Eric Chiang
LightNews LightNews
ericchiang.bsky.social
Eric Chiang
@ericchiang.bsky.social
110 followers 110 following 36 posts
@oblique.security. Ex Google Security, CoreOS. ericchiang.github.io
Posts Media Videos Starter Packs
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Sep 24
I've heard of tougher noogler projects
1 4
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Sep 24
Surely someone there is smart enough to just implement 802.1x for corp devices?
1 5
Reposted by Eric Chiang
bart.gov
BART @bart.gov · Aug 20
🚨 Tap and Ride is LIVE! 🚨

Starting today, you can pay for BART right at the fare gates with a 💳 contactless-enabled debit or credit card or use 🤳 mobile payment, like Apple Pay and Google Pay.

There is zero registration or setup process required.
3 11 38
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Aug 18
Wrote about a fun @golang.org type trick where APIs can force clients to pass string constants as arguments. Happens to be _extremely_ useful for SQL builders!

oblique.security/blog/injecti...
Injection-proof SQL builders in Go | Oblique
SQL builders are always one bad logic bug away from full-blown query injection. This post covers how Oblique uses Go type tricks to prevent this entire class of backend issues.
oblique.security
1
Reposted by Eric Chiang
authzed.com
authzed @authzed.com · Aug 14
How can you use a Terraform Provider to automate your Permission System?

Well, that's what @veronicalg.bsky.social is going to tell us in this livestream later today.

It's Office Hours format so bring any questions you may have.

www.youtube.com/live/OlQ70bq...
Use Terraform Providers to Automate Your Permission System
AuthZed now has a Terraform and OpenTofu Provider for the AuthZed Cloud API! This provider automates the management of resources in AuthZed Dedicated environments: Service accounts for programma...
www.youtube.com
1 3 3
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Jul 31
It turns out workload identity isn't a complete mess in 2025 (only a little one)? Wrote a bit about authenticating GitHub Actions identity directly using OpenID Connect.
oblique.security Oblique @oblique.security · Jul 31
Instead of minting long-lived API keys, you can use GitHub Actions' OpenID Connect support for workload identity. Here's how we authenticate config-as-code workflows in Oblique without secret management headaches.

Better security + Better developer experience 💟

oblique.security/blog/github-...
Authenticating GitHub Actions without API keys | Oblique
Instead of minting long-lived APIs keys and warning users “keep this secret,” let's use GitHub Action's OpenID Connect support instead.
oblique.security
3
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Jun 23
Oh hey, what's this fancy new IAM company?
oblique.security Oblique @oblique.security · Jun 23
Identity management has quietly become the primary security perimeter. But it's a mess — identity requires constant manual work that security teams burn out from.

At Oblique, we're helping organizations make their access controls actually maintainable.

Full post: oblique.security/blog/identit...
Identity management is harder than it should be | Oblique
Identity management is surprisingly hard, as access controls change constantly, and getting them right requires context. We founded Oblique to work on impactful security problems.
oblique.security
3
Reposted by Eric Chiang
quinnypig.com
Corey Quinn @quinnypig.com · Jun 9
A friend needs a Workday test instance to build something interesting. Anyone know how to get one?

(A Workday instance; I kinda already know how to get a friend.)
8 4 50
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Jun 9
We're doing new container runtimes in 2025? Hell yeah
1 5
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Jun 5
So if I'm reading this right

Step 1 - generate a private key with no forward secrecy

Step 2 - upload private key to twitter (but don't worry it's protected by a low entropy PIN)

Ummmmmmmmm
1 2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · May 16
Every day I'm glad my job isn't staring into the IAM abyss of a large Cloud org.

matduggan.com/iam-is-the-w...
So that's effectively the AWS story, which is terrible but at least it's possible to cobble together something that works and you can audit. Google looked at this and said "what if we could express how much we hate Infrastructure teams as a service?" Expensive coffee robots were engaged, colorful furniture was sat on and the brightest minds of our generation came up with a system so punishing you'd think you did something to offend them personally.
2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · May 7
What a sicko
1 2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · May 7
Every time you feel useless, remember that GitHub as a notifications tab
1 2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · May 7
who needs coherent cyber policy when we excel so much at corporate ligation?

www.nytimes.com/2025/05/06/t...
Meta Awarded $167 Million in Damages From Israeli Cybersecurity Firm
www.nytimes.com
1
Reposted by Eric Chiang
michael.express
Michael Knyszek @michael.express · May 2
New experimental garbage collector for Go programs! github.com/golang/go/is...
runtime: green tea garbage collector · Issue #73581 · golang/go
Green Tea 🍵 Garbage Collector Authors: Michael Knyszek, Austin Clements Updated: 2 May 2025 This issue tracks the design and implementation of the Green Tea garbage collector. As of the last update...
github.com
2 41 120
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Apr 5
@mayakaczorowski.com's been using it a ton and had great things to say.
1 1
Reposted by Eric Chiang
polarsignals.com
Polar Signals @polarsignals.com · Apr 1
📣Today, we’re super excited to announce our latest product addition: Continuous Profiling for GPUs! Check out the use cases and sign up for early access on the announcement post! 🔥📈

www.polarsignals.com/blog/posts/2...
3 8
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 27
You're not even using nix packages? What kind of tech hipster are you?
1 1
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 26
Scraping Kubernetes codebases for os/exec continues to pay dividends

www.wiz.io/blog/ingress...
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.
www.wiz.io
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 24
"middleware:middleware:middleware:middleware:middleware" is the new bloody mary

zhero-web-sec.github.io/research-and...
Next.js and the corrupt middleware: the authorizing artifact
CVE-2025-29927
zhero-web-sec.github.io
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 24
I really wish progressive web apps took off so every app didn't come with a chrome fork
1 2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 23
Awesome to see Landlock making unprivileged isolation so easy. As someone who maintained bubblewrap jails, I'm hoping that this takes over user namespaces. Things like network controls are always mess there.

github.com/Zouuup/landrun
GitHub - Zouuup/landrun: Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel.
Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel. - Zouuup/landrun
github.com
2
Reposted by Eric Chiang
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 14
Quick reminder:
1 1 3
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 14
Was it petty? Yes. Was it necessary? Also yes.
2
ericchiang.bsky.social
Eric Chiang @ericchiang.bsky.social · Mar 14
Quick reminder:
1 1 3