
SolarWinds wrote a blog post in 2019 about how open source is dangerous because anyone can push malicious code to FLOSS projects:
thwack.solarwinds.com/t5/Geek-

The irony could not be sweeter.

/via @cguess

@rysiek @cguess I'm sorry, what's ironic here? What context am I missing?

@rysiek @cguess Sorry, I found it: solarwinds.com/securityadvisor

Yeah, supply chain attacks can happen anywhere. Open source, if anything, allows you to be more careful!

@alcinnz @cguess and it enables independent verification, especially if reproducible builds are a thing.

@alcinnz @rysiek @cguess Malicious code was pushed into SolarWinds closed source products.

@alcinnz @rysiek @cguess They're implying that this would never happen in closed source code and someone could never, say, install a nasty in a Solarwinds DLL.

@rysiek @cguess Only thing SolarWinds is good for is spamming the fuck out of you. Their stuff is garbage.

@rysiek @cguess We used SolarWinds a couple jobs back. I thought to myself "Wow, this is a powerful ass tool, but also WOW. If somebody cracked into this sucker it's GAME OVER!" - guess I wasn't far wrong :)

@feoh @rysiek @cguess I thought the same thing when I saw a product that managed SSH logins. An agent runs (as root) on all your servers and you get a short term certificate (1 day) from the 3rd party provider to log in. When you revoke someone's access, you don't have to search all servers for their SSH keys. My comment was that the 3rd party has root everywhere.

Seems like LDAP/Kerberos would just as easily solve this problem...
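The post above describes the trade-off of certificate-based SSH access: a CA issues short-lived (one-day) certificates, hosts trust the CA rather than per-user keys, and revoking someone means not re-issuing instead of hunting for their key on every server; the cost is that whoever holds the CA key can mint a certificate for any account on every host. The following is an added teaching model of that flow, not code from the thread or from any product. It stands in for OpenSSH's real mechanism (`ssh-keygen -s` signing with `-V +1d`, and `TrustedUserCAKeys` / `RevokedKeys` in `sshd_config`): the CA "signature" is an HMAC over the certificate fields so it runs on the standard library alone, which also means the verifying host holds the same secret as the issuer, unlike a real public-key CA. All secrets, identities and timestamps are constructed.

```python
"""Model of short-lived SSH-style certificates: issuance, host-side checks,
and revocation by serial. Constructed example; HMAC stands in for the CA's
public-key signature (a real CA keeps its private key off the hosts)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace

ONE_DAY = 24 * 3600  # the short lifetime described in the post


@dataclass(frozen=True)
class Cert:
    serial: int          # unique per issuance; what a revocation list names
    key_id: str          # human-readable identity the cert was issued to
    principals: tuple    # accounts the holder may log in as
    valid_after: int     # unix time
    valid_before: int    # unix time; login is refused at or after this
    signature: str = ""


def _signed_fields(cert: Cert) -> bytes:
    """Canonical bytes covered by the CA signature (everything but the signature)."""
    fields = asdict(cert)
    fields.pop("signature")
    return json.dumps(fields, sort_keys=True).encode()


def _mac(secret: bytes, cert: Cert) -> str:
    return hmac.new(secret, _signed_fields(cert), hashlib.sha256).hexdigest()


class CertificateAuthority:
    """Issues short-lived certs. Whoever holds this secret can mint a cert
    for any principal on every host that trusts it; that is the "3rd party
    has root everywhere" point from the post."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._next_serial = 1

    def issue(self, key_id: str, principals, now: int, lifetime: int = ONE_DAY) -> Cert:
        unsigned = Cert(self._next_serial, key_id, tuple(principals), now, now + lifetime)
        self._next_serial += 1
        return replace(unsigned, signature=_mac(self._secret, unsigned))


class Host:
    """Host-side check, the role sshd plays with TrustedUserCAKeys and a KRL."""

    def __init__(self, ca_secret: bytes):
        self._ca_secret = ca_secret
        self.revoked_serials: set[int] = set()  # minimal key revocation list

    def authorize(self, cert: Cert, account: str, now: int) -> str:
        # Check the signature first so unsigned or forged certs reveal nothing else.
        if not hmac.compare_digest(_mac(self._ca_secret, cert), cert.signature):
            return "rejected: signature not from trusted CA"
        if cert.serial in self.revoked_serials:
            return "rejected: serial revoked"
        if not (cert.valid_after <= now < cert.valid_before):
            return "rejected: outside validity window"
        if account not in cert.principals:
            return "rejected: principal not permitted"
        return "accepted"


def demo() -> dict:
    """Walk one identity through fresh use, expiry, wrong account, revocation,
    and an untrusted issuer. Returns the per-case decision for inspection."""
    ca_secret = b"constructed-ca-secret"          # constructed, not a real key
    ca = CertificateAuthority(ca_secret)
    host = Host(ca_secret)
    t0 = 1_700_000_000                            # constructed issue time
    alice = ca.issue("alice@example", ["deploy"], now=t0)

    results = {
        "fresh": host.authorize(alice, "deploy", t0 + 3600),
        "expired": host.authorize(alice, "deploy", t0 + ONE_DAY),
        "wrong_account": host.authorize(alice, "root", t0 + 3600),
    }
    # Revocation without touching authorized_keys on any host: stop re-issuing,
    # and list the serial in the KRL for the remainder of the day.
    host.revoked_serials.add(alice.serial)
    results["revoked"] = host.authorize(alice, "deploy", t0 + 3600)
    # A cert minted under a different secret is rejected regardless of content.
    rogue = CertificateAuthority(b"someone-elses-secret").issue("alice@example", ["deploy"], now=t0)
    results["untrusted_issuer"] = host.authorize(rogue, "deploy", t0 + 3600)
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:17} {decision}")
```

The order of checks mirrors what matters operationally: a one-day window bounds how long a leaked certificate is useful, the KRL covers the gap before expiry, and a cert from any issuer other than the one the host trusts is refused before its fields are even read. Running the CA in-house (the LDAP/Kerberos suggestion above is the same idea: keep the trust root you control) removes the third party from that position without giving up central revocation.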

SolarWinds on supply chain attacks 

@rysiek @cguess Saving a screenshot because I think that blog post might not last long.


@angdraug @rysiek @cguess This is not very impressive of them.


@erosdiscordia @rysiek @cguess Neither was having "solarwinds123" as a password to their update server, if the source of this Reuters article is to be believed: mobile.reuters.com/article/amp


@angdraug @cguess saved in my @Wallabag instance too.

@rysiek @cguess (That blog is real shit!)

This can never happen to closed source because, if it goes bankrupt, someone can grab the code and… yeah. Sure. :baby_yoda:

@Madmonkey @rysiek @cguess to complete their statements: in contrast, when a closed source company closes up shop, you're now tasked with sucking it up because you have zero recourse

@riking @Madmonkey @rysiek @cguess Also, the risk of closed-source companies closing up shop is real, so much so that Software Escrow (Source Code Escrow) is a thing.

Also, if you've ever seen commercially developed closed-source code, you'll know that it will be much harder to take over maintenance of some escrowed software than doing the same for abandoned open source code.

@rysiek @cguess I read through the article and they clearly have very little understanding of what they are talking about.

I find it very strange that some (SolarWinds among them) seem to talk about Open Source projects as if they are a Google Docs document where the general public has write permissions.

@RasmusLindegaard @cguess they don't care as long as they can make people buy their crap.

We need people to call that kind of bullshit out.

@rysiek @cguess What's this shit about open source not sticking around? More likely to than proprietary shit, and at least when it goes tits up you *can* continue it...

@rysiek @Decentralize_today @cguess

"When you reach in the drawer for a clean fork, you could be pulling out a dirty utensil."

Sorry, don't you check that the fork is clean? That's completely not true. Putting malicious code into open source software is much harder due to the number of people that can check it and fix bugs.
