By: jalnl
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437784">dark2</a>.
<blockquote>Commercial requires real names, and has real coworkers reviewing the code.</blockquote>
Lol no. I once worked at a supermarket chain, on the cash register software. Built in a feature that when my wife scanned her customer card, a message saying "I love you darling" was printed on the receipt. Could've easily made it give her a 50% discount if I'd wanted to. <i>Nobody</i> understood that code but me. We didn't have code reviews, and even if we did, nobody would've noted that code being new (we also had little to no version control). You clearly have no idea how corporate IT works (and this was code maintained on-site; with all the off-shoring to India, who knows what happens?).
By: r_a_trip
A state actor (or actors) can't be stopped, if the employing state is determined enough to create a breach. A state has the power to create credentials and a back story for fictitious identities. A state has a vast amount of resources. A state can afford to play the long game.
There are a myriad of small projects that have nearly no oversight (besides the maintainer) and which are used based on trust built up over years. The problem is that modern computing is becoming more and more integrated by necessity, and more and more links are forged between previously separate pieces. All of the small stuff that is now being linked to bigger, more important stuff is at risk of becoming an entry point.
I don't see a simple solution to the problem. Linux is now big league and a valuable target. Even if a small project is not led by a worn out maintainer, if they are open to contributions, a clever miscreant can slip in stuff that looks innocuous, but is part of a breach being planned.
I just hope there are enough eyes and ears to stave off most of the attacks.
By: Alfman
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437833">dark2</a>.
dark2,
<blockquote>Microsoft and Apple don’t hire idiots, shady stuff isn’t going to pass like it did at your old jobs. Lots of people with phds and real world experience to fool somehow.</blockquote>
There are experienced people working in FOSS and there are inexperienced grads working at these companies right out of college. Regardless, even those with experience get overloaded by work demands, make mistakes, can misplace trust in coworkers, etc. Large companies still get breached or "allow" exploits to get into their code, hell even the NSA.
https://apnews.com/article/att-data-breach-dark-web-passcodes-fbef4afe0c1deec9ffb470f2ec134f41
https://www.cbc.ca/news/business/apple-security-flaw-full-control-1.6556039
https://firewalltimes.com/google-data-breach-timeline/
https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
These slip ups happen everywhere in FOSS and proprietary projects alike.
I'd like to quote cpcf: The vulnerability starts with human hubris.
By: dark2
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437793">cb88</a>.
Microsoft and Apple don't hire idiots, shady stuff isn't going to pass like it did at your old jobs. Lots of people with phds and real world experience to fool somehow.
By: CaptainN-
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437784">dark2</a>.
You can't see what happens in commercial software development, so it's easy to assume it all goes perfectly. That's the corporate line after all - "we are efficient" blah blah. I do work in commercial software, and I can tell you, there are FEWER eyeballs checking anything at any given time, and most code is entered just to get it done before launch or lunch. If you've ever wondered why so much software sucks so much more today than it did 10 or 20 years ago, now you know. Nothing is a passion project in commercial software, and there's not enough time or budget to validate a damn thing.
This is the rosiest of rose tinted takes.
By: Brendan
The main problem is that when you're exploiting suckers you don't check credentials or referees or prior work or previous employers during the job interview process (or get their bank account number or tax file number or ... when they're hired); so the "standard practice security hurdles" that would have made it much, much harder for an unknown fake person to suddenly appear (and be trusted) do not exist with open source; and the "standard practice security hurdles" that would have made it much, much easier to punish them afterwards don't exist with open source.
The proposed foundation isn't even attempting to solve this problem. It's trying to solve a completely different "how can we improve the lives of the malicious imposters after we failed to detect they are malicious imposters" problem with vague "what if we make developers/imposters immortal so we can exploit them harder for longer" hand waving; which (if it doesn't inevitably fail for financial reasons) will make the problem worse by providing additional incentives for attackers.
By: Alfman
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437792">gggeek</a>.
gggeek,
<blockquote>Not sure about the human hubris part, but I do maintain more than a dozen open source projects myself – mostly as BDFL, meaning that while I am eager and happy to receive code contributions, I maintain the ultimate control and responsibility on all of them.</blockquote>
I don't think the hubris part was referring to people like you who know their human limitations, but rather those who falsely believe something like this can't happen to them.
By: Alfman
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437787">rastersoft</a>.
rastersoft,
<blockquote>I completely disagree with you. This certainly wasn't an amateur job. The complexity of the installer is something that not many people can do. Also, the fact that the detection was by pure chance after so much time "in the wild" demonstrates that it was a very professional job: </blockquote>
I understand that detection can happen by pure chance, but it was not exactly "pure chance" that the code had side effects calling attention to it. So much so that a developer who had no relation to the project got motivated to investigate further.
<blockquote>The good luck was that the one who noticed it was very determined to find out what was happening.</blockquote>
A pro wouldn't (or shouldn't) have left this to "luck". They had the project to themselves and nobody was looking! The infiltration succeeded, but unforced errors and poor hack execution blew their cover. Not only was the backdoor discovered, not only was it obviously a backdoor, but the suspicion has put everyone on alert and now there's a "manhunt". Until there's more evidence, it's all speculation. The hack itself doesn't convince me it's a state agency. If it is a state agency, then honestly I'd be forced to lower my opinion on the lower bounds for proficiency of state actors.
By: cb88
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437784">dark2</a>.
>real coworkers reviewing code.
LOL no, if something like this were deployed at any of the companies I have ever worked with it probably would never be found, especially since it's hidden from git and only exists in the tarball.
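The point above (payload present only in the release tarball, not in git) suggests the check a practitioner would want: export the tagged source tree (in practice `git archive --format=tar <tag>`) and diff it against the published tarball, flagging files that exist only in the tarball and files whose contents differ. The following is an added example, not code from the original page or from any project discussed here; the fixture data (a fake git export plus a tarball that adds `m4/helper.m4` and alters `configure.ac`) is constructed inline so it runs offline. Note the caveat: real autotools tarballs legitimately carry generated files (`configure`, `Makefile.in`) that are absent from git, so a production version of this check needs an allowlist of expected generated paths; anything outside that set is what deserves review.

```python
"""Compare a release tarball against a source tree exported from the
matching git tag. Added example with constructed sample data."""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root
    (root is assumed to be the output of `git archive` extracted to disk)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = _sha256(fh.read())
    return out


def tarball_digests(tar_path: str, strip_components: int = 1) -> dict:
    """Map relative path -> sha256 for regular files in the tarball,
    dropping the leading 'project-1.0/' directory like tar --strip-components."""
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if not parts:
                continue
            out["/".join(parts)] = _sha256(tf.extractfile(member).read())
    return out


def compare_release(tar_path: str, git_export_dir: str) -> dict:
    """Return paths only in the tarball, only in git, and modified between the two.
    Files only in the tarball are the ones that never went through review."""
    t = tarball_digests(tar_path)
    g = tree_digests(git_export_dir)
    return {
        "only_in_tarball": sorted(set(t) - set(g)),
        "only_in_git": sorted(set(g) - set(t)),
        "modified": sorted(p for p in set(t) & set(g) if t[p] != g[p]),
    }


def build_sample() -> tuple:
    """Constructed fixture (hypothetical 'demo' project): a fake git export and a
    tarball that adds one file and appends a line to configure.ac.
    Returns (tar_path, git_export_dir)."""
    base = tempfile.mkdtemp(prefix="release-check-")
    git_dir = os.path.join(base, "git-export")
    os.makedirs(os.path.join(git_dir, "src"))
    files = {
        "configure.ac": b"AC_INIT([demo], [1.0])\n",
        "src/main.c": b"int main(void) { return 0; }\n",
        "Makefile.am": b"bin_PROGRAMS = demo\n",
    }
    for rel, data in files.items():
        with open(os.path.join(git_dir, rel), "wb") as fh:
            fh.write(data)
    tar_path = os.path.join(base, "demo-1.0.tar.gz")
    tampered = dict(files)
    tampered["m4/helper.m4"] = b"dnl constructed: present in tarball, absent from git\n"
    tampered["configure.ac"] = files["configure.ac"] + b"m4_include([m4/helper.m4])\n"
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in tampered.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, git_dir


if __name__ == "__main__":
    sample_tar, sample_git = build_sample()
    for key, paths in compare_release(sample_tar, sample_git).items():
        print(f"{key}: {paths}")
```

Against the constructed fixture the report lists `m4/helper.m4` under `only_in_tarball` and `configure.ac` under `modified`; on a real release the same two buckets are where a tarball-only payload and the hook that loads it would show up.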
By: gggeek
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437791">cpcf</a>.
Fully agree.
Not sure about the human hubris part, but I do maintain more than a dozen open source projects myself - mostly as BDFL, meaning that while I am eager and happy to receive code contributions, I maintain the ultimate control and responsibility on all of them.
There have been times I felt I had stretched myself a bit thin, not because of health issues, but simply because I was busy on my day job, or taking a course, or even on holiday, right at the time when some user asked for extra features or bugfixes.
I am sure that if some helpful developer had popped up showing goodwill, availability and technical prowess, it would have been easy for him/her to gain my trust simply by being present for a few months, and be given co-maintainership a bit later.
After all trust and openness are core values of the OSS movement. Not having to deal with red tape and political games is a sizeable part of the reasons why open source is more fun than corporate development. Last but not least, after a few years in the game, it's natural to start thinking about retirement and finding a successor in order to keep the project alive...
By: cpcf
I don't see any model that can withstand this type of attack, I've witnessed analogous cases up close on projects of the highest possible security, and we all know multiple examples of the same littered through history.
The vulnerability starts with human hubris.
By: rastersoft
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437779">Adurbe</a>.
Me too!
By: Open source is about more than just code – Open World News
[…] Author: Thom Holwerda Source […]
By: rastersoft
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437771">Alfman</a>.
<i>This is a very interesting story and I appreciate the deep dive into it. But is there evidence it is a state actor? Every post that mentions this seems to assume it without evidence as far as I can tell. It seems questionable to me that a state actor would go to such lengths to get an insider in place only to fail due to a shoddy exploit that was detected by someone who wasn’t even looking for it. That’s an amateur job, am I just overestimating the capabilities of state actors?</i>
I completely disagree with you. This certainly wasn't an amateur job. The complexity of the installer is something that not many people can do. Also, the fact that the detection was by pure chance after so much time "in the wild" demonstrates that it was a very professional job: the ssh daemon was just slightly slower (less than half a second) than usual. It would call nearly nobody's attention, and the majority of those who noticed it probably would have dismissed it as just "some change that added extra paths" or similar, or, after trying to debug it, would have desisted due to the complexity of the task (IIRC, GDB couldn't be used to detect it; only the valgrind problems pointed to "something odd"). The good luck was that the one who noticed it was very determined to find out what was happening.
By: Alfman
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437784">dark2</a>.
dark2,
<blockquote> Well, no. This is just refusing to admit open source was less secure in this case. Commercial requires real names, and has real coworkers reviewing the code. </blockquote>
Well, no. You just assume all of that happens even though it often does not. Most of my work is in a commercial setting. What you typically have is islands of code, sometimes maintained by small teams or even individuals. Unless the company goes out of its way to conduct regular audits, then you've got the exact same issue.
<blockquote>This particular attack would not be very viable in a closed source shop as the more experienced coworkers would likely see through the attack immediately</blockquote>
That's egotistical bullshit. FOSS developers are experienced. These same problems are pervasive in the corporate world, and the truth is tons of vulnerabilities are found in proprietary code too. Some of the worst practices I've seen exist in commercial spaghetti code, much of which gets written by employees who come and go, and eventually they're long gone and nobody can really vouch for its entirety. I think it might be worse on average because the code is written without the expectation that anyone outside the company will see it or criticize it.
<blockquote>and then espionage charges would stick to real names.</blockquote>
I already mentioned this earlier, but I believe actual spies working as legitimate employees would be extremely difficult to detect because 1) everyone makes mistakes, 2) exploits can be masked as mistakes, 3) privileged security information can be gathered without actually making changes.
By: dark2
In reply to <a href="https://www.osnews.com/story/139070/open-source-is-about-more-than-just-code/#comment-10437771">Alfman</a>.
"I honestly think this type of insider espionage is more common than we realize, not just in open projects but commercial ones too."
Well, no. This is just refusing to admit open source was less secure in this case. Commercial requires real names, and has real coworkers reviewing the code. This particular attack would not be very viable in a closed source shop as the more experienced coworkers would likely see through the attack immediately, and then espionage charges would stick to real names.