A backdoor is very distinct from a vanilla vulnerability. Heartbleed was a vulnerability, meaning the devs made a mistake in the code, introducing a method of attack. XZ was backdoored, meaning a malicious actor intentionally introduced a method by which he could exploit systems.
Both are pretty serious vulnerabilities, but a backdoor, especially introduced so high in the supply chain, would have been devastating had it not been caught so early.
Fascinating read - interesting that the origin of the hack is not yet known (or at least, released). I wonder what the stats are on these sorts of exploits in OSS - the concept relies so much on trust and individuals.
Ken Thompson talked about this back in 1984; his talk/article “Reflections on Trusting Trust” is a short but scary read. cs.cmu.edu/…/Thompson_1984_ReflectionsonTrustingT…
In the end, what can we trust?