Could what has just happened to the AUR happen to FreeBSD ports?

Eh, just my 2-cents, but in this day and age, I would think that there is always room for improvement in the CI/CD space. Changes need to be verified before further actions are done; if they fail, stop immediately and raise a red flag. In the context of 400+ packages, perhaps a distributed engine will manage that better.

Another reason to avoid user repositories unless you're actively inspecting what you're getting.
 
It's not 400+ packages. It's almost 2000 packages as of today. AUR is still under attack, and the number of compromised packages is growing fast and it's becoming more sophisticated and hard to find.
 
I think, as a cautionary tale, this is a good example of "don't blindly upgrade/update software". But it should give people a reason to think about accepting patches and pull requests (yes, I understand this is more than that).
Tongue in cheek/conspiracy mode:
"This is why you should only use Windows and Government Approved/Controlled applications because we will keep you safe"

To be clear, that was sarcasm (I hope)
 
I was going to say that perhaps we should only use Apple or Microsoft in the same vein ...

I used 400 as that was what was quoted earlier.

To me, this is no different than a DDoS attack; the platform should provide better tools to mitigate this. While we might be immune now, for how long?

As the saying goes, the chain is only as strong as the weakest link.
 
To me, this is no different than a DDoS attack,
Ummm.... a DDOS is an attack from the outside. This "denial of service" happened from within. The attack vector has magnitude and direction, and they both matter. That is the difference (figuring out where the problem originated, outside or inside) that is actually important to understand when deciding if an incident is a DDOS or not. For reference:

https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/ offers a very nice and simple explanation of what a DDOS is. It's pretty safe to assume that if a service disruption does NOT check the boxes as described in that link, it's most likely NOT a DDOS to begin with, and requires very different approaches to problem solving.
 
astyle I understand and agree with you, but I think tOsYZYny's analogy is not far off. What happened/is happening with AUR results in something similar to a DDoS: loss of the asset. With a DDoS the loss of the asset is due to external forces; with AUR the loss is due to internal ones.

I'm not trying to speak for him, but that's how I read post #54. I could be wrong, if so everyone can flog me behind the bikeshed.
 
I have the suspicion that it's intentional to push for identification facilities around the end-user. Wait for it... They can't verify a user's authenticity without forced central supervision. The end user can no longer be root, like on Android and iOS.
 
I didn't mean it to be literal. I meant that the scope of the attack is large due to how fast AI can generate and obfuscate its tracks that even though this may be surgical now, the sheer volume of it is like a DDoS attack.

In any case, I still suggest that platforms need better tooling around 'security'.
 
A few years ago on the Arch forums I saw several people saying "I'm not using AUR because it's not secure". I read that, and I thought, god, what a bunch of idiots. It turned out those guys were right. And I was the idiot. You can't trust anything or anyone today.
The problem is manpower.
Speaking of DDoS attacks, both the AUR and the official Arch repositories, along with their website, were under heavy DDoS attack 4-5 months ago, and it lasted for months. Forum, website, repositories... everything was inaccessible.
While someone will call you super crazy and paranoid, I think this might be the case. Intentionally cause chaos, blame those pesky Russians and Chinese, and then solve the problem with age and identity verification. Very nice.
 
Ummm...I think it's kind of important to know when an idea is only half-understood. And in this case, realizing what is a DDoS and what's not, and why that is the case, that makes a difference in problem solving. 50% understanding / correlation / comparison is still a very significant gap. The attack is closer to a Trojan than a DDoS...
 
DDoS is a distributed overload of a TCP/IP server with (preferably complex) bogus requests. What does this too-narrow supply chain as a weakness have to do with it?
 
Some searches on their collaboration with Valve, Microsoft and Intel might be interesting. I'm not opinionated about this yet, but I'm going to follow this intensively.
 
FWIW here is one list of compromised packages:

Nothing I'd need on there. Maybe if I was heavy on node.js. Looks like Arch's base repositories have most of what I use from FreeBSD ports or Debian and I wouldn't have considered using AUR if I had been on Arch.
 
Just a metaphor. I just meant that it is an attack of scale, that's all. Nothing else is the same. I agree about the manpower comment.

Again, I think it is the responsibility of the platform, GitHub, GitLab, etc. It needs to be baked in. My comment is perhaps a bit naive, but is it? There is a ton of tooling out there for security, so what is stopping the platform from baking that in? They can even bake AI into that and say whether the changes are malicious, etc.

Agreed about crazy. I left LinkedIn right before their hack was publicly announced. I left because I forgot my password, and what did they do? They emailed my password directly to me!
 
I guess having some sense of discipline is important for a project's sustainability and security.
😩
It looks to me like they only needed to have some decent fingerprinting system on all of their acknowledged source providers to make sure that a few trying to distribute malware via official channels always get noticed because their files differ.
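As an added illustration of the fingerprinting idea in the post above (this is not code from the thread or from any project): a small Python check that hashes the same package file as fetched from several independent source providers (constructed sample data, hypothetical provider names) and flags any copy whose fingerprint differs from the majority, holding when there is no clear majority.

```python
import hashlib
from collections import Counter

# Constructed sample: the same package recipe as fetched from four
# hypothetical, independent providers. One copy has been altered.
FETCHED = {
    "mirror-a": b"pkgver=1.2.3\nsha256sums=('abc')\n",
    "mirror-b": b"pkgver=1.2.3\nsha256sums=('abc')\n",
    "mirror-c": b"pkgver=1.2.3\nsha256sums=('abc')\n",
    "mirror-d": b"pkgver=1.2.3\nsha256sums=('abc')\n"
                b"source=('https://example.invalid/altered.tar.gz')\n",
}


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of a fetched file."""
    return hashlib.sha256(data).hexdigest()


def check_consensus(fetched: dict[str, bytes], min_sources: int = 3) -> tuple[str, list[str]]:
    """Compare fingerprints of one file across providers.

    Returns (status, providers):
      "insufficient"  - fewer than min_sources copies; cannot judge
      "no_consensus"  - no strict majority agrees; hold everything
      "mismatch"      - majority agrees; listed providers differ from it
      "ok"            - every provider agrees
    """
    if len(fetched) < min_sources:
        return "insufficient", sorted(fetched)
    prints = {name: fingerprint(blob) for name, blob in fetched.items()}
    top_hash, top_n = Counter(prints.values()).most_common(1)[0]
    # A bare plurality is not enough: require a strict majority.
    if top_n * 2 <= len(fetched):
        return "no_consensus", sorted(prints)
    suspects = sorted(name for name, h in prints.items() if h != top_hash)
    return ("mismatch", suspects) if suspects else ("ok", [])


if __name__ == "__main__":
    status, providers = check_consensus(FETCHED)
    print(status, providers)  # mismatch ['mirror-d']
```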
 
A lot of that stuff I wouldn't install, but there are some useful tools in that list. It's a very unpleasant attack. I wonder if they've traced it back to the perpetrators yet.
 
I wonder if they've traced it back to the perpetrators yet.
IMHO: As long as we don't bring back some ancient methods of dealing with such individuals (pick one), what good would that do?
I'd bet the track leads to a country that does not do anything about such things, so you won't be able to get your hands on the perpetrators anyway.
 
More likely it will be traced back to compromised hosts that are part of a botnet, and everything got proxied through those botnet hosts.
 
Late to the thread but the AUR is life on the bleeding edge with some of the earliest testing of some of the newest code. Using Eric Raymond's analogy, it is the Bazaar not the Cathedral. Code is loose and fast.

Arch, in my opinion, had fairly explosive growth because it was both easy to access and has a simple but powerful package management system. I think they have the capability to tighten up security of the AUR without destroying it.

I contributed x11/jgmenu to OpenBSD after first testing it in ARCH. It was the fastest way to test to determine if it was worth my time to port.

What I'd like to see is more cooperation: bad actors should be outed and blacklisted. The listing should include any info that would be helpful to the security of other open source projects.
 
I was on Arch for many years. I liked the AUR for the availability of Linux kernel modules for a lot of hardware that was not in the default Arch kernel, but I became tired of the intrusive systemd and migrated to VoidLinux and Runit, which I find simple to understand as unit 1.

In addition, I have installed FreeBSD 15.0 amd64, with which I am pretty satisfied. I don't plan to come back to Arch amd64, but I still keep ArchLinux armv8 on my Raspberry Pi, for which Google AI told me that no packages from the AUR that I have installed are touched by the current wave of compromises. I stay alert and informed about all those security attacks that are crossing the Free Software world at this time.
 