@lcamtuf @projectgus interesting hypothesis, but surely an earlier/cleaner disclosure could have been run with just a basic “as part of our ongoing program of security review of foundational open source projects”?
@lcamtuf @projectgus fair point. I guess I’m just thinking that if someone was making up a cover story for the disclosure, surely they could do better than the barely believable “I noticed and investigated a 0.4s slowdown in ssh auth”. I dunno, I don’t play 4D chess.

Fair enough. FWIW I found the narrative about how the Postgres guy turned it up was entirely believable. Sometimes we just get lucky. The scary opinion I’ve read in a couple places now is “how many others like this are lurking out there that we didn’t get lucky with?”

@timbray @lcamtuf @rfc6919 @projectgus we do think there's a good chance of this being an organized effort, as the essay suggests. good piece! thanks for it! we note, however, the existence of ideological motives that could drive an individual to do this.

@timbray @lcamtuf @rfc6919 @projectgus online manipulation and bullying tactics such as those sockpuppet complaints about maintainership are well-established in other areas of life, unrelated to software development. they are also well-known, which means lots of unaffiliated actors use them for lots of different goals.

@timbray @lcamtuf @rfc6919 @projectgus overall, yeah, this is an absurdly PATIENT attack. we think that more than anything else does suggest organization behind it.

So maybe not a maintenance team, since the crucial software is, as you say, long since finished. Rather, a community of monks, whose religious vocation is to protect and defend the obelisk for eternity.

@irenes @timbray @lcamtuf @rfc6919 @projectgus I think there are many governments that would be willing to do something like this, and wouldn't care if it affected their own systems too as long as only they knew about it. Hell, that probably describes most governments, including in the United States and the UK. There have been several agencies and officials in the U.S. who have openly expressed discomfort with the idea of impenetrable cryptography.
@bruce @timbray @lcamtuf @rfc6919 @projectgus oh, absolutely agreed on all that. furthermore, whether or not THIS attack was state-sponsored, now everybody has seen the strategy.

@jannem @bruce @irenes @timbray @rfc6919 @projectgus This is an awful lot of effort to put into a "product" that has a non-trivial chance of getting burned on first try if your customer is careless. It's something you use when a really compelling need arises, and where you can control most of the variables to minimize the risk of loss.
@rfc6919 @projectgus If you don't have a real program of monitoring the changes to foundational open source projects, lying about it is quite dicey, for a number of reasons, possibly up to being securities fraud.

Heck, if you *have* a program but are lying about whether it can be credited with detecting it, that's sketch too.

Saying "one guy came across it by accident" doesn't really imply any business assurances, so it's a lot easier.