new | show | ask | jobs Github

Animats 21 hours ago

So eleven years ago someone put a backdoor in the Telnet daemon.

Who?

Where's the commit?

▲

greyface- 21 hours ago | parent | next [-]

https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c28...

▲

its_magic 18 hours ago | parent | next [-]

That link goes to a page full of random garbage. No commits there to be seen.

Apparently the owners of that website don't like my choice of user agent, and have decided to punish me accordingly.

	▲	gzread 10 hours ago \| parent [-]
		Same here. It says please wait while verifying.

▲

ieie3366 21 hours ago | parent | prev [-]

That's crazy. This is core business critical software but they just YOLO critical changes without any automated tests? this PR would be insta-rejected in the small SAAS shop I work at.

▲

acdha 20 hours ago | parent | next [-]

Culture has changed a lot since the 20th century and older projects can have antiquated norms around things like testing. I was just listening to a recent podcast talking about how worrisome it is that OpenSSL has a casual culture about testing[1] and was reminded about how normal that used to be. I think in the case of telnetd you also have the problem that it’s been deprecated for multiple decades so I’d bet that they struggle even more than average to find maintainer time.

1. https://securitycryptographywhatever.com/2026/02/01/python-c...

▲

fhub 20 hours ago | parent | prev | next [-]

Even with automated tests you'd need to think of this exploit right? Perhaps fuzzing would have got it. The mailing lists says they proved it successful on

- OpenIndiana

- FreeBSD

- Debian GNU/Linux

So not complete YOLO.

See https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg...

FWIW, a well known LLM agent, when I asked for a review of the patch, did suggest it was dodgy but didn't pick up the severity of how dodgy it was.

▲

JCattheATM 19 hours ago | parent [-]

> a well known LLM agent

Which one?

▲

accrual 19 hours ago | parent [-]

Not GP, but my local Ministral 3 14B and GPT-OSS 20B didn't catch anything unless I gave some hints.

▲

JCattheATM 18 hours ago | parent [-]

He says 'well known' so I assume Claude or GPT, I just don't get why he's being coy.

	▲	fhub 17 hours ago \| parent [-]
		I thought by not naming it wouldn't shift the focus to the particular model, but it did the opposite. It was gpt-5.3-codex in medium mode.

▲

direwolf20 20 hours ago | parent | prev | next [-]

If you think you can do better you're welcome to do better. I say this without a hint of sarcasm. This is how open source works. It's a do–ocracy, not a democracy. Whoever makes a telnet server gets to decide how the telnet server works and how much testing it gets before release.

▲

its_magic 18 hours ago | parent [-]

Maybe the lesson here is to stop letting the GNU folks do things, if this is what they do. This is only one example of craziness coming out of the GNU camp.

▲

nomel 17 hours ago | parent | next [-]

Or, flip the responsibility to what it has always been understood to be, when using open source software from random volunteers (some being bad actors) on the internet for anything remotely critical: audit the source.

▲

db48x 17 hours ago | parent | prev | next [-]

GNU doesn’t provide labor, only organizational tools like mailing lists and whatnot. The projects that GNU supports are still run by individual volunteers. If you want it done better then please volunteer so that you can be the one doing it better.

▲

its_magic 15 hours ago | parent [-]

I am the one doing it better. GNU software is slowly being deprecated on my system, starting with glibc.

	▲	db48x 3 hours ago \| parent [-]
		So you’re just changing which volunteers you depend on? That’s really productive of you. Thank you for your service.

▲

account42 11 hours ago | parent | prev [-]

You can enslave yourself to Microslop if you prefer.

▲

wildzzz 20 hours ago | parent | prev | next [-]

Any business that has a telnet daemon able to be reached by an unauthenticated user is negligent. Just the fact that everything is in the clear is reason enough to never use it outside of protected networks.

▲

dec0dedab0de 19 hours ago | parent [-]

unless it doesn’t matter if it’s evesdropped

▲

FabHK 19 hours ago | parent [-]

Traffic could be tampered as well.

	▲	nomel 17 hours ago \| parent [-]
		Sometimes that doesn't matter either. That is the valid use case of a plain-text protocol like telnet: doesn't matter.

▲

icedchai 17 hours ago | parent | prev | next [-]

Most 90’s era software had zero tests. Nobody gave it a second thought.

	▲	lmm 9 hours ago \| parent [-]
		Early '90s maybe. By the late '90s people knew tests were a good idea, and many even applied that in practice.

▲

avaer 20 hours ago | parent | prev | next [-]

There's a famous XKCD about this: https://xkcd.com/2347/

In this case the hero's name is apparently Simon Josefsson (maintainer).

	▲	idiotsecant 19 hours ago \| parent [-]
		I feel like we should just start saying 2347. Everyone knows what you mean.

▲

AlienRobot 20 hours ago | parent | prev | next [-]

https://xkcd.com/2347/

Ah, someone beat me to it!

▲

pjc50 11 hours ago | parent | prev [-]

It can't be critical business software if the business to which it is critical isn't paying anything for it.

▲

Arubis 21 hours ago | parent | prev | next [-]

Telnet's cleartext and always has been. A backdoor seems like overkill.

	▲	direwolf20 20 hours ago \| parent [-]
		You still have to know the password or snoop on someone typing the password. But with this vuln, you don't. You can just get root instantly.

▲

mmooss 20 hours ago | parent | prev | next [-]

> backdoor

Do you mean that it's intentional? Why do you think so?

▲

parl_match 21 hours ago | parent | prev [-]

It wasn't a backdoor, just a very serious security bug. Congrats on jumping straight to conspiracy and paranoia, though.

▲

alt187 21 hours ago | parent [-]

It's only a conspiracy and paranoia if it's wrong. 11 years ago was 2015.

	▲	parl_match 3 hours ago \| parent \| next [-]
		It is wrong. The author is known, was acting in good faith, and simply fucked up really badly. I don't know what 11 years ago has to do with anything, besides the awful lifespan of such a severe bug.
	▲	its_magic 18 hours ago \| parent \| prev [-]
		> GNU organization > giant security flaw Checks out.