Путин хуйло 04/03/2024 (Wed) 17:20 No.476516

> The attack is perhaps the most ambitious “supply-chain” attack—one that exploits not a particular computer or device, but a piece of back-end software or hardware—in recent memory. It is also a stark illustration of the frailties of the internet and the crowdsourced code it relies on. For defenders of open-source software, Mr Freund’s eagle eyes are a vindication of its premise: code is open, can be inspected by anyone, and errors or deliberate backdoors will eventually be found through collective scrutiny.

> Sceptics are less sure. Some code security and debugging tools did pick up the anomalies in XZ Utils, but Mr Freund acknowledges “the number of coincidences that had to come together to find this”, including a series of technical but arbitrary choices he made while troubleshooting an unrelated problem. “Nobody else had raised concerns,” writes Kevin Beaumont, another cyber-security specialist. Software engineers are still probing the inner workings of the backdoor, attempting to understand its purpose and design. “The world owes Andres unlimited free beer,” concludes Mr Beaumont. “He just saved everybody’s arse in his spare time.”

> The attack was detected and stopped before it could cause widespread damage. There is no way to tell whether Jia Tan, or the team apparently behind that persona, have been squirrelling into other vital pieces of internet software under other aliases. But security researchers are concerned that the foundations of the internet are ripe for similar campaigns. “The bottom line is that we have untold trillions of dollars riding on top of code developed by hobbyists,” notes Michal Zalewski, an expert. Other backdoors may lurk undiscovered.