this post was submitted on 31 Mar 2024
156 points (100.0% liked)

Open Source

top 14 comments
[–] Wes_Dev@lemmy.ml 68 points 7 months ago

Let's keep in mind that if this is a state actor or some sort of global organized crime, then they don't put all their eggs into one basket. If that's the case, they're going to have a bunch of other plans and backdoor attempts ongoing. This isn't the end and we can assume there's something else somewhere that went unnoticed.

Security is a constantly changing war of attrition, not a goal/product/configuration.

[–] BestBouclettes@jlai.lu 27 points 7 months ago (2 children)

If anything it highlights how great open source actually is when it comes to security. People saw it and immediately flagged it.

[–] 0xtero 22 points 7 months ago (1 children)

I don't think this one counts as a big win, to be honest. It was just freakish luck.

[–] BestBouclettes@jlai.lu 13 points 7 months ago (2 children)

It's definitely freakish luck but at least it got found out. A closed source software would have gone through unnoticed.

[–] vrighter@discuss.tchncs.de 11 points 7 months ago

The fact that it was found by luck, not methodically, to me implies that there probably are other backdoors we didn't get lucky with.

[–] 0xtero 6 points 7 months ago

Or found out in corporate code review / pentest. We just don't know. I get that we want to say FOSS is great due to the "many eyes/shallow bugs" thing, but that didn't work for OpenSSL or log4j. The fact that it did now is great, but let's not get carried away. It was just pure luck.

[–] ChannelSix@aussie.zone 11 points 7 months ago (1 children)

Dude, the issue was found purely by coincidence, it very nearly made it through

[–] hitmyspot@aussie.zone 16 points 7 months ago (1 children)

Yes, but it didn’t. Has it made it through on closed software? Who knows?

[–] ErilElidor@feddit.de 10 points 7 months ago (1 children)

My takeaway is more like: this one almost made it through and was caught by accident. How many more backdoors actually were not caught and made it through? I would bet some money on it being more than 0 :(

[–] hitmyspot@aussie.zone 1 points 7 months ago

Yes, probably, but it also might be possible to find them now.

[–] delirious_owl@discuss.online 16 points 7 months ago

Lost me at suggesting that we run EDR on prod Linux servers.

Literally installing a backdoor intentionally... wow.

[–] vext01@lemmy.sdf.org 14 points 7 months ago (1 children)

Smug users who don't run systemd be like...

[–] dukatos@lemm.ee 7 points 7 months ago

Laughs in Alpine

[–] corsicanguppy@lemmy.ca 4 points 7 months ago

globally

Meanwhile, no enterprise Linux or hypervisor got nabbed; nor could it.

But, carry on.