Hacker News | jarcoal's comments

I set my son (8) up with a ChatGPT account and he loves it. He uses it to generate scripts for Roblox Studio, recipes to cook, etc.

I used the "Instructions" field to indicate he is only a child and to interact with him appropriately, and overall it does a decent job keeping the language somewhat simple when chatting with him.


Wow this triggered some neural pathways I forgot I had.

I remember using both of those clients.


Damn, I’m reading Thinking Fast and Slow right now. RIP.



I'm confused -- wasn't ChatGPT upgraded to 128k tokens at their last release? Or was that just the API?


Just the API.


What went wrong is that after being divested from Condé Nast, reddit went and raised a huge round that ensured they would have to go down the route of synthetic growth tactics.

This whole operation could be wildly profitable with a team of 50-100 people and no major investors to appease.

Instead they read the room wrong, or just didn't care, and now we're here.


Reddit should have stuck to the Craigslist model of simply just existing as-is, selling a reasonable amount of ads and premium subscriptions, and only having the minimum number of employees required to keep the site up. It never needed to be and shouldn't have been anything more than that.


Yet another brand gone to shit in the name of "exponential growth" or some other term investors want to hear. No one considers whether their business should fit a model that prioritizes sustainability.


I was thinking of craigslist too. They resisted ebay, and change for change's sake, and ... well lots of things:

  People tell us what they like about craigslist including:

  - Giving people a voice
  - A sense of trust and even intimacy
  - Consistency of down-to-earth values
  - Simplicity
  - No charges, except for job postings
  - Freshness of the material
  - No ads, particularly no banner ads

https://www.craigslist.org/about/mission_and_history


In hindsight it's easy to say, but I bet they would be extremely profitable if they had taken less VC funding and kept self-hosting of content to the minimum. Serve a few ads here and there, let companies do their guerrilla marketing for a "small donation" and have people pay for their Reddit gold.

But that probably wouldn't put them on track for a few billion dollar IPO, so of course you can't do it.


> Instead they read the room wrong, or just didn't care, and now we're here.

And a couple people at the top now have Lake Tahoe vacation homes. That's an important piece to this. It justifies everything.


Or Olympic-sized swimming pools.

Did Lars Ulrich ever get his Olympic-sized swimming pool? You really gotta feel for the guy.


Spaceballs:

This isn't about money...

This is about a shitload of money!


Kendall?


1. Wow a thing, people seem to be excited about it.

2. Are people excited about my thing? Am I excited about it?

3. Have I made the wrong life choices?

4. This makes me feel uncomfortable.

5. If I can defend my life choices I can feel good again.

6. I will downplay this thing, that will resolve my uncomfortable feelings.


It's a little hard to parse parts of that paragraph, but it sounds like the repo (presumably hosted on GitHub) had access tokens granted to third party integrations (similar to Heroku being granted access to GitHub on behalf of their mutual users).

Assuming that's true, it should be trivial for GitHub to tell them which third party integration the token was associated with.


AIUI, the repo contained a single token that gave access to Heroku. Additionally, a bunch of third party tools had legitimate access to the repo. Any one of them could have been used to steal the token.


This is turning into a complete train wreck and a case study on how not to communicate with your customers.

For those of you that haven't been following, Heroku has been adding non-update updates to this security thread over the last couple of weeks, which began with the announcement that some (or maybe all) of their GitHub granted access tokens had been compromised: https://status.heroku.com/incidents/2413

Now, weeks later, we're hearing that all account passwords are being reset, and for some reason if you have been using an HTTPS-style log drain that you should reset any secrets related to it as well.

Heroku needs to come out and clearly state what they know about this situation, and more importantly what they don't know -- which is starting to sound like the answer is "a lot". It's not even clear they know how this all happened -- whatever door was left open might still be open. So if you've gone and rotated all of your application secrets (which you probably should do), be prepared to rotate them again when this is all over.


It's a small comms 101 thing, but the email is from "Salesforce Incident Alerts". Since the email's communicating to Heroku customers about a Heroku incident, the email should be from "Heroku Incident Alerts".

I know it's small, but some will skip the email because they don't use Salesforce software directly and wouldn't anticipate emails from a parent company.


It's small and deliberate. Setting the mental state of the customer to obfuscate the responsible party by throwing in Salesforce. A deliberate dark pattern.


Another small point that contributes to the poor communication - as of 4th May, the option to connect to GitHub is still there and the documentation hasn't been updated [1]. If you try to connect you get an obscure error that tells you nothing about the situation.

[1] https://devcenter.heroku.com/articles/github-integration


Yep, I would have 100% skimmed past that.


I just received an email back from an Incident Handler at Salesforce. I wrote:

> A statement that confirms whether or not config variables and secrets were accessed, or that you're not sure, needs to be sent out.

To which they replied:

> We currently have no evidence that Heroku customers’ secrets stored in config Var were accessed. If we find any evidence of unauthorized access to customer secrets, we will notify affected customers without undue delay.

Take that as you will, but it doesn't fill me with confidence.


https://thezvi.wordpress.com/2021/12/20/law-of-no-evidence/

> Law of No Evidence: Any claim that there is “no evidence” of something is evidence of bullshit.


What else can you say?

It's impossible to know if a vulnerability was exploited.


"We don't have enough information to determine whether or not this vulnerability was exploited. We are operating under the assumption that it has been." is what I want to hear. I do not want to hear "We have no evidence that the vulnerability has been exploited." which, of course, minimises the fact that it may have been and does nothing to communicate what assumption they're working under - i.e. that they're probably going to assume it hasn't been exploited.

TL;DR: I'd rather them be entirely up front about the fact that they can't tell if it has been exploited and advise you to assume it has been than them try to weasel out of saying their logs aren't good enough but "you'll probably be alright, eh".


> We are operating under the assumption that it has been.

This gets expensive quick.


Probably the reason people try to avoid security incidents

In this case it's already happened, time to spill the bag


"If you think safety is expensive, try an accident!" - Stelios Haji-Ioannou


Which really means that if you discover a vulnerability in your system, you assume that it was fully exploited.


Reality: You can’t prove a negative.


Why? I think it's pretty evident that there's no reason to believe there's been a security breach there as far as they understand as of now.


There was certainly a breach three weeks ago that they seem to have been investigating since. I am, like the commenter above, not filled with confidence about their statement, mostly because of the total lack of transparency so far.

The fact they’re only now sending additional notifications to rotate creds hints at something bigger than they initially announced, but really we have no idea since they never gave much detail in the first place.


There was a security breach. They don't know what the breach was, they don't know if the attacker has access to other systems, they just don't know.

No evidence of something is not particularly useful information if you weren't even looking out for it in the first place.


GitHub tokens were accessed and used to attack things outside of Heroku. Something was breached. We don't know what, when it occurred, or the extent of the breach, and I bet Heroku doesn't know either.


So the original issue was described as a leak of GitHub OAuth tokens, and made it sound like the risk would be someone using OAuth tokens to access GitHub repos.

Resetting passwords implies something else may have been compromised (passwords, either hopefully encrypted), but is a pretty scary ask for them to make without providing more context here.

Trainwreck indeed.


I certainly hope that passwords aren't encrypted but run through an appropriately-expensive password hash.


Yes, I should have said hashed not encrypted.


hashing is one-way encryption tho


That's the point, take a look into salting + hashing passwords
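The hashed-versus-encrypted distinction the two comments above draw, as an added example that is not code from the thread or from Heroku: a password record built from a per-user random salt and a deliberately slow one-way function (scrypt from the Python standard library), the verification step, and the offline guessing an attacker with the breached table is reduced to. The cost parameters, sample passwords and wordlist are assumptions chosen so the demo runs in a couple of seconds.

```python
"""Salted, slow password hashing versus 'encryption'.

Added example, not from the thread or from Heroku. A stored record holds a
random salt plus the output of an expensive one-way function, so after a
DB breach nothing can be decrypted; the attacker is left guessing, and only
a weak password falls to a small dictionary. Parameters are demo values.
"""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed for the demo; N=2**14 is the low end of
# what is used in practice, raise N for real deployments).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex."""
    salt = salt or os.urandom(16)  # fresh per-user salt unless one is supplied
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and parameters; compare in constant time."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack(record: str, wordlist) -> Optional[str]:
    """Offline guessing, what an attacker holding the breached DB does.
    Returns the recovered password or None. Each guess costs a full scrypt."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed sample users and a tiny attacker wordlist.
WORDLIST = ["password", "123456", "qwerty", "letmein", "heroku2022", "welcome1"]
WEAK_RECORD = hash_password("letmein")
STRONG_RECORD = hash_password("tM7#vQ2p!xR9&kLd0zWb")  # password-manager style

if __name__ == "__main__":
    print(WEAK_RECORD)
    print("weak   ->", crack(WEAK_RECORD, WORDLIST))    # recovered by guessing
    print("strong ->", crack(STRONG_RECORD, WORDLIST))  # None: nothing to decrypt, guessing fails
```

Because the salt is random per user, two users with the same password get different records, and a precomputed table for one record is useless against the next; the only lever left to the attacker is guess count times per-guess cost.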


Resetting the password resets your API key, which is different from the OAuth tokens.


I found the email I received about the logdrain today to be particularly confusing. "any secrets related to it" indeed. The specific wording in the email was... "We recommend updating and refreshing the credentials used with those log drains as soon as possible."

I'm still not entirely sure if I've reset/rotated everything I need to, what is "any credentials used with"? Neither the email nor any docs it linked to was clear about exactly what they are suggesting be rotated.

That message wasn't very specific, while also they're not providing the context about the breach that one could use to fill in the gaps.

At this point it kind of sounds like... everything there is was compromised?


Very confusing! To clarify for others, what they mean is that if there was a secret embedded in the log drain URL, rotate it. This is often the case for HTTPS log drains.

Example: https://datadog.com/logs?api_key=abc123
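A way to find what the comment above says needs rotating, as an added example that is not code from the thread or from Heroku: parse each HTTPS log-drain URL and report every place a credential can sit in it, the userinfo part (`https://user:token@host/...`) and any query parameter with a credential-like name. The sample URLs and the `api_key=abc123` value are constructed placeholders, and the parameter-name list is a heuristic assumption to extend for your own vendors.

```python
"""Find secrets embedded in HTTPS log-drain URLs.

Added example, not from the thread or from Heroku. Given a list of drain
URLs (constructed sample data below), report each embedded credential so it
can be rotated at the log vendor and the drain re-created with a new URL,
and produce a redacted form safe to paste into a ticket.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names commonly used to carry credentials in drain URLs.
# Assumption: heuristic list, extend for your own vendors.
SECRET_PARAMS = {"api_key", "apikey", "key", "token", "access_token",
                 "auth", "password", "secret", "sig", "signature"}


def find_url_secrets(url: str) -> list:
    """Return (location, value) pairs for each credential embedded in the URL."""
    parts = urlsplit(url)
    found = []
    if parts.password:
        found.append(("userinfo:password", parts.password))
    elif parts.username:
        # A bare username before '@' is usually a token too (basic auth, empty password).
        found.append(("userinfo:username", parts.username))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAMS:
            found.append((f"query:{name}", value))
    return found


def redact_url(url: str) -> str:
    """Return the URL with embedded credentials replaced by REDACTED."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    if parts.username is not None:
        netloc = "REDACTED@" + netloc
    query = urlencode([(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
                       for k, v in parse_qsl(parts.query, keep_blank_values=True)])
    return urlunsplit((parts.scheme, netloc, parts.path, query, parts.fragment))


def triage_drains(urls) -> dict:
    """Return {url: secrets} for only those drains that carry a credential."""
    return {u: s for u in urls if (s := find_url_secrets(u))}


# Constructed sample: the shape the comment describes plus a few variants.
SAMPLE_DRAINS = [
    "https://datadog.com/logs?api_key=abc123",
    "https://logs.example.net/ingest?source=heroku&token=t0k3n",
    "https://user:s3cret@collector.example.org/v1/logs",
    "https://plain.example.com/drain",  # nothing embedded, nothing to rotate
]

if __name__ == "__main__":
    for url, secrets in triage_drains(SAMPLE_DRAINS).items():
        print(redact_url(url), "->", [loc for loc, _ in secrets])
```

Anything this reports is a credential that has been sitting in Heroku's drain configuration, so the fix is to rotate it at the receiving service and then replace the drain URL, not merely to re-save the same URL.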


>If you used your previous password on any other sites, we highly recommend you also change your password on those sites.

This is the most concerning part of that email, as it implies more than an "out of an abundance of caution", but rather that they suspect their password DB has been compromised.

Thinking about it, it does sound the most likely as they were probably the same DB the customer OAuth tokens were stored in that were used to access GitHub repositories. But if they already knew the data was stored together why wait till now to reset passwords?


Just to verify - having TOTP-based 2FA enabled doesn't help in case of a password DB breach, right? Since the protocol is based on a shared password, which means an attacker would be able to generate valid tokens using the secret they got from the breach. (looks like there's work underway to make a breach-resistant alternative to TOTP[1])

This means that assuming the DB is using proper salt+hash, the main differentiator is the strength of your password. If it's a relatively short one that can be brute-forced/found via dictionary+small mutation, then attackers could possibly log in as you. If it's a strong password from a password manager, then that will likely have kept them from being able to crack your password.

Of course all this only has value if we assume that only the password db was breached. If they managed to access the place your env-var/secrets are stored, then all bets are off.

[1] https://www.mdpi.com/1424-8220/20/20/5735/htm


I don't understand enough about the protocol to judge your claim, but it's challenging my assumptions about what 2FA is for. If 2FA with TOTP does not protect you in cases where the attacker knows your password... what is it for? I thought that's what it was for.


The server also contains the secret, so if that secret is leaked then the attacker can generate new tokens. It protects you in the case that your password was stolen, but nothing else e.g. via phishing.


OH, I see, thanks. The password and TOTP secret are separate, but you're suggesting they may likely both be stored in the same place such that a breach could give attacker access to both. Tell me if I don't have it right.

It occurs to me that I know how to reset my password most places I log in to, but I actually have no idea how to reset the TOTP secret.


It might be stored separately, the issue is just with an uncontained breach I suppose.


Heroku used to be freaking awesome, back in 2012. Ever since Craig Kerstiens left circa 2015-ish, the UX, QoS, and platform really seem to have taken a dive into the complexity and nonsensical deep end.

It's what happens when the product visionaries get bored and leave. Such a shame.


Don't want to comment too much on this thread as I don't know the exact details of the incident and pulling for the team that is still around as I know this can't be an easy time for them. It does seem like the issue is not good and may continue to be a trickle of updates like this for a while. Hugops to the team.

Ah, wow, and thanks for the praise but the credit goes to way more than me. The team around in the early days was unbelievable, I learned a ton on building products and developer experience from James/Adam (founders) in particular, though Heroku wouldn't have gotten there without Orion (the other founder) as well. Byron, PvH, Mark, Noah, Morten, Oren were absolutely huge in so many ways to the leadership and direction of Heroku. And I'm sure I'm going to get messages from 50 others there in the early days that I didn't name drop them, the collective team was an awesome team and pushed each other really well.

At around 2015 it did feel like there was attrition and the technical leadership and vision started to fade. It wasn't me; a lot of us moved on to the next thing. At the time it wasn't Salesforce taking control or one person, we'd all put a lot into it and various folks moved on. Adam/Orion/James gave an incredible amount and were understandably ready to recharge. Still very proud of what we created at that time, what it did for developer experience, and personally (along with that original Heroku Postgres team) trying to do what I describe as unfinished business for creating the amazing developer experience of Postgres.


Wasn't trying to imply it was all you, only that some of the qualitative declines I've observed began around the time you departed.

I know it's not an easy business to operate, and I'm also hoping the ship continues to stay afloat. Heroku was hugely inspiring to me and many others in the early days of Cloud PaaS.

Cheers.


You're being downvoted because having a "product visionary" does not in any way protect your company from being owned. It happens. If your point is that previous leadership would have communicated the situation more clearly, then perhaps you have a point, but even then it's purely speculation and not particularly useful to the current discussion.


It's okay, thanks for the feedback.

Downvotes don't bother me, they are a welcome signal.


in this context "pwned" is probably a better fit; natch?


They sent out a notification about cycling shared dataclip slugs today too.


Is papertrail a log drain?


Yes it is. Note that OP's comment only applies to those who connected Papertrail to their Heroku apps manually instead of using the Heroku addon to do it.


No


How do you know that? And that it doesn’t need to also be rotated?


It does. My thinking is that Heroku rotated everything they could do on their own, and need users to handle custom drains. However, looking at the json output, updated_at dates for the heroku-managed drains are old. I have a question back to them about that.

Related, my hope is that the drains, passwords, etc. are efforts towards doing literally everything possible before re-enabling integrations so they can do so with more confidence (vs breach damage control). Fingers crossed.


Fwiw, I skimmed over all emails I got until I saw this thread.


You and me both, buddy


It’s not really about being justified, it’s about being gentler with people. We don’t have to jump all over each other, there is another way.


I think OP will live.


Should that be the standard we hold ourselves to?


When given the choice, choose compassion.


I think the reply was plenty respectful, and the whining to the contrary is just a veiled attempt to derail the conversation.

