1 Matching Annotations
  1. Apr 2024
    1. This is not the first time an open source package has been hijacked after a maintainer was added – it actually happens all the time in Python repositories and such, and has been one of the leading causes of infostealers and coin miners in development pipelines. It is absolutely not a surprise that somebody is targeting open source compression libraries that systemd loads, and it is also sadly not a surprise that people online bully the creators of these libraries, either.

      Wrt [[XZ open source kwetsbaar door psyops 20240331083508]] and examples referred to here, the author focuses on technology fixes to reduce risks. Whereas most of the problems highlighted are social aspects, for which no other solution is suggested than paying OSS devs who maintain stuff. That may well alleviate some of the social aspects that became an attack surface, but does nothing to look at Q of connections between devs and knitting those into relationships that are more resistant to social engineering and psyops. That and more transparency both on the social side of things and the chains. OSS is open source wrt the piece of software in front of you only.