So next the attackers playing the long game will just set out to develop the next great everybody-uses-it open-source library, so they control it from inception?
Great that we'll finally get state-sponsored open-source development :D
A kind of similar thing happened with game key scammers. People will email the devs of hundreds of Steam games pretending to be a popular YouTuber, asking for keys for themselves and usually a few extra "for a giveaway". If they get the keys, they'll try to resell them for a profit.
At first you'd get emails from like, pewdiepie@outlook.com instead of pewdiepie@gmail.com. But you could usually check the YouTube about page to find the real business email and compare it.
So eventually the scammers started creating their own YouTube channels. They'd steal videos from other channels and reupload them, then get bots to add views and subscribers. Now the email matches the one on their channel.
One remaining tell tended to be the lack of comments, but it's been a few years since I had a game that was getting those kinds of emails, and I wouldn't be surprised if they have good fake video comments these days too.
Here are a couple of examples of fake channels I have saved from a few years ago:
How do you know those two channels are "fake" or "scammers"?
I think I have a good eye for these things, and worryingly they just look like the normal low-effort YouTube chaff, but I wouldn't have thought fake/scamming.
Some common indicators (though this may have changed - I can only speak for ~7 years ago):
- Weird view counts. Strangely consistent, random sudden dropoff to near zero views, etc.
- No voice commentary. Can't steal videos from different channels if your "voice" changes I guess.
- A whole set of videos uploaded at once. This was more obvious when the linked channels were still active since you'd see like two rows of "2 days ago", then a bunch "1 week ago", then a bunch "3 weeks ago" etc.
- Social media etc. links either missing or super basic.
- Few and generic comments vs. amount of views.
- Channel description generic, sometimes copied from other channels.
- The two I linked haven't done it, but some I saw were uploading long-plays of games split into many parts, I guess to easily pad out their total number of videos.
Another thing they were doing at the time was changing their channel name and banner after a few weeks or months and then emailing again pretending to be a whole new channel. Easy to spot if you still had the old link and it was the same.
The second one I linked also mysteriously turns Russian if you scroll back far enough. Bit unusual for someone with their location listed as USA.
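The checks described in this comment and the earlier one (comparing the sender's address against the email listed on the channel, spotting bulk uploads, thin comment counts, and a channel that renames itself and writes again) can be turned into a small screening script. The following is an added example, not code from anyone in the thread; the channel snapshots, thresholds and email addresses are all constructed, and nothing is fetched from YouTube.

```python
"""Heuristic screening of 'send me review keys' requests.

Added example: the ChannelSnapshot fields, the ratio thresholds and all
sample data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr


@dataclass
class ChannelSnapshot:
    """Public facts about the channel a requester claims to own."""
    channel_id: str        # stable id taken from the channel URL
    display_name: str
    business_email: str    # as listed on the channel's About page
    upload_dates: list     # one date per public upload
    views: int
    comments: int


def sender_matches_channel(from_header: str, snap: ChannelSnapshot) -> bool:
    """Exact, case-insensitive comparison of the sender address with the
    channel's listed business email. parseaddr strips the display name, so
    'PewDiePie <someone@example.com>' is judged on the address only."""
    _, addr = parseaddr(from_header)
    return bool(addr) and addr.lower() == snap.business_email.lower()


def upload_bursts(dates, max_per_day: int = 3):
    """Days with more uploads than a single creator plausibly produces;
    catches 'a whole set of videos uploaded at once'."""
    counts = Counter(dates)
    return sorted(d for d, n in counts.items() if n > max_per_day)


def comment_ratio_suspicious(views: int, comments: int, min_ratio=1 / 2000) -> bool:
    """Few and generic comments relative to views (threshold is a guess)."""
    return views == 0 or comments / views < min_ratio


def screen_request(from_header: str, snap: ChannelSnapshot, seen_channels: dict):
    """Return the reasons to distrust a request. seen_channels maps
    channel_id -> display name from earlier requests, so a channel that was
    renamed and emails again 'as a new channel' is recognised."""
    flags = []
    if not sender_matches_channel(from_header, snap):
        flags.append("sender email differs from channel business email")
    bursts = upload_bursts(snap.upload_dates)
    if bursts:
        flags.append(f"bulk uploads on {len(bursts)} day(s)")
    if comment_ratio_suspicious(snap.views, snap.comments):
        flags.append("few comments relative to views")
    old_name = seen_channels.get(snap.channel_id)
    if old_name and old_name != snap.display_name:
        flags.append(f"channel previously contacted us as {old_name!r}")
    seen_channels[snap.channel_id] = snap.display_name
    return flags


# Constructed sample channels
SUSPICIOUS = ChannelSnapshot(
    channel_id="UC-example-1", display_name="GamerBro Plays",
    business_email="gamerbro.plays@example.com",
    upload_dates=[date(2016, 3, 1)] * 8 + [date(2016, 3, 8)] * 6,
    views=250_000, comments=12)
LEGIT = ChannelSnapshot(
    channel_id="UC-example-2", display_name="IndieReviews",
    business_email="biz@indiereviews.example",
    upload_dates=[date(2016, 1, d) for d in range(1, 15)],
    views=40_000, comments=900)

if __name__ == "__main__":
    seen = {"UC-example-1": "Let's Play Central"}  # name used in an earlier email
    print(screen_request("GamerBro <gamerbro.plays@outlook.example>", SUSPICIOUS, seen))
    print(screen_request("biz@indiereviews.example", LEGIT, seen))
```

The sender check is the one that actually matters; the other indicators only raise the bar and, as the comment notes, can be faked given enough effort.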
The ideal state is having the world's superpowers all devoting effort to improving open source libraries, but all catching each others' backdoors and at the end of the day improving security for everyone.
Yeah, it is definitely an off-the-cuff, incomplete idea. I think you’d want to structure things pretty carefully. Maybe somehow classify countries into: Hostile, Competitor, Unaligned, Friendly, and Too Friendly.
Maybe just ignore Hostile, try to find enough competitors to ensure at least one will review, require a couple unaligneds and friendlies, and then consider “too friendly” to be the same as your own country.
Like from a US point of view, if the US and the UK agree on something… I mean, that only counts as one point, right? We are too close. But if like half of the EU and India agree, there’s enough competing self-interest to let it through (keeping in mind that it is all open source, nobody wants to be caught doing something sketchy). And if China, the US, and any other non-5-eyes country agree on something, it must be fine. (I picked these countries because I think they are pretty uncontroversial, I’m definitely not going to try and list who’d be in the hostile group, that’s just asking for unproductive political squabbling).
Multiple possible paths, no veto.
But I have no idea how to fix the problem of: some countries look more or less trustworthy from others’ point of view; I think we can easily suggest a plan from the US point of view, but I have no idea how to get everyone to agree on what the actual state of a single source code repository is, since commits have dependencies. Maybe it needs to be more like a package manager.
At least 2 rival legal Jurisdictions/Alliances/Spheres
At least 2 rival state intelligence Agencies per Sphere
At least 2 rival corporations per Sphere
TOTAL: 2*(2+2) = 8
Widely used OSS projects are contested spheres of collaboration.
Global violent deaths have been trending downward consistently since WW2, even given our new “permanent war” status. We simply just don’t have large-scale wars anymore.
> Financial commitments from Premier members include Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, IBM, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Red Hat, Snyk, and VMware. Additional commitments come from General members Aiven, Anchore, Apiiro, AuriStor, Codethink, Cybertrust Japan, Deepfence, Devgistics, DTCC, GitLab, Goldman Sachs, JFrog, Nutanix, StackHawk, Tencent, TideLift, and Wind River.
> Following a meeting with government and industry leaders at the White House, OpenSSF is excited to announce the Alpha-Omega Project to improve the security posture of open source software (OSS) through direct engagement of software security experts and automated security testing. Microsoft and Google are supporting the Alpha-Omega Project with an initial investment of $5 million. “Omega” will identify at least 10,000 widely deployed OSS projects where it can apply automated security analysis, scoring, and remediation guidance to their open source maintainer communities.
Eclipse manages a distribution of Java and the Jakarta libraries, formerly known as JavaEE/J2EE. Arguably Jakarta is a larger footprint, since pretty much every enterprise-like library or application derives functionality from it.
Are OpenSSF members using Eclipse sub-projects in the financial services industry? In automotive/embedded, Eclipse hosts the safety-certified OSS ThreadX RTOS (formerly Azure RTOS), which runs on 10B+ devices, https://finance.yahoo.com/news/eclipse-foundation-showcases-...
It would be helpful for projects funded by OpenSSF Omega to publish details on how they prioritized use of the funds to improve supply chain security within each project.
I expect the pay awards are based on the various OSS foundation thingies lobbying.
But protecting dev environments makes sense. Think how many supply chains an attacker can compromise if they can get at random dumb developer machines...
If it's an everybody uses it solution it will eventually be reimplemented as a part of the environment, like the browser or the kernel. The lifetime is limited and linking to a library like that wouldn't mesh very well there.
> So next the attackers playing the long game will just set out to develop the next great everybody-uses-it open-source library
This already happened.
*cough* React *cough*
Ask yourself, why would rogue AI and famous human impersonator Mark (short for Mark Zero Ai) Zuckerberg make an open-source UI library for everyone to use? /tinfoil
It's a multi-layered satirical joke. The 'absurd' aspect is the flipping of 'taking over a library' versus starting one, which is amusing given that the motivations of state-sponsored bad actors are to poison and/or control the hard work of others. They themselves would end up doing the hard work they've undermined. Further satirical layers are added by the prospect of those bad actors producing 'good' software instead of 'evil', and providing funding that they've historically been reluctant to cough up.
Of course, as the old saying goes, explaining a joke is like dissecting a frog: nobody laughs and a frog dies.
I was not referring to the funding remark. It is beside the point and immaterial to the discussion.
My point was on the remark that this attack vector is somehow only applicable when projects are starting out. This is false, and insinuating this does a disservice to the community. The attack consists of asking someone for the keys. The projects that are the most vulnerable are those that are already established and have a significant adoption rate but are not actively maintained. We are talking about Colors-like and Faker-like projects. All you need to pull this off is to post one message asking nicely for permissions, post a commit, and make a release.
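From the consumer's side, the pattern this comment describes (a long-dormant but widely adopted package suddenly gets a release, pushed by an account that never published it before) is visible in a registry's version history before anyone looks at the code. The script below is an added example, not code from the thread or from any registry; it runs on a constructed, registry-style version list, and the `Release` fields, the one-year dormancy threshold and the names are assumptions.

```python
"""Flag releases that fit the 'dormant project, new publisher, fresh release'
shape before an upgrade is merged.

Added example: Release is a constructed stand-in for the per-version
metadata a registry exposes (version, publish time, publishing account).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime
    publisher: str          # registry account that pushed the release


def release_findings(history, dormancy_days: int = 365):
    """Return {version: [reasons]} for each release that follows a gap longer
    than dormancy_days or is the first release by its publishing account.
    Either signal alone is ordinary; both together is the shape to review."""
    findings = {}
    known_publishers = set()
    prev = None
    for rel in sorted(history, key=lambda r: r.published):
        reasons = []
        if prev is not None:
            gap = (rel.published - prev.published).days
            if gap > dormancy_days:
                reasons.append(f"first release in {gap} days")
        if known_publishers and rel.publisher not in known_publishers:
            reasons.append(f"first release by {rel.publisher!r}")
        if reasons:
            findings[rel.version] = reasons
        known_publishers.add(rel.publisher)
        prev = rel
    return findings


def takeover_candidates(history, dormancy_days: int = 365):
    """Versions showing both signals at once: hold these for manual review
    (diff the tarball against the previous release) before upgrading."""
    return [v for v, reasons in release_findings(history, dormancy_days).items()
            if len(reasons) == 2]


# Constructed version history: steady maintenance, then silence, then a
# release from an account with no prior publishing history.
HISTORY = [
    Release("1.0.0", datetime(2019, 1, 10), "alice"),
    Release("1.1.0", datetime(2019, 6, 2), "alice"),
    Release("1.1.1", datetime(2019, 7, 15), "bob"),
    Release("1.1.2", datetime(2021, 11, 20), "mallory"),
]

if __name__ == "__main__":
    for version, reasons in release_findings(HISTORY).items():
        print(version, "->", "; ".join(reasons))
    print("hold for review:", takeover_candidates(HISTORY))
```

Note that `1.1.1` is flagged too, because `bob` is a first-time publisher; a co-maintainer joining a healthy project looks the same in the metadata, which is why only the combination of dormancy and a new account is treated as a hold.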