Rendered at 14:51:18 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
emodendroket 1 hours ago [-]
I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.
embedding-shape 1 hours ago [-]
> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
emodendroket 1 hours ago [-]
No, I've not been "living on" such a principle but it was a big claim for "the bazaar."
embedding-shape 1 hours ago [-]
Aha, wasn't that argument more about that closed source software is more likely to hide stuff you don't agree with, than FOSS? Not necessarily that FOSS won't have any viruses or malware, but it's at least less likely. That was my take away, but long time ago I read the book admittedly, I might misremember or transformed it automagically over time.
CapsAdmin 41 minutes ago [-]
This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as as binaries.
jankdc 13 minutes ago [-]
> source code open makes it auditable, if not by you, maybe the community
I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.
tuwtuwtuwtuw 1 hours ago [-]
> You've been living on such a principle?
I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.
nixosbestos 2 minutes ago [-]
No, it's really not, and really hasn't been. Do people truly have such poor reasoning and logic skills?
"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in closed-source software". I've literally never heard someone claim the latter.
fsflover 51 minutes ago [-]
This is not the argument at all. It's just easier to discover malware in closed software.
ptx 16 minutes ago [-]
The problem the article is describing seems to have little to do with open source. There were GitHub repositories that had links added in their READMEs to a zip file containing compiled binaries.
GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)
15 minutes ago [-]
atmosx 32 minutes ago [-]
Not true. If statistics offer a “measure” of reality, my guess is that “OS doing nefarious things” must fall between 0,005% and 0,007%. In any case compared to the extracted value it’s … nothing.
Yokohiii 17 minutes ago [-]
If all projects on github were closed source with public "trust me bro" binaries the situation would be of course much better.
It happened a few times to me that I'd find some very well constructed scam scheme (cryptocurrency washing systems, web platform/phishing scams), then I'd research deeper into it to see how it worked, just to ultimately feel powerless not knowing what to do with the information.
StableAlkyne 59 minutes ago [-]
> I typed the project name into Google, and my repository appeared in the results. I entered the same query into Bing, and someone else’s repository appeared in the results
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
weird-eye-issue 54 minutes ago [-]
This is where password managers are useful because they would refuse to fill in login information since the domain doesn't match
StableAlkyne 17 minutes ago [-]
I use keepass (FOSS under GPL, fully offline).
It does not detect domains.
vel0city 51 minutes ago [-]
"Dang, this site isn't working right with the password manager's detection. Guess I just gotta paste the password in again..."
Meanwhile U2F/Passkeys can't possibly be abused like this.
tjoff 44 minutes ago [-]
Yeah but the downsides of passkeys make them so much worse anyway.
jcattle 26 minutes ago [-]
Pretty happy with having a yubikey on my keychain. Log in someplace new? plonk in your yubikey and off you go!
AlotOfReading 9 minutes ago [-]
I used to keep a yubikey in a spare slot on my laptop. One day it fell out and subsequently escaped through an unnoticed hole in my backpack.
I've never lost a password because my backpack was overly abused.
someguyiguess 13 minutes ago [-]
And when your keychain gets lost then what?
bonoboTP 43 minutes ago [-]
Exactly. All these ideals work in theory but then in reality banks are also incompetent and will use all kinds of domains.
Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
chrisweekly 10 minutes ago [-]
speaking only to search quality: try Kagi.
astronodev 51 minutes ago [-]
[dead]
siva7 6 minutes ago [-]
Hi Claude fable, why u not protecting me from malware? Am i not american enough? Not rich enough? Yieks..
rkozik1989 1 hours ago [-]
People need to do their due diligence when including open-source software and packages not just when they first use them but anytime you have a need to upgrade them. I highly doubt I'm the first one to think of this, but there really aught to be tool or comprehensive set of tools that routinely scan open-source software and packages for potentially malicious code and alert users of the problem(s).
junon 1 hours ago [-]
There are. Socket, Aikido, and a number of others do this all the time.
aweiher 38 minutes ago [-]
Step-Security, Wiz ..
astronodev 3 hours ago [-]
I uploaded several of these virus-infected archives to VirusTotal. In each archive, under the “Network Communication” section, the virus makes requests to three resources: a GET request to a website to retrieve IP information, a POST request to a Polygon RPC node (drpc), and a POST request to what appears to be the virus creator’s server. I can only assume that the scheme is designed to steal cryptocurrency.
axus 2 hours ago [-]
It will feel very spooky when they stop updating because of this essay .
mmsc 1 hours ago [-]
> Another month later, GitHub support sent me an email saying that they had removed these repositories.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)
schedpilot 37 minutes ago [-]
damn 10k ? thats a lot, how did you get them ?
theorchid 21 minutes ago [-]
Hmm. Using a script. That's explained in the article)
fastcrw 1 hours ago [-]
are there any ci/cd that controls them?
astronodev 58 minutes ago [-]
[dead]
pydry 42 minutes ago [-]
Microsoft: and the one thing we absolutely refuse to use AI for is to flag this kind of bullshit to protect users, because it would violate the rule of "don't do anything actually useful with it".
You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?
The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?
The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as as binaries.
I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.
I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.
"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in closed-source software". I've literally never heard someone claim the latter.
GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)
Virustotal link: https://www.virustotal.com/gui/file/fdb6cff68a2a8c08779d64a7...
Side story, this kind of thing is what made me stop using Bing.
I had been using it as the default for searches (it sucks, but it's at least not Google), until I landed on a phishing page for my bank (I haven't committed it to memory yet). The page was a near perfect copy, and I would easily have gotten pwnd by it if they didn't have a modal asking me to run some code in my terminal for "security activation" that made me go "that's a little odd... Is this the right address OH SHIT that's a .ru domain"
I never see Google return phishing pages or typo squatters in the first page. Bing constantly returns that stuff in the first several results.
It does not detect domains.
Meanwhile U2F/Passkeys can't possibly be abused like this.
I've never lost a password because my backpack was overly abused.
Same with meta and Google where they often direct you to domains that aren't under their main one and it's actually legit, but there's no way to know. It's impossible to teach family members to pay attention if it's really that domain because it's often legit not that domain.
I recently discovered a campaign where somebody was forking very small but useful codebases, and replacing the distributable with some malware, and making the repository have better SEO with changes to the README. My case was a simple macOS application that could be used to control some Phillips LED light strip.
I reported it to GitHub and it was removed within 24 hours.
I discovered another repository like this, and they still haven't replied since (one month).
No clue how their malware reports work. I'm surprised they don't partner with some antivirus company to at least scan "releases" for malware (not repositories themselves)