Heartbleed and XZ Backdoor Learnings: Open Source Infrastructure Can Be Improved Efficiently With Moderate Funding
Heartbleed and XZ Backdoor Learnings: Open Source Infrastructure Can Be Improved Efficiently With Moderate Funding
The XZ Utils backdoor, discovered last week, and the Heartbleed security vulnerability ten years ago, share the same ultimate root cause. Both of them, and in fact all critical infrastructure open source projects, should be fixed with the same solution: ensure baseline funding for proper open source...
You're viewing a single thread.
It was a huge fluke of luck that the XZ backdoor didn’t go in any actual Linux distribution releases.
It did get into a few, just not the ones corporations are likely to be using.
I doubt it would have been discovered this fast and easily if it was closed source.
it's safe to assume there are similar issues in closed source. A big part of the snowden leaks was about how NSA could access lots of data at will. It wouldn't surprise me if they also could execute code.
Also there is stuxnet. But I am not sure, if there were intentional backdoors, or only some "natural occuring" RCE.
It wouldn't surprise me if they also could execute code.
They sat on external blue for 5 year before it was stolen and they disclosed the vulnerability to Microsoft.
https://en.wikipedia.org/wiki/EternalBlue
I don't see why we wouldn't assume there is always something similar in their armoury.