undefined | Better HN

0 pointsbreadwinner1y ago0 comments

It was caught by a person on MS payroll, that's true, but it didn't get caught by any security processes institutionalized by Microsoft. So the credit goes to Andres Freund, who was working off-the-clock (according to The Verge) not to Microsoft.

0 comments

anarazel1y ago

I don't know if off the clock accurate. My job is to work on postgres, I was helping out with the development of a feature (avoid a perf regression in a degenerate case, in a patch improving much more common cases). OTOH, I think it was late at night at that point. What's on/off the clock for an OSS dev...

breadwinnerOP1y ago

Would it be fair to say that the perpetrators could have covered their tracks better? Could they for example, have fixed the valgrind errors? And if so, would this backdoor have remained hidden for much longer?

What was the moment like, when you realized you have stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

anarazel1y ago

> Would it be fair to say that the perpetrators could have covered their tracks better? Could they for example, have fixed the valgrind errors? And if so, would this backdoor have remained hidden for much longer?

Yes. Mostly they should have reduced the cost of starting up sshd with the backdoor. A lot of that seems to be due to all the symbol lookups they needed to do, while staying obfuscated. It feels like they started with a reasonable set of features and then just piled on more and more, leading to the noticeable cpu usage.

I think the valgrind warnings were only triggered when using -fno-omit-frame-pointers. Which, at the time they wrote this stuff, wasn't the default anywhere. They got unlucky in that Fedora changed to default to that and that I happened to have that set in my valgrind tests.

> What was the moment like, when you realized you have stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

It was many hours of slowly figuring that out, room for different emotions. Lots of nervous cackling. Thinking I must just be hallucinating. Worry about how to deal with this. And more...

Edit: Grammar

bostonpete1y ago

Whether MS deserves credit or not, he's a very senior SW engineer at Microsoft so this should at least provide some reassurance that the company has technical leaders who are looking out for these sorts of security risks...

olliej1y ago

Oh yeah, I know it wasn’t ms security reporting it or anything, I just found it funny (and ironic I guess? given this report came out a few days later).

Wasn’t it an annoyed database administrator?

j / k navigate · click thread line to collapse

0 comments

anarazel1y ago

breadwinnerOP1y ago

What was the moment like, when you realized you have stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

anarazel1y ago

> What was the moment like, when you realized you have stumbled upon a backdoor? I mean, it is riveting just to read the various reports of this backdoor!

It was many hours of slowly figuring that out, room for different emotions. Lots of nervous cackling. Thinking I must just be hallucinating. Worry about how to deal with this. And more...

Edit: Grammar

bostonpete1y ago

olliej1y ago

Oh yeah, I know it wasn’t ms security reporting it or anything, I just found it funny (and ironic I guess? given this report came out a few days later).

Wasn’t it an annoyed database administrator?

j / k navigate · click thread line to collapse