• lrvick 66 days ago

    So this is a proprietary system that gates all access to critical systems.

    Designed by a company with 1-10 employees (AngelList).

    Are we really supposed to believe that their small team totally got security right 100% on their first try without the decades of community auditing vanilla ssh has enjoyed?

    Are we supposed to trust that no malicious code made it into their repos? That they audit all the third-party modules for their JavaScript frontend? That the employee who cuts binary releases can't be blackmailed into introducing a subtle flaw that adds a fixed ssh key to all servers their tool manages?

    Imagine if SpaceX -did- use this tool. Blackmailing or phishing one employee to gain access to all of SpaceX's systems sounds like a state actor's wet dream.

    Anyone who considers a product like this has no business protecting access to their employer's systems IMO.

    Maybe if they open-source it, place bug bounties for extensive community auditing, allow fully on-prem deployments, offer consulting/support contracts, and do all PKI in HSMs end to end...

    Then -maybe-.

    • ddtaylor 66 days ago

      Is their SSO as secure as SSH, as their marketing seems to assume? Sure, saving time is great, but replacing unbeatable cryptography with bad passwords isn't good.

      • 33degrees 66 days ago

        This is interesting, but how much? Can't find the pricing...

        • gratner 66 days ago

          Love this product - our team can't live without it!

          • beokop 66 days ago

            Your team can't function without third-party software logging database access? What exactly does your team do?