15
virtualdev
330d

It finally happened. One of our junior devs pushed a secrets file to their git branch and now I have to reset ALL THEIR CREDENTIALS. "git add ." will be the death of me.

Comments
  • 15
    ...gitignore?
  • 1
    Also, server-side push hooks
  • 2
    @meaning2 already pushed to git
  • 2
    @ScriptCoded they gave it a unique name and saved in a json :)))))
  • 1
    And here is where git-filter-repo comes in.

    https://github.com/newren/...
  • 0
    @NeatNerdPrime lol that's what I did
  • 2
    @ScriptCoded yeah, but if he added it to git beforehand.. he probs has no other chance than to rebase the whole thing, right?
  • 1
    I'm curious as to what the creds were for, and why a junior needed to have them on their machine?
  • 1
    another reason im not super excited to need to use things like git again... when i say again... i mean it was like a decade ago.

    ive always worked mainly by myself in things with code.... im notoriously bad at backing up my work... or anything involving formatting/anything in a 'style code'-- i learned that term a couple years ago (programming/etc +20yrs). giant blocks

    pretty sure anything i put on git, publicly, by mistake, would do anyone trying to copy and/or comprehend it a major disservice...chatGPT called me legacy so much that i had to stop using chatGPT for actual comment lines... which i have zero valid frame of reference for where they should go or what they should say... esp english. then i have a few hundred scripts in batch and bash, some ps1... ranging from everything like CLI win to unix or reverse path conversions... to remapping, and several other registry mods, so the OS will use another drive for all programs/storage. thats just the stuff i can admit to
  • 0
    You have no automatic secret scanning on the remote that blocks it from being pushed in the first place?
  • 0
    @devRancid every one of those scanners ive personally dealt with... ~12 individual ver. about 40% were not proprietary... are a bad idea. I haven't directly, professionally, worked with one in about 3 years so this could be an outdated perspective but... as i am rather adept in cybersecurity and it was almost always a main component of consulting contracts i accepted, pretty sure if not someone completely outdated, im just right. I mean that in a 'ive been called as an expert witness in legal cases' way

    Though the majority of this can be fine-tuned down to a very minimal level of impact, imo it's still rather asinine:

    Connected to network to catch all outgoing possible creds files= gateway into network that now has a map to creds path and/or the formatting all your creds are stored in.

    Really secured and locked somewhere while giving peace of mind = identify update routine/master key holder, win a huge cache of creds via that peace/trust using it as a lazy filter

    Etc.
  • 0
    @devRancid even the methods used to identify the secrets files are a security risk...

    if all creds can be identified by a regex (or even several) and that regex is innately enforced... like someone's creds file wouldnt work as a creds file if the format was off... or the more insane version (unfortunately seen it more than once) that they enforce regex structures in the creds themselves... which is dumb enough for company email schemes (and those have a valid reason for format), worse elsewhere... if its in the passwords/keys themselves it should be a crime imo.

    Anything else ive seen was often just as asinine... akin to anyone who thinks that having super complex, essentially random, unique passwords for every online acc is the safest... well assuming that you have one hell of a memory and enjoy typing those out every login... great. Most people stash them in an easy access text file = fail.
  • 1
    Making it undetectable by a regex is just stupid security by obscurity and achieves nothing
  • 0
    @awesomeest Based on "secrets file" it sounds like auto generated API keys and not chosen password of a boomer like you that thinks unique/complex=bad and have to be remembered instead of using a password manager
  • 0
    @devRancid duh... but the sysadmin (bs ones imo) dont realise that. You have no clue how many large companies do this... its scary
  • 1
    @devRancid idk what your... insult? Of "boomer" is supposed to mean.

    You seem to think that password managers are valid. They aren't. Very easy to corrupt the whole thing and release all info, even with a good one.

    I dont have time to go over every aspect of these in text and some would be federal felonies for me to explain. If you dont mind a voice call @awesomeest on tg and sara.awesomeest on discord.
  • 0
    @devRancid oh also, im a professional in this field, been called to court as an expert witness, asked numerous times to guest lecture in several places etc... never asked for any of it. So basically, though ill always listen to arguments above basic ad hominem like whatever a "boomer" is and how it's in your mind, somewhat relevant to factual information. It still has no substance of the argument

    Google - "how to disagree" Paul Graham
  • 0
    @devRancid btw. If you can speak English (or German) well enough to have a recorded debate in this lmk
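
Added example, not posted by anyone in this thread: a sketch of the server-side push hook with secret scanning that two comments suggest. It inspects file content rather than file names, since the file here had a unique name a .gitignore rule would not have matched. The key-name patterns, the length and entropy thresholds, and the sample file are assumptions.

```python
#!/usr/bin/env python3
# Added example: content-based pre-receive check. Patterns/thresholds are assumptions.
import math, re, subprocess, sys

KEY = re.compile(r'"([^"]*(?:secret|token|password|api[_-]?key)[^"]*)"\s*:\s*"([^"]+)"', re.I)
PEM = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# Constructed sample: a secrets file under a name no .gitignore rule anticipated.
SAMPLE = '{\n  "user": "build-bot",\n  "api_key": "q7Wz3LmX9cVb2NpR5tYk8HdF",\n  "password": "changeme"\n}\n'

def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_secrets(text, min_len=16, min_entropy=3.5):
    """Return (line_number, reason) for every suspicious line, whatever the file is called."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if PEM.search(line):
            hits.append((no, "private key block"))
        for name, value in KEY.findall(line):
            if len(value) >= min_len and entropy(value) >= min_entropy:
                hits.append((no, f"high-entropy value for {name!r}"))
    return hits

def is_null(sha):
    return set(sha) == {"0"}  # all-zero id marks ref creation or deletion

def git(*args):
    return subprocess.check_output(["git", *args])

def pushed_files(old, new):
    """Yield (label, text) for each file added or modified by the pushed commits."""
    rng = [new, "--not", "--all"] if is_null(old) else [f"{old}..{new}"]
    for commit in git("rev-list", *rng).decode().split():
        out = git("diff-tree", "--root", "--no-commit-id", "--name-only", "-r", "-z", "--diff-filter=AM", commit)
        for path in filter(None, out.decode("utf-8", "replace").split("\0")):
            yield f"{commit[:8]}:{path}", git("show", f"{commit}:{path}").decode("utf-8", "replace")

def main(lines):
    """pre-receive gets 'old new ref' lines on stdin; non-zero exit rejects the push."""
    rejected = False
    for old, new, ref in (l.split() for l in lines if l.strip()):
        if is_null(new):
            continue  # branch deletion: nothing to scan
        for label, text in pushed_files(old, new):
            for no, reason in find_secrets(text):
                print(f"{ref}: {label}:{no}: {reason}", file=sys.stderr)
                rejected = True
    return 1 if rejected else 0

if __name__ == "__main__":
    sys.exit(main(sys.stdin))
```

Changes that exist only in a merge commit and submodule entries are not handled in this sketch. Rejecting the push keeps the secret off the remote, but a credential that was already pushed still has to be rotated.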