Ancestors

Written by mFat on 2024-04-07 at 12:42

How do we know if there aren't a bunch of more undetected backdoors?

https://lemdro.id/post/7709696

=> More information about this toot | More toots from mfat@lemdro.id

Written by huginn@feddit.it on 2024-04-07 at 14:43

The main solace you can take is how quickly xz was caught: there is a lot of diverse scrutiny on it.

=> More information about this toot | More toots from huginn@feddit.it

Written by Deebster on 2024-04-07 at 16:19

Hmm, not really. It’s only because it nerd-sniped someone who was trying to do something completely unrelated that this came to light. If that person had been less dedicated or less skilled we’d still probably be in the dark.

=> More information about this toot | More toots from Deebster@programming.dev

Written by Possibly linux on 2024-04-08 at 04:25

The thing is there are a few thousand of those people

=> More information about this toot | More toots from possiblylinux127@lemmy.zip

Written by Deebster on 2024-04-08 at 04:59

Maybe millions of potential eyes, but all of them are looking at other things! Heartbleed existed for two years before being noticed, and OpenSSL must have enormously more scrutiny than small projects like xz.

I am very pro open source and this investigation would’ve been virtually impossible on Windows or Mac, but the many-eyes argument always struck me as more theoretical/optimistic than realistic.

=> More information about this toot | More toots from Deebster@programming.dev

Descendants

Written by DefederateLemmyMl on 2024-04-08 at 07:24

Heartbleed existed for two years before being noticed

That’s a different scenario. That was an inadvertently introduced bug, not a deliberately installed backdoor. So the bad guys didn’t have two years to exploit it because they didn’t know about it either.

It’s also not new that very old bugs get discovered. Just a few years ago a 24 year old bug was discovered in the Linux kernel.

=> More information about this toot | More toots from SpaceCadet@feddit.nl

Written by Deebster on 2024-04-08 at 07:30

And are bugs harder to find than carefully hidden backdoors? No-one noticed the code being added and if it hadn’t have had a performance penalty then it probably wouldn’t have been discovered for a very long time, if ever.

The flip side to open-source is that bad actors could have reviewed the code, discovered Heartbleed and been quietly exploiting it without anyone knowing. Government agencies and criminal groups are known to hoard zero-days.

=> More information about this toot | More toots from Deebster@programming.dev

Original URL
gemini://mastogem.picasoft.net/thread/112233833512450179