Comment by irishcoffee

2 days ago

If I had a dollar for the amount of secrets committed to public repositories I could probably retire. No, that isn’t an excuse. Pretending the US govt isn’t made up of people just like you or I is quite silly.

Hold up, I think we have some sort of math denominator problem here.

You'd be rich if you got a dollar for every worldwide murder too, but that doesn't make murder a common workplace occurrence.

  • ‘Tis a lot different mentality typing git commit/git push than it is to murder someone in cold blood, I guess?

    • I was thinking more purely in terms of frequency. For a dollar a pop, you can be "rich" for worldwide events that are actually very rare things.

“Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.”

This makes it seem more intentional to me. Regardless of what the ultimate purpose or use of the repository was, it says to me the person knew what they were doing and it wasn’t just an innocent oversight like anybody could’ve made.

If I had a dollar for each secret I’ve committed to a public repo, I could probably buy a couple of sandwiches. I’m not smarter and my opsec probably isn’t any better than most old devs, but I also don’t have a treasure trove of government secrets on disk and—crucially!—_I would make different decisions if I did_.

The nuance here: when I’ve slipped and committed secrets, it’s typically a relative nothing burger: most common case is API keys to some third-party service. I’ve worked across a bunch of regulated industries and, within those, not caused a breach—because being in that space you know to be more careful, and because the companies in those spaces (wisely!) tend to support good security practices, more so than the industry average.