Details of the second Matrix hack. The project's GPG keys have been compromised


New details have been published about the hacking of the infrastructure of the Matrix messaging platform, which was reported this morning. The weak link through which the attackers got in was the Jenkins continuous integration system, which was compromised on March 13. Then, on the Jenkins server, the login of one of the administrators, forwarded by the SSH agent, was intercepted, and on April 4 the attackers gained access to other infrastructure servers.

During the second attack, the matrix.org site was redirected to another server (matrixnotorg.github.io) by changing DNS settings, using the Cloudflare content delivery network API key intercepted during the first attack. When rebuilding the contents of the servers after the first compromise, the Matrix administrators only issued new personal keys and missed rotating the Cloudflare key.

During the second attack the Matrix servers themselves remained untouched; the changes were limited to replacing addresses in DNS. If a user had already changed their password after the first attack, there is no need to change it a second time. But if the password has not yet been changed, it needs to be updated as soon as possible, since the leak of the database containing password hashes has been confirmed. The current plan is to start a forced password reset procedure at the next login.

Besides the password leak, it was also confirmed that the GPG keys used to produce digital signatures for packages in the Synapse Debian repository and for Riot/Web releases fell into the attackers' hands. The keys were passphrase-protected. The keys have already been revoked at this point. The keys were captured on April 4; since then no Synapse updates have been released, but the Riot/Web 1.0.7 client was released (a preliminary check showed that it had not been tampered with).

The attacker published a series of reports on GitHub with details of the attack and recommendations for improving protection, but they were deleted. However, saved copies of the reports remain.
For example, the attacker reported that Matrix developers should use two-factor authentication or at least not use SSH agent forwarding ("ForwardAgent yes"); then the penetration of the infrastructure would have been blocked. The escalation of the attack could also have been stopped by giving developers only the privileges they need, rather than full root access on all servers.

In addition, the practice of storing keys for creating digital signatures on production servers was criticized; a separate isolated host should be set aside for such purposes. The attacker also reported that if the Matrix developers had been checking logs regularly and analyzing anomalies, they would have noticed signs of the hack earlier (the CI compromise went undetected for a month). Another problem was storing all configuration files in Git, which made it possible to assess the settings of the other hosts once one of them was compromised. SSH access to the infrastructure servers was not limited to a trusted internal network, which allowed connecting to them from any external address.
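The agent-forwarding setting the attacker's report singles out ("ForwardAgent yes") is easy to audit for. The script below is an added example, not code from the article or from the Matrix project: it constructs a risky ssh_config and a hardened one inline (the host names `*.infra.example` and `bastion.example` are placeholders), and provides a small check that flags any non-comment `ForwardAgent yes` line. The hardened variant uses `ProxyJump` to hop through a bastion without exposing the agent socket to the intermediate host; that substitution is this example's suggestion, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article or the Matrix project): audit an
# OpenSSH client config for agent forwarding, with constructed sample configs.

# Return 0 if the given ssh_config enables agent forwarding anywhere
# (comment lines ignored, case-insensitive, only the literal value "yes"),
# 1 otherwise.
has_agent_forwarding() {
    grep -viE '^[[:space:]]*#' "$1" \
        | grep -qiE '^[[:space:]]*ForwardAgent[[:space:]]+yes([[:space:]]|$)'
}

# Constructed sample: the risky style of config called out in the report.
WEAK_CFG="$(mktemp)"
cat > "$WEAK_CFG" <<'EOF'
# constructed example of the risky setting (hostnames are placeholders)
Host *.infra.example
    ForwardAgent yes
EOF

# Constructed sample: hardened equivalent. Forwarding is off globally and the
# jump host is reached with ProxyJump, so the bastion never sees the agent.
HARDENED_CFG="$(mktemp)"
cat > "$HARDENED_CFG" <<'EOF'
Host *
    ForwardAgent no
Host *.infra.example
    ProxyJump bastion.example
EOF

# Print a verdict for one config file; exit status 1 means "risky".
audit() {
    if has_agent_forwarding "$1"; then
        echo "$1: ForwardAgent yes found (risky)"
        return 1
    fi
    echo "$1: no agent forwarding enabled"
    return 0
}

audit "$WEAK_CFG" || true
audit "$HARDENED_CFG"
```

Run it as `sh audit-forwardagent.sh`; to check a real client config, call `audit ~/.ssh/config` instead of the constructed samples. A `ForwardAgent yes` under `Host *` deserves the same treatment as one scoped to a specific host, since it applies to every connection.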

Source: budenet.ru
