This blog post seemed very normal until I hit this bit

GITHUB ACCIDENTALLY POSTED THEIR PRIVATE KEYS TO GITHUB

THERE IS LITERALLY NO ONE ON EARTH ABLE TO USE THIS PROGRAM SAFELY

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

We updated our RSA SSH host key

At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com.

The GitHub Blog

@mcc

What psychopath capitalizes it "GitHub?"

@Tathar …Github does. The linked article was posted by Github, and Github spells Github "GitHub"

@mcc

"my name is GitHub, and I write 'GitHub' as 'GitHub'"

😜

@Tathar

@mcc They really buried the lede there.
Obvious ploy to cover their assets legally or something, maybe?

@mcc Which program? Git or SSH?

@mcc As far as I can see after skimming over this, they just lost the SSH server key. Which is stored on first contact, and remembered (most admins don’t even save/backup them). It is not good to lose these, but mostly an inconvenience: now you have to talk to them again, make sure you get a warning, remove the old key, let SSH save the new key, on all your machines/accounts 😩, done. The important thing is you need to know you have to expect the error message.
Am I overlooking something?
@ketchup71 @mcc yeah it's the one used for git+ssh so just about every developer who uses github has to update their known hosts.

@nickzoic Yes, this sucks. But it is not much different from when every developer had to register the key in the first place. 🤷‍♂️😃
I think the most annoying thing is that many devs will be unaware of the situation, and probably be surprised. Might lead to some confusion.
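The "remove the old key, let SSH save the new key" step above, done on a known_hosts file as an added example (this is not code from the thread or from GitHub). The real-world commands are in the header comment; the functions below do the same file surgery with awk only so they run offline. The known_hosts content, hostnames other than github.com, and every key blob are constructed and fake; the function names are this example's own.

```shell
#!/bin/sh
# Rotate one host key in an OpenSSH known_hosts file, the chore every
# GitHub user had after the RSA host-key replacement. Added example.
#
# Real-world equivalent with OpenSSH tools (not executed here):
#   ssh-keygen -R github.com                    # drop every old entry, hashed ones included
#   ssh-keyscan -t rsa github.com > /tmp/gh.pub # fetch the new RSA key
#   ssh-keygen -lf /tmp/gh.pub                  # compare with the fingerprint GitHub published
#   cat /tmp/gh.pub >> ~/.ssh/known_hosts       # only after the fingerprint matched

# count_host_keys FILE HOST KEYTYPE : print how many plain (unhashed) entries
# for HOST with KEYTYPE the file contains.
count_host_keys() {
  awk -v host="$2" -v keytype="$3" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      f = ($1 ~ /^@/) ? 2 : 1          # "@cert-authority" / "@revoked" marker shifts fields
      if ($f ~ /^\|1\|/) next           # hashed entry: hostname not matchable here
      n = split($f, hosts, ",")
      for (i = 1; i <= n; i++)
        if (hosts[i] == host && $(f + 1) == keytype) { c++; break }
    }
    END { print c + 0 }' "$1"
}

# rotate_known_host FILE HOST KEYTYPE NEWLINE
#   Removes every plain entry for HOST whose type is KEYTYPE (other key types,
#   e.g. ssh-ed25519, are kept, just as only the RSA key was rotated) and
#   appends NEWLINE, which the caller must already have verified out of band.
#   A line listing several hosts (github.com,140.82.112.3) is dropped whole.
rotate_known_host() {
  [ $# -eq 4 ] || { echo 'usage: rotate_known_host FILE HOST KEYTYPE NEWLINE' >&2; return 2; }
  file=$1 host=$2 keytype=$3 newline=$4
  case "$newline" in
    *" $keytype "*) ;;
    *) echo "new entry is not a $keytype key" >&2; return 2 ;;
  esac
  tmp="$file.tmp.$$"
  awk -v host="$host" -v keytype="$keytype" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
    {
      f = ($1 ~ /^@/) ? 2 : 1
      if ($f ~ /^\|1\|/) { hashed++; print; next }   # hashed entries are left for ssh-keygen -R
      hit = 0
      n = split($f, hosts, ",")
      for (i = 1; i <= n; i++) if (hosts[i] == host) hit = 1
      if (hit && $(f + 1) == keytype) { removed++; next }   # drop the old key line
      print
    }
    END {
      if (hashed) printf "note: %d hashed entries untouched; use ssh-keygen -R for those\n", hashed > "/dev/stderr"
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  printf '%s\n' "$newline" >> "$tmp"
  mv "$tmp" "$file"
}

# Demo on a constructed known_hosts file (all key blobs below are fake).
kh=$(mktemp)
cat > "$kh" <<'EOF'
# constructed example file, not a real known_hosts
github.com,140.82.112.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQfakeOLDrsaBLOB
github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakeED25519BLOB
gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQfakeGITLABrsaBLOB
|1|fakeSALT=|fakeHASH= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQfakeHASHEDBLOB
EOF
rotate_known_host "$kh" github.com ssh-rsa \
  'github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQfakeNEWrsaBLOB'
echo "github.com ssh-rsa entries now: $(count_host_keys "$kh" github.com ssh-rsa)"
cat "$kh"
rm -f "$kh"
```

The one thing the script cannot do is the part that matters for security: deciding whether NEWLINE is genuine. That comparison of `ssh-keygen -lf` output against the fingerprint GitHub published is a human step, and skipping it turns a key rotation into blind trust of whatever answered on port 22.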
@mcc the blog post doesn’t explain how they noticed that the key had been exposed. GitHub has automatic secret detection in repositories, and it’s not wild to assume that this is how the leak was discovered. In a way, I count this as a win: a mistake was quickly identified and corrective actions taken. It’s very hard to build systems that never accept a mistake, but it’s less hard to build ones that can cope with mistakes. (Unrelated: why can’t I add paragraphs in the mobile app? Apologies for the wall of text)
@thiagocsf Note they do not disclose when the breach occurred or how long the "brief" period of exposure was. We do not know for a fact that either the identification or the corrective action was performed quickly.
@mcc good point; I made optimistic assumptions. We are expanding on related capabilities at work, so at least it’s in the realm of short-term possibilities.
@mcc What, and I ask this will all due gravity, the candy-coated chocolate-dipped sprinkles-on-top F***?

@mcc I don't think there's any particular version control system you cannot commit arbitrary files to.

This only tells us their devs cannot into environment compartmentalization & isolation.

@lispi314 @mcc Git absolutely isn't at fault here. The system that allowed any individual employee to even have access to that key is what was at fault.
@dalias @mcc There's a reason such secrets usually use dedicated secret management systems like Vault, which incidentally happens to support both SSH & SSH Certificates.
@mcc at this point "posting private keys to GitHub" is just something teenagers do on a dare
@mcc yup, nobody can be perfect all the time. It’s a problem when a system demands that all users perform their tasks carefully at all times — just too many opportunities for failure.
Bitcoin core developer loses 216 BTC to 'PGP compromise'

Bitcoin core developer Luke Dashjr said he lost "basically" all his BTC stash to the compromise of his PGP (Pretty Good Privacy) key.

CryptoSlate
@mcc Looks like GitHub got hacked at the same time LTT did. I guess no one is safe anymore...

cc @gabriel @kirbyV2
@[email protected]
I told you, the quantum computers are being let loose.
The Cyberpandemic ™️ is here.
But don't worry! Behold a white horse coming to the rescue.
Odds are we'll see more pushes for biometric "attested" digital IDs to authenticate online interactions.
@[email protected]
Post-quantum crypto should be free, so we’re including it for free, forever

Cloudflare makes the most advanced cryptography free for everyone, and it’s in beta today

The Cloudflare Blog
@gabriel @kirbyV2 Wait, all the data centers were in Northern Virginia this whole time?
@mcc I'd argue the real issue is that someone had access to that key at all - why's it on someone's computer, in a repository, and not in some kind of encrypted vault with keys elsewhere, only accessible by the deployment infrastructure?
Any organization that relies for its security on its users following procedures has held itself to ransom by its laziest, stupidest, or most disaffected/malicious user. @mcc @sbi
@mcc wait, which program? SSH? Git? GitHub?
@mcc oh, is this what they meant by “how github uses github to build github?
@mcc
Leaked keys are more common than you might think, and the cost of changing all the keys is so prohibitive that companies often just pretend it didn't happen. https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/
Samsung’s Android app-signing key has leaked, is being used to sign malware

The cryptographic key proves an update is legit, assuming your OEM doesn't lose it.

Ars Technica
@mcc for a minute I wondered which program can nobody use safely, git or SSH? Then I realized it works pretty well either way
@mcc My mind boggles at the workflow that puts ssh keys anywhere close to a publishable sccs directory.
@mcc so THAT'S why i got the known hosts warning! incredible. name a more iconic duo than programmers and checking sensitive data into source control.
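The "checking sensitive data into source control" failure the last two posts joke about (and the automatic secret detection mentioned earlier in the thread) has a cheap local counterpart: a pre-commit hook that refuses to stage private-key material. This is an added example, not GitHub's secret scanner and not anything from the thread. The `git diff --cached` / `git show :path` commands are real git, but the function names, the PEM/PuTTY header patterns, and the demo files are this example's own, and the demo files contain only headers, no real key.

```shell
#!/bin/sh
# Refuse to commit private-key material. Added example, not GitHub tooling.
# Install as .git/hooks/pre-commit (calling pre_commit_hook), or point
# scan_files at explicit paths.

# looks_like_private_key : reads stdin; returns 0 (true) when it contains a
# PEM / OpenSSH private-key header or a PuTTY .ppk header, 1 otherwise.
# Public keys (ssh-rsa AAAA..., known_hosts lines) do not match, on purpose.
looks_like_private_key() {
  grep -qE -e '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----|^PuTTY-User-Key-File-[0-9]+:'
}

# scan_files FILE... : report every file holding key material; returns 1 if any did.
scan_files() {
  rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    if looks_like_private_key < "$f"; then
      printf 'refusing: %s contains private-key material\n' "$f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# pre_commit_hook : scan the staged blobs (git show :path), not the working
# tree, so a key that was staged and then deleted from disk is still caught.
# Limitation: the word-split loop does not handle paths containing whitespace.
pre_commit_hook() {
  rc=0
  for f in $(git diff --cached --name-only --diff-filter=ACMR); do
    if git show ":$f" | looks_like_private_key; then
      printf 'refusing to commit %s: private-key material\n' "$f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Demo with constructed files (header lines only; nothing here is a real key).
d=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-not-a-real-key' \
  '-----END OPENSSH PRIVATE KEY-----' > "$d/id_rsa"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQfakePUBLICBLOB deploy@example' > "$d/id_rsa.pub"
scan_files "$d/id_rsa" "$d/id_rsa.pub" && echo "clean" || echo "blocked (exit $?)"
rm -rf "$d"
```

A header match is deliberately crude: it catches the common case (a key file dropped into a repo by accident) and nothing else. It does not see base64 blobs pasted into a config, and anyone can bypass a local hook with `--no-verify`, which is why the thread's other point stands: the key should never have been on a developer's machine to begin with.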