xz-utils was kind of a perfect candidate for a backdoor: it was a dependency of critical software (openssh) but at the same time no one really knew about it, so it was not that well reviewed.

Where is the next backdoor going to be? My money is on some nginx hidden dep. #infosec

Discussion

Nginx has a US company working on it; I'd bet more on a project with no ties to the US, to show how dangerous it is to trust code written outside the CIA's area.

I'm not betting on an nginx backdoor but one in its dependencies.

They are very easy to overlook and even a company does not have the manpower to vet them all.

#OpenJS