Github allegedly Breached
Posted by ITSecurityAdam@reddit | sysadmin | 231 comments
"We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
Dark Web Informer says "GitHub source code allegedly offered for sale: Internal orgs and private repositories claimed
A threat actor using the alias TeamPCP claims to be selling GitHub source code and internal organization data.
The actor claims the dataset includes around 4,000 private repositories and says samples can be provided to interested buyers to verify authenticity.
━━━━━━━━━━━━━━━━━━━━
Target: GitHub
Country: United States
Sector: Technology / Software Development / Source Code
Incident Type: Alleged Source Code Sale
Claimed Exposure: Around 4,000 private repositories
Actor: TeamPCP
Price: Offers over $50,000
━━━━━━━━━━━━━━━━━━━━"
safalafal@reddit
It's the lack of a level playing field for me. If on-prem infrastructure gets hacked the usual suspects are out in seconds blaming and shaming IT, if a SaaS gets hacked it's "no one could have seen this coming"
gioraffe32@reddit
Which is why some want to move to cloud. I've definitely pushed for cloud for some things before. Mainly because we/I often lacked expertise and/or manpower to build and support something. But also because it wouldn't fully be my ass on the line.
An old CEO of mine had a saying: "Put a volunteer between you and a problem." It was a non-profit org, so he meant the volunteer members of the boards and other volunteer leadership. Well, I typically didn't have a board member to stick in between me and a problem like he often did (and sometimes the volunteer could be more trouble than they were worth anyway)...but how about a vendor and their SaaS platform? One that we're paying for, sometimes a lot?
If shit goes down, however it does, I can just point at the vendor and be like "Uhhh, their fault; they gotta fix it." And largely, that's that. Yeah I may still get some heat, but the usual suspects understand that there's literally nothing I can do. It's like when 365 has an outage. People want to know why email or Teams isn't working. All I have to say is, "Because Microsoft." Then they go, "Oh OK, hmm. That sucks." And they go away.
A bit of a perverse incentive, I know. But like you said; it's a lack of level playing field. So I'm just evening it out.
GrannieArmFlaps@reddit
There are four primary strategies to deal with risks - Avoid, Mitigate, Accept and TRANSFER. For some reason, transfer is very disliked in much of IT. " The cloud is just someone elses computer" they cry, as if that isn't the entire damn point. Seems like everyone wants to fully own the problem space, which is a bad move for the typical admin.
spacelama@reddit
And yet it was always still me restoring the service at 3am on Sunday, caused by the poor design our vendor had provided us, instead of their engineers. So in reality, it was middle management protecting middle management, and not their subordinates.
When Google deleted UniSuper's infrastructure because of a parameter Google forgot to apply in one of their own internal scripts, it wasn't Google's engineers spending the next month rebuilding the 125 billion dollar fund's infrastructure from a combination of scratch and backups.
FailBait-@reddit
Letting a vendor have that level of control over your own environment without consequences is just wild to me. Either they architect something and we validate and come back with feedback until we both feel we have the best arch we can create, or if they're hired to "do the thing" then the contract needs to state they're on the hook for the effort and lost sleep to unfuck their own work.
The instance I was referencing was upgrading our on-prem Exchange server from Windows Server 2003. They were to do the work, and if the upgrade didn't go the way they hoped, we gave them the storage and resources to do a backup (beyond our existing tape backups as a last resort) and they could restore from that. The upgrade was over a weekend and there was a fiscal penalty for every hour after 9AM Monday morning that it wasn't done.
changee_of_ways@reddit
It can save you from a lot of stupid arguments related to infrastructure and maintenance costs too.
ashirviskas@reddit
Now I wonder if this is why humans invented gods. House you built collapsed and killed a family? Oh, they must have made xonedypus angry, definitely not me cheaping out on materials.
FailBait-@reddit
I’m personally a fan of Patton Oswalt’s “Sky Cake” bit.
Sea_Rock3535@reddit
Doesn't apply for Christians, though, at least not when followed at its core. Everything is your fault, it's kind of the opposite 😂
crashtestpilot@reddit
Never fuck with Xonedypus. Dude controls County inspectors.
dogs_gt_cats@reddit
It is known.
Mr_ToDo@reddit
I imagine there were a bunch of reasons.
Certainly an explanation of unexplained events, probably a bunch of coping with existential dread too.
Oh and a personal opinion, a way to get the masses to do something when you lack the ability to say why it needs to be done(or that people might not otherwise care about). Fair chunk on cleanliness, and disease control in holy books, even if it doesn't say that's the reason for doing so. The downside being that without the why the rules are hard to stop if they aren't needed, have bigger downsides, or were just wrong. I liken making a religion to trying to snipe a star with only iron sights with which to aim. It looks right in the moment but there's no proper course correcting once it's shot
Geno0wl@reddit
For a lot of those rules they themselves didn't exactly know the "why" either. Like they knew eating certain animals frequently led to sickness, but they didn't understand bacteria or properly cooking things all the way through.
avds_wisp_tech@reddit
"Why does the sun rise?"
"Because it's God!" (and for all intents and purposes, they were right)
spacelama@reddit
"Why are Anglo-speaking countries all suffering from declining productivity over the past 2 decades?"
safalafal@reddit
There is absolutely a lot of truth here, I would however note that while you're insulated from the blame for stuff going down, it's not as hard a line when it comes to data being illegitimately accessed - it makes people question why that decision was made in the purpose. Working in HE however, you are so right about "a volunteer between you and a problem" - I do exactly this.
gioraffe32@reddit
That's fair. I have noticed, however, in my experiences with going with an outside platform, there are often more people involved in the decision to do so, than with doing something in-house. Which means there's some diffusion of responsibility. Some additional CYA, in a way.
I'll also say I don't think I've experienced breaches with SaaS in my workplaces. At least I don't remember any reported breaches. But you're likely right that the reaction to a breach of an external platform would likely be worse than it just going down. Things go down from time to time, everyone knows that. But a breach? Well, that just shouldn't ever happen. Even if we live in a world where it sadly happens all the time (which is still not an excuse).
And the non-profit was in the HE space! Wonder if that's where my CEO got that idea from. Though I imagine that's applicable in a lot of areas where there are volunteer leaders.
Gullible-Surround486@reddit
exactly, lots of signoffs and then nobody really owns it when it goes sideways
flecom@reddit
you can still do that with onprem, just sayin hehe
AnywhereOk3723@reddit
This is exactly why vendor lock-in risk assessments should include incident response SLAs, not just uptime guarantees. A 99.9% uptime SLA sounds great until you realize that's ~8 hours of allowed downtime per year, and during that window you have zero control, zero visibility, and zero recourse beyond 'they're working on it.' At minimum, orgs should be exporting logs and critical data regularly so that when a SaaS goes dark, you at least have something to work with locally.
FailBait-@reddit
This was one of the first big lessons when I got my start in corporate/enterprise IT. “I can do that though…” “Yes, but if there’s an issue, you’re screwed. I’d rather hire this consultant so if there’s a problem I can yell at them.”
The cost isn’t the skill, sometimes it’s the value in the “single throat to choke”.
mustang__1@reddit
That's only true to a point. In that... Why did you use that vendor? And sure, that question doesn't always get asked - and in the case of MS there aren't other/better choices, but still...
cdoublejj@reddit
but now cloud has outages all the time, more than on prem sometimes
pdp10@reddit
Do that a few more times, and you'll spend your day posting in /r/ITManagement instead of /r/sysadmin.
But on the other hand, there's endless talent on the market, willing to make their living by pointing fingers at others. You'd be outcompeted in the management role by someone with a more finely developed sense of sycophancy.
Middle management is for people who don't have a competitive advantage at anything else.
_--_---__--_--_-_-_-@reddit
Hey that's offensive to all the technical folks who got "promoted" into management, and are really bad at prioritizing manipulative sycophantism over human decency & looking out for your subordinates, which then leads to their team getting inundated with unreasonable requests and demands from more sociopathically competent senior managers
socksonachicken@reddit
BOFH vibes. I like it.
ITSecurityAdam@reddit (OP)
And with all the vibe coding, we are going to have a day of reckoning soon. This is probably just the first of many "big ones"
Made_UpWords@reddit
Luckily, criminals are vibe coding too: https://www.tomshardware.com/tech-industry/cyber-security/ransomware-accidentally-destroys-all-files-larger-than-128kb-preventing-decryption-vect-code-likely-partly-vibe-coded-with-ai-or-used-an-old-code-base-security-researchers-suggest
But unluckily:
It just makes them (accidentally) even more dangerous lmfao.
TonyBlairsDildo@reddit
Imagine having to report your extortionist to the Better Business Bureau for shoddy quality software
axonxorz@reddit
*Boomer Business Bureau.
It's yelp for old people, they even try to extort businesses the same way.
The BBB has always been a scam.
Mechanical_Monk@reddit
I'm convinced the hate against BBB is a psyop. The few times I've used them because a business was trying to take advantage of me, they were able to help resolve the dispute. They've saved me thousands in wrongful charges that would have otherwise ended up in collections and on my credit report.
axonxorz@reddit
Just because you had some success doesn't mean people's criticisms are a "psyop."
I can play the anecdote game too. The large furniture retailer my wife worked for was a BBB member. Their store-level office policy for dispute resolution was "lmao, k" because head office just made those negative interactions go away. That's a pay-for-play protection racket.
Their business practices are well documented, they're not consumer-first, they're BBB-first. Extortion through manipulating visibility of ratings (and later, reviews), with mafia-style cold-calling to businesses ("you're not a member? it's a shame you can't deal with these negative reviews we will place against your business name in index/catalogue, later search engine rankings") isn't okay and has been documented for over 50 years at this point. All that said, I'm genuinely happy that you avoided getting screwed over.
BBB claims 70% success rate on dispute resolution, but peer under the hood and you'll see that means "the BBB forced their member to engage with the customer", and nothing more. Being able to manipulate the BBB into giving Hamas an A+ rating simply by being a paying member and making some cursory declarations isn't a good look.
Mechanical_Monk@reddit
I was being hyperbolic with the "psyop" comment, but nearly every criticism I've heard has been from the perspective of business owners, not consumers. Although if they are actually extorting businesses with negative reviews as you claim then that does seem problematic if not outright illegal.
The average consumer doesn't have the knowledge or resources to threaten that legal exposure without paying a lawyer or other third party. BBB is a freely available third party that at least threatens legal exposure by its mere involvement, which is often enough to get things moving.
Often that's all a consumer needs, and it's the main thing the business refuses to do without outside pressure.
Again, if your extortion claims are true, then that's pretty fucked. But I still think they're more than just "Yelp for old people" (I'd argue Yelp itself is actually Yelp for old people lol)
clt_drol@reddit
It’s great until you are on the other end of a false claim.
DaftPump@reddit
They'll never, ever live this one down...
blazze_eternal@reddit
The entire basis for ransomware is a trust model to get payment. If that trust is broken, and attackers stop providing solutions, you're just spreading malware and no one will pay.
pinkycatcher@reddit
Criminals don't need things to work right every time, they can vibe code and as long as it works once in one place they win. It's the opposite for defense, they need to be consistent and correct.
If an offensive attack has major weaknesses or issues, it's not a big deal.
chat-lu@reddit
Vibe coding malware works fine. It's not like maintainability mattered.
Sea-Aardvark-756@reddit
It's like there are three parties, human victim, human attacker, and the AI maximizing damage to humans by making the attempt at encryption destructive. Goal: Solve problems. Result: More problems.
wenestvedt@reddit
Remember when everyone thought that Netflix's Chaos Monkey was innovative and beneficial?
Now it's like he's turned into angry, barrel-throwing Donkey Kong -- and instead of a Princess, he wants your creds.
apokrif1@reddit
Victims will not trust them and will stop paying, so there will be fewer attempts 😉
DrunkenGolfer@reddit
Hacking and protecting are wildly asymmetric. As AI advances, it will become impossible to protect using the current paradigms.
safalafal@reddit
For me it's death by a thousand cuts, teams so overloaded by lots of medium-sized issues that actual work stagnates
kickstart_my_shart@reddit
More features, faster, with fewer engineers, hot fixes to patch what we rush deliver, and we still ain't getting raises even though we bail out Product Managers/Owners sprint after sprint after sprint.
lenswipe@reddit
yeah as someone who enjoys software engineering (rather than just pumping out slop) - I'm actively enjoying this.
live by the slop, die by the slop.
malikto44@reddit
It is a double-whammy. Vibe coding, so security is lessened, combined with using AI to hunt and find security exploits, not just on an executable level but on a structural/service level, going through entire infrastructures to find that one misconfigured program which can be used to launch attacks.
However, this isn't new. The "security has no ROI" mindset has been with us for decades. It is just made worse with AI widening the gap.
transwumao@reddit
the end result of decades of lobbying to make gigantic cloud providers accountable to no one is that... they're accountable to no one.
DehydratedButTired@reddit
It’s crazy how OK cloud hacks are. It’s always been weird to me.
DramaticErraticism@reddit
I guess I just figured SaaS gets attacked a billion times a day, your local business is a much smaller target with many more vulnerabilities.
They have to be much more vigilant, there are plenty of small to mid sized businesses that are completely exposed and don't get attacked purely out of happenstance, no one has noticed enough to bother lol
safalafal@reddit
reality is your crappy local business is dozens of eggs in a few baskets, while SaaS is millions of eggs in a few baskets
matt95110@reddit
But at least it isn’t your fault?
safalafal@reddit
Isn't your fault, is your problem
bberg22@reddit
Man if that isn't the definition of a Sysadmin's responsibilities idk what is. "Hey Joe, btw I shit my pants, I need you to come clean it up before it spreads all over the office, also why didn't you prevent me from shitting my pants?"
assissippi@reddit
Could also add someone who I did no research on shit on my head, why didn't you prevent this
matt95110@reddit
Yes, unfortunately that is true.
maxlan@reddit
I have never heard anyone say a saas hack wasn't predictable. Not from anyone I have any respect for anyway.
However most saas do a better job of security overall than on prem because it's part of their core business, not a cost centre they want to avoid paying for. And if they get it wrong their customers evaporate and maybe sue them.
How many times have you seen people here complain about funding cuts or having too much work. Because the money goes into the product team or sales. In saas, the product team ARE the IT team.
And here we see a classic example of what happens when you cut funding: they got hacked.
Microsoft are slowly killing open source by buying GitHub, defunding it and letting it fall apart. Seems like it could have been part of a plan all along...
uzlonewolf@reddit
That's just not true. You cannot sue them because binding arbitration was part of the agreement when you signed up for their service, and they won't lose any customers because everyone's just going to go "Well, it was company X, if it happened to them it could happen to anyone. If we switched it'll just happen again when it happens to the new company!"
Unable-Entrance3110@reddit
I would argue that the motivation for cutting is the same whether or not the software exists on premises or in the cloud.
If the operators of the application want to increase shareholder "value" by cutting operating costs, security is going to be on the table along with every other option.
They are highly motivated to provide the minimal amount of whatever is needed to keep the application working and no more.
Kardinal@reddit
Nevertheless they can leverage very smart people and scalable tools to provide excellent security at scale more efficiently than most organizations can do for on prem.
safalafal@reddit
I think we both know I'm not talking about proper IT or Security people when I say this lol
aeroverra@reddit
We have some gaping security issues I blame the executive imposed culture on in our software department and in the high chance we get breached one day I think they would still blame it lmao
whythehellnote@reddit
The whole point of SaaS is plausible deniability for the CTO. Indeed that's the entire point of outsourcing everything.
Accountability as a service.
wenestvedt@reddit
Time to update that acronym to "Scapegoat As A Service"?
JNikolaj@reddit
My biggest issue with cloud: we’ve little to zero control over security, and it seems to be within good reason to be sceptical
whythehellnote@reddit
You're thinking like an engineer -- you want to keep your company secure.
Try thinking like a CTO -- you want to keep your job secure.
wenestvedt@reddit
I have felt the same pain that clearly scarred you. Strength, my friend.
fedroxx@reddit
There are literally people who can't afford food that defend billionaires. People are stupid. Knowing that, it makes perfect sense that people defend saas.
RetPala@reddit
"No way to prevent this" says only domain where this regularly happens
Formal-Knowledge-250@reddit
That's consultants you talk about. Proper security personnel tell you: don't trust the cloud. Never ever.
Treebeard313@reddit
As an update, Github confirmed earlier that they were breached due to an employee using a poisoned VS Code extension.
https://xcancel.com/github/status/2056949168208552080?s=20
Nekrokosmic@reddit
Dude is fuuucked…
gladluck@reddit
That is very likely, but pointing all blame on a single individual is pretty dumb. GitHub _should_ know how vscode works (auto-updates add-ons by default), and should have implemented mechanisms to reduce this attack vector.
But yeah, blame usually lands where it doesn't belong 🤷♂️
Unable-Entrance3110@reddit
Yeah, it's crazy to me that some sysadmins still allow unrestricted extensibility installs in software.
The first thing I do when bringing in a new software is to look at what kind of extensibility features it has and lock it down to approved only (or none at all).
I will then create a plan for keeping approved extensions up-to-date, sign myself up for update notifications and monitor update rollouts.
Ansible32@reddit
People who use VSCode are doing arbitrary code execution, that's their literal job. There should definitely be review but VSCode extensions are closer to pip or NPM packages - really outside of IT's purview to review, it's gotta be actual software devs doing the review, as part of the development process.
Unable-Entrance3110@reddit
Sounds like a nightmare situation that is just begging for these types of exploits to happen.
Ansible32@reddit
Software developers' job is arbitrary code execution. If that sounds like a nightmare to you you should not use computers.
mirrax@reddit
Eh, VS Code is a Microsoft product with heavy ties into GitHub. I'm sure that they were encouraging their employees to use VS Code and extensions from the official store.
namalleh@reddit
is now a good time to talk about the firing and ai vibecoding
mirrax@reddit
Doesn't have much to do with vibecoding here, but a supply chain attack. If it's the Nx Console extension which is a helper for monorepos, then AI has literally 0 to do with it.
Likely the Nx Console developer was hit in an earlier supply chain attack (likely Checkmarx/Trivy/TanStack) lost their GitHub API key. Which got used to hit the extension's repo.
namalleh@reddit
right, but if Microsoft cared perhaps they would add vuln scanners before you download stuff
they used to do stuff like this, your browser does this (to some extent)
but your ide running with potentially elevated permissions and keys to your company's money doesn't check anything
when you fire people and force the remaining to use ai it kind of makes motivation for doing something like this go down
Holographic247@reddit
Nah, dude is fine. Checkmarx got hit last month and sent credential stealers out to everyone who updated their VS extension. Lots of places got hit, and that was one vendor of many that have had their legitimate distribution channels compromised.
The onus would have been on their CTI/CTH teams to identify their exposure, their DFIR team to identify the affected assets and exposed credentials, and then their IAM team to rotate them.
The individual employee is most likely entirely blame free.
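The two practical points above (Unable-Entrance3110's "approved extensions only, then track their updates", and Holographic247's "CTI/CTH identify exposure, DFIR identify affected assets, IAM rotate") both come down to knowing which extension builds are installed where. The following is an added example, not code from the thread or from GitHub/Microsoft. It assumes each workstation has run `code --list-extensions --show-versions` (real VS Code CLI flags) and that the output was collected into a hostname-to-text mapping; the hostnames, the allowlist and the "known-compromised" version set are constructed for illustration, and the extension and publisher names in them are hypothetical.

```python
"""Audit collected VS Code extension inventories against an allowlist.

Added example (not from the thread). Input is the text of
`code --list-extensions --show-versions` per host, which prints one
`publisher.name@version` line per installed extension.
"""
import re
from dataclasses import dataclass

# Constructed sample: inventory text per host (hostnames are made up).
INVENTORY = {
    "dev-laptop-01": "ms-python.python@2024.22.0\nesbenp.prettier-vscode@11.0.0\n",
    "dev-laptop-02": "ms-python.python@2024.22.0\nsome-publisher.helper-tool@1.4.2\n",
    "dev-laptop-03": "ms-python.python@2024.20.0\nesbenp.prettier-vscode@11.0.0\n",
}

# Constructed allowlist: extension id -> pinned version, or "*" for any version.
ALLOWED = {
    "ms-python.python": "2024.22.0",
    "esbenp.prettier-vscode": "*",
}

# Constructed: (extension id, version) pairs an IR team has flagged as
# compromised builds. Hypothetical values, not a real advisory.
KNOWN_BAD = {("some-publisher.helper-tool", "1.4.2")}

# publisher.name@version ; publisher and name are alphanumeric with hyphens
LINE_RE = re.compile(r"^(?P<ext>[\w-]+\.[\w-]+)@(?P<ver>\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str
    extension: str
    version: str
    reason: str


def parse_inventory(text):
    """Return [(extension_id, version), ...]; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("ext"), m.group("ver")))
    return out


def audit(inventory, allowed, known_bad):
    """Flag compromised builds first, then unapproved extensions, then version drift."""
    findings = []
    for host, text in inventory.items():
        for ext, ver in parse_inventory(text):
            if (ext, ver) in known_bad:
                findings.append(Finding(host, ext, ver, "known-compromised build"))
            elif ext not in allowed:
                findings.append(Finding(host, ext, ver, "not on allowlist"))
            elif allowed[ext] not in ("*", ver):
                findings.append(Finding(host, ext, ver, f"version drift, approved {allowed[ext]}"))
    return findings


def hosts_needing_rotation(findings):
    """Hosts that ran a compromised build: every credential used there gets rotated."""
    return sorted({f.host for f in findings if f.reason == "known-compromised build"})


if __name__ == "__main__":
    results = audit(INVENTORY, ALLOWED, KNOWN_BAD)
    for f in results:
        print(f"{f.host}: {f.extension}@{f.version} -> {f.reason}")
    print("rotate credentials on:", hosts_needing_rotation(results))
```

The ordering of the checks matters: a compromised build is reported as such even when the extension is also absent from the allowlist, so the rotation list is not hidden behind a policy finding. To prevent the drift in the first place rather than just detect it, VS Code's `extensions.autoUpdate` setting can be turned off centrally, and recent releases add an `extensions.allowed` setting that makes the editor itself refuse anything not listed.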
Puzzled-Tangerine831@reddit
vscode and github are both owned by microsoft, ironic they got hacked through vscode.
deke28@reddit
Vscode is garbage security wise
gramsaran@reddit
so many rouge extensions.
music2myear@reddit
Always hated those red-ish extensions.
Darkk_Knight@reddit
Looks like I should fire up Forgejo self host server and give it a go.
okoddcat@reddit
You can try Gisia, much more lightweight and simple for personal use.
mirrax@reddit
Call me skeptical of any product with a small dev team that's AGPL with CLA not being just a trap for a rug pull later.
okoddcat@reddit
I built this tool for myself first; open sourcing it is just another option. AGPL does allow you to fork your own version.
mirrax@reddit
Yes, but with a CLA you can take that code and relicense it under a commercial license and have no obligations to release your own code. So what ends up happening is a commercial rug-pull with there being no incentive to fork with such a restrictive license.
So anyone using your product which looks to be vibecoded is taking on substantial risk.
--Arete@reddit
RemindMe! -7day
zero0n3@reddit
The price seems suspect.
This, if true, and with large org private code, would be worth way more than 50k. Like 50 million.
Imagine having access to the code repo of a F500 or F100 company. You’d be inside their network and hidden extremely easily once you’ve analyzed their code for vulnerable versions of modules and stuff. Probably a few private keys or keytabs or whatever in there too. Documentation on their setup and how to potentially work around security measures.
Mikolf@reddit
Not nearly worth that much. If you really wanted a company's source code you could bribe an employee for $50k or so probably. There's no commercial value to it since a legit company can't be using stolen source. It's basically good for some black hat to run their vulnerability scanning AI over to see if there's anything exploitable in their production environments.
on-a-call@reddit
Idk about you but I'm not risking my career and jailtime for 50K :p
Mikolf@reddit
Not you but that dude in India the company is offshoring to and is getting paid peanuts.
on-a-call@reddit
Oh shit yeah 🫠 don't do it Sanil!!!
malikto44@reddit
That is beginning to change. Let's say XYZ company has a unique, copyrighted way of editing documents. Their source code gets copied, and AI is used to create a clean room clone of it.
Then, sometime later like 3-6 months, ABC company has an editor which looks different, but it is able to easily edit XYZ's proprietary formats, supports all XYZ's features in some way, and is a lot cheaper, perhaps with a good support record.
ABC company doesn't even have to sell to XYZ's customers. ABC can sell to a different market completely where XYZ may not have a foothold or be completely banned, due to political reasons.
[1]: One of the biggest ironies in IT is the perception that OPFOR companies always have far better support and code quality than the average.
Ansible32@reddit
Yeah but an open source clone of Github already exists, it's called Gitlab and it's not the only one.
ITSecurityAdam@reddit (OP)
You're forgetting the IP value of something... imagine it's uber or tesla's self driving data source code. There's lots of value in that and even just being able to re-tool it in a specific way and then sell it as their own. Competitors would love their rivals' source code
cgimusic@reddit
Not really. GitHub does not do anything that couldn't be trivially reverse engineered. There's no super secret sauce that makes it work.
Also a lot of the code is already publicly available as part of GitHub Enterprise Server releases that anyone can just download.
ITSecurityAdam@reddit (OP)
And to clarify, I’m not saying the GitHub source code is the value, I’m saying the potential 4,000 private repos of other companies IP data is
hobovalentine@reddit
I’m told that it was only GitHub itself that was hacked, none of the customers' data which is not hosted within the GitHub Org repositories
Darkhexical@reddit
Tell that to Microsoft. Their code has been leaked and it was found they violated sooo many copyright laws. I don't think much came of that either surprisingly..
whatThePleb@reddit
Let's be real. Github is nothing special and absolutely not worth "50 million". It's basically just git with a WebUI. There are already enough alternatives which are even open.
ITSecurityAdam@reddit (OP)
While there are lots of open source and even better alternatives, it’s the same reason enterprises won’t use OpenOffice and pay for Microsoft Office. They want the brand loyalty
Ansible32@reddit
When Microsoft acquired Github, it was because Github was genuinely a well-run website. The brand loyalty was earned, Github "just worked." Since the Microsoft acquisition the site has been getting more and more unstable and they've totally lost the brand loyalty. I also doubt that the source code lets you replicate any of what used to make Github great. Even if it was still great, I'm not sure the source would help; operational excellence isn't in source code.
AnalTwister@reddit
Brand loyalty? Maybe this is what you meant, but in my experience it's just easier to get things done when everybody is on board with the same system. Pretty much every developer has used github before and pretty much every office person has used O365. Not to mention all the plugins that Accounting uses in Excel that may or may not be compatible with LibreOffice.
Landscape4737@reddit
Newsflash: OpenOffice hasn’t had a major update in 13 years, people moved to LibreOffice which forked from it in 2010.
NagyKrisztian10A@reddit
You can't sell stolen stuff for market price
shitlord_god@reddit
yeah, but "below market price" is still above $50k
BallsInSufficientSad@reddit
...and they probably have way more than 4000 repos - they are just selling them in chunks of 4000 for $50K each.
trowawayatwork@reddit
also it's microslop
Khue@reddit
Think about the volume though. At $50k every small hacking group could scrape together that much money to have a go at GitHub source.
icehot54321@reddit
It’s GitHub code not company data.
You might be able to leverage the information into a wider attack, but if the people that got this information couldn’t do that then they are obviously just trying to sell what they have.
hobovalentine@reddit
Most of the repos are probably just non source code and of little monetary value.
If company secrets are hosted in the repositories themselves versus in more secure places like Google Workspace or O365 then yes GitHub might be in some hot water.
Darkhexical@reddit
Ya except GitHub source code isn't worth a ton when you have open source alternatives to GitHub. Now the 4,000 private repos... That may be worth something dependent on what they have in them
ITSecurityAdam@reddit (OP)
Let alone, if they got github's source code and whatever else was included in the "internal org" data. Massive blast radius with this one
ThreatIntelPro@reddit
From a threat intelligence research perspective, one of the most important unanswered questions is how the malicious VS Code extension was delivered. It will be interesting to learn whether this was:
The delivery mechanism will tell us a lot about the maturity and intent of the operation.
ukulele87@reddit
Maybe its time to start over? Perhaps Internet 2 will be better?
Who has the geocities domain?
shitlord_god@reddit
we had internet 2 (The internet where folks could upload content, often differentiated by the beginning of the wide availability of broadband). We need a web 3 that isn't the bullshit hyper commoditization of blockchain etc. Web 3 needs to be a web of meshnet, folks who own their own hardware hosting stuff for communities, federation everywhere. We need a decentralized web, but not a decentralized web for gigacorps who own all the hashing power, decentralized for the people.
ukulele87@reddit
Its not gonna happen.
The powerful have power because they can control shit, we might hope new technologies (internet in its time, blockchain when it started) would bring some sort of freedom or something like that.
But only while the powerful dont care about it, the second they see it as a tool we cant do anything but let them take it.
So yeah you can keep your meshnet for now, because its actually useless, once/if it becomes semi-functional then it would follow everything else.
shitlord_god@reddit
/r/darknetplan /r/homelab /r/DataHoarder
It is happening. And it will continue happening. And as the internet becomes more and more of a corporate organ more and more people will seek alternatives - it is already happening, and there are protocols other than mesh (As much as it is a nice tool) that are VERY useful, but not popular enough yet to commoditize. I don't see mastodon going corporate anytime soon, and I don't think that folks sharing their jellyfin servers with their families are going away any time soon either.
The fatalism you're throwing out there is a waste of time when folks are doing the work.
ukulele87@reddit
Honestly don't care enough to argue about it, especially when it's clearly very important for you.
Not trying to piss on your dream, gnight!
shitlord_god@reddit
doing nothing doesn't piss on anything. it is simply doing nothing.
malikto44@reddit
This makes for a nice thought exercise. What would the main WAN protocol be like if we could design it from the ground up? Do we go with a formal OSI layer, or not bother? Done right, we could do some real interesting stuff, including having MAC addresses double as hash and key IDs, so traffic going from one MAC to another could be end-to-end encrypted and signed on the hardware frame layer. We could go to a circuit-switched protocol so only the machines with those NICs are allowed, with their private keys signed by a third party, preferably in a web-of-trust style like OpenPGP, and not a hierarchical style like TLS.
As for what goes onto this "Internet 3", if we gave the "keys" to the academic community, similar to how NSFNET was before it was sold, maybe it might result in something useful, especially if a node misbehaving can result in its access being yanked. This way, a site that pops up where people are exploiting from just has its keys revoked, and the problem is solved.
Downside is compressing decades of security and functionality research into something that makes sense now, as well as for future stuff. If we had to start all over, IPv8 is looking interesting.
shitlord_god@reddit
/r/darknetplan
Angelworks42@reddit
I work at a place that uses Internet2; it's super useful for peering (between stuff like other universities and Netflix, Google, Amazon etc.) at 10+ gigs.
I don't think it solves any security issues per se, but it does have its own root of trust, between universities at least. Tbh it's not that useful these days I think: https://incommon.org/ especially with how easy it is these days to build trust relationships with SSO. I mostly see it used for Wi-Fi auth at various unrelated universities.
DarkSky-8675@reddit
Internet2 already exists.
thebigshoe247@reddit
Hunter2
Nu-Hir@reddit
That's the same password I have on my luggage.
lordkuri@reddit
oh bullshit, no luggage locks have * on the dials...
mzuke@reddit
TIL Internet2 is still around and of course just got breached...
Philluminati@reddit
Web 4.0
SHFT101@reddit
That's it guys, I'm going to become a professional gardener. I'm tired...
cbelt3@reddit
The quote from “Soul of a New Machine” is often loud in my head…
“I am joining a commune and I will not deal in units of time shorter than a season”.
SubtleSteve@reddit
One of the most eclectic analytic philosophers in the "western world" was Ludwig Wittgenstein. After he was dragged by a colleague to publish his work, he left Cambridge to be a gardener, at least for a stint.
Ignore the fact that he came back...
via_dante@reddit
That Wittgenstein fella is absolutely unhinged!!! Check out https://existentialcomics.com/
😄
Lakatos_00@reddit
You won't last a day
Delta-9-@reddit
Idk, debugging my star jasmine (goddamn spider mites) has been a constant pain that's actually just interesting enough trying to solve that I can keep putting time into it.
I could maybe see myself doing it full time. Gotta be better than shoveling goat shit, at least.
shitlord_god@reddit
Mucking stalls isn't half as bad as everyone wants you to believe.
Demented_CEO@reddit
Not with that attitude! More seriously: why not?
skipITjob@reddit
It's hard work. And you might need to work regardless of weather.
Forsythe36@reddit
I’ve done more demanding work in the army and grew up on farms, I think I could handle it.
Demented_CEO@reddit
Sounds like IT...
BeagleWrangler@reddit
There is something new every damn day. I'm going to become a park ranger, fuck this.
shitlord_god@reddit
those jobs are being cut way back with the budget pillaging (In the US At least)
AuroraFireflash@reddit
Deal with people growing illegal shit on your turf and they have weapons and a desire to make you go away?
BeagleWrangler@reddit
It's true. And in reality, my team gets really energized by this stuff. We bring full force to the assholes who try and fuck with us 😈
SHFT101@reddit
I like park ranger more, good idea!!
mumblerit@reddit
Goat Farmer
protocol@reddit
https://www.reddit.com/r/sysadmin/s/eDhpJQs6F6
shitlord_god@reddit
no goat dashboards
ventuspilot@reddit
Think some more: https://www.reddit.com/r/AnimalsBeingDerps/comments/1mhbong/farm_life/
ScannerBrightly@reddit
That was an epic horse jump.
ptear@reddit
I'm heading over to Home Depot if you want to join.
SenTedStevens@reddit
I was just there yesterday. They have some decent tool and gardening sales right now.
ptear@reddit
I bought grass seed, they had some good deals. Did overseeding, been watering, lawn is starting to look good, no major bugs.
runozemlo@reddit
Home Depot has an IT team too. No escape.
wyrdone42@reddit
There are a bunch of us supporting a homestead life via IT careers. You would not be alone.
Formal-Knowledge-250@reddit
Why, since you trusted a big company to keep your data safe? Yes please become a gardener.
CharcoalGreyWolf@reddit
Thank you for your tone-deaf, unsympathetic pedantry.
You couldn’t read the room if it was a picture book.
Formal-Knowledge-250@reddit
Why should I read a room if it's full of gardeners attempting to do security work?
CharcoalGreyWolf@reddit
Perhaps to not be the “that person” that every other IT person dislikes because they have zero empathy for any of their colleagues, some who have been at this a very long time, and have had a lot of shit to shovel in their career.
Translation: you’re being an ass who has zero respect for the people around you. If that’s who you want to be, the door to clueless management of IT people is over there on the right, this is the area for the actual IT people.
Absolute_Bob@reddit
Do you roll all of your own hardware and software or are you depending on others to keep your information safe?
Formal-Knowledge-250@reddit
I've been in red teaming for three years now. Things got so bad in the cloud that Azure customers have a 95% chance of successful objectives when the target is Azure AD or cloud zero trust only. With on-prem AD we only have a 60% success rate. This is data from 2025.
Nobody can ignore that cloud infrastructure is not mature, in nearly no case. In contrast to this, on-prem has good chances of being hardened, segregated and grown up.
Mizerka@reddit
I watched 2 hours of some guys breeding koi fish on a farm... it's pretty alluring ngl
CharcoalGreyWolf@reddit
I want to be a zookeeper. At least animals will love me and none of them expect the impossible day after day, then take it for granted if I actually manage it.
12354645789234@reddit
you haven't even dealt with thrips and aphids
Opposite_Bag_7434@reddit
Sounds familiar, I’ve had coworkers go off to become potato farmers.
newworldlife@reddit
The poisoned extension part is what’s going to keep a lot of security teams awake tonight.
I’ve seen companies lock down servers like Fort Knox while developers can still install random extensions with repo access in two clicks.
Fatality@reddit
I got told antivirus wasn't needed on Macs because they are super secure inherently literally the day after a dev installed a malicious Chrome extension.
newworldlife@reddit
That’s the part a lot of companies still struggle with honestly.
Locked-down infrastructure… but browser extensions, IDE plugins, and local tooling still end up being the soft spot.
ITSecurityAdam@reddit (OP)
For those that don't want to go to the X page
Andrew-Powershell@reddit
50k seems like a really low price for something like that. If it's not illegal then I could see some rich tech person just buying it and releasing the source for lulz
on-a-call@reddit
It's still very illegal lol so if you want to do that better cover your tracks.
Ansible32@reddit
If you want to publish just offer them 50k to publish it publicly, they might accept.
shitlord_god@reddit
50k being the minimum bid is shockingly low.
DDFoster96@reddit
I'd like to see the list of repositories, only because I'm intrigued what you could possibly fill 4,000 internal repositories with. I thought they were a big proponent of the monorepo?
tnoy@reddit
At work we have a bunch of repos that are just documentation and a bunch that are only used for issue tracking.
BallsInSufficientSad@reddit
I wouldn't be surprised if many more were leaked but that they are being sold in "chunks" of 4000 at a time.
cgimusic@reddit
GitHub use GitHub for basically everything. There'll be things like a bunch of planning repos for each team that basically just have issue templates in, documentation repos, internal tooling, etc.
They also do have a lot of microservices, not everything is in the Rails monolith.
Wolfram_And_Hart@reddit
What if it turns out to be all the Windows PowerShell ones, and now we have a bigger problem.
End0rphinJunkie@reddit
Appreciate the screenshot. That "internal repositories" line is doing a lot of heavy lifting considering how much infra config usually lives in those.
CuriousSwitches_2001@reddit
I'll just leave this here.
mustang__1@reddit
Wait does this mean the private keys I have in my private repo are leaked? I thought they were going to stay private!
/s
Fresh-Gazelle7014@reddit
Funny how SaaS gets a free pass while internal IT gets crucified. Guess we'll see if they actually pay up for their own code.
Organic_Trifle9816@reddit
Google did it because they hate APK sideloading; Google also does that to all people who won't download via Google Play.
SuperheropugReal@reddit
Ummn... no.
FlowParticular235@reddit
Honestly the scary part isn't even the breach itself anymore, it's how many layers modern workflows depend on now: extensions, marketplace actions, review bots, CI tools, random automation everywhere. One compromised piece can spread surprisingly far before anybody notices. Made me way pickier about what I wire into my setup after that, especially once I started using more automation stuff outside plain GitHub, including tenki.
Last_Meringue2625@reddit
Worth noting the threat actor's asking price is pretty low for what they claim to have. Either the data isn't as valuable as advertised or they're trying to move it fast before rotation makes the secrets worthless.
BallsInSufficientSad@reddit
They are likely chunking the repos into 4000 repo sets.
countsachot@reddit
Haha, they can have my privates, they're private for a reason - they suck.
steadwing_official@reddit
This is the frightening part of modern supply chain risk. A single compromised extension in a trusted workflow can bypass a lot of traditional perimeter security since developers already gave it execution and repo access.
Every org should probably be rotating tokens, auditing GitHub Apps / OAuth scopes and reviewing VS Code extensions installed across engineering machines right now, even if customer repos weren't directly impacted.
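One concrete way to do the "review VS Code extensions across engineering machines" part of that checklist, as an added example that is not code from this thread, from GitHub or from any vendor named here: VS Code records installed extensions in `~/.vscode/extensions/extensions.json` (each entry carries `identifier.id`, `version` and install metadata; the exact fields used below are what the file contains in recent VS Code builds and are treated as an assumption). The script compares that inventory against an engineering allowlist and flags anything unapproved, an unapproved version, a pre-release build, or anything installed after a review cutoff. The allowlist, the extension ids and the sample file contents are constructed for the example.

```python
"""Flag VS Code extensions on a workstation that are not on an engineering allowlist.

Reads the extensions.json that VS Code keeps under ~/.vscode/extensions/ (each
entry carries identifier.id, version and install metadata) and reports anything
that is unapproved, an unapproved version, a pre-release build, or installed
after a chosen review cutoff.
"""
import json
import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path

# Engineering allowlist (assumed for this example): extension id -> approved
# versions, or None when any version of that extension is acceptable.
ALLOWLIST = {
    "ms-python.python": {"2024.4.1"},
    "eamodio.gitlens": None,
}


@dataclass(frozen=True)
class Finding:
    ext_id: str
    version: str
    publisher: str
    reasons: tuple


def load_extensions(extensions_json: str) -> list:
    """Normalise extensions.json entries; only the fields we rely on are kept."""
    out = []
    for entry in json.loads(extensions_json):
        meta = entry.get("metadata") or {}
        ts_ms = meta.get("installedTimestamp")  # ms since the epoch, may be absent
        out.append({
            "id": entry["identifier"]["id"].lower(),
            "version": entry.get("version", ""),
            "publisher": meta.get("publisherDisplayName", "<unknown>"),
            "installed": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc) if ts_ms else None,
            "prerelease": bool(meta.get("isPreReleaseVersion", False)),
        })
    return out


def audit_extensions(extensions_json, allowlist=ALLOWLIST, installed_since=None):
    """Return one Finding per extension that needs a human look, with every reason."""
    findings = []
    for ext in load_extensions(extensions_json):
        reasons = []
        if ext["id"] not in allowlist:
            reasons.append("not on allowlist")
        elif allowlist[ext["id"]] is not None and ext["version"] not in allowlist[ext["id"]]:
            reasons.append("version not approved")
        if ext["prerelease"]:
            reasons.append("pre-release build")
        if installed_since and ext["installed"] and ext["installed"] >= installed_since:
            reasons.append("installed after review cutoff")
        if reasons:
            findings.append(Finding(ext["id"], ext["version"], ext["publisher"], tuple(reasons)))
    return findings


# Constructed sample in the shape of extensions.json (the helper extension and its
# publisher are invented; 1700000000000 = 2023-11-14, 1716000000000 = 2024-05-18).
SAMPLE_EXTENSIONS_JSON = json.dumps([
    {"identifier": {"id": "ms-python.python"}, "version": "2024.6.0",
     "metadata": {"publisherDisplayName": "Microsoft", "installedTimestamp": 1700000000000}},
    {"identifier": {"id": "eamodio.gitlens"}, "version": "15.0.0",
     "metadata": {"publisherDisplayName": "GitKraken", "installedTimestamp": 1700000000000}},
    {"identifier": {"id": "example-publisher.totally-fine-helper"}, "version": "0.0.3",
     "metadata": {"publisherDisplayName": "example-publisher", "installedTimestamp": 1716000000000,
                  "isPreReleaseVersion": True}},
])

REVIEW_CUTOFF = datetime(2024, 5, 1, tzinfo=timezone.utc)


def main(argv):
    # Use the real inventory when present (or a path given on the command line),
    # otherwise fall back to the constructed sample so the script runs offline.
    path = Path(argv[1]) if len(argv) > 1 else Path.home() / ".vscode" / "extensions" / "extensions.json"
    text = path.read_text() if path.exists() else SAMPLE_EXTENSIONS_JSON
    for f in audit_extensions(text, installed_since=REVIEW_CUTOFF):
        print(f"{f.ext_id}@{f.version} ({f.publisher}): {', '.join(f.reasons)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it on each engineering workstation (or ship the collected `extensions.json` files to one place and run it there); `code --list-extensions --show-versions` gives the same id/version pairs if the JSON file is not available. An allowlist with pinned versions is what turns a one-off review into something a fleet can be held to.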
hitmaker307@reddit
What's the "allegedly" crap? They disclosed it. What else do you need????
ITSecurityAdam@reddit (OP)
This post started last night, before all of the new data had come to light.
jwalker55@reddit
New github competitor launching soon: GitGud
Imd1rtybutn0twr0ng@reddit
It's always going to be "when", not "if" this happens. AI will compound this in scary ways. All those clouds will start being stormy rather than not. ᕕ( ᐛ )ᕗ
shimoheihei2@reddit
So, who ever thought it would be a good idea to store private data on the public cloud again..?
malikto44@reddit
I think we are going to see a falling back to that, perhaps causing self-hosting to come back. However, this is the absolute worst time, to the point of a perfect storm for pressure for self-hosting due to the RAM and other hardware prices.
RAZGRIZTP@reddit
It's all related
confusedcrib@reddit
The breach happened through a malicious VS Code extension that a developer used. These attacks have been around forever, but still very few tools actually detect or prevent them. Koi was one and was acquired by Palo; Aikido is the other I'm aware of that does it.
DragonsBane80@reddit
Supposedly Pluto.ai also, but we've only evaled Koi. Koi was fantastic.
Worldly-Spot-7812@reddit
I should change my tokens.
ScannerBrightly@reddit
As long as you keep your tokens in a different public repo, you should be fine.
At least, that's what CISA did. ;-)
Sansui350A@reddit
MicroSlop
flummox1234@reddit
It's almost as if their parent company ... nah nevermind. I weep for what github used to be. They're not that anymore and anyone that thinks they are hasn't been paying attention.
Necessary-Two7299@reddit
Ohhh
b_rodriguez@reddit
Does anyone know roughly what the initial outlay for a small artisan coffee shop is?
GWSTPS@reddit
Probably not too far different from moving to New Zealand and getting a goat herd?
AntoIT@reddit
The "no evidence of customer impact" line is doing a lot of heavy lifting right now. That's the statement you make when you're still figuring out the scope, not when you've confirmed the blast radius. If you have service accounts, deploy keys, or Actions secrets tied to GitHub — rotate them now, don't wait for the post-mortem. We've already advised clients to audit their GitHub org permissions and pull recent access logs. Better to spend an hour being cautious than a week doing incident response.
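The "pull recent access logs" step above is the one most teams do by eyeballing a JSON export. Here is an added example of doing it with a script; it is not code from this thread or from GitHub. It takes the JSON array the organization audit log REST endpoint returns (entries carry `@timestamp` in milliseconds, `action`, `actor` and usually `org`/`repo`/`user`), keeps entries after a cutoff, and reports privileged actions, weighting them higher when the actor is not one of the expected administrators. The watchlist of action names is an assumed starting point to be extended from GitHub's documented action list, and the sample entries, actor, org and repo names are constructed.

```python
"""Triage a GitHub organization audit-log export after a credential-exposure scare.

Input is the JSON array the org audit log REST endpoint returns (entries carry
'@timestamp' in ms since the epoch, 'action', 'actor' and often 'org'/'repo'/'user').
Privileged actions since a cutoff are reported, with extra weight when the actor
is not on the list of expected administrators.
"""
import json
import sys
from collections import Counter
from datetime import datetime, timezone

# Actions that matter when someone may hold stolen credentials. These names
# appear in GitHub's audit log; the list is an assumed starting point and
# should be extended from GitHub's documented action catalogue.
WATCHLIST = {
    "org.add_member": "new organization member",
    "org.update_member": "member role changed",
    "org.oauth_app_access_approved": "OAuth app approved for the org",
    "integration_installation.create": "GitHub App installed",
    "personal_access_token.access_granted": "fine-grained PAT granted access",
    "repo.add_member": "collaborator added to a repository",
    "repo.access": "repository visibility changed",
    "repo.destroy": "repository deleted",
    "org.disable_two_factor_requirement": "2FA requirement disabled",
}


def parse_export(text):
    """Parse the audit-log JSON array and attach a UTC datetime to each entry."""
    entries = json.loads(text)
    for e in entries:
        e["_when"] = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
    return sorted(entries, key=lambda e: e["_when"])


def triage(text, since, trusted_actors=frozenset()):
    """Return (findings, per-actor event counts) for entries at or after `since`."""
    findings, activity = [], Counter()
    for e in parse_export(text):
        if e["_when"] < since:
            continue
        actor = e.get("actor", "<none>")
        activity[actor] += 1
        label = WATCHLIST.get(e["action"])
        if label is None:
            continue
        findings.append({
            "when": e["_when"].isoformat(),
            "actor": actor,
            "action": e["action"],
            "target": e.get("repo") or e.get("user") or e.get("org", ""),
            "note": label,
            # An unexpected actor doing a privileged thing goes to the top of the queue.
            "severity": "medium" if actor in trusted_actors else "high",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["when"]))
    return findings, activity


# Constructed sample entries (actors, org and repo names invented).
# 1714000000000 = 2024-04-24 (before the cutoff), 1715000000000 and later = May 2024.
SAMPLE_EXPORT = json.dumps([
    {"@timestamp": 1714000000000, "action": "org.add_member", "actor": "octo-admin",
     "org": "example-org", "user": "old-hire"},
    {"@timestamp": 1715000000000, "action": "repo.create", "actor": "octo-admin",
     "org": "example-org", "repo": "example-org/new-service"},
    {"@timestamp": 1715100000000, "action": "integration_installation.create",
     "actor": "contractor-x", "org": "example-org"},
    {"@timestamp": 1715150000000, "action": "org.update_member", "actor": "octo-admin",
     "org": "example-org", "user": "contractor-x"},
    {"@timestamp": 1715200000000, "action": "repo.add_member", "actor": "contractor-x",
     "org": "example-org", "repo": "example-org/new-service", "user": "outside-acct"},
])

SINCE = datetime(2024, 5, 1, tzinfo=timezone.utc)
TRUSTED = frozenset({"octo-admin"})


def main(argv):
    # Pass an export file as the first argument; without one the constructed sample runs.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_EXPORT
    findings, activity = triage(text, SINCE, TRUSTED)
    for f in findings:
        print(f"[{f['severity']:6}] {f['when']} {f['actor']} {f['action']} {f['target']} ({f['note']})")
    print("events per actor since cutoff:", dict(activity))


if __name__ == "__main__":
    main(sys.argv)
```

The per-actor count is there for the same reason as the severity split: after a token leak the question is not only "which privileged actions happened" but "who was suddenly busy", and an actor with a high event count and no watchlist hits still deserves a look.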
unixuser011@reddit
And I was just thinking about mirroring my internal git repos too
forzayt_@reddit
Something is happening with Microsoft. Recently some devs leaked Forza Horizon 6 source code; today some dev installed a malicious VS extension and then the whole company got compromised. These are the after-effects of hiring vibecoders into a company like Microsoft.
TU4AR@reddit
Damn I got this for my June bingo card not May.
I'll see y'all next month for the next round.
forzayt_@reddit
WTF
jykke@reddit
You can use the xcancel.com link instead: https://xcancel.com/github/status/2056884788179726685
DisappointedSpectre@reddit
Wild that they only put the notice there and not somewhere like, say, their status page? GitHub blog? Anywhere official that doesn't require a 3rd party login?
jykke@reddit
"If any impact is discovered"...
ITSecurityAdam@reddit (OP)
Thanks! Added it to the post
whatThePleb@reddit
Not add, replace.
ICameHereForThiss@reddit
Some vibecoder is shitting their pants rn
notreallymetho@reddit
Just gonna plug this (I'm passionate on the topic that bearer tokens are evil): https://notme.bot/why
hadrabap@reddit
Now, it's time to roll out more Copilot/AI features.
CluelessPentester@reddit
I'm tired, boss
Bob_Spud@reddit
I switched to Codeberg a while back.
Darkk_Knight@reddit
It's based on Forgejo which you can self-host for free. Anything exposed to the internet is at risk of getting hacked.
Defiant_Customer_346@reddit
I'm tired, boss
Opposite_Bag_7434@reddit
Yea me tooooo
ptear@reddit
Can they update the code to improve stability while they've got it?
1d0m1n4t3@reddit
They really are all about open source
spoiled__princess@reddit
Again?
Titus_Oates@reddit
I’m going back to bed