After much more digging, I learned that they actually read-only mount the zip as the wwwroot directory with this subtly-divergent deploy technique.

This is actually kind of a cool optimization. It probably wouldn't be as much of a sharp edge if it wasn't so divergent, though. Would be nice if you could mix-and-match by allowing zip-deploy from URL without the read-only mount thing.

If you’re wondering why I’d want to ship as a zip…

It allows me to write a terraform config or resource manager template and have the function app deployed and running without any intervention. Every other method needs follow-up manual work to configure.

Playing with Azure Functions for an infrastructure automation thing today - weekend project stuff, not for work.

They cram so many features into app services infrastructure that it’s hard to sort out the specifics in the docs.

For example: you can deploy a nodejs function app with source control, and it will npm install for you. But if you ship your code as a zip and provide a URL, you have to package your dependencies with your code.

It’s documented, but it adds to the learning curve.

Is there a proper/formal term for the security permissions model where the creator of a resource has full permissions on it regardless of their access to the system at large?

Most common example I can think of is document or file systems.

Is there any good literature contrasting that to other models of permission?

Once you’ve got the generic interface adapted, it opens up a world of cool stuff, like using KeyVault keys for the root of a private Certificate Authority.

It’s so tempting to fall down this crypto rabbit hole.

I keep looking for ways to interop with Azure KeyVault for signing and encryption with more generic applications, but the software doesn’t seem to exist.

For example, wouldn’t it be nice to generate a PGP detached signature using an HSM-protected key in CI, for release signing? Looking at Go-lang’s crypto libraries, it would “just” need to connect the dots between the Azure SDK and the crypto.Signer interface.

It was incredibly frustrating getting to this, though. The YubiKey documentation was pretty ambiguous in the use of terms for Open PGP and PIV interfaces. Turns out they're conceptually similar, but use different pins on the device. That resulted in me locking myself out a bunch of times.

Good thing I backed up my keys offline before moving them to the key.

After a little playing with my YubiKey last weekend - getting it set up as a smart card for GPG - I finally have it working kinda smooth.

It's kinda nice having the touch policy enabled. The agent seems to remember my pin for a little while, so when I git commit, the little "y" on the key glows, and when I touch it my commit goes through signed.

I’m so glad I dug in deep to PGP message and packet formats for a nonsense side project.

Now I’m working on a simple download verification mechanism based on detached signatures. Earlier in my career this would have been a bunch of magic functions... now I have the foundation to understand and avoid any obvious mistakes.

I especially love how they went to the trouble of making so many things that are familiar, but different enough to feel alien. The obvious example is books with the corners cut off.

But another great example is Helo and Boomer arriving at a fallout shelter, and the door has a symbol on it has a lot of the elements of our symbol for radioactivity, but adapted to be kind of triangular instead of a circle.

My wife pulled my collection of Battlestar Galactica (the remake) DVDs out of the basement. They’ve been in storage for several years.

It’s like watching a whole new show again after this many years. And good golly this show is brilliant.

The writing, photography, acting, sets, props… all amazing.

There were some other good nuggets in the paper as well. Including a conclusion that complex systems with many controls that allow a degree of freedom will inevitably reach an error state as operators explore those degrees of freedom. And that designed safeguards and training/documentation isn’t sufficient to prevent this.

The best place to put effort is in monitoring for error conditions and recovering as quickly as possible.

This from a paper in 1990. There is no such thing as a new idea. 🤯

Last week I read an accident analysis paper by Jens Rasmussen from 1990. There was a citation to a conference keynote from 1988 on the idea of “defence-in-depth”. Seriously, how old is this term?

From context, it seems like it didn’t originate in IT or even Security, but may have migrated from industrial systems design. This bears further historical investigation. I wonder how much interpretation has changed in re-telling over the decades.

I have the week off, and planning some activities with the kids.

It always seems like all the great things to do have me planning for 5 or 6 times longer than the actual activities last. I can’t wait till they’re old enough to learn the basics and run with it on their own. Will happen any time with the older one.

@JohnsNotHere @jerry Thanks for the tips. The event went better than expected for short-notice prep. Everyone had some fun, we learned a little about our IR plan, and a little about how to run one of these events. I was worried my scenario would be too short so I prepped two, and we didn’t need the second at all.

Also, what sorts of things can I throw in to make sure all players are involved whether they would normally be part of the incident or not? Would you change their role in the game for the purposes or training, or try to rig the scenario to pull them in?

Looking for IR Tabletop tips:

What frustrates players that should be avoided?

What sorts of twists and turns work well to throw in challenges and keep things interesting without going into the realm of the implausible?

Working on some Incident Response Tabletop scenarios for our team. This is going to be interesting.

Just wish I’d had more time to plan. Only had 24 hours notice that we’re going to try this after 10 months of “we should try that sometime.”

Another thing that helps is mixing reading for business and pleasure. I now keep a novel and a business or technical book available all the time.

Reading only for work can make it feel like reading is always work. Novels seem to help re-train my brain to make reading in general less of a chore.

I’m keeping pace for at least a book a month this year.

I tried to read this much last year - but using Safari Books Online as part of my strategy turned out to be a mistake. There were aspects of it that I really enjoyed… but in the end, I feel much more focused and motivated while reading a physical book.

Show more
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.