good security – warnings in project

Cloudbees puts out security alerts frequently for Jenkins. We didn’t patch at CodeRanch for a while and then it got overwhelming. I wanted to get the latest JUnit plugin today. After upgrading to the latest Jenkins core, I went to manage Jenkins and saw this.

I was pleased. The product itself reminded me that we should check our security settings. It also reminded of all the security alerts that we missed.

We are now up to date (as of this moment) and it took less than hour. If I wasn’t counting the Jenkins core install and test, it would have been even less.


QCon 2018 – Keynote – Developers as Malware Distribution Vehicle

Title: Developers as a Malware Distribution Vehicle
Speaker: Guy Podjarny @GuyPod

See the table of contents for more blog posts from the conference.

Developers have more power  than ever – can get more done and faster. Can also do more harm.

XCodeGhost – in 2015

  • XCode went from 3GB to 5GB
  • Too slow to download in China
  • Developers use a local mirror
  • Have to trust unofficial download
  • XCodeGhost is  XCode + a malicious component that compiles in to the OS. It targets the linker.
  • Went undetected for 4 months
  • Contamiated hunreds of Chinese apps and dozens of US apps
  • US got it fro Chinese built apps and via a lirary
  • Got up to 1.4M active victims a day
  • Apple fixed in AppStore imediately, but took months for users. Including enterprises
  • The real “fix” was to take down the websites were contacting
  • Apple fixed root problem by hosting official XCode download in China
  • Because targeted linker, developers were the distirbution vehicle.

Delphi virus – Induc – 2009

  • Targets Delphi
  • Every program copiled on machine is affected
  • Even if uninstall and reinstall Dephi, it stays
  • Took   10 minutes to find
  • No app store, so harder to remove
  • Affected millions

First instance of this concept  – 1984

  • ”Reflections  on Trusting Trust” – Ken Thompson
  • Modify C compiler to “miscompile”
  • Three trojans – allow a hard coded password, replicate the logic in C Compiler and use a disassembler to hide and deletes from source code
  • Wrote a proof of concept. Think didn’t escape Bell labs
  • Can’t find. Not in source code and can’t disassemble
  • Best soluion is to compile on two computers/compilers and compare the output. Not practical.

Malicious dependencies

  • npm bad  dependency
  • pipy  bad dependenc this year
  • Docker bad image this month

Must trust the people who write the software.

We ship code faster.   Hard to find if deveoper introduces code maliciously or accidentally.

Developers have access to user data Be careful

Syrian Army and Financial Times

  • phishing email
  • link redirects to finanicial times spoofed page
  • now have emails so send emails that look  like from finanical times
  • IT attempted to warn users.
  • Attacker send identical email with evil links
  • Gain access to official twitter
  • Syrian Army use to make statements
  • A developer noted that think wise to this and still fall for it. We all fall for this.
  • Salesforce did an internal phishing test and developers were the second higest clickers

Uber – 2016

  • Attackers  got driver and user data
  • Uber paid 100K ransom. Agreed later that shouldn’t
  • Public found out a year later
  • Developers had stored  S3 token in  private github repo
  • Not using 2FA
  • Deveopers can access extremely sensitive data and  share it too often

As we get more power, we need to get more responsible

Causes of  insecure decisions:

  • Different motivations  – focus    On functonality. Security is a constraint. Need to be cognizant of it
  • Cognitive limitations – we move fast and break things
  • Lack of expertise – don’t always understand security implications
  • Developers are overconfidence. Harder to train where think know it.
  • ”It doesn’t happen to me” .  Security breaches happen to everyone.


  • Learn from past incidents
  • Automate security controls
  • Make it easy to be secure
  • Developer education
  • Manage access like the tech giants
  • Challenge access requests.  When need. For how long. What happens  if don’t have access. What can go wrong with access? How would you find out about access being compromised?

Google BeyondCorp

  • All access route through corporate proxy
  • Proxy grants access per device – limits what can do from Starbucks
  • Monitoring access

Microsoft Privileged Access Workstations (PAW)

  • Access to production can only be from a secure machine
  • No internet from the secure machine
  • Your machine is VM  on secure machine

My take

Great start to the day. I had known about some of these, but not others. For some reason, this reminds me of developer ghost storires.

twitter and two factor take two

In 2014, I tried to enable two factor on Twitter and had to turn it off. Given the recent news that Twitter encourages everyone to change passwords, I decided to take another stab at it. I also learned that Twitter has more options for two factor now like Google authenticator.

Step 1: Changing the password

First, I changed the password. I clicked on the drop down with my picture and chose “settings and privacy”. Then I choose password and changed it. I got an email letting me know the password changed. Good.

Step 2: Surprise step – review apps

Twitter then reminded me that I have 18 applications that can access my account and asked if I wanted to review them. 18 sounds high so I said yes. There were a few general categories:

  • Apps with read only access – given that pretty much everything on twitter is public, I don’t mind that I gave a few sites access to read my profile. I did find one that was just for a one time test and doesn’t need it anymore.
  • Piping my tweets to Facebook – yes. I definitely want this.
  • Various twitter clients – some I don’t use anymore so cleaned this up a bit as well.
  • “social reputation monitoring” – it says I gave this site read/write/direct message access in 2015.  I don’t remember this and I certainly don’t want them to have it anymore. Revoke!
  • Linked in – While I don’t mind them having read access, I don’t want them having write access. Revoke. Same with Disqus. I wasn’t nearly paranoid enough in 2013.

Now I have 13 apps with read (or read/write) access. Still a lot, but at least I know what they are. It’ll be interesting to see which of the read only ones break. “I don’t mind” is different from “I really want it to work”

Step 3: Login verification (two factor)

As I was looking for two factor, I saw “login verification” under account options. That turns out to be what Twitter is calling two factor. I guess it sounds less scary.

However “setup login verification” was disabled. It says I need to confirm my email to turn this on. Ok. So how do I do that? It appears the only way to get a confirmation email is to change your email address. It was a bunch of steps, but I did:

  1. Change to (because gmail lets you add a plus and more text and still sends to you)
  2. Enter twitter password to confirm it is me
  3. In email, click confirmation
  4. Repeat these three steps to switch back to and confirm my “short form” email. (so I remember what I gave them)

Ok time to turn on two factor with SMS

  1. In account settings, click “setup login verification”
  2. Click start
  3. Enter twitter password to confirm it is me
  4. Send SMS code
  5. Enter SMS code from phone
  6. Generate a backup code in case I ever have issues

Now I have the option to setup alternate two factor methods

  1. In account settings, click “review your login verification methods”
  2. Click “setup” next to mobile security app
  3. Use google authenticator to scan the barcode
  4. Enter the generated code from google authenticator into twitter

Finally, I clicked “edit” next to text message verification so I am just using google authenticator and not text message.

Step 4: My twitter clients

Ok. Now for the test. Can I use Twitter in the devices I care about most? Things seem to work. Will post an update if that no longer stays the case!


  • I can still use twitter on all my devices. So I don’t get prompted to login after the password change or two factor. It only takes effect for new logins. (This is good; I have a lot of places that I am logged into twitter.)
  • I got an email from an identify monitoring service that they no longer have access to my twitter. This service only told me about my own tweets so I’m leaving them without access. I was hoping they would tell me about other people’s tweets. I know what I tweet. And as fun as it is to be told I used the word “password” in my twitter…