RE: Backdoor found in OpenSSH


I hope there will be accountability, similar to if an employee at the bank leaves the back door open. Did he accidentally forget to secure it, or was it intentional? Is there a place for law to get involved? You cannot say, "All is good, we caught it this time." Next time it might not be caught as soon or without damage.




Seems deliberate


Folks looking have found several more exploits in Jia Tan's commits, and no one is suggesting these are just bugs. I keep editing the post, and I added a reply with more information that turned up, trying to provide comprehensive notice of the threat, as there may have been some pre-release installations people might be compromised by.


Injecting exploits into oss code is, I believe, a crime. 'Jia Tan' is likely an alias, and one login as 'Jia Cheong Tan' is suspected to be a diversion. There's been speculation that the h4x0r is unlikely to be a state actor, because they are unlikely to create backdoors like this, since when they're found they raise a foul stench that causes great distrust of the state discovered doing it, so they just buy exploits from the ebil h4x0rs that sell them when they need to achieve a particular goal.

I dunno about any of that. It seems to me to be speculation without much basis. One interesting thing about police investigation is jurisdiction. The internet isn't confined to any one jurisdiction, which makes crimes committed online sort of outside all jurisdictions. Since no one seems to have been hit by this attempt, most LEAs don't have much motivation to go after this guy.

The more I read about it, however, the more impactful people that know say it would have been if it had been rolled out. Overall, then, the fact a guy investigating a slowdown looking for a random bug in oss code found this instead is a great advertisement for oss software, and a dire warning about blobs like m$, Apple, etc. sell. If Linux was proprietary, this hack would have potentially very severely compromised possibly millions of systems, people, and commercial and government entities, as many have before.

Hurray for oss!

Thanks!
