Follower of Christ Tech lover, IT Admin, heckin pupper lover and occasionally troll. I hold back feelings or opinions, right or wrong because I dislike conflict.
Nasty exploit in xz/liblzma - developer of two years snuck an exploit into *upstream* allowing passwordless sshd compromises.
HN: https://news.ycombinator.com/item?id=39865810
!codecels
Patch your shit if you're running Debian sid.
It seems that archlinux did ship it but the exploit doesn't work as they hadn't patched sshd against systemd and therefore liblzma. They have already pushed a fix regardless and I'm sure a lot of people will be combing through the code.
O REALLY???? R U SAYING PGP BAD??
This just in, supply chain attacks affect the supply chain
NOOOO MY SIG
CapySec is the only security i trust to keep my cyberbussy safe and snug
lol that's a good bit.
from ur sig I would trust your loads
I got tested three years ago and haven't had s*x since
No pozzed loads here
Yeah it goes that deep. Guy was clearly trusted by the maintainers
Is steam deck okay?
I hope not
!codecels he chose violence
No it's running an older version.
However this guy was involved with the project for two years so it wouldn't surprise me if people discover new vulnerabilities.
That's a good question actually
Let me check
hey dramabros can you help me understand?
like the chink got a "back door" what IS that actually? Like what can he do now? is he now just gonna ddos himself when his door starts calling?
If the circumstances are right (Debian-based system with patched sshd that links against systemd and liblzma) then the attacker can login to your system with no password.
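The reply above states the exposure condition: an sshd that a distro patched to link libsystemd, which pulls liblzma into the sshd process. As an added example (not code from the thread, nor from the xz or OpenSSH projects), the script below classifies the text of `ldd` run on an sshd binary against that pattern; the sample `ldd` lines are constructed and the `/usr/sbin/sshd` default path is an assumption.

```shell
# Added example: classify `ldd` output of an sshd binary against the
# exposure pattern from the thread (sshd -> libsystemd -> liblzma).
# Sample ldd outputs below are constructed, not captured from real hosts.

classify_sshd_ldd() {
    # $1: full text of `ldd /path/to/sshd`
    has_systemd=0
    has_lzma=0
    while IFS= read -r line; do
        case "$line" in
            *libsystemd.so*) has_systemd=1 ;;
            *liblzma.so*)    has_lzma=1 ;;
        esac
    done <<EOF
$1
EOF
    if [ "$has_systemd" -eq 1 ] && [ "$has_lzma" -eq 1 ]; then
        echo exposed          # the precondition the thread describes is met
    elif [ "$has_lzma" -eq 1 ]; then
        echo lzma-other-path  # liblzma is loaded, but not through libsystemd
    else
        echo not-linked       # liblzma is not in the sshd process at all
    fi
}

# Run against the live system; the default path is an assumption.
check_live_sshd() {
    bin="${1:-/usr/sbin/sshd}"
    [ -x "$bin" ] || { echo "no sshd at $bin"; return 0; }
    classify_sshd_ldd "$(ldd "$bin" 2>/dev/null)"
}

# Constructed sample: distro-patched sshd linking libsystemd (thread's Debian case).
PATCHED_SSHD_LDD='	linux-vdso.so.1 (0x00007ffd0)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1a0)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1a1)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a2)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a3)'

# Constructed sample: sshd without the systemd patch (thread's Arch remark).
UNPATCHED_SSHD_LDD='	linux-vdso.so.1 (0x00007ffd0)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f1a2)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f1a3)'

classify_sshd_ldd "$PATCHED_SSHD_LDD"     # exposed
classify_sshd_ldd "$UNPATCHED_SSHD_LDD"   # not-linked
```

A result of `exposed` only means the linkage precondition is met; whether the installed liblzma is one of the affected builds still has to be checked against your distro's advisory.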
yea but he has like 1 million computers right? So how would he know who I am? and does it like send my info to his server
I don't believe it phoned home but I'm not positive. I think this was a much longer play.
Considering he was at the project for two years and is Chinese, this could have been an attempt to build up an exploit for Chinese nationals to try in the future.
If it would have made it to Debian stable it would have been catastrophic.
this is very interesting. But how so? Like what does this do? How would he control it
He'd (China) be able to log into any exposed Debian server running this version with no password.
And there's A LOT of Debian servers.
I'm surprised this doesn't happen more often tbh. You could make a lot of money out of posing as a legitimate developer for a while and then sneaking an exploit into a popular distribution.
I guess people with talent would rather not be a target of the FBI?
idk it's just in some people's personalities, there are lots of talented programmers doing shitty criminal stuff out there
It is certainly quite funny that c nerds constantly pearl clutch about supply chain attacks for javascript/rust and python and then one of the few "successful" cases happens to be in c.
because all important software is written in c. no real surprise
C should be renamed to L
None of this shit changes until these people start going to prison for things like this
I think he's on a return flight to Beijing at this point. This had to be a state op.
Ok fine, I'll go to China and assassinate him myself then
None of this shit changes
Yeah pretty bad lol, very high chance this would have made it in many distros.
Shit bros is this what the checksum is when I download stuff online ???
Kinda doubt a checksum would have helped here.
Checksums are kinda r-slurred, their only use is if you want to download some big archive from an untrusted mirror, and verify it with a checksum from a trusted source. But if you download the checksum and archive from the same host, they are completely pointless.
I thought they offered them along with downloads so you could make sure the download wasn't corrupted, which also seemed r-slurred because I can just double click and find out
liblizma balls lmao
YTA for installing open sores software
any butthole can make changes to that shit
Now that you mention it I don't think I've run into any anti-open source people in years. You used to hear stuff like that but now it's not even questioned.
Snapshots: https://www.openwall.com/lists/oss-security/2024/03/29/4