2018-006- NPM is whacking boxes, code signing, and stability of code



Topics on today's show:

NPM (Node Package Manager) - a bug was introduced that changed the permissions on /etc, /boot, and /usr, breaking many systems and requiring full re-installs. Why was it allowed through, and worse, why did so many people run that version on production systems?

Code signing - a well-known content management system does not sign its code. What are the risks of not signing code? We also talk about why you should verify code before you use it.

Using code without testing - NPM released a 'not ready for primetime' version of its package manager. We discuss the issues with running 'alpha' and 'beta' releases.

Tickets are already on sale for "Hack in the Box" in Amsterdam from 9-13 April 2018, and using the checkout code 'brakeingsecurity' gets you a 10% discount. Register at https://conference.hitb.org/hitbsecconf2018ams/register/

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon


#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec


Previous podcast referenced: http://traffic.libsyn.com/brakeingsecurity/2018-005-Securing_CMS_and_mobile_devices-phishing_story.mp3




Using ‘pre-production’ software without testing is not advisable

Unfortunately, many assume all software is stable

A product of ‘devops’ - failing forward: “we’ll just fix it in post”

We talked about ‘supply chain security’ on the last podcast



Developers can leave a project, leaving the code or its dependencies unmaintained

Also, some trust is unavoidable… so verify the code before you use it.

Verification that the code came from where it was supposed to

Many important code bases aren’t signed and offer no way to verify them

Wordpress does not appear to publish file hashes

Can you always trust the download? Sure, it is served over TLS… but TLS only protects the connection: it gives you no integrity check of the artifact itself and no non-repudiation



Bsides NASH-

