You are viewing a single thread.
View all comments
0 points

The only real downside on the open source side is that the fix is also public, and thus the recipe how to exploit the backdoor.

If there’s a massive CVE on a closed source system, you get a super high-level description of the issue and that’s it.

If there’s one on an open source system, you get ready-made “proof of concepts” on github that any script kiddy can exploit.

And since not every software can be updated instantly, you are left with millions of vulnerable servers/PCs and a lot of happy script kiddies.

See, for example, Log4Shell.

permalink
report
reply
0 points

bUt gUyS WhAt aBoUt sEcUrItY ThRoUgH ObScUrItY??

permalink
report
parent
reply
0 points

hEy, yOu lEaRnEd A bUzZwOrD aNd rEcEnTlY dIsCoVeReD tHe sHiFt KeY!!! cOnGrAtS!?!

permalink
report
parent
reply
0 points

hEy, yOu lEaRnEd A bUzZwOrD aNd rEcEnTlY dIsCoVeReD tHe sHiFt KeY!!! cOnGrAtS!?!

permalink
report
parent
reply
0 points

hEy, yOu lEaRnEd A bUzZwOrD aNd rEcEnTlY dIsCoVeReD tHe sHiFt KeY!!! cOnGrAtS!?!

permalink
report
parent
reply
0 points

It is not, it requires a private key to be used.

permalink
report
parent
reply
0 points

In this case it seems the backdoor is only usable with someone who has the correct key. Seeing and reverting something fishy is in some cases, like this easier than finding an exploit. It takes a lot of time in this case to figure out what goes on.

Fixing a bug never automatically give an easy to use exploit for script kiddies

permalink
report
parent
reply
0 points
*

If your security relies on hidden information then it’s at risk of being broken at any time by someone who will find the information in some way. Open source security is so much stronger because it works independently of system knowledge. See all the open source cryptography that secures the web for example.
Open source poc and fix increases awareness of issues and helps everyone to make progress. You will also get much more eyes to verify your analysis and fix, as well as people checking if there could other consequences in other systems. Some security specialists are probably going to create techniques to detect this kind of sophisticated attack in the future.
This doesn’t happen with closed source.
If some system company/administrator is too lazy to update, the fault is on them, not on the person who made all the information available for your to understand and fix the issue.

permalink
report
parent
reply
0 points

Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

Closed source software has its place and it isn’t inherently evil or bad.

This event shows the good and bad of the open source software world but says NOTHING about closed source software.

permalink
report
parent
reply
0 points

Crowd sourcing vulnerability analysis and detection doesn’t make open source software inherently more secure.

It does, because many more eyes can find issues, as illustrated by this story.

Closed source isn’t inherently bad, but it’s worse than open source in many cases including security.

I think you’re the only one here thinking publishing PoC is bad.

permalink
report
parent
reply
0 points

If the vulnerability is in the wild, what other security mechanisms do you have until it’s patched?

permalink
report
parent
reply

linuxmemes

!linuxmemes@lemmy.world

Create post

Hint: :q!


Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules
2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of “peasantry” to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
4. No recent reposts
  • Everybody uses Arch btw, can’t quit Vim, and wants to interject for a moment. You can stop now.

 

Please report posts and comments that break these rules!


Important: never execute code or follow advice that you don’t understand or can’t verify, especially here. The word of the day is credibility. This is a meme community – even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don’t fork-bomb your computer.

Community stats

  • 6.6K

    Monthly active users

  • 1.1K

    Posts

  • 24K

    Comments