407 points todsacerdoti | 1 comments
nicce ◴[] No.45008930[source]
GitHub Container registry does not even support fine-grained tokens, instead it uses classic ones [1], which makes this even more dangerous.

[1] https://docs.github.com/en/packages/working-with-a-github-pa...

Edit: most relevant issues?

https://github.com/orgs/community/discussions/38467

https://github.com/github/roadmap/issues/558

echelon ◴[] No.45008951[source]
Someone near a computer that is feeling generous should buy up all the typo'd domain names and hand them over to Microsoft.

Microsoft should rename the registry. This is a horrible name. I know I've typo'd it before.

jsheard ◴[] No.45008966[source]
Microsoft is paying top dollar for MarkMonitor, aren't they supposed to proactively register obvious typos so this kind of thing doesn't happen to their clients?
VoidWhisperer ◴[] No.45009076[source]
My guess is that MarkMonitor is mainly used for their brand-relevant domains (microsoft, office 365, github (main site), etc), as opposed to one that a small subset of a small subset of their users of one service will use - I would imagine that Microsoft likely owns hundreds of domain names and doesn't pay MarkMonitor to monitor every single one.
1. gruez ◴[] No.45014394[source]
ghcr.io is registered by MarkMonitor.