Showing results for tags 'github'.

1. When a domain appears on the ‘Infringing Website List’, it means that UK police have concluded its activities are most likely criminal. Advertisers and other intermediaries are advised that knowingly supporting crime is a crime in itself. The IWL is not open to scrutiny but TorrentFreak has learned that for the last four months, a GitHub subdomain has been labeled "massively infringing."

The ‘Infringing Website List’ (IWL) is operated by the Police Intellectual Property Crime Unit (PIPCU) in the UK under the banner ‘Operation Creative’. Launched in 2014, its purpose is to disrupt pirate sites’ ability to make money when takedown notices and other efforts by the “private sector have had limited success.”

The IWL is considered a proportionate response to rampant online piracy, and given the nature of most domains currently on the list, it would be foolish to argue otherwise. That said, the IWL is a completely closed system and as such there is close to zero public transparency.

Pirate site domains are nominated for inclusion by rightsholder/anti-piracy groups such as the MPA, BPI, IFPI, Publishers Association, and FACT. Once the police have conducted their own investigations, any domain added to the IWL finds itself blacklisted by the advertising industry and then shared as part of the full list with other stakeholders, rightsholders, and anti-piracy groups. As the UK government noted in its 2020-2021 IP Crime Report (pdf), “such sites are accepted for disruption,” meaning that for owners of domains on the list, which is integrated into numerous other databases for automated processing, nothing good lies ahead.

The not-for-profit Internet Advertising Bureau, the industry body for digital advertising in the UK, advises its members that the IWL contains confirmed illegal domains. It is the responsibility of IAB UK members to ensure that no one does any business with any domain on the list – or else.

“The IWL works as an inappropriate schedule and allows you to exclude known illegal sites from your ad buying, selling or trading,” IAB UK says.

Similar advice is provided by the Gambling Commission, the official regulator for most types of gambling activities across Great Britain. “You must ensure that you do not place digital advertisements on websites providing unauthorized access to copyrighted content and must take all reasonable steps to ensure that third parties with whom you contract do similar,” the regulator warns.

The suggestion here is that advertising entities not only have to ensure that their own conduct is impeccable but must also shoulder some responsibility for the conduct of others. This chaining of responsibility is not uncommon in business but the climate around the Infringing Website List is more loaded than others.

The messaging is clear: if a domain appears on the IWL it is confirmed as illegal and most likely engaged in criminality. By extension, the operator of the domain is a suspected criminal. The police make this clear when they write to the owners of listed domains, warning of offenses under the Fraud Act 2006, Copyright Designs and Patents Act 1988, and even the Serious Crimes Act 2007.

At this point we’d like to make it absolutely clear that, as far as we can determine, most of the domains on the list do seem linked to infringing activity. And, in most cases, the listed domains appear to have no real purpose other than to infringe copyright. That’s exactly the type of domain the IWL was intended to accommodate.

That raises the question of why the Microsoft-owned domain Github.io was added to the Infringing Website List on June 28, 2022, and has remained there ever since. Importantly, the culprit is not Microsoft or GitHub, but a user of the latter.

It appears the GitHub user created a repository on GitHub Pages containing information on how to gain access to The Pirate Bay and that was determined to be a crime. The page, published in the usual username.github.io format, doesn’t contain any infringing content and doesn’t link to any infringing content. It does link to other domains that in turn provide proxy access to the front page of The Pirate Bay, but that doesn’t carry links to any infringing content either. Elsewhere on The Pirate Bay, embedded magnet links do link to IP addresses offering infringing content, but users still have to fire up a torrent client to find out.

But the IWL Entry Also Adds a Github.io Subdomain?

The individual who discovered Github.io on the “never do business” list is responsible for implementing the list in their line of work. They think that the IWL is a good idea and had previously blacklisted all main domains plus their extensions and subdomains for the sake of simplicity. That approach was prompted by a) some domains on the list having multiple infringing subdomains and b) sites operating a mobile version on a subdomain but not having their main domain listed on the IWL, despite carrying exactly the same content. Some decisions are easier than others but blacklisting the entire Github.io domain was an entirely different proposal.

Perceived Threats to Business and Livelihoods

The underlying problem is a genuine concern that under-blocking could lead to severe consequences for people in the advertising chain. A report published in 2021 by French anti-piracy agency Hadopi reveals why some in the industry are apprehensive.

“A PIPCU contractor (Pathmatics) monitors [sites on the IWL], using dedicated software (AdRoutes) to trace the chain of advertisers that place ads on the site. It informs any non-partner advertisers that they may be regarded as accomplices in the infringement of intellectual property law,” Hadopi’s report reads (pdf).

“PIPCU has contacted the authority responsible for issuing gambling and betting licences (the Gambling Commission). The latter has informed licensees that their licence could be revoked if they advertise on illegal websites.”

The IWL is Considered Secret, Police Refuse to Comment

Over the years, reporters and other interested parties have filed Freedom of Information Act requests to learn more about the IWL, but with few results.

“All sites on IWL are identified and evidenced as infringing by rights holders and then verified by PIPCU. We are not making the IWL public. The List will be ever changing as new sites appear and older sites comply,” one response reads.

Another, which asked PIPCU to supply evidence to back up claims that the IWL is “successful”, received the response: “No information held.”

In 2021, however, the College of Policing requested information and received the following in return:

Criteria For Blacklisting Are ‘Confidential’

It would be useful to know what prompted police to add Github.io’s subdomain and domain to the IWL when it’s obvious that less aggressive options exist. We’ll never know because as Hadopi’s report notes, “the criteria used by the police are confidential.”

We could speculate that since several domains with ‘proxybay’ in their URLs are already blocked by UK ISPs due to a court order concerning The Pirate Bay, proxybay.github.io may have been considered a legitimate target. Other domains with ‘proxybay’ in their URLs – proxy-bay.dev, proxy-bay.co and proxybay.center – are also listed on the IWL but a) none of them currently link to pirate sites and b) proxybay.github.io is not blocked in the UK.

Given that high standards need to be met for a domain to be blocked in the UK, there is zero chance that the High Court would knowingly authorize a GitHub domain to be blocked by ISPs, unless other options had been exhausted first. The IWL blacklist seems more straightforward but according to Hadopi’s report, it shouldn’t be.

To be included on the IWL, domains reported by rightsholders must be “massively infringing” to the extent that 50% of their content must be illegal. That doesn’t apply to GitHub. And here’s more ‘fun’ for the “massively infringing” dev platform:

“When a website is added to the list, a letter is also sent to the relevant registrar or to the organization that manages the extension under which the domain name is registered, requesting that the domain name be suspended,” the report notes.

Perhaps for obvious legal reasons, that hasn’t happened in GitHub’s case, but voluntary agreements that go beyond normal legal requirements can make things harder to predict.

The Uncertainty of ‘Soft Law’

Other matters involving proxybay.github.io include this Australian court order sent to Google. It does not order Google to do anything, it simply prompts Google to remove GitHub’s subdomain/domain from its search results based on an earlier agreement. In 2019, Google reached a voluntary agreement with local ISPs and rightsholders to deindex domains from google.com.au if they have been blocked under Australian law. Similar voluntary arrangements exist in Europe too. Their existence had to be discovered; they were not publicly announced.

Voluntary Agreements Gain Momentum

In GitHub’s case, the company complies with actual legal requests under U.S. law, in this case the DMCA. As far as we can determine, from the full list of complaints that GitHub always makes public, the platform was not even sent a basic DMCA notice before a domain it owns was placed on the blacklist.

GitHub probably won’t be too alarmed about advertising issues on GitHub.io but being branded potentially criminal, over a page they didn’t create, that links to other sites, which in turn link to another site, which is freely available in the U.S., probably isn’t ideal. Not knowing that your domain is even on the list brings a whole new set of problems.

Whether The Pirate Bay or facilitating proxies should actually be available in the U.S. is another matter but, should that ever be contested in court, trust-building transparency will feature in all legal proceedings, meaning that at a bare minimum, people will know where they stand.

Infringing Website Lists are gaining momentum all around the world and they are a black hole as far as public information is concerned. Countries including the UK, Italy, Germany, Spain, Indonesia, Malaysia, Hong Kong, Vietnam, and Taiwan either have them already or are currently building them. We’d certainly be interested in hearing more about their operations moving forward because copyright holders view these as the future. They may have good intentions but more often than not, the public simply isn’t allowed in.

Additional note: The IWL also includes subdomains/domains of other companies and organizations that are known to respond to straightforward takedown requests if their users breach copyright law:

  • Sapo.pt: Search engine and portal operated by the University of Aveiro in Portugal
  • Free.fr: The website of French Internet service provider Free
  • Blogspot.com: Google blogging platform
  • Blogspot.pt: As above (Portugal)
  • Blogspot.it: As above (Italy)

GitHub Domain Listed on Police Piracy Blacklist For The Last Four Months
2. WishFlix is a French pirate streaming site that chose GitHub as its hosting platform. While this worked well for a while, the site was targeted by a StudioCanal takedown notice last week. WishFlix is currently still afloat but GitHub probably isn't the best hosting option for a pirate site that went viral on social media.

Running a pirate streaming site might sound complex but with help from pre-coded scripts and illicit video databases, it can be done with minimal effort. The real challenge is driving traffic to a site while ensuring it also stays online.

1.3m TikTok Views

WishFlix nailed the first part of that equation. The French streaming site actively campaigns on social media where it has booked some impressive results. One of its TikTok videos went viral recently, generating over a million views of free advertising with an 8-second clip.

This clearly shows that there is plenty of demand for the platform, which promises access to Netflix, Disney, and Prime Video without any paid subscriptions. That kind of social media exposure is unprecedented for a pirate site and it definitely helped to get more viewers to the platform. Unfortunately, not all of the attention is equally appreciated.

GitHub Receives DMCA Takedown

This weekend, French media company StudioCanal sent a DMCA takedown notice to WishFlix’s hosting company. The host isn’t some vague company in an exotic location. On the contrary, the site is hosted by the Microsoft-owned developer platform GitHub.

StudioCanal didn’t have much trouble tracking down the hosting location as the WishFlix domain name gave that away already: wishflix.github.io/WishFlix.

Looking more closely at the takedown notice, we see that it lists a pirated copy of the TV series “La Flamme” as an example. WishFlix pulls its video from third-party hosting service Uqload.com but GitHub was asked to remove the page that links to the infringing content in question.

“We hereby give notice of these activities to you and request that you take expeditious action to remove or disable access to the material described above, and thereby prevent the illegal reproduction and distribution of this product(s) via your company’s network,” StudioCanal writes.

WishFlix Remains Online

GitHub is rather strict when it comes to this type of infringing activity so WishFlix finds itself in a tough spot. That being said, the streaming site has not given up just yet.

The WishFlix GitHub repository remains largely unscathed and the GitHub-hosted streaming site is still online as well, at least for now. In fact, even the “La Flamme” series is , albeit with the exclusion of episode 7, which is the one StudioCanal highlighted in its takedown notice.

With the pressure mounting, it is questionable whether the streaming site’s luck will last much longer. Most seasoned pirate site operators will know that GitHub isn’t the best hosting option. But they can wish, of course.

Hosting a Pirate Streaming Site on GitHub Isn’t the Best Idea
3. Developers are furious at GitHub's upcoming privacy policy changes that would allow GitHub to place tracking cookies on some of its subdomains. The Microsoft subsidiary announced this month that it would be adding "non-essential cookies" on some marketing web pages starting in September, and offered a thirty-day "comment period" for users.

GitHub to add non-essential cookies on marketing pages

GitHub's present privacy policy (dated May 31, 2022) states that the software development platform places only "strictly necessary" cookies on users' web browsers and adheres to W3C's standard concerning the "Do Not Track" (DNT) privacy preference, should it be set by users.

Effective September 1, 2022, however, GitHub will start placing non-essential cookies on its marketing subdomains like resources.github.com.

"GitHub is introducing non-essential cookies on web pages that market our products to businesses," explains Olivia Holder, GitHub's Senior Privacy Counsel. "These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users."

Holder stresses, however, that the change will only impact marketing webpages and select subdomains and that "Github.com will continue to operate as-is."

[Image: GitHub proposed privacy policy changes arriving September 2022 (GitHub)]

The non-essential cookies in this context, better known as "tracking cookies", refer to a class of cookies that are shared across multiple websites and web services. These cookies may be used by third parties for delivering ads or for the purposes of providing marketing, customization, and analytics features.

But such cookies can make it easy to ascertain a user's browsing history and behavior across multiple sites, potentially allowing malicious actors to track this activity, explains cybersecurity firm F-Secure.

While drawing everyone's attention to the new policy and a "30-day comment period," GitHub Security Engineer Lucas Garron pointed out GitHub's 2020 blog post where the platform had "removed all non-essential cookies" out of its commitment to "respecting the privacy of developers using our product."

Ironically, this month's succinct announcement explaining the introduction of tracking cookies retains much the same wording.

Users criticize new policy wording, blame Microsoft

Reacting to GitHub's new policy wording, users sharply criticized the platform's decision, with some even considering leaving GitHub for GitLab.

"You lost me at 'ads for enterprise users,'" said pentester and security engineer Jonathan Gregson.

"If that PR goes in, I'm out. I'm not going to be a part of this digital dystopia where I am just a product and where companies don't care about the people," states user Willhelm Sokolov.

Some even blamed Microsoft, GitHub's parent company, for bringing such detrimental changes that have "undermined" the platform.

But one of the devs had a slightly different take: "Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention," commented Evelyn Marie, a Rust and Android developer.

Marie further states that most GitHub users don't use Enterprise, an offering oriented toward businesses, and will likely never be inconvenienced by what is just cookies.

"Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn't. There are always going to be changes that people don't like, but not all changes are influenced by the parent company. If Microsoft was [putting] their hands all over GitHub, they probably would've moved GitHub to the Microsoft Policy Statement a long time ago," says Marie.

A lengthy debate ensued on the thread that has now garnered over 1,200 dislikes from the community.

Some even drafted a change.org petition, alleging that the new policy wording was "less transparent,... more unclear and confusing," and urged GitHub to drop marketing cookies altogether.

[Image: Users draft a change.org petition for GitHub]

Those interested in reviewing the upcoming privacy policy updates can refer to the changelog on GitHub.

GitHub's new privacy policy sparks backlash over tracking cookies
4. GitHub has announced that it is sunsetting its text editor, Atom. The application, which debuted in 2011, will be retired on December 15, 2022.

Atom emerged as a promising tool for code developers, and laid the foundation for the Electron framework (formerly Atom Shell). Microsoft attributes the rise of Visual Studio Code to it. The text editor was popular amongst the developer community for its customizable interface and functionality, as well as its built-in support for Git and GitHub.

Why is Atom being shut down?

The announcement article that was published on GitHub's blog says that Atom's development had stagnated over the years, without new features being added to it. The open source project received maintenance and security updates over the years, but GitHub claims that the community's involvement in Atom declined as new cloud-based tools emerged. The company wants to focus its efforts on improving its own cloud-based solution for developers, GitHub Codespaces.

That is the official reason given by GitHub as to why the Atom text editor is being discontinued. But there are other factors that may have affected it. Four years ago, Microsoft acquired GitHub, and the latter's CEO had promised that Atom would co-exist with Microsoft Visual Studio Code. Well, that clearly isn't what has happened. Is this a surprise, though? Why would Microsoft want competition between its products? One could argue that Atom was superseded (read: phased out) by VS Code, which carries the Microsoft branding.

Can I still download Atom?

Yes, you can download the cross-platform text editor for Windows, macOS and Linux from the official website, Atom.io, or the project's GitHub page. The Atom repository is still active, but will be archived along with other repositories related to it on December 15, 2022. Both the GitHub page and Atom's official website are displaying a banner to inform users that the program is being retired.

You should export your projects to a different editor to ensure your work is not affected.

Atom editor alternatives

Since it is an open source program, there is a good chance that Atom could be forked by other developers. But you don't have to wait for one to pop up; there are plenty of free alternatives for Atom that you may choose from. The most obvious one is VS Code, which is actually quite impressive. Other notable text editors for programmers are Sublime Text, Notepad++, Vim, Emacs, and Kate, to name a few. VSCodium is worth a shoutout: it is not a fork of VS Code, instead it provides binary releases of VS Code without Microsoft's telemetry, branding and licensing. The developers who created Atom are working on their own code editor called Zed, so you may want to keep an eye on that.

Atom editor's problem wasn't just the lack of development. Its performance was subpar compared to rival code editors, which is the primary reason why users shifted to other tools. Electron is often criticized by users for being a resource hog, so Atom suffered from the same issues. Why would anyone use it when lightweight options are readily available?

Did you use Atom?

GitHub's Atom text editor will be retired in December
5. Microsoft acquired GitHub for $7.5 billion back in 2018 and even before then, it had been a major customer of the platform, like many other tech firms. We thought that it would be interesting to look at the most popular open-source repositories hosted by GitHub's owner.

In this listicle, we will list the top 10 open-source GitHub repositories developed and maintained by Microsoft, ordered by their number of stars, along with some pertinent stats and a brief excerpt from the official description. Without further ado, let's begin!

1- vscode (Visual Studio Code)
   Primary programming language: TypeScript (93.8%)
   Stars: 131,000
   Watching: 3,100
   Forks: 22,300
   Description: Visual Studio Code is a distribution of the Code - OSS repository with Microsoft-specific customizations released under a traditional Microsoft product license. Visual Studio Code combines the simplicity of a code editor with what developers need for their core edit-build-debug cycle. It provides comprehensive code editing, navigation, and understanding support along with lightweight debugging, a rich extensibility model, and lightweight integration with existing tools. Visual Studio Code is updated monthly with new features and bug fixes. You can download it for Windows, macOS, and Linux on Visual Studio Code's website. To get the latest releases every day, install the Insiders build.
   Repository URL: vscode

2- terminal (The new Windows Terminal and the original Windows console host, all in the same place!)
   Primary programming language: C++ (94.6%)
   Stars: 82,800
   Watching: 1,300
   Forks: 7,300
   Description: This repository contains the source code for:
     • Windows Terminal
     • Windows Terminal Preview
     • The Windows console host (conhost.exe)
     • Components shared between the two projects
     • ColorTool
     • Sample projects that show how to consume the Windows Console APIs
   Repository URL: terminal

3- TypeScript (TypeScript is a superset of JavaScript that compiles to clean JavaScript output)
   Primary programming language: TypeScript (100%)
   Stars: 80,300
   Watching: 2,100
   Forks: 10,500
   Description: TypeScript is a language for application-scale JavaScript. TypeScript adds optional types to JavaScript that support tools for large-scale JavaScript applications for any browser, for any host, on any OS. TypeScript compiles to readable, standards-based JavaScript.
   Repository URL: TypeScript

4- PowerToys (Windows system utilities to maximize productivity)
   Primary programming language: C# (53.6%)
   Stars: 72,600
   Watching: 1,000
   Forks: 4,100
   Description: Microsoft PowerToys is a set of utilities for power users to tune and streamline their Windows experience for greater productivity.
   Repository URL: PowerToys

5- Web-Dev-For-Beginners (24 Lessons, 12 Weeks, Get Started as a Web Developer)
   Primary programming language: JavaScript (78.5%)
   Stars: 46,500
   Watching: 2,300
   Forks: 6,800
   Description: Azure Cloud Advocates at Microsoft are pleased to offer a 12-week, 24-lesson curriculum all about JavaScript, CSS, and HTML basics. Each lesson includes pre- and post-lesson quizzes, written instructions to complete the lesson, a solution, an assignment and more. Our project-based pedagogy allows you to learn while building, a proven way for new skills to 'stick'.
   Repository URL: Web-Dev-For-Beginners

6- playwright (Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API)
   Primary programming language: TypeScript (85.1%)
   Stars: 37,300
   Watching: 328
   Forks: 1,700
   Description: Playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox, and WebKit with a single API. Playwright is built to enable cross-browser web automation that is ever-green, capable, reliable and fast.
   Repository URL: playwright

7- ML-For-Beginners (12 weeks, 26 lessons, 52 quizzes, classic Machine Learning for all)
   Primary platform: Jupyter Notebook (99.4%)
   Stars: 35,100
   Watching: 680
   Forks: 6,800
   Description: Azure Cloud Advocates at Microsoft are pleased to offer a 12-week, 26-lesson curriculum all about Machine Learning. In this curriculum, you will learn about what is sometimes called classic machine learning, using primarily Scikit-learn as a library and avoiding deep learning, which is covered in our forthcoming 'AI for Beginners' curriculum. Pair these lessons with our 'Data Science for Beginners' curriculum, as well! Travel with us around the world as we apply these classic techniques to data from many areas of the world. Each lesson includes pre- and post-lesson quizzes, written instructions to complete the lesson, a solution, an assignment, and more. Our project-based pedagogy allows you to learn while building, a proven way for new skills to 'stick'.
   Repository URL: ML-For-Beginners

8- monaco-editor (A browser based code editor)
   Primary programming language: JavaScript (81.1%)
   Stars: 29,300
   Watching: 505
   Forks: 2,800
   Description: The Monaco Editor is the code editor which powers VS Code. Please note that this repository contains no source code for the code editor, it only contains the scripts to package everything together and ship the monaco-editor npm module.
   Repository URL: monaco-editor

9- calculator (Windows Calculator: A simple yet powerful calculator that ships with Windows)
   Primary programming language: C++ (71.9%)
   Stars: 24,200
   Watching: 561
   Forks: 4,400
   Description: The Windows Calculator app is a modern Windows app written in C++ and C# that ships pre-installed with Windows. The app provides standard, scientific, and programmer calculator functionality, as well as a set of converters between various units of measurement and currencies. Calculator ships regularly with new features and bug fixes.
   Repository URL: calculator

10- cascadia-code (This is a fun, new monospaced font that includes programming ligatures and is designed to enhance the modern look and feel of the Windows Terminal)
   Primary programming language: Python (100%)
   Stars: 19,900
   Watching: 237
   Forks: 666
   Description: Cascadia is a fun new coding font that comes bundled with Windows Terminal, and is now the default font in Visual Studio as well.
   Repository URL: cascadia-code

Well, that's it for the top 10 open-source GitHub repositories developed and maintained by Microsoft. Were there any surprises in there for you? Have you contributed to any of the aforementioned or other Microsoft repositories? Let us know the details in the comments section below!

These are Microsoft's top 10 most popular open-source GitHub repositories
6. Hacker claims to have grabbed 63.2 GB of Microsoft source code from GitHub

A hacker has posted segments of what is claimed to be a massive 63.2 GB dump of Microsoft’s private GitHub repositories, taken as recently as 03/28/2020 by the same hacker who hacked Indonesian company Tokopedia. Screenshots of the directory listing of the files suggest the dump contains source code for Azure, Office and some Windows runtimes. The news was confirmed by the Under the Breach Twitter account, a data breach monitoring and prevention service:

Despite the size of the hack, it is unlikely that many secrets will have been leaked. Microsoft’s repositories on GitHub are frequently intended for public availability, even when private, and Microsoft performs stringent checks and scans of uploaded code to manage exactly this scenario. Reportedly Microsoft keeps their crown jewels, Windows, in a massive internal 300 GB Git repository.

Source: Hacker claims to have grabbed 63.2 GB of Microsoft source code from GitHub (MSPoweruser)
  7. GitHub getting on board legitimizes movement aimed at removing racially-charged language from software. GitHub is working on replacing the term "master" on its service with a neutral term like "main" to avoid any unnecessary references to slavery, its CEO said on Friday. The code-hosting portal is just the latest in a long line of tech companies and open source projects that have expressed support for removing terms that may be offensive to developers in the black community. This includes dropping terms like "master" and "slave" for alternatives like "main/default/primary" and "secondary;" but also terms like "blacklist" and "whitelist" for "allow list" and "deny/exclude list." The concern is that continued use of these racially-loaded terms could prolong racial stereotypes. "Such terminology not only reflects racist culture, but also serves to reinforce, legitimize, and perpetuate it," wrote academics in a 2018 journal. BLM protests spurs new efforts to clean out software language Now, spurred by the Black Lives Matter protests across the US, the tech community is engaging again in efforts to remove such language from source code, software applications, and online services. For starters, the Android mobile operating system, the Go programming language, the PHPUnit library and the Curl file download utility have stated their intention to replace blacklist/whitelist with neutral alternatives. Similarly, the OpenZFS file storage manager has also replaced its master/slave terms used for describing relations between storage environments with suitable replacements. Gabriel Csapo, a software engineer at LinkedIn, said on Twitter this week that he's also in the process of filing requests to update many of Microsoft's internal libraries and remove any racially-charged phrases. Other projects that don't use racially-charged constructs in their source code or user interfaces directly are now looking at their source code repositories. 
Most of these projects manage their source code via the Git software, or the GitHub online portal (which provides Git-based source code hosting). Both Git and GitHub use the term "master" for the default version of a source code repository. Developers fork a version of the "master" to create secondary versions, add their own code to this default version, and then merge their changes back into the "master." Now, several open source projects are changing the name of their default Git repo from "master" to alternatives like main, default, primary, root, or another. For example, ZDNet found that projects like the OpenSSL encryption software library, automation software Ansible, Microsoft's PowerShell scripting language, the P5.js JavaScript library, and many others are looking at changing the name of their default source code repos, in a bid to stamp out racially-charged and slavery-related terms, in a way of showing support for the BLM movement and their protests. The move has taken the open source development community by storm, so much so that even the Git project itself is now considering an official change, albeit discussions in its mailing list and GitHub Issues section are still going on, with considerable pushback. GitHub support legitimizes and streamlines movement But even if Git formally replaces the "master" name or not, GitHub appears to have decided to move on, regardless of Git's decision. On Friday, Google Chrome developer Una Kravets tweeted that the Chrome project was considering a similar move of renaming the default branch of the Chrome browser source code from "master" to a neutral term like "main." Kravets asked GitHub to follow Google in its move and help drive change across the industry, a move to which GitHub CEO Nat Friedman answered promptly, revealing that the company was already working on the issue. 
GitHub lending its backing to this movement effectively ensures the term will be removed across millions of projects, and effectively legitimizes the effort to clean up software terminology that started this month. But, in reality, these efforts started years ago, in 2014, when the Drupal project first moved in to replace "master/slave" terminology with "primary/replica." Drupal's move was followed by the Python programming language, Chromium (the open source browser project at the base of Chrome), Microsoft's Roslyn .NET compiler, and the PostgreSQL and Redis database systems. However, despite some pretty big projects getting on board, efforts to clean up software language across the years have not been widely embraced. The explanation most detractors give, and the one that often resurfaces in these discussions, is that terms like master/slave are now more broadly used to describe technical scenarios than actual slavery, and that the word "blacklist" has nothing to do with black people, but with the practice of using black books in medieval England to write down the names of problematic workers to avoid hiring in the future. Source
  8. The Open Source Index showcases GitHub’s most popular projects right now Concept illustration for open source software Image Credit: Esra Sen Kula / via Getty It intersects with just about every piece of software, from systems architecture to APIs, and enterprises are adopting it more than ever. Open source software, judging by just about every estimation in recent years, is eating the world. But sifting through the vast array of open source projects out there, sorting the wheat from the chaff, can be a challenge, which is partly why early stage VC firm Two Sigma Ventures has launched a new index designed to surface “high-level trends” in the open source sphere. It’s worth noting that there are already all manner of indexes and charts out there that deliver useful insights for the open source world, such as the Open Source Contributor Index, which ranks commercial organizations by their employees’ open source contributions (Google’s in the lead). And GitHub itself charts things like trending repositories. It’s possible to slice, dice, and present GitHub data in any way you see fit through its publicly available API, which is exactly what Two Sigma Ventures has done with the Open Source Index. But rather than relying on “stars,” it uses “watchers,” which it argues provides a more accurate reflection of a project’s true popularity. Star watchers GitHub, for the uninitiated, allows logged-in users to either “star” or “watch” a project — the former can perhaps best be likened to bookmarking, as the user saves the project to their profile so they can easily check in on it without having to search. It can also be used as a show of respect, similar to how someone might “like” a Facebook post or tweet — “I dig what you’re doing for open source, keep up the good work.” When someone chooses to “watch” a project, however, they are likely taking a more active interest, as they essentially sign up to receive project notifications. 
As such, the Open Source Index is based on the top GitHub projects as per the number of people that are “watching” a project. While there are of course broad correlations between “stars” and “watchers,” i.e. top projects will likely have a high number of both, they aren’t always totally aligned. Moreover, Two Sigma Ventures wanted to showcase what’s popular today, rather than what has built a high “vanity metric” by virtue of having launched 10 years ago. “A stars-based ranking tends to prioritize older projects that have been around for a while, since stars are more cumulative in nature,” Two Sigma Ventures VC Vinay Iyengar told VentureBeat. “With watchers, we believe we have a better sense of the projects that are ‘hot’ right now, as opposed to those that have been around for a while.” And so the Open Source Index, which is continuously updated, showcases the 100 “most popular and fastest-growing” open source projects, allowing users to sort and filter by various criteria (Two Sigma Ventures filtered out all the non-technical projects, such as books and educational content from the index). For the index, Two Sigma Ventures has produced its own TSV (Two Sigma Ventures) ranking, which is weighted as an average of five variables: Watchers (40%); Watcher growth (25%), which considers the variance in watchers over the past quarter; Contributors (15%); Release cadence (10%), which is the number of commits over a project’s lifetime; and Community health score (10%), which is based on GitHub’s own metric for how well-maintained a repository is. “We think our TSV Score metric is somewhat of a ‘super’ metric, in that it takes into account several factors that we believe lead to building a great open source project/community,” Iyengar said. 
None of this is an exact science of course, and Iyengar acknowledges that these weightings are somewhat “arbitrary,” reflecting “just one perspective on what’s important in building a great open source community.” The index defaults to the TSV score ranking (highest to lowest), and doesn’t reveal too many surprises — TensorFlow, React, Vue, Angular, and Kubernetes all rank highly, and they all have high numbers of stars and watchers. Above: Open Source Index: Top 10 by TSV ranking But playing around with the various filters is where things start to get a little more interesting. Chinese tech titan Baidu’s open source autonomous driving project Apollo, for example, ranks 41st when using the TSV ranking and 72nd by number of watchers. And in terms of stars, Apollo comes in last at 100th. However, if you filter the index by the quarterly watcher growth metric, Apollo is in pole position. Above: Open Source Index: Apollo on top There could be a number of reasons for this surge in interest. Two months ago, Baidu’s Apollo became the sixth company in California to get approval to test fully driverless cars on public roads, while the company has launched all manner of autonomous vehicle programs and projects in its domestic China too. Whatever the reason behind this surge, it serves as an interesting data point for any developer, company, or entrepreneur wanting to keep their finger on the open source pulse. “It [watcher growth metric] gives us an important signal on which projects have momentum in the developer ecosystem,” Iyengar noted. Other interesting observations include Bitcoin, which is ranked 40th in the index by number of stars (48,000 stars) and 33rd by TSV ranking. However, it’s in seventh place by number of watchers, ahead of JQuery, Kubernetes, and Visual Studio Code, among other arguably “more relevant” projects. 
Above: Open Source Index: Bitcoin is top 10 for most-watched The Two Sigma factor So why has Two Sigma Ventures taken the time to create this list, and what relevance does it hold? Well, as an investor, the firm has backed several startups that commercialize open source projects, such as GitLab, Timescale, Radar Labs, NS1, and Replicated. Playing around with the various menus and filters on the index reveals some interesting insights related to this, such as that seven of the top 100 projects were either created by private VC-backed startups or are maintained by commercial companies created by the original project creators — these are Redis, Grafana, Vercel, Hashicorp, Confluent, Databricks, and Preset. But the VC entity is a separate business simply called Two Sigma, which is an investment management company that applies “cutting-edge technology to the data-rich world of finance,” according to Iyengar. It counts 1,700 employees — more than half of whom are software developers and use open source software on a daily basis. They are also creators of a number of open source projects, such as Flint and BeakerX. “We have seen firsthand how software created by developers, for developers, leveraging community-based development, leads to incredible innovation,” Iyengar said in a separate blog post announcing the index. “Moreover, we are excited about how enterprise software is moving toward bottoms-up adoption, and how an open core business can lead to remarkably efficient customer acquisition and growth.” This new index also constitutes part of a growing trend in the technology realm that strives to make sense of the open source world. Just last week, OpenLogic launched an upgraded tool it calls Stack Builder, which helps enterprises choose the right open source software. And earlier this year, Openbase emerged out of the ether to serve as a sort of Yelp for open source software packages. 
If nothing else, the Open Source Index serves as a useful accompaniment to these other efforts, helping companies and developers dig down into the best — or most popular — open source projects on GitHub right now. There are plans to add more data to the mix in the future, according to Iyengar, such as downloads, community engagement in external channels such as Slack or Discord, and even mentions in job advertisements. The Open Source Index is available now and free to use for anyone. Source: The Open Source Index showcases GitHub’s most popular projects right now
  9. GitHub fixes bug causing users to log into other accounts Last night, GitHub automatically logged out many users by invalidating their GitHub.com sessions to protect user accounts against a potentially serious security vulnerability. Earlier this month GitHub had received a report of anomalous behavior from an external party. The anomalous behavior stemmed from a rare race condition vulnerability in which a GitHub user's login session was misrouted to the web browser of another logged-in user, giving the latter an authenticated session cookie for, and access to, the former user's account. GitHub logs out users automatically due to a bug As of yesterday, GitHub signed out all users that were logged in prior to March 8th, 12:03 UTC. This step was taken almost a week after the company had received an initial report of suspicious behavior on GitHub.com from an external party. "On March 2, GitHub received an external report of anomalous behavior for their authenticated GitHub.com user session." "Upon receiving the report, GitHub Security and Engineering immediately began investigating to understand the root cause, impact, and prevalence of this issue on GitHub.com," reads a security announcement from the company. On Friday, March 5th, GitHub teams remediated the security flaw and continued with the analysis over the weekend. Further, invalidating all the sessions last night was the final step taken to patch the bug. The vulnerability, according to GitHub, could be exploited in extremely rare circumstances when a race condition would occur during the backend request handling process. In such a case, the session cookie of a logged-in GitHub user would be sent to the browser of another user, giving the latter access to the former user's account. 
"It is important to note that this issue was not the result of compromised account passwords, SSH keys, or personal access tokens (PATs) and there is no evidence to suggest that this was the result of a compromise of any other GitHub systems." "Instead, this issue was due to the rare and isolated improper handling of authenticated sessions." "Further, this issue could not be intentionally triggered or directed by a malicious user," says Mike Hanley, Chief Security Officer at GitHub. Fewer than 0.001% of sessions affected The company states that the underlying bug was present on GitHub.com for a cumulative period of under two weeks at certain points in time between February 8th and March 5th, 2021. After the initial cause was identified and fixed by March 5th, the company issued a second patch on March 8th to further strengthen the security of the website. This is what caused GitHub to invalidate all logged-in sessions active prior to midday March 8th. There is no evidence that other GitHub.com assets or products such as GitHub Enterprise Server were impacted as a result of this bug. "We believe that this session misrouting occurred in fewer than 0.001% of authenticated sessions on GitHub.com." "For the very small population of accounts that we know to be affected by this issue, we’ve reached out with additional information and guidance," continues Hanley in the announcement. Although we are yet to confirm the full extent of the impact of this bug, the 0.001% of authenticated sessions estimate could mean over tens of thousands of accounts, considering GitHub gets over 32 million active visitors (authenticated or not) in a month. Additionally, the company is yet to comment on whether any of the project repositories or source code were tampered with as a result of this vulnerability. Authentication vulnerabilities like these, if exploited by adversaries, can pave the way for covert software supply-chain attacks. 
BleepingComputer reached out to GitHub for comment before publishing and we are awaiting their response. Source: GitHub fixes bug causing users to log into other accounts
  10. GitHub Wants to Get Rid Of the DMCA’s Anti-Circumvention FUD GitHub is urging the US Copyright Office to expand the DMCA anti-circumvention exemptions to eliminate FUD. The developer platform backs a proposal from Professor Halderman which opts to broaden exemptions for security researchers. GitHub is not the only party that backs elements of this proposal; the US Department of Justice does too. US copyright law places broad restrictions on what people are allowed to do with copyrighted content. The U.S. Copyright Office regularly reviews these exemptions to Section 1201 of the DMCA, which generally prevents the public from ‘tinkering’ with DRM-protected software and devices. These provisions are renewed every three years after the Office hears input from stakeholders and the general public. This process also allows interested parties to suggest new exemptions. Exemptions For Good Faith Security Research In recent years we have covered exemptions for game archivists but there are many more on the table. This includes the ability for experts to bypass copyright restrictions to conduct good-faith security research. This exemption already exists but many people believe that it’s rather limited in its current form, which reads as follows: Computer programs, where the circumvention is undertaken on a lawfully acquired device or machine on which the computer program operates, or is undertaken on a computer, computer system, or computer network on which the computer program operates with the authorization of the owner or operator of such computer, computer system, or computer network, solely for the purpose of good-faith security research and does not violate any applicable law, including without limitation the Computer Fraud and Abuse Act of 1986. This text used to be more restrictive and was adjusted three years ago, following a proposal from Computer Science & Engineering Professor Alex Halderman. 
This year, Halderman submitted a new proposal, trying to expand this exemption further and reduce the risk for security researchers. Among other things, the professor would like the word “solely” removed from the text, as well as the requirement that a device has to be “lawfully acquired” and that circumvention does “not violate any applicable law.” GitHub Backs Halderman Proposal This proposal is currently being considered and this week various parties offered their support in letters submitted to the US Copyright Office. This includes developer platform GitHub which, following the RIAA/youtube-dl debacle, said it would get more involved in this process. According to GitHub, developers are often facing fear, uncertainty, and doubt (FUD) with regard to legal issues. This may lead them not to start a project that could have benefited society as a whole. Source of FUD “Section 1201 is a source of FUD as applied to good faith security research. It can be asserted even when a court has decided that there is no copyright infringement of the underlying work,” GitHub writes. “It’s a reason why a developer can’t be confident that there won’t be repercussions for engaging in legitimate, non-infringing security research and related development activities. It’s a reason why they might decide to do a different project, with less impact, that doesn’t help make us all safer to the same extent.” GitHub urges the US Copyright Office to focus the exemptions on eliminating FUD. Removing the requirement that all actions are “solely” for the purpose of good-faith security research is crucial. GitHub argues that as long as an activity is consistent with conducting good-faith security research, it should not matter if all steps are “solely” focused on security. “The Halderman et al. proposal draws clearer lines out of fuzzy lines in the current exemption, giving more certainty to researchers, academics, and enterprises conducting security research. 
It should be taken seriously,” GitHub adds. Department of Justice Support The Halderman proposal is widely supported by developers and researchers, but there’s also backing from less expected parties, such as the US Department of Justice. In a comment to the Copyright Office, the Department of Justice’s Computer Crime and Intellectual Property Section agrees that it’s a good idea to drop the requirement that circumvention does “not violate any applicable law”. The DoJ argued against this three years ago, but it now agrees that this language is troublesome. “[W]e are now persuaded that replacing the existing requirement that research not violate ‘any applicable law’ with alternative explanatory language would provide equally sufficient notice of the need to comply with applicable law. “This change would also reduce the chance that potentially valuable research projects may be discouraged by fears that inadvertent or minor violations of an unrelated law could result in substantial liability under the DMCA,” the DoJ writes. Not a Free Pass to Violate Laws The DoJ still believes that researchers who intentionally violate the law should be held accountable. However, the current language is too broad and subjects researchers to all sorts of liabilities. “It thus may discourage valuable research projects that would otherwise be undertaken if researchers could be more certain the exemption would apply,” the DoJ writes. These are strong words coming from the Department of Justice, which will likely weigh strongly. However, the DoJ doesn’t support the Halderman proposal in full. 
For example, the DoJ doesn’t agree that the word “solely” should be removed from the exemption, nor does it see the need to strip the condition that a device has to be “lawfully acquired.” — GitHub’s comments to the Copyright Office can be found here (pdf) and the comments from the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) are available here (pdf) GitHub Wants to Get Rid Of the DMCA’s Anti-Circumvention FUD
  11. GitHub Explores New Anti-Malware Policy but the Community Express Concerns GitHub wants to update its policy on dealing with potentially malicious code, and the community isn’t happy about it. Many find that it’s practically impossible to police uploads without hindering offensive security research. The code hosting platform had to deal with a very risky PoC recently, so this is why they are taking broader action now. GitHub feels that the time to introduce a stricter policy that deals with the presence of malware on the platform has come and is calling the community to share its thoughts. Mere hours after the relevant announcement came out, numerous security researchers have expressed their concerns, as adding restrictions means they could lose valuable stuff like PoCs that help plug holes, IoCs that help protect systems, offensive security tools that aid in the discovery of flaws, exploit iterations, and all the “goodies” that make their valuable work possible. THIS IS UNACCEPTABLE. EVERYONE GET IN HERE AND START SHARING FEEDBACK. WE CAN'T LET GITHUB TURN INTO THE EXPLOIT POLICE. BLUE TEAMERS RELY ON GITHUB TO PERFORM OUR JOBS. HTTPS://T.CO/R2TTWRNIUV — John "Mr. Hacking" Jackson 桜の侍 (@johnjhacking) April 29, 2021 GitHub has always had similar problems and reservations, but the incident that seems to have been the straw that broke the camel’s back was an upload of a working proof of concept exploit for Microsoft Exchange flaws, long before the vast majority of the vulnerable systems had applied the fixing patches. As this was an exploit against Microsoft products, and with GitHub being a Microsoft-owned platform, removing the particular PoC from it didn’t resonate well with the community, even if many found the publication unethical in the first place. As such, GitHub figured it needs a standard system to evaluate all uploads instead of having to justify what’s objectively acceptable with different circumstances underpinning the incident every time. 
DISAPPOINTING THAT THEY DECIDED TO POLICE OPEN SOURCE CODE THAT CAUSES WHATEVER THEIR CHANGING DEFINITION OF “ONGOING ATTACKS” OR “HARM” WILL BE PIC.TWITTER.COM/JI2SQH0L0I — Chase Dardaman (@CharlesDardaman) April 29, 2021 In the relevant announcement, GitHub states that fostering security research remains high in its list of priorities, but they need to figure out a way to keep things going while respecting the specific needs of security professionals. But as numerous researchers pointed out in the relevant discussion thread, this is going to be very complicated to do. Frankly, most of them would prefer that GitHub keeps things mostly unregulated, allowing the freedom to upload and share potentially harmful code, even if this admittedly comes with some risk of abuse. Source: GitHub What comes out from this discussion is that GitHub’s team sincerely wants to hear the community feedback, but whether or not anyone’s opinion will play a role in the decisions taken in the end remains to be seen. Already, many in the security research field have been disappointed by this development, and there have been quite a few posts discussing viable alternatives. Source: GitHub So, the cogs are now turning, and we will soon know how deep and wide the impact of GitHub’s new policies is going to be. If they are too disruptive for security research, then the affected community will just move elsewhere, maybe even set up something new. For sure, security research isn’t going to stop, but a ground-shifting move from GitHub could bring a serious disruption. Source: GitHub Explores New Anti-Malware Policy but the Community Express Concerns
  12. GitHub blocks Google FLoC tracking Yesterday, GitHub announced rolling out a mysterious HTTP header on all GitHub Pages sites. GitHub Pages enables users to create websites right from within their GitHub repository. And it turns out, this header, now being returned by GitHub sites, is actually meant for website owners to opt-out of Google FLoC tracking. BleepingComputer also noticed the entire github.com domain had this header set, indicating GitHub did not want its visitors to be included in Google FLoC's "cohorts" when visiting any GitHub page. Google FLoC met with resistance As previously reported by BleepingComputer, Google FLoC is a newer technology to replace the traditional third-party cookie tracking used by ad networks and analytics platforms to track users around the web. The privacy-centric FLoC, on the other hand, aims to replace tracking technologies like third-party cookies and localStorage with what is being called "cohorts." As opposed to servers (or ad networks) tracking users across the world wide web and recording their browsing history, FLoC hands off this responsibility to the user's individual web browser. That is, every Google Chrome web browser instance selected as a part of the FLoC trial would be lumped with specific "cohorts," or groups that most closely represent their recent web browsing habits. Thousands of browsers with identical browsing history (belonging to the same "cohort") stored locally will have a shared "cohort" identifier assigned, which will be shared with a site when requested. As Google explains it: "FLoC doesn’t share your browsing history with Google or anyone." "This is different from third-party cookies, which allow companies to follow you individually across different sites." "FLoC works on your device without your browsing history being shared. Importantly, everyone in the ads ecosystem, including Google’s own advertising products, will have the same access to FLoC," explained Google in a blog post. 
However, Google's proposal to replace third-party tracking cookies with FLoC has been met with resistance from many industry players including EFF, Microsoft, Mozilla Firefox, Vivaldi, Brave, and DuckDuckGo, who are against any kind of user tracking. As reported by BleepingComputer earlier, website owners that did not wish to take part in FLoC could block it by returning the following HTTP response header to their visitors: Permissions-Policy: interest-cohort=() This header allows sites to opt-out of FLoC, in the sense that visits to sites returning this HTTP header will be ignored by web browsers when generating cohort data for a user. GitHub ditches Google FLoC too As seen by BleepingComputer, both the *.github.com domain and GitHub Pages sites hosted on *.github.io are returning this HTTP header at the time of writing: GitHub Pages contain HTTP header to opt-out of Google FLoC tracking Source: BleepingComputer Interestingly, GitHub's announcement on the topic is rather succinct and has no mention of Google FLoC anywhere in it: "All GitHub Pages sites served from the github.io domain will now have a Permissions-Policy: interest-cohort=() header set." "Pages sites using a custom domain will not be impacted," concludes GitHub's blog post released yesterday. Users can check if their web browser has been selected to be a part of the FLoC pilot experiment by following the instructions provided at EFF's AmIFloced.org. At this time, FLoC is expected to roll out among "a small percentage of users" based in Australia, Brazil, Canada, India, Indonesia, Japan, Mexico, New Zealand, the Philippines, and the U.S., according to Google. Source: GitHub blocks Google FLoC tracking
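As an added example (not code from GitHub or BleepingComputer), the following Python script parses a response's Permissions-Policy header the way a site owner would when auditing whether their pages carry the FLoC opt-out described above; the header sets in SAMPLE_SITES are constructed, and fetch_headers() is an optional helper for a live site that the offline samples never call.

```python
"""Check whether a site's Permissions-Policy header opts it out of Google FLoC.

Added example, not GitHub's or BleepingComputer's code. The header sets in
SAMPLE_SITES are constructed for illustration; fetch_headers() is an optional
helper for checking a live site and is not used by the offline samples.
"""
from __future__ import annotations

import re
import urllib.request

# One directive: feature=(allowlist) | feature=* | feature=self
# e.g.  geolocation=(self "https://maps.example"), interest-cohort=()
_DIRECTIVE = re.compile(r'([a-zA-Z0-9-]+)\s*=\s*(\(([^)]*)\)|\*|self)')


def parse_permissions_policy(value: str) -> dict[str, list[str]]:
    """Return {feature: allowlist}. An empty list means the feature is
    disabled for every origin, which is the FLoC opt-out GitHub set."""
    policy: dict[str, list[str]] = {}
    for name, raw, inner in _DIRECTIVE.findall(value):
        if raw == "*":
            policy[name.lower()] = ["*"]
        elif raw == "self":
            policy[name.lower()] = ["self"]
        else:
            # Split the parenthesised allowlist on whitespace; quotes are
            # stripped so 'self' and "https://a.example" compare cleanly.
            policy[name.lower()] = [tok.strip('"') for tok in inner.split()]
    return policy


def _get_header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, val in headers.items():
        if key.lower() == name.lower():
            return val
    return None


def floc_status(headers: dict[str, str]) -> str:
    """Classify a response header set:
      'opted-out' : interest-cohort=() present (GitHub's setting)
      'allowed'   : interest-cohort present but with a non-empty allowlist
      'no-policy' : no interest-cohort directive, so Chrome may use the visit
    """
    value = _get_header(headers, "Permissions-Policy")
    if value is None:
        return "no-policy"
    policy = parse_permissions_policy(value)
    if "interest-cohort" not in policy:
        return "no-policy"
    return "opted-out" if policy["interest-cohort"] == [] else "allowed"


def fetch_headers(url: str, timeout: float = 10) -> dict[str, str]:
    """Fetch a live site's response headers (network; not used by the samples)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, modelled on the header quoted in the article.
SAMPLE_SITES = {
    "pages-site":   {"Permissions-Policy": "interest-cohort=()"},
    "mixed-policy": {"permissions-policy":
                     'geolocation=(self "https://maps.example"), interest-cohort=()'},
    "self-only":    {"Permissions-Policy": "interest-cohort=(self)"},
    "no-header":    {"Content-Type": "text/html; charset=utf-8"},
}


def audit(sites: dict[str, dict[str, str]]) -> dict[str, str]:
    """Run floc_status over a set of header dicts, keyed by site label."""
    return {label: floc_status(hdrs) for label, hdrs in sites.items()}


if __name__ == "__main__":
    for label, status in audit(SAMPLE_SITES).items():
        print(f"{label:13s} {status}")
```

Note that a `self-only` allowlist is not an opt-out: only the empty allowlist `()` tells the browser to exclude the visit from cohort calculation.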
  13. GitHub Reinstated YouTube-DL But Restoring Forks is Apparently a Problem After the RIAA had youtube-dl removed from GitHub last year, the platform decided to reinstate the YouTube-ripping tool, claiming that the industry group's takedown was unwarranted. However, users who forked the project weren't so lucky and according to a counternotice filed this week, GitHub isn't responding to informal restoration requests. There is probably a good reason for that. Last October the RIAA infuriated many players in the open source community by targeting YouTube-ripping tool youtube-dl in a DMCA takedown notice filed at GitHub. What followed was a broad backlash against the RIAA, the likes of which hadn’t been seen for many years. The music industry group’s claims of DMCA violations due to the software allegedly bypassing technological protection measures were met with intense criticism, including from the EFF. In a surprise move several weeks later, GitHub reinstated the youtube-dl repository after concluding that the code doesn’t violate the DMCA’s anti-circumvention provisions. In addition, GitHub sought to boost its standing with developers by placing $1m into a takedown defense fund. “We are taking a stand for developers and have reinstated the youtube-dl repo. Section 1201 of the DMCA is broken and needs to be fixed. Developers should have the freedom to tinker. That’s how you get great tools like youtube-dl,” GitHub CEO Nat Friedman explained. Dust Settles But The Fix Was Incomplete, Dev Says When the RIAA took down GitHub, its DMCA notice affected many developers who had forked the youtube-dl code. Many repositories were listed in the RIAA’s complaint so those were disabled too, replaced with the familiar GitHub page indicating they had been removed for alleged copyright infringement. 
However, despite youtube-dl being reinstated, these forks remain down following the RIAA’s complaint and according to one developer, GitHub isn’t responding to calls to reinstate them. In a DMCA counternotice filed this week, the operator of the ‘spookyahell’ repo describes the situation, noting that his previous requests to have his repository restored are being ignored by GitHub. In supporting evidence detailing why the repo should be restored, the developer covers earlier ground noting that the RIAA’s notice was “way too broad”, is believed to be “wildly invalid”, failed to correctly interpret the law, and cited anti-circumvention methods that “do not apply.” The dev also points out that when the RIAA cited a German legal process that determined that youtube-dl is illegal, that should be considered irrelevant to the United States since European law has “no place in a DMCA takedown”. The RIAA, for its part, insists that the relevant German law is “materially identical to Title 17 U.S.C. §1201 of the United States Code.” This Dev is Clearly Irritated While the developer appears to accept that GitHub eventually stood up to the RIAA, he isn’t entirely convinced of the coding platform’s overall support. “(i)t seems like GitHub is still kinda ‘the bitch of the RIAA’ because they side with RIAA rather than developers who wish to reinstate the repos (unchanged) which according to the EFF would be perfectly legal,” his notice reads. “The issues that raised from this takedown have lead to a major statement from github and change of already in-place policies and it seems they had to re-convince the developers that they actually support developers. The action they are taking with the actual forks however is unconvincing of their so-called principals [sic].” The dev continues by stating that in addition to restoring the original project, GitHub should’ve reinstated all the forks as well, while notifying the RIAA that its claims were wrong. 
However, there are some important issues that the counternotice doesn’t address. While youtube-dl was indeed reinstated, that didn’t take place before the original code was tweaked. Its functionality doesn’t appear to have been degraded but an examination of the code reveals that before it was put back, modifications took place to remove references to copyright works, including a song by Taylor Swift. If we work on the premise that GitHub believed that these changes were enough to ease youtube-dl back onto the non-infringing side of the fence, then any original forks would still relate to the unmodified code, meaning that the RIAA’s original takedown notice would carry more weight. This probably explains why GitHub hasn’t reinstated this developer’s repository on request, despite the filing of a counternotice. Technically speaking, GitHub still has a number of days left before it needs to reinstate the fork under the DMCA, pending the filing of a lawsuit by the RIAA. However, since the music group has had since October to take action against youtube-dl itself, that doesn’t seem likely. To learn more about how Github views the situation, TorrentFreak contacted CEO Nat Friedman for additional information, including whether youtube-dl forks will be restored automatically or if devs need to file an official DMCA counternotice. Friedman did not immediately respond to our request for comment but it seems likely that devs will have to let their original forks go and fork the modified project instead. GitHub Reinstated YouTube-DL But Restoring Forks is Apparently a Problem
  14. A few days ago, Paragon Software Group, a company that deals with various storage technologies, submitted a pull request for its NTFS read/write driver, dubbed NTFS3, for the upcoming Linux 5.15 kernel. Linux head honcho Linus Torvalds, however, wasn't too pleased with the submission. While Torvalds didn't have much of an issue with the NTFS3 pull request itself, he was rather annoyed at the GitHub merge commit in it, as the Linux boss apparently does not like GitHub merges much, if at all. Here's what Linus Torvalds said in response to Paragon Software, in a rather familiar stern manner, about GitHub merges: github creates absolutely useless garbage merges, and you should never ever use the github interfaces to merge anything. github is a perfectly fine hosting site, and it does a number of other things well too, but merges is not one of those things. Linux kernel merges need to be done *properly*. That means proper commit messages with information about what is being merged and *why* you merge something. But it also means proper authorship and committer information etc. All of which github entirely screws up. Finally, Torvalds also revealed what he would much rather have instead of GitHub when it comes to Linux kernel merges: for continued development you need to do things properly. That means doing merges from the command line, not using the entirely broken github web interface. So command line it is for Linus Torvalds then. Source: lkml Linus Torvalds is not much of a fan of GitHub's "absolutely useless garbage merges"
  15. GitHub's new policies allow removal of PoC exploits used in attacks GitHub announced on Friday its updated community guidelines, which explain how the company will deal with exploits and malware samples hosted on its service. To give some background to the policy changes: in March, security researcher Nguyen Jang uploaded a proof-of-concept (PoC) exploit for the Microsoft Exchange ProxyLogon vulnerability to GitHub. Soon after uploading the exploit, Jang received an email from Microsoft-owned GitHub stating that the PoC had been removed because it violated the Acceptable Use Policies. In a statement to BleepingComputer, GitHub said it took down the PoC to protect Microsoft Exchange servers that were being heavily exploited at the time through the vulnerability. "We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, GitHub disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited." - GitHub. However, GitHub faced immediate backlash from security researchers who felt that GitHub was policing the disclosure of legitimate security research simply because it affected a Microsoft product. GitHub releases updated guidelines In April, GitHub issued a 'call for feedback' to the cybersecurity community regarding its policies for malware and exploits hosted on GitHub. After a month of input, GitHub officially announced yesterday that repositories created to host malware for malicious campaigns, act as a command and control server, or distribute malicious scripts are prohibited. However, uploading PoC exploits and malware is permitted as long as they have a dual-use purpose. 
In the context of malware and exploits, dual-use means content that can be used for the positive sharing of new information and research while also being usable for malicious purposes. The key changes added to the GitHub guidelines are summarized below:
• We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits. We understand that many security research projects on GitHub are dual-use and broadly beneficial to the security community. We assume positive intention and use of these projects to promote and drive improvements across the ecosystem. This change modifies previously broad language that could be misinterpreted as hostile toward projects with dual-use, clarifying that such projects are welcome.
• We have clarified how and when we may disrupt ongoing attacks that are leveraging the GitHub platform as an exploit or malware content delivery network (CDN). We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss.
• We made clear that we have an appeals and reinstatement process directly in this policy. We allow our users to appeal decisions to restrict their content or account access. This is especially important in the security research context, so we’ve very clearly and directly called out the ability for affected users to appeal action taken against their content.
• We’ve suggested a means by which parties may resolve disputes prior to escalating and reporting abuse to GitHub. This appears in the form of a recommendation to leverage an optional SECURITY.md file for the project to provide contact information to resolve abuse reports. This encourages members of our community to resolve conflicts directly with project maintainers without requiring formal GitHub abuse reports. 
While dual-use content is allowed, the new GitHub guidelines around PoCs and malware state that GitHub retains the right to remove dual-use content, such as exploits or malware, to disrupt active attacks or malware campaigns utilizing GitHub. "In rare cases of very widespread abuse of dual use content, we may restrict access to that specific instance of the content to disrupt an ongoing unlawful attack or malware campaign that is leveraging the GitHub platform as an exploit or malware CDN. In most of these instances, restriction takes the form of putting the content behind authentication, but may, as an option of last resort, involve disabling access or full removal where this is not possible (e.g. when posted as a gist). We will also contact the project owners about restrictions put in place where possible. Restrictions are temporary where feasible, and do not serve the purpose of purging or restricting any specific dual use content, or copies of that content, from the platform in perpetuity. While we aim to make these rare cases of restriction a collaborative process with project owners, if you do feel your content was unduly restricted, we have an appeals process in place." - GitHub. GitHub says it will continue to take community feedback to keep improving these policies. Update 6/5/21: Removed a comment to the PR as it was related to the previously proposed language and not the current guidelines. GitHub's new policies allow removal of PoC exploits used in attacks
  16. GitHub and OpenAI launch a new AI tool that generates its own code Microsoft gets a taste of OpenAI’s tech GitHub and OpenAI have launched a technical preview of a new AI tool called Copilot, which lives inside the Visual Studio Code editor and autocompletes code snippets. Copilot does more than just parrot back code it’s seen before, according to GitHub. It instead analyzes the code you’ve already written and generates new matching code, including specific functions that were previously called. Examples on the project’s website include automatically writing the code to import tweets, draw a scatterplot, or grab a Goodreads rating. It works best with Python, JavaScript, TypeScript, Ruby, and Go, according to a blog post from GitHub CEO Nat Friedman. GitHub sees this as an evolution of pair programming, where two coders work on the same project to catch each other’s mistakes and speed up the development process. With Copilot, one of those coders is virtual. This project is the first major result of Microsoft’s $1 billion investment into OpenAI, the research firm now led by former Y Combinator president Sam Altman. Since Altman took the reins, OpenAI has pivoted from nonprofit status to a “capped-profit” model, taken on the Microsoft investment, and started licensing its GPT-3 text-generation algorithm. Copilot is built on a new algorithm called OpenAI Codex, which OpenAI CTO Greg Brockman describes as a descendant of GPT-3. GPT-3 is OpenAI’s flagship language-generating algorithm, which can generate text sometimes indistinguishable from human writing. It’s able to write so convincingly because of its sheer size: 175 billion parameters, or adjustable knobs that allow the algorithm to learn relationships between letters, words, phrases, and sentences. While GPT-3 generates English, OpenAI Codex generates code. 
OpenAI plans to release a version of Codex through its API later this summer so developers can build their own apps with the tech, a representative for OpenAI told The Verge in an email. Codex was trained on terabytes of openly available code pulled from GitHub, as well as English language examples. While testimonials on the site rave about the productivity gains Copilot provides, GitHub implies that not all of the code used was vetted for bugs, insecure practices, or personal data. The company writes that it has put a few filters in place to prevent Copilot from generating offensive language, but they might not be perfect. “Due to the pre-release nature of the underlying technology, GitHub Copilot may sometimes produce undesired outputs, including biased, discriminatory, abusive, or offensive outputs,” Copilot’s website says. Given criticisms of GPT-3’s bias and abusive language patterns, it seems that OpenAI hasn’t found a way to prevent its algorithms from inheriting the worst elements of their training data. The company also warns that the model could suggest email addresses, API keys, or phone numbers, but that this is rare and the data has been found to be synthetic or pseudo-randomly generated by the algorithm. Whether or not such strings are synthetic, a key-shaped string in a suggestion should be treated as a secret until proven otherwise, and the usual secret scanning on commits still applies. The code generated by Copilot is, however, largely original. A test performed by GitHub found that only 0.1 percent of generated code could be found verbatim in the training set. This isn’t the first project to try to automatically generate code to help toiling programmers. The startup Kite pitches very similar functionality, with availability in more than 16 code editors. Right now, Copilot is in a restricted technical preview, but you can sign up on the project’s website for a chance to access it. Source: GitHub and OpenAI launch a new AI tool that generates its own code
  17. The Motion Picture Association has asked GitHub to remove a collection of scripts that allow people to rip content from popular streaming services such as Netflix, Disney+, and Amazon Prime. The tools in question bypass the Widevine copy protection, violating the DMCA, the group argues. Hundreds of forks of the "Widevine Dump" code were also targeted and removed by GitHub. A little over two weeks ago we broke the news that a user, going by the name “Widevinedump”, had leaked a collection of movie ripping scripts on GitHub. These were high-profile leaks, as Widevine is one of the leading content protection tools in the video business. The Google-owned technology is used by many of the largest streaming services, including Amazon, Netflix and Disney+. The code allows people to download HD video from popular streaming platforms including Disney+, Amazon, and Netflix. And indeed, soon after the repositories went live, sources confirmed that it was doing just that. The person who posted the code didn’t necessarily create it. Most of these tools were already circulating elsewhere, often in private groups. However, by appearing on GitHub they became more public than ever before. MPA Asks GitHub to Remove the Scripts In our initial report, we mentioned that rightsholders would likely take swift action in response. That was indeed the case, as the Motion Picture Association sent a takedown notice to GitHub on December 31, which was made public by GitHub a few hours ago. “Widevine is proprietary software that prevents stream ripping, and the scripts circumvent that by exploiting a vulnerability to allow stream ripping,” MPA wrote in its initial takedown notice. Acting on behalf of its members, including Disney and Netflix, MPA requested GitHub to remove the “Widevinedump” repositories including ‘DISNEY-4K-SCRIPT’, ‘Netflix-4K-Script’, ‘WV-AMZN-4K-RIPPER’, ‘APPLE-TV-4K-Downloader’ and several others. 
“In short, the poster has written scripts to circumvent DRM on multiple streaming platforms, including Disney+, Amazon Prime, Netflix, and others. These scripts allow users to rip (download) streams directly to their devices, and, then, distribute them on the internet,” MPA told GitHub. Around the same time that the MPA sent its notice, these repositories indeed went offline. However, it is unclear whether GitHub took action. When the platform makes a repository unavailable it will generally display an “unavailable due to DMCA takedown” notice. The Widevinedump links, however, return a 404 error and the account itself has been deleted. Before the MPA sent its takedown notice, “Widevinedump” already informed us that the code would be removed voluntarily in a few days. Perhaps the MPA’s takedown notice was the final nudge? Hundreds of Forks Appeared With the repositories offline, the problem wasn’t fully resolved. During the first few days after the leak appeared, hundreds of forks showed up as well, which (partially) copied the code. To deal with this aftermath, the MPA sent another takedown notice last week, which was also made public a few hours ago. This request lists hundreds of forks that allegedly include the same code. “The [Widevinedump] scripts have been removed and we have also reviewed the fork network to determine those that contain the content we reported as a violation of the DMCA in the parent repository,” MPA writes. The notice itself lists hundreds of links. We tried to access these today and found that some point to a 404 error, while others list a DMCA takedown message. Responding to MPA’s notice, GitHub says that it applied the request to the entire network of forks, which includes 934 repositories. However, a quick search of the platform reveals that some copies are still floating around, so this may not be the end of the matter. 
When “Widevinedump” posted the scripts they wrote that it was a retaliatory move against some people in a Discord group. These people may have returned fire, as a GitHub repository titled “Widevine Dox” was posted a few days later. Finally, it is worth noting that “Widevinedump” asked for money in return for working Content Decryption Modules (CDMs), which are required to use most scripts. Whether people actually paid for and received these CDMs is unknown but that could obviously lead to all sorts of disappointments and even legal trouble. GitHub Takes Down “Widevine Dump” Forks Following MPA Complaint
  18. Last month there was excitement when the source code for Windows XP was leaked online. The big question, however, was how quickly Microsoft would act to have it removed from the web. The partial answer is that the company took 10 days to have one public repository taken down. And that was hosted on Github, a platform owned by Microsoft itself. When Microsoft’s Windows XP launched in 2001, it was something of a revelation. Built on Windows NT and a clear step up from the consumer variants of Windows that preceded it, the OS reigned for years after being installed on millions of machines. It’s currently estimated that around 0.8% of Windows PCs are still running Windows XP, despite Microsoft offering zero support for the relatively ancient OS. Nevertheless, there was mild euphoria among coders last month when it was confirmed that the source code for XP, among other things, had been leaked online, presumably to the dismay of Microsoft. Leaked via 4chan, Distributed via Torrents and MEGA For the vast majority of interested onlookers, the leak probably meant very little in practical terms. With no support from Microsoft, running Windows XP is already a security gamble, regardless of any additional leaks. However, when Microsoft confirmed it was actively investigating the leak, some presumed the company would act very quickly to have the code removed from the web. Quite when the upload to MEGA was taken down is unclear, but it didn’t take long for the file to be removed following a complaint. Torrents, of course, are much more complicated. While it is possible to have some torrent sites respond to takedown requests, sites such as The Pirate Bay will happily index pretty much anything – including the source code leak. Predictably, the leaked content is available via the site today and not even the mighty Microsoft can do much about that. 
However, when checking the hash value in Google search and scouring the DMCA notice archive hosted by Lumen Database, there appears to have been little or even no effort to have links to the source code removed from Google or Twitter. Granted, most of the sites mentioning the content have taken care not to link directly to the leaked source itself, with many preferring to post unclickable but entirely usable magnet links instead. Nevertheless, just days after the leak was reported, a very public repository of the code appeared much closer to home and nothing was done about that either. Source Code Published to Microsoft-Owned Github On September 29, a handful of days after the leak reportedly appeared on 4chan, someone called ‘shaswata56’ thought it would be a good idea to post the source code for Windows XP on Github, for the world to see and download. The interesting thing here is that Github is owned by Microsoft, so the computing giant was effectively hosting its own leak. Given the presumed sensitive nature of the source code, one might conclude that it would be spotted and deleted quickly. However, despite all the publicity, it took a full 10 days for Microsoft to do anything about it, at which point it had to serve its own company with a DMCA notice requesting that the code be taken down. Takedown Notice to Github “I work in Microsoft Security Incident Response. The code in question is from a Windows XP source code leak,” the DMCA notice dated October 8 and filed with Github reads. “The GitHub content is pulled directly form [sic] a torrent (that was also taken down),” it continues. The notice originally contained a hash value for the source but that was censored by Github, presumably to stop any additional infringement. However, archive copies of the now-removed repository show that hash value in full, which can be easily converted to a torrent, one that is very much alive and being shared by many people. Microsoft Not Too Bothered By The Leak? 
Clearly, Microsoft’s claim that the torrent was somehow taken down was incorrect but that’s not a huge surprise since once a torrent is being spread, stopping people with access to magnet links or even a hash is incredibly difficult. That being said, it would’ve been trivial to remove the source from Github on the day it was published. Instead, it took exactly 10 days, a lifetime where leaks are concerned and a little bit embarrassing when it’s your own site doing the distribution. Quite why a rapid removal wasn’t executed isn’t clear but coupled with what appears to be a lack of enthusiasm to remove links still available via Google, it makes one wonder how concerned Microsoft is about the leak after all. Or, just possibly, the company realizes just how futile it all is. The DMCA notice is available here Source: TorrentFreak
  19. All new Git repositories on GitHub will be named "main" instead of "master" starting October 1, 2020. Starting next month, all new source code repositories created on GitHub will be named "main" instead of "master" as part of the company's effort to remove unnecessary references to slavery and replace them with more inclusive terms. GitHub repositories are where users and companies store and synchronize their source code projects. By default, GitHub uses the term "master" for the primary version of a source code repository. Developers make copies of the "master" on their computers into which they add their own code, and then merge the changes back into the "master" repo. "On October 1, 2020, any new repositories you create will use main as the default branch, instead of master," the company said. Existing repositories that have "master" set as the default branch will be left as is. "For existing repositories, renaming the default branch today causes a set of challenges," GitHub explained in a support page published earlier this month, such as having to edit settings for pull requests and modifying security policies. "By the end of the year, we'll make it seamless for existing repositories to rename their default branch," GitHub said. "When you rename the branch, we'll retarget your open PRs and draft releases, move your branch protection policies, and more - all automatically." GitHub promised in June The company's move is part of a bigger trend in the tech community. After the brutal death of George Floyd and the Black Lives Matter protests earlier this year, tech companies wanted to show their support for the black community by abandoning non-inclusive terms such as master, slave, blacklist, and whitelist. Companies and major open source projects like Microsoft, IBM, Twitter, Red Hat, MySQL, the Linux kernel, and OpenBSD have agreed to make changes to their technical jargon all through the 2020 summer. 
GitHub was one of the first companies to show support for such changes when its CEO revealed in June that they were already looking for a replacement for "master." The company's announcement earlier this month comes to deliver on its CEO's promise. Furthermore, the Git project, which is the base software on which GitHub was built, has also announced similar plans to at least provide repository owners with the option to customize their default repository branch going forward. Source
  20. Under the banner of the MPA, the major Hollywood studios plus Netflix have filed a complaint with Github resulting in the removal of popular streaming app MediaBox HD. The takedown is the latest in a series of setbacks for the Android-based movie and TV show piracy app, which was previously mentioned in legal action unrelated to the MPA. Preventing the general public from accessing movies and TV shows without paying for them is a monumental task that, if anything, feels even more difficult than it was 15 years ago. In addition to hundreds, perhaps thousands of torrent and streaming sites, copyright holders also have to deal with the growing threat of premium IPTV, which grants access to every type of live TV under the sun for comparatively low prices. Somewhere in the middle of this organized chaos, movie and TV show companies are trying to tackle pirate apps. Mostly Android and iOS-based, these consumer-friendly tools present content in easy-to-navigate interfaces, pulling content not just from their own sources but in many cases from third-party file-hosting and IPTV/streaming suppliers, much as other pirate sites do too. MediaBox HD Targeted By The MPA One of the more popular tools in this growing niche is MediaBox HD. Available for both Android and iOS, the app is in demand by those looking to access premium content on their phones or, as is increasingly the case, a tablet or Android-based set-top box. MediaBox HD’s popularity lies in its many features. Aside from a large free library of movies and TV shows, it supports services such as Real-Debrid for more reliable streaming, has Chromecast support, can offer subtitles and even allows for offline viewing. For groups like the MPA, however, these are all reasons to take the app down. MPA Sends Copyright Complaint to Github While MediaBox HD has its own site, at the time of writing it’s impossible to access the Android variant of its app from there. 
Rather than hosting the APK in the same location, the app’s developers chose to host the software on Github instead, meaning it was vulnerable to an easy takedown. Teaming up under the banner of the Motion Picture Association (MPA), Paramount, Sony, Universal, Warner, Disney and Netflix sent a copyright complaint to Github, calling on the platform to remove the piracy-facilitating software. “We are writing to notify you of, and request your assistance in addressing, the extensive copyright infringement of motion pictures and television shows that is occurring by virtue of the operation of the APK software Mediabox HD, which is hosted on and available for download from your repository Github.com,” it reads. “Specifically, at the URL, the Repository hosts and offers for download the APK, which in turn is used to engage in massive infringement of copyrighted motion pictures and television shows.” MPA Demands Removal of MediaBox HD Under the DMCA Attached to the MPA’s complaint but unpublished by Github, the movie and TV show group provides screenshots that claim to show that MediaBox HD streams copyrighted content to the masses, resulting in “massive infringement.” While providing various examples of alleged infringement, the MPA says that these are just the tip of the iceberg, since the software goes much further by blatantly infringing other content owned by its members and copyrights held by others. On this basis, the MPA states that infringement is “plainly is its predominant use and purpose”, citing case law including the MGM v Grokster litigation (2005), the Arista Records v Usenet dispute from 2005, and the 2009 lawsuit between Columbia Pictures and former isoHunt operator Gary Fung. The MPA suggests that it doesn’t really mind on which basis Github removes the app, whether that’s under the DMCA’s takedown provisions, repeat infringer rules, or Github’s acceptable use policy. 
Interestingly, however, it does note that it is not trying to claim that the app’s code is copyright-infringing, merely that its sole purpose is to infringe. “Please note that, by this notice, the MPA Members are not addressing copyright ownership of the APK’s specific lines of code; rather, they are addressing the use of the APK as a whole to provide unauthorized, infringing access to streaming video content, and requesting that you remove or disable access to the APK as a whole on your Repository,” the notice adds. Github Complied With the Request Unlike the dispute currently engulfing youtube-dl, which has put Github at odds with the RIAA, there appears to be no such confusion here. Following the request from the MPA, Github removed the MediaBox HD app and, as a result, the software is no longer available from official sources. While MediaBox HD will likely solve this problem in due course, the attention from the MPA comes after the streaming software was featured in two earlier legal matters. In September 2019, following a subpoena from the makers of the movie Hellboy, third-party app-store TweakBox took the decision to remove MediaBox HD (plus Popcorn Time and CotoMovies) from its platform. A month earlier, a Pakistani man who operated a site that offered MediaBox HD, Showbox, Popcorn Time and similar software, agreed to pay a settlement of $150,000 to companies behind the movies The Hitman’s Bodyguard, London Has Fallen and Hunter Killer. His site, the now-defunct latestshowboxapp.com, was forced to remove MediaBox HD and similar tools, despite not being their developer. The MPA hasn’t yet shown any public signs of seeking a settlement from the developers of MediaBox HD but given past history, that might only be a matter of time. Source: TorrentFreak
  21. Google discloses 'high' severity security flaw in GitHub Google's Project Zero team is well-known for discovering vulnerabilities and bugs in Google's own software as well as that developed by other companies. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period. In specific scenarios, companies may even be given less than the standard 90 days to fix issues before Google publicly announces them. Over the past couple of years, the team has revealed major vulnerabilities in Windows, Windows 10 S, macOS kernel, and iOS, among others. A couple of days ago, the security team disclosed a zero-day exploit present in various versions of Windows, and today it has revealed a security flaw in GitHub. The vulnerability has been classified as a "high" severity issue by Google Project Zero. We'll spare you the nitty-gritty technical details - and you're free to view them in detail here if you want - but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks. For those unaware, workflow commands act as a communication channel between executed actions and the Action Runner. Felix Wilhelm, who discovered the security flaw via source code review, says that: The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. 
I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class. In his original post, Wilhelm went on to say that he's unsure how to fix the issue, as the way workflow commands are implemented is "fundamentally insecure". A short-term solution would be to deprecate the command syntax, whereas a long-term fix would involve moving workflow commands to an out-of-band channel, but that would also break other dependent code. Following the discovery of the security flaw on July 21, the Project Zero team reached out to GitHub with information about the vulnerability, giving it the standard 90 days to resolve the issue, which would expire on October 18. At the start of October, GitHub decided to deprecate the vulnerable commands and sent out an advisory about a "moderate security vulnerability", asking users to update their workflows. On October 16, GitHub accepted Google's 14-day grace period to fully disable the commands, making November 2 the new deadline. After October 28 there was radio silence from GitHub. On November 1, GitHub asked the Project Zero team for an additional 48 hours. However, this additional grace period was not to patch the issue, but to further notify customers and to determine a "hard date" to fix the vulnerability. As this is not in line with Project Zero's standard disclosure process, the flaw has been made public by the security team today, with proof-of-concept code made available as well. Editor's Note: The last paragraph has been slightly modified for more clarity. Google discloses 'high' severity security flaw in GitHub
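As an added illustration of the bug class Wilhelm describes (example code written for this page, not the runner's source and not the Project Zero proof of concept), the following Python models the pre-fix runner loop that scanned every stdout line for `::set-env`, shows how a commit message containing a newline hijacks the environment of later steps, and contrasts two mitigations: the `::stop-commands::TOKEN` fence GitHub's advisory recommended while the command still existed, and the file-based replacement channel. The commit message, the `NODE_OPTIONS` payload and the `/tmp/evil.js` path are constructed, and the regexes are an assumed simplification of the runner's parser.

```python
"""Model of the GitHub Actions stdout workflow-command channel.
Added example for this page; not the runner's real code and not the
Project Zero proof of concept."""
import re
import secrets
from typing import Dict, List, Optional

# Syntax of the since-deprecated command, e.g.
#   ::set-env name=NODE_OPTIONS::--require /tmp/evil.js
# These regexes are an assumed simplification of the runner's parser.
SET_ENV_RE = re.compile(r"^::set-env name=(?P<name>[^:]+)::(?P<value>.*)$")
STOP_RE = re.compile(r"^::stop-commands::(?P<token>\S+)$")

# Constructed untrusted input: a commit message an attacker controls.
# The embedded newline puts the command at the start of its own stdout
# line, which is all the runner required. NODE_OPTIONS is used because
# Node-based actions in later steps honour it, turning an environment
# write into code execution.
MALICIOUS_COMMIT_MESSAGE = (
    "Fix typo\n"
    "::set-env name=NODE_OPTIONS::--require /tmp/evil.js"
)


def runner_scan_stdout(lines: List[str]) -> Dict[str, str]:
    """Pre-fix runner behaviour: every stdout line is checked for a
    workflow command, and ::set-env mutates the environment seen by all
    later steps. ::stop-commands::TOKEN suspends parsing until a line
    equal to ::TOKEN:: is seen."""
    env: Dict[str, str] = {}
    stop_token: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if stop_token is not None:
            if line == f"::{stop_token}::":
                stop_token = None
            continue
        m = STOP_RE.match(line)
        if m:
            stop_token = m.group("token")
            continue
        m = SET_ENV_RE.match(line)
        if m:
            env[m.group("name")] = m.group("value")
    return env


def naive_action_output(commit_message: str) -> List[str]:
    """The vulnerable pattern: an action logs untrusted text verbatim."""
    return f"Checking commit: {commit_message}".splitlines()


def fenced_action_output(commit_message: str) -> List[str]:
    """Interim mitigation: wrap untrusted output in a stop-commands block
    keyed by an unpredictable token so any injected command line is ignored."""
    token = secrets.token_hex(16)
    return (
        [f"::stop-commands::{token}"]
        + f"Checking commit: {commit_message}".splitlines()
        + [f"::{token}::"]
    )


def env_file_channel(requested: Dict[str, str]) -> Dict[str, str]:
    """Replacement channel: the step appends NAME=VALUE lines to the file
    named by $GITHUB_ENV and stdout is never parsed. A value containing a
    newline is rejected, because it would smuggle a second assignment into
    the file (the real format uses a delimiter syntax for multi-line
    values). Modelled with a string buffer so the example runs offline."""
    for name, value in requested.items():
        if "\n" in value or "\n" in name:
            raise ValueError(f"refusing multi-line assignment for {name!r}")
    buf = "".join(f"{name}={value}\n" for name, value in requested.items())
    env: Dict[str, str] = {}
    for line in buf.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            env[name] = value
    return env


if __name__ == "__main__":
    print("vulnerable:", runner_scan_stdout(naive_action_output(MALICIOUS_COMMIT_MESSAGE)))
    print("fenced:    ", runner_scan_stdout(fenced_action_output(MALICIOUS_COMMIT_MESSAGE)))
    print("file chan: ", env_file_channel({"BUILD_ID": "42"}))
```

The vulnerable path returns `{'NODE_OPTIONS': '--require /tmp/evil.js'}` from nothing more than logging a commit message; the fenced path returns an empty environment, and the file channel cannot be reached through stdout at all, which is why it is the durable fix rather than the fence.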
  22. GitHub has issued a warning that accounts could be banned if they continue to upload content that was removed due to DMCA takedown notices. On October 23rd, 2020, GitHub removed the source code repositories for the popular video download tool YouTube-dl after the Recording Industry Association of America, Inc. (RIAA) filed a DMCA infringement notice. This takedown was controversial, as the notice was not issued because YouTube-dl contained copyrighted material or source code, but because it allowed users to download copyrighted content. Since then, angry users have been waging war against GitHub by creating new repositories containing the YouTube-dl source code. Some of these uploads have been done in creative ways to taunt GitHub, such as exploiting a bug that allows users to attach commits to GitHub repositories they don't control. One of these newly created commits containing the YouTube-dl source code was attached to GitHub's own DMCA repository. Uploading removed repos can lead to bans As first reported by TorrentFreak, GitHub's legal director Jesse Geraci updated the DMCA repository's README.md file last week to state that uploading banned content could lead to your account being banned. "Please note that re-posting the exact same content that was the subject of a takedown notice without following the proper process (outlined below) is a violation of GitHub’s DMCA Policy and Terms of Service. If you commit or post content to this repository that violates our Terms of Service, we will delete that content and may suspend access to your account as well," GitHub's new DMCA README.md now reads. This message does not specifically state that YouTube-dl is the reason for the warning, but the timing coincides with GitHub's battle to remove new YouTube-dl repositories after its takedown. 
As activists, journalists, and education commonly use YouTube-dl to archive free and public domain videos, GitHub CEO Nat Friedman has been actively trying to help reinstate the repository. Friedman went as far as to log into YouTube-dl's IRC channel to offer suggestions on how to get reinstated, such as removing the 'cipher circumvention code' and examples on how to download copyrighted material. GitHub CEO on IRC to help YouTube-dl Source: Twitter While this is commendable, this whole mess could have been avoided in the first place if GitHub did not act upon a DMCA infringement notice that had nothing to do with the use of copyrighted material. Source
23. This morning, GitHub's pristine layout vanished off of the repository, in what looks like a miss on the company's part in renewing an SSL certificate. Soon, reports emerged all over the internet from users who had to endure a broken GitHub experience. The expired certificate prevented numerous resources like images, JavaScript, and CSS stylesheets from correctly loading on GitHub.

Expired CDN certificate breaks UI, wreaks havoc

Masiur Rahman Siddiki, a web developer, tweeted to GitHub, "Seriously ?? Your CDN's SSL Expired ? How on earth is that possible ?"

Content Delivery Networks (CDNs) comprise distributed sets of servers, separate from the main website's server, which are strategically placed at different geographical locations. This is done to optimize performance, speed, and delivery of content like videos, images, and other web resources. For example, while the main github.com server may be hosting the text you can read on the website, the images, stylesheets, and JavaScript files may be coming from a completely separate CDN server, depending on your location and other factors.

Because https://github.com is hosted on a secure server with a valid SSL certificate, the website would not automatically pull images from a CDN with an expired SSL certificate without throwing warnings, or in some cases breaking the website's UI altogether. This is called the mixed content problem.

Siddiki provided a screenshot of the SSL certificate issued to GitHub's CDN, github.githubassets.com. The SSL certificate was valid only until November 2, 2020, 7:00 AM ET, after which multiple user reports started emerging on Twitter and Reddit.

[Screenshot: GitHub's CDN SSL certificate had expired today, breaking parts of the site. Source: Twitter]

Because of this problem, github.com would show text, links, and thumbnails fine, but was devoid of its rich UI, stylesheets, and scripts that make the open-source repository look whole.

Software developer Janne Varjo tweeted to the company too, stating GitHub had experienced a downtime of about 30 minutes: "@github's *.githubassets.com SSL cert expired earlier today. The downtime of that domain was about 30 mins until the new cert was deployed. I was able to send a comment to an issue with all the frontend assets missing. Does YOUR webapp work without frontend assets? Should it?"

[Screenshot: GitHub pages show limited styles and visual graphics due to expired CDN certificate. Source: Twitter]

New certificate deployed, SSL blunders on the rise

As confirmed by BleepingComputer, a new certificate has been installed today on the github.githubassets.com domain to remediate the issue.

[Screenshot: New certificate issued today, expires November 2021. Source: BleepingComputer]

This new certificate will, however, expire in November 2021. We can only hope GitHub will remember and not repeat the mishap next year, leaving millions of its users confused.

As more and more web technologies and IoT devices move towards increased security and an "HTTPS everywhere" approach, workflows and processes need to be revised across industries to minimize any inconvenience to customers. Last week, HP users (myself included) around the world were left unable to print from their Apple devices after their printers' certificates were magically revoked. Earlier this year, Roku TV channels had ceased to stream after a global certificate expiration issue left consumers in limbo.

While renewing an expired SSL certificate is an easy task, the expirations do cause outages that could have been entirely preventable through adequate planning.
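An outage like this one is caught by routinely checking the certificate of every hostname the site depends on, CDN hosts included, rather than only the main domain. As an added example (not BleepingComputer's or GitHub's code), the Python below parses the notAfter date in the form ssl.getpeercert() returns it, classifies how close the certificate is to lapsing, and optionally performs the live TLS handshake for a list of hosts. The host list beyond github.githubassets.com, the alert thresholds, and the sample date (constructed to match the article's stated expiry of 7:00 AM ET on November 2, 2020, which is 12:00 UTC) are assumptions.

```python
"""Added example: certificate-expiry check for a list of hosts. Not the
article's or GitHub's code; hosts, thresholds and sample date are
assumptions / constructed values."""
import socket
import ssl
from datetime import datetime, timezone

# github.githubassets.com is the CDN hostname the article names; including
# the main domain alongside it is an assumption about what to monitor.
HOSTS = ["github.com", "github.githubassets.com"]

# Constructed to match the article's expiry (7:00 AM ET on Nov 2 2020 =
# 12:00 UTC), written the way getpeercert()["notAfter"] renders dates.
SAMPLE_NOT_AFTER = "Nov  2 12:00:00 2020 GMT"


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC datetime to use as 'now' in checks and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_not_after(not_after):
    """Turn a getpeercert() notAfter string into an aware UTC datetime.
    ssl.cert_time_to_seconds understands exactly that '%b %d %H:%M:%S %Y GMT'
    layout, including the double space before single-digit days."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_remaining(not_after, now=None):
    """Days until expiry; negative once the certificate has lapsed."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now).total_seconds() / 86400.0


def classify(not_after, now=None, warn_days=14, crit_days=3):
    """Map days remaining onto an alert level (thresholds are assumptions)."""
    d = days_remaining(not_after, now)
    if d < 0:
        return "EXPIRED"
    if d < crit_days:
        return "CRITICAL"
    if d < warn_days:
        return "WARNING"
    return "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Live check: full TLS handshake with hostname verification, returning
    the leaf certificate's notAfter string. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_hosts(hosts=HOSTS, now=None):
    """Return {host: (status, detail)} for each host.

    Caveat: once a certificate has actually expired the default context
    refuses the handshake, so the case shows up as INVALID with the verify
    message rather than as a date. The check has to run before expiry day.
    """
    report = {}
    for host in hosts:
        try:
            not_after = fetch_not_after(host)
        except ssl.SSLCertVerificationError as exc:
            report[host] = ("INVALID", exc.verify_message)
        except (OSError, ssl.SSLError) as exc:
            report[host] = ("UNREACHABLE", str(exc))
        else:
            report[host] = (classify(not_after, now), not_after)
    return report


if __name__ == "__main__":
    for host, (status, detail) in check_hosts().items():
        print(f"{status:<11} {host:<28} {detail}")
```

Run it from a scheduled job and page on WARNING or worse; a 14-day warning window is what turns the renewal into a calendar item instead of an incident.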
24. This afternoon, one of the most well-known pieces of software for downloading YouTube videos, youtube-dl, was removed from GitHub following a takedown notice from the Recording Industry Association of America, or RIAA.

Whether you’re looking to back up the contents of your personal YouTube account or download some of your favorite YouTuber’s videos for offline use, many turn to youtube-dl as the most reliable and in-depth tool for downloading videos from YouTube — along with many, many other sites that have videos like Vimeo, CNN, etc. Beyond simple downloading features, youtube-dl is also able to convert your download into nearly any format, including creating an mp3 of just a video’s audio track. Like many things in life, there are legal and illegal ways of using youtube-dl, especially as YouTube has grown its paid music subscription service.

On Friday afternoon, the RIAA issued a DMCA — Digital Millennium Copyright Act — takedown notice to GitHub requesting that the site remove the open source code of youtube-dl and all associated mirrors. One of the primary bases for the RIAA’s claim is that youtube-dl appears to be developed with the explicit intention of enabling the downloading of copyrighted works, with music videos from the likes of Icona Pop, Justin Timberlake, and Taylor Swift being used to test the tool’s functionality, a claim which we were able to independently verify.

"Indeed, the comments in the youtube-dl source code make clear that the source code was designed and is marketed for the purpose of circumventing YouTube’s technological measures to enable unauthorized access to our member’s copyrighted works, and to make unauthorized copies and distributions thereof: they identify our member’s works, they note that the works are VEVO videos (virtually all of which are owned by our member companies), they acknowledge those works are licensed to YouTube under the YouTube standard license, and they use those examples in the source code to describe how to obtain unauthorized access to copies of our members’ works."

This takedown notice does not necessarily spell the permanent end of youtube-dl. GitHub always immediately takes down any source code project that receives a DMCA notice like this, but the project’s creators will have an opportunity to file a counterclaim in the hopes of restoring youtube-dl’s status on GitHub. We’ll be keeping an eye on the situation as it develops.

In the meantime, those who still have youtube-dl on their device, or can obtain it from a mirror, are able to continue using it as normal. The larger issue is that youtube-dl will likely cease to receive updates for the time being, and therefore, any changes made by YouTube or other video services could potentially cause the tool to no longer function. As youtube-dl is a fairly well-known and powerful tool, with over 72,000 stars on GitHub, it’s likely there are many other tools that rely on it for their YouTube-related capabilities.
25. An RIAA takedown request, which removed the YouTube-DL repository from GitHub, has ticked off developers and GitHub's CEO. Numerous people responded by copying and republishing the contested code, including in some quite clever ways. Meanwhile, GitHub's CEO is "annoyed" as well, offering help to get the repo reinstated.

The music industry has increased its enforcement actions against stream-ripping tools and services in recent years. The RIAA and other music groups have filed lawsuits, sent cease and desist orders, and issued numerous DMCA takedown notices.

RIAA Takes Down Youtube-DL

Until recently these efforts were hardly noticed by the public at large but late last week something changed. When the RIAA targeted the very popular open-source tool YouTube-DL, many people responded in anger.

Last Friday the RIAA asked the developer platform GitHub to remove the YouTube-DL code and various forks because it allegedly violates the DMCA’s anti-circumvention provisions. By enabling the public to download content from YouTube, the tool allegedly bypasses YouTube's ‘rolling cipher’ protection. Not just that, the code also included links to copyrighted works to illustrate its use.

Cease and Desist Notices

Following our initial coverage, we learned that the pressure against YouTube-DL had already started weeks earlier in Germany. Law firm Rasch, which works with several major music industry players, sent out cease and desist orders in the hope of taking YouTube-DL offline.

Hosting service Uberspace was one of the recipients. The company hosts the official YouTube-DL site and still does so today. Instead of taking the website down, Uberspace replied to the notice through its own lawyer, who said that the hosting company hasn’t done anything wrong. When the cease and desist notice was filed, yt-dl.org wasn’t even hosting the tool, as all download links pointed to GitHub, the company informs us.

“The software itself wasn’t hosted on our systems anyway so, to be honest, I felt it to be quite ridiculous to involve us in this issue anyway – a lawyer specializing in IT laws should know better,” Jonas from Uberspace says.

Former Maintainer Targeted as Well

The host wasn’t the only entity to be targeted. The German law firm also sent a cease and desist notice to developer Philipp Hagemeister who previously maintained the YouTube-DL repository. He also denies the accusations.

“They did not understand that I was no longer a maintainer, basically alleged that youtube-dl was an illegal enterprise rather than a legit open-source project, and misunderstood a bunch of other technical stuff,” Hagemeister tells TorrentFreak.

Both Uberspace and Hagemeister don’t want to go into too much detail as this is a pending legal issue. However, both defend their actions in relation to YouTube-DL. And they’re not the only ones who were ticked off by the enforcement actions, as we learned this weekend.

Takedown Backfires as Copies are Everywhere

Soon after the RIAA notice took YouTube-DL offline many developers spoke out in protest. They believe that the music industry group went too far and started to republish copies of the code everywhere.

Over the past several days, we have seen hundreds of new forks and copies appear online. These were also posted to GitHub, where YouTube-DL forks remain easy to find and continue to be uploaded.

The code was also posted in some places one wouldn’t expect. For example, there’s still a copy in GitHub’s DMCA notice repository, which some people find quite amusing. And the list of pull requests can be quite entertaining in themselves.

One of the most creative responses we’ve seen was posted to Twitter by @GalacticFurball who encoded YouTube-DL into images that can be easily shared, encouraging others to share these as well.

“I would also suggest that you save and repost the images, as one single source kind of defeats the point. Maybe start a hashtag trend or something. Make songs, and poetry. Get that data out there.”

This triggered even more creativity, with people finding alternative means to share the code online, all to counter the RIAA’s takedown request.

GitHub’s CEO Offers to Help YouTube-DL

Meanwhile, GitHub’s CEO Nat Friedman wasn’t sitting still either. While the Microsoft-owned developer platform had to respond to the takedown notice, Friedman himself actively reached out to YouTube-DL’s developers to help them get their project reinstated. The CEO joined YouTube-DL’s IRC channel hoping to connect with the owner of the repository so he can help to get it unsuspended.

“GitHub exists to help developers. We never want to interfere with their work. We want to help the youtube-dl maintainers defeat the DMCA claim so that we can restore the repo,” Friedman told TorrentFreak, explaining his actions.

It’s clear that GitHub exists to help developers. That said, for the company’s CEO to jump in and personally help someone to respond to a DMCA claim, is quite unprecedented. As it turns out, the RIAA’s notice ticked off Friedman as well.

“This one annoyed me,” Friedman says. “Perhaps because of the importance of tools like youtube-dl for archivists, and our related archive program and funding of the Internet Archive: We are thinking about how GitHub can proactively help developers in more DMCA cases going forward, and take a more active role in reforming/repealing 1201.”

GitHub’s CEO suggested that YouTube-DL won’t be reinstated in its original form. But, the software may be able to return without the rolling cipher circumvention code and the examples of how to download copyrighted material.

RIAA Efforts Backfire

By now it is clear that the RIAA’s takedown notice backfired badly. With the ‘Streisand Effect’ in full swing, there are now probably more copies of YouTube-DL online than there ever were. However, there is more.

Reading between the lines, Friedman suggests that the current DMCA rules may be too strong in some cases. For example, tools like YouTube-DL have non-infringing uses, and there can be upsides to circumventing copy protections as well. To archive content, for example.

This issue may eventually become a policy question. Every four years the US Copyright Office grants new exemptions to the DMCA section 1201 anti-circumvention rules, and it wouldn’t be surprising if these tools are put on the agenda in the future.

Instead of simply taking down YouTube-DL, the RIAA may have actually poked the bear and increased support for such tools. Not only from developers at home, but also from big players such as GitHub. Putting that cat back in the bag is not going to be easy.

Source: TorrentFreak