Matthew Garrett

Former biologist. Actual PhD in genetics. Security at Nvidia, OS security teaching at https://www.ischool.berkeley.edu. Blog: https://codon.org.uk/~mjg59/blog . He/him.
Blog: https://codon.org.uk/~mjg59/blog
Signal: @mjg.59
Blog post about my #bsidessf talk on using SSH certificates for git signing: https://codon.org.uk/~mjg59/blog/p/ssh-certificates-and-git-signing/
SSH certificates and git signing

When you’re looking at source code it can be helpful to have some evidence indicating who wrote it. Author tags give a surface-level indication, but it turns out you can just lie and if someone isn’t paying attention when merging stuff there’s certainly a risk that a commit could be merged with an author field that doesn’t represent reality. Account compromise can make this even worse - a PR being opened by a compromised user is going to be hard to distinguish from the authentic user.

Matthew Garrett's Blog
I'm at #bsidessf and a little later this afternoon (3:50) I'll be in theatre 9 giving a talk on git signatures and why you should use SSH certificates

If I were the subject of an English High Court order that included the text:

"Under paragraph 11(a) of this Order the First Defendant is prohibited from publishing further words that bear the following meanings, or similar defamatory meanings:
(1) The Claimant has abused, harassed and blackmailed many individuals online."

I would simply not publish further words that bore that meaning or a similar defamatory meaning

Resolved thanks for everyone's help
Having the core infrastructure for Linux distros be written with a coherent set of design goals instead of being 200 independent projects that can only interoperate via shell scripts parsing and piping output is good, actually
It's the kind of day where it makes sense to write a PKCS#11 module that speaks to an SSH agent so Chrome can make use of SSH keys
Who do I know who's going to be in town for bsides or RSA?
The kind of day where I need to inform someone that yes, I am in fact aware of the difference between public domain and copyleft
They have apparently never known the pain of it being literally impossible to determine why something is the way it is and having no idea whether changing it will break anything
Trying to convince my students that having all your security policy changes include a design doc describing the status quo, the desired outcome, why this change will achieve it, why alternatives were rejected, and then implementing it via some automation schema so it can't accidentally be reverted for no obvious reason is good actually