1. 2

    In a way, I’m surprised how few times the term “Emacs” is used in this post (I think one? I’m on mobile right now). Magit has the following and recognition to stand on its own these days.

    1. 1

      Perhaps they should start bundling emacs+magit and emacs+orgmofe in a single package, like electron…

    1. 2

      The use of the word “backdoor” is odd.

      From what I gather, this is a rootkit. Upstream systemd doesn’t have this code.

      1. 3

        “Backdoor” is a common term within AV industry to refer to (unwanted) software that receives command and control from another system. A “rootkit” is software that hides itself from various listings, such as by manipulating kernel structures or inline hooking userland APIs. So, in antivirus lingo, this article describes a backdoor and not a rootkit.

        The malware masquerades as systemd by using that term in its filenames. I don’t see any indication that it is distributed with systemd (what you’d call a supply chain compromise).

      1. 3

        can anyone think of a quick and browser-local way to capture this information for oneself? pretty sure my habits align almost exactly and want to try to reproduce.

        also maybe identify some classes of queries that i can redirect to e.g. Dash and interact less with Google.

        1. 4

          Your browser history is captured in the local sqlite database. Shut down the browser (to let it release locked .db file) and use sqlite3 to query its database. Here’s (good enough) gist to start from – Playing around with Chrome’s history.

          1. 2

            See if you can get your browser history as a list of URLs. You could filter them down to known search pages and extract the queries from the query strings.

          1. 1

            The offensive tools used during a cyber operation might likewise have embedded “canary tokens”. So when responding to an incident, avoid triggering such tokens as you analyze malware or infrastructure.

            For example: typically don’t visit embedded URLs as an operator watching their web logs may decide to pack up shop and vanish.