After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents, caused by missing containment actions, went public:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity


@publicvoit While I agree with you that there are issues, I worry that your framing is flirting with baseless conspiracies, as you seem to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone whose packages we consume to migrate somewhere else.

In either case, I think this is kinda FUD…

@raito 2/2

Yes, there is no proof or indication that anything happened to any GH repository yet. 👍

However, in IT security, you don't rely on lucky guesses. A compromised network is still a compromised network and needs to be restarted from a clean status.

It doesn't look like MS is going to set up major parts of their infrastructure to introduce trustworthy hosts again.

So where's the FUD in terms of reasoning?

@publicvoit

> So where's the FUD in terms of reasoning?

> It *doesn't look like* MS is going to set up major parts of their infrastructure to introduce trustworthy hosts again.

I think you answered yourself very well.

In IT security, lucky guesses are not primitives to build threat models. Hypotheses, assumptions, economics, politics, technical measures and careful analyses are.

What you are doing is just lucky guessing that MSFT didn't do any form of "reasonable" due diligence.

@raito After years of having a (potential) state actor in the back-end of MS, I'd be very interested in your assumptions that they really did not perform lateral movements and expand to linked networks.

No tech measures can mitigate or contain such an attack that lasted for so long in retrospect.

From a political/economic perspective, we agree. We see what the economic decisions were already.

But that is strongly orthogonal to IT sec reasoning. Trade-offs won, as usual. But no proof.

@publicvoit But then, assuming the level of catastrophe you are describing.

What value is there in using a modern computer? NixOS/Nix is not the only thing affected. systemd is in GitHub, systemd developers are from Microsoft, etc, etc.

What is the usable advice we can get out of your whistleblowing?

@raito I'm not a whistleblower at all! I just quoted articles published by MS & independent sources.

I never said that we should stop using NixOS, systemd, ...

We just need to be aware that there is no such thing as a trustworthy cloud infrastructure, most probably anywhere, except where you deal with it yourself to some degree.

All projects that rely on a potentially compromised infrastructure need to invest in mitigation measures against malicious infrastructure, which hasn't been discussed so far AFAIK.

@publicvoit

> I never said that we should stop using NixOS, systemd, ...

> We just need to be aware that there is no such thing as a trustworthy cloud infrastructure, most probably anywhere, except where you deal with it yourself to some degree.

Right, but what you are saying is that NixOS is particularly reliant on GitHub whereas *everyone* is reliant on GitHub so…