• tal@lemmy.today
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    8 months ago

    I’d actually broaden the concern. Like, having sockpuppet accounts bullying a maintainer is one form of attack, but more-broadly, social engineering is, I think, a real concern.

    My understanding is that it’s considered likely that there was a national intelligence agency behind the xz attack. Point is, if they did it once, it’s probably in the toolkit, and will come up again. Not just from them, but from other organizations who will study attacks and see what works.

    The problem with being an open-source developer is that you don’t spend your days trying to figure out counters to social engineering attempts. On the other side, you’ve got people who may well be spending a lot of time, reading papers, throwing around theories on just how to best pull this sort of thing off. The result is that one side is a novice, and the other has a lot of expertise and time to create a plan.

    And the problem isn’t just how to counter social engineering attempts, but how to do so without being too corrosive to the open-source development community. Like, right now there’s a certain level of reliance on trust. If there isn’t any trust, it’s gonna be harder to do open-source development.

    In both the potential F-Droid attack mentioned and at least some of the people with the Jia Tan/xz attack, some sockpuppets were used that had little history. It might increase the cost of an attack to take into account someone’s history. But…then, the Jia Tan attack also had a very considerable amount of effort put into creating a false persona, the one that actually did the commits.

    • magic_lobster_party@kbin.run
      link
      fedilink
      arrow-up
      0
      ·
      8 months ago

      Social engineering is one of the most underestimated attack vectors. It doesn’t matter how cryptographically secure your system is if you can just ask for access.

    • WamGams@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 months ago

      I love Lemmy, but the harassment and sock puppet accounts is a huge fucking issue. It seems like some of the main instances are just tankies who won’t allow anybody else to have an enjoyable time

  • gregorum@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    8 months ago

    Perhaps this speaks to a larger issue— how much bullying exists in the FOSS community, and what can the community - at large - do to address it, or even begin to bring awareness to it?

    This argument that it’s a security vulnerability isn’t a terrible one (it’s certainly very logical and quite irrefutable), but I think there are others to be made for addressing this issue.

    • jimmy90@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      7 months ago

      yeah, i think any project needs effective leadership. without it disagreements can fester into conflict and bullying becomes a bad way of resolving or beating those you are in conflict with

  • lurch (he/him)@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 months ago

    at the moment we have to accept we can’t please everyone. if people bully maintainers, they can gtfo and fork. same if you get bullied by maintainers, just fork and forget. maybe join with likeminded people if it’s too much work.

  • Zo0@feddit.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 months ago

    I recently found out one my favourite FOSS projects was abandoned due to bullying. It was a small project and very fresh so it obviously came with some bugs and issues which is a given. The maintainer gave up only few months after because of all the negativity.

      • Zo0@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 months ago

        The latest one was LSPatch. Did so much for me. Last message from the maintainer was something along the lines of ‘Seems like people are not happy with the project so I’m dropping it’.