MakuluLinux (6.4M Downloads) Ships Persistent Backdoor from Developer's Own C2

(werai.ca)

38 points by werai3 hours ago

7 comments

sgc1 hour ago
This is why I won't use random distros, even if they have better features. It's just one more point of failure, one more point of unnecessary trust. I would rather fight to deal with specific problems with specific apps on one of the handful of core distros with long histories.
- bsimpson30 minutes ago
 I feel this way about open source generally.Lots of cool stuff that I happily use, but the bar to installing something that gets to see my password (OS, terminal, input handler, etc) is very high.Not a popular take, but I'd rather run something from Valve or Google for the same reason. I trust there to be more vetting if a corporation is putting its reputation on the product than a toy I found on GitHub.It's a bit of a myth that open source leads to more eyes on the software. Most people just install it and trust that somebody else did the audit.Something with a vibrant community of maintainers? Maybe.Something that's too big to personally audit but too small for that community? I'll pass.
- Noaidi1 hour ago
 Agreed, I just installed Fedora 43. I don’t even trust CachyOS at this point.
sigio1 hour ago
The entire website looks shady, I can't imagine anyone installing this.Was there any analysis on what the binaries do, because it could theoretically be a really badly implemented 'check for updates'.Though I'm tempted to believe it is all part of a big scam :)
- sigio1 hour ago
 Seems the only download the the OS is a 6.7GB ISO, yeah, not gonna bother to download and unpack that.Browsing to their github is also interesting, no source anywhere, a few empty repos with a LICENSE.txt or README.md, but nothing of value.
thefz1 hour ago
> This is exactly why the Human Router architecture exists. In a world where you cannot even trust your operating system vendor, every decision — every execution — needs a governance gate.> D = G × S. If G ≠ 1, D = 0. No action is routed without verified authority. No exceptions.W... what?
- r_lee1 hour ago
 It's an AI slop startup blog advertising their product, thats why.
mrbluecoat1 hour ago
> Discovered by Steven Stobo (WeRAI / Haven AI)AI pentesters and fuzzers will soon be the norm. And that's a good thing.
- pixl971 hour ago
 Static analysers are a good start here, but so often their rules can be overcome configuration tricks.AI is seemingly really good here on that. Be interested to watch how it performs on the more weird and uncommon security cases.
whalesalad1 hour ago
I genuinely don't understand why anyone would use anything other than Debian (or Ubuntu), Fedora or Arch. Every other distro is a) based on one of those and b) is essentially just a package set + some wallpapers.
- craftkiller57 minutes ago
 While I get your point, you are missing a big player: NixOS. It is not based on any of those distros, it is not similar to any of those distros, and it offers significantly more than just a package set and wallpapers.My NixOS install is immutable, so I can trivially roll back any changes to my system/software/configs.It has a lockfile so the versions of all of my software do not change _at all_ unless I tell it to. That lockfile doesn't just extend to the software I have installed but all the software that is used to build the software on my machine, so I can perfectly reproduce the same system with the same version of software compiled by the same exact versions of the compilers.On NixOS you can trivially have many versions of any software or library installed on your system and use them all (for example, foo can depend on python 3.7.2, bar can depend on python 2.7.1, and baz can depend on python 3.14. They can all happily live on my machine. You can even have multiple copies of the same version of python but compiled with different flags if you want. On arch linux your only option for python right now is 3.14.2.)On NixOS I can trivially run 1 command and generate a bootable ISO that has exactly the same software and configs that I have installed on my computer. This has been rather nice for repair/debugging USBs and for running virtual machines off the ISOs.You're also missing:<pre><code> - Gentoo (not based on any of the distros you listed) - Chimera Linux which brings in the FreeBSD userland, musl libc, and Dinit - Suse Linux (a pop music video cover band that also made some Linux distros. They were pretty big in the live kernel patching ("Don't reboot it just patch!"). Not based on any of the distros you listed)</code></pre>
- cosmic_cheese59 minutes ago
 Defaults matter way more than many think. More often than not, defaults are what inspire distro hopping.Why? Because the path to the desired result from a big-name distro is frequently non-intuitive, often to the point that the user may not even realize it's possible. When something doesn't work as expected, the response isn't "I need to figure out which packages to install and what config files to change," it's "oh I guess this distro isn't what I'm looking for".I think it would do an immense amount of good if the big distros did more to address this. If they made it such that a fresh install could be made to fit any remotely common use case and hardware combination with no more than 1-3 clicks that would make tiny distros much less appealing.A handful of distros have the right idea by offering an install ISO with preconfigured proprietary Nvidia drivers for example, but even that could be improved upon by just rolling some heuristics into the stock install ISO to figure out if the user needs Nvidia drivers or not.
 - bsimpson27 minutes ago
 Add the gaming distros to the list too.People generally want something that works, without tinkering - particularly on an entertainement device. I'll happily let Valve etc. pick the kernel and driver versions, set up the compositors, make the controllers work, etc.
- graemep30 minutes ago
 > Every other distro is a) based on one of thoseApart from NixOS, Guix, Alpine , Void, SuSE, Gentoo, Slackware, PCLinuxOS, GoboLinux.....> essentially just a package set + some wallpapers.Not Ubuntu with a different support cycle, Mint and PopOS with their own DEs, Arch derivatives that are easier to install, Elemantary with a DE and apps, Devuan with multiple init systems, ......
- pseudony1 hour ago
 NixOS would like a wordBeyond that, Gentoo, SuSE and a few others.But generally, yes, be careful with what you install :)
- avhception1 hour ago
 I agree with the sentiment you're trying to express.But as a Gentoo / SuSE user, I'm also a little offended!
- doublerabbit23 minutes ago
 Debian is out-of-date with packages although for good reasons and Ubuntu is a corporate lobotomized version Debian.Fedora is the bleeding edge not recommended for anything other than testing and is of corporate RedHat Enterprise Linux and RedHat are now owned by IBM and Arch is Gentoo's jealous cousin.It's why I use FreeBSD and keeping close tabs on Haiku.
OsrsNeedsf2P1 hour ago
This article is so painful to read. Do people not have shame in publishing slop?> MakuluLinux is not just an OS with a backdoor. It's a delivery vehicle for a centralized AI-as-a-service platform.But to the actual article point; it looks like this OS is designed to have these "integration features" that depend on a 3rd party connection. They could obviously be better - But the intent of them is very similar to how Android, Windows, or MacOS operate.
- pixl971 hour ago
 >Do people not have shameThe only person in the world you know can have shame is yourself. As for anyone else, you can only assume they do not have it, or are trying to trick you to feel shame to take advantage of you.If you want said articles to feel ashamed, then they'll have to stop getting upvoted on HN. Otherwise they are here to stay.
LePetitPrince10 minutes ago
[dead]