
Supply chain risks are important in open source: with so many contributors, how can one be sure that there aren't malicious components?

(Buggy components are also a threat.)

(Closed source has this problem too, with some variations.)

This is a scary real current example: <https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>

As I understand it, this malicious software tried to damage systems in Russia and Belarus. That's terrible. And it has had unintended side-effects:

<https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>

(One could also argue that leaving important information in Belarus, with no recent backup, is very dumb.)

This is not just an open source issue since anybody can inject bad code into a project. Open source being more open has fewer people working to hide issues.

This is definitely an example of someone taking an action without thinking about the potential for collateral damage. But multiple state and state-sponsored actors are doing just this kind of thing right now. All sides of this conflict are working at inflicting cyber damage on the other parties.

As for the GitHub posting about an NGO being damaged, there are a handful of things that raise red flags for me. None of these are clear indicators of fakery but make me scratch my head and want to look more closely at this before taking it at face value.

- The account was created just before the posting
- The NGO is not named
- The NGO is storing data in the country where the whistleblowers are.

The last one may be less than obvious, but keeping a computer in a country where the local government has access to the hardware and network connection seems to be an amazingly bad idea if you hope to protect the people who post information.

On 2022-03-18 11:40, D. Hugh Redelmeier via talk wrote:
> Supply chain risks are important in open source: with so many contributors, how can one be sure that there aren't malicious components?
> (Buggy components are also a threat.)
> (Closed source has this problem too, with some variations.)
> This is a scary real current example: <https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>
> As I understand it, this malicious software tried to damage systems in Russia and Belarus. That's terrible. And it has had unintended side-effects:
> <https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>
> (One could also argue that leaving important information in Belarus, with no recent backup, is very dumb.)

---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk
--
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin@netvel.net              ||

| From: Alvin Starr via talk <talk@gtalug.org>

| As for the GitHub posting about an NGO being damaged, there are a handful of
| things that raise red flags for me. None of these are clear indicators of
| fakery but make me scratch my head and want to look more closely at this
| before taking it at face value.
|
| - The account was created just before the posting
| - The NGO is not named
| - The NGO is storing data in the country where the whistleblowers are.
|
| The last one may be less than obvious, but keeping a computer in a country
| where the local government has access to the hardware and network connection
| seems to be an amazingly bad idea if you hope to protect the people who post
| information.

Good point. I may have been a sucker and amplified disinformation. Very embarrassing.

On Fri, Mar 18, 2022 at 12:53:06PM -0400, Alvin Starr via talk wrote:
> This is not just an open source issue since anybody can inject bad code into a project. Open source being more open has fewer people working to hide issues.
> This is definitely an example of someone taking an action without thinking about the potential for collateral damage. But multiple state and state-sponsored actors are doing just this kind of thing right now. All sides of this conflict are working at inflicting cyber damage on the other parties.
> As for the GitHub posting about an NGO being damaged, there are a handful of things that raise red flags for me. None of these are clear indicators of fakery but make me scratch my head and want to look more closely at this before taking it at face value.
> - The account was created just before the posting
> - The NGO is not named
> - The NGO is storing data in the country where the whistleblowers are.

If that country is blocking access to the rest of the internet, that might be the only way they can do it. Only transferring the data once per month on the other hand sounds totally useless and incompetent.

> The last one may be less than obvious, but keeping a computer in a country where the local government has access to the hardware and network connection seems to be an amazingly bad idea if you hope to protect the people who post information.

The other parts do still seem rather vague and suspicious.

--
Len Sorensen
participants (3)
- Alvin Starr
- D. Hugh Redelmeier
- Lennart Sorensen