Hacker News

One thing to note is that the person that added the commits only started contributing around late 2022 and appears to have a Chinese name. Might be required by law to plant the backdoor.

That would be quite scary considering they have contributed to a wide variety of projects including C++ https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...




I don't think you need to worry about the C++ contribution: https://github.com/MicrosoftDocs/cpp-docs/commit/9a96311122a...


This does make me wonder how much they made a deliberate effort to build an open source portfolio so they’d look more legitimate when time came to mount an attack. It seems expensive but it’s probably not really much at the scale of an intelligence agency.


What's the salary for a software engineer in urban China? 60-80k/yr USD? Two years of that salary is cheaper than a good single shoulder fired missile. Seems like a pretty cheap attack vector to me. A Javelin is a quarter million per pop and they can only hit one target.


They are paid much less than that. However, American weapons are also far overpriced due to high labor costs, among other things. The Chinese probably have cheaper weapons.


Yeah, exactly - when your army is measured in the millions, picking n hundred with technical aptitude is basically a rounding error.


Unless the payment is performed by a foreign entity (which means a US employer is hiring a Chinese hacker), it's not a wise choice to do currency exchange when measuring salary, because it would erase other factors affecting salary, like CPI or housing price.

Apart from (both visible and invisible) taxes, I expect a senior programmer would earn ~500-700k CNY per year. Game programmers may reach up to 200k. For a team able to perform such an attack, 1M/yr avg. might be reasonable.

But if this is not a state-sponsored attack, I can't find enough interest. And, if this is state-backed... contractors or some dishonest officials would take a huge part, so the real cost might be >2M/yr. Considering you can get nothing during 2 years' lurking, I doubt if it's feasible enough.


If I were doing it, I'd have a number of these "burner committers" ready to go when needed.

If I were doing it AND amoral, I'd also be willing to find and compromise committers in various ways.


Until you figure there are very subtle unicode changes in the URL that don’t diff on GitHub. :)
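A defender's check for the kind of change this comment describes, added here as an example (it is not code from the thread or from any project discussed in it): it walks the added lines of a unified diff and flags format characters that render as nothing, bidirectional override/embedding controls, and non-ASCII code points inside URLs, so a reviewer sees the hidden change even when the rendered diff looks unchanged. The bidi check goes a little beyond the comment's URL case, since those characters hide changes the same way. The sample diff is constructed for the demonstration; in practice the input would be `git diff` output in a CI step.

```python
"""Flag Unicode changes in a unified diff that a rendered review would not show.

Added example, not from the thread or any project it discusses.
Assumes plain-text unified-diff input; the sample diff below is constructed.
"""
import re
import unicodedata

# Explicit bidi embedding/override/isolate controls (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}

# Rough URL matcher; zero-width characters are not whitespace, so they stay inside the match.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def scan_text(text):
    """Return a list of (column, codepoint, unicode_name, kind) for suspicious characters.

    kind is one of:
      "bidi-control"      - reorders how the line is displayed
      "invisible"         - category Cf format character (zero width space, joiners, BOM, ...)
      "non-ascii-in-url"  - non-ASCII inside a URL, e.g. a Cyrillic letter that looks Latin
    """
    findings = []
    url_spans = [m.span() for m in URL_RE.finditer(text)]
    for col, ch in enumerate(text):
        cp = ord(ch)
        name = unicodedata.name(ch, f"U+{cp:04X}")
        if cp in BIDI_CONTROLS:
            findings.append((col, cp, name, "bidi-control"))
        elif unicodedata.category(ch) == "Cf":
            findings.append((col, cp, name, "invisible"))
        elif cp > 0x7F and any(start <= col < end for start, end in url_spans):
            findings.append((col, cp, name, "non-ascii-in-url"))
    return findings


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff.

    Returns {line_number_within_diff: findings}; file headers ('+++') are skipped,
    and columns are relative to the line content after the leading '+'.
    """
    report = {}
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            findings = scan_text(line[1:])
            if findings:
                report[line_no] = findings
    return report


# Constructed sample: a zero width space splits the host name, a Cyrillic 'o'
# replaces a Latin 'o' in the path, and a right-to-left override hides on the echo line.
SAMPLE_DIFF = (
    "--- a/build.sh\n"
    "+++ b/build.sh\n"
    "@@ -1,2 +1,3 @@\n"
    " #!/bin/sh\n"
    "-curl -O https://example.com/download/src.tar.gz\n"
    "+curl -O https://exam\u200bple.com/d\u043ewnload/src.tar.gz\n"
    "+echo \u202edone\n"
)


if __name__ == "__main__":
    for line_no, findings in sorted(scan_diff(SAMPLE_DIFF).items()):
        for col, cp, name, kind in findings:
            print(f"diff line {line_no}, col {col}: U+{cp:04X} {name} [{kind}]")
```

The check deliberately stays narrow: format characters and bidi controls are flagged anywhere, but non-ASCII is only flagged inside URLs, so ordinary non-English text in documentation does not drown the report. Widening the non-ASCII rule to identifiers or to whole source files is a one-line change to the `elif` condition.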


> appears to have a Chinese name

Given the complexity of the attack, I'd assume the name is fake.


The contribution to C++ is just a simple markdown change: https://github.com/MicrosoftDocs/cpp-docs/pull/4716 C++ is fine.


Also it's not a contribution to C++ but only one of Microsoft's projects around C++.


I would think a Chinese state hacker would not assume a Chinese name, just in case he was discovered like now.


But your reaction being a common one would make a Chinese name the best pick for a Chinese agent wanting to hide their country affiliation.


No one is being “required by law” to add vulnerabilities, it’s more likely they are foreign agents to begin with.


Depends on the law and where you are. Publicly we have https://www.eff.org/issues/national-security-letters/faq and it's likely that other requests have occurred from time to time, even in the USA.


> No one is being “required by law” to add vulnerabilities

This is absolutely not the case in many parts of the world.



