Hacker News new | ask | show | jobs
by oliwarner 3180 days ago
I didn't suggest forcing anything... But just because other people do it doesn't make it better.

Many of their clients may treat this as they would an actual breach. It's somebody they haven't vetted having potentially complete access to their development chain and production secrets. They won't know until they look. They won't look until they're told.

And what's CircleCI paying a for this breach got to do with the price of fish?! Say you hired me and gave me full access to everything in your business. Then one day I turn around and tell you my extended family, my friends, my dog walker and my cleaner have all also had access to that data. No big problem eh?
2 comments
jlmorton 3180 days ago
This practice is allowed by industry security standards, like PCI-DSS. If it's determined that the third-party acts as a PCI Service Provider, then the compliant party has a duty to determine that the third-party is also compliant.

The client vetted CircleCI, and CircleCI presumably vetted the third parties. It is not fair to say these vendors have not been vetted.

It may not be a best practice, but it's little different than CircleCI (or any other company) contracting with a private data center, which has direct physical access to their equipment. They have presumably vetted the data center provider, or cloud computing vendor.

link
ejcx 3180 days ago
There is absolutely no breach here. Absolutely not. Suggesting so is ridiculous. The word breach is a very special one and this is not it.
link
oliwarner 3180 days ago
I think you're the one being more reckless with language here. But please, what does "breach" mean to you?

I count it as "inappropriate and unauthorised access to data". Where "access" is potential, not necessarily actual unless you can absolutely prove there was no access.

These third parties have had access to sensitive data they shouldn't. That's a breach in my book.

Neither you or Circle CI even can say this hasn't lead to current or past third parties —or their rogue developers, or people who have hacked them— gaining source access or customer data from Circle CI users. Why? You simply don't know what was running at any given point.

Auditing and sub-resource integrity would help in the future, but it's too late. Unknown people have had access. Only the Circle CI users will know what ramifications that could have on them.

If your argument is anything more than a redefinition of "breach", please explain why you're being so nonchalant (and why you think I'm being "ridiculous") about this.

link