reply on: Inside the failed attempt to backdoor SSH globally — that got caught by chance \ stacker news ~security

43 sats \ 7 replies \ @davidw 1 Apr \ on: Inside the failed attempt to backdoor SSH globally — that got caught by chance security

The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on Github span multiple years. The backdoor itself is super well put together, and even includes the ability to remotely deactivate and remove the backdoor via a kill command.

We should stop using open source and only buy American vendor products! Yeah, good luck with that.

There are no easy fixes.. we should just try to reduce the risk and calmly work some solutions.

Great write-up! & call to buidl. Things are definitely heating up.

Processing less user data & using fewer 3rd party dependencies needs to be a part of any software roadmap this next 2 years. Something I mentioned in The Privacy Pivot here on SN. In this case a lucky break and not much that could be done, but more vulnerabilities are around the corner no doubt.

It’s already a full time job to report on them it feels like.

2 sats \ 5 replies \ @jk_14 1 Apr

"We should also acknowledge that open source developers are largely unpaid"

Let them use LN and they will be paid. I would send some sats for such backdoor discovery above, and imagine whole world too...

0 sats \ 3 replies \ @TRUTHMAN45 1 Apr

deleted by author

0 sats \ 2 replies \ @jk_14 1 Apr

because of much lower entry barrier for tipping like for example 500 sats

0 sats \ 1 reply \ @TRUTHMAN45 2 Apr

deleted by author

0 sats \ 0 replies \ @jk_14 3 Apr

All you are doing is signaling that open source work is only worth fractions of a penny

lol, and now multiply 500sats by number of users of SSH, or even only a generous part of them

0 sats \ 0 replies \ @nikotsla 1 Apr

Good model :)

0 sats \ 0 replies \ @nikotsla 1 Apr

using fewer 3rd party dependencies

Looking at the JS community :S ... just don't run JavaScript.

It's going to be a wild ride from now on... and as always... it's not just "software", we are on top of magma in the "hardware" realm...