I have the full story on that incident. It is actually really funny.
If the guy who did it wants to come forward, that is his decision. [edit: I won't name names.]
He did provide me the full story. He told me with the understanding that the story would go public, so I will dig it up and post it.
I also interviewed the sysadmins who were running the box at the time.
1. it was not an NSA operation, it was done by a hacker.
2. it was discovered by accident, not because of clever due diligence.
Basically, there was a developer who had a flakey connection and one time his commits didn't go through. To detect this in future he had a script that would download the entire tree from the server and compare it against his local copy to make sure that his changes had been committed.
It was discovered because of the discrepancy between his local working copy and the upstream copy. Which was checked not for security reasons, but because sometimes the two were out of sync. That's all. Just dumb luck.
The sysadmins are still quite bitter about it. I know how it feels when your box is hacked and you really take it personally.
The code wasn't added by hacking the CVS, as far as I remember, but rather through a hacked developer with commit rights.
Geez, this crowd. The clearest evidence that it was not an NSA attack is that it was not very good. It modified a CVS mirror. At no time was the source of truth (the bitkeeper repo) in any danger. Anybody that knew how this stuff worked at the time would have known it would be caught immediately. Not very state level expertise, pretty sad if it was the NSA.
> The clearest evidence that it was not an NSA attack is that it was not very good.
I suspect you are being sarcastic, but in case you aren't, you may want to reexamine your assumptions.
The colossal incompetence that is synonymous with government work doesn't magically stop at three-letter agencies. The FBI/CIA communication fuckups before 9/11 are just one famous example.
The idea that the NSA is staffed with "uber hackers" is a Hollywood fantasy. A government job working as a hacker is still a government job. Why would someone with that skillset, who can get a job at FAANG for 10x the salary, submit to the bureaucracy and monitoring BS that comes with working for an intelligence agency? I'm sure there are a select few who find this appealing, but the vast majority are just going to take the money and the free life.
Those two were my wake up calls. The US absolutely is in the hacking business, but they are not in the getting caught business. Everything we have seen so far is incredibly sophisticated and took years to discover. How can you then go out and claim that the NSA isn’t incredibly competent?
See also all of the intelligence the US has provided about the Russian invasion into Ukraine. The US is really good at spy craft.
maybe 10x the salary (probably not) but also a correlated increase in hours instead of a contractually mandated maximum of 40 hours, combined with the legal inability to do work from home, discuss work at home, and a lot of related perks.
Also "perks" like having your life put under the microscope at regular intervals, going to prison if you talk about what you do, etc.
And I strongly doubt that agencies that are known to routinely violate the law, the constitution, and human rights care about "contractually mandated" 40-hour workweeks.
> And I strongly doubt that agencies that are known to routinely violate the law, the constitution, and human rights care about "contractually mandated" 40-hour workweeks.
lol they 100% do.. because they're all contractors bidding for the work.. so if one company bid X man hours for a cost plus contract and won as the lowest bidder and then put in 3x the time, either the winner would sue for being underpaid or, if they were paid, the losers would sue because of impropriety.
FAANG money is a relatively recent thing. Stock options used to be the only way you might make millions as a developer, and that was always a gamble. The NSA probably has a lot of seasoned developers who started their careers when the pay gap was much smaller.
> I'm sure there are a select few who find this appealing
That’s really all you need dude. And yet both private and public sector intelligence jobs are selective. Supply and demand might help you reconcile your other points.
You slightly underestimate the pool of extremely patriotic or nationalistic smart engineers and scientists around.
If your basic thesis was correct no video games would get made either. Most of them could go get that FAANG money for arguably better work life balance. People have more motivations than you realize. And the idea that all the smartest engineers and scientists exclusively work for FAANG is a contrivance only believed on this dumb site. (The equally idiotic corollary is that all the smartest people work in software).
I also think you are underestimating the lifetime earning potential of top intelligence workers. 9 to 5 government jobs don’t have to be forever.
Finally, the sophistication of state level attacks such as in Iran is clear. The evidence exists, and you are wrong.
And you’re missing the point, it isn’t even that this attack wasn’t sophisticated it was that clearly no one sat down for even a few minutes to discuss how it would be detected. An organization, even a private hacking group, would have discussed this.
Not to mention it being extremely difficult to travel internationally, and not being able to have close personal friendships with many people who live in other countries. Not being able to partake in THC consumption EVER, much less any other recreational substance besides alcohol. The list goes on.
I understand that it pays very well and there's decent work/life balance in terms of hours. But you have to essentially work in a windowless cell with no internet. And for lots of people with the curious hacker mentality, it would be a chore to "keep your nose clean" as they say.
I live in the DC area and the stereotype of the bland, khaki, polo, and white sneakers wearing boring person is true.
This thread is already full of silly archetypes and over generalizations not borne out by the reality. With that in mind: When you say drug using, “curious hacker mentality” all I can think of is Eric Raymond and the implication that this wizard of fetchmail is just too smart to work with the boring likes of von Neumann, Turing and Shannon, Tao, etc.
> Not being able to partake in THC consumption EVER
The all caps tickles me. I don’t think this is a huge sacrifice outside some limited circles. Some of the smartest people are ethical vegetarians.
I replied to their comment because it was related, but where do you get the impression it is not supportive?
I’m responding to the idiots poking holes in that claim.
Wait was the guy you know the hacker or someone who discovered the hack by accident? If the latter, how do you know anything about the hacker's identity or motive?
Sounds like OP interviewed the person who uploaded the code, whose system was previously infiltrated (it can still be the NSA). So why say "If the guy who did it wants to come forward, that is his decision. But he did provide me the full story", it doesn't sound like OP interviewed the "guy who did it"...
I read that the other way. "If the guy who did it wants to come forward, that is his decision. But he [still talking about the guy who did it] did provide me the full story."
That is, the perpetrator gave him the full story, but he won't name names, because it's the perpetrator's choice whether or not to reveal his identity.
he was more specific, but I (a) don't remember the name off the top of my head, and (b) don't think it is beneficial to put them on blast. It isn't their fault they got hacked 20 years ago.
To be clear: you're telling us the full story of the discovery, not the full story of the exploit? You and your source don't know who the attacker was, right?
What is there to say about the hack? Like everything back then it was probably accomplished by exploiting trust relationships. I can ask him, but it is not at interesting 20 years later.
What is there to say about the [discovery]? Like everything back then it was probably accomplished by [a simple source code diff]...it is not at interesting 20 years later.
You get the idea. The story you know might be interesting to you because you happen to know the person involved. And it is sort of interesting? But not really as interesting as the _full_ story would be. In particular because your grammar in your original comment kind of implies you knew the actual attacker.
This all seems fairly obvious to me? Is there anything we're missing about the discovery? It's pretty mundane that one of hundreds of devs working on that source code happened to have a vanilla copy, especially in 2003 with a less reliable and slower internet.
A state actor would have done a much better job. This was detected nearly immediately and anyone that knew how the system was set up (which was public knowledge) would have known this would be caught. The state level hackers are not that dumb.
If there was a serious backdoor attempt, then this was the distractor.
And seriously back in those days especially Linux didn’t need much help with getting root exploits in the tree.
> Like everything back then it was probably accomplished by exploiting trust relationships
That's wrong on many levels. Bold and stupid "hacks" committed by teenagers using SE tend to get a lot of traction, because it is both bold and stupid. This hasn't changed. But "back then" there was much more than that...
that's the story as I was told
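
Added example, not part of the thread and not the developer's actual script: a sketch of the kind of check described in the story, comparing a local working copy against a freshly downloaded upstream tree by content hash. The directory names, file names and the list of skipped version-control directories are assumptions, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile

# Assumption: version-control bookkeeping directories are not part of the source tree.
SKIP_DIRS = {"CVS", ".git", "SCCS"}

def manifest(root):
    """Map each relative file path under root to the SHA-256 of its contents."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[os.path.relpath(path, root)] = h.hexdigest()
    return result

def compare_trees(local_root, upstream_root):
    """Classify every path that is not identical in both trees."""
    local, upstream = manifest(local_root), manifest(upstream_root)
    common = local.keys() & upstream.keys()
    return {
        "missing_upstream": sorted(local.keys() - upstream.keys()),
        "unexpected_upstream": sorted(upstream.keys() - local.keys()),
        "content_differs": sorted(p for p in common if local[p] != upstream[p]),
    }

def demo():
    """Constructed trees: one file altered upstream, one local file never uploaded."""
    with tempfile.TemporaryDirectory() as tmp:
        local, upstream = os.path.join(tmp, "local"), os.path.join(tmp, "upstream")
        for root, body in ((local, b"int x = 1;\n"), (upstream, b"int x = 2;\n")):
            os.makedirs(os.path.join(root, "src", "CVS"))
            with open(os.path.join(root, "src", "main.c"), "wb") as fh:
                fh.write(body)
            with open(os.path.join(root, "src", "CVS", "Entries"), "wb") as fh:
                fh.write(root.encode())  # differs per side, but must be ignored
        with open(os.path.join(local, "pending.c"), "wb") as fh:
            fh.write(b"/* local change that never reached the server */\n")
        return compare_trees(local, upstream)

if __name__ == "__main__":
    print(demo())
```

A commit that failed to go through shows up under `missing_upstream`; a change nobody on the local side made shows up under `content_differs` or `unexpected_upstream`, which is the discrepancy the story describes.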