Open Source Stack Exchange is a question and answer site for people organizing, marketing or licensing open source development projects. It's 100% free, no registration required.

Recently some non-technical managers where I work found out that GitHub has a repository with code from "Hidden Tear", which is a ransomware application. The immediate reaction was to ban GitHub, which is something that we use extensively to get open source code. The only way to access GitHub again is by proving that the site is safe. This would be easy to do if I were convincing software developers; however, I am speaking with people who have never written a line of code. I have been told that if I want to use code from GitHub or view pages on the site I need to do the following:

  1. Show the site is safe and will not infect our computers
  2. Create an open source policy for use when determining the safety of code found on GitHub.

My first step was to go through a list of companies and government organizations that use GitHub. I believe that this will start to calm fears that the site is going to infect all computers with ransomware. I will expand on this by describing what GitHub is, what it does and why it is valuable.

The problem is that I don't have much experience writing policy documents. I'm hoping to find someone with some knowledge about policy who could share some of their experiences in writing open source usage policy. From what I understand, our policy should be a step-by-step guide to determine whether or not we can use a specific library/plugin.

Any help would be greatly appreciated.


migrated from programmers.stackexchange.com yesterday


8  
Are you doing Windows development? GitHub is now the official home of C# and VisualBasic.NET. That should be enough. I hope. –  Jörg W Mittag yesterday
2  
One has to wonder why your company has still got a connection to the Internet at all... –  Michael Schumacher yesterday
10  
Show the site is safe and will not infect our computers -- You can't. How would one prove this about any website? –  Robert Harvey yesterday
23  
Looks more like a Workplace question to me: "How do I deal with crazy stupid management." –  bmargulies yesterday
3  
You could also point out that Safeways sells rat poison ... therefore they should ban all employees from shopping at Safeways (pick their favorite supermarket chain). –  kdopen yesterday

3 Answers 3

  1. Show the site is safe and will not infect our computers

It's not "safe". GitHub allows anonymous users to upload anything they want, including malware. You could get infected by downloading/executing code or visiting anything on the "github.io" domain where arbitrary JavaScript (and therefore 0-day browser exploits) might be found (github.com is safer than github.io).

  2. Create an open source policy for use when determining the safety of code found on GitHub.

The only way to determine the safety of source code is to go through one line at a time and carefully read every single line.

With major projects, you might assume somebody else has already done this, but that's not a safe assumption. For example OpenSSL's security was completely compromised in 2011 but code reviewers failed to notice the problem until 3 years later. Criminal organisations were aware of the problem long before it was fixed and companies were compromised.

Small businesses using open source WordPress plugins are continuously being hacked; we see it almost every day where I work. Smart companies avoid the problem by refusing to use random WordPress plugins, and your company policy should be the same.

What you need to do is make a risk/reward analysis. Outline the risks of allowing access to GitHub in detail, and then outline the rewards, and conclude with your case that the rewards outweigh the risks.

The largest and most successful corporations in the world have all decided that the rewards outweigh the risks. But those risks are still real and your company still needs to be aware of them - don't go downloading code and executing it without thinking first about who might have written the code.

The only way to determine the safety of source code is to go through one line at a time and carefully read every single line. That sounds overly optimistic –  Nicola Peluchetti 16 mins ago

There is a giant problem with the logic behind this fuss. Storing the source code of malware is not strongly correlated with being infected with malware.

Consider http://www.metasploit.com/. It's a tool used by people protecting against intrusion -- and also by people looking to perform intrusion. Or any number of other resources used by people who study malware.

Yes, github.com could turn out to contain active malware -- but so could anything else where arbitrary websites are hosted. Does your management prohibit access to all of AWS? Google apps? Heroku? Sourceforge? Bitbucket? There's a list of about a million places that allow people, including bad people, to set up web sites. Does your employer really maintain a white list of only sites that they like? And what do they do when one gets broken into, and turned into a malware distribution apparatus?

So, this has nothing much to do with open source, except insofar as github.com is a hard place to avoid if you want to use it. You could have this debate about every WordPress blog site in creation; those get compromised approximately once every five minutes.

4  
Sourceforge is arguably more of a problem in the current environment, as there have been recent cases of that site, by policy, placing Adware into installers. E.g. developer.com/daily_news/… –  Neil Slater 12 hours ago
As a matter of fact, many companies block any of the well-known sites that provide downloads, usually done by filtering software they bought. E.g., until our company did actually start to develop an integration into Google apps, those were blocked for us, Google Drive in particular. Personally, I think that the way to officially gain access to GitHub is outlined rather well in this case - provided that the requests for the safety evaluation and code usage policy (pretty sure that there is one for that already, but it might focus on licensing) are not just ways to deny that forever. –  Michael Schumacher 11 hours ago

Perhaps you could get access approved on a per-project basis on GitHub? For example, say you wanted to use code from https://github.com/google/zopfli you could somehow get that approved and then be able to download/use the relevant files. Annoying, but better than having to write 100% of your code from scratch.

Also, if they're particularly concerned about ransomware, something like first testing code in a VM that can be trashed at a moment's notice might help them to feel like it's safer?

1  
As a front-end developer, this would be particularly annoying - I go through and test so many libraries to see if they fit use cases that I would be requesting 50+ libraries/pages/what-have-you a week. –  Seiyria 6 hours ago
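One way to put the per-project approval idea from the answer above into practice, as an added example that is not part of the original answer: a small Python check that allows a dependency only when it comes from github.com (not a github.io page) and matches the exact commit an approver reviewed. The allowlist entry, its commit SHA and the sample requests are all constructed for illustration.

```python
"""Added example: a per-project approval check for code pulled from GitHub.
Not part of the original post; the approved repo and commit SHA are made up."""
import re
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed allowlist: repositories an approver has signed off on, pinned to
# the exact commit that was reviewed. Any other revision needs a new review.
APPROVED: Dict[str, str] = {
    "google/zopfli": "0123456789abcdef0123456789abcdef01234567",  # hypothetical SHA
}

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def check_dependency(url: str, commit: str) -> Tuple[bool, str]:
    """Return (approved, reason) for a requested dependency at a given revision."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "only https:// URLs are accepted"
    # github.io hosts arbitrary user pages and scripts; only repository code is vetted
    if parsed.netloc != "github.com":
        return False, "host %r is not github.com" % parsed.netloc
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return False, "URL does not name an owner/repo"
    repo = "%s/%s" % (parts[0], parts[1])
    if repo.endswith(".git"):
        repo = repo[:-4]
    # Branches and tags move; insist on the immutable commit hash that was reviewed
    if not FULL_SHA.match(commit):
        return False, "revision must be a full 40-hex commit SHA, not a branch or tag"
    reviewed = APPROVED.get(repo)
    if reviewed is None:
        return False, "%s is not on the approved list; request a review" % repo
    if reviewed != commit:
        return False, "%s@%s differs from reviewed %s" % (repo, commit[:7], reviewed[:7])
    return True, "%s@%s is the reviewed revision" % (repo, commit[:7])


if __name__ == "__main__":
    # Constructed requests a developer might submit for approval
    requests = [
        ("https://github.com/google/zopfli", "0123456789abcdef0123456789abcdef01234567"),
        ("https://github.com/google/zopfli", "master"),
        ("https://google.github.io/zopfli/", "0123456789abcdef0123456789abcdef01234567"),
        ("https://github.com/example/unreviewed-lib", "f" * 40),
    ]
    for url, rev in requests:
        ok, why = check_dependency(url, rev)
        print("ALLOW" if ok else "DENY ", url, rev[:12], "-", why)
```

The same check can be run in CI against a lock file so that a dependency moved to an unreviewed commit fails the build rather than silently shipping.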
