GitHub is under automated attack by millions of cloned repositories filled with malicious code.::Thanks to a combination of sophisticated methodology and social engineering, this particular attack seems to be very difficult to stop.

  • Sibbo
    link
    fedilink
    English
    809 months ago

    So they are poisoning GitHub copilot?

    • @[email protected]
      link
      fedilink
      English
      459 months ago

      https://www.eigenmagic.com/2010/12/31/why-some-people-hate-microsoft-a-history-lesson/

      it’s worth the read, but the conclusion at the end is important

      Who cares?

      Well, everyone who uses a computer should, particularly if we consider what might have happened if Microsoft hadn’t abused their market power. When a monopolist abuses their power, customers all lose, because they don’t get to enjoy the more rapid improvements that robust competition provides. It’s one of the key reasons we think competition is a good thing.

      […] But lastly, and this is the big one for me, we might not have a monoculture of operating system on the Internet with such a poor security model.

      […] Imagine a world where Symantec didn’t exist, because viruses weren’t so easy to write and spread to all the world’s computers. Imagine a world where spam didn’t constitute 90% of all email because it wasn’t so easy to take over a PC and turn it into a botnet zombie. Imagine not having to do impromptu tech-support for family members who accidentally installed a bunch of spyware.

      […]Imagine all the time and money that has been, and continues to be, spent on fixing all of the issues that a better security model 10-15 years ago might have avoided.

      In Summary

      Microsoft have made (or bought) some excellent products, as they continue to do. There are many wise, capable, and perfectly reasonable people who work there, what with it being a big company and all. This is not a company that is an unrestrained force for evil in the world.

      However.

      Microsoft have a history of abusing market dominance in order to exclude competitors. Many of the top management running the company at the time are still there, running the company today.

      Perhaps there will be no repeat performances, but there are very good reasons for greeting rhetoric from Microsoft regarding their openness with some scepticism.

      Inflammatory headline aside, let me be clear that I don’t hate Microsoft. But I can understand why there are those who do.

      • @BradleyUffner
        link
        English
        109 months ago

        That happened 6 years ago. Seems like a long time to hold grudge before attacking.

        • @pete_the_cat
          link
          English
          29 months ago

          GitHub was previously owned by Corvids.

    • Pennomi
      link
      English
      19
      edit-2
      9 months ago

      The smart kind of lowlife. Because it’s a very large and generally trusted source, meaning it’s an excellent vector for attacks. Sometimes the simplest reason is the most likely.

    • @mlg
      link
      English
      89 months ago

      Meh, they practically fold at every complaint to takedown tools that get accused of piracy.

      Nintendo especially gets annoying about deleting every possible fork of some tiny script that extracts the switch keys.

      Plus it’s Microsoft, let them deal with it lol.

  • Ahri Boy
    link
    fedilink
    English
    149 months ago

    That’s why you should migrate to a Forgejo or GitLab instance.

    • @gedaliyah
      link
      English
      89 months ago

      Any thoughts on codeberg? I’ve seen a project or to there.

    • @JustUseMint
      link
      English
      89 months ago

      Wtf why is this being downvoted

      • @douglasg14b
        link
        English
        359 months ago

        Because they obviously didn’t read the article?

        Unless you only use software and libraries hosted on gitlab, which you don’t, then that’s immaterial to this problem. GitHub is a target because of it’s size, Gitlab and friends are seemingly just as vulnerable to this sort of attack, which ONLY works because of human nature. Which last I checked is the same regardless of platform…

        • @chonglibloodsport
          link
          English
          69 months ago

          Gitlab is open source. You can download it and host it yourself. A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

          Git was always designed with decentralized development and collaboration in mind. Its creator, Linus Torvalds, prefers not to bother with servers like GitHub at all. Git can even be used entirely over email (Linus’s preference)!

          • @[email protected]
            link
            fedilink
            English
            11
            edit-2
            9 months ago

            A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

            No, it’s not. Not in literally any way. Not 1%. Not 0.000000000000000001%. You don’t even get security by obscurity as a nebulous benefit because the core mechanisms are basically the same between instances.

            No projects are being compromised. They’re being imitated and passed off as the real thing to the naive. You can just as easily do that on another server (including established ones by adding multiple domains to your scripts) when people expect to use thousands of different git hosts as you can on GitHub, except without the benefit of the scale of Microsoft’s expertise at handling this type of attack.

            I’m all for federated git being the way forward. I’d love to see it grow into a reasonable option. But it has no benefit in any context against an attack like this.

            • @[email protected]
              link
              fedilink
              English
              09 months ago

              a decentralized community that correctly prioritizes security would absolutely be using signed commits and other web-of-trust security practices to prevent this sort of problem

              • @[email protected]
                link
                fedilink
                English
                39 months ago

                New accounts exist and have good reason to exist. You can’t and shouldn’t ban new accounts from creating projects.

                Anyone capable of understanding what “web of trust” means is already way too sophisticated to be misled by these fake projects.

          • @abhibeckert
            link
            English
            59 months ago

            Gitlab is open source. You can download it and host it yourself. A decentralized developer community is resilient against this sort of attack for the very reason GitHub is so vulnerable: size.

            Um, what? Sorry but if someone is going to send, say, ten million malicious contributions (or heck, even just one), I don’t particularly want to deal with that on my self hosted server. I’d rather someone else deal with it.

            Git was always designed with decentralized development and collaboration in mind. Its creator, Linus Torvalds, prefers not to bother with servers like GitHub at all. Git can even be used entirely over email (Linus’s preference)!

            The Linux project created Git to solve problems they had. Pretty much no other project in the world has the same set of problems - it’s a highly unusual open source project with tens of millions in market value. Other projects have very different needs.