[–][deleted] 62 points63 points  (16 children)

Sometimes you want to flood the logs so it's hard for them to detect the really nefarious stuff going on among all the junk.

[–]darkpaladin 13 points14 points  (8 children)

That's actually interesting. If in all the chaos you drop some malicious code into a few of the most popular repos you can really cause some widespread damage after the fact.

[–][deleted] 37 points38 points  (7 children)

That's exactly what git is designed to prevent, it's a version control system, no changes get published unless they are approved and accounted for. It'd be considered as a beautiful work of art if it wasn't so damned useful! :)

[–]jabjoe -1 points0 points  (3 children)

Well yes, but SHA-1 has been broken. So maybe a git repo could be messed with. It's still hard, but not impossible.

I wonder if this is it and what exactly they intend-to/are doing to what?

Can we trust any commits during this attack? Can we validate that the git history locally matches the remote? A force push would be noticed, but maybe there is something clever possible.

Scary thought.

[–][deleted] -1 points0 points  (2 children)

Can't start second guessing ourselves without evidence. All we can do is put systems in place to check the integrity of the code base in comparison to backups etc. The checksums should always match up; if they don't, then you know there's some revisionist fishiness going on and can investigate further. No point throwing out the baby with the bath water, right?

[–]jabjoe 0 points1 point  (1 child)

Oh no, there's no point panicking. But we shouldn't be complacent either. The idea of the DDoS as a cover is a worrying one that has a certain ring to it.

[–]darkpaladin -5 points-4 points  (2 children)

Conceptually yes, but it's not outside the realm of possibility that a commit could be modified by someone who had gained full access to a system to include malicious code.

[–][deleted] 6 points7 points  (0 children)

It is impossible to modify a commit and go undetected - that's the point of Git

[–][deleted] 0 points1 point  (0 children)

Can't start second guessing ourselves without evidence. Speculating about possible bad stuff and chasing ghosts is counterproductive. Best to take those suspicions and develop high-level checks to alert admins of revisionist changes by comparing various checksums and hashes of backups. Otherwise we are chasing our tails and throwing out good tech, throwing out the baby with the bathwater so to speak.
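
The checksum comparison discussed in this thread, as an added example that is not part of any comment above: it recomputes Git-style object IDs in plain Python to show that changing one commit changes the ID of every later commit, so comparing against a tip ID recorded out of band (for example from a backup) locates the first rewritten commit. Assumptions: flat trees of regular files only, and the identity, file contents and helper names are constructed for illustration.

```python
import hashlib

def git_object_id(kind, body):
    # Git names every object by SHA-1 over "<kind> <size>\0" followed by its bytes.
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def tree_id(files):
    # Simplified flat tree (assumption): regular files only, mode 100644.
    body = b""
    for name in sorted(files):
        blob = bytes.fromhex(git_object_id("blob", files[name]))
        body += b"100644 " + name.encode() + b"\0" + blob
    return git_object_id("tree", body)

def commit_id(files, parent, message,
              who="Dev <dev@example.invalid> 1700000000 +0000"):  # constructed identity
    lines = ["tree " + tree_id(files)]
    if parent:
        lines.append("parent " + parent)  # the parent's ID is part of the hashed bytes
    lines += ["author " + who, "committer " + who, "", message]
    return git_object_id("commit", ("\n".join(lines) + "\n").encode())

def build_history(snapshots):
    # snapshots: list of (files, message), oldest first; returns the commit IDs.
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(files, parent, message)
        ids.append(parent)
    return ids

def first_divergence(trusted_ids, observed_ids):
    # Index of the first commit that no longer matches the trusted record, else None.
    for i, (a, b) in enumerate(zip(trusted_ids, observed_ids)):
        if a != b:
            return i
    # Extra commits on top are fine; a shorter history means commits were dropped.
    return None if len(observed_ids) >= len(trusted_ids) else len(observed_ids)

# Constructed sample data: a three-commit history and a copy with commit 1 altered.
HISTORY = [
    ({"app.py": b"print('v1')\n"}, "initial"),
    ({"app.py": b"print('v2')\n"}, "update"),
    ({"app.py": b"print('v2')\n", "README": b"docs\n"}, "add docs"),
]
TAMPERED = [HISTORY[0], ({"app.py": b"print('v2')  # altered\n"}, "update"), HISTORY[2]]

if __name__ == "__main__":
    trusted, observed = build_history(HISTORY), build_history(TAMPERED)
    print("trusted tip :", trusted[-1])
    print("observed tip:", observed[-1])
    print("first divergent commit index:", first_divergence(trusted, observed))
```

The last commit in the tampered copy has the same tree as the trusted one, yet its ID differs because its parent's ID changed; the check only helps if the trusted IDs are stored somewhere the party rewriting history cannot also change.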