This is not just an open source issue since anybody can inject bad code into a project.
Open source being more open has fewer people working to hide issues.

This is definitely an example of someone taking an action without thinking about the potential for collateral damage. But multiple state and state-sponsored actors are doing just this kind of thing right now. All sides of this conflict are working at inflicting cyber damage on the other parties.


As for the GitHub posting about an NGO being damaged.
There are a handful of things that raise red flags for me.
None of these are clear indicators of fakery, but they make me scratch my head and want to look more closely at this before taking it at face value.

- The account was created just before the posting
- The NGO is not named
- The NGO is storing data in the country where the whistleblowers are.

The last one may be less than obvious, but keeping a computer in a country where the local government has access to the hardware and network connection seems to be an amazingly bad idea if you hope to protect the people who post information.
On 2022-03-18 11:40, D. Hugh Redelmeier via talk wrote:
Supply chain risks are important in open source: with so many
contributors, how can one be sure that there aren't malicious components?

(Buggy components are also a threat.)

(Closed source has this problem too, with some variations.)

This is a scary real current example:
<https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>

As I understand it, this malicious software tried to damage systems
in Russia and Belarus.  That's terrible.  And it has had unintended
side-effects:

<https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>

(One could also argue that leaving important information in Belarus, with
no recent backup, is very dumb.)
---
Post to this mailing list talk@gtalug.org
Unsubscribe from this mailing list https://gtalug.org/mailman/listinfo/talk

--
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
al...@netvel.net              ||
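The thread asks how a project with many contributors can be sure it is not pulling in a component that has changed underneath it. One routine mitigation is to pin every dependency to an exact, reviewed version and fail the build when the lockfile drifts from that pin or loses its integrity hash. The script below is an added example written for this page; it is not code from the thread, from node-ipc, or from npm itself. The lockfile, package names, versions and hashes are constructed, and the `PINNED` allowlist is a hypothetical file a project would keep under review.

```javascript
// Added example (not from the thread): audit an npm package-lock.json
// against a project-maintained allowlist of exact versions and integrity
// hashes, so a dependency cannot silently move to a new release.
// All names, versions and hashes below are constructed for illustration.

// Constructed package-lock.json (lockfileVersion 2 layout, "packages" map).
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app",
          dependencies: { "left-widget": "^1.2.0", "tiny-log": "^3.0.0" } },
    "node_modules/left-widget": {
      version: "1.2.3",
      resolved: "https://registry.example.invalid/left-widget/-/left-widget-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED_HASH_A"
    },
    "node_modules/tiny-log": {
      version: "3.1.0", // drifted past the pinned 3.0.4 via the caret range
      resolved: "https://registry.example.invalid/tiny-log/-/tiny-log-3.1.0.tgz"
      // no integrity field recorded for this entry
    }
  }
};

// Hypothetical allowlist kept by the project: the exact version and the
// integrity hash that were reviewed when that version was adopted.
const PINNED = {
  "left-widget": { version: "1.2.3", integrity: "sha512-CONSTRUCTED_HASH_A" },
  "tiny-log":    { version: "3.0.4", integrity: "sha512-CONSTRUCTED_HASH_B" }
};

// Strip the node_modules prefix (including nested node_modules paths) so
// "node_modules/a/node_modules/@scope/b" becomes "@scope/b".
function packageName(lockPath) {
  return lockPath.replace(/^.*node_modules\//, "");
}

// Returns a list of findings; an empty list means the lockfile matches the pins.
function auditLockfile(lockfile, pinned) {
  const findings = [];
  const packages = lockfile.packages || {};
  const seen = new Set();

  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    seen.add(name);
    const pin = pinned[name];
    if (!pin) {
      findings.push({ name, kind: "unpinned",
                      detail: `not in allowlist (lockfile has ${entry.version})` });
      continue;
    }
    if (entry.version !== pin.version) {
      findings.push({ name, kind: "version-drift",
                      detail: `lockfile ${entry.version}, pinned ${pin.version}` });
    }
    if (!entry.integrity) {
      findings.push({ name, kind: "missing-integrity",
                      detail: "no integrity hash recorded" });
    } else if (entry.integrity !== pin.integrity) {
      findings.push({ name, kind: "integrity-mismatch",
                      detail: `lockfile ${entry.integrity}, pinned ${pin.integrity}` });
    }
  }

  // A pinned package that vanished from the lockfile is also worth a look.
  for (const name of Object.keys(pinned)) {
    if (!seen.has(name)) {
      findings.push({ name, kind: "missing",
                      detail: "pinned but not present in lockfile" });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed lockfile.
for (const f of auditLockfile(SAMPLE_LOCKFILE, PINNED)) {
  console.log(`${f.kind.padEnd(18)} ${f.name}: ${f.detail}`);
}
```

In a CI pipeline the script would read the real `package-lock.json` from disk and exit non-zero when `auditLockfile` returns anything, so that a release that changed its contents (or lost its hash) is caught before it is installed rather than after it has run.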
