科技回声
A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

What can we learn from the matrix.org compromise?

84 points by cyber about 6 years ago

11 comments

pm90 about 6 years ago
This is such a poorly written article:

* no detailed analysis of how the attack was undertaken. It's not even clear how the attacker managed to get in (was it a publicly exposed Jenkins? vulnerable bastion? what?)

* no analysis of what the existing matrix.org security perimeter looked like or how it could be made better.

* repetition of security tropes. Use VPN. Use GitHub Enterprise (wait wtf? Why not private repos in GitHub?). Don't use Ansible, use Salt.

Ridiculous. I was looking forward to a nice long read about how this breach was undertaken. Hugely disappointed.
KirinDave about 6 years ago
Why aren't people reporting the fact that Matrix.org actually lost control of their network a second time within hours of their first all-clear sounding?

I feel like this is an important part of the story for anyone looking for teachable infosec moments.
Arathorn about 6 years ago
If it wasn't clear, this article wasn't written by the Matrix.org team, nor did the author discuss any of it with us to our knowledge.

We'll publish our own full post-mortem in the next 1-2 weeks.
nisa about 6 years ago
It's been a few years since I last used Saltstack, but if you have access to the master you have instant root on all minions, or did that somehow change? salt '*' cmd.run 'find / -delete' and game over?
ubercow13 about 6 years ago
Why is it considered safer to expose a VPN to the internet than SSH? Is it just that there is one exposed service for the organisation rather than one per machine?
krupan about 6 years ago
Can anyone explain the Jenkins vulnerability that was used to initially gain access? Reading the CVEs didn't give me the impression that they enabled remote exploits.
zimbatm about 6 years ago
The attacker gained network access through Jenkins.

Don't deploy a public-facing Jenkins, especially if it has credentials attached to it. It's really hard to secure, especially if pull requests can run arbitrary code on your agents.

Jenkins / CI is the sudo access to most organizations.
r1ch about 6 years ago
One thing I learned was where to modify the Pageant source code (Windows equivalent of ssh-agent) to make my agent prompt before signing (with the default focus on "no"). This feels much safer and is a very minor inconvenience. I wonder why more agents don't have this built in.

Example: https://twitter.com/R1CH_TL/status/1118559239084158977
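r1ch's point is about limiting what a compromised host can do with a forwarded or always-available agent. Added example, not from this thread and not Pageant or OpenSSH code: a small Python resolver that applies OpenSSH's ssh_config rule that the first obtained value for an option wins, and uses it to audit which hosts would actually get agent forwarding. The SAMPLE_CONFIG and HARDENED_CONFIG texts and the hostnames are constructed for the example; the parser handles Host blocks only and treats Match blocks as never matching, since those need runtime context.

```python
"""Resolve effective ssh_config options the way ssh(1) does (first match wins)
and audit where ForwardAgent would end up enabled.  Added example; the
config texts below are constructed, not taken from any real deployment."""
import fnmatch

# Constructed config.  The 'Host *' block comes first, so its ForwardAgent yes
# is the value ssh actually uses for every host, including the bastion block
# below that tries to turn it off.
SAMPLE_CONFIG = """
# Global defaults: consulted first for every host.
Host *
    ForwardAgent yes
    ServerAliveInterval 30

Host bastion.example.org
    # Ineffective: 'Host *' above already supplied ForwardAgent.
    ForwardAgent no
    IdentitiesOnly yes

Host ci-*.example.org
    User deploy
"""

# Constructed hardened config: forwarding off globally; per-host exceptions
# would have to be placed *above* the 'Host *' block to take effect.
HARDENED_CONFIG = """
Host *
    ForwardAgent no
    IdentitiesOnly yes
    AddKeysToAgent no
"""


def parse_blocks(text):
    """Return [(host_patterns, {option_lower: value}), ...] in file order.
    Options seen before any Host line belong to an implicit 'Host *' block.
    Within a block only the first value for an option is kept."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0].strip():
            key, value = (s.strip() for s in line.split("=", 1))   # Key=value
        else:
            key, _, value = line.partition(" ")                   # Key value
            value = value.strip()
        key = key.lower()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([], {}))   # no patterns: never matches (assumption)
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks


def _host_matches(hostname, patterns):
    """ssh_config semantics: a matching negated pattern ('!x') vetoes the
    whole Host line.  fnmatch gives the '*' and '?' wildcards ssh supports."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def effective_option(text, hostname, option):
    """Value ssh would use for `option` on `hostname`, or None if unset."""
    option = option.lower()
    for patterns, options in parse_blocks(text):
        if option in options and _host_matches(hostname, patterns):
            return options[option]
    return None


def hosts_with_agent_forwarding(text, hostnames):
    """Subset of hostnames for which the agent socket would be forwarded."""
    return [h for h in hostnames
            if (effective_option(text, h, "ForwardAgent") or "no").lower() == "yes"]


if __name__ == "__main__":
    hosts = ["bastion.example.org", "ci-7.example.org"]
    print("sample  :", hosts_with_agent_forwarding(SAMPLE_CONFIG, hosts))
    print("hardened:", hosts_with_agent_forwarding(HARDENED_CONFIG, hosts))
```

Running it shows that the sample config forwards the agent to both hosts despite the bastion block's `ForwardAgent no`, while the hardened config forwards to none. On the OpenSSH side, the per-signature prompt r1ch patched into Pageant is available without source changes by loading keys with `ssh-add -c`, which requires an `SSH_ASKPASS` program to show the confirmation dialog.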
forgotmypw about 6 years ago
I'd like to take this opportunity to plug my in-development decentralized, distributed, completely open forum, using PGP as the "account" system and text files as the data store.

So any reasonably competent hacker can re-validate the entire forum's content and votes, reasonably quickly reimplement the whole thing, and/or fork the forum at any time.

http://shitmyself.com/
mjevans about 6 years ago
That medium.com has a paywall and doesn't want to share content? (is what I learned)
inetknght about 6 years ago
I have gone on some long verbal rants about the dark patterns (bordering on malicious behavior) exhibited by key agents such as SSH agent, GPG agent, Pageant, and the like.

What can you learn from the compromise? Never use an agent. Kill it with fire^H^H^H^H -9.