rvz 6 years ago

> This evening, a hacker going by the name Shiny Hunters contacted BleepingComputer to tell us they had hacked into the Microsoft GitHub account, gaining full access to the software giant's 'Private' repositories.

Well, someone asked the other day whether or not private repositories on GitHub were safe: [0] I think you now have a concrete answer regardless if this is true or not. I have already made the case to privately self-host, especially if you're a large enterprise, but preferably on-site [1][2] to avoid these types of attacks and in the process to reduce costs like this, as many were discussing in other HN discussions [3], but here we are.

If they can do it to Microsoft, they can do it to anyone else who has a GitHub account.

[0] https://news.ycombinator.com/item?id=23057769

[1] https://news.ycombinator.com/item?id=22960579

[2] https://news.ycombinator.com/item?id=22868406

[3] https://news.ycombinator.com/item?id=23089999

lucideer 6 years ago

> If they can do it to Microsoft, they can do it to anyone else who has a GitHub account.

I don't think this is necessarily true. Microsoft's org, like any large org, has a large number of users with access. Its security is dependent on each one of those many accounts being secure.

A smaller org, or an individual, can secure their repositories much more easily as there's fewer entrypoints.

They haven't mentioned whether this hack was achieved by compromising individual account credentials, or by compromising the GitHub platform itself. If it's the latter, you may be right, but I suspect it's more likely the former.

bithaze 6 years ago

Isn't the upside of hosted platforms like this that they have teams of people securing and monitoring the platform, which can be a bit much for one person who's self-hosting? I do self-host other things but the article doesn't say anything about how the breach might've occurred (e.g. 2FA not enabled?).

  • Frost1x 6 years ago

    That's the SaaS sales mantra repeated. It may or may not be true no matter how appealing the argument is.

    Ultimately, your weakest point ends up being humans who are prone to mistakes. You can mitigate some of those mistakes with technology but you can't mitigate all of them. So SaaS may help shore up certain attack vectors but it may increase focus on the remaining vectors and may potentially make failure points more significant (more impact for a security breach from a large provider vs less impact of a security breach from systems of independent providers). Some of that can be mitigated with smart designs, but you lose some advantage of traditional "security through obscurity" which has some value (though it shouldn't be relied on as a failsafe).

  • _jal 6 years ago

    The counterargument is that a SaaS platform like GitHub's interests are in the ongoing viability of the service, while my interests are only in my data in the service.

    Those are only somewhat aligned, as anyone with a dispute about terms of service can tell you.

    > which can be a bit much for one person who's self-hosting

    If your repo serves one person, why do you need your repo to be hosted in public at all? `git init` and a backup are all you need.

    • flak48 6 years ago

      Many consider hosting the repo (privately) on GitHub etc. to be the backup.

nova22033 6 years ago

> I have already made the case to privately self-host

What makes you think you can do a better job than Microsoft or GitHub?

  • fartcannon 6 years ago

    Smaller target?

    • artursapek 6 years ago

      Exactly. Same reason you shouldn't upload your private keys to a popular, centralized entity.

  • algol10 6 years ago

    Could this stop? Every time some heretic evades the "cloud" and self-hosts, people (whose income presumably depends on the "cloud") spread FUD.

    Here's the security of the "cloud":

    https://arstechnica.com/information-technology/2012/03/hacke...

    Why on earth should a maintained server that just runs git over ssh be less secure?

    • aksss 6 years ago

      It's an overused and abused argument but it's not a null argument (e.g. just FUD). It has enough validity not to overcorrect the other way. As a general rule, organizations at least need to carefully consider the true cost commitments of providing even a near-par level of security with their own internal resources as they could get 'out-of-the-box' from a cloud provider. It's easy for organizations to imagine they will, quite another for most to actually pull it off in an auditable fashion. The minute an org starts opening holes in their firewalls to accommodate remote access or using cloud-based tools for remote access, I start to get skeptical (e.g. how well is that network segregated, anyway?). The sheer volume of internal process and policy dependencies that need to be managed and maintained to "do it right" is a supremely tough burden for SMBs, for instance.

vorpalhex 6 years ago

Private GitHub repositories are private the same way that Facebook messages are private - private from your roommate, not from the people who own the platform or determined attackers.

  • matheusmoreira 6 years ago

    Would be nice if git could store encrypted data and decrypt files on checkout. Repositories could be truly private that way.

    • zoomablemind 6 years ago

      Nothing stops one from putting encrypted artifacts into a git repo; encryption could be done via hooks. Except this would negate the delta storage: each version would be completely different, and non-diffable.

      One can just encrypt the .git folder and wrap the git client to handle the encryption/decryption on use. It's always a question where and how well do you keep the keys.

      • thinkmassive 6 years ago

        Use a gpg smartcard (yubikey or similar). This is how I store Ansible Vault secrets.

        You’re absolutely right about the deltas. Initially I had one secrets file per environment, but as my projects grew I ended up breaking them out to a file per environment-project. Both for storage reasons and because it’s difficult to modify one encrypted file from multiple branches without writing plaintext secrets to disk.
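The delta-storage point zoomablemind and thinkmassive raise above can be measured. This is an added example, not code from anyone in the thread: it encrypts two nearly identical versions of a constructed secrets file with a toy HMAC-SHA256 keystream (illustration only, not a vetted cipher) and uses zlib as a stand-in for git's pack deltas. With a fresh nonce per version the ciphertexts share nothing and no delta saving is possible; reusing the nonce would keep the diff small, but only because the XOR of the two blobs then reveals exactly which bytes changed.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed sample: two versions of a secrets file that differ in one line.
V1 = "".join(f"key{i} = {hashlib.sha256(str(i).encode()).hexdigest()}\n"
             for i in range(100)).encode()
V2 = V1.replace(b"key50 = ", b"KEY50 = ")   # same length, one line touched

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (demonstration only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def byte_overlap(a: bytes, b: bytes) -> float:
    """Fraction of offsets at which the two blobs hold the same byte."""
    n = min(len(a), len(b))
    return sum(1 for i in range(n) if a[i] == b[i]) / n

def delta_saving(a: bytes, b: bytes) -> float:
    """zlib as a proxy for a git pack delta: how much cheaper b is when
    stored next to a than when stored alone (1.0 = free, 0.0 = no saving)."""
    alone = len(zlib.compress(b, 9))
    together = len(zlib.compress(a + b, 9)) - len(zlib.compress(a, 9))
    return 1 - together / alone

def compare(fresh_nonce: bool = True) -> dict:
    """Encrypt both versions under one key; fresh or reused nonce per version."""
    key = secrets.token_bytes(32)
    def nonce() -> bytes:
        # A reused nonce reuses the keystream: c1 XOR c2 == V1 XOR V2.
        return secrets.token_bytes(16) if fresh_nonce else b"\x00" * 16
    c1, c2 = encrypt(key, V1, nonce()), encrypt(key, V2, nonce())
    return {
        "plain_overlap": byte_overlap(V1, V2),
        "plain_delta_saving": delta_saving(V1, V2),
        "cipher_overlap": byte_overlap(c1, c2),
        "cipher_delta_saving": delta_saving(c1, c2),
    }

if __name__ == "__main__":
    print("fresh nonce per version:", compare(True))
    print("nonce reused (leaks what changed):", compare(False))
```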

nrmitchi 6 years ago

This is leaping to a huge conclusion, but you are correct that if this was a GitHub data breach, this is clearly a much bigger issue. However, if this was the case, and 1) this "leak" happened on March 28th, and the individual claims to no longer have access to the account, I trust that GitHub would have proactively communicated with their users about such a large scale event, especially after having fixed it.

This, if true, is almost definitely a compromise and use of a single user's access credentials, which were then rotated (thus the attacker losing access).

I'm not saying that credential stuffing isn't a large-scale problem (I strongly believe that it is, and have even dedicated time to some potential solutions in the past), but jumping from "someone lost their credentials" to "omgz GitHub can't be trusted!" is a bit of a disingenuous leap.

ahupp 6 years ago

The most likely explanation is they phished an employee. How does self-hosting prevent that?

lern_too_spel 6 years ago

> I think you now have a concrete answer regardless if this is true or not.

How do we have a concrete answer if this is not true?

Drip33 6 years ago

> If they can do it to Microsoft, they can do it to anyone else who has a GitHub account.

It happened to Cisco as well a while back, I have a copy of that source somewhere.

  • jacquesm 6 years ago

    You probably shouldn't readily confess to hoarding stolen property in an online forum.

    • Drip33 6 years ago

      Not a crime to possess information, not property, that was illegally obtained in either USA or my own country provided you didn't counsel or encourage the original theft.

      • jacquesm 6 years ago

        The fact that you did not commit the initial theft does not put you in the clear. Source: a lawsuit that I won with exactly that theme.

        I don't know where you are but the bulk of the jurisdictions would not look favorably upon you. I agree that your loose interpretation of the law might work out in your favor. But just like downloading copyrighted material is illegal, so is downloading copyrighted data from a source that you know does not have the option to legally give you a license to copy or use that data. So from one aspect of the law you are in the clear, from another this is an open-and-shut case of copyright violation and on top of that you will have to work real hard to prove that you weren't the one to steal it in the first place using the 'upload to someplace anonymous, then download it again' trick to whitewash the data.

        Some risks are worth taking; this particular one I'd think long and hard about if the counterparty is the proverbial 800 pound gorilla.

        • Drip33 6 years ago

          > The fact that you did not commit the initial theft does not put you in the clear. Source: a lawsuit that I won with exactly that theme.

          In terms of criminal law, it is favorable to me. Source: I was criminally accused and have a court judgement clearing me of wrongdoing for possessing information that was stolen by 3rd parties and published online before I obtained it.

          > So from one aspect of the law you are in the clear, from another this is an open-and-shut case of copyright violation

          I am satisfied that merely possessing stolen information and not distributing or profiting from it is not a copyright violation if the source code can even be copyrighted.

          > But just like downloading copyrighted material is illegal so is downloading copyrighted data from a source that you know does not have the option to legally give you a license to copy or use that data

          I have not agreed to be bound by any licenses from Cisco before downloading the data nor did I necessarily know what it was before downloading a zip from a file sharing site.

          I'm happy to discuss this over email if you want me to reach out for debate.

ksec 6 years ago

This got me thinking.

How many companies, in terms of Market Cap are currently relying on GitHub Private Repo for their source code?

And how do very large enterprises, or financial institutions (which are like the foundation of modern day society), handle their source code? I presume they won't use GitHub for anything important?

  • hawaiianbrah 6 years ago

    GitHub has an offering where you self-host it on your own hardware or in your own cloud.