- Implementation:
- M-of-n parties deterministically compile web interface bundle and sign it
- Interface installs service worker mandates all future updates are
- signed with m-of-n valid keys certified by a pinned CA
- newer timestamp than current version
- Protections
- Compromised insider tampering with frontends
- BGP attacks
- DNS takeover
Lance R. Vick lrvick
lrvick
/ webauthn_kyc_encryption.md
Last active
September 9, 2022 20:45
Webauthn document encryption
- User submits KYC document via a web form
- Web form automatically encrypts document to a key held in KMS (with offline backups)
- Encrypted documents are submitted to an API gateway hook that triggers a lambda job which places the documents directly into an s3 bucket.
- A support agent opens the KYC review interface and clicks a document to decrypt.
- The support agent browser automatically generates a random encryption public key, and public key and the ID of the requested document they wish to decrypt to API Gateway
- API Gateway launches a lambda job which hashes the document request with a random challenge and returns it to the browser
- The browser prompts the support agent to tap their Yubikey which signs the challenge.
- The browser sends the signed challenge back to API Gateway.
- API gateway passes the signed document request payload to a lambda job which has access to the KMS role to use the KYC decryption key.
- Lambda job decrypts the one document, and then encrypts it to the encrypti
lrvick
/ bitcolor.js
Created
March 18, 2012 20:02
Javascript functions for doing fast binary/hex/RGB color conversions using bitwise operations.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // convert 0..255 R,G,B values to binary string | |
| RGBToBin = function(r,g,b){ | |
| var bin = r << 16 | g << 8 | b; | |
| return (function(h){ | |
| return new Array(25-h.length).join("0")+h | |
| })(bin.toString(2)) | |
| } | |
| // convert 0..255 R,G,B values to a hexidecimal color string | |
| RGBToHex = function(r,g,b){ |
lrvick
/ sync-repos.sh
Last active
July 25, 2022 06:15
Locally sync all Github repos & branches for user/org
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| USER='lrvick' | |
| ACCESS_TOKEN='YOUR_TOKEN_HERE' | |
| API="https://api.github.com/orgs" | |
| ENDPOINT="/${USER}/repos?per_page=200&access_token=${ACCESS_TOKEN}" | |
| FOLDER='/home/lrvick/Sources' | |
| REPO_NAMES=$( curl -s "${API}${ENDPOINT}" | \ | |
| grep \"name\" | sed 's/ \"name\": \"\(.*\)\",/\1/g' |
lrvick
/ macos-harden.yml
Created
November 5, 2021 02:07
Ansible example for best effort automated MacOS hardening
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - name: Check if Previously Run | |
| stat: | |
| path: /var/log/ansible.log | |
| register: ansible_logfile | |
| - name: Enable FileVault2 | |
| filevault: enabled=true | |
| become_user: root |
lrvick
/ ansible_deploy.yml
Last active
April 28, 2022 22:18
Bootstrap Ansible-Pull systemd automation with GPG verification
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| - hosts: | |
| tasks: | |
| - apt: | |
| update_cache: true | |
| name: ansible | |
| state: present | |
| - name: Install trusted author PGP keys |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| reset == physically disconnect, reconnect, re-attach to target appvm, verify it shows up in "fido2-token -L" | |
| /dev/hidraw3: vendor=0x096e, product=0x085d (FS BioPassFIDO2) | |
| - fido2-tools: register 8x, then hang | |
| - reset | |
| - fido2-tools: register 1x, then hang | |
| - reset | |
| - chromium: successful register, hangs on auth | |
| /dev/hidraw1: vendor=0x1ea8, product=0xf025 (ExcelSecu EsecuFIDO HID) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| lrvick@personal:~$ fido2-token -L | |
| /dev/hidraw1: vendor=0x1050, product=0x0406 (Yubico Yubikey 4 U2F+CCID) | |
| lrvick@personal:~$ strace fido2-cred -M -i cred_param /dev/hidraw1 > cred | |
| execve("/usr/bin/fido2-cred", ["fido2-cred", "-M", "-i", "cred_param", "/dev/hidraw1"], 0x7ffca72914a0 /* 51 vars */) = 0 | |
| brk(NULL) = 0x5703cbf21000 | |
| access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) | |
| openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 | |
| fstat(3, {st_mode=S_IFREG|0644, st_size=80772, ...}) = 0 | |
| mmap(NULL, 80772, PROT_READ, MAP_PRIVATE, 3, 0) = 0x789d7f439000 |