    407 points todsacerdoti | 19 comments
    1. arjvik ◴[] No.45008810[source]
    Took the article pointing out that the c and r were transposed for me to even notice there was a problem!
    replies(2): >>45008822 #>>45008942 #
    2. SoftTalker ◴[] No.45008822[source]
    Yep, this is the sort of typo error I make probably 10 times a day.
    replies(1): >>45009673 #
    3. echelon ◴[] No.45008942[source]
    The problem here is GitHub's terrible domain name.

    The container registry has a horrible name.

    replies(1): >>45008979 #
    4. Gigachad ◴[] No.45008979[source]
    Why does it seem companies hate subdomains so much? Why is this not just registry.github.com or something? It's like they are trying to get people to fall for phishing by creating so many random domains.
    replies(6): >>45009027 #>>45009048 #>>45009149 #>>45009221 #>>45009237 #>>45011982 #
    5. zx8080 ◴[] No.45009027{3}[source]
    Probably, it's cool, and honored inside an org, to operate a separate domain service vs. going to ask another team for permission for a subdomain.
    6. JdeBP ◴[] No.45009048{3}[source]
    Interestingly, the GitHub doco says outright that it superseded docker.pkg.github.com; so it was a conscious choice to go with this domain naming scheme instead of that one.

    * https://docs.github.com/en/packages/working-with-a-github-pa...

    7. rconti ◴[] No.45009149{3}[source]
    insecurity through obscurity
    8. dcrazy ◴[] No.45009221{3}[source]
    It’s best security practice to host user-generated content on a separate domain to opt into browsers’ cross-domain security policies. Hence ghcr.io, githubusercontent.com, fbimg.com, etc.

    https://www.reddit.com/r/webdev/comments/lg9xnm/why_do_some_...

    replies(1): >>45010131 #
    9. cyral ◴[] No.45009237{3}[source]
    I've noticed this too. Why does Amazon have aboutamazon.com and Google have developers.googleblog.com? They literally have their own .google TLD but still choose this weird domain.

    Same with local governments. They love something really random like <countyname>proptaxpayment.org instead of treasurer.<countyname>.gov. It's exactly the kind of domain you are told to watch out for, but actually legit.

    replies(1): >>45010230 #
    10. javchz ◴[] No.45009673[source]
    What's funny is that, because of tokenization, there is a non-zero chance an LLM audit may not see anything wrong here, similar to the strawberry problem.
    replies(1): >>45012567 #
    11. usr1106 ◴[] No.45010131{4}[source]
    Not a web programmer, so I know cross-domain only from hearsay :(

    It does not seem to hinder e.g. Google using google.com, youtube.com, gmail.com, and several (many?) others to collect your data. Do you say security and privacy work differently here?

    replies(1): >>45010203 #
    12. missingcolours ◴[] No.45010203{5}[source]
    In those cases, the company controls all of the code running on those sites, so it's desirable for them to share data and cookies in particular. (e.g. any google.com site can read your login cookie)

    In the case of user data domains, intentionally in the design of the service or via a security hole, users may be able to execute code and read cookies (e.g. in JavaScript on a page hosted on githubusercontent.com) and that's undesirable.

    replies(1): >>45010353 #
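    The cookie-scoping behaviour behind dcrazy's and missingcolours' points (a login cookie scoped to the parent domain rides along to every subdomain, but not to a separate registrable domain such as githubusercontent.com or ghcr.io) can be reproduced with Python's RFC 6265-style cookie jar. This is an added example, not code from the thread; the hosts, paths and cookie value are constructed for illustration, and user.github.com is a hypothetical user-content subdomain.

```python
# Added example (not from the thread): show how a browser-style cookie jar
# scopes a login cookie, using Python's http.cookiejar.
# Hosts and cookie values are constructed for illustration.
import http.cookiejar
import io
import urllib.request
from http.client import parse_headers


class _FakeResponse:
    """Minimal stand-in for an HTTP response; the jar only needs .info()."""

    def __init__(self, set_cookie_lines):
        raw = "".join(f"Set-Cookie: {c}\r\n" for c in set_cookie_lines) + "\r\n"
        self._headers = parse_headers(io.BytesIO(raw.encode("ascii")))

    def info(self):
        return self._headers


def build_jar():
    """'Log in' at github.com and receive a session cookie scoped to .github.com."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://github.com/login")
    jar.extract_cookies(
        _FakeResponse(["user_session=SECRET; Domain=.github.com; Path=/; Secure"]),
        login,
    )
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url, or None."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = build_jar()
    for url in (
        "https://github.com/settings",           # first party: cookie sent
        "https://user.github.com/page.html",     # hypothetical user-content subdomain: cookie sent too
        "https://user.githubusercontent.com/x",  # separate registrable domain: nothing sent
        "https://ghcr.io/v2/",                   # separate registrable domain: nothing sent
    ):
        print(f"{url:40} -> {cookie_header_for(jar, url)}")
```

    The second line of output is the whole argument for a separate domain: any page served from a github.com subdomain would receive the session cookie, so user-controlled content is kept off that domain entirely.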
    13. missingcolours ◴[] No.45010230{4}[source]
    A common scenario I've seen in the case of local governments is that a department (e.g. the Assessing Department) contracts with a vendor to run the website and has no idea how DNS works, and the vendor defaults to registering new domains for their clients since that's the easiest when dealing with non-technical clients. Texas alone for example has 254 countries, the vast majority of which are very small and have effectively no full time IT department, so when these vendors are engaging new clients, low IT expertise is the norm by volume.

    The local government itself may have an IT department, but they may not know how to create a subdomain, or even be aware this contract is being made and the site is being set up until after it's announced to the public.

    replies(1): >>45011446 #
    14. usr1106 ◴[] No.45010353{6}[source]
    Sure, I see why as a company you don't want user data in your domain.

    But if the different domain name gives good protection / isolation, why does Google still use completely different domains for different services with content controlled by them? I cannot believe they are interested in protecting users from data collection.

    replies(1): >>45010500 #
    15. plorkyeran ◴[] No.45010500{7}[source]
    YouTube was an acquisition that they didn’t rebrand. Google Video was on google.com. gmail.com redirects to mail.google.com, and only email addresses use the gmail domain to avoid appearing to be google employee emails.
    16. JdeBP ◴[] No.45011446{5}[source]
    Now you too are hearing a voice in your head, as I did, in the classic drawl, saying "Counties, kid. Texas ain't that big.". (-:
    17. wink ◴[] No.45011982{3}[source]
    If you are very old[tm] you might remember that github pages were hosted on USER.github.com and they moved to USER.github.io in 2013, https://github.blog/news-insights/product-news/new-github-pa...

    JFTR, I also think they could at least have used a couple of pronounceable domains, or put stuff under a .github.io domain, or at least made it githubrepo.com or something not acronym-y.

    18. TobTobXX ◴[] No.45012567{3}[source]
    Nah, cr and rc are different tokens and LLMs would have no issues telling them apart. An older model might have trouble explaining that cr and rc are similar and can thus get easily mixed up, but the characters are probably more different to the LLM than they are to us.
    replies(1): >>45013820 #
    19. TehCorwiz ◴[] No.45013820{4}[source]
    What about all that GitHub training data using the wrong domain? Even being a different token it’s still being trained as a correct value.