ckwalsh's comments

> the legitimate ones I’d initially generated still worked

This spooks me. I take this to mean either:

- They are still using the compromised key for validation, meaning if you have access to any old token, you can still mutate that, maybe needing to play around with the issuing times

- They built an allowlist of all permitted tokens, and check that list first. In which case, might as well use random session ids instead of JWTs, and at the same point where the allowlist is being checked, mutate the request to inject a JWT that the backend can use.

Also, kind of curious why the switch to RSA4096 instead of elliptic curves, since they are generally faster / smaller.
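The first scenario above (a retired signing key that is still accepted during validation) is the one a verifier can rule out mechanically. The following is an added example, not code from the original thread or from the vendor being discussed: a small JWT verifier that pins the key by `kid`, keeps an explicit set of retired key ids, and fails closed on any token that references one, no matter what its issuing time claims. It uses HMAC-SHA256 (HS256) from the Python standard library so it runs offline; the key-set logic is identical for RSA or elliptic-curve keys, only the signature check changes. All secrets, key ids and tokens are constructed for the demonstration.

```python
"""Added example (not from the thread): JWT verification with key rotation.

Tokens name their signing key via the ``kid`` header.  Verification consults
the *current* key set; a key that has been rotated out (here because it was
assumed leaked) is listed as retired and rejects every token that names it.
HS256 is used instead of RSA only to stay dependency-free.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, kid: str, secret: bytes) -> str:
    """Issue an HS256 token whose header records which key signed it."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, active_keys: dict, retired_kids: set, now=None) -> dict:
    """Return the claims if the token verifies under the current key set.

    Rejects: malformed tokens, any alg other than HS256 (so "none" and
    algorithm-confusion headers fail closed), a missing kid, a kid that names
    a retired key, an unknown kid, a bad MAC, and exp/nbf violations.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("bad header")
    if header.get("alg") != "HS256":
        raise InvalidToken("unsupported alg")
    kid = header.get("kid")
    if not isinstance(kid, str):
        raise InvalidToken("missing kid")
    # A retired key verifies nothing, regardless of the token's iat/exp.
    if kid in retired_kids:
        raise InvalidToken("retired key")
    secret = active_keys.get(kid)
    if secret is None:
        raise InvalidToken("unknown kid")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(parts[2])
    except ValueError:
        raise InvalidToken("bad signature")
    if not hmac.compare_digest(expected, presented):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("bad claims")
    if "exp" in claims and now >= claims["exp"]:
        raise InvalidToken("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise InvalidToken("not yet valid")
    return claims


def check(token: str, active_keys: dict, retired_kids: set, now=None):
    """Convenience wrapper returning (accepted, subject-or-reason)."""
    try:
        return True, verify_jwt(token, active_keys, retired_kids, now).get("sub")
    except InvalidToken as exc:
        return False, str(exc)


# Constructed demo material: k1 is assumed leaked and rotated out for k2.
OLD_SECRET = b"constructed-old-secret-assume-leaked"
NEW_SECRET = b"constructed-new-secret"
NOW = 1_700_000_000
BEFORE_ROTATION = ({"k1": OLD_SECRET}, set())
AFTER_ROTATION = ({"k2": NEW_SECRET}, {"k1"})

if __name__ == "__main__":
    old_token = sign_jwt({"sub": "alice", "exp": NOW + 3600}, "k1", OLD_SECRET)
    print(check(old_token, *BEFORE_ROTATION, NOW))  # (True, 'alice')
    print(check(old_token, *AFTER_ROTATION, NOW))   # (False, 'retired key')
```

The design point is that rotation is expressed in the key set the verifier consults, not in the tokens: a previously valid token stops working the moment its `kid` moves to the retired set, which is the behaviour you would expect after a key compromise. A token that names the new `kid` but was signed with the old secret fails the MAC comparison instead, so neither path lets the old key through.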


I think very few customers had ever generated API keys, and as best I can tell they made an allowlist for them.

One of my suggestions to them was to switch to elliptic curve, but I imagine RSA 4096 "just worked".

I suspect they'll rework it later now that it's not "on fire".


Ah that makes sense. For sufficiently small values of N, a hardcoded allowlist isn't a problem.

You're probably right that RSA 4096 "just worked", and some library in their stack doesn't have elliptic curve support. And again, if N is small, the verification performance doesn't matter that much.

Nice find and writeup!


My guess is they are still accepting keys signed with the old 512 key but are currently generating new tokens with a 4096 key.


No because Ryan says he is not able to create his own tokens anymore. And he has the same private key as the supplier.


FYI, Ryan uses they/them pronouns (https://rya.nc/about.html).


Ah, sorry, and stupid of me for assuming. I would edit but cannot anymore.


+1 to this. I run Ubuntu 22.04 with microk8s. I keep all my YAML files in a local git repo, and figured out how to hook up my NAS to provide storage via NFS.

It's definitely gone down a few times, but I've learned a TON tinkering with it. It's super easy to spin up a new hobby project, and there's a nice web UI for seeing what the heck is going on.

I've completely borked it a couple of times and survived one micro PC migration. Can't recommend it more.


Do you happen to know where I can read about how ET and Mosh each establish their connections?

I have used Mosh for years and recently heard of ET, but when I tried it I experienced noticeable hangs that I don’t get with Mosh, and I went back.

I heard from several people that “ET is the new Mosh”, but it won’t be for me unless I can figure out/resolve those hangs.


The 5 hours doesn’t surprise me.

I was on the jury of a federal fraud trial with 2 defendants with 15 charges, ~30 million in losses.

We were thorough and went through each count separately, including reviewing some of the evidence, and were done in maybe 8 hours spread across 2 days.

We ended up with a mixed verdict: one count not guilty for both, another not guilty for one. I fully believe they were aware and committed fraud for the not guilty counts, but the prosecutor wasn’t able to cross the “reasonable doubt” threshold in our minds for those specific instances.

Only thing we weren’t super careful about was the first requirement for Mail/Wire fraud, which is “Mail and wires” were used.

It was amusing that the prosecutors brought in a bank IT guy to explain that “the internet uses wires”, but not really something we questioned.


> to explain that “the internet uses wires”

I wonder if they did that to avoid having to explain to the jury that wire fraud does not actually require the use of wires...


What does it require, if not wires?

And are modern fiber optic cables wires in any sense of the word? Does the relevant statute in USC18 actually define "wire" for the purpose of the crime?

Part of me thinks that wireless communications must be included, but one might make the case that even then, information/communication is transmitted over wire at some point.


Wire, radio, and television. The definition is:

"having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice"

https://www.law.cornell.edu/uscode/text/18/1343

UPDATE: Various court decisions have expanded the interpretation so that "wire fraud" also involves the use of the internet, phone calls, emails, social media messages, faxes, telegrams, fiber optic, cable or SMS messaging and data systems.

I am not a lawyer, though. I could be mistaken on this.


“So, contrary to popular belief, the internet is not some big truck that you can just dump something on a la Ted Stevens; it’s more of a … series of tubes?”

‘That is correct.’


I really enjoy watching the judging of her apple pie: https://youtu.be/i0zRSANWj1I


Is there any way to tie an expectation of long term security support with legal protection of the product against competitors/reverse engineers/other parties that manufacturers may not want looking too closely?

I’m not suggesting granting additional protections to manufacturers, but codifying an expectation of “if you abandon it, other people can come in and potentially salvage it”.


At home I have a little Intel NUC running Ubuntu hooked up to a 4-bay Synology NAS.

I’m running several web apps, a git server, Plex, Pi-hole, a private CA, and Keycloak, all on top of microk8s. It’s overkill, but I appreciated the opportunity to fiddle around and learn K8s without the stress of external obligations.

I have two ingresses, one internal and one external-facing. The external one is exposed via Cloudflare and a micro VM (for multi-level subdomains that Cloudflare doesn’t support for free).

DynDNS is handled by the router. It writes to a pseudorandom hostname, and Cloudflare references it by CNAME.

It doesn’t get any significant amount of external traffic, but it is good enough for family to use for the web apps + a yearly March Madness pool (that can’t be hosted on Yahoo/ESPN/etc. due to a custom family rule set).


How do you connect your NUC to the Synology?


SMB/NFS?


NFS


Any plans for OIDC support?


Yes, this has been requested quite a bit recently. Could you please comment in this issue: https://github.com/Infisical/infisical/issues/442

We will make sure to prioritize the OIDC support depending on how many people ask for it.


When kids first enter foster care, the state assumes care and tries to work with the parents to resolve whatever issues caused the kids to be removed. During this time, the kid ideally stays with another family member or friend, but with a random foster family if not. The parents remain the legal guardians and have opportunities to see their kids, coordinated by the state.

If reunification is determined to be impossible, the state goes to court to sever parental rights. This determination normally takes a year plus, and usually means the parents have checked out or are no longer trying to resolve the issues. Only once parental rights are severed is the child considered "legally free", and is eligible to be adopted into another family. In the ideal case, this is the family they were staying with before parental rights were severed, but not necessarily.

I haven't looked into the details of this article, but I assume these funds will be used for kids that have had parental rights severed, and were either adopted or "age out" of the foster care system.

Once in foster care, most kids are traumatized. Once parental rights are severed, it is incredibly difficult for parents to "re-adopt" their kid. I sure hope no parents are so short-sighted as to put their child through hell to reduce the cost of college.


I'm guessing along the lines of:

* Before hunters were corner cutting, the land was more desirable and I could have sold it for $X

* With hunters now corner cutting, the land is less desirable, due to the hunting activity, and can only be sold for $Y

* $X - $Y = $7 million

