
  I am *not* a security researcher, nor a reverse engineer.  There's lots of
  stuff I have not analyzed and most of what I observed is purely from
  observation rather than exhaustively analyzing the backdoor code.
I love this sort of technical writing from contributors outside the mainstream debugging world who might be averse to sharing. What an excellently summarized report of his findings that should be seen as a template.



FWIW, it felt intimidating as hell. And I'm fairly established professionally. Not sure what I'd have done earlier in my career (although I'd probably not have found it in the first place).


> Not sure what I'd have done earlier in my career

To anybody in this sorta situation, you should absolutely share whatever you have. It doesn't need to be perfect, good, or 100% accurate, but if there's a risk, you could help a lot of people.


This story is an incredible testament to how open-source software can self-regulate against threats, and more broadly, it reminds us that we all stand on the shoulders of contributors like you. Thank you!


This is one threat that was discovered only because the implementer was sloppy.

Think about what various corps and state-level actors have been putting in there.


I hope you've hired a PR person for all the interviews :)


For what it's worth, the author is a PostgreSQL committer; he's not a security researcher, but he's a pretty damn good engineer!


Honestly, you only get this kind of humility when you're working with absolute wizards on a consistent basis. That's how I read that whole analysis. Absolutely fascinating.



