How to exfiltrate code from Bitbucket (etodd.io)
133 points by et1337 3 days ago | hide | past | favorite | 41 comments

Not directly related, saw from the screenshots. Instead of using AWS secret keys in env variables like this, Bitbucket supports OIDC and you can safely build a trust relationship instead of static keys which is a security nightmare. https://support.atlassian.com/bitbucket-cloud/docs/deploy-on...

Disclaimer: Atlassian employee.
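Worked example added by the editor, not code from this comment, from the article or from Atlassian: a small model of how an AWS IAM trust policy decides whether a Bitbucket Pipelines OIDC token may assume a role, and why the condition on the `sub` claim is the part that matters. The issuer URL shape, the `ari:cloud:bitbucket::workspace/...` audience and the `<repository uuid>:<step uuid>` layout of `sub` are assumptions from memory of the Bitbucket docs and should be checked against a real token before copying conditions; the UUIDs and the AWS account id are constructed, and IAM evaluation is reduced to string-valued `StringEquals` and `StringLike`.

```python
"""Check which Bitbucket Pipelines OIDC tokens an AWS IAM role trust policy accepts.

Added example; not code from the thread, from the article or from Atlassian.
Assumptions: the issuer URL shape, the audience string and the ':'-joined
layout of the 'sub' claim are recalled from the Bitbucket docs and may differ
for your workspace; UUIDs and the account id are constructed. IAM condition
evaluation is simplified to string values with StringEquals and StringLike.
"""
import fnmatch
from typing import Dict

# Constructed identifiers (not real Bitbucket UUIDs, not a real AWS account).
WORKSPACE_UUID = "{11111111-1111-1111-1111-111111111111}"
REPO_UUID = "{22222222-2222-2222-2222-222222222222}"
ACCOUNT_ID = "123456789012"

# Assumed shapes of the identity provider (issuer) and the token audience.
ISSUER = f"https://api.bitbucket.org/2.0/workspaces/{WORKSPACE_UUID}/pipelines-config/identity/oidc"
AUDIENCE = f"ari:cloud:bitbucket::workspace/{WORKSPACE_UUID}"
# IAM names a provider's claims as "<issuer without scheme>:<claim>".
PROVIDER = ISSUER.removeprefix("https://")


def step_token(repo_uuid: str, step_uuid: str) -> Dict[str, str]:
    """Claims (constructed) of the JWT a step with `oidc: true` receives.
    Assumed 'sub' layout: "<repository uuid>:<step uuid>"."""
    return {"iss": ISSUER, "aud": AUDIENCE, "sub": f"{repo_uuid}:{step_uuid}"}


def trust_policy(sub_pattern: str, operator: str = "StringLike") -> dict:
    """AssumeRoleWithWebIdentity trust policy that pins aud and constrains sub."""
    condition: Dict[str, Dict[str, str]] = {"StringEquals": {f"{PROVIDER}:aud": AUDIENCE}}
    condition.setdefault(operator, {})[f"{PROVIDER}:sub"] = sub_pattern
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def _matches(operator: str, expected: str, actual: str) -> bool:
    if operator == "StringEquals":
        return expected == actual
    if operator == "StringLike":
        # IAM wildcards are '*' and '?'; neutralise fnmatch's extra '[...]' syntax.
        return fnmatch.fnmatchcase(actual, expected.replace("[", "[[]"))
    raise ValueError(f"unsupported condition operator: {operator}")


def would_assume(policy: dict, claims: Dict[str, str]) -> bool:
    """True if some Allow statement's provider matches iss and every condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        if provider != claims.get("iss", "").removeprefix("https://"):
            continue  # token from another issuer: federation itself fails
        ok = True
        for op, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                actual = claims.get(key.removeprefix(PROVIDER + ":"))
                if actual is None or not _matches(op, expected, actual):
                    ok = False
        if ok:
            return True
    return False


# Constructed tokens: our deploy step, and a step from some other repo in the workspace.
OUR_STEP = step_token(REPO_UUID, "{33333333-3333-3333-3333-333333333333}")
OTHER_REPO_STEP = step_token("{44444444-4444-4444-4444-444444444444}",
                             "{55555555-5555-5555-5555-555555555555}")

# Pinned: only steps of this repository may assume the role.
PINNED = trust_policy(f"{REPO_UUID}:*")
# Wide open: any repository in the workspace (anyone who can edit any pipeline) may.
WIDE_OPEN = trust_policy("*")


def report() -> Dict[str, bool]:
    """Which token each policy accepts; a forged issuer or audience is refused by both."""
    foreign_aud = {**OUR_STEP, "aud": "ari:cloud:bitbucket::workspace/{99999999-9999-9999-9999-999999999999}"}
    foreign_iss = {**OUR_STEP, "iss": "https://attacker.example/oidc"}
    return {
        "pinned accepts our step": would_assume(PINNED, OUR_STEP),
        "pinned accepts other repo": would_assume(PINNED, OTHER_REPO_STEP),
        "wide-open accepts other repo": would_assume(WIDE_OPEN, OTHER_REPO_STEP),
        "pinned accepts wrong aud": would_assume(PINNED, foreign_aud),
        "pinned accepts wrong iss": would_assume(PINNED, foreign_iss),
    }


if __name__ == "__main__":
    for name, accepted in report().items():
        print(f"{name}: {accepted}")
```

The point the model makes concrete: a static access key stored as a repository variable works from any machine, for any repo it leaks into, until someone rotates it, whereas the OIDC token is short-lived and carries which repository and step minted it, so the trust policy can refuse everything else. That only holds if the `sub` condition is actually pinned; a `StringLike` of `*` turns the role into a workspace-wide credential, and using `StringEquals` on the full `sub` (as the last assertion does) is the tightest option when the step identity is stable.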


I think Confluence and SourceTree both are great products. Jira is no pleasure but does the job especially at large scale.

But Confluence especially, a great wiki, requires discipline to avoid a mess but all wikis do.

(Cloud) Confluence is rather slow, and does not support markdown or any kind of text editing. Only their awful, awful WYSIWYG editor which of course is different from all other Atlassian products.

The "edit Confluence in 'markdown'" looks like a good case, I see interest on Confluence site for importing markdown into Confluence (a no-go since the goal might be to keep content as markdown) [0] and support for a keep-low-level-content-as-editable-markdown [1]. I'd look forward to seeing how Atlassian would keep markdown content since I'm not sure that relative links between documents would work well in an Atlassian model, as well as other stuff. Plus Atlassian would probably want to let biz-types edit the same document in WYSIWYG while keeping the content in low-level markdown, meaning they'd have to severely constrain the content type in the WYSIWYG editor or create some hybrid markdown/Atlassian document type.

( The link for [1] may or may not require an Atlassian login. )

[0] https://community.atlassian.com/t5/Confluence-questions/Impo...

[1] https://jira.atlassian.com/browse/CONFCLOUD-68272

EDIT: formatting

You can paste Markdown into it. I just have to remember the magical keyboard incantation every time I do it.

This is the exact symptom I had with using AT&T Fiber and GitHub, using “DMZ+ mode.” It sounds a lot like an MTU problem, and no, when I contacted GitHub they were absolutely flummoxed and couldn’t see any evidence of failure.

If you’re ever in a similar situation, try cloning over a different ISP or a VPN first. It’s pretty rare for a service like bitbucket to have a catastrophic failure like this without it being a downstream problem.

> It’s pretty rare for a service like bitbucket to have a catastrophic failure like this without it being a downstream problem.

It's bitbucket. It is actually extremely common.

Yeah for those (assuming it's TCP), you can do "ip route add dev interface0 advmss 500 mtu lock 500" and see if it still freezes up. A lot of paranoid admins break PMTUD because they're terrified of ICMP.
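Worked example added by the editor, not part of the comment above: a probe that bisects the largest packet a path carries with the Don't-Fragment bit set, which is the quick way to tell a PMTUD black hole (the failure mode the `advmss ... mtu lock` route works around) from an ordinary outage. The real probe shells out to Linux iputils `ping -M do -s <payload> -c 1 -W <seconds>` (assumption: Linux iputils; BSD and macOS ping use different flags) and is injected as a callable, so the search itself runs offline against a constructed path. The MSS reported for the `advmss` clamp is the MTU minus 40 bytes of IPv4 and TCP headers.

```python
"""Locate a path-MTU black hole by bisecting DF-set ICMP echo probes.

Added example, not from the thread. The live probe uses Linux iputils
`ping -M do -s <bytes> -c 1 -W <s>` (assumption: Linux iputils flags); the
probe is injected so the bisection can be exercised against a simulated path.
"""
import subprocess
from typing import Callable, Optional

IPV4_HEADER = 20   # minimal IPv4 header
ICMP_HEADER = 8    # ICMP echo header
TCP_HEADER = 20    # minimal TCP header, for the MSS hint


def ping_probe(host: str, timeout_s: int = 2) -> Callable[[int], bool]:
    """Probe that reports whether an ICMP echo with this payload size and
    Don't-Fragment set gets a reply from host (Linux iputils ping)."""
    def probe(payload: int) -> bool:
        result = subprocess.run(
            ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s), "-s", str(payload), host],
            capture_output=True, text=True,
        )
        # iputils exits non-zero both on a local "Frag needed and DF set" and on a silent drop.
        return result.returncode == 0
    return probe


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a network: packets larger than path_mtu vanish
    and no ICMP "fragmentation needed" ever comes back (a PMTUD black hole)."""
    return lambda payload: payload + IPV4_HEADER + ICMP_HEADER <= path_mtu


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> Optional[int]:
    """Largest MTU in [lo, hi] whose DF-set probe succeeds; None if even lo fails."""
    def passes(mtu: int) -> bool:
        return probe(mtu - IPV4_HEADER - ICMP_HEADER)
    if not passes(lo):
        return None
    if passes(hi):
        return hi
    while hi - lo > 1:          # invariant: passes(lo) and not passes(hi)
        mid = (lo + hi) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid
    return lo


def tcp_mss_for(mtu: int) -> int:
    """MSS to clamp to (the `advmss` value) for an IPv4 TCP path of this MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "bitbucket.org"
    mtu = find_path_mtu(ping_probe(host))
    if mtu is None:
        print("even 576-byte packets are dropped with DF set; host unreachable or not an MTU problem")
    elif mtu < 1500:
        print(f"path MTU to {host} is {mtu}; PMTUD looks broken, clamp advmss to {tcp_mss_for(mtu)}")
    else:
        print(f"full 1500-byte packets reach {host}; look elsewhere")
```

Run it as `python3 pmtu_probe.py bitbucket.org` from the affected machine. If it reports a path MTU below 1500 while plain `ping` with no size works, the route-level clamp in the comment above (or a `--set-mss` iptables rule) is the right fix; if even the smallest probe fails, the problem is not fragmentation.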

For all the technical excellence in git's plumbing, I'm surprised that nobody has bothered to implement resumable cloning yet. Apart from the issues with bitbucket as a specific platform, every now and then I have to clone repos of a size that a simple bandwidth calculation tells me is going to be a multi-day endeavour, and even in the best families, a connection is not guaranteed to stay up that long.

So to this day, I keep having to clone locally and then rsync --partial the .git folder over the slow link. Surely it should not be an insurmountable problem to not throw away a partial clone, but instead offer to resume at a reasonable checkpoint?

Multi-day… snail mail probably has higher bandwidth, depending on the distance. I usually use https instead of ssh for bigger clones as it tends to be more resilient in the face of tcp shenanigans.

NOTE: Bitbucket has been migrating to a new platform internally, and has been having sporadic issues. Not sure if that is the case here. Story 13 days ago: https://news.ycombinator.com/item?id=27774987

This could be a network connectivity issue, like an IPv6 PMTU discovery problem.

Should have just pinged them on hipchat, it should reach them maybe.

Honestly, the last thing I'd want in a situation like this is "use this chat app we're using". I think that is a crappy approach to support, since it is not working alongside a public knowledge base and thus cannot amend an existing pile of related problem-solving knowledge. It mandates processes which generate throwaway solutions and waste everyone's time. Gitter is not the answer.

Hipchat has been phased out for a while now, no?

Yes, I think the joke is that Hipchat is gone.

Atlassian replaced it with Slack which was just bought by Salesforce, so who knows maybe they will revive Hipchat now.

> Atlassian replaced it with Slack

Not before migrating to their own Hipchat successor / Slack clone, Stride, which was infinitely worse than both in every way. The product and IP was sold to Slack for, rumour has it, $1.


According to that Wikipedia article, Atlassian took a “minority investment in Slack.” That’s certainly worth much more than $1.

probably just get some investment to buy mattermost lol

Which, I believe is either owned or majorly maintained by GitLab.


Tried cloning a much larger repo from his bitbucket account, and it works fine...

  $ git clone https://etodd@bitbucket.org/etodd/lasercrabs-archive
  Cloning into 'lasercrabs-archive'...
  remote: Enumerating objects: 12162, done.
  remote: Counting objects: 100% (12162/12162), done.
  remote: Compressing objects: 100% (9255/9255), done.
  remote: Total 12162 (delta 2540), reused 12162 (delta 2540), pack-reused 0
  Receiving objects: 100% (12162/12162), 413.56 MiB | 14.34 MiB/s, done.
  Resolving deltas: 100% (2540/2540), done.
  Updating files: 100% (11141/11141), done.

Bitbucket has been... not good lately. And that's putting it kindly. I don't know if anyone from Atlassian reads HN, but please... Don't force us to migrate away.

We use Bitbucket Cloud and I can attest to this. The quality just seems to get worse and worse. Bi-weekly outages, 10 minute PR merges, very late webhook calls, profile pictures not showing for some unknown reason. It is almost criminal that they charge the money they do when put up against GitHub, GitLab, and SourceHut.

In fact, all of Atlassian's products feel gross, it's all horribly slow. Jira's slowness alone probably cuts my productivity by about 20%.

At my company we had to migrate over to a custom gitlab instance, I am not directly involved with the system administration but from what I've heard from that team, they are very happy with it, the CI/CD pipeline is especially nice.

If we hadn't already heavily invested in Jenkins (with a setup that's mostly portable between providers) that would be very interesting.

It’s deeply hilarious Atlassian is expecting people to put up with 10 minute merges, like it’s some intractable deficiency of git. They’re not serious competition for GitLab, and definitely not GitHub.

I migrated our company's repositories away from Bitbucket a few days ago using git clone --mirror and it worked fine. Am I missing something, or were you just unlucky?

Makes me glad I have been migrating away from bitbucket as I update projects lately.

This is ridiculous. git clone is expected to work.

Clickbait-y and misleading. Exfiltration means getting hold of data which you shouldn't be able to access or download.

It's just a jokey title. A Bitbucket bug (presumably) didn't let him clone his repo the standard way so he found a workaround. I thought it was a great read.

Jokey title that wastes the time of those worried about that specific bug and also hides the workaround from those interested in it. Smart content, but not the title.

I haven't heard that usage of exfiltration.

I have heard of exfiltration in the military context, as in "getting back your own stuff if it's harder than normal for some reason".

Like Saving Private Ryan is about exfiltrating Private Ryan. Or you would exfiltrate a unit stuck behind enemy lines.

That meaning makes sense here.

Yeah; it is kinda weird because in a normal context the wording is okay and makes sense. The problem is really that exfiltration means something specific in computer security. So if you are a security person, you look at the title and you are thinking "oh no" (at least that is what I did).

The word exfil for data is an extension of the military usage. Used for cases where the adversary has difficulty collecting it. Implies some unusual methods were used.

e.g. when the customer is using adblock to evade surveillance, or files are deliberately isolated from the Internet.

> Exfiltration means getting hold of data which you shouldn't be able to access or download.

That's incorrect. Someone with legitimate access to data can still exfiltrate it, which means to covertly remove it to outside the organization.

For example, someone in HR might have payroll data they can properly access. However, when they send that data home over a covert channel, that is exfiltration.

Not to be too nitpicky, but that person in HR "shouldn't" be allowed to download that data, which would fall under the definition of the person you replied to.

And you "shouldn't" use a build pipeline to push source code to S3

It's. A. Joke.

See, it's almost as if Bitbucket were trying to keep you from getting your data and you had to "hack it out".


Literalism is a point. Metaphor is a volume. Grok the volume. It is vasty and useful.

