
This is a cat and mouse game. We add code to detect and disable abuse – sometimes in very clever ways – and then the abusers come up with a new way of circumventing that detection. In order to prevent miners from creating long queues for legitimate free users of GitHub Actions, we have to stay on top of this all the time. So the miners are not just stealing CPU time, they are also stealing engineer time. Because without mitigations the miners will consume all available CPU, and because devising abuse countermeasures is, for whatever reason, a very powerful nerd snipe (including for me!). The sad thing is that it's displacing time that would be spent improving Actions in other ways.

Actions are awesome... but scary as soon as you have a public repo, contractor, rogue employee, etc. They seem to go against security fundamentals. Ex: Actions should allow going into default-deny mode for all basic runtime capabilities and resource use, and only bring them back on via RBAC. Today, it's not hard to steal npm/pip/etc creds or get into people's corp runners. Having gone through the browser security policy heyday, this is deja vu, except now for exposing the server side and supply chain.


- do not run on any event.. unless user authorized for that event. Same for actions.

- separate out policies and users cannot edit policies unless authorized to do that

- do not get physical/logical resources (runners, disk quota, long runs, ...) unless given

- default-deny network outbound with url safe-listing

That way only trusted users can run them, and it's a bit harder for them to get hurt when there is a surprising action that they run.

The next level would probably be something like sandboxing: allow anyone to run an action, but a sandbox mode can autofail if violated, and have explicit imports/exports to lock down how it gets used.

A lot possible.. but need to invest in the basics first..

Getting a hold of someone's secrets is not possible just by doing a pull request. It's really only about resource usage, at least when the runners in question provide sufficient isolation (true at least for the Github-hosted ones, or we're all in big trouble).

Unfortunately, using self-hosted runners to provide additional capabilities not supported by Github-hosted ones is basically impossible (for public repos at least) as you can't restrict a runner to an organization or project. Set up a bare-metal runner and it will receive jobs from random forks.

> Getting a hold of someone's secrets is not possible just by doing a pull request

Only if you've configured the actions correctly. I would bet that there is a high number of repositories on both GitLab and GitHub with misconfigured CI pipelines where someone can submit a PR with `env | curl` to grab any secrets defined as environment variables.

GitLab CI, and I suppose GitHub, allow marking env variables as secrets, making them more complicated to show / exfiltrate.

No, GitLab does not allow marking variables as secrets. They allow "masking" env variables, subject to a bunch of caveats, like your secrets not being multiple lines (e.g. a private key cannot be masked). Even then, the masking is just about log output -- it doesn't prevent a `env | curl` type situation. [0]

The correct mitigation is to ensure that any "secret" variables are marked as "protected" so they can only run on protected branches that are limited to pushes by maintainers. And you'll still need to make sure the masking works in the logs.

They do support integrating with Vault to access secrets in a CI job, but you need to pay them to use that feature. [1]

[0] https://docs.gitlab.com/ee/ci/variables/#mask-a-cicd-variabl...

[1] https://docs.gitlab.com/ee/ci/secrets/

Re: Vault, you can read Vault secrets yourself via their JWT integration.

For GitLab if you don't have at least developer access to the repository (as in you are sending a MR from a fork) that will run in the context of your user, so you don't have access to any secrets configured upstream, etc.

If you have access to a repository you can customize the script to do whatever you want, but there will always be a trace tracking it back to you.

There is a discussion about ultimate security (access only when asked) Vs the convenience of self-service.

You can still avoid that by having people use a fork model, or triggering CD from an external project with tight access.

Putting a bureaucratic process between ICs will only limit their throughput, as in the Jenkins paradigm.

The better advice is don't hire people you can't trust

Add one extra command ;-) These can be innocuous if buried in something like unit tests of configs or network behavior, or in a big pr:

logs: `env | base64`

network: `env | gzip | curl`

It should be easy to set most workflows to run sandboxed with almost no capabilities - no secrets access, safelisted network access, safelisted package manager accesses for top 10 langs, etc - so that testing someone's PR isn't scary, and runtime violations make loud noises. The whole 'just disable actions on fork PRs' thing is a great default, but ultimately a figleaf as it's not hard to get someone to run an action.
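The `env | base64` / `env | gzip | curl` trick above and the masking caveats from the GitLab comment earlier in the thread, as an added example that is not from any comment in the original thread: a small Python model of CI log masking (exact-substring replacement of single-line secret values after the job has run) applied to the output of the three commands, followed by what the PR author does with the public log. The single-line rule is a deliberate simplification of the real masking constraints, and the environment, token and key are constructed sample data, not real credentials.

```python
import base64
import gzip

# Constructed sample job environment (not real credentials): a single-line
# token that the masking rule can handle, and a multi-line key that it cannot.
SAMPLE_ENV = {
    "CI_JOB_NAME": "test",
    "DEPLOY_TOKEN": "tok-EXAMPLE-9f3a1c7e",
    "DEPLOY_KEY": "-----BEGIN KEY-----\nQUFBQQ==\n-----END KEY-----",
}
SECRET_NAMES = ("DEPLOY_TOKEN", "DEPLOY_KEY")


def is_maskable(value: str) -> bool:
    """Simplified stand-in for a CI masking rule (assumption): only single-line
    values are masked. Real systems add length and character-set limits too."""
    return "\n" not in value


def mask_log(log: str, env: dict, names) -> str:
    """Log masking as CI servers do it: after the job ran, every exact occurrence
    of a maskable secret value in the captured log is replaced."""
    for name in names:
        value = env[name]
        if is_maskable(value):
            log = log.replace(value, "[MASKED]")
    return log


def env_dump(env: dict) -> str:
    """What `env` prints inside the job."""
    return "\n".join(f"{k}={v}" for k, v in env.items()) + "\n"


# The three commands from the thread, modelled as transformations of `env` output,
# and the inverse the attacker applies to the log they can read afterwards.
COMMANDS = {
    "env": lambda s: s,
    "env | base64": lambda s: base64.b64encode(s.encode()).decode(),
    "env | gzip | base64": lambda s: base64.b64encode(gzip.compress(s.encode())).decode(),
}
DECODERS = {
    "env": lambda s: s,
    "env | base64": lambda s: base64.b64decode(s).decode(),
    "env | gzip | base64": lambda s: gzip.decompress(base64.b64decode(s)).decode(),
}


def recoverable_from_log(env: dict, names=SECRET_NAMES) -> dict:
    """For each command: run it, mask the log the way the CI server would, then
    undo the encoding and search for each secret value.
    Returns {command: {secret_name: leaked}}."""
    plain = env_dump(env)
    result = {}
    for cmd, transform in COMMANDS.items():
        visible = mask_log(transform(plain), env, names)
        try:
            decoded = DECODERS[cmd](visible)
        except Exception:  # masking mangled the encoded blob; nothing to undo
            decoded = visible
        result[cmd] = {name: env[name] in decoded for name in names}
    return result


if __name__ == "__main__":
    for cmd, leaks in recoverable_from_log(SAMPLE_ENV).items():
        status = ", ".join(f"{n}: {'LEAKED' if v else 'masked'}" for n, v in leaks.items())
        print(f"{cmd:22s} -> {status}")
```

Plain `env` is the only case masking helps with, and only for the single-line token; the multi-line key is printed verbatim, and any encoding of the output sidesteps the substring replacement entirely. The mitigation has to be that the job never holds the secret, not that the log hides it.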

env doesn't show secret/masked variables ;) you have to pass through echo and a file

Do I understand correctly that the attacker forks a repository with GitHub Actions enabled, modifies the action, submits a PR, which makes GitHub run the altered action?

If so, I wonder if there is a legit need for running modified GitHub actions from non-collaborators?

Could also subject modified actions coming in via pull requests (from non-collaborators) to heavy resources constraints and timeouts.

The mitigations you suggest are all logical. However, there are legitimate reasons to run CI and tests for outside contributions without taxing maintainers with the cognitive load of having to evaluate whether each contribution is CI-worthy.

The attack vector in the article is not the main way miners try to steal CPU from the GitHub community. It's just an interesting one that the journalist chose to write about.

But when a PR is submitted that modifies an Actions workflow, shouldn't GitHub run the old unmodified workflow until that PR is accepted?

IIRC, they already treat the .github folder as a special case; you can't push modifications to workflow files with a personal access token. So why not ensure that an action or workflow will only run if it is checked into the base branch?

That wouldn't stop PRs from modifying scripts that the action runs, but the current behavior seems a bit counter-intuitive.

If that action is "./run_tests.sh", which is a top use case, the attacker just changes "./run_tests.sh", so while I agree that's useful, it doesn't secure the typical case, and makes for a hard cost/value stance.

The threat models are probably more like 1. "make sure only the right people run actions" and separately, 2. "make sure authorized events/actions only use the expected capabilities." Both largely fail today.

Well the idea is that a person submits a PR, and the action runs to verify that the tests pass BEFORE the PR is accepted. You don’t want to wait until after the code is merged in order to see if tests still pass.

The issue is that even if you don’t allow changes to the actual action workflow, running tests gives an attacker the ability to run arbitrary code. They just need to add the code they want to run to the tests (e.g. have the tests mine crypto)

That makes it really hard to debug actions, and ensure that they’re working prior to merging.

> steal CPU from the GitHub community

from Microsoft*

Thanks Nat. What if we made new GitHub Actions temporarily only available to users with a verified second factor?

Could temporarily reduce the population of abusers while we figure out a more sustainable strategy?

A TOTP code response is trivial to implement on the client. So if you wanted this to be meaningful, you would need to force users to use SMS 2FA, which is widely considered insecure. Not a great solution IMO.

I wonder if it would help to form an internal red team that could help stay a step ahead of such and related attacks and abuse scenarios by running such attacks against yourself?

Can't you say the same thing about any defensive measures? The need for security is displacing developer time to be building out cool new features.

Yes. This is just a category of attack whose growth has been incentivized by rising crypto prices. All providers of free compute are experiencing some level of mining attack right now. Eventually a new equilibrium will emerge.

A new equilibrium that thanks to cryptocurrency speculators is a worse world.

This speculation is making some people rich, yes. But the amount of externalities is staggering.

Thanks to PoW nobody can provide a free compute anymore without getting owned, and of course the environmental impact of bitcoin alone is worse than when Saddam Hussein set oil wells on fire while retreating.

Let the world burn, and products rot to shit, as long as my HODL portfolio goes up. Cryptocurrency supporters really are sociopaths, worse than any hedge fund manager.

To be clear, these are very specific problems to proof of work. It's almost to the point where I'm in favour of banning or heavily taxing proof of work mining.

There are lots of things driving for crypto besides speculation though. Suggesting cryptocurrency supporters are sociopaths is quite simplistic, and overlooks the majority who are not involved in anything like this article discusses

> There are lots of things driving for crypto besides speculation though.

Like what? I mean aside from crime.

E.g. the "Venezuela argument" has been debunked, from my reading.

In my own life I've seen employees ask to be paid in bitcoin, because of the large fees involved in getting your salary and transferring it into Brazil.

So… those "fees" are mainly taxes, and not paying them is illegal.

To steelman the argument, I guess some people actually do want to buy stuff online without a third party knowing who paid whom.

First of all BTC is terrible for that. But second, most people don't care if a third party knows they bought pizza. Especially since the pizza place still knows, and they need to keep records anyway, because tax laws.

Fourth, if they don't keep records then they can just say you didn't pay them. They can say "oh, that was not our wallet, you must have mistyped".

Fifth, if the pizza has poop on it you can't even reverse the charge.

Sixth, every pizza place will now be a money laundering scheme.

This is not what we want as individuals, nor as a society.

But yes, some people do want to buy a pizza online and not have a third party know. It's basically LARPing.

Buying a house or a car anonymously? That was made illegal on purpose.

Buying a big mansion anonymously? Well that's clearly at the very least tax fraud.

Anyway, I truly want to hear about any legit use case for cryptocurrencies that is not just LARPing, because as far as I've seen nobody in the 12 years since bitcoin launched has come up with one that actually makes sense.

> Suggesting cryptocurrency supporters are sociopaths is quite simplistic,

Yeah, it is. It's like the old expression "it's very hard to make someone understand something when their livelihood depends on them not understanding it", or something like that.


But the amount of rationalization from cryptocurrency proponents I do think is sociopathic.

> and overlooks the majority who are not involved in anything like this article discusses

When you're in the mob you're still one of the baddies, even if you're not actually the one murdering.

I do blame every cryptocurrency supporter. They are complicit in making the world worse for their own profits. They have a moral obligation to recognize their supporting role in this, and to stop it.

In 2015 I moved to a different country. I needed to arrange to pay my security deposit for my place before I had moved. Guess what? After talking about it for a bit, it turned out bitcoin was the easiest way to do it. There was nothing illegal about this, and it saved us a giant hassle.

Cryptocurrency users aren't any more complicit in others using it for illicit activities than people who use cash. And you seem to be equating cryptocurrency with proof of work and bitcoin, which, again, are ignoring the majority of the real-world use cases.

I'm not ignoring non-PoW or non-BTC. The topic is big, and the case and data against cryptocurrencies literally have filled books.

But just to establish what you're saying, do you agree that PoW and BTC in particular is absolutely terrible for the world? Can we establish that?

I just want to make sure you're not selecting the parts I have not addressed in these comments and from there you're dismissing the things I have said.

If you can agree that PoW and BTC are awful, then there's no point in staying on that topic, but we can instead look at other parts. Otherwise it seems like a dishonest rhetorical device.

I don't know what countries you moved between, but what you did could be illegal. Or if not, the law may have not caught up yet, because the laws tend to be on the financial institutions, not the payer and payee. But probably the intention of the law is that it should be illegal.

Maybe. It depends how exactly the bitcoin was transferred.

I'm not a lawyer, but have a look at this: https://www.gov.uk/guidance/how-to-comply-with-eu-payments-r... https://www.gov.uk/guidance/money-laundering-regulations-hig...

That's requirements on payment service providers, so (maybe?) not on you. With a decentralized payment service provider, a case could be made that you are the payment service provider of this transaction, but let's assume not, to not make it simple. Still, it is the intention of this EU law that somebody is, right? That's the world in which the law was written.

If you agree with this, that the intention was that somebody has KYC (Know Your Customer) requirements on your transaction, then as I see it the only remaining argument is that you think KYC laws should not exist.

I hope I've not misrepresented you so far. I honestly want to build a trail from your truly legit and moral transaction to what it means in the larger picture.

If you're against KYC I don't quite know what your argument is (it could be a good one), but they were in fact put in place for a reason. Your honest transfer "under the radar" has the same technical means as the ISIS sympathizer's, and the money laundering mob boss's, or the tax dodging wall street CEO's.

I'll assume that you're not an anarchist-libertarian who considers all government action to be theft, and "money laundering" to be a non-crime.

So… the real question is how do we allow transactions like yours, but not make crime like this be trivial under the same technical means?

So far it's by KYC. And KYC laws and enforcement are not perfect. But baby and bathwater. If your argument is that KYC is inherently bad, then I disagree, but don't make it a distraction while actually making a different point.

And if cryptocurrency is "just like cash", that means that, just like with cash, you legally have to report international money transfers: https://www.mybanktracker.com/money-tips/money/travel-intern...

Do you think anyone has ever done this with bitcoin, or any other cryptocurrency? I assume not, because cryptocurrency people will pick and choose when it's "just like cash" and when it's not. Or they'll claim "it's not in a country, it's in cyberspace". But that's all clearly rationalizing to the point of trolling.

To summarize my point: The reason we can't have nice things, the reason there are fees and taxes on international money transfers, is that this is exactly the place where an uncountable amount of fraud and crime happens. It's not "clever" to go around KYC, it's illegal. (or if not technically illegal, the intent clearly was that it would be)

(I have more points against cryptocurrencies, but bringing up every topic at the same time will just be a big distracted mess. If we've agreed on PoW, and if you agree on KYC, then maybe we can do other arguments too)

Neither of these were EU countries, but both of our exchanges had KYC. I don't believe there was anything illegal about what we did.

And I'm not libertarian (I'm far too socialist), but I do believe that there are problems with the extent to which we are being tracked by governments, especially because I have a lot of issue with various laws around the world (see: criminalizing homosexuality, drugs, sex toys, women driving) I do believe controlling the methods by which people pay for things extends government control, and having more freedom there allows more personal freedom in general. Perhaps surprisingly, I do support paying due taxes (when it's often what funds social services and social programs).

Actually, speaking of money laundering, I learned recently that you can pay taxes on illicit income and the IRS won't have any issue with you. However, I don't trust that this isn't used to track down criminals by criminal agencies. Money laundering allows people to pay their taxes without implicating themselves, so in many ways it's something I support.

I'm not in any way suggesting cryptocurrency is a good way to get around government tracking. Cash might often be better. I don't particularly support KYC, so I'm excited to see the development around decentralized exchanges. And I think painting all "crime" with the same brush is quite reductive. Yesterday's crime is too often tomorrow's activism: breaking an NDA to expose human rights abuses, using a VPN to browse Wikipedia, the list goes on.

But yes, I 100% agree about PoW being problematic, and have frequently posted on HN about how the only way it will be solved is through government intervention. I guess I'm not much of an anarchist either.

More countries than those in the EU have KYC laws. But no, I'm not saying illegal means immoral, nor that there aren't degrees of illegality. I mean that if what you did was legal, then you probably used a loophole. And that same loophole can be used by organized crime to launder money from human trafficking.

And that the trade-off between allowing your transaction and preventing organized crime is why KYC and money laundering laws were created.

I recently did a 6 figure international transfer, and I had to talk to people at the bank, who had to sign off that the source of my funds were fine and I wasn't doing anything shady (nor being defrauded). Just a 15min phone call.

For someone who regularly does this I assume it's streamlined, but it does make sense for the bank to be suspicious on multiple levels when I do the biggest transfer of my life.

They also checked with me to make sure I did basic security precautions like "Did someone contact you and tell you to make this transfer, or did you come up with it yourself? Did someone send you the account number, or did you look it up on a trusted source?".

Sure, part of that was "cover your ass" for the bank's liability to a mistake, but some of it is legally mandated for KYC/ML.

Again, don't take my comments as saying governments or these laws in particular are perfect. I'm saying they are deliberate because something like them is really really a good idea, both for the individual and society as a whole.

But I think it's a red herring to say "some governments criminalize homosexuality, therefore KYC/ML laws are bad or overreaching".

> I don't particularly support KYC

So what's your alternative proposal for preventing / detecting the crime it really does catch?

What's your proposal for forcing banks to not look the other way when drug cartels bank their profits?

Again, I'm not saying it's perfect, but without KYC/ML banks wouldn't even have an obligation to look, and would have no liability when they aid organized crime. Clearly we need to do something? KYC/ML is not flawless, but it also works. So this is not a "We have to do something, this is something" case.

If you take away KYC/ML you have to replace it with something better. Otherwise you're just saying "defund the police" with no plan to replace the police.

So that's KYC/ML.


I guess I brought up taxes a little bit, but it's another chapter in the book on cryptocurrencies.

Right now there is huge tax evasion happening in industries that deal with cash. Taxi drivers are a prime example, but also plumbers, carpenters, etc...

Not everyone, of course, but it's so easy for them. E.g. it's common practice among people felling trees for people that they charge a lot because they need to pay insurance in case the tree falls on something expensive. But when the tree doesn't, they just pocket the whole thing and don't tell the tax man or insurance company.

What if we had the cryptocurrency dystopia, where everyone who wants to can get paid in some ideal cryptocurrency? I bet you HUGE parts of salaries will suddenly go dark, and be tax free.

People earning 6-7 digit salaries would just not declare that at all. It would take a lot of sense of civic duty to hand off 5-6 digits per year if you know you can get away with not doing that. Most people don't have that, and I can admit I'd be super tempted too, if I knew math would protect me perfectly.

The reason people actually pay income tax today is because double entry accounting and the paper trail actually makes it hard to hide salary payments. And paying people in cash is also logistically hard, and even harder if you have to do it fraudulently.

You can do it with low wage workers, but I sure as hell wouldn't want to have to deal with thousands of dollars in my hand every week.

But even then, in many countries it's illegal to pay salaries in cash. Because of the rampant fraud that happens when salaries are in cash.

And why would you want to be paid in cash to hide it from the government? You say you believe in taxes, so the tax man will know your income eventually anyway. So there's no point in hiding it.

Interesting about IRS and theoretically not reporting you. Sounds similar to some places where robbing a bank with a fake gun carries a lighter sentence, so that robbers are incentivized to bring the fake gun instead of the real one, thus reducing harm to innocent bystanders and police.

They got Capone for tax evasion, so it's a charge you don't want. But I suspect if you just declare your bank robbery gains, that's not going to work well for you.

So you’re blaming cryptocurrencies for ....

Proof of Work?

A lot of em are already trying to shift to other viable alternative proofs.

Your analogy of calling cryptocurrency supporters sociopaths

sounds similar to insulting Edison because he designed the inefficient incandescent bulbs, which consume waaay more energy compared to LEDs built these days.

How would it sound if someone insulted artificial light just because of that?

Cryptocurrencies are perfectly good ideas/products.

Proof of Work’s viability isn’t.

The hate is aimed in the wrong direction.

> sounds similar to insulting Edison because he designed the inefficient incandescent bulbs

If he designed and sold that in 2021, trying to replace LED lightbulbs, and lying through his teeth to pump up the value of his lightbulbs, well then yes.

Can blockchain people please first come up with a use case, that isn't crime, before saying it's worth using more energy than many countries? (for a rounding error away from 0 number of transactions)

All the enumerated use cases are so naive and uninformed that clearly they've just been invented without knowledge about the field. "Move aside, expert in field, I'll just solve this with technology. No I don't need to hear you describe the issues".

Lots of countries have banned incandescent bulbs due to their abysmal energy efficiency.

Maybe the cryptocurrency industry needs some environmental regulation thrown at it?

> Cryptocurrencies are perfectly good ideas/products.

for scammers and speculators

Try doing a transaction comparison between any payment service that offers foreign transactions and cryptocurrency transactions, and use it once to do a real trade/purchase, or try using smart contracts in crypto, for once, in your projects.

You’ll know why it’s a great product/service once its environmental viability has been figured out.

Hating crypto because news reporters only show you the scammers and the speculators is blind hatred.

Crypto has/does much, much more than just act as a form of trading/speculation.

Scammers often steal money in dollars too. Speculators often trade currency pairs with dollar in them.

Are you still gonna say people who use the dollar for daily transactions don’t exist ? That dollar is also a good idea only for scammers and speculators ?

> Try doing a transaction comparison between any payment service that offers foreign transactions

I've done many. Order of magnitude better experience than bitcoin, which I've also done.

And without knowing that your bitcoin transaction cost many tonnes of co2 on stolen electricity (~70% of which is based on fossil fuels, per a recent bitcoin energy use study).

It's like building an instant messaging system based on throwing molotov cocktails on your neighbors houses to create smoke signals.

"Works great!"

> try using smart contracts in crypto

Smart contracts are just the dumbest idea yet. Anyone who thinks they're a good idea clearly doesn't know what the actual challenges are in existing contracts. It's not solving these challenges at all, but instead making them much worse.

> Hating crypto , because news reporters only show you the scammers and the speculators , is blind hatred.

Seriously? But that's all there is. To a rounding error.

And for good reason. Aside from committing crimes, cryptocurrencies are worse in every single aspect.

> Are you still gonna say people who use the dollar for daily transactions don’t exist ? That dollar is also a good idea only for scammers and speculators ?

What do you think the percentage of dollar transaction that's crime? What do you think is the case for bitcoin?

> or try using smart contracts in crypto , for once in your projects.

If someone is willing to fund time spent on researching how to do it safely I would do it.

But I am not aware of anyone willing to fund hundreds of hours on such research. And it includes myself.

> Hating crypto , because news reporters only show you the scammers and the speculators , is blind hatred.

I do not care what 'news' reporters 'report'. I am in contact with several crypto-adjacent messages each week, all of them scammers, in my mail inbox, on Telegram, in Discord.

Crypto-adjacent scam spam is over half of the ads that manage to reach me on my own computer.

I consider it perfectly good reason to heavily dislike BTC and BTC-adjacent things.

> Crypto has/does much much more , than just act as a form of trading / speculation

Yes, it is also scam platform.

> Are you still gonna say people who use the dollar for daily transactions don’t exist ? That dollar is also a good idea only for scammers and speculators ?

No, because it is untrue. Unlike crypto.

Bitcoin is priced pretty much on par with low cost energy consumption. It's not any more profitable to mine Bitcoin now in terms of energy per dollar worth of Bitcoin than before.

limit the action configuration files to be only editable by a configured set of people for a specific repo and give us a special folder like .github-action-commands or so that is scoped like that as well..
