Well, it's one thing to simply screw up a dependency. Any programmer whose participated in a large project has done that at one point or another. But the interesting quote is this:
"Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, ..." They were digitally signed. Either they were legitimately signed and the vector is the typical one (humans [ptouie]) or the bad actor (not necessarily human) harvested a secret key and illegitimately signed them. And that's just the signing part. They also had to *post* them, which may well be the easier part. But it still had to be done. How did they 1) sign the packages and 2) post the packages? On 12/15/20 12:23 PM, Prof David West wrote: > Web-based (most software) systems are a complicated Jenga tower of > dependencies, each one of which provides an access point for introducing > malware, trojans, viruses, etc. The story of Azer Koçulu and how his removal > of eight lines of code (left-pad) brought down major Web actors and sites > > > https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code/ -- ↙↙↙ uǝlƃ - .... . -..-. . -. -.. -..-. .. ... -..-. .... . .-. . FRIAM Applied Complexity Group listserv Zoom Fridays 9:30a-12p Mtn GMT-6 bit.ly/virtualfriam un/subscribe http://redfish.com/mailman/listinfo/friam_redfish.com archives: http://friam.471366.n2.nabble.com/ FRIAM-COMIC http://friam-comic.blogspot.com/
