URL: https://graz.social/@publicvoit/111147782761723981
Submission: On September 29 via manual from US — Scanned from DE


Karl Voit @publicvoit@graz.social

After basically the whole #Microsoft #Azure cloud was hacked (see the list of
related sources on https://karl-voit.at/cloud/ ), the first follow-up incidents
caused by missing containment actions went public:

60,000 emails were stolen from 10 #USA #StateDepartment accounts
https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/

If you didn't understand until now: basically EVERYTHING at Microsoft got hacked
and Microsoft can't (or won't) get rid of the intruders. Everything
authenticated by Microsoft is tainted. Even #Windows auth.


Link preview: karl-voit.at – You Can't Control Your Data in the Cloud
29 Sept 2023, 11:42 · Web · 123 · 78

52 Min.

Karl Voit @publicvoit

If #Microsoft has any (internal) trust relation between the hacked #Azure
certificates and #GitHub, we need to consider GitHub as hacked/tainted.

0

50 Min. *

Karl Voit @publicvoit

Now that I have migrated some of my hosts to #NixOS, I do have a bad feeling
because of #Microsoft and most probably GitHub being hacked.

As mentioned on https://www.karl-voit.at/2023/09/12/nix/ the deep #GitHub
dependency turns out to be a real downer for this OS.


Link preview: public voit - Web-page of Karl Voit · 12 Sept – I Started With Nix, NixOS, Home Manager and Flakes
#security #integrity
2

3 h

Yet Another EU Nerd @yaeunerd@fosstodon.org

@publicvoit Could you go a little bit more in depth about:

> Microsoft can't (or won't) get rid of the intruders

P.S. I must admit I didn't read your article on karl-voit.at; was a little bit
too long sorry

1

2 h

Karl Voit @publicvoit

@yaeunerd Sure.

In simple words: #Microsoft lost one of their master keys to unlock very
important parts of their cloud. This connects to all MS services that do
authenticate by MS which includes most #Windows setups as well.

This happened a long time ago; some people think it was the Chinese.

They were able to implant #backdoors, self-made keys, ... all over the place.

In order to fix that, MS would need to kill all their connected hosts and start
from scratch. It's obvious why they don't.

0

3 h

Christian Tietze @ctietze@mastodon.social

@publicvoit I *love* that you're keeping such a long historic list!

Reminds me of @mjtsai's Review Rejections at
https://mjtsai.com/blog/tag/rejection/ or https://web3isgoinggreat.com/ :)

(It's also horrible that the list could become so long.)


Link preview: mjtsai.com – Michael Tsai - Blog - Tag - App Store Rejection
0

2 h

dog's best friend @feld@bikeshed.party
What are the odds they got "login with GitHub" too
2

2 h

Phantasm @phnt@fluffytail.org
@feld @publicvoit I would say pretty high.
0

56 Min.

cinny @bun@trans.enby.town
@feld @publicvoit as far as i know the production environment that does github's
logins remains at rackspace and is not hosted on azure
1

55 Min.

Karl Voit @publicvoit

@bun @feld If there is any (internal) trust connection between #Microsoft and
#GitHub, the incident does affect both.

And I do think that this is very likely the case.

1

45 Min.

de_maulwurf87 @de_maulwurf87@mastodon.social

@publicvoit @bun @feld I think it does not really matter if they have access. If
Microsoft can't get them out, they can work their way into GitHub if they want
to. That's a pretty fucked up situation.

0

1 h

:verified_2:防空識別區𝒔𝒐𝒄𝟶:redstar: @adiz@soc0.outrnat.nl

@publicvoit@graz.social Wow, that really sucks for users of Microsoft products
and services. Oh, well!

2

57 Min.

Karl Voit @publicvoit

@adiz This does not only affect #Microsoft and their direct services.

This also affects all customers of Azure and their services.

You don't know what services you're using whose back-end is hosted in #Azure.

0

21 Min.

Privileged white mail @malakai@the.usualsuspects.lol

I had recently fallen for the cloud meme after resisting for years. Has been a
mistake and I’ve been de-cloud-ifying my stuff ever since

0

54 Min.

kikebenlloch @kikebenlloch@mastodon.social

@publicvoit Fuck me, I had no idea, the volume of this shitload is unreal.

0

46 Min.

David Clubb @davidoclubb@toot.wales

@publicvoit I hear so many positive things about this on various podcasts (you
probably know the ones), but I once tried it and couldn't even get to a useable
desktop environment. That was a while back but I will stick with other OSs for
now; and maybe if I go immutable I will try #Fedora first

0

40 Min.

Alexander Sosedkin @monk@social.unboiled.info
@publicvoit

> For example, when GitHub would be out of business or the service is down for
some other reason, NixOS would probably be dead. Its main repositories are on
GitHub and there is no obvious fall-back concept to other repositories hosted on
different services.

This is just plain false. Flakes and channels can point anywhere; the only thing
that'd need special care to move is the registry repo that points to all the
other repos.
2

29 Min.

Karl Voit @publicvoit

@monk Yes. And at least in my case, they all point to GitHub.

1

25 Min.

Alexander Sosedkin @monk@social.unboiled.info
@publicvoit my point is, you can point them anywhere, just find a suitable
hosting
1

22 Min.

Karl Voit @publicvoit

@monk And my point is: all defaults of the NixOS installer are pointing to a
hacked platform where anything could be manipulated already.

Copying a tainted dataset still results in a tainted dataset, independent of the
trustworthiness of a different hoster.

1

13 Min.

Alexander Sosedkin @monk@social.unboiled.info
@publicvoit OK, so, take the last commit before the compromise, move it
somewhere, replay history, update registry, update default registry URL, rebuild
installation media. All the technical stuff is already there, about as ready as
it could possibly be, so it's mainly the question of convincing the community
that all of that is actually necessary.
1
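The relocation @monk sketches above (move the repository, update the registry and the default registry URL) boils down to a few Nix settings. The following NixOS module is an added example, not code from the thread or from the NixOS project; forge.example.org, the branch name and the all-zero commit id are placeholders for values you would verify out-of-band before pinning them.

```nix
{ config, lib, pkgs, ... }:
let
  # Hypothetical self-hosted mirror of nixpkgs. The ref and rev are
  # placeholders; pin to a commit whose content you have checked yourself.
  mirror = {
    type = "git";
    url = "https://forge.example.org/mirrors/nixpkgs.git";
    ref = "refs/heads/nixos-23.05";
    rev = "0000000000000000000000000000000000000000";
  };
in
{
  # Flake side: the indirect name `nixpkgs` resolves to the mirror, pinned to
  # one commit. With a fixed rev, a force-push on the mirror does not change
  # what gets fetched; Nix fails instead of silently following the new head.
  nix.registry.nixpkgs = {
    from = { type = "indirect"; id = "nixpkgs"; };
    to = mirror;
  };

  # Legacy side: <nixpkgs> for nix-build / nix-shell follows the same registry
  # entry instead of the default channel tarball, so both code paths agree.
  nix.nixPath = [ "nixpkgs=flake:nixpkgs" ];

  # Replace the upstream global registry (which lists GitHub URLs) with a local
  # file, so unqualified names like `flake:nixpkgs` never fall back to the
  # default forge when the system registry has no entry.
  nix.settings.flake-registry = "/etc/nix/flake-registry.json";
  environment.etc."nix/flake-registry.json".text = builtins.toJSON {
    version = 2;
    flakes = [
      { from = { type = "indirect"; id = "nixpkgs"; }; to = mirror; }
    ];
  };
}
```

Relocating the repository does not by itself answer the "tainted dataset" objection raised later in the thread; what it does give you is a content check: flake.lock records a narHash for every input, so re-locking against the mirror must reproduce the narHash of the commit you already trusted, and any difference means the mirrored tree is not the tree you reviewed.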

3 Min.

Karl Voit @publicvoit

@monk So, yes. Let's trust Microsoft once more and delete everything since
2021-04.

https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/


Link preview: msrc.microsoft.com – Results of Major Technical Investigations for Storm-0558 Key Acquisition | MSRC Blog | Microsoft Security Response Center
#NixOS
0

26 Min.

IslandUsurper @IslandUsurper@fosstodon.org

@monk @publicvoit I can understand why someone would say it, though. By default,
the flakes registries and the previous channels both point to GitHub URLs. They
don’t have to, but it’s not obvious that they could be different.

Two big things I would worry about if GitHub became unusable for any reason: 1)
nixpkgs is friggen’ huge, in terms of size and activity, so picking a forge
successor must be done carefully. 2) issues and PRs are hard to migrate.

1

23 Min.

IslandUsurper @IslandUsurper@fosstodon.org

@monk @publicvoit none of these problems are actually specific to GitHub, I
think. It’s just what Nix uses currently. Communicating the change when
necessary takes the same amount of work regardless of the host. Maybe the
issues/prs migration can be easier with better tooling elsewhere.

A disaster plan sounds like a good idea. I hope someone has one, but I haven’t
heard of it.

0

47 Min.

Roomey @roomey@mastodon.ie

@publicvoit many years ago (the 90s) if you were online you assumed everything
you said and did was getting scraped by the NSA/ Americans. I don't think much
has changed. If you want to keep something private, try to keep it off the web.

It is safe to assume (big) nation states have access to everything, or if not,
hoover up everything they can and will have access soon enough.

1

26 Min.

Karl Voit @publicvoit

@roomey Well, I somewhat disagree here.

If you assumed state actors, especially USA state actors you may be right.

However, now it's some hacker group that can share their knowledge with anybody.
So the potential group of attackers is now extended to basically anybody who
somehow was able to get in touch with the hackers who hacked Microsoft.

That's a totally different game now.

Furthermore, it's not only privacy that's in danger here. It's the whole set of
https://en.wikipedia.org/wiki/Information_security#Key_concepts


Link preview: en.wikipedia.org – Information security - Wikipedia
1

5 Min.

Roomey @roomey@mastodon.ie

@publicvoit it was my understanding that this "hacking group" _was_ nation
state.

Either way, the rest of your comment here is correct in terms of what's at risk.
Best to assume compromise at some level.

1

1 Min.

Karl Voit @publicvoit

@roomey Attribution is extremely difficult.

Some say it's the Chinese.

But at that level, any hacker group (state or non-state) is able to fake
attribution hints of any sorts.

So we basically have no clue who did that and furthermore, who was given access
to the special backdoors after.

0

27 Min. *

Christian Stankowic @stdevel@chaos.social

@publicvoit We really need a user-friendly alternative to #GitHub. Love seeing
that both @forgejo and #GitLab work on ActivityPub support. Can't wait to try it
out.

0
