Opsec For Developers Or How I Got Even More Paranoid: Act I

In this post I'd like to talk about some of the things I want to establish in my workflow to improve my security posture and reduce my exposure to a variety of threat actors.

NB: I’m not a security professional. This is not advice, but rather a list of things I do to try to stay secure. So take it with a grain of salt.

In day-to-day operations developers have privileged access to a lot of things, including restricted computing resources and, first and foremost, the code. That code security is a top priority goes without saying. In this article I want to reflect on things I do, the security risks I expose myself to and how I plan on mitigating them. I talk about two perspectives: the developer as a private person, and the developer acting on behalf of a company.

The main causes of insecurity are missing knowledge or plain ignorance. We choose to hardcode passwords because it makes the deployment process so much easier, or to skip tests until “we have time for such goodies”. We all understand how important it is to rush to market to beat the competition. Well, maybe; we can’t be certain. But if your app gets breached, you can be certain about the effect it has on your product and on “going to market in time” (or at all). Dealing with a breach does not only throw your timeline back, it may also turn out that you fucked up so hard that you don’t need to show up anymore. Ask Ashley Madison or Equifax.

We have all experienced, to some degree, how indifferent the higher levels of a company can be towards topics such as privacy or security. But this is not a post about that. I’d rather talk about things we can do on our end to at least not increase the risk. So this shall be an analysis of the things I do and what I plan to do about them.

Plead: Guilty

Yes, I am guilty of all of the things said above. I skip tests because “duh, we have no time for that”. I include hard-coded passwords in my deployments (well, not in the code, but in plain-text config files that sit in the same folder, or in the Dockerfile). I also lack respect for security threats and always thought “hey, I’m/we’re not that important, no one is hacking us wide open”. BULLSHIT.

The turning point for me was when I got a two-factor authentication (2FA) request on my phone from China (hint: I wasn’t in China at that time) for an authentication to the Apple iTunes Store. Additionally, a few days before, my credit card had been used from Chile (another hint: I wasn’t there either). Thankfully Visa actually caught the transaction as suspicious.

Despite being unattractive to attackers at a larger scale, I am attractive if I’m an easy target or if I just happen to be there. Nothing is easier than being an easy target. BTW, after getting that 2FA dialogue on my phone I spent half a week nuking old accounts that I had collected after practically living on the internet for over a decade. You should do the same from time to time ;) … and also check https://haveibeenpwned.com/ from time to time.

It doesn’t help that as a computer scientist I know about these things; the world is just too damn complex. You get fucked over by literally everything: the ATM or vendor that skimmed the magnetic stripe of the credit card mentioned earlier, or the browser plugins I blindly trusted, even ones meant to increase my privacy and security.

Leaking your data is the lowest-hanging fruit for an attacker, and trying to prevent it is hard. Think of font fingerprinting alone, or of correlation attacks on network throughput.

What Can Be Done?

I don’t know. But here’s what I’m trying.

The Browser Is A Radio Station

Our browser does not only show us funny videos of cute animals, amongst other things; it also keeps a shitload of data about you and your habits. It’s basically a data-hoarding piece of software in disguise. There is so much to be learned about a person with access to just the browser history, the bookmarks, the cookies or basically anything in there. And you let third parties in, namely plugins and extensions. There are shady ones known to collect and sell browsing data, like Web of Trust or “privacy” extensions like Ghostery. But even trusted extensions can go bad, for example when they change owners or their update channel gets compromised.

Things to consider:

  • Throw out all unused, unknown or unimportant plugins
  • Consider uBlock Origin and JS Blocker to prevent tracking and fingerprinting to a degree
  • Use Dan Pollock’s /etc/hosts file from here to send shady hosts into nirvana at the lowest possible level: the name resolves to an unroutable address before the browser ever opens a connection
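To make the hosts-file mechanism concrete, here is an added example (not part of the original post, and not Dan Pollock’s actual list) with a constructed excerpt in the same format and placeholder domain names. It resolves names the way the OS resolver does and shows the limitation a practitioner should know about: /etc/hosts matches exact names only, so a subdomain that is not listed still resolves normally.

```python
# Constructed excerpt in the format of a blocking hosts file; the real list linked
# above is much longer, and the domain names here are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# sink unwanted hosts to 0.0.0.0, an address nothing will ever answer on
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
0.0.0.0 www.tracker.example.org
"""

# Addresses used as sinkholes. Older lists use 127.0.0.1, which also blocks but
# sends every request to whatever is listening on your own machine's port 80.
SINKHOLE_ADDRS = {"0.0.0.0", "::"}


def parse_hosts(text: str) -> dict:
    """Map each hostname to its address. The resolver returns the first matching
    entry, so the first line wins when a name is listed twice."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(hostname: str, mapping: dict) -> bool:
    """True only for an exact name match: /etc/hosts has no wildcards, so
    a new subdomain of a blocked domain still resolves normally."""
    addr = mapping.get(hostname.lower().rstrip("."))
    return addr in SINKHOLE_ADDRS


def uncovered_subdomains(hostnames, mapping: dict) -> list:
    """Names that sit under a blocked parent domain but are not blocked themselves."""
    blocked = {name for name, addr in mapping.items() if addr in SINKHOLE_ADDRS}
    gaps = []
    for host in hostnames:
        host = host.lower().rstrip(".")
        if host in blocked:
            continue
        parts = host.split(".")
        if any(".".join(parts[i:]) in blocked for i in range(1, len(parts))):
            gaps.append(host)
    return gaps


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ["ads.example.net", "cdn.ads.example.net", "localhost"]:
        print(f"{name:25s} sinkholed: {is_sinkholed(name, hosts)}")
    print("not covered:", uncovered_subdomains(["cdn.ads.example.net"], hosts))
```

The gap reported by `uncovered_subdomains` is the reason a hosts file complements, rather than replaces, an in-browser blocker that understands wildcard rules.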

2FA Everything

Protect yourself from getting pwned easily. If you still need motivation, please see this or this. Point is: use 2FA for everything you can, no excuses, and prefer an authenticator app or a hardware token over SMS codes wherever the service offers it. And please educate your loved ones on how to use it.

Showing The Real Me

After seeing this the other day, on how to be anyone on GitHub, I immediately uploaded a GPG key to GitHub and started signing my commits. So everyone knows it’s me (not that anyone cares, though). Sure, this is not a dangerous vector, but still, always providing proof of who you are is good practice. Especially if you are an authority like Linus is on the Linux kernel.

People easily trust something they’re used to. That can be websites, or you as an authority on something. So I deem it important to provide some proof that you are indeed who you say you are, and that what you are saying is actually what you said. Wait … what?

It’s not only important to provide proof in situations like git commits or, for example, emails; it’s also important to guarantee, to some extent, that what your users send you, or what you answer, stays between the two communication partners, and also that it hasn’t been tampered with. If people receive emails, commits or friend requests from you, they are inclined to trust them!

Things to consider:

Especially in the case of SSL/TLS, encryption alone doesn’t necessarily imply security, neither for the client nor for the server. Examples are BREACH (a side channel through HTTP compression), SSLStrip (YouTube; downgrading HTTPS to plain HTTP, which HSTS exists to prevent) or compromised certificate authorities. The last point especially should not throw you off: Let’s Encrypt is a certificate authority too, but not one like Symantec.

Keep Your Box Clean & Your Dependencies Up To Date

I know, this is hard. Very hard. We have projects in a bazillion languages with even more package managers on a variety of operating systems. And we frequently install software just to test it, maybe even forgetting that it’s there. A simple step is a virtual machine for fiddling around. You do your thing, then wipe it by resetting it to a previously saved snapshot. Whatever got installed, changed or left behind is gone with it.

If you work on different projects with different databases, you can write yourself scripts that start and stop the databases, caches and other services. After finishing, stop everything that’s not needed: anything left running with default credentials and bound to all interfaces is reachable by everyone on the same network.
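As an added example (not a script from the original post), here is a loopback probe that lists which of the usual development services are still accepting connections, so you notice what you forgot to stop. The port-to-name table is constructed for illustration; adjust it to whatever you actually run.

```python
import socket
from typing import Dict

# Constructed map of services a developer typically leaves running and their default ports.
DEV_SERVICES: Dict[int, str] = {
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
    9200: "Elasticsearch",
    11211: "memcached",
    5672: "RabbitMQ",
    8080: "some dev HTTP server",
}


def is_listening(host: str, port: int, timeout: float = 0.2) -> bool:
    """TCP connect probe: a completed handshake means something accepts connections there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def find_forgotten_services(host: str = "127.0.0.1",
                            services: Dict[int, str] = DEV_SERVICES) -> Dict[int, str]:
    """Return the subset of `services` that currently accepts connections on `host`."""
    return {port: name for port, name in services.items() if is_listening(host, port)}


if __name__ == "__main__":
    found = find_forgotten_services()
    if not found:
        print("nothing from the list is listening on loopback")
    for port, name in sorted(found.items()):
        print(f"port {port:5d}: {name} is still running")
```

Run it against your machine’s LAN address instead of 127.0.0.1 to see which of those services are also reachable from other hosts, which is the case that matters.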

As for dependencies, less is more. But when you can’t get by with less, use tools that monitor for new versions and known vulnerabilities, and make patching or migrating away from affected versions a priority.
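To illustrate what such a tool does, here is an added example (not a real tool and not code from the original post): it reads pinned requirements and checks each pin against an advisory feed. Both the requirements and the advisory data are constructed, with placeholder package names and advisory labels rather than real CVE identifiers; a real check would pull a real feed and use `packaging.version` for full PEP 440 comparison.

```python
import re
from typing import Dict, List, Tuple

# Constructed requirements pins in requirements.txt syntax; the package names are
# placeholders, not real PyPI projects.
REQUIREMENTS = """\
acme-http==2.19.1
acme-web==1.0.2   # pinned web framework
acme-yaml==5.3
# a comment line
"""

# Constructed advisory feed: package -> list of (first fixed version, advisory label).
# Labels are placeholders, not real CVE identifiers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "acme-http": [("2.20.0", "ADV-DEMO-0001")],
    "acme-yaml": [("5.4", "ADV-DEMO-0002")],
}

# Only exact pins (name==version) are considered; unpinned lines cannot be audited.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9.]*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted versions compared component-wise, so 2.9 < 2.10 and 5.3 < 5.4.
    Pre-release suffixes are not handled; use packaging.version for real projects."""
    return tuple(int(part) for part in version.split(".") if part)


def parse_requirements(text: str) -> Dict[str, str]:
    """Map lower-cased package name to its pinned version, ignoring comments."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        match = PIN_RE.match(line.split("#", 1)[0])
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def audit(pins: Dict[str, str],
          advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str, str]]:
    """(package, pinned, fixed_in, advisory) for every pin below a fixed version."""
    findings = []
    for name, pinned in pins.items():
        for fixed_in, advisory in advisories.get(name, []):
            if parse_version(pinned) < parse_version(fixed_in):
                findings.append((name, pinned, fixed_in, advisory))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed_in, advisory in audit(parse_requirements(REQUIREMENTS), ADVISORIES):
        print(f"{name}=={pinned}: {advisory}, fixed in {fixed_in}")
```

Wire something like this into CI so a build fails on a known-vulnerable pin, rather than relying on someone remembering to look.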

Proactive Instead Of Reactive

TL;DR:

  1. Keep your debt low. Delete all unused accounts.
  2. Clean your browser, keep the number of plugins low.
  3. Use 2FA.
  4. Prove who you are: sign your commits and mail.
  5. Uninstall shit and stop things when you’re not using them.

I know there is so much more, and nothing you’ll do here makes you fully secure, but it’s important to think about it and to get to know what you are able to do. Getting started is the first step!

Thanks for taking the time! I’m happy about feedback on anything you have. You can drop me a line on twitter or via mail (chris at this domain).