Karl Voit  Sep 29, 2023

After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents went public caused by missing containment actions:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Show threadKarl Voit  Sep 29, 2023

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

I Started With Nix, NixOS, Home Manager and Flakes

I Started With Nix, NixOS, Home Manager and Flakes

public voit - Web-page of Karl Voit
Show threadAlexander Sosedkin Sep 29, 2023
@publicvoit

> For example, when GitHub would be out of business or the service is down for some other reason, NixOS would probably be dead. Its main repositories are on GitHub and there is no obvious fall-back concept to other repositories hosted on different services.

This is just plain false. Flakes and channels can point anywhere; the only thing that'd need special care to move is the registry repo that points to all the other repos.
Show threadKarl Voit  Sep 29, 2023
@monk Yes. And at least in my case, they all point to GitHub.
Show threadAlexander Sosedkin Sep 29, 2023
@publicvoit my point is, you can point them anywhere, just find a suitable hosting
Show threadKarl Voit  Sep 29, 2023

@monk And my point is: all defaults of the NixOS installer are pointing to a hacked platform where anything could be manipulated already.

Copying a tainted dataset still results in a tainted dataset, independent of the trustworthiness of a different hoster.

Show threadAlexander Sosedkin 
@publicvoit OK, so, take the last commit before the compromise, move it somewhere, replay history, update registry, update default registry URL, rebuild installation media. All the technical stuff is already there, about as ready as it could possibly be, so it's mainly the question of convincing the community that all of that is actually necessary.
Sep 29, 2023 at 3:13pmWeb
Show threadKarl Voit  Sep 29, 2023

@monk So, yes. Let's trust Microsoft once more and delete everything since 2021-04. 😜

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/

#NixOS

Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center

Results of Major Technical Investigations for Storm-0558 Key Acquisition