12 messages
Igor over 5 years ago
2020-10-16 Github requested the additional 14 day grace period, with the hope of disabling the vulnerable commands after 2020-10-19.
2020-10-16 Project Zero grants grace period, new disclosure date is 2020-11-02.
2020-10-28 Project Zero reaches out, noting the deadline expires next week. No response is received.
2020-10-30 Due to no response and the deadline closing in, Project Zero reaches out to other informal Github contacts. The response is that the issue is considered fixed and that we are clear to go public on 2020-11-02 as planned.
2020-11-01 Github responds and mentions that they won't be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a "hard date" at some point in the future.
2020-11-02 Project Zero responds that there is no option to further extend the deadline as this is day 104 (90 days + 14 day grace extension) and that the disclosure will be today.
Not sure how severe this is, but the timeline is pretty crazy
Maarten van der Hoef over 5 years ago
I have a question ISO27001 related. I'm helping a partner with a customer who needs to have ISO27001 compliance. They are developing Lambda's and DynamoDB.
The question is about 'Encryption at Rest' of data in a cloud environment; is DynamoDB with KMS sufficient, or would it be important to add client encryption as well ?
antonbabenko over 5 years ago
Not sure which channel this belongs to - https://github.com/lyft/cartography It looks interesting from the diagram, but I am not sure how easy and helpful it is for infrastructures smaller than Lyft's
antonbabenko over 5 years ago (edited)
Interesting, I wonder how easy it is to write meaningful queries? (I am not familiar with graph databases myself and the examples I see in the README look rather easy to make a mistake in. Scary syntax)
Issif over 5 years ago
It's a mental exercise, I agree; it took me some time to figure out how to deal with it, but after some errors it became quite convenient and I was able to retrieve all the information I needed
Andrew Roth over 5 years ago
If anyone's interested, here's how the Platform One program under the Air Force does automated OpenSCAP scanning of containers: https://repo1.dsop.io/dsop/jenkins-shared-library/-/blob/development/vars/dccscrPipeline.groovy#L194
btai about 5 years ago (edited)
my website that uses cert-manager letsencrypt for tls is sometimes showing an invalid (expired) certificate in incognito. The issue is this k8s cluster is new (hours old) but it's sometimes showing a cert that was from 2 years ago. This cert is not on my cluster at all. Anyone run into this extremely weird case before?