this post was submitted on 01 Jul 2024
245 points (98.8% liked)

Linux

[–] lung@lemmy.world 23 points 1 year ago (4 children)

It's shit like this that makes me convinced that governments can easily hack into pretty much every system

[–] NotMyOldRedditName@lemmy.world 13 points 1 year ago

I mean, on TV every character seems to be able to hack any system in a few seconds.

They clearly must have done some research by watching some NSA hackers who can hack every system.

[–] Mike1576218@lemmy.ml 9 points 1 year ago

They probably can. But every hack done has the possibility of spoiling the exploit. A good exploit can cost a million $. So if hacking you is worth more than say 100k to them, you're in trouble. Otherwise they will only target you with everyday surveillance.

[–] asyncrosaurus@programming.dev 7 points 1 year ago (1 children)

Most can't, but that's why clandestine cyber-intelligence firms like NSO Group exist.

[–] lung@lemmy.world 7 points 1 year ago

That's a spooky one. From first glance - 500 employees and zero click takeovers of phones? Yikes. Makes me want to not have a phone... Ofc Google/Apple/USA have had this capacity for ages

[–] unexposedhazard@discuss.tchncs.de 5 points 1 year ago (2 children)

Well only if they know about it before it gets patched...

[–] scrion@lemmy.world 10 points 1 year ago (1 children)

That's why there is a huge market for 0-day exploits.

[–] vxx@lemmy.world 3 points 1 year ago (1 children)

Aren't there attempts to sneak in vulnerabilities with new commits?

[–] scrion@lemmy.world 6 points 1 year ago* (last edited 1 year ago)

Yes, targeted attacks like that definitely exist, most famously maybe the most recent social pressure to merge a vulnerability to the xz library by actor "Jia Tan":

https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

This started a whole discussion about relying on (often unpaid) volunteer work for critical systems and the pressure and negativity these people face, which is a discussion that was absolutely needed, and which we are still lightyears away from fixing.

Currently, open source is still treated like this: https://trac.ffmpeg.org/ticket/10341

(I can only recommend reading the whole story around this issue, which boils down to Microsoft admitting they rely on an open source project for something they consider critical to their customers, but not willing to pay the maintainer a bounty for fixing the issue)

[–] teawrecks@sopuli.xyz 6 points 1 year ago

The NSA is doubtless sitting on a trove of these types of vulnerabilities to use when they really need access to something.