From YouTube: End Users Working Group (December 12, 2022)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
B: Interesting, good to know. How are you? I'm...

B: Sorry, just, I'm not... yeah, I think the invite has two Zoom meeting links. One of them is wrong, and one of them is the correct one. The top one is the location, and it points to Cal's meeting room, so someone should fix that in the calendar event.
B: I remember you saying that before. Yeah, okay, cool. And you're involved in the open source security stuff at Shopify, mostly around their supply chain stuff, or just...

A: Well, yeah, it's a pretty decent... I mean, it's not an Apple iPhone remote code exploitation level, but it is pretty healthy payouts. And understandably, we've got a lot of stuff to defend.

B: Yeah, it makes a lot of sense, absolutely. And so are you... my brain.
B: I'm happily surprised with the Open Source Security Foundation and how this kind of... I mean, I started joining what, two years ago, and it seems to have come into its own over the past bit of time, and that's been really nice to see. Yeah.

A: It's evolved through a few phases. I think the next phase that's coming in the next year or two is the expansion of staff to provide full-time services for Friday things. So there's sort of emerging proposals on the table. There's help desk client done for securing software repos, yep. There's the work that the education group is doing. Yeah, Alpha-Omega, of course, have their own sort of little hierarchy going, so.

B: I think... I can't imagine who they might be hiring. Yeah, no, I have... I might be... I'm finalizing a thing there. So.
B: So, I mean, it's, you know... Hopefully this will be resolved by the end of the week. So I just have some finishing in this thing. So yeah, cool. Are you... yeah, I agree, I'm happy to see that there are staff rolling out into this, and that kind of gives people more of the ability to work on these projects full time, and, like, you know, that's really cool to see too, yeah. So I...

A: Sort of the first phase of the life was thrashing around trying to work out what we were doing and how we were going to do it, yeah, and the second phase is mostly being sort of volunteer-driven, or...
A: I go to the TAC meetings, not every time, they sometimes conflict with other meetings I have.

B: I have been more or less hesitant to join the TAC meetings, mostly because it seems like a lot of bureaucracy.

A: Yeah, that was a lot of interesting... There was a lot of work on the mechanisms of administration. Yes.
A: So what's useful to me, and I will take credit for stealing this idea from elsewhere, I'm suggesting it is regular updates from working groups. So each...

B: But that keeps the information flowing around the organization, so it's not just silos that are... I've seen that in a previous company, like when I used to work for a former organization, because there were no cross-pollination meetings, like, people had no clue what other people were doing. Yeah.

A: So that makes a lot of sense. I like to keep an eye on that. In fact, securing software repos is up tomorrow.
B: Has somebody from Gradle continued to hang out there, or is that... I used to work for Gradle, so I want to make sure that they, you know, be involved in that conversation, yeah.

A: We see Gradle folks pretty regularly. Okay, good. Name folks, Gradle folks, PyPI in the form of Dustin, show up a lot. Yeah, they've got... we've got fairly different times on alternating weeks, so that varies, yeah. I'm in the sweet spot where I can attend both times, right.

B: Out of curiosity, so you're focused on Ruby, right, primarily? Yes.
B: Did the Ruby ecosystem... so, I mean, my research back in 2019 was around the widespread use of HTTP to resolve dependencies in the Java ecosystem, because prior to 2014, Maven Central, Sonatype, didn't support HTTPS without a donation to them, and so basically a bunch of build tools and all build systems got written using HTTP, and nobody ever upgraded their build infrastructure to use HTTPS, and so I found that that was a widespread, common security vulnerability across the Java ecosystem.
B: Yeah, I agree. Of course, you know, I don't think about signing keys as, like, a huge security boundary, and then you hear about the... what, Samsung and those big... what was the bunch of Android...

B: They lost their signing keys, and you're like, you know, in that particular context, that's really not good. And then I was listening to Risky Business and they're like, shouldn't those keys be in HSMs, and I'm like, yes. Yes, they should. Sigstore.
A: In signing... I mean, apart from, you know, your base authenticity and integrity sort of assurances, the main thing is that if the identity provided to Sigstore, to Fulcio, is distinct from the package repo identity, then the attacker has to compromise two accounts and not one in order to push a signed artifact, and to me that's very attractive.

A: What happens is Sigstore trusts Fulcio, which is the certificate-issuing part of the system. Fulcio trusts a small set of identity providers to attest who you are, okay, and...

A: It receives that attestation, it issues short-lived certificates for signing with that identity embedded, and then, once you produce that, those certificates get written into a transparency log. Once you create the signature, the signature gets written into another transparency log, and that's what allows you... I think, because the keys are short-lived, you don't have to keep them. They're ephemeral, yeah.
A: Never hit the disk. They get discarded as soon as the operation is over, yep. And so, as I say, like, instead of faffing about with having to protect your private keys and store them and decide where they go and when to rotate them and all that jazz, the key pops into existence, it does its job and then it goes away.

A: So, ultimately, going back to a root set in a TUF system, so they descend from a TUF root.

A: TUF... it's being done on a threshold scheme, I think five or... four or five, I...

A: Oh, in the sense that to change the root, you need a certain number of people who hold partial keys to agree to, like, perform partial computations.
B: This is like the DNS one where Dan Kaminsky and a couple of other people had the key, okay, cool.

A: Yeah, no, so Fulcio is the software. The root is offline. That's sort of a big part of the TUF architecture, is that the root is held offline.

A: It's held offline and has a threshold scheme, I can't remember the term. The signing key is, like, two or three certificates down in the hierarchy. TUF has, like, a hierarchy of certificates, and I can never remember which one does what.

A: The actual live online signing key is in Fulcio, and get through it dictated.
A: You could... the thing to bear in mind, though, is that it'll still have to go in the log, as I said. So to me, one of the important things about Sigstore is, like... so my first elevator pitch was turning key management into an identity problem. The second elevator pitch is make the attacker move in the open, right, yep. That's about the transparency log.

A: So, even if they do compromise Fulcio, they can't use it without leaving a trail, which allows the exact things that they affected to be tracked down later.

A: ...was essentially, you took the OCSP and you attached it to, you embedded it in the certificate, and there is something similar for Rekor, for the transparency log. You can take an extract from it, and if you trust the key that Rekor uses, and if that, ultimately, you follow that chain of trust back up to that TUF root.
B: Okay, that makes sense. Crypto is... I have a, like, a non... I've never actually tried to implement any of it. So all of the stuff that I know about it is all from things that I've learned through, like, podcasts and education and stuff like that. So I'm thinking that I'm following most of it, but it's still somewhat of a struggle at times, yeah, so I think, yeah. So the stapling mechanism, you're saying.

A: Yeah, essentially, you took what would be an OCSP response and jammed it into the certificate. It's been a long time, it's been, like, a year or two since I thought about OCSP, so I can't remember the exact mechanism, but essentially you have something portable that doesn't require you to go back. It's an offline verification, yeah.
A: Yeah, it fails open, most of them fail open, and that being said, I think the economics are slightly different for module signing, because that's a much less frequent operation than visiting...

A: Overall, it is more tolerable to have downtime. Like, I'm not saying it's tolerable in a, you know, an emotional or social sense, but I mean in terms of, like, if you were going down to the dollars and cents of it, you can tolerate unavailability of the transparency log for longer than you would tolerate it for other things. On the theory...
B: Time... I know, I know exactly, yeah. Well, that's what I mean, that's why organizations buy JFrog or Sonatype, right, because then those things are expected to be highly available. So I guess, is there a model where Sonatype and JFrog can mirror the transparency log, so that then the availability of that service is not on you, but it puts that onus back on the organization that's running their own Artifactory instance, I...

A: Absolutely. I know that Chainguard, I think, just announced an offering at least for private Sigstore instances. I don't know whether it's meant to be, like, federated to the external one, yeah, but I don't see a reason in principle where you couldn't mirror an...
A: The Merkle tree will be different from the public one if you mix them together. What you could mix together into a single place is, like, in front of Rekor there's a Redis instance that caches the, you know, the key and the entry in the log, so rather than, like, recomputing the local tree every single time you make a query, it goes to Redis, and if it finds it there, it just sends it back to you, because, you know, in theory it's...

B: Yeah, yes, as it gets used more and more, can you just slap a CDN in front of that and, like, call it a day? For, you know, I mean, obviously you need to invalidate the cache every once in a while, but, like, could you... all right? Is there infrastructure that lets you do that, so that as this scales and gets hit more and more, you don't need to, like, have your Redis instance, yeah.
A: I think, yeah, that comes back to a discussion we've had in the Securing Software Repos group, which is the format of extracts from the log and storing them side by side with the signature and side by side with the package, yeah. Basically, they're just files on a system, and yes, you can use a CDN, because that CDN capability is enormously important. Yeah.

B: Right, yes, having worked for Gradle, yeah, yes.

B: Serve petabytes of data per month, right.

A: Yeah, that's a whole lot of the discussion, but yeah, CDNs. So RubyGems and PyPI, I know, at least are using Fastly.

A: Yeah. Actually, yes, it is a donation worth six figures at least, and I think that's mostly because they're not commercial. I think in the case of Sonatype, it's like, well, you're making money off this, so you can afford it. I'm gonna stay out of that conversation.
A: They can sort that out themselves, but yeah, CDNs are definitely a thing, so that idea of having a self-contained extract that can be served alongside the files, that you retrieve alongside the files... and we had that in, when we did the Ruby design, we had that as, like, a later thing to do. It wasn't something we saw in the first couple of phases, but it's a thing we had to do, like, on our list of progressively hardening up and simplifying the system.

A: So, like, early on, when there are very few actual queries being made, it's acceptable to go back to Rekor and figure that out, but as soon as possible you would want that ability to just pick up a file and read it out straight away.
B: Yeah, and I like that. I think that that is, like, 100% valid, right, because people are not... so how much evidence, like, okay, the case of the Android attack, right, we saw keys being abused for stupid reasons. It's like... you saw how that, you, like... Where did you hear about the news about that? The Android stuff getting stolen.

A: As usual, I heard... you know, I saw people making their oblique references on Twitter, and, oh, I figured it out from that. Yeah.
B: So Risky Business made the point, and as did Security Now when they talked about it, they were like, yeah, these signing keys that could be used to sign highly privileged Android software on these phones were being used for adware or, like, you know, something like... it's like, if this had been owned by, like, you know, a nation state, they would have used this stuff for, like, more targeted stuff, but...

A: Yeah, I think that the thing I find... my favorite people in the world in terms of, like, security are crypto miners and cryptojackers, because I joke that it's basically, you know, contingency payment penetration testing, and it's quite cheap.
B: I'm eating, but I'm laughing. Yeah, you're not wrong. No.

A: No money down, just need some CPU cycles, yeah. You know, usually you notice it pretty quickly, because one of your CPUs goes berserk.
B: Yeah, we had it. We had, at a former employer that I had, someone ended up accidentally leaving some service open that has a feature that leaves it vulnerable to remote code execution by default. I don't remember what it is, but, like, it's one of those, like, why is this something that you can do just by default? But anyways, it was in a Docker container, and we ended up having to, for the first time ever in our organization...

B: ...engage a... I was like, I don't think they've gotten any further, but they were running code inside of a Docker container on these systems, and, like, what other things did they have access to? And we hired an incident response team, and they're like, doesn't look like they got outside the container, like, perfect, but, you know, you never can, because, like, Docker containers are great pivot points, first SSRF can do, like, deeper into the... you know, deeper into another organization and stuff like that. So yeah, that's...
B: But... and we actually got an email from the German government too, it was really interesting. You know, like, we had a crypto miner and then also an email from the German government saying, hey, just a heads up, you've got a service that's got, like, a known vulnerability.

A: I used to... in a previous job, we had all of our CI and testing systems, and we were using a deployment system. It's a little obscure and I won't name it because it gives away what's going on, but it worked by basically replacing entire VMs. So it was a VM deployment system, yeah, and it was very robust in terms of being able to get back to a clean state, and one day we realized that the documentation had a bunch of default passwords in it.
A: Just, like, copying and pasting the YAML, and so there were a few things where it said "change password" and other ones where it just had a default password, and the thing is, you were supposed to set all of the passwords. People saw that and went, like, well, I guess it's okay to use the default, because the other one says to change it and this one doesn't, so people just copy-pasted sets of passwords and off they went, and yeah.

A: The particular password was for, like, a health monitoring system, like a health endpoint type system, which had extremely high privileges, because it could restart processes, right. It could launch a process on a VM, and that was one of the ones that had the default password set, and it was just like, well.
B: We had... a former company of mine.

B: It has a tool that lets you get insights into your build, and whether, like, you know, when things fail, when things succeed, and also captures logs and stuff like that of test runs, and this enterprise tool that we had will capture...

B: ...things that fail, and for the open source version we expose those logs to the public so that people could see whether or not their CI things were succeeding or failing. And of course, at one point, we realized that we were leaking some credentials into our CI logs, and then we go do a whole massive sweep. And then we realized, oh wait.

B: We have this other external auditing thing that keeps our logs too, and, oh, what's in there? And those keys are ending up in there too, and it's like, oh, love of God. And the thing is, like, when you're running a CI/CD pipeline, right, you can put credentials into the CI/CD pipeline and it will... I mean, most modern CI/CD pipelines will do pattern matching and will scrub those from the logs. But if you're sending those logs to an external system...
B: Or this enterprise tool that gives you insights into your build infrastructure, you're not putting your credentials into that system, because that thing doesn't need to authenticate to the systems, only your build does, and so it doesn't know that it needs to be filtering those things out. And also, like, your build doesn't necessarily know what are credentials and what are not credentials, because, like, yeah, it doesn't know what things are credentials and what things are not credentials, because, like, people read in environment variables that are credentials, or...
A: No, I wish. No, it was a CI/CD tool. It still is a CI/CD tool, I shouldn't use the past tense. That sort of grew and evolved at Pivotal when I was there, and, like, there are things I would change about it. Like anybody, I have, you know, grievances and annoyances and things I think could have been done differently or whatever, but yeah. Overall, it's the best system I've ever used by a country mile. Like, it's so elegant, the UI is so beautiful.
B: Be next... Circle relaxed... well, Travis was dead because they got bought by the... That was the hand that was... you heard all the news and the sadness of... yeah, I have a friend who was working at Circle.

B: I was talking to a friend of mine who used to work at Circle and has Circle stock options, and she said, I really should have sold my options before, you know, when there was one of those buyout options, because, like, these things are not gonna be worth anything now. Like, yeah, and I mean, Jenkins is holding its own, but that's open source, and I think that Jenkins will never die because people...
A: I did go to... and I feel bad saying that, because I'm Australian, but generally speaking the best Australian developers are not in Australia, because that's not where the money is. But I did pitch to some VCs doing a startup around Concourse, and they sort of said, yeah, we can see this being, like, a 10, 20 or 50 million dollar business.
B: Yeah, that makes a lot of sense. My amendment to that: the best engineers that are Australian are not in Australia. The only amendment to that that I would give you is the best engineers that are Australian either are not in Australia or work remotely for a company from Australia, right, because, yeah, I had...

B: ...VP of engineering, one of the VPs of engineering at Gradle, and he is one of the best developers, engineers, like... he straddled a company, he was very eloquent and also kick-butt and could write a lot of code, like, he was very good, but he worked for a company remotely, and, you know, that was... I actually had him as a manager for a little bit, and I live in Boston. Yeah, I loved him as a manager.
A: But you're off-kilter with everybody, especially the East Coast or Europe, you're just invisible, yeah, and it's even worse if you're on the west coast of Australia, yeah, which is another three hours further away. They don't even really have overlap with California, so they're just out there by themselves, yeah. They have overlap with, like, Singapore and Japan and, if... or, you know, coastal China. So if you're working in those areas, then sure, you know, being on...
B: I have been... one of the things that I've been... I've been rather lonely. The past couple of jobs I've been operating kind of in a silo as a security researcher, the past several jobs. So when I was working for Gradle I was the solo security person, and there was nobody else, at least till the very end.

B: The Dan Kaminsky Fellowship, I've been kind of operating solo, and I have been really concerned, like, I have struggled, because I feel like I'm not growing and improving my skills, because I'm operating in a silo, and so I've been trying to find a job that would align... would let me have, you know, a team, people around me or something like that, and I've not totally succeeded, but I think that, with the Open Source Security Foundation, there are enough intelligent security people around that I can learn from people.
B: It's just, I would like to learn from other security researchers, and so I need to figure out where to bridge out from that, but I'm really lucky that my soon-to-be, hopefully, counterpart working at this job will be in the same time zone as me, she'll be in Florida, and so that will be like a breath of fresh air, because I've had a lot of co-workers in Europe and California and stuff...

B: ...like that, and, like, having someone solidly in your own time zone, you can jam out ways and you can program, yeah, you can work with all day, and, like, then you can go, you know, have a night and not feel like you're leaving them or having to, you know, because, like, I would be sitting down to meetings with Luke in Australia at 5:00 p.m.
B: I've had some really good relationships with people in Australia, though. Like, the coach that I had for Black Hat, she was in Australia and she was awesome, because she just... I said, like, this is gonna be heinous for the both of us, like, let's just figure out a time to meet that's, like, you know, even though it's not within working hours.
B: Yeah, it's not the top line. It's not... you'll have to excuse me, I'm gonna mute you while you talk, because I want to continue eating and I...

A: So I wound up at Shopify when... when I was at VMware, I was sort of over it for various reasons and I started looking for a job. I looked at Shopify because one of my former managers had gone to Shopify, who I, you know, admired and respected very much, and so I was like, okay, it can't be all bad, so I applied and I got the job, and at first it wasn't super clear what my role would be.
A: It was sort of like a thrashing period before we settled down on this mission, and it mostly comes down to: Shopify deals in, like, billions of dollars and millions of merchants and most of a billion people who bought something from those merchants.

A: We have scads and scads of sensitive data that would be attractive to nation states. We have so much money flowing through the platform that we're attractive to ransomware operators.

A: Those are the two ones I worry about, who are prepared to, like, go, this is worth the time, especially nation states. They'll take the time, and it's like, if you manage to subvert one of the hundreds and hundreds of gems that we rely on across our estate, you know, you're inside the process.
A: We tend towards monoliths, so you get inside the process and you can see everything and do everything, and Ruby is so flexible and so dynamic that there's no way to defend pieces of code in one module from another piece of code in a different module. You can walk the entire object graph if you want, so that's the main thing about it. Like, we have a similar risk in terms of JavaScript, but we're mostly hanging back and letting GitHub do the running.

B: Yeah, I mean, we've definitely seen, like, Magecart being popular. Has Magecart died, or is that still a thing that people are doing, right? I don't know what it is. Magecart, Magecarting, is you compromise some sort of supply chain in the JavaScript ecosystem and then you sit...
B: You manage to get code running in the JavaScript in the checkout process, and then you scrape credit cards. So that's, I think, traditionally what's called Magecarting, and it's, like, hitting some high profile organizations. Like, it happened to one of the big European train companies. It happened to Newegg, Newegg got Magecarted. They didn't even, I think, they barely announced it, like, they really tried to suppress that they got Magecarted, but yeah.

B: They're compromising... well, yes, if you're not hashing the file prior to creating the HTML that you're sending up, because they're mostly going for the file. Like, if they're going after your file right inside of your environment, then you might be hashing that file prior to creating HTML to send to your user. If you're serving it from a CDN, then hopefully you're using, you know, a hash that's known, and then, yes, you would be good there. Although...
B: Well, the other one, I mean, it goes through... I mean, like, Magecarters will go for a lot of different things. Like, they'll also, like, you know, your marketing people would love to put those, like, Salesforce things in all of this, like, in those things, like, you're just... I mean, most of the time when you're using those Salesforce things you're just pulling in a JavaScript endpoint, and those, like, that's not versioned, because Salesforce loves being able to push out updates, and they will tell you, don't use a... at that.

B: I think, actually, I think that... I could be wrong, don't quote me, and especially if it's getting recorded and uploaded, don't quote me there either, but I think that the way that, if I remember correctly, the way that might...

B: SEO... sort of, not SEO, sorry, one of those marketing tools, JavaScript code things that was running.
A: They do quite a lot. The traditional way was that it was a templating language called Liquid, and so you copy and paste a chunk of Liquid into your template, and I imagine that there have been cases of Magecarting there, and I imagine trust and safety have that on their radar. Yeah, mine is mostly...

A: How does a bad gem reach production? How does outside malicious code reach production is essentially my job, and making it harder and harder for that to happen is what I focus on. So that's why I come back to, okay, in terms of prevalence of attacks, currently account takeover is the most common, so we need the MFA, yeah.
A: Once MFA becomes widespread, they will change tactics, they will start moving towards attacking the repository, so we need to be prepared to put signing in place and then follow up with TUF, and then, by that time, the landscape will change again and we'll see where we're at.

B: So I presume that, because the barrier on compromising 2FA is so much lower, currently people are not going after signing as an attack vector. If they see a process...
A: The big one is typosquatting, by a wide margin. It's tied by a combo, brandjacking, right, yeah. Like, those are the most common attacks numerically, yeah. There's not much we can do about that. We're working with our package vendor to get an allow-listed proxy so we can protect ourselves. There's not a lot we can do for the community, although, you know, it occurs to me, we might try to get some researchers going to be better at identifying those cases. But account takeover is the second most common.

A: And it's... sorry. Here's a theory. Typosquatting is casting a wide net and seeing what you catch. Like, yes, it's a game of numbers, and it's very hard to do it discreetly, because you have to cast hundreds of packages to get any kind of meaningful yield, right, because for each package only a few people make that mistake.
A: Yeah, out of the thing, and you've got to slowly accrete people making that mistake to start getting access to systems. So what they do is they'll spray out hundreds of packages at once, and they've gotten quite elaborate trying to conceal that they're doing this, but so far they've been picked up. The most elaborate I've seen is PyPI got attacked by an attacker who created several dozen accounts.

A: They rotated IPs, they randomized the times at which they created the packages, right, a whole bunch of things to conceal that they were spraying out hundreds of packages, but they still sprayed out hundreds to try and capture lots and lots of typos, because each one only gets you a little bit, only a tiny income, yeah. So I think that's one thing, but an account takeover has much higher impact, because if they achieve an account takeover in a highly relied-upon dependency, they immediately get access to an enormous amount of stuff.
A: Yes, and, you know, one tactic I saw, this was, I think, colors.js, they did this, or UHS, I can't remember, but it was essentially they created the... there was, like, the 1.9 version existed, and they created, like, 1.95, which was the malicious version, and then they immediately released version 2.0.

A: So if you went to look at the source code, first off, you would see source code that looked fine, yeah, unless you dug, you wouldn't think... but everybody in the lock files has it set as, like, 1.9.x is the version I want. It picks the latest off the shelf and they get the malicious one. So unless you knew how to check it, you wouldn't notice, but it was going on. So account takeover is, like, yeah, we're working on the typosquatting, because, you know, we have thousands of developers.

A: Some of them are going to make mistakes, yes, but the account takeover was the one I worry the most about, because it doesn't take very long to have enormous penetration, and if the attackers are on the ball, like, if they have a team standing by curating what comes through the door, picking targets and attacking them immediately, like, taking immediate action, then you could basically find yourself popped very quickly.
B: Yes, and developers, I mean, I don't know about you, but, having worked in previous organizations, like, developers hate running, you know, anti-malware, anti-..., like, all that stuff on their machines, because at the minimum it slows down your CI/CD development cycle significantly, yeah. So, like, yeah, have the payloads... I mean, I've seen a lot of stuff, like, you know, have we seen the actors that drop payloads into, like, the people that are actually trying to pivot through the organization? Doing things... are mostly attacks at this point.

A: Yeah, are they chasing persistence? I couldn't say. I don't recall people talking about that. I think what usually happens is the package gets reported and then nobody owns up to having been popped by it.
A: Packages do have a pretty simple sort of... there's a sort of standard approach where you have the code that runs and one of two things happens: either it's code that's intended to reach production and operate there, and it'll basically open a web shell, it'll pull in a payload from another server and bootstrap its way up to, usually, a web shell. The other kind is something whose job it is to exfiltrate credentials, and that's either something that's meant to run during CI...

A: ...that's intended to attack the developer at their workstation. So, like, PyPI has setup.py, yeah, Node has post-install hooks, so they'll run a script that basically looks in your home directory looking for AWS credentials, SSH keys, all that kind of stuff, and slips that out and ships it off, because developers often have, you know, highly privileged access to various things that can be pivoted from. Look, I'm going to nick off, because I want to have coffee before my next call. No...

B: Yep, all right, Jacques, have a wonderful rest of your day, and good luck keeping the internet safe out there. No.