top | item 33890353

paraph1n | 3 years ago

Can someone explain? I can barely parse this quote. Who are the 1P devs? Why does it matter that they didn't notice they had made a minor change? Why were they "tricked"?

Edit: I think I might understand it more now: This person got tricked into carefully reviewing the "entire" code, instead of focusing on the one minor change that was made to it, because they didn't realize it was only the minor change they had to review. In their careful review of the code, they uncovered vulnerabilities which were actually related to the original code (i.e. VSCode) rather than the changes that this person was asked to review. Did I get it? I'm still confused about the use of "1P" here though.

zemnmez | 3 years ago

First-party (i.e. Google). Tricked in the sense that I was asked to do a security assessment and didn't check what differential changes had been made.

edit: correct!
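The distinction drawn in this comment is between reviewing a fork's whole tree and reviewing only its delta against upstream. The following is an added illustration, not code from the commenter or from any Google or VS Code project: it takes two snapshots of a source tree (path to file text) and reports which files the fork actually changed, the unified-diff hunks a differential reviewer would read, and how many lines that is next to the size of the whole tree. The file names and contents are constructed sample data.

```python
"""Scope a security review to a fork's delta against upstream.

Added example, not code from the thread. Both snapshots below are
constructed sample data; the file names and contents are hypothetical.
"""
import difflib
from dataclasses import dataclass, field


@dataclass
class ReviewScope:
    added: list = field(default_factory=list)      # files only in the fork
    removed: list = field(default_factory=list)    # files only upstream
    modified: list = field(default_factory=list)   # present in both, text differs
    hunks: dict = field(default_factory=dict)      # path -> unified diff text
    changed_lines: int = 0                         # '+'/'-' lines across all hunks
    total_lines: int = 0                           # every line in the fork tree


def diff_scope(upstream: dict, fork: dict) -> ReviewScope:
    """Compare two {path: text} trees and collect the differential review scope."""
    scope = ReviewScope()
    scope.total_lines = sum(len(text.splitlines()) for text in fork.values())
    for path in sorted(set(upstream) | set(fork)):
        if path not in upstream:
            scope.added.append(path)
            scope.changed_lines += len(fork[path].splitlines())
            continue
        if path not in fork:
            scope.removed.append(path)
            scope.changed_lines += len(upstream[path].splitlines())
            continue
        if upstream[path] == fork[path]:
            continue  # identical: outside a differential review
        diff = list(difflib.unified_diff(
            upstream[path].splitlines(keepends=True),
            fork[path].splitlines(keepends=True),
            fromfile=f"upstream/{path}", tofile=f"fork/{path}", n=1))
        scope.modified.append(path)
        scope.hunks[path] = "".join(diff)
        # diff[0] and diff[1] are the ---/+++ headers; count real +/- lines after them
        scope.changed_lines += sum(1 for line in diff[2:] if line[:1] in "+-")
    return scope


# Constructed sample trees: the fork adds one file and one call site.
UPSTREAM = {
    "src/editor.ts": "export function open(path: string) {\n  return read(path);\n}\n",
    "src/util.ts": "export function read(p: string) {\n  return fs.readFileSync(p);\n}\n",
    "package.json": '{"name": "editor", "version": "1.0.0"}\n',
}
FORK = {
    "src/editor.ts": "export function open(path: string) {\n  return read(path);\n}\n",
    "src/util.ts": "export function read(p: string) {\n  audit(p);\n  return fs.readFileSync(p);\n}\n",
    "package.json": '{"name": "editor", "version": "1.0.0"}\n',
    "src/telemetry.ts": "export function audit(p: string) {}\n",
}

if __name__ == "__main__":
    scope = diff_scope(UPSTREAM, FORK)
    print(f"added: {scope.added}\nremoved: {scope.removed}\nmodified: {scope.modified}")
    print(f"{scope.changed_lines} changed lines out of {scope.total_lines} in the fork")
    for hunk in scope.hunks.values():
        print(hunk, end="")
```

Run stand-alone, the script shows that the differential scope here is two lines out of nine; the other seven belong to upstream, which is exactly the part a whole-tree assessment ends up auditing as well.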

sitkack | 3 years ago

I found a linked list bug in FreeBSD because I am less smart than my buddy, who was like "it's trivial, bla bla bla." I was like, wait, let's back up, I don't understand this...

I think one can sniff out shifty code: as soon as you open the file you can tell there are going to be bugs in there. I am not saying well-groomed, high-level code is high quality or bug free. A couple of trivial deficiencies and there are probably a whole lot more you don't see.

Like if the code has a low to zero number of tests. Or the build system includes top-level shell commands.