The recent attacks on GitHub have some developers questioning whether their private source code is safe in the cloud or is better served from an edge device.

Peter Levine talked about the “data center on wheels”, pointing out that there are limits on what centralized cloud computing can achieve. Some things require computation that cannot be done in an air-conditioned data center somewhere where power is cheap. There is broad agreement among engineers that a self-driving car will need a lot of computational power inside the vehicle. Looking at the erratic Boston weather these days, this is pretty obvious.
When it comes to storing code, whether the cloud or the edge makes more sense depends on the situation. There is no critical requirement on how fast code needs to be stored that would make edge storage necessary. Unlike, for example, a phone call, where every millisecond of delay makes the conversation more difficult, working with code is fine as long as requests get answered within a few hundred milliseconds. Of course, it never hurts to have faster response times.
For open source, cloud providers like GitHub or Bitbucket have made it easier than ever for independent contributors to collaborate. It is hard for me to imagine why someone would not store open source code there. It’s fair to say that those hosting companies took open source to a new level, with a tremendous impact on the engineering community, maybe society as a whole.
When it comes to closed source, another aspect becomes important. The problems here are less technical and more organizational in nature. Just as a bank is unlikely to store its customers' data somewhere in the cloud (at least not unencrypted), code is also of a sensitive nature.
GitHub was under attack very recently. While it was widely celebrated how well all systems worked, it does point out that the site is obviously a target. Why would someone do that? It did look like a well-orchestrated attack done by people who knew what they were doing, and the motivation for a DDoS attack is often just to distract from the real hack. There is very little incentive to publish what has really happened – neither for the attackers, unless they want to brag about it, nor for the hosting company.
There is a lot to gain from a site that stores the code of thousands of companies. Zero-day attacks are extremely problematic for such large databases. Under the cover of a DDoS attack, a lot of data might walk out of the door without anybody really taking notice.
Then we have the problem of administrative control. Who would feel comfortable if a company in a foreign country (fill in the name of your favorite foreign country) were to take over the code-hosting company that has your code? Would it even matter? I just cannot imagine that the big companies like Google, Intel or Facebook are storing the code that generates their revenue in public repositories, and would give up administrative control to foreign entities. I would be surprised if their code-hosting sites are on a public IP and are running on shared servers. It is not a contradiction that companies that generate their revenues in the cloud are storing their code tightly locked up on their own premises.
Many private repositories are stored in the cloud despite these concerns. The reason is mostly convenience. Moving code back on premises will happen only if administrators have to perform only minimal steps for a successful setup, the devices run smoothly, and users can use the local service practically like a cloud service. Embedded server hardware is what’s paving the way.

These are some of the concerns that led us to create gitstorage – a streamlined git server with encryption when unplugged and encrypted backups. A device that not only keeps your code secure but allows you to be mobile with that secure code. No internet, no problem. You have all your precious code in a device that fits in your pocket and can be accessed without connecting to the Internet. Code while on a train, on a ship, in the mountains, anywhere. Take this device with you for team-building coding weekends or hackathons. And even if you lose or misplace the device, the contents are locked and encrypted and safe from anyone who does not have the password to unlock it. There are many ways to use gitstorage. But no matter how you decide to use it, you can rest assured that the code on it is safe and secure.

About the author:
Dr. Christian Stredicke is an industry veteran with a background in communications and security. He founded various companies, including snom (1996), which he grew into the world’s first and leading brand of enterprise VoIP telephones. He started Vodia Networks (2012) with the focus on IP-PBX software and GitStorage (2017) to address the need for better protection of source code.
