by trompetenaccoun 1274 days ago
To everyone portraying this as harmless and as Wechat just looking for security breaches: Tencent itself is the security breach. Not only can Chinese people not sign up without providing a phone number, just to get a SIM card they now take your government ID, a picture of your face and a fingerprint! Xi is making absolutely sure that every single internet user is IDed and has their conversations tracked on apps like Wechat. Whatsapp, Signal & co are banned.

These "leaked" secrets GitHub forwards might be dissidents getting access without being tracked. It might not be a WeChat secret at all, who knows? They're not a trustworthy partner, nothing should be shared with this company.

And to the folks saying it's public information and they already have it: That makes no sense, then they don't need GitHub's help. Obviously GitHub is supporting their scanning efforts here.


> And to the folks saying it's public information and they already have it: That makes no sense, then they don't need GitHub's help.

GitHub has a global stream API for all public events,[1] but it is delayed by five minutes, precisely so that sensitive actions like revoking leaked tokens can be performed before the world sees them. That’s what the secret scanning program is about, and you would have known if you spent 1/3 of the time of your rant learning about it.

Edit: Additionally, for private repos, secret scanning is opt-in and only alerts owners.

[1] https://docs.github.com/en/rest/activity/events?apiVersion=2...

Wait a second, the requirement of a government ID to get a SIM card is kinda standard practice in multiple countries. Also, when it comes to privacy, US based companies must be the last ones to talk, as if China is the only bad guy who infringes upon people's right to privacy. China is dangerous, but it's not the only dangerous thing in the room. Also, your comment doesn't make sense. If you are committing your public credentials while dissenting against the government, you are doing it wrong. Also, any publicly committed credentials are literally tracked by thousands of bots within minutes. It's not like if China really wants to scan them, they can't do it without GitHub telling them they found something.
You may have misunderstood. There is no way to anonymously access Weixin from China unless you have hacked credentials. You need a phone number. Note that local Weixin and foreign Wechat are not the same. Last time my Mainland friend bought a SIM card the vendor had a government app on his phone, snapped a picture of my friend's face, scanned the ID (身份证) and had him take a fingerprint with a reader he also had connected to his phone. All this data gets uploaded directly to the Chinese government.

There isn't a country in the world which does this. But the details are also not the main point, it's how extremely restricted and controlled simple access to information or forums of free expression is for people in China. Tencent has party officials working within the company. This isn't a regular business as Westerners might imagine it, it's an extended part of the CCP just like any other large corporation under Xi.

Again, people are saying it's no big deal but why would GitHub help them at all? It's not a good cause.

GitHub here isn't supporting the China govt, they're partnering with companies that want to provide a regex to their credentials. And I don't know where you hail from but, I'm from India and I have a govt issued mandatory ID card that has multiple biometrics and my photo associated to it. And to get a SIM card I need to provide that ID and authenticate with my fingerprints. Also tell me which US company isn't drooling over China contracts, and by extension other local hostile activities. There is literally a recent story where using facial recognition Madison Square Garden denied entry to an attorney, who was related to a company that is in litigation with its parent company. But yeah, China Bad.
> There isn't a country in the world which does this.

My government requires me to have ID, which contains a photo and fingerprints, and you cannot get a SIM without ID. That's Germany and it's true for many, many countries.

> There isn't a country in the world which does this

Does what? The thing extra is the fingerprint but literally every modern country requires ID registration and more. My government also knows this IP belongs exactly to me. Stop spouting nonsense.

Plus this is completely unrelated.

This is offtopic (as it has nothing to do with the linked blogpost) but it's even worse. At the tail end of 2019 I went to China for a few weeks, I created a WeChat account at home without any problems. As soon as I stepped into China it got locked and I needed someone with a WeChat account to verify me. They can only verify (I think?) 3 new accounts per year, and 6 accounts that got locked out for whatever reason. This is (from my perspective) even worse than requiring ID for SIM etc. It links people together and I'm sure it brings some repercussions to the people that verified you if you make trouble down the line.

It was very fascinating to see, a near total domination of WeChat everywhere and relatively very hard onboarding for new accounts. Contrary to the west where most of services seek to streamline onboarding as much as possible - I guess that becomes an anti feature when you have total monopoly and _everyone_ has a WeChat account. I think it's a very effective (and very dystopian) form of control. P.S: Signal worked without any problems for me, even on a Chinese SIM (one "trick" to go around most of the GFW was buying a HK SIM in HK. Works across china and has a lot less blocks, but for various reasons I got a China SIM too).

This is a service running on public repos, anyone can scrape this which is the problem. GitHub does the scanning and all that is forwarded is the "secret" matching their regex. Tencent then identifies the account owner and informs them about the public secret. That's all.

GitHub is available in China, why shouldn't they protect their Chinese users?

And the SIM card requirements have nothing to do with Tencent, have you tried getting a SIM in Germany? Impossible without government ID and an address. And there are a lot of services which you can't sign up for without German ID / address. As a foreigner I also can't easily open a bank account in the US.

Why do they notify tencent instead of the repo owner?
Once a co-worker accidentally pushed an AWS key pair to his public dotfiles repo. About 30 seconds later AWS disabled the key and notified the account admin about the possibility of an account breach.
This is my question too… why not just let the owner of the repo know, why notify Tencent at all?
Answered elsewhere: https://news.ycombinator.com/item?id=34067625.

Instead of repeatedly having a question in an HN thread, next time try to read the source article.

Without taking away from your first paragraph at all, if any dissidents are publishing their access codes to GitHub repos, they are 1) doing it completely wrong and 2) are already screwed.

The threat here, in the worst case, is associating a GitHub ID with a WeChat ID.

Quoted from the blog post:

> We have partnered with Tencent WeChat to scan for their tokens and help secure our mutual users on all public repositories and private repositories with GitHub Advanced Security.

This is GitHub scanning private repos and telling WeChat about them.

WeChat can already scan public repos.

They are not already screwed if they’re publishing something to a private repo, it might be the wrong way to do it, but it doesn’t mean they’re already screwed.

If you don’t trust GitHub’s private repo security then why are you using it in the first place?

Obviously you’re wrong or the article is wrong… I’m gonna lean on you being wrong as the article is coming from GitHub and you’re not GitHub.
For private repos it is opt-in requiring the Advanced Security license: https://docs.github.com/en/get-started/learning-about-github...
Imagine if someone protested against Finnish–Russian cooperation on search-and-rescue operations near their border because the evil Russian government could be searching for political dissidents to imprison. That’s what your comment sounds like.

This is about preventing things like API keys from being published to code. That’s not a dissident use-case…

While Tencent and Wechat sound absolutely dystopian, the "you need a Government ID and a picture of your face" is often a requirement for creating a Facebook account or retaining your old one as well. Twitter also used to require a phone number to retain an active account; and Google frequently locks people out of old accounts unless they provide a phone.

Is this whataboutism? Possibly – but what I'd actually like to happen is US-based companies are charged company-hurting fines for mismanaging PII like this (Twitter, for example, is currently openly planning to sell user phone data [1] that they previously gathered for security purposes).

All this to say, we can't reasonably call out other dystopian companies if the ones we use everyday are doing the exact same thing. So we should call out secret scanning from Meta [2] and (if it ever happens) Twitter as well.

----------------------------------------

[1] https://www.businessinsider.com/twitter-plans-to-force-users...

[2] https://developers.facebook.com/blog/post/2021/11/09/meta-jo...

> These "leaked" secrets GitHub forwards might be dissidents getting access without being tracked.

"Leaked" here means "made public", i.e. "published such that literally anyone can use them", for example when burned into a commit of a public repo. Even for a dissident, publishing an API key or other credential where literally anyone can find it to use it, is almost assuredly a mistake. Because external scrapers can also find it there, such that the key will be inevitably picked up and fed into a botnet to abuse — at which point the ops staff at the service will notice the abuse and revoke the key, thus "burning" it as useful from the dissident's perspective.

If you store a secret on Github somewhere that only you and people you trust have access to, rather than everyone having access to it, then this is not considered a "leak", and so Github does not detect this as a "leaked secret." For example, commit data of private repos is not scanned for secrets (if it was, GitOps as a concept would be impossible!); nor is a repo's formal Actions Secrets store (part of a repo's configuration readable only by triggered Github Actions CI jobs).

Github's own secret-scanning here is trying to catch the cases where a user has done something stupid by accident. Whether or not they reported secrets to third parties, they'd still be doing leaked-secret scanning of their own Github API keys, to ensure that people aren't accidentally trying to configure Github Actions by burning their Github Actions CI API key into the workflow itself. If they find such keys, they revoke them.

The point of Github's secret-scanning partner program is that because Github is doing this leaked-secret scanning for their own purposes anyway, you (the partner) can sign up to be told when API keys of yours are accidentally made public as well.

> That makes no sense, then they don't need GitHubs help.

Ignoring for a moment that Github is a website, and so anyone can just crawl it—

Did you know? Github pushes the commit data of all public repos to BigQuery as a public research dataset: https://codelabs.developers.google.com/codelabs/bigquery-git.... Literally anyone can do their own "secret scanning" with a simple BigQuery query. It costs about $500 to run such a query, because the Github dataset is pretty large. It's not a price most SMEs would pay. But it's definitely a price attackers could be willing to pay. It's a lot cheaper than running your own web-spider infrastructure!

The difference with Github's own secret scanning is that it happens synchronously, on push of commits; whereas the ETL of commit data to Github et al happens asynchronously, some time after commits happen. Tencent — and every other secret-scanning partner — depends on Github to stay ahead of any third-party attackers trying to scrape leaked credentials for use in botnets et al.

Also, FYI, you yourself can sign up to be a Github secret-scanning partner. You just need 1. a regex that uniquely identifies your secrets, so that Github can recognize them on push, and 2. a webhook URL to report them to. (https://docs.github.com/en/developers/overview/secret-scanni...)

And by the way, this isn't a hypothetical nice-to-have. I run an API SaaS — and not one that's even very large, in relative terms. But my own customers' accidentally-leaked secrets have been scraped from their Github repos and used by botnets already! Signing up as a Github secret-scanning partner is on my to-do list.
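The partner flow that several comments in this thread describe (GitHub matches a partner-supplied regex on push and POSTs only the matching strings to the partner's webhook, where the partner identifies the owner and acts) is shown below as an added example in Go. It is not GitHub's, Tencent's or any commenter's code. The token format `exsvc_` + 32 hex characters, the type name `exsvc_api_key`, and the sample report are made up for the example; the JSON fields (`token`, `type`, `url`, `source`) and the signature check (base64 ASN.1 ECDSA P-256 signature over the SHA-256 of the raw body, sent in the `Github-Public-Key-Signature` header and verified against the key named by `Github-Public-Key-Identifier`) follow the partner-program documentation linked in the comment above. A locally generated key stands in for GitHub's published key so the round trip runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"regexp"
)

// LeakedToken is one element of the JSON array GitHub POSTs to a partner
// webhook: the matched string, the partner's registered type name, where it
// was found, and the source kind (e.g. "commit").
type LeakedToken struct {
	Token  string `json:"token"`
	Type   string `json:"type"`
	URL    string `json:"url"`
	Source string `json:"source"`
}

// TokenPattern is the regex a partner registers with GitHub. The format
// (exsvc_ + 32 hex chars) is invented for this example.
var TokenPattern = regexp.MustCompile(`\bexsvc_[0-9a-f]{32}\b`)

// VerifySignature checks the Github-Public-Key-Signature header value against
// the raw request body. pubPEM is the PEM public key selected by the
// Github-Public-Key-Identifier header.
func VerifySignature(pubPEM, body []byte, sigB64 string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return errors.New("public key is not PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match body")
	}
	return nil
}

// HandleLeakReport is the webhook handler logic: reject anything not signed
// with GitHub's key, parse the report, and keep only strings that really match
// our pattern (GitHub's match is a hint; the partner decides what is real).
func HandleLeakReport(pubPEM, body []byte, sigB64 string) ([]LeakedToken, error) {
	if err := VerifySignature(pubPEM, body, sigB64); err != nil {
		return nil, err
	}
	var report []LeakedToken
	if err := json.Unmarshal(body, &report); err != nil {
		return nil, err
	}
	var confirmed []LeakedToken
	for _, t := range report {
		if TokenPattern.MatchString(t.Token) {
			confirmed = append(confirmed, t) // a real handler revokes here and notifies the key's owner
		}
	}
	return confirmed, nil
}

// SignReport plays GitHub's side so the example runs offline.
func SignReport(priv *ecdsa.PrivateKey, body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// NewSigningKey makes a throwaway P-256 key plus its PEM public half,
// standing in for the key GitHub publishes for secret scanning.
func NewSigningKey() (*ecdsa.PrivateKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// SampleReport is a constructed payload: one real-looking token leaked in a
// public commit, and one string that only resembles our format.
const SampleReport = `[{"token":"exsvc_0123456789abcdef0123456789abcdef","type":"exsvc_api_key","url":"https://github.com/example/repo/commit/abc123","source":"commit"},` +
	`{"token":"exsvc_notahexstring","type":"exsvc_api_key","url":"https://github.com/example/repo/blob/main/README.md","source":"commit"}]`

func main() {
	priv, pubPEM, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	sig, _ := SignReport(priv, []byte(SampleReport))
	confirmed, err := HandleLeakReport(pubPEM, []byte(SampleReport), sig)
	fmt.Println(len(confirmed), err) // 1 <nil>
	_, err = HandleLeakReport(pubPEM, []byte(SampleReport+" "), sig)
	fmt.Println(err) // signature does not match body
}
```

The two things worth noticing are that the partner only ever sees strings its own regex already matched on GitHub's side (which is why the comments above say nothing beyond the "secret" is forwarded), and that the handler refuses any body whose signature does not verify, so a third party cannot feed fake "leaks" into the revocation path by posting to the webhook URL.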