It'd be naive to assume that nation state actors are not trying to penetrate the supply chain at all levels, as it just takes a single weak link in the chain. That weak link could be behind corporate doors or in the open.
The main issue is that this attack shows how a relatively unknown component, as part of a much larger and more critical infrastructure, is susceptible to pressure as a result of "this is a hobby project, lend a hand".
At what point do these components become seen as a utility and in some way adopted into a more mainline, secure, well-funded approach to maintenance? That maintenance can, and probably should, happen in the open, but with the requisite level of scrutiny and oversight worthy of a critical component.
I think Google's program to hire security researchers was a minor step in the right direction, but it would behoove big tech and/or various governments to do the same thing these state intelligence actors are doing, and take a look at all of these projects that touch core infra and investigate the maintainers and their vulnerability.
I would bet that some of these projects like xz would show enormous benefits from one paid person working on it 1/4 time, leaving room for a couple more projects per dev. Additionally, a couple places providing relatively minor grants would probably help a dev buy back some of their time so they can work on their project some other time than 'after the kids are in bed'.
> this attack shows how a relatively unknown component
Why just this one? Do we collectively have the memory of a goldfish? Just recently, log4j had a similar blast radius. Is it because one was seemingly malicious that the other doesn't count?
While the blast radius of both is large, there are major differences between them. Log4J was a largely app-level vulnerability affecting Java-based systems.
This vulnerability, had all gone to the attackers' plan, would have been present on the major distros' next major releases through a key infrastructure component which would have been installed far more widely, IMO.
Another major difference is that Log4J is already part of the Apache Foundation, which means it should have greater oversight/security maintenance anyway, while this is an attack against a solo developer.
It's definitely not to downplay the severity of the Log4J incident, by any means. But they are decidedly different.
We got very lucky, _this time_.