Announcement

Collapse
No announcement yet.

PHP's Git Server Compromised, Now Switching To GitHub

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Originally posted by kpedersen View Post

    Other than a certain critical MS Exchange security flaw that has been running rampant for organizations for the last month?

    https://practical365.com/microsoft-i...change-server/

    I think around 5 universities in the UK have been compromised because of this mess. The trick is to not be incompetent and to try to avoid needing the security updates in the first place.
    Originally posted by elatllat View Post

    You don't consider RCE's a likely compromise ?

    eg; CVE-2019-1372
    Which Microsoft own servers or departments have been compromised?

    Comment


    • #12
      Originally posted by uid313 View Post

      Well it is not like they are stuck on GitHub and have vendor-lock in. Git is distributed, so it is just one host, they can easily just migrate to GitLab or some other host if they want to.
      You will note they are also moving to GitHub's authentication and authorization system as part of the move.

      They also mention that now they can merge pull requests from the web interface. Will they also be doing code reviews via the web interface perhaps?

      And of course, they may want to use GitHub's CI and GitHub Issues, because they have such nice integration.

      How's that migration looking now? Not so easy anymore.

      Comment


      • #13
        If they don't know the source of the hack, how can they say it's safer to use GitHub?

        There was a security issue with PHP and nginx a year ago. I wonder if they patched it on their git server...

        Seems they are running nginx 1.10.3 on http://git.php.net - that's a version from 2017..
        Last edited by S.Pam; 29 March 2021, 08:51 AM.

        Comment


        • #14
          Originally posted by uid313 View Post

          Well it is not like they are stuck on GitHub and have vendor-lock in. Git is distributed, so it is just one host, they can easily just migrate to GitLab or some other host if they want to.
          We don't talk about facts here when Microsoft is mentioned. Unwritten rule of using Linux.

          Comment


          • #15
            Originally posted by birdie View Post
            Which Microsoft own servers or departments have been compromised?
            https://www.itpro.co.uk/security/334...tially-thought

            I can give you a considerable list but I suggest you do your own research.

            Comment


            • #16
              Originally posted by kpedersen View Post

              In all fairness, I hope they do. Mirror the Git repo to all (GitLab, BitBucket and private local) and cross check between each periodically. I don't trust Microsoft in a number of ways. Their incompetence with security is probably most relevant for this however.

              This is further exacerbated by the fact that Git doesn't enforce a user account system so it is very easy to impersonate other users simply changing the user.name and user.email. The only solution for this is a commit hook which I don't believe Microsoft will implement.

              https://stackoverflow.com/questions/...f-another-user

              Which means we are at the whims of that dumb oauth stuff that Microsoft is faffing around with on GitHub or (hopefully) public SSH keys that I am sure Microsoft will accidentally forget to authenticate / challenge against when push comes to shove. Perhaps they will cite improved performance if they "skip that key nonsense" haha
              You can enforce github to only accept verified coimmits signed by a PGP key, any new open source project should be doing this. Doing this makes it impossible to impersonate a user.

              Comment


              • #17
                Everyone here is complaining about the use of Github, and here I am thinking "are we all just going to ignore the kind of asshole who would perform this hack in the first place?"
                Really, hacking PHP is the same sort of thing as holding a charity for ransom. Yeah, you'll get something out of it, but it's really sad and pathetic.

                Comment


                • #18
                  Originally posted by uid313 View Post

                  Well it is not like they are stuck on GitHub and have vendor-lock in. Git is distributed, so it is just one host, they can easily just migrate to GitLab or some other host if they want to.
                  Git is distributed. Github is a service that offer features that can in-turn act as a vendor lock-in if you can't find those same features with other Git Distributors. That isn't a pro or con against Github. That's just how services work in general.

                  My argument is that if they get set in Github's ways then "easily just migrate" might not be so "easily" for them. For example, I prefer the UI of Hub over Lab. I can use both but I prefer Hub.

                  Comment


                  • #19
                    Originally posted by kpedersen View Post
                    Lets have a dumb naive comment on how putting all your eggs in someone elses server (especially Microsoft's) is a good idea.

                    Edit: Oh, birdie beat me to it

                    Now Microsoft is the only malicious entity that can sabotage the PHP source.
                    Are you really trying to imply that

                    1) using any cloud service is irresponsible, right under the news that they f*cked up royally when hosting it on their own?
                    2) Microsoft is somehow substantially, inherently less trusted for cloud services than other cloud providers (for unspecified reasons)?
                    3) git doesn't allow you to set up mirrors for your repo?

                    Comment


                    • #20
                      Originally posted by schmidtbag View Post
                      Everyone here is complaining about the use of Github, and here I am thinking "are we all just going to ignore the kind of asshole who would perform this hack in the first place?"
                      Really, hacking PHP is the same sort of thing as holding a charity for ransom. Yeah, you'll get something out of it, but it's really sad and pathetic.
                      That's like this article I was reading yesterday about how Amazon workers are peeing in bottles and pooping in sacks; mostly drivers, but line workers too. Most of the comments were some form of "well I worked construction/trucking/crappy job and we pooped/peed in odd places so suck it up" and my first thought was "y'all are the problem. I've worked those jobs, did my business in those places, and, big difference, didn't feel like I had to do it because I was so stressed for time".

                      When you work construction and you're doing something at a house in the woods miles from civilization, 1, you agree to that beforehand, 2, you can choose to drive your happy ass to a gas station in lieu of pooping in the woods, 3, doing construction I never had to shit in a bag on camera next to a full spread of telemetry sensors. Instead of feeling empathy for people who feel so stressed and pressed for time that they'll drive around with a shit sack the collective group has the viewpoint of "because we had it shitty you should have it shitty too" instead of "Generations of horrible working conditions, something has to change".

                      Comment

                      Working...
                      X