

Open Source Implementation of the Two-Man Rule in Go - dknecht
https://blog.cloudflare.com/red-october-cloudflares-open-source-implementation-of-the-two-man-rule

======
jlgaddis
What stops root from modifying the source code to, for example, record user
passwords?

It seems that, for this to really work, you'd need to run it on a machine
running, i.e. SELinux and MCS. You'd have to restrict physical (console)
access as well, so 1) no running it on a VM and 2) enforce the "two-man rule"
for access to the server room as well.

That said, I guess it's certainly a big step up from nothing.

~~~
jvehent
If you are root, you can also strace the process and grab the password,
without modifying anything.

If the platform isn't secure, the app can't be trusted. Basic defense rule.

~~~
jlgaddis
I may very well be wrong (I'm far from an expert on SELinux) but I believe
that the kernel would prevent that, assuming MCS.

------
nteon
The strangeness I see is that the /delegate call isn't specific. I can't say
that I want Joe to be able to decrypt LaunchCode3, so I could end up
inadvertently allowing Mary to decrypt SecretLocation without really wanting
to - it is wide open to timing attacks. This doesn't seem like a fundamental
flaw, just something (maybe) overlooked in v1. Very cool stuff.
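The scoping concern above, illustrated with an added Go example (this is not Red October's own code; the `Delegation`, `Vault` and `Decrypt` names and the single-package layout are assumptions): a delegation carries an optional list of files it may be spent on, and a decryption only proceeds when two distinct delegators both cover the requested file. An unscoped delegation (`Files == nil`) behaves like the wide-open `/delegate` call the comment describes, so Mary's share can be consumed for SecretLocation even though she only had LaunchCode3 in mind; a scoped one cannot.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Delegation is an assumed, simplified record of one user lending their
// decryption share for a limited time and number of uses.
type Delegation struct {
	Owner   string
	Files   []string  // files this share may be spent on; nil means any file (unscoped)
	Uses    int       // remaining decryptions this delegation may take part in
	Expires time.Time // delegation is dead at or after this instant
}

// permits reports whether the delegation covers the named file.
func (d *Delegation) permits(file string) bool {
	if d.Files == nil {
		return true // unscoped delegation: any file qualifies
	}
	for _, f := range d.Files {
		if f == file {
			return true
		}
	}
	return false
}

// Vault holds the live delegations (assumed in-memory store).
type Vault struct {
	delegations []*Delegation
}

// Delegate records a new delegation.
func (v *Vault) Delegate(d Delegation) {
	v.delegations = append(v.delegations, &d)
}

// ErrNoDelegation is returned when a required share is not available for the file.
var ErrNoDelegation = errors.New("no usable delegation for that file")

// find returns the first live delegation from owner that covers file, or nil.
func (v *Vault) find(owner, file string, now time.Time) *Delegation {
	for _, d := range v.delegations {
		if d.Owner == owner && d.Uses > 0 && now.Before(d.Expires) && d.permits(file) {
			return d
		}
	}
	return nil
}

// Decrypt enforces the two-person rule: two distinct delegators must each hold
// a live delegation that covers file. Both are checked before either is spent,
// so a refusal never consumes a use.
func (v *Vault) Decrypt(file, a, b string, now time.Time) error {
	if a == b {
		return errors.New("two distinct delegators are required")
	}
	da, db := v.find(a, file, now), v.find(b, file, now)
	if da == nil || db == nil {
		return ErrNoDelegation
	}
	da.Uses--
	db.Uses--
	return nil
}

func main() {
	now := time.Now()
	v := &Vault{}
	// Joe scopes his share to LaunchCode3; Mary delegates without scope (constructed sample data).
	v.Delegate(Delegation{Owner: "joe", Files: []string{"LaunchCode3"}, Uses: 1, Expires: now.Add(time.Hour)})
	v.Delegate(Delegation{Owner: "mary", Uses: 5, Expires: now.Add(time.Hour)})
	v.Delegate(Delegation{Owner: "alice", Uses: 5, Expires: now.Add(time.Hour)})

	fmt.Println("joe+mary LaunchCode3:   ", v.Decrypt("LaunchCode3", "joe", "mary", now))      // <nil>
	fmt.Println("joe+mary SecretLocation:", v.Decrypt("SecretLocation", "joe", "mary", now))   // refused: joe is scoped
	fmt.Println("alice+mary SecretLocation:", v.Decrypt("SecretLocation", "alice", "mary", now)) // <nil>: mary's unscoped share was spent
}
```

Checking both shares before decrementing either matters in practice: otherwise a request for a file one delegator never agreed to would still burn the other delegator's use.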

