
Because a deliberate vulnerability is much easier to hide than actual malicious content.

One could probably sneak a buffer overflow or use-after-free into a C project they maintain without being noticed. Actually shipping a trojan is much harder, as observed with the xz-to-sshd backdoor.




Ah, so the next stage would have been to add a "bug" in xz that would trigger during the supposedly sandboxed execution, when presented with certain input files. Clever.


Well, it is also quite possible that adding such a bug was the previous stage. Or even just having found one that you didn't report/fix...



