[andrewSC]

This is the correct set of questions to be asking. I’m a little more than surprised there aren’t some defined processes and automation around high viz workflows/stuff like this. When are people going to take cybersec and opsec seriously? Esp. In big projects?

[coldpie]

Computer security requires humans to do 500,000 things perfectly, and one slip up means everything they did was worthless. It turns out, humans aren't perfect. The result is inevitable: there is no such thing as computer security.

[x0x0]

On the one hand, yes.

On the other hand, a 15 months old token that's still alive... that's pretty damn incompetent.

[coldpie]

Yeah but my point is they probably did the other 499,990 things right, but will get no credit for it.

[sitkack]

This isn't an individual issue, this is an organizational systemic issue. It isn't on the individual to "do better" or not make mistakes. Even if they had made a PAT, there should be an org level policy that PAT tokens can only last x-days where x is very short (as an example, PAT tokens should be banned).

[x0x0]

Not allowing long-lived, powerful tokens is so basic that I'm skeptical they did very much right.

[sitkack]

And the logs are gone for both GitHub and docker hub. We should assume anything that could get compromised is compromised.

[salawat]

...There is a reason why those crazies that tell you to build everything from source you personally audit, and to read everything exist.

Y'all want the convenience of "can't someone else just gimme something that works"? Which is fine, but you have to verify the thing is what the other person claims it is. It's the curse of high-trust systems. They are only as trustworthy as the least trustworthy member.

We've done everything we can to rope in everybody. Everybody includes people who are actively malicious to the ecosystem as a whole. Thus the high-trust system has raced to the bottom in transitioning through a low-trust system, to eventually zero-trust; as computer networks in all their forms are just too juicy a set of targets to leave untapped by malicious/selfish actors. The only defense is everyone looking out for themselves on top of everyone else. It's fcking hard. It's a slog. It makes the act of maintaining computing systems that much less sexy. It's also what keeps you* safe from the wolves in sheep's clothing.

My journey in computing has branched out far and wide, only to crunch back to a narrow set of tools that I can vouch for personally. My trust of the denizens of the Net has plummeted, if only because the spaces in the cracks where belief rather than knowledge lie are just such fertile ground for skulduggery now.

[yupyupyups]

I think the inefficency of zero-trust can be applied to many other things in life.

Like

> The only defense is everyone looking out for themselves on top of everyone else. It's fcking hard. It's a slog. It makes the act of maintaining relationships that much less sexy.