A backdoor giving root access has lurked for years in popular KiwiSDR (arstechnica.com)
46 points by ctoth on July 15, 2021 | 6 comments


“After reading their code, I am getting more old-school hacker vibes than a newbie hobbyist. Plenty of technical terms like "race condition" thrown around accurately. Meanwhile the heavy use of global state, and commenting out code with stuff like: Code: if 0 ... endif

It hints at somebody who has never worked in a modern dev agency. Fair enough, I don't mean that as an insult. But, definitely old-school style. Like someone learned to code in a time before the age of internet hacking.” A great comment in the article


I think, whilst bad, one may have to have sympathy: the good intent of old-school remote support is not acceptable in the internet hacking age but is, sort of, well, understandable. Please do not push legal or other charges.


The fact that it took this long to surface raises important questions about OSS security in the age of instant updates. This was a paid product, not even some sub-100-star GitHub project made by groyper6969. Every time we do a pip install or an npm install, the chance of this happening is at least 100 times greater. (Judging by the amount of subdependencies every package seems to have nowadays.)


I have been using https://www.openwebrx.de/


I wanted to see what the history of this was, and found many more.

The code in question was removed yesterday [1] with the commit message "v1.461: bug fixes". The password sha256 hash was df05611250593c4299da8b3216751552b5a690e44b7e1b63f419e64b5e14ed9c.

There have been at least 5 different values, though some are short-lived:

* First added Jul 6, 2017 [2] commit message "for cases when src ip address is not preserved" and hash cc9b1457655eecfcb5f1beb6986bb9d27adfca2377ed32a4120014852fa415e6

* Changed later that day [3] with commit message "proper way to cleanup" to hash 7cdd62b9f85bb7a8f9d85595c4e488d8090c435cf71f8dd41ff7177ea6735189

* Nov 6, 2017 [4] commit message "first cut at GPS_ONLY_BUILD support" added a second hash: 974706effe52b397714f8ee22bf137e7cbfb46f3e88c7972defa3bbc55883048

* ...which was then removed on Nov 7, 2017 [5] with commit message "remove admin console bypass hack"

* Changed Oct 24, 2018 [6] with commit message "v1.243: security improvements" to hash 34ac320e522bdd9c8e5f8b9e5aa264e732473b0621a8b899ddf2c708d80b442c

* Changed Feb 13, 2020 [7] with commit message "lint" to hash df05611250593c4299da8b3216751552b5a690e44b7e1b63f419e64b5e14ed9c

[1] https://github.com/jks-prv/Beagle_SDR_GPS/commit/fef90929ed8...

[2] https://github.com/jks-prv/Beagle_SDR_GPS/commit/6bdde32e603...

[3] https://github.com/jks-prv/Beagle_SDR_GPS/commit/c0178bd2206...

[4] https://github.com/jks-prv/Beagle_SDR_GPS/commit/d6ea8061c8f...

[5] https://github.com/jks-prv/Beagle_SDR_GPS/commit/e66e67a20bc...

[6] https://github.com/jks-prv/Beagle_SDR_GPS/commit/30024d542f3...

[7] https://github.com/jks-prv/Beagle_SDR_GPS/commit/20b3859bbbc...
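
The comment above traces a hardcoded SHA-256 digest by hand through the commit history. As an added example (not part of the thread and not KiwiSDR code), the same audit can be scripted over `git log -p --reverse` output; the abbreviated sample log, commit ids, file names, messages and digests below are constructed placeholders.

```python
import re

HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")  # a SHA-256 digest written as hex

# Constructed, abbreviated `git log -p --reverse` output. Commit ids, file names,
# messages and digests (<A>, <B>) are placeholders, not values from a real repo.
SAMPLE_LOG = """\
commit 1111111
    handle proxied connections
diff --git a/auth.c b/auth.c
+    if (!strcmp(sha256_hex(pw), "<A>")) return 1;
commit 2222222
    cleanup
diff --git a/auth.c b/auth.c
-    if (!strcmp(sha256_hex(pw), "<A>")) return 1;
+    if (!strcmp(sha256_hex(pw), "<B>")) return 1;
commit 3333333
    update docs
diff --git a/README b/README
+new text
commit 4444444
    bug fixes
diff --git a/auth.c b/auth.c
-    if (!strcmp(sha256_hex(pw), "<B>")) return 1;
""".replace("<A>", "a" * 64).replace("<B>", "b" * 64)

def digest_changes(log_text):
    """One record per commit whose diff adds or removes a 64-hex literal."""
    records = []
    for chunk in re.split(r"(?m)^commit ", log_text)[1:]:
        header, _, diff = chunk.partition("\ndiff --git")
        head_lines = header.splitlines()
        msg = next((l.strip() for l in head_lines[1:] if l.startswith("    ")), "")
        rec = {"commit": head_lines[0].split()[0], "message": msg, "added": [], "removed": []}
        for line in diff.splitlines()[1:]:  # skip the rest of the "diff --git" line
            if line.startswith("+") and not line.startswith("+++"):
                rec["added"] += HEX64.findall(line)
            elif line.startswith("-") and not line.startswith("---"):
                rec["removed"] += HEX64.findall(line)
        if rec["added"] or rec["removed"]:
            records.append(rec)
    return records

def live_digests(records):
    """Digests still present after replaying the records oldest-first."""
    live = set()
    for r in records:
        live = (live - set(r["removed"])) | set(r["added"])
    return live
```

Reading each record's commit message next to its added and removed digests gives the kind of timeline listed above, and a non-empty `live_digests` result at the newest commit means a hardcoded digest is still in the tree.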


It looks like the author is based in the EU, would this not violate GDPR?



