From Startup To World-Leading … (Microsoft) GitHub

One of my best finds was installing Microsoft Visual Studio for Mac OS X. It has changed my whole environment for software development. And one of my best finds for my research and teaching is … GitHub. I have since moved all my teaching material towards it, and am porting all my research code there too. A new world is being built in GitHub.

You get the feeling that we are moving into a world where technology is dominated by cash-rich companies. Facebook now owns WhatsApp and Instagram, Microsoft owns LinkedIn, and now Microsoft has acquired GitHub.

From a fairly closed-source history, Microsoft is now one of the major companies involved in open source software. This includes PowerShell, Visual Studio Code and the ChakraCore JavaScript engine behind Microsoft Edge. It has also acquired Xamarin in order to create code which runs across different mobile platforms.

Github

If you are a major player in the market, such as Microsoft, Google or Facebook, it just seems obvious that you can throw money at an emerging market and you will succeed. Few startups, thus, ever have a chance of muscling in, as they lack the market reach and sustained investment.

But sometimes a start-up comes along and sees off the major players in the market, and it has happened in open source code repositories (which some would argue now drive the world). From a humble background, GitHub started in 2008 in San Francisco, and advocated that:

… everyone is a manager

and

“Build software better, together”

They even gave their employees the opportunity to work on whatever project they wanted. GitHub then received its first major investment of $100m in 2012, and then received $250m in a Series B investment round in 2015.

The first target to be knocked down was Google, which, in 2015, shut down Google Code (some would say that Google often moves into areas and quickly moves out again if it has no significant impact). And more recently Microsoft gave up on its CodePlex site, giving developers until December 2017 to move their code elsewhere, most likely to GitHub, and so submitted to the might of GitHub. CodePlex was started in 2006, as Microsoft saw the rise of open source software and the threat from Linux. But the world just loved GitHub.

GitHub now hosts most of the major open source repositories and continues to dominate the market. In fact, Microsoft, to highlight how much the company now supports open source, has the largest footprint of any organisation contributing code there, closely followed by Facebook.

Some say the power of nations lies in their parliaments, but others might say that, in this Cyber Age, the power lies in "to fork or not to fork" among the developers on GitHub. With cryptocurrencies coming along and disrupting traditional currencies, which were controlled by nations, it is often on GitHub that the real choices are made.

GitHub hack

The great thing about the Cloud is that you can quickly automate your infrastructure using a script. But the details of your account will often be stored within the code itself (typically hard-coded in the script, or in a configuration or header file that it reads). So if someone gets access to the code, they can recover your Cloud credentials, and could then compromise the infrastructure. For example, with Amazon we can create S3 data buckets, and then connect to them with a Python script using the (legacy) boto library:

# The two strings are the AWS Access Key ID and the AWS Secret Access Key,
# both in clear text inside the source file.
from boto.s3.connection import S3Connection
conn = S3Connection('<aws access key>', '<aws secret key>')

The script will therefore contain both the AWS Access Key ID and the AWS Secret Access Key, and anyone who can read the file can act as that account.

Many companies, too, are now moving towards GitHub as the place where they store code, and from where they then orchestrate their infrastructure. But GitHub then becomes a single point of attack against an organisation, as login credentials can end up embedded in the code. If there is poor access control on GitHub logins (for example, no two-factor authentication on developer accounts), the code can reveal sensitive secret keys.

The Uber breach is the textbook case. It involved getting access to a private GitHub repository used by Uber engineers; from there the attackers recovered Uber's Amazon Web Services (AWS) account credentials, and with those could download personally identifiable data from Uber's storage. The pattern is common: an AWS secret key is added into the code, and the code is then placed in a GitHub repository.

The recent Uber hack thus came through data held on a third-party cloud service, and Uber stated that none of its own corporate systems were breached. It is thought that the hack included 600,000 driver details and the records of 57 million Uber users, including names, emails and mobile phone numbers. With GDPR coming along, companies will face fines of up to 4% of global annual turnover if they are found to have breached its requirements.

There has been a rise in the number of bots which crawl GitHub for secret API keys, either to steal data with the stolen credentials or to burn through the account's processing power. In a recent case, DevFactor found that someone had racked up $2,375 in CPU time for Bitcoin mining, with 140 servers started on the account. In 2013, Luke Chadwick, in a similar hack, ran up a $3,493 bill for Litecoin mining.
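The bots described above do little more than pattern matching over every public commit. As an added example (not code from the article), the block below shows that check in Python and the minimum fix for the S3 script above: keep the keys out of the source and read them from the process environment. The sample "source file" is constructed for the example and uses the dummy key pair AWS publishes in its own documentation; the entropy threshold of 4.2 bits per character is an assumed tuning value.

```python
import math
import os
import re
from collections import Counter
from typing import List, Mapping, Tuple

# AWS access key IDs are 20 characters: "AKIA" for long-lived user keys or
# "ASIA" for temporary (STS) keys, followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. That shape
# also matches innocent things such as 40-hex-digit git commit IDs, so each
# candidate is filtered by Shannon entropy: a random secret scores roughly
# 4.5-5 bits/char, while hex strings and prose score well below 4.2
# (assumed threshold, not an AWS-defined value).
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 4.2

# Constructed sample of a checked-in script; the keys are the dummy values
# from AWS documentation, the hex string is the well-known SHA-1 of "".
HARDCODED_SAMPLE = """\
from boto.s3.connection import S3Connection
conn = S3Connection('AKIAIOSFODNN7EXAMPLE', 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY')
# deployed at da39a3ee5e6b4b0d3255bfef95601890afd80709 (a commit id, not a secret)
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, token) for every AWS-key-looking token.

    kind is "access_key_id" or "secret_key". This is the same shape of check
    that repository-crawling bots, and tools such as git-secrets, perform.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "access_key_id", m.group(0)))
        for m in SECRET_CANDIDATE_RE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "secret_key", token))
    return findings


def credentials_from_env(env: Mapping[str, str]) -> Tuple[str, str]:
    """Read the key pair from the environment instead of the source file.

    Better still is to ship no long-lived key at all and let the SDK's
    default credential chain pick up an IAM role (instance profile, task
    role, Lambda role); this is the smallest change to the script above.
    """
    try:
        return env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]
    except KeyError as missing:
        raise RuntimeError(f"missing credential in environment: {missing}") from None


if __name__ == "__main__":
    for line_no, kind, token in scan_source(HARDCODED_SAMPLE):
        # Never echo the whole secret into logs; a prefix is enough to locate it.
        print(f"line {line_no}: hard-coded {kind} starting {token[:4]}...")
    try:
        key_id, _ = credentials_from_env(os.environ)
        print(f"environment supplies access key id {key_id[:4]}...")
    except RuntimeError as err:
        print(err)
```

Running the block reports the key ID and the secret on line 2 of the sample and leaves the commit ID on line 3 alone. The same scan belongs in a pre-commit hook, because a key pushed to a public repository is typically harvested within minutes, long before a later commit deleting it lands.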

Overall it is extremely difficult to hide the credentials of the account if someone has access to the code. To reduce the risk, Amazon provides the AWS Identity and Access Management (IAM) web service, which controls who is authenticated (signed in) and authorised (has permissions) to use the resources. The root user has overall control and can create other users and roles with limited access rights. This root user should always have the highest level of security applied to it (multi-factor authentication, and no long-lived access keys of its own), as it will be the most prized account for an intruder; any key that does end up in a script should belong to an IAM user or role that can reach only the resources the script needs.
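To make the least-privilege point concrete, here is an added example (not code from the article or from AWS) that contrasts an over-broad IAM policy with one scoped to the single bucket the S3 script needs, and audits a policy document for the grants a reviewer should refuse before attaching it to a user or role. The policies use the real IAM JSON structure; the bucket name "example-research-data" is assumed, and the list of privilege-escalation actions is a representative subset, not an exhaustive one.

```python
import json
from typing import Any, Dict, List

# Root-equivalent: every API call on every resource. A key with this policy
# pasted into a GitHub repository gives away the whole account.
OVERBROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Scoped to one bucket (name assumed). Listing needs the bucket ARN itself,
# object reads and writes need the objects under it; nothing else is granted.
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-research-data",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-research-data/*",
        },
    ],
}

# IAM actions that let a principal mint new credentials or widen its own
# rights; granting any of them to a script key is effectively granting the
# whole account (representative subset, assumed for the example).
ESCALATION_ACTIONS = {
    "iam:CreateAccessKey", "iam:CreateUser", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy",
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows Statement, Action and Resource to be a string or a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per risky grant; an empty list means nothing flagged."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {idx}: Allow with NotAction grants everything except the listed actions")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"statement {idx}: Action '*' grants every API call (root-equivalent)")
        service_wildcards = [a for a in actions if a.endswith(":*")]
        if service_wildcards:
            findings.append(f"statement {idx}: service-wide wildcard actions {service_wildcards}")
        if "*" in resources and actions:
            findings.append(f"statement {idx}: Resource '*' applies the grant to every resource in the account")
        escalations = sorted(ESCALATION_ACTIONS.intersection(actions))
        if escalations:
            findings.append(f"statement {idx}: privilege-escalation actions {escalations}")
    return findings


def policy_json(policy: Dict[str, Any]) -> str:
    """Serialise in the form the AWS CLI accepts as a --policy-document file."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for name, policy in (("over-broad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {audit_policy(policy) or 'no findings'}")
    print(policy_json(SCOPED_POLICY))
```

The scoped policy is what you would save to a file and attach with `aws iam put-user-policy --user-name <script-user> --policy-name s3-research-data --policy-document file://policy.json`; it is attached to a dedicated IAM user or role, never to the root account, so that a leaked key from the script exposes one bucket rather than the whole estate.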