by wakeupcall 806 days ago
> but there's also much more upfront validation on who gets to change it.

Very doubtful in my eyes. Very few companies have the strict validation which would be required to catch this.

Good validation that goes into central components is often skimped on arbitrary deadlines, which companies are full of. On something tangential like this I suspect nobody would really notice.

I can also hear the "I noticed now there's an extra delay which isn't supposed to be there, can I investigate?" "Sorry, but this is not critical for this deadline" agile mentality.


Not sure we're talking about the same thing. By validation I mean of identity. On proprietary software, before an attacker gets inside access to the code, they would have to interview, get hired, submit (presumably fake) document ID, provide (again, presumably fake) bank details, etc. This attacker just had a GitHub account and email, as far as I understood it.

But, as I said, maybe tricking a subcontracting company into hiring you is not as hard. I remember working with contractors whose faces I've never seen on video, let alone in person.

I didn't think of "identity" in this sense, but I don't see this as a show-stopper either.

On my current gig developer churn is not high, yet I've only recently met developers hired 6+ months ago. I know first-hand only a handful of the committers I see. I barely know the most common committers. I generally do watch commits of the trees/projects I'm interested in, but I'm a minority, and such behavior wouldn't catch something similar to the xz situation unless I'm absolutely lucky.

This also ignores the fact that you can just as well corrupt a current employee.

You might not know them, but HR does. No way your employer is sending them money every month without a reasonable degree of certainty that they are who they say they are. Or, at the very least, that they aren't 3 hackers in a trenchcoat.

And corrupting an employee doesn't sound that easy, either. I mean, we do get paid above average.

That still leaves shit third-party contractors and compromising employees' computers/accounts, though.