Tag Archive for: GitHub

GitHub case: Twitter rejects urgent request for accounts details, says it’s not national security matter


Twitter is said to have declined to provide details of two handles thought to be connected to the case in which a female journalist’s photo was uploaded to a website alongside disparaging comments, saying this was not a “national security threat matter” and that the Delhi Police should approach it through the proper channel instead.

Days after lodging an FIR against unknown persons, the police had written to the software development platform GitHub for details of the website developer, and from Twitter, they sought information about two accounts they believe had tweeted about the app first. The accounts were deactivated when the victims started sharing their ordeal online. “Sensing the gravity of the case, we asked Twitter to provide details of their IP addresses on an urgent basis, but they responded on Tuesday, asking us to come through proper channels since it’s not a national security threat matter,” a senior police officer privy to the investigation said.

The website was made using GitHub on December 31 and doctored photos of at least 100 Muslim women, along with lewd remarks, were posted there. GitHub subsequently removed the content, but many Twitter users tagged the women and posted screenshots.

On January 2, the south-east district police lodged an FIR against unknown persons and on January 4 transferred the case to its Intelligence Fusion and Strategic Operations unit. The police are planning to get the go-ahead to make a request under a Mutual Legal Assistance Treaty (MLAT) to seek information about the app from its foreign-based hosting platform.

The Indian Computer Emergency Response Team (CERT-In), the nodal agency for monitoring cyber security incidents and related threats, has been asked to form “a high-level committee” to probe the incident and coordinate with the cyber cells of state police forces, senior government officials said.

In her complaint to police on Saturday, the Delhi-based journalist had accused unknown persons of promoting enmity, sexual harassment, and insulting women. “I was shocked to find…that a website/portal…had a doctored picture of me in an improper, unacceptable and clearly lewd context… The…content…is clearly aimed at insulting…

Source…

Explained: What is GitHub, at the centre of online sexual harassment probe?


The open-source software repository service GitHub is in the news after it was used to create and share an offensively named app that sexually harassed Muslim women in India. The app used pictures of the women stolen from their social media handles and invited “users” to bid for them.

IT Minister Ashwini Vaishnaw has announced that GitHub has blocked the user, and the Indian Computer Emergency Response Team (CERT-In), the nodal agency for monitoring cyber security incidents, has been asked to form “a high-level committee” to investigate. Delhi and Mumbai Police have registered FIRs on complaints by some of the women who were targeted.

In June 2021, another app with a similar-sounding name, which too was hosted on GitHub, had been used to harass Muslim women in the same way. Police in Delhi and Noida had registered FIRs, but the probe has not progressed. Delhi Police have said GitHub is not cooperating.


What is GitHub?

GitHub is the world’s largest open-source developer community platform, where users upload their projects and code for others to view, edit, and tweak. The idea is that any developer can upload whatever software code, app code, or software idea they have to the platform and have others collaborate with them to improve it, find errors, and fix problems.

Any public project can be viewed by others on the platform. Most of the features of the platform are free for users. Organisations can use paid accounts to upload their software and projects for collaboration.

The platform is built on the version-control software Git, created in 2005 by Linus Torvalds, the developer of the open-source operating system Linux, to track changes in a set of files and to coordinate work among developers.

What has it said on the complaints?

GitHub has taken down the app, but has not revealed who was responsible for it.

“GitHub has longstanding policies against content and conduct involving harassment, discrimination, and inciting violence. We suspended a user account following the investigation of reports of such activity, all of which violate our policies,” it said in a statement.

What is not…

Source…

GitHub Updates Policy to Remove Exploit Code When Used in Active Attacks



Code-hosting platform GitHub on Friday officially announced a series of updates to the site’s policies that spell out how the company deals with malware and exploit code uploaded to its service.

“We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” the Microsoft-owned company said. “We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem.”


Stating that it will not allow the use of GitHub in direct support of unlawful attacks or malware campaigns that cause technical harm, the company said it may take steps to disrupt ongoing attacks that leverage the platform as an exploit or a malware content delivery network (CDN).

To that end, users are prohibited from uploading, posting, hosting, or transmitting any content that could be used to deliver malicious executables or to abuse GitHub as attack infrastructure, for example by organizing denial-of-service (DoS) attacks or managing command-and-control (C2) servers.

“Technical harms means overconsumption of resources, physical damage, downtime, denial of service, or data loss, with no implicit or explicit dual-use purpose prior to the abuse occurring,” GitHub said.


In scenarios where there is an active, widespread abuse of dual-use content, the company said it might restrict access to such content by putting it behind authentication barriers, and as a “last resort,” disable access or remove it altogether when other restriction measures are not feasible. GitHub also noted that it would contact relevant project owners about the controls put in place where possible.

The changes follow a consultation the company began in late April, when it solicited feedback on its policy around security research, malware, and exploits on the platform, with the aim of a clearer set of terms that would remove the ambiguity surrounding “actively harmful content” and “at-rest code” published in support of security research.

By not taking down exploits unless the repository or code in question is incorporated directly into an active campaign,…

Source…

Standoff with researchers may emerge as GitHub floats stricter policies


[Image caption: GitHub CEO Nat Friedman speaks at GitHub Universe 2020. (GitHub)]

GitHub on Thursday solicited the comments of the security research community on its new, apparently stricter policies for posting malware and proof-of-concept exploits. But the response may have been more than it bargained for.

Some of the changes date back to a month ago, when GitHub, which is owned by Microsoft, removed a proof-of-concept exploit for the so-called ProxyLogon vulnerabilities in Microsoft Exchange that have led to more than 100,000 server infections. There were also other incidents, dating back more than a year, in which GitHub repositories were found to be infected with malware and capable of being used in a supply chain attack.

GitHub, which researchers use as a platform where they can test and experiment, said in a blog post that these updates also focus on removing ambiguity in how the platform will define terms such as “exploit,” “malware,” and “delivery” – the platform’s effort to clearly state its expectations and intentions.

Security researchers expressed skepticism. If or when software does get removed, GitHub would have to outline a very clear-cut and transparent reason; otherwise, users will likely rebel and flee to other platforms, said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows.

Nikkel said some researchers have raised great points about existing off-the-shelf, legitimate tools such as Metasploit or Mimikatz, or other similar software that adversaries frequently abuse.

“Are these now also illegitimate? While starting the public discussion is a significant step, transparency around the end goal and the future will need to be spelled out clearly to GitHub users,” Nikkel said. “Suppose GitHub does end up taking stronger steps towards locking down what’s acceptable on the platform. In that case, the conditions of what they understand as an actual attack or threat would also need to be spelled out fairly clearly, and in terms…

Source…