by anonymousjunior 2381 days ago
This is what's really concerning. If FSB was able to actually implement something and shell all nginx boxes (and thusly obtain SSL certs, intercept communications, etc.), imagine how much access they'd have.
3 comments

Then they would definitely advertise it by attacking the company so that the whole world would know about their secret backdoor. Very smart, indeed!
Physical access is easier to get than remote access when you have a baton and the intelligence of a cop.
FSB/GRU are more than just thugs with batons, they are professionals who could easily slip into a building at night and access computers without anyone knowing. Basically the Russian CIA.
GRU have been severely embarrassed quite a few times in the last few years. It does seem that they're much closer to thugs with batons.
Just thinking about it would have a chilling effect which to the authorities may be better than actual access.
I'm going to switch from nginx to Caddy, so I guess?
On the flip side, I feel like nginx has too high of a profile. It'd be better to target some other low-level system package or npm/pip module, etc.
That's not going to happen, too many security experts constantly monitoring nginx. That's the beauty of it being a high-profile open source project.
"I keep track of these things, Clark. One of us has to."
Just like too many security experts monitoring crypto standards so NIST wouldn’t try to slip in a backdoor?
No, not similar. Crypto is very different.