
(bulletin co-author) Yeah that bit could have been spelled out more. It's a random 64-bit int.



(reporter) I spent _a long time_ trying to derive how this value was generated :’)


Did you spend any time trying to see if you could steal the values from somewhere else? Given the other breaks in Tailscale, I'd bet there's an info leak somewhere. Deriving it from first principles is hard. Stealing it from somewhere should be easier.


I had a good look for usable info leaks, some GitHub dorking for how the IDs might’ve been generated, but came up naught in the end


What about the insider risk perspective? A random int64 isn't that hard to guess if you can easily look at a database.


If you're looking at a database, you're not guessing. Otherwise: a random int64 is in fact difficult to guess.


Exactly - which is why I was asking what is the nature of the insider threat risk if someone did not have to guess.

In a prod deployment who has the rights to see this info without raising too many flags?


The database that gives you all the random 64 bit IDs for devices: that's another vulnerability.


I guess this could be mitigated by not trusting the coordination server? https://tailscale.com/blog/tailnet-lock/


I just tried to set this up and couldn't. Seems like it's invite only with a waitlist :/


Yeah, we're adding people slowly because decentralized authorities like the one that tailnet lock implements can have nasty failure modes, e.g. some bug that prevents any new addition to the tailnet at all and forces manual recovery on each of your devices separately. So, we're putting miles on it with a little care, and making sure folks who sign up are aware of the current limitations and risks.


Oh is that all the problem is?

Anyone with automated deployments and self provisioning should be fine with that risk. I thought it was a lot more premature than this.


Good ops is more than automated deployments. Complex systems have complex failure modes.


If you're excited about tailnet lock and want to get on the alpha sooner rather than later, feel free to drop me an email. As Dave mentioned we are slowly crunching through the waitlist to get some miles in, but I'm also happy to take on enthusiastic testers ahead of that!

You can email me at tom@ (tailscale dot com)



