"Technology reveals the active relation of man to nature" - Karl Marx
Apparently one of the maintainers has been adding backdoors to xz/liblzma for who knows how long. Because it was coming from a "trusted" source (upstream), nobody noticed it until now. Does this mean the end of the open-source security myth?


Translation for brainlet plz?


One of the authors of a popular software library added code to it that deliberately compromises the security of software used to log in remotely to servers.


I see, many thanks for the explanation. Are there some (brainlet friendly) articles about this issue?


schizo theory: this was all a ploy by facebook to get people to switch to zstd


I once read on 4chin that behind Linux is actually Microsoft. But I don't know how plausible this claim is.


I don't know of any, it's pretty fresh and the whole extent of the thing is not known yet.


>Does this mean the end of the open-source security myth?

security problem was discovered because the program is open-source (which is half the point of open-source), are you disabled?


so, which glowies do we think are behind this?


Apparently someone figured this out because of unusually slow download speeds for the package. Wouldn't have even been caught if that person hadn't been suspicious of something so mundane.


Where did you read that? The report linked in the OP says no such thing.


Took a bit to find it again: https://electric.marf.space/@trysdyn/statuses/01HT5Q220WERVFVZKYPN0332KJ
They don't link to anything, so may just be telephone gamed, sorry about that.


Uhm.. based Google?


Time to switch to OpenBSD


Here's the reporter's thread on Mastodon; it was found because it was eating up too much CPU and made microbenchmarks noisy: https://mastodon.social/@AndresFreundTec/112180083704606941


imagine trusting google


Linux is not on Github, it's on kernel.org.


Why do I have the feeling that Linux is actually a psyop?



it's less a psyop and more like linux is the backbone of 90% of the internet.


Bigtech funds Linux ➡ Linux is the backbone of the internet ➡ the internet is???


>[company] relies on [project] for its current operations
>donates to [project]
>ZOMG Everychungus, le hecking BEEG TEQUE is Psyoping you into using [project]

Do people apply this reasoning to physical stuff like trains?


In politics, you can get a very clear picture with this simple trick: FOLLOW THE MONEY. Why shouldn't this work in this case too?


So the backdoor was added by "Jia Tan" (not a unique name) or JiaT75. Do we really know who that is, photo, location? Can we even know the nationality? I mean, if I did such a thing, I would of course lie about my ethnic heritage as well as throw in a fake birth year.


Because that is an overly simplistic, liberal friendly approach to what actual materialist analysis accomplishes more precisely.
Not every conspiracy involves making a monetary transaction, and not every monetary transaction is a conspiracy.


Reading the discussion on Hacker News is quite interesting, some people believe this was an operation by Chinese glowies (or maybe it's a false flag operation to appear this way??)


So you don't believe that money can corrupt/influence organizations?


It's pure speculation, nothing is actually known.


It's not the only factor. Personally I think people are putting too much trust in the Linux Foundation, but there are already maintained forks of the kernel, Linux will survive without the foundation if it decides to begin the rent seeking phase, just as it survived when ubuntu did so.

I hold firm that "company donates to project it relies on so it doesn't lose an important logistical component of its operations / that component can improve = project is psyop" is braindead and ignores structure.


Another spooky account involved in this which might be one and the same entity is "Hans Jansen":


>or maybe it's a false flag operation to appear this way??
pleasant reminder that the reason there was so much upset about the vault 7 leaks is because they exposed the methods the US used to attribute their actions to other actors.


So you don't think it's fishy if a communist organisation got funded by the CIA? You don't think that the Congress for Cultural Freedom was a psyop?


All those companies were openly working on Linux before the foundation. Linux is not some subversive organization, it's just a piece of software.


The CIA considering a communist party critical to its continued operations would be a whole different beast than a company that relies on computers having standardized software donating to the upkeep of said software.

Like, would you think it's "suspicious" for an animation studio to donate to Krita?


I always believed that Linux and FOSS are the good alternative to Big Tech. Now I learn there is no difference and it doesn't matter which software you use. Penguin, bitten apple, window… they are all the same.


The Linux Foundation is not concerned with desktop Linux, almost all their projects are enterprise server bullshit.


Very interesting.
Given everything shown, it is likely the culprit is working in Europe. Could be some German intelligence, a lone wolf, or an Israeli-German cyber-security company.

My bets are on it being a single person with no backing.


kekkkk perfect.




First-level: seems obvious (Jia Cheong Tan is not a real Chinese name) that it's NSA trying to frame MSS.

Second-level: Maybe it's FSB / GRU trying to frame the NSA as trying to frame MSS?

Third-level: MSS / PLASSF got bored.

Fourth-level: there is no Nash equilibrium so we can stop guessing and go home. Obviously someone's glow-op, but good luck figuring out who.


Speculation oscillating between blaming China and a glow-op.


it's always a fucking glow op, shit like linux relies on good faith and common purpose but there's a dwindling supply of that.


let the FBI cucks spy on me. it'll be a waste of their time


Installing Windows rn


>the analysis of his git commit timestamps
LMFAO, those are so fucking trivial to fake, the faking is built into git itself. There's a git command argument to supply a custom timestamp for a commit, I've done this myself.

Glowies (or anyone else) will try to mask their operations by even including foreign language in their code, even if it serves no technical purpose. It's just there to give false leads.

I'm pretty certain the author of those commits is NOT from the timezone of those commits. If they are competent enough to develop a backdoor then they sure as fuck will have the absolute basic knowledge about hiding their traces.
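The point in the post above about forged timestamps, as an added example (not code from anyone in this thread): git stores an author date and a committer date in every commit, and both, offset included, are supplied by whoever runs `git commit`. The script below assumes only that `git` is installed; the repo, identity and dates are all constructed.

```shell
#!/bin/sh
# Added example, not from anyone in this thread: forging git commit dates.
# Git stores two dates per commit (author and committer) and both come from
# whoever runs `git commit`, timezone offset included, so a "working hours"
# or timezone profile built from commit timestamps only shows what the
# committer chose to write. Assumes git is installed; the repo is throwaway.
set -eu

forge_commit_dates() {
    # $1 = the date string to stamp on the commit, e.g. "2021-01-29 21:23:00 +0800"
    stamp=$1
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q .
        printf 'hello\n' > file.txt
        git add file.txt
        # Identity is constructed and need not match any real account.
        # --date sets the author date; GIT_COMMITTER_DATE sets the committer date.
        GIT_AUTHOR_NAME=anon GIT_AUTHOR_EMAIL=anon@example.invalid \
        GIT_COMMITTER_NAME=anon GIT_COMMITTER_EMAIL=anon@example.invalid \
        GIT_COMMITTER_DATE="$stamp" \
            git commit -q -m "forged timestamp" --date="$stamp"
        # Print both dates exactly as stored: unix seconds plus the offset
        # that was asserted, not the offset of the machine that made the commit.
        git log -1 --format='%ad %cd' --date=raw
    )
    rm -rf "$repo"
}

# Stand-alone run: stamp a commit as a UTC+8 evening regardless of the
# local clock, then show what git recorded.
forge_commit_dates "2021-01-29 21:23:00 +0800"
```

Both printed dates carry the asserted `+0800` offset and nothing about the machine's real clock or zone survives in the commit object, which is why timestamp analysis is at best a weak signal about an adversary who knows git.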


>There's a git command argument to supply a custom timestamp for a commit, I've done this myself.
ah yes, the old "make my work shift longer than it actually was" trick


Debian stable chads stay winning


it's not old, it's stable!


Here is the thing: the developer had a Chinese-sounding name but a timestamp that aligns with Eastern Europe/Israel.

So which of these things is fake and which is genuine and whatever is fake, what was the intention behind the obfuscation?



You can't tell who it is, it could be Five Eyes trying to frame Chinese / Russians, Russians trying to frame Chinese, or Chinese trying to frame Russians, or Russians / Chinese trying to frame Five Eyes trying to frame Chinese / Russians.

It's no point; vs spooks it's very hard to figure out who did what unless they were sloppy.


I mean that's the thing though, this was a sloppy job. They didn't even benchmark it, which was how it got found out like immediately.


Exactly, but cui bono? Who benefits from the delegitimization of free and open software? Chinese or American companies? In the West we are currently in the midst of a hot debate about Chinese-made software and tech companies.


>guy responsible for the backdoor has a chinese-sounding name
I'm curious, if this reaches MSM, will it be used as fuel for more anti-China hysteria? Very interesting times ahead.


>do nothing


linux relies on the incentive a lot of corporations have for keeping it maintained, and also autistic trans girls


stupid moralist


>and also autistic trans girls
le twatter maymay, bring up furries too for extra funnies


stop using twitter, no one cares if you're tired of something being brought up as a joke on blue reddit. You aren't on twitter right now.


So, after the dust has settled: How are your computing habits now? Have you switched to another distro? To another OS? Will you give up on internet connectivity entirely? You can't just ignore what happened, can you?


then stop being unfunny


>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Poettering moment.


i WILL make trans catgirl programmer jokes, and you WILL mald


Is there any writeups about what the actual backdoor did, how it worked? All I can find is scattered notes on technical details.


plot thickening


Boost, equally curious myself.
The plot glows more and more, though this seems intentionally misleading. From what I have gathered, the backdoor has been in the works for years, so why put such little effort into a pseudo-identity?


that is literally not what anon said you retard


Didn't it affect Debian stable only because the backdoor targeted important servers?


>why put such little-effort into a pseudo-identity?

Because the intelligence agencies expect people to be dumb enough to fall for it. The glowies aren't that particularly intelligent. Remember when they tried to kill Fidel Castro with a literal "Looney Tunes"-esque exploding cigar?


They were right, people did fall for it, nobody suspected anything until the backdoor was found.


I thought there would be some kind of algorithm that could brute force every possible kind of vulnerability by now. Shouldn't these kinds of vulnerabilities be easily detected by AI or something?


finding a backdoor from a .5 ssh delay is far too autistic a task for modern ai


finding a backdoor from a .5 ssh delay seems like the perfect task that should be automated. In general terms, why isn't this happening?


i imagine that the greatest challenge comes from the sneaky-sneaky glowies digging years-old rabbit holes to push backdoors into code. due to the open source nature of xz, malicious code must be very well hidden, difficult for the ai to detect, see >>23973 for a tl;dr of the very lengthy process. plus, it's not like you can just grep the source code and find a boolean response to some given string whether it's malicious or not. although i imagine these aren't huge limitations, as the plot was foiled pretty easily by, of all people, a Microsoft dev and I would imagine after this fiasco more effort will be concentrated on ravaging through rabbit-holes for malicious code.


It would cost money and companies use "open source" to save money.


There's fuzzing which tries to bruteforce malicious inputs, which is not exactly what you describe but the closest to it, and it was sabotaged by the backdoor's author: https://github.com/google/oss-fuzz/pull/10667


Maintainer's blogpost about the incident:



>If you have an infected version of liblzma on your system, it's already loaded into EVERY process that depends on libsystemd. systemd's dependency on liblzma *was literally* the attack vector.
lol pid 1

glad i dont use a distro that depends on poetteringware

