@saagar given how lucky it was to catch this one attack, and how systemic the problems it leveraged, what are the chances it's the only one in progress right now?

@saagar I think it is worth clarifying that the danger of deliberately or accidentally introduced vulnerabilities is not just a problem with this particular codebase or open source projects or anything like that. This is a problem with *everything* because it’s all so complex these days.

No single person “understands” it all. No small group of people does. Nobody can. It’s too big.

1/2

@saagar Yeah, this struck me as well: it’s kind of nuts that we’re apparently fine with things like sshd loading, and being able to load, a giant unbounded ball of transitive libraries. As annoying as the way it’s implemented is, Apple’s code signing/library validation setup would have presumably prevented this, even if the payload wasn’t glibc specific? Possibly even a (say) homebrew version of sshd. (I’ve not had a chance to look exactly how the code is injected.)

@pmdj @saagar I don't think code signing and library validation would have prevented this attack. My understanding is that sshd intends to load liblzma (perhaps indirectly) and that the malicious code in liblzma is introduced by subverting the legitimate build process. No unsigned code being executed, no unauthorized libraries being loaded.

The mechanism by which code inside liblzma can interfere with other parts of sshd might be more difficult with other Apple security protections. But that might only be a speed bump, not a wall.

@saagar

> here is so many orders of magnitude more code being written than is properly reviewed that this can’t be fixed

if the focus is "core OS utilities" instead of "all code, everywhere" does this really need to be the case? it seems reasonable that security critical infrastructure might be held to a higher standard. ssh and inkscape are not remotely the same

@saagar I pasted some code into Gemini and asked it to comment the doc. It did. You're right there aren't enough humans to read all the code. What we need are bots that can go in and find what we're looking for.

@saagar this thread is a lone voice of reason on my timeline, surrounded by boosts of the “this is entirely because we don’t pay maintainers” narrative.

@saagar we probably need to re-think the computer paradigm. Local-first services/devices. I think the cloud was a giant mistake.

@saagar I think there's some evidence for that, given the various commits to disable various checkers that were exposing that something hinky was going on in order to cover it up

The only reason this didn't get more attention is that our tools are too often noisy with false alarms

To me, that's an indication that making the attacks harder isn't a waste of time—and some of those tools didn't even exist a few decades ago, so we're making it better

@igrok I feel like these tools make it harder to make a backdoor but I was surprised that the attacker didn’t just change their backdoor to operate cleanly in those environments. Maybe they just thought this was easier