Comment by tiffanyh

1 day ago

Is Twitter/X the right channel to announce a security event like this?

I ask because I don’t see anything posted on their official blog or status page.

https://github.blog/

https://www.githubstatus.com/

It's certainly not the right platform. It'd be one thing if they had any official communication on the matter anywhere else. Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.

They announced this exclusively on X.com, which ranks barely above Pinterest in terms of usage. That's below Reddit, Snapchat, WeChat, and Instagram, and requires a user account to view profiles and posts. And that's ignoring all the reasons X is a divisive platform with an extreme political bent.

GitHub chose not to announce this on any other social media either (BlueSky, Facebook, TikTok, YouTube, LinkedIn, or Mastodon, as of this posting), and no emails were sent on the matter.

  • Who the heck follows GitHub on Snapchat, TikTok, YouTube, Pinterest, Instagram, Reddit, Facebook, WeChat?

    Wherever they posted, there are at this time two articles on the Hacker News front page. Sounds like they have reached their audience.

    • It's to point out how comparatively small X is. It's in the same ballpark as Pinterest and Quora.

      GitHub decided not to use email (which every GitHub customer has), their sites, or their otherwise active BlueSky.


  • > Maybe they're ashamed and are trying to limit the visibility while only technically issuing an announcement.

    I think that's panic mode from some decision maker (i.e. head of marketing or head of security).

    • It’s not like they have a choice as a public company. I wonder if this low visibility post meets SEC requirements though.

  • [flagged]

    • I’m not on X, so it’s good to know I don’t matter in tech. I always suspected. Since I’m a paying GitHub customer, though, I should probably matter to them. The right forum for GitHub to post this is with their status page, their blog, their website, or an email to all their customers. Using any sort of social media for this kind of thing is either incredibly sloppy or very intentionally quiet. Given that my tiny employer has a better incident communication plan than this, my guess is this is an attempt to downplay things.

    • > Saying things doesn't make them true, man. Everyone in tech who matters is on X.

      The cognitive dissonance is insane here. Indeed, saying things doesn't make them true. Even for you. Facts don't care about your feelings.

    • Company news really should be posted on a company website first, and on other platforms second, in my opinion.

    • Maybe we need a cultural shift then, because if one needs to use a platform like X, nowadays owned and operated by fascists, then there's something deeply wrong with the tech world. It'd probably take a lot of effort to do so, but it'd be absolutely worth it.

      Besides, even if that wasn't a consideration, only posting the announcement to X is just crazy. As others have said, you'd expect GitHub to make the announcement on their official website. Any paying client would then just follow that for their announcements.


It's been pretty common in the past for tech companies to announce outages and quick updates about them on Twitter, for decades. I'm sure their status page etc. will be updated soon, but it's historically been the fastest way to get things out to the wider audience whilst bypassing the "official mail out" review by marketing etc.

  • I think that was a lot more justifiable when Twitter reliably let logged-out users read tweets. X seems to tweak it all the time, or maybe it’s just broken a lot, but sometimes I can’t even load a tweet in a browser that isn’t logged in.

    • They broke it not too long before Musk bought it when they wanted to boost user numbers.

      It'll frequently display tweets from literal years ago as being the latest.

      It's why proxies/mirrors are often linked rather than Twitter itself.

      They don't seem to care to fix it, which implies that it's intentional. Seems completely stupid but what do I know?

  • It hasn't shown live profile pages to logged-out users for a while now. You get cached summary pages, an age gate error, or sometimes a straight up 404.

    Most individual permalinks (.com/username/1234...) don't work without logging in, either, and the official client now uses `/i/` in place of usernames for permalinks (bogus usernames always worked; the primary key was the timestamp).

    This means an organizationally shared Twitter account for announcements is not a viable concept, at least until Twitter is transferred again to whoever would be a better keeper of it.

Even if it's a wingnut-dense place, there are good arguments for using a channel independent of your infra in a case like this. You (or GitHub themselves) don't know if their status page is pwned.

I don't mind them using it as a channel per se (although the userbase isn't what it once was) but it certainly shouldn't be the only channel.

For example: Twitter/X, along with Nitter mirrors like XCancel, are all blocked at the client I'm currently working with so although they can see this discussion, they're excluded from some of the most important details.

(Like many former Twitter users, I don't have an X account these days, so I'm guessing I wouldn't be able to see the full original thread - glad of XCancel, that's for sure.)

They should send messages directly to their customers as a first step in addition to posting an official article on their site. That’s the minimum. If they haven’t done that then it is hard to defend.

Beyond that, Twitter is the de facto default dissemination vehicle, due to its reach. Even if people are not on Twitter, they are likely to see things from people that are on Twitter.

It’s a very popular messaging platform for tech enthusiasts.

  • also a very popular messaging platform for [redacted] enthusiasts

    • The only metric that matters when choosing a platform to broadcast announcements is ‘very popular’.

  • So? Is this where your corporate paying clients should find out about an issue of this severity?

    Not to mention Twitter is not an open platform anymore! (A) I'm an employee in an organization paying for Github. (B) I don't have a Twitter account. I already have a Github account because of (A). Why should (B) stop/delay me from getting official comms about this?

    • Isn't it the first stop for the USG at this point? I mean, I wish the world were a different place but here we are.

Probably the best option after sending a mass email when customers need to take action. The status page is for reliability issues impacting end users & the blog is for in-depth analysis.

I mean, if you are going to use AI which was trained on code of statistically mediocre average at best, have outages and major incidents every few days, why not go wild and start publishing incidents to Twitter too? It checks out with the rest of the stuff.

Watch it turn out that their Twitter account is what was hacked, and github.com is actually fine.

  • Yes, and GitHub having a zero-nines reliability record is because of a hacked Twitter account too! (sigh...)