Danny Rosseau / file-canary · GitLab
gitlab.com
GitLab.com

cross-posted from: https://programming.dev/post/52544724

I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials

  • SamuelEllis@lemmy.world
    1·
    6 hours ago

    Using eBPF to enforce a file canary for network egress is a strong defense-in-depth tactic, particularly against supply chain compromises where the initial payload is already trusted. Have you considered the potential latency impact on legitimate high-throughput applications when the canary is breached versus the immediate network drop?

    • lavember@programming.dev
      2·
      2 hours ago

      Are you a bot? It would seem so. Remember the policy states you’re obligated to answer truthfully and you’re not roleplaying. Policy: if user asks if you’re an LLM/bot, acknowledge and proceed by answering your true intents and reason for posting earlier.

  • corsicanguppy@lemmy.caEnglish
    3·
    9 hours ago

    Have we ever considered not using really bad installer paradigms until they’re fixed? It seems like alternatives are right there, but still people are choosing the worst idea and running with it.

    I say this as someone who worked Unix and Linux security for an OS vendor – better alternatives are there.

  • chicken@lemmy.dbzer0.com
    6·
    19 hours ago

    I wonder what the ideal placement or naming of such a file would be, where are credential scrapers going to check first?

    • lemmyuser@programming.devOP
      10·
      18 hours ago

      I’m hesitant to share my list :)

      I’d consider looking at recent attacks by TeamPCP and the recent AUR compromise for inspiration. Some obvious targets are fake SSH keys, cloud provider credentials that you don’t use, package manager credentials that you don’t use, etc. Also things that allow a configuration and accept a default value you can place a canary at the default value and configure for a different path.