Gregory's Server
@piecritic Yeah except we didn't notice because of any kind of intentionality or process. It was blind luck that the right someone got annoyed at a tiny change in performance and went digging. If that one person had been on vacation for a couple weeks, I could see this shipping to a bunch of enterprise distro releases before anyone caught on. Or even nobody noticing until the first high profile compromise that used the backdoor. We got very, very lucky.
|
11 comments
@piecritic @danderson the problem is that we don't know about other cases where we haven't gotten lucky. @philtor @danderson I’m doubtful of that. At this scale someone will notice that weird network request. @piecritic @danderson what if the network request is made very infrequently on some sort of random schedule? @philtor @danderson then anomaly detection software will absolutely pick that up even without modern techniques.  @piecritic @philtor @danderson there are attackers persisting in systems that shouldn't have access to, all the time, sure alerts are raised in a serious system, but that's not necessarily enough. https://www.bl.uk/cyber-incident/ for an exemple. @danderson @tshirtman @philtor yes i am aware that people exist doing bad things. Buildings also get bombed almost daily in Sweden. It doesn’t mean it is a comparative scenario. This scenario is extremely low level and touches too many things. @piecritic @danderson @philtor it looks like you think we are doing good enough and the luck here is not really luck but the system working as intended, although there are many levels where this could have been caught, it does seem like this one could easily have done a lot more harm before being discovered, and hoping we are going to get similarly lucky next time doesn't strike me as a serious plan (well, hope never is, anyway). @tshirtman @philtor @danderson there shouldn’t be dependencies that are used so broadly that it can affect the entire world that have one tired maintainer working for free. This is a deeper systemic issue and the system itself is working as intended given that constraint. @piecritic @philtor @danderson that I agree, but many people are depending on this lib, and surely we should be able to encourage them, and make it easier for them, to check that the changes make sense, distributors, applications builders, people adding this lib to their own project, should probably set some time aside for it, or companies themselves should dedicate resources to such audits, but clarity of dependencies, and resources to do the work, are needed. @philtor @danderson @tshirtman nah. That’s unrealistic. What is realistic is that projects assess the scope of risk of their dependencies and consider at what depth a dependency affects their systems, then considers the maturity and safety of the team maintaining it. This is what i do as part of my job. This is a social problem exclusively, not an economical one. |
@danderson and we keep getting lucky. That’s kinda my point. Getting away with this level of social engineering seems just so unlikely even with such planning because there’s always that person fucking around and finding out.