The long con would be to get a semi-trusted agent in as a committer. Someone
who could appear to be a student or a bland mid-level employee but is just
playing that part. Being open source, it would be a simple matter to
anonymously clone it and study it for a while, advising their agent on what
apparently benign mistakes to make. (If the employee gets laid off for some
mistakes, that makes it all the more plausible, and their agent is free and
clear.) Then the sponsoring organization waits for that code to spread into
other organizations. With their bugs in place, they have a period of
exploitation before the bugs are identified. All it takes for that is money
and/or extortion.

From: Friam <[email protected]> on behalf of Roger Critchlow 
<[email protected]>
Reply-To: The Friday Morning Applied Complexity Coffee Group <[email protected]>
Date: Thursday, May 7, 2020 at 2:55 PM
To: The Friday Morning Applied Complexity Coffee Group <[email protected]>
Subject: Re: [FRIAM] (no subject)

Right, https://www.git-scm.com/docs/git-blame - Show what revision and author 
last modified each line of a file

-- rec --

On Thu, May 7, 2020 at 5:19 PM Jon Zingale <[email protected]> wrote:
Roger,

You say, "It's already happened more than once.  People, acting as if they 
cared about the code have taken over existing projects when the current 
developer loses interest.  Then they modify the code so it does something evil 
in addition to its original purpose, say stealing bitcoin wallet credentials.  
Others have submitted packages which were one letter typos for trusted 
packages, with the same sort of surprises hidden in them."

Isn't this exactly why there is a git history? Version control exists, to some
extent, exactly so we can say who has done what and to what effect.

Jonathan Zingale
.-. .- -. -.. --- -- -..-. -.. --- - ... -..-. .- -. -.. -..-. -.. .- ... .... 
. ...
FRIAM Applied Complexity Group listserv
Zoom Fridays 9:30a-12p Mtn GMT-6  bit.ly/virtualfriam
unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com
archives: http://friam.471366.n2.nabble.com/
FRIAM-COMIC http://friam-comic.blogspot.com/
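The thread mentions packages published under names that are one-letter typos of trusted packages. Below is an added example, not code from the FRIAM list or any project it mentions, of the kind of check a build pipeline can run against a proposed dependency list before it is installed: each requested name is normalized and compared against an allow-list of trusted names, and anything within edit distance 1 of a trusted name that is not itself trusted is flagged for review. The allow-list and the requested names are constructed sample data; the distance function treats an adjacent-character swap as a single edit because that is the most common typo.

```python
"""Flag dependency names that look like one-letter typos of trusted packages.

Added example (not from the FRIAM thread). TRUSTED and the sample request
list are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed allow-list of trusted package names (assumption for this example).
TRUSTED: Set[str] = {"requests", "numpy", "cryptography", "urllib3", "pyyaml"}


def normalize(name: str) -> str:
    """Fold case and treat runs of '-', '_' and '.' as one '-', so that
    'PyYAML' and 'pyyaml' (or 'foo_bar' and 'foo-bar') compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost,  # substitution / match
            )
            # Adjacent transposition ("reqeusts" for "requests") counts as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[n][m]


def check_dependencies(
    requested: Iterable[str], trusted: Set[str] = TRUSTED, max_distance: int = 1
) -> List[Tuple[str, List[str]]]:
    """Return (requested_name, [close trusted names]) for every requested
    package that is not on the allow-list but is within max_distance edits
    of one or more trusted names. Exact (normalized) matches are accepted."""
    trusted_norm: Dict[str, str] = {normalize(t): t for t in trusted}
    findings: List[Tuple[str, List[str]]] = []
    for name in requested:
        norm = normalize(name)
        if norm in trusted_norm:
            continue
        close = [
            orig for t_norm, orig in trusted_norm.items()
            if osa_distance(norm, t_norm) <= max_distance
        ]
        if close:
            findings.append((name, sorted(close)))
    return findings


if __name__ == "__main__":
    # Constructed sample of a requirements list containing three lookalikes.
    sample = ["requests", "reqeusts", "nunpy", "flask", "urlib3", "PyYAML"]
    for name, near in check_dependencies(sample):
        print(f"SUSPICIOUS: {name!r} is one edit away from trusted {near}")
```

Names that are not close to anything trusted (like `flask` in the sample) are not flagged, since the check only defends the allow-list against lookalikes; it is a pre-install gate to pair with pinned versions and hash verification, not a substitute for them.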