No.23926
Translation for brainlet plz?
No.23927
>>23926 One of the authors of a popular software library added code to it that deliberately compromises the security of software used to log in remotely to servers.
No.23928
>>23927 I see, many thanks for the explanation. Are there some (brainlet friendly) articles about this issue?
No.23929
Schizo theory: this was all a ploy by Facebook to get people to switch to zstd.
No.23930
>>23929 I once read on 4chin that behind Linux is actually Microsoft. But I don't know how plausible this claim is.
No.23932
>>23928 I don't know of any, it's pretty fresh and the whole extent of the thing is not known yet.
No.23933
>Does this mean the end of the open-source security myth?
The security problem was discovered because the program is open-source (which is half the point of open-source), are you disabled?
No.23934
So, which glowies do we think are behind this?
No.23936
Apparently someone figured this out because of unusually slow download speeds for the package. Wouldn't have even been caught if that person hadn't been suspicious of something so mundane.
No.23937
>>23936 Where did you read that? The report linked in the OP says no such thing.
No.23938
>>23937 Took a bit to find it again:
https://electric.marf.space/@trysdyn/statuses/01HT5Q220WERVFVZKYPN0332KJ
They don't link to anything, so it may just be telephone gamed, sorry about that.
No.23940
>>23939 Time to switch to OpenBSD
No.23941
>>23938 Here's the reporter's thread on Mastodon, it was found because it was eating up too much CPU and made microbenchmarks noisy:
https://mastodon.social/@AndresFreundTec/112180083704606941
No.23942
>>23940 Imagine trusting Google.
No.23943
>>23939 Linux is not on GitHub, it's on kernel.org.
No.23945
>>23944 It's less a psyop and more like Linux is the backbone of 90% of the internet.
No.23946
>>23945 Big tech funds Linux ➡ Linux is the backbone of the internet ➡ the internet is???
No.23947
>>23944
>[company] relies on [project] for its current operations
>donates to [project]
>ZOMG Everychungus, le hecking BEEG TEQUE is psyoping you into using [project]
Do people apply this reasoning to physical stuff like trains?
No.23948
>>23947 In politics, you can get a very clear picture with this simple trick: FOLLOW THE MONEY. Why shouldn't this work in this case too?
No.23949
So the backdoor was added by "Jia Tan" (not a unique name) or JiaT75. Do we really know who that is, photo, location? Can we even know the nationality? I mean, if I were to do such a thing, I would of course lie about my ethnic heritage as well as throw in some fake birth year.
No.23950
>>23948 Because that is an overly simplistic, liberal-friendly approach to what actual materialist analysis accomplishes more precisely.
Not every conspiracy involves making a monetary transaction, and not every monetary transaction is a conspiracy.
No.23951
>>23949 Reading the discussion on Hacker News is quite interesting, some people believe this was an operation by Chinese glowies (or maybe it's a false flag operation to appear this way??)
No.23952
>>23950 So you don't believe that money can corrupt/influence organizations?
No.23953
>>23951 It's pure speculation, nothing is actually known.
No.23954
>>23952 It's not the only factor. Personally I think people are putting too much trust in the Linux Foundation, but there are already maintained forks of the kernel, Linux will survive without the foundation if it decides to begin the rent seeking phase, just as it survived when Ubuntu did so.
I hold firm that "company donates to project it relies on so it doesn't lose an important logistical component of its operations / that component can improve = project is psyop" is braindead and ignores structure.
No.23955
Another spooky account involved in this which might be one and the same entity is "Hans Jansen":
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
No.23956
>>23951
>or maybe it's a false flag operation to appear this way??
Pleasant reminder that the reason there was so much upset about the Vault 7 leaks is because they exposed the methods the US used to attribute their actions to other actors.
No.23957
>>23954 So you don't think it's fishy if a communist organisation were funded by the CIA? You don't think that the Congress for Cultural Freedom was a psyop?
No.23958
>>23957 All those companies were openly working on Linux before the foundation. Linux is not some subversive organization, it's just a piece of software.
No.23959
>>23957 The CIA considering a communist party critical to its continued operations would be a whole different beast than a company that relies on computers having standardized software donating to the upkeep of said software.
Like, would you think it's "suspicious" for an animation studio to donate to Krita?
No.23960
>>23958 I always believed that Linux and FOSS are the good alternative to big tech. Now I learn there is no difference and it doesn't matter which software you use. Penguin, bitten apple, window… they are all the same.
No.23961
>>23960 The Linux Foundation is not concerned with desktop Linux, almost all their projects are enterprise server bullshit.
No.23963
>>23941 >>23955 Very interesting.
Given everything shown, it is likely the culprit is working in Europe. Could be some German intelligence, a lone wolf, or an Israeli-German cyber-security company.
My bets are on it being a single person with no backing.
No.23976
>>23955 First-level: seems obvious (Jia Cheong Tan is not a real Chinese name) that it's NSA trying to frame MSS.
Second-level: Maybe it's FSB / GRU trying to frame the NSA as trying to frame MSS?
Third-level: MSS / PLASSF got bored.
Fourth-level: there is no Nash equilibrium so we can stop guessing and go home. Obviously someone's glow-op, but good luck figuring out who.
No.23979
>>23978 It's always a fucking glow op, shit like Linux relies on good faith and common purpose but there's a dwindling supply of that.
No.23980
Let the FBI cucks spy on me. It'll be a waste of their time.
No.23982
>>23978
>the analysis of his git commit timestamps
LMFAO, those are so fucking trivial to fake, the faking is built into git itself. There's a git command argument to supply a custom timestamp for a commit, I've done this myself.
Glowies (or anyone else) will try to mask their operations by even including foreign language in their code, even if it serves no technical purpose. It's just there to give false leads.
I'm pretty certain the author of those commits is NOT from the timezone of those commits. If they are competent enough to develop a backdoor then they sure as fuck will have the absolute basic knowledge about hiding their traces.
No.23983
>>23982
>There's a git command argument to supply a custom timestamp for a commit, I've done this myself.
Ah yes, the old "make my work shift longer than it actually was" trick.
No.23984
Debian stable chads stay winning
No.23987
>>23982 Here is the thing, the developer had a Chinese-sounding name but a timestamp that aligns with Eastern Europe/Israel.
So which of these things is fake and which is genuine and whatever is fake, what was the intention behind the obfuscation?
No.23988
>>23987 You can't tell who it is, it could be Five Eyes trying to frame Chinese / Russians, Russians trying to frame Chinese, or Chinese trying to frame Russians, or Russians / Chinese trying to frame Five Eyes trying to frame Chinese / Russians.
There's no point; vs spooks it's very hard to figure out who did what unless they were sloppy.
No.23989
>>23988 I mean that's the thing though, this was a sloppy job. They didn't even benchmark it, which was how it got found out like immediately.
No.23990
>>23988 Exactly, but cui bono? Who benefits from the delegitimization of free and open software? Chinese or American companies? In the West we are currently in the midst of a hot debate about Chinese-made software and tech companies.
No.23994
>guy responsible for the backdoor has a chinese-sounding name
I'm curious, if this reaches MSM, will it be used as fuel for more anti-China hysteria? Very interesting times ahead.
No.23996
>>23979 Linux relies on the incentive a lot of corporations have for keeping it maintained, and also autistic trans girls.
No.23998
>>23996
>and also autistic trans girls
Le twatter maymay, bring up furries too for extra funnies.
No.23999
>>23998 Stop using Twitter, no one cares if you're tired of something being brought up as a joke on blue Reddit. You aren't on Twitter right now.
No.24015
So, after the dust has settled: How are your computing habits now? Have you switched to another distro? To another OS? Will you give up on internet connectivity entirely? You can't just ignore what happened, can you?
No.24016
>>23999 Then stop being unfunny.
No.24017
>openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma.
Poettering moment.
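The dependency chain quoted above (sshd does not use liblzma directly; the distro patch adds libsystemd, which depends on liblzma) can be checked on a host with a few lines of sh. This is an added example, not from the thread; the default sshd path and the embedded ldd output are assumed/constructed.

```shell
#!/bin/sh
# Added example: detect whether an sshd binary pulls in liblzma, which on
# Debian-style builds happens indirectly via the systemd-notify patch
# (sshd -> libsystemd -> liblzma). Path and sample output are assumptions.

# deps_include LIB: read ldd output on stdin, succeed if LIB.so appears in it.
deps_include() {
    grep -q "^[[:space:]]*$1\.so"
}

# lzma_chain BIN: print the libraries that explain how liblzma gets loaded,
# i.e. libsystemd (the usual carrier) and liblzma itself, one per line.
lzma_chain() {
    ldd "$1" 2>/dev/null | grep -E "^[[:space:]]*(libsystemd|liblzma)\.so" \
        | awk '{print $1}'
}

# sshd_links_lzma [BIN]: 0 = liblzma is loaded, 1 = not loaded, 2 = no binary.
sshd_links_lzma() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || return 2
    ldd "$bin" 2>/dev/null | deps_include liblzma
}

# classify_ldd: read ldd output on stdin, print "exposed" or "clean".
classify_ldd() {
    if deps_include liblzma; then echo exposed; else echo clean; fi
}

# Constructed ldd output for a patched (systemd-notify) and a vanilla sshd.
SAMPLE_PATCHED='	linux-vdso.so.1 (0x00007ffd00000000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000200000)'
SAMPLE_VANILLA='	linux-vdso.so.1 (0x00007ffd00000000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000200000)'

# Live usage on a host (commented out so the script is safe to source):
# sshd_links_lzma && lzma_chain /usr/sbin/sshd
```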
No.24032
>>23998 >>24016 I WILL make trans catgirl programmer jokes, and you WILL mald.
No.24033
Are there any writeups about what the actual backdoor did, how it worked? All I can find is scattered notes on technical details.
No.24044
>>24033 Boost, equally curious myself.
>>24042 The plot glows more and more, though this seems intentionally misleading. From what I have gathered, the backdoor has been in the works for years, why put so little effort into a pseudo-identity?
No.24045
>>23952 That is literally not what anon said, you retard.
No.24046
>>23984 >>23985 Didn't it affect stable Debian only because the backdoor targeted important servers?
No.24047
>>24044
>why put such little-effort into a pseudo-identity?
Because the intelligence agencies expect people to be dumb enough to fall for it. The glowies aren't that particularly intelligent. Remember when they tried to kill Fidel Castro with a literal "Looney Tunes"-esque exploding cigar?
No.24049
>>24047 They were right, people did fall for it, nobody suspected anything until the backdoor was found.
No.24050
I thought there would be some kind of algorithm that could brute force every possible kind of vulnerability by now. Shouldn't these kinds of vulnerabilities be easily detected by AI or something?
No.24051
>>24050 Finding a backdoor from a .5 ssh delay is far too autistic a task for modern AI.
No.24052
>>24051 Finding a backdoor from a .5 ssh delay seems like the perfect task that should be automated. In general terms, why isn't this happening?
No.24053
>>24052 I imagine that the greatest challenge comes from the sneaky-sneaky glowies digging years-old rabbit holes to push backdoors into code. Due to the open source nature of xz, malicious code must be very well hidden, difficult for the AI to detect, see
>>23973 for a tl;dr of the very lengthy process. Plus, it's not like you can just grep the source code and find a boolean response to some given string whether it's malicious or not. Although I imagine these aren't huge limitations, as the plot was foiled pretty easily by, of all people, a Microsoft dev, and I would imagine after this fiasco more effort will be concentrated on ravaging through rabbit holes for malicious code.
No.24054
>>24052 It would cost money and companies use "open source" to save money.
No.24059
>>24050 There's fuzzing, which tries to bruteforce malicious inputs, which is not exactly what you describe but the closest to it, and it was sabotaged by the backdoor's author:
https://github.com/google/oss-fuzz/pull/10667