Steve Litt via plug on 2 Apr 2024 13:47:27 -0700
Re: [PLUG] XZ scanner
Rich Freeman via plug said on Tue, 2 Apr 2024 14:50:04 -0400

>On Tue, Apr 2, 2024 at 2:20 PM jeff via plug
><plug@lists.phillylinux.org> wrote:
>>
>> New XZ backdoor scanner detects implant in any Linux binary
>>
>
>Seems useful, but the bigger problem is probably that so many core
>libraries have minimal contributors, and there is a lot of value in
>exploiting them.

I think the bigger problem is developers incorporating libraries
willy-nilly. Meanwhile, each of those libraries pulls in libraries that
pull in libraries, adding a ginormous tree to the attack surface. All
too often, a relatively few lines of code could have produced the
benefit (perhaps in a different form) that the library tree did.

"Reinventing the wheel" is a cute and persuasive phrase for trivializing
developers who code their own rather than gleaning other peoples' code
(OPC) far and wide, but for the past several years the OPC-caused
complexification with its attendant voluminous attack surface has been
on full display.

[NOTE: I know you didn't use the phrase "reinventing the wheel".
However, whenever one suggests coding it oneself, one is accused, by
somebody or other, of "reinventing the wheel".]

>
>Governments spend $100M on a single aircraft. For $1M/yr you could
>hire a small team of developers working full time that would
>out-contribute all the volunteers on 99% of the FOSS projects out
>there, and thus gain a voice in the project's governance as was done
>here. Obviously something high-profile like a web browser has many
>more eyeballs, but if you're willing to play the long game you could
>work your way into their supply chain at main points and slowly work
>in all the exploits you wanted. Even on something like the kernel or
>a browser I bet you could slowly work your contributors in such that
>they become the majority of eyeballs in a single subsystem and become
>trusted to get code far enough along the QA process that it doesn't
>get as much close attention.

Yes. This is what happens when software gets big, ugly, entangled, and
poorly designed.

>
>Something the NSA leaks taught us a decade ago is that governments are
>willing to bring to bear a well-supported team with a variety of
>backgrounds. You might have a core team of coders, and then a team of
>communications specialists who maintain aliases with many online
>personas seemingly in different countries who can even speak the local
>language.

So let's not make it easy for them. Before incorporating a library,
everyone should ask:

* Are the library's features worth the complexification and magnified
  attack surface?

* How easy would it be to achieve the desired outcome, perhaps in a
  different form, with a reasonable number of lines of first person
  code?

SteveT

Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug