Security

New Repository Leaks Source Code From Microsoft, Adobe, and Dozens of Other Companies (bleepingcomputer.com)

Bleeping Computer reported this week that a new public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Roblox, and Disney: The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured DevOps tools that offer access to source code... According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository...

Kottmann told BleepingComputer that they find hardcoded credentials in the easily accessible code repositories, which they try to remove as best they can... Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company's infrastructure. One leak from Daimler AG, the corporation behind the Mercedes-Benz brand, is no longer present in the repository. Another empty folder has Lenovo in its name. However, judging by the number of DMCA notices received (estimated at up to seven) and direct contact from legal or other representatives, many companies may not be aware of the leaks...

Reviewing some of the code leaked on Kottmann's GitLab server revealed that some of the projects had been made public by their original developer or had last been updated a long time ago. Nevertheless, the developer told us that there are more companies with misconfigured DevOps tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis, to uncover bugs and security vulnerabilities.

Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.
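As an added example (not code from the story, from Kottmann, or from any of the companies named), here is a small pre-commit style scanner for the kind of hardcoded credentials described above, run over constructed sample lines; the variable names and secret-looking values are made up, and the report redacts what it finds so the scanner's own output does not leak the credential.

```python
import math
import re
from collections import Counter

# Constructed sample source lines (made up for this example; not from any leaked repository).
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
db_password = "Winter2020!Corp"
api_key = "sk_live_9f8e7d6c5b4a39281706"
token = os.environ["SERVICE_TOKEN"]
password_prompt = "Enter your password:"
secret = "${VAULT_SECRET}"
"""

# A credential-like variable name assigned a quoted literal of 8+ characters.
CRED_ASSIGN = re.compile(
    r'(?i)\b(\w*(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key))'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']'
)
# Literals that are templates, prompts or documented placeholders, not live secrets.
PLACEHOLDER = re.compile(r'(?i)(changeme|example|your\b|enter\b|xxx|<[^>]*>|\$\{[^}]*\})')


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; generated secrets usually score well above prose."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 3) -> str:
    """Show only a short prefix so the report itself does not reveal the credential."""
    return value[:keep] + "*" * (len(value) - keep)


def find_hardcoded_credentials(source: str, min_entropy: float = 3.0) -> list:
    """One finding per line that assigns a plausible secret to a credential-named variable."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = CRED_ASSIGN.search(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        if PLACEHOLDER.search(value):
            continue  # templated or placeholder value, not a live credential
        entropy = shannon_entropy(value)
        findings.append({"line": lineno, "name": name, "redacted": redact(value),
                         "entropy": round(entropy, 2),
                         "severity": "high" if entropy >= min_entropy else "review"})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} = {f['redacted']} (entropy {f['entropy']}, {f['severity']})")
```

Values read from the environment or a vault template pass through untouched; only quoted literals assigned to credential-named variables are reported, which is the pattern that survives a repository leak.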

Tom's Guide considers it a serious breach: Jake Moore, a security specialist at ESET, told Tom's Guide: "Losing control of the source code on the internet is like handing the blueprints of a bank to robbers.

"This list will be viewed by cyber criminals far and wide looking for vulnerabilities as well as confidential information in a scarily short space of time."

Comments:
  • Open/Closed Source (Score:5, Interesting)

    by Tokolosh ( 1256448 ) on Sunday August 02, 2020 @02:41PM (#60358165)

    If this is so scary and dangerous for closed source code, how does open source software survive?

    • by Retired ICS ( 6159680 ) on Sunday August 02, 2020 @03:04PM (#60358271)

      Open Source software generally does not rely on "Security by Obscurity".

      This is a uniquely closed-source security measure based on the theory that "if you don't know how it works, then it is secure".

      That is why, for example, one must always assume that where source code is not disclosed the purpose of the non-disclosure is to obscure malevolent behavior, and that all such software is inherently untrustworthy for any and all purposes. The concomitant lack of warranty and indemnity further makes this abundantly clear.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Or, you know, they just didn't want people copying and stealing their intellectual property. It could be that, too.
        • That's what copyright law is for, along with local enforcement/legal system.

          • lol, other countries don't care about your "local law enforcement". Hell, big companies in our own country don't care about the laws either and good luck defeating them in court.
• Looks to me like copyright law has protected gnu / linux just fine. You think they wouldn't do the same for MS, who has top-tier law offices on retainer in all 50 states *and* around the world?

• This is mostly because they steal from each other at roughly the same frequency, using patents and IP laws as "defence" when in court. So nobody can sue anybody in the proprietary software world, for fear of being sued...
        • by tlhIngan ( 30335 )

          Or, you know, they just didn't want people copying and stealing their intellectual property. It could be that, too.

          Doesn't matter, it's still protected even if it was leaked.

          In fact, it's weaponized - open source cannot willingly accept stolen code into their codebase, so now every checkin has to be checked against the leaks to make sure this is the case. However, they can't have a copy of the code to check against, either.

          Any legitimate open-source project won't want to touch that code with a 20 foot pole

    • by Vlad_the_Inhaler ( 32958 ) on Sunday August 02, 2020 @03:05PM (#60358275)

      I assume you know the answer to that one but I'll bite.
      The idea with open source is that anyone can look and identify vulnerabilities, the idea being that a lot of those eyes will be friendly.
      Closed source is "security through obscurity" - because people can't see the source they find it difficult to find the weaknesses. Guess what, the hostile eyes now have access.

    • Hmm, you're asking if Microsoft and such companies hard-code passwords into their source code like fucking idiots, how does Linux and Firefox survive?

      By not hard-coding passwords into their code.

      Linux and Firefox release their code ON PURPOSE.
New code is actually reviewed out in the open several times, at different levels, to ensure it is fit to publish and tonise before it becomes part of the kernel. The devs know it will be published and lots of people will look at it before it's even considered for m

  • by nagora ( 177841 ) on Sunday August 02, 2020 @02:43PM (#60358179)

    "Jake Moore, a security specialist at ESET, told Tom's Guide: "Losing control of the source code on the internet is like handing the blueprints of a bank to robbers."

    Jake thinks that not telling people that there's bugs in your code means they won't find out.

  • What everyone wants to see still hasn't been leaked: the code for the mass surveillance and censorship algorithms used by Faceboot, Big Brother Google, and their ilk.

    Brothers - I know some of you reading this are employed at these pure-evil companies. Do the right thing. Stand up for freedom and human decency. Make the code public. A grateful nation will thank you.

• Not having the source is just a form of obscurity. It may slow criminals down, but it doesn't stop them. If you think not providing source is helping you in any way, you're delusional.
    • by nagora ( 177841 )

Not having the source is just a form of obscurity. It may slow criminals down, but it doesn't stop them. If you think not providing source is helping you in any way, you're delusional.

      But there's no sense of security quite like a false sense of security, is there?

  • Link to repos (Score:5, Informative)

    by Gravis Zero ( 934156 ) on Sunday August 02, 2020 @03:37PM (#60358365)

the repos are here: https://git.rip/exconfidential

  • by The_mad_linguist ( 1019680 ) on Sunday August 02, 2020 @04:29PM (#60358487)

    Guess none of it was written in 'R'

  • /**@todo configure and test security*/
  • Souse?

  • Can someone explain to me why Twitter bans thousands of legitimate users a day for expressing politically incorrect wrongthink, but keeps up the account of the foremost source code leaker du jour, who posts nonstop about how he's the one hacking and leaking the code?
