top | item 39879953

(no title)

Not necessarily. A frustrated developer posts about it, it catches attention of someone who knows how to use Ghidra et al, and it gets dug out quite fast.

Except, with closed-source software maintained by a for-profit company, suck cockup would mean a huge reputational hit, with billions of dollars of lost market cap. So, there are very high incentives for companies to vet their devs, have proper code reviews, etc.

But with open-source, anyone can be a contributor, everyone is a friend, and nobody is reliably real-world-identifiable. So, carrying out such attacks is easier by orders magnitude.

discuss

yodsanklai|1 year ago

> So, there are very high incentives for companies to vet their devs, have proper code reviews, etc.

I'm not sure about that. It takes a few leetcode interviews to get in major tech companies. As for the review process, it's not always thorough (if it looks legit and the tests pass...). However, employees are identifiable and would take huge risk to be caught doing anything fishy.

Randalthorro|1 year ago

Absolutely not. Getting a job at any critical infrastructure software dev company is easier than contributing to the Linux kernel.

OsrsNeedsf2P|1 year ago

Can confirm. I may work at Meta, but I was nearly banned from contributing to an open source project because my commits kept introducing bugs.

ivlad|1 year ago

We witnessed Juniper generating their VPN keys with Dual EC DRGB, and then the generator constants subverted with Juniper claiming of now knowing how did it happen.

I don’t think it affected Juniper firewall business in any significant way.