Natalie and Mat explore hacking in Go from the eyes of 2 security researchers. Joakim Kennedy and JAGS have both used Go for hacking: writing malware, hardware hacking, reverse engineering Go code, and more.
In the second set of interviews from KubeCon North America 2021, Gerhard and Liz Rice talk about eBPF superpowers - Cilium + Hubble - and what’s it like to work with Duffie Cooley.
Jared Watts shares the story behind Crossplane reaching incubating status, and Dan Mangum tells us what it was like to be at this KubeCon in person. Dan’s new COO role (read Click Ops Officer) comes up.
David Ansari from VMware speaks about his first KubeCon experience both as an attendee and as a speaker. The RabbitMQ Deep Dive talk that he gave will be a nice surprise if you watch it - link in the show notes.
Dan Lorenc brings his unique perspective on supply chain security, and tells us about the new company that he co-founded, Chainguard. How to secure container images gets covered, as well as one of the easter eggs that Scott Nichols put in chainguard.dev.
On April 30th, 2021, I rickrolled my high school district. Not just my school but the entirety of Township High School District 214. It’s the second-largest high school district in Illinois, consisting of 6 different schools with over 11,000 enrolled students.
Who doesn’t like a good rickroll story? This one’s replete with screencaps and video footage
This cool open source project provides transparent client-side encryption to be used with your cloud file storage of choice. Which choices, you ask?
Works with Dropbox, Google Drive, OneDrive, MEGA, pCloud, ownCloud, Nextcloud and any other cloud storage service which synchronizes with a local directory
Following thanks to all contributors, the blog notes:
Most applications that worked with OpenSSL 1.1.1 will still work unchanged and will simply need to be recompiled (although you may see numerous compilation warnings about using deprecated APIs). Some applications may need to make changes to compile and work correctly, and many applications will need to be changed to avoid the deprecations warnings.
And points out a couple of new features:
OpenSSL 3.0 introduces a number of new concepts that application developers and users of OpenSSL should be aware of. An overview of the key concepts in libcrypto is available in the libcrypto manual page.
A key feature of OpenSSL 3.0 is the new FIPS module. Our lab is testing the module and pulling together the paperwork for our FIPS 140-2 validation now. We expect that to be submitted later this month. The final certificate is not expected to be issued until next year.
And finally, LWN notes on the license change:
OpenSSL has also been relicensed to Apache 2.0, which should end the era of “special exceptions” needed to use OpenSSL in GPL-licensed applications.
In the recent months there’s been a lot of noise in the area of supply chain security because of increase in attacks, with notable ones like Microsoft Exchange Server or SolarWinds breach. These attacks could have been prevented with proper tools in place, yet finding the right tool for the job might be difficult as this area is hard to navigate and most of us - developers - aren’t security experts. There’s however a project that can solve this. Its name is sigstore and in this article we will look at what it does, why we need it and how it fits into landscape of existing tools in this area.
The news is in the headline on this one, but here’s a bit more meat from the article:
Using rigorous and detailed scientific analysis, the study concluded that upon testing 1,692 programs generated in 89 different code-completion scenarios, 40 percent were found to be vulnerable.
Today we’re joined by Aaron Parecki, co-founder of IndieWebCamp and maintainer of OAuth.net, for a deep dive on the state of OAuth 2.0 and what’s next in OAuth 2.1. We cover the complications of OAuth, RFCs like Proof Key for Code Exchange, also known as PKCE, OAuth for browser-based apps, and next generation specs like the Grant Negotiation and Authorization Protocol, also known as GNAP. The conversation begins with how Aaron experiements with the IndieWeb as a showcase of what’s possible.
Static analysis is a powerful technique for finding vulnerabilities in source code. However, the approach has suffered from being noisy - that is, many static analysis tools find quite a few “vulnerabilities” that are not actually real. This has led to developer friction as users get tired of the tools “crying wolf” one time too many.
The motivation for GoKart was to address this: could we create a scanner with significantly lower false positive rates than existing tools? Based on our experimentation the answer is yes.
This is an eye-opening little story of some software folks who stumbled upon a gaping hole in their system and what that means for the rest of us:
Suffice it to say, if you work someplace with enough machines, there’s probably some way for you to get root on all of them if you can hit them with a handful of packets. I’ve seen it happen far too many times at enough companies to expect things to stay secure. I’m not talking about buffer overflows and stuff like that, although those exist too. I mean just straight up asking a service to please run a command for you (as root), and it gladly complies.
Sherloq is a personal research project about implementing a fully integrated environment for digital image forensics. It is not meant as an automatic tool that decide if an image is forged or not (that tool probably will never exist…), but as a companion in experimenting with various algorithms found in the latest research papers and workshops.
The original version was written in C++ in 2015, but a port to Python is in the works. It looks super useful, but buyer beware:
I’m happy to share my code and get in contact with anyone interested to improve or test it, but please keep in mind that this repository is not intended for distributing a final product, my aim is just to publicly track development of an unpretentious educational tool, so expect bugs, unpolished code and missing features! ;)
The WeTransfer team recently finished a big migration with the goal achieving Single Sign On (SSO) across their 3 products.
This post goes into the details on why they chose Auth0, how the migration process went, the challenges they faced, and the things they learned along the way. Here’s an example of one of their learnings:
Think about accounts ownerships between products. Is it possible for an attacker to take control of another account with the same email? How do you avoid that? We decided to ask for credentials or require a password reset in those scenarios where we couldn’t guarantee account ownership.
The panel discusses all the things that have to happen before you write a lick of code. Then, for Story of the Week: Dan Abramov thinks npm audit is broken by design. We also have thoughts. Lots of ’em.
Fuzzing is coming to the standard library. We speak to Katie Hockman and Jay Conrod who were part of the team responsible for designing and implementing it. We dig into the details, hear some best practices, where fuzzing can help your code, and learn more about how it works.
Dan Abramov cuts right to the chase:
Have you heard the story about the boy who cried wolf? Spoiler alert: the wolf eats the sheep. If we don’t want our sheep to be eaten, we need better tools.
As of today,
npm auditis a stain on the entire npm ecosystem. The best time to fix it was before rolling it out as a default. The next best time to fix it is now.
He goes on to lay out how it works, why it’s broken, and what changes he’s hoping to see.
This project is a formalized list of checks that can be run against an open source codebase and a Go-based tool to run those checks and provide a report on the project’s health. Here are a few of the checks it runs, to get an idea of what it’s all about:
- Does the project use fuzzing tools, e.g. OSS-Fuzz?
- Does the project cryptographically sign releases?
- Does the project contain a security policy?
Yulia Startsev from Mozilla’s SpiderMonkey team joins Jerod & Feross to talk compilers, going back to get your Master’s, making decisions as a group, process of shepherding a feature through TC39, how Firefox actually works, and LavaMoats. Yes, LavaMoats.
This episode was recorded live from GopherCon Europe 2021!
Natalie & Mat host three amazing devs who gave talks that showcase using Go in unusual ways: Dr. Joakim Kennedy is tracking Go in malware, Mathilde Raynal is building quantum-resistant cryptography algorithms, and Preslav Rachev is creating digital art.
We hear from our speakers how they got into Go, how they made the choice to use Go for their unusual use case, and how it compares to other languages for their specific needs.
We also chat about conference talks, submissions and public speaking - how to start, good practices, and tips they collected along the way.
We first talked fuzzing with Katie Hockman back in August of 2020. Fast-forward 10 months and native fuzzing in Go is ready for beta testing! Here’s Katie explaining fuzzing, for the uninitiated:
Fuzzing is a type of automated testing which continuously manipulates inputs to a program to find issues such as panics or bugs. These semi-random data mutations can discover new code coverage that existing unit tests may miss, and uncover edge case bugs which would otherwise go unnoticed. Since fuzzing can reach these edge cases, fuzz testing is particularly valuable for finding security exploits and vulnerabilities.
It looks like the feature won’t be landing in Go 1.17, but they’re planning on it sometime after that. Either way, you can use fuzzing today on its development branch.
Open Source Insights is an experimental service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages. The service examines each package, constructs a full, detailed graph of its dependencies and their properties, and makes the results available to anyone who could benefit from them. The goal is to provide developers with a picture of how their software is put together, how that changes as dependencies change, and what the consequences might be.
It currently indexes GitHub, npm, and pkg.go.dev. Plus they recently added a dedicated security advisory page. For an example, check out left-pad’s page which shows 441 direct dependents and 15315 indirect dependents.
Docker images can leak runtime secrets, build secrets, and even just some secret files you have lying around. Learn how to leak them, and (probably more usefully) how to avoid leaks.
In this episode, we will talk about building for Blockchain in Go. We are joined by two of the co-founders of Prysmatic Labs (a company behind the upgrades to the Ethereum network). Raul Jordan and Preston Van Loon tell Angelica how they started the company, as well as what it’s like to build technical infrastructure for the Ethereum blockchain using Go.
WireGuard Easy uses Docker to set up WireGuard VPN along with a web UI for easy management. While this may be the easiest way to get up and running, I’d still advise checking out Algo VPN as well since it’s also pretty easy and has been designed/configured with maximum security in mind. Still, this looks cool and the web admin UI makes it quite approachable as well.
Thibault Meunir writing on Cloudflare’s blog:
Based on our data, it takes a user on average 32 seconds to complete a CAPTCHA challenge. There are 4.6 billion global Internet users. We assume a typical Internet user sees approximately one CAPTCHA every 10 days.
This very simple back of the envelope math equates to somewhere in the order of 500 human years wasted every single day — just for us to prove our humanity.
They aren’t just doing napkin math, they’re also trying to fix things:
We want to get rid of CAPTCHAs completely. The idea is rather simple: a real human should be able to touch or look at their device to prove they are human, without revealing their identity. We want you to be able to prove that you are human without revealing which human you are! You may ask if this is even possible? And the answer is: Yes!
I held off on having a CAPTCHA on our site for as long as I could, but the spammers are relentless (did you know they’ll even click on email confirmations now?!) so I finally gave in.
I’d do darn near anything to be rid of ‘em again (any ideas?), but it seems the alternative that Cloudflare is pursuing requires hardware security keys. Interesting stuff, and definitely worth a read, but it’s all experimental for now and I don’t know if/when we’ll be able to put it in practice.