A World with No Secrets

First TravisCI, now CircleCI

Well, shit. CircleCI was breached. Or was it only “accessed”? They haven’t confirmed a breach yet, but I’m sure we’ll all know once they know, I’m confident of that at least.

So how was your Thursday? Mine was wracked with cortisol and forgetting to eat breakfast, so that was fun. Also realising some of the dev things you just leave around by accident, that probably didn’t mean much at the time, turn out to be a meaningful stepping stone that continues the rabbit hole an attacker could possibly take, increasing the amount of data they could steal and systems they could breach.

Since I haven’t been dealing with these kinds of incidents very often in the past (not a Security Engineer, it’s not my day-to-day) my body isn’t trained well to stay calm and know what to tackle first, y’know like order of priority, imagining if someone is actively attacking us right in that moment. And then inevitably you hit a stumbling block or bug that stops you proceeding at the speed you want to and your anxiety is constantly saying you need to go quicker!

And you don’t want to blame, but like, are we all going to have to build and host our own individual build systems so we don’t have to store secrets in these consumer tools? I’m not trying to be alarming, I’m just saying my fear and anxiety lessens my natural trust.

Because there’s cost somewhere. Either you pay in dev hours and infrastructure to build and run your own (which makes sense at massive scale), or you pay for a service plus the potential dev hours and anxiety when a breach inevitably happens sometime in the future.

For me, this first week back after a lonely Christmas break - did I rejuvenate enough, or at all? - has been marred by this. My mental health has been affected. And I want to solve my “I feel shit” by working, fixing, securing. But it’s the weekend, so I should be relaxing.

But also I cannot stop thinking about it, and fearing that time not spent fixing and securing is time allowing it to be made worse.

Back to watching Emily in Paris then, I guess. 🤷‍♂️🇫🇷


P.S. my anxiety tells me this blog may be read in a certain way! So to clarify and reiterate: blameless culture is good and right, and the effect of CircleCI’s breach only goes as far as the extent of access of each secret. So it’s as much an issue of personal security hygiene.