Software developer at a big library, cyclist, photographer, hiker, reader. Email: chris@improbable.org

NPR: The public broadcaster’s problems are deeper than “wokeness.”


NPR, the great bastion of old-school audio journalism, is a mess. But as someone who loves NPR, built my career there, and once aspired to stay forever, I say with sadness that it has been for a long time.

This might be news to those who tune out the circular firing squad of institutional media whiners. But my former NPR colleague Uri Berliner, one of the organization’s (as of now) senior editors, set off a firestorm by publishing a commentary that essentially blamed “wokeness” and Democratic partisanship for the apparent loss of confidence in the once-unimpeachable institution. (This morning, news broke that Uri has been suspended by NPR for violating a policy about “outside work,” and informed that he’d be fired for any more infractions.) The essay, published by Bari Weiss’ the Free Press, blew up certain corners of X and various Facebook feeds, and was gleefully lapped up by conservatives who’ve been fighting to defund NPR and public broadcasting for a generation.

It was a longtime fear at NPR that some scandal or mess that the network had hoped to contain within its headquarters, lovingly referred to as the “mother ship” by nippers and ex-nippers everywhere, would find its way to the outside world, where the organization’s very real, powerful enemies could exploit it. In fact, this is happening right now; Christopher Rufo, a conservative writer and fellow at the Manhattan Institute, has launched a campaign against NPR’s new CEO Katherine Maher, accusing her of liberal bias based on old tweets. Those kinds of threats reinforce an in-the-trenches camaraderie at NPR. It has also been used to quash internal criticism. I guess Uri’s piece proves that that strategy doesn’t work anymore.

Uri started at NPR in 1999. I started in 1997 in the audience research department as an administrative assistant. Because I was what we called “a back-seat baby,” someone who’d grown up being force-fed a steady diet of NPR from car radios and in the home by crunchy granola parents, I had spent the past several months before my college graduation searching the organization’s rudimentary website, desperate to find anything that I was qualified to do. A year later, I maneuvered into the news division as the editorial assistant to senior correspondent Daniel Schorr and one of the “Murrow Boys,” protégés of CBS Radio legend and Good Night, and Good Luck hero Edward R. Murrow.

After a stint at Salon from 1999 to 2001, I landed back at NPR. Everyone did. It was an institutional joke that people who left for other jobs would find their way back, because the place was irresistible. And it kind of was. So many people there were/are brilliant, kind, funny, interesting, and dedicated to public service. Aside from my family, I found most of the people I like, love, and care about while I was working at NPR.

So when Uri’s piece started popping up on my timeline last week, it felt like hearing a loud, ugly family argument break out in the room next door: I wanted to pretend as if it weren’t happening; I wanted people to shut up. But if they were going to shout, I at least wanted them to tell the whole story.

And that story is that NPR has been both a beacon of thoughtful, engaging, and fair journalism for decades, and a rickety organizational shit show for almost as long. If former CEO John Lansing—the big bad of Uri’s piece—failed to fix it, or somehow made it worse, that’s a failure he shared with almost every NPR leader before him. But if, as Uri charges (albeit in a negative way), Lansing genuinely managed to break the network loose from the grasp of self-righteous white liberal identity politics, even in an imperfect way, that would surprise the hell out of me. Especially given the well-reported exodus of top journalists of color, and the loss of a diverse group of journalists during last year’s podcast layoffs.

It did take a kind of courage for Uri to publicly criticize the organization. But it also took a lot of the wrong type of nerve. His argument is a demonstration of contemporary journalism at its worst, in which inconvenient facts and obvious questions were ignored, and the facts that could be shaped to serve the preferred argument were inflated in importance.

Take a step into the way-back machine to 2011, Uri’s so-called golden age. That’s the year when senior members of the development team fell for a scam set up by professional provocateur James O’Keefe. The aftermath took them out and toppled then–CEO and President Vivian Schiller. It came months after the ill-timed, clumsy firing of Juan Williams, which led to senior vice president of news Ellen Weiss resigning under pressure.

Uri also leapfrogs over a long list of contemporary fuckups and questionable calls that could explain the growing public distrust that concerns him. There were questions about NPR legal affairs correspondent Nina Totenberg’s personal relationship with Ruth Bader Ginsburg compromising her reporting; the departure of news chief Mike Oreskes, and other prominent men in the newsroom, after a wave of sexual harassment charges; the exposure of systematic exploitation of NPR’s temporary workforce. And those are just the public problems.

Behind the scenes and stretching back into the “golden age,” there were major strategic errors that seriously damaged the network’s prospects. The founding producer of The Daily at the New York Times was Theo Balcomb, a senior producer at All Things Considered who couldn’t get enough support to launch a morning news podcast inside NPR. There was the “Flat is the new growth” mantra that reigned for a few years after the network decided that a multimedia future meant shrugging off softness in listener numbers for core shows. Then there was the time in the late aughts when leadership decided that podcasting wasn’t going to amount to much, and so pumped the brakes on early efforts. Though the failure of imagination started earlier; the first big blunder I saw was in the late 1990s, when the network failed to lock in a deal with a little show called This American Life.

Uri’s account of the deliberate effort to undermine Trump up to and after his election is also bewilderingly incomplete, inaccurate, and skewed. For most of 2016, many NPR journalists warned newsroom leadership that we weren’t taking Trump and the possibility of his winning seriously enough. But top editors dismissed the chance of a Trump win repeatedly, declaring that Americans would be revolted by this or that outrageous thing he’d said or done. I remember one editorial meeting where a white newsroom leader said that Trump’s strong poll numbers wouldn’t survive his being exposed as a racist. When a journalist of color asked whether his numbers could be rising because of his racism, the comment was met with silence. In another meeting, I and a couple of other editorial leaders were encouraged to make sure that any coverage of a Trump lie was matched with a story about a lie from Hillary Clinton. Another colleague asked what to do if one candidate just lied more than the other. Another silent response.

I left NPR in the early fall of 2016, but when I came back to work on Morning Edition about a year later, I saw NO trace of the anti-Trump editorial machine that Uri references. On the contrary, people were at pains to find a way to cover Trump’s voters and his administration fairly. We went full-bore on “diner guy in a trucker hat” coverage and adopted the “alt-right” label to describe people who could accurately be called racists. The network had a reflexive need to stay on good terms with people in power, and journalists who had contacts within the administration were encouraged to pursue those bookings.

We regularly set up live interviews with Republican officials and Trump surrogates. But it was tough because NPR always loved guests who would be insightful, honest, and—perhaps above all—polite. There were plenty of people who’d for years fit that description across the partisan divide in official Washington, but they were scarce in the Trump administration. We changed the format of live political interviews, adding what we called a “level-set.” That would be three-ish minutes after a conversation with a political operative or elected official when a host and NPR reporter would try to fact-check what had just been said.

Maybe the biggest head-scratcher for me in Uri’s argument is how it frames the lack of pursuit of the Hunter Biden laptop story as driven exclusively by politics. Uri said there was no follow-through because “the timeless journalistic instinct of following a hot story lead was being squelched.” In fairness, I left NPR for good in the spring of 2020, so I wasn’t there for this story arc. And the inappropriate statement, from a loose-lipped editor, that “it was good we weren’t following the laptop story because it could help Trump” sounds on-brand. But that killer instinct was regularly beat out of NPR journalists, regardless of the political mood or the president.

People pitched good stories in our meetings all the time that were dismissed as insubstantial, or not interesting, or not important enough, only for them to appear days or weeks later in the New York Times or the Washington Post. And only then, NPR leaders would want reporters to jump on it.

There were several reasons why good pitches died. The pitcher wasn’t high enough in the editorial landscape to be taken seriously. The resources were scarce because we were top-heavy and spread thin, trying to cover the country and the world, far beyond electoral politics. We didn’t have enough reporters or the right reporters on whatever beat to cover the story properly. Correspondents, reporters, and desks could be very territorial, and if this one specific reporter wasn’t able to do a story—because they were covering something else, or on leave, or didn’t feel like it—the piece frequently died. If reporting on an issue or story had already been done by an NPR reporter, a pitch could get smothered. That’s even if the original story had been years ago and the facts had changed, because pursuing an update of an old story was frequently framed as some kind of insult to the reporter who’d done it before. Many sharp ideas just hit a wall of silence.

And to be fair, some of that did seem politically motivated, before and after Trump was elected. I remember resistance to covering the violent MS-13 gang after it became a major talking point in Trump’s anti-immigrant rhetoric—even though the gang was active and murdering people in communities around the D.C. metropolitan area, close to NPR’s headquarters, and just miles from where many staffers lived. I think a lot of critics would consider that “wokeness”: pussyfooting around an issue because it might offend people of color. I saw it as low-key racial bias, because MS-13’s victims were mostly poor Central American immigrants, the kind of people we didn’t think our affluent white listenership would pay attention to.

Race has long been one of those third-rail issues in NPR’s coverage. I was part of the Code Switch team, beginning in August 2014, around the time that Michael Brown was killed in Ferguson. The Code Switch unit had been birthed in one of those fits of diversity enthusiasm that have dotted the organization’s timeline from my first years there. The unit started in 2013, in the age of Obama, and focused mainly on blogging about race and the intersection with culture. But that changed when the network shut down Tell Me More with Michel Martin, a show that made covering race a priority, and one that I worked on from its first weeks until the bitter end. Code Switch stepped into the gap, with strong but soul-crushing coverage of police brutality, racist violence, protests, and civil unrest.

NPR did excellent work in covering those stories, including Michel—who is a mentor and dear friend to me—leading a community forum from Missouri, and great investigative reporting on a culture of corruption in Ferguson that led to overpolicing of Black residents.

Some listeners rightly pointed out that police killed white people too, and often under shady circumstances. When I suggested that we pursue it as a story, I got crickets. When video emerged of a cop shooting white teenager Zachary Hammond during a drug sting operation, I couldn’t get our leadership to green-light reporting on it. Code Switch was the only unit that went to air with something on Hammond’s death. I think that’s because it would have complicated—or acknowledged the complication—of a story where we could smugly position ourselves as on the “right” side.

And that’s what the core editorial problem at NPR is and, frankly, has long been: an abundance of caution that often crossed the border to cowardice. NPR culture encouraged an editorial fixation on finding the exact middle point of the elite political and social thought, planting a flag there, and calling it objectivity. That would more than explain the lack of follow-up on Hunter Biden’s laptop and the lab-leak theory, going full white guilt after George Floyd’s murder, and shifting to indignant white impatience with racial justice now.

Layers of complex relationships made genuine editorial criticism hazardous at NPR. Even in an industry in which office romances happen a lot, NPR has been exceptional, boasting dozens of “met and married” couples. And that doesn’t cover all the quiet couples, besties, and other personal entanglements. All this means that if you criticized someone’s editorial decisions in a meeting, their best friend, sweetheart, or ex might be glowering at you from across the table. Even a mild critique could be met with: You know John’s been having a hard time because his dad just died/wife just left him/kid is having problems. Give him a break. Lots of people who were in relationships with colleagues kept it out of their work, but enough did not that it contributed to a culture where whisper networks replaced open discussion.

Given all that, I have to acknowledge that I understand how Uri could’ve been honestly mistaken in reaching some of his conclusions. Another chronic organizational struggle at NPR is stove-piping. Your experience could be completely different from that of someone working right across the hall from you, depending on the team you worked with and the meetings you went to. I was lucky, and (mostly) played my cards right during my years there. I landed with great groups of journalists who nurtured my talents and helped me address my flaws. I loved the place and for years defended it from charges of bias, even when my friends were victims of it. I completely bought the “bad apples” version of NPR’s long-standing issues with racism and sexism.

I leaned on the positive, and the belief that NPR was great and could be better. So I was a part of a lot of the “Let’s make this diversity thing work” efforts that rankled Uri. I remember leading one session he attended, when he spoke out to insist that NPR’s diversity problem had a lot to do with issues beyond race, like class, region, education, and political perspective. He was right, and I told him so.

But maybe the stove-piping meant that Uri didn’t see the pattern in those efforts that started wearing my spirit down. Some big news in the world or an internal failure would spark a wave of carefully stage-managed soul-searching from leadership, and ad hoc committees of well-intentioned volunteers would be assembled to write lists of recommendations. Then those recommendations would be politely received, filed away, and forgotten. And two or three years later, some new crisis would start the cycle all over again. In my experience, those multihyphenate identity groups or task forces were disproportionately full of junior staffers. Because many veterans—except for true-believing tryhards like me—understood that they were a waste of time.

One of the moments that sealed my decision to leave NPR was a conversation with my colleague and friend Keith Woods, NPR’s chief diversity officer. I was struck by a profound sense of déjà vu, not just about the stubborn challenge of diversifying NPR’s coverage. I felt that he and I were repeating—word for word, beat for beat—a discussion about source diversity that we’d had in the exact same room years before.

By that time, my rose-colored glasses and NPR-fueled sense of my own superior powers of understanding had already taken a severe beating. I had thought highly of all the men who were later felled by the sexual harassment scandal and had unwittingly recommended some of them as mentors to young journalists. I discovered that Mike Oreskes—someone whom I trusted and who was critical in helping me get back into NPR in 2017—had even harassed one of the women I encouraged to seek him out for career advice. I was stunned in the management-level meetings and conversations where harassment victims were disparaged as troublemakers, and harassers who were still with the company were protected.

I so loved the version of NPR that I had experienced and had amplified in my imagination that I was slow to see the cruelty being done to people I worked with and cared about. Because of my reputation in the system, I had become a magnet for young public radio journalists across the country who wanted to share their stories of being sexually or racially harassed, underpaid, or bullied, and ask for my advice. I lost track of how many of these calls I got, or how many discreet coffeehouse chats revealed a new story of abuse. I remember at least three people who told me some version of “It’s OK. I don’t think about killing myself anymore.” For what it’s worth, two of those were young white journalists. When I reached out to talk with a wise NPR connected elder about it, her advice was to stop taking those calls. Pretend that I didn’t know the facts, because they challenged the narrative about who we were, and how my hubris had contributed to it.

I guess that’s why I think Uri is most wrong about NPR’s relationship with the rest of the country. It’s a very accurate reflection of America right now, a place where people won’t admit that good intentions don’t always yield good results, and would rather hide behind the myth of its excellence than do the hard work of making it a reality. I sincerely hope there’s still time to turn it around.


DNA Lounge: 16-Apr-2024 (Tue): Wherein this is just a sleepy seaside town now


Some observations on how San Francisco nightlife seems to be transforming into early-evening, get-to-bed-at-a-reasonable-hour life.

I had noticed that many of our live shows were ending really early: a couple times recently, the last band was done and we were closed by 10pm. That seems weird and wrong to me. Especially in the summer: who wants to show up at a night club while the sun is still up? "Why are we doing that?", I asked. Well, Devon did some research, and the answer seems to be, "Because everyone else is doing that too."

From a non-exhaustive survey of local venues of our size or smaller, and a smattering of out-of-town venues as well, the trend now seems to be that doors are at 7 or 7:30 (maybe an hour later on Friday or Saturday) and every show is over by 10:30 or 11. There are almost never more than three bands on the bill, and it's increasingly common for there to be only two bands.

Back in the olden days -- by which I mean the Twenty Tens -- it was pretty standard at a three band show for them to hit the stage at 9, 10 and 11.

That still left you time to hoof it back to BART to catch the last train under the bay, which was a thing that people still did, because that was back before Uber and Lyft had managed to destroy public transportation and normalize paying $60 just to leave the house.

And DJs? Headlining DJs used to go on after 2! That was normal!

This change doesn't seem to be something that has emerged organically from customers, at least not entirely: there is pressure from the bands and their agents to end earlier, and do even shorter changeovers between sets. You can't get a band to agree to go on at 11, because they say they have too much driving to do. (Upside: they don't ask us to pay for hotels as often.)

In the eighties through the aughts, shows started even later: if you dig through our ancient flyers, you'll see plenty of shows where the first band went on after 10; plenty of events that were free before 11pm, because nobody showed up that early; and even a few flyers advertising "DJ dancing every night until 4am." Yes, that was a thing that used to happen! You could go out any night of the week, and there were still places to go at 3am! There was even food! At multiple different restaurants!

Even "last call" doesn't really mean anything these days. It used to be that the most difficult and intense part of the evening for our staff was "hard pull", that time just before 2am when we had to tell customers that they could no longer have that drink in their hands. But nowadays we hardly have to do anything, since even on a busy DJ night, the club has already begun emptying out well before 2, and we're always closed by 2:30. If we stayed open any later, we'd have like 30 people lingering. "Last call" used to mean a rush at the bar. Now it means "start cleaning".

Reader, I do not like it. I do not like it one bit.

I guess in this modern world, now that the downtown office buildings have hollowed out from remote work, everyone has to get to bed early so they can get up on time to not put pants on and not commute to the office.

So welcome to the sleepy seaside town of San Francisco.


Cheap Auto Insurance Is a Thing of the Past. Here Are Five Reasons Why - Bloomberg

1 public comment
denismm
6 hours ago
> Today’s cars are packed with high-tech gadgetry meant to entertain, comfort and protect occupants. The array of safety equipment now common on cars includes automatic emergency braking, blind-spot detection and lane departure warnings. To give drivers eyes in the back of their head, automotive engineers have embedded cameras, sonar and radar sensors from bumper to bumper. All that technology has driven up the cost of repairing even a minor fender bender.

So they’ve made it more expensive to repair but have all of those features made accidents less likely? (I couldn’t read the rest of the article.)

USC bans pro-Palestinian valedictorian from speaking at graduation - Los Angeles Times


Saying “tradition must give way to safety,” the University of Southern California on Monday made the unprecedented move of barring an undergraduate valedictorian who has come under fire for her pro-Palestinian views from giving a speech at its May graduation ceremony.

The move, according to USC officials, is the first time the university has banned a valedictorian from the traditional chance to speak onstage at the annual commencement ceremony, which typically draws more than 65,000 people to the Los Angeles campus.

In a campuswide letter, USC Provost Andrew T. Guzman cited unnamed threats that have poured in shortly after the university publicized the valedictorian’s name and biography this month. Guzman said attacks against the student for her pro-Palestinian views have reached an “alarming tenor” and “escalated to the point of creating substantial risks relating to security and disruption at commencement.”

“After careful consideration, we have decided that our student valedictorian will not deliver a speech at commencement. ... There is no free-speech entitlement to speak at a commencement. The issue here is how best to maintain campus security and safety, period,” Guzman wrote.

The student, whom the letter does not name, is biomedical engineering major Asna Tabassum. USC officials chose Tabassum from nearly 100 student applicants who had GPAs of 3.98 or higher.

But after USC President Carol Folt announced her selection, a swarm of on- and off-campus groups attacked Tabassum. They targeted her minor, resistance to genocide, as well as her pro-Palestinian views and “likes” expressed through her Instagram account.

We Are Tov, a group that uses the Hebrew word for “good” and describes itself as “dedicated to combating antisemitism,” posted Tabassum’s image on its Instagram account and said she “openly promotes antisemitic writings.” The group also criticized Tabassum for liking Instagram posts from “Trojans for Palestine.” Tabassum’s Instagram bio links to a landing page that says “learn about what’s happening in Palestine, and how to help.”

The campus group Trojans for Israel also posted on its Instagram account, calling for Folt’s “reconsideration” of Tabassum for what it described as her “antisemitic and anti-Zionist rhetoric.” The group said Tabassum’s Instagram bio linked to a page that called Zionism a “racist settler-colonial ideology.”

In a statement, Tabassum opposed the decision, saying USC has “abandoned” her.

“Although this should have been a time of celebration for my family, friends, professors, and classmates, anti-Muslim and anti-Palestinian voices have subjected me to a campaign of racist hatred because of my uncompromising belief in human rights for all,” said Tabassum, who is Muslim.

“This campaign to prevent me from addressing my peers at commencement has evidently accomplished its goal: today, USC administrators informed me that the university will no longer allow me to speak at commencement due to supposed security concerns,” she wrote.

“I am both shocked by this decision and profoundly disappointed that the university is succumbing to a campaign of hate meant to silence my voice. I am not surprised by those who attempt to propagate hatred. I am surprised that my own university—my home for four years—has abandoned me.”

In an interview, Guzman said the university has been “in close contact with the student” and would “provide her support.” He added that “we weren’t seeking her opinion” on the ban.

“This is a security decision,” he said. “This is not about the identity of the speaker, it’s not about the things the valedictorian has said in the past. We have to put as our top priority ensuring that the campus and community is safe.”

Another campus official who was part of the decision, Erroll Southers, said threats came in via email, phone calls and letters. Southers is USC’s associate senior vice president for safety and risk assurance.

Individuals “say they will come to campus as early as this week,” Southers said. He did not elaborate.

Pro-Palestinian groups, including the Los Angeles chapter of the Council on American-Islamic Relations, have called for USC to reinvite Tabassum to speak.

“USC cannot hide its cowardly decision behind a disingenuous concern for ‘security,’” CAIR-LA Executive Director Hussam Ayloush said in a statement.

In another statement, the USC Palestine Justice Faculty Group said it “unequivocally rejects” Tabassum being uninvited.

“The provost’s action is another example of USC’s egregious pattern of supporting anti-Palestinian and anti-Muslim racism,” the group said.

Times staff writers Jenna Peterson and Angie Orellana Hernandez contributed to this report.

1 public comment
acdha
12 hours ago
I’m sure all of the old people who were so concerned about freedom of speech on campus will be protesting this. Any minute now. Maybe they need time to finish writing their properly scathing NYT editorials first.
Washington, DC

How Do You Say ‘Danger’ in Sperm Whale Clicks?


This is part one of a two-part series. Read part two here.

Sperm whales don’t sing melodious, moaning whale songs like their humpback cousins. The biggest predator on the planet communicates in clicks, called codas. Some compare the sounds to popping popcorn or frying bacon in a pan. For CUNY biologist David Gruber, it resembles “Morse code or techno music.”

Gruber, the founding president of Project CETI, the Cetacean Translation Initiative, often listens for hours in his New York office to the sperm whale chats his team has recorded in the Eastern Caribbean.

Sperm whale birth seen from above in the Eastern Caribbean.
Project CETI records sperm whale codas around the Eastern Caribbean island of Dominica. Courtesy of Project CETI

CETI focuses on sperm whales for several reasons. One reason is that it can build on the audio recordings that whale biologist Shane Gero has already been collecting for 15 years with the Dominica Sperm Whale Project. Gero was able to show that sperm whale families have different dialects, much like British and American English. “Another reason is that the sperm whale has been vilified as a killer, Moby Dick as a leviathan,” Gruber says. “Meanwhile it could be one of the most intelligent, sophisticated communicators on the planet.”

While the humpback whales sing their soprano songs primarily for mating, sperm whales are communicating to socialize and exchange information. CETI has already discovered that the communication patterns are complex. “Their codas are clicks, they are like ones and zeros, which is very good for cryptographers,” Gruber explains. “The combination of advanced machine learning and bioacoustics is slated to be the next microscope or telescope in terms of our ability to really listen more deeply and understand life at a new level.”

CETI’s team operates a giant whale-recording platform from a 40-foot sailboat off the coast of Dominica, a volcanic island in the Caribbean with a stable sperm whale population. Both by tagging the whales and installing whale listening stations with microphones dangling deep down into the ocean on floating buoys, CETI is recording several terabytes of data every month. The scientists are creating a three-dimensional interactive map of the whales within a 20-kilometer radius, combining sounds with data such as the whales’ heart rates. 

The post How Do You Say ‘Danger’ in Sperm Whale Clicks? appeared first on Reasons to be Cheerful.

1 public comment
cjheinz
4 days ago
Wow, whale speech!

Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects – Open Source Security Foundation


By Robin Bender Ginn, Executive Director, OpenJS Foundation; and Omkhar Arasaratnam, General Manager, Open Source Security Foundation

The recent attempted XZ Utils backdoor (CVE-2024-3094) may not be an isolated incident, as evidenced by a similar credible takeover attempt intercepted by the OpenJS Foundation, home to JavaScript projects used by billions of websites worldwide. The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation are calling on all open source maintainers to be alert for social engineering takeover attempts, to recognize the early threat patterns emerging, and to take steps to protect their open source projects.

Failed Credible Takeover Attempt

The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

None of these individuals have been given privileged access to the OpenJS-hosted project. The project has security policies in place, including those outlined by the Foundation’s security working group.

The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

Open source projects always welcome contributions from anyone, anywhere, yet granting someone administrative access to the source code as a maintainer requires a higher level of earned trust, and it is not given away as a “quick fix” to any problem.

Together with the Linux Foundation, we want to raise awareness of this ongoing threat to all open source maintainers, and offer practical guidance and resources from our broad community of experts in security and open source.

Suspicious patterns in social engineering takeovers:

  • Friendly yet aggressive and persistent pursuit of maintainer or their hosted entity (foundation or company) by relatively unknown members of the community.
  • Request to be elevated to maintainer status by new or unknown persons.
  • Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
  • PRs containing blobs as artifacts.
    • For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
  • Intentionally obfuscated or difficult to understand source code.
  • Gradually escalating security issues.
    • For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
  • Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
  • A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.

These social engineering attacks exploit the sense of duty that maintainers feel toward their project and community in order to manipulate them. Pay attention to how interactions make you feel. Interactions that create self-doubt, feelings of inadequacy, or a sense of not doing enough for the project might be part of a social engineering attack.

Social engineering attacks like the ones we have witnessed with XZ/liblzma were successfully averted by the OpenJS community. These types of attacks are difficult to detect or protect against programmatically as they prey on a violation of trust through social engineering. In the short term, clearly and transparently sharing suspicious activity like those we mentioned above will help other communities stay vigilant. Ensuring our maintainers are well supported is the primary deterrent we have against these social engineering attacks.

Steps to help secure your open source project:

In addition to these recommendations, there are a number of security best practices that can improve the security properties of our projects. While these recommendations will not thwart a persistent social engineering attack, they may help improve the overall security posture of your project.

  • Consider following industry-standard security best practices such as OpenSSF Guides.
  • Use strong authentication.
    • Enable two-factor authentication (2FA) or Multifactor Authentication (MFA). 
    • Use a secure password manager.
    • Preserve your recovery codes in a safe, preferably offline place.  
    • Do not reuse credentials/passwords across different services.
  • Have a security policy including a “coordinated disclosure” process for reports.
  • Use best practices for merging new code.
    • Enable branch protections and signed commits. 
    • If possible, have a second developer conduct code reviews before merging, even when the PR comes from a maintainer.
    • Enforce readability requirements to ensure new PRs are not obfuscated, and use of opaque binaries is minimized. 
    • Limit who has npm publish rights.
    • Know your committers and maintainers, and do a periodic review. Have you seen them in your working group meetings or met them at events, for example?
  • If you run an open source package repository, consider adopting Principles for Package Repository Security.
  • Review “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.
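Two of the items above, the "PRs containing blobs" and "obfuscated source code" patterns and the readability requirement under merge practices, can be partly automated as a pre-merge review aid. The following Node.js script is an added example (it is not code from OpenJS, OpenSSF or any of their projects) that takes a set of changed files and flags those that are not plain, human-readable source: non-UTF-8 blobs, blobs dropped into a test directory, high byte entropy (compressed or encrypted data sits near 8 bits per byte), and obfuscation markers in JavaScript such as very long lines, dense hex escapes, `eval`, or long base64-like runs. The directory layout, thresholds and the three sample files are constructed assumptions for illustration; the script is a signal for a human reviewer, not a substitute for one.

```javascript
'use strict';
// Added example (not code from OpenJS, OpenSSF or any of their projects):
// a pre-merge review aid that flags changed files which are not plain,
// human-readable source. Thresholds and sample inputs are constructed.

const TEST_DIR_RE = /(^|\/)(tests?|fixtures?|testdata)\//; // assumed layout
const LONG_LINE_CHARS = 500;    // assumed threshold
const MAX_ESCAPES = 20;         // assumed threshold
const HIGH_ENTROPY_BITS = 7.0;  // bits/byte; compressed or encrypted data sits near 8

// True when the buffer decodes as UTF-8 and contains no NUL bytes.
function isUtf8Text(buf) {
  if (buf.includes(0)) return false;
  try {
    new TextDecoder('utf-8', { fatal: true }).decode(buf);
    return true;
  } catch {
    return false;
  }
}

// Shannon entropy of the byte distribution, in bits per byte (0..8).
function shannonEntropy(buf) {
  if (buf.length === 0) return 0;
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b] += 1;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / buf.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Review one changed file; returns the findings a human reviewer should look at.
function reviewChangedFile(path, buf) {
  const findings = [];
  const binary = !isUtf8Text(buf);
  if (binary) {
    findings.push('binary blob: not human-readable source');
    if (TEST_DIR_RE.test(path)) findings.push('opaque blob added to the test suite');
  } else {
    const text = buf.toString('utf8');
    const longest = text.split('\n').reduce((m, l) => Math.max(m, l.length), 0);
    if (longest > LONG_LINE_CHARS) findings.push(`very long line (${longest} chars)`);
    const escapes = (text.match(/\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g) || []).length;
    if (escapes > MAX_ESCAPES) findings.push(`${escapes} hex/unicode escape sequences`);
    if (/\beval\s*\(|new\s+Function\s*\(/.test(text)) findings.push('dynamic code execution (eval / new Function)');
    if (/[A-Za-z0-9+/]{200,}={0,2}/.test(text)) findings.push('long base64-like run');
  }
  const entropy = shannonEntropy(buf);
  if (entropy > HIGH_ENTROPY_BITS) findings.push(`high byte entropy (${entropy.toFixed(2)} bits/byte)`);
  return { path, binary, entropy, findings, needsHumanReview: findings.length > 0 };
}

// Review every file in a change set; `changes` is [{ path, content: Buffer }].
function reviewChangedFiles(changes) {
  return changes.map(({ path, content }) => reviewChangedFile(path, content));
}

// Constructed sample "pull request": one ordinary change, one opaque test
// fixture, one obfuscated loader. None of these are real project files.
const SAMPLE_CHANGES = [
  {
    path: 'src/util.js',
    content: Buffer.from(
      "'use strict';\n" +
      '// Ordinary, readable change.\n' +
      'function add(a, b) {\n  return a + b;\n}\n' +
      'module.exports = { add };\n'),
  },
  {
    path: 'tests/fixtures/sample.bin',
    // every byte value occurs equally often, so entropy is exactly 8 bits/byte
    content: Buffer.from(Array.from({ length: 1024 }, (_, i) => i % 256)),
  },
  {
    path: 'lib/loader.js',
    // one 600+ character line of hex escapes fed to eval()
    content: Buffer.from(
      'const payload = "' + '\\x41'.repeat(150) + '"; eval(payload);\n'),
  },
];

for (const r of reviewChangedFiles(SAMPLE_CHANGES)) {
  const status = r.needsHumanReview ? 'REVIEW' : 'ok';
  console.log(`${status.padEnd(6)} ${r.path}  ${r.findings.join('; ')}`);
}
```

Run with `node review-changes.js`; in a real workflow the `SAMPLE_CHANGES` array would be populated from the files a pull request touches, and any `REVIEW` line is a reason to require a second reviewer rather than to reject outright, since legitimate binary fixtures exist and need to be justified in the PR description.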

Steps for industry and government to help secure critical open source infrastructure:

Sustaining a stable and secure open source project puts real pressure on maintainers. For example, many projects in the JavaScript ecosystem are maintained by small teams or single developers who are overwhelmed by commercial companies that depend on these community-led projects yet contribute very little back.

To solve a problem of this scale, we need vast resources and public/private international coordination. There is already great work underway by the following organizations:

Open source foundations:

The Linux Foundation family of foundations and other similar organizations like ours can help provide a safety net for open source projects. Maintainers often lack the time, people and expertise in areas such as security. Neutral foundations help support the business, marketing, legal and operations behind hundreds of open source projects that so many rely upon. Our goal is to remove any friction outside of coding to support our maintainers and help their projects grow. As vendor-neutral nonprofits, we are uniquely positioned to offer expertise garnered from multiple stakeholders represented in our organizations.

On security, our open source foundations have found that the most effective approach is to provide technical assistance and direct support to open source projects.

Alpha-Omega, an associated project of the OpenSSF funded by Microsoft, Google, and Amazon, funds critical projects and ecosystems. The project aims to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly. The OpenJS Foundation has seen the proven impact of funding developers for security through Alpha-Omega investments in Node.js and jQuery.

Sovereign Tech Fund:  

The Sovereign Tech Fund, financed by the German Federal Ministry for Economic Affairs and Climate Action, is providing the OpenJS Foundation and more open source organizations significant funding to strengthen infrastructure and security. 

They have built a model with detailed reporting and accountability for resources, yet at the same time have technical expertise on staff to customize security proposals for the variety of open source projects they fund.

It’s encouraging to see the German government taking this initiative to improve the lives of citizens by investing in critical open source infrastructure through the Sovereign Tech Fund. 

We are advocating for more global public investment in initiatives like the Sovereign Tech Fund, to invest in the global open source infrastructure that society depends on, complementary to private funding. We recommend that public institutions learn from, adapt and coordinate with Germany’s Sovereign Tech Fund to support our interconnected open source projects and shared digital economies.

About OpenJS Foundation

The OpenJS Foundation is committed to supporting the healthy growth of the JavaScript ecosystem and web technologies by providing a neutral organization to host and sustain projects, as well as collaboratively fund activities for the benefit of the community at large. The OpenJS Foundation is made up of 35 open source JavaScript projects including Appium, Electron, Jest, jQuery, Node.js, and webpack and is supported by corporate and end-user members, including GoDaddy, Google, HeroDevs, IBM, Joyent, Microsoft, and the Sovereign Tech Fund. These members recognize the interconnected nature of the JavaScript ecosystem and the importance of providing a central home for projects which represent significant shared value.

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org (http://openssf.org).

About the Authors

Robin Bender Ginn is the Executive Director of the OpenJS Foundation, the neutral home to drive broad adoption and ongoing development of key JavaScript and web technologies. She also serves on the leadership team at the Linux Foundation. Robin has led major initiatives advancing open source technologies, community development, and open standards. Previously, Robin spent more than 10 years at Microsoft where she was at the forefront of the company’s shift to openness.

Omkhar Arasaratnam is the General Manager of the Open Source Security Foundation (OpenSSF). He is a veteran cybersecurity and technical risk management executive with more than 25 years of experience leading global organizations. Omkhar began his career as a strong supporter of open source software as a PPC64 maintainer for Gentoo and contributor to the Linux kernel, and that enthusiasm for OSS continues today. Before joining the OpenSSF, he led security and engineering organizations at financial and technology institutions, such as Google, JPMorgan Chase, Credit Suisse, Deutsche Bank, TD Bank Group, and IBM. As a seasoned technology leader, he has revolutionized the effectiveness of secure software engineering, compliance, and cybersecurity controls. He is also an accomplished author and has led contributions to many international standards. Omkhar is also a NYU Cyber Fellow Advisory Council member and a Senior Fellow with the NYU Center for Cybersecurity where he guest lectures Applied Cryptography.
