How a key-infra open source project can get compromised


I was checking how to remove background noise on calls so that everyone can stay unmuted all the time. There's a tool, krisp.ai, that offers that for Windows and Mac. The closest thing to it for Linux is NoiseTorch:


https://github.com/lawl/NoiseTorch


Checking its website I read this:


At least one of my systems has probably been compromised, don't use the source either. One could hide things in a large diff.

If the community can help review ALL of the code, maybe we can trust the code again and work from there.


How sad. It's a product that interfaces with pulseaudio, giving it access over every audio stream in your system. A wet dream for a spy agency. And of course, it got compromised.


What's interesting is that in a large codebase, it's hard to review the code even if you are the author. This is why he asks for community support.


What this tells me:


- If you are going to install something security sensitive on your machine, check the repo first, plus any RSS aggregators that cover recent vulnerabilities


- Don't assume for a second that because you are using linux you are not the target of major attacks


- What if the author hadn't realized he was compromised? How long would the changes have gone unnoticed? Open source code seems more secure because there are more eyes on it. But are there, really? Who donates their time to find a compromise in a large codebase?
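One way to act on the "large diff" point above, as an added example that is neither NoiseTorch's code nor the post author's: a script that parses output in the shape of `git log --format='commit %h %s' --numstat` and lists the commits a reviewer should read first. The line threshold, the sensitive-file pattern and the sample log are assumptions constructed for the example.

```python
"""Triage a git history for commits that are hard to review by eye.
Added example, not NoiseTorch's code. Input is in the shape of
`git log --format='commit %h %s' --numstat`; thresholds are assumptions."""
import re

LINE_THRESHOLD = 500  # assumed: above this nobody reads every line of the diff
# assumed: files that decide what is built, fetched or run at install time
SENSITIVE = re.compile(r"(^|/)(Makefile|go\.mod|go\.sum|[^/]+\.sh)$")

# Constructed sample log, not taken from any real repository.
SAMPLE_LOG = """\
commit 1111aaa fix typo in README
1\t1\tREADME.md
commit 2222bbb refactor audio pipeline
812\t355\tpulse/stream.go
40\t2\tMakefile
commit 3333ccc add tray icon
-\t-\tassets/tray.png
"""


def parse_numstat(text):
    """Group numstat lines under their commit; '-' counts mark binary files."""
    commits = {}
    current = None
    for line in text.splitlines():
        if line.startswith("commit "):
            _, sha, subject = line.split(" ", 2)
            current = commits[sha] = {"subject": subject, "lines": 0, "files": [], "binary": []}
        elif current is not None and line.strip():
            added, deleted, path = line.split("\t", 2)
            current["files"].append(path)
            if "-" in (added, deleted):
                current["binary"].append(path)  # git prints '-' for binary files
            else:
                current["lines"] += int(added) + int(deleted)
    return commits


def triage(commits):
    """Return (sha, reasons) for each commit that deserves a careful review."""
    flagged = []
    for sha, info in commits.items():
        reasons = []
        if info["lines"] > LINE_THRESHOLD:
            reasons.append(f"large diff ({info['lines']} lines changed)")
        reasons += [f"binary file {p} (no text diff to read)" for p in info["binary"]]
        reasons += [f"touches build file {p}" for p in info["files"] if SENSITIVE.search(p)]
        if reasons:
            flagged.append((sha, reasons))
    return flagged
```

Run it on a real checkout with `git log --format='commit %h %s' --numstat | python3 triage.py` after wiring `sys.stdin.read()` into `parse_numstat`; the flagged list is where a community review should start, not a verdict on the rest.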


Comments on HN:


https://news.ycombinator.com/item?id=31444895

