Elon Musk Takes Even More Desperate Actions To Force People To Pay To Use Twitter

Posted in Commentary with tags on March 28, 2023 by itnerd

Elon Musk is getting really desperate to get people to pay to use Twitter. In his latest “Hail Mary” to get you to pay up, Elon’s decided to do the following:

So let’s think about this. Elon Musk is basically going to force Twitter users to pay up by keeping them from voting in polls and not showing them in the “for you” recommendations. I’m pretty sure that this is going to have the opposite effect. As in people will say that it’s not worth being on Twitter if Elon’s going to do this and instead of paying him $8 ($11 if you’re on iOS) a month to be on Twitter, they will instead run to Mastodon. Which appears to already be happening based on this:

For the last week or two, Mastodon has had somewhere between one and two thousand new accounts created every hour. You have to assume those are Twitter users who are fleeing the platform because of Elon’s behaviour, his idiotic policies, or instability of the platform. Such as what happened this morning according to Down Detector:

I am not sure what happened, but clearly something did an hour ago. And I expect this sort of random instability with Twitter to become more and more prevalent. All of that combined will diminish Twitter’s value to users and send them to greener pastures with more stable leadership. That in turn will reduce the value of Twitter to advertisers and deprive Elon of cash. And Twitter will die as a result and Elon will be seen as a loser. Which will be a major blow to his fragile ego that I am not sure that he will be able to cope with.

Hackers Pwn Multiple Schools In West Sussex U.K.

Posted in Commentary with tags on March 28, 2023 by itnerd

A hacker group has launched a ransomware attack on Tanbridge House School in West Sussex, U.K. The attack has caused major disruption at the school and, while the headteacher has stated ‘no compromised sensitive information has been found’, the ransomware group claims to have PII regarding staff and students gained from another attack on another school. In total, three schools in the area have been pwned.

Darren Williams, CEO and Founder, BlackFog had this comment:

     “Education took the top spot for reported ransomware attacks in 2022, a trend which has continued into 2023. A combination of skills shortages, lack of resources, and budgetary challenges means that the education sector is often regarded as low-hanging fruit for attackers. As criminal gangs have moved away from encryption, data exfiltration is often the main incentive for these attacks as the integrity of the data is highly important to not only the schools but the individuals within them, thus making a potential ransom payment more probable. As long as schools and other organizations fail to implement anti data exfiltration technology, extortion will be a more prevalent theme when it comes to cyberattacks.” 

Given that this was the third attack on schools in the area, it’s a safe bet that other schools in the area will likely suffer the same fate if they don’t take action to protect themselves now. Assuming it’s not already too late.

I Upgraded To The New HomeKit Architecture Yesterday…. What Could Go Wrong?

Posted in Commentary with tags on March 28, 2023 by itnerd

One of the things that Apple promised when iOS 16 was released was a new architecture for HomeKit. Apple really didn’t go into much detail when they announced it. But it was supposed to improve the reliability of HomeKit setups. This was eventually rolled out just before Christmas, and was promptly pulled when people had issues. Apple did promise that it would return, and it did yesterday with the release of iOS 16.4. So as usual, I decided to update to the new architecture to see what would happen. Before I tell you about how that went, let’s go into the weeds for a bit to explain what this new architecture is and why it matters.

With previous versions of HomeKit, your HomeKit “controller” (the Home app on an iPhone, iPad, or Mac, for example) talked directly to each device in your home. What that means is that when you look at any device, your iPhone, Mac or whatever has to go across your network and ask the device, say a smart switch for example, what its status was. Then it would have to wait until the device replied. This is why you would see “Updating….” in the Home app before the status of the device was received by the Home app. If it didn’t get a response at all or in a timely manner, you would see the dreaded “no response” message. Now this is horribly inefficient as a large HomeKit setup might take minutes to have devices respond as the Home app is literally asking every device what its status is.

In the New HomeKit architecture, ALL HomeKit requests are serviced by the HomeKit Hub. Meaning your Apple TV or your HomePod. Your Home app no longer needs to query each device individually. The HomeKit Hub is continually maintaining an up-to-date status of each device and simply passes that information to the Home app which is far more efficient. In theory this should make every device instantly available and should result in better performance, even in large HomeKit setups.

There is one side effect to this new architecture for HomeKit. iPads which could be used as HomeKit hubs prior to the release of the new architecture can no longer be used for that purpose. You are now “forced” to use an Apple TV or HomePod as a HomeKit hub. That I can see being an issue for some. But honestly, having a HomePod or an Apple TV which is purpose built to act as a HomeKit hub is a much better idea.

Another thing to point out is that this is a one way trip. Once you pull this trigger, there’s no going back.

So with that out of the way, let me talk about my upgrade experience by starting with my HomeKit setup. It’s not all that big and I described it here. But I will point out that I have swapped this door alarm for this one recently. My wife and I have the ability to administer anything in the HomeKit setup. And that’s important to note as inviting someone to administer your HomeKit setup was one of the issues. The other thing was your entire HomeKit setup would become unresponsive among other issues. So my plan was to watch out for those issues as I did the upgrade.

Now the first thing that I did was upgrade every Apple device to the latest software version. So that meant that my wife and I had to be running the following on our respective devices:

  • Both our Macs needed to be updated to macOS 13.3
  • Both our iPhones needed to be updated to iOS 16.4
  • Both our Apple Watches needed to be updated to watchOS 9.4
  • All the HomePod minis needed to be updated to HomePod software 16.4

This is because if you don’t upgrade all your devices to the latest software, any device that is not on the latest software can lose access to your HomeKit setup. And I suspect that a device that isn’t on the latest software version can cause other problems as Apple warns you if someone that has access to the HomeKit software has a device that isn’t on the latest software. Thus I would recommend that for best results, you upgrade all your devices first before you do anything else.

Once I did all of that, I went to the Home app on my iPhone, clicked what I call the “hamburger menu” in the top right of the Home app to get this menu:

I then chose “Home Settings” and “Software Update” and was greeted with this:

After clicking “Learn More”, I got this screen:

I then chose the upgrade option and watched a pinwheel spin on the bottom part of my iPhone for about three minutes. Then it was done. When I went back to the main screen of the Home app, I noted that all devices went unresponsive for just over a minute. Then they came back and in my testing of individual devices and scenes, everything worked fine.

Now some people with larger HomeKit setups are noticing that everything is much faster now. But I haven’t seen that as I don’t have a huge amount of devices in my setup. However I did notice that accessing my HomeKit setup from my Apple Watch went from practically unusable to being fairly quick and responsive. Thus validating that this architecture was a success. Though I will need to do some additional testing on some of my location based scenes to make sure. Once I do that, I will update this story accordingly. But in short, I can say that nothing went wrong in terms of upgrading to the new HomeKit architecture.

So should you upgrade to the new HomeKit architecture? It’s early days yet, but my own experience combined with what I am seeing on places like Reddit suggests to me that Apple has largely sorted out whatever issues that they had with the new architecture. Though I am still seeing the odd person reporting that their entire HomeKit setup went unresponsive after the upgrade. But those seem to be the minority rather than every second post on Reddit which was the case last year. Thus my suggestion would be to wait a few days to see if any negative reports pop up in the HomeKit subreddit. If they don’t, then you might want to dive in.

If I could give Apple one piece of advice, there needs to be a way for users to back up their HomeKit setups along with any scenes and automations that they might have created. I say this because this would give people the confidence to do an upgrade like this as they would have the ability to revert back easily if something went wrong. At present there isn’t anything natively that backs up a HomeKit setup. Though I am aware of a couple of third party tools that do this. But I have not tested them. As a result, if something does go wrong, the only thing a user can do at present is to delete the HomeKit setup and do it over again from scratch. Which if you have a large HomeKit setup with a lot of automations and/or scenes would be very painful.

Have you done the HomeKit architecture upgrade? If so, what was your experience like? Please leave a comment below and share your experience with us.

Commvault Earns 5-Star Rating in 2023 CRN Partner Program Guide

Posted in Commentary with tags on March 27, 2023 by itnerd

Commvault, an enterprise data protection leader for the complex and mission critical hybrid environments of today’s global businesses, today announced its prestigious 5-star rating for the Commvault Partner Advantage program in the 2023 Partner Program Guide from CRN, a brand of The Channel Company.

According to CRN, Commvault earned the 5-star rating for going “above and beyond” in its “commitment to nurturing strong, profitable, successful channel partnerships.” Knowing which partners you can trust is critical for the channel community, especially when assessing which IT manufacturers, service providers, and distributors to do business with. Partnering with vendors like Commvault brings with it world-class technology solutions with unmatched breadth and depth, strong financial incentives, sales and marketing assistance, training and certification, technical support, and more – all important elements that can set a vendor apart and play a key role in boosting partners’ long-term growth.

In the 2023 CRN Partner Program Guide, vendors were evaluated based on program requirements and offerings such as partner training and education, pre- and post-sales support, marketing programs and resources, technical support, and communication.

Commvault’s Partner Advantage program has received a 5-star rating in the CRN Partner Program Guide for the last 10 years. Key tenets of the program center around Commvault’s dedication to helping its partners simplify their offerings, solve high-value customer problems to stay competitive, and evolve their business for exponential growth. Through the Commvault Partner Advantage program, partners can leverage Commvault’s world-class technology, in-depth tools, and tactical support needed to level up every one of their customer engagements and achieve next-level success—on-prem, in the cloud, at the edge, and everywhere in between.

The 2023 Partner Program Guide will be featured in the April 2023 issue of CRN and online at www.CRN.com/PPG.

Mujjo Releases New Laptop Sleeves

Posted in Commentary with tags on March 27, 2023 by itnerd

Mujjo has released a pair of laptop sleeves that can help protect laptops such as the new M2 MacBook Pro models that were recently announced.

First up, the Portfolio keeps business essentials well organized and at hand. Perfect for meetings, and working on a plane or train.

A few highlights:

  • All-weather protection: Made from lightweight and durable waterproof fabric, created from recycled plastic.
  • Easy access: separate section for a 16-inch laptop, and multiple pockets for accessories.
  • Available for €95 | £95 | $95 on mujjo.com and Amazon

Next is the Envoy Laptop Sleeve. They’ve worked hard on the details so you don’t have to. This lightweight and durable sleeve is designed to hold a MacBook Pro — available for both 14-inch and 16-inch models. Available in black and navy. 

A few highlights:

  • In-sleeve charging for your laptop
  • Magnetic side-opening that expands to hold your accessories
  • Expandable opening to fit larger-bulk items like your charger (and when it’s empty, the pocket remains slim)
  • Available for €95 | £95 | $95 on mujjo.com

Here’s Some More Information About Rogers Ongoing Email Fiasco

Posted in Commentary with tags on March 27, 2023 by itnerd

As I type this, it is March 27th and there’s still no resolution to the issues that Rogers has with their email offering. For those of you who are new to this, let me recap the sequence of events that has been ongoing for almost the last month:

It started as a general outage, but what has dragged on for weeks is an issue with email. Anyone who uses Rogers email service (in other words they have a @Rogers.com address) cannot get their email. This is in part due to the fact that Rogers requires users to create App Specific Passwords via Rogers Member Center on each program or device that an email address is used on. The creation of new app specific passwords doesn’t work and existing app specific passwords appear to have been deleted in many cases. That pretty much breaks your applications that rely on them. There is a workaround, but that workaround is sub-optimal because viewing mail through a web browser is not the best experience. Especially on a smart phone. And there’s the fact that you might have to call Rogers to get someone to reset your email password if you don’t know what it is. The problem with that is that since this fiasco began, Rogers wait times to speak to someone have gone through the roof. Making that a sub-optimal experience as well for Rogers customers.

Now I’ve been asking my sources inside Rogers about this whole fiasco, and they’ve told me on background that this is entirely a Rogers issue that they have yet to figure out. Specifically with the underpinnings of their App Specific Password system which is bolted onto their email service which is provided by Yahoo. I’ll have more on Yahoo in a moment. But you’re likely wondering why Rogers uses App Specific Passwords in their email offering. Here’s the answer: Security.

If a threat actor manages to get your password, and that same password is used on all the mail clients that you use, the threat actor in theory has access to your email on any device. That would be the case with the majority of email systems out there. But by using App Specific Passwords, where every email client and/or device has a unique password, any sort of pwnage that a threat actor does is limited to the one device or application. At least in theory.
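An added example, not Rogers' or Yahoo's code: a minimal model of the app-specific password idea described above, showing that revoking one client's credential leaves every other client working. The class, function and client names are hypothetical, and PBKDF2 with this work factor is an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed work factor for this illustration


class AppPasswordStore:
    """Hypothetical server-side store: one random password per client/device."""

    def __init__(self):
        self._entries = {}  # label -> (salt, derived_key); plaintext is never kept

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, label):
        """Create a password for one client; the plaintext is returned once only."""
        if label in self._entries:
            raise ValueError(f"{label!r} already has an app password")
        password = secrets.token_urlsafe(18)  # 144 random bits, 24 characters
        salt = secrets.token_bytes(16)
        self._entries[label] = (salt, self._derive(password, salt))
        return password

    def authenticate(self, password):
        """Return the label the password belongs to, or None if it matches nothing."""
        matched = None
        for label, (salt, key) in self._entries.items():
            # Constant-time comparison; the loop always runs over every entry.
            if hmac.compare_digest(self._derive(password, salt), key):
                matched = label
        return matched

    def revoke(self, label):
        """Invalidate one client's password; every other client keeps working."""
        return self._entries.pop(label, None) is not None

    def labels(self):
        return sorted(self._entries)


def simulate_stolen_laptop():
    """Constructed scenario: the laptop's mail password leaks and is revoked."""
    store = AppPasswordStore()
    clients = ("laptop-mail", "phone-mail", "tablet-mail")  # constructed names
    issued = {name: store.issue(name) for name in clients}
    stolen = issued["laptop-mail"]

    before = store.authenticate(stolen)   # the leaked password still works here
    store.revoke("laptop-mail")           # owner revokes only that credential
    after = store.authenticate(stolen)    # the leaked password is now rejected
    others_ok = all(
        store.authenticate(issued[name]) == name
        for name in ("phone-mail", "tablet-mail")
    )
    return {
        "before": before,
        "after": after,
        "others_ok": others_ok,
        "remaining": store.labels(),
    }


if __name__ == "__main__":
    print(simulate_stolen_laptop())
```

Because each credential is random and stored only as a salted hash, a leak from one client reveals nothing about the passwords issued to the others.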

Sidebar: One of the ways that you can best protect yourself online is to use a completely different password for each and every service that you use as that follows the logic that Rogers is using here.

My problem with this App Specific Password scheme by Rogers is that it adds a layer of complexity that most users have problems dealing with as going to the Rogers Members Center and generating a password to use with your email client and/or device of choice is easy for someone like me, but complex for many of Rogers customers. And I have to admit, I do make a fair amount of money from this because I often get phone calls for help when a customer gets a new laptop or smartphone, and they want to get their email on it. In short, Rogers implementation of App Specific Passwords isn’t something that some Rogers customers can easily understand. If Rogers wanted to improve the security of their email service, my suggestion would be to enforce the use of complex passwords. For example, “password” is less secure than “P@$$w0rd” because the latter has special characters, a number and a capitalized letter that make the password harder for a threat actor to brute force or guess. I also assume that this would be easier for Rogers to implement, less likely to run into the issues that we’ve been seeing for the last month, and most importantly it would be secure.

Now if that’s not bad enough, there’s also the fact that the underpinnings of Rogers mail service is Yahoo. A company who doesn’t exactly have the best track record when it comes to privacy and security. And I suspect the latter is the reason why Rogers decided to bolt on App Specific Passwords to what Yahoo offers. In terms of the former, Rogers themselves got caught up in a change to Yahoo’s terms of service back in 2018 where Yahoo had tried to give themselves the right to do whatever they wanted with your email. While Yahoo did eventually walk that back for Canadians, it didn’t end well for Rogers as it left a bad taste in the mouths of a lot of their customers.

Now I am continuing to monitor this as I now have over three dozen clients who are affected by this… And counting. And I am continuing to publish updates on this because somebody needs to bring this issue and Rogers continued silence on this problem to light. Plus since you can’t forward your email to another provider, or export it entirely so that you have a local copy of it, Rogers email users are stuck with Rogers until they figure out how to fix this. Though I will admit to working on a way to export Rogers email so that my clients who want to dump Rogers for another ISP, but want a copy of their email have an option to accomplish that. If I get something that is workable on Mac and PC, I will publish it here. In the meantime, for the sake of Rogers customers, I hope that one of Canada’s largest telcos gets its act together and figures this out. Because as I type this, Rogers has handled this whole situation quite poorly. Which frankly isn’t a surprise given their recent track record with how they handle major outages.

Elon Musk Discloses That Twitter Is Worth Less Than Half Of What He Bought It For…. While Twitter’s Source Code Leaks

Posted in Commentary with tags on March 27, 2023 by itnerd

Elon Musk paid $44 billion USD for Twitter. And many said at the time he overpaid. But according to Musk, Twitter at present is worth less than HALF of what he paid for it:

Twitter is now worth just $20billion — less than half of what Elon Musk paid for it six months ago, the world’s richest man told his employees.

In a company-wide email on Friday, Musk said the social media giant has lost so much money in recent months that it is now worth just $20billion, a whopping $24billion less than what he purchased it for in October.

He then went on to defend his decision to lay off thousands of employees in the months since he took the helm of the company, and sell off a variety of merchandise in recent auctions — claiming that Twitter was once just four months from being bankrupt.

That’s mind blowing. Sure Twitter wasn’t worth $44 billion. But prior to his purchase it was worth more than $20 billion via some quick Googling that I did. That illustrates how much he’s really screwed up here to tank the value of the company by that much money.

Oh yeah, there’s also this:

In his company-wide email on Friday, obtained by the New York Times, Musk defended his decisions to lay off massive swaths of employees, saying the ‘radical changes’ to the company were necessary to save money.

He claimed that Twitter should be looked at as an ‘inverse start-up’ as he tries to rebrand the company, saying: ‘Twitter is being reshaped rapidly.’

And if his efforts are successful, Musk suggested that Twitter can one day be worth $250billion.

His remarks came as he explained the new stock compensation package he is offering to the less than 2,000 employees still left at the company.

Under his plan, Twitter employees will receive stock grants for the company he established to buy the social media platform — the X Corporation — which will operate under the $20billion estimate.

Workers will then be able to sell and cash in on their privately-held stocks every six months. 

Doing so, he said, would allow employees to have ‘liquid stock, but without the stock price chaos and lawsuit burdens of a public company.’

Musk has previously implemented a similar program at his Space X firm. 

I don’t know what drugs Elon is smoking. But nothing that he’s done with Twitter indicates that this company will be worth $250 billion in the future. In fact I would say that Elon has sent Twitter’s valuation in the other direction. Clearly Elon is either stoned or delusional. Perhaps both.

Strangely, the fact that he’s tanked Twitter’s value by over 50% isn’t his worst problem at the moment. This is:

Parts of Twitter’s source code, the underlying computer code on which the social network runs, were leaked online, according to a legal filing, a rare and major exposure of intellectual property as the company struggles to reduce technical issues and reverse its business fortunes under Elon Musk.

Twitter moved on Friday to have the leaked code taken down by sending a copyright infringement notice to GitHub, an online collaboration platform for software developers where the code was posted, according to the filing. GitHub complied and took down the code that day. It was unclear how long the leaked code had been online, but it appeared to have been public for at least several months.

Twitter also asked the U.S. District Court for the Northern District of California to order GitHub to identify the person who shared the code and any other individuals who downloaded it, according to the filing.

Twitter launched an investigation into the leak and executives handling the matter have surmised that whoever was responsible left the San Francisco-based company last year, two people briefed on the internal investigation said. Since Mr. Musk bought Twitter in October for $44 billion, about 75 percent of the company’s 7,500 employees have been laid off or resigned.

The executives were only recently made aware of the source code leak, the people briefed on the internal investigation said. One concern is that the code includes security vulnerabilities that could give hackers or other motivated parties the means to extract user data or take down the site, they said.

Well, this is a huge problem for Elon, as anyone who can grab this code from GitHub and evade GitHub’s detection of the download (and frankly someone, singular or plural, is going to evade detection) is going to have the means to make life a living hell for Twitter and Elon. Threat actors would be able to launch attacks on Twitter at will, then rinse and repeat as Twitter will only be able to close the attack vector that was used in any one attack. To have any hope of stopping this, Twitter would have to do a full code review to even begin to close any of the possible attack vectors that they can find. And even then they won’t get all of them as threat actors would be one step ahead of them. Not to mention that threat actors would likely come up with attacks that Twitter would never envision based on what they find in the source code. It’s the ultimate game of “whack a mole” where Twitter is always going to be on the losing end of it.

If you’re one of the few people who are still on Twitter, you might want to buckle up. Because I suspect that things are about to get very bumpy. And Elon is going to be having a number of sleepless nights in the weeks ahead.

Guest Post: Russia-backed hackers target government and IT organizations in Ukraine

Posted in Commentary with tags on March 27, 2023 by itnerd

Data presented by Atlas VPN reveals that Russian hackers have been targeting Ukraine’s and its allied countries’ government and IT organizations with ever-increasing sophistication.

The Russian government is believed to be behind the attacks, as they appear to be well-funded and well-organized. The cyber attacks have been aimed at stealing sensitive information, disrupting systems, and causing chaos in the targeted countries.

According to the recently published Microsoft Threat Intelligence report, the government sector was by far the most targeted sector by Russian state-affiliated hackers between February 2022 and January 2023. 

The team at Microsoft discovered 46 organized cyber attacks on various government bodies.

Russian threat actors were also interested in IT & communications companies, launching 17 attacks within the last year. 

The energy sector was also among the industries most targeted, as they were subject to 16 cyber attacks. 

A suspected Russian threat actor named IRIDIUM initiated several phishing activities between January 12 and January 28 of 2023, to access accounts at Ukrainian businesses in the defense and energy sectors.

This aligns with the traditional targets of Russian cyberattacks in Ukraine since the energy sector provides a significant portion of Ukraine’s revenue, and the government and telecommunications industries are key components of national security.

Russian hackers have been using a variety of tactics to infiltrate government and IT organizations. One of the methods used is spear-phishing, which involves sending emails with malicious links or attachments that, when clicked, infect the targeted computer with malware. 

The attacks have become increasingly complex over time, with hackers using advanced techniques such as zero-day exploits, which are vulnerabilities in software that are not yet known to the software vendor.

One of the most concerning aspects of these attacks is the potential for damage to critical infrastructure. Russian hackers have already targeted the energy and transportation infrastructure in Ukraine. 

Attacks outside of Ukraine

The Ukrainian government and IT organizations are not the only targets of these attacks. Russia has also targeted companies in other countries, including NATO member states, to play havoc with their operations and gain access to classified information.  

Between February 23, 2022, and February 7, 2023, Microsoft observed Russian nation-state threat activity against organizations based in 74 countries, excluding Ukraine.

According to the amount of recorded threats, EU and NATO member countries—particularly those on the eastern flank—dominate the list of the top 10 most targeted states.

In the 74 countries they attacked, Russian threat actors were particularly interested in government and IT sector firms, much like in Ukraine.

Government and IT & communications sectors suffered from 100 and 51 cyber attacks, respectively. 

Hackers corrupt IT businesses to leverage trusted technical ties and gain access to those firms’ clients in government, policy, and other sensitive institutions.

Hackers paid a lot of attention to the activities of various non-profit organizations and tried to disrupt their efforts by launching 31 cyber threats within the past year. 

Sophisticated cyber attacks were launched on companies in the education and energy sectors, with 16 threats targeting each. 

To read the full article, head over to: https://atlasvpn.com/blog/russia-backed-hackers-target-government-and-it-organizations-in-ukraine

Usually I Bash Bell’s Customer Service… Today I Will Praise Them

Posted in Commentary with tags on March 26, 2023 by itnerd

Frequent readers of the blog will know that while I like Bell for the quality of their Internet offering, I don’t like the quality of their customer service. Specifically, I’ve said this in the past:

Bell’s customer service reps are insanely aggressive and walk up to the line of what I believe to be ethical behaviour in order to get you to subscribe to more services with Bell. This behaviour by these customer service reps, whom I am pretty sure are working for outsourced overseas call centres, is sure to turn some people off. For example, when my wife and I tried to switch to Bell a year ago, their behaviour was so bad that it sent us running back to Rogers. Though that was only for one more year and ended when Rogers recent troubles started. And when we did switch a couple of weeks ago, we were forced to run the gauntlet of Bell’s customer service reps upselling us to death. None of this helps Bell’s public image in any way as a lot of people have said to me that Bell’s tech is great, but Bell’s customer service sucks. If I were Mirko Bibic the CEO of Bell, I’d be figuring out how to fix that as their Internet offering is enough to win customers over by itself without having to resort to the borderline used car salesman tactics that are used by their customer service reps. 

Yesterday, I had an interaction with Bell’s customer service team that was the exact opposite. I had a client who bought a new MacBook Pro who was trying to add their email account to it. But it wouldn’t work and they couldn’t figure out why. On top of that, the same account on other devices suddenly stopped working. Which is why I got a phone call. It didn’t take me long to figure out what the issue was, which was they were using the wrong password. That in turn locked the email account which is a feature that Bell has with its email service.

That led me to what I needed to do to fix this. Well, normally I would ask the customer to log into their MyBell account to reset the password. But they didn’t know what the username and password for that was. So that left myself and my client to call Bell which is something that we were both dreading as we both haven’t had the best interactions with Bell in the past.

So after dialling them up and getting to the right department, we had a customer service rep pick up the phone quickly who then verified who my client was and permitted the client to let me drive the call. I then explained what I needed and the rep issued a temporary password, which I then used to get into the email account via Bell’s webmail service and change it to something that the customer could remember. From there I was able to get into her email on her MacBook and I was able to not only find her username for MyBell, but I was able to use the password reset function to allow her to get into it.

Total time invested: 8 Minutes.

At no time did the customer service rep try to sell us anything. Nor did they try to hurry us off the phone. Instead they were polite, patient, and supportive. While this is a sample size of one, I am hoping that this is indicative of Bell finally realizing that they needed to course correct when it comes to their customer service. If that is the case, I applaud Bell because their quality of customer service is what is holding them back from taking Rogers breakfast, lunch, and dinner. But I will be watching closely to see if this is just a fluke, or a sign of things to come.

#Fail: GitHub Publishes RSA SSH Host Keys BY MISTAKE

Posted in Commentary with tags on March 25, 2023 by itnerd

Well this is embarrassing.

GitHub has had to update its SSH keys after they accidentally published the private part of the key to the entire planet.

A post on GitHub’s security blog reveals that the company has changed its RSA SSH host keys. That will cause connection errors, and some frightening warning messages. But don’t worry developers, GitHub hasn’t been pwned. They just screwed up. But everything will be fine.

#Sarcasm

Kevin Bocek, VP Ecosystem and Community at Venafi had this comment:

“GitHub needs to take a closer look at how it manages its SSH keys as an exposure of this kind – no matter how brief – could have serious ramifications given the high level of privilege these machine identities are afforded. These critical machine identities are incredibly powerful and are used everywhere, but they’re also poorly understood and managed, making them a prime target for attackers. Unlike other machine identities, like TLS, SSH keys don’t expire. This means that a compromised identity could be abused for a long time – months or even years – without an organization knowing.

Fortunately, GitHub responded quickly to rotate the impacted machine identities once it noticed that the private SSH key was accidentally published in a public repository. And luckily, it doesn’t appear that they’ve been abused. But if an attacker had seized this opportunity, then it would have given them a very powerful weapon – potentially allowing them to spread across GitHub’s customer networks, eavesdropping on user’s connections, and accessing GitHub’s infrastructure too, while appearing completely trustworthy. In a machine-driven world, having a control plane to manage the lifecycle of machine identities is essential. As this incident shows, you can find yourself exposed very quickly and if not handled quickly, serious repercussions will follow.”

Hopefully GitHub learns from this and as a result has better practices in terms of their SSH keys so that they not only avoid the possibility of getting pwned, but also avoid being the punchline in a joke.