Grafana Labs internal source code accessed (opens in new tab)

(twitter.com)

50 pointsjschorr8d ago15 comments

15 comments

I was recently considering an engineering job offer at Grafana. At the end I was turned off by the amount of their AI-related mindless propaganda and demands they have put right in the job offer. (Which is by the way quite rare; it is rather untypical to state in the position description how a developer should use AI tools; even though everyone can imagine how it looks like).

Looks like they could have invested more energy in the processes and security rather than catching up "innovation" craze that much

jwr8d ago

"Threat actor"… I love this "security" lingo. Threat actors, attack vectors, state actors :-)

londons_explore8d ago

Is there anything of value in the internal codebase?

So many companies internal codebases are of approximately zero value to any outsider. The code is only a small proportion of the business.

nijave8d ago

They killed OSS incident management

Given a lot of their software is OSS or OSS based there's a probable chance non-OSS is runnable and usable outside the company

The product is mostly "standalone" in that it doesn't require integrations with 3rd parties unlike, say, banking software

Rapzid8d ago

Maybe some EE stuff like SSO and etc? Unfortunately layering that stuff on is super low effort in these LLM days.

dijit8d ago

Grafana OSS does support SSO out of the box, at least OIDC (which is a technically superior standard to SAML w.r.t. security).

The Enterprise edition seems to focus a lot on meta-information about grafana itself: the most frequently accessed dashboard, who is viewing the current dashboard etc.

Theres also group-sync, I guess, which is useful, but honestly the selling point of enterprise is the support I think.

In fact, I might buy enterprise following this, the fact that so much is in the base product gives me the warm fuzzies.

radku8d ago

AI is actually pretty good at finding vulnerabilities in the codebase.

Critical vulnerability in that source code could enable further access to other production systems or databases.

Edit: typo

dijksterhuis8d ago

non-twitter link https://xcancel.com/grafana/status/2055827123236171827#m

oori8d ago

Quote: “ The attacker attempted to blackmail us, demanding payment to prevent the release of our codebase. ...we’ve determined the appropriate path forward is to not pay the ransom.”

deathanatos8d ago

Don't pay the Dane-geld: https://en.wikipedia.org/wiki/Dane-geld_(poem)

sangeeth968d ago

I wonder if this is related to the supply chain attack they talked about at GrafanaCon[1] or a fresh leak. If latter, wonder what they missed since it seemed like they got their detectors/scanners set up well. Curious to read the report on this.

[1] https://youtu.be/4D068lS85NY

iririririr8d ago

aren't they just psql tho? well, i guess we will find out soon.

anotherhue8d ago

Their whole repo had been made public !!!!

https://github.com/grafana/grafana

jchw8d ago

This is worse than the Linux kernel source code leaks of April 1st.

esseph8d ago

[delayed]

fsckboy8d ago

>We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase.

I don't much like the securityese dialect of bureaucratese, but doesn't it make more sense as "We recently discovered that a threat actor obtained a token with access to the Grafana Labs GitHub environment, enabling the unauthorized party to download our codebase" ?

you can't just drop in buzzwords willy nilly, they buzz better in the right places.

j / k navigate · click thread line to collapse