Asides for April 19, 2024
Some shorter, collected thoughts from the last week:
Backdoors are an everyone problem
The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security (OpenSSF) and OpenJS Foundations are calling all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.
Vigilance is good, and it’s worth heeding the advice and paying attention to the evidence presented here. The XZ Utils backdoor was a smart attack that very nearly caused havoc.
I think it’s also worth pointing out that we know about the backdoor because it was in an open source project. Andres Freund was debugging a server performance problem (sshd logins were slow and using an unusual amount of CPU) when he uncovered it. Because the project, and the downstream software that linked against it, were open source, he could investigate and find the intrusion.
It’s not clear how this would have panned out if this had been proprietary software, particularly on a team that was resource strapped or moving at speed. The same social engineering techniques that allowed the “Jia Tan” persona to become a maintainer of the XZ Utils project would also get someone hired as a contractor by a tech team. If I were a nefarious actor who wanted to plant a backdoor in an important software library, that’s exactly what I’d do: send someone to join the team as a contractor. While there are mandatory identity verification procedures for full-time employees (which we can certainly argue the pros and cons of), contractors often face no such requirements.
I bring this up because all the advice I’ve seen to date has been directed at open source maintainers. Again, this is smart and good and should absolutely be heeded, but there’s a world of other software out there that is also critical infrastructure and which doesn’t enjoy the sunlight of open source projects. This isn’t an open source software problem; it’s a software problem. Everyone should be vigilant, whether or not there are eyes on their source code. And perhaps we should be even warier of projects whose code we can’t audit ourselves.
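For anyone who wants to check their own hosts rather than only take the advice on board, here is an added example (mine, not from the original post or the XZ project) that tests the two exposure conditions for CVE-2024-3094: whether the installed xz is one of the two backdoored releases (5.6.0 and 5.6.1), and whether the local sshd actually links liblzma. The second check matters because OpenSSH does not use liblzma itself; the backdoor only reached sshd on distributions that patched it to link libsystemd, which in turn loads liblzma. The script assumes a Linux-style `ldd` and the usual `xz --version` output format; both are assumptions, not something the post states.

```sh
#!/bin/sh
# Added example: local checks for the CVE-2024-3094 exposure conditions.
# Not the original post's code; assumptions are marked in comments.

# The backdoored build scripts shipped in the 5.6.0 and 5.6.1 release
# tarballs. Accepts a bare version ("5.6.1") or a `xz --version` line
# ("xz (XZ Utils) 5.6.1") and prints affected / not-affected / unknown.
xz_release_affected() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n1)
    case "$ver" in
        5.6.0|5.6.1) echo affected ;;
        "")          echo unknown ;;
        *)           echo not-affected ;;
    esac
    return 0
}

# sshd is only exposed where it (transitively) loads liblzma. Assumes a
# Linux-style `ldd`; pass an explicit path to override the default lookup.
sshd_links_liblzma() {
    bin=${1:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}
    if [ ! -x "$bin" ]; then
        echo "sshd: not found at $bin"
        return 0
    fi
    ldd "$bin" 2>/dev/null | grep -i liblzma \
        || echo "sshd: $bin does not link liblzma"
    return 0
}

main() {
    if command -v xz >/dev/null 2>&1; then
        line=$(xz --version 2>/dev/null | head -n1)
        echo "xz: $line -> $(xz_release_affected "$line")"
    else
        echo "xz: not installed"
    fi
    sshd_links_liblzma
}

main "$@"
```

Treat the version check as necessary but not sufficient: distributions backported fixes and reverted builds under the same version strings, and the malicious payload only activated under specific build conditions, so the vendor advisory for your distribution is the final word. The liblzma link check is the more useful signal of whether a given host was ever in the blast radius.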
The social web doesn't exist without social justice
So much of what we build on the web is about connecting people.
It is impossible to connect people effectively without paying attention to social justice and equity.
Otherwise we’re just connecting the privileged with the privileged, creating ever smaller networks of influence, and learning nothing new.
No tech for apartheid is within its rights to protest
Solidarity with the 28 Google workers who were fired for protesting Project Nimbus this week. Anonymous Google and Amazon workers described the project as follows a couple of years ago:
Project Nimbus is a $1.2bn contract to provide cloud services for the Israeli military and government. This technology allows for further surveillance of and unlawful data collection on Palestinians, and facilitates expansion of Israel’s illegal settlements on Palestinian land.
I have never worked for Google or Amazon, but I would like to think that I would have protested too.
There is nothing honorable about supporting your employer as it commits or facilitates human rights violations. Protesting is the ethical thing to do, particularly when you hold deeply-held beliefs like these:
We cannot look the other way, as the products we build are used to deny Palestinians their basic rights, force Palestinians out of their homes and attack Palestinians in the Gaza Strip – actions that have prompted war crime investigations by the international criminal court.
Human rights should always trump business.
Further to that, apparently some of these 28 workers hadn’t even protested — they’d just associated with the people who had:
Yeah, this was retaliation, like completely indiscriminate—people who had just walked by just to say hello and maybe talk to us for a little bit. They were fired. People who aren't affiliated with No Tech For Apartheid at all, who just showed up and were interested in what was going on. And then security asked to see their badge and they were among the 28 fired.
Not a good look, to say the least. The same goes for the scores of tech workers who, on a cursory glance at social media, seem to have been derisive of the protests. Shame on you.