Sounds sketchy given what the employee from Microsoft commented. The article is also not completely up to date with their “interesting” findings. For example, while a language projection for the Windows Runtime to Rust is interesting, it is also a public repository: https://github.com/microsoft/winrt-rs I’d take this article with a grain of salt until we hear more.
I am pretty sure anything from Microsoft on GitHub is intended to be open source eventually. There's no reason they don't have proprietary projects in their own internal version control systems.
> In a directory listing and samples of other private repositories sent to BleepingComputer, the stolen data appears to be mostly code samples, test projects, an eBook, and other generic items.
Other than private keys or sensitive info being left behind, it doesn't appear to be severe. Looks like a nothing burger given the data, until more is released.
> Microsoft employee Sam Smith replied to Under the Breach's tweet stating that he thought the leak was fake as "Msft has a “rule” that GitHub repos must be public within 30 days."
Curious, what does microsoft use internally? Instance of github enterprise? Azure devops?
When I was in Azure last year we used an internal Git repo named, I think it was named 'onebranch'. There are only two things we posted to a private github.
First was our description of our JSON apis, which would eventually be sent to a public github.
The second was some internal documentation we had for our internal clients. I don't think there were any 'secrets' in there, but it would be documentation for the internal side for internal clients that no outsider could ever use.
As far as I know, everyone uses Azure DevOps. I don't know of any teams committing to GitHub, but it would make sense that only things that will be open sourced are placed there.
I don't think the potential leak of source code is the worry for Microsoft here, it is the fact that they got access in the first place, as that could have security implications for other projects.
> This evening, a hacker going by the name Shiny Hunters contacted BleepingComputer to tell us they had hacked into the Microsoft GitHub account, gaining full access to the software giant's 'Private' repositories.
Well, someone asked the other day whether or not private repositories on GitHub were safe: [0] I think you now have a concrete answer regardless if this is true or not. I have already made the case to privately self-host, especially if you're a large enterprise, but preferably on-site [1][2] to avoid these types of attacks and in the process to reduce costs like this as many were discussing in other HN discussion [3], but here we are.
If they can do it to Microsoft, they can do it to anyone else who has a GitHub account.
> If they can do it to Microsoft, they can do it to anyone else who has a GitHub account.
I don't think this is necessarily true. Microsoft's org, like any large org, has a large number of users with access. Its security is dependent on each one of those many accounts being secure.
A smaller org, or an individual, can secure their repositories much more easily as there's fewer entrypoints.
They haven't mentioned whether this hack was achieved by compromising individual account credentials, or by compromising the Github platform itself. If it's the latter, you may be right, but I suspect it's more likely the former.
Isn't the upside of hosted platforms like this that they have teams of people securing and monitoring the platform, which can be a bit much for one person who's self-hosting? I do self-host other things but the article doesn't say anything about how the breach might've occurred (e.g. 2FA not enabled?).
Private GitHub repositories are private the same way that Facebook messages are private: private from your roommate, not from the people who own the platform or from determined attackers.
This is leaping to a huge conclusion, but you are correct that if this was a Github data breach, this is clearly a much bigger issue. However, if this was the case, and 1) this "leak" happened on March 28th, and the individual claims to no longer have access to the account, I trust that Github would have proactively communicated with their users about such a large scale event, especially after having fixed it.
This, if true, is almost definitely a compromise and use of a single user's access credentials, which were then rotated (thus the attacker losing access).
I'm not saying that credential stuffing isn't a large-scale problem (I strongly believe that it is, and have even dedicated time to some potential solutions in the past), but jumping from "someone lost their credentials" to "omgz github can't be trusted!" is a bit of a disingenuous leap.
How many companies, in terms of Market Cap are currently relying on GitHub Private Repo for their source code?
And how do very large enterprises, or financial institutions (which are like the foundation of modern day society), handle their source code? I presume they won't use GitHub for anything important?
I think that "leaked" would be a better choice than "stolen". You can't "steal" source code unless you somehow remove the original (such as if the source code is stored on paper in a safe somewhere, there are no copies, and someone goes and steals it).
Me and a friend were having coffee and were discussing secrets something like 10 years ago. The conclusion of our conversation was "Everything always comes out" (translated from Swedish [context was some gossip that eventually leaked about our common friend]) which boils down to that the only way you can really ensure something stays secret forever, is by only having it in your mind and not sharing it. As soon as you share it _anywhere_, there is a risk of it leaking somewhere.
The lesson I carry is that the more secret something is, the closer to my brain it is. Top-secret = only in my head, a little bit secret = encrypted on my hard drive, a little less secret = encrypted in the cloud, not secret at all = just dumped in a Google Drive account.
> Overall, from what was shared, there does not appear to be anything significant for Microsoft to worry about, such as Windows or Office source code.
> Microsoft employee Sam Smith replied to Under the Breach’s tweet stating that he thought the leak was fake as “Msft has a “rule” that GitHub repos must be public within 30 days.”
Does that mean MS bans the use of GitHub for permanently storing private repos?
We (the TypeScript team) have a bunch of private repos (blog post drafts, planning docs, reproduction repos, rando internal tooling) on GitHub that are many years old. I'm pretty sure that Sam was mistaken here.
Gentle reminder that any private repository is sensitive, because the people pushing to them might not be as careful with what they push, because it's private.
There are hundreds of different kinds of credentials that can be hidden all throughout the history of a Git repo (in code, in logs, in comments, binary blobs, etc). If you don't have a very robust credential scanner operating continuously, and you have a large organization, you probably have active credentials hidden in your private repos.
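As an added illustration of the two comments above (sloppy pushes to private repos, and credentials buried in history), not code from the thread or from any of the tools mentioned: a minimal scanner that walks every blob reachable in a local clone's history, including files since deleted, and reports lines matching a few well-known credential formats. The pattern set is a hypothetical illustrative subset, the sample lines are constructed, and `git` is assumed to be on PATH.

```python
import re
import subprocess

# Hypothetical, illustrative subset of credential formats; real scanners ship hundreds.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}

# Constructed sample standing in for lines that end up in a repo's history.
SAMPLE = """\
db_password = "hunter2-but-longer"
AWS_KEY=AKIAIOSFODNN7EXAMPLE
token = ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
-----BEGIN OPENSSH PRIVATE KEY-----
print("hello")
"""

def scan_text(text, source="<text>"):
    """Return (source, pattern_name, line_no) for each line matching a pattern."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((source, name, line_no))
    return hits

def iter_history_blobs(repo):
    """Yield (sha:path, content) for every blob reachable from any ref, so a
    secret that was committed and later deleted is still found."""
    git = ["git", "-C", repo]
    run = lambda args, **kw: subprocess.run(git + args, capture_output=True, text=True, **kw).stdout
    # rev-list prints "<sha> <path>" for trees and blobs; commit lines carry no path.
    listing = run(["rev-list", "--all", "--objects"], check=True)
    paths = dict(line.split(" ", 1) for line in listing.splitlines() if " " in line)
    types = run(["cat-file", "--batch-check"], input="\n".join(paths) + "\n", check=True)
    for line in types.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "blob":
            yield f"{parts[0][:12]}:{paths[parts[0]]}", run(["cat-file", "-p", parts[0]], errors="replace")

def scan_repo(repo):
    """Scan the whole history of a local clone; pass the path to the repo."""
    return [hit for src, content in iter_history_blobs(repo) for hit in scan_text(content, src)]

if __name__ == "__main__":
    import sys
    for hit in (scan_repo(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")):
        print(hit)
```

Run with no arguments to scan the constructed sample, or pass a clone path to walk its full history; each hit names the blob and path, so the commit that introduced it can be found with `git log --all --find-object=<sha>`.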
Not sure if anyone knows, but if you use AWS, you can actually create your own repository there for your organization. It doesn't have the GitHub UI or features like issues, but it should be going in the right direction, where your organization owns your private repos.
Having your repo in Amazon's cloud instead of Microsoft's cloud doesn't mean that you "own" it to a greater degree, does it? It's just a different company holding the keys for you.
GitHub reliability is not high enough to support the way people are using it. The administration of the site is not predictable enough, the site has frequent downtime, and there are security issues.
jug|5 years ago
giancarlostoro|5 years ago
sproketboy|5 years ago
[deleted]
searchableguy|5 years ago
ytch|5 years ago
I guess they have internal Git servers, since they develop VFS for Git[1] to handle large amounts of files in git, but IIRC GitHub doesn't support it yet.
[1] https://vfsforgit.org/
ddlutz|5 years ago
buildbot|5 years ago
oldmanhorton|5 years ago
badRNG|5 years ago
oplav|5 years ago
manigandham|5 years ago
whymauri|5 years ago
afrcnc|5 years ago
That's not how "leaks" and "hacked" work, the last time I checked.
rvz|5 years ago
[0] https://news.ycombinator.com/item?id=23057769
[1] https://news.ycombinator.com/item?id=22960579
[2] https://news.ycombinator.com/item?id=22868406
[3] https://news.ycombinator.com/item?id=23089999
lucideer|5 years ago
bithaze|5 years ago
nova22033|5 years ago
What makes you think you can do a better job than Microsoft or github?
vorpalhex|5 years ago
nrmitchi|5 years ago
ahupp|5 years ago
lern_too_spel|5 years ago
How do we have a concrete answer if this is not true?
Drip33|5 years ago
It happened to Cisco as well a while back, I have a copy of that source somewhere.
ksec|5 years ago
pyramid07|5 years ago
FanaHOVA|5 years ago
dependenttypes|5 years ago
naringas|5 years ago
Regardless, I agree.
6c696e7578|5 years ago
Or, in other words, if you want to keep something private, don't put it in the "cloud"!
capableweb|5 years ago
binarysneaker|5 years ago
lcfcjs2|5 years ago
[deleted]
tomxor|5 years ago
factorialboy|5 years ago
orta|5 years ago
Havoc|5 years ago
peterwwillis|5 years ago
unknown|5 years ago
[deleted]
rafaelreinert|5 years ago
westoque|5 years ago
colonwqbang|5 years ago
babycake|5 years ago
kats|5 years ago
scared2|5 years ago
angel_j|5 years ago
eugenekolo|5 years ago
wp381640|5 years ago
hellozebi|5 years ago
[deleted]
dgentile|5 years ago