Eliminate entire classes of security flaws with these Python libraries
* PyNacl for Cryptography
* Pydantic for input validation
* Casbin for Object/Function Level AuthZ
* Passlib for Password Management
With the #GhostWrite CPU vulnerability, all isolation boundaries are broken - sandbox/container/VM can't prevent GhostWrite from writing and reading arbitrary physical memory on affected RISC-V CPUs. Deterministic, fast, and reliable - no side channels. https://t.co/qtmosPvuYl
AWS wishlist: a single IAM API that returns the policies attached to a user/role. Today, it involves 4-5 calls:
• listRolePolicies
• listAttachedRolePolicies
• getRolePolicy
• getPolicy
• getPolicyVersion
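One way to chain those calls into a single "give me everything attached to this role" function, written here as an added example rather than code from the tweet's author. It uses the boto3 IAM client method names corresponding to the calls listed above (list_role_policies, get_role_policy, list_attached_role_policies, get_policy, get_policy_version), follows IAM's Marker/IsTruncated pagination, and goes one step further than the tweet by flagging Allow statements with wildcard actions, which is usually why one wants the full policy set in the first place. The client is injected as a parameter; `FakeIAM` is a constructed stand-in with made-up policy documents so the script runs offline, and `app-role` is a placeholder role name.

```python
"""Gather every policy document that applies to one IAM role.

Added example, not part of the original thread. `iam` is expected to be a
boto3 IAM client (boto3.client("iam")); FakeIAM below is a constructed
stand-in so the code can be exercised without AWS credentials.
"""


def _paginate(call, key, **kwargs):
    """Follow IAM's Marker/IsTruncated pagination and yield items under `key`."""
    marker = None
    while True:
        resp = call(**kwargs, Marker=marker) if marker else call(**kwargs)
        yield from resp.get(key, [])
        if not resp.get("IsTruncated"):
            return
        marker = resp["Marker"]


def collect_role_policies(iam, role_name):
    """Return {label: policy_document} for inline and attached managed policies.

    Inline:  ListRolePolicies -> GetRolePolicy
    Managed: ListAttachedRolePolicies -> GetPolicy (DefaultVersionId) -> GetPolicyVersion
    """
    policies = {}
    for name in _paginate(iam.list_role_policies, "PolicyNames", RoleName=role_name):
        doc = iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"]
        policies[f"inline:{name}"] = doc
    for att in _paginate(iam.list_attached_role_policies, "AttachedPolicies", RoleName=role_name):
        arn = att["PolicyArn"]
        version_id = iam.get_policy(PolicyArn=arn)["Policy"]["DefaultVersionId"]
        doc = iam.get_policy_version(PolicyArn=arn, VersionId=version_id)["PolicyVersion"]["Document"]
        policies[f"managed:{arn}"] = doc
    return policies


def wildcard_allows(policies):
    """Return (label, action) pairs for Allow statements whose Action is '*' or 'service:*'."""
    findings = []
    for label, doc in policies.items():
        stmts = doc.get("Statement", [])
        if isinstance(stmts, dict):  # a single statement may be given as an object
            stmts = [stmts]
        for stmt in stmts:
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            if isinstance(actions, str):  # Action may be a string or a list
                actions = [actions]
            for action in actions:
                if action == "*" or action.endswith(":*"):
                    findings.append((label, action))
    return findings


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client; the inline listing is split
    across two pages so the pagination path is exercised."""

    _inline = {
        "s3-read": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]},
        "logs-write": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"}]},
    }
    _admin_arn = "arn:aws:iam::aws:policy/AdministratorAccess"

    def list_role_policies(self, RoleName, Marker=None, **_):
        if Marker is None:
            return {"PolicyNames": ["s3-read"], "IsTruncated": True, "Marker": "page2"}
        return {"PolicyNames": ["logs-write"], "IsTruncated": False}

    def get_role_policy(self, RoleName, PolicyName):
        return {"RoleName": RoleName, "PolicyName": PolicyName, "PolicyDocument": self._inline[PolicyName]}

    def list_attached_role_policies(self, RoleName, Marker=None, **_):
        return {"AttachedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": self._admin_arn}],
                "IsTruncated": False}

    def get_policy(self, PolicyArn):
        return {"Policy": {"Arn": PolicyArn, "DefaultVersionId": "v1"}}

    def get_policy_version(self, PolicyArn, VersionId):
        return {"PolicyVersion": {"VersionId": VersionId, "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}}


if __name__ == "__main__":
    found = collect_role_policies(FakeIAM(), "app-role")  # placeholder role name
    for label in found:
        print(label)
    for label, action in wildcard_allows(found):
        print(f"wildcard allow in {label}: {action}")
```

Against a real account, replace `FakeIAM()` with `boto3.client("iam")`; the function body is unchanged because it only relies on the documented response keys. Managed policies are fetched by their DefaultVersionId, so a policy with several stored versions is reported as the version actually in force.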
It's great to see Multiplier by @trailofbits being open-sourced! https://t.co/9r1WfebMIv I believe it exemplifies the kind of foundational, next-generation tools we need for proper software understanding, maintenance, and sustainment.
The next part of our #Kubernetes #Security fundamentals video series is out now! This time we're looking at the Kubelet API, talking about the ports it makes available and some of the potential for information leakage.
https://t.co/2a9VLyJnVF
Regarding the SSH bug 1) First OpenSSH vuln discovered in almost 20 years - wow 2) Bug was (re)introduced almost 4 years ago. So remote root in OpenSSH for 4 years and nobody found it? 3) Exploit takes hours/days to run. Watch your logs!
What a great read. RCE in sshd with race conditions requiring hours to days to succeed. I cannot imagine the patience required here. 👏 👏 👏
Also, exposing SSH to 0.0.0.0/0 might be a default in your cloud environment, but CSPs have better remote access patterns available.
If you launch a new FreeBSD (13.2|13.3|14.0|14.1)-RELEASE instance and don't change the default behaviour via EC2 user-data, it will download and install the patch for this before sshd is launched. I decided many years ago that installing updates on first boot was important.
Today seems like a good day to mention that on my servers I use spiped to protect access to OpenSSH -- you can't even send a single byte to sshd unless you have the spiped secret key.
https://t.co/ZH0qgFar1c
🎉 It's finally here!
The CloudSec Engineer.
A practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.
Now available: https://t.co/CBEIv7IZL7
#thecloudsecengineer