HackerTrans
TopNewTrendsCommentsPastAskShowJobs

alexk

no profile record

comments

alexk
·2 anni fa·discuss
For folks interested in 101 on linear algebra - I highly recommend book "Linear Algebra: Theory, Intuition, Code" by Mike X Cohen.

After trying a couple of courses and books, I liked it the most because it gives a pretty deep overview of the concepts, alongside the numpy and matlab code, which I found refreshing.

It's has good amount of proofs and has sections designed to build your intuition, which I really appreciated.
alexk
·3 anni fa·discuss
Thank you! I made a copy-paste error, fixed.
alexk
·3 anni fa·discuss
Teleport (YC S15) | Senior Technical Support Engineer | US, Europe, Canada, Remote OK | https://goteleport.com We are looking for Senior Tech Support Engineers who can script, love systems troubleshooting and helping customers.

Join Us:

https://jobs.lever.co/teleport/7c7f25dd-21c7-45c9-a107-98d8a...

Most of our code is Go, we have very little technical debt, our codebase is clean and small.

We expect you to be comfortable with the following:

  * Scripting in Python, Go or Bash
  * Deep understanding of Linux and networking administration
  * Understanding of modern infra stacks - Kubernetes, Terraform, Ansible
  * Scalability or security experience for systems software is welcome.
What to expect once you apply: * We will send you a 30-50 minute SRE hacking/troubleshooting quiz * You will join 30 minute intro call and we will walk you through the compensation, interview process and requirements. * You will join a live troubleshooting session simulation and try to find all issues we planted in a cloud infrastructure.

https://jobs.lever.co/teleport/7c7f25dd-21c7-45c9-a107-98d8a...
alexk
·3 anni fa·discuss
They key difference is with mTLS approach you'd have to steal the private key of the client certificate if you want to impersonate the client. In most secure deployments of mTLS and short lived certs, private key never escapes the TPM, Secure enclave or Yubikey, so it's extremely hard to mount an attack and impersonate a service.

With JWT (assuming it's not bound) you can steal JWT token and re-use it until it expires.
alexk
·3 anni fa·discuss
No problem! Keep it up with out of the box integrations, focus on U.X. and developer experience and I think you will be on track to become as big or bigger than Hashicorp :)
alexk
·3 anni fa·discuss
I don't think those are mutually exclusive options :) Most developers, especially with lots of legacy apps are better off using a secrets manager. But there is no reason to not push the boundaries of security for new software and onboard passwordless and secretless options.

P.S.

I tried Infisical a couple of months ago. I think if I was Hashicorp Vault team's PM, I'd be worried. Your team has done such a great job at U.X. I was astonished to see an early startup with such a great integration catalog. I think you aced it - modern developers are desperate for out of the box integrations with 100+ services they have to use every day.
alexk
·3 anni fa·discuss
Short version is that with mTLS and short-lived certificates you don't have to worry about anyone stealing and re-using your JWT tokens and revoking tokens.

LVH from Latacora explains it way better than I could in "A child's garden of inter-service authentication" [1]

However, here is my view:

If your token is not bound to the connection, someone can steal and reuse it, just like any other token. It is possible to use OAuth token binding [2], but at this level of complexity, mTLS + short lived certs deliver the same security and are easier to deploy.

It's easy to mess up JWT signatures, although, to be fair, it's not like X.509 certificates format is any better, however it's been more tested over years of use.

[1] https://latacora.micro.blog/2018/06/12/a-childs-garden.html [2] https://connect2id.com/learn/token-binding
alexk
·3 anni fa·discuss
You can't leak API keys if there are no API keys to leak! The article recommends OIDC for apps, which is a step up, especially if you rotate the bearer token, however there is another option - use short-lived certs.

Our project Machine ID is replacing API keys with short-lived certificates:

https://goteleport.com/docs/machine-id/introduction/

Another great option is SPIFFEE https://spiffe.io/

The adoption is slower than we wanted, because it's not trivial to replace API keys, but we see more and more companies using mTLS + short lived certs as alternative to shared secrets.
alexk
·3 anni fa·discuss
Teleport (YC S15) | Senior Technical Support Engineer | US, Europe, Canada, Remote OK | https://goteleport.com

We are looking for Senior Tech Support Engineers who can script, love systems troubleshooting and helping customers.

Join Us:

https://jobs.lever.co/teleport/7c7f25dd-21c7-45c9-a107-98d8a...

Most of our code is Go, we have very little technical debt, our codebase is clean and small.

We expect you to be comfortable with the following:

  * Scripting in Python, Go or Bash
  * Deep understanding of Linux and networking administration
  * Understanding of modern infra stacks - Kubernetes, Terraform, Ansible
  * Scalability or security experience for systems software is welcome.
What to expect once you apply:

  * We will send you a 30-50 minute SRE hacking/troubleshooting quiz
  * You will join 30 minute intro call and we will walk you through the compensation, interview process and requirements.
  * You will join a live troubleshooting session simulation and try to find all issues we planted in a cloud infrastructure. 
https://jobs.lever.co/teleport/7c7f25dd-21c7-45c9-a107-98d8a...