Is Open Source Ecosystem Broken: Exploiting Developer Infrastructure Is Ridiculously Easy

in #dlike, 5 years ago


Open-source software allows for collaboration across developers, but when it is not sufficiently maintained, problems can quickly travel down the dependency chain and cause catastrophe. I've personally used Free and open-source software (FOSS) since a little while after I first started using a computer, from media players to photo editors to entire operating systems (Ubuntu). But I was never any sort of fanboy, and I still saw commercial software in a superior light. To me, FOSS at the time was for those who don't use the full feature set of paid software, and for smaller-scale software like media players.


Blockchain changed all that with its incentive systems. Smaller-scale software is never really something you depend on heavily, and it can be improved with ease without a lot of technical expertise. But when it comes to security, non-blockchain FOSS is at a huge disadvantage.


In late October, an issue was opened on an extremely popular node.js tool, nodemon, describing a deprecation warning that was being logged to the console.

Warnings like these aren’t uncommon. This one seemed harmless. It wasn’t even related to the nodemon project, but rather to one of its dependencies. This easily could have gone completely ignored because, in many cases, warnings like these often resolve themselves.


About three weeks after the initial report, Ayrton Sparling experienced the log output himself and found that a new dependency several layers deep was the cause of the warning. The output was coming from a strange bit of code at the end of a minified JavaScript file that did not exist in an earlier version and had been removed in a later version (compare [email protected], [email protected], and [email protected]). Ayrton’s research led him to a popular npm library, event-stream, which is downloaded nearly two million times a week and, up until recently, was maintained by a reputable open-source developer.

Several months ago, control of event-stream changed hands, legitimately, to a relatively unknown user who asked for publishing rights over email. This user then updated event-stream to include the exploited flatmap-stream dependency in a patch version and then bumped the major version of event-stream without the dependency to limit the visibility of the change. New users who, presumably, are a little more inclined to question dependencies would get the latest version (4.x as of this writing) and users who depend on the previous version would automatically update to the infected patch release whenever npm install runs again (with many common configurations).

The article has lots of code explained too. After some technical details it explains something that is extremely obvious to the cryptosphere: "So much software is built on the backs of people who are expected to work for free.


Let’s count all the things that went wrong.

  1. An application (Copay) was built by consuming dependencies over the network without the entire tree’s dependencies locked.
  2. Even without locked versions, those dependencies aren’t cached and are pulled on every build.
  3. Thousands of other projects are dependent on event-stream with the same or similar configurations.
  4. The maintainer stopped caring about a library that thousands of projects depended on.
  5. Thousands of projects consume this library for free and expect it to be maintained without any compensation.
  6. The maintainer gave full control to an unknown entity just because they asked for it.
  7. There was no notification that control had changed, thousands of projects were just expected to consume the package with no warning.
  8. There’s really no end—this list of things that went wrong could go on and on…"

"Open source is broken, and the larger it grows the more likely that catastrophic events will occur"

That is the conclusion of the author. The solution is simple: expand what we already have with cryptocurrency development into the entire FOSS ecosystem. That's the only fix we can have. Incentives are the easiest fix of all, if you can manage to set them up well.
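The mechanism behind points 1 and 2 of the list above (an unlocked caret range silently resolving to a newly published patch release, while a lockfile pin does not) can be modelled in a few lines. This is an added example, not code from the original post, from npm or from event-stream; the package name "stream-lib", its version numbers and the registry contents are constructed for illustration, and only the `^` and exact-version range forms are modelled.

```javascript
// Added example (not from the original post, npm or event-stream): a minimal model of
// how an npm caret range resolves against a registry, and why a lockfile pin does not
// pick up a newly published patch. Package names and versions are constructed.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Negative if a < b, positive if a > b, 0 if equal (plain major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// "^X.Y.Z" allows any version >= X.Y.Z with the same major (modelled for X >= 1).
// A bare version string allows exactly that version.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const base = range.slice(1);
  return parseVersion(version).major === parseVersion(base).major &&
    compareVersions(version, base) >= 0;
}

// Highest published version matching the range: what an install does when no
// lockfile entry exists for the package.
function resolve(registry, name, range) {
  const candidates = registry[name].filter(v => satisfies(v, range));
  candidates.sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// Resolve every dependency of a manifest, preferring lockfile pins when present.
function install(registry, manifest, lockfile) {
  const result = {};
  for (const [name, range] of Object.entries(manifest.dependencies)) {
    result[name] = (lockfile && lockfile[name]) || resolve(registry, name, range);
  }
  return result;
}

// Constructed registry: 1.2.4 is a patch published after the manifest was written,
// and 2.0.0 a later major, mirroring the publish pattern described in the post.
const REGISTRY = { 'stream-lib': ['1.2.3', '1.2.4', '2.0.0'] };
const MANIFEST = { dependencies: { 'stream-lib': '^1.2.3' } };
const LOCKFILE = { 'stream-lib': '1.2.3' };
```

Running `install(REGISTRY, MANIFEST, null)` yields 1.2.4 (the unasked-for patch), while `install(REGISTRY, MANIFEST, LOCKFILE)` keeps 1.2.3; the 2.0.0 release is never a candidate for the `^1.2.3` range.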


Hi @vimukthi

I'm not much into tech articles so I can only show my support with little upvote :)

Yours
Piotr

Thank you! Every upvote matters regardless of the size. Votes mean people like the content. That's the most important thing.

Appreciate your kind comment @vimukthi

Have a great upcoming weekend
Piotr

