URL:
https://graz.social/@publicvoit/111147782761723981
Submission: On September 29 via manual from US — Scanned from DE
Karl Voit @publicvoit@graz.social (29. Sept. 2023, 11:42):
After basically the whole #Microsoft #Azure cloud was hacked (see list of related sources on https://karl-voit.at/cloud/), the first follow-up incidents went public caused by missing containment actions: 60,000 emails were stolen from 10 #USA #StateDepartment accounts https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/
If you didn't understand until now: basically EVERYTHING at Microsoft got hacked and Microsoft can't (or won't) get rid of the intruders. Everything authenticated by Microsoft is tainted. Even #Windows auth.

Karl Voit @publicvoit:
If #Microsoft has any (internal) trust relation between the hacked #Azure certificates and #GitHub, we need to consider GitHub as hacked/tainted.

Karl Voit @publicvoit:
Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling because of #Microsoft and most probably GitHub being hacked. As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub dependency turns out to be a real downer for this OS. #security #integrity

Yet Another EU Nerd @yaeunerd@fosstodon.org:
@publicvoit Could you go a little bit more in depth about:
> Microsoft can't (or won't) get rid of the intruders
P.S. I must admit I didn't read your article on karl-voit.at; was a little bit too long, sorry.

Karl Voit @publicvoit:
@yaeunerd Sure. In simple words: #Microsoft lost one of their master keys to unlock very important parts of their cloud. This connects to all MS services that do authenticate by MS, which includes most #Windows setups as well. This happened a long time ago; some people think it was the Chinese. They were able to implant #backdoors, self-made keys, ... all over the place. In order to fix that, MS would need to kill all their connected hosts and start from scratch. It's obvious why they don't.

Christian Tietze @ctietze@mastodon.social:
@publicvoit I *love* that you're keeping such a long historic list! Reminds me of @mjtsai's Review Rejections at https://mjtsai.com/blog/tag/rejection/ or https://web3isgoinggreat.com/ :) (It's also horrible that the list could become so long.)

dog's best friend @feld@bikeshed.party:
What are the odds they got "login with GitHub" too?

Phantasm @phnt@fluffytail.org:
@feld @publicvoit I would say pretty high.

cinny @bun@trans.enby.town:
@feld @publicvoit As far as I know, the production environment that does GitHub's logins remains at Rackspace and is not hosted on Azure.

Karl Voit @publicvoit:
@bun @feld If there is any (internal) trust connection between #Microsoft and #GitHub, the incident does affect both. And I do think that this is very likely the case.

de_maulwurf87 @de_maulwurf87@mastodon.social:
@publicvoit @bun @feld I think it does not really matter if they have access. If Microsoft can't get them out, they can work their way into GitHub if they want to. That's a pretty fucked up situation.

防空識別區𝒔𝒐𝒄𝟶 @adiz@soc0.outrnat.nl:
@publicvoit@graz.social Wow, that really sucks for users of Microsoft products and services. Oh, well!

Karl Voit @publicvoit:
@adiz This does not only affect #Microsoft and their direct services. This also affects all customers of Azure and their services. You don't know what services you're using whose back-end is hosted in #Azure.

Privileged white mail @malakai@the.usualsuspects.lol:
I had recently fallen for the cloud meme after resisting for years. Has been a mistake and I've been de-cloud-ifying my stuff ever since.

kikebenlloch @kikebenlloch@mastodon.social:
@publicvoit Fuck me, I had no idea, the volume of this shitload is unreal.

David Clubb @davidoclubb@toot.wales:
@publicvoit I hear so many positive things about this on various podcasts (you probably know the ones), but I once tried it and couldn't even get to a usable desktop environment. That was a while back, but I will stick with other OSs for now; and maybe if I go immutable I will try #Fedora first.

Alexander Sosedkin @monk@social.unboiled.info:
@publicvoit
> For example, when GitHub would be out of business or the service is down for some other reason, NixOS would probably be dead. Its main repositories are on GitHub and there is no obvious fall-back concept to other repositories hosted on different services.
This is just plain false. Flakes and channels can point anywhere; the only thing that'd need special care to move is the registry repo that points to all the other repos.

Karl Voit @publicvoit:
@monk Yes. And at least in my case, they all point to GitHub.

Alexander Sosedkin @monk@social.unboiled.info:
@publicvoit My point is, you can point them anywhere, just find a suitable hosting.

Karl Voit @publicvoit:
@monk And my point is: all defaults of the NixOS installer are pointing to a hacked platform where anything could be manipulated already. Copying a tainted dataset still results in a tainted dataset, independent of the trustworthiness of a different hoster.

Alexander Sosedkin @monk@social.unboiled.info:
@publicvoit OK, so, take the last commit before the compromise, move it somewhere, replay history, update registry, update default registry URL, rebuild installation media. All the technical stuff is already there, about as ready as it could possibly be, so it's mainly the question of convincing the community that all of that is actually necessary.

Karl Voit @publicvoit:
@monk So, yes. Let's trust Microsoft once more and delete everything since 2021-04. https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/ #NixOS

IslandUsurper @IslandUsurper@fosstodon.org:
@monk @publicvoit I can understand why someone would say it, though. By default, the flakes registries and the previous channels both point to GitHub URLs. They don't have to, but it's not obvious that they could be different. Two big things I would worry about if GitHub became unusable for any reason: 1) nixpkgs is friggen' huge, in terms of size and activity, so picking a forge successor must be done carefully. 2) issues and PRs are hard to migrate.

IslandUsurper @IslandUsurper@fosstodon.org:
@monk @publicvoit None of these problems are actually specific to GitHub, I think. It's just what Nix uses currently. Communicating the change when necessary takes the same amount of work regardless of the host. Maybe the issues/PRs migration can be easier with better tooling elsewhere. A disaster plan sounds like a good idea. I hope someone has one, but I haven't heard of it.

Roomey @roomey@mastodon.ie:
@publicvoit Many years ago (the 90s), if you were online you assumed everything you said and did was getting scraped by the NSA/Americans. I don't think much has changed. If you want to keep something private, try to keep it off the web. It is safe to assume (big) nation states have access to everything, or if not, hoover up everything they can and will have access soon enough.

Karl Voit @publicvoit:
@roomey Well, I somewhat disagree here. If you assumed state actors, especially USA state actors, you may be right. However, now it's some hacker group that can share their knowledge with anybody. So the potential group of attackers is now extended to basically anybody who somehow was able to get in touch with the hackers who hacked Microsoft. That's a totally different game now. Furthermore, it's not only privacy that's in danger here. It's the whole set of https://en.wikipedia.org/wiki/Information_security#Key_concepts

Roomey @roomey@mastodon.ie:
@publicvoit It was my understanding that this "hacking group" _was_ nation state. Either way, the rest of your comment here is correct in terms of what's at risk. Best to assume compromise at some level.

Karl Voit @publicvoit:
@roomey Attribution is extremely difficult. Some say it's the Chinese. But at that level, any hacker group (state or non-state) is able to fake attribution hints of any sort. So we basically have no clue who did that and, furthermore, who was given access to the special backdoors after.

Christian Stankowic @stdevel@chaos.social:
@publicvoit We really need a user-friendly alternative to #GitHub. Love seeing that both @forgejo and #GitLab work on ActivityPub support. Can't wait to try it out.