this post was submitted on 07 Apr 2024
575 points (97.8% liked)

Programmer Humor

19512 readers
314 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 
top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 123 points 7 months ago* (last edited 7 months ago) (2 children)

I think a lot of memes are missing the main point of how it was caught, the exploit caused a spike in CPU usage for a network call. That made no sense to the ~~guy~~ Messiah who found/reported it. FOSS software's strength is the number of critical eyes looking over each line of code you put out!

[–] [email protected] 36 points 7 months ago

Right but the joke is that most developers aren't of that quality, and are now going to put leredditor super sleuth eyes on every application they build

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (1 children)

What was the full story again? I'm googling but I can't find it.

[–] [email protected] 20 points 7 months ago* (last edited 7 months ago) (1 children)

In a nutshell, a backdoor was intentionally planted by a malicious actor in xz Utils, an open-source data compression utility widely used in Linux and other Unix-like operating systems. This discovery was made by Andres Freund, a developer and engineer working on Microsoft’s PostgreSQL offerings. He was troubleshooting performance problems on a Debian system. Specifically, SSH logins were consuming excessive CPU cycles and generating errors with Valgrind, a memory debugging tool. Through sheer luck and Freund’s careful eye, he eventually discovered that these issues were the result of updates made to xz Utils. Upon closer inspection, he found that updates to xz Utils were the result of a maliciously inserted backdoor. The backdoor, present in xz Utils versions 5.6.0 and 5.6.1, manipulated the sshd executable, allowing anyone with a predetermined encryption key to upload and execute arbitrary code on affected devices.

[–] [email protected] 7 points 7 months ago (1 children)

I expected a link to a source, but this is even better (matches with the little I remember)

Thanks!

[–] [email protected] 45 points 7 months ago* (last edited 7 months ago)

My Firefox package updates are usually slow, limiting downloads to <500kb. So, whenever the download speed used to drop, I knew Firefox released an update.

So when the XZ articles started popping up, the first thing I did was verify all sources.

https://programming.dev/post/12370824

[–] [email protected] 20 points 7 months ago

It would be more of a fair trade if bad actors at least needed to make sure their code was way better than most

[–] [email protected] 17 points 7 months ago

Me, after the latest iOS update slows my aging iPad by another 20%: 🤷‍♂️

[–] [email protected] 3 points 7 months ago