A Review of the OpenSSH Backdoors in Recent Decades

Accepted submission by canopic jug at 2024-08-24 06:44:31 from the bugdoors-galore dept.
Software

Ben Hawkes over at Isosceles has a review of the two OpenSSH backdoor attempts [isosceles.com]. One, the XZ backdoor, was attempted this year, in early 2024. The other, in 2002, was an attempt to trojanize some distribution files.

Inserting an exploitable bug (a "bugdoor"), one that's subtle enough that developers might not even notice during code review, is probably the winning move. However, it's interesting to note that in both 2002 and 2024 we got a backdoor rather than a bugdoor. That's probably because exploits are hard, and server-side exploits are really hard. Given how much work it is to be in a position to change the source code in the first place, it's not entirely surprising that attackers want to go with a reliable option. The counter-argument is that we may just never get to see any bugdoors because they never get caught (or if they do, they don't get flagged as subterfuge), so we're biased towards the events that we can actually detect.

Most bugs have not been added intentionally.

Previously:
(2024) The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind [soylentnews.org]
(2024) xz: Upstream Repository and the xz Tarballs Have Been Backdoored [soylentnews.org]

