GitHub Compromised (twitter.com)
63 points by claaams 1 hours ago | 16 comments
jms703 8 minutes ago
Do they know what the attackers were after? Maybe they were just trying to help fix the availability problems.
goyozi 55 minutes ago
https://xcancel.com/i/status/2056949168208552080
gnabgib 1 hours ago
Discussion (222 points, 4 hours ago, 62 comments) https://news.ycombinator.com/item?id=48201316
jallasprit 14 minutes ago
Which extension was it?
lorenzohess 48 minutes ago
Why did one developer have access, even if read-only, to more than 3,800 internal repos?
goyozi 32 minutes ago
Not saying it’s good, but I think it’s quite common for devs to have read-only access to everything. I suspect that with all the recent news, including this, the needle might start to shift a bit.

I think it’s actually non-trivial to determine how many repos you should have read-only access to. I frequently hop through multiple repos that I don’t contribute to, just to understand how the system is architected and what it does at different stages. We even have an internal Claude skill for finding the relevant repo for a given problem, which relies on personal gh access (via CLI). It _can_ be done more securely, but those defaults built over many years will take time to change.

jameson 17 minutes ago
Security is often overlooked internally and often seen as a source of friction. I worked at a popular US social media firm and it wasn't hard to get a permission that allowed me to delete the entire company's dataset. Often arguments like "I'm working on an org-level initiative and I need the permission to get it done" would easily get me the permission.
__turbobrew__ 29 minutes ago
I think it is pretty common that devs have read-only access to all source code.

The real question is why GitHub has 3800 internal repos.

siwatanejo 19 minutes ago
It's normal that a dev has *access* to all the code.

But did he clone all the repos onto his machine? I doubt it. So, the hacker extracted all 3800 repos using the employee's machine as a gateway? I doubt it as well; I'm sure they would have detected this huge amount of data well before all of it was transferred?

> The real question is why GitHub has 3800 internal repos.

I guess they mean customers' private repos?
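siwatanejo's point above that pulling 3800 repos should have been noticed early is a detection question. As an added example (not from the thread), the Python below flags any account that clones an unusually large number of distinct repositories within a time window, while ignoring noisy repeated clones of the same repo. The log format, actor names and threshold are constructed assumptions, not GitHub's actual audit-log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (NOT GitHub's real audit-log schema): "<ISO timestamp> <actor> <action> <repo>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_clone_events(lines):
    """Group clone events per actor as (timestamp, repo); other actions and malformed lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "git.clone":
            continue
        events[m.group(2)].append((datetime.strptime(m.group(1), TS_FMT), m.group(4)))
    return events


def flag_bulk_cloners(lines, max_repos=25, window=timedelta(hours=1)):
    """Return {actor: peak} for actors who cloned more than max_repos DISTINCT repos inside any window."""
    flagged = {}
    for actor, evs in parse_clone_events(lines).items():
        evs.sort()
        in_window = defaultdict(int)  # repo -> number of clone events currently inside the window
        left, peak = 0, 0
        for ts, repo in evs:
            in_window[repo] += 1
            while evs[left][0] < ts - window:  # slide the left edge forward, expiring old events
                old_repo = evs[left][1]
                in_window[old_repo] -= 1
                if in_window[old_repo] == 0:
                    del in_window[old_repo]
                left += 1
            peak = max(peak, len(in_window))
        if peak > max_repos:
            flagged[actor] = peak
    return flagged


def build_sample_log():
    """Constructed sample: alice browses 3 repos, bob pulls 40 distinct repos in 10 minutes, carol re-clones one repo 50 times."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    def line(minutes, seconds, actor, action, repo):
        return f"{(base + timedelta(minutes=minutes, seconds=seconds)).strftime(TS_FMT)} {actor} {action} {repo}"
    log = [line(20 * i, 0, "alice", "git.clone", f"org/service-{i}") for i in range(3)]
    log += [line(0, 15 * i, "bob", "git.clone", f"org/service-{i}") for i in range(40)]
    log += [line(0, 60 * i, "carol", "git.clone", "org/ci-runner") for i in range(50)]
    log += [line(5, 0, "alice", "repo.push", "org/service-0"), "garbled line"]  # ignored by the parser
    return log  # flag_bulk_cloners(build_sample_log()) -> {'bob': 40}
```

Only bob trips the default threshold; alice's few reads and carol's repeated clones of a single repo (a CI pattern) stay quiet, which is the distinction a real alert on this data would need.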

selcuka 16 minutes ago
> I guess they mean customers' private repos?

I don't think so. It is even worse if a random developer has access to customers' private repos.

skirge 8 minutes ago
Each employee with a personal fork of some company microservice.
baq 10 minutes ago
If you want to move fast, you need access. Unfortunately and obviously this allows threat actors to move fast, too. The tradeoff had a different risk profile a year ago, heck, a couple of weeks ago.
awaisras 1 hours ago
Are we going into a 99.9% uptime era?

With this level of availability, would companies remain on the cloud?

claaams 1 hours ago
GitHub compromised and 3800 internal repos exposed.
jaspanglia 1 hours ago
This is exactly why enabling 2FA is so important. Change your password immediately.
fatih-erikli-cg 35 minutes ago
GitHub is the last place someone will give a single shit about for something like that. If someone steals your debit card and withdraws money on your behalf, without your permission, you go to the bank and explain that. GitHub holds code... If something like some info is stolen from your work, something like that, then you don't work for them again, you quit or go to HR, this is how it is.

Plus, GitHub is running on your computer. People take the https icon so seriously. It is nothing. There are more browsers than actual websites. You receive a browser update almost every day. All of them come with https icons with predefined domains. GitHub is the one that comes with new computers. The others are the websites someone defined in your invisible /etc/hosts before you started using your own computer. Your own websites are http. I know how the internet works very, very well. GitHub is no more than a text editor with undo/redo.