SolarWinds had garbage infosec but you gotta admit the attack chain is much longer and more complex than "kidnap one guy".
TheKMAP
How do you propose we meaningfully fix this issue? Hoping random people catch stuff doesn't count.
Interesting! When? Maybe that can be a metric or requirement before companies or seriously popular projects consider importing upstream code.
Your data is about remediation speed not thoroughness of discovery.
Not really. The most important admin interfaces are the ones you can't lock behind an IP whitelist.
"whitelists good IPs" - OK, but what if I need to manage the "good IP" infra, etc.?
Bystander effect, yes.
Have those audits you allude to ever caught anything before it went live? Cuz this backdoor has been around for a month and RedHat is affected, too. Plus this was the single owner of a package who is implicitly trusted, it's not like it was a random contributor whose PRs would get reviewed.
The code being open source helps people track it down once they try to debug an issue (performance issues and crashes because in their setup the memory layout was not what the backdoor was expecting), that's true. But what actually triggered the investigation was the bug. After that it's just a matter of time to trace it back to the backdoor. You underestimate reverse engineers. Or maybe I'm just spoiled.
How long until US bans code from developers with ties to CN/RU?
Companies don't serve staff. Staff is a necessary evil to them.
Exactly. Reddit mods and Wikipedia admins both get to be kings of their little fiefdoms. The power/pride/whatever is payment enough, otherwise they wouldn't be doing it. They are intrinsically motivated.
Being a mod for something you are passionate about is intoxicating. It is an awesome feeling to know you've contributed to the growth of something you care about.
https://github.com/google/oss-fuzz/pull/10667#pullrequestreview-1518981986
Looks like it was a cover-up attempt to prevent manual attention and would not have been caught by the automation.