this post was submitted on 17 May 2026
Technology
Red Hat and Canonical shipped a vulnerable version of SSH, the thing was caught basically hours before hitting all devices around the world.
Should Red Hat and Canonical be now considered hostile as much as MS is?
I can only answer by saying this: I wish you luck in the job market and hope you'll eventually find an employer you don't assume to be a hostile entity towards you.
This is the equivalent of "prove that God doesn't exist". We can't know because they haven't been found, mate.
Were they the developers of the ssh package? Microsoft is the developer of the vulnerable bitlocker package and the ones who chose to ship it.
I am employed, most employers are obviously not as corrupt as the biggest corporations on the planet, they simply can't afford to.
I agree we can't know. We can know for FOSS software. You are treating unknowable as being less than the known bugs in FOSS software. That's dishonest, lad.
... one guy claims.
Another possibility is that they have two separate builds for BitLocker, and the one used in WinRE is vulnerable, which they missed.
We don't have enough information to clearly state that they did this on purpose.
Again, read up about the XZ Utils vulnerability. We technically can know, but we don't know, which was a statement by the guy responsible for the package. It's not dishonest, it's a statement of fact.
If you actually read his GitHub you would know that there is a different version of the responsible component between the recovery environment and an installation. Only the RE has the issue.
I've read the XZ vulnerability. The very same thing can happen in a closed source corporate project. There are many arrests of foreign intelligence agents that worked in big tech and/government. It would of course be easier to cover up. As would vulnerabilities discovered by AI, since they can limit who can check their code.
I know. It was mentioned in the article. It's precisely why I said: