Security Awareness Month: Growing threat of open source, Hostile Takeovers

· by Dave LeBlanc · Read in about 8 min · (1599 words)

Growing threat of open source, Hostile Takeovers

Open Source

Open Source technology literally drives most of the technology in the world. Even closed source projects such as macOS make very heavy use of Open Source. More and more of the electronic devices we buy ship with a copy of the GPL, which means open source code is running on more and more devices in our homes (more on IoT in another email). Open Source drives nearly every major project, web site, SaaS, PaaS, or other technology that you touch on a daily basis. Open Source is powerful and amazing. It draws on the power of numbers. Anyone can be a contributor. Anyone can review the work done by anyone else. Anyone can perform a security audit, and in many cases many people perform them and share the results, helping to keep us all more secure.

Trust

One of the things that has come with the rapid growth of Open Source is trust. There is an inherent layer of trust in Open Source software because anyone has the ability to audit and analyze exactly what is going on. As with everything else, when trust is implied it becomes easy to drop our guard. Even if we vet an Open Source library before including it in our project, this still doesn’t mean we’re safe or that we’re done performing our due diligence.

Take Overs

A scarily growing trend has been the Open Source Take Over. There are a number of ways that bad actors are asserting themselves over Open Source projects. A San Francisco startup called Kite is being accused of underhanded tactics. San Francisco-based Kite took over the development of two popular open-source tools. It made some changes that appeared to be self-serving and against the spirit of open source. Now some coders are worried that the community has become vulnerable to bad actors.

This year in April, a programmer discovered a change to an open-source add-on for Atom called Minimap. Minimap shows a zoomed-out overview, or “mini-map,” of the user’s code. These are common in IDEs, making it easy to jump around your code. Minimap is incredibly popular with more than 3.5 million downloads; however, like a lot of open-source projects, it was created and maintained by one developer, @abe33.

@abe33, real name Cédric Néhémie, landed a job at Kite. Kite describes itself as using machine learning to create coding tools. The tools it creates, however, are not open source. Sometime after landing the new job, Cédric pushed a commit to Minimap titled “Implement Kite promotion.” When this commit was inspected it was discovered that it looked at the code it was supposed to make a mini-map of and inserted links to related pages on Kite’s website. Kite argued this feature was useful. The community disagreed and said it was nothing more than an ad for an unrelated service. The community largely agreed this was a violation of the open-source spirit.

“It’s not a feature, it’s advertising — and people don’t want it, you want it,” wrote user @p-e-w.

“The least you can do is own up to that.” “I have to wonder if your goal was to upset enough people that you’d generate real attention on various news sites and get Kite a ton of free publicity before your next funding round,” “That’s the only sane explanation I can find for suddenly dropping ads into the core of one of the oldest and most useful Atom plugins,” @DevOpsJohn wrote.

Kite tried to dig in their heels at first, but finally relented and removed the offending code.

Privacy Concerns

This, however, was only the beginning. Another popular library, autocomplete-python, was apparently taken over by Kite last year. This library had nearly 1 million downloads. It was not advertised, however, that this project had changed hands. On May 13 a developer by the username @dessant discovered that autocomplete-python’s primary programmer, @sadovnychy, had ostensibly given control to Kite. “Please share the nature and circumstances of the apparent maintainer transition taking place, and specify how does it relate to Kite and its employees,” @dessant wrote, later adding “many of us feel the autocomplete-python package is being overtaken by the Kite team, and the popularity of this plugin is being used to promote their service.”

Kite says it uses machine learning to make the best coding helper tools possible. For that to be possible, however, it requires massive amounts of data to learn from. The more code it can analyze, the better its suggestions will be. Once again, Kite made ill-judged changes to the project it was in control of. After reviewing the tool it was discovered that the changes Kite implemented were far more meddlesome than with Minimap. Kite had demoted the open source engine the project had been using for suggestions, called Jedi, and made Kite’s engine the new default. This meant code now needed to be processed on Kite’s servers instead of on the user’s machine. This is a momentous difference because it violated the privacy of people’s code. The community was immediately concerned that a number of scenarios could result in leaking medical, payment, and/or other sensitive information to Kite. Moreover, most organizations have strict guidelines and policies against uploading information to third parties.

A growing number of community members were unhappy with how Kite appeared to be sneaking around, tacitly taking control of projects and quietly adding its product to the mix. “It’s pissing off the very community they want to sell to,” said Rod Waldhoff, a veteran open source contributor. “The reaction was overwhelmingly negative and they are basically just shrugging it off. At the time I think they still could have said ‘we messed up, we’ll pull back and we’re all okay.’ But here we are two months later.” Adam Smith, founder of Kite, responded when The Outline reached out to Kite. He outright denied that what had been done to Minimap was akin to advertising and maintained that users have the choice to use Kite in autocomplete-python. “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits,” he insisted. Smith also stated that most of the negative reaction was due to confusion around what the tools actually do. Then he blew the reporter off. “I apologize in advance that I can’t answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”

What does this mean

In the past, open source was comprised of only a few massive projects that everyone tracked very closely. But as the community has grown, many developers install libraries and tools with little concern for what those tools might be doing without their knowledge. For the longest time this was irrelevant; however, this laissez-faire attitude has started to become a real problem. In March of 2016, one open source developer deleted all of their projects in rage due to a dispute over trademarks. One of those projects was left-pad, a 17-line JavaScript snippet that right-justified text. left-pad, however, was so pervasive that countless projects at every level, from other libraries to enterprise applications, were broken simultaneously — this created a scramble to determine what had gone awry and fix it. These circumstances highlighted how little thought is given to where tools come from and how reliable those sources will be in the future. The open source community has now become so massive that popular tools are starting to look more and more like juicy targets for bad actors.

What can we do

First and foremost, a campaign of awareness is incredibly important. We need to change the mindset of the average developer to understand that these threats not only exist but are not just theoretical. They are real and being used in the wild right now.

Better analysis of open source projects. If we have tools like autocomplete-python that inspect code to create auto-complete suggestions, we should be able to write projects that inspect Open Source projects for malicious activity. This sort of project vetting should be done at a community level as well as at an internal organization level. If we as a community of developers can share these results, we can create more transparency.

Not only should we analyze the code itself with tools, but also the network traffic created by a new library. Tools like Nmap and Wireshark could be scripted to allow developers to inspect whether their application is communicating with third parties that they may not be aware of.

Dependency caching is another measure that can keep organizations from falling victim to disappearing libraries. Languages such as Python, NodeJS, Ruby, GoLang and others have central locations where dependencies are shared and installed from. However, these ecosystems also offer ways to self-host versions of these central repositories containing the code your organization is using. I think we have a ways to go in improving these tools and how easy they are to implement, but the foundation is there.
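As an added example (not code from this post, from Kite, or from any of the projects mentioned), the following Python audit checks two common lock formats for the properties a self-hosted mirror and pinning strategy depend on: every Python requirement pinned to an exact version and hash-locked, and every npm package resolved from the organization’s own mirror with an integrity hash. The requirements text, the package-lock content and the mirror hostname `npm.example-corp.internal` are all constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample inputs, not taken from the original post.
REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
minimap-helper>=1.0   # floating version: a new upstream release lands silently
left-pad==1.3.0       # pinned, but a republished tarball would still be accepted
"""
PACKAGE_LOCK = json.dumps({"lockfileVersion": 2, "packages": {
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-CONSTRUCTEDSAMPLE",
        "resolved": "https://npm.example-corp.internal/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/minimap": {"version": "4.29.0",
        "resolved": "https://registry.npmjs.org/minimap/-/minimap-4.29.0.tgz"},
}})

def audit_requirements(text):
    """Flag requirements.txt entries that are unpinned or carry no --hash option."""
    findings = {}
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join continuation lines
        line = line.split("#", 1)[0].strip()                 # drop comments
        if not line:
            continue
        name = re.split(r"[<>=!~ ]", line, maxsplit=1)[0]
        issues = []
        if not re.search(r"==\S+", line):
            issues.append("unpinned")
        if "--hash=" not in line:
            issues.append("no-hash")
        if issues:
            findings[name] = issues
    return findings

def audit_package_lock(lock_json, mirror_host):
    """Flag lockfileVersion 2 entries lacking an integrity hash or not served by the mirror."""
    findings = {}
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself, not a dependency
        issues = []
        if "integrity" not in meta:
            issues.append("no-integrity")
        if urlparse(meta.get("resolved", "")).hostname != mirror_host:
            issues.append("not-from-mirror")
        if issues:
            findings[path.rsplit("node_modules/", 1)[-1]] = issues
    return findings
```

Running both audits in CI before `pip install --require-hashes` or `npm ci` turns the left-pad scenario from an outage into a build failure that names the offending package.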

Forking dependencies is often used as a way to maintain control over a library that might one day disappear. Forking does require more work in keeping up with updates, but that work is likely to drive closer inspection of the incoming changes.

In closing it’s clear that the Open Source world is undergoing a shift whether we realize it or not and whether we like it or not. The best thing we can do is make ourselves aware and to start being more alert.