DEV Community

hexfloor

Security: CVE-2024-3094, unauthorized remote SSH access

Introduction

This article will be less technical than usual, as everything you need to know about CVE-2024-3094 is already described on JFrog and Y Combinator. In short: the release tarballs of xz-utils 5.6.0 and 5.6.1 carried a backdoor in liblzma which, on distributions where sshd loads liblzma through libsystemd, lets whoever holds the attacker's private key run commands on the machine before authentication; Andres Freund spotted it at the end of March 2024 while chasing a performance regression in sshd.

This backdoor is massive. Just to give you an idea: there are maybe 2-3 entities in the world capable of carrying out this operation. If it was a single person, then maybe fewer than a thousand people in the world would have had the skill to do it, fewer than a hundred would have dared to try, and maybe fewer than ten would have got this far. Purely technically speaking, the person behind it is as professional as Usain Bolt or Taylor Swift in their respective domains. How do you deal with a situation where you face an adversary that strong, and there is a non-zero probability that a villain has a different point of view on your personal well-being?

Security

The principles are fairly evident; however, you may sometimes be tempted to trade them away for a short-term benefit because they look like somewhat illusory guidelines:

  • you'll never walk alone: use stable releases of mainstream, standard solutions, then you will have a thousand eyes watching your back and maybe one of them will be Andres Freund. In terms of probability theory, if the chance that one engineer discovers a backdoor is 0.001 and there are 1000 engineers looking at the code independently, the probability that the backdoor is discovered is 1 - (1-0.001)^1000 = 1 - 0.368 = 0.632 = 63.2% (the independence assumption is generous: in practice many of those eyes look at the same well-trodden paths, and the xz backdoor hid in the build scripts and a test file precisely to avoid them)
  • "If you fail to plan, you are planning to fail!" (c): have a plan of which software you intend to use and why. A recurrent problem is the questionable application of "fake it till you make it"; you should have a plan, and this plan should take the boundary conditions into account from day 0
  • limit the amount of software you are using, to remedy the paradox of choice and to minimize the maintenance overhead
  • apply the best cybersecurity practices: the keyword is apply
  • have a professional available who knows how things should be done: still valid in 2024. You have plenty of software providing every possible insight, with hundreds or thousands of alerts / warnings / updates; if you wish to keep the business running, there must be an expert on site. "Those who know.......know."
  • have a plan B for when plan A has failed: someday, and that day may never come, you will have done everything right and still failed. The best thing you can do is to be ready for this day and to plan the recovery
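"Apply" starts with knowing whether you are exposed. The shell snippet below is an added example and not part of the original post: it triages a Linux host for CVE-2024-3094. It relies on two facts the advisories agree on, that the backdoored releases are xz-utils/liblzma 5.6.0 and 5.6.1, and that sshd is only reachable through the backdoor when it loads liblzma (on most distributions indirectly, via libsystemd). The sshd binary locations, the layout of the `xz --version` output it parses and the Debian-style "+really" rollback suffix it whitelists are assumptions about a typical Linux installation.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage for CVE-2024-3094.
# Facts used: backdoored releases are xz-utils/liblzma 5.6.0 and 5.6.1; sshd is
# only reachable through the backdoor when liblzma ends up in its address space.
# Binary paths and version-string layout are assumptions about a typical Linux host.

# Return 0 (true) if a version string names one of the backdoored releases,
# 1 otherwise. Accepts packaging suffixes such as "5.6.1-1". Debian shipped the
# fix as "5.6.1+really5.4.5", which is a rollback to 5.4.5 and is NOT affected.
xz_version_affected() {
    case "$1" in
        *really*) return 1 ;;
        5.6.0|5.6.0-*|5.6.0+*|5.6.1|5.6.1-*|5.6.1+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`, which looks
# like "xz (XZ Utils) 5.6.1". Takes the line as an argument so it is testable
# without xz installed.
parse_xz_version() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 (true) when an sshd binary on this host has liblzma in its dynamic
# dependency closure (ldd follows libsystemd -> liblzma). Paths are assumptions.
sshd_links_liblzma() {
    for p in /usr/sbin/sshd /usr/local/sbin/sshd /sbin/sshd; do
        [ -x "$p" ] || continue
        if ldd "$p" 2>/dev/null | grep -q 'liblzma'; then
            return 0
        fi
    done
    return 1
}

# Run both checks against the current host and print a human-readable verdict.
# Always returns 0 so the script can be sourced or chained without surprises.
check_host() {
    line=$(xz --version 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "xz not found in PATH; check liblzma with your package manager instead"
    else
        ver=$(parse_xz_version "$line")
        if xz_version_affected "$ver"; then
            echo "WARNING: xz $ver is a backdoored release (CVE-2024-3094)"
        else
            echo "xz $ver is not one of the backdoored releases"
        fi
    fi
    if sshd_links_liblzma; then
        echo "sshd loads liblzma (typically via libsystemd): the backdoor would be reachable"
    else
        echo "no sshd binary found that loads liblzma"
    fi
    return 0
}

check_host
```

A negative result on both checks is reassuring but not a proof of absence: `xz --version` reports the command-line tool, not necessarily the liblzma your sshd loads, and a statically linked or vendored liblzma will not show up in `ldd`. Treat the script as a first filter and follow your distribution's advisory for the actual remediation.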

Summary

Every happy ending vanishes from memory rather fast.
We have just witnessed the interception of a brutal attack.
