Comment by 0xEF

8 hours ago

I agree, but in fairness, I don't know of any brand, tech or otherwise, that can completely wall itself off against insider threats. No matter how vigilant you are, someone who knows exactly how you move will find a way around you.

I can understand it's hard to defend against plausibly deniable errors that create backdoors, etc. But this would show a complete lack of code review, no?

  • Code review just means you need an accomplice. It makes it harder, not impossible.

    • Not even that. Bury it in a sufficiently-large PR and there’s a very good chance it’ll be rubber-stamped because no one wants to take the time to carefully review the entire set of changes.

  • > But this would show a complete lack of code review, no?

    You'd be surprised how many websites use Google Tag Manager to allow their marketing department to roll out trackers and other JS snippets directly into the site's root context.

    GTM et al.'s sole reason for existence is to provide marketing people with a way to bypass corporate IT.

    And I definitely would not rule out something like this being the cause in the end.