Replies: 22 comments 2 replies
-
You failed no one. Thank you for everything you have done so far.
-
NoiseTorch has been immensely helpful in allowing me to communicate effectively with people since the start of the pandemic and I'm sure the same is true for thousands of other users. I can't thank the maintainer and contributors enough for providing such a useful tool to the community. If a full audit of the code is needed, I'm sure the community can come together to do what is required. I truly hope this isn't the end of NoiseTorch in its current form.
-
I don't understand what has happened or what is happening. Can't we just use the most recent fork and create a new GitHub organization out of it?
-
@aniketfuryrocks From what I've gathered, one of lawl's systems has been compromised. That system stored their private keys. lawl isn't sure if whoever compromised their system has done anything to this project, so they've advised us to not trust the binaries or the source code.
-
@contraexemplo is correct. Sorry i feel dead right now. I don't have any energy to deal with this right now. I believe the compromise is unrelated, but again, better safe than sorry.
-
@lawl I'm really sorry you're going through this. Please take all the time you need to recover! One thing to keep in mind, though, is that you've built a community on top of a really useful and easy to use software. We'd love to help you with whatever you may need to keep the project going. You'll have a community to go back to when you're ready.
-
I know, I'm just an ordinary User, but if we as a community can help in any way, please let us know <3
-
@lawl Thank you so much for this awesome project, please don't give up on it! To move forward, however, I need to know the scope of the breach, including how long this has been going on for. What's the nature of the compromise? I need to know if my systems are still secure, or if I need to delete everything.
-
I'd like to know that too.
-
Alright, then how can I help you find out? Are there any commits in particular that are likely suspicious that I should look at? I'm going to start digging through past commits and see if I can find anything.
-
lawl/NoiseTorch@8c34658 are imo the most likely candidates where one would hide a backdoor, i had reviewed the entire diff i vendored. I take dependencies seriously. But who knows, if my system was compromised, was it showing the right things? How would one trust your review?

edit: least -> most. sorry, still slightly foggy head operating from a system i don't trust.
-
I'm doing my review from a device that has never touched NoiseTorch. Unless the person who compromised your system is a super genius, with the foresight to edit how others' browsers view the getfedora.org page, including the checksums available there, my device is not compromised. As for how you can trust me personally? You can't. But if enough other people look at the code with me, eventually you should have enough of a crowdsourced audit that you can move on safely. I'll look at those commits and then I'll start digging around in the source. I'm going to work on a testing environment to watch for unexpected behavior from NoiseTorch as well, but that may take some time, because I don't have a lot of experience there.
-
For speed's sake, I'm going to assume that official GoLang packages are safe to use, and will instead focus on the ones that come from GitHub repositories.

Edit: oh. there is more to the commits than i thought.
-
yes, i consider golang.org part of my trusted computing base, since well, i'm using their compiler, so, we have all read the reflections on trusting trust paper, right?
-
I'm not ready yet to give up on this project: cadmus has been updated 2 years ago and all other utilities that could fill this gap are either way older (and technologically totally outdated - i.e. pipewire support) or are commercial tools that just would not fit my wallet. Also noisetorch has been my favourite for quite some time now. UI and UX are good, sound quality on pulseaudio and pipewire are great.

And finally: while a little dramatic for my taste, the way @lawl handled the incident is great. You apparently informed the world about the breach as soon as you got to know about it yourself and helped the community to check the code as well as you could. Sure, reinstating the trust into this project may take a few hours of checking and auditing, but in the end - I'm sure about it - this project will hopefully rise and shine again.

My suggestion to you, lawl, would be: get a good night's sleep and some rest from this stress. Sort out your machines and make them yours again. We can wait a few weeks or months and the world will still continue turning.
-
Hello! First, thanks to the developer for all the work, and sorry for this incident… I hope you will be able to find some rest after all of this. Just to know, as a normal user, what should I do besides stop using it for the moment?
-
@Rififia That's about all there is to do right now. Keep an eye out for updates.
-
looking forward to seeing the restoration completed soon (or as soon as the README PR gets accepted)
-
I have finished my code review. I had to learn GoLang. As far as I can tell, there is nothing malicious that made it in. I have also been running noisetorch in a testing environment (Ubuntu 18.04 VM) for the duration, with no strange requests captured in wireshark. I would like a second or third opinion, but I am giving this my stamp of approval.
-
So I assume it is safe to use noisetorch again. Just to know, was the update server verified (i.e., no fake updates were triggered? I don't recall anything like this.)? And only the last binary has been checked?
-
I just wanted to register my support for the community here. I've been following the code audit closely and I'm so happy NoiseTorch is back in business! I tried several different noise suppression solutions in the meantime but none worked as well for me as NoiseTorch. I'll keep following the project to see if there's any useful contribution I can make in the future. Awesome job, everyone!
-
yay~ noisetorch is back~ and it appears to solve my freerdp call audio echo issue~ i suppose this can now be closed: #274
-
@lawl thank you for this awesome project.
we will always love you and this project. ❤️