transcript

Screenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence “This was a blatant violation of the Debian Free Software Guidelines” is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption “What, are you a fucking park ranger now?” from the scene where that line was spoken.

  • Ineocla@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    9 months ago

    Tbh jia tan really wasn’t lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

    • conditional_soup@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

      • B0rax@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

        What if this is just one of many backdoors and it’s just the only one we found?

        • PapstJL4U@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          The design is Moriarty lvls of complex. State actor might be too specific, but everything but a group of people would be highly unlikely.

        • thisisbutaname@discuss.tchncs.de
          link
          fedilink
          arrow-up
          1
          ·
          edit-2
          9 months ago

          I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

          As for the second part, that’s an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we’d have found them out soon like in this case?

          • Appoxo@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            9 months ago

            You’d be surprised what I manage with motivation and boredom.
            You’d be surprised what a highly skilled scalled person can manage to achieve.

            Boredom, Skills and Motivation are dangerous things to have if improperly handled.

        • GissaMittJobb@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          9 months ago

          Realistically I think it’s probably easier to acquire a botnet of less secure systems. This was a targeted attack.

          • B0rax@feddit.de
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            9 months ago

            You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

            In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

      • SzethFriendOfNimi@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.

        It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.