How I gained commit access to Homebrew in 30 minutes


64 bookmarks. First posted by briantrice 14 days ago.



oosp  from twitter
3 days ago by mkb
It is surprisingly easy to attack packagers as a way of delivering a malicious payload to machines quite broadly.
security  via:reddit 
7 days ago by mcherm
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
10 days ago by gwpl
package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat
security 
11 days ago by zephyr777
How I gained commit access to the Homebrew project in 30 minutes:
11 days ago by fabianmoronzirfas
This issue was publicly disclosed on the Homebrew blog at https://brew.sh/2018/08/05/security-incident-disclosure/. Since the recent NPM, RubyGems, and Gentoo…
from instapaper
12 days ago by spinnerin
Wow: How I gained commit access to Homebrew in 30 minutes
from twitter
12 days ago by jamescampbell
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  github  homebrew 
12 days ago by zchi
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it.

If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?

This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.
homebrew  github  security  jenkins  credentials  scary 
12 days ago by jm
On Jun 31st, I went in with the intention of seeing if I could gain access to Homebrew’s GitHub repositories. About 30 minutes later, I made my first commit to Homebrew/homebrew-core.
homebrew  github  security 
12 days ago by ssorc
via Pocket - How I gained commit access to Homebrew in 30 minutes - Added August 07, 2018 at 11:06AM
12 days ago by mikele
If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it. If I can gain access to commit in 30 minutes, what could a nation state with dedicated resources achieve against a team of 17 volunteers? How many private company networks could be accessed? How many of these could be used to escalate to large scale data breaches? What other package management systems have similar weaknesses?
13 days ago by mvuijlst
RT : How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
13 days ago by wlejon
How I gained commit access to Homebrew in 30 minutes
from twitter
13 days ago by nicola
How I gained commit access to Homebrew in 30 minutes
from twitter
13 days ago by RBaumier
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
13 days ago by mpasternacki
This issue was publicly disclosed on the Homebrew blog at https://ift.tt/2AJpJbA
s 
13 days ago by igorette
RT : Next up in underfunded critical infrastructure: package managers.
from twitter
13 days ago by becked
“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research.”
security 
13 days ago by kevinrood
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute malicious software. via Pocket
IFTTT  Pocket 
14 days ago by regisd
Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute…
security  homebrew  breach  credentials  token  github  jenkins 
14 days ago by floehopper
Mismanaged GitHub credentials
homebrew  security  badtech 
14 days ago by nelson
Next up in underfunded critical infrastructure: package managers.
from twitter_favs
14 days ago by e30chris
Next up in underfunded critical infrastructure: package managers.
from twitter
14 days ago by FiloSottile
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
14 days ago by adamamyl
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
14 days ago by briantrice
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
14 days ago by NeoNacho
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
14 days ago by danyoung
How I gained commit access to the Homebrew project in 30 minutes:
from twitter_favs
14 days ago by ekingery