Github Under Heavy Attack

Quite possibly with much help from Adobe’s leaked text file containing email addresses and password hints of 153,004,874 customers (download link), Github users are seeing far more failed login attempts than usual from IPs of the usual suspects. Github has advised using fail2ban and users are advocating two-factor authentication as well as closely monitoring account login history.

Github is one of the go-to sites to host and collaborate on software projects and it provides repositories (currently five million of them with three million users), Google Code is another. Some of its higher-profile open source projects are Node.js, Bootstrap, JQuery and Ruby on Rails. Perhaps every single time you go for a surf on the web you encounter something that is assembled relying on Github. You are right now actually.

Open source advocates when arguing that open source software is inherently more secure than its closed counterparts note that the whole world can scrutinize the code for shenanigans and anything bad would be excised briskly. I think this an overstated point. For example, Firefox, not counting the eighty plugins its diehard users install to get it just right, is approaching fifteen million lines of code with hundreds of thousands (millions?) of contributors and developers. It sounds trivial for a bad apples to create a Bugzilla accounts, offer an innocent-looking patch that both fix bugs and have some form of malicious code in it, and some slips through to the shipped product. And then there’s Tor, funded almost exclusively by the US government, started by the US military, and many in the world have a strong interest (and successful history) of compromising that project.

Is it really feasible that enough people have enough free time and inclination to sift through all of this code to make sure there’s no trace of malware? Just because it’s possible to do doesn’t mean it’s done thoroughly. And hackers have gotten quite good at obfuscating malware.

Regardless, for both open and closed source projects, projects like JQuery hosted on Github and Firefox hosted by Mozilla alike, the notion of a many Github accounts getting targeted and cracked is disturbing. The selection of Github over, say, Gmail by these botnets is also unnerving in light of the Snowden revelations, and the prospect of criminal hackers thinking bigger-picture.

Not an easy question, is it: Which would you rather have, the NSA slipping backdoors in your XMPP instant messaging program or members of Anonymous? I guess I’d go with the spooks, given they’d seem to have access to such things either way.

Doug Simmons