muskrat
Aug 16, 2004

CommieGIR posted:

This actually got caught fairly early, thankfully, but it was well on its way.

One of the most disturbing aspects of this story is that it wasn't "caught" per se, it was stumbled upon by a thankfully brilliant Postgres developer who happened to be investigating a performance issue which turned out to be the result of the backdoor. This guy is truly a hero; we'd be in a terrible spot had this been discovered later.

The fact that the committer(s) used multiple accounts to get this circulated, and are experienced enough to become primary maintainers of an ubiquitous library is also terrifying. It's likely they have commit access to projects other than xz.

The backdoor author ("Jia Tan") is even listed as a reviewer on some xz-related patchsets for the linux kernel itself: https://lore.kernel.org/lkml/20240320183846.19475-2-lasse.collin@tukaani.org/


muskrat
Aug 16, 2004

Boris Galerkin posted:

Not to sound :tinfoil: but I can't imagine that agencies like the NSA haven't already planted developers into these open source communities. I mean, they hold and attend conferences and poo poo. It is logical to assume they have people on payroll contributing to things like openssh.

If you're talking about the upstream projects, OpenSSH and OpenBSD are two projects where I would least expect this, and if the NSA et al are in fact contributing code, they're not contributing backdoors. These are two of the most secure projects on the planet; patches like the ones in question would never have been accepted.

A more realistic scenario would be one of these government agencies hiring a core developer from e.g. OpenBSD / OpenSSH full-time, or someone with that level of expertise. They would be an unbelievably strong asset in terms of finding and exploiting vulnerabilities in other software. They wouldn't even need to add backdoors. Scary to think of the outcome were these world-class whitehats to have a change of heart.
