Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Keeping Social Engineering Attacks Away from OS...

Nabarun Pal
June 12, 2024
0
21

Keeping Social Engineering Attacks Away from OSS Communities

Nabarun Pal

June 12, 2024
Tweet

More Decks by Nabarun Pal

See All by Nabarun Pal
Kubernetes - The Universal Control Plane
palnabarun
0
63
Learnings from Sustainably Steering the Kubernetes Project
palnabarun
0
52
The Eight Fallacies of Distributed Cloud Native Communities
palnabarun
0
38
State of Kubernetes and CNCF: A path to a sustainable and secure future
palnabarun
0
34
Wildfires, Firefighters and Sustainability Learnings from Mitigating Kubernetes Fires in the Community
palnabarun
0
34
What does the Kubernetes Steering Committee Steer?
palnabarun
0
67
State of Kubernetes in 2022
palnabarun
0
54
Leadership Learnings from Kubernetes Releases
palnabarun
0
45
Prow! Leveraging Developer-Centric CI for Your OSS Project!
palnabarun
0
50

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
222
9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
45
2.2k
GraphQLとの向き合い方2022年版
quramy
44
13k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
132
33k
The Cult of Friendly URLs
andyhume
78
6.1k
Adopting Sorbet at Scale
ufuk
73
9.1k
4 Signs Your Business is Dying
shpigford
181
21k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Raft: Consensus for Rubyists
vanstee
137
6.7k
It's Worth the Effort
3n
183
28k
Statistics for Hackers
jakevdp
796
220k
How GitHub (no longer) Works
holman
311
140k

Transcript

  1. Keeping Social Engineering Attacks Away from OSS Communities: What Can

    One Learn from Kubernetes Nabarun Pal

  2. ❤ @theonlynabarun $ whoami • Kubernetes Maintainer and Steering Committee

    member • Chair of Kubernetes Special Interest Group Contributor Experience • Kubernetes GitHub Administration • Contribute to API Machinery, Auth, Release and ContribEx • CNCF Ambassador • Building Kubernetes based SaaS control planes as $dayjob

  3. ❤ @theonlynabarun Why should you worry about social engineering attacks?

  4. ❤ @theonlynabarun xz backdoor

  5. ❤ @theonlynabarun

  6. @theonlynabarun ❤

  7. @theonlynabarun ❤

  8. @theonlynabarun ❤

  9. @theonlynabarun ❤

  10. @theonlynabarun ❤ Users finds the bug because they see SSH

    consuming too many CPU cycles

  11. @theonlynabarun ❤ Lesson: Maintainer burnout should be tracked

  12. @theonlynabarun ❤ An excellent timeline of the incident is written

    by Russ Cox: https://research.swtch.com/xz-timeline

  13. ❤ @theonlynabarun CloudFoundry Community Repo Deletion

  14. @theonlynabarun ❤ 01:37 AM UTC

  15. @theonlynabarun ❤ Maintainers couldn’t access the org?!? 01:37 AM UTC

  16. @theonlynabarun ❤ Maintainers try to reach out to the actor

    01:42 AM UTC

  17. @theonlynabarun ❤ Tickets filed with GitHub 01:50 - 03:00 AM

    UTC

  18. @theonlynabarun ❤ GitHub restores all the deleted repositories 02:00 -

    03:00 PM UTC

  19. ❤ @theonlynabarun Key Findings • A decade back, anyone who

    contributed was given org owner access

  20. ❤ @theonlynabarun Key Findings • A decade back, anyone who

    contributed was given org owner access • Open trust based approach of the past doesn’t work anymore

  21. ❤ @theonlynabarun Key Findings • A decade back, anyone who

    contributed was given org owner access • Open trust based approach of the past doesn’t work anymore • Org-level ownership will be given only to a limited set of people

  22. ❤ @theonlynabarun Key Findings • A decade back, anyone who

    contributed was given org owner access • Open trust based approach of the past doesn’t work anymore • Org-level ownership will be given only to a limited set of people • Repo-level ownership will be given to direct contributors

  23. ❤ @theonlynabarun Key Findings • A decade back, anyone who

    contributed was given org owner access • Open trust based approach of the past doesn’t work anymore • Org-level ownership will be given only to a limited set of people • Repo-level ownership will be given to direct contributors • Audit similar events of the past

  24. @theonlynabarun ❤ CloudFoundry maintainers wrote an elaborate incident report

  25. ❤ @theonlynabarun Scale of Kubernetes

  26. ❤ @theonlynabarun “(...) about 1/2 of the internet depends on

    you… no pressure ;-) (...)” Timothy St. Clair

  27. ❤ @theonlynabarun 8 Organizations Stats from Kubernetes Devstats, June 11

    2024

  28. ❤ @theonlynabarun 8 Organizations 372 Repositories Stats from Kubernetes Devstats,

    June 11 2024

  29. ❤ @theonlynabarun 8 Organizations 372 Repositories 88.8K Contributors Stats from

    Kubernetes Devstats, June 11 2024

  30. ❤ @theonlynabarun #5 by activity (438520) #3 by authors (3569)

    #2 by comments (330984) #32 by commits (43010) #11 by issues (18067) #4 by pull requests (43554) #36 by pushes (46105) Stats from CNCF Velocity Report

  31. ❤ @theonlynabarun Phew. Certainly not an easy task.

  32. ❤ @theonlynabarun The People

  33. ❤ @theonlynabarun

  34. ❤ @theonlynabarun This team is responsible for holding Org Owner

    privileges over all the active Kubernetes orgs, and will take action in accordance with our policies and procedures. All members of this team are subject to the Kubernetes security embargo policy. Nominations to this team will come from the Contributor Experience SIG, and require confirmation by the Steering Committee before taking effect. [...]

  35. ❤ @theonlynabarun 🛠 The Tools

  36. ❤ @theonlynabarun

  37. ❤ @theonlynabarun git.k8s.io/org

  38. ❤ @theonlynabarun

  39. ❤ @theonlynabarun

  40. ❤ @theonlynabarun

  41. @theonlynabarun ❤

  42. @theonlynabarun ❤ Introducing Peribolos!

  43. @theonlynabarun ❤

  44. @theonlynabarun ❤ Safety as a first principle

  45. @theonlynabarun ❤ sigs.k8s.io/prow/cmd/peribolos

  46. @theonlynabarun ❤ https://youtu.be/UNRk3MJVjTk & https://sched.co/1aOpr

  47. ❤ @theonlynabarun Processes

  48. @theonlynabarun ❤

  49. @theonlynabarun ❤ New Member Requirements Have made multiple contributions to

    the project or community, enough to demonstrate an ongoing and long-term commitment to the project. Contributions should include, but is not limited to: ◦ Authoring or reviewing PRs on GitHub, with at least one merged PR. NOTE: The PR(s) must demonstrate an ongoing and active commitment. A few examples include: ▪ A single KEP that has taken several weeks of driving consensus ▪ A larger number of smaller PRs over several weeks to months ▪ A smaller number of complex or technical PRs that required working with community members to resolve an issue (e.g. regressions, bugs fixes etc) ◦ Filing or commenting on issues on GitHub ◦ Contributing to SIG, subproject, or community discussions (e.g. meetings, Slack, email discussion forums)

  50. @theonlynabarun ❤

  51. @theonlynabarun ❤

  52. @theonlynabarun ❤

  53. @theonlynabarun ❤ Sponsor Requirements ◦ Sponsored by 2 reviewers. Note

    the following requirements for sponsors: ▪ Sponsors must have close interactions with the prospective member - e.g. code/design/proposal review, coordinating on issues, etc. ▪ Sponsors must be reviewers or approvers in at least one OWNERS file within one of the Kubernetes GitHub organizations*. ▪ Sponsors must be from multiple member companies to demonstrate integration across community.

  54. @theonlynabarun ❤ Reviewer Requirements ◦ Member for at least 3

    months ◦ Primary reviewer for at least 5 PRs to the codebase ◦ Reviewed or merged at least 20 substantial PRs to the codebase ◦ Knowledgeable about the codebase ◦ Sponsored by a subproject approver ▪ With no objections from other approvers ▪ Done through PR to update the OWNERS file ◦ May either self-nominate, be nominated by an approver in this subproject, or be nominated by a robot

  55. @theonlynabarun ❤

  56. @theonlynabarun ❤

  57. @theonlynabarun ❤

  58. @theonlynabarun ❤ Audits

  59. @theonlynabarun ❤ Audits

  60. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size

  61. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size • The bar to get into that set should be reasonably high

  62. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size • The bar to get into that set should be reasonably high • Design new contributor guidelines and contributor growth ladder carefully

  63. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size • The bar to get into that set should be reasonably high • Design new contributor guidelines and contributor growth ladder carefully • Declaratively store your community topology

  64. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size • The bar to get into that set should be reasonably high • Design new contributor guidelines and contributor growth ladder carefully • Declaratively store your community topology • Use proven tools with adequate safety checks to reconcile state

  65. @theonlynabarun ❤ To Summarize • Set of people with highest

    privileges should be smallest in size • The bar to get into that set should be reasonably high • Design new contributor guidelines and contributor growth ladder carefully • Declaratively store your community topology • Use proven tools with adequate safety checks to reconcile state • Periodically run audits on your org for inactive members

  66. @theonlynabarun ❤ Thank You! Slides will be available at https://speakerdeck.com/palnabarun/

    shortly.

  67. @theonlynabarun ❤ Want to learn more? • Public slack channel:

    #github-management • Join here: slack.k8s.io • DMs on Kubernetes Slack: palnabarun • Twitter/X: @theonlynabarun

  68. @theonlynabarun ❤ Stay hydrated!

  69. @theonlynabarun ❤ Questions

  70. @theonlynabarun ❤ Questions I will be in the Hallway for

    any more questions.