Topic: !!! RED ALERT: SHIELDS UP, TROJAN SOURCE HAS ARRIVED !!! - page 2.

copper member
Activity: 1666
Merit: 1901
Amazon Prime Member #7
My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !
It looks like a solution has already been found.

I think the risk of this kind of attack is fairly low. The maintainers of most repos are not going to allow random changes to comments or to docstrings.

In addition to throwing warnings when invisible chars are used, much of this vulnerability could be eliminated by using "returns" vs "return", standardizing when/where comments are allowed, and disallowing comments and docstrings from containing anything that would execute as code if it were not commented out.
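The "throw warnings when invisible chars are used" idea, as an added example that is not code from this thread, the paper, or any project mentioned here: a small scanner that reports every Unicode bidirectional control character covered by the Trojan Source paper, with line and column, and renders a line the way a terminal that ignores bidi formatting would show it. The sample source is constructed for the demonstration.

```python
"""Scan source text for Unicode bidi control characters (Trojan Source).

Added example, not code from the thread or from the Trojan Source project.
"""

# The bidi formatting characters used in the Trojan Source paper:
# embeddings/overrides (U+202A..U+202E) and isolates (U+2066..U+2069).
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF",
    "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(source: str):
    """Return a list of (line, column, name) for each bidi control found.

    Lines and columns are 1-based so they can be quoted in a review comment.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings


def visualize(line: str) -> str:
    """Replace bidi controls with visible <U+XXXX> escapes.

    This is roughly what a terminal that does not apply the bidi algorithm
    shows: the control becomes visible instead of reordering the text.
    """
    return "".join(
        f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in line
    )


# Constructed sample: a C-style comment carrying a right-to-left override.
SAMPLE = (
    "int main(void) {\n"
    "    // \u202E comment that a bidi-aware editor renders reversed\n"
    "    return 0;\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
        print("  ", visualize(SAMPLE.splitlines()[lineno - 1]))
```

A CI job can run `find_bidi_controls` over every changed file and fail the build on a non-empty result, which is the same class of check GitHub's bidi warning performs in the diff view.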
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
This has been known for YEARS and until some non programmers and clueless media people got a hold of it nobody cared.
This is one example I found dated 2017: https://github.com/golang/go/issues/20209
There is at least one more from a bit earlier that I can't find that more or less said the same thing.

Only people who don't program a lot or get paid to scare people think it's a big deal.
Edit: take a look at https://bugs.eclipse.org/bugs/show_bug.cgi?id=339146 - you may have to create an account to see it.
-Dave
full member
Activity: 385
Merit: 110
If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship ;)

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.
My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project, but if you have you would know that it is clearly impossible to do this without opening yourself up to more gunfire: unpatched vulnerabilities.

If this was Star Trek hmmm.... then we would believe our shields are ON while they are OFF lol.

Trigger:
if Shield = "OFF" then Shield = "ON"

Anyway... at least you admit there is a big fat problem by switching to CMD.exe, no more project source files for you, no more fancy pancy development environment for you ! LOL.

I wonder how many bugs/hints/warning messages are missed by CMD.EXE! ;)

CMD.EXE on Windows 7 is immune indeed, not sure about powershell on Windows 11.

Anyway, have fun with your fake shields! LOL.

Fake vaccines, now we have FAKE SHIELDS and FAKE CODE LOL ! =D

Anyway on a more serious note, GITHUB has taken some precautions which can be seen here:

https://github.com/nickboucher/trojan-source/blob/main/C/commenting-out.c

and here:

https://github.blog/changelog/2021-10-31-warning-about-bidirectional-unicode-text/

So not all is bad.

Github was recently purchased by Microsoft, makes me wonder... are they trying to cover up something ?
jr. member
Activity: 77
Merit: 7
Also, this is not so different to supply chain attacks if this was committed to a library. As a cybersecurity analyst, we vet any software and new updates in a sandbox before releasing them to production. We also have other security tools in place to stop malicious behaviour or alert us if any malicious behaviour is found.

Also agree on the command line with NotATether, most only support ANSI.

I could see in some cases how this can be a problem, but papers like this are only useful to bring information like this to the masses and people in cybersecurity as something to look out for. I doubt there are many of these attacks being exploited in the wild.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
If it was Star Trek, this would be the point where you're bombarded with so much gunfire that your shields drop to 6% or you have to abandon ship ;)

But I call bullshit on that paper. Simply running an xterm or other CMD/terminal that only supports ANSI character sets will mitigate this by making the code appear to be the malicious gibberish it really is.
My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

I don't think you've maintained an open source project, but if you have you would know that it is clearly impossible to do this without opening yourself up to more gunfire: unpatched vulnerabilities.
full member
Activity: 385
Merit: 110
I haven't even read this document fully yet, but all signs point to MAJOR TROUBLE AHEAD for open source projects:

https://www.trojansource.codes/trojan-source.pdf

My recommendation is to hold all patches/pull requests until solutions/defense/shields are found !

Bye for now,
  Skybuck.