What's most interesting in this whole write-up is this:

> Security update hidden from search engines

Slack is selectively and deliberately limiting public access (discoverability) to the security breach announcements.
Timeline matches the Travis breach. So far likely impacted:

1. Slack
2. Okta (https://news.ycombinator.com/item?id=34081154)
3. Coa (https://github.com/veged/coa/issues/99#issuecomment-961696885)
This is how LastPass started the efficient downward spiral, no? This isn't shocking, but also is.

Is it wise to simply keep private repositories away from GitHub at this point? It seems the best way to avoid being drawn in with the rest as a target.

Internal bad actors? So location wouldn't matter?
Does it actually matter? I might be overlooking something but...

Slack is more than its code. The product is really the aggregate of their engineers' knowledge and internal processes. It's not practical to steal code and build a business or spinoff product around it.

The only legitimate threat seems to be the potential for exploitation. I suppose this might also threaten any backend improvements (economic leverage) they made with proprietary algorithms.
This is exactly why secrets should not be stashed in any Git repository. Granted, I'm not sure they're much safer in other managed services dedicated to protecting our secrets, with the news of several breaches as of late :/
It would be so nice if GitHub deprecated their one-key-takes-all model and would let us create per-org personal access tokens. Also, organizations should have power over these access tokens.
It remains surprising to see such private and valuable codebases hosted in the cloud in an external party's service.

The cloud remains someone else's shared computer.
Like I said before [0][1], a reminder that private repositories are not private on GitHub.

A great time to self-host.

[0] https://news.ycombinator.com/item?id=34232347

[1] https://news.ycombinator.com/item?id=23102942
We migrated from Slack to Mattermost some time ago. Best decision ever. Not sure why companies keep using Slack nowadays. It's like those companies many years ago using HipChat instead of Slack. Slack is the HipChat of today.
I hope GitHub starts allowing all users to use IP whitelisting features. I understand it is a selling point for enterprise accounts, but tokens/passwords are not secure enough in today's environment.
They say no customer data was compromised and are investigating "potential impact" to customers.

The potential impact here is that an attacker now has access to some of their code, which could let them find and take advantage of vulnerabilities resulting in customer data being accessed.

Technically "potential impact" is correct, but I think companies often underplay how severe a source code leak is. It's the exact blueprint of how their app is built.
Off topic, but I made the mistake of trying to read this on my mobile phone this morning, where I don't use adblockers per se. Served at least 6 ads, even ignoring the nonsense at the bottom of the page. So annoying and disruptive that I didn't manage to read the story, and will find the details somewhere else.

We really needed a reaction against this nonsense which wasn't just adblockers.

Bummer.