The Linux Thread - The Autist's OS of Choice

It was caught before it got out of the beta channels for fedora and Debian, and had a check to disable it on Arch distros for some reason.

What's alarming is that it only got caught because it caused performance issues
One thing I've noticed throughout my life is that I often get things done with computers through serendipity ... it is kinda alarming
 
Leftist lunacy in computing is near inescapable unless you become a hermit and take on building your own kernel, shell interpreter, init system and graphics/network/sound stack, for your own operating system, and entirely constrained to your standards and no one else's. I mean your own, not someone else's project you forked out of frustration, and regardless of moral/political compass.

In other words, use what actually works for you, and stick to the tried and true on your own terms. Accept that political autism exists in pretty much every technical sector. Try and focus on getting work done.
i do hope one day, someone here on the farms is autistic enough to actually make their own distro.
no troonery, no stupidity, just a good distro.

a man can dream...
 
It was caught before it got out of the beta channels for fedora and Debian, and had a check to disable it on Arch distros for some reason.

What's alarming is that it only got caught because it caused performance issues
It also made its way into MacOS via brew packages which have now been rolling back versions. Kali Linux apparently used the compromised library and has also rolled back. I use Debian Stable so I'm (presumably) alright! :)

The ultimate source appears to be a "Jia Tan" (https://github.com/JiaT75), not sure where they're from but making an educated guess from the name, China. And there appears to have been some social manipulation on mailing lists to get Jia Tan appointed to a maintainer position by a Jigar Kumar. Not sure where they're from but an educated guess from the name would be India. The code was incorporated downstream by a Lasse Collin. Not sure who they are but an educated guess from the name suggests they are a Border Collie. So probably best to dispense with all these "educated guesses" because the real takeaway here is that nobody seems to know who the Jia Tan person (or their ally Kumar) is beyond a name and an email address floating around the ether. They could be anyone. They could be one person or many people. There are also a number of other mailing list comments that could very likely be sock puppets building influence for the malicious actor to get into the position to do this. The fact that so much of contribution and decision making is just anonymous voices rather than named people with known positions and careers is a real danger in the OSS community.

Incidentally, the person who happened to find this because they were micro-tuning the performance of something, is a Microsoft engineer who was tweaking things to work better on MS's Azure platform.

(And out of consideration for the delicate temperaments of posters in this thread, I will forbear commenting on the uses of pipes to grep in the compromised bash script. :) )
 
No, just a good vector for malware when used outside appropriate purposes (your init system).
Well historically, Linux's init system has been a giant pile of Bash scripts. And rather ironically in the context of your position, only SystemD using systems are affected by this exploit.

The biggest own someone got on me in a conversation on Linux was when I was talking about the object based nature of Windows with someone and he softly remarked "you know that's what System D was designed to bring to Linux" and I had to laugh. Because aside from being the "Windows Zealot" amongst my colleagues, I was also known as the "System D ranter". :biggrin: Cake and eat it, I suppose! :biggrin:

 
Well historically, Linux's init system has been a giant pile of Bash scripts. And rather ironically in the context of your position, only SystemD using systems are affected by this exploit.

The biggest own someone got on me in a conversation on Linux was when I was talking about the object based nature of Windows with someone and he softly remarked "you know that's what System D was designed to bring to Linux" and I had to laugh. Because aside from being the "Windows Zealot" amongst my colleagues, I was also known as the "System D ranter". :biggrin: Cake and eat it, I suppose! :biggrin:
There's no conflict here. Init is the right place to use (relatively simple and trivial to audit) shell scripts.

A powershell-based init would be an improvement in readability and ease of use, kind of the opposite of SystemD, but it isn't worth the hassle that having to rewrite init scripts would be.
 
Disgraceful program systemd
CVE-2012-1174: Delete Any Files (the computer was destroyed)
CVE-2015-7510, CVE-2018-15688: Arbitrary State Insertion (state injection)
CVE-2017-9217: Buffer Overflow (buffer overflow)
CVE-2017-9445: systemd-resolved Remote Code Execution (execute programs remotely)
CVE-2017-15908: Denial of Service (denial of service)
CVE-2017-1000082: 0-Day (zero-day) Root Exploit (makes the computer run however you like)
CVE-2018-15686: Root Privilege Elevation (10.0 Critical Exploit!!) (improper access to the root account)
CVE-2020-13776: Root Privilege Elevation Again (privilege escalation)
CVE-2019-6454: Kernel Panic (kernel panic)
CVE-2020-1712: Arbitrary Code Execution (arbitrary code execution)
CVE-2021-33910: Stack Exhaustion (ran out of stack space)
 
But even the most ardent Systemd proponents must admit to the fact, that Lennart Poettering is annoying.

Jokes (not joking) aside, when systemd was on its virus-like explosion stage of spread, I likened it to Saruman (Linux) gazing into Mordor (Microsoft) and trying to make of itself a little version of what it saw there. Is the end goal to have a system wide object model like Windows does? One Service Manager to Rule Them All? One Service Manager to Find Them? /[am|am not]trolling
 
Always manually eject a pendrive. If you don't and just yank the thing out, Linux might screw its file descriptor and it's bricked.
Oh yes, it happens!
And it really sucks sweaty balls.
The only good thing that comes from it is that if you've done it once and lost data you'll never do it again.
 
Funny coming from that person yes, but actually pretty standard.

The user interested in and knowing what's going on on his own system adding another layer of security; who would have thought.

I wonder who gave the signal to make the dude shoot his shot just to apparently get discovered rather early. It seems to me like they had a specific target in mind and the time was ripe. This reeks of government (and yes, not necessarily Chinese government, guy could have also named himself John McAmericanson). Guy was a sleeper agent. Wonder if they actually succeeded.
 
Wonder if they actually succeeded.
The bigger question: Has something similar already succeeded? This was only found by chance, because of a ricing autist who was annoyed at his system slowing down slightly. It wouldn't surprise me if there's already something lurking in the guts of systemd. It is such a huge, sprawling morass of perpetually-moving code that review is nearly impossible.
 
i do hope one day, someone here on the farms is autistic enough to actually make their own distro.
no troonery, no stupidity, just a good distro.

a man can dream...

Linux From Scratch could do some good with an OpenRC or Runit init system guide, maybe one with musl+busybox.

Be your own distro.
 
I wonder who gave the signal to make the dude shoot his shot just to apparently get discovered rather early. It seems to me like they had a specific target in mind and the time was ripe. This reeks of government (and yes, not necessarily Chinese government, guy could have also named himself John McAmericanson). Guy was a sleeper agent. Wonder if they actually succeeded.
What's to say it's early? This account made its first commit a couple of years ago, I think. There's even a kernel commit I think someone mentioned.

The bigger question: Has something similar already succeeded? This was only found by chance, because of a ricing autist who was annoyed at his system slowing down slightly. It wouldn't surprise me if there's already something lurking in the guts of systemd. It is such a huge, sprawling morass of perpetually-moving code that review is nearly impossible.
I think "ricing autist annoyed at his system" is a little misrepresentative. He's a Microsoft engineer working on the Azure platform and unless I'm misreading this, he was employed working on optimising some of the code with Postgres performance. He showed response times going slightly over double with SSH. Now that's not to oversell it because he himself described it as accidental. But I've several times now seen people in this thread make comments along the line of sloppy infiltration, lucky find, etc. And this is a professional doing a deep dive on his work which I prefer not to characterise as lucky. Many people would have just shrugged and moved on. We were a whisker away from this making it into Debian Stable on which many real and important things are built.
 
The ultimate source appears to be a "Jia Tan", (https://github.com/JiaT75) not sure where they're from but making an educated guess from the name, China.
I saw something that said he's also worked on Loongson code, which makes it 100% he's Chinese.

The code was incorporated downstream by a Lasse Collin. Not sure who they are but an educated guess from the name suggests they are a Border Collie.
Not a good boy. This sounds more like a husky sort of thing to do.

FACT- the compromise leveraged a shell script because it is obfuscated by nature.
Wasn't it also some chicanery with the autoconf voodoo? I know people complain about CMake, but it's bliss compared to autotools.

Every time I've tried out systemd I've encountered some blocker that's made me go back to OpenRC pronto. Usually something along the lines of hanging while starting or shutting down. If it were better, I'd use it.
 