My favorite part of this was:

That kind of notation, called SCCS/RCS, is the equivalent of finding a rotary phone in a modern office. Nobody uses it in 2005 Windows kernel code unless their programming background goes back decades, to government and military computing environments

—

The astrophysics lab I worked at in 2006 was still using svn and had a bunch of Fortran with references to systems from the 70s and 80s. The code ran perfectly well thanks to modern optimizing compilers and having moved from Vax to Linux in the 90s, it was a surprisingly seamless transition.

It reminds me of a conference talk I’ve referenced before “do over or make due” basically implying rewriting large amounts of mostly functioning code was not worth the effort if it could be taped together with modern tools.

▲

kimixa 3 hours ago | parent | next [-]

Ha, I worked for a company that until ~2012 still used RCS-backed SCM, absolute hack job on a shared file share that wrapped RCS with a "project file" to allow a tree of specific revisions for a "project". "MKS" it was called. And by the sound of it the "old" '90s version, not the java EE rewrite.

That meant the files has the entire "$Revision: 1.3 $" nonsense and "file changelog" at the top too - though many newer files never bothered to include the tags to actually get RCS to replace them. Inconsistent as hell.

And while the "family" of devices the software was for traces it's origin to the mid '90s, functionally none of the code was older than ~5 years at that time.

Naturally even with only a few tens of engineers it regularly messed up, commits stepped on each other's toes and the entire tree got corrupted regularly. For fun I wrote a script that read it all and imported the entire history into git - you only had to go back a few years before the entire thing was absolute nonsense.

I have no idea why that was still being used then, but I assume it had been in use from the very start of that entire hardware family. Perhaps as it was fundamentally a "hardware" company - which until surprisingly recently seemed to consider "source control" to be "shared folders on remote machines" - "software" source control wasn't considered a priority.

▲

beejiu 5 hours ago | parent | prev | next [-]

If you're using R in 2026, you're probably invoking code compiled from Fortran from the 70s/80s somewhere along the line. It's a foundation for a lot of numerical computing.

▲

hnthrowaway0315 6 hours ago | parent | prev | next [-]

Does that mean that three-letter agencies were/are able to recruit from the fields for each type of malware? For example, fast16 might actually be written by someone who used to write scientific calculation software, while Stunex was written by someone who used to work for Siemens?

	▲	mike_d 3 hours ago \| parent \| next [-]
		Don't think of it as a materials simulation engineer being recruited and trained on how to write complex malware. Rather this was developed by a team of 6-8 people. Maybe two or three of them working on the implant, another engineer handling the exploits and propagation, and yet another building the LP and communications channels. They are supported by a scientist with deep knowledge of the process they are messing around with (say developing nuclear weapons), and a mathematician that knows how to introduce subtle and undetectable errors.
	▲	eth0up 5 hours ago \| parent \| prev [-]
		Try to remember how hypothetical everything tended to be before Snowden. And 'twas a meager pittance that was revealed. They have toys that'd blow minds and people yee'd swear weren't people. It's all fun and games to poke fun, but holy shit those guys are NTBF'dW. Every academic institution, every school, all under the radar of recruitment and more. It's difficult to believe, but the network is real. There are certainly people here on HN who've been solicited, most who'll never mention it. It's fun to imagine, though, what tight groups of highly motivated, stupidly intelligent people can do when they collectively commit to doing so - and with a hefty budget to assist.

▲

tptacek 8 hours ago | parent | prev | next [-]

Yeah, I used to be skeptical of the government provenance of things like Stuxnet (I am not any more, I'm fully sold, like everyone else), and notes like this were why. People used RCS well into the 2000s! RCS as a tool had virtues over SVN and CVS.

▲

ajju 6 hours ago | parent | next [-]

My favorite part of the paper is that the “attack” isn’t just exploiting a bug — it’s exploiting how different components interpret the same input. Modifying an executable as it’s loaded into memory is one example, but the deeper pattern is the mismatch.

What’s interesting about the malware in this post is that it goes one step further: instead of exploiting mismatches, it corrupts the computation itself — so every infected system agrees on the same wrong answer!

More broadly: any interpretive mismatch between components creates a failure surface. Sometimes it shows up as a bug, sometimes as an exploit primitive, sometimes as a testing blind spot. You see it everywhere — this paper, IDS vs OS, proxies vs backends, test vs prod, and now LLMs vs “guardrails.”

Fun HN moment for me: as I was about to post this, I noticed a reply from @tptacek himself. His 1998 paper with Newsham (IDS vs OS mismatches) was my first exposure to this idea — and in hindsight it nudged me toward infosec, the Atlanta scene, spam filtering (PG's bayesian stuff) and eventually YC.

https://users.ece.cmu.edu/~adrian/731-sp04/readings/Ptacek-N...

The paper starts with this Einstein quote "Not everything that is counted counts and not everything that counts can be counted", which seems quite apt for the malware analyzed here :)

▲

codezero 8 hours ago | parent | prev | next [-]

I do wonder if these breadcrumbs were also left intentionally. “Oh look, we are using old stuff, don’t be afraid!” Or for some other reason. It is a little surprising to pull off such a sophisticated attack and miss details you could find running ‘strings’ unless I’m missing something and this part was encrypted.

▲

tptacek 7 hours ago | parent [-]

I think that in the time period we're talking about, RCS wasn't really even all that old. Like, RCS is old, sure, but it was also in common use especially by Unix systems people; it's what you might have reached for by default to version your dotfiles, for instance.

▲

codezero 7 hours ago | parent [-]

Yes, but even back then I was aware of the sections in executables (wasn’t this where it was found?) and any neckbeard from the 70s and 80s might be even more so aware. That said, yeah, sure, it’s a very possible and understandable oversight, but I’m weary because of all the text in viruses and such as indicators. Seems like a pass over ‘strings’ would be obvious. Though. TIL, strings doesn’t necessarily scan the entire executable.

	▲	breppp an hour ago \| parent [-]
		The same binary has encrypted strings so I assume there was a pass, but if you look at the source control strings they seem to decrease the appearance of maliciousness, even today they are out of place for malware

▲

gucci-on-fleek 5 hours ago | parent | prev [-]

> People used RCS well into the 2000s!

I still use RCS today. It's certainly not my preferred option, but my collaborator likes it, and it's not too annoying for me to use.

▲

drysine 7 hours ago | parent | prev [-]

>in 2006 was still using svn

Perhaps you meant cvs? Subversion was released in 2004 and git appeared in 2005.

	▲	mjg59 6 hours ago \| parent \| next [-]
		Subversion 1.0 was released in 2004, but it was already widely used before then.
	▲	codezero 6 hours ago \| parent \| prev [-]
		We used cvs, but did switch to svn before/around 2006, but I could be mixing that up. We did not switch to git even by 2012 when I left. The reference to the 70s and 80s code didn’t imply it was version controlled before svn/cvs though if that’s what you meant, but by that time it was and still had old timestamps commented in the text files.