I've found Docker's communication about this incident to be pretty poor.

1. The email they sent out didn't specify whether your account was included in the 5% of compromised users, or whether you had linked GitHub or BitBucket accounts that they unlinked. The only way to know seems to be if you still have a linked GH/BB account then you're (probably?) ok.

2. They mention you should "check security logs to see if any unexpected actions have taken place" and linked to GH/BB security audit log pages, but I don't believe that's sufficient; you also need to check for rogue commits.

3. They haven't said when the breach occurred, so there's no way of knowing how far back to look. They "discovered" it on Thursday, and say it was a "brief period", but that's meaningless.

4. They downplayed it as "brief", "non-financial user data", and "less than 5%" of users. I care more about the integrity of source code and builds than any financial information I might have given to Docker.

I can sometimes forgive companies for breaches like this, if they own up to it and do an excellent job of communicating what happened, how, when, what the impact and mitigations are, both internally and for their customers. That was not the case here.

EDIT: they discovered the breach Thursday, but still haven't given a timeframe for when it may have first occurred.
It would be helpful to include what specifically went wrong when there is a security incident at your company. Every failure should be a learning opportunity for others. Perhaps there should be some sort of safe harbor for disclosing security compromises as it benefits the greater community.

I can understand why you'd want to cover your ass in this type of situation. However, I think keeping these things secret leads to more harm over time as people brush off weaknesses in their own systems for lack of concrete examples of where it caused harm.

Was an employee careless with credentials? Was some service not updated? Was it a typical attack like a SQL injection that caused the leak? Having more real world info helps people model threats better.
Have to bring this up again, but Docker specifically blocked manual automated builds before this happened from Docker Hub and required that you use their app to link your account. Therefore, it will be near impossible to trust them after this.
How does liability work in these cases? If you had a security breach due to this security incident, would it be Docker's liability or yours? It's probably in the terms and conditions, but I would think it's your liability since you can host your own registries and it's your responsibility to act on Docker's warnings (and I would think users expect and demand abundance of caution). But what happens if Docker mischecked and sent you a false negative on being compromised? And what happens if a full post-mortem is released detailing gaps in security best practices between what Docker does and what you could do yourself?

This may well be a moot point; I think if you really wanted to be sure of what you were including in your code you would pull down tarballs and validate checksums for all dependencies before building on a secure network.
2 things that might be useful this week:

Implement PGP/GPG signed commits in your organization.

Learn how to create docker images from scratch. (my own very basic tutorial on this is here: https://write.as/aclarka2/create-a-centos-7-docker-image-from-scratch )
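The two points above, checking for rogue commits after an integration like Docker Hub's has been compromised and moving the organization to signed commits, come down to the same audit. The following is an added example written for this thread; it is not code from Docker or from any commenter. It builds a `git log` command that emits the signature status (`%G?`) and signing key fingerprint (`%GF`) per commit, parses that output, and flags every commit since a given date that is unsigned, signed by a key outside an allowlist, or authored from a domain outside the organization. The fingerprint, the allowed domain and `SAMPLE_LOG` are constructed, hypothetical values; replace them with your own.

```python
"""Audit recent git history for commits not signed by a trusted key.

Added example for the thread, not code from Docker or from any commenter.
Assumptions: a local checkout, the trusted signers' public keys imported
into gpg, and git >= 2.19 (for %GF). TRUSTED_FINGERPRINTS, TRUSTED_DOMAINS
and SAMPLE_LOG below are constructed, hypothetical data.
"""
import subprocess
from dataclasses import dataclass

# git's %G? codes: G good, B bad, U good but untrusted key, X/Y good but
# expired signature/key, R good but revoked key, E cannot check, N unsigned.
GOOD = "G"
SEP = "\x1f"  # ASCII unit separator; git never emits it inside these fields
LOG_FORMAT = SEP.join(["%H", "%G?", "%GF", "%an", "%ae", "%cI"])

# Hypothetical allowlists: replace with your org's key fingerprints and domains.
TRUSTED_FINGERPRINTS = {"1111222233334444555566667777888899990000"}
TRUSTED_DOMAINS = {"example.org"}


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str
    key_fingerprint: str
    author_name: str
    author_email: str
    committed: str


def git_log_args(since: str, ref: str = "HEAD") -> list[str]:
    """argv for a `git log` that prints one SEP-delimited line per commit."""
    return ["git", "log", ref, f"--since={since}", f"--format={LOG_FORMAT}"]


def parse_log(text: str) -> list[Commit]:
    """Parse the output of the git_log_args() command into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(SEP)
        if len(fields) != 6:
            raise ValueError(f"unexpected git log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def find_rogue(commits, trusted_fingerprints=TRUSTED_FINGERPRINTS,
               trusted_domains=TRUSTED_DOMAINS):
    """Return (commit, reasons) for every commit that fails a check.

    Flags a commit whose signature status is not 'G', whose signing key is
    off the allowlist, or whose author address is outside the allowed
    domains. A stolen token lets an attacker push all three kinds.
    """
    flagged = []
    for c in commits:
        reasons = []
        if c.sig_status != GOOD:
            reasons.append(f"signature status {c.sig_status!r}")
        elif c.key_fingerprint.upper() not in trusted_fingerprints:
            reasons.append(f"signed by untrusted key {c.key_fingerprint}")
        domain = c.author_email.rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            reasons.append(f"author domain {domain!r} not allowed")
        if reasons:
            flagged.append((c, reasons))
    return flagged


def audit_repo(since: str, repo: str = "."):
    """Run git in `repo` and audit every commit since `since` (ISO date)."""
    out = subprocess.run(git_log_args(since), cwd=repo, check=True,
                         capture_output=True, text=True).stdout
    return find_rogue(parse_log(out))


# Constructed sample of what the git_log_args() command prints: one good
# commit, one unsigned, one signed with an unknown key, one foreign author.
SAMPLE_LOG = "\n".join([
    SEP.join(["a1" * 20, "G", "1111222233334444555566667777888899990000",
              "Alice Example", "alice@example.org", "2019-04-22T09:00:00+00:00"]),
    SEP.join(["b2" * 20, "N", "", "Alice Example", "alice@example.org",
              "2019-04-24T18:30:00+00:00"]),
    SEP.join(["c3" * 20, "G", "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
              "Alice Example", "alice@example.org", "2019-04-25T01:10:00+00:00"]),
    SEP.join(["d4" * 20, "G", "1111222233334444555566667777888899990000",
              "Mallory", "mallory@attacker.test", "2019-04-25T02:00:00+00:00"]),
])


def audit_sample():
    """Audit SAMPLE_LOG; returns the flagged commits in log order."""
    return find_rogue(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for commit, reasons in audit_sample():
        print(commit.sha[:12], commit.committed, "; ".join(reasons))
```

Two caveats for real use. Git only reports `G` when the signer's public key is imported into gpg with enough trust, so an allowlist of fingerprints is what turns "signed" into "signed by us". And `git log` on the current ref cannot see a history rewrite that was force-pushed over the branch; compare the branch against a mirror, tag or backup taken before the incident window (which, as the first comment notes, Docker has not given) before trusting the result.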
The race is on.

The first guys to implement a container hosting and building solution that is verifiable will dethrone docker.

I hope docker does this themselves, mainly because that will be the fastest route to this happening.
I think when stuff like this happens there needs to be a public, technical, post-mortem. That way we can learn what went wrong and how we can protect ourselves from future breaches.
Immediately deleted my Docker hub account, deleted my github ssh keys, changed all my passwords.

I want Docker to succeed as a company but they just haven't made a compelling case for me to give them money yet. I guess they are focused on servicing larger companies.
This is a duplicate of https://news.ycombinator.com/item?id=19763413.
Side question: Since docker had lots of read/write access to private repositories that might have included sensitive data, is this a GDPR incident for the customers that would need to be reported?

Technically, a customer didn't have a breach/leak that may have resulted in data being exfiltrated, but they also cannot rule it out, and as they've explicitly trusted docker, is that an event that should trigger a chain of official reports?
The reason that the intruder didn't get access to any of Docker's financial systems is that they use Netsuite for all of that fun stuff: This screams to me (at least) that the intruder probably had access to more than what they are discussing.