[HN Gopher] How to exfiltrate code from Bitbucket
___________________________________________________________________
How to exfiltrate code from Bitbucket
Author : et1337
Score : 128 points
Date : 2021-07-22 13:39 UTC (9 hours ago)
(HTM) web link (etodd.io)
(TXT) w3m dump (etodd.io)
| Shank wrote:
| This is the exact symptom I had with using AT&T Fiber and GitHub,
| using "DMZ+ mode." It sounds a lot like an MTU problem, and no,
| when I contacted GitHub they were absolutely flummoxed and
| couldn't see any evidence of failure.
|
| If you're ever in a similar situation, try cloning over a
| different ISP or a VPN first. It's pretty rare for a service like
| bitbucket to have a catastrophic failure like this without it
| being a downstream problem.
| oauea wrote:
| > It's pretty rare for a service like bitbucket to have a
| catastrophic failure like this without it being a downstream
| problem.
|
| It's bitbucket. It is actually extremely common.
| flerchin wrote:
| This is ridiculous. git clone is expected to work.
| CSDude wrote:
| Not directly related, saw from the screenshots. Instead of using
| AWS secret keys in env variables like this, Bitbucket supports
| OIDC and you can safely build a trust relationship instead of
| static keys which is a security nightmare.
| https://support.atlassian.com/bitbucket-cloud/docs/deploy-on...
|
| Disclaimer: Atlassian employee.
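CSDude's point about replacing static AWS keys in pipeline environment variables with an OIDC trust relationship is easiest to see from the relying-party side: the cloud account never holds a long-lived secret belonging to the pipeline; it checks a short-lived identity token's signature, issuer, audience, expiry and subject against a trust policy. The Python below is an added example written for this page, not code from Atlassian, Bitbucket or the linked post. It assumes a generic JWT-shaped token carrying `iss`, `aud`, `sub` and `exp` claims, signs it with a constructed HS256 key in place of the issuer's real asymmetric key, and uses a constructed `repo-A:step-1` subject layout; the actual Bitbucket claim names and formats must be taken from the Atlassian documentation, not from this example.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed values for this demo. Real OIDC tokens are signed by the issuer with an
# asymmetric key and the verifier fetches the public key from the issuer's JWKS
# endpoint; HS256 with a constructed key keeps the example self-contained while still
# exercising the signature, expiry and claim checks a trust policy relies on.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://oidc.example.invalid/workspace-demo"  # constructed issuer URL
AUDIENCE = "demo-workspace-audience"                     # constructed audience

# Two trust policies. The strict one binds the role to a single repository by
# matching the subject claim; the loose one accepts any subject from the issuer,
# so every pipeline in the workspace could assume the role.
STRICT_POLICY = {"issuer": ISSUER, "audience": AUDIENCE, "subject_pattern": r"repo-A:.*"}
LOOSE_POLICY = {"issuer": ISSUER, "audience": AUDIENCE, "subject_pattern": r".*"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWT signed with HS256 (stands in for the issuer's signing step)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def evaluate_trust(token: str, policy: dict, key: bytes = DEMO_KEY, now=None):
    """Decide whether `token` may assume the role guarded by `policy`.

    Returns (allowed, reason). The signature is checked before any claim is
    read, so unauthenticated bytes never influence the decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return False, "malformed token"
    # Pin the algorithm: the token must never choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed claims"
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired or missing exp"
    if claims.get("iss") != policy["issuer"]:
        return False, "wrong issuer"
    if claims.get("aud") != policy["audience"]:
        return False, "wrong audience"
    if not re.fullmatch(policy["subject_pattern"], str(claims.get("sub", ""))):
        return False, "subject not trusted"
    return True, "ok"


def demo():
    """Mint tokens for two repositories and show what each policy lets through."""
    far_future = 4102444800  # 2100-01-01 UTC, so the demo tokens do not expire
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": far_future}
    # Constructed subject layout "<repository id>:<step id>"; read the real claim
    # layout from an actual token and the vendor docs rather than assuming it.
    token_a = mint_demo_token({**base, "sub": "repo-A:step-1"})
    token_b = mint_demo_token({**base, "sub": "repo-B:step-7"})
    wrong_key = mint_demo_token({**base, "sub": "repo-A:step-1"}, key=b"some-other-key")
    return {
        "repo_a_strict": evaluate_trust(token_a, STRICT_POLICY),
        "repo_b_strict": evaluate_trust(token_b, STRICT_POLICY),
        "repo_b_loose": evaluate_trust(token_b, LOOSE_POLICY),
        "wrong_key_strict": evaluate_trust(wrong_key, STRICT_POLICY),
        "expired_strict": evaluate_trust(token_a, STRICT_POLICY, now=far_future + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and compare `repo_b_strict` with `repo_b_loose`: the only difference is the subject pattern, which is what stops every pipeline in the workspace from assuming a role meant for one repository. A static key held in a pipeline variable has no equivalent check; whoever reads the variable holds the credential until someone rotates it.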
| geocar wrote:
| I appreciate you probably don't personally set the priorities
| or anything, but maybe you could let your boss know I hate all
| of your company's products and use them only under protest?
|
| Thanks.
| nwatson wrote:
| I think Confluence and SourceTree both are great products.
| Jira is no pleasure but does the job especially at large
| scale.
|
| But Confluence especially, a great wiki, requires discipline
| to avoid a mess but all wikis do.
| oauea wrote:
| (Cloud) Confluence is rather slow, and does not support
| markdown or any kind of text editing. Only their awful,
| awful WYSIWYG editor which of course is different from all
| other Atlassian products.
| nwatson wrote:
| The "edit Confluence in 'markdown'" looks like a good
| case, I see interest on Confluence site for importing
| markdown into Confluence (a no-go since the goal might be
| to keep content as markdown) [0] and support for a keep-
| low-level-content-as-editable-markdown [1]. I'd look
| forward to seeing how Atlassian would keep markdown
| content since I'm not sure that relative links between
| documents would work well in an Atlassian model, as well
| as other stuff. Plus Atlassian would probably want to let
| biz-types edit the same document in WYSIWYG while keeping
| the content in low-level markdown, meaning they'd have to
| severely constrain the content type in the WYSIWYG editor
| or create some hybrid markdown/Atlassian document type.
|
| ( The link for [1] may or may not require an Atlassian
| login. )
|
| [0] https://community.atlassian.com/t5/Confluence-
| questions/Impo...
|
| [1] https://jira.atlassian.com/browse/CONFCLOUD-68272
|
| EDIT: formatting
| tclancy wrote:
| You can paste Markdown into it. I just have to remember
| the magical keyboard incantation every time I do it.
| tyingq wrote:
| Tried cloning a much larger repo from his bitbucket account, and
| it works fine...
|
| $ git clone https://etodd@bitbucket.org/etodd/lasercrabs-archive
| Cloning into 'lasercrabs-archive'...
| remote: Enumerating objects: 12162, done.
| remote: Counting objects: 100% (12162/12162), done.
| remote: Compressing objects: 100% (9255/9255), done.
| remote: Total 12162 (delta 2540), reused 12162 (delta 2540), pack-reused 0
| Receiving objects: 100% (12162/12162), 413.56 MiB | 14.34 MiB/s, done.
| Resolving deltas: 100% (2540/2540), done.
| Updating files: 100% (11141/11141), done.
| microtherion wrote:
| For all the technical excellence in git's plumbing, I'm surprised
| that nobody has bothered to implement resumable cloning yet.
| Apart from the issues with bitbucket as a specific platform,
| every now and then I have to clone repos of a size that a simple
| bandwidth calculation tells me is going to be a multi-day
| endeavour, and even in the best families, a connection is not
| guaranteed to stay up that long.
|
| So to this day, I keep having to clone locally and then rsync
| --partial the .git folder over the slow link. Surely it should
| not be an insurmountable problem to not throw away a partial
| clone, but instead offer to resume at a reasonable checkpoint?
| withinboredom wrote:
| Multi-day... snail mail probably has higher bandwidth,
| depending on the distance. I usually use https instead of ssh
| for bigger clones as it tends to be more resilient in the face
| of tcp shenanigans.
| karmicthreat wrote:
| Makes me glad I have been migrating away from bitbucket as I
| update projects lately.
| linsomniac wrote:
| NOTE: Bitbucket has been migrating to a new platform internally,
| and has been having sporadic issues. Not sure if that is the case
| here. Story 13 days ago:
| https://news.ycombinator.com/item?id=27774987
| GrayShade wrote:
| This could be a network connectivity issue, like an IPv6 PMTU
| discovery problem.
| lugged wrote:
| Should have just pinged them on hipchat, it should reach them
| maybe.
| eurasiantiger wrote:
| Honestly, the last thing I'd want in a situation like this is
| "use this chat app we're using". I think that is a crappy
| approach to support, since it is not working alongside a public
| knowledge base and thus cannot amend an existing pile of
| related problem-solving knowledge. It mandates processes which
| generate throwaway solutions and waste everyone's time. Gitter
| is not the answer.
| breakingcups wrote:
| Hipchat has been phased out for a while now, no?
| chrisBob wrote:
| Yes, I think the joke is that Hipchat is gone.
|
| Atlassian replaced it with Slack which was just bought by
| Salesforce, so who knows maybe they will revive Hipchat now.
| denimnerd42 wrote:
| probably just get some investment to buy mattermost lol
| dpratt wrote:
| Which, I believe is either owned or majorly maintained by
| GitLab.
| denimnerd42 wrote:
| ah..
| mdoms wrote:
| > Atlassian replaced it with Slack
|
| Not before migrating to their own Hipchat successor / Slack
| clone, Stride, which was infinitely worse than both in
| every way. The product and IP was sold to Slack for, rumour
| has it, $1.
|
| https://en.wikipedia.org/wiki/Stride_(software)
| sgerenser wrote:
| According to that Wikipedia article, Atlassian took a
| "minority investment in Slack." That's certainly worth
| much more than $1.
| oauea wrote:
| Bitbucket has been... not good lately. And that's putting it
| kindly. I don't know if anyone from Atlassian reads HN, but
| please... Don't force us to migrate away.
| c7DJTLrn wrote:
| We use Bitbucket Cloud and I can attest to this. The quality
| just seems to get worse and worse. Bi-weekly outages, 10 minute
| PR merges, very late webhook calls, profile pictures not
| showing for some unknown reason. It is almost criminal that
| they charge the money they do when put up against GitHub,
| GitLab, and SourceHut.
|
| In fact, all of Atlassian's products feel gross, it's all
| horribly slow. Jira's slowness alone probably cuts my
| productivity by about 20%.
| Sky_Vault wrote:
| At my company we had to migrate over to a custom gitlab
| instance, I am not directly involved with the system
| administration but from what I've heard from that team, they
| are very happy with it, the CI/CD pipeline is especially nice.
| oauea wrote:
| If we hadn't already heavily invested in Jenkins (with a
| setup that's mostly portable between providers) that would be
| very interesting.
| alanfranz wrote:
| Clickbait-y and misleading. Exfiltration means getting hold of
| data which you shouldn't be able to access or download.
| tome wrote:
| It's just a jokey title. A Bitbucket bug (presumably) didn't
| let him clone his repo the standard way so he found a
| workaround. I thought it was a great read.
| fvv wrote:
| Jokey title that wastes the time of those worried about that
| specific bug and also hides the workaround from those interested
| in it. Smart content but not the title.
| Justin_K wrote:
| Wrong
| Hizonner wrote:
| It's. A. Joke.
|
| See, it's almost as if Bitbucket were trying to keep you from
| getting your data and you had to "hack it out".
|
| Jeezuz.
| ThePadawan wrote:
| I haven't heard that usage of exfiltration.
|
| I have heard of exfiltration in the military context, as in
| "getting back your own stuff if it's harder than normal for
| some reason".
|
| Like Saving Private Ryan is about exfiltrating Private Ryan. Or
| you would exfiltrate a unit stuck behind enemy lines.
|
| That meaning makes sense here.
| [deleted]
| numpad0 wrote:
| The word exfil for data is an extension of the military usage.
| Used for cases where adversaries have difficulty collecting
| it. Implies some unusual methods were used.
|
| e.g. when the customer is using adblock to evade
| surveillances, or files are deliberately isolated from the
| Internet.
| TravisHusky wrote:
| Yeah; it is kinda weird because in a normal context the
| wording is okay and makes sense. The problem is really that
| exfiltration means something specific in computer security.
| So if you are a security person, you look at the title and
| you are thinking "oh no" (at least that is what I did).
| rpodraza wrote:
| Do you know what joke/irony/sense of humor is?
| IncRnd wrote:
| > Exfiltration means getting hold of data which you shouldn't
| be able to access or download.
|
| That's incorrect. Someone with legitimate access to data can
| still exfiltrate it, which means to covertly remove it to
| outside the organization.
|
| For example, someone in HR might have payroll data they can
| properly access. However, when they send that data home over a
| covert channel, that is exfiltration.
| TameAntelope wrote:
| Not to be too nitpicky, but that person in HR "shouldn't" be
| allowed to download that data, which would fall under the
| definition of the person you replied to.
| eli wrote:
| And you "shouldn't" use a build pipeline to push source
| code to S3
| swayvil wrote:
| Literalism is a point. Metaphor is a volume. Grok the volume.
| It is vasty and useful.
___________________________________________________________________
(page generated 2021-07-22 23:01 UTC)