by locacorten 1878 days ago
I think everybody is missing the point. If one grad student was able to do this, imagine what a team of dozens of well-paid, well-equipped, and highly experienced security experts could do.

In other news, we just learned that any half-decent security agency has already injected their own vulnerabilities and back-doors in OSS.


There are so many security flaws in critical software that you really don't need to inject vulnerabilities. You just need your engineers to find, catalog, and script exploits for them - ready to use whenever needed.

If you do inject vulnerabilities you need to assume your adversaries will find, catalog, and script an exploit for it. And you risk your reputation loss if you do get caught. So I'm sure it has happened, but I bet not that often.

It's a matter of trust. UMN was given a fair amount of trust before, as academics were entrusted to do good in research in ethical ways.

Trust is an important social contract since it lowers the cost of social transactions. But trust takes a long time to earn and can be lost in a flash.

He didn’t succeed in injecting anything, right?

It would be interesting if someone found bad stuff in the kernel, but part of the org structure makes this hard.

He landed code that nobody seems to understand the purpose of. That looks like success to me.

Thanks, I was wrong and thought the patches weren't accepted.

"In other news, we just learned that any half-decent security agency has already injected their own vulnerabilities and back-doors in OSS."

We did not learn that today, but we still assume it.

Btw, the professional agencies probably have their vulnerabilities injected way down at the hardware level: Intel ME etc., and/or even more bare to the metal.

> do this

They got caught and had all their contributions reverted.

After the code was accepted and in mainline… the horse was well out of the barn.

Sure, but are there others who did not get caught? Others who might be better at obscuring their changes? And who might first develop a history of good, secure work, and then slip something sketchy into one -- and only one -- patch?

Seems like the UMN "researcher" was doing this over and over; the more times you do it, the more likely you are to get caught.