saltypal | 4 months ago

Putting myself in Arko’s shoes, I can imagine (charitably!) the following choice, realizing that I still have access and shouldn’t:

1. Try to get in touch, quickly, with someone with the power to fix it and explain what needs to be rotated.

2. Absent 1, especially if it cannot be done quickly, rotate the credentials personally to get them back to a controlled state (by someone who actually understands the security implications) with the intent to hand them off. Especially if you still _think_ of yourself as responsible for the infrastructure, this is a no-brainer compared to letting anyone else who might be in the same “should have lost access but didn’t, due to negligence” maintain access.

Not a legal defense, but let’s not be too hasty to judge.

saltypal | 4 months ago

I hadn't yet seen it when I wrote this, but 2 is pretty much exactly what Arko says:

> Worried about the possibility of hacked accounts or some sort of social engineering, I took action as the primary on-call engineer to lock down the AWS account and prevent any actions by possible attackers.

https://andre.arko.net/2025/10/09/the-rubygems-security-inci...