undefined | Better HN

0 pointshnarn7y ago0 comments

> Wouldn't that that imply every secret accidentally committed and then 'deleted' is still accessible

This should be a moot point because anyone (in IT) should realize that an accidentally committed secret is now 100% public for all eternity and needs to be rendered irrelevant to restore secure operations.

0 comments

20 comments · 2 top-level

soulofmischief7y ago· 11 in thread

Security isn't rendered in absolutes. We have to assume some sheepish new employee somewhere is scared of approaching management about a mistake they made committing a secret, so they reverse the commit and pretend nothing ever happened.

We have to try and mitigate damage from lapses in communication and protocol like that.

trickstra7y ago

Math and cryptography don't care about a sheepish new employee (thankfully). The fact that leaked secrets will cause trouble is not mitigated by git forgetting a deleted commit. It is only mitigated by revoking that secret and creating a new one and not leaking it. So if a sheepish new employee fails to revoke them, why blame git or any other system? We have contracts, insurance and then criminal code for people who fail to follow protocols.

geofft7y ago

> So if a sheepish new employee fails to revoke them, why blame git or any other system? We have contracts, insurance and then criminal code for people who fail to follow protocols.

Because you won't know that a protocol isn't being followed. Your contracts, insurance, and criminal code won't cause you to realize that an employee caused an infosec incident if they don't tell you (and neither will your math and cryptography). And the more you threaten use of the criminal code, the less likely people are to admit that they made a mistake.

You can either build defense in depth (e.g., regular secret rotation, policies on use of GitHub in the first place or better yet automation that only pushes publicly after internal review, DLP via a corporate MITM, segregating your open source dev from your secret dev, etc.) or you can let your single defense get breached and have no idea.

asdfasgasdgasdg7y ago

The criminal code? I doubt there's anything in there that criminalizes a failure to follow an employer's secret revocation policies.

1 more reply

soulofmischief7y ago

No need for any git-blame, the blame lies in GitHub not making this feature optional and more known. So well known that a noobish employee is aware of it, so that they do not feel like they are "safe" and no longer need to alert management about their error.

Contracts, insurance and criminal code are responsive measures, not preventative measures. Security is preventative, not responsive.

1 more reply

iakh7y ago

In either case, the secret is already out whether the user wants to admit to it or not

soulofmischief7y ago

But in one case, damage is mitigated because the sys admins didn't assume everyone is infallible and strictly adheres to protocol.

2 more replies

JeremyBanks7y ago

I agree with the general statement about security absolutism (it's often very dumb and irrational), but in ths case in particular, most keys are swept from GitHub within seconds of being pushed, so the additional harm of not pruning those commits is very low. Data loss concerns are probably a much larger source of harm to weigh against it.

soulofmischief7y ago

Well now I would say that I'm not interested in most keys, and I am interested in figuring out how to mitigate damage from the rest of them. You only need one key to get inside.

99% coverage is not good enough from a security standpoint, not when we can achieve 100%.

Simply, this functionality should be transparent and toggleable.

1 more reply

paulddraper7y ago

Yes and this is why Github handicapped their search so much.

But at the end of the day, any secret you post publicly is compromised.

manigandham7y ago

That's a very poor reason to not have good searching functionality considering the uses far outweighs the potential risk. I highly doubt it's the case.

1 more reply

soulofmischief7y ago

Thankfully the guys over at Sourcegraph feel differently about how searchable projects should be.

bostik7y ago· 7 in thread

And a hundred times so for any public repos. There are bots feeding on the GitHub firehose, scavenging for accidentally committed credentials.

A few years back (2015 or so) the average time from push-to-repo to AWS account compromise was 6 minutes. Surely that time has only gone down, and the number of different credentials identified has gone up.

username2237y ago

> the average time from push-to-repo to AWS account compromise was 6 minutes.

Wow, I didn't realize it had become so efficient, but I shouldn't be surprised. I never really understood the value in hosting non-public software in the public, and if it's open source, it shouldn't be getting anywhere near secrets that can be used to extract money from its developers.

I remember thinking, back when it became trendy for people to upload their personal dotfiles to Github, that it would be a source of endless suffering. Who knows what information you're leaking in your ".profile" or ".bashrc"? Is that risk justified by the dubious benefit of storing your dotfiles on the internet for everyone to see, forever?

tjr2257y ago

I had accidentally pushed an AWS credential out a month or two ago- within about a minute and a half AWS had disabled the IAM user, and automatically emailed me(as well as my entire org- how embarrassing!)- when we were going through the access logs it looked like it had taken only a minute and a half longer for some other, presumably malicious, system to attempt to access my compromised user. Probably between 2 or 3 minutes total. I'm not a huge Amazon fan but props to AWS for saving my butt.

1 more reply

weinzierl7y ago

> A few years back (2015 or so) the average time from push-to-repo to AWS account compromise was 6 minutes. Surely that time has only gone down, and the number of different credentials identified has gone up.

I don't doubt that a second and I'd like to use that as a quote. I'd like to be prepared if someone doubts it, so: Do you have a primary source for this?

kelnage7y ago

This paper may be relevant to your interests: https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...

scraptor7y ago

Blog post summary: https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...

Source if blog is unavailable: https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd...

bostik7y ago

I'll need to find the talk I lifted it from. Not easy... but looks like downthread a sibling comment gives a relatively decent update about the current speed of compromise.

1 more reply

frandroid7y ago

I thought that AWS nowadays is also feeding at the firehose and auto-disabling any of its keys it could find in a commit?

j / k navigate · click thread line to collapse

0 comments

20 comments · 2 top-level

soulofmischief7y ago· 11 in thread

We have to try and mitigate damage from lapses in communication and protocol like that.

trickstra7y ago

geofft7y ago

> So if a sheepish new employee fails to revoke them, why blame git or any other system? We have contracts, insurance and then criminal code for people who fail to follow protocols.

asdfasgasdgasdg7y ago

The criminal code? I doubt there's anything in there that criminalizes a failure to follow an employer's secret revocation policies.

1 more reply

soulofmischief7y ago

Contracts, insurance and criminal code are responsive measures, not preventative measures. Security is preventative, not responsive.

1 more reply

iakh7y ago

In either case, the secret is already out whether the user wants to admit to it or not

soulofmischief7y ago

But in one case, damage is mitigated because the sys admins didn't assume everyone is infallible and strictly adheres to protocol.

2 more replies

JeremyBanks7y ago

soulofmischief7y ago

Well now I would say that I'm not interested in most keys, and I am interested in figuring out how to mitigate damage from the rest of them. You only need one key to get inside.

99% coverage is not good enough from a security standpoint, not when we can achieve 100%.

Simply, this functionality should be transparent and toggleable.

1 more reply

paulddraper7y ago

Yes and this is why Github handicapped their search so much.

But at the end of the day, any secret you post publicly is compromised.

manigandham7y ago

That's a very poor reason to not have good searching functionality considering the uses far outweighs the potential risk. I highly doubt it's the case.

1 more reply

soulofmischief7y ago

Thankfully the guys over at Sourcegraph feel differently about how searchable projects should be.

bostik7y ago· 7 in thread

And a hundred times so for any public repos. There are bots feeding on the GitHub firehose, scavenging for accidentally committed credentials.

username2237y ago

> the average time from push-to-repo to AWS account compromise was 6 minutes.

tjr2257y ago

1 more reply

weinzierl7y ago

I don't doubt that a second and I'd like to use that as a quote. I'd like to be prepared if someone doubts it, so: Do you have a primary source for this?

kelnage7y ago

This paper may be relevant to your interests: https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...

scraptor7y ago

Blog post summary: https://blog.acolyer.org/2019/04/08/how-bad-can-it-git-chara...

Source if blog is unavailable: https://www.ndss-symposium.org/wp-content/uploads/2019/02/nd...

bostik7y ago

I'll need to find the talk I lifted it from. Not easy... but looks like downthread a sibling comment gives a relatively decent update about the current speed of compromise.

1 more reply

frandroid7y ago

I thought that AWS nowadays is also feeding at the firehose and auto-disabling any of its keys it could find in a commit?

j / k navigate · click thread line to collapse