Most active commenters

    ←back to thread

    Open Source is one person

    (opensourcesecurity.io)
    433 points LawnGnome | 14 comments | 28 Aug 25 01:54 UTC | HN request time: 0.001s | source | bottom
    1. poulpy123 ◴[28 Aug 25 11:02 UTC] No.45050692[source]
    The title of the register article is completely disgusting

    > Putin on the code: DoD reportedly relies on utility written by Russian dev

    then in the article:

    > Hunted Labs told us that it didn't speak to Malinochkin prior to publication of its report today, and that it found no ties between him and any threat actor.

    replies(4): >>45051056 #>>45051324 #>>45051850 #>>45053194 #
    2. actionfromafar ◴[28 Aug 25 11:54 UTC] No.45051056[source]
    Aren't Russian developers on average more susceptible to the "wrench attack" though?
    replies(3): >>45051090 #>>45051296 #>>45051816 #
    3. em-bee ◴[28 Aug 25 12:00 UTC] No.45051090[source]
    they would probably still fake their identity to hide their tracks.
    4. ChrisMarshallNY ◴[28 Aug 25 12:22 UTC] No.45051296[source]
    Many of them don't live in Russia.

    Some of the best engineers that I've worked with (in the US and Europe) are Russian. I've also been quite impressed with other former Iron Curtain developers. A lot of Chinese folks I've worked with have been good.

    I know that some nations are known for threatening the relatives of expats, to get them to work on their behalf. Not very nice.

    But state-sponsored Russian (or other nations, as well) is definitely something to be concerned about. I suspect a number of folks are concerned about the influence of American programmers. The CIA is known for using fairly innocuous employees of NPOs. My father was one.

    replies(1): >>45051620 #
    5. aurareturn ◴[28 Aug 25 12:26 UTC] No.45051324[source]

      The title of the register article is completely disgusting
    Nearly all The Register articles are clickbaits or rage baits.
    replies(1): >>45051489 #
    6. nwellnhof ◴[28 Aug 25 12:45 UTC] No.45051489[source]
    They're also from Great Britain which seems to have the most irrational hatred for everything Russian.
    7. kube-system ◴[28 Aug 25 12:58 UTC] No.45051620{3}[source]
    > Many of them don't live in Russia.

    Well Malinochkin does. His GitHub profile says he is located in a suburb 30 minutes from the Kremlin.

    Of course, there's a lot of smart software engineers in major cities all around the world.

    replies(1): >>45051776 #
    8. oneshtein ◴[28 Aug 25 13:15 UTC] No.45051776{4}[source]
    The FSB is looking for people they can recruit, even here, on HackerNews, too. Look at the HN news history. You will find stories about Russian history or culture. In comments, some people are expressing their fascination with Russia or its culture. This is how FSB identifies potential sympathizers, who are easy to recruit. Most likely, some of those, who expressed their sympathy under such news articles a year or two ago, are already recruited by FSB.
    9. pabs3 ◴[28 Aug 25 13:18 UTC] No.45051816[source]
    Not necessarily, Australia has a law allowing the government to compel software devs to add backdoors and gag them to prevent people hearing about the backdoors.

    https://scarff.id.au/blog/2023/state-actors-can-add-a-backdo...

    replies(1): >>45057146 #
    10. weirdpickles ◴[28 Aug 25 13:22 UTC] No.45051850[source]
    Yeah, it is pretty amazing but not surprising. The Register has taken to a certain kind of sensationalism as of late.

    I found this interesting:

    > "Every piece of code written by Russians isn't automatically suspect, but popular packages with no external oversight are ripe for the taking by state or state-backed actors looking to further their aims," Smith told us in an email. "As a whole, the open source community should be paying more attention to this risk and mitigating it."

    Uh, I guess? The nature of open source is supposed to be that the dev provides the effort and the code, and that's where the guarantee stops. It is up to the people who uses it to implement and ensure security. People treat OSS like it is a business product that must have drop-in replacement ready at all times.

    The modern nature of development is perhaps my biggest gripe as a professional. There is little care given. Projects begin with importing dozens of other packages and libraries that we never look at, let alone fully understand. And it is normalized.

    11. shark1 ◴[28 Aug 25 15:11 UTC] No.45053194[source]
    Yeah, the subtle way to plant an idea. It's a crime again to a person have "certain nationalities".
    replies(1): >>45057171 #
    12. int_19h ◴[28 Aug 25 21:17 UTC] No.45057146{3}[source]
    While Russia doesn't need laws for that. You just get arrested for something else (e.g. planted drugs) and then tortured in detention.
    13. int_19h ◴[28 Aug 25 21:20 UTC] No.45057171[source]
    The real concern isn't the nationality per se, it's the vulnerability to blackmail by the state that has jurisdiction over you. It's not a matter of personal responsibility, but nevertheless it has to be accounted for.

    For example, I am an American citizen, but I have extended family in Russia, and I would fully expect a place like DoD to be wary of that solely on the basis that it makes me susceptible to blackmail by Russian govt agencies by threatening my family.

    replies(1): >>45060717 #
    14. shark1 ◴[29 Aug 25 06:01 UTC] No.45060717{3}[source]
    Yes, I know. My point is that writers could easily do it better.