After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents went public caused by missing containment actions:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

I Started With Nix, NixOS, Home Manager and Flakes


@publicvoit While I agree with you, there are issues, I worry that your framing is flirting with baseless conspiracies as you seem to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone we are consuming packages of to migrate somewhere else.

Either case, I think this is kinda FUD…

@raito I can't follow your accusation.

The facts show that Microsoft got compromised since at least 2021-04.

There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised.

Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all.

As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.
1/2

@publicvoit

You are jumping from MSFT got compromised at time T to MSFT is still compromised and all GH repos are compromised with full capabilities for attackers. This is one of my accusations.

> As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.

Assuming this without proof is, to be honest, conspiracy.
I don't like Microsoft either, but this is ridiculous.

@raito The bad actors had years of more or less full access to MS infrastructure.

Actors that can pull off such an attack are perfectly well aware of what to do so that they keep access when the original attack vector is not available any more.

This is standard procedure for each intrusion attack.

Furthermore, in such a situation, the original bad actors can provide any sort of access to interested parties.

Yes, it's hard to digest but that's absolutely standard IT sec reasoning.

@raito Furthermore, it's not just me who tries to explain the implications. Please read other sources that quote various security experts and how they judge the impact of this incident.

Assuming that nothing happened to GH is understandable from a project's point of view (effort! trust!) but nothing more than wishful thinking without any proof.

In IT sec, you always(!) assume the worst case just because of that. You can never be sure otherwise.

@publicvoit @raito Does NixOS not independently sign its updates and use checksums of the aggregate repo contents (not trusting git's mostly sha1-only setup) like Guix?

If it does those two things, there's very little a malicious host could do other than denial of service.

If it doesn't then uh yeah, it's broken and really should fix that post haste.
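To make the checksum half of that question concrete, here is an added example (not NixOS's or Guix's code) that models a flake.lock entry in Python and shows why a content pin leaves a compromised host with nothing but denial of service. The owner, rev and tarball bytes are constructed, and the raw bytes stand in for Nix's NAR serialization.

```python
import base64
import hashlib
import json

# Simplification (assumption): a flake input is modelled as the raw bytes of one
# archive. Real Nix hashes the NAR serialization of the unpacked tree and a real
# flake.lock carries more fields, but the verification logic is the same.

def sri_sha256(data: bytes) -> str:
    """Return the hash in the SRI form Nix uses for narHash ("sha256-<base64>")."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

def pin_input(owner: str, repo: str, rev: str, data: bytes) -> dict:
    """Build a flake.lock-style entry, recording the content hash at lock time."""
    return {
        "locked": {
            "type": "github", "owner": owner, "repo": repo,
            "rev": rev,                   # git commit id (SHA-1), informational only
            "narHash": sri_sha256(data),  # SHA-256 pin the host cannot change
        }
    }

def verify_input(entry: dict, fetched: bytes) -> bool:
    """Accept fetched bytes only if they match the pinned narHash.

    The git rev is deliberately not trusted for integrity: SHA-1 and the host's
    ref bookkeeping are both under the host's control; the SHA-256 pin is not.
    """
    return sri_sha256(fetched) == entry["locked"]["narHash"]

# Constructed sample: the archive as fetched when the lock file was written.
ORIGINAL = b'pkgs/hello/default.nix { version = "2.12"; }\n'
PLACEHOLDER_REV = "0" * 40  # constructed, not a real nixpkgs commit
LOCK = {"nodes": {"nixpkgs": pin_input("NixOS", "nixpkgs", PLACEHOLDER_REV, ORIGINAL)}}

if __name__ == "__main__":
    entry = LOCK["nodes"]["nixpkgs"]
    print(json.dumps(LOCK, indent=2))
    # A host that serves different content under the same rev is caught.
    tampered = ORIGINAL.replace(b"2.12", b"2.12-modified")
    print("original accepted:", verify_input(entry, ORIGINAL))
    print("tampered accepted:", verify_input(entry, tampered))
```

The signing half (a release signature over the whole lock file) is what prevents the pin itself from being swapped; without it, the host could simply serve a different flake.lock.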

@publicvoit @raito One thing GitHub may have going for it is that it's still descended from the pre-acquisition infrastructure. It has now been tightly integrated into Microsoft though, and I assume much of it is hosted on Azure. But they still use e.g. Ruby and MySQL because that's what it was built with to begin with. Much as Hotmail continued to run on UNIX for a long time after Microsoft first bought it.