This is some fearmongering shit and it's getting blown out of proportion. It's basically just like saying don't click on fishy links and you won't get hacked. Don't use fishy repositories and you won't get hacked. Anyone can fork and add malware if they wanted to, and it would do absolutely nothing to anyone using the real repository. It's great github is doing something about it, but this video is pretty pointless.
This is bizarre. What was this _researcher_ thinking? It's not a bug, so there would be no bug bounty. This is like typosquatting; it's unfortunate for the victims, if there were any, but it's not a bug.
Hello guys and gals, it's me Mutahar again! This time we take a look at what appears to be one little entry into the lands of software development. GitHub is a massive platform for code collaboration, and we believed for a minute it was compromised with 35,000+ entries of malicious code. It seems the actor may have been one researcher, and while the intentions are good in nature, the ethics are absolutely bad.
maybe the point of the cloned repos was to compile compromised versions on all these popular programs and then distribute them via malicious google ads and other means. I could see that being quite effective
This is something that, as a tech support rep, would make me absolutely unsurprised if it were to happen, because the people that call me for GitHub issues are constantly breaking it by changing their password.
The problem with checksums is that if a nefarious actor gets access to the server and changes the file to something malicious, it would be trivial to change the checksum as well. Checksums are more for checking if a file got corrupted during transport or some other phase of the download. If you really want to be sure the file hasn't been tampered with, you'd need a signature of maybe the checksum or the file itself. And of course you'd also need a reliable way to get the public key used to check the signature, since the website couldn't be trusted: the malicious actor could have just put their own public key in there.
true but the checksum and the data it's checking should be separate. when the Linux Mint ISO was tampered with a few years ago the malicious actor didn't have access to where the checksum was stored. So if people had checked the ISO's checksum they would have known something was wrong.
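A small demonstration of the point made in this thread, added here as an example and not code from the video or from any commenter: a checksum served beside the file catches corruption but not an attacker who controls the server, while a signature checked against a key pinned out of band does. It uses Go's standard ed25519 and sha256 packages; the keys and "ISO" bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download server publishes: the artifact, a checksum file
// beside it, and a detached signature over that checksum file.
type Release struct {
	Artifact []byte
	Checksum string // hex SHA-256 of Artifact
	Sig      []byte // ed25519 signature over the Checksum text
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish is what the project does with its own release signing key.
func Publish(signer ed25519.PrivateKey, artifact []byte) Release {
	sum := sha256Hex(artifact)
	return Release{Artifact: artifact, Checksum: sum, Sig: ed25519.Sign(signer, []byte(sum))}
}

// Tamper models the scenario from the comment above: an attacker who controls the
// server swaps the artifact, rewrites the checksum to match, and re-signs the new
// checksum with a key of their own, since they do not hold the project's key.
func Tamper(attacker ed25519.PrivateKey, evil []byte) Release {
	return Publish(attacker, evil)
}

// VerifyChecksumOnly is the check most download pages tell users to do: it only
// proves the bytes match whatever checksum the (possibly hostile) server served.
func VerifyChecksumOnly(r Release) bool {
	return sha256Hex(r.Artifact) == r.Checksum
}

// VerifySigned additionally checks the checksum's signature against a public key
// the user pinned out of band (earlier install, keyserver, printed fingerprint),
// never one fetched from the same server as the download.
func VerifySigned(pinned ed25519.PublicKey, r Release) bool {
	return VerifyChecksumOnly(r) && ed25519.Verify(pinned, []byte(r.Checksum), r.Sig)
}

func main() {
	projectPub, projectPriv, _ := ed25519.GenerateKey(rand.Reader) // project's release key
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)        // attacker's own key

	// Constructed sample artifacts standing in for a genuine and a backdoored ISO.
	good := Publish(projectPriv, []byte("constructed ISO contents"))
	bad := Tamper(attackerPriv, []byte("constructed ISO contents with a backdoor"))

	fmt.Println("genuine : checksum", VerifyChecksumOnly(good), "signed", VerifySigned(projectPub, good))
	fmt.Println("tampered: checksum", VerifyChecksumOnly(bad), "signed", VerifySigned(projectPub, bad))
}
```

The checksum-only check passes for the tampered release because the attacker rewrote the checksum too; only the pinned-key signature check rejects it.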
You know, honestly I don't think the researchers were wrong. Hear me out:
1. They aren't abusing some sort of special access to do it.
2. The concern they raised and executed is valid, and they aren't the first nor last to have this idea. The difference is the bad guys won't tell everyone about it later.
That said, I think they could have gone about it better and hope any holes they introduced weren't extremely critical or damaging/exploitable in the wild.
They could have published a paper purely about the hypothetical attack. There was no good reason to make 35k malicious forks of popular projects, that's just excessive. If they wanted to do something interesting or special they should have constructed their malicious code individually for each project to make the hashes/checksums match the originals, and they *still* shouldn't have published it out in the open for any dumbass to download.
There are so many things wrong with this report but I'll stick to one issue: drawing conclusions based on results from public GitHub repos does not mean all repos are hacked. Also, most of your public tech companies usually self-host their code repos on a private cloud (with something like GitHub Enterprise). Most folks with an interest in cybersecurity do not understand how to scope their findings, and scoping takes experience and deep understanding of tech stacks. Professionals are paid simply to assess and appropriately scope a vulnerability. (This is why we have CVSS scores.) This is why you should report vulns rather than BROADCAST IT TO THE WORLD. Those GitHub engineers must have wasted an entire day dealing with a Friday evening microservice job doing things more manually.
@@LukSter18998 Common Vulnerability Scoring System. It's a scoring system used to score vulnerabilities. Tech companies with bug bounties usually score their reported vulns to help figure out how much resources you need to throw at a given vulnerability.
I gotta admit, as a casual tech enthusiast, I thought that Github was a glorified clipboard for code, but the way branches are presented on the website and approved into the main branch allow for more checks and balances than I expected.
The whole bug bounty thing reminds me of Summer Wars, where the government releases an experimental AI virus on what's basically Facebook/Meta within the anime movie.
For clarity, pull requests are a feature of services like GitHub and not inherent in git. Also, git proper is decentralized and there is no idea of an authoritative repo. For example, the authoritative Linux repo/branch used to be on Linus' computer; the authoritative-ness is something the devs agreed upon outside of git. Further, kernel development is largely done through mailing lists and text patches and not on GitHub.
There are many repositories with malware hidden in the code of open source projects. Never trust code blindly; always read the code first, or be sure that the code is safe and comes from a trusted developer with checksum validation.
I read this yesterday on Gizmodo and didn't realize this was the guy who made Godfall. While this attack is kind of scary, the association with Godfall skyrockets this into the meme stratosphere. Muta should have done his commentary over some Godfall gameplay.
As for the UMN part, iirc the Kernel Devs didn't spot the Hypocrite Commits, UMN disclosed it themselves before it was committed. So it's not like the Kernel Devs were totally blameless.
Open source / hardware does not mean secure. At least you can pay somebody to figure out if it's secure. (Or do it yourself / in house if you can.) Open source software and hardware can at least be patched and fixed even if the company has no interest or has gone out of business. Trying to figure out if proprietary designs are secure is generally a legal gray area at best (except for when express permission is granted). Just because they're unlikely to sue or press charges because it would look bad doesn't mean it's legal and they won't.
I noticed a big malware outbreak on GitHub the other day: cloning other projects for game mods and hacks, then editing the sln or such to have malware, or just being a runtime that, if users run an exe for some reason, gets them a RAT.
Ayo muta bro, I've been trying to fix my PC. Some serious malware or virus disables my Windows Firewall/Defender. I've been trying multiple ways to restart Defender, nothing is working. Then I decided to reset my PC, but it stops resetting at like 40% and undoes the changes 😭😭
I am literally tryna get N+ cert. and then going for sec after. honestly videos like this help me go deeper and deeper into computing subjects. I appreciate this type of content is what I'm saying
One further clarification to this. Git is not Github. Git can be a self hosted entity (enterprises can employ whatever service they want or use their own custom solution), one thing to note when downloading any repo of the internet once again is to ensure its signed and downloaded from the ACTUAL authors. Don't download forks of software unless you trust those specific authors.
Use code "SOG" at www.gfuel.com
Check out our newest podcast episode: ruclips.net/video/vxZQhSWemTo/видео.html
so true bbg
Yo , muta. If you see this , I like your videos man , thank you .
Aa harder
Bobux
Thanks man 👨
This just reinforces how scary one single bad actor can be when it comes to cybersecurity
@Deadpoppin I don't know, it's just a phrase
@ahhhcool bruh 💀
@ahhhcool Bro what 😭
@Deadpoppin the actor acts (in a bad way)
@Deadpoppin Muta also uses it
That "good news ladies and gentlemen" always gives me a smile.
ye, sometimes I wish he would say "good news hobos", but he never does :'O
@ahhhcool not the gamer word
@Kavetion 1 video.
*Press X To Doubt*
Good news, everyone!
@Fishing and Freedom Fiend Because that comment is 100% original, and no one has ever made it before.
Man, this is some scary stuff. Glad to hear that GitHub dealt with it real quick.
@ahhhcool nice
@ahhhcool pog
@ahhhcool go back /pol/
@ahhhcool how much did the YT account cost you
@ahhhcool how is this not autobanned by youtube and sometimes i write a perfectly fine comment and it gets shadow banned lmao
half of the reason I'm subbed to you muta is because you actually get technical.
it's refreshing.
EDIT: Glad so many people agree with me. ^-^
I watch him because im bored af. I dont understand a single thing he says but fck it
@ahhhcool what the fuck
@Kavetion im better than your father
@Kavetion say that to your mother
@@MaxiSniper He's a troll. Just report it (click the three dots to the right of the comment) and move on.
This is equal to a security researcher trying to phish a company. That's not the job of an external security researcher, it's the job of a collaborative or internal security audit/test. In addition, the test shouldn't affect customers, rather, it should only test assets, property, or employees owned by the company.
As a side: Without digging any further than your video, it seems more likely the "security researcher" was doing shady stuff at night and wants to play it off in case it comes back to them.
i feel sorry for your notifs because of these bots
@ahhhcool so triggered right now about to hate on your channel
While that would be the utopian ideal, companies frequently refuse to employ people in such positions to avoid wasting money, in a similar argument where if you don't get sick, money spent on healthcare insurance is wasted. Only people who can oust such companies which might be partly responsible in things far more important than computers (like for example food with tractor manufacturing firms). It is not as if governments are enforcing a mandatory security standard based on the importance of what you produce.
Of course that's not quite a "phishing" attack, but to set a definite rule for each type of attack just asks for new ones to be invented too, so it's not a solution either. The only thing you can do is not have definite specific rules.
Should of just kept quiet
@@spamlogs2701 have*
Even though I’m not that clever about computers…I still love to listen Muta talking about it. He is really good at explaining
@Kavetion lmao
I recommend his videos to people as a beginner's guide to demystifying the things the news sensationalizes every day. You can tell he's talking about his passion in like and I love it
@@Zulf85 exactly!
@@Zulf85 That's definitely true. News and other media have made a lot of this core basic tech/computer stuff into something dramatized and overblown. Like when they talk about "hacking" or "the deep dark criminal web". And then there are also the people who see others punching in code or programming and it seems so foreign that they don't want to go near it. Muta breaks things like that down, giving us the truth about things as well as explaining things in a down to earth way that anyone can understand the gist of it, even if they themselves don't want to learn the language and do any programming themselves.
Plus whenever something crazy goes down in the general programming world, like a virus or a fuck up, Muta is always right on it.
@@Zulf85 yep same! it's that type of content you can share with anyone, he keeps improving as well.
As a software engineer who often has to design hello world programs with a team of 10 people, i approve
Lol
Approve what
@@sunablast approve of using a highly sophisticated version control system to write a hello world program with me and the 9 other boys.
Lesson learned from this: If you get caught shoplifting (don't shoplift!), just say "Don't worry, I didn't really mean to take anything, I was just testing your security and you passed, good job!".
Mutahar gets a sparkle in his eyes & becomes all excited during deep-tech dives. You gotta love this. Keep doin what u do man!
This man explained git better than any real git tutorial
I'm writing down exactly what he said for when I bring people who've not used Git into my team. Excellent explanation
@Kavetion I'm above you
Fax
@Kavetion Bleach your digestive tract.
What shitty tutorials are you finding? His mile high description was the same as every first couple paragraphs of every tutorial I've come across. Except Muta regularly uses technical terms without much clarification, so his description could likely be improved for those totally fresh to VCS. Especially because you'll need to know A LOT more than the mile high view to actually use git successfully on a team.
hmm yes, i am a researcher at the university of science. i've decided to weaken several pieces of lumber used in the construction of your house, to research the laborer's ability to spot defective materials. this is to further science. Be advised that if our theory has proven correct, and the "bad faith" lumber not detected, this might lead to structural collapse. if this occurs, you better have a doghouse, because it's gonna rain.
Sadly the doghouse was also affected by the experiment
Reasons why you should never test against production. Test environments exist for a reason.
i am doing a phd in cs and thanks to this video i finally understand git. thanks man
The git tutorial I never knew I needed
I understood git the moment I was told I needed to use it during an internship, and the tree map of the project was pretty much what Muta showed. It's a good, simple visualization. Had no clue what it did until then and I branched and merged code :)
How’re you enjoying your PhD program? I just graduated with a BS and am considering grad school
@@fossforever512 oh congratz! it’s pretty cool. i had to apply for funding my project in the first year which was pretty stressful, but i am enjoying research a lot! if you like research i’d definitely do it.
Recently finished my bs in cs. I wish they had a class dedicated to git and working with large teams. That's pretty critical to know for jobs
Finally, good Indian tech support
@ahhhcool the fuck
@ahhhcool ayo
@ahhhcool DEEEEEEEWWWWWWDDDDD IM ON TWITCH
@@ggthegangs RIP Bozo
@Kavetion nobody cares
I don't understand anything about computers but I still watch your videos
It's never too late to learn and there are more tools available than ever to educate yourself.
@@nin6246 Are there any resources in particular you'd recommend?
I know very basic things about the stuff he talks about but still watch them too. These vids are so useful, even if you only take away 5% of the info in them, it's a net positive.
Knowledge is power.
Me too bro
It's his facial expressions that make it for me
Never seen anything like it
Chad.
GitHub should really add protection against having the same name/pfp as maintainers to fix people blindly merging stuff
They do have a feature that can help prevent this: GPG signing your commits, but it's not perfect.
I really love how SOG explains things. I would love another virus investigations video like the old days.
"hello guys and gals" Never gets old.
@ahhhcool bro get some therapy 💀💀💀
@@LoveLuhst It's a bot
@@ldisc9153 someone wrote the thing for the bot to say
"me mutahar"
@@ldisc9153 his real account is also somewhere in the comment section replies
I can't believe one Hackerman McDavis completely jacked into the Lunix mainframe and destroyed every distro ever. Rip pinguen forever.
Like for confusion
Muta, it is not boring to listen to your videos. I've been emulating since I was a child: SNES, then PSX, then GBA, etc. I am a programmer and used to work at an IT cybersecurity auditor firm. Now I do webapps. I know a lot about the tech you talk about, and it's fun listening! I also appreciate it a lot that you educate the rest of the world (noobs) :D
go go go make more vids!
"collaborating in large programming projects" is actually just slang for crossdressing and meeting up in large numbers
kekkle
Rust users
C users
Please actually make a series on how colleges got banned from that stuff, that UMN thing sounds really entertaining.
“Please dont do this again”
Says Mutahar with that trademark grin of his
His thumbnails are the best
@@Koijn2K I couldn’t see it. :(
@@Koijn2K ikr
I am greater than Mutahar. And here is my explanation:
When all of you were busy worshiping him I was busy deflecting asteroids from our planet with the bare strength of my ballsack.
They call me steel balls jeff for a reason, they are so strong Homelander himself ran in fear while omni man did a squat on them, and complimented how powerful i am.
You don't believe me? Ask 3 letter agencies who really defeated austrian painter in WW2.
@@weirdyoutubechannels +1 for actual effort
the diagram at 3:20 helped, more of these in future videos please
Love the bender reference ………. keep up the great videos 😂👍
Just want to say, after a few months or so of self-taught courses I can finally understand these videos lol. You inspired me to get into computer science and I'm starting this fall! Thanks for everything man!
Best of luck to you!
i love how when mutahar tells us things it always sounds like he's presenting a 5 page essay to the class
i cant believe i found you here (this is c_sea1n)
@@c_sea1n this is an epic gamer moment
For some reason this reminds me a BS trick my employer just pulled when it came to internet security. The IT dept sent a legit email with a link to an online training course for cyber security- but the link was not an internal link, it was to an off site honey trap so the second you followed the link to take the training, you failed the course. The really bad thing was they actually scheduled time for us to take the training, and if you missed it you got nasty grams from training and HR until you actually took the training- which you auto failed. I refused to take the training for almost 6 months cause I knew enough about security to check the freaking URL in the email. It turned into an actual HR issue to the point my job was on the line- so i made sure i was in a video meeting with both HR and my Manager to record that I was taking the training (by clicking the bad link) under protest. I was basically forced to compromise their own security guidelines so they could make a snarky joke about cyber security.
That "good news ladies and gentlemen" always gets me
Yeah, I'm just going to leave this backdoor here for reasons of science... nothing malicious there, no sir, trust me I'm an engineer
6:00 man of quality makes a futurama reference amazing
hey muta for some of your vids, when they just come up on the feed they get a processing thumbnail instead of the actual thumbnail for your videos. Maybe you should wait for your videos to finish processing completely before making them public. Not trying to be mean just offering some friendly criticism. :]
Everyday we get closer and closer to living in a Hideo Kojima game.
He's no prophet though.
@@EnaTenkiyoGamer He does profit though
NanomachinsSon they make money
Ninja Running would make getting to work a bit more interesting, tbh
Love your explanation! Many computer people tend to over elaborate on topics (I've been guilty of this) and make it really confusing to sound smart.
Every time I see his thumbnails I can sense in what mood he is on.
I clicked the video even though the thumbnail did not load.
I was wondering how Github actually worked, pull requests and forks and the like, thanks for the explanation.
Thanks for the explanation of Git, Muta.
I want to get into code but just hearing terms like forking and git systems seems really overwhelming
my dude just pick up a javascript or a python tutorial and start from there. baby steps, you'll get there eventually, don't concern yourself with things like git yet, just start writing your first programs and you'll get there eventually.
you can learn how to use git with a basic simple text file.
but all i can say is take a language that is easy to understand and start with that to understand the logic of coding and get a bit of experience in it. Then you can move on to other languages if needed
What @@zcythe-z6u said is exactly what you should try @Dylan Caple
I started by messing around in Unity / Arduino.
Just look up some tutorials online and don't worry about all this hackerman talk. You don't need to know it to code. You will already know it when the time comes to use it.
My father coded in C# so I could ask help from him when I got started, but Python is a better place to start if you don't have someone who can help.
Dylan you don't need to understand git to get started, just make regular backups of your code so you can reference back when you break something.
It is worth understanding, I know many people who can code but need assistance with git
Aaahhh thank you!! I'm a CS student and I always love your techy videos
Nah, Muta. I can never begin to comprehend even 90% of what you say about cyber security and Linux based systems. But I still watch anyway for the free education.
Valid. 🤷♂️
Muta, your videos 'always' get me out of a funk.
Thank you and God bless you always.
Heh, remember when sourceforge decided to start injecting their own payloads into projects they hosted? That was a fun time. And by "fun" I mean disappointing and disheartening.
I'm still a little surprised that the UMN kernel patch "research" got approved by their research ethics board, but to be fair ethics boards can be a bit of a crapshoot. Sometimes your reviewers are meticulous and well educated, sometimes they can't do basic arithmetic.
Oh, for future reference, if you think YOUR project has been the target of unethical research, most universities have avenues where you can file a complaint. Assuming of course that they don't get clever and start hiding their university connections. Also, keep in mind you'll have to put your complaint in terms of THEIR OWN rules, or possibly government rules depending on where the funding comes from. Your personal take on ethics probably won't sway them much, at least without media pressure.
Also, if you ever want to do any vulnerability research or pentest - PLEASE PLEASE PLEASE make a copy of what you touched, what was changed and have a playbook for cleaning up after yourself.
Interesting how this got a video but the Node-IPC issue didn't get an issue, even though it's something that arguably had a larger impact. Good video regardless.
Others made videos on Node-IPC that were sufficient. At some point, it's ridiculous when multiple channels hop on the bandwagon and report on the same thing, and yet it's not common now that ever.
+1 vote for new series on Programmer beef that sounds awesome!!
The mention of godfall is the funniest thing ever, no one plays that game
@@MadWatcher Played the challenger edition (was not about to pay $70) why were there two versions of the game? Anyway I got bored within minutes, at least make it like destiny where I can play the story if I want
If I were a faculty member and got wind of the fact that (a) student(s) were running that type of an experiment in a public-facing environment in order to complete an assignment or paper, the student(s) would be looking at an F. . . and it sounds like it's the kind of thing which could be considered an honor code violation.
Don't be THAT guy who ruins it for everyone else. Help keep open source open by being considerate to developers - don't disrupt the code repositories.
Found all this fascinating. I've been wanting to get into coding, any advice?
W3 schools or CodeAcademy. If you are intimidated by code start with python. If you have more of an idea of what type of software you want to code, start researching which languages better fit your needs.
As someone who uses git and gitlab on a daily basis, Muta explained how it works so well and concisely better than most lecturers or tutorials
It's a good thing that github was quick to get on this
This is some fearmongering shit and it's getting blown out of proportion. It's basically just like saying don't click on fishy links and you won't get hacked. Don't use fishy repositories and you won't get hacked. Anyone can fork and add malware if they wanted to, and it would do absolutely nothing to anyone using the real repository. It's great github is doing something about it, but this video is pretty pointless.
Muta deserves a thank u. For saving some More Asses from making a Techy mistake.. Thanks my Good Sir.
Banger vid watched it 7 times already
Yo same dude
same
Muta video speed run
This is bizarre. What was this _researcher_ thinking? It's not a bug, so there would be no bug bounty. This is like typosquatting; it's unfortunate for the victims, if there were any, but it's not a bug.
The hacker guy who introduced that piece of code is a fucking amateur.
If he hid his code in C++ libraries nobody would ever find it.
I would love to hear more about Linx v. Minnesota that just sounds like a great story.🤞
Hello guys and gals, it's me Mutahar again! This time we take a look at what appears to be one little entry into the lands of software development. Github is a massive platform for code collaboration we believed for a minute it was compromised with 35,000+ entries of malicious code. It seems the actor may have been one researcher and while the intentions are good in nature the ethics are absolutely bad.
Like, Comment and Subscribe for more videos!
Use code "SOG" at *AAAAAAAAAAAAA*
Check out our newest podcast episode: *AAAAAAAAAAAAAAAAAAAAAA*
Like, Comment and Subscribe for more videos!
Bro really copy pasted the video description
I agree
Idk
Maybe the point of the cloned repos was to compile compromised versions of all these popular programs and then distribute them via malicious Google ads and other means. I could see that being quite effective.
This is something that as a tech support rep would be something that would make me absolutely unsurprised if it were to happen because the people that call me for GitHub issues are constantly breaking it by changing their password.
The problem with checksums is that if a nefarious actor gets access to the server and changes the file to something malicious it would be trivial to change the checksum as well. Checksums are more for checking if a file corrupted during transport or some other phase of the download. If you really want to be sure the file hasn't been tampered with you'd need the signature of maybe the checksum or the file itself. And of course you'd also need a reliable way to get the public key used to check the signature since the website couldn't be trusted, since the malicious actor could have just put their own public key in there.
True, but the checksum and the data it's checking should be separate. When the Linux Mint ISO was tampered with a few years ago, the malicious actor didn't have access to where the checksum was stored. So if people had checked the ISO's checksum they would have known something was wrong.
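The trust boundary these two comments describe, as an added example that is not code from either commenter or from Linux Mint: the same SHA-256 check passes when the checksum file comes from the compromised mirror and fails when it comes from a channel the attacker does not control. The image bytes and the file name `example.iso` are constructed stand-ins.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS file in the format `sha256sum` writes: "<hex>  <name>" or "<hex> *<name>"."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        if len(digest) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name.lstrip("*")] = digest.lower()
    return sums


def verify_download(file_bytes: bytes, name: str, sums_text: str) -> bool:
    """Recompute SHA-256 over the download and compare it to the published entry for `name`."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(file_bytes), expected)


# Constructed stand-ins for an ISO image; no real distribution files are involved.
GENUINE_ISO = b"constructed genuine image bytes"
TAMPERED_ISO = b"constructed image bytes with an added backdoor"
NAME = "example.iso"

# Checksum file the project published before the compromise, hosted somewhere the
# attacker does not control (the separate location the reply above describes).
TRUSTED_SUMS = f"{sha256_hex(GENUINE_ISO)}  {NAME}\n"

# Checksum file regenerated by an attacker who controls the mirror: it matches the
# tampered image, so it proves nothing (the point the first comment makes).
ATTACKER_SUMS = f"{sha256_hex(TAMPERED_ISO)}  {NAME}\n"


def check_against_same_server() -> bool:
    # Download and checksum both come from the compromised mirror: passes despite tampering.
    return verify_download(TAMPERED_ISO, NAME, ATTACKER_SUMS)


def check_against_separate_source() -> bool:
    # Checksum from the independent channel: the mismatch exposes the tampering.
    return verify_download(TAMPERED_ISO, NAME, TRUSTED_SUMS)
```

A signature over the checksum file, verified with a key obtained independently of the download site, is what closes the remaining gap when the attacker controls the checksum's location too.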
You know, honestly I don't think the researchers were wrong. Hear me out:
1. They aren't abusing some sort of special access to do it.
2. The concern they raised and executed is valid, and they aren't the first nor the last to have this idea. The difference is the bad guys won't tell everyone about it later.
That said, I think they could have gone about it better and hope any holes they introduced weren't extremely critical or damaging/exploitable in the wild.
They could have published a paper purely about the hypothetical attack. There was no good reason to make 35k malicious forks of popular projects, that's just excessive.
If they wanted to do something interesting or special they should have constructed their malicious code individually for each project to make the hashes/checksums match the originals, and they *still* shouldn't have published it out in the open for any dumbass to download.
You'd be surprised, criminals like to gloat.
Thank you for explaining Git!!
I was using it in my scripting course and didn't have a clue why I was using git or what it did.
There are so many things wrong with this report but I'll stick to one issue:
Making conclusions based on results from public GitHub repos does not mean all repos are hacked. Also, most public tech companies usually self-host their code repos on a private cloud (with something like GitHub Enterprise).
Most folks with an interest in cybersecurity do not understand how to scope their findings, and scoping takes experience and a deep understanding of tech stacks. Professionals are paid simply to assess and appropriately scope a vulnerability. (This is why we have CVSS scores.) This is why you should report vulns rather than BROADCAST THEM TO THE WORLD.
Those GitHub engineers must have wasted an entire day dealing with a Friday evening microservice job, doing things more manually.
what’s a cvss?
@@LukSter18998 Common Vulnerability Scoring System. It's a scoring system used to score vulnerabilities. Tech companies with bug bounties usually score their reported vulns to help figure out how much resources you need to throw at a given vulnerability.
9:59 your internal monologue with depression.
I gotta admit, as a casual tech enthusiast, I thought that Github was a glorified clipboard for code, but the way branches are presented on the website and approved into the main branch allow for more checks and balances than I expected.
Love a good bender reference 🤣
Forget the fork!
Wasn't there a Die Hard movie where the villain was doing this, except they were causing chaos on public systems and stealing massive amounts of money?
Haha I love that Muta just had some wiggle fun with his outro.
the futurama reference really made me smile, thanks muta keep it up
I just don't download anything from the net. If it's not in the app/Microsoft store (I can't get it)
That's real scary for big projects..
the whole bug bounty thing reminds me of summer wars where the government releases an experimental AI virus on whats basically facebook meta within the anime movie
For clarity, pull requests are a feature of services like GitHub and not inherent in git. Also, git proper is decentralized and there is no idea of an authoritative repo. For example, the authoritative Linux repo/branch used to be on Linus' computer; the authoritative-ness is something the devs agreed upon outside of git. Further, kernel development is largely done through mailing lists and text patches and not on GitHub.
Those last few mins, classic Muta 🤌
0:13 Yep I checked my phone too you arent alone
the amount of eyebrow raises in the beginning 😭😭😭
Imagine attempting to light someone's house on fire to check if they'll come out to stop you
There are many repositories with malware hidden in the code of open source projects. Never trust code blindly; always read the code first, or be sure that the code is safe and comes from a trusted developer, with checksum validation.
Mutahar looks like he's refreshed, more happy idk why.
When he said md5# immediate flash backs to Ownage pranks 😭
i read this yesterday on gizmodo and didn't realize this was the guy who made god fall. While this attack is kind of scary the association of godfall skyrockets this into the meme stratosphere.
Muta should have done his commentary over some godfall gameplay.
Bugbountying lmao :') Yea no officer I wasn't taking a steaming shit in your car, I was just testing your situational awareness.
Good to know people are actually on the lookout for this kind of garbage and actually prevent it.
0:14 i literally picked up my phone and thought it was my notif lmfao
As for the UMN part, iirc the Kernel Devs didn't spot the Hypocrite Commits, UMN disclosed it themselves before it was committed. So it's not like the Kernel Devs were totally blameless.
You should make the video or series on Linux Kernel drama. I'd love to watch that.
Thanks for the Futurama reference
Open source / hardware does not mean secure. At least you can pay somebody to figure out if it's secure. (Or do it yourself / in house if you can)
Open source software and hardware can at least be patched and fixed even if the company has no interest or is gone out of business. Trying to figure out if proprietary designs are secure is generally a legal gray area at best.(except for when express permission is granted) Just because they're unlikely to sue or press charges because it would look bad doesn't mean it's legal and they won't.
You know someone has messed up when Muta doesn’t even allow the thumbnail to render.
I noticed a big malware outbreak on GitHub the other day: cloning other projects for game mods and hacks and then editing the .sln or such to have malware, or just be a runtime so that if users run an exe for some reason they get a RAT.
"I promise I was only feeding you cyanide to prove you would die from ingesting cyanide."
Ayo Muta, bro, I've been trying to fix my PC. Some serious malware or virus disables my Windows Firewall/Defender. I've been trying multiple ways to restart Defender, nothing is working, then I decided to reset my PC but it stops resetting at like 40% and undoes the changes😭😭
Git is like the ability to restore your computer to how it was in the past but for program code
Good Evening, Sir.
Please do the Needful.
Thank you, Sir.
Sometimes I wish Muta would say "Good news everyone!" Like Professor Farnsworth. But I can only wish
A video/series/etc on Linux beef sounds fun.
It took me far too long to understand that GitHub is a Hub for Gits. I didn't really think too hard about the name until I learned C++ this year.
I am literally tryna get the N+ cert, and then going for Sec+ after. Honestly, videos like this help me go deeper and deeper into computing subjects. I appreciate this type of content is what I'm saying.
The Bender reference makes so much sense here
ackthually the master branch was deprecated and is now usually called the main branch,
all jokes aside, great video,
thanks