undefined | Better HN

0 pointsdismalaf9mo ago0 comments

Microsoft has literally been hacked multiple times by Russia in the last few years. Our government lost hundreds of thousands of CRA (tax agency) credentials to hackers and had to lock millions of accounts. Other agencies have also been breached.

Meanwhile the XZ backdoor was found in Sid, Arch and pre-releases of Fedora and openSuse. It never actually made it into any numbered release of Fedora, openSuse, Ubuntu, Debian, Red Hat or Suse distro. It's actually a pretty big win and the system worked as intended.

Open source and Linux are doing just fine security-wise.

Also, none of this has anything to do with using offline tools like a word processor to make documents.

0 comments

dralley9mo ago

>Meanwhile the XZ backdoor was found in Sid, Arch and pre-releases of Fedora and openSuse. It never actually made it into any numbered release of Fedora, openSuse, Ubuntu, Debian, Red Hat or Suse distro. It's actually a pretty big win and the system worked as intended.

I would maybe not go quite that far. That it got caught was mostly a confluence of lucky breaks and accidents. The second version of the exploit would likely have not been detected if not for the fact that the first version of the exploit had a couple of programming mistakes that attracted some attention to itself.

dismalafOP9mo ago

The entire thesis behind the open source security model is to have lots of eyes on the code/program, since more eyes = more likelihood of catching it. Even if you say it's accidental, let's say the odds of catching it are 0.00001. Repeat that enough times and you get 1.

It was caught before any distro released with it. The system worked.

dralley9mo ago

If one of the Debian or Fedora developers had immediately caught on to what they were looking at when their attention was drawn to it by the failures, I would say the system worked. It's certainly true that open source saved the day here, but that's maybe different from saying "the system" worked. It easily could have gone unnoticed, or been noticed a few weeks later.

1 more reply

j / k navigate · click thread line to collapse

0 pointsdismalaf9mo ago0 comments

Open source and Linux are doing just fine security-wise.

Also, none of this has anything to do with using offline tools like a word processor to make documents.

0 comments

dralley9mo ago

dismalafOP9mo ago

It was caught before any distro released with it. The system worked.

dralley9mo ago

1 more reply

j / k navigate · click thread line to collapse