pquerna's comments

pquerna | 1 year ago | on: CockroachDB license change

This is an Eclipse foundation project, not an Apache Software Foundation (ASF) project?

It's all volunteers/open source, but this isn't an ASF project.

pquerna | 2 years ago | on: Pwned Certificates on the Fediverse

The API for Let's Encrypt to do this requires possession of the private key, which pwnedkeys doesn't always have. Sometimes they just have an "attestation" of compromise:

https://pwnedkeys.com/submit.html

Which, if you had a standardized representation of that attestation, maybe CAs could consume that instead.

But, the author of pwnedkeys thought of that, and started an RFC for exactly that:

https://github.com/pwnedkeys/key-compromise-attestation-rfc/...

But it seems dead right now.
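An added example (not pquerna's code, and not pwnedkeys' or Let's Encrypt's own) of what "requires possession of the private key" means in practice. RFC 8555 section 7.6 lets a revocation request be signed by the certificate's own key, with that key's JWK in the protected header, so a CA can accept it from anyone who holds the key rather than only from the issuing account. The Go code below builds such a request for a throwaway self-signed P-256 certificate (constructed test data) and then performs the CA-side check: the JWK in the header must equal the public key inside the certificate, and the ES256 signature must verify under it. The nonce and URL are placeholders; a real client first fetches a nonce from the directory's newNonce endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the JSON Web Key form of a P-256 public key, as ACME carries it in the
// protected header when a request is authenticated by the certificate key.
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func jwkFrom(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// revokeJWS is the flattened JWS body that ACME's revokeCert resource takes.
type revokeJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// NewSelfSignedCert makes a throwaway key and certificate that stand in for
// the leaked pair (constructed test data, not a real certificate).
func NewSelfSignedCert() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "leaked.example"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

// BuildRevokeRequest signs an RFC 8555 section 7.6 revocation request with the
// certificate's own private key (ES256) and puts that key's JWK in the header.
// Without the private key this signature cannot be produced.
func BuildRevokeRequest(key *ecdsa.PrivateKey, certDER []byte, nonce, url string) ([]byte, error) {
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "jwk": jwkFrom(&key.PublicKey), "nonce": nonce, "url": url})
	payload, _ := json.Marshal(map[string]interface{}{"certificate": b64.EncodeToString(certDER), "reason": 1}) // 1 = keyCompromise
	msg := revokeJWS{Protected: b64.EncodeToString(hdr), Payload: b64.EncodeToString(payload)}
	digest := sha256.Sum256([]byte(msg.Protected + "." + msg.Payload))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	// JWS ES256 signatures are raw R||S (32 bytes each), not DER.
	msg.Signature = b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
	return json.Marshal(msg)
}

// VerifyRevokeRequest is the CA-side check: the header's JWK must be the public
// key inside the certificate being revoked, and the signature must verify under
// it. A valid signature from any other key is rejected.
func VerifyRevokeRequest(body []byte) bool {
	var msg revokeJWS
	if json.Unmarshal(body, &msg) != nil {
		return false
	}
	hdrRaw, errH := b64.DecodeString(msg.Protected)
	plRaw, errP := b64.DecodeString(msg.Payload)
	sig, errS := b64.DecodeString(msg.Signature)
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 {
		return false
	}
	var hdr struct { Alg string `json:"alg"`; Jwk jwk `json:"jwk"` }
	var pl struct { Certificate string `json:"certificate"` }
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(plRaw, &pl) != nil || hdr.Alg != "ES256" {
		return false
	}
	der, errD := b64.DecodeString(pl.Certificate)
	cert, errC := x509.ParseCertificate(der)
	if errD != nil || errC != nil {
		return false
	}
	certPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || certPub.Curve != elliptic.P256() || hdr.Jwk != jwkFrom(certPub) {
		return false // signer is not the holder of the certificate's key
	}
	digest := sha256.Sum256([]byte(msg.Protected + "." + msg.Payload))
	return ecdsa.Verify(certPub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
```

The check that matters is the comparison of the header's JWK against the certificate's public key; verifying the signature alone would let any key holder revoke any certificate. This is also why a third party's "attestation" of compromise cannot be fed to this endpoint: it carries no signature from the certificate key.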

pquerna | 2 years ago | on: OpenTelemetry in 2023

You can also just log the spans as they are being created to stderr/stdout -- I've done this on a previous project with this approach of "spans first".

It made it debuggable via output if needed, but the primary consumption became span oriented.
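An added illustration of the "spans first" approach (example code, not from the project pquerna refers to): a small tracer that writes one JSON line when a span starts and one when it ends. On a terminal the stream is ordinary greppable log output; grouped by trace_id and nested by parent_id it reassembles into spans. Emitting at start is the part that helps debugging, since a process that dies mid-request still leaves the open span on stderr.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"os"
	"time"
)

// Tracer writes one JSON line when a span starts and another when it ends.
// The stream is consumed as spans, but it is still just stdout/stderr when all
// you have is a terminal.
type Tracer struct {
	W io.Writer
}

type Span struct {
	TraceID, SpanID, ParentID, Name string
	start                           time.Time
	tr                              *Tracer
}

func randID(nbytes int) string {
	b := make([]byte, nbytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Start opens a child of parent (or a new root when parent is nil) and logs it
// immediately, so the span is visible even if the process dies before End.
func (t *Tracer) Start(parent *Span, name string) *Span {
	s := &Span{SpanID: randID(8), Name: name, start: time.Now(), tr: t}
	if parent != nil {
		s.TraceID, s.ParentID = parent.TraceID, parent.SpanID
	} else {
		s.TraceID = randID(16)
	}
	t.emit("start", s, map[string]interface{}{"ts": s.start.UTC().Format(time.RFC3339Nano)})
	return s
}

// End logs the span again with its duration plus any attributes; the end line
// carries what a classic log line would (status, row counts, error text).
func (s *Span) End(attrs map[string]interface{}) {
	fields := map[string]interface{}{"duration_ms": float64(time.Since(s.start)) / float64(time.Millisecond)}
	for k, v := range attrs {
		fields[k] = v
	}
	s.tr.emit("end", s, fields)
}

func (t *Tracer) emit(event string, s *Span, extra map[string]interface{}) {
	rec := map[string]interface{}{"event": event, "trace_id": s.TraceID, "span_id": s.SpanID, "name": s.Name}
	if s.ParentID != "" {
		rec["parent_id"] = s.ParentID
	}
	for k, v := range extra {
		rec[k] = v
	}
	line, _ := json.Marshal(rec)
	t.W.Write(append(line, '\n'))
}

func main() {
	tr := &Tracer{W: os.Stderr}
	req := tr.Start(nil, "GET /orders")
	db := tr.Start(req, "db.query")
	db.End(map[string]interface{}{"rows": 3})
	req.End(map[string]interface{}{"status": 200})
}
```

A consumer that sees a start line with no matching end line knows the span was in flight when the process stopped, which is information a conventional end-only log never records.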

pquerna | 3 years ago | on: We updated our RSA SSH host key

Yeah, but... shouldn't GitHub have rotated their keys over the last decade?

I mean, it seems like it's clearly a key that wasn't in an HSM.. and over the lifetime, hundreds? Thousands of GitHub employees could have accessed it?

pquerna | 3 years ago | on: Launch HN: EdgeBit (YC W23) – live software vulnerability analysis

congrats on the launch!

three questions / thoughts:

1) Your post mentions "Ranking", and while doing the most impactful work first is great, the method I have most often used when dealing with vuln overload is to "Reclassify". That is, the Common Vulnerability Scoring System (CVSS) (super flawed as it is) has let reporters check the box for "remotely exploitable", therefore it's an 8.0 HIGH vulnerability -- but I think your product could let me reclassify the vuln to a medium/low - maybe a built-in CVSS score editor?

2) One other thing: there should also be a built-in concept of "accepting the risk" -- and ideally a concrete report of what was previously "accepted", and if that package gets used in new ways?

3) I'm curious what you think about market segmentation in this space? Specifically the sub-200? person companies seem to be using a lot of the "all in one" Compliance platforms (eg, Vanta, Drata, etc). Vanta for example does have a vuln management + SLA tracking dashboard + ticketing tools.

pquerna | 3 years ago | on: Announcing Baton, an Open Source Toolkit for Auditing Infrastructure User Access

It's cool to see the automation the kubernetes team stuff does against GitHub -- but has it been expanded to other resources, eg AWS or some other SaaS used?

Other thought I had, is there any concept of expiration of permissions?

Something I ran into when I used to do more Apache Software Foundation work was that, we had thousands of committers with shell access -- but 94% never used it. Are any of the things protected by this privileged? eg, a release private key?

pquerna | 3 years ago | on: Show HN: GitHub Org Audit Tool

I've also been working on a similar tool -- working towards open sourcing it too. Would you be interested in taking a look? paul.quenra at conductorone com

pquerna | 4 years ago | on: Ephemeral Postgres Databases

At a $previous_job I basically also did what the post is describing.

The "best" thing we did was actually using a "template database": https://www.postgresql.org/docs/14/manage-ag-templatedbs.htm...

We would start a Postgres process. We would create a new database, run all of our migrations and basic data bring-up. Then we would create a new database per test suite, using the one we just ran migrations on as the template.

This meant the initial bring up was a few seconds, but then each test suite would get a new database in a dozen milliseconds (IIRC).
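The template-database flow described above, as an added Go example (not pquerna's code): migrations run once against the template, the template's connection is closed before any clone is attempted, and each suite then gets its own copy with CREATE DATABASE ... TEMPLATE. The Executor and Connector types are assumptions made for this example so the sequence can be exercised without a server; *sql.DB satisfies Executor directly, and a Connector would wrap sql.Open with your test server's DSN.

```go
package main

import (
	"database/sql"
	"fmt"
	"strings"
)

// Executor is the single method needed here; *sql.DB satisfies it. CREATE
// DATABASE cannot run inside a transaction, so pass a plain autocommit handle.
type Executor interface {
	Exec(query string, args ...interface{}) (sql.Result, error)
}

// Connector opens a connection to the named database and returns it with a
// close function. Assumed shape for this example: wrap sql.Open and db.Close.
type Connector func(dbName string) (exec Executor, closeFn func() error, err error)

// quoteIdent double-quotes a Postgres identifier. Database names are derived
// from suite names, so they are never spliced into SQL unquoted.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// PrepareTemplate pays the slow part once: create the template database, run
// every migration against it, then mark it as a template. The detail that
// bites in practice is closing the migration connection before anyone clones,
// because CREATE DATABASE ... TEMPLATE fails while other sessions are still
// attached to the source ("source database is being accessed by other users").
func PrepareTemplate(connect Connector, template string, migrations []string) error {
	admin, closeAdmin, err := connect("postgres")
	if err != nil {
		return err
	}
	defer closeAdmin()
	if _, err := admin.Exec("CREATE DATABASE " + quoteIdent(template)); err != nil {
		return err
	}
	db, closeDB, err := connect(template)
	if err != nil {
		return err
	}
	for _, stmt := range migrations {
		if _, err := db.Exec(stmt); err != nil {
			closeDB()
			return fmt.Errorf("migration failed: %w", err)
		}
	}
	if err := closeDB(); err != nil { // detach before the database is used as a template
		return err
	}
	// Optional: IS_TEMPLATE lets any role with CREATEDB clone it and blocks an
	// accidental DROP DATABASE until the flag is cleared again.
	_, err = admin.Exec("ALTER DATABASE " + quoteIdent(template) + " IS_TEMPLATE true")
	return err
}

// CloneForSuite gives one suite its own database by copying the template's
// files instead of replaying migrations, which is why it takes milliseconds.
// The name is derived from the suite; add a run ID if CI jobs share a server.
func CloneForSuite(admin Executor, template, suite string) (string, error) {
	name := "test_" + strings.ToLower(suite)
	_, err := admin.Exec("CREATE DATABASE " + quoteIdent(name) + " TEMPLATE " + quoteIdent(template))
	return name, err
}

// DropSuiteDB removes a clone once the suite finishes.
func DropSuiteDB(admin Executor, name string) error {
	_, err := admin.Exec("DROP DATABASE IF EXISTS " + quoteIdent(name))
	return err
}
```

Clones are independent copies, so a suite that leaves rows behind or drops a table cannot affect another suite; the template itself is never connected to again after migration, only copied.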

pquerna | 4 years ago | on: Former Netflix Executive Convicted of Receiving Bribes and Kickbacks

> In June 2012, he became an advisor and received options for shares in the company Sumo Logic, Inc. The next month, Kail authorized and signed on behalf of Netflix a vendor agreement between Netflix and Sumo Logic.

Few months later:

https://techcrunch.com/2012/11/28/log-data-management-and-an...

> Less than a year after the company’s public launch, Sumo Logic has closed a number of large-scale enterprise client deals including Netflix

No repercussions for Sumo Logic at this point - they IPO'ed in September 2020 -- https://finance.yahoo.com/quote/SUMO
