[FRIAM] 5 agencies compromised

uǝlƃ ↙↙↙ gepropella at gmail.com
Wed Dec 16 10:06:01 EST 2020


Well, it's one thing to simply screw up a dependency. Any programmer who's participated in a large project has done that at one point or another. But the interesting quote is this:

"Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, ..."

They were digitally signed. Either they were legitimately signed and the vector is the typical one (humans [ptouie]) or the bad actor (not necessarily human) harvested a secret key and illegitimately signed them. And that's just the signing part. They also had to *post* them, which may well be the easier part. But it still had to be done.

How did they 1) sign the packages and 2) post the packages?


On 12/15/20 12:23 PM, Prof David West wrote:
> Web-based (most software) systems are a complicated Jenga tower of dependencies, each one of which provides an access point for introducing malware, trojans, viruses, etc. The story of Azer Koçulu and how his removal of eight lines of code (left-pad) brought down major Web actors and sites
> 
>     https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/


-- 
↙↙↙ uǝlƃ
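An added illustration of the distinction the message draws (it is not code from the poster, from SolarWinds, or from any report on the incident). A detached signature answers only "did the holder of this key sign these exact bytes"; it says nothing about whether the build that produced the bytes was clean. The Go below, written for this page with a hypothetical vendor key pair and a constructed sample artifact, runs three cases: a clean release, bytes modified after signing (signature fails), and bytes modified before the legitimate signer ran (signature verifies, so the only consumer-side catch is comparing the artifact's digest to an independently reproduced reference build). Key names, the `RunScenario` helper and the sample strings are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ReleaseSigner stands in for a vendor's release-signing identity.
// The key pair is generated fresh here; it is a constructed example, not any real vendor key.
type ReleaseSigner struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewReleaseSigner() (*ReleaseSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseSigner{pub: pub, priv: priv}, nil
}

// SignArtifact produces a detached signature over whatever bytes it is handed.
// It cannot tell a clean build from a tampered one; it only binds the key to the bytes.
func (s *ReleaseSigner) SignArtifact(artifact []byte) []byte {
	return ed25519.Sign(s.priv, artifact)
}

// Digest is the hex SHA-256 of an artifact, the value a consumer would compare
// against a reference obtained out of band (e.g. from a reproducible rebuild).
func Digest(artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return hex.EncodeToString(sum[:])
}

// VerifyRelease models the consumer-side check: two independent questions,
// "did the vendor key sign this?" and "is this the build we expected?".
func VerifyRelease(pub ed25519.PublicKey, artifact, sig []byte, expectedDigest string) (sigOK, digestOK bool) {
	sigOK = ed25519.Verify(pub, artifact, sig)
	digestOK = Digest(artifact) == expectedDigest
	return sigOK, digestOK
}

// Outcome records what the consumer check reports for one scenario.
type Outcome struct {
	SigOK    bool
	DigestOK bool
}

// RunScenario builds a constructed sample artifact, optionally tampers with it
// before and/or after the legitimate signing step, and returns what a consumer sees.
func RunScenario(tamperBeforeSign, tamperAfterSign bool) (Outcome, error) {
	signer, err := NewReleaseSigner()
	if err != nil {
		return Outcome{}, err
	}

	// Reference build: what an independent clean rebuild of the same source yields (constructed sample).
	reference := []byte("update-package v1.0 clean build (constructed sample)")
	expected := Digest(reference)

	artifact := append([]byte(nil), reference...)
	if tamperBeforeSign {
		// Compromised build pipeline: altered bytes reach the signer, which signs them as usual.
		artifact = append(artifact, []byte(" +unexpected-change")...)
	}
	sig := signer.SignArtifact(artifact)
	if tamperAfterSign {
		// Alteration after signing: the detached signature no longer matches the bytes.
		artifact = append(artifact, []byte(" +unexpected-change")...)
	}

	sigOK, digestOK := VerifyRelease(signer.pub, artifact, sig, expected)
	return Outcome{SigOK: sigOK, DigestOK: digestOK}, nil
}

func main() {
	cases := []struct {
		name          string
		before, after bool
	}{
		{"clean release", false, false},
		{"tampered after signing", false, true},
		{"tampered before signing", true, false},
	}
	for _, c := range cases {
		o, err := RunScenario(c.before, c.after)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s signature valid=%-5v matches reference build=%v\n", c.name, o.SigOK, o.DigestOK)
	}
}
```

The "tampered before signing" row is the one the message is asking about: the signature check passes, so an update channel that trusts the signature alone accepts it. Only the digest comparison against a reference the consumer obtained independently flags it, which is why a valid vendor signature should be read as "the signing step ran on these bytes" and not as "these bytes are what the source produces".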


