daniel:// stenberg://Mar 30, 2024
In an almost spooky coincidence I wrote about backdooring #curl exactly on this day three years ago: https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/
HOWTO backdoor curl | daniel.haxx.se

Show threaddaniel:// stenberg://Mar 30, 2024

"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"

... like... xz.

Show threadmid_kidMar 30, 2024
@bagder I really consider this xz situation a testament to the resilience of the open source community, and distros in particular. The damage did happen, but it was discovered rather quickly, despite how ridiculously sophisticated the attacker was, and the fallout was really contained to just "run an update asap". It didn't even land in most systems thanks to the stabilization process. It can't and won't linger for years like log4j did.
Show threaddaniel:// stenberg://
@mid_kid I tend to agree. Sure, ideally we as an ecosystem should detect these things faster, but one of the most advanced backdoor operation attempts ever, was mostly thwarted.
Mar 30, 2024 at 9:02amWeb