From 8e589ea2c4d62e5f5ad7bfa2b55b3cf45a85952d Mon Sep 17 00:00:00 2001 From: Daniel Gray Date: Tue, 2 Apr 2024 12:52:02 +0000 Subject: [PATCH] Include mention of XZ backdoor --- docs/basics/common-misconceptions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/basics/common-misconceptions.md b/docs/basics/common-misconceptions.md index 5b7a5b9d9e..c9bc4b3fb0 100644 --- a/docs/basics/common-misconceptions.md +++ b/docs/basics/common-misconceptions.md 
@@ -42,7 +42,7 @@ schema: These myths stem from a number of prejudices, but whether the source code is available and how software is licensed does not inherently affect its security in any way. ==Open-source software has the *potential* to be more secure than proprietary software, but there is absolutely no guarantee this is the case.== When you evaluate software, you should look at the reputation and security of each tool on an individual basis. -Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities into even large projects.[^1] +Open-source software *can* be audited by third-parties, and is often more transparent about potential vulnerabilities than proprietary counterparts. It also allows you to review the code and disable any suspicious functionality you find yourself. However, *unless you do so*, there is no guarantee that code has ever been evaluated, especially with smaller software projects. The open development process has also sometimes been exploited to introduce new vulnerabilities known as :material-package-variant-closed-remove: Supply Chain Attacks, which is discussed further in our [Common Threats](common-threats.md) page.[^1] On the flip side, proprietary software is less transparent, but that doesn't imply that it's not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering. 
@@ -94,4 +94,4 @@ You may wish to use a VPN for this, to mask your IP address. Financial transacti Using Tor can help with this. It is also worth noting that greater anonymity is possible through asynchronous communication: Real-time communication is vulnerable to analysis of typing patterns (i.e. more than a paragraph of text, distributed on a forum, via email, etc.) -[^1]: One notable example of this is the [2021 incident in which University of Minnesota researchers introduced three vulnerabilities into the Linux kernel development project](https://cse.umn.edu/cs/linux-incident). +[^1]: Malicious code was discovered in the upstream tarballs of xz a popular compression library. The backdoor was intended to give malicious actors remote access via SSH if they possessed a special key. [CVE-2024-3094](https://www.cve.org/CVERecord?id=CVE-2024-3094)
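Review bot: In the first hunk (the rewritten paragraph in docs/basics/common-misconceptions.md), the new clause "introduce new vulnerabilities known as :material-package-variant-closed-remove: Supply Chain Attacks, which is discussed further" has a subject/verb mismatch and conflates the attack with the vulnerability: a supply chain attack is the way the code gets in, not the vulnerability itself, and "Supply Chain Attacks" is plural so "which is discussed" should be "which are discussed". Suggest: "The open development process has also sometimes been exploited to introduce new vulnerabilities via :material-package-variant-closed-remove: supply chain attacks, which are discussed further in our [Common Threats](common-threats.md) page.[^1]". It is also worth confirming that the sentence no longer needs the old "into even large projects" qualifier, since the footnote it anchors is now the xz example rather than the Linux kernel one.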
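Review bot: In the second hunk, the replacement footnote [^1] drops the previously cited University of Minnesota / Linux kernel incident entirely rather than adding the xz case beside it; if both examples are wanted, keep the old text as [^2] and reference it from the paragraph, otherwise note the removal in the commit message. The new footnote text also needs light editing: a comma after "xz" ("the upstream tarballs of xz, a popular compression library"), and a terminating period after the CVE link, e.g. "... if they possessed a special key ([CVE-2024-3094](https://www.cve.org/CVERecord?id=CVE-2024-3094))." so it matches the punctuation of the footnote it replaces.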