New Repository Leaks Souce Code From Microsoft, Adobe, and Dozens of Other Companies (bleepingcomputer.com) 31
Bleeping Computer reported this week that a new public repository of leaked code includes big names like Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Roblox, and Disney:
The leaks have been collected by Tillie Kottmann, a developer and reverse engineer, from various sources and from their own hunting for misconfigured devops tools that offer access to source code... According to Bank Security, a researcher focused on banking threats and fraud, code from more than 50 companies is published in the repository...
Kottmann told BleepingComputer that they find hardcoded credentials in the easily-accessible code repositories, which they try to remove as best as they can... Kottmann also says that they comply with takedown requests and gladly provide information that would strengthen the security of a company's infrastructure. One leak from Daimler AG corporation behind the Mercedes-Benz brand is no longer present in the repository. Another empty folder has Lenovo in its name. However, judging by the number of DMCA notices received (estimated at up to seven) and direct contact from legal or other representatives, many companies may not be aware of the leaks...
Reviewing some of the code leaked on Kottmann's GitLab server revealed that some of the projects have been made public by their original developer or had been last updated a long time ago. Nevertheless, the developer told us that there are more companies with misconfigured devops tools exposing source code. Furthermore, they are exploring servers running SonarQube, an open-source platform for automated code auditing and static analysis to uncover bugs and security vulnerabilities.
Kottmann believes there are thousands of companies that expose proprietary code by failing to properly secure SonarQube installations.
Tom's Guide considers it a serious breach: Jake Moore, a security specialist at ESET, told Tom's Guide: "Losing control of the source code on the internet is like handing the blueprints of a bank to robbers.
"This list will be viewed by cyber criminals far and wide looking for vulnerabilities as well as confidential information in a scarily short space of time."
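The summary's point about hardcoded credentials turning up in exposed repositories is something a defender can check for before code ever reaches a public server. The scanner below is an added example, not code from the story or from any of the projects named in it; the sample lines it scans are constructed, and the keyword list and entropy threshold are assumptions, not a standard.

```python
import math
import re

# Constructed sample source lines standing in for files in an exposed repository
# (not real code from any leaked project).
SAMPLE_LINES = [
    'db_password = "hunter2"',
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'token = os.environ["API_TOKEN"]',
    'api_key = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"',
    'MAX_RETRIES = 5',
    'comment = "the password field is validated server-side"',
]

# A quoted literal assigned to a name that suggests a secret (prefixes such as
# "db_" are allowed). Reading the value from the environment does not match.
KEYWORD_RE = re.compile(
    r'(?i)(password|passwd|secret|api_?key|access_?key|token)\w*\s*[:=]\s*["\']([^"\']{4,})["\']'
)
# AWS access key ids have a fixed, recognisable shape: AKIA plus 16 characters.
AWS_KEY_RE = re.compile(r'\bAKIA[0-9A-Z]{16}\b')

def shannon_entropy(s):
    """Bits of entropy per character; generated keys score high, words score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_hardcoded_secrets(lines, entropy_threshold=3.0):
    """Return (line number, finding kind) for each credential-looking literal."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if AWS_KEY_RE.search(line):
            findings.append((lineno, "aws-access-key-id"))
            continue
        m = KEYWORD_RE.search(line)
        if m:
            value = m.group(2)
            # A low-entropy literal is still reported: "hunter2" is a password too.
            kind = ("high-entropy-literal" if shannon_entropy(value) >= entropy_threshold
                    else "keyword-literal")
            findings.append((lineno, kind))
    return findings

if __name__ == "__main__":
    for lineno, kind in find_hardcoded_secrets(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {SAMPLE_LINES[lineno - 1]}")
```

Run against a real tree, the same function would be fed file contents line by line; a hit is a reason to rotate the credential, not just to delete the line, since anyone who mirrored the repository already has it.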
Open/Closed Source (Score:5, Interesting)
If this is so scary and dangerous for closed source code, how does open source software survive?
Re:Open/Closed Source (Score:5, Insightful)
Open Source software generally does not rely on "Security by Obscurity".
This is a uniquely closed-source security measure based on the theory that "if you don't know how it works, then it is secure".
That is why, for example, one must always assume that where source code is not disclosed the purpose of the non-disclosure is to obscure malevolent behavior, and that all such software is inherently untrustworthy for any and all purposes. The concomitant lack of warranty and indemnity further makes this abundantly clear.
Re: (Score:1)
That's what copyright law is for, along with local enforcement/legal system.
Re: (Score:1)
Looks to me like copyright law has protected gnu / linux just fine. You think they wouldn't do the same for MS, who has top-tier law offices on retainer in all 50 states *and* around the world?
Re: (Score:2)
Doesn't matter, it's still protected even if it was leaked.
In fact, it's weaponized - open source cannot willingly accept stolen code into their codebase, so now every checkin has to be checked against the leaks to make sure this is the case. However, they can't have a copy of the code to check against, either.
Any legitimate open-source project won't want to touch that code with a 20 foot pole
Re: Open/Closed Source (Score:2)
"You're spouting 80s/90s open source ideology and ignoring the fact"
This is Slashdot, you get +5 Informative for saying nobody uses Java, and there is no UTF support. There would be nothing left without antique ideologies.
Re:Open/Closed Source (Score:4, Informative)
I assume you know the answer to that one but I'll bite.
The idea with open source is that anyone can look and identify vulnerabilities, the idea being that a lot of those eyes will be friendly.
Closed source is "security through obscurity" - because people can't see the source they find it difficult to find the weaknesses. Guess what, the hostile eyes now have access.
On purpose, without hard-coded passwords (Score:2)
Hmm, you're asking if Microsoft and such companies hard-code passwords into their source code like fucking idiots, how does Linux and Firefox survive?
By not hard-coding passwords into their code.
Linux and Firefox release their code ON PURPOSE.
New code is actually reviewed out in the open several times, at different levels, to ensure it is fit to publish and to use before it becomes part of the kernel. The devs know it will be published and lots of people will look at it before it's even considered for m
Jake Moore is an idiot (Score:5, Insightful)
"Jake Moore, a security specialist at ESET, told Tom's Guide: "Losing control of the source code on the internet is like handing the blueprints of a bank to robbers."
Jake thinks that not telling people that there's bugs in your code means they won't find out.
Re:Jake Moore is an idiot (Score:5, Insightful)
Banks hand their blueprints to robbers all the time. It is required practice in order to be able to build a building.
Re:Jake Moore is an idiot (Score:4, Funny)
Banks hand their blueprints to robbers all the time. It is required practice in order to be able to build a building.
That's why the wise bank manager kills the entire construction crew immediately after the building is finished.
where's the good stuff? (Score:1, Insightful)
What everyone wants to see still hasn't been leaked: the code for the mass surveillance and censorship algorithms used by Faceboot, Big Brother Google, and their ilk.
Brothers - I know some of you reading this are employed at these pure-evil companies. Do the right thing. Stand up for freedom and human decency. Make the code public. A grateful nation will thank you.
Obscurity is not security (Score:2)
Re: (Score:2)
Not having the source is just a form of obscurity. It may slow criminals down, but it doesn't stop them. If you think not providing source is helping you in any way, you're delusional.
But there's no sense of security quite like a false sense of security, is there?
Link to repos (Score:5, Informative)
the repos are here: https://git.rip/exconfidential
Re: (Score:2)
anyone have a copy of the Daimler ones? it's gone.
Souce code, huh? (Score:3)
Guess none of it was written in 'R'
Souce? (Score:2)
Souse?