> The fact that this key was apparently not stored in an HSM, and that GH employees had access to this private key (allowing them to accidentally push it) means that effectively all communication with GH since the founding of the company has to be considered compromised.
For a host key? Like I get that being able to impersonate Github isn't great as far as state level actors having the ability to do this but you do know the actual transport layer keys are ephemeral and aren't derived at all from the host key, right?
> state level actors having the ability to do this
Not just nation state actors, but basically anyone in a position to MITM.
Also, you don't have to be a nation state actor to extort a GH employee. Any bad guy can do a "give me this key or I'll hurt your kid". People are being extorted for a lot less.
There are billions of dollars of assets flowing through GH's infrastructure; for the sake of the safety (!= security) of Github's employees, nobody should ever have access to key material.
Spot on. Most people will remain absolutely rational when faced with irrational threats. The only protection against that is ensuring that condition cannot be encountered.
"Obey so they don't carry out their threat." may be prescribed by classical decision theory, but I wouldn't call it rational when it's bad for you to be known to do it. I just asked classical decision theory what decision theory to pick and I think it said "take action x such that, if you do x, and everyone had known since 15:53 UTC Mar 24, 2023 that you'd do x, you'd have done as well as possible." So what deserves to be called "rational" may be to do what the person you wish you'd always been would do.
It doesn't take a state actor to MITM this. It takes a WiFi Pineapple advertising a fake AP and tired devs in Blue Bottle smashing `ssh-keygen -R github.com` without verifying the fingerprint. Very simple. Even easier than trying to MITM a site accessed via browser, which will probably have at least HSTS to help you out.
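The defensive half of the comment above, as an added example that is not from the thread: pin the provider's published host-key fingerprint and verify a replacement `known_hosts` entry against that pin before trusting it, instead of running `ssh-keygen -R` and accepting whatever key the next connection offers. The host name, key bytes and resulting fingerprints below are constructed for illustration, not GitHub's real ones.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_line(host: str, pubkey32: bytes) -> str:
    """Build a known_hosts line for a raw 32-byte Ed25519 public key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey32)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_known_hosts_line(line: str):
    """Return (host, keytype, blob); reject lines whose blob disagrees with keytype."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field does not match blob")
    return host, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_is_pinned(line: str, pinned: dict) -> bool:
    """True only if the entry's fingerprint equals the pin for (host, keytype)."""
    host, keytype, blob = parse_known_hosts_line(line)
    return pinned.get((host, keytype)) == sha256_fingerprint(blob)


# Constructed reference key (stands in for the provider's published fingerprint).
HOST = "git.example.invalid"
GOOD_LINE = make_ed25519_line(HOST, bytes(range(32)))
PINNED = {(HOST, "ssh-ed25519"): sha256_fingerprint(parse_known_hosts_line(GOOD_LINE)[2])}
# A different key offered for the same host must be rejected, not silently accepted.
OTHER_LINE = make_ed25519_line(HOST, bytes(range(32, 64)))
```

In practice the `PINNED` value comes from the provider's out-of-band fingerprint publication, not from the key the server just presented.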
> As of January 2023, GitHub reported having over 100 million developers and more than 372 million repositories, including at least 28 million public repositories
If there are ~350 million private repos then they'd only need to be worth an average of $30 each to be worth a billion dollars in total. Which doesn't seem far-fetched.
Considering the looooong tail of these repos are forks with no changes, sample code, toy projects abandoned after a single commit, etc. etc., I'd say it's pretty far-fetched.
For proof, try searching for a mundane string in GH Code search. The vast majority of repos you see will be basically garbage.
I think that is incredibly far-fetched. If you got access to 1,000 random private Github repos, I don't think you could sell them, or otherwise utilize them for anywhere near that value, if anything.
A better way of quantifying this would be to look at the impact of real-life source code leaks. I'm not aware of any significant monetization of the Windows source leak, for example.