Saturday, March 30


Daily News Stuff 30 March 2024

Almost Oops Edition

Tech News

  • The man who saved the world:  Andres Freund noticed that SSH logins - used by every server in the world - were taking half a second longer than they should.  (Ars Technica)

    He was curious so he poked at it a bit and found the equivalent of the demon core being added for free to every school lunch in the world.

    In essence, had this been done with more care and not caught before it was added to production releases of Linux, a state actor - this is almost certainly the work of some place like China or North Korea - could have had access to everything, everywhere.

    You might be at AWS and have all your services behind a VPN, but that wouldn't help you at all because they'd just need to hack AWS first.

    All the development for this hack was done in public, either by a developer who spent a lot of time building up trust by writing useful code, or by hacking that developer's GitHub account.

    Expect GitHub to force 2FA on all users in short order, even if that wouldn't have prevented this incident.  Every warning sign has a story behind it, and Andres is the Harry Daghlian and Louis Slotin of the age, except that he didn't die of radiation poisoning.


  • However, some not-really-production releases of Linux were impacted.  (CyberKendra)

    Fedora Rawhide and Kali Linux were affected for the past three days.  Arch Linux has been affected for five weeks, and Debian's unstable release seems to be the worst hit, with the new packages added eight weeks ago.

    Fedora 40 Beta might be affected if you set up the test library versions as well as the regular beta libraries.

    AWS Linux is not affected, nor are stable releases like Ubuntu LTS or Red Hat Enterprise Linux.
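The whole thing was caught because someone noticed that logins were about half a second slower than they should be. Here is that observation turned into a small check: an added example, not code from the original post, from Ars Technica, or from anyone named above. It assumes you already keep a recorded baseline of login round-trip times for a host; the timing samples embedded below are constructed for illustration, and the `measure_login_seconds` helper (which shells out to `ssh -o BatchMode=yes`) is a hypothetical way to collect live samples and is not run here.

```python
"""Baseline-and-deviation check for interactive login latency.

Added example (not from the original post). The idea: a backdoor that does extra
work during the SSH handshake shows up as a consistent latency shift, so compare
fresh timings against a known-good baseline using robust statistics.
All sample timings below are constructed, not real measurements.
"""
import statistics
import subprocess
import time

# Constructed baseline: typical public-key login round-trips on a healthy host (seconds).
BASELINE_SECONDS = [0.21, 0.19, 0.23, 0.20, 0.22, 0.18, 0.24, 0.21]
# Constructed "after" sample: the same host with roughly 0.5 s added to every login.
SUSPECT_SECONDS = [0.71, 0.69, 0.74, 0.70, 0.73, 0.68, 0.72, 0.70]


def robust_center_and_spread(samples):
    """Median and median absolute deviation (MAD).

    These are used instead of mean/stdev so a couple of one-off slow logins
    (network hiccup, cold cache) do not drag the baseline around. A small MAD
    floor avoids dividing by zero on perfectly flat data.
    """
    median = statistics.median(samples)
    mad = statistics.median(abs(s - median) for s in samples)
    return median, max(mad, 0.005)


def login_latency_alert(baseline, fresh, min_shift_seconds=0.25, mad_multiplier=5.0):
    """Return an alert dict when the fresh sample is both meaningfully slower
    (at least min_shift_seconds) and statistically slower (at least
    mad_multiplier * baseline MAD) than the baseline; otherwise return None.

    Both conditions are required: on a very quiet host the MAD can be tiny, so a
    few milliseconds of drift would otherwise look like "many MADs" and page someone.
    """
    base_median, base_mad = robust_center_and_spread(baseline)
    fresh_median, _ = robust_center_and_spread(fresh)
    shift = fresh_median - base_median
    if shift >= min_shift_seconds and shift >= mad_multiplier * base_mad:
        return {
            "baseline_median": round(base_median, 3),
            "fresh_median": round(fresh_median, 3),
            "shift_seconds": round(shift, 3),
        }
    return None


def measure_login_seconds(target, attempts=5, ssh_binary="ssh"):
    """Hypothetical live collector: time a non-interactive login several times.

    BatchMode stops ssh from prompting, so even a rejected key still yields a
    full handshake-plus-authentication timing instead of hanging. Not exercised
    by the offline example above; feed its output to login_latency_alert().
    """
    timings = []
    for _ in range(attempts):
        start = time.perf_counter()
        subprocess.run(
            [ssh_binary, "-o", "BatchMode=yes", "-o", "ConnectTimeout=5", target, "true"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False,
        )
        timings.append(time.perf_counter() - start)
    return timings


if __name__ == "__main__":
    # With the constructed samples this reports a shift of about 0.495 s.
    print(login_latency_alert(BASELINE_SECONDS, SUSPECT_SECONDS))
```

The thresholds are deliberately conservative: the point is not to catch every jitter but to notice a steady step change like the one described above, which a plain "is it over N seconds" alarm would miss on a fast host and drown in noise on a slow one.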






Disclaimer: Danger, may contain electrons.

Posted by: Pixy Misa at 06:00 PM | Comments (4) | Add Comment | Trackbacks (Suck)
Post contains 816 words, total size 7 kb.

1 That sshd thing is a real doozie.  Probably is a state-level, and shows that trusting people(sic) is foolish.  And, speaking as a people, you really can't trust 'em.

Posted by: normal at Saturday, March 30 2024 09:47 PM (bg2DR)

2 I hate what the tech world has become. On my less optimistic days, I am thoroughly ashamed of my entire career, even though I had little to do with this mess. And I absolutely despise everything about open source, in large part due to the fact that it is impossible to avoid.

One day everything will come crashing down over some stupid git check-in (malicious maybe, more probably just someone who didn't do simple testing), and there will be no escape from the consequences because everyone in the world uses the same idiot packages.

Posted by: Kurt Duncan at Sunday, March 31 2024 12:55 AM (dMQGF)

3 The hack is an excellent argument against systemd and its tentacles.

-j

Posted by: J Greely at Sunday, March 31 2024 01:39 AM (oJgNG)

4 systemd is the more successful German version of this exploit

modern Germany is pretty much a hostile state actor

Posted by: PatBuckman at Monday, April 01 2024 01:42 AM (rcPLc)








