this post was submitted on 11 Apr 2024
4 points (100.0% liked)

Programmer Humor

31997 readers
673 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
cat_programmer@lemmy.ml
4
that ain't legal either (lemmy.ml)
submitted 5 months ago by cypherpunks@lemmy.ml to c/programmerhumor@lemmy.ml
38 comments fedilink hide all child comments
 

transcriptScreenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence "This was a blatant violation of the Debian Free Software Guidelines" is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption "What, are you a fucking park ranger now?" from the scene where that line was spoken.

top 38 comments
sorted by: hot top controversial new old
[–] Jomosoto@discuss.tchncs.de 1 points 5 months ago

Best part to me is "The maintainer who added the backdoor has disappeared." implying it was removes because there's nobody left to maintain it

[–] Plasma@lemmy.ml 1 points 5 months ago (1 children)

Backdoors are bad for security πŸ˜†πŸ˜†

[–] shootwhatsmyname@lemm.ee 1 points 5 months ago (2 children)

oh dang removes backdoor from my house

[–] unreachable@lemmy.world 1 points 5 months ago

OnlyF~~ans~~rontDoor

[–] Potatos_are_not_friends@lemmy.world 1 points 5 months ago (1 children)

Hell yeah. Make the windows difficult to enter, and now you have a singular point of entry.

Then put a gun turret there.

[–] frezik@midwest.social 1 points 5 months ago

Your house isn't truly secure until you have a lava moat, and other ideas I came up with when I was eight.

[–] Boomkop3@reddthat.com 1 points 5 months ago (2 children)

I don't get the joke

[–] lefixxx@lemmy.world 1 points 5 months ago (1 children)

Its like saying bank robbery is against bank’s gun carrying policy.

Sure its true, but thats not really the problem being addressed. The massive, notorious security vulnerability is.

[–] lefixxx@lemmy.world 1 points 5 months ago

Oh the big lebowsky part, i dont get it either

[–] deltapi@lemmy.world 0 points 5 months ago (1 children)

Yep, probably because it's not funny or clever. My guess is that you look for funny and/or clever in your jokes.

[–] Boomkop3@reddthat.com 0 points 5 months ago (1 children)

Someone explained it, turns out it's just not my kind of joke. I get it now tho

[–] computergeek125@lemmy.world 0 points 5 months ago (1 children)

I'm still lost... I've been following the XZ thing since it broke, so I get the context, but I'm not sure how the meme at the bottom is connected?

[–] Boomkop3@reddthat.com 0 points 5 months ago (2 children)

On the photo you see a violation of rules listed as one of the reasons this commit is made. Because it's at the top the meme creator is presuming that's their main priority.

And they disagree with that, so they're calling them a "park ranger". I'm guessing they're alluding to an old but common media presentation of park rangers being childish about rules.

I get the joke with that it looks a bit odd to put that reason at the top of the list, but their response I find more unkind than funny

[–] cypherpunks@lemmy.ml 1 points 5 months ago

As the image transcript in the post body explains, the image at the bottom is a scene from a well-known 1998 film (which, according to Wikipedia, was in 2014 selected for preservation in the United States National Film Registry by the Library of Congress as being "culturally, historically, or aesthetically significant").

This meme will not make as much sense to people who have not seen the film. You can watch the referenced scene here. The context is that the main character, The Dude (played by Jeff Bridges) has recently had his private residence invaded by a group of nihilists with a pet marmot (actually portrayed by a ferret) and they have threatened to "cut off his Johnson". In an attempt to express sympathy, The Dude's friend Walter (played by John Goodman) points out that, in addition to the home invasion and threats, the nihilists' exotic pet is also illegal. The Dude's retort "what, are you a fucking park ranger now" is expressing irritation with that observation, because it is insignificant compared with the threat of the removal of his penis.

This meme attempts to draw a parallel between this humorous scene and XZ developer Lasse Collin's observation that the XZ backdoor was also a violation of Debian's software licensing policies.

Thank you for reading my artist's statement.

[–] loutr@sh.itjust.works 0 points 5 months ago (1 children)

It's a scene from The Big Lebowski, right after The Dude got tortured with a marmot by German nihilists. Walter focuses on the legality of keeping a marmot as a pet, which is obviously not the main issue.

[–] Boomkop3@reddthat.com 0 points 5 months ago (1 children)

Yea, I've seen that kind of humour in my grandpa's movies sometimes too. Not my thing

[–] loutr@sh.itjust.works 1 points 5 months ago

The Big Lebowski is the pinnacle of humour! Now get off my lawn!

[–] RedWeasel@lemmy.world 1 points 5 months ago (3 children)

Seriously. If you are going to do it, write in assembly or something else no one understands.

[–] ElCanut@jlai.lu 1 points 5 months ago

Aggressively writes a backdoor in COBOL

[–] Ineocla@lemmy.ml 1 points 5 months ago (1 children)

Tbh jia tan really wasn't lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

[–] conditional_soup@lemm.ee 1 points 5 months ago (2 children)

A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

[–] SzethFriendOfNimi@lemmy.world 1 points 5 months ago

It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.

It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.

[–] B0rax@feddit.de 1 points 5 months ago (5 children)

Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

What if this is just one of many backdoors and it’s just the only one we found?

[–] thisisbutaname@discuss.tchncs.de 1 points 5 months ago* (last edited 5 months ago) (1 children)

I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

As for the second part, that's an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we'd have found them out soon like in this case?

[–] Appoxo@lemmy.dbzer0.com 1 points 5 months ago* (last edited 5 months ago) (1 children)

You'd be surprised what I manage with motivation and boredom.
You'd be surprised what a highly skilled ~~scalled~~ person can manage to achieve.

Boredom, Skills and Motivation are dangerous things to have if improperly handled.

[–] neeeeDanke@feddit.de 1 points 5 months ago

highly scalled person

You might be on to something, it might have been the lizzard people!

[–] GissaMittJobb@lemmy.ml 1 points 5 months ago (1 children)

Realistically I think it's probably easier to acquire a botnet of less secure systems. This was a targeted attack.

[–] B0rax@feddit.de 0 points 5 months ago

Easier, yes. But some people will do stuff because it is more challenging.

[–] agent_flounder@lemmy.world 1 points 5 months ago (1 children)

Nobody is both that bored and that motivated. Unless paid.

[–] B0rax@feddit.de 1 points 5 months ago* (last edited 5 months ago)

You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

[–] InputZero@lemmy.ml 1 points 5 months ago

Yeah, well that's just, like, your opinion, man. (You mentioned the word opinion in a post referencing The Big Lebowski. I had to. Thank you for coming to my shit post.)

[–] PapstJL4U@lemmy.world 1 points 5 months ago

The design is Moriarty lvls of complex. State actor might be too specific, but everything but a group of people would be highly unlikely.

[–] Bene7rddso@feddit.de 0 points 5 months ago (1 children)

Assembly wouldn't run on multiple architectures

[–] RedWeasel@lemmy.world 1 points 5 months ago

Neither does the blob it downloaded. Would you think twice about AVX10 support if it was commented as AVX10 support in a compression library? Some might, but would they be the ones reviewing the code? A lot of programs that can take advantage of "handwritten" optimizations, like video decoders/encoders and compression, have assembly pathways so it will take advantage of the hardware when it is available but run when it isn't. If the reviewers are not familiar with assembly enough something could be snuck in.

systemD is using dlopens for libraries now and I am not convinced malware couldn't modify the core executable memory and stay resident even after the dl is unloaded. Difficult, yes, but not impossible.

[–] xantoxis@lemmy.world 0 points 5 months ago (1 children)

Well, I think they should revoke that guy's PGP key

[–] computergeek125@lemmy.world 0 points 5 months ago (1 children)

Isn't the point of PGP/GPG that there's no central database?

[–] Bene7rddso@feddit.de 0 points 5 months ago

Yes, he will always be able to prove that's it's him. But if they revoke the permissions of that key he can't do any more damage

[–] DmMacniel@feddit.de 0 points 5 months ago

Far out