Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Okay, how, could someone like Jia Tan sneak code into a codebase where commits can only be made by authenticated users with staff accounts on a private network?

Versus… a random email offers to help, someone says “sure!”, and… that’s it. That’s the entire hurdle.

Google did discover a Chinese hacker working for them on the payroll. That kind of thing does occur, but it’s rare.

It’s massively harder and more risky.



Well, xz is a rare event too.

There's no knowing how many backdoors were added by small network companies or contractors. But there's rarely accountability when it happens because the company would rather cover it up, or just not ask too many questions about that weird bug


> xz is a rare event too.

The discovery of the hack is rare, sure. Once a decade kind of thing.

The implication is that Jia Tan is a professional, and XZ was one of many irons on the fire.

Don’t be like Trump!

Don’t confuse positive tests with cases!

Jia Tan surely had many other attacks going.

Surely he’s not the only one.

Famously, there are two kinds of large organisations: those that have been hacked, and those that don’t yet know they’ve been hacked.

The open source community was the latter.

Now they’re the former.

Some of you all are still playing catch up.


The main difference is that closed source software is not auditable, so when it is compromised you don't know.

It's safe to assume pretty much all the firmware you're running is vulnerable. It doesn't matter though, because you cannot find out.

The attackers can. You can't. And that's why we still have botnets.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: