Overclockers Australia Forums - Business & Enterprise Computing
PabloEscobar, Yesterday 6:39 PM (#25651)

Quote (originally posted by elvis):
(3) GO WITH THE NUMBERS. Look at the frequency of these attacks versus the frequency of other things. Choose your lowest risk based on the frequency, and overall result. Standard "likelihood X impact" dot product risk matrix stuff.
I wonder what users of MeDoc assigned as a likelihood to "Russian cyber warriors compromising the MeDoc source tree and using it to launch an attack".

#beingfacetiousisfun


Of all the packages you automatically install, how many of them would also be in use in geopolitical hot zones? Can $NationState offer the maintainers of any of those packages "Fuck you" money and have them back door it? Is this something that needs to be on my risk matrix?

https://www.theregister.co.uk/2017/0...squatting_npm/

Sometimes I don't even need to offer "Fuck You" money; I just name my package something similar and hope enough people don't bother checking.

Quote:
Originally Posted by elvis View Post
As above, not many folks are installing FLOSS straight from an upstream code base (ain't no "git pull ; ./configure ; make install" in my org). There's a distribution buffer in the middle. Now, I know the counter to that will be the Linux Mint point, but again that was mitigated by verifying checksums on downloads. (And without getting technical, most places with a clue install from packages via scripted installers, not from ISOs - specific to my org, this sort of attack would have completely missed us).
That just changes where the compromise needs to happen, rather than mitigate the attack class.

Developers have been targeted by malware in the past, and while you don't git pull ; ./configure ; make install, do the maintainers of your package?
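The typosquatting point above (publish a package named one keystroke away from a popular one and wait for people who don't check) can be screened for mechanically before `npm install` runs in CI. The following is an added example, not code from this thread or from npm itself: it computes the edit distance between every dependency name in a package.json and a list of well-known package names, and flags near-misses that are not themselves well-known names. The popular-package list, the two-edit threshold and the sample package.json are constructed for illustration.

```javascript
// Added example: flag dependency names that are a small edit away from a
// well-known npm package name (typosquat candidates).
// POPULAR and SAMPLE_PACKAGE_JSON are constructed for this example, not real data.
const POPULAR = [
  'lodash', 'express', 'request', 'chalk', 'commander',
  'async', 'moment', 'debug', 'cross-env', 'babel-cli',
];

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'constructed-sample-app',
  dependencies: {
    express: '^4.15.0',
    expresss: '^4.15.0',   // one extra letter
    lodash: '^4.17.4',
    crossenv: '^1.0.0',    // hyphen dropped
  },
  devDependencies: {
    '@types/node': '^8.0.0',
    l0dash: '^1.0.0',      // zero for the letter o
  },
});

// Standard dynamic-programming Levenshtein distance (insert/delete/substitute).
function levenshtein(a, b) {
  const m = a.length;
  const n = b.length;
  let prev = Array.from({ length: n + 1 }, (_, j) => j);
  for (let i = 1; i <= m; i++) {
    const cur = [i];
    for (let j = 1; j <= n; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[n];
}

// Compare on the bare name so "@scope/lodash" is checked as "lodash".
function bareName(pkg) {
  return pkg.startsWith('@') ? pkg.slice(pkg.indexOf('/') + 1) : pkg;
}

// Return [{ name, lookalike, distance }] for every dependency that is not an
// exact well-known name but lies within maxDistance edits of one.
function findTyposquats(deps, popular = POPULAR, maxDistance = 2) {
  const known = new Set(popular);
  const hits = [];
  for (const dep of Object.keys(deps)) {
    const name = bareName(dep);
    if (known.has(name)) continue; // exact well-known name: not a squat
    for (const p of popular) {
      const d = levenshtein(name, p);
      if (d > 0 && d <= maxDistance) {
        hits.push({ name: dep, lookalike: p, distance: d });
        break; // report the first lookalike only
      }
    }
  }
  return hits;
}

// Parse a package.json text and audit dependencies plus devDependencies.
function auditPackageJson(text, popular = POPULAR, maxDistance = 2) {
  const pkg = JSON.parse(text);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return findTyposquats(deps, popular, maxDistance);
}

for (const h of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious: "${h.name}" is ${h.distance} edit(s) from "${h.lookalike}"`);
}
```

Run against the constructed manifest this reports `expresss`, `crossenv` and `l0dash` and leaves `express`, `lodash` and `@types/node` alone. The threshold of two edits is a tuning knob: short names produce more accidental neighbours, so a real gate would size the popular list from actual download counts and treat a hit as "stop and have a human look", not as proof of malice.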
Daemon, Yesterday 6:54 PM (#25652)

Quote (originally posted by PabloEscobar):
That just changes where the compromise needs to happen, rather than mitigate the attack class.

Developers have been targeted by malware in the past, and while you don't git pull ; ./configure ; make install, do the maintainers of your package?
Most software packages these days (even open source) have a fairly rigid code acceptance process. E.g. npm: https://github.com/npm/npm

You need to submit a pull request, this has to pass the Travis build process (https://travis-ci.org/npm/npm) including unit tests and then the changes have to be approved. Other packages have systems where at least two devs have to approve and only then is the code accepted.

It's not fault free, but it is quite open and easier to detect issues in for most systems. The exceptions of course are crypto and anything which requires highly complex equations and algorithms. The complexity of the problem, let alone the solution, means the number of people qualified to review the code is extremely small.
waltermitty, Yesterday 7:08 PM (#25653)

Quote (originally posted by Daemon):
Most software packages these days (even open source) have a fairly rigid code acceptance process. Eg, npm: https://github.com/npm/npm

https://qz.com/1043614/this-startup-...e-programmers/

Until your text editor plugin starts phoning home without your consent.
PabloEscobar, Yesterday 9:19 PM (#25654)

Quote (originally posted by waltermitty):
https://qz.com/1043614/this-startup-...e-programmers/

Until your text editor plugin starts phoning home without your consent.
That's gold. Shits all over my idea of looking for "resume.doc" and inserting humorous work history entries.
elvis (thread starter), Yesterday 10:17 PM (#25655)

Quote (originally posted by PabloEscobar):
#beingfacetiousisfun
Sure, I get that. I certainly enjoy it myself on occasion. But you asked how to mitigate the risks of enterprise shitware, and I gave you an option based on statistical frequency. Again, I'm channeling Uncle Bruce here, taking emotion out of it, and going with the numbers.

Never let it be said that the open source option is perfect. But I bet my career on it being better. So far, so good.