479

submitted 2 months ago by cypherpunks@lemmy.ml to c/programmerhumor@lemmy.ml

68 comments fedilink hide all child comments

transcript

Screenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence "This was a blatant violation of the Debian Free Software Guidelines" is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption "What, are you a fucking park ranger now?" from the scene where that line was spoken.

top 50 comments

sorted by: hot top controversial new old

[-] Plasma@lemmy.ml 228 points 2 months ago

Backdoors are bad for security 😆😆

[-] shootwhatsmyname@lemm.ee 95 points 2 months ago

oh dang removes backdoor from my house

[-] unreachable@lemmy.world 27 points 2 months ago

OnlyF~~ans~~rontDoor

[-] Potatos_are_not_friends@lemmy.world 19 points 2 months ago

Hell yeah. Make the windows difficult to enter, and now you have a singular point of entry.

Then put a gun turret there.

[-] frezik@midwest.social 12 points 2 months ago

Your house isn't truly secure until you have a lava moat, and other ideas I came up with when I was eight.

[-] eatham@aussie.zone 6 points 2 months ago

Just remove the windows

[-] unionagainstdhmo@aussie.zone 9 points 2 months ago

Didn't some pro-gun idiots suggest removing back doors from American schools

[-] Liz@midwest.social 7 points 2 months ago

I'm pro gun and that's a laughably stupid idea for about a million reasons.

[-] waspentalive@lemmy.one 6 points 2 months ago* (last edited 2 months ago)

Don't remove the back door from your house, bar it with a sturdy 2x4 that holds it closed. Just be sure to use a 2x4 that is not made weak by the application of a specific chemical that only the secret bad guy knows about.

[-] RedWeasel@lemmy.world 66 points 2 months ago

Seriously. If you are going to do it, write in assembly or something else no one understands.

[-] Ineocla@lemmy.ml 123 points 2 months ago

Tbh jia tan really wasn't lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

[-] conditional_soup@lemm.ee 76 points 2 months ago

A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

[-] B0rax@feddit.de 29 points 2 months ago

Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

What if this is just one of many backdoors and it’s just the only one we found?

[-] thisisbutaname@discuss.tchncs.de 63 points 2 months ago* (last edited 2 months ago)

I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

As for the second part, that's an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we'd have found them out soon like in this case?

[-] Appoxo@lemmy.dbzer0.com 17 points 2 months ago* (last edited 2 months ago)

You'd be surprised what I manage with motivation and boredom.
You'd be surprised what a highly skilled ~~scalled~~ person can manage to achieve.

Boredom, Skills and Motivation are dangerous things to have if improperly handled.

[-] neeeeDanke@feddit.de 6 points 2 months ago

highly scalled person

You might be on to something, it might have been the lizzard people!

load more comments (1 replies)

[-] agent_flounder@lemmy.world 6 points 2 months ago

Nobody is both that bored and that motivated. Unless paid.

[-] B0rax@feddit.de 6 points 2 months ago* (last edited 2 months ago)

You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

[-] PapstJL4U@lemmy.world 6 points 2 months ago

The design is Moriarty lvls of complex. State actor might be too specific, but everything but a group of people would be highly unlikely.

[-] GissaMittJobb@lemmy.ml 5 points 2 months ago

Realistically I think it's probably easier to acquire a botnet of less secure systems. This was a targeted attack.

load more comments (1 replies)

[-] SzethFriendOfNimi@lemmy.world 13 points 2 months ago

It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.

It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.

[-] RegalPotoo@lemmy.world 21 points 2 months ago

[removed by mod]

[-] TheGalacticVoid@lemm.ee 7 points 2 months ago

I'm surprised that nobody suggested that he was a kidnapped dev. This seems like a different implementation of the pig butchering scams that target ordinary people.

[-] davel@lemmy.ml 8 points 2 months ago

[-] TheGalacticVoid@lemm.ee 5 points 2 months ago

I wasn't joking.

A good chunk of scam calls and texts come from people who themselves are victims of kidnapping. Many of those victims (primarily in Asia) got into the position they were in because they were looking for work, went to a different country to start a promised job, and then got trapped and forced to work for scam centers that do social engineering attacks.

These scam centers are sophisticated to the point where they can develop very legitimate-looking crypto trading platforms for targets in the US and other wealthy countries. They then assign one of the kidnapped people to a target. These kidnapped people then social engineer their way for months to get what their captors want - usually money in the aforementioned trading platform. Then, they cut all contact once they have control of the funds.

How does this relate to XZ? Well, if they can kidnap ordinary people looking for jobs, there's not much stopping them from including devs in their pool of targets. Afterward, it's just a rinse and repeat of what they'd done before.

If you want to look more into pig butchering, John Oliver has a great episode on it.

[-] davel@lemmy.ml 10 points 2 months ago

You don’t kidnap extremely highly skilled internet malware developers and force them to code for you, you just pay them appropriately.

[-] Iapar@feddit.de 9 points 2 months ago

Jupp. If you trap someone highly skilled and give that person a weapon, the chances are good that this person will use that against you.

Like how does a less skilled person know that this code will not send location to the police with a message?

load more comments (1 replies)

load more comments (3 replies)

[-] Vilian@lemmy.ca 12 points 2 months ago

the guy was even in microsoft he was at his house testing debian

[-] ElCanut@jlai.lu 17 points 2 months ago

Aggressively writes a backdoor in COBOL

[-] Wooki@lemmy.world 3 points 2 months ago

Whoa hol up.

Write the build script in assembly?

Thats not okay man.

load more comments (1 replies)

load more comments (2 replies)

[-] Boomkop3@reddthat.com 30 points 2 months ago

I don't get the joke

[-] Galli@hexbear.net 41 points 2 months ago

I can excuse attempting to compromise millions of computer systems worldwide for nefarious purposes but I draw the line at violating the contributor guidelines of an opensource project.

[-] lefixxx@lemmy.world 17 points 2 months ago

Its like saying bank robbery is against bank’s gun carrying policy.

Sure its true, but thats not really the problem being addressed. The massive, notorious security vulnerability is.

[-] lefixxx@lemmy.world 4 points 2 months ago

Oh the big lebowsky part, i dont get it either

[-] Boomkop3@reddthat.com 3 points 2 months ago

I got that part, which is funny. The movie below tho, I don't think is

[-] deltapi@lemmy.world 16 points 2 months ago

Yep, probably because it's not funny or clever. My guess is that you look for funny and/or clever in your jokes.

[-] Boomkop3@reddthat.com 5 points 2 months ago

Someone explained it, turns out it's just not my kind of joke. I get it now tho

load more comments (8 replies)

load more comments (1 replies)

[-] UserMeNever@feddit.nl 22 points 2 months ago

Backdoors are bad for security.

No shit....

load more comments (1 replies)

[-] SnotFlickerman@lemmy.blahaj.zone 14 points 2 months ago

Oh please, dear? For your information, the Supreme Court has roundly rejected prior restraint.

[-] FrankTheHealer@lemmy.world 12 points 2 months ago

Nobody fucks with the Linux

[-] neo@feddit.de 4 points 2 months ago

This guy Archs! Am I right!? You know I'm right!

[-] Jomosoto@discuss.tchncs.de 8 points 2 months ago

Best part to me is "The maintainer who added the backdoor has disappeared." implying it was removes because there's nobody left to maintain it

[-] xantoxis@lemmy.world 6 points 2 months ago

Well, I think they should revoke that guy's PGP key

load more comments (2 replies)

[-] DmMacniel@feddit.de 4 points 2 months ago

Far out

[-] merthyr1831@lemmy.world 3 points 2 months ago

reminds me of the infamous NSA backdoor patch blog for Notepad++

load more comments

this post was submitted on 11 Apr 2024

479 points (96.0% liked)

Programmer Humor

31223 readers

60 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

Posts must be relevant to programming, programmers, or computer science.
No NSFW content.
Jokes must be in good taste. No hate speech, bigotry, etc.

founded 4 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

cat_programmer@lemmy.ml