  • Christopher Lemmer Webber https://octodon.social/@cwebber   •   Dec 4

    Typosquatted Python libraries exfiltrating PGP and SSH keys https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

    Same stuff as the event-stream incident, effectively. This is only going to get worse; object capability security is no longer an optional thing; we need it to survive as a society.

    Aaron Parecki
    How does ocap help? Wouldn't the attacker just exfiltrate the ocap token?

    Seems like a better idea would be to use a hardware security model to contain the private keys, only letting the machine use them but not copy them out.
    Portland, Oregon • 42°F
    Wed, Dec 4, 2019 9:10am -08:00
    1 reply
    • Christopher Lemmer Webber octodon.social/@cwebber

      @aaronpk I'm discussing Ocap-level module safety. SES in Javascript is doing this to a large degree (Jessie moreso). Not talking about tokens here but references. The idea is that reference passing *is* language-level ocaps; normal argument passing to functions is ocap security, see: http://mumble.net/~jar/pubs/secureos/secureos.html

      Extending that to the module layer, a module only gets the authority you pass into it.

      Wed, Dec 4, 2019 5:12pm +00:00
Posted in /replies using monocle.p3k.io
