Is there a backdoor in your editor? Probably not, even if you’re using IntelliJ, but in a moment of schadenfreude for FOSS folks, the New York Times is reporting that JetBrains software may have been used as vector in the Russian hack.
It’s a good policy not to believe anything you read in the press about technical matters and JetBrains for its part is denying that there’s a backdoor TeamCity—the software in question—but admitted that it’s possible it was exploited somehow to install the trojan. Still, if you’re an IntelliJ user, you’ve got to be wondering what’s in your software.
The problem is, you don’t know because it’s closed source. That’s a problem users of Emacs and other FOSS editors don’t have. It’s easy to minimize the benefits of FOSS because most of us don’t, after all, make changes to—or even read—the source code of most of our applications. And yes, it’s possible for FOSS to be infected too but it’s more difficult and easier to discover.
This episode, whatever its truth, is a useful reminder that having access to the source code of your tools is important. Of course, as Ken Thompson reminds us, that may not be enough, but it’s sure better than using a black box.