[bheadmaster]

> - Pushed both the clean source code and the unclean .pyc binary into the docker image

Oof.

Honestly, I can't blame the guy for a mistake like this, it's just so easy to make. But then again, deploying images built on a development laptop is generally an error-prone activity. This is why build and deployment servers exist.

[sitkack]

Why does one person have admin on all those repos?

Why is Python still running any classic access tokens?

Why is the access token EVER in the source code?

What other stuff is “running on their laptop”?

No pass!

People with access to the repos shouldn’t also have access to push bits to the world. It puts those people with that access in grave physical danger.

Edit, https://blog.pypi.org/posts/2024-07-08-incident-report-leake...

This token has been in the wild for 15 months! The JFrog post cannot say that disaster was averted because we do not know.

[belter]

> This token has been in the wild for 15 months! The JFrog post cannot say that disaster was averted because we do not know.

"Binary secret scanning helped us prevent (what might have been) the worst supply chain attack you can imagine"

The above comment from them sounds as weird, as the whole ecosystem security based out of a developer laptop...

[andrewSC]

This is the correct set of questions to be asking. I’m a little more than surprised there aren’t some defined processes and automation around high viz workflows/stuff like this. When are people going to take cybersec and opsec seriously? Esp. In big projects?

[coldpie]

Computer security requires humans to do 500,000 things perfectly, and one slip up means everything they did was worthless. It turns out, humans aren't perfect. The result is inevitable: there is no such thing as computer security.

[x0x0]

On the one hand, yes.

On the other hand, a 15 months old token that's still alive... that's pretty damn incompetent.

[coldpie]

Yeah but my point is they probably did the other 499,990 things right, but will get no credit for it.

[sitkack]

This isn't an individual issue, this is an organizational systemic issue. It isn't on the individual to "do better" or not make mistakes. Even if they had made a PAT, there should be an org level policy that PAT tokens can only last x-days where x is very short (as an example, PAT tokens should be banned).

[x0x0]

Not allowing long-lived, powerful tokens is so basic that I'm skeptical they did very much right.

[sitkack]

And the logs are gone for both GitHub and docker hub. We should assume anything that could get compromised is compromised.

[salawat]

...There is a reason why those crazies that tell you to build everything from source you personally audit, and to read everything exist.

Y'all want the convenience of "can't someone else just gimme something that works"? Which is fine, but you have to verify the thing is what the other person claims it is. It's the curse of high-trust systems. They are only as trustworthy as the least trustworthy member.

We've done everything we can to rope in everybody. Everybody includes people who are actively malicious to the ecosystem as a whole. Thus the high-trust system has raced to the bottom in transitioning through a low-trust system, to eventually zero-trust; as computer networks in all their forms are just too juicy a set of targets to leave untapped by malicious/selfish actors. The only defense is everyone looking out for themselves on top of everyone else. It's fcking hard. It's a slog. It makes the act of maintaining computing systems that much less sexy. It's also what keeps you* safe from the wolves in sheep's clothing.

My journey in computing has branched out far and wide, only to crunch back to a narrow set of tools that I can vouch for personally. My trust of the denizens of the Net has plummeted, if only because the spaces in the cracks where belief rather than knowledge lie are just such fertile ground for skulduggery now.

[yupyupyups]

I think the inefficency of zero-trust can be applied to many other things in life.

Like

> The only defense is everyone looking out for themselves on top of everyone else. It's fcking hard. It's a slog. It makes the act of maintaining relationships that much less sexy.

[hirako2000]

Exactly. More than one bad practice in there. note the secret was never in the repo though. Only in the container image.

[sitkack]

That token gives admin access to all the repos they have access to.