• Linux backdoor

    From Alba Haquitas@alba@nospam.mail to alt.os.linux.debian on Fri Apr 5 09:11:03 2024
    From Newsgroup: alt.os.linux.debian

    Found this in YouTube, although I don't know the technical details,
    https://www.youtube.com/watch?v=OHAyf0qwdCs
    Why is nobody commenting on this?


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Marco Moock@mm+usenet@dorfdsl.de to alt.os.linux.debian on Fri Apr 5 11:30:36 2024
    From Newsgroup: alt.os.linux.debian

    On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:

    > Found this in YouTube, although I don't know the technical details,
    > https://www.youtube.com/watch?v=OHAyf0qwdCs
    > Why is nobody commenting on this?

    Can you give a short report about the content of the video for other
    readers, please?

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Alba Haquitas@alba@nospam.mail to alt.os.linux.debian on Fri Apr 5 09:52:10 2024
    From Newsgroup: alt.os.linux.debian

    Marco Moock <mm+usenet@dorfdsl.de> wrote:
    > On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >
    >> Found this in YouTube, although I don't know the technical details,
    >> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >> Why is nobody commenting on this?
    >
    > Can you give a short report about the content of the video for other
    > readers, please?

    I am not a programmer but an ordinary Linux user, but a trapdoor
    seems to me a root access to the operating system from a remote
    location. Here is another YouTube video,

    https://www.youtube.com/watch?v=OHAyf0qwdCs

    Sorry to be of not much help.


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Joerg Walther@joerg.walther@magenta.de to alt.os.linux.debian on Fri Apr 5 12:26:06 2024
    From Newsgroup: alt.os.linux.debian

    Marco Moock wrote:

    >> Found this in YouTube, although I don't know the technical details,
    >> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >> Why is nobody commenting on this?
    >
    > Can you give a short report about the content of the video for other
    > readers, please?

    It's just the problem with xz as we were discussing in the German groups
    last week.

    -jw-
    --
    And now for something completely different...
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Kyonshi@gmkeros@gmail.com to alt.os.linux.debian on Fri Apr 5 12:21:41 2024
    From Newsgroup: alt.os.linux.debian

    On 4/5/2024 11:52 AM, Alba Haquitas wrote:
    > Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>
    >>> Found this in YouTube, although I don't know the technical details,
    >>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>> Why is nobody commenting on this?
    >>
    >> Can you give a short report about the content of the video for other
    >> readers, please?
    >
    > I am not a programmer but an ordinary Linux user, but a trapdoor
    > seems to me a root access to the operating system from a remote
    > location. Here is another YouTube video,
    >
    > https://www.youtube.com/watch?v=OHAyf0qwdCs
    >
    > Sorry to be of not much help.



    There are lengthy discussions about it on comp.os.linux.misc and
    alt.os.linux already.
    As far as I know the backdoor was introduced to cutting edge systems,
    which means sid was affected, but stable branches were not.

    The main issue of course was that a widely used tool was maintained by a single developer who was doing it for free and jumped at any help he
    could get (which turned out to be a malicious actor).


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Marco Moock@mm+usenet@dorfdsl.de to alt.os.linux.debian on Fri Apr 5 12:34:37 2024
    From Newsgroup: alt.os.linux.debian

    On 05.04.2024, Joerg Walther <joerg.walther@magenta.de> wrote:

    > It's just the problem with xz as we were discussing in the German
    > groups last week.

    That has also been discussed in comp.os.linux.misc.

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From bad💽sector@forgetski@_INVALID.net to alt.os.linux.debian on Fri Apr 5 08:32:42 2024
    From Newsgroup: alt.os.linux.debian

    On 4/5/24 05:52, Alba Haquitas wrote:
    > Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>
    >>> Found this in YouTube, although I don't know the technical details,
    >>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>> Why is nobody commenting on this?
    >>
    >> Can you give a short report about the content of the video for other
    >> readers, please?
    >
    > I am not a programmer but an ordinary Linux user, but a trapdoor
    > seems to me a root access to the operating system from a remote
    > location. Here is another YouTube video,
    >
    > https://www.youtube.com/watch?v=OHAyf0qwdCs
    >
    > Sorry to be of not much help.


    Except for academic anti-bug-squads or envelope-pushers (not to confuse
    with bureaucratic half-lives) no rational person with a practical
    objective would waste time on such enterprise. IF s/he were some
    ill-will driven protagonist then s/he was by definition also very
    stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    that thousands of benevolent volunteer eyes continuously toil with the
    open source code, am I the only one to think that this or similar stunts
    would seldom survive for long?


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From John Hasler@john@sugarbit.com to alt.os.linux.debian on Fri Apr 5 09:00:44 2024
    From Newsgroup: alt.os.linux.debian

    Kyonshi writes:
    > As far as I know the backdoor was introduced to cutting edge systems,
    > which means sid was affected, but stable branches were not.

    Correct, and it has already been fixed.
    --
    John Hasler
    john@sugarbit.com
    Dancing Horse Hill
    Elmwood, WI USA
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Cecil Westerhof@Cecil@decebal.nl to alt.os.linux.debian on Fri Apr 5 17:10:01 2024
    From Newsgroup: alt.os.linux.debian

    bad💽sector <forgetski@_INVALID.net> writes:

    > On 4/5/24 05:52, Alba Haquitas wrote:
    >> Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >>> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>>
    >>>> Found this in YouTube, although I don't know the technical details,
    >>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>> Why is nobody commenting on this?
    >>>
    >>> Can you give a short report about the content of the video for other
    >>> readers, please?
    >>
    >> I am not a programmer but an ordinary Linux user, but a trapdoor
    >> seems to me a root access to the operating system from a remote
    >> location. Here is another YouTube video,
    >> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >> Sorry to be of not much help.
    >
    > Except for academic anti-bug-squads or envelope-pushers (not to confuse
    > with bureaucratic half-lives) no rational person with a practical
    > objective would waste time on such enterprise. IF s/he were some
    > ill-will driven protagonist then s/he was by definition also very
    > stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    > that thousands of benevolent volunteer eyes continuously toil with the
    > open source code, am I the only one to think that this or similar stunts
    > would seldom survive for long?

    Maybe not the only one, but certainly one of the few. There are enough
    examples of problems that survived for more than a decade. That code CAN
    be checked does not mean it WILL be checked. There is quite a lot of
    code and it is hard to check all code. And sometimes it is also hard
    to see the bug.
    Even bugs that are not malicious, but are introduced by a wrong
    understanding, can survive for a long time. For example removing from
    a random bit part in SSH key generation because there was a warning of
    an undefined value by the compiler slipped through a lot of eyes. And
    with generating random keys you need randomness and not
    predictability.
    --
    Cecil Westerhof
    Senior Software Engineer
    LinkedIn: http://www.linkedin.com/in/cecilwesterhof
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From bad💽sector@forgetski@_INVALID.net to alt.os.linux.debian on Sat Apr 6 23:10:02 2024
    From Newsgroup: alt.os.linux.debian

    On 4/5/24 11:10, Cecil Westerhof wrote:
    > bad💽sector <forgetski@_INVALID.net> writes:
    >
    >> On 4/5/24 05:52, Alba Haquitas wrote:
    >>> Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >>>> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>>>
    >>>>> Found this in YouTube, although I don't know the technical details,
    >>>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>>> Why is nobody commenting on this?
    >>>>
    >>>> Can you give a short report about the content of the video for other
    >>>> readers, please?
    >>>
    >>> I am not a programmer but an ordinary Linux user, but a trapdoor
    >>> seems to me a root access to the operating system from a remote
    >>> location. Here is another YouTube video,
    >>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>> Sorry to be of not much help.
    >>
    >> Except for academic anti-bug-squads or envelope-pushers (not to confuse
    >> with bureaucratic half-lives) no rational person with a practical
    >> objective would waste time on such enterprise. IF s/he were some
    >> ill-will driven protagonist then s/he was by definition also very
    >> stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    >> that thousands of benevolent volunteer eyes continuously toil with the
    >> open source code, am I the only one to think that this or similar stunts
    >> would seldom survive for long?
    >
    > Maybe not the only one, but certainly one of the few. There are enough
    > examples of problems that survived for more than a decade. That code CAN
    > be checked does not mean it WILL be checked. There is quite a lot of
    > code and it is hard to check all code. And sometimes it is also hard
    > to see the bug.
    > Even bugs that are not malicious, but are introduced by a wrong
    > understanding, can survive for a long time. For example removing from
    > a random bit part in SSH key generation because there was a warning of
    > an undefined value by the compiler slipped through a lot of eyes. And
    > with generating random keys you need randomness and not
    > predictability.

    I hear you but would you invest energy and time in something that runs
    the risk of discovery either two years down the road or the next day? I
    would not. I'm just saying, with all due respect, given that it's not my
    field at all. Academic bravado I can buy, the price goes down with
    distance from that marker.

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From not@not@telling.you.invalid (Computer Nerd Kev) to alt.os.linux.debian on Mon Apr 8 08:27:40 2024
    From Newsgroup: alt.os.linux.debian

    bad?sector <forgetski@_invalid.net> wrote:
    > On 4/5/24 11:10, Cecil Westerhof wrote:
    >> bad?sector <forgetski@_INVALID.net> writes:
    >>> Except for academic anti-bug-squads or envelope-pushers (not to confuse
    >>> with bureaucratic half-lives) no rational person with a practical
    >>> objective would waste time on such enterprise. IF s/he were some
    >>> ill-will driven protagonist then s/he was by definition also very
    >>> stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    >>> that thousands of benevolent volunteer eyes continuously toil with the
    >>> open source code, am I the only one to think that this or similar stunts
    >>> would seldom survive for long?
    >>
    >> Maybe not the only one, but certainly one of the few. There are enough
    >> examples of problems that survived for more than a decade. That code CAN
    >> be checked does not mean it WILL be checked. There is quite a lot of
    >> code and it is hard to check all code. And sometimes it is also hard
    >> to see the bug.
    >> Even bugs that are not malicious, but are introduced by a wrong
    >> understanding, can survive for a long time. For example removing from
    >> a random bit part in SSH key generation because there was a warning of
    >> an undefined value by the compiler slipped through a lot of eyes. And
    >> with generating random keys you need randomness and not
    >> predictability.
    >
    > I hear you but would you invest energy and time in something that runs
    > the risk of discovery either two years down the road or the next day?

    Are you arguing here that the backdoor never actually existed
    (which it clearly did)? Otherwise clearly someone did take that
    risk and given it got into public distro releases (only testing
    releases, but many do use those), it potentially did allow them
    to hack into real-world systems. So it may have paid off to some
    extent before it was discovered, and that discovery was by accident
    as well because the backdoor happened to cause performance issues
    that an unrelated developer started debugging.

    I doubt the backdoor's discovery was a personal risk to its creator
    either - they probably got paid just as much for their time and
    energy as if the backdoor _had_ remained undiscovered for two
    years.
    --
    __ __
    #_ < |\| |< _#
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From William Unruh@unruh@invalid.ca to alt.os.linux.debian on Sun Apr 7 22:42:26 2024
    From Newsgroup: alt.os.linux.debian

    On 2024-04-07, bad💽sector <forgetski@_INVALID.net> wrote:
    > On 4/5/24 11:10, Cecil Westerhof wrote:
    >> bad💽sector <forgetski@_INVALID.net> writes:
    >>
    >>> On 4/5/24 05:52, Alba Haquitas wrote:
    >>>> Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >>>>> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>>>>
    >>>>>> Found this in YouTube, although I don't know the technical details,
    >>>>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>>>> Why is nobody commenting on this?
    >>>>>
    >>>>> Can you give a short report about the content of the video for other
    >>>>> readers, please?
    >>>>
    >>>> I am not a programmer but an ordinary Linux user, but a trapdoor
    >>>> seems to me a root access to the operating system from a remote
    >>>> location. Here is another YouTube video,
    >>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>> Sorry to be of not much help.
    >>>
    >>> Except for academic anti-bug-squads or envelope-pushers (not to confuse
    >>> with bureaucratic half-lives) no rational person with a practical
    >>> objective would waste time on such enterprise. IF s/he were some
    >>> ill-will driven protagonist then s/he was by definition also very
    >>> stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    >>> that thousands of benevolent volunteer eyes continuously toil with the
    >>> open source code, am I the only one to think that this or similar stunts
    >>> would seldom survive for long?
    >>
    >> Maybe not the only one, but certainly one of the few. There are enough
    >> examples of problems that survived for more than a decade. That code CAN
    >> be checked does not mean it WILL be checked. There is quite a lot of
    >> code and it is hard to check all code. And sometimes it is also hard
    >> to see the bug.
    >> Even bugs that are not malicious, but are introduced by a wrong
    >> understanding, can survive for a long time. For example removing from
    >> a random bit part in SSH key generation because there was a warning of
    >> an undefined value by the compiler slipped through a lot of eyes. And
    >> with generating random keys you need randomness and not
    >> predictability.
    >
    > I hear you but would you invest energy and time in something that runs
    > the risk of discovery either two years down the road or the next day? I
    > would not. I'm just saying, with all due respect, given that it's not my
    > field at all. Academic bravado I can buy, the price goes down with
    > distance from that marker.

    In that case you had better go up and be a hermit. Anything you use
    could be bugged, from your toaster to your favorite computer program.
    And anything you do could be flawed. And IF this was an attempt by a
    state actor to put a backdoor into one of the most used pieces of
    software, the risk of discovery was more than offset by the benefit if
    it worked even for a while.
    If you were given a chance at a billion dollars with a say 90 % chance
    of getting nothing would you go for it? I would say that chance of the
    discovery of the malware were smaller than 10%, and the prize was
    larger than a billion.

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Richard Kettlewell@invalid@invalid.invalid to alt.os.linux.debian on Sun Apr 7 23:55:09 2024
    From Newsgroup: alt.os.linux.debian

    not@telling.you.invalid (Computer Nerd Kev) writes:
    > bad?sector <forgetski@_invalid.net> wrote:
    >> On 4/5/24 11:10, Cecil Westerhof wrote:
    >>> Maybe not the only one, but certainly one of the few. There are enough
    >>> examples of problems that survived for more than a decade. That code CAN
    >>> be checked does not mean it WILL be checked. There is quite a lot of
    >>> code and it is hard to check all code. And sometimes it is also hard
    >>> to see the bug.
    >>> Even bugs that are not malicious, but are introduced by a wrong
    >>> understanding, can survive for a long time. For example removing from
    >>> a random bit part in SSH key generation because there was a warning of
    >>> an undefined value by the compiler

    As a side-note, the diagnostic was from valgrind, not a compiler.

    >>> slipped through a lot of eyes. And with generating random keys you
    >>> need randomness and not predictability.
    >>
    >> I hear you but would you invest energy and time in something that runs
    >> the risk of discovery either two years down the road or the next day?

    It’s easy to find a number of vulnerabilities in the Linux ecosystem
    that took more than a decade to be discovered, for example:
    * CVE-2021-4034 (privilege escalation to root in polkit)
    * CVE-2024-28085 (cross-user privilege escalation in wall)
    * CVE-2021-22555 (privilege escalation to in linux kernel)
    * CVE-2021-3156 (privilege escalation to root in sudo)
    * CVE-2021-27365 (privilege escalation to in linux kernel)

    ...and these were (as far as anyone knows) accidental, i.e. no effort to
    conceal them.

    > Are you arguing here that the backdoor never actually existed
    > (which it clearly did)? Otherwise clearly someone did take that
    > risk and given it got into public distro releases (only testing
    > releases, but many do use those), it potentially did allow them
    > to hack into real-world systems. So it may have paid off to some
    > extent before it was discovered, and that discovery was by accident
    > as well because the backdoor happened to cause performance issues
    > that an unrelated developer started debugging.

    Also, we have no idea how many deliberately introduced vulnerabilities
    remain successfully concealed.

    The xz attack is a good example of the “many eyes” theory being rather
    optimistic. The scrutiny that sshd receives was totally irrelevant
    because the attacker instead targeted an under-resourced indirect
    dependency.
    --
    https://www.greenend.org.uk/rjk/
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Aelius Gallus@alexias@nospam.mail to alt.os.linux.debian on Mon Apr 8 10:32:00 2024
    From Newsgroup: alt.os.linux.debian

    Marco Moock <mm+usenet@dorfdsl.de> wrote:
    > On 05.04.2024, Joerg Walther <joerg.walther@magenta.de> wrote:
    >
    >> It's just the problem with xz as we were discussing in the German
    >> groups last week.
    >
    > That has also been discussed in comp.os.linux.misc.

    I am using Debian-12.1.0-amd64, Linux 6.1.0-18-amd64. How badly does the
    subject of discussion here affect the Debian version I am using?
    Thank you for any comment.


    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Kyonshi@gmkeros@gmail.com to alt.os.linux.debian on Mon Apr 8 14:47:08 2024
    From Newsgroup: alt.os.linux.debian

    On 4/8/2024 12:32 PM, Aelius Gallus wrote:
    > Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >> On 05.04.2024, Joerg Walther <joerg.walther@magenta.de> wrote:
    >>
    >>> It's just the problem with xz as we were discussing in the German
    >>> groups last week.
    >>
    >> That has also been discussed in comp.os.linux.misc.
    >
    > I am using Debian-12.1.0-amd64, Linux 6.1.0-18-amd64. How badly does the
    > subject of discussion here affect the Debian version I am using?
    > Thank you for any comment.

    It is my understanding that Debian 12.1 was not affected. Only Debian
    Unstable should have been affected.
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From anton@anton@mips.complang.tuwien.ac.at (Anton Ertl) to alt.os.linux.debian on Mon Apr 8 16:54:52 2024
    From Newsgroup: alt.os.linux.debian

    Kyonshi <gmkeros@gmail.com> writes:
    > It is my understanding that Debian 12.1 was not affected. Only Debian
    > Unstable should have been affected.

    Debian Testing was also affected. But Debian 12.x (i.e., currently
    stable) and earlier was not.

    - anton
    --
    M. Anton Ertl  Some things have to be seen to be believed
    anton@mips.complang.tuwien.ac.at Most things have to be believed to be seen
    http://www.complang.tuwien.ac.at/anton/home.html
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From bad💽sector@forgetski@_INVALID.net to alt.os.linux.debian on Mon Apr 8 16:01:40 2024
    From Newsgroup: alt.os.linux.debian

    On 4/7/24 18:42, William Unruh wrote:
    > On 2024-04-07, bad💽sector <forgetski@_INVALID.net> wrote:
    >> On 4/5/24 11:10, Cecil Westerhof wrote:
    >>> bad💽sector <forgetski@_INVALID.net> writes:
    >>>
    >>>> On 4/5/24 05:52, Alba Haquitas wrote:
    >>>>> Marco Moock <mm+usenet@dorfdsl.de> wrote:
    >>>>>> On 05.04.2024, Alba Haquitas <alba@nospam.mail> wrote:
    >>>>>>
    >>>>>>> Found this in YouTube, although I don't know the technical details,
    >>>>>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>>>>> Why is nobody commenting on this?
    >>>>>>
    >>>>>> Can you give a short report about the content of the video for other
    >>>>>> readers, please?
    >>>>>
    >>>>> I am not a programmer but an ordinary Linux user, but a trapdoor
    >>>>> seems to me a root access to the operating system from a remote
    >>>>> location. Here is another YouTube video,
    >>>>> https://www.youtube.com/watch?v=OHAyf0qwdCs
    >>>>> Sorry to be of not much help.
    >>>>
    >>>> Except for academic anti-bug-squads or envelope-pushers (not to confuse
    >>>> with bureaucratic half-lives) no rational person with a practical
    >>>> objective would waste time on such enterprise. IF s/he were some
    >>>> ill-will driven protagonist then s/he was by definition also very
    >>>> stupid. One of the confidence building pillars of OPEN-SOURCE Linux is
    >>>> that thousands of benevolent volunteer eyes continuously toil with the
    >>>> open source code, am I the only one to think that this or similar stunts
    >>>> would seldom survive for long?
    >>>
    >>> Maybe not the only one, but certainly one of the few. There are enough
    >>> examples of problems that survived for more than a decade. That code CAN
    >>> be checked does not mean it WILL be checked. There is quite a lot of
    >>> code and it is hard to check all code. And sometimes it is also hard
    >>> to see the bug.
    >>> Even bugs that are not malicious, but are introduced by a wrong
    >>> understanding, can survive for a long time. For example removing from
    >>> a random bit part in SSH key generation because there was a warning of
    >>> an undefined value by the compiler slipped through a lot of eyes. And
    >>> with generating random keys you need randomness and not
    >>> predictability.
    >>
    >> I hear you but would you invest energy and time in something that runs
    >> the risk of discovery either two years down the road or the next day? I
    >> would not. I'm just saying, with all due respect, given that it's not my
    >> field at all. Academic bravado I can buy, the price goes down with
    >> distance from that marker.
    >
    > In that case you had better go up and be a hermit. Anything you use
    > could be bugged, from your toaster to your favorite computer program.
    > And anything you do could be flawed.

    Could? I *know* that everything *is* bugged and that I'm providing an
    unwilling streaming colonoscopy to the snooping scum of the earth and
    that there's very little that I can do about it. It's why my phone is
    OFF most of the time except when I want to make a call and collect a few
    textos, never even bothering with voicemail.


    > And IF this was an attempt by a
    > state actor to put a backdoor into one of the most used pieces of
    > software, the risk of discovery was more than offset by the benefit if
    > it worked even for a while.
    > If you were given a chance at a billion dollars with a say 90 % chance
    > of getting nothing would you go for it? I would say that chance of the
    > discovery of the malware were smaller than 10%, and the prize was
    > larger than a billion.

    It isn't the state that worries me, it's the faecesbooks and googlegoons
    that sell me to every form of half-life on the planet.




    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Aelius Gallus@alexias@nospam.mail to alt.os.linux.debian on Tue Apr 9 01:47:13 2024
    From Newsgroup: alt.os.linux.debian

    Anton Ertl <anton@mips.complang.tuwien.ac.at> wrote:
    > Kyonshi <gmkeros@gmail.com> writes:
    >> It is my understanding that Debian 12.1 was not affected. Only Debian
    >> Unstable should have been affected.
    >
    > Debian Testing was also affected. But Debian 12.x (i.e., currently
    > stable) and earlier was not.
    >
    > - anton

    Thank you for your comments. I feel a bit more reassured.

    --- Synchronet 3.21d-Linux NewsLink 1.2