Remix.run Logo
hoppp 8 hours ago

All those things are optional.

Doesn't make uploading the keys that much better. Now is the time for key rotation everywhere. Fast.

crimsonnoodle58 8 hours ago | parent [-]

How are they optional?

You obviously haven't worked anywhere security sensitive.

I'm not talking about whether what Grok did is bad or good, I'm talking about protecting your private key and the servers you connect to.

An unencrypted private key is no different to an unencrypted password manager, and thats a fact. Dont store secrets in plain text.

hoppp 8 hours ago | parent | next [-]

I meant that not everyone is doing it at home.

Do you think a person's private computer is a secure workplace?

If it was security sensitive space there would be no agents running amuck.

t-writescode 8 hours ago | parent | prev | next [-]

Sigh.

Anything that isn’t a default is optional by default. Anything that’s toggleable or configurable is optional.

Security is, always, a trade off. It is hilariously common for private keys to work as a full identifier for a person, without concern of IP or anything of the sort. Should they? Maybe, maybe not, that’s the calculus of risk management; but victim-blaming the average person who is following best practices is a bad look.

grayhatter 8 hours ago | parent | prev [-]

I'm a security eng and I've worked for both a FAANG and TS government contractor. Neither of them bothered with either of the of the stupid suggestions. IP restrictions prevent roaming, the point of working remotely via SSH. passwords are equally defeated by using an ssh agent, something I'd suggest everyone use. Then on top of that there's no reasonable threat model where something would be given unrestricted access to user env, but also be untrusted. If it can read from ~/.ssh neither IP protection nor keyfile password protection will protect you from maleficence.

The only reasonable response from a security perspective is don't use grok, then use it sandboxed. Trying to claim it's the users fault for not using password protection and IP restrictions is completely nonsensical. Same energy as telling someone their computer is more secure when it's off.