In this week’s podcast (#124): we speak with French security researcher Baptiste Robert about research on the social media accounts pushing the French “Yellow Vest” protests. Surprise, surprise: they’re not French. Also: Brian Fox of the firm Sonatype joins us to talk about the recent compromise of the GitHub event-stream project and why social engineering poses a real risk to the security of the software supply chain.
Part 1: the Twitter bots pumping up French Protests? They’re not French.
French President Emmanuel Macron took to the airwaves on Monday to address a string of long-running worker protests that have rocked Paris and other cities in recent weeks. Apparently, his empathy and concessions weren’t enough. Like so many social protest movements in recent years, the so-called gilet jaune – or “yellow vest” – protests began on social media platforms like Facebook before moving to the street, where they have led to acts of vandalism and scores of arrests. Now similar protests have popped up in Belgium and other neighboring countries.
Still, no clear leader of the Yellow Vest movement has arisen, nor do the protests have a clear agenda. What is fueling them? Our first guest this week suspects that online propaganda campaigns orchestrated by outside agitators may be one factor. Baptiste Robert is a software developer and independent security researcher who lives in Toulouse, France. He’s been collecting and analyzing gilet jaune-themed messages on Twitter, capturing more than a quarter million English-language tweets using the French “#giletjaune” hashtag. His surprising finding: none of the top 10 English-language accounts pushing #giletjaune appear to be French, or to have any direct link to the French protesters. Almost all, however, do appear to be associated with far-right nationalist or far-left anti-capitalist political ideologies.
What’s going on? I asked Baptiste to offer his thoughts, including whether the long arm of Russia’s FSB and President Vladimir Putin might be behind the online campaigns.
Part 2: social engineering’s threat to the software supply chain
Microsoft announced last week that it was gutting its proprietary Edge browser to port the platform to Google’s open source Chromium platform. The announcement may signal that, after more than two decades, open source may have finally triumphed in the browser wars – as well as in most other contests.
Indeed, open source is an indispensable part of the knowledge economy these days, allowing organizations to assemble new applications more quickly and cheaply than ever before.
But all that open source dependency also brings risk with it. Heartbleed woke the world up to the risk posed by undetected security vulnerabilities in popular open source repositories. Recently, a string of compromises of popular open source projects has highlighted how widely used but under-resourced open source projects are prone to manipulation, fraud and abuse.
Our second guest this week, Brian Fox of the firm Sonatype, said that the recent takeover of the event-stream open source project on GitHub by an unknown hacker is a case in point. The compromise, which appears to have been aimed at undermining the security of the Copay Bitcoin wallet, is an object lesson in how sophisticated attackers are looking at countless popular and under-resourced open source projects as an avenue to push malicious code into thousands or even millions of downstream applications.