upvote

points

by bilekas11 hours ago |
comments
upvoteby dgellow10 hours ago|
next
[-]
TechCrunch is very sloppy and unreliable. I’ve seen them reporting on things I worked on where they just invented facts for SEO purpose and there is no way to get them to correct
reply
upvoteby sourcegrift8 hours ago|
parent|
[-]
Which is worse tc or verge? Verge does similar making up of facts.
reply
upvoteby subscribed7 hours ago|
parent|
[-]
Similar. They both don't belong here.
reply
upvoteby raffael_de11 hours ago|
prev|
next
[-]
What's your post mortem, then? As in - what happened and how should it be read?
reply
upvoteby bilekas10 hours ago|
parent|
[-]
Microsoft's open source projects the target of a supply chain attack and they decided to restrict access to understand and limit exposure ? Something a little more 'true' and less targetted?
reply
upvoteby philipwhiuk10 hours ago|
parent|
[-]
Azure are able to be targets of supply chain attack because of the supply chain ecosystem that they still own. It's not really a supply chain when it's still yours.
reply
upvoteby bilekas9 hours ago|
parent|
[-]
> It's not really a supply chain when it's still yours.

I don't personally buy that, they offer a package manager in the form of nuget for example, if their products there are compromised, they're well withing normal reach to block THEIR packages, but why would they need to block the rest ?

Maybe I'm missing something dumb

reply
upvoteby philipwhiuk6 hours ago|
parent|
next
[-]
* GitHub [which they own] failed to detect the account was compromised

* GitHub [which they own] allowed the contribution to ignore CI

* GitHub [which they own] failed to detect suspicious content on check-in

* GitHub [which they own] isn't sufficiently integrated into Microsoft security that the compromised token wasn't rolled.

reply
upvoteby philipwhiuk10 hours ago|
prev|
[-]
> > This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects, per Ars Technica.

> I, like many others love to knock on Microslop when I can, but in this case they did the right thing.

I've no idea what your problem with this sentence is. They have an organisational security problem, aided/demonstrated by lack of effort to effectively lockdown GitHub Actions and allowing MRs to circumvent CI/CD.

That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

In the age of AI, it's now endemic and being weaponised.

reply
upvoteby bilekas9 hours ago|
parent|
[-]
> That this is a Microsoft problem that was present pre-AI is not up for debate. See https://www.cisa.gov/sites/default/files/2025-03/CSRBReviewO...

No argument from me, but what would you have them do in the immediate timeframe ?

reply
upvoteby philipwhiuk6 hours ago|
parent|
[-]
Some form of public communication from Microsoft Security indicating an actual threat to their ecosystem and published pipeline of work to reduce the ability of attacks to spread via GitHub actions.

They can publish self-congratulatory stuff like this: https://www.microsoft.com/en-us/security/blog/2026/06/05/sec... but they can't publish a post-mortem on their own platform?

I'm told that when Affirmed got compromised Microsoft Security descended on the org and rewrote their entire backlog. Where is the plan from GitHub that they are now taking security seriously given GitHub Actions is now a primary threat vector even for projects written by their own company.

reply