OpenSSH Backdoors (blog.isosceles.com)
from tedu@azorius.net to openbsd@azorius.net on 23 Aug 2024 14:21
https://azorius.net/g/openbsd/p/3TBtfB8SS9c1S6rZk8-OpenSSH-Backdoors

Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss of epic proportions, a blow to the fabric of trust underlying open source development, a stark reminder of the risks of supply-chain attacks. Equal measures brilliant and devious.

If you've been paying attention to the security news recently, your mind probably went straight to the attack on the liblzma/xz-utils repository earlier this year, the ultimate aim of which was an OpenSSH backdoor. However, the event described above isn't the xz-utils backdoor. It's a little-remembered fact that the xz-utils backdoor was actually the second time OpenSSH had a "near miss" with a backdoor attack. The first time was over 22 years ago, all the way back in 2002. This blog post shares the story of that backdoor, and what we can learn from an attack that happened over two decades ago.

#openbsd #security
