this post was submitted on 31 Mar 2024
246 points (98.0% liked)

Open Source

31670 readers
325 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
top 20 comments
sorted by: hot top controversial new old
[–] [email protected] 98 points 8 months ago

Let's keep in mind that if this is a state actor or some sort of global organized crime, then they don't put all their eggs into one basket. If that's the case, they're going to have a bunch of other plans and backdoor attempts ongoing. This isn't the end and we can assume there's something else somewhere that went unnoticed.

Security is a constantly changing war of attrition, not a goal/product/configuration.

[–] [email protected] 35 points 8 months ago (1 children)

If anything it highlights how great open source actually is when it comes to security. People saw it and immediately flagged it.

[–] [email protected] 21 points 8 months ago (2 children)

Dude, the issue was found purely by coincidence, it very nearly made it through

[–] [email protected] 27 points 8 months ago (1 children)

Yes, but it didn’t. Has it made it through on closed software? Who knows?

[–] [email protected] 19 points 8 months ago (3 children)

My takeaway is more like: This one almost made it through and was caught by accident. How much more backdoors actually were not caught and made it through? I would bet some money on it being more than 0 :(

[–] trolololol 2 points 8 months ago

Yep for sure. But open source at least let's you examine every part of the ecosystem.

No software is perfect even if all contributors have good intentions and do all due diligence.

Throw some malice and there is a chance something will get through.

[–] [email protected] 1 points 8 months ago

Yes, probabky, but also might be possible to now find.

[–] [email protected] 1 points 8 months ago

Im not sure why it being caught by accident is a factor here.

If devs knew what the pitfalls were before coding, there wouldn't be security risks in software.

Hackers do the same thing. They pen test, and if by chance they find something, they exploit it.

[–] trolololol 10 points 8 months ago

Also this was a multi year effort that employed very complex knowledge. And still didn't get thru.

If it's multi year and very complex it's telling that this is what it takes. The bar is very high.

[–] [email protected] 21 points 8 months ago

Lost me at suggesting that we run EDR on prod Linux servers.

Literally installing a backdoor intentionally..wow

[–] [email protected] 14 points 8 months ago (2 children)

Smug users who don't run systemd be like...

[–] [email protected] 8 points 8 months ago

Laughs in Alpine

[–] saddlebag 2 points 8 months ago (1 children)

How does systemd solve this?

[–] trolololol 7 points 8 months ago

The exploit only happens in systemd

[–] tux 10 points 8 months ago (1 children)

Wish I could be a fly on the walk when the bad actor realized years of work has just gone down the drain

[–] pivot_root 9 points 8 months ago

Probably fear, then subsequently followed by their brains next to you on said wall. Whichever government paid for a multi-year campaign to backdoor enterprise Linux distributions is not going to be happy about this failure.

[–] NocturnalMorning 10 points 8 months ago (1 children)

What a dick. I couldn't imagine spending that much time contributing to a project so I could introduce security vulnerabilities.

If this is one individual, and not a nation state, somebody needs to make some friends and pick up some hobbies.

[–] breadsmasher 18 points 8 months ago* (last edited 8 months ago) (1 children)

I think its more likely someone spent this time contributing to the project specifically to exploit it

[–] NocturnalMorning 3 points 8 months ago

Yeah, I got that. I'm saying they need to make some friends and get some hobbies if they aren't being funded by a state.

[–] [email protected] 2 points 8 months ago

globally

Meanwhile, no enterprise Linux or hypervisor got nabbed; nor could it.

But, carry on.