[GTALUG] supply chain risks: a real example

Lennart Sorensen lsorense at csclub.uwaterloo.ca
Fri Mar 18 22:41:01 EDT 2022


On Fri, Mar 18, 2022 at 12:53:06PM -0400, Alvin Starr via talk wrote:
> This is not just an open source issue since anybody can inject bad code into
> a project.
> Open source being more open has fewer people working to hide issues.
> 
> This is definitely an example of someone taking an action without thinking
> about the potential for collateral damage.
> But multiple state and state sponsored actors are doing just this kind of
> thing right now.
> All sides of this conflict are working at inflicting cyber damage on the
> other parties.
> 
> As for the github posting about an NGO being damaged, there are a handful
> of things that raise red flags for me.
> None of these are clear indicators of fakery but make me scratch my head and
> want to look more closely at this before taking it at face value.
> 
> - The account was created just before the posting
> - The NGO is not named
> - The NGO is storing data in the country where the whistleblowers are.

If that country is blocking access to the rest of the internet, that
might be the only way they can do it.  Only transferring the data once
per month on the other hand sounds totally useless and incompetent.

> The last one may be less than obvious, but keeping a computer in a country
> where the local government has access to the hardware and network connection
> seems to be an amazingly bad idea if you hope to protect the people who post
> information.

The other parts do still seem rather vague and suspicious.

-- 
Len Sorensen