Karl Voit  Sep 29, 2023

After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents went public caused by missing containment actions:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Show threadKarl Voit  Sep 29, 2023

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

I Started With Nix, NixOS, Home Manager and Flakes

I Started With Nix, NixOS, Home Manager and Flakes

public voit - Web-page of Karl Voit
Show threadRaito BezariusSep 29, 2023

@publicvoit While I agree with you, there are issues, I worry that your framing is flirting with baseless conspiracies as you seems to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone we are consuming packages of to migrate somewhere else.

Either case, I think this is kinda FUD…

Show threadKarl Voit  Sep 29, 2023

@raito I can't follow your accusation.

The facts show that Microsoft got compromised since at least 2021-04.

There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised.

Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all.

As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.
1/2

Show threadRaito BezariusSep 29, 2023

@publicvoit

You are jumping from MSFT got compromised at time T to MSFT is still compromised and all GH repos are compromised with full capabilities for attackers. This is one of my accusation.

> As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.

Assuming this without proof is, to be honest, conspiracy.
I don't like Microsoft neither, but this is ridiculous.

Show threadKarl Voit  

@raito The bad actors had years of more or less full access to MS infrastructure.

Actors that can pull off such an attack are perfectly well aware of what to do so that they keep access when the original attack vector is not available any more.

This is standard procedure for each intrusion attack.

Furthermore, in such a situation, the original bad actors can provide any sort of access to interested parties.

Yes, it's hard to digest but that's absolutely standard IT sec reasoning.

Sep 29, 2023 at 9:13pmWeb