@dragoonaethis @q3k @marcan
basically, alert fatigue
Wolf480pl (wolf480pl@mstdn.io)'s status on Saturday, 30-Mar-2024 08:09:13 JST
Dragoon Aethis (dragoonaethis@mstdn.social)'s status on Saturday, 30-Mar-2024 08:09:15 JST
@q3k @marcan Not sure if I'm getting my point across... Not that these tools don't help, they absolutely do, but my (and many others') reaction to Coverity, Valgrind, etc. sounding all the alarms each and every week is "ughhhh, here we go again" and not "something's wrong here".
Dragoon Aethis (dragoonaethis@mstdn.social)'s status on Saturday, 30-Mar-2024 08:09:16 JST
@q3k @marcan tbh the fact that it did trigger alarms in those systems, and that despite that nobody noticed anything suspicious until a downstream user noticed the backdoor's side effects after upgrading, is also telling.
I'm on the receiving end of some mandatory analyzers and due to the sheer volume of hits most of the time I don't really care about why something was found, rather just how to get rid of it. They could safely ignore these systems because of this behavior.
q3k :blobcatcoffee: (q3k@social.hackerspace.pl)'s status on Saturday, 30-Mar-2024 08:09:17 JST
@marcan Ah yeah, the fact that this wasn't better tested to not trigger alarms (e.g. in oss-fuzz / valgrind) was a bit amateurish.
I feel like the .so was engineered by a totally different group than the maintainer, or whoever is behind the maintainer persona. That thing is just bonkers in comparison. Even having all the code in front of me, it's very hard to tell what it does, whether it's further packed, or that it even is malware.