Mastodawn

I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits. Not today, but it's not impossible tomorrow.

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

At the very least, we're going to need a highly effective spam filter for code contributions

Indeed, this is the kind of anti-human behavior that could necessitate a "hard fork" of the web—or just kill it.

https://taggart-tech.com/human-web/

Meditations on The Human Web

To save the internet, we may have to rebuild it.

anyone_can_whistle Mar 1

@mttaggart Given that reviewing a PR is already labor-intensive, is it that much marginal effort to ask contributors to hop on a call and verify their humanity? Maybe once they've done it once they can get a credential as a trusted contributor.

@anyone_can_whistle Okay now imagine having to make that request for 1000 PRs that just came in

anyone_can_whistle Mar 1

@mttaggart I can imagine it being automated; maintainers have a calendly-type thing, so making the appointment is not work for the maintainer. If you want to submit a PR you get on the calendly. I don't really see the incentive for bots to spam a system that is going to human-verify them eventually. Maybe the problem would be that a bad human actor with a bunch of bots would make themself available for the verification.

anyone_can_whistle Mar 1

@mttaggart But maybe part of the verification would be actual identity (is anonymity valued in software contributions?). Or maybe the ability to talk through the PR.

Atle 🧇🧅Mar 1

@anyone_can_whistle @mttaggart i guess many would just quit beeing a maintainer of an open source project if this is the response.

Atle 🧇🧅Mar 1

@anyone_can_whistle @mttaggart i guess that the era of "open source on ones spare time" will be a thing of the past, at least.

αxel simon ↙︎↙︎↙︎Mar 1

@mttaggart @anyone_can_whistle I think it would then be the other way round: you don't get to even make the PR unless you've been vetted.

This is reinventing the web of trust. But for FOSS communities identity rather than correlating public keys to people, which too many people were always creepily convinced meant "government ID". There might be a way to get it right this time, but you need to build into the design the fact there's a strong incentive to attack and game it.

CyberFrog Mar 1

@axx @mttaggart @anyone_can_whistle the web of trust failed for keys because getting people to participate in it was such a massive pain in the ass that nobody ever adopted it fully, and even the most hardcore people who did adopt it struggle to use it

Literally every single time tech people have created a new web of trust it has failed because human contacts are ephemeral, keys and identities should not actually be permanent because protecting them and maintaining them is stupidly difficult

The only working "web of trust" currently is the TLS CA system, and that's dominated by 2-3 monopoly corporate players where individuals have almost zero control or freedom over the fucking encryption they use, it's like this because a superstructure where we outsource everything to a monopoly CA cabal is the only way to make a web of trust system convenient

I see absolutely no reason why this vetting process won't immediately fail in exactly the same way as every other WoT attempt since the 90s, how will you stop a monopoly super structure that gates vetting? how will you maintain participation? how will you keep the UX and developer experience reasonable and easy so people don't give up on it?

if you can't actually answer these questions the project is doomed to obscure uselessness tbh

anyone_can_whistle Mar 1

@axx @mttaggart yeah, I was thinking of making that ordering explicit, but then I just felt like well, it seems like "request to validate me" could go along with "first pr". I had heard of a web of trust in other contexts but hadn't heard about it for validating FOSS identities. Anyway, it seems like something like this in addition to spam filtering is probably the way, maybe not just for open source, but for a humans-only internet, if that's something we want.

if you've got 1000 PRs that just came in you probably already have a team of people who can vet them via the existing change management process you definitely have in place since you're a competent manager of a large software project, right

CC: @[email protected]

The Orange Theme Mar 1

@mttaggart Make 'em email patches like God intended.

Julien Roncaglia Mar 1

@mttaggart we’ve needed some sort of “reputation” system in OSS (spanning forges and package repositories) a bit more organized than “I’ve seen your pseudonym/avatar on another repo or on Twitter/mastodon) for some time.

I just hope it will be thoughtfully done and not hacked in place by a single (Github?) provider in reaction to incidents

@vbfox In another context, here's my attempt at reputation for web content: https://ringspace.net

About - Ringspace Trusted Webrings: Protocol Specification