Has anyone else experienced malicious requests?

Has anyone else experienced malicious requests?

Postby bzt » 06 Nov 2022, 20:14

I'm just curious. I've noticed when one of my projects gets into a mature and stable state and somewhat known, then almost immediately I start to receive more and more requests to f*ck it up. For example, today I received a mail asking to replace a very well tested, known-to-work-correctly-even-with-invalid-inputs code with something that has an obvious buffer overflow. Should I had apply the patch without checking, and my project would now face a serious stack corruption issue...

I know, my projects aren't nearly as popular and important as the Linux kernel, but I cannot help feeling it's like a miniature Minnesota scandal all over again and again and again (and again)...

Does anybody have the same experience? Have you ever notice spikes in the amount of malicious requests after your FOSS project gets somewhat popular?

(Just for the records, it's not always a security flaw. For example, once I got some requests, persistently demanding to rename one of my project to something that would strongly resemble a trademarked name... of course I've responded kindly and politely, but I was thinking, "Dude, why on earth would I want to provide a way for you to sue me on court??? Are you really this stupid?")

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Re: Has anyone else experienced malicious requests?

Postby PeterX » 06 Nov 2022, 22:15

I don't have project far enough to be used by the masses. But I think what you tell is quite normal. You get suddenly the attraction of thousands of people (which you didn't get before). It is a question of probability that among so many people are some wackos. For example on TV there once were a physics professor and a philosopher (both rather prominent). They both said they get a lot of crazy letters from hobby scientists of the bad kind.
Or think of railway stations. (At least in my country) they attract a lot of strange people.
User avatar
PeterX
 
Posts: 247
Joined: 01 Oct 2020, 21:44

Re: Has anyone else experienced malicious requests?

Postby bzt » 07 Nov 2022, 00:04

PeterX {l Wrote}:You get suddenly the attraction of thousands of people (which you didn't get before). It is a question of probability that among so many people are some wackos.
Yes, you're right. What I find interesting is, that one would expect that the ratio of those wierdos being somewhat constant, meaning growing along with the number of people who know about the project. But that's not the case. There's always a clear point in time in each case, before that there's almost no malicious requests, and after that there are lots. It would be interesting to know what the reason for the existence of that particular point is.

PeterX {l Wrote}:Or think of railway stations. (At least in my country) they attract a lot of strange people.
Yep, I guess me and my mates are probably one of them...

As you might know, on some universities there are some strange initiation rituals. Long time ago, we were unfortunate enough to given the task of performing a blackmass at midnight in public in one of biggest subway and railway station (which is pretty crowded day and night around the clock, therefore full with policemen). Somehow nobody stopped us and asked "what on earth are you doing?" even though we were painting a pentagram on the floor, running around in black hoods with (real and therefore very fire hazardous) torches and (seemingly bloody) kitchen knives. I remember I was wondering, "could it really be that we are the most harmless and least weird group on this busy station...?" Either this or they might have spotted that our turned cross had a crucifixed plush giraffe on it... (you know, turned cross has its longest part upwards, and giraffe has a long neck, so... we got maximum points from the upperclassmen for our performance btw :-D)

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Re: Has anyone else experienced malicious requests?

Postby PeterX » 07 Nov 2022, 11:06

"could it really be that we are the most harmless and least weird group on this busy station...?"

I guess that was true! XD

Regarding the people sending malicious requests: I guess they think thar their idea is the best idea ever and that telling you to do so makes the world better. I think they are people with no clue about software development.

Greetings
Peter
User avatar
PeterX
 
Posts: 247
Joined: 01 Oct 2020, 21:44

Re: Has anyone else experienced malicious requests?

Postby bzt » 07 Nov 2022, 15:49

PeterX {l Wrote}:Regarding the people sending malicious requests: I guess they think thar their idea is the best idea ever and that telling you to do so makes the world better. I think they are people with no clue about software development.
Certainly there are some requests that fit this category. But I'm not talking about those.

For example, this particular email looked like as if it were carefully crafted to sneak the bug into my code. It had 4 modifications:
1. change in syntax sugar, wouldn't affect the output
2. unnecessary, but otherwise correct macrooptimisation
3. the offending modification, made very very similar to the 2., about 70% percent exactly the same change
4. again an unnecessary, but otherwise correct macrooptimisation (a very very simple, one liner change)

As you can see, there's a pattern here. The first modification was supposed to make me think "this patch is harmless". The second was supposed to make me think "this patch is correct". The third, with the offending code, supposed to make me think "ah, it's similar to the second, so this must be correct as well". And the last one supposed to be a confirmation that "this patch has to be correct". Furthermore the patch wasn't made public, not opened in the issue tracker where others can see it. It was sent privately in an email, which makes no sense unless the offender wanted to hide their involvement.

This clearly isn't an enthusiast's mistake, I can literally feel the bad intention from this request. I'm talking about requests like these when I say "malicious requests".

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Re: Has anyone else experienced malicious requests?

Postby PeterX » 07 Nov 2022, 15:55

That is a bit scary. And I think now that they are some crackers or black hats or whatever is the name for evil-doers.

Are the attempts a bit stupid or half-assed? I'm asking because when I get scam-emails they normally are stupid or half-assed or lazy. For example typing errors.

Edit: What you described seems kind of professional.
User avatar
PeterX
 
Posts: 247
Joined: 01 Oct 2020, 21:44

Re: Has anyone else experienced malicious requests?

Postby bzt » 07 Nov 2022, 17:37

PeterX {l Wrote}:Are the attempts a bit stupid or half-assed? I'm asking because when I get scam-emails they normally are stupid or half-assed or lazy. For example typing errors.
Not sure I can tell. I mean definitely not lazy, no typos, targeting specifically my repos, and arriving like clockwork suggests they are somewhat organized (yep, maybe even professional). Definitely not the send-money-to-the-poor-starving-wakanda-kid-with-cancer type scams. But from where I stand (with many many years of experience) they surely all look very stupid and half-assed. This is especially so if we accept the definition of stupidity as "doing the same thing over and over again and expecting different results".

PeterX {l Wrote}:What you described seems kind of professional.
Could be, I wouldn't rule that out either. But I don't understand why would they target my little FOSS projects. First, I used to work for national security as an IT expert, but that was long time ago (more than a decade ago), and my repos has nothing to do with that job. Second, I don't like big money corps, and I say often that M$ is a criminal organization (now with CoPilot they are violating the terms of GPL/MIT/CC-BY etc. licenses without a doubt, and there are several on-going investigations because of government level bribery and other illegal activities too), but I'm not alone in this and I'm not particularly loud either. It's not that I organize protests or viral online campaigns against FAANG or anything like that...

Edit: hmmm, could it be that someone is trying to impersonate me (again), and that's why...? Sadly wouldn't be the first time. Once police has apprehended a criminal who pretended to be me (I honestly believed it was a prank when I got a phone call from an unknown number asking "Do you know that you've been arrested and you're currently sitting in our jail?" Not a joke, that really happened to me), and more recently I had to use "bztsrc" on several code hosting platforms because someone has stolen my nick (bzt on github and gitlab is not me. Unlike me, that guy has zero activity, no contributions, no commits, no own repos, and the gitlab account was only used for trolling in my real repos).

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Re: Has anyone else experienced malicious requests?

Postby PeterX » 07 Nov 2022, 18:12

I really wonder who would benefit from that. And I think: Not governmental agents. And commercial actors not, too. So they must be an advanced version of script kiddies: Hobby crackers.

Edit: Some people get obsessed by other people they see on the internet. For example because the others say something political which makes them angry. But it could really be that guy trying to impersonate you.

Greetings
Peter
User avatar
PeterX
 
Posts: 247
Joined: 01 Oct 2020, 21:44

Re: Has anyone else experienced malicious requests?

Postby bzt » 10 Nov 2022, 20:10

PeterX {l Wrote}:I really wonder who would benefit from that.
Yeah, same here, I really would like to know that.

PeterX {l Wrote}:And I think: Not governmental agents. And commercial actors not, too. So they must be an advanced version of script kiddies: Hobby crackers.
Now that all their attempt failed, and reality slapped them in the face (as in they are not as smart as they thought), they are now throwing everything at me, like "you know nothing about C" for example. Not very professional indeed. Or should I say, "Not elegant, not elegant at all, miss Forger." :-D

I wonder, how fool one has to be to think, trying to insult the repo owner will get their faulty endless loop patch merged???

PeterX {l Wrote}:Some people get obsessed by other people they see on the internet. For example because the others say something political which makes them angry.
I dunno. I usually don't make political arguments on the internet. On the very rare occasion when I do, then I'm on Rick Sanchez's side (his opinion about politicians explained clearly without the slightest doubt in season 6 ep 2).

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Re: Has anyone else experienced malicious requests?

Postby PeterX » 10 Nov 2022, 20:31

Sounds like script kiddies...

Who is Rick Sanchez? And I googled it and wonder what is this TV series "Nick and something..." about?

Greetings
Peter
User avatar
PeterX
 
Posts: 247
Joined: 01 Oct 2020, 21:44

Re: Has anyone else experienced malicious requests?

Postby bzt » 10 Nov 2022, 21:30

PeterX {l Wrote}:Who is Rick Sanchez?
Seriously, is there anybody not knowing? :-D I bet you have already run into at least one or two Rick memes, you just haven't realized.
PeterX {l Wrote}:And I googled it and wonder what is this TV series "Nick and something..." about?
Not "Nick and something", but Rick and Morty. It's a hilarious satiric sci-fi show airing on Adult Swim. The original characters were based on Doc and McFly from the Back to the Future movie, but now they are stars on their own right.
Image

IMHO it was much better when it was just a show for the nerds and geeks, it has lost most of its charm since it went mainstream, but still pretty good. It stands above 9 on imdb (with more than half a million votes!), and also won Emmy and other awards, multiple times. Provides a steady stream of memes and viral content on the web, so even people not watching the show are likely to know them. If I remember well, its very first hit was this.

HINT: my elegant quote was a reference to another very good show too ;-)

Cheers,
bzt
User avatar
bzt
 
Posts: 273
Joined: 23 May 2021, 21:46

Who is online

Users browsing this forum: No registered users and 1 guest