How I gained commit access to Homebrew in 30 minutes

67 bookmarks. First posted by briantrice 10 weeks ago.

This issue was publicly disclosed on the Homebrew blog at https://ift.tt/2AJpJbA Since the recent NPM , RubyGems , and Gentoo…
4 weeks ago by slempke
How I gained commit access to Homebrew in 30 minutes

oosp  from twitter
8 weeks ago by mkb
It is surprisingly easy to attack packagers as a way of delivering a malicious payload to machines quite broadly.
security  via:reddit 
9 weeks ago by mcherm
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
9 weeks ago by gwpl
package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat
security 
10 weeks ago by zephyr777
How I gained commit access to the Homebrew project in 30 minutes:
10 weeks ago by fabianmoronzirfas
This issue was publicly disclosed on the Homebrew blog at https://brew.sh/2018/08/05/security-incident-disclosure/ Since the recent NPM , RubyGems , and Gentoo…
from instapaper
10 weeks ago by spinnerin
Wow: How I gained commit access to Homebrew in 30 minutes
from twitter
10 weeks ago by jamescampbell
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  github  homebrew 
10 weeks ago by zchi
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.

If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?

This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
homebrew  github  security  jenkins  credentials  scary 
10 weeks ago by jm
On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core.
homebrew  github  security 
10 weeks ago by ssorc
via Pocket - How I gained commit access to Homebrew in 30 minutes - Added August 07, 2018 at 11:06AM
10 weeks ago by mikele
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?
10 weeks ago by mvuijlst
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by wlejon
How I gained commit access to Homebrew in 30 minutes
from twitter
10 weeks ago by nicola
How I gained commit access to Homebrew in 30 minutes
from twitter
10 weeks ago by RBaumier
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
10 weeks ago by mpasternacki
This issue was publicly disclosed on the Homebrew blog at https://ift.tt/2AJpJbA
s 
10 weeks ago by igorette
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
10 weeks ago by becked
“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.”
security 
10 weeks ago by kevinrood
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute malicious software. via Pocket
IFTTT  Pocket 
10 weeks ago by regisd
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  homebrew  breach  credentials  token  github  jenkins 
10 weeks ago by floehopper
Mismanaged GitHub credentials
homebrew  security  badtech 
10 weeks ago by nelson
Next up in underfunded critical infrastructure: package managers.
from twitter_favs
10 weeks ago by e30chris
Next up in underfunded critical infrastructure: package managers.
from twitter
10 weeks ago by FiloSottile
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by NeoNacho
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by ekingery
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by adamamyl
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by danyoung
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 weeks ago by briantrice