From YouTube: Securing Critical Projects WG (December 3, 2019)
Description
No description was provided for this meeting.
B
And here is the agenda for today. Also remember to sign in here at the top; add a couple of these, so it's easier.

B
Cool, add any other topics I'm missing. I think we have a pretty short agenda today, especially without Jordan. Last week, Jordan presented on his malware analysis project for PyPI and also got a bunch of other people working on similar things interested and excited on Twitter, and then invited them to today's meeting to chat about their projects. So I figured we would start out with that. Anybody here that is new and interested in the malware analysis and malware detection stuff?
C
I don't mind, awesome, go for it. So yeah, hello everyone, my name is Maciej Mensfeld. I work in a company called Castle. We do account takeover prevention.

C
I also do a lot of work related to security for the RubyGems organization, and I'm one of the security advisors there, and I built a platform called Diffend which is kind of running alongside RubyGems, and the only reason is I'm just too lazy to integrate it with RubyGems directly, because it's, yeah, kind of a bit of a mess, to be honest. I've been doing almost exactly the same work as Jordan, but for Ruby.

C
It turns out, after I've read his article, that we kind of use a similar technology stack, and yeah. That's why I'm here, on behalf of Castle, Diffend and rubygems.org.

B
Awesome. Do you have...

C
Yeah, I did request access, though I still don't have it.

B
Let me see, all right, yeah. We have it shared with this Google group for edit, and then it's publicly visible, though, so if you join this, or we can add you directly to the doc. Anyway, cool, so how exactly does Diffend work? You said it's similar to Jordan's. Well...
C
Yeah, what Jordan basically does, based on my understanding, is he uses tcpdump with a couple other things to track I/O operations and network traffic upon install. I've been doing something similar, but thanks to some friends initially at RubyGems, I've got a database with historical stuff, with all of the yanked library versions.

C
So I had a broader scope of things to work with, and thanks to that, we came up with not only the behavior analysis, but also with an engine for static analysis that kind of gives the changes in the code between releases and tries to pinpoint things that are malicious.

C
Not everything can be caught by running an install. I don't know exactly how it works with Python and how complex the ecosystem is, but for RubyGems it basically sucks. It is designed to be friendly, which quite often means it is also easy to be abused, and because of that, tracking the network traffic upon install is not always enough. Me and a couple other people involved came up with this idea of a whole sandbox for Ruby, where we install gems.

C
We run them within an ecosystem of things like Rails, and then we track the behaviors. Still not enough, because some of the attacks are actually designed to work, for example, only on Windows, only in particular cases, and then it's really hard to come up with all of the combinations of all of the Ruby versions, Rails versions, operating systems and so on. But I would say we were quite successful, especially this year, in catching things, including non-malicious stuff, like leaked tokens and data like that.

C
So what Diffend does is it assigns a risk score based on particular signals, and then, if the overall risk score is above a certain threshold, it pings me and folks from RubyGems. So we do the same for the quality of the ecosystem.

C
We track things that are in the arena of a security concern, but they are just low quality stuff related to how you publish Ruby packages, and it also allows us, we're working on building a system for opening issues on GitHub to maintainers, that hey, you're doing something you probably shouldn't, or you're publishing like half a gigabyte of development files. It's probably not what you intended when you decided to release a gem. So more or less it works that way.

C
I sometimes tweet a bit about some of the things. Well, not all of the things get CVEs; mostly they don't get CVEs, because I'm quite fast in tracking those things. People from RubyGems have access to the system. So whenever something is found, really fast, we just yank the versions. There weren't any, I am not aware of, maybe there are, really big things in the last couple months related to RubyGems. There were a couple gems that are just research gems. They do steal data, but the data isn't confidential.

C
It's like a list of the files in the home directory and things like that, and by design RubyGems tends not to remove things like that out of the system. There is a problem, though, with a lot of gems sending weird requests, doing nothing except just sending them, probably for analytics. There are companies like AppSignal that send requests when you install the gem, which I think is unfair, you shouldn't do it, but they download something. I haven't had time to dig into what exactly is being downloaded.

C
Definitely nothing malicious, but things like that happen, and I do see a couple more gems that are widely used that download external dependencies upon install or first execution from the internet. So yeah, we have an internal discussion on how to deal with that with any future gems that would want to do stuff like that. Interesting.

C
You can watch my presentation from, I think it was one year ago or two years ago, at RubyKaigi in Japan. I had a whole presentation on how you can use public data that is being published by RubyGems to pinpoint the gems that you would want to take over and how you can inject things into them.
B
Awesome, yeah! That's really interesting. Do you have any more data on the risk score piece? That sounds like something that could be interesting, especially when we talk about other programming languages and ecosystems.
C
I look for certain characteristics based on older attacks. I don't think all of this can be adapted to other languages, because some of the things are kind of specific. What I noticed when I was working with JavaScript is that people kind of publish precompiled versions of code, and that kind of makes it really problematic to pinpoint weird stuff. What else, there's, yeah, I would probably have to prepare.

C
I just came home five minutes ago and noticed the messages, so I'm not really prepared, but there are a couple other signals, so yeah. What do other folks do? I think I do it, yeah, you know, with a bit more, yeah, but in general we do have the platform designed for RubyGems for analyzing every single gem version that is being released and scoring it.

C
As I said, both from the quality and security perspective. We had a discussion about introducing something like a sandbox, but because of how RubyGems and Bundler are designed,

C
it would be really problematic for the community because of the chain of dependencies. If, let's say, you decide to release something like Rails, and then the system kind of holds one of the gems, then it is not well handled by Bundler itself. So Bundler is a package manager for Ruby, for people that don't know.
D
I have a couple questions for you. First of all, you mentioned things don't get CVEs. Do they at least get noted in bundler-audit, or are you just yanking and hoping everything else goes from there?
C
To be honest, my experience with reporting CVEs is that I reported one at the end of last year. It still hangs as pending something. I pinged them again and they changed the status. It's still like hanging, and to be honest, I'm not that interested in... I am interested in CVEs, but for me it's not user friendly, and, you know, I submitted it, I waited a couple months, I pinged them again, they changed the status from something to something else. It's still not published.

C
It doesn't bring a lot of value to me if the compromised gem is not popular. Let's say it had a couple hundred downloads, and the worst scenario that could happen with it is bitcoin mining. Then it just gets yanked.
D
Okay, what about bundler-audit? Because Bundler has an auditing system built in that reports not just CVEs but other things. Do you report to them either, or you just yank them from RubyGems and call it a day?
C
I do yank. I didn't know, though, that bundler-audit works with things that aren't official CVEs, so.

C
As far as I recall, they have scripts for syncing with some of the sources of CVEs and the GitHub security audit reports. Those are the two sources that are like semi-automatic when it comes to bundler-audit.

C
Yeah, and my opinion about bundler-audit: there are things that aren't updated. For example, if you look at Ruby CVEs, they quite often don't get this.

C
What was it, the default score that the CVE organization assigns? Those aren't populated to bundler-audit because there's just no one doing it. So for really popular gems, I would say they're gonna hit bundler-audit, but for things that are in the gray area, like you said, they're probably not gonna get there. And one thing about bundler-audit is, it runs too late.

C
People tend to have gems, they run bundle install, and then that's more than enough to do harm, before it hits bundler-audit on CI or something like that. It's definitely too late, and that's the second part of the things that we built with Diffend: a plugin that you plug into Bundler, and it actually prohibits you from downloading.

C
You can just, you know, set up rules that all of the things need to obey, like, hey, you're not supposed to install gems that are younger than a month, you're not supposed to do this and that, and we use it in Castle to basically guide all the company developers on how things are supposed to be when it comes to using open source dependencies, even downloading them. And yeah.
D
Yeah, the problem with saying never download less than a month old means that if there's an important security patch, that doesn't get updated either.
C
Yeah, you know, you can configure stuff, so it is flexible. If you need to override things, you can do it, but there's definitely a footprint of who decided to do that, why and when, and stuff like that. So it allows us to manage dependencies and manage outdated dependencies. There's so many libraries that are abandoned, and using them is not always the best idea.

C
So we do spend a bit of time on securing our, especially our backend ecosystems, due to the type of the company in which I work.

C
Yeah, told you, there's just nothing special about Ruby as a language compared to Python, or the other way around. It's just about, in my opinion, understanding the ecosystem and how you can abuse it and then coming up with countermeasures that are or are not specific to a given technology, though Ruby sucks in terms of, yeah, what...

C
...you can do with packages.

C
In Ruby, when you install a gem, you get full control of the process in which it is being executed. So.

C
I would have to check it, but for legitimate gems it's being used quite often. Every single native extension that comes with Ruby needs this; every company that wants to download something from the internet, like linked libraries or any other stuff, uses it. So in terms of network activities on a daily basis, let me look into statistics.
D
You know, a normally behaving Ruby package, I'm sorry, Ruby gem, typically doesn't need to, unless it's got C extensions, and I don't know, you would know better than I would what the percentages are. But I would expect most Ruby gems to not run code during install.
C
Yesterday there were over 800 package releases, 840 releases. If you give me a couple minutes, I can give you an exact number of how many of them have network traffic, but okay, I didn't know that about Python. I just thought it is kind of similar, that things get downloaded, they get extracted and they're there.

C
...dollars a month, so, you know, I can afford that. Let's say I couldn't afford that. It started as a research project and yeah, I have a lot of fun working on it, and it kind of aligns with the company policies in the company in which I work, because they do invest a lot of money into both the open source that I built.

C
I was actually hired at Castle because I did open source that Castle was using before I joined the company, and the same with my security work. So I'm really privileged in that regard. Awesome.

C
So, as far as I saw, it was running the install process only, without running the execution. Okay.

C
For Ruby, now we have a sandbox that, as I said, runs things, installs stuff, tracks the activities, and then alongside, as a separate tracking engine, it tries to run the libraries within, like, Linux, a couple Ruby versions, a couple Rails versions, and then it tries to pinpoint gems that would misbehave, alongside the static analysis, yeah.
G
And then you're doing the same thing that Jordan was doing, like monitoring the syscalls as you're installing and running the thing. I'm curious about the second part, though, because installing it is straightforward, because it's a common entry point, like you know how to install a package. But how do you run a library? I mean, I understand how you would if it has a main. You run the program, but a library, how do you enter and...
C
Exercise its functionality by running it? I mean, I do require it, so I load all of it into the ecosystem.

C
What I noticed, analyzing older attacks on RubyGems, is that quite often they inject something that is Rails based or based on a production environment, and then it kind of waits a random amount of time and it kicks in. So, unless it crashes, because many Ruby gems are actually designed to be private gems, people tend to publish things that only they use, so they don't define dependencies, stuff like that, but publicly available gems shouldn't break when you require them and they shouldn't present any weird behaviors. And so I try to require it, which would load all of the code.

C
I track syscalls, number of threads, network traffic without Rails and the same with Rails, and then with Rails I kind of emulate a typical web server that would have some internal calls within Docker, things like that, to kind of try to emulate what a normal application looks like.

C
The only thing that I wasn't able to do is to figure out how to snapshot the AST before I load the library and after I load it, for the code, because then I would be able to track hooks to things like TCP methods or HTTP and stuff like that, but the Ruby AST is not the most friendly thing.

C
I am working on it, though, because the majority of the libraries shouldn't modify things that aren't in their scope. Some probably will, so it's just going to be one additional signal, but I would expect the majority of libraries to kind of encapsulate their own logic within their own library namespace.

C
Well, I never said I would be able to catch everything. I still believe that being strict with what is allowed within a company is a much better countermeasure for the majority of the things. One thing that I can add on top of this: I was able to, and we're finishing this work, we're connecting Castle. If you go to castle.io you're gonna see how it works.

C
We're connecting Castle to RubyGems to provide account takeover tracking, so the RubyGems team will be notified about potentially any attempts of stealing the accounts or publishing gems on behalf of someone else. We had a really good commercial success with companies like Rockstar and Atlassian, so we hope it's gonna help RubyGems in general, the Ruby
B
community. Awesome. I think Martin, you're also here, right? You also...
H
So I've been thinking about creating, or addressing the problem of malware in Python, because that was over the news a lot recently, and I started looking at some tools that exist or that can be used for that. But unfortunately, to my research, I didn't really find anything suitable there. There was a lot of problem in existing SAST tools to do this on a large scale. So I decided to create my own static analyzer called Aura, and my...

H
...to periodically, or even, in the future, in real time, audit what's being uploaded to PyPI. So I deal with static analyzers. There is a big difference between what exists, like the Bandits. So normally, when there is a SAST tool, it tries to produce some alerting for developers, and it aims to do it with a low false positive ratio and something that's actionable, but I took a completely different approach, so I mostly look for some behavior of the code, anomalies and similar kind of stuff, so you can get others. For example.

H
I have a Synology, a server at home, where I created an offline repository of PyPI that is periodically being synced to the main repository, and I scan whatever is being uploaded there using Aura. So it gets recognized, it recursively unpacks it and it scans all Python files inside there using a more or less universal AST parser, which is one of the issues that I identified with other tools, because they usually can only parse Python source code of the Python installation they were installed in, like Bandit, Koala, etc. So it scans that. There are then AST analyzers

H
that look for pattern matching, so they look whether there is network communication or even some vulnerabilities, so it's able to detect if there is some kind of SQL query using string formatting, which can lead to SQL injection, and pick up those anomalies that are being reported.

H
If it's compiled Python source code, it tries to look at if it's reproducible, if it wasn't changed by injecting some malicious payload inside, something similar to what reproducible builds are doing, and basically in this sense Aura is like a data analysis pipeline.

H
On top of that, since I mentioned reproducible builds, there is a project associated to that called diffoscope. So I took that as an inspiration to create also a diffing engine on top of Python files.

H
So if there is, for example, a GitHub repository where the Python package is hosted, and an uploaded package on the repository, it's trying to diff if there are any differences between those two locations of the source code, because in the past I saw that there was some package uploaded on PyPI that had a malicious payload stealing, I think it was SSH credentials and certificates, but it was not in the GitHub repository.

H
So it's trying to audit this in a similar manner that diffoscope is doing, but I also integrated it with the SAST analyzer. So you don't only get this raw diff where you see like this code changed or there is this new file, like in diff, but it's also able to give the detections that the SAST was able to detect. So you can see that previously this code wasn't doing any network communication, but now it's doing network communication and executing some system commands.
B
It's really cool. Yeah, I wrote a blog post a while ago, I guess, on the same thing you just talked about, where PyPI shows you the GitHub repo or something it supposedly came from, but there's no actual proof or verification or anything like that, so anybody can kind of mess with the code in between. So, if you don't actually look at what was uploaded, you might not be looking at the right thing.
D
You mentioned there's something else that is checking if the Python packages are reproducible. Is that something else, is it two different issues? There's the package and then there's the execution results. From the package point of view, was that some other group? That's a group I'm not familiar with.
H
Kind of, so I identified a couple of anomalies that I was looking at, so one is, it's still work in progress, these reproducible builds, so I'm trying to match whether, if there are some Python packages that have pre-compiled code, bytecode, I'm trying to track whether it can be reproduced when...

H
But when I started matching that to what actually is inside the Python package, I found, for example, that the MD5 declared for that file is different than what is actually inside. So I'm trying also to look into this reproducibility, or indications that some Python package might have been manually edited by, for example, unzipping the archive, replacing the file and then zipping it again and uploading to PyPI.

H
So I decided recently to release it, and my philosophy is that all the data that I collected by scanning the whole PyPI repository is released open source on the internet, so anyone can actually download a huge JSON data set. It's around 60 gigabytes of data, and it's Aura results, and you can start looking at this kind of differences and anomalies that were found.

H
Yes, there are also, I identified some new or some like vectors that can be used. So, for example, nowadays a lot of developers are aware that it's not a very good idea to actually commit some secrets to the git repository, or even if it's deleted, you can still see it in commits, or if you have some file called passwords that stays there, it might end up in git. But I saw a lot of this stuff in the Python packages, which behave similarly to git.

H
It actually collects all the files and puts them inside there, but nobody's checking what is inside, so oftentimes I see leaked credentials using the .pypirc configuration file, and you can hijack the user. I found some high severity incidents like that, where I was able to drive a refresher to hijack very popular Python packages, including bill sticker, etc., that have thousands of installations every day, just because there was a file included that was leaking the credentials of the author or maintainer of the project.
C
I've seen exactly something like that five days ago with Ruby. It's the same case: people don't know what they actually add to the packages when they build them, and yeah, it happens that their credentials for some sort of API for which they were building a library, you know, a library, yeah, common case.

H
Yeah, definitely, I think it's easy to also include something like that by default.

C
I mean, RubyGems does not have a lot of resources. That's one of the problems about the Ruby community, that is, it's an advantage and it's a disadvantage as well, that it's not commercial, right? So, if that, if there's...

C
Usually a non-commercial one. I don't know. "Oh, it's open source, do it," basically, attitude, and I think that's, for RubyGems, that's the biggest problem, that there's just not enough resources, and even if you look into Bundler, there are so many things that could be done better, could be fixed or improved, but there's just not enough people that would be willing to do this work.

C
There is a Ruby Together organization that collects money from big Ruby companies, and I think there's at the moment one person working more or less full time on RubyGems improvements, and there's like a whole bunch of folks like me doing some sort...
H
Yeah, there are some like advanced obfuscation techniques. I mostly use what compilers are using to optimize the source code, so it's rewriting the AST by, for example, propagating constants, folding of the nodes, etcetera. So it was designed from the ground up for zero execution. So that's also the main difference with Jordan's approach.

H
It's not installing it at all. It's just, there is this generic data pipeline, where it determines what the file is, like, it's a Python package because it's a tarball file or something; then if it sees that it's archived, it unpacks it, it looks at: is there Python source code inside, setup.py? If so, then it analyzes that using static analysis, so it's able to extract what is the package name.

H
There is also some metadata coming from PyPI, because it's connected to the PyPI repository, so it's able to also pick some information there, but it's mostly in this like recursive approach: when it sees an archive it unpacks it, and whatever files are inside, it adds that to the pipeline and then runs through the same process again. Cool.

H
Yes, my assumption is there could be some malicious install inside, yeah.

H
...discourages any execution during the installation, but sometimes it's inside, but usually that's just populating some metadata inside the repository for, like, pip, so it is able to track which files belong to which packages or what's the author or package name. Sometimes these packages do, like, install time dependency, so they might be downloading something from the internet, like some data set, if it's an ML framework or something like that.

H
So of course, in these cases it wouldn't work, but on the other hand, my auditing flags that, that is, network communication being done during the setup process.
B
Cool, so Jordan left us an update on this project in Slack. I put a link to it here in the doc, but the basic summary is that I've been helping him find some resources to keep this thing running and then get it hooked up to PyPI, so it can run continuously.

B
We've got a GCP project set up that, you know, I've been starting to move the code over to. If anybody wants to help out with that, feel free to reach out. Jordan's repo is linked in there too, where the code runs and everything. It was pretty easy to get up and running. Definitely reach out if anybody wants to help. Jenny, I saw that you had a topic under next that I forgot to copy down, and then you resolved the comment. Did you still want to talk about that one? I tried pinging her on Slack. Oh, there she is. Sorry, yeah, here I am, sorry. It always takes me a second to find the unmute button. No, I thought that was an older comment. Okay.
E
I added that one. That was our discussion on some people, like from the Harvard research, that some folks are asking about some data that was lower in the stack, so we had talked about, like, we could even start with just the developer survey, is one idea, to try to get some of that data, so that was just meant to be like an open discussion on that. So I don't know what we want to talk about today or save it for a later time. I probably want to save it for a later time. I know that Frank had looked into that a little bit. It was related, now it's coming back to me, it was related to...

B
Cool, okay, were you gonna say something?
A
Yeah, not about that. I had a different question, if now's the time, and I'm sorry I didn't put it on the agenda, but two questions. So one is, I know that there's been some discussion of trying to do some fundraising to help with securing critical projects, and I thought I'd just see if there's a status on that, or if that's something that's being discussed openly in this group. Maybe it's being discussed privately at this point, in which case I'm sharing information.

A
Next year, you know, so we should, you know, figure out how we increase membership dues, and in the meantime if we want to do some call for fundraising, but it just sounds like we haven't got that far yet in the thinking for this group, and that's fine. I just was checking to see.
E
Yeah, I mean, on the Google side, we've been doing a few one-offs to support some efforts, but I think if people in the room have, like, are needing resources and think this group could be helpful, like, put it in the doc, reach out, let us know, and maybe we can collectively come up with a good plan together to figure out how to help out.
A
Okay, and then the other thing, I believe I saw somewhere a list of...

A
What I'm wondering is, if we've done a, and again maybe I missed this, but kind of a, what we think are the most critical projects, some sort of analysis on that. I think what I saw most recently was kind of, for each of the packaging ecosystems, the most commonly used packages in that ecosystem. So I think there was like top 200 Python packages, top 200 JavaScript packages, et cetera.

A
So I guess I'm just wondering if we've got it, if we're thinking that we'll get more formal about which are the projects that, you know, if we had resources coming in, we want to tackle those first.
E
So yeah, there's a few. So we have the Harvard data, of course, and then there's another project that was started called the criticality score, to complement whatever we do here. That's just taking a stab at looking at different heuristics and then stack ranking projects.

E
So we can drop a link for that in the notes doc, but definitely open for, you know, ideas how we could do that, if we could start with like five projects that the industry thinks are really important and agree on those, or, you know, I think we're open to more ideas and suggestions there.

E
Cool, any other topics people want to discuss today?

E
Cool, I'm not sure if we will have the next meeting yet. When is it, the 17th?

E
I don't know, I guess we'll discuss offline, and if there's enough stuff on the agenda I'll be around and we can still chat. But if too many folks are on vacation mode already, then we can just cancel that, so look out for that. I'll cancel on the calendar if we decide to kill it.