PHP's Git Server Compromised, Now Switching To GitHub

  • #21
    Originally posted by kpedersen:
    or (hopefully) public SSH keys that I am sure Microsoft will accidentally forget to authenticate / challenge against when push comes to shove. Perhaps they will cite improved performance if they "skip that key nonsense" haha
    Please do tell us why on earth would microsoft do something like that.

    Comment


    • #22
      Originally posted by kpedersen:

      In all fairness, I hope they do. Mirror the Git repo to all (GitLab, BitBucket and private local) and cross check between each periodically. I don't trust Microsoft in a number of ways. Their incompetence with security is probably most relevant for this however.

      This is further exacerbated by the fact that Git doesn't enforce a user account system, so it is very easy to impersonate other users simply by changing the user.name and user.email. The only solution for this is a commit hook, which I don't believe Microsoft will implement.

      https://stackoverflow.com/questions/...f-another-user

      Which means we are at the whims of that dumb oauth stuff that Microsoft is faffing around with on GitHub or (hopefully) public SSH keys that I am sure Microsoft will accidentally forget to authenticate / challenge against when push comes to shove. Perhaps they will cite improved performance if they "skip that key nonsense" haha
      It's possible to sign commits too, so there's one good method of ensuring authenticity of code. I don't think Microsoft will do something evil like introducing malicious commits, but "accidentally" deleting the repo or slowing access to it and causing pandemonium is totally within their reach.

      Remember, there's a reason Microsoft doesn't post their internal code on Google Code, and Google's AOSP and proprietary software isn't on Github. There's a reason Facebook doesn't do Google login, and why Google doesn't do Facebook login. Lots of others have also switched away from depending on Google and Facebook, because they can easily cut off access and screw you while providing whimsical reasons.

      Comment
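      The identity problem raised in the quoted post (Git's user.name and user.email are free-form metadata that anyone can set) and the signed-commit answer in this reply combine naturally into one server-side policy check. The following is an added example, not code from this thread, from the PHP project, or from GitHub's tooling; it models the kind of check a pre-receive hook could run. The SSH-key labels, email addresses, key IDs and log lines are constructed sample data; the git log format placeholders (%H, %ae, %ce, %G?, %GK) are real git placeholders, everything else is an assumption.

```python
"""Server-side identity policy for pushed commits (added example, constructed data).

Git stores author/committer name and email as plain text, so those fields say
nothing about who actually pushed. The only identity a server can trust is the
one established when the push was authenticated (here modelled as the label of
the SSH key that opened the connection). This check takes that identity, the
commits being pushed, and git's own signature verification result for each
commit, and rejects anything that does not line up.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Commit:
    sha: str
    author_email: str
    committer_email: str
    sig_status: str  # git %G? placeholder: 'G' good, 'N' none, 'B' bad, 'U' untrusted, 'E' cannot check
    signer_key: str  # git %GK placeholder (key id used to sign); empty when unsigned


# Format a hook would pass to `git log --format=...` for the pushed range.
LOG_FORMAT = "%H%x00%ae%x00%ce%x00%G?%x00%GK"


def parse_log(text: str) -> list[Commit]:
    """Parse NUL-separated `git log --format=LOG_FORMAT` output, one commit per line."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        sha, author, committer, status, key = line.split("\x00")
        commits.append(Commit(sha, author, committer, status, key))
    return commits


# Who each authenticated pusher is allowed to commit as, and which signing keys
# belong to them. Hypothetical mapping; a real deployment would keep this with
# the account data the server already uses for authentication.
IDENTITY_MAP = {
    "ssh-key-alice": {"emails": {"alice@example.org"}, "keys": {"ALICEKEY0001"}},
    "ssh-key-bob": {"emails": {"bob@example.org"}, "keys": {"BOBKEY00001"}},
}


def check_push(pusher: str, commits: list[Commit], require_signature: bool = True) -> list[str]:
    """Return rejection reasons; an empty list means the push passes the policy.

    Only the committer is tied to the pusher: the author may legitimately be
    someone else (a patch applied on their behalf), which is why the committer
    field, not the author field, carries the identity check.
    """
    ident = IDENTITY_MAP.get(pusher)
    if ident is None:
        return [f"unknown pusher {pusher!r}"]
    reasons = []
    for c in commits:
        short = c.sha[:7]
        if c.committer_email not in ident["emails"]:
            reasons.append(f"{short}: committer {c.committer_email} does not belong to pusher {pusher}")
        if require_signature:
            if c.sig_status != "G":
                reasons.append(f"{short}: signature status {c.sig_status!r} is not a good signature")
            elif c.signer_key not in ident["keys"]:
                reasons.append(f"{short}: signed with key {c.signer_key}, which is not registered to {pusher}")
    return reasons


# Constructed sample log output, as git would print it with LOG_FORMAT.
SAMPLE_LOG_OK = "1" * 40 + "\x00alice@example.org\x00alice@example.org\x00G\x00ALICEKEY0001\n"
# A commit made with user.email set to alice's address, unsigned, pushed by bob.
SAMPLE_LOG_SPOOFED = "2" * 40 + "\x00alice@example.org\x00alice@example.org\x00N\x00\n"
# A commit carrying a good signature, but from a key that is not alice's.
SAMPLE_LOG_WRONG_KEY = "3" * 40 + "\x00alice@example.org\x00alice@example.org\x00G\x00BOBKEY00001\n"


if __name__ == "__main__":
    for label, pusher, log in [
        ("legitimate", "ssh-key-alice", SAMPLE_LOG_OK),
        ("spoofed email", "ssh-key-bob", SAMPLE_LOG_SPOOFED),
        ("wrong key", "ssh-key-alice", SAMPLE_LOG_WRONG_KEY),
    ]:
        result = check_push(pusher, parse_log(log))
        print(f"{label}: {'accepted' if not result else 'rejected'}")
        for reason in result:
            print("  -", reason)
```

      The signature status comes from git itself (`%G?` reflects the verification it performs against the server's keyring), so the hook never has to parse signatures; it only has to refuse to trust the free-form committer field on its own.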


      • #23
        Originally posted by zcansi:

        You will note they are also moving to GitHub's authentication and authorization system as part of the move.

        They also mention that now they can merge pull requests from the web interface. Will they also be doing code reviews via the web interface perhaps?

        And of course, they may want to use GitHub's CI and GitHub Issues, because they have such nice integration.

        How's that migration looking now? Not so easy anymore.
        Well, GitLab supports CI and issues too.

        Comment


        • #24
          Did they run php on that server?

          Comment


          • #25
            Why is it important to know? My understanding is that there were two git commits made by an internal user via the CLI. So the whole server was compromised by hacker(s).

            Comment


            • #26
              Originally posted by birdie:
              Let's have a dozen comments how GitHub is owned and run by an evil anti-open-source company.
              Very first post and this POS is trolling.

              Comment


              • #27
                It's sad that the first solution most companies or OS foundations opt for these days is to move to the cloud when they have issues or get compromised.

                It's not like Microsoft's or any other company's services haven't been hacked or taken offline due to issues; both Exchange and SharePoint come to mind.

                Comment


                • #28
                  Originally posted by kpedersen:

                  In all fairness, I hope they do. Mirror the Git repo to all (GitLab, BitBucket and private local) and cross check between each periodically. I don't trust Microsoft in a number of ways. Their incompetence with security is probably most relevant for this however.

                  This is further exacerbated by the fact that Git doesn't enforce a user account system, so it is very easy to impersonate other users simply by changing the user.name and user.email. The only solution for this is a commit hook, which I don't believe Microsoft will implement.

                  https://stackoverflow.com/questions/...f-another-user

                  Which means we are at the whims of that dumb oauth stuff that Microsoft is faffing around with on GitHub or (hopefully) public SSH keys that I am sure Microsoft will accidentally forget to authenticate / challenge against when push comes to shove. Perhaps they will cite improved performance if they "skip that key nonsense" haha
                  I do trust GitHub and MS (to some extent!!!), but please keep the source code in an easily accessible place. GitLab is my least favorite Git instance - I hate that clumsy interface.

                  Comment


                  • #29
                    Originally posted by kpedersen:

                    https://www.itpro.co.uk/security/334...tially-thought

                    I can give you a considerable list but I suggest you do your own research.
                    According to this news piece, support agents' accounts were compromised, not Microsoft servers or infrastructure. Microsoft, to the best of my knowledge, has seen close to zero compromises in its 40-year history.

                    Meanwhile open source projects are getting hacked left and right almost on a monthly basis. We have had the breaches of:
                    • Fedora (a major breach)
                    • The Linux Kernel (a major breach)
                    • Debian Wiki
                    • OpenSuse website
                    • Multiple NPM/Ruby modules
                    • PHP (a major breach)
                    This comment contains nothing but facts, zero speculation and zero pronouns.

                    Someone is again deleting my comments even though I've long stopped with personal attacks. Sigh. OK, I'm out of this discussion.

                    Comment


                    • #30
                      Originally posted by kpedersen:
                      Now Microsoft is the only malicious entity that can sabotage the PHP source.
                      Who told you that? Hint: SaaS is not a security cure-all. If history is any guide, there is a trend of a "security: not my problem" mindset within organizations who switch to SaaS... often to their detriment.
                      Last edited by torsionbar28; 29 March 2021, 12:47 PM.

                      Comment
