After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents went public caused by missing containment actions:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

You Can't Control Your Data in the Cloud

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS.

#security #integrity

I Started With Nix, NixOS, Home Manager and Flakes


@publicvoit While I agree with you, there are issues, I worry that your framing is flirting with baseless conspiracies as you seem to be ignoring that there are many safeguards in place to avoid letting GitHub corrupt the whole project.

Even if we didn't use GitHub, you have to understand that NixOS / Nixpkgs cannot force anyone we are consuming packages of to migrate somewhere else.

In either case, I think this is kinda FUD…

@raito I can't follow your accusation.

The facts show that Microsoft got compromised since at least 2021-04.

There is no claim by MS I know of that GH is completely separated from MS infrastructure that got compromised.

Current NixOS setups are pulling from GitHub which belongs to Microsoft. Yes, this can be changed but that's not the point here at all.

As far as I know, you can't protect yourself from a bad actor that has more or less full access to the GH infrastructure and backends.
1/2

@publicvoit @raito Does NixOS not independently sign its updates and use checksums of the aggregate repo contents (not trusting git's mostly sha1-only setup) like Guix?

If it does those two things, there's very little a malicious host could do other than denial of service.

If it doesn't then uh yeah, it's broken and really should fix that post haste.
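
The checksum half of the question in the last post, as an added example that is not from any participant in the thread and is not NixOS or Guix code: a client accepts host-supplied content only if a SHA-256 digest over the whole file tree matches a pin obtained independently of the host. The serialization, function names and sample files are assumptions constructed for illustration; how the pin itself is authenticated (the signing half) is out of scope here.

```python
import base64
import hashlib
import hmac
from typing import Optional


def tree_digest(files: dict) -> str:
    """SRI-style SHA-256 over a canonical serialization of a file tree.

    Simplified stand-in for an aggregate content hash of a checkout;
    this is NOT the serialization Nix or Guix actually use.
    """
    h = hashlib.sha256()
    for path in sorted(files):          # order must not depend on the host
        name = path.encode("utf-8")
        data = files[path]
        # Length-prefix both fields so bytes cannot be shifted between
        # a file name and its content without changing the digest.
        h.update(len(name).to_bytes(8, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return "sha256-" + base64.b64encode(h.digest()).decode("ascii")


def verify_fetch(files: Optional[dict], pinned: str) -> bool:
    """Accept content from an untrusted host only if it matches the pin."""
    if files is None:
        # Host withheld the content: a denial of service, nothing worse.
        return False
    return hmac.compare_digest(tree_digest(files), pinned)


# Constructed sample data: the tree that was reviewed and pinned.
REVIEWED = {
    "default.nix": b"{ }: { }\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
PIN = tree_digest(REVIEWED)  # assumed to reach the client out of band

# Constructed responses from a host that may be compromised.
HONEST = dict(REVIEWED)
TAMPERED = dict(REVIEWED, **{"src/main.c": b"int main(void) { return 1; }\n"})
EXTRA_FILE = dict(REVIEWED, **{"postinstall.sh": b"#!/bin/sh\n"})

if __name__ == "__main__":
    for label, tree in [("honest", HONEST), ("tampered", TAMPERED),
                        ("extra file", EXTRA_FILE), ("withheld", None)]:
        print(f"{label:10s} accepted={verify_fetch(tree, PIN)}")
```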