Then it'll probably complain about an unprotected private key file and will fail, but that's not important. The point has been made: this public key is known to exist in that account's authorized_keys file. This by itself is not enough to let you break into an account, but if you're doing some kind of security analysis, being able to figure out who can get to what is a great place to start. If there's an organization with 50 role accounts and 500 employees, being able to narrow down the possibilities for the most tasty accounts can save you a lot of work. Once the targets are known, you can specifically pursue them and try to compromise their private keys.
My life as a mercenary sysadmin can be interesting. Sometimes I find things, and sometimes I hear things. Now and then I say things. Right now, I think it's probably best if you uninstall atop. I don't mean just stopping it, but actually keeping it from being executed. I'm not talking about the OG top, or htop, iftop, or anything else with a "top" name. Just atop. I can go into why another time.
ult_avatar@reddit
Well luckily I'm on btop already
gnimsh@reddit
One been on h for years
Electronic-Sea-602@reddit
Exactly. I've been using htop for nearly a decade.
Le_Vagabond@reddit
The real ones use bottom.
Morty_A2666@reddit
I use abottom...
ohiocodernumerouno@reddit
abot
merpkz@reddit
Does btop collect historical info in background? Whole point of atop is that it collects information over time and you can then skip back and see what happened in system.
nathacof@reddit
https://www.theregister.com/2025/03/27/atop_panic_averted/
phantagom@reddit
I am in close contact with the maintainer of atop; he is working on a fix that will be released responsibly. But there is no known exploit yet, only in theory.
spudlyo@reddit (OP)
For those of you who don't know, Rachel is a very credible source, and if you've read her blog, you know she knows her shit. If she said you might want to stop running atop, it might behoove you to see if you have it running without being aware of it.
At a previous gig atop was used as a long-running resource debugging tool on thousands of machines, and if I remember correctly some packaged versions of this tool have it run out of cron as part of the package install.
I have no idea why she is being cagey about this, I assume it's because she's not allowed to say more, due to some confidentiality agreement with someone she's working for. If you can get ahead of this without too much pain, I'd do it.
leaflock7@reddit
one could make the question, credible source based on what or who?
spudlyo@reddit (OP)
Rachel is a semi-famous Linux sysadmin who has worked for big tech companies. Her blog is filled with industry horror stories from the trenches and meaty tech articles about low-level debugging. She is not known for vagueposting or shitposting, she gets paid to debug hard-to-find problems in stressful situations.
For example, in this post from 2014, she dug into why atop sometimes segfaults after a crash. If you're a linux sysadmin, you remember articles like this, because they're filled with interesting and relevant details.
DensePineapple@reddit
What makes a sysadmin famous?
rindthirty@reddit
Surely not stuff like this or this...
DensePineapple@reddit
Two blog posts..?
rindthirty@reddit
Did you read them and see what's wrong with them?
IridescentKoala@reddit
This person thinks GitHub is suspicious for "exposing" "public keys".
gristc@reddit
Exposing them wasn't the issue. The fact that you could then use them to discover valid users is. But you know that, because you read the whole article and actually understood it, right?
IridescentKoala@reddit
Public keys aren't exposed, they are shared. It's a feature not a vulnerability and the example use-case is just laughably ineffective.
biffbobfred@reddit
What was the page? Seems down now
spudlyo@reddit (OP)
TheLinuxMailman@reddit
Thanks. Done!
biffbobfred@reddit
Yeah in between my first comment and you sending this i found an archive page. Thanks.
jaskij@reddit
responsible disclosure?
anna_lynn_fection@reddit
It also has a service that can/does run full time which allows for viewing history and viewing your stats at any time you wish. Want to know why your system was lagging 30 minutes ago?
That's a great feature, but if there's an issue with it, it could mean that you've got it running all the time and are unaware of the fact that it's running all the time.
I'm not dumping it until I know more. This post is way too vague for me to react to.
insanemal@reddit
I use atop quite a bit as it's exceptionally effective for storage performance monitoring in Lustre servers.
While I'm sure she has solid credentials, I can't go to my higher ups and say "We need to remove this asap because this person vague posted about it"
I can pull it from my personal machines but getting it off the network booting read only root servers is a bit more work.
vortexman100@reddit
Why not? "I have a credible tip from a trusted source that atop might be compromised in some form. As it is usual to use responsible disclosure for issues like this, no additional information will be available, however my experience tells me that this is likely to be big. Looking at atop and the warning from the trusted source tells me that this is likely a network unprivileged vector, so I am going to proactively remove the involved package."
spudlyo@reddit (OP)
... and since we rarely use the data atop generates, I felt it was better to be safe than sorry. In fact, boss, I made the call to remove this threat from our network two weeks ago, so you can tell the board of directors we're safe.
insanemal@reddit
Bro. I'm talking a two week rolling outage.
Over a vague post.
On an air gapped network.
I need more details
spudlyo@reddit (OP)
Oh yeah, I didn't see net booted read-only machines. Whelp, details are probably coming soon enough, you might as well think how you're going to orchestrate this. It may be that this bug or vuln or whatever it is is relatively new and you're safe, or it could turn out to have been there for years.
insanemal@reddit
Oh I can have a replacement image brewed up in 10 minutes.
Doing the rolling out without taking down prod is the slow and painful part.
brb rolling reboots on a few thousand machines.
If it was an outage, easy. Everything goes off and boots into a new image. Easy clean happens inside our usual 24 hr outage window.
Many of the nodes aren't running the agent. Atop is just in the image.
insanemal@reddit
Yeah I think it's credible because I have a half an idea who's making the claim.
But to non-technical people.
They sound like Chicken little.
frymaster@reddit
Assuming you don't let your servers dial out to the internet and possibly connect to a C&C server, at least those will be immune to local-user attacks and will only be accessible for network attacks from your authenticated users (and you could firewall them quite strictly).
insanemal@reddit
Yeah that's why I want more details.
I suspect this is the case.
SevaraB@reddit
That sounds an awful lot like somebody freaked out but trying to toe the line with responsible disclosure for something really major in the CVSS 9.8-10.0 range.
random_passerby_12@reddit
He just wrote a new post about 'atop' - https://rachelbythebay.com/w/2025/03/26/atop/
Some things are clearer now.
death_in_the_ocean@reddit
https://github.com/Atoptool/atop/commit/8d1799bff61461ef151aed6e05b05cacb6475648#commitcomment-154345184 There's this so it might just be hysterics. Let's wait and see of course, but a fundamental law of the internet is that everything is fake and gay until proven otherwise.
painefultruth76@reddit
I thought everything is gay, now... Human sacrifice, dogs and cats living together...mass hysteria!
420GB@reddit
Can't get to the site, timeout
apathyzeal@reddit
Prolly should check this first https://downforeveryoneorjustme.com/
Baxmoke@reddit
btop/htop gang. didn't even know about atop
IridescentKoala@reddit
I sure hope all five people using atop find this person's blog post before it's too late.
rgmundo524@reddit
Atop is quite popular
Burgergold@reddit
I'm on htop
bastian320@reddit
Interesting musings.
Potentially aged back-door etc.
https://news.ycombinator.com/item?id=43477057