jnewland | 4 months ago

This is a pretty hilarious and long-winded way to say "we have no idea how to lock someone out of a web service":

> 1. While Ruby Central correctly removed access to shared credentials through its enterprise password manager prior to the incident, our staff did not consider the possibility that this credential may have been copied or exfiltrated to other password managers outside of Ruby Central’s visibility or control.

> 2. Ruby Central failed to rotate the AWS root account credentials (password and MFA) after the departure of personnel with access to the shared vault.

TehCorwiz | 4 months ago

Right?! Did nobody there think to actually disable the accounts? These are the people who are harping about "security" being the reason for the ham-fisted takeover of the source repos, but they didn't secure the production infrastructure?

colonwqbang | 4 months ago

It didn't occur to them that he might have written the password down? That's wild.

jeffwask | 4 months ago

No matter how you slice it, this is miserable root password security. Why do maintainers need root access? No one in my org has root access but me, and all those creds are tied to hardware MFA locked in my MDF.

TehCorwiz | 4 months ago

Either profoundly naive, tech illiterate, or it's a bad faith argument.

baobun | 4 months ago

Or more realistically, accessed the accounts via IAM token and/or service account.

Something they also failed to consider, reading between the lines.
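The two post-mortem items quoted at the top and the point about IAM tokens above describe the same gap: credentials that may have left the shared vault were never rotated. An added example, not from the thread or from Ruby Central: a Python check over an AWS IAM credential report that flags root access keys, accounts without MFA, and active access keys last rotated before a chosen cutoff date. The rows are constructed and use only a subset of the report's columns; the cutoff date is an assumption standing in for the moment vault access changed.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows in the layout of an IAM credential report
# (subset of columns). Account id, names and dates are invented.
SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,true,2024-01-15T10:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,true,2024-03-02T08:30:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2025-02-01T12:00:00+00:00,false,N/A
"""

# Assumed cutoff: the date access to the shared vault was removed.
VAULT_CUTOFF = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv, cutoff):
    """Return (user, finding) pairs for credentials that should be rotated or removed.

    A key rotated before the cutoff may have been copied out of the shared
    vault, so it is treated as potentially exposed regardless of who held it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                # Root should carry no long-lived access keys at all.
                findings.append((user, f"root access key {slot} present"))
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and rotated < cutoff:
                findings.append((user, f"access key {slot} last rotated before cutoff"))
    return findings


def run_sample():
    return audit_credentials(SAMPLE_REPORT, VAULT_CUTOFF)
```

Against a real report the same function runs unchanged on the CSV returned by `iam get-credential-report`, since it reads columns by name rather than position.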