>A German university student has demonstrated an effective way to get code of his choosing to run on the computers of software developers, at least some of whom work for US governmental and military organizations.
>The eye-opening (if ethically questionable) research was conducted by University of Hamburg student Nikolai Philipp Tschacher as part of his bachelor thesis. Using a variation of a decade-old attack known as typosquatting, he uploaded his code to three popular developer communities and gave them names that were similar to widely used packages already submitted by other users. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.
>"There were also 23 .gov domains from governmental institutions of the United States," Tschacher wrote in his thesis. "This number is highly alarming, because taking over hosts in US research laboratories and governmental institutions may have potentially disastrous consequences for them."
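The name-similarity trick the quoted article describes can be gated at install time. Below is an added example, not code from the article or from Tschacher's thesis: a Python pre-install check that flags a requested package name sitting one edit (including a swapped pair of letters) away from a known popular package. The popular-package list is a constructed sample, not real index data.

```python
# Added example: pre-install guard against typosquatted package names.
# KNOWN_POPULAR is a constructed sample; seed it from your index's
# download statistics or an internal allow list in practice.
import re

KNOWN_POPULAR = {"requests", "urllib3", "setuptools", "numpy", "cryptography"}


def normalize(name: str) -> str:
    """PEP 503-style normalization: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance, so that a
    transposition such as 'reqeusts' vs 'requests' counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition: a[i-1]==b[j-2] and a[i-2]==b[j-1]
            if prev2 and i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidates(requested: str, known=KNOWN_POPULAR, max_edits: int = 1):
    """Return the popular names within max_edits of the requested name.
    An exact match after normalization is the real package, so it yields []."""
    req = normalize(requested)
    if req in map(normalize, known):
        return []
    return sorted(k for k in known if edit_distance(req, normalize(k)) <= max_edits)


if __name__ == "__main__":
    for name in ("reqeusts", "urlib3", "requests", "flask"):
        hits = typosquat_candidates(name)
        verdict = f"looks like a typo of {hits}" if hits else "no close popular name"
        print(f"{name}: {verdict}")
```

A wrapper around your installer can refuse or prompt whenever the check returns a non-empty list.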
>>58018456
>and gave them names that were similar to widely used packages already submitted by other users.
>his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.
top kek! nerds should stick to using the apt package manager for everything!
>>58018492
* RHEL's package manager
>>58018456
I guess his code being mistaken for some dependencies may have been helpful.
>>58018505
nerds who would do that don't run RHEL
>>58018456
>Two of the affected domains ended in .mil, an indication that people inside the US military had run his script.
TOP
FUCKING
KEK
I was always wondering if real people, I mean professional developers, just use shitty libraries they find on github without any guarantees to work and they just plug them into their code.
They actually do. Wow. That's fucking amazing. Imagine how many backdoors there are on every piece of software.
>>58018527
His code has probably been mistaken for a dependency by some software developer(s), I'm sure they run macOS.
>>58018521
this is scary
>>58018456
>social engineering
Who cares? Nothing can be done until the public sector isn't full of braindead, shitskinned dregs
Source?
>>58019717
i.e. never
>>58019740
his fucking ass, but still that is most likely done already
>>58019740
>>58019809
>His fucking ass
Uhhh from this article http://arstechnica.com/security/2016/06/college-student-schools-govs-and-mils-on-perils-of-arbitrary-code-execution/
And his thesis - the link to which is in the article.
>>58018456
It doesn't matter. Classified development takes place inside air gapped networks.
>>58019852
Cheers, seems like a good read
>>58019946
It's still something concerning, is it now?
>>58019964
It is concerning but the people running that code aren't doing anything classified. Company secrets? Yes. Military secrets? No. Should the people running the code be reprimanded/fired and should the vulnerability be prevented? Yes.
I can assure you security is taken seriously, which is why Snowden never posted any code, because he simply couldn't extract it. I can't really go more into detail.
>>58019946
I'm not sure, since he knew his software was run, it means it had to be connected to the internet
Lmao @ windows users
>>58020191
I'm sure he knew
>>58020191
You typically have an internet-connected computer with Windows for MS Office because the alternative would be Windows with Lotus Notes, and that is horrible. The computer you develop on is connected to an air-gapped network.
>>58020191
It was most likely just frontend devs being usual retards. Classified development is separate.
>>58020190
That's actually reassuring.
>>58018456
pajeets copy/pasting code off Stack Overflow are going to be the downfall of our government? Wow.
>>58018456
Oh look, it's the pip install X thing from 6 months ago.
>>58020530
>pajeets
stop putting the blame elsewhere you dumb racist piece of shit
These websites are programmed by US-born, American citizens.
Friendly reminder that this just proves that there is no grand conspiracy in society, just a bunch of dumb fucks and people who are ignorant in certain fields making bad decisions that have knock on bad effects and diminishing returns.
>>58020638
whoa calm down there buddy. it's just a little sarcasm. I know mil and gov sites aren't run by Indians.
Where have I seen this before...
>>58018456
Good, the generations in power never bothered to figure out how computers work. It's only fair that they get fucked by them.