In an almost spooky coincidence I wrote about backdooring #curl exactly on this day three years ago: https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/

"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"

... like... xz.
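The quoted sentence names the property a defender can actually check: anything that was slipped into a release archive but never committed shows up as a difference between the tarball and the git tag. The script below is an added example, not from the linked post or from the curl or xz projects; it hashes every file in an extracted release tarball and in a directory representing the git tree (in real use produced with `git archive TAG | tar -x -C dir`) and lists files that exist only in the tarball or whose content differs. The sample tree, tarball and file names (`demo-1.0`, `build-aux/only-in-tarball.m4`) are constructed for the example. Autotools projects legitimately ship generated files (`configure`, `Makefile.in`) only in tarballs, so the output is a review list for a human, not a verdict.

```shell
#!/bin/sh
# Added example: diff a release tarball against the git-tracked tree.
# Assumes POSIX sh plus tar, find, sha256sum, sed, sort, comm and awk.
set -eu
export LC_ALL=C   # byte-wise sort so comm sees identically ordered input

# hash_tree DIR: one "sha256  relative/path" line per regular file, sorted
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + \
        | sed 's|  \./|  |' | sort )
}

# tarball_vs_git TARBALL GITDIR: print paths present in TARBALL whose
# content is not found (same path, same hash) in GITDIR. The tarball's
# single top-level directory (e.g. demo-1.0/) is stripped before comparing.
tarball_vs_git() {
    tmp=$(mktemp -d)
    mkdir "$tmp/tar"
    tar -xf "$1" -C "$tmp/tar" --strip-components=1
    hash_tree "$tmp/tar" > "$tmp/tar.sums"
    hash_tree "$2"       > "$tmp/git.sums"
    # lines unique to the tarball side = new files or changed content
    comm -23 "$tmp/tar.sums" "$tmp/git.sums" | awk '{print $2}'
    rm -rf "$tmp"
}

# demo: build a constructed git tree and a constructed release tarball that
# carries one extra file, then report what the tarball has that git does not.
demo() {
    work=$(mktemp -d)
    # constructed stand-in for what `git archive v1.0` would contain
    mkdir -p "$work/git/src"
    printf 'AC_INIT([demo], [1.0])\n' > "$work/git/configure.ac"
    printf 'int main(void){return 0;}\n' > "$work/git/src/main.c"
    # constructed release tarball: same tree plus a file that never touched git
    mkdir -p "$work/rel/demo-1.0/build-aux"
    cp -R "$work/git/." "$work/rel/demo-1.0/"
    printf 'dnl constructed placeholder, present only in the tarball\n' \
        > "$work/rel/demo-1.0/build-aux/only-in-tarball.m4"
    ( cd "$work/rel" && tar -cf "$work/demo-1.0.tar" demo-1.0 )
    tarball_vs_git "$work/demo-1.0.tar" "$work/git"
    rm -rf "$work"
}

# usage: sh tarball-check.sh --demo   (prints build-aux/only-in-tarball.m4)
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Against a real project you would replace the constructed `git` directory with the output of `git archive` for the tagged release and feed the downloaded tarball to `tarball_vs_git`; every path it prints is one that a reviewer should be able to explain from the build system, because by construction it did not go through the repository's review or CI.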

@bagder I really consider this xz situation a testament to the resilience of the open source community, and distros in particular. The damage did happen, but it was discovered rather quickly, despite how ridiculously sophisticated the attacker was, and the fallout was really contained to just "run an update asap". It didn't even land in most systems thanks to the stabilization process. It can't and won't linger for years like log4j did.
@mid_kid @bagder this sounds like survivorship bias. This backdoor was discovered by definition, because were it not, we wouldn't know about it.
And it seems that it was discovered due to sheer luck. Makes me wonder how many other similarly sophisticated attacks were never discovered.
@IngaLovinde Considering how much work and time went into this one, and the fact I can't recall anything else of this caliber, I genuinely doubt it's a lot. But who knows, you might be right. I still consider the response/patch time impressive.