that ain't legal either

Jomosoto, 1 month ago

Best part to me is “The maintainer who added the backdoor has disappeared.” implying it was removes because there’s nobody left to maintain it

merthyr1831, 1 month ago

reminds me of the infamous NSA backdoor patch blog for Notepad++

UserMeNever, 1 month ago

Backdoors are bad for security.

No shit…

flashgnash, 1 month ago

You’ve gotta wonder what else you’d write though

Especially given the urgency guy’s probably not gonna sit there and ponder

FrankTheHealer, 1 month ago

Nobody fucks with the Linux

https://lemmy.world/pictrs/image/d3ad6c2a-2827-4d15-8f1c-d868cf5a785a.gif

neo, 1 month ago

This guy Archs! Am I right!? You know I’m right!

Boomkop3, 1 month ago

I don’t get the joke

deltapi, 1 month ago

Yep, probably because it’s not funny or clever. My guess is that you look for funny and/or clever in your jokes.

Boomkop3, 1 month ago

Someone explained it, turns out it’s just not my kind of joke. I get it now tho

computergeek125, 1 month ago

I’m still lost… I’ve been following the XZ thing since it broke, so I get the context, but I’m not sure how the meme at the bottom is connected?

Boomkop3, 1 month ago

On the photo you see a violation of rules listed as one of the reasons this commit is made. Because it’s at the top the meme creator is presuming that’s their main priority.

And they disagree with that, so they’re calling them a “park ranger”. I’m guessing they’re alluding to an old but common media presentation of park rangers being childish about rules.

I get the joke with that it looks a bit odd to put that reason at the top of the list, but their response I find more unkind than funny

loutr, 1 month ago

It’s a scene from The Big Lebowski, right after The Dude got tortured with a marmot by German nihilists. Walter focuses on the legality of keeping a marmot as a pet, which is obviously not the main issue.

Boomkop3, 1 month ago

Yea, I’ve seen that kind of humour in my grandpa’s movies sometimes too. Not my thing

loutr, 1 month ago

The Big Lebowski is the pinnacle of humour! Now get off my lawn!

cypherpunks, 1 month ago

As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being “culturally, historically, or aesthetically significant”).

This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to “cut off his Johnson”. In an attempt to express sympathy, The Dude’s friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists’ exotic pet is also illegal. The Dude’s retort “what, are you a fucking park ranger now” is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.

This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin’s observation that the XZ backdoor was also a violation of Debian’s software licensing policies.

Thank you for reading my artist’s statement.

computergeek125, 1 month ago

I don’t think I’ve seen that movie, so that explains why I missed the joke

Boomkop3, 1 month ago

I just don’t like derogatory jokes

Galli, 1 month ago

I can excuse attempting to compromise millions of computer systems worldwide for nefarious purposes but I draw the line at violating the contributor guidelines of an opensource project.

xilliah, 1 month ago

Scene (invidious)

lefixxx, 1 month ago

Its like saying bank robbery is against bank’s gun carrying policy.

Sure its true, but thats not really the problem being addressed. The massive, notorious security vulnerability is.

lefixxx, 1 month ago

Oh the big lebowsky part, i dont get it either

Boomkop3, 1 month ago

I got that part, which is funny. The movie below tho, I don’t think is

DmMacniel, 1 month ago

Far out

xantoxis, 1 month ago

Well, I think they should revoke that guy’s PGP key

computergeek125, 1 month ago

Isn’t the point of PGP/GPG that there’s no central database?

Bene7rddso, 1 month ago

Yes, he will always be able to prove that’s it’s him. But if they revoke the permissions of that key he can’t do any more damage

unreasonabro, 1 month ago

What’s even going on here? cuz it looks like we’re trying to suggest that somebody having a way into your system when you don’t want them there isn’t a problem, but that’s retarded

Wooki, 1 month ago

The binaries had part of the source hidden in them implying it was closed source code. But it wasnt compiled code its just poorly obfuscated code. The pattern is pretty simple.

SnotFlickerman, 1 month ago

Oh please, dear? For your information, the Supreme Court has roundly rejected prior restraint.

Plasma, 1 month ago

Backdoors are bad for security 😆😆

shootwhatsmyname, 1 month ago

oh dang removes backdoor from my house

unreachable, 1 month ago

OnlyFansrontDoor

Potatos_are_not_friends, 1 month ago

Hell yeah. Make the windows difficult to enter, and now you have a singular point of entry.

Then put a gun turret there.

frezik, 1 month ago

Your house isn’t truly secure until you have a lava moat, and other ideas I came up with when I was eight.

eatham, 1 month ago

Just remove the windows

waspentalive, 1 month ago

Don’t remove the back door from your house, bar it with a sturdy 2x4 that holds it closed. Just be sure to use a 2x4 that is not made weak by the application of a specific chemical that only the secret bad guy knows about.

unionagainstdhmo, 1 month ago

Didn’t some pro-gun idiots suggest removing back doors from American schools

Liz, 1 month ago

I’m pro gun and that’s a laughably stupid idea for about a million reasons.

RedWeasel, 1 month ago

Seriously. If you are going to do it, write in assembly or something else no one understands.

Ineocla, 1 month ago

Tbh jia tan really wasn’t lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

Vilian, 1 month ago

the guy was even in microsoft he was at his house testing debian

conditional_soup, 1 month ago

A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

B0rax, 1 month ago

Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

What if this is just one of many backdoors and it’s just the only one we found?

agent_flounder, 1 month ago

Nobody is both that bored and that motivated. Unless paid.

B0rax, 1 month ago

You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

GissaMittJobb, 1 month ago

Realistically I think it’s probably easier to acquire a botnet of less secure systems. This was a targeted attack.

B0rax, 1 month ago

Easier, yes. But some people will do stuff because it is more challenging.

PapstJL4U, 1 month ago

The design is Moriarty lvls of complex. State actor might be too specific, but everything but a group of people would be highly unlikely.

InputZero, 1 month ago

Yeah, well that’s just, like, your opinion, man. (You mentioned the word opinion in a post referencing The Big Lebowski. I had to. Thank you for coming to my shit post.)

thisisbutaname, 1 month ago

I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

As for the second part, that’s an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we’d have found them out soon like in this case?

Appoxo, 1 month ago (edited 1 month ago)

You’d be surprised what I manage with motivation and boredom.
You’d be surprised what a highly skilled scalled person can manage to achieve.

Boredom, Skills and Motivation are dangerous things to have if improperly handled.

neeeeDanke, 1 month ago

highly scalled person

You might be on to something, it might have been the lizzard people!

trolololol, 1 month ago (edited 1 month ago)

Another speculation from the suse team was a private company with intent to sell the exploit to state across actors

I think there’s lots of known backdoors that are not publicly disclosed and privately sold.

But given the history of cves in inclined to believe most come from well intentioned developers. When you read the blogs from the Google security team for example, it’s interesting to see how you need to chain a couple exploits at least, to get a proper attack going. Not in this case, it would make it very straightforward to accomplish very intrusive actions.

SzethFriendOfNimi, 1 month ago

It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.

It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.

RegalPotoo, 1 month ago

Jia Tan probably wasn’t one person - most likely the identity was operated by a team of people at an intelligence agency, probably Russian or Chinese

OurToothbrush, 1 month ago (edited 1 month ago)

Any sources there or do you just lie for fun?

Edit: an article on this kind of behavior:redsails.org/false-witnesses/

kieron115, 1 month ago

All they did was offer an opinion, chill.

winterayars, 1 month ago

There’s a high likelihood it was Russian or Chinese work tbh. That’s a pretty reasonable take.

TheGalacticVoid, 1 month ago

I’m surprised that nobody suggested that he was a kidnapped dev. This seems like a different implementation of the pig butchering scams that target ordinary people.

davel, 1 month ago

https://lemmy.ml/pictrs/image/0597e652-3d6e-4c51-8912-169f4a13dcf1.jpeg

TheGalacticVoid, 1 month ago

I wasn’t joking.

A good chunk of scam calls and texts come from people who themselves are victims of kidnapping. Many of those victims (primarily in Asia) got into the position they were in because they were looking for work, went to a different country to start a promised job, and then got trapped and forced to work for scam centers that do social engineering attacks.

These scam centers are sophisticated to the point where they can develop very legitimate-looking crypto trading platforms for targets in the US and other wealthy countries. They then assign one of the kidnapped people to a target. These kidnapped people then social engineer their way for months to get what their captors want - usually money in the aforementioned trading platform. Then, they cut all contact once they have control of the funds.

How does this relate to XZ? Well, if they can kidnap ordinary people looking for jobs, there’s not much stopping them from including devs in their pool of targets. Afterward, it’s just a rinse and repeat of what they’d done before.

If you want to look more into pig butchering, John Oliver has a great episode on it.

davel, 1 month ago

You don’t kidnap extremely highly skilled internet malware developers and force them to code for you, you just pay them appropriately.

TheGalacticVoid, 1 month ago

The malware, sure, but you’re ignoring how they were able to push the malware in the first place.

Iapar, 1 month ago

Jupp. If you trap someone highly skilled and give that person a weapon, the chances are good that this person will use that against you.

Like how does a less skilled person know that this code will not send location to the police with a message?

TheGalacticVoid, 8 days ago

A bit late, but the police are often paid by captors, so calling the police just leads to punishment.

ElCanut, 1 month ago

Aggressively writes a backdoor in COBOL

Bene7rddso, 1 month ago

Assembly wouldn’t run on multiple architectures

RedWeasel, 1 month ago

Neither does the blob it downloaded. Would you think twice about AVX10 support if it was commented as AVX10 support in a compression library? Some might, but would they be the ones reviewing the code? A lot of programs that can take advantage of “handwritten” optimizations, like video decoders/encoders and compression, have assembly pathways so it will take advantage of the hardware when it is available but run when it isn’t. If the reviewers are not familiar with assembly enough something could be snuck in.

systemD is using dlopens for libraries now and I am not convinced malware couldn’t modify the core executable memory and stay resident even after the dl is unloaded. Difficult, yes, but not impossible.

Wooki, 1 month ago

Whoa hol up.

Write the build script in assembly?

Thats not okay man.

RedWeasel, 1 month ago

No, it this case the backdoor. Hide it in plain sight.