This repository has been archived by the owner on Mar 28, 2023. It is now read-only.


Introduction to the public version

Trail of Bits uses GitHub for many of our reviews; we check in client source code, our source code, screenshots, notes, &c. to a single repository, and coördinate our efforts through GitHub. For example, we reviewed various network scenarios through the following issues:

We have a system for tagging issues with severity, help needed, &c., giving the assessment team a single location to look for any project-related information. Furthermore, we often invite clients to our repositories, allowing them the same level of insight as we have into project status. We decided to open up our repository for this assessment, showcasing our work and the notes we wrote, and allowing the community to see what directions we took during the assessment.

Highlights of the repository

There are several areas of the repository that may be of interest to the community:

Additionally, we have included a new directory, ./reports, that holds the final versions of the three reports we (Trail of Bits) wrote:

Original Overview

This repo is meant to hold:

  • the source code for Kubernetes (./src/)
  • the source code for any tools or notes (./notes/)
  • any screenshots (./screenshots/)
  • and the requisite data created during the assessment (./data/)

This assessment is going to be enormous:

  • keep detailed notes about what you were working on and when, in a logbook format
  • add findings as you find them and not after

We've added some templates in ./data/templates to help keep notes & findings in a similar format for mass consumption.

If you have any questions, please feel free to ask!

  • The Garden Keeper (aka Stefan)

ICS-style project management

ICS, or the Incident Command System, is a management system for distributed and fluid teams in times of crisis. It has a few useful points we should adhere to:

  • Objective-based management: each team will have a lead, who will be responsible for that area.
  • Accountability and professionalism: each person will know their project area, and be responsible for maintaining that section of the project.
  • Unified Command Structure: folks should report to their team leads, and team leads to the project leads from ToB & Atredis.
  • Unified Terminology: this is key; we must use the same terminology across teams and projects.

For example: we must decide on Kubernetes vs k8s early on, and only use that terminology. All other variants must be rewritten to the decided-upon term. The sole exception is quotation from other sources that may use a different term.
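As an added example (not part of the original repository or the assessment's tooling), here is a small Python check that enforces this rule over a Markdown notes file. It assumes the team settled on "Kubernetes" as the canonical term, that quotations from other sources are kept in Markdown blockquotes (lines starting with ">") or fenced code blocks, and that URLs are left untouched since a path such as https://k8s.io/docs cannot be rewritten. The variant list and the sample notes are constructed for illustration.

```python
"""Added example: flag and rewrite non-canonical terminology in notes.

Assumptions (not from the original repository): the team chose
"Kubernetes" as the canonical term, quotations from other sources live
in Markdown blockquotes or fenced code, and notes are plain Markdown.
"""
import re

CANONICAL = "Kubernetes"
# Assumed list of variants that must be rewritten to the canonical term.
# Component names such as kubectl or kube-apiserver are deliberately not
# listed: they are product names, not alternate spellings of "Kubernetes".
VARIANTS = re.compile(r"\b(k8s|kubernetes)\b", re.IGNORECASE)
FENCE = re.compile(r"^\s*(```|~~~)")
URL = re.compile(r"https?://\S+")

# Constructed sample logbook page; the fenced block and blockquote are
# quotations from other sources and must not be flagged or rewritten.
SAMPLE_NOTES = """\
# Day 1 logbook (constructed sample)
Started reviewing the k8s API server authz path.
kubernetes RBAC uses ClusterRoleBindings; Kubernetes docs at https://k8s.io/docs
> Upstream issue text: "the k8s scheduler ignores this field"
~~~
kubectl get pods -n k8s-test
~~~
Next: k8s network policy scenarios.
"""


def _is_quoted(line, in_fence):
    """Blockquote lines and lines inside a fence count as quotations."""
    return in_fence or line.lstrip().startswith(">")


def find_violations(text):
    """Return (line_no, line, term) for every non-canonical use outside
    quoted material. URLs are blanked out before matching."""
    violations = []
    in_fence = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if FENCE.match(line):
            in_fence = not in_fence
            continue
        if _is_quoted(line, in_fence):
            continue
        scrubbed = URL.sub(" ", line)
        for m in VARIANTS.finditer(scrubbed):
            if m.group(0) != CANONICAL:
                violations.append((line_no, line, m.group(0)))
    return violations


def normalize(text):
    """Rewrite variants to CANONICAL outside quoted material, preserving
    URLs byte-for-byte. Returns the rewritten text."""
    out = []
    in_fence = False
    for line in text.splitlines():
        if FENCE.match(line):
            in_fence = not in_fence
            out.append(line)
            continue
        if _is_quoted(line, in_fence):
            out.append(line)
            continue
        parts, last = [], 0
        for u in URL.finditer(line):
            # Rewrite only the text between URLs, then copy the URL as-is.
            parts.append(VARIANTS.sub(CANONICAL, line[last:u.start()]))
            parts.append(u.group(0))
            last = u.end()
        parts.append(VARIANTS.sub(CANONICAL, line[last:]))
        out.append("".join(parts))
    return "\n".join(out)


if __name__ == "__main__":
    for line_no, line, term in find_violations(SAMPLE_NOTES):
        print(f"line {line_no}: found '{term}' in: {line}")
    print("--- normalized ---")
    print(normalize(SAMPLE_NOTES))
```

Running the script lists three violations (lines 2, 3 and 8 of the sample) and leaves the blockquote, the fenced command and the URL unchanged; a second pass over the normalized output reports nothing. Hooking `find_violations` into a pre-commit check is the simplest way to keep the rule from decaying as notes accumulate.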