
What was even the game here? Eventually even more backdoors, ones that would have more plausible deniability? Afaict neither the oss-fuzz nor this change would actually discover the found backdoor.

But why put your backdoor eggs into one basket (library)?



The library is entrenched enough, trusted enough, and its main developer has long internet breaks because of mental health problems.

Plus, you do not backdoor the library itself, but the tools using it. "Reflections on trusting trust" style.

Sounds like a perfect plan, until it isn't.


Who says it was just the one library though?


Waiting for a new bot to scan everyone's repos to find "." and then spam every repo with false positives.


Worse yet, some moron sets the search type to "regex".



