Avoiding default passwords and secrets breaches using open source: Helping everyone from open source developers to reporters and campaign staff

Presented at ToorCon San Diego 20 (2018), Sept. 16, 2018, 1 p.m. (50 minutes).

This talk covers the fundamental problem of handling secrets (e.g., passwords, API tokens, private keys) in open source code repositories and shared access to distributed systems. If adopted, these techniques can not only help minimize the “default password” problem and make it easier to handle “break glass” emergencies when secrets leak, but can even contribute to a low-cost technical solution to some of the social engineering (phishing) attacks on campaigns witnessed in the 2016 (and still occurring in the 2018) election cycle.

Passwords, API tokens, and private keys are the primary access control mechanisms used in a wide range of client/server software systems, be they simple web applications, hardware appliances, or cloud-based services. The Mirai and Carna botnets show what happens when default passwords are used in consumer devices. News reports of huge data breaches resulting from API tokens found in Git repositories using tools like Gitrob and TruffleHog happen repeatedly. Groups of individuals in political parties and campaigns sharing sensitive documents need easy-to-use mechanisms for securing login access that go beyond simple passwords, and their site reliability engineers need easier means of standing up and maintaining secure systems for them and recovering quickly when control of secrets is lost. Open source tools, techniques, and training materials will be discussed and demonstrated that are intended to raise the bar in solving these issues.
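The abstract names Gitrob and TruffleHog as the kind of tool that surfaces API tokens left in Git repositories. The following is an added example, not the presenter's tooling and not the implementation of either project: a minimal TruffleHog-style scanner that combines two public detection approaches (structural patterns for well-known secret formats, and a Shannon-entropy check on long base64/hex-looking runs) so that a repository owner can catch a secret before it is committed. The sample configuration text, the key and token values in it, and the entropy thresholds are all constructed for this illustration.

```python
import math
import re
import sys
from collections import Counter

# Added illustration (not the talk's or TruffleHog's code): flag likely secrets
# in text before it reaches a shared repository.

# Structural patterns for publicly documented secret formats: the "AKIA" AWS
# access key ID prefix and the PEM private-key header.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy check: runs of 20+ base64/hex-style characters.
CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")

# Thresholds (assumed values): a hex alphabet maxes out at 4.0 bits/char, a
# base64 alphabet at 6.0, so random material sits well above these lines while
# ordinary identifiers and words stay below them.
HEX_THRESHOLD = 3.0
B64_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str):
    """Return [(kind, matched_text), ...] for one line of text."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            findings.append((name, m.group(0)))
    for m in CANDIDATE.finditer(line):
        tok = m.group(0)
        ent = shannon_entropy(tok)
        if HEX_ONLY.match(tok):
            if ent >= HEX_THRESHOLD:
                findings.append(("high_entropy_hex", tok))
        elif ent >= B64_THRESHOLD:
            findings.append(("high_entropy_base64", tok))
    return findings


def scan_text(text: str):
    """Return [(line_number, kind, matched_text), ...] over a whole document."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, value in scan_line(line):
            results.append((lineno, kind, value))
    return results


# Constructed sample config; none of these values belong to a real system.
SAMPLE = """\
# constructed sample config, not from any real system
db_host = db.example.internal
aws_access_key_id = AKIAEXAMPLEKEY000001
api_secret_hex = 0123456789abcdef0123456789abcdef
session_token = Qx7mK2pL9vR4tW8nZ3bY6cF1hJ5sD0gA
label = this_is_a_long_variable_name_not_a_secret
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Pre-commit style usage: scan the files given on the command line (or the
    # built-in sample when none are given) and exit non-zero if anything is found.
    paths = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] \
        or [("<sample>", SAMPLE)]
    hits = 0
    for path, text in texts:
        for lineno, kind, value in scan_text(text):
            hits += 1
            print(f"{path}:{lineno}: {kind}: {value[:12]}...")
    sys.exit(1 if hits else 0)
```

The entropy branch is what makes this catch tokens with no recognisable prefix, and it is also where false positives come from; the long snake_case identifier on line 6 of the sample scores about 3.7 bits per character and is correctly left alone, while a 32-character token drawn from 32 distinct symbols scores 5.0 and is flagged. Wiring the script into a Git pre-commit hook (non-zero exit blocks the commit) is the cheap preventive control; rotating any credential that a scan finds already committed is still required, because history is shared the moment it is pushed.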
