swelljoe,
@swelljoe@mas.to

The abusive behavior that was being used to manipulate Lasse Collin into bringing on more maintainers went unnoticed because abusive behavior in Open Source communities is so pervasive. In context, we can clearly see it was part of an orchestrated operation. Out of context, it looks like just another asshole complaining about stuff they have no right to complain about. https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/

swelljoe,
@swelljoe@mas.to

This is a classic technique, used by cops and spooks worldwide. Good cop, bad cop. Cause pain (emotional or otherwise) to break the subject down, then provide a path that removes the pain, if the target just does what you want them to do...just this one little thing, and all the pain goes away. Insidious stuff, but especially here. A volunteer who's been doing this critical work for over a decade unpaid, targeted because of the criticality of the work and because it was done by a lone volunteer.

Sibshops,
@Sibshops@mastodon.online

@swelljoe Now that this is public there are going to be copycats.

This kind of utility should have been sandboxed in a snap or flatpak.

Ubuntu's snaps are unfortunately looking kind of good right now.

swelljoe,
@swelljoe@mas.to

@Sibshops I would be stunned if this is the first. This has been a known attack vector for some time (Poul-Henning Kamp did a talk on it more than a decade ago, and many others have written about it). This just happens to be one that was discovered and captured a lot of attention for a variety of reasons. Sometimes it's caught in code review of a PR, and since it is always designed to look like an innocent mistake, it might not raise any alarms even if it didn't succeed.

swelljoe,
@swelljoe@mas.to

@Sibshops other times it isn't caught and gets deployed for months or years. This one is clearly intentional, but it's only clear after analysis of the totality of the attacker's commits. Any one looked pretty harmless. Also, I suspect there's a lot of this in proprietary software that we'll never know about. Getting past one code reviewer and some automated tests in a company is a lot easier than getting past everyone in the world who might want to have a look. At least in the long term.

LukefromDC,
@LukefromDC@kolektiva.social

@swelljoe @Sibshops The ONE defense against this does in fact require access to source code: audit or potential audit by mutually opposing parties that hate each other too much to conspire to hide something.

Okanogen,
@Okanogen@mastodon.social

@swelljoe
Isn't this exactly how Red Hat kneecaps every alternative to Systemd and every aspect of that bloatware?
The community is HUNGRY! DEMANDING!

Okanogen,
@Okanogen@mastodon.social

@swelljoe
Lol. I wrote this even before knowing that this vuln was caused by a kludge to make SSHD work with authentication and targets that.
I'm sure the systemd maintainers have a great corporate excuse for why it's not any of their fault.

philtor,
@philtor@fosstodon.org

@swelljoe This feels like the inflection point where open source has lost its innocence.

swelljoe,
@swelljoe@mas.to

@philtor that happened when tech companies built themselves into the biggest and most powerful organizations in the world by exploiting the commons and used it for surveillance. But, this is pretty bad, too. I'm shook about it, thinking back on the countless interactions with assholes in the communities I'm involved in. Were they just a regular asshole or were they part of an operation? Hard to know, but my tolerance for assholes going forward will be much lower. I'm charging up my banhammer.

dango_,
@dango_@mas.to

@swelljoe @philtor big and powerful tech companies seem to understand better than most "if you don't pay for it, there's no guarantees". I've personally seen at least some open source funding make the budget by the reasoning of "an unfunded project that we rely on is a security vulnerability". One problem though is they're still squeamish about individuals vs "foundations".

swelljoe,
@swelljoe@mas.to

@dango_ @philtor sure, they hire OSS developers and they donate a little money. But, we're less free in many ways than we were when the free software movement began, tied into all these surveillance systems with no realistic way to opt out. I can't work without allowing Google into my daily life, for instance. Google is far more effective at the surveillance game than whatever state (or whoever) funded this attack.

LukefromDC,
@LukefromDC@kolektiva.social

@swelljoe @dango_ @philtor I do keep Google's servers all the way out of my life, since I have the option to do so. I don't shop online and so can get away with treating most of the commercial/monetized Internet as broken.

If someplace cannot be found without say, Google Maps, I will not attempt to go there. Same with Snitchbook and Instacrap: no accounts and their servers blocked.

philtor,
@philtor@fosstodon.org

@swelljoe yeah, I guess what I mean by 'innocence' here is that there's a level of trust we tended to have in a lot of OSS communities that we can't have anymore. We have to be much more guarded now in the wake of this event. We might even need things like background checks before people can contribute to certain projects.

upmultimedia,
@upmultimedia@mastodon.gamedev.place

100%
