After basically the whole #Microsoft #Azure cloud was hacked (see the list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents caused by missing containment actions went public:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

I Started With Nix, NixOS, Home Manager and Flakes

> For example, when GitHub would be out of business or the service is down for some other reason, NixOS would probably be dead. Its main repositories are on GitHub and there is no obvious fall-back concept to other repositories hosted on different services.

This is just plain false. Flakes and channels can point anywhere; the only thing that'd need special care to move is the registry repo that points to all the other repos.
@monk Yes. And at least in my case, they all point to GitHub.
@publicvoit my point is, you can point them anywhere, just find a suitable hosting

@monk And my point is: all defaults of the NixOS installer are pointing to a hacked platform where anything could be manipulated already.

Copying a tainted dataset still results in a tainted dataset, independent of the trustworthiness of a different hoster.

@publicvoit OK, so, take the last commit before the compromise, move it somewhere, replay history, update registry, update default registry URL, rebuild installation media. All the technical stuff is already there, about as ready as it could possibly be, so it's mainly the question of convincing the community that all of that is actually necessary.

@monk So, yes. Let's trust Microsoft once more and delete everything since 2021-04. 😜

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

#NixOS

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Could Microsoft master key hack impact Nix via Github?

Interesting discussion here about the possible implication of MS’s recent master key hack on GitHub’s security. Speculation that any repo on Github could now be compromised too, including nixpkgs. Any thoughts on this?

NixOS Discourse

@monk @publicvoit I can understand why someone would say it, though. By default, the flakes registries and the previous channels both point to GitHub URLs. They don’t have to, but it’s not obvious that they could be different.

Two big things I would worry about if GitHub became unusable for any reason: 1) nixpkgs is friggen’ huge, in terms of size and activity, so picking a forge successor must be done carefully. 2) issues and PRs are hard to migrate.

@monk @publicvoit none of these problems are actually specific to GitHub, I think. It’s just what Nix uses currently. Communicating the change when necessary takes the same amount of work regardless of the host. Maybe the issues/PRs migration can be easier with better tooling elsewhere.

A disaster plan sounds like a good idea. I hope someone has one, but I haven’t heard of it.
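As an added example (not code from any of the posters or from the Nix project), here is a small audit of a flake.lock that shows which forge each input of a system actually resolves to, and whether the input is locked to both a commit and a content hash (narHash), which is what lets the data be re-verified after it is moved to another host. The lock file contents, the mirror host git.example.org and the revs/hashes are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed flake.lock excerpt (not from any real system): one input on
# GitHub (the installer default) and one on a self-hosted git mirror.
SAMPLE_LOCK = json.dumps({
    "version": 7, "root": "root",
    "nodes": {
        "root": {"inputs": {"nixpkgs": "nixpkgs", "home-manager": "home-manager"}},
        "nixpkgs": {
            "original": {"type": "github", "owner": "NixOS", "repo": "nixpkgs", "ref": "nixos-23.05"},
            "locked": {"type": "github", "owner": "NixOS", "repo": "nixpkgs",
                       "rev": "0000000000000000000000000000000000000000",  # placeholder rev
                       "narHash": "sha256-PLACEHOLDER="},                  # placeholder hash
        },
        "home-manager": {
            "original": {"type": "git", "url": "https://git.example.org/mirrors/home-manager"},
            "locked": {"type": "git", "url": "https://git.example.org/mirrors/home-manager",
                       "rev": "1111111111111111111111111111111111111111"},  # no narHash locked
        },
    },
})

def input_host(locked: dict) -> str:
    """Return the forge host a locked flake input resolves to."""
    t = locked.get("type")
    if t == "github":
        return locked.get("host", "github.com")       # "host" only set for GitHub Enterprise
    if t == "gitlab":
        return locked.get("host", "gitlab.com")
    if t == "sourcehut":
        return locked.get("host", "git.sr.ht")
    if t in ("git", "tarball", "hg"):
        return urlparse(locked.get("url", "")).hostname or "unknown"
    if t == "path":
        return "local"
    return "unknown"

def audit_flake_lock(lock_json: str) -> dict:
    """Map each root input to (host, pinned); pinned means rev + narHash are both locked."""
    lock = json.loads(lock_json)
    nodes = lock["nodes"]
    report = {}
    for name, node_key in nodes[lock["root"]].get("inputs", {}).items():
        if not isinstance(node_key, str):
            continue  # a list here is a "follows" reference, resolved via another input
        locked = nodes[node_key].get("locked", {})
        pinned = "narHash" in locked and ("rev" in locked or locked.get("type") in ("tarball", "path"))
        report[name] = (input_host(locked), pinned)
    return report

def github_dependencies(lock_json: str) -> list:
    """Names of inputs that still resolve to github.com, sorted."""
    return sorted(n for n, (h, _) in audit_flake_lock(lock_json).items() if h == "github.com")
```

Running `audit_flake_lock` over a real `flake.lock` answers the question raised in the thread for one's own machine: which inputs point at GitHub, and which ones could not be verified by hash if they were re-hosted.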