In light of the recent leak of Twitch’s source code (over 6,000 private GH repositories) and other information, through a 125GB data torrent over 4chan.org, GitHub (GH) is now stepping up their policies for server configuration and standardizing metrics for use by developers on GH. With everything from indexing methodologies to configuration policies, GH has started a campaign that is aimed at gathering policy proposals from the developer community, in order to get a more diverse view of the situation and a wider range of potential solutions. A couple examples of proposed policies already are from GitHub developers TC39 and WebAssembly, covering a proposed indexing method and content security policies, respectively.
TC39’s proposal covers a relative indexing method that is being requested to be added to JavaScript, which would enable the user to access the index of an array using negative indexing syntax. This method does not exist in JavaScript, as it doesn’t allow the user to count from the back of an array. This method does exist in Python, but since Python is not built for the web, the only methods for web-based developing are hacked together and insecure. The policy proposal by WebAssembly is a sandbox-type security model, that enables modules that were developed in GitHub to have limited interaction with the host, compensating for security issues such as the manipulation of return addresses or other stack data from the host.
GitHub’s encouragement of policy creation by its developers isn’t something that resulted directly from this Twitch leak – however, it has most certainly had an influence on their search for, response to, and implementation of developer policies in the future. Had some of these policies and methodologies been implemented before the leak, chances are, the configuration issue that resulted in a third-party gaining access would have been closed off, and millions of lives and livelihoods would not have been destroyed. Despite the basis for this attack, which, according to 4chan, is because Twitch is a ‘toxic cesspool’ (which I will not disagree with), it still disrupted the daily routines and income of many. Building a wider base of policy proposals (which you can contribute to here) and new approaches to online functions, we can only hope that GH and other source-hosting services can prevent such disasters in the future.
References
GitHub. (2021). Setting policies for organizations in your enterprise account. Retrieved from https://docs.github.com/en/github/setting-up-and-managing-your-enterprise/setting-policies-for-organizations-in-your-enterprise-account
GitHub. (2021). GitHub policy · GitHub. Retrieved from https://github.com/about/developer-policy/
GitHub. (2021, August 9). Defining Standardized GitHub Metrics for International Development, Public Policy and Economics Research and Indexes. Retrieved from https://socialimpact.github.com/assets/img/GitHub_RFP-StandardizedMetrics_FINAL.pdf
GitHub. (n.d.). ECMA TC39. Retrieved from https://github.com/tc39
GitHub. (n.d.). Tc39/proposal-relative-indexing-method: A TC39 proposal to add an .at() method to all the basic indexable classes (Array, string, TypedArray). Retrieved from https://github.com/tc39/proposal-relative-indexing-method
GitHub. (n.d.). WebAssembly. Retrieved from https://github.com/WebAssembly
Hamilton, I. A. (2021, October 7). Twitch gave a brief explanation for the giant leak that exposed creator payouts, source code, and more. Retrieved from https://www.businessinsider.com/twitch-leak-hacked-explained-how-hackers-breached-data-2021-10?op=1
Kumar, M. (2021, September 20). Request for proposals: Defining standardized GitHub metrics. Retrieved from https://github.blog/2021-08-31-request-for-proposals-defining-standardized-github-metrics/
Shape_Grifter. (2021, October 6). Twitch hacked, entirety leaked on 4Chan. Retrieved from https://gaming.ebaumsworld.com/articles/twitch-hacked-entirety-leaked-on-4chan/87000534/#:~:text=space%2C%E2%80%9D%20calling%20Twitch%20a-,%E2%80%9Ctoxic%20cesspool.%E2%80%9D,-Which%20is%2C%20admittedly
TC39. (2021, August 3). Tc39/proposal-relative-indexing-method: A TC39 proposal to add an .at() method to all the basic indexable classes (Array, string, TypedArray). Retrieved from https://github.com/tc39/proposal-relative-indexing-method
W3schools. (n.d.). Python string negative indexing. Retrieved from https://www.w3schools.com/python/gloss_python_string_negative_indexing.asp