• Wes_Dev@lemmy.ml
    link
    fedilink
    arrow-up
    101
    ·
    8 months ago

    Let’s keep in mind that if this is a state actor or some sort of global organized crime, then they don’t put all their eggs into one basket. If that’s the case, they’re going to have a bunch of other plans and backdoor attempts ongoing. This isn’t the end and we can assume there’s something else somewhere that went unnoticed.

    Security is a constantly changing war of attrition, not a goal/product/configuration.

  • BestBouclettes@jlai.lu
    link
    fedilink
    arrow-up
    40
    arrow-down
    6
    ·
    8 months ago

    If anything it highlights how great open source actually is when it comes to security. People saw it and immediately flagged it.

    • 0xtero@beehaw.org
      link
      fedilink
      arrow-up
      24
      ·
      8 months ago

      I don’t think this one counts as a big win to be honest It was just freakish luck

      • BestBouclettes@jlai.lu
        link
        fedilink
        arrow-up
        13
        ·
        8 months ago

        It’s definitely freakish luck but at least it got found out. A closed source software would have gone through unnoticed.

        • vrighter@discuss.tchncs.de
          link
          fedilink
          arrow-up
          11
          ·
          8 months ago

          the fact that it was found by luck, not methodically, to me implies that there probably are other backdoors we didn’t get lucky with.

        • 0xtero@beehaw.org
          link
          fedilink
          arrow-up
          5
          ·
          8 months ago

          Or found out in corporate code review / pentest. We just don’t know. I get that we want to say FOSS is great due to the “many eyes/shallow bugs” thing, but that didn’t work for OpenSSL or log4j. The fact that it did now is great, but let’s not get carried away. It was just pure luck.

        • ErilElidor@feddit.de
          link
          fedilink
          arrow-up
          19
          ·
          8 months ago

          My takeaway is more like: This one almost made it through and was caught by accident. How much more backdoors actually were not caught and made it through? I would bet some money on it being more than 0 :(

          • trolololol@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            Yep for sure. But open source at least let’s you examine every part of the ecosystem.

            No software is perfect even if all contributors have good intentions and do all due diligence.

            Throw some malice and there is a chance something will get through.

          • Croquette@sh.itjust.works
            link
            fedilink
            arrow-up
            2
            arrow-down
            1
            ·
            8 months ago

            Im not sure why it being caught by accident is a factor here.

            If devs knew what the pitfalls were before coding, there wouldn’t be security risks in software.

            Hackers do the same thing. They pen test, and if by chance they find something, they exploit it.

      • trolololol@lemmy.world
        link
        fedilink
        arrow-up
        9
        ·
        8 months ago

        Also this was a multi year effort that employed very complex knowledge. And still didn’t get thru.

        If it’s multi year and very complex it’s telling that this is what it takes. The bar is very high.

  • delirious_owl@discuss.online
    link
    fedilink
    arrow-up
    24
    arrow-down
    4
    ·
    8 months ago

    Lost me at suggesting that we run EDR on prod Linux servers.

    Literally installing a backdoor intentionally…wow

  • tux@lemmy.world
    link
    fedilink
    arrow-up
    9
    ·
    8 months ago

    Wish I could be a fly on the walk when the bad actor realized years of work has just gone down the drain

    • pivot_root@lemmy.world
      link
      fedilink
      arrow-up
      10
      arrow-down
      3
      ·
      8 months ago

      Probably fear, then subsequently followed by their brains next to you on said wall. Whichever government paid for a multi-year campaign to backdoor enterprise Linux distributions is not going to be happy about this failure.

  • NocturnalMorning@lemmy.world
    link
    fedilink
    arrow-up
    11
    arrow-down
    2
    ·
    8 months ago

    What a dick. I couldn’t imagine spending that much time contributing to a project so I could introduce security vulnerabilities.

    If this is one individual, and not a nation state, somebody needs to make some friends and pick up some hobbies.

    • breadsmasher@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      ·
      edit-2
      8 months ago

      I think its more likely someone spent this time contributing to the project specifically to exploit it

      • NocturnalMorning@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        8 months ago

        Yeah, I got that. I’m saying they need to make some friends and get some hobbies if they aren’t being funded by a state.

  • corsicanguppy@lemmy.ca
    link
    fedilink
    arrow-up
    6
    arrow-down
    4
    ·
    8 months ago

    globally

    Meanwhile, no enterprise Linux or hypervisor got nabbed; nor could it.

    But, carry on.