[GTALUG] supply chain risks: a real example

Alvin Starr alvin at netvel.net
Fri Mar 18 12:53:06 EDT 2022


This is not just an open source issue, since anybody can inject bad code 
into a project.
Open source, being more open, has fewer people working to hide issues.

This is definitely an example of someone taking an action without 
thinking about the potential for collateral damage.
But multiple state and state sponsored actors are doing just this kind 
of thing right now.
All sides of this conflict are working at inflicting cyber damage on the 
other parties.


As for the GitHub posting about an NGO being damaged, there are a 
handful of things that raise red flags for me.
None of these are clear indicators of fakery but make me scratch my head 
and want to look more closely at this before taking it at face value.

- The account was created just before the posting
- The NGO is not named
- The NGO is storing data in the country where the whistleblowers are.

The last one may be less than obvious, but keeping a computer in a 
country where the local government has access to the hardware and 
network connection seems to be an amazingly bad idea if you hope to 
protect the people who post information.

On 2022-03-18 11:40, D. Hugh Redelmeier via talk wrote:
> Supply chain risks are important in open source: with so many
> contributors, how can one be sure that there aren't malicious components?
>
> (Buggy components are also a threat.)
>
> (Closed source has this problem too, with some variations.)
>
> This is a scary real current example:
> <https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/amp/>
>
> As I understand it, this malicious software tried to damage systems
> in Russia and Belarus.  That's terrible.  And it has had unintended
> side-effects:
>
> <https://web.archive.org/web/20220317140340/https://github.com/RIAEvangelist/node-ipc/issues/308>
>
> (One could also argue that leaving important information in Belarus, with
> no recent backup, is very dumb.)

-- 
Alvin Starr                   ||   land:  (647)478-6285
Netvel Inc.                   ||   Cell:  (416)806-0133
alvin at netvel.net              ||