Ask HN: What types of private data is stored on your dev machines?
4 points by viraptor 9 days ago | hide | past | favorite | 2 comments
I'm working on a post about supply chain attacks in development and I'm looking for examples of data/files/services you have on developer machines which should be protected from rogue packages/software. Bonus points for things related to development activities - those that should not be accessible by (for example) a package being installed but are required in other dev-related actions.

For example:

- SSH keys - both for personal use and repo updates

- package repo credentials - npm/pypi/...

- browser cookies for service logins

- cryptocurrency wallets

- confidential documents (scanned / signed documents)

What other types are you worried about that I may not be aware of?

No client/customer information is on dev machines.

You can ssh to a set of machines where we push logs from our production servers, but this is only offered if your team owns the micro service. And those logs won’t contain anything that identifies a specific customer.

There’s a daemon that runs on all hardware that will revoke temporary privileges. If you kill the daemon you’ll get banned from the network - which blocks you from accessing any host as none of these hosts are directly accessible over the internet.

That’s not to say everything is 100% bulletproof and couldn’t leak if someone really went rogue.

One of the things we did in recent years is run an internal repo of approved software packages. Some guy wrote some code for us, threw a copy of it on the web, and then tried to sue us saying that code was written before he worked for our company, blah blah blah, and that we stole it and owe him money. So thanks to Carl, my financial partners demanded stronger “regulations”. We now have a small team that will sometimes manually approve packages and pull them in. I also wrote some software to automate this so if you pull in some dependency from GitHub with one of our approved licenses, it’ll let you pull your package into our repo automatically.


A developer's PGP key would be a good example. PGP keys are used by git to sign commits and tags. Plus, they're stored in the home directory so they may very well be accessible to a rogue package in the event of a supply chain attack.
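The list in the question (SSH keys, npm/PyPI credentials, browser cookies, wallets) and the PGP key mentioned in this comment share one property: they sit in the home directory with the same owner as any package install script. The audit below is an added example, not code from the thread or its posters; it walks a home directory for the conventional locations of those items, records the permission bits, and flags config files that hold a plaintext token. The file paths are the usual defaults, the token regexes are a starting point rather than a complete set, and the sample home directory is constructed with dummy contents so the script runs offline.

```python
"""Audit a developer home directory for secrets that a package install script
(npm postinstall, setup.py, etc.) running as the same user could read.

Added example, not from the HN thread. Locations are conventional defaults;
the sample home directory built by build_sample_home() holds dummy data.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Conventional locations (relative to $HOME) of the items named in the thread.
SENSITIVE_GLOBS = {
    "ssh private key": [".ssh/id_*"],
    "npm registry token": [".npmrc"],
    "pypi credentials": [".pypirc"],
    "pgp private key": [".gnupg/private-keys-v1.d/*.key", ".gnupg/secring.gpg"],
    "browser cookies": [".mozilla/firefox/*/cookies.sqlite"],
    "crypto wallet": [".bitcoin/wallet.dat", ".electrum/wallets/*"],
}

# Text configs worth grepping for plaintext credentials (assumed patterns, not exhaustive).
TEXT_CONFIGS = {".npmrc", ".pypirc"}
TOKEN_PATTERNS = [
    re.compile(r"_authToken\s*=\s*\S+"),          # .npmrc registry token
    re.compile(r"^\s*password\s*=\s*\S+", re.M),  # .pypirc password line
]


@dataclass
class Finding:
    kind: str
    path: str                     # relative to the audited home directory
    mode: str                     # permission bits, e.g. "0600"
    readable_by_user: bool        # an install script as this user can read it
    group_or_world_readable: bool  # other accounts on the box can read it too
    plaintext_token: bool         # credential stored in clear text


def audit_home(home: Path) -> list[Finding]:
    """Return one Finding per sensitive file found under `home`."""
    findings: list[Finding] = []
    for kind, globs in SENSITIVE_GLOBS.items():
        for pattern in globs:
            for path in sorted(home.glob(pattern)):
                # Skip directories and public halves of SSH key pairs.
                if not path.is_file() or path.suffix == ".pub":
                    continue
                mode = stat.S_IMODE(path.stat().st_mode)
                token = False
                if path.name in TEXT_CONFIGS:
                    text = path.read_text(errors="ignore")
                    token = any(rx.search(text) for rx in TOKEN_PATTERNS)
                findings.append(Finding(
                    kind=kind,
                    path=path.relative_to(home).as_posix(),
                    mode=f"{mode:04o}",
                    readable_by_user=os.access(path, os.R_OK),
                    group_or_world_readable=bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                    plaintext_token=token,
                ))
    return findings


def build_sample_home() -> Path:
    """Construct a throwaway home directory with dummy secrets (constructed data)."""
    home = Path(tempfile.mkdtemp(prefix="devhome-"))
    files = {
        ".ssh/id_ed25519": ("-----BEGIN OPENSSH PRIVATE KEY-----\nDUMMY\n", 0o600),
        ".ssh/id_ed25519.pub": ("ssh-ed25519 AAAA dummy@example\n", 0o644),
        ".npmrc": ("//registry.npmjs.org/:_authToken=npm_DUMMYTOKEN\n", 0o644),
        ".pypirc": ("[pypi]\nusername = __token__\npassword = pypi-DUMMY\n", 0o644),
        ".gnupg/private-keys-v1.d/ABCDEF.key": ("(dummy s-expression)\n", 0o600),
    }
    for rel, (content, mode) in files.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        p.chmod(mode)
    return home


def main() -> None:
    home = Path(os.environ.get("AUDIT_HOME") or build_sample_home())
    for f in audit_home(home):
        flags = []
        if f.group_or_world_readable:
            flags.append("group/world-readable")
        if f.plaintext_token:
            flags.append("plaintext token")
        print(f"{f.kind:20} {f.mode} {f.path}  {', '.join(flags)}")


if __name__ == "__main__":
    main()
```

Run it with `AUDIT_HOME=$HOME` to inspect a real workstation; every row is a file that any `npm install` or `pip install` running under that account can read, whatever its mode bits say, which is the point of the question. The mode and token columns only add the secondary risks: other local accounts reading the file, and a credential that is recoverable without any further step once the file is read.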
