Time  Nick    Message
13:02 dotplus pdurbin: my orgs were visible. Without looking into *at all* this sounds like a very scary "all your repos are belong to ... someone" permission granter.
13:02 dotplus the sort of thing you might expect to see when downloading some shady phone app.
13:45 pdurbin dotplus: it *does* seem shady. like an app that's requesting too much permission, perhaps. I'm still confused by the whole thing. I took the advice from bene and opened an issue: https://github.com/mozillascience/site/issues/11
13:46 pdurbin I put a couple screenshots in there. Do they help explain my security concerns?
14:06 pdurbin mhayden and codex: you're both security-minded. What do you think of that issue I opened?
15:35 mhayden pdurbin: which?
15:36 pdurbin mhayden: https://github.com/mozillascience/site/issues/11
15:36 mhayden oof
15:36 mhayden that looks less than good
15:38 pdurbin mhayden: but is the problem that the app is requesting too much permission? Or is the problem with GitHub's defaults?
15:38 mhayden that i'm not sure about
15:38 mhayden it's been a while since i messed w/github oauth
15:40 pdurbin you see why I didn't click "Authorize application" :)
15:42 pdurbin mhayden: here's where I argue a bit that GitHub's defaults are weird: http://irclog.greptilian.com/sourcefu/2015-02-14#i_97077
15:42 pdurbin mhayden: you could make a blog post about it! :)
15:46 pdurbin codex: you blog about security stuff too :)
15:46 pdurbin it could be a race!
17:08 bene    ah, i guess i'm not bpeisenbraun
17:08 bene    i'm bene@klatsch.org
17:08 bene    https://github.com/bpeisenbraun is me
17:08 bene    no idea
17:08 bene    github says your page is 404
17:10 pdurbin bene: you don't see a pending invitation?
17:10 bene    no
17:11 pdurbin Pending invitations
17:11 pdurbin Ben Eisenbraun
17:11 pdurbin bpeisenbraun
17:11 pdurbin Ben Eisenbraun
17:11 pdurbin Invitations are sent via email and can be accepted at https://github.com/crimsonfu
17:11 bene    ah, when i go to the main page i see it
17:12 bene    i'm a member of your herd now
17:12 bene    and i see the oauth-test thing
17:15 pdurbin bene: and I see you at https://github.com/orgs/crimsonfu/people (when I'm logged in). I gave you the lowest membership possible. Read only. But now... do you see crimsonfu listed when you go to http://www.mozillascience.org/auth/github ?
17:15 bene    yeah, i saw that before though
17:16 bene    https://www.dropbox.com/s/isuzu2icpfij0l9/Screenshot%202015-02-15%2012.15.54.png?dl=0
17:16 pdurbin bene: ok, and if you hover over the green checkmark you see the same "This organization allows the application to access private organization data and modify public organization data" ?
17:17 bene    https://www.dropbox.com/s/sif643mogx63te0/Screenshot%202015-02-15%2012.17.30.png?dl=0
17:18 pdurbin ok. so you do. so weird
17:18 pdurbin bene: want to go ahead and click "Authorize application"?
17:19 pdurbin (we can trust these people, and crimsonfu has nothing to hide)  :)
17:21 pdurbin bene: take your time. I'm heading out to shovel my sidewalk. Record snow at the Blue Hills: https://twitter.com/bhobservatory/status/566973319917096960
17:22 bene    i'm reading the github oauth docs
17:45 bear    pdurbin - I ran into this issue last week with a client of ours who is using github oauth for their app
17:46 bear    I advised our dev team to create new/temp github accounts to test the app with because it was asking for such an open permission set
19:13 pdurbin bear: ok, so I'm not crazy. thanks :)
19:14 pdurbin bene: yeah, looking at github's oauth docs is what prompted me to comment on a specific commit: https://github.com/mozillascience/site/commit/0456491dbd8627757f85ecf1076f6fb534bdab68#commitcomment-9748672
19:14 bear    yea, it seemed very aggressive such that I don't think anyone using github oauth is even aware of how much it asks for (they probably don't deal with a lot of multiple org people like ourselves)
19:17 pdurbin bear: yeah, but doesn't it seem like all it takes if for me as an owner of an org to create a read-only team, add someone as a member (like I did with bene) and then that person has the authority to allow an application to access access private organization data and modify public organization data? Seems crazy.
19:18 bear    yea, very - anyone who is a non-employee enjoying access to a single repo can open up our entire org
19:21 pdurbin exactly!
19:23 pdurbin bear: and if bene (part of a read-only team) clicks "Authorize application" will I as the owner of the crisonfu org even know that he opened up the org to that application by looking at https://github.com/organizations/crimsonfu/settings/oauth_application_policy ? It's unclear.
19:24 bear    that is also my issue - I only discovered it because I was signing on to a test application the dev team was being asked to use so I saw the permission list
19:24 bear    otherwise I would have been completely clueless
19:24 pdurbin bene: did you click "Authorize application"? That screen hasn't changed. It still says "Policy: No restrictions... All applications authorized by organization members have access to crimsonfu's data." Again, this seems to be the default for all orgs.
19:26 bear    it appears that each org can set: /settings/oauth_application_policy/
19:26 pdurbin oh, sure, I'm just arguing that there should be secure defaults.
19:29 bear    same
19:29 bear    and it's not obvious from the org profile view what permissions a dev has granted an app once the org admin "grants" access
19:30 pdurbin well, I'm hoping that if bene clicks "authorize application" I'll be able to tell from that screen. but I'm not holding my breath
19:32 pdurbin I mean, the takeaway seems to be the owners of every organization on GitHub should click the "Setup application access restrictions" button but there's a *long* list of things that will stop working (deploy keys, etc.) when you do: https://help.github.com/articles/about-third-party-application-restrictions/
19:34 pdurbin so I'm quite reticent to click that button before announcing the change to my team that stuff like deploys might stop working
19:35 bear    yea, that is what i'm working thru now also
19:35 bear    I just clicked it for our main repo because it has a lot of client data contained within it - going to have to deal with "why did this break?" questions
19:42 pdurbin bear: better you than me when I'm about to go on vacation ;)
19:42 bear    ouch - yea, not a good time to experimient with that for you
19:44 pdurbin I'm hoping we make it out of Boston: https://twitter.com/philipdurbin/status/566935963944112128
19:44 bear    wow - that's even more snow for your area - crazy
19:45 pdurbin my five year old just helped me clear off the car: https://www.youtube.com/watch?v=TGEIe-3sHxA
19:50 bear    haha - he's such a great helper! (even with the snow being taller than he is!)
19:56 pdurbin yeah, she's great. and thank goodness that isn't my car the huge icicle is hanging over: https://plus.google.com/photos/+PhilDurbin/albums/6116162267094458817
20:01 bene    i clicked teh button
20:02 bene    but i don't really want to join the moz science group
20:02 bene    all right
20:02 bene    i did it just for you phil
20:02 pdurbin \o/
20:02 pdurbin bene: you're the best
20:02 bene    grab your screenshots and let me know when you're done so i can drop it :-)
20:03 pdurbin bene: unfortunately, as expected, I can't tell you've "opened up" the crimsonfu org to that app. https://github.com/organizations/crimsonfu/settings/oauth_application_policy looks the same.
20:03 pdurbin bene: you can drop it. thanks much
20:05 bene    https://www.dropbox.com/s/iice1mbnanu6mpt/Screenshot%202015-02-15%2015.04.58.png?dl=0
20:05 bene    that's what it shows for me
20:09 pdurbin bene: thanks. hmm. I thought the "Organization access" would be more underneath the "Mozilla Science Lab" app.
20:11 pdurbin but I assume if you click "Revoke access" that "Organization access" goes away
20:11 bene    taht's what it looks like
20:12 pdurbin bene: it all went away?
20:15 bear    oops - didn't mean to assume "he" for your 5yr old - apologies to her!
20:15 bene    yes
20:16 pdurbin bear: heh. no worries
20:16 pdurbin bene: ok, thanks
20:19 pdurbin bear: I'm just happy you're picking up what I'm putting down about the weird GitHub defaults.
20:20 * bear  nods
20:20 bear    I would suggest that you send that to security@ as a vulnerability
20:23 pdurbin yeah. it's hard to explain though
20:24 bear    "an organization owner has zero visibility into permissions granted by other org owners"
20:25 pdurbin well, it's worse than that
20:25 bear    "an organization owner has zero visibility into permissions granted by other org members"
20:25 pdurbin because *members* of read-only teams can apparently grant access
20:25 pdurbin oh wait
20:25 bear    yea, was trying to work that part into
20:25 pdurbin that's what you said :)
20:25 bear    but your because statement really sets the tone for why it's bad
20:26 bear    we would almost have to create a test org for this
20:26 bear    and then screen shot the heck out of it
20:28 pdurbin bear: ok, I filled out the form after clicking "GitHub support" at the bottom of https://help.github.com/articles/github-security/ ... linked back to this chat. better than nuthin'
20:28 * bear  nods
20:44 pdurbin bear: oh, it seems like they should add something to https://help.github.com/articles/keeping-your-organization-secure/
20:44 bear    yea, that page should definitely have a blurb about third party apps
20:45 pdurbin bear: I think this whole whitelisting of apps idea is only a month old: https://github.com/blog/1941-organization-approved-applications
20:46 bear    that makes me happy - as it means I haven't been ignorant of this hole for long
20:47 pdurbin heh