
It sounds like Mrs. Preston-Werner was a regular presence at the GitHub office and, according to Horvath, had extensive access to private information throughout GitHub's systems despite the fact that she wasn't an employee. If true, that should certainly be a privacy and security concern to any GitHub customer or user.


> If true, that should certainly be a privacy and security concern to any GitHub customer or user.

We left github private repo hosting when they got VC funding, because of such a scenario where we could be competing with a company that was funded by the same VC that gave GH money.

Now in a perfect world that shouldn't be a problem because the VC should never access private user data. But well ... as you see it's not a perfect world, and if the wife of an employee can browse through customer data then why shouldn't this be true for the guy who gave GH a few million dollars?


She apparently had access to employee data, not customer data. In my experience, businesses will often play a little fast-and-loose with employee data - far more so than customer data.

Though I agree it presents a bad image of GitHub's access control in general.


You moved into a direct competitor or you rolled up your own infrastructure?

I'm curious because if the company is not large, it doesn't seem like much of a hassle to have your own repository server.


Not the person you replied to, but we're a large company and we're using Gitlab internally, it even hooks up to LDAP which is fantastic. We still use some private Github projects too.


We rolled our own. Git hosting is pretty straightforward. And Gitlab makes it even simpler.


Gitlab is a FOSS self hosted alternative to github.


Wouldn't that rule out any corporation, too? Not much difference between VCs and large shareholders.


I was hoping Github would address this. But the whole post is about HR issues and having an inclusive work environment.


There was never much chance that they were going to be completely open about their findings. It would only have made an eventual lawsuit against them more likely to succeed, while likely not doing anything to make people feel better about what happened. The removal of TPW is a pretty huge move either way.


Yeah I'm curious about this myself. Doesn't this create a pretty serious security situation? GitHub isn't a small startup anymore, I would assume they'd have some pretty serious security precautions in place.


They also handle plenty of trade secrets, I'd bet. They have private repos.


With so many self-hosted Github alternatives, and even Github Enterprise (self-hosted Github), I don't feel sorry for anyone having trade secrets stolen if they were hosting via private repos on Github.com.


This is incredibly troubling. How can anyone trust GitHub, knowing that non-employees regularly had access to private information?


What about de-facto board members? Tom was on GitHub's board, it was/is a small company, I don't get how "founder's wife" is not a suitably trusted position. I mean, clearly a bad call in this case, but hindsight is 20/20, and in my small business the husbands of my co-founders are de-facto employees (and in fact board members with significant proxy voting power, simply by state law of common property).

Edit: I looked it up; California, too, is a community property state. Theresa was absolutely an effective board member.


That's not how community property works. Teresa effectively owned an indivisible half of Tom's Github stock via the community property laws, but this does not make her a board member. Board members are selected by the company pursuant to various legal mechanisms not subject to community property laws because a board position is not a "property."


You should really get a better lawyer.


Most corporate startup lawyers have founders' spouses sign release forms to clearly indicate that they do not have some claim to ownership or equity.


This.

I just drafted a stock purchase agreement for my business partner and me on our new startup, and one of the basic boilerplate additions to the stock purchase / vesting agreement is a spousal agreement to the terms of the purchase.

The communal property law only relates during a divorce, where the shares are split up between the couple by the courts. Any decently written stock purchase agreement has a right of first refusal for the company to purchase back those shares in the event of an involuntary transfer.


Well, we don't know that. It's an allegation by one person which hasn't been confirmed as being true by GitHub. And presumably after this incident, if it is true, they'll have better security policies going forward.


This is incredibly troubling. How can anyone trust ${CLOUD_OR_HOSTING_COMPANY}, knowing that ${PERSONS_OR_SOFTWARE} regularly had access to private information?

Be paranoid. Encrypt it if you don't want people to snoop.


In my experience it is pretty common for people who bring work home with them not to be super-meticulous about preventing access to the content of the work by their families. How many people do you know who sound-proof their home office so their wife can't eavesdrop on their business calls?


I think I should point out this is a fireable offense in a number of companies. I work with sensitive information every day. I'm pretty sure if I allowed someone outside the company to use my machine for anything, I would be fired.

My dad works for IBM doing mainframe repair and installation. He's seen his coworkers fired for allowing unauthorized individuals to use their company laptops. They've gone even further in the last few years in making unauthorized software a fireable offense.

Granted, two data points aren't a lot, but there are companies that have enforced policies to prevent sensitive information from leaking.

I should also point out both my dad and I do significant amounts of work from home and we are both required by our companies to use full disk encryption.


Without going to the extreme of secret+ classifications -- in which case you cannot take things home without a secure home office, and move things between them in secure containers -- I don't think employees are fired for failing to lock their home office against their spouse or soundproofing their office against their spouse.

Which is different from saying that the company would fire them if the spouse used their inside-access to harm the company in any way.


My girlfriend works on disclosure projects at a company you've heard of and who regularly has highly-anticipated announcements. I have no idea what she works on, even when she's working from home in the same room as me[1].

1. http://www.officedepot.com/a/browse/laptop-privacy-filters/N...


I think that people that can and do bring work home are employed in fields where one does not need to be super meticulous about preventing access to the work.


You would think wrong.

Very wrong.


You know a lot of people that bring work home because the living room has better reading light than the SCIF?


No, people bring work home because they need to put in some extra hours, but do not wish to stay at the office until 9PM.


So you know a lot of people that take things out of the SCIF because they do not want to stay late?


Depends on what you mean by SCIF. Coworkers bring confidential paperwork/documents home, and remote access over remote desktop software is blessed. However, you might get a phone call from security if you started downloading lots of confidential data directly to your home computer.


There's a pretty big difference between sound proofing your office and giving your wife unfettered access to the corporate network.


How can you "trust" GitHub knowing that employees regularly have access to private information?


Why does anyone trust _______, knowing that employees regularly have access to your private information?


That's the $BB++ cloud question, isn't it?

In short, many vendors go to great expense to vet, audit, and limit the number of employees who could potentially access customer data. Some will geo-locate physically separate systems under separate administration according to regional necessity.

Disclosure: works for such a vendor.


Sure, but this can only be appreciated if the relationship is large enough to have an explicit non-changeable contract and routine auditing. From any lone consumer's point of view, "cloud" providers are black boxes that will probably try to limit the damage a rogue employee can do, but any methods or promises can change overnight based on business needs.


Especially knowing that x% of those employees will have left the company in 5 years, and y% of those will have taken private copies of customer data with them.


I don't trust them. I simply have no choice.


I thought the allegation was she had access to internal chat, not customer data.


Access to internal chat may have given her access to much of GitHub through Hubot. https://hubot.github.com/


Access to emails is one thing. Access to the internal public banter and coordination of work hardly strikes me as worrying, based on all the discussions I've seen at my current place of work and past places of work. Any information sensitive enough to keep from your significant other is probably too sensitive for a shared internal conversation system available to all employees. Yeah, there's stuff that you wouldn't want your competitors to know, but for most everyone else with no skin in the business/industry it is fairly irrelevant information.


Hubot lets GitHubbers deploy code to production, amongst lots of other things. In other words, access to internal chat is a much bigger deal at GitHub than it is at your workplace.


I would certainly hope that you can only tell Hubot to do something like that if you have the correct permissions. Hubot should not be accepting deploy commands from anyone except those with sufficient privileges. If that isn't the case, that needs to be fixed ASAP.
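The privilege check this comment asks for, written as an added example that is not part of the thread and not Hubot's or GitHub's own code. It assumes Hubot's v2 listener-middleware shape (`context, next, done`), listeners that declare the roles they need in their options, and a constructed role table in place of `robot.brain`.

```javascript
// Added example (not from the thread, GitHub or Hubot): a deny-by-default
// listener middleware so only users holding a required role reach a
// privileged listener. Assumes Hubot v2-style (context, next, done)
// middleware and listeners declaring roles in their options, e.g.
//   robot.respond(/deploy (.+)/, { id: "deploy", roles: ["deployer"] }, ...)

// Constructed role table keyed by chat user id; a real bot would read this
// from robot.brain or an identity provider, never from the message itself.
const ROLES = { U100: ["deployer", "admin"], U200: ["developer"] };

function rolesFor(userId) {
  return ROLES[userId] || [];
}

// Allowed only if the listener needs no role, or the user holds one of the
// required roles. Unknown users hold no roles, so they are denied.
function isAuthorized(listenerOptions, userId) {
  const required = (listenerOptions && listenerOptions.roles) || [];
  if (required.length === 0) return true;
  const held = new Set(rolesFor(userId));
  return required.some((role) => held.has(role));
}

// Denied attempts are logged (a detection signal) and the listener body
// never runs; next(done) is called only for authorized users.
function makeAuthMiddleware(robot) {
  return function authMiddleware(context, next, done) {
    const user = context.response.message.user;
    const opts = context.listener.options || {};
    if (isAuthorized(opts, user.id)) return next(done);
    robot.logger.warning(`denied listener=${opts.id} user=${user.id} needs=${opts.roles.join(",")}`);
    context.response.reply(`You need one of [${opts.roles.join(", ")}] for that.`);
    return done();
  };
}

// Drives the middleware with a fake robot and context so the decision can be
// exercised offline; returns what a listener body would observe.
function simulate(userId, listenerOptions) {
  const log = [], replies = [];
  let ran = false;
  const robot = { logger: { warning: (m) => log.push(m) } };
  const context = {
    listener: { options: listenerOptions },
    response: { message: { user: { id: userId } }, reply: (m) => replies.push(m) },
  };
  makeAuthMiddleware(robot)(context, (done) => { ran = true; done(); }, () => {});
  return { ran, replies, log };
}
```

In a real bot the middleware is registered once with `robot.listenerMiddleware(makeAuthMiddleware(robot))`, and the warning line is what you would forward to the SIEM to spot unauthorized deploy attempts.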

