reply on: Inside the failed attempt to backdoor SSH globally — that got caught by chance \ stacker news ~security

533 sats \ 9 replies \ @nerd2ninja 1 Apr \ on: Inside the failed attempt to backdoor SSH globally — that got caught by chance security

https://cdn.discordapp.com/attachments/796935699034144798/1224080427921182821/media-cache.png?ex=661c30bc&is=6609bbbc&hm=fa6abd85ec020e6fec88852b82e23ebd65694627d082ecdf1a80ebcfed5ec7e5&

51 sats \ 0 replies \ @ch0k1 OP 1 Apr

The last part with being noticed by autist for 0.5s startup delay is killing 🤣

51 sats \ 4 replies \ @justin_shocknet 1 Apr

Something not priced in to opensource security is AI reviewing code for potential vulnerabilities. It's not perfect of course, but it can call for more expert review by identifying suspicious practices in code or simply labeling a library as sus

Recently added our repos to socket to monitor our npm based supply chain for deps, and it's pretty awesome. Will be even more awesome when there are several others available

21 sats \ 3 replies \ @nerd2ninja 1 Apr

If you applied such an AI bot to the XZ backdoor and it found it (without including it in your dataset of course) I'd be more enthusiastic. The degree of code obfuscation with this was pretty high to be fair.

0 sats \ 0 replies \ @ch0k1 OP 2 Apr

This actually would be an interesting experiment.

Did somebody try to test whether running copilot or any other source code AI tool will identify it as a vulnerability?

0 sats \ 1 reply \ @justin_shocknet 1 Apr

Yea it was buried really good, but that will also result in automating new kinds of tests

0 sats \ 0 replies \ @nerd2ninja 1 Apr

I look forward to it.

0 sats \ 0 replies \ @tomlaies 1 Apr

Well with the caveat that they might have done/are attempting both top panel and bottom panel

0 sats \ 0 replies \ @btcschellingpnt 1 Apr

Looks like that page that link connects to has been .. removed

30 sats \ 0 replies \ @wopwopwopwop 1 Apr freebie

deleted by author