info on the GitHub breach appears to only be available on xitter 🙄, I fished it out for you.
@0xabad1dea paraphrased comment I saw on xitter:
"how did the hackers find a window of uptime to get in?"
@0xabad1dea thank you for the fishing
"Directionally consistent"
@0xabad1dea It's great Microsoft are really getting into "Open Source"
@0xabad1dea That is a fuckton of repos. Unless it counts each individual fork as a distinct repo, in which case that may or may not be a fuckton of repos. Would be nice for them to clarify that, but considering their comms team doesn't even seem to have a blog to post status updates to, perhaps that's more than can be expected of, um, the largest code forge in the world.
@endrift 3800 properly distinct repos doesn’t strike me as an unlikely number if it includes every employee’s minor side project over the last 18 years
They wrote:
> "2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. […]
> 3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first."
Do they really put "Critical secrets" in their "GitHub-internal repositories" !?
@benoitb every large organization, knowingly or unintentionally (usually both), has internal secrets embedded in their internal codebase. so yeah
gonna gently push back that there's no reason (according to github's version of the story) to associate this with AI or with spectacular incompetence on the part of the employee; the issue is that industry standard, extremely widely used text editor Visual Studio Code has a big button that says "click here to add useful functionality to do your job" that has a 1% chance of installing ransomware
@0xabad1dea but it is the same company, so they are not at all absolved
@0xabad1dea I'm honestly not sure if you're joking or if this is literally true.
@[email protected] This is literally true, and has been giving many of us nightmares for a long time. See also the package managers for most popular programming languages.
@0xabad1dea (horselegged/sanserif Swastikas...)
@0xabad1dea Huh. It’s almost as if an editor with a marketplace for extensions and zero thought to the security model (beyond ‘extensions have complete access to your computer’) might not have been the best idea after all.
@0xabad1dea while this is not directly related to AI as far as reported, I can't help but imagine that hiring people who buy into the AI idiocy is a surefire way to get your entire organization packed full of imbeciles likely to make this fuck up one day or another
@0xabad1dea My favorite take so far: "holy shit, how did the attackers find a large enough uptime window to get in?"
@0xabad1dea Glad to have deleted my GitHub Account when they introduced "AI". #github
@0xabad1dea Happy GitHub Breach Day! Enjoy this one. Starting next week we will go back to just calling it Wednesday again.