If the guy who did it wants to come forward, that is his decision. [edit: I won't name names.]
He did provide me the full story. He told me with the understanding that the story would go public, so I will dig it up and post it.
I also interviewed the sysadmins who were running the box at the time.
1. it was not an NSA operation, it was done by a hacker.
2. it was discovered by accident, not because of clever due diligence.
Basically, there was a developer who had a flaky connection and one time his commits didn't go through. To detect this in the future he had a script that would download the entire tree from the server and compare it against his local copy to make sure that his changes had been committed.
It was discovered because of the discrepancy between his local working copy and the upstream copy. Which was checked not for security reasons, but because sometimes the two were out of sync. That's all. Just dumb luck.
The sysadmins are still quite bitter about it. I know how it feels when your box is hacked and you really take it personally.
The code wasn't added by hacking the CVS, as far as I remember, but rather through a hacked developer with commit rights.
That's the story as I was told.
I suspect you are being sarcastic, but in case you aren't, you may want to reexamine your assumptions.
The colossal incompetence that is synonymous with government work doesn't magically stop at three-letter agencies. The FBI/CIA communication fuckups before 9/11 are just one famous example.
The idea that the NSA is staffed with "uber hackers" is a Hollywood fantasy. A government job working as a hacker is still a government job. Why would someone with that skillset, who can get a job at FAANG for 10x the salary, submit to the bureaucracy and monitoring BS that comes with working for an intelligence agency? I'm sure there are a select few who find this appealing, but the vast majority are just going to take the money and the free life.
Inversely correlative, the idea that the NSA/CIA/FBI are staffed by incompetent technologists (hackers, devs, etc) is a Hacker News fantasy.
That’s really all you need dude. And yet both private and public sector intelligence jobs are selective. Supply and demand might help you reconcile your other points.
You slightly underestimate the pool of extremely patriotic or nationalistic smart engineers and scientists around.
If your basic thesis was correct no video games would get made either. Most of them could go get that FAANG money for arguably better work life balance. People have more motivations than you realize. And the idea that all the smartest engineers and scientists exclusively work for FAANG is a contrivance only believed on this dumb site. (The equally idiotic corollary is that all the smartest people work in software).
I also think you are underestimating the lifetime earning potential of top intelligence workers. 9 to 5 government jobs don’t have to be forever.
Finally, the sophistication of state level attacks such as in Iran is clear. The evidence exists, and you are wrong.
And you’re missing the point: it isn’t even that this attack wasn’t sophisticated, it was that clearly no one sat down for even a few minutes to discuss how it would be detected. An organization, even a private hacking group, would have discussed this.
I understand that it pays very well and there's decent work/life balance in terms of hours. But you have to essentially work in a windowless cell with no internet. And for lots of people with the curious hacker mentality, it would be a chore to "keep your nose clean" as they say.
I live in the DC area and the stereotype of the bland, khaki, polo, and white sneakers wearing boring person is true.
It's funny when you don't understand who you are replying to.
It's funny when you don't read carefully.
Sounds like OP interviewed the person who uploaded the code, whose system was previously infiltrated (it can still be the NSA). So why say "If the guy who did it wants to come forward, that is his decision. But he did provide me the full story"? It doesn't sound like OP interviewed the "guy who did it"...
What is there to say about the [discovery]? Like everything back then it was probably accomplished by [a simple source code diff]...it is not that interesting 20 years later.
You get the idea. The story you know might be interesting to you because you happen to know the person involved. And it is sort of interesting? But not really as interesting as the _full_ story would be. In particular because your grammar in your original comment kind of implies you knew the actual attacker.
This all seems fairly obvious to me? Is there anything we're missing about the discovery? It's pretty mundane that one of hundreds of devs working on that source code happened to have a vanilla copy, especially in 2003 with a less reliable and slower internet.
That's wrong on many levels. Bold and stupid "hacks" committed by teenagers using SE tend to get a lot of traction, because it is both bold and stupid. This hasn't changed. But "back then" there was much more than that...
He had many nicknames, but the one I knew him by was three characters long.
I lost contact with him sometime around 2004-2005, and I occasionally wonder what happened to him and if he's still alive.
I hope all is well.
Just like the NPR is not financed by the US government, but by NGOs.
https://www.npr.org/about-npr/178660742/public-radio-finance...
edit - removed some snark
This is a common mistake, and I believe most linters have rules for that. And I don't think there is any situation where there is a good reason for code like this to exist. Either the expression is wrong, or it doesn't belong in a "if". You may get stuff like that in legitimate code with macro expansion, but again, it is not the case here, and from my experience, you get a warning anyways.
The only people using linters at that time were doing so because it was forced by regulation (like automotive, aeronautics, ...).
Today, certainly. My compiler even catches errors in the format strings to printf[1].
But back then? I doubt it, even with all the warnings turned up.
[1] Removing yet another common source of bugs.
Edit: JUnit is from 1997. So the name was definitely in use in 2003. I attended a TDD tutorial before 2004 (don't remember the exact year). CI wasn't a thing yet, so you executed your unit tests manually. /edit
Do unit tests exist in the kernel today? There is some (or some would say a lot) of automatic testing for the kernel, but I don't remember seeing a single unit test.
It just seems like there could be a more tamper-resistant mechanism around privilege elevations.
It's my understanding that if the "OS process" runs with its own address space with privileges (as it needs to talk to hardware), once an attacker has code execution, what stops them from mapping the memory they need and then writing to the address to set the uid?
it would be interesting if there were some kind of write protection on the process-privilege data where some effort is made to verify the provenance of updates before they're allowed to go through or maybe even the whole privilege table is centralized and signed.
The Linux Backdoor Attempt of 2003 (2013) - https://news.ycombinator.com/item?id=24106213 - Aug 2020 (141 comments)
The Linux Backdoor Attempt of 2003 - https://news.ycombinator.com/item?id=18173173 - Oct 2018 (28 comments)
The Linux Backdoor Attempt of 2003 - https://news.ycombinator.com/item?id=6520678 - Oct 2013 (63 comments)
Probably most of the deliberate backdoors that are present in Linux have been inserted by well funded state sponsored developers performing useful work. Easy to sneak a vulnerability in that way. (There was a controversial incident a few years ago when some researchers proved as much.)
https://old.reddit.com/r/HobbyDrama/comments/nku6bt/kernel_d...
Let's say the NSA adds a backdoor. If someone else finds it, isn't that an exploit?
I log in. You backdoor. They exploit.
Why do so many programming languages have different equals/assigns operators?
There are languages that combine them and apparently don't have any problems. Is it something to do with being strongly vs. weakly typed?
To prevent accidental or malicious use of the assignment operator in place of the equals operator in a language, you either have to have a real boolean type, and no implicit conversion of other types to boolean, or make assignments not be an expression, or disallow assignment expressions in boolean contexts.
Making both operators the same symbol is not a good solution IMO, because it makes it harder to distinguish which is which in arbitrary contexts. E.g. in `a = b = c`, presumably the first is an assignment and the second a comparison? Or maybe not? It would just be confusing. Not sure which languages you are referring to that do this.
if (0 == do_something(foo)) { ... }
If one accidentally omits one equals-sign, it makes the compiler barf instead of becoming a silent-but-deadly kind of bug (whether intentional or not).
In Go, an assignment is not an expression, so the whole thing becomes illegal. I found this approach a bit offensive at first, but I got used to it rather quickly.
Or just reverse the expression:
0 == current->uid
So that the bug case is an error: 0 = current->uid
I think partly that being explicit is nice. Assignment and equality are two very different things, so it makes sense for there to be different syntax. You can easily prevent the code in the article from working—just disallow assignment inside of expressions. This is probably a good idea, and a lot of newer languages make that choice.
Even when you read papers about programming, you often see different notation for assignment and equality. Assignment may be <- or := or something, and equality will just be =, to match the mathematical notation. I see a lot of <- in manuals for processors & architectures. I would hate to see something like this in my code base:
a = x = y;
If that meant “set ‘a’ to true if ‘x’ is equal to ‘y’, and false otherwise.” I would, honestly, be a little pissed off.
I would only accept something like that if it meant (a==x)&&(x==y).
> a = x = y;
> If that meant “set ‘a’ to true if ‘x’ is equal to ‘y’, and false otherwise.” I would, honestly, be a little pissed off.
Would you find it more acceptable as `a = (x = y)`? To me, that is reasonably clear.
No, I don’t consider that acceptable. It is not enough that it is clear to some people who know what they are looking at. The language should be more clear to more people.
In the former you could combine them. In the latter you can't (you need to be able to tell if "if (a = b) ..." contains a comparison or assignment).
(EDIT: I agree with the sibling reply from klodolph there - there are many cases where reusing the same operator would get really confusing, and so I'd prefer the operators to be distinct even if the language does not allow them in the same context)
1) Do you allow assignment as an expression?
2) Do you use the same operator?
If you answer "yes" to #1, you must answer no to #2, but if you answer no to #1 you can choose whether or not you use the same operator. Consider these examples (assuming that if they're different, we use =/==, but of course any other set of operators could be substituted):
# A) if 'yes' to 1 this would be a "double assignment", setting both a and b to c.
a = b = c
# B) if 'no' to 1, and 'yes' to 2, this would be an assignment of the comparison of b and c to a:
a = b = c
# C) if 'no' to 1 and 'no' to 2, this would be an assignment of the comparison of b and c to a:
a = b == c
# D) if 'no' to 1 and 'no' to 2, this would most likely be a syntax error:
a = b = c
With respect to confusion, I'd argue that B) creates a lot of potential for confusion. You'd want "a = b = c" to either be "double assignment" (A) or a syntax error (D). If your language does not allow assignments as expressions, I'd go for C/D exactly for the reason you give, as the main reason not to allow assignments as expressions tends to be exactly to avoid the mistake you mention (it's trivial to support in a compiler/interpreter, so it's a question of whether you believe it's more helpful or more damaging)
Assignment is one of the most frequent operations in typical programming languages, so it makes sense for it to be a single-character symbol, and ‘=’ is about the only fitting ASCII symbol for that. (With non-ASCII, there would be ‘≔’ or ‘←’ (the latter being used by APL), but those are non-obvious to type.)
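The pattern this subthread is circling, an `=` where `==` was meant inside a condition (the `current->uid = 0` versus `0 == current->uid` comparison above, and the "assignment as expression" question in the list just before this), as an added C example that is not part of the original comments and is not kernel code: a userspace stand-in with a hypothetical `struct task`, made-up option flags, and three versions of the same check, so the side effect of the backdoored form can be observed directly.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for a task's credentials (not the kernel's struct). */
struct task {
    unsigned int uid;   /* 0 means root */
};

/* Hypothetical option flags; the values are made up for this example. */
#define OPT_A 0x40000000u
#define OPT_B 0x80000000u
#define MAGIC_OPTIONS (OPT_A | OPT_B)

/*
 * Backdoored form: the second operand is an ASSIGNMENT, not a comparison.
 * `t->uid = 0` evaluates to 0, so the branch is never taken and the function
 * reads like a harmless option check. The side effect is the point: any
 * caller passing MAGIC_OPTIONS leaves with uid 0.
 */
int backdoored_check(struct task *t, unsigned int options)
{
    if ((options == MAGIC_OPTIONS) && (t->uid = 0))
        return -EINVAL;     /* never reached */
    return 0;
}

/* Intended form: a comparison with no side effect. */
int fixed_check(struct task *t, unsigned int options)
{
    if ((options == MAGIC_OPTIONS) && (t->uid == 0))
        return -EINVAL;
    return 0;
}

/*
 * Reversed ("Yoda") form: dropping one '=' here gives `0 = t->uid`, which is
 * not assignable, so the typo (or the backdoor) fails to compile.
 */
int yoda_check(struct task *t, unsigned int options)
{
    if ((options == MAGIC_OPTIONS) && (0 == t->uid))
        return -EINVAL;
    return 0;
}

/* Runs a check against a fresh task with the given uid; returns the uid afterwards. */
unsigned int uid_after(int (*check)(struct task *, unsigned int),
                       unsigned int uid, unsigned int options)
{
    struct task t = { .uid = uid };
    (void)check(&t, options);
    return t.uid;
}

/* Runs a check against a fresh task with the given uid; returns the check's result. */
int result_for(int (*check)(struct task *, unsigned int),
               unsigned int uid, unsigned int options)
{
    struct task t = { .uid = uid };
    return check(&t, options);
}

int main(void)
{
    printf("backdoored, unprivileged caller, magic options: uid -> %u\n",
           uid_after(backdoored_check, 1000, MAGIC_OPTIONS));
    printf("fixed,      unprivileged caller, magic options: uid -> %u\n",
           uid_after(fixed_check, 1000, MAGIC_OPTIONS));
    printf("backdoored, unprivileged caller, other options: uid -> %u\n",
           uid_after(backdoored_check, 1000, 0));
    printf("fixed,      root caller, magic options: result %d\n",
           result_for(fixed_check, 0, MAGIC_OPTIONS));
    return 0;
}
```

Note the extra parentheses around `(t->uid = 0)`: gcc's `-Wall` (via `-Wparentheses`) warns about `if (x = 0)`, but a parenthesized assignment is the accepted way of saying "yes, I meant that", so the backdoored form compiles cleanly with warnings on. A reviewer cannot lean on the compiler here; the reversed form makes the slip a hard error, and a language rule that assignment is not an expression removes the possibility entirely.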
You could use Teamviewer or the like.
Self host a MeshCentral or RustDesk (MC for me!)
Just make sure you set the key for those clients to not expire.