Malware vector: become an admin on dormant, widely-used open source projects

Originally published at: https://boingboing.net/2018/11/26/candy-from-strangers.html

…

But we should all be expert enough to check the source code and catch this EVERY TIME THERE IS AN UPDATE /s.

So, free software gets to be free because nobody is being paid to care for it. Which enables malicious actors to roll in and take it over once it’s feature complete and nobody’s watching over it anymore.

Explain to me again how the FOSS model is fundamentally better than having software be owned by an organization whose livelihood depends on keeping the software in good working order?

it’s even weirder in this case. sounds like the actual exploit is a byte code string in the minified version - a bit of code not even in the original “uncompressed” source. ( and actually, not even in the project itself - but added as a project dependency. )

from the thread, people still aren’t sure what the code does. just that it seems to be an attack of some sort.

one mitigation would be to stop distributing minified script. there’s a lot of trust that the min script equals the original script - on any project.

no. no. worker livelihood is based on keeping the employer in good working order.

at least with open source the focus is on the project.

linux, firefox, chrome - they all seem to be doing pretty well. not to mention the thousands of javascript libraries that make the web as you know it function.

The original maintainer gets bonus dick points for not only handing the project over to someone with no track record or commit history, but basically washing his hands of the whole thing as soon as he did so:

If you guys feel strongly about this, why don’t you volunteer to maintain it and contact npm support?

All three projects are funded by corporations that derive income from the software in question being healthy and functional. Firefox is maintained by the Mozilla corporation which gets its income from selling the default search engine on Firefox. Chrome is maintained by Google which gets its income by invading its users privacy and selling the data to advertisers. Several large corporations including IBM have employees whose job it is to contribute to Linux, because the company depends on linux working properly.

The platonic ideal of an FOSS project is something built by an anarchist commune of coders who collaborate to build the project in their spare time. Nobody gets paid to do it, nobody makes any money off of it, the project gets created out of a desire to improve the public software commons.

In a world where totalitarian dictatorships like China, Russia, North Korea, and the NSA all have a deep interest in disrupting the functioning of democracy around the world, I really don’t think that an unfunded anarchist commune of coders is a good model for producing software anymore. It’s all too easy for a state employed black hat to join a project and insert spyware, with nobody really being in a position to notice or care until it’s too late.

Considering the number of decades old critical security bugs that have been discovered in FOSS projects, the idea that the FOSS community would be able to spot, in a timely manner, a deliberate backdoor being inserted at the behest of Putin or the NSA is ludicrous.

sorry, this is an over-the-top line of reasoning.

how about at&t? where they put a deliberate backdoor for the NSA… deliberately.

the idea that an ayn randian profit motive somehow will make things pure and untouchable is frankly ludicrous.

the whole point of open source software is that the issues can – at least – be found. because – just like this vector or the bugs that you mention – they can be seen.

the best crypto algorithms on earth are published, verified, visible, open.

we all live inside of capitalism. all open-source projects are funded via other endeavors. some more directly than others. but, all of them get funded somehow or the people making them can’t eat.

that’s your hill, not mine.

your original question was:

Explain to me again how the FOSS model is fundamentally better than having software be owned by an organization whose livelihood depends on keeping the software in good working order?

there are thousands of projects that are working just fine. including the ones that i mentioned. projects which are not owned by a organization. projects which are free to modify, copy, and inspect.

I never said anything about for profit being better than non profit. Politically I’m closer to an anarcho-socialist than any other label.

I have nothing against FOSS software. I do have something against ideological fanatics who go around insisting that FOSS is inhernetly superior to closed source.

I also think the dominant model of FOSS has some serious weaknesses that this malware injection attack throws into stark relief. FOSS projects need custodians and auditors, people whose job (not hobby, not volunteer work, job) is to ensure that the software stays healthy, secure, and up to date. Finding a way to pay those people for the work they do… well, in an ideal world it would be paid for by taxes since they are enhancing the public commons. In a pragmatic world? I guess the software can’t afford to be free as in beer anymore and needs to find some method of paying someone to keep an eye on things.

still going to argue open source software is superior; on two fronts:

• you can learn about programming by reading source code
• if you can see the bugs, you can fix the bugs.

we can’t even see the bugs in proprietary software, and we can only trust that the software is safe – even when there are numerous contrary examples.

would you trust your vote to a closed source voting machine with absolutely zero paper trail? ask the state of georgia – it doesn’t work out well.

meanwhile, if you want you can actually run auditing tools ( link selected at random ) to search for known vulnerabilities in the open source software packages you use.

there’s also nothing about closed source that guarantees it will be maintained. open or closed, lots of software gets abandoned.

agreed.

university really remains the last bastion. and a lot of open source still flows from there.

fwiw: i’d be happy enough with single payer healthcare and rent control. it’s too hard to make ends meet in the us without giving oneself over to the profit motive*.

(* and that’s not to say you can’t make money from open source. some people do manage to figure that out. )

Open source is not superior. Closed source is not superior. Each has benefits and each has downsides.

Open source has the potential to be independently audited and have its bugs fixed. Considering the number of high profile critical security bugs in FOSS projects that were detected over a decade after they were introduced, I’d say that potential is rarely acted upon in the real world. Reading someone else’s code is hard work. Finding bugs and fixing them is hard work. Far easier to just junk the whole code base and start over from scratch, leading to CADT, where you never actually make any progress in perfecting the project because you’ve wasted so much time redoing it.

https://www.jwz.org/doc/cadt.html

Closed source projects benefit from having an actual budget, leading to the potential of actually having things like usability testing, a written spec, comprehensible documentation, and all the rest of what we consider to be the marks of a professional polished piece of software. Successful closed source projects have budgets for a new version, leading to the potential for the software to be improved over time (or ruined over time, one way or the other it won’t stand still). Again, these potentials are rarely acted on in the real world, and you have many projects that are complete unusable crap with horrid documentation that get worse with every revision (cases in point, Office and Windows).

TLDR, each type of software has different strengths and weaknesses that are innate to the way they are made. It’s possible to overcome those innate weaknesses but doing so requires going against the grain - proprietary software projects can publish their source code and offer bounties for vulnerabilities found. Free software can obtain some kind of funding source in order to pay for the professional polish that is almost impossible for a budgetless all volunteer organization to achieve. Claiming that one type is inherently superior to another type is foolish.

correct. and that’s the premise behind the superiority of open source software.

i am not saying that every open source project is better than every closed source project. only that every closed source project would benefit by being open source.

already given several examples of open source projects that have budgets. moreover proprietary software – when it loses a budget – dies. open source projects can always be given new life. ( just like that link says, refactoring from a solid base instead of starting from scratch. )

we disagree. people smarter than us also disagree though. so at least we’re in good company

This is clearly a strawman argument - there are many effective development models for open source software and not every developer shares your vision.
Although there are some large and very successful projects that come quite close to it:

If Debian OS is good enough that corporations (EDF) use it to run software as critical as FE solvers used to model nuclear powerplants, then it’s definitely possible to have trustworthy open source projects.

There are also very succesful projects being maintained by a non-profit foundation:

You know you can’t just take a single example from either side and extrapolate that to the entire side right?

I mean Microsoft stopped supporting Windows XP (their livelihood doesn’t depend on that version apparently, but since it’s closed no-one can take over the supporting role) leading to the vulnerability that allowed for hackers to hold multiple hospitals hostage.

Explain to me how that is better?

I have to say that some projects will not benefit from being open-source. At least not in the short term. Some projects are so badly coded that even the most staunch defenders of open-source would not feel comfortable opening it up before they did some repairing/refactoring.

Opening it up would introduce scrutiny that could initially make the project much less secure. In the long term, it’s obviously better to have insecure and badly writen software out in the open, so it can be improved.

It is still common to find large machines (for example stress-testing machines capable of exerting several hundreds tons of force) being controlled by computers with Windows 98, because the drivers for the controller don’t support anything newer and manufacturer won’t release source code or documentation. If such machine is connected to network (it frequently is), the possibilities are terrifying…

I pointed out in another thread about this kind of thing. Not so much as they don’t release the code as they go tits up or are bought out and that product line just dropped and you have a choice of limping along and locking down the IT end of the thing as much as possible because the bits that do the work have another 10 to 20 years of life in them and the cost of replacement is way way more expensive than the cost of lost work hours for sneakernet data transfer or spending a week down while you scrounge parts for the outdated computer.

this way it’s a dauntless rebel who doesn’t care your society’s rules making the bucks, instead of a big faceless evil conglomerate.

The platonic ideal of an FOSS project is something built by an anarchist commune of coders who collaborate to build the project in their spare time. Nobody gets paid to do it, nobody makes any money off of it,

Yes! actually this all works amazingly well. Anarchist communities have always existed here and there, but I’m not sure if they have the impact that they’ve had with open source, where now large swathes of the software landscape are dominated by open source.

the project gets created out of a desire to improve the public software commons.

Open Source developers often have vaguely positive ideas about the commons, but I think it’s wildly incorrect to believe that their primary motivation is to altruistically enhance the commons. Instead, there is something about the problem that interests or excites them, or they want it to exist for some reason. And then they become friends with other people who are also interested in that problem. I think this network of friendship and shared interest is far more relevant than lofty abstract ideals. Try to think about open source like an anthropologist not a philosopher or an economist.

One of these things is not like the others, one of these things is not quite the same…

Last I checked, the NSA was a government agency. Interesting how you felt the need to dissociate just that one list item from its parent government.