undefined | Better HN

0 points_lvbh2y ago0 comments

One thing to note is that the person that added the commits only started contributing around late 2022 and appears to have a Chinese name. Might be required by law to plant the backdoor.

That would be quite scary considering they have contributed to a wide variety of projects including C++ https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

0 comments

13 comments · 5 top-level

yorwba2y ago· 4 in thread

I don't think you need to worry about the C++ contribution: https://github.com/MicrosoftDocs/cpp-docs/commit/9a96311122a...

acdha2y ago

This does make me wonder how much they made a deliberate effort to build an open source portfolio so they’d look more legitimate when time came to mount an attack. It seems expensive but it’s probably not really much at the scale of an intelligence agency.

kube-system2y ago

What's the salary for a software engineer in urban China? 60-80k/yr USD? Two years of that salary is cheaper than a good single shoulder fired missile. Seems like a pretty cheap attack vector to me. A Javelin is a quarter million per pop and they can only hit one target.

3 more replies

bombcar2y ago

If I were doing it, I'd have a number of these "burner committers" ready to go when needed.

If I were doing it AND amoral, I'd also be willing to find and compromise committers in various ways.

hartator2y ago

Until you figure there are very subtle unicode changes in the URL that don’t diff on GitHub. :)

ComputerGuru2y ago· 2 in thread

No one is being “required by law” to add vulnerabilities, it’s more likely they are foreign agents to begin with.

bombcar2y ago

Depends on the law and where you are. Publicly we have https://www.eff.org/issues/national-security-letters/faq and it's likely that other requests have occurred from time to time, even in the USA.

computerfriend2y ago

> No one is being “required by law” to add vulnerabilities

This is absolutely not the case in many parts of the world.

dotty-2y ago· 1 in thread

The contribution to C++ is just a simple markdown change: https://github.com/MicrosoftDocs/cpp-docs/pull/4716 C++ is fine.

account422y ago

Also it's not a contribution to C++ but only one of Microsoft's projects around C++.

bdd8f1df777b2y ago· 1 in thread

I would think a Chinese state hacker would not assume a Chinese name, just in case he was discovered like now.

account422y ago

But your reaction being a common one would make a Chinese name the best pick for a Chines agent wanting to hide their country affiliation.

8organicbits2y ago

> appears to have a Chinese name

Given the complexity of the attack, I'd assume the name is fake.

j / k navigate · click thread line to collapse

0 comments

13 comments · 5 top-level

yorwba2y ago· 4 in thread

I don't think you need to worry about the C++ contribution: https://github.com/MicrosoftDocs/cpp-docs/commit/9a96311122a...

acdha2y ago

kube-system2y ago

3 more replies

bombcar2y ago

If I were doing it, I'd have a number of these "burner committers" ready to go when needed.

If I were doing it AND amoral, I'd also be willing to find and compromise committers in various ways.

hartator2y ago

Until you figure there are very subtle unicode changes in the URL that don’t diff on GitHub. :)

ComputerGuru2y ago· 2 in thread

No one is being “required by law” to add vulnerabilities, it’s more likely they are foreign agents to begin with.

bombcar2y ago

Depends on the law and where you are. Publicly we have https://www.eff.org/issues/national-security-letters/faq and it's likely that other requests have occurred from time to time, even in the USA.

computerfriend2y ago

> No one is being “required by law” to add vulnerabilities

This is absolutely not the case in many parts of the world.

dotty-2y ago· 1 in thread

The contribution to C++ is just a simple markdown change: https://github.com/MicrosoftDocs/cpp-docs/pull/4716 C++ is fine.

account422y ago

Also it's not a contribution to C++ but only one of Microsoft's projects around C++.

bdd8f1df777b2y ago· 1 in thread

I would think a Chinese state hacker would not assume a Chinese name, just in case he was discovered like now.

account422y ago

But your reaction being a common one would make a Chinese name the best pick for a Chines agent wanting to hide their country affiliation.

8organicbits2y ago

> appears to have a Chinese name

Given the complexity of the attack, I'd assume the name is fake.

j / k navigate · click thread line to collapse