from the I've-created-a-devastating-masterpiece dept.
Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google:
Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.
The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation's Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.
[...] "Despite open-source software's essential role in all software built today, it's far too easy for bad actors to circulate malicious packages that attack the systems and users running that software."
[...] Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, of which Google is a member, decided the problem needed to be addressed.
[...] OpenSSF says most of the malicious packages it detected were dependency-confusion and typo-squatting attacks. But the project believes most of these are likely the work of security researchers participating in bug bounties.
"The packages found usually contain a simple script that runs during install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior," OpenSSF and Google note.
OpenSSF notes that any of these packages "could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks."
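As an added illustration of the two patterns the summary describes (a name within one edit of a popular package, and an install-time script that runs a command), here is a small defender-side check in Python. It is not code from the article or from the Package Analysis project; the popular-package list, the hook names and the sample manifest are constructed for the example.

```python
import json

# Constructed list of well-known package names to compare candidate names against.
POPULAR = {"requests", "lodash", "express", "numpy", "colorama"}

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def typosquat_candidates(name: str, popular=POPULAR, max_dist: int = 1) -> list:
    """Popular names that `name` is within `max_dist` edits of, excluding an exact match."""
    return sorted(p for p in popular if p != name and edit_distance(name, p) <= max_dist)

INSTALL_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts that run on install

def install_hooks(manifest: dict) -> dict:
    """Install-time lifecycle scripts declared in a package.json-style manifest."""
    return {k: v for k, v in manifest.get("scripts", {}).items() if k in INSTALL_HOOKS}

def review_package(name: str, manifest: dict) -> list:
    """Human-readable findings for the two patterns the OpenSSF summary describes."""
    findings = []
    near = typosquat_candidates(name)
    if near:
        findings.append(f"name '{name}' is within one edit of popular package(s): {', '.join(near)}")
    for hook, cmd in install_hooks(manifest).items():
        findings.append(f"install-time script '{hook}' runs a command: {cmd}")
    return findings

# Constructed sample manifest: a transposed name plus a postinstall hook.
SAMPLE_MANIFEST = json.loads("""{
  "name": "lodahs",
  "version": "1.0.0",
  "scripts": {"postinstall": "node collect.js", "test": "echo ok"}
}""")

if __name__ == "__main__":
    for finding in review_package(SAMPLE_MANIFEST["name"], SAMPLE_MANIFEST):
        print(finding)
```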
"security researchers looking for bug bounties"?
(Score: 2) by darkfeline on Thursday May 05, @07:41AM
Distro package repos were at least vetted by the maintainers. Having central repos where anyone can upload anything was bound to be an issue from the start.
Go does it right, by defining standard protocols and deferring the package hosting to users. It doesn't prevent stupid, but it makes it more obvious where packages are hosted (e.g., some random guy on GitHub). You can't typo squat since the domain/path is going to be vastly different.
Join the SDF Public Access UNIX System today!
(Score: 1, Insightful) by Anonymous Coward on Thursday May 05, @07:54AM
The whole theoretical 'strength' of Open Source is that "many eyes make for shallow bugs." In reality however, only a few elite coders look at source code. These are either the maintainers, or those wanting to make a fork, ... or malicious players scratching for a weak point. Joe Linux does NOT look at source code. I did IT for years, but I take a Linux distro and all its packages which I may add, as-is. I have work to do. It would take me a few centuries to sift through the source code and I would have to upskill considerably for it to make any sense. There is a beauty to the Linux updates model, but yes - malicious entities have abused it and will abuse it again.
(Score: 1, Insightful) by Anonymous Coward on Thursday May 05, @08:02AM
So proprietary software for all? \o/
This sounds like it's more about jealous control of code (and a lust to keep it private/black boxed) by Google.
We must defend open source software and hardware with all of our strength, or we will lose it to big corporations.
The only reason Linux still exists is because Microsoft (and/or other companies) hasn't been able to BUY it all up.
We must defend distributions like Debian even more so because of the freedom and liberty it provides us.
Otherwise we'll be virtually sodomized by the corporations who want control over everything and they don't care about us at all. It's all about money, greed, control, power.
(Score: 0) by adamantine on Thursday May 05, @08:32AM
Repositories for Javascript and Python? Thank goodness SN is in Perl!