Inside the failed attempt to backdoor SSH globally - that got caught by chance - Kevin Beaumont
Why the threat actor rushed deployment.
If anything it highlights how great open source actually is when it comes to security. People saw it and immediately flagged it.
41 6
I don't think this one counts as a big win to be honest. It was just freakish luck.
24 0
It's definitely freakish luck, but at least it got found out. Closed source software would have gone through unnoticed.
13 0
The fact that it was found by luck, not methodically, to me implies that there probably are other backdoors we didn't get lucky with.
11 0
Or found out in corporate code review / pentest. We just don't know. I get that we want to say FOSS is great due to the "many eyes/shallow bugs" thing, but that didn't work for OpenSSL or log4j. The fact that it did now is great, but let's not get carried away. It was just pure luck.
5 0
Dude, the issue was found purely by coincidence, it very nearly made it through.
21 0
Yes, but it didn't. Has it made it through on closed software? Who knows?
28 1
My takeaway is more like: this one almost made it through and was caught by accident. How many more backdoors actually were not caught and made it through? I would bet some money on it being more than 0 :(
19 0
Yep, for sure. But open source at least lets you examine every part of the ecosystem.
No software is perfect, even if all contributors have good intentions and do all due diligence.
Throw in some malice and there is a chance something will get through.
2 0
Yes, probably, but also it might be possible to find now.
1 0
I'm not sure why it being caught by accident is a factor here.
If devs knew what the pitfalls were before coding, there wouldn't be security risks in software.
Hackers do the same thing. They pen test, and if by chance they find something, they exploit it.
2 1
Also, this was a multi-year effort that employed very complex knowledge. And it still didn't get through.
If it's multi-year and very complex, it's telling that this is what it takes. The bar is very high.
9 0