I recognize that anti-abuse is a never-ending cat-and-mouse game, and hindsight is 20/20, but malicious activity like this seems like it should be easy to detect: how often does a legitimate account suddenly post 300 issues across many different repos?
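To make that concrete, here is a minimal sketch of the kind of velocity check I have in mind; every name and threshold below is hypothetical, not anything GitHub actually runs:

```python
from collections import defaultdict, deque
from time import time

WINDOW_SECONDS = 3600        # look at the last hour of activity
MAX_DISTINCT_REPOS = 20      # hypothetical cutoff: few legitimate users
                             # file issues in 20+ unrelated repos per hour

# account -> recent (timestamp, repo) events, oldest first
recent_issues: dict[str, deque] = defaultdict(deque)

def record_issue(account: str, repo: str, now: float | None = None) -> bool:
    """Record a new issue and return True if the account looks anomalous."""
    now = time() if now is None else now
    events = recent_issues[account]
    events.append((now, repo))
    # Evict events that have fallen out of the sliding window.
    while events and now - events[0][0] > WINDOW_SECONDS:
        events.popleft()
    distinct_repos = {r for _, r in events}
    return len(distinct_repos) > MAX_DISTINCT_REPOS
```

An account posting 300 issues across hundreds of repos trips this immediately, while a maintainer triaging their own project never comes close.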
Part of the challenge may be the moderation burden that false positives create once you make detection more sensitive, but some investment in a pending/flagged activity queue, with approval delegated to repo owners, could work well.
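Something like the sketch below, where flagged activity is held out of public view until the repo owner approves or rejects it; the names are purely illustrative:

```python
from dataclasses import dataclass

@dataclass
class FlaggedIssue:
    account: str
    repo: str
    body: str
    state: str = "pending"   # pending -> approved | rejected

class ModerationQueue:
    """Holds flagged activity, visible only to the affected repo's owner."""

    def __init__(self) -> None:
        self._items: list[FlaggedIssue] = []

    def hold(self, item: FlaggedIssue) -> None:
        self._items.append(item)

    def pending_for(self, repo: str) -> list[FlaggedIssue]:
        return [i for i in self._items
                if i.repo == repo and i.state == "pending"]

    def review(self, item: FlaggedIssue, approve: bool) -> None:
        item.state = "approved" if approve else "rejected"
```

The detector can then afford a much higher false-positive rate, because a wrongly flagged issue costs the repo owner one click instead of costing GitHub a support ticket.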
In a past life, one of the more effective anti-abuse mechanisms was intentionally introducing latency between attempt and confirmation, on the order of a week. If every attempt to check whether you've evaded detection takes a week to confirm, you can't iterate on abuse nearly as quickly and are more likely to give up and move on to other targets. Obviously, the amount of latency you can acceptably introduce depends on the system/product...
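As a sketch (hypothetical names; the only point is that the submitter cannot observe the outcome until the delay elapses):

```python
import heapq
import time

CONFIRM_DELAY = 7 * 24 * 3600   # roughly a week before the outcome is visible

# min-heap of (reveal_at, action_id): accepted immediately, revealed late
_pending: list[tuple[float, str]] = []

def submit(action_id: str, now: float | None = None) -> None:
    """Accept the action right away, but schedule its outcome for later."""
    now = time.time() if now is None else now
    heapq.heappush(_pending, (now + CONFIRM_DELAY, action_id))

def confirmable(now: float | None = None) -> list[str]:
    """Return the actions whose outcome may now be revealed to the submitter."""
    now = time.time() if now is None else now
    ready = []
    while _pending and _pending[0][0] <= now:
        ready.append(heapq.heappop(_pending)[1])
    return ready
```

A bot author probing whether their latest evasion works gets one data point per week instead of one per second.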
Before this event, I had another encounter with GitHub. An AI coding-assistant startup appeared to have created bots that would:
1. find new GitHub issues on random repos
2. fork the repo
3. make a commit, trying to implement whatever was requested in the issue
4. reply to the issue with a link to the commit, disclaiming any responsibility for the code quality (which was very poor), and linking to their platform
I reported a few of those issues to GitHub. To me, the problem seemed almost obvious:
1. they were using sketchy GitHub usernames
2. there was evidence of similar replies having been mass-deleted in the past
3. some of the issues also seemed to have been opened by sketchy users
GitHub took a few days to reply, didn't seem to grasp how bad the situation was, and essentially allowed them to continue. I shouldn't have to spend a lot of time building an elaborate "criminal case" to convince GitHub that its platform is being abused by these bots.
I'm also finding that this has happened before and GitHub didn't clean up the spam entirely, e.g.: https://github.com/Xyntax/1000php/issues/1#issuecomment-2318...
Link to search results: https://github.com/search?q=%22We+have+detected+a+login+atte...
I work at Render. We've removed the phishing website from the platform.
Amazing work! This is the first time I've seen this kind of issue fixed so quickly.
GitHub should learn from this.
11.5k in 4h and GitHub does nothing??
That's truly a HUGE red flag there.