- Wes_Dev ( @Wes_Dev@lemmy.ml ) 67•3 months ago
Let’s keep in mind that if this is a state actor or some sort of global organized crime, then they don’t put all their eggs into one basket. If that’s the case, they’re going to have a bunch of other plans and backdoor attempts ongoing. This isn’t the end and we can assume there’s something else somewhere that went unnoticed.
Security is a constantly changing war of attrition, not a goal/product/configuration.
- BestBouclettes ( @BestBouclettes@jlai.lu ) 27•3 months ago
If anything it highlights how great open source actually is when it comes to security. People saw it and immediately flagged it.
- 0xtero ( @0xtero@beehaw.org ) 22•3 months ago
I don’t think this one counts as a big win to be honest. It was just freakish luck.
- BestBouclettes ( @BestBouclettes@jlai.lu ) 13•3 months ago
It’s definitely freakish luck but at least it got found out. A closed source software would have gone through unnoticed.
- vrighter ( @vrighter@discuss.tchncs.de ) 11•3 months ago
The fact that it was found by luck, not methodically, to me implies that there probably are other backdoors we didn’t get lucky with.
- 0xtero ( @0xtero@beehaw.org ) 6•3 months ago
Or found out in corporate code review / pentest. We just don’t know. I get that we want to say FOSS is great due to the “many eyes/shallow bugs” thing, but that didn’t work for OpenSSL or log4j. The fact that it did now is great, but let’s not get carried away. It was just pure luck.
- ChannelSix ( @ChannelSix@aussie.zone ) 11•3 months ago
Dude, the issue was found purely by coincidence, it very nearly made it through
- hitmyspot ( @hitmyspot@aussie.zone ) 16•3 months ago
Yes, but it didn’t. Has it made it through on closed software? Who knows?
- ErilElidor ( @ErilElidor@feddit.de ) 10•3 months ago
My takeaway is more like: This one almost made it through and was caught by accident. How many more backdoors actually were not caught and made it through? I would bet some money on it being more than 0 :(
- hitmyspot ( @hitmyspot@aussie.zone ) 1•3 months ago
Yes, probably, but also it might be possible to find them now.
- delirious_owl ( @delirious_owl@discuss.online ) 16•3 months ago
Lost me at suggesting that we run EDR on prod Linux servers.
Literally installing a backdoor intentionally…wow
- vext01 ( @vext01@lemmy.sdf.org ) 14•3 months ago
Smug users who don’t run systemd be like…
- dukatos ( @dukatos@lemm.ee ) 7•3 months ago
Laughs in Alpine
- corsicanguppy ( @corsicanguppy@lemmy.ca ) 4•3 months ago
globally
Meanwhile, no enterprise Linux or hypervisor got nabbed; nor could it.
But, carry on.