Earlier this year, a developer was trying to benchmark a database. But something was wrong - SSH was taking up too much CPU time in the background. This accidental observation led to the discovery of an audacious attempt to introduce a backdoor that would allow an attacker access to almost any system in the world running SSH, an attack made up of both technical and social components.
This talk will describe the backdoor itself, the process that made it possible to inject it in the first place, and how this was exacerbated by a series of entirely reasonable decisions on the part of Linux distributions. It's a story of social engineering, novel obfuscation mechanisms, and a long con over several years. We'll delve into why distributions patch upstream code, why dependency chains are complicated, and how it's even possible for a compression library to break all the SSH security mechanisms that are intended to prevent this sort of thing from happening in the first place.
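The dependency-chain point is easiest to see by walking a binary's ELF `DT_NEEDED` entries: upstream sshd never asks for a compression library, but distributions that patch sshd to link libsystemd (for service-ready notification) inherit libsystemd's dependency on liblzma, so the library lands in sshd's address space. The script below is an added illustration, not code from the talk or from any of the projects involved; it parses little-endian ELF64 files directly so it runs without `ldd`. The library search directories are an assumption (a subset of the glibc defaults) and `/etc/ld.so.conf` is not consulted, so on an unusual layout a chain may go unresolved rather than be reported.

```python
"""Walk a binary's ELF DT_NEEDED chain and report every path to a given library.

Added example (not the talk's own code). Only little-endian ELF64 is handled,
and the search directories below are an assumed subset of the glibc defaults;
/etc/ld.so.conf is not parsed.
"""
import os
import struct
from typing import Dict, List, Optional

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 1, 5, 15, 29
SEARCH_DIRS = ["/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu",
               "/lib64", "/usr/lib64", "/lib", "/usr/lib"]  # assumed subset


def dynamic_info(path: str) -> Dict[str, List[str]]:
    """Return {'needed': [...], 'runpath': [...]} parsed from the ELF dynamic section."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError(f"{path}: not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _flags, p_off, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:  # statically linked: nothing is loaded at runtime
        return {"needed": [], "runpath": []}

    def vaddr_to_off(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it back to a file offset via PT_LOAD.
        for v, off, size in loads:
            if v <= vaddr < v + size:
                return vaddr - v + off
        raise ValueError(f"{path}: DT_STRTAB not covered by any PT_LOAD segment")

    entries, off, end = [], dynamic[0], dynamic[0] + dynamic[1]
    while off + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        off += 16
    strtab = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab is None:
        return {"needed": [], "runpath": []}
    base = vaddr_to_off(strtab)

    def cstr(idx: int) -> str:
        return data[base + idx:data.index(b"\0", base + idx)].decode()

    needed = [cstr(v) for t, v in entries if t == DT_NEEDED]
    raw_paths = [cstr(v) for t, v in entries if t in (DT_RUNPATH, DT_RPATH)]
    runpath = [p for entry in raw_paths for p in entry.split(":") if p]
    return {"needed": needed, "runpath": runpath}


def resolve(name: str, origin: str, runpath: List[str]) -> Optional[str]:
    """Locate a needed library: RUNPATH/RPATH first (with $ORIGIN), then the assumed system dirs."""
    for d in [p.replace("$ORIGIN", origin) for p in runpath] + SEARCH_DIRS:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return os.path.realpath(candidate)
    return None


def chains_to(path: str, prefix: str) -> List[List[str]]:
    """Every dependency chain from `path` down to a library whose name starts with `prefix`."""
    found, seen = [], set()

    def walk(p: str, chain: List[str]) -> None:
        try:
            info = dynamic_info(p)
        except (OSError, ValueError):
            return  # unreadable or unsupported object: stop this branch
        for name in info["needed"]:
            if name.startswith(prefix):
                found.append(chain + [name])
            target = resolve(name, os.path.dirname(p), info["runpath"])
            if target is None or target in seen:
                continue
            seen.add(target)
            walk(target, chain + [name])

    walk(path, [os.path.basename(path)])
    return found


if __name__ == "__main__":
    import sys
    binary = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/sshd"
    chains = chains_to(binary, "liblzma")
    if not chains:
        print(f"{binary}: liblzma is not in the dependency chain")
    for chain in chains:
        print(" -> ".join(chain))  # e.g. sshd -> libsystemd.so.0 -> liblzma.so.5
```

Run it against a distribution's sshd and the output shows not just whether liblzma is loaded but through which intermediate library, which is the information a reviewer of a distribution patch needs: every `DT_NEEDED` hop is code that gets to run constructors inside the privileged process before authentication happens.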