Hm i never coded a line in my life, but i always wondered so honest question to the experts here: is it realistic that someone codes security back doors so hidden in other bad or wrong documented code, that nobody recognizes it in OSS community? I mean code is getting more complicated and specialized, dont you need more and more human resources (more than one person and hopefully not all with a bad intention) to check over that code? If im correct you shouldnt let more code into your software than the community is able to check an validate several times… Doesnt mean it has to be russians that need to be excluded idk
Yes, not only is it realistic, it has actually happened. It’s easier to write code than understand it. Even when reviewing code, you miss more or less obvious issues. Not to mention intentional vulnerabilities that can be sneaked in over multiple commits and time span long enough to make reviewers forget the larger context.
Interesting answers, thanks!
This might not be super useful if you don’t write code but I always found the contest submissions fun to read and try to figure out for the https://www.underhanded-c.org/ contest.
They break down and explain the runner up and finalist for each year and how the attack works. It’s usually something very subtle that most people wouldn’t catch.
There will be a million security issues across all OSS. Some of it will be intentional; if so definitely don’t expect it to be a “findable” back door. It will be a set of vulnerabilities across several projects, that when combined allow the perpetrators privilege-escalations or a known path through a security system. Removing “Russians” from contribution doesn’t actually stop that, everyone can use a VPN and work as an American or whatever, but it does send a signal.