stuff
getting
stolen.
A
B
So
Risky
Business
made
the
point
that
and
and
as
did
security
now
when
they
talked
about
it
as
they
were
like
yeah,
like
these
signing
keys
that
were
could
be
used
to
like
sign
like
highly
privileged
Android
software
on
these
phones
was
being
used
for
adware
or,
like
you
know,
something
like
it's
like.
If
this
had
been
owned
by
a
like,
you
know
a
nation
state.
They
would
have
used
this
stuff
for
such
like
more
like
targeted
stuff,
but.
A
B
A
B
B
Yeah
we
had
it.
We
had
at
a
former
employer
that
I
had
we,
someone
ended
up
accidentally,
leaving
some
Service
open.
That
has
a
feature
that
leaves
it
vulnerable
to
remote
quote
execution
by
default.
It's
I,
don't
remember
what
it
is,
but
like
it's
one
of
those
like.
Why
is
this
something
that
you
can
do
just
by
default,
but
anyways?
It
was
in
a
doctor
container
and
we
ended
up
having
to
for
the
first
time
ever
in
our
organization.
B
Engage
a
I
was
like
I,
don't
think
they've
gotten
any
further,
but
they
were
running
code
inside
of
Doc
retainer
on
these
systems
and
like
what
other
things
did
they
have
accessed
and
we
hired
an
instant
response.
Team
and
they're,
like
doesn't
look
like
they
got
outside
the
container
like
perfect,
but
you
know
you
never
can
because,
like
Docker
containers
are
great
pivot,
Points
first
ssrf
can
do
like
deeper
into
the
you
know
deeper
into
another
organization
and
stuff
like
that.
So
yeah,
that's.
A
B
B
A
I
I
used
to
in
a
previous
job.
We
had
all
of
our
CI
and
testing
systems
and
we
were
using
a
deployment
system.
It's
a
little
obscure
and
I
won't
name
it
because
it
gives
away
what's
going
on,
but
it
worked
by
basically
replacing
entire
VMS.
So
it
was
a
VM
deployment
system,
it
would
yeah
and
it
was.
It
was
very
robust
in
terms
of
being
able
to
get
back
to
a
clean
state
and
one
day
we
realized
that
the
documentation
had
a
bunch
of
default
passwords
in
it.
A
A
B
A
Just
like
copying
and
pasting
the
yaml,
and
so
there
were
a
few
things
where
it
said:
change
password
and
other
ones
where
it
just
had
a
default
password
and
the
thing
is,
and
you
were
supposed
to
set
all
of
the
passwords.
People
saw
that
and
went
like
well
I.
Guess
it's
okay
to
use
the
default
because
the
other
one
says
to
change
it,
and
this
one
doesn't
so
people
just
copy
pasted
sets
and
passwords
and
off.
They
went
and
yeah.
A
The
the
particular
password
was
like
a
like
a
health
monitoring
system
like
a
health
endpoint
type
system
which
had
extremely
high
privileges,
because
it
could
restart
processes
right.
They
could
launch
launch
a
process
on
a
VM,
and
that
was
one
of
the
ones
that
had
the
default
password
set
and
it
was
just
like
well.
B
Things
fail
and
for
the
open
source
version
We
expose
those
logs
to
the
public
so
that
people
could
see
whether
or
not
their
CI
things
were
succeeding
or
failing
and
of
course,
at
one
point,
we
realized
that
we
were
leaking
some
credentials
into
our
CI
logs
and
then
we
go
do
a
whole
massive
sweep.
And
then
we
realized
oh
wait.
B
We
have
this
other
external
auditing
thing
that
that
keeps
our
logs
too
and
oh
what's
in
there,
and
those
keys
are
ending
up
in
there
too,
and
it's
like
oh
love
of
God,
and
the
thing
is
like
when
you
write
when
you're
running
a
CI
CD
pipeline
right,
you
can
put
credentials
into
the
CI
CD
Pipeline
and
it
will
on
I
mean
most
modern.
Cicd
pipelines
will
do
pattern
matching
and
we'll
scrub
those
from
the
logs.
But
if
you're
sending
those
logs
to
an
external
system.
A
B
Or
or
this
Enterprise
tool
that
gives
you
insights
into
your
build
infrastructure,
you're,
not
putting
your
credentials
into
that
system,
because
you
that
thing
doesn't
need
to
authenticate
to
the
systems.
Only
your
build
does,
and
so
it
doesn't
know
that
it
needs
to
be
filtering.
Those
things
out
and
also
like
your
build,
doesn't
necessarily
know
what
our
credentials
and
what
are
not
credentials,
because,
like
yeah,
it
doesn't
know
what
what
things
are
credentials.
What
things
are
not
credentials
because,
like
people
read
environment
variables
in
that
are
credentials
or.
A
A
A
No
I
wish
no,
it
was
a.
It
was
a
CI
CD
tool.
It
still
is
a
COC
do
tool.
I
shouldn't
use
the
past
tense.
That
sort
of
grew
and
evolved
at
pivotal.
When
I
was
there
and
like
there
are
things
I
would
change
about
it
like
I
have
like
anybody,
I
have
you
know,
progresses
and
annoyances,
and
things
I
think
that
could
have
been
done
differently
or
whatever,
but
yeah.
Overall,
it's
the
best
system,
I've
ever
used
by
country
mile
like
it's
so
elegant,
the
UI
is
so
beautiful.
A
A
B
A
B
B
A
I
did
go
to
and
I
feel
bad
saying
that,
because
I'm
Australian,
but
generally
speaking
the
best
Australian
developers
are
not
in
Australia,
because
that's
not
where
the
money
is
but
I
I
did
Pitch
to
some
VCS
doing
a
startup
around
Concourse
and
they
sort
of
said
yeah.
We
can.
We
can
see
this
being
like
a
10,
20
or
50
million
dollar
business.
B
A
B
I
am
yeah
that
makes
a
lot
of
sense.
I,
I
I,
my
amendment
to
to
that
best
Engineers
in
Australia,
are
that
Australian
or
not
in
Australia.
The
only
amendment
to
that
that
I
would
give
you
is
the
best
Engineers
that
are
Australian
either,
are
not
in
Australia
or
work
remotely
for
a
company
from
Australia
right,
because
yeah
I
had
move.
A
B
Vp
of
engineering,
one
of
the
VPS
of
engineering
at
Gradle,
and
he
is
one
of
the
best
developers
engineer
like
he.
He
was
like
you
know
he
straddled
a
company.
He
like
he
was
very
eloquent
and
also
kick
button
and
could
write
a
lot
of
code
like
he
was
very
good,
but
he
worked
for
a
company
remotely,
and
you
know
that
was
I
actually
had
him
as
a
manager
for
a
little
bit
and
I
live
in
Boston
I,
yeah,
I
loved
him
as
a
manager.
B
B
A
But
you're
off
kilter
with
everybody,
especially
the
East
Coast
or
Europe
you're
you're,
just
invisible,
yeah
yeah,
and
it's
it's
even
worse.
If
you're
on
the
West
Coast
of
Australia
yeah,
which
is
another
three
hours
further
away,
they
don't
even
really
have
overlap
with
California,
so
they
just
they're
just
out
there
by
themselves
yeah
they
have
overlap
with
like
Singapore
and
Japan
and
if,
if
or
you
know,
China
Coastal
China.
So
if
you're
working
in
those
areas,
then
sure
you
know
being
on.
B
I
have
been
one
of
the
things
that
I've
been
I've,
been
rather
lonely.
The
past
couple
of
jobs
I've
been
operating
kind
of
in
a
silo
as
a
security
researcher,
the
the
past
several
jobs.
So
when
I
was
working
for
Gradle
I
was
the
solo
security
person
and
there
was
nobody
else
at
least
till
the
very
end.
B
The
Dan
Kaminsky
Fellowship
I've,
been
kind
of
operating
solo
and
I
have
been
really
concerned,
like
I
have
struggled
because
I
feel
like
I'm,
not
growing,
and
improving
my
skills,
because
I'm
I'm
operating
in
a
silo
and
so
I've
been
trying
to
find
a
job
that
would
align.
Would
let
me
have
a
you
know,
a
team
people
around
me
or
something
like
that
and
I've
not
totally
succeeded,
but
I
think
that,
with
the
open
source
security
Foundation,
there
are
enough
intelligent
security
people
around
that
I
can
learn
from
people.
B
Like
that
and
like
having
someone
solidly
in
your
own
time
zone,
you
can
jam
out
ways
and
you
can
program
yeah.
You
can
work
with
all
day
and
like
then
you
can
go,
you
know,
have
a
night
and
not
feel
like
you're
leaving
them
or
having
to
you
know,
because,
like
I
would
be
sitting
down
to
meetings
with
my
with
Luke
in
Australia
at
5,
00
p.m.
B
I've
had
some
really
good
relationships
with
people
in
Australia,
though,
like
my
the
coach
that
I
had
for
black
hat,
she
was
in
Australia
and
she
was
awesome
because
she,
just
she
just
I,
said
like
this-
is
gonna,
be
heinous
for
the
both
of
us,
like,
let's
just
figure
out
a
time
to
meet.
That's
like
you
know,
even
though
it's
not
within
working
hours.
B
A
A
B
A
So
I
went
up
at
Shopify
when
I,
when
I
was
at
VMware.
I
was
I,
was
sort
of
over
it
for
various
reasons
and
I
started.
Looking
for
a
job,
I
looked
at
Shopify
because
one
of
my
former
managers
had
gone
to
Shopify,
who
I
you
know,
admired
and
respected
very
much,
and
so
I
was
like
okay,
it
can't
be
all
bad,
so
I
applied
and
I
I
got
the
job
and
at
first
it
wasn't
super
clear
what
my
role
would
be.
A
A
A
We
tend
towards
monoliths,
so
you
get
inside
the
process
and
you
can
see
everything
and
do
everything
and
Ruby
is
so
flexible
and
so
Dynamic
that
there's
no
way
to
defend
pieces
of
code
in
one
module
from
another
piece
of
code
in
a
different
module.
You
can
you
can
you
can
walk
the
entire
object
graph
if
you
want
so
that's
that's
the
main
thing
about
it
like
we.
We
have
a
similar
risk
in
terms
of
JavaScript,
but
we're
mostly
hanging
back
and
letting
GitHub
do
the
running.
B
B
You
manage
to
get
code
running
in
the
in
this
in
the
in
JavaScript
in
the
checkout
process,
and
then
you
scrape
credit
cards,
so
that's
I
think
that's
traditionally
what's
called
Mage
carting
and
it's
like
having
some
high
profile
organizations
like
it
happened
to
one
of
the
big
European
train
companies.
It
happened
to
Newegg
new
a
got
Mage
started.
They
didn't
even
I
think
they
like
barely
announced
it
like.
They
did
a
really
like
they've,
really
tried
to
suppress.
They
got
majored
in
but
yeah.
B
B
They're
they're
compromising
well
yes,
if
you're
not
hashing
the
file
prior
to
creating
the
HTML
that
you're
sending
up
because
they're
mostly
going
for
the
the
the
file
like.
If,
if
they're
going
after
your
file
right
inside
of
your
environment,
then
you
might
be
hashing
that
file
prior
to
creating
HTML
to
send
to
your
user
if
you're
serving
it
from
a
CDN,
then
hopefully
you're
using
you
know
a
hash,
that's
known,
and
then
yes,
you
would
be.
You
would
be
good
there.
Although.
A
B
Well,
the
other
one
I
mean
it
goes
through.
I
mean
like
Mage
Carters
will
go
for
a
lot
of
different
things
like
they'll.
Also,
like
you
know,
your
marketing
people
would
love
to
put
those
like
Salesforce
things
in
all
of
this,
like
in
those
things
like
you're,
just
I
mean
most
the
time
when
you're
using
those
Salesforce
things
you're
just
pulling
into
a
JavaScript
endpoint
and
those
like
that's,
not
version,
because
Salesforce
loves
being
able
to
push
out
updates,
and
they
will
tell
you,
don't
don't
use
a
at
that.
B
A
B
B
A
B
A
They
do
quite
a
lot
there's
the
the
traditional
way
was
that
it
was
a
templating
language
called
liquid,
and
so
you
copy
and
paste
a
chunk
of
liquid
into
your
into
your
template
and
I
I.
Imagine
that
there
have
been
cases
of
Mage
coding
there
and
I.
Imagine
trust
and
safety
have
that
on
their
radar.
Yeah
mine
mine
is
mostly.
A
How
does
how
does
a
bad
gem
reach
production?
How
does
how
does
outside
malicious
code
reach
production
is,
is
essentially
my
job
and
making
it
harder
and
harder?
For
that
to
happen
is
what
I
focus
on.
So
that's
that's
why
I
come
back
to
okay
in
terms
of
prevalence
of
attacks?
Currently
account
takeover
is
the
most
common,
so
we
need
the
MFA
yeah.
B
A
A
Big
one
is
typo
sweating
by
a
wide
margin.
It's
tied
by
a
combo
brand
jacking
right
yeah,
like
those
those
are
the
most
common
attacks.
Numerically
yeah,
there's
not
much.
We
can
do
about
that.
We're
working
with
our
package
vendor
to
get
allow
listed
proxy.
So
we
can
protect
ourselves,
there's
not
a
lot
we
can
do
for
the
community.
Although
you
know,
if
it
occurs
to
me,
we
might
try
to
get
some
researchers
going
to
be
better
at
identifying
those
cases,
but
account
takeover
is
the
second
most
common.
A
And
it's
it's
it's
sorry.
Here's
a
theory.
Typo
squatting
is
casting
a
wide
net
and
seeing
what
you
catch
like.
Yes,
it's
it's
a
game
of
numbers
and
it's
very
hard
to
do
it
discreetly,
because
you
have
to
cast
hundreds
of
packages
to
get
any
kind
of
meaningful
yield
right
right,
because
each
package,
only
a
few
people,
make
that
mistake.
A
Yeah
yeah
out
of
out
of
the
thing
and
you've
got
a
you've,
got
a
slowly
accrete
people
making
that
mistake
to
start
getting
access
to
systems.
So
what
they
do
is
they'll
spray
out
hundreds
of
packages
at
once
and
they've
gotten.
Quite
elaborate
trying
to
conceal
that
they're
doing
this,
but
it's
been
so
far,
they've
been
picked
up.
The
most
elaborate
I've
seen
is
pi
PA
got
attacked
by
an
attacker
who
created
several
dozen
accounts.
A
They
rotated
IPS,
they
randomized
the
times
at
which
they
created
the
packages
right
a
whole
bunch
of
things
to
conceal
that
they
were
spraying
out
hundreds
of
packages,
but
they
still
sprayed
out
hundreds
to
try
and
capture
lots
and
lots
of
typos,
because
each
each
one
only
gets
you
a
little
bit.
Only
a
tiny
income
yeah
so
I
think
that's
one
thing,
but
but
an
account
takeover
has
much
higher
impact,
because
if
they
achieve
a
account
Takeover
in
a
highly
highly
relied
upon
dependency,
they
immediately
get
access
to
an
enormous
amount
of
stuff.
A
Yes-
and
you
know,
if
they
they
can
one
one
tactic-
I
saw-
this
was
I,
think
colors
JS.
They
did
this
or
UHS
I
can't
remember,
but
it
was
essentially
they
created
the
there
was
like
they
had,
the
1.9
version
existed
and
they
created
like
1.95,
which
was
the
malicious
version,
and
then
they
immediately
released
version
2.0.
A
So
if
you
went
to
look
at
the
source
code
first
off,
you
would
see
source
code
that
looked
fine
yeah
unless,
unless
you
dug,
you
wouldn't
think,
but
everybody
in
the
lock
files
has
it
set
as
like
1.9
x
is
the
version
I
want.
It
picks
the
latest
off
the
shelf
and
they
get
the
malicious
one.
So
unless
you
knew
how
to
check
it,
you
wouldn't
notice,
but
it
was
going
on
so
I
can't
I
can't
take
over
as
like
yeah
we're
working
on
the
typo
squatting,
because
you
know
we
have
thousands
of
developers.
A
B
Yes
and
developers
I
mean
I,
don't
know
about
you,
but
I've.
Having
worked
in
previous
organizations
like
developers,
hate
running,
you
know,
anti-malware
anti,
like
all
that
stuff
on
their
machines,
because
it
it
and
at
the
minimum
it
slows
down
your
cicd
development
cycle,
significantly
yeah,
so
like
yeah
yeah
have
the
payloads
I
mean
I've
seen
a
lot
of
stuff,
like
you
know,
have
we
seen
the
actors
that
drop
payloads
into
like
the
people
that
are
actually
trying
to
Pivot
through
the
organization?
Doing
things
are
most
are
mostly
attacks
at
this
point.
A
Packages
do
have
a
pretty
simple
sort
of
there's
a
sort
of
a
standard
sort
of
approach
where
you
have
the
code
that
runs
and
one
or
two
things
happens:
either
it's
code,
that's
intended
to
reach
production
and
operate
there
and
it'll
basically
open
a
web.
Shell
it'll
pull
in
a
payload
from
from
other
server
and
and
bootstrap
its
way
up
to
usually
a
web
shell.
The
other.
The
other
kind
is
something
whose
job
it
is
is
to
exfiltrate
credentials
and
that's
either
something
that's
meant
to
run
during
CI.
A
A
That's
intended
to
attack
the
developer
at
their
Workstation,
so
some
like
Pipi
has
setup.py
yeah
node
has
post
install
hooks,
so
they'll
run
a
script
that
basically
looks,
looks
in
your
home
directory
looking
for
AWS
credentials,
SSH
keys,
all
that
kind
of
stuff,
and
slips
that
out
and
ships
it
off,
because
developers
often
have
you
know
highly
privileged
access
to
various
things
that
can
be
pivoted
from
look
I'm
going
to
Nick
off,
because
I
want
to
have
coffee
before
my
next
next
call.
No.