I've always driven small sedans (sentra ser back in the 90s, currently a toyota corolla). Learning to drive in 1980, it was common to be able to see traffic through the two cars in front of you because (1) most cars were small sedans, and (2) really dark window tinting hadn't become a thing. Now I'm usually looking at the rear of a SUV or tall pickup truck and can't anticipate traffic even one car ahead.
Anyway, for years I've always responded to the "I feel so much safer in my big car/truck" with "I always stand up in movie theaters because the view is so much better"
Either you don't understand what an analogy is, or you misunderstand this one in particular.
My point was that both do something which benefits me that directly disadvantages other people. When people talk about their massive truck feeling safer, somehow this dynamic is ignored. But if someone applied the same reasoning about standing up in a movie theater, the selfishness is apparent to everyone.
> The PR was opened, the workflow run, and the PR closed within the space of 1 minute (screenshots include timestamps in UTC+2, the author's timezone):
It's an unfortunately common problem with GitHub Actions, it's easy to set things up to where any PR that's opened against your repo runs the workflows as defined in the branch. So you fork, make a malicious change to an existing workflow, and open a PR, and your code gets executed automatically.
Frankly at this point PRs from non-contributors should never run workflows, but I don't think that's the default yet.
Problem is that you might want to have the tests run before even looking at it.
I think the mistake was to put secrets in there and allow publishing directly from github's CI.
Hilariously the people at pypi advise to use trusted publishers (publishing on pypi from github rather than local upload) as a way to avoid this issue.
> Problem is that you might want to have the tests run before even looking at it.
Why is this a problem? The default `pull_request` trigger isn't dangerous in GitHub Actions; the issue here is specifically with `pull_request_target`. If all you want to do is have PRs run tests, you can do that with `pull_request` without any sort of credential or identity risk.
> Hilariously the people at pypi advise to use trusted publishers (publishing on pypi from github rather than local upload) as a way to avoid this issue.
There are two separate things here:
1. When we designed Trusted Publishing, one of the key observations was that people do use CI to publish, and will continue to do so because it conveys tangible benefits (most notably, it doesn't tie release processes to an opaque phase on a developer's machine). Given that people do use CI to publish, giving them a scheme that provides self-expiring, self-scoping credentials instead of long-lived ones is the sensible thing to do.
2. Separately, publishing from CI is probably a good thing for the median developer: developer machines are significantly more privileged than the average CI runner (in terms of access to secrets/state that a release process simply doesn't need). One of the goals behind Trusted Publishing was to ensure that people could publish from an otherwise minimal CI environment, without even needing to configure a long-lived credential for authentication.
Like with every scheme, Trusted Publishing isn't a magic bullet. But I think the prescription to use it here is essentially correct: Shai-Hulud propagates through stored credentials, and a compromised credential from a TP flow is only useful for a short period of time. In other words, Trusted Publishing would make it harder for the parties behind Shai-Hulud to group and orchestrate the kinds of compromise waves we're seeing.
> the issue here is specifically with `pull_request_target`
I just went to github to search for references to that trigger-type, and I admit I was surprised at the sheer number of times it is visible in a code-search.
The kind of argument of "just don't make mistakes, how hard is it" (and we're talking about something very obscure and badly documented here) didn't work for C and in my opinion doesn't work for this either.
It does largely avoid the issue if you configure to allow only specific environments AND you require reviews before pushing/merging to branches in that environment.
Yes and anyone who knows anything about software dev knows that the first thing you should do with an important repo is set up branch protections to disallow that, and require reviews etc. Basic CI/CD.
This incident reflects extremely poorly on PostHog because it demonstrates a lack of thought to security beyond surface level. It tells us that any dev at PostHog has access at any time to publish packages, without review (because we know that the secret to do this is accessible from plain GHA secret which can be read from any GHA run which presumably run on any internal dev's PR). The most charitable interpretation of this is that it's consciously justified by them because it reduces friction, in which case I would say that demonstrates poor judgement, a bad balance.
A casual audit would have revealed this and suggested something like restricting the secret to a specific GHA environment and requiring reviews to push to that env. Or something like that.
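As an added illustration (not code from the thread, from PostHog, or from PyPI), here is a workflow in the weak shape the thread is describing beside a hardened layout: tests run on `pull_request` (fork PRs get a read-only `GITHUB_TOKEN` and no repository secrets), and publishing lives in a separate workflow that is never triggered by a PR, is gated behind a GitHub environment whose required reviewers are configured in the repository settings, and uses Trusted Publishing via OIDC instead of a stored API token. The job names, the `pypi` environment name and the action versions are assumptions.

```yaml
# --- Weak: annotated example of the pattern under discussion (do not copy) ---
name: ci-weak
on:
  pull_request_target:          # runs in the BASE repo's context: secrets + write token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # checks out the fork's code...
      - run: pip install -e . && pytest                   # ...and executes it with secrets in scope
        env:
          PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}    # long-lived publish credential exposed
---
# --- Hardened part 1: tests on pull_request, least-privilege token, no secrets ---
name: ci
on:
  pull_request:                 # fork PRs: read-only GITHUB_TOKEN, repository secrets not passed
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # defaults to the PR merge ref, fine under pull_request
      - run: pip install -e . && pytest
---
# --- Hardened part 2: publishing in its own workflow, never reachable from a PR ---
name: publish
on:
  release:
    types: [published]          # only a published GitHub release starts this
permissions:
  contents: read
jobs:
  pypi:
    runs-on: ubuntu-latest
    environment: pypi           # required reviewers / deployment branch rules set in repo settings
    permissions:
      id-token: write           # short-lived OIDC token for Trusted Publishing; no stored secret
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1   # exchanges the OIDC token with PyPI
```

The environment gate is only as strong as the repository settings behind it: without required reviewers and a deployment branch rule on `pypi`, `environment: pypi` by itself adds no approval step.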
No, it won't:
Population statistics are among the most robust and stable ones, and among those with the most accurate data that we have across the globe.
Population statistics are running reaaaallly slow - on that one day when you see the decrease in the graph, it is already too late.
Demographers can predict when people are going to die but they have no way to predict how many children they will have.
They have been getting it wrong for a long time, assuming that the gradual decrease in birthrate will stop, only to be proven wrong.
They can't just extrapolate assuming that birth rates will keep dropping since that would reduce the birthrate to 0. So they do the next best thing and assume it will stay constant.
But in reality, we just don't know which way it will go.
Americans today are incapable of envisioning a better future and incapable of envisioning a worse one! We as a society are now only able to focus on what problems exist now, and to demand that they are fixed tomorrow.
There are a lot of problems that can be solved over decades, but we can no longer even fathom such a thing, much less put together the will power to see such projects through.
As Matt Levine has said multiple times in "Money Stuff", Tether has found the perfect business plan. They hold billions of actual USD, and get to keep all of the interest for themselves.
Cash doesn't earn interest. T-bills and money market funds earn minimal interest compared to equities. Given the size of their holdings, Tether is paying a huge opportunity cost for their position. I don't consider that good business.
They have guaranteed returns on $185b of other people's money, and they only owe the other people the principal. That's like... the best business in the world? If it was all in 6m 2.8% treasuries they'd still be making $5.2b a year for holding people's cash and running a token on the blockchain.
How greedy do you have to be to look at that and say "yeah, well they could be getting bigger returns with an actively managed portfolio?"
I'm pretty sure Tether was holding less cash than they said multiple times, and at multiple points it was just a house of cards where they were inflating the price of BTC on their own, but I'm also guessing by now they've made enough to cover.
Said another way, returns ALWAYS have to be risk adjusted. Sure they could _probably_ make more in Equities, but their approach is returns with zero risk, which is impossible to beat.
Depends if the purchasing power of the currency holds up. Real returns are what matter, and earning 3% “risk free” is not so “risk free” if the price of things you want to buy increase by more than 3%, etc.
The problem is liquidity. If in some fantasy situation there was a run on tether, tether would go to 0 because their investments can't be converted into USD without tanking the price of those investments
Luckily for the crypto people, Tether makes it near impossible to turn their fantasy money into real money
Tether could gate redemptions at a pace that would preserve value of the underlying sovereign debt requiring liquidation, due to no immediate redemption regulatory requirements. Take a number and wait your turn while the treasuries are sold into the market, essentially.
Uh, internet dude, you must be new to finance. Banks have been doing this for centuries. Best business in the world? Sure. But it's even better when you invest in things that earn more, right? Like equities. That's what banks do. It's about the rate of return. Is it more risky? Sure. That's why they hold a diverse basket of goods, to diffuse the risk. But it's worth the risk when weighed against the opportunity cost of not investing and losing that rate of return.
> How greedy do you have to be to look at that and say "yeah, well they could be getting bigger returns with an actively managed portfolio?"
This is banking and finance. Greed only stops when you run into legislative limits, and sometimes, not even there.
Yeah, and we used to separate the investing activities of banks from the depository activities, to reduce overall risk to the financial system. You don't want people investing in higher risk securities with money that is supposed to be available on demand.
The business is good because of the high amount of leverage they have in those T-bills and money markets since those deposits are liabilities on the balance sheet. The actual return they make on the money the owners put into the business is probably great.
Based on the Q2 2025 attestation [1] it looks like they have about 162B in assets and 157B in liabilities which leaves ~5B in shareholder equity. Even if they hold most of those assets in treasuries, they probably have an egregiously high return on shareholder equity.
(Fun fact: I think this puts their leverage ratio as high as banks during the 2008 GFC. But treasuries should theoretically be safer than subprime mortgage loans).
Equities would give a higher return on average, but they don't really work when the liabilities can get called at any time. Tether has to be able to produce money for people exchanging their tether.
If you were in their position and I gave you 150 billion dollars on the condition that I can withdraw that 150 billion dollars at any time. You'd probably also park it in a short-term money market fund. If you put it in equities and it dropped 1%, you'd be on the hook for 1.5 billion.
Just that the condition is that you give them 150b, and if you withdraw and they don't have it, you've lost 150b and nothing will happen. Good luck recovering your cash from El Salvador or BVI.
People are giving them money for free. They pay absolutely zero interest or dividend to "investors". For the crypto people, Tether's job is to accept money and do nothing with it.
US debt is about as stable as the dollar itself, so to their crypto customers buying bonds is a no-op. Any yield is pure profit for Tether itself.
They can't ethically put the money into equities because they are obliged to redeem the tether tokens for USD on demand. It's the same thing that your bank manager can't take the cash in your account, bet it on NVDA and take the profits if it goes up, unless they want to end up like SBF.
They may have somewhat sketchily put money into bitcoin at times though.
If you believe their attestations, they pretty much are. See, for example, https://assets.ctfassets.net/vyse88cgwfbl/2SGAAXnsb1wKByIzkh.... Most of the money is in Treasuries, or markets like overnight repos that behave much like Treasuries. Most of the rest is in things like corporate bonds, which again generally move like cash. Only their claimed excess equity is in riskier investments, like Bitcoin.
If you doubt their attestation, it is more reasonable to doubt their claimed total assets before worrying about the breakdown of their investments.
This is just beating around the bush. The only reason anyone even knows about RFK Jr, much less his current job, is because of Trump.
The actual solution is that Trump must go. But America voted for this. Get RFK Jr removed, and Trump will put someone just as bad, or worse, there. And the cycle continues, until Trump and the Republican Party are finally dismantled.
But I don't see that happening for quite a few years yet. The economy hasn't crashed hard enough for that to happen.
B&H does this for shabbat and other high holidays. I always thought that it was kind of neat. Little over a year into a boot-strapped startup, and I’m still trying to figure out how to implement ANY boundaries in my life. I don’t know why I thought I’d feel BETTER “being my own boss” having spent so much with the guy. I hope to someday have “please come back” confidence.