Cengiz Can
@cengiz-io.bsky.social
Linux Kernel Engineer at Canonical
Reposted by Cengiz Can
this fall I worked with the core Git folks on writing an official data model for Git and it just got merged! I learned a few new things from writing it. github.com/git/git/blob...
git/Documentation/gitdatamodel.adoc at master · git/git
Git Source Code Mirror - This is a publish-only repository but pull requests can be turned into patches to the mailing list via GitGitGadget (https://gitgitgadget.github.io/). Please follow Documen...
github.com
December 2, 2025 at 5:01 PM
this fall I worked with the core Git folks on writing an official data model for Git and it just got merged! I learned a few new things from writing it. github.com/git/git/blob...
Those ideal conditions you are waiting will never happen.
people over 30 quote this with some life advice for the rest of us?
January 31, 2025 at 5:22 AM
Those ideal conditions you are waiting will never happen.
Reposted by Cengiz Can
Reposted by Cengiz Can
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.
Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Woah. Backdoor in liblzma targeting ssh servers.
www.openwall.com/lists/oss-se...
It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…
Now I’m curious what it does in RSA_public_decrypt
www.openwall.com/lists/oss-se...
It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…
Now I’m curious what it does in RSA_public_decrypt
March 30, 2024 at 5:13 PM
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
Reposted by Cengiz Can
🎉 #Shoutout to the incredible #openSUSE #community! Passion, collaboration & understanding of #opensource is what makes @opensuse.bsky.social thrive. Together, we help to enhance peoples' #digital life. www.opensuse.org
October 18, 2023 at 2:11 PM
🎉 #Shoutout to the incredible #openSUSE #community! Passion, collaboration & understanding of #opensource is what makes @opensuse.bsky.social thrive. Together, we help to enhance peoples' #digital life. www.opensuse.org