The fact that the guys developing the code weren't also simultaneously running v... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		tw04 on April 7, 2024 \| parent \| context \| favorite \| on: The xz sshd backdoor rabbithole goes quite a bit d... The fact that the guys developing the code weren't also simultaneously running valgrind and watching performance isn't hard to believe. They were targeting servers and appliances, how many servers and appliances do you know of that are running valgrind in their default image? Sure, in hindsight that's a "duh, why didn't we think of that" - but also it's not very hard at all to see why they didn't think of that. They were likely testing against the system images they were hoping to compromise, not joe-schmoe developer's custom image.

dralley on April 7, 2024 [–]

In theory they should probably be testing against the CI pipelines of Debian and Fedora / CentOS, as that's the moat their backdoor has to cross.

tw04 on April 7, 2024 | [–]

They put code in to, in theory, avoid running in a development environment.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact