"It's also good to keep in mind that this is an unpaid hobby project." ~ Lasse Collin, 2022-06-08.
As someone working in security, the fact that _foundational_ pieces of the computing/networking rely on motivated individuals and essentially goodwill is mind blowing.
There are great aspects to the FOSS movement, but the risks – particularly the social engineering aspects as demonstrated here – and potential blast radius of supply chains like this... We take it all for granted and that is lining up to bite us hard, as an industry.
Sorta but flawed relevant xkcd: https://xkcd.com/2347/
I don't see how this is any strongly different than some unappreciated skill worker in a corporation. Its interesting the double standard we have for FOSS. Meanwhile in the commercial world, supply chain attacks are commonplace and barely solicit headlines.
Yes, FOSS needs to be able to address these kinds of attacks, but the world runs on the efforts of the low-level few, generally. The percent of people who work to build and maintain core infrastructure has always been small in any economic system. The world is held up by the unsung labor of the anonymous working class. Think of all the people working right now to make sure you have clean water, electricity, sanitation, etc. Its a tiny fraction of the people in your city.
Conversely, why aren't all these corporations who depend on this contributing themselves? Or reaching out? There's a real parasitic aspect here that gets swept under the rug too.
I'd even argue this isn't really a hobby for many, especially for higher profile projects. For many its done for social capital reasons to build up one's reputation which has all sorts of benefits, including corporate advancement, creating connections for startups, etc. Its career adjacent. And that's ignoring all the companies that contribute to FOSS explicitly with on-the-clock staff.
So there are motivators more than just "I'm bored and need a hobby." Its a little dismissive to call FOSS development just a hobby. Is what Linus does a hobby? I don't think most people would think so. Things like this have important social and economic motivators. The hypothetical guy in the comic isn't some weirdo doing something irrationally, but has rational motivators.
I'd also argue that its pretty harmful to FOSS adoption if the community takes on a "well, its a hobby don't expect quality, security, or professionalism." This is a great way to chase people away from FOSS. We can't just say "Oh FOSS is better than much closed software" when things are good, then immaturely reply "its just a dumb hobby, you're dumb for trusting me," when things go south. I think its pretty obvious there's a lot of defensiveness right now and people being protective over their social capital and projects, but I think this path is just the wrong way to go.
Comms, PR, and image management in FOSS is usually bad (see Linus's rage, high profile flame wars, dramatic forkings, ideological battles, etc), so optics here aren't great, because optics is something FOSS struggles with. The community is at best, herding cats, with all manner of big personalities and egos, and its usually a bit of a controlled car crash on the best of days.
I think there is a fundamental difference between how corporations used to work and how open source typically works.
In a traditional corporation, people would come to an office. It would be known where they live. If you would require something like (code) review, it becomes a lot harder to plant something. Obviously not impossible, but hard for all but the most dedicated attackers.
In contrast, with open source and poorly funded projects. People don't always have money to travel. So the people working on an open source project may only know each other by some online handles. Nerds typically don't like video conferencing. So it is quite possible to keep almost everything about an identity secret.
And that makes it a lot more attractive to just try something. If something goes wrong, the perpetrator is likely in a safe jurisdiction.
tbf, most security issues aren't from some insider, but outsiders discovering exploits. The insider scenario here is extremely rare both in commercial and FOSS software.
Corporate insiders do stuff like this too, its just how often do we hear about it? FOSS has high visibility but closed source doesn't. Think of all the shady backdoors out there. Or what Snowden and others revealed.
On average a 100% FOSS organization is going to be much, much more secure than a 100% commercial close source one. Think of all the effort it takes to moderately secure a Windows/closed source stack environment. Its an entire massive industry! Crowdstrike alone has a $76bn marketcap and that's just one AV vendor!
Commercial software obeys the dictates of modern capitalism. Projects get rushed, code review and security take a backseat to quarterly reports and launch dates, etc. This makes closed source security issues common.
Usually when the exploit is discovered the attacker is far outside the victim's jurisdiction. See all the crypto gangs operating from non-Western non-extradition states.
Pretty much never.
One particular terrible case I saw was when a developer left a testing flag in a build that got pushed to production and used for years. Had you set the right &whatever flag in the URL you'd have unauthenticated access to everything. It was discovered years after the fact when the software was no longer in supported status, so nothing was ever wrote up about it and told to the users. "They shouldn't have been using it by now anyway, no use in bad press and getting users worried".
And I'm guessing there was no Five Whys or equivalent to ask how to prevent this from happening again.
No time to do things right...
You may want to read Kevin Mitnick on how (relatively) easy it is to infiltrate physical spaces.
Mitnick, at this point, has deceased.
Read up on red teaming and social engineering in general. Many more examples of red teaming are available, for example. I thoroughly enjoy these specific stories on Darknet Diaries podcast.
True, but we have to assume that nation states are now actively inserting or recruiting intelligence agents in prominent tech companies. US authorities already caught a Saudi spy in Twitter. How many haven't been caught yet? If I was running foreign intelligence for China or Israel or any other major country I would certainly try to place agents into Google, Apple, OpenAI etc.
If you're not getting paid then it's just a hobby. And there's nothing wrong with hobbies. As a FOSS contributor myself I feel no obligation to promote FOSS adoption. Quality, security, and professionalism are not my problem; anyone who cares about those things is welcome to fork my code.
This is one of the sanest comments I've ever seen describing what FOSS actually is. I think you nailed it when you said:
It's weird. There are the explicit expectations of FOSS (mostly just licenses, which say very little), and the implicit expectations (everything else).
It's anarchic and ad hoc in a way that leaves the question of "what are we actually doing with this project(s)" up for all kinds of situational interpretation, as you noted. This is bad, because this ambiguity leads to conflict when the various actors are forced to reveal their expectations, and in doing so show that their expectations are actually quite divergent (i.e., "this is my fun hobby project!" vs. "my company fails without this bugfix!" vs. "I thought this was a community project!" vs. "This project is for me and my company, I call the shots, you're welcome to look at the code, though").
It's a little bit like the companies that are like "we have a flat management hierarchy, no one really reports to anyone else". It's just not true. It's almost always used as a ruse to dupe a certain class of participant that isn't sophisticated enough to know that these kinds of implicit power hierarchies leave them at a disadvantage. There's always a structure, it's just whether that structure is explicit or not. This kind of wishy-washy refusal to codify project roles/importance in FOSS is not doing us any favors. In fact I think it prevents us from actively recognizing the "clean water" role that an enormous number of projects play.
There's real labor power here if we want it, but our continued desire to have FOSS be everything to everyone is choking it.
This event should be a wake-up call to businesses everywhere: It's not just a small number of "core" FOSS projects that need their support (funding and assistance!). Before this event who was thinking about a compression library when considering the security of their FOSS dependencies?
The scope of "what FOSS needs to be supported and well-funded" just increased by an order of magnitude.
Yeah, as I note elsewhere in this thread, the OpenSSL "Heartbleed" saga should've taught some lessons, but alas, it's "classic" human nature to repeat our mistakes.
no - funding is going to places where profit is returned on investment, NOT to the tedious and long-term work that all of this sits on. It is not "human nature" because tedious, high-skill maintenance is done by humans, which built the infrastructure and continue to be crucial.
There is no accountability and in fact high-five and star shots for those taking piles of money and placing it on more piles of money, instead of doing what appears to be obvious to almost everyone on this thread -- paying long-term engineers.
No counter-argument; fully agree. FWIW, that's what I was referring to when I said, "fat companies" (and executives) glossing over the important tedious here[1].
[1] https://news.ycombinator.com/item?id=39905802
This would of course be nice since the fact that so much of our infrastructure is based on the work of people sharing it openly, a practice heavily in contrast to industry behavior, is sadly still a little known fact outside of software development.
The demand for more assistance here is the angle that was played in social engineering, specifically the demand to acquire more maintainers due to workload. Especially if such support would take the form like providing source archives with manipulated build scripts that are rarely checked by third parties.
There is also a problem of badly behaving industry that tries to take control of "hobby projects". Speaking of which, these "hobby"-projects often have much better code than many, many industry codebases.
I think FOSS overall still lessens the risk. It got more risky since it has been integrated in social media since these often allow for developer being shouted down or exploited much more easily.
No is an answer. And blocking people should be a thing.
Personally I do not publish anything anymore which is not "non-commercial only" as a result of demands, you can do it yourself if you want to make money off it (or if you demand things for that matter). Fortunately my online stuff isn't used much but even then it's possible to get "requests".
I'm all for funding FOSS, but how would the money have made any difference here? It just would have made Jian a bit richer, right?
Funding all of these deep dependencies may have helped in this case but wouldn't address the root of the problem, which is that every business out there runs enormous amounts of unsandboxed third party code. Funding may have helped xz specifically from falling to pressure to switch to a malicious maintainer, but it does nothing about the very real risk that any one of the tens of thousands of projects we depend on has always been a long con.
The solution here has to be some combination of a dramatic cut back on the number of individual projects we rely on and well-audited technical solutions that treat all code—even FOSS dependencies—as potentially malicious and sandboxes it accordingly.
This ought to be not only a wake-up call for businesses, but also to hobbyists and members of the public in general; our code, our projects and our social "code-generating systems" must be hardened or face rampant abuse and ultimately be weaponised against us.
In a way, these issues which FOSS is facing and are becoming apparent are no different to those democracy been submitted since time immemorial.
I think a problem is that there doesn't seem any way to automatically check this. If we assume that anything that is used during build time can be malicious then figuring out those dependencies is already hard enough. Mapping that to organizational stability is one step further.
This is where the but FOSS is reviewable so it is trusted falls down. This situation is a prime example of how that fallacy is misconstrued. By being FOSS didn't make it trustworthy, it just meant that people had a fighting chance to find out why when something does happen. That's closing the barn door after the horses already left.
I'm not knocking FOSS at all. I just think some people have the concept twisted. Just like the meme of being written in Rust means the code is fast/safe from the mere fact it was written in Rust. I don't write Rust, but if I did, I guarantee that just from sheer not knowing WTF I'm doing would result in bad code. The language will not protect me from myself. FOSS will not protect the world from itself, but it does at least allow for decent investigations and after action reports.
You don't think every nation state has people inside private software shops? Especially big tech?
Look at stuff getting signed with MS keys, hardware vendors with possible backdoors.
Social engineering is social engineering and it can happen anywhere no matter the profit motivation or lack there of.
Money interest in software won't save you any more than Foss.
It'd be naive to assume that nation state actors are not trying to penetrate the supply chain at all levels, as it just takes a single weak link in the chain. That weak link could be behind corporate doors or in the open.
The main issue is that this attack shows how a relatively unknown component, as part of a much larger and more critical infrastructure, is susceptible to pressure as a result of "this is a hobby project, lend a hand".
At what point do these components become seen as a utility and in some way adopted into a more mainline, secure, well-funded approach to maintenance? That maintenance can, and probably should, happen in the open, but with the requisite level of scrutiny and oversight worthy of a critical component.
We got very lucky, _this time_.
why just this one? do we collectively have the memory of a gold fish? just recently, log4j had a similar blast radius. is it because one was seemingly malicious that the other doesn't count?
We should not think in absolutes, but in terms of tools. What risks come with using a certain tool.
In your Rust example, using C is like using a power tool without any safety measures. That doesn't mean that you are going to get hurt, but there is an expectation that a sizable fraction of users of such tools will get hurt.
Rust is then the same tool with safety measures. Of course it is still a power tool, you can get hurt. But the chances of that happening during normal operation is a lot lower.
I think xz is a good example where open source happened to work as intended. Somebody noticed something weird, alerted and other people could quickly identify what other software might have the same problem.
Never understood why our industry seems unique in our willingness to do unpaid work for giant corps. Your compression library isn't saving the world, it's making it easier for amazon to save a few bucks.
You have the right to be paid for your time. It's valuable.
I enjoy coding too... but the only free coding I do is for myself.
Use a proper license, charge for your time and stop killing yourself doing unpaid hobby projects that cause nothing but stress.
Because it never starts that way. It scratches an itch, solves an interesting puzzle and people thank and praise the work. Deep down we all want to be useful, and it helps that it looks great on a résumé.
After it's established the big corps come along, but the feeling of community usefulness remains. It's also why so many devs burn themselves out, they don't want to disapoint.
IMO this is exactly why. The payout comes later, if the project is successful.
The work was not being done "for giant corps"; it was being done for everyone, and giant corps just happen to be a part of "everyone", together with small corps, individual people, government, and so on.
When you think of free software contributions as "volunteer labor" instead of just a hobby, it makes more sense. Yes, my time is valuable; when I'm working on free software, I'm choosing to use this valuable time to contribute to the whole world, without asking for anything in return.
Weird that this is a concept people struggle to understand...
Did you get paid for the post you just wrote? People at giant corps are reading it right now, they're getting value from it. You deserve to be paid!
IF you understand why you'd post without being paid, you're 80% of the way to realizing why people program without being paid.
That's just the nature of free software- you have to either trust the maintainer or do it yourself. There is not really a way around it.
- Corporate maintainers are great until they enshittify things in the pursuit of profit (see Oracle)
- Nonprofits are probably the best but can go the same route as corps (see Mozilla)
- Hobbyists are great until they burnout (see xz)
I think the level of complexity is the problem. A bad actor can be embedded in any of the above contexts: corp, non-profit, FOSS hobbyist. It doesn’t matter. The question is: when software is so complex that no one knows what 99.9% of the code in their own stack, on their own machine, does (which is the truth for everyone here including me), how do you detect ‘bad action’?
The level of complexity involved in making sure that electrical plants work, that water gets to your home, that planes don't crash into each other, that food gets from the ground to a supermarket shelf, etc, is unfathomable and no single person knows how all of it works. Code is not some unique part of human infrastructure in this aspect. We specialize and rely on the fact that by and large, people want things to work and as long as the incentives align people won't do destructive things. There are millions of people acting in concert to keep the modern world working, every second of every day, and it is amazing that more crap isn't constantly going disastrously wrong and that when it does when are surprised.
It kinda is. The fact that code costs fractions of a penny to copy and scale endlessly, changes everything.
There's hard limits on power plants, you need staff to run them, it's well-understood.
But software - You can make a startup with 3 people and a venture capitalist who's willing to gamble a couple million on the bet that one really good idea will make hundreds of millions.
Software actually is different. It's the only non-scarce resource. Look at the GPL - Software is the only space where communism / anarchy kinda succeeded, because you really can give away a product with _nearly_ no variable costs.
And it's really just the next step on the scale of "We need things that are dangerous" throughout all history. Observe:
- Fire is needed to cook food, but fire can burn down a whole city if it's not controlled
- Gunpowder is needed for weapons, but it can kill instantly if mishandled
- Nuclear reactors are needed for electricity, but there is no way to generate gigawatts of power in a way that those gigawatts can't theoretically cause a disaster if they escape containment
- Lithium-ion batteries are the densest batteries yet, but again they have no moral compass between "The user needs 10 amps, I'm giving 10 amps" and "This random short circuit needs 10 amps, I'm giving 10 amps"
- Software has resulted in outrageous growth and change, but just like nuclear power, it doesn't have its own morality, someone must contain it.
Even more so than lithium and nuke plants, software is a bigger lever that allows us to do more with less. Doing more with less simply means that a smaller sabotage causes more damage. It's the price of civilization.
So the genie ain't going back in. And private industry is always going to be a tragedy of the commons.
I'm not sure what government regulation can do, but there may come a point where we say, even if it means our political rivals freeload off of us, it's better for the USA to bear the cost of auditing and maintaining FOSS than to ask private corporations to bear that cost duplicating each other's work and keeping it secret.
Is that a handout to Big Tech? 100%. Balance it with UBI and a CO2 tax that coincidentally incentivizes data centers to be efficient. We'll deal with it.
What it reminds me of, is my reoccuring thought, not just about open source but including this aspect, that we've built up a society based on software, that we could literally only afford because we've done it unsustainably. The economy could not bear the costs of producing all this software in an actual reliable sustainable way. So... now what.
It might be a good idea for governments to coordinate with computing advocacy groups/associations (e.g. German CCC, NANOG, popular Linux distributions such as Ubuntu, Debian, Fedora, Arch)... set up a fund of maybe 10 million euros, have the associations identify critical, shared components, and work out funding with their core developers. 10M a year should fund anything from 100-200 developers (assuming European wages), that should be more than enough, and it's pocket change for the G20 nations.
If that's too much bureaucracy or people fear that governments might exert undue influence: hand the money to universities, go back to the roots - many (F)OSS projects started out in universities after all. Only issue there is that projects may end up like OpenStack in the end ;)
Could it really not afford it? I’m not convinced that is the case, so much as we don’t have a way to pay people for their effort.
Also in security and 100% tired of the code slingers who get annoyed by security reviews
Here on HN it’s been derided as “company just checking a box for compliance but adds no functionality. It slows us down when we want to disrupt!” - developer of yet another todo list or photo editor app…
Buffer overflows and the like are one thing. Notions from this blog that certain normal files won’t be well reviewed is a bad smell in software. Innocuous files should be just as rigorously reviewed as it’s all part of the state of the machine
“This is how it’s always worked” is terrible justification
Startup script kiddies git pulling the internet, and single maintainers open source projects aren’t cutting it; if it’s that important to the whole those in charge of the whole need to make sure it’s properly vetted.
I’m an EE first; this really just makes me want to see more software flashed into hardware.
A security review or snake oil AI black box didn't stop this. It was stopped by a 'code slinger' who noticed a performance regression in ssh.
Deloitte coming in a checklist would have NEVER stopped this one.
Nothing will really change, sadly. Remember log4j? There were also a lot of talking why people working on FOSS should be paid. And after one month almost no one remembered these voices exept for small minority of people.
What's gonna happen now ? a team of foss sec chaos monkey trying to run checks on a core set of libs ?