pull down to refresh

What happened here is now well documented elsewhere, so I shall not recap it much, but essentially somebody appears to have hijacked the open source XZ project by social engineering the volunteer developer into handing over maintainer access after they cited some mental health issues, used the package XZ Utils to piggy back into systemd loading liblzma, which in turn loaded XZ, allowing sshd to be hooked to trojan it on Linux distributions that use systemd.
The trojan allows somebody a private key to hijack sshd to execute commands, amongst other functions. It is highly advanced.
reply
The last part with being noticed by autist for 0.5s startup delay is killing 🤣
reply
Something not priced in to opensource security is AI reviewing code for potential vulnerabilities. It's not perfect of course, but it can call for more expert review by identifying suspicious practices in code or simply labeling a library as sus
Recently added our repos to socket to monitor our npm based supply chain for deps, and it's pretty awesome. Will be even more awesome when there are several others available
reply
If you applied such an AI bot to the XZ backdoor and it found it (without including it in your dataset of course) I'd be more enthusiastic. The degree of code obfuscation with this was pretty high to be fair.
reply
This actually would be an interesting experiment.
Did somebody try to test whether running copilot or any other source code AI tool will identify it as a vulnerability?
reply
Yea it was buried really good, but that will also result in automating new kinds of tests
reply
I look forward to it.
reply
Well with the caveat that they might have done/are attempting both top panel and bottom panel
reply
Looks like that page that link connects to has been .. removed
reply
deleted by author
reply
Smells like a nation state level attack. It's very lucky this got caught. Next time, maybe not. This could have had devastating consequences. The FOSS community is on notice that small projects embedded in larger projects such as systemd are being reviewed for weak-handed maintainers that can be manipulated, co-opted, and back doored.
reply
The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on Github span multiple years. The backdoor itself is super well put together, and even includes the ability to remotely deactivate and remove the backdoor via a kill command.
We should stop using open source and only buy American vendor products! Yeah, good luck with that.
There are no easy fixes.. we should just try to reduce the risk and calmly work some solutions.
Great write-up! & call to buidl. Things are definitely heating up.
Processing less user data & using fewer 3rd party dependencies needs to be a part of any software roadmap this next 2 years. Something I mentioned in The Privacy Pivot here on SN. In this case a lucky break and not much that could be done, but more vulnerabilities are around the corner no doubt.
It’s already a full time job to report on them it feels like.
reply
"We should also acknowledge that open source developers are largely unpaid"
Let them use LN and they will be paid. I would send some sats for such backdoor discovery above, and imagine whole world too...
reply
Good model :)
reply
deleted by author
reply
because of much lower entry barrier for tipping like for example 500 sats
reply
deleted by author
reply
All you are doing is signaling that open source work is only worth fractions of a penny
lol, and now multiply 500sats by number of users of SSH, or even only a generous part of them
reply
using fewer 3rd party dependencies
Looking at the JS community :S ... just don't run JavaScript.
It's going to be a wild ride from now on... and as always... it's not just "software", we are on top of magma in the "hardware" realm...
reply
Failed in a sense that it didn't make it into major distros or all of world internet infrastructure. But still absolutely terrifying how far they came.
reply
10 sats \ 0 replies \ @freetx 1 Apr
Reminds me of this...
reply
My goodness, what next?
reply
Hardware.
reply