Slashdot Mirror


Trivial Authentication Bypass In Libssh Leaves Servers Wide Open (arstechnica.com)

Ars Technica reports on "a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server." It's not clear how many sites or devices may be vulnerable since neither the widely used OpenSSH nor GitHub's implementation of libssh was affected. From the report: The vulnerability, which was introduced in libssh version 0.6 released in 2014, makes it possible to log in by presenting a server with a SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple's macOS let people log in as admin without entering a password.

On the brighter side, there were no immediate signs of any big-name sites being bitten by the bug, which is indexed as CVE-2018-10933. While GitHub uses libssh, the site officials said on Twitter that "GitHub.com and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library." In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. Out of an abundance of caution, GitHub has installed a patch released with Tuesday's advisory. Another limitation: only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that's safe in the client but unsafe in the server context, only servers are affected.

83 comments

  1. This & Windows it's gonna be busy at work tomo by raymorris · · Score: 1

    Between the Windows authentication bypass that just came out (again) and this one, tomorrow is going to be a busy day at work.

  2. Uh.... Jedi mind trick? by Anonymous Coward · · Score: 0, Informative

    More like lying. No Jedi shit is involved here, just giving a response that someone who was writing something for free neglected to plan for.

    Also, this is an example of how many eyes make bugs shallow in OSS. This bug was out there, just waiting to be exploited, until an eagle eyed (and Star Wars enameled) OSS Batman caught it, ninja like, and saved the world from yet another FUCKING IDIOT OSS DEV WHO TRiED TO RECREATE the GODDAMN WHEEL

    FUCK

    1. Re: Uh.... Jedi mind trick? by Anonymous Coward · · Score: 0

      The important thing is that coding is a no-judgement zone, though?

    2. Re:Uh.... Jedi mind trick? by AC-x · · Score: 2

      No Jedi shit is involved here

      Server: Authentication please

      Client: My authentication was successful, I may enter

      Server: Your authentication was successful, you may enter

      I think that "Jedi mind trick" is a good analogy.

    3. Re:Uh.... Jedi mind trick? by gweihir · · Score: 1

      This is a rather obscure implementation of the ssh protocol, and in particular not the well-reputed OpenBSD implementation. Probably almost nothing is affected, calm down.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Uh.... Jedi mind trick? by Carewolf · · Score: 1

      More like lying. No Jedi shit is involved here, just giving a response that someone who was writing something for free neglected to plan for.

      Also, this is an example of how many eyes make bugs shallow in OSS. This bug was out there, just waiting to be exploited, until an eagle eyed (and Star Wars enameled) OSS Batman caught it, ninja like, and saved the world from yet another FUCKING IDIOT OSS DEV WHO TRiED TO RECREATE the GODDAMN WHEEL

      FUCK

      I would say it is more like a Bugs Bunny routine. The client switches to pretending to be the server halfway through negotiations, tells the server it has been granted access to the client, which the server accepts thinking it must be the client then, and the real client then logs in while the server is confused.

    5. Re:Uh.... Jedi mind trick? by Carewolf · · Score: 2

      Except it is more like:

      Server: Authentication please

      Client: Your authentication was successful, you may enter

      Server: ??? Okay, thanks

      Client enters

    6. Re: Uh.... Jedi mind trick? by Anonymous Coward · · Score: 0

      "enameled" "moron"

      Pot, meet kettle.

  3. OpenBSD OpenSSH not vulnerable by DaMattster · · Score: 4, Informative

    Users of the OpenBSD versions (including portable) of SSH are not vulnerable to this issue. The OpenBSD OpenSSH uses its own version of libssh. You guys are safe.

    1. Re: OpenBSD OpenSSH not vulnerable by Anonymous Coward · · Score: 0

      Nice. And do you trust the dev that wrote a library which accepted client assurance that it authenticated properly for 4 years to be professionally written in every other way?

    2. Re:OpenBSD OpenSSH not vulnerable by gweihir · · Score: 5, Informative

      Just for those that do not know: Linux uses the OpenBSD ssh and hence is unaffected.

      Well, hopefully this niche-implementation is now dead...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:OpenBSD OpenSSH not vulnerable by hcs_$reboot · · Score: 1

      The info I was looking for, thanks.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:OpenBSD OpenSSH not vulnerable by Narcocide · · Score: 1

      Yea what was even using that libssh? PalmOS?

    5. Re:OpenBSD OpenSSH not vulnerable by ArchieBunker · · Score: 1

      Literally everything before the Heartbleed bug.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:OpenBSD OpenSSH not vulnerable by gweihir · · Score: 2

      You are welcome. The alarmist headlines and missing information this gets reported with are an utter disgrace.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:OpenBSD OpenSSH not vulnerable by sjames · · Score: 1

      Actually, OpenSSH in general is safe.

    8. Re:OpenBSD OpenSSH not vulnerable by sjames · · Score: 1

      You're thinking of SSL, this is SSH.

    9. Re: OpenBSD OpenSSH not vulnerable by Excelcia · · Score: 2

      Nice. And do you trust the dev that wrote a library which accepted client assurance that it authenticated properly for 4 years to be professionally written in every other way?

      That's not an iconic example of sophistry at all.

      Ok, first of all, libssh didn't make any representations about its software properly authenticating. No one makes those assurances, at least, not in any realistic sense. The only assurances you'll get for software is by forking out (usually large amounts) of money for someone who will say the words, in which case all it really means is they have no better idea than any other programmer that there aren't door-crasher bugs, they are just willing to cover the liability suits out of moneys earned charging people exorbitant fees to say there aren't any bugs.

      There are never assurances that software (or, as we learned recently, hardware) is doing what it's supposed to do. Open source has a better chance, though, since it has more eyes on it. Open source software is still ahead of the game for security.

      In the scheme of things, this issue is embarrassing for the maintainers, but not even a registerable blip on the radar as far as impact is concerned. A few thousand sites out of the billion or so are vulnerable.

      If you are going to try and find an open source security bug to slander, next time pick one that's a little more meaningful.

    10. Re:OpenBSD OpenSSH not vulnerable by gweihir · · Score: 1

      One would think that was a rather extreme difference...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:OpenBSD OpenSSH not vulnerable by Anonymous Coward · · Score: 0

      You really are slow aren't you. I'll explain:

      OpenSSH != OpenSSL != libssh

      OpenSSH = The SSH implementation that the OpenBSD developers maintain. Not even a factor here.

      OpenSSL = An SSL/TLS implementation that had issues with HeartBleed as you mentioned.

      libssh = Another SSH implementation, typically used for client side purposes. I do know there are both python and php bindings to it.

      In short, you don't know what you're talking about. Sit down.

    12. Re:OpenBSD OpenSSH not vulnerable by Carewolf · · Score: 1

      Just for those that do not know: Linux uses the OpenBSD ssh and hence is unaffected.

      Well, hopefully this niche-implementation is now dead...

      Mostly libssh still exists in Linux, but it seems the dependencies are: kio-sftp, kodi and libssh-dev. And the two applications both use it for client side which means they are not affected by this bug...

      That is the thing: libssh is the neglected stepchild of SSH implementations, it is unused, and it is not surprising bugs are found in it.

    13. Re:OpenBSD OpenSSH not vulnerable by Anonymous Coward · · Score: 0

      Confirmation of gweihir's statement.

      Also, if you want to see whether there are any libssh libraries on your machine, you can find out where shared libraries are typically installed, and you should see an openssh directory rather than libssh directories or libraries. Or you can grep for libssh from the root directory.

    14. Re:OpenBSD OpenSSH not vulnerable by gweihir · · Score: 1

      That is the thing: libssh is the neglected stepchild of SSH implementations, it is unused, and it is not surprising bugs are found in it.

      Exactly. Intensively used FOSS is usually excellent, but obscure, rarely-used one is often not. Sturgeon's law also applies to FOSS, just not equally.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Security is hard even if you're trying. by shess · · Score: 1

    Lots of software doesn't even try.

    Think on that when you're installing your smart devices.

    1. Re:Security is hard even if you're trying. by gweihir · · Score: 0

      The problem here is that this is not the mainstream libssh. It seems to be a rather exotic stand-alone project. The mainstream SSH is the OpenBSD SSH and it is _not_ affected. Anybody using an obscure alternate implementation of a security library basically gets what they deserve.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re: Security is hard even if you're trying. by gweihir · · Score: 0

      Are you stupid? If somebody doing engineering selects an inferior product, then that person is in no way a "victim". The appropriate word is "incompetent".

      This is a no-amateur zone as this is a library and in no way targeted at end-users. In engineering, people are responsible for their choices.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re: Security is hard even if you're trying. by Anonymous Coward · · Score: 0

      "her code"

      Go home, shill. We all know you're an imposter.

    4. Re: Security is hard even if you're trying. by Anonymous Coward · · Score: 0

      https://git.libssh.org/project...

      Not a single woman in that list. Yes, Andreas is a male name.

  5. What's the point? by WaffleMonster · · Score: 2

    This has long been a pet peeve of mine in the design of these systems.

    People always feel the need to include messages indicating success or failure which is something I personally find to be dangerous and redundant.

    If it is ever possible for any peer to be at all confused about whether authentication was successful or not you are having a bad day and no amount of status indications are going to make the hole you are standing in any shallower.

  6. Not a problem for long since is open source by Anonymous Coward · · Score: 0

    This will be fixed real soon now. Nothing to see or hear. Move along. And this is why open source works. Wha? Oh.

    1. Re: Not a problem for long since is open source by Anonymous Coward · · Score: 0

      Did you hear about that new windows bypass bug? I'm sure you did.

  7. Doesn't affect OpenSSH by Zack · · Score: 3, Informative

    This doesn't affect openssh servers or clients. Only *some* things using libssh *might* be vulnerable. A bit overhyped.

    1. Re:Doesn't affect OpenSSH by hcs_$reboot · · Score: 0

      A bit overhyped.

      a bit understated.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Doesn't affect OpenSSH by gweihir · · Score: 4, Informative

      It only affects one more-or-less obscure alternate implementation. The mainstream OpenBSD SSH (also the standard on Linux) is not affected at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Doesn't affect OpenSSH by Anonymous Coward · · Score: 0

      Your refrigerator is mining buttcoins because of this shit.

    4. Re:Doesn't affect OpenSSH by sjames · · Score: 1

      You're just jealous that his refrigerator is smarter than you.

    5. Re:Doesn't affect OpenSSH by Anonymous Coward · · Score: 0

      Not surprising. Open Sores people like to overhype basically everything.

  8. Re:LOL @ open sores by gweihir · · Score: 1

    A very small fail in some rather stupid projects...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Ars Technica discovers patched bug... by Narcocide · · Score: 1

    ... announces it to the world anyway.

  10. Re:LOL @ open sores by Narcocide · · Score: 1

    I note that you're quick to jump on the "omg open sores" bandwagon while ignoring that several other people have pointed out no open source distros used this libssh version. Your job must not rely on meritocracy either.

  11. Why can't people write finite state machines by FeelGood314 · · Score: 4, Interesting

    A finite state machine is a two dimensional array. You have your states and you have your events. Depending on your state you react to the events differently. If you write out your state machine on paper it should be obvious which {state, event} you have missed or implemented incorrectly. Yet I see so many state machines that:
    don't have a variable stating what state they are in
    have variables called previous state and current state
    have state names that are the action they intend to perform (usually you do something (transition) and then wait for something, hint your state name should probably be what you are waiting for)

    but the worst offenders are the ones that try and infer the state they are in based on only the event. javascript coders who try and make everything restful are the worst offenders here but it looks like the libssh authors are also guilty. How the fuck do you get your server into a client state? The only possible way is if you didn't actually define different states for client and server.
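
The table-driven design this comment argues for, applied to the message confusion described in the summary, as an added example that is not part of the original post and not libssh's code. `role_blind_step` is a simplified model of a handler shared by both roles; the state, event and function names and the sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Message numbers from RFC 4252; names use the SSH2_ prefix quoted in the summary. */
enum { SSH2_MSG_USERAUTH_REQUEST = 50, SSH2_MSG_USERAUTH_FAILURE = 51,
       SSH2_MSG_USERAUTH_SUCCESS = 52 };

enum role  { ROLE_CLIENT, ROLE_SERVER, N_ROLES };
/* States are named for what the peer is waiting for. ST_CLOSED is 0 on purpose:
 * every {state, event} cell not listed in the table defaults to it (fail closed). */
enum state { ST_CLOSED = 0, ST_AWAIT_REQUEST, ST_AWAIT_REPLY, ST_AUTHENTICATED, N_STATES };
enum event { EV_OTHER = 0, EV_REQUEST_OK, EV_REQUEST_BAD, EV_FAILURE, EV_SUCCESS, N_EVENTS };

/* cred_ok stands in for the result of a real credential check (assumption). */
struct msg { int type; int cred_ok; };

static enum event classify(struct msg m)
{
    switch (m.type) {
    case SSH2_MSG_USERAUTH_REQUEST: return m.cred_ok ? EV_REQUEST_OK : EV_REQUEST_BAD;
    case SSH2_MSG_USERAUTH_FAILURE: return EV_FAILURE;
    case SSH2_MSG_USERAUTH_SUCCESS: return EV_SUCCESS;
    default:                        return EV_OTHER;
    }
}

/* The whole protocol on one page: role x state x event. Only these four
 * cells are accepted; a SUCCESS arriving at a server has no entry at all. */
static const enum state next_state[N_ROLES][N_STATES][N_EVENTS] = {
    [ROLE_SERVER][ST_AWAIT_REQUEST][EV_REQUEST_OK]  = ST_AUTHENTICATED,
    [ROLE_SERVER][ST_AWAIT_REQUEST][EV_REQUEST_BAD] = ST_AWAIT_REQUEST,
    [ROLE_CLIENT][ST_AWAIT_REPLY][EV_SUCCESS]       = ST_AUTHENTICATED,
    [ROLE_CLIENT][ST_AWAIT_REPLY][EV_FAILURE]       = ST_AWAIT_REPLY,
};

/* Simplified model of the flaw: one handler per message type, shared by both
 * roles, that infers what to do from the event alone. */
static enum state role_blind_step(enum state s, enum event ev)
{
    switch (ev) {
    case EV_REQUEST_OK: return ST_AUTHENTICATED;
    case EV_SUCCESS:    return ST_AUTHENTICATED; /* only ever safe on the client */
    case EV_REQUEST_BAD:
    case EV_FAILURE:    return s;
    default:            return ST_CLOSED;
    }
}

/* Feed a message sequence to one peer and return the state it ends in. */
enum state run(enum role r, int use_table, const struct msg *in, size_t n)
{
    enum state s = (r == ROLE_SERVER) ? ST_AWAIT_REQUEST : ST_AWAIT_REPLY;
    for (size_t i = 0; i < n && s != ST_CLOSED; i++) {
        enum event ev = classify(in[i]);
        s = use_table ? next_state[r][s][ev] : role_blind_step(s, ev);
    }
    return s;
}

/* Audit helper: how many {state, event} cells does a role accept at all? */
int accepted_cells(enum role r)
{
    int n = 0;
    for (int s = 0; s < N_STATES; s++)
        for (int e = 0; e < N_EVENTS; e++)
            n += next_state[r][s][e] != ST_CLOSED;
    return n;
}

/* Constructed sample traffic, as seen by the receiving peer. */
static const struct msg FORGED[] = { { SSH2_MSG_USERAUTH_SUCCESS, 0 } };
static const struct msg HONEST[] = { { SSH2_MSG_USERAUTH_REQUEST, 0 },
                                     { SSH2_MSG_USERAUTH_REQUEST, 1 } };

int main(void)
{
    static const char *name[] = { "CLOSED", "AWAIT_REQUEST", "AWAIT_REPLY", "AUTHENTICATED" };
    printf("server, shared handler, SUCCESS from peer: %s\n", name[run(ROLE_SERVER, 0, FORGED, 1)]);
    printf("server, role table,     SUCCESS from peer: %s\n", name[run(ROLE_SERVER, 1, FORGED, 1)]);
    printf("server, role table,     bad then good req: %s\n", name[run(ROLE_SERVER, 1, HONEST, 2)]);
    printf("client, role table,     SUCCESS from peer: %s\n", name[run(ROLE_CLIENT, 1, FORGED, 1)]);
    printf("cells a server accepts: %d\n", accepted_cells(ROLE_SERVER));
    return 0;
}
```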

    1. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      A serious question as you seem knowledgeable on the subject. Can you suggest any documentation describing best practices for state machines?

    2. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      It's literally a solved mathematical problem.

      All you have to do is define reasonable limits on the inputs, then shit out your states and reduce the graph.

    3. Re:Why can't people write finite state machines by johnw · · Score: 3, Interesting

      As a partial answer to your question - my experience is that very many programmers simply can't get their heads around finite state machines. They want to write code which says, "Do X, then do Y, then do Z" and the furthest they are willing to get away from that is the odd "if" statement. The whole idea of having the code simply sit and react to events is too hard to comprehend.

      I've known a clearly implemented, well documented, state-machine driven bit of code enter maintenance, and then when I've come to look at it again a couple of years later it's had all sorts of horrible patches added to it. Asked for extra functionality, rather than adding an extra row (state) to the table, the maintainers added lots of "if"s and flags to the action routines, as if actively trying to turn it back into spaghetti code.

    4. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      Probably because most people don't take any hardware design classes involving FPGAs where designing state machines is a big part of the curriculum.

    5. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      https://www.xilinx.com/support/documentation/university/Vivado-Teaching/HDL-Design/2015x/VHDL/docs-pdf/lab10.pdf

      This is the best reference for state machines imho.

    6. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      As a partial answer to your question - my experience is that very many programmers simply can't get their heads around finite state machines. They want to write code which says, "Do X, then do Y, then do Z" and the furthest they are willing to get away from that is the odd "if" statement. The whole idea of having the code simply sit and react to events is too hard to comprehend.

      I've seen an example of a state machine in some code I maintain where the state is (literally) global and any random method spread anywhere in the program and running in any random thread can change the state without even locking a mutex first. It's not really a state machine when you get to that level.

    7. Re:Why can't people write finite state machines by cascadingstylesheet · · Score: 1

      Yet I see so many state machines that:

      don't have a variable stating what state they are in

      have variables called previous state and current state

      I'm curious here - assuming those two points of yours are both bad things, they seem contradictory - wouldn't the variable called "current state" be "a variable stating what state they are in"?

    8. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      As a partial answer to your question - my experience is that very many programmers simply can't get their heads around finite state machines.

      IMHO this is because most programming training (i.e., not "proper" Comp Sci) involves only one paradigm of programming:

      * https://en.wikipedia.org/wiki/Comparison_of_programming_paradigms

      I think if more folks had to learn other styles, especially (say) learning a bit of Erlang or Haskell, it would stretch their minds a bit even if they don't end up using it day-to-day. Too many folks only learn one of Python/Java/JavaScript/whatever, and so limit their field of view.

    9. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      Let's see:

      1 boolean variable - 1 state
      2 boolean variables - 4 states ...
      10 boolean variables - 1024 states ...
      20 boolean variables - 1048576 states

      Perhaps this might answer your question.

    10. Re:Why can't people write finite state machines by arglebargle_xiv · · Score: 1

      An even bigger problem here is that what's being done doesn't need a state machine. Nor does TLS, which is also described in the spec as a state machine, and there were a whole pile of vulns discovered a year or two back where you could flip different implementations' state machines into unexpected (and illegal) states.

      If you look at what both TLS and SSH do, it's basically, client says A, server says B, client says C, server says D, client says E, server says F, and then they're done. It's a fixed series of request/response pairs, one after the other, with a few branches depending on whether you're doing mechanism 1 for step C or mechanism 2, but it's a fixed dance, not a state machine. The protocol spec is inviting errors by describing something that isn't a state machine as a state machine, leading to the inevitable errors when implementers try and shoehorn it into this unnatural form.

    11. Re:Why can't people write finite state machines by Anonymous Coward · · Score: 0

      I think his point is that it shouldn't matter what the previous state was.

  12. Re:LOL @ open sores by Anonymous Coward · · Score: 0

    god I could go an open sore right now. Maybe even a closed one.

  13. Re: This & Windows it's gonna be busy at work by Anonymous Coward · · Score: 0

    I find it informative that every critique of this vulnerability is modded down, yet every defense of it is modded up.

    This is an inexcusable condition - the server trusts the client to say YES I AM AUTHENTiCATED with no other verification

    And this is a library that is heavily used by the *BSDs and therefore IoT devices.

  14. RAY MORRIS BACKED NAZI PROPAGANDA - CAUGHT DEAD by Anonymous Coward · · Score: 0

    https://tech.slashdot.org/comments.pl?sid=12520486&cid=57184660 - Sorry Ray Morris, your nazi propaganda effort was debunked and you then put your name on it anyway. Lying Faggot Nazis ---> Gallows, do not pass go.

  15. Well ... by psergiu · · Score: 1
    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  16. Re: This & Windows it's gonna be busy at work by Darinbob · · Score: 1

    Why do IoT devices use BSD or Linux? The ones I've seen and worked on are all RTOS based (custom or otherwise).

  17. Re: This & Windows it's gonna be busy at work by Anonymous Coward · · Score: 0

    Modded Troll, as I cannot find any evidence of a 'defense' of this situation.
    There are several posts commenting that the affected library is not the one most commonly used in Linux, which is not a defense of the broken library at all, just people saying it is not as critical as it first appears to be.

  18. Re:You fail iT!? by Anonymous Coward · · Score: 0

    What the actual fuck did any of that mean?

  19. How about Dropbear? by hankwang · · Score: 1

    Lightweight/embedded linux systems actually often use Dropbear ssh server. From a quick google, I get the impression that Dropbear doesn't use libssh, though.

    1. Re:How about Dropbear? by gweihir · · Score: 1

      Looking at the Dropbear ssh sources, it looks like it is self-contained, i.e. has its own implementation of the respective functionality. It may still be based on or inspired by the defective libssh. However, it does not list libssh in its copyright statement or acknowledgements and it probably would do so if it had taken code from there. It does list some code it took from putty and from OpenSSH.

      So I would say probably unaffected.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. Re: RAY MORRIS BACKED NAZI PROPAGANDA - CAUGHT DEA by Anonymous Coward · · Score: 0

    You sure told him, Comrade Wang!

  21. Re: maybe you forgot, but there are two types by Anonymous Coward · · Score: 0

    It's been over 20 years since I was in school as an EE, so maybe they don't teach this to students anymore, or maybe you forgot, but there are actually two main types of state machines: Mealy and Moore state machines.

    The Mealy page says:

    In the theory of computation, a Mealy machine is a finite-state machine whose output values are determined both by its current state and the current inputs. (This is in contrast to a Moore machine, whose output values are determined solely by its current state.) A Mealy machine is a deterministic finite-state transducer: for each state and input, at most one transition is possible.

    and

    1. Mealy machines tend to have fewer states:
    * Different outputs on arcs (n^2) rather than states (n).

    2. Moore machines are safer to use:
    * Outputs change at clock edge (always one cycle later).
    * In Mealy machines, input change can cause output change as soon as logic is done—a big problem when two machines are interconnected – asynchronous feedback may occur if one isn't careful.

    3. Mealy machines react faster to inputs:
    * React in same cycle—don't need to wait for clock.
    * In Moore machines, more logic may be necessary to decode state into outputs—more gate delays after clock edge.

    Not all sequential circuits can be implemented using the Mealy model. Some sequential circuits can only be implemented as Moore machines.[2]

    The Moore page says:

    In the theory of computation, a Moore machine is a finite-state machine whose output values are determined only by its current state. This is in contrast to a Mealy machine, whose output values are determined both by its current state and by the values of its inputs.

    and

    * for a Moore machine, each node (state) is labeled with an output value;
    * for a Mealy machine, each arc (transition) is labeled with an output value.

    Every Moore machine M is equivalent to the Mealy machine with the same states and transitions and the output function ...

    However, not every Mealy machine can be converted to an equivalent Moore machine. Some can be converted only to an almost equivalent Moore machine, with outputs shifted in time.

  22. Re: LOL @ open sores by Anonymous Coward · · Score: 0

    Go home, shill. No one here wants what you're selling.

  23. no it doesn't by Anonymous Coward · · Score: 0

    Most servers are openssh, which doesn't use this. Stop with the hyperbole of this issue. It's a non-issue for any modern Linux system.

    1. Re:no it doesn't by psergiu · · Score: 1

      Yes ... but your server's Lights Out/Remote Management module might be running an embedded OS with LibSSH.

      --
      1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  24. Re:LOL @ open sores by gweihir · · Score: 1

    Yes, this guy is so insightless it is staggering. There is a lot of really bad FOSS out there, but anybody with a clue knows what to use and what not, because it is pretty obvious. His hate fits nicely in with his lack of clue though.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Citrix had the "//" bug by Anonymous Coward · · Score: 1

    A "feature" was the ability to change your password while logging in. To do this, you'd type "password/new/new". However, the code for setting the new password had a bug where if it was null, it didn't check whether "password" was correct! So, by logging in with "//" as the password, one got in, AND reset the password to the empty string!

  26. Which BSD is that? by raymorris · · Score: 2

    You don't happen to be confusing libssh with openssh, or libssh2 are you?

    Shodan shows a few thousand servers in the world using libssh, and half of those aren't vulnerable.

  27. A specific scene from the original Star Wars by raymorris · · Score: 2

    In the original Star Wars, Obi-Wan, R2, and C3PO are sneaking through the city when they are stopped by Storm Troopers who are looking for them. The lead Storm Trooper demands to see identification (just as an openssh server would). Obi-Wan responds "you don't need to see his identification". Unprepared for this response, the lead Storm Trooper takes it at face value and announces to the others "we don't need to see his identification".

    The next line has become a meme, "these aren't the droids you're looking for".

  28. Re: LOL @ open sores by Anonymous Coward · · Score: 0

    I'm "selling" software that doesn't suck, no surprise you feeetards aren't buying.

  29. Re: LOL @ open sores by Anonymous Coward · · Score: 0

    Yeah, because there's never been any Closed Source issues like this... I'm not buying anything you're "selling."

  30. Github.com uses it by Anonymous Coward · · Score: 0

    Yep. Github.com uses it. Though they say they are "unaffected by it".. but they still use it.

    Yet another reason to stay as far a fucking away as possible to github as possible:

    1. Easily hackable in the cloud. Just guess some stupid anus password and you are logged right into their account.
    2. Owned by microshit now. People actually apologized and still use github even though microshit owns it. It's so cute and funny.
    3. github.com uses insecure shit libs. I'm sure they use even more. Maybe they've even been rootkitted and they don't know it?

    Go ahead, trust your intellectual property to some random company with a for profit interest that anyone can access. You tech types are so smart.

    1. Re:Github.com uses it by gweihir · · Score: 1

      Move to gitlab. Works better and not owned by MS. github is a has-been. Like anything MS touches, it has turned to shit.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  31. Re: This & Windows it's gonna be busy at work by Anonymous Coward · · Score: 2, Funny

    Why do IoT devices use BSD or Linux?

    This. They should be using Windows.

  32. Re: This & Windows it's gonna be busy at work by Anonymous Coward · · Score: 0

    Because the core OS components of windows are so bloated it won't fit, and so insecure a script kiddie could crack them.