I’m concerned stuff like this will lead to a “dark forest” scenario, in which the risks of open source outweigh the benefits. Not today, but it's not impossible tomorrow.

https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

hackerbot-claw: An AI-Powered Bot Actively Exploiting GitHub Actions - Microsoft, DataDog, and CNCF Projects Hit So Far - StepSecurity

A week-long automated attack campaign targeted CI/CD pipelines across major open source repositories, achieving remote code execution in at least 4 out of 5 targets. The attacker, an autonomous bot called hackerbot-claw, used 5 different exploitation techniques and successfully exfiltrated a GitHub token with write permissions from one of the most popular repositories on GitHub. This post breaks down each attack, shows the evidence, and explains what you can do to protect your workflows.

At the very least, we're going to need a highly effective spam filter for code contributions.
@mttaggart Given that reviewing a PR is already labor-intensive, is it that much marginal effort to ask contributors to hop on a call and verify their humanity? Maybe once they've done it once they can get a credential as a trusted contributor.
@anyone_can_whistle Okay, now imagine having to make that request for 1000 PRs that just came in.

@mttaggart @anyone_can_whistle I think it would then be the other way round: you don't get to even make the PR unless you've been vetted.

This is reinventing the web of trust, but for FOSS community identity rather than for correlating public keys to people, which too many people were always creepily convinced meant "government ID". There might be a way to get it right this time, but you need to build into the design the fact that there's a strong incentive to attack and game it.

@axx @mttaggart Yeah, I was thinking of making that ordering explicit, but then I just felt like, well, it seems like "request to validate me" could go along with "first PR". I had heard of a web of trust in other contexts but hadn't heard about it for validating FOSS identities. Anyway, it seems like something like this, in addition to spam filtering, is probably the way, maybe not just for open source but for a humans-only internet, if that's something we want.