undefined | Better HN

0 pointsVWWHFSfQ9mo ago0 comments

> It is virtually impossible for them to ship a backdoor [..] without the security community noticing.

OpenSSH was trivially backdoor'd [1] and distributed in several major distributions and the security community _did not_ notice until after it was already wild.

[1] https://www.ssh.com/blog/a-recap-of-the-openssh-and-xz-liblz...

0 comments

qualeed9mo ago

1) That was not "trivial", by any stretch of the definition. It was a 3-year long campaign by a (suspected to be) nation-state (or similarly resourced) actor! I don't think you can get any farther away from "trivial" if you tried.

2) From your link, it says: "Ubuntu 24.04LTS was a month away from being shipped with this backdoor, with other distros being on the same boat. Maybe the best way to describe it is this: had it gone undetected, Linux servers would have been running with a bomb waiting to be activated remotely." and "Luckily this backdoor was discovered in an early stage, and most of the Linux user community stays safe"

So, the security community _did_ notice.

xmodem9mo ago

That was an attack targeting an optional dependency that receives significantly less scrutiny than OpenSSH proper. Which to be fair, is probably also the most plausible path if you wanted to attack Signal.

I would quibble with calling it "trivial" though.

j / k navigate · click thread line to collapse