What happened here is now well documented elsewhere, so I shall not recap it much, but essentially somebody appears to have hijacked the open source XZ project by social engineering the volunteer developer into handing over maintainer access after they cited some mental health issues, then used the package XZ Utils to piggyback on systemd loading liblzma, which in turn loaded XZ, allowing sshd to be hooked and trojaned on Linux distributions that use systemd.
The trojan allows somebody with a private key to hijack sshd to execute commands, amongst other functions. It is highly advanced.
https://cdn.discordapp.com/attachments/796935699034144798/1224080427921182821/media-cache.png?ex=661c30bc&is=6609bbbc&hm=fa6abd85ec020e6fec88852b82e23ebd65694627d082ecdf1a80ebcfed5ec7e5&
Something not priced in to open source security is AI reviewing code for potential vulnerabilities. It's not perfect of course, but it can call for more expert review by identifying suspicious practices in code or simply labeling a library as sus.
Recently added our repos to socket to monitor our npm based supply chain for deps, and it's pretty awesome. Will be even more awesome when there are several others available.
If you applied such an AI bot to the XZ backdoor and it found it (without including it in your dataset of course) I'd be more enthusiastic. The degree of code obfuscation with this was pretty high to be fair.
This actually would be an interesting experiment.
Did somebody try to test whether running copilot or any other source code AI tool will identify it as a vulnerability?
Yea, it was buried really well, but that will also result in automating new kinds of tests.
I look forward to it.
The last part, about being noticed by an autist because of a 0.5s startup delay, is killing me 🤣
Well with the caveat that they might have done/are attempting both top panel and bottom panel
Looks like the page that link connects to has been... removed.
deleted by author
Smells like a nation state level attack. It's very lucky this got caught. Next time, maybe not. This could have had devastating consequences. The FOSS community is on notice that small projects embedded in larger projects such as systemd are being reviewed for weak-handed maintainers that can be manipulated, co-opted, and backdoored.
https://m.stacker.news/24393
Great write-up! & call to buidl. Things are definitely heating up.
Processing less user data & using fewer 3rd party dependencies needs to be a part of any software roadmap these next 2 years. Something I mentioned in The Privacy Pivot here on SN. In this case a lucky break and not much that could be done, but more vulnerabilities are around the corner no doubt.
It’s already a full time job to report on them it feels like.
"We should also acknowledge that open source developers are largely unpaid"
Let them use LN and they will be paid. I would send some sats for such a backdoor discovery as above, and imagine the whole world doing so too...
Good model :)
deleted by author
because of the much lower entry barrier for tipping, like for example 500 sats
deleted by author
lol, and now multiply 500 sats by the number of users of SSH, or even only a generous part of them
Looking at the JS community :S ... just don't run JavaScript.
It's going to be a wild ride from now on... and as always... it's not just "software", we are on top of magma in the "hardware" realm...
Failed in a sense that it didn't make it into major distros or all of world internet infrastructure. But still absolutely terrifying how far they came.
Reminds me of this...
https://m.stacker.news/24421
My goodness, what next?
Hardware.