Thought this was a good read exploring some how the “how and why” including several apparent sock puppet accounts that convinced the original dev (Lasse Collin) to hand over the baton.

  • ILikeBoobies
    link
    fedilink
    arrow-up
    86
    arrow-down
    2
    ·
    9 months ago

    Hopefully shows why you should never trust closed source software

    If the world didn’t have source access then we would have never found it

    • howrar
      link
      fedilink
      arrow-up
      29
      ·
      9 months ago

      And if they do find it, it’ll all be kept hush hush, they’ll force an update on everyone with no explanation, some people will do everything in their power to refuse because they need to keep their legacy software running, and the exploit stays alive in the wild.

    • hatedbad@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      7
      ·
      9 months ago

      open source software getting backdoored by nefarious committers is not an indictment on closed source software in any way. this was discovered by a microsoft employee due to its effect on cpu usage and its introduction of faults in valgrind, neither of which required the source to discover.

      the only thing this proves is that you should never fully trust any external dependencies.

      • BreakDecks@lemmy.ml
        link
        fedilink
        English
        arrow-up
        18
        ·
        9 months ago

        The difference here is that if a state actor wants a backdoor in closed source software they just ask/pay for it, while they have to con their way in for half a decade to touch open source software.

        How many state assets might be working for Microsoft right now, and we don’t get to vet their code?

    • locke@sopuli.xyz
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Double-edged sword in this case. Open source is what allowed that backdoor in this case.

      • ILikeBoobies
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Introduced by maintainer not a random push

        Closed source software has maintainers as well, the company that makes it

        • locke@sopuli.xyz
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          9 months ago

          I cannot be sure, but I believe Lasse never met “Jia Tan”. You usually don’t get employed by a company writing closed source software without meeting and talking to several people. And since nobody works without a salary, you get some sort of tracking towards the person’s identity as well.