A German university student has demonstrated an effective way to get code of his choosing to run on the computers of...

>A German university student has demonstrated an effective way to get code of his choosing to run on the computers of software developers, at least some of whom work for US governmental and military organizations.

>The eye-opening (if ethically questionable) research was conducted by University of Hamburg student Nikolai Philipp Tschacher as part of his bachelor thesis. Using a variation of a decade-old attack known as typosquatting, he uploaded his code to three popular developer communities and gave them names that were similar to widely used packages already submitted by other users. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.

>"There were also 23 .gov domains from governmental institutions of the United States," Tschacher wrote in his thesis. "This number is highly alarming, because taking over hosts in US research laboratories and governmental institutions may have potentially disastrous consequences for them."
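The attack described above works because a dependency name that is one or two characters off from a popular package still resolves and installs. As an added example (not code from the thesis or the article), here is a small pre-install check that parses a requirements file, normalizes each name the way PyPI does, and flags any name that is within a small edit distance of a known package without being an exact match. The allowlist of "known" packages and the requirements text are constructed for illustration; a real deployment would load an organization-approved list instead.

```python
import re

# Constructed allowlist of well-known package names (illustrative only;
# in practice this comes from an approved-dependency list).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "pyyaml", "setuptools", "cryptography"}

# Constructed sample requirements file with two near-miss names,
# two exact matches (one differently cased) and one unrelated name.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
requets==2.31.0
urlib3>=1.26
numpy
PyYAML
flask
"""


def normalize(name: str) -> str:
    """Apply PEP 503 name normalization: lowercase, and collapse runs of
    '-', '_' and '.' into a single '-'. 'PyYAML' and 'pyyaml' are the same
    project, so comparisons must happen on normalized names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_requirements(requirements_text: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> dict:
    """Split requirement names into exact matches, near-miss suspects and
    unknown names. A suspect is a name that is not in the allowlist but is
    within max_distance edits of one; those are the typosquat candidates."""
    exact, suspect, unknown = [], [], []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # skip blanks and pip options (-r, --index-url)
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before any version spec
        if not match:
            continue
        name = normalize(match.group(0))
        if name in known:
            exact.append(name)
            continue
        closest = min(known, key=lambda k: levenshtein(name, k))
        distance = levenshtein(name, closest)
        if distance <= max_distance:
            suspect.append((name, closest, distance))
        else:
            unknown.append(name)
    return {"exact": exact, "suspect": suspect, "unknown": unknown}


if __name__ == "__main__":
    result = classify_requirements(SAMPLE_REQUIREMENTS)
    for name, closest, distance in result["suspect"]:
        print(f"SUSPECT: {name!r} is {distance} edit(s) from known package {closest!r}")
    for name in result["unknown"]:
        print(f"UNKNOWN: {name!r} is not on the allowlist")
```

Run this against a requirements file before `pip install -r` in CI and fail the build on any suspect. The distance threshold is deliberately small: with short package names, a larger threshold produces many false positives, and names that are far from everything on the allowlist are better handled as "unknown, needs review" than as typosquats.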

Other urls found in this thread:

arstechnica.com/security/2016/06/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution/

>and gave them names that were similar to widely used packages already submitted by other users.
>his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.
top kek! nerds should stick to using the apt package manager for everything!

* RHEL's package manager

I guess his code being mistaken with some dependencies may have been helpful.

nerds who would do that don't run RHEL

>Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.
TOP
FUCKING
KEK

I was always wondering if real people, I mean professional developers, just use shitty libraries they find on github without any guarantees to work and they just plug them into their code.

They actually do. Wow. That's fucking amazing. Imagine how many backdoors there are on every piece of software.

His code has probably been mistaken as a dependency by some software developer(s), I'm sure they run macOS.

this is scary

bump

>social engineering
Who cares? Nothing can be done until the public sector isn't full of braindead, shitskinned dregs

Source?

ie never

his fucking ass, but still that is most likely done already

>His fucking ass

Uhhh from this article arstechnica.com/security/2016/06/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution/

And his Thesis - the link to which is in the article.

It doesn't matter. Classified development takes place inside air gapped networks.

Cheers, seems like a good read

It's still something concerning, is it now?

It is concerning but the people running that code aren't doing anything classified. Company secrets? Yes. Military secrets? No. Should the people running the code be reprimanded/fired and should the vulnerability be prevented? Yes.

I can assure you security is taken seriously which is why snowden never posted any code because he simply couldn't extract it. I can't really go more into detail.

I'm not sure, since he knew his software was run, it means it had to be connected to the internet

Lmao @ windows users

I'm sure he knew

You typically have an internet connected computer with Windows for MS Office because the alternative would be Windows with Lotus Notes and that is horrible. The computer you develop on is connected to an air gapped network.

It was most likely just frontend devs being usual retards. Classified development is separate.

That's actually reassuring.

pajeets copy/pasting code off Stack Overflow are going to be the downfall of our government? Wow.

Oh look, it's the pip install X thing from 6 months ago.

>pajeets
stop putting the blame elsewhere you dumb racist piece of shit
These websites are programmed by US-born American citizens.

Friendly reminder that this just proves that there is no grand conspiracy in society, just a bunch of dumb fucks and people who are ignorant in certain fields making bad decisions that have knock on bad effects and diminishing returns.

whoa calm down there buddy. it's just a little sarcasm. I know mil and gov sites aren't run by Indians.

Where have I seen this before...

Good, the generations in power never bothered to figure out how computers work. It's only fair that they get fucked by them.