this post was submitted on 10 May 2024
152 points (92.2% liked)
Technology
59123 readers
2308 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I'd actually broaden the concern. Like, having sockpuppet accounts bullying a maintainer is one form of attack, but more-broadly, social engineering is, I think, a real concern.
My understanding is that it's considered likely that there was a national intelligence agency behind the xz attack. Point is, if they did it once, it's probably in the toolkit, and will come up again. Not just from them, but from other organizations who will study attacks and see what works.
The problem with being an open-source developer is that you don't spend your days trying to figure out counters to social engineering attempts. On the other side, you've got people who may well be spending a lot of time, reading papers, throwing around theories on just how to best pull this sort of thing off. The result is that one side is a novice, and the other has a lot of expertise and time to create a plan.
And the problem isn't just how to counter social engineering attempts, but how to do so without being too corrosive to the open-source development community. Like, right now there's a certain level of reliance on trust. If there isn't any trust, it's gonna be harder to do open-source development.
In both the potential F-Droid attack mentioned and at least some of the people with the Jia Tan/xz attack, some sockpuppets were used that had little history. It might increase the cost of an attack to take into account someone's history. But...then, the Jia Tan attack also had a very considerable amount of effort put into creating a false persona, the one that actually did the commits.
I love Lemmy, but the harassment and sock puppet accounts is a huge fucking issue. It seems like some of the main instances are just tankies who won't allow anybody else to have an enjoyable time
Social engineering is one of the most underestimated attack vectors. It doesn’t matter how cryptographically secure your system is if you can just ask for access.