Even when you do have time. There have been “researchers” submitting malicious prs and when caught just act like it’s no big deal. Even had an entire institution banned from submitting prs to the Linux kernel.
Well, i think in most of those big incidents, people got caught. That means the concept kinda works well?
Regarding the earlier comment: I think companies just started to figure that out. They/You can’t just take free libraries databases etc… If you’re big tech company you better pay a few developers or an audit to make those libraries safe. This is your way of contributing. Otherwise your big platform will get hacked because you just took some 15 year olds open source code.
agree. Hell i wouldnt be shocked if some corporations or even nation-state (ie: NSA) actors do this, in a much better/more professional manner to ensure things like…backdoor access.
Yeah. I think the discussion is kind of nonsensical and a tautology. Nothing in life is 100% safe, if foss or not. And we don’t know what we don’t know.
We got a few cases where we know something got intercepted after people tried to do malicious PRs or intercepted network equipment.
I think the more interesting question has long been: what’s (or who is) your threat? Against a sufficiently motivated and resourced adversary, there are few real obstacles. Conversely, some people are just not interesting because there’s little or nothing to gain from attacking them.
Exactly. I just wanted to point out that most of the people here honestly have no idea what they’re talking about.
If people had read the articles about that ‘study’ if malicious pull requests got accepted… and the aftermath… If they had read the articles how the NSA(?) helped(?!) with the mathematical constants of elliptic curve encryption… How cisco networking equipment got intercepted… If you knew how the internet and freedom worked… You’d know it’s not that easy. Every ‘simple’ answer is just plain wrong. It depends… What is the thread model, what are you able and willing to invest, what are you trying to achieve? Sometimes you don’t even know who’s friend or foe.
Idk why people want to piss on open source software. It’s a fact that one can have a look at open source software and not at closed source. And don’t tell me nobody does, because i know i do. And millions of github users contribute code and read some code here and there. And i know a few tech blogs who like to check apps and see if they respect privacy and so on. … And that’s not everything as we pointed out earlier. If this helps you, depends on your own goals and thread model.
At least there have been attempts to subvert open standards for cryptography through the standards process. And occasional suspicious pull requests in critical places - I assume those are done through cut-out proxies so we don’t know who tried.
Like others have said. It’s a survivorship bias. So the meme has some weight. But it doesn’t make Foss any less secure than closed source. If anything it’s better to allow anyone to examine it. Similar to how secrets can’t be kept when large numbers of folks know, the same goes here I guess.
Even when you do have time. There have been “researchers” submitting malicious prs and when caught just act like it’s no big deal. Even had an entire institution banned from submitting prs to the Linux kernel.
https://www.bleepingcomputer.com/news/security/linux-bans-university-of-minnesota-for-committing-malicious-code/
Well, i think in most of those big incidents, people got caught. That means the concept kinda works well?
Regarding the earlier comment: I think companies just started to figure that out. They/You can’t just take free libraries databases etc… If you’re big tech company you better pay a few developers or an audit to make those libraries safe. This is your way of contributing. Otherwise your big platform will get hacked because you just took some 15 year olds open source code.
Selection bias though. We don’t know how many have not yet been caught.
agree. Hell i wouldnt be shocked if some corporations or even nation-state (ie: NSA) actors do this, in a much better/more professional manner to ensure things like…backdoor access.
No hypothesis needed https://en.wikipedia.org/wiki/EternalBlue can’t have been a one-off either.
Yeha that was my though. But more a dedicated program to do similar with large FOSS projects.
They also have hardware/supply chain intercept programs to install back doors in closed source appliances (ie: Cisco firewalls)
So something similar but dedicated to open source PRs.
Yeah. I think the discussion is kind of nonsensical and a tautology. Nothing in life is 100% safe, if foss or not. And we don’t know what we don’t know. We got a few cases where we know something got intercepted after people tried to do malicious PRs or intercepted network equipment.
I think the more interesting question has long been: what’s (or who is) your threat? Against a sufficiently motivated and resourced adversary, there are few real obstacles. Conversely, some people are just not interesting because there’s little or nothing to gain from attacking them.
Exactly. I just wanted to point out that most of the people here honestly have no idea what they’re talking about.
If people had read the articles about that ‘study’ if malicious pull requests got accepted… and the aftermath… If they had read the articles how the NSA(?) helped(?!) with the mathematical constants of elliptic curve encryption… How cisco networking equipment got intercepted… If you knew how the internet and freedom worked… You’d know it’s not that easy. Every ‘simple’ answer is just plain wrong. It depends… What is the thread model, what are you able and willing to invest, what are you trying to achieve? Sometimes you don’t even know who’s friend or foe.
Idk why people want to piss on open source software. It’s a fact that one can have a look at open source software and not at closed source. And don’t tell me nobody does, because i know i do. And millions of github users contribute code and read some code here and there. And i know a few tech blogs who like to check apps and see if they respect privacy and so on. … And that’s not everything as we pointed out earlier. If this helps you, depends on your own goals and thread model.
At least there have been attempts to subvert open standards for cryptography through the standards process. And occasional suspicious pull requests in critical places - I assume those are done through cut-out proxies so we don’t know who tried.
We definately know of some. NSA tried to slip a faulty rng algo into rsa a while back
https://blog.cloudflare.com/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/
Like others have said. It’s a survivorship bias. So the meme has some weight. But it doesn’t make Foss any less secure than closed source. If anything it’s better to allow anyone to examine it. Similar to how secrets can’t be kept when large numbers of folks know, the same goes here I guess.