[ home / rules / faq ] [ overboard / sfw / alt ] [ leftypol / siberia / hobby / tech / edu / games / anime / music / draw / AKM ] [ meta / roulette ] [ cytube / wiki / git ] [ GET / ref / marx / booru / zine ]

/tech/ - Technology

"Technology reveals the active relation of man to nature" - Karl Marx
Name
Options
Subject
Comment
Flag
File
Embed
Password (For file deletion.)

Join our Matrix Chat <=> IRC: #leftypol on Rizon


File: 1711733518134.jpg (43.76 KB, 700x490, Backdoor.jpg)

 No.23925

https://www.openwall.com/lists/oss-security/2024/03/29/4
Apparently one of the maintainers have been adding backdoors to xz/liblzma for who knows how long. Because it was coming from a "trusted" source (upstream), nobody noticed it until now. Does this mean the end of the open-source security myth?

 No.23926

Translation for brainlet plz?

 No.23927

>>23926
One of the authors of a popular software library added code to it that deliberately compromises the security of a software used to login remotely into servers.

 No.23928

>>23927
I see, many thanks for the explanation. Are there some (brainlet friendly) articles about this issue?

 No.23929

schizo theory: this was all a ploy by facebook to get people to switch to zstd

 No.23930

>>23929
I once read on 4chin, that behind Linux is actually Microsoft. But I don't how plausible this claim is.

 No.23932

>>23928
I don't know of any, it's pretty fresh and the whole extent of the thing is not known yet.

 No.23933

>Does this mean the end of the open-source security myth?

security problem was discovered because the program is open-source (which is half the point of open-source), are you disabled?

 No.23934

so, which glowies do we think are behind this?

 No.23936

Appearently someone figured this out because of unusually slow download speeds for the package. Wouldn't've even been caught if that person hadn't been suspicious of something so maundane.

 No.23937

>>23936
Where did you read that? The report linked in the OP says no such thing.

 No.23938

>>23937
Took a bit to find it again: https://electric.marf.space/@trysdyn/statuses/01HT5Q220WERVFVZKYPN0332KJ
They don't link to anything, so may just be telephone gamed, sorry about that.

 No.23939

File: 1711745381186.png (90.02 KB, 480x800, wp_ss_20240329_0001.png)

>>23930
Uhm.. based Google?

 No.23940

>>23939
Time to switch to OpenBSD

 No.23941

>>23938
Here's the reporter's thread on Mastodont, it was found because it was eating up too much CPU and made microbenchmarks noisy: https://mastodon.social/@AndresFreundTec/112180083704606941

 No.23942

>>23940
imagine trusting google

 No.23943

>>23939
Linux is not on Github, it's on kernel.org.

 No.23944

File: 1711750499957.png (58.18 KB, 800x310, wp_ss_20240329_0002.png)

>>23943
Why do I have the feeling, that Linux is actually a psyop?

 No.23945

>>23944

it's less a psyop and more like linux is the backbone of 90% of the internet.

 No.23946

>>23945
Bigtech funds Linux ➡ Linux is the backbone of the internet ➡ the internet is???

 No.23947

>>23944
>[company] relies on [project] for it's current operations
>donates to [project]
>ZOMG Everychungus, le hecking BEEG TEQUE is Psyoping you into using [project]

Do people apply this reasoning to physical stuff like trains?

 No.23948

>>23947
In politics, you can get a very clear picture with this simple trick: FOLLOW THE MONEY. Why shouldn't this work in this case too?

 No.23949

So the backdoor was added by "Jia Tan" (not a unique name) or JiaT75. Do we really now who that is, photo, location? Can we even know the nationality? I mean, if I would do such a thing, I would of course lie about my ethnic heritage as well as throw in some fake birth year.

 No.23950

>>23948
Because that is an overly simplistic, liberal friendly approach to what actual materialist analysis accomplishes more precisely.
Not every conspiracy involves making a monetary transaction, and not every monetary transaction is a conspiracy.

 No.23951

>>23949
Reading the discussion on Hacker News is quite interesting, some people believe this was an operation by chinese glowies (or maybe it's a false flag operation to appear this way??)

 No.23952

>>23950
So you don't believe that money can corrupt/influence organizations?

 No.23953

>>23951
It's pure speculation, nothing is actually known.

 No.23954

>>23952
It's not the only factor. Personally I think people are putting too much trust in the Linux Foundation, but there are already maintained forks of the kernel, Linux will survive without the foundation if it decides to begin the rent seeking phase, just as it survived when ubuntu did so.

I hold firm that "company donates to project it relies on so it doesn't lose an important logistical component of it's operations / that component can improve = project is psyop" is braindead and ignores structure.

 No.23955

Another spooky account involved in this which might be one and the same entity is "Hans Jansen":
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

 No.23956

>>23951
>or maybe it's a false flag operation to appear this way??
pleasant reminder that the reason there was so much upset about the vault 7 leaks is because they exposed the methods the US used to attribute their actions to other actors.

 No.23957

>>23954
So you don't think it's fishy, if a communist organisation would get funded by the CIA? You don't think, that the congress for cultural freedom was a psyop?

 No.23958

>>23957
All those companies were openly working on Linux before the foundation. Linux is not some subversive organization, it's just a piece of software.

 No.23959

>>23957
The CIA considering a communist party critical to it's continues operations would be a whole different beast than a company that relies on computers having standardized software donating to the upkeep of said software.

Like, would you think it's "suspicious" for an animation studio to donate to Krita?

 No.23960

>>23958
I always believed, that Linux and Foss is the good alternative to BigTech. Now I learn, there is no difference and it doesn't matter which software you use. Penguin, bitten apple, window… they are all the same.

 No.23961

>>23960
The Linux Foundation is not concerned with desktop Linux, almost all their projects are enterprise server bullshit.

 No.23962

File: 1711804476867.png (213.66 KB, 850x1100, Gyrfalcon.png)


 No.23963

>>23941
>>23955
Very interesting.
Given everything shown, it is likely the culprit is working in Europe. Could be some German intelligence, a lone wolf, or an Israeli-German cyber-security company.

My bets are on it being a single person with no backing.

 No.23973

File: 1711837596039.jpeg (88.19 KB, 680x680, e8a7606d31141249.jpeg)


 No.23974

>>23973
kekkkk perfect.

 No.23975


 No.23976

>>23955

First-level: seems obvious (Jia Cheong Tan is not a real Chinese name) that it's NSA trying to frame MSS.

Second-level: Maybe it's FSB / GRU trying to frame the NSA as trying to frame MSS?

Third-level: MSS / PLASSF got bored.

Fourth-level: there is no Nash equilibrium so we can stop guessing and go home. Obviously someone's glow-op, but good luck figuring out who.

 No.23978

File: 1711833956766.jpg (277.74 KB, 1021x981, ukr.jpg)

Speculations oscillating between blame and china and glow-op.

 No.23979

>>23978
it's always a fucking glow op, shit like linux relies on good faith and common purpose but there's a dwindling supply of that.

 No.23980

let the FBI cucks spy on me. it'll be a waste of their time

 No.23981

File: 1711836365564.gif (37.38 KB, 220x391, funny-chad.gif)

Installing Windows rn

 No.23982

>>23978
>the analysis of his git commit timestamps
LMFAO, those are so fucking trivial to fake, the faking is built into git itself. There's a git command argument to supply a custom timestamp for a commit, I've done this myself.

Glowies (or anyone else) will try to mask their operations by even including foreign language in their code, even if it serves no technical purpose. It's just there to give false leads.

I'm pretty certain the author of those commits is NOT from the timezone of those commits. If they are competent enough to develop a backdoor then they sure as fuck will have the absolute basic knowledge about hiding their traces.

 No.23983

>>23982
>There's a git command argument to supply a custom timestamp for a commit, I've done this myself.
ah yes, the old "make my work shift longer than it actually was" trick

 No.23984

Debian stable chads stay winning

 No.23985

File: 1711837389660.jpg (132.67 KB, 1000x1414, debian-stable.jpg)


 No.23986

>>23984
>>23985
it's not old, it's stable!

 No.23987

>>23982
Hear is the thing, the developer had a Chinese sounding name but a timestamp that aligns with Eastern europe/Israel.

So which of these things is fake and which is genuine and whatever is fake, what was the intention behind the obfuscation?

 No.23988

>>23987

You can't tell who it is, it could be Five Eyes trying to frame Chinese / Russians, Russians trying to frame Chinese, or Chinese trying to frame Russians, or Russians / Chinese trying to frame Five Eyes trying to frame Chinese / Russians.

It's no point; vs spooks it's very hard to figure out who did what unless they were sloppy.

 No.23989

>>23988
I mean that's the thing though, this was a sloppy job. They didn't even benchmark it, which was how it got found out like imediately.

 No.23990

>>23988
Exactly, but cui bono? Who benefits from the delegitimization of free and open software? Chinas or American companies? In the West are currently in the midst hot debate about Chinese-made software and tech companies.

 No.23994

>guy responsible for the backdoor has a chinese-sounding name
I'm curious, if this reches MSM, will it be used as fuel for more anti-china hysteria? very interesting times ahead

 No.23995

>do nothing
>win

 No.23996

>>23979
linux relies on the incentive a lot of corporations have for keeping it maintained, and also autistic trans girls

 No.23997

>>23952
stupid moralist

 No.23998

>>23996
>and also autistic trans girls
le twatter maymay, bring up furries too for extra funnies

 No.23999

>>23998
stop using twitter, no one cares if you're tired of something being brought up as a joke on blue reddit. You aren't on twitter right now.

 No.24015

So, after the dust has settled: How are your computing habits now? Have you switched to another distro? To another OS? Will you give up on internet connectivity entirely? You can't just ignore what happened, can you?

 No.24016

>>23999
then stop being unfunny

 No.24017

>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Poettering moment.

 No.24018

File: 1712006735214.png (46.56 KB, 1108x147, 1711760083935.png)


 No.24019

File: 1712006910513.png (738.88 KB, 2774x1196, 1711831369102.png)


 No.24032

>>23998
>>24016
i WILL make trans catgirl programmer jokes, and you WILL mald

 No.24033

Is there any writeups about what the actual backdoor did, how it worked? All I can find is scattered notes on technical details.

 No.24042

File: 1712096731347.png (66.25 KB, 616x626, 1712096510762249.png)

plot thickening

 No.24044

>>24033
Boost, equally curious myself.
>>24042
The plot glows more and more, though this seems intentionally misleading- From what I have gathered, the backdoor has been in the works for years, why put such little-effort into a pseudo-identity?

 No.24045

>>23952
that is literally not what anon said you retard

 No.24046

>>23984
>>23985
didnt it affect stable debian only because the backdoor targeted important servers

 No.24047

>>24044
>why put such little-effort into a pseudo-identity?

Because the Intelligence agencies expect people to be dumb enough to fall for it. The glowies aren't that particularity intelligent. Remember when they tried to kill Fidel Castro with a literal "Loony Toons"-esque exploding cigar?

 No.24049

>>24047
They were right, people did fall for it, nobody suspected anything until the backdoor was found.

 No.24050

I thought there would be some kind of algorithm that could brute force every possible kind of vulnerability by now. Shouldn't these kinds of vulnerabilities be easily detected by AI or something?

 No.24051

>>24050
finding a backdoor from a .5 ssh delay is far too autistic a task for modern ai

 No.24052

>>24051
finding a backdoor from a .5 ssh delay seems like the perfect task that should be automated. In general terms, why isn't this happening?

 No.24053

>>24052
i imagine that the greatest challenge comes from the sneaky-sneaky glowies digging years old rabbit holes to push backdoors into code. due to the open source nature of xz, malicious code must be very well hidden, difficult for the ai to detect, see >>23973 for a tl;dr of the very lengthy process. plus, its not like you can just grep the source code and find a boolean response to some given string whether its malicious or not. although i imagine these aren't huge limitations, as the plot was foiled pretty easily by, of all people, a Microsoft dev and I would imagine after this fiasco more effort will be concentrating on ravaging through rabbit-holes for malicious code.

 No.24054

>>24052
It would cost money and companies use "open source" to save money.

 No.24059

>>24050
There's fuzzing which tries to bruteforce malicious inputs, which is not exactly what you describe but the closest to it, and it was sabotaged by the backdoor's author: https://github.com/google/oss-fuzz/pull/10667

 No.24060

File: 1712170693625.png (131.5 KB, 668x1624, ClipboardImage.png)

Maintainer's blogpost about the incident:
https://tukaani.org/xz-backdoor/

 No.24071

File: 1712204301093.png (4.12 KB, 511x139, GJ7yuavXcAATNDR.png)

>If you have infected version of liblzma in your system, it's already loaded into EVERY process that depends on libsystemd. systemd's dependency on liblzma *was literally* the attack vector.
lol pid 1

glad i dont use a distro that depends on poetteringware


Unique IPs: 25

[Return][Go to top] [Catalog] | [Home][Post a Reply]
Delete Post [ ]
[ home / rules / faq ] [ overboard / sfw / alt ] [ leftypol / siberia / hobby / tech / edu / games / anime / music / draw / AKM ] [ meta / roulette ] [ cytube / wiki / git ] [ GET / ref / marx / booru / zine ]