Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Python United States

PyPI Was Subpoenaed 31

The PyPI blog: In March and April 2023, the Python Software Foundation (PSF) received three (3) subpoenas for PyPI user data. All three subpoenas were issued by the United States Department of Justice. The PSF was not provided with context on the legal circumstances surrounding these subpoenas. In total, user data related to five (5) PyPI usernames were requested. The data request was:

"Names (including subscriber names, user names, and screen names);"
"Addresses (including mailing, residential addresses, business addresses, and email addresses);"
"Connection records;"
"Records of session times and durations, and the temporarily assigned network address (such as Internet Protocol addresses) associated with those sessions;"
"Length of service (including start date) and type of services utilized;"
"Telephone or instrument numbers (including the registration Internet Protocol address);"
"Means and source of payment of any such services (including any credit card or bank account number) and billing records;"
"Records of all Python Package Index (PyPI) packages uploaded by..." given usernames
"IP download logs of any Python Package Index (PyPI) packages uploaded by..." given usernames

The privacy of PyPI users is of utmost concern to PSF and the PyPI Administrators, and we are committed to protecting user data from disclosure whenever possible. In this case, however, PSF determined with the advice of counsel that our only course of action was to provide the requested data. I, as Director of Infrastructure of the Python Software Foundation, fulfilled the requests in consultation with PSF's counsel.

We have waited for the string of subpoenas to subside, though we were committed from the beginning to write and publish this post as a matter of transparency, and as allowed by the lack of a non-disclosure order associated with the subpoenas received in March and April 2023.
This discussion has been archived. No new comments can be posted.

PyPI Was Subpoenaed

Comments Filter:
  • by Locke2005 ( 849178 ) on Wednesday May 24, 2023 @01:46PM (#63548519)
    Sounds like the DoJ thinks somebody inserted malicious code into the Python Package Index codebase.
    • Why would the DoJ care about malicious code in Python? I would suspect they are trying to track down 5 individuals that are also Python contributors.
      • Why would the DoJ care about malicious code in Python?

        Because the government uses a lot of Python just like everyone else.

        I would suspect they are trying to track down 5 individuals that are also Python contributors.

        Yeah, but why?

        • Because the government uses a lot of Python just like everyone else.

          By your logic, the DOJ goes after every time malicious code was inserted in all the languages they use?

          Yeah, but why?

          If they are trying to find individuals who may also be Python contributors, it seems the most logical answer is to find out as much as they can from PythonPl. What it your method? Sending a subpoena to Google or Apple about Python code changes.

          • By your logic, the DOJ goes after every time malicious code was inserted in all the languages they use?

            Sigh. Use your <spongebob>IMAGINATION</spongebob> to consider the ramifications of the known facts.

            If they are trying to find individuals who may also be Python contributors, it seems the most logical answer is to find out as much as they can from PythonPl.

            No, that's not the question. Why are they looking for five Python contributors? A plausible explanation is that these people were involved in some kind of attack involving code delivered from PyPl repos which affected the government or a government contractor.

            There are other plausible explanations too, but you've ruled out this one on no basis at all.

            • Sigh. Use your IMAGINATION to consider the ramifications of the known facts.

              As opposed to your proscribed method of WILD SPECULATION based on a very limited set of facts. We do not know what code these people contributed but you are absolutely sure it was malicious code based on zero statements by PyPl confirming it.

              No, that's not the question. Why are they looking for five Python contributors? A plausible explanation is that these people were involved in some kind of attack involving code delivered from PyPl repos which affected the government or a government contractor.

              And attack which was not acknowledged by PyPl but is somehow the subject of a subpoena by the DoJ instead of being handled by another federal agency like the NSA, FBI, CIA, Homeland Security, etc. first?

              There are other plausible explanations too, but you've ruled out this one on no basis at all.

              1) Please cite parts of my post where as have "ruled" it out. I am

              • by nickovs ( 115935 )

                Sigh. Use your IMAGINATION to consider the ramifications of the known facts.

                As opposed to your proscribed method of WILD SPECULATION based on a very limited set of facts. We do not know what code these people contributed but you are absolutely sure it was malicious code based on zero statements by PyPl confirming it.

                Given that the records requested represent the set of: where did these users connect from, what did they upload to PyPI and where did the packages that they uploaded get sent, it seems pretty plausible (as opposed to wild speculation) that they are trying to construct a chain on third party evidence that code uploaded the named people ended up on some system that they know got breached through malicious Python code, so that they can more directly connect the named users to the attack.

                No, that's not the question. Why are they looking for five Python contributors? A plausible explanation is that these people were involved in some kind of attack involving code delivered from PyPl repos which affected the government or a government contractor.

                And attack which was not acknowledged by PyPl but is somehow the subject of a subpoena by the DoJ instead of being handled by another federal agency like the NSA, FBI, CIA, Homeland Security, etc. first?

                "Instead"? How do you k

                • Given that the records requested represent the set of: where did these users connect from, what did they upload to PyPI and where did the packages that they uploaded get sent, it seems pretty plausible (as opposed to wild speculation) that they are trying to construct a chain on third party evidence that code uploaded the named people ended up on some system that they know got breached through malicious Python code, so that they can more directly connect the named users to the attack.

                  What did they upload to Python? == they must have uploaded malicious code! Do you not see how you jumped to conclusions? Also if these users uploaded malicious code, you would think PyPl should be notified/already knows the code was malicious.

                  "Instead"? How do you know that one of those other agencies did not handle this first? . It's not uncommon for US, State or District Attorneys to seek additional evidence for themselves, to bolster their cases, before presenting them to a grand jury or judge.

                  If those other agencies handled it first, why is the DoJ involved, again? While those other agencies may not be able to gather all evidence, in this case, these are open source records. You would hope the FBI, CIA, NSA would know how to access open source records by q

          • By your logic, the DOJ goes after every time malicious code was inserted in all the languages they use?

            Obviously the DOJ doesnt have the resources to go after hackers every time something untowards happens. They DO however have a list of things they will devote resources to go after ppl for. Once upon a time that was "Did more than $10K worth of damage". I presume "Hack into the govt" is also on that list. As are likely "Hack into hospitals". I'm not sure what the threshold is now, but there IS one. I suspe

        • Because the government uses a lot of Python just like everyone else.

          That sounds like a terrible idea. Breaking compatibility between major versions being the biggest red flag. This is the opposite of what you'd want for a government project.

          • It's also probably completely untrue. I'd be willing to bet that 99.9999% of "government projects" are written in VisualBasic and C#/.NET.

          • It's not that they're writing a lot of Python, I mean they might be but I doubt it.

            It's because they're using the same software everyone else is using, and there's a lot of Python in it now.

            It's not like the government writes most of the software it uses.

        • Why would the DoJ care about malicious code in Python?

          Because the government uses a lot of Python just like everyone else.

          I think the IRS uses Python...because it's probably faster than the ancient COBOL code on the IRS mainframes.

  • by FudRucker ( 866063 ) on Wednesday May 24, 2023 @02:26PM (#63548621)
    I would cooperate with the DOJ and lock those accounts of interest so the suspects can not change or delete any files (make them READ ONLY)
    • by Anonymous Coward

      Strictly speaking, criminals only become officially criminal once convicted. Innocent until proven guilty, and all that. (Which is one reason not to plead guilty. It's not defiance to expect the prosecution and judge and/or jury to do their job.)

      Subpoenas are typically issued to help investigate to see if someone might look guilty enough for a court case. So that's before conviction. Unless you mean prior convictions, but that means you don't think that doing the time puts the crime behind them so they can

    • make them READ ONLY

      Don't they have backups and file history deltas easily accessible?

      Instead of that, it seems that any updates and file deletions would be the absolute FIRST (but not only) place to look.

  • by laughingskeptic ( 1004414 ) on Wednesday May 24, 2023 @03:57PM (#63548861)
    PyPi had to suspend the creation of new accounts on May 20th because they couldn't keep up with all of the malicious registrations. The number of undetected malicious accounts involved in crime is likely much larger than 5. It is pretty clear from this ridiculous PyPi release that responding to DoJ subpoenas is not a routine event for them which indicates just how far behind the hackerz the DoJ is. This is practically an announcement to the malware authors that their uploads are likely "safe".
  • If they were just casting about on "suspicion of unknown hanky-panky" I'd be looking at it askance... but they've got a precise ask with official paper behind it. I'm not sure telling everybody it's happening was wise.

Don't get suckered in by the comments -- they can be terribly misleading. Debug only code. -- Dave Storer

Working...