In an almost spooky coincidence I wrote about backdooring #curl exactly on this day three years ago: https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/
HOWTO backdoor curl | daniel.haxx.se

"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"

... like... xz.

@bagder isn't that when apparently this hack started? Did they read your post and think "we can do that"?
@loke it can certainly make you wonder!
@bagder I really consider this xz situation a testament to the resilience of the open source community, and distros in particular. The damage did happen, but it was discovered rather quickly, despite how ridiculously sophisticated the attacker was, and the fallout was really contained to just "run an update asap". It didn't even land in most systems thanks to the stabilization process. It can't and won't linger for years like log4j did.
@mid_kid I tend to agree. Sure, ideally we as an ecosystem should detect these things faster, but one of the most advanced backdoor operation attempts ever, was mostly thwarted.
@mid_kid @bagder While everyone involved definitely did great work and deserves praise, I think it's a bit dangerous to say it like this. I consider it really lucky that this was discovered this early. It wasn't just some person doing regular code auditing, it was someone investigating bad performance. The next attacker will definitely performance test their exploit. What then?
@nilstrieb @bagder The attacker had to weaken tests in Google's OSS-Fuzz as well as fix valgrind warnings in downstream distribution testing that almost got him caught. In the end he got caught due to the performance issues, but I also think there are other behaviors and incompatibilities that would've cropped up in downstream testing. But you're right, an attacker can make sure it has no performance issues, so the open source world needs to find a way to make it more difficult next time.
@mid_kid @bagder this sounds like survivorship bias. This backdoor was discovered by definition, because were it not, we wouldn't know about it.
And it seems that it was discovered due to sheer luck. Makes me wonder how many other similarly sophisticated attacks were never discovered.
@IngaLovinde Considering how much work and time went into this one, and the fact I can't recall anything else of this caliber, I genuinely doubt it's a lot. But who knows, you might be right. I still consider the response/patch time impressive.

@bagder the attack was on sshd users via a library, so your paragraph on dependencies applies to the thing as a whole, too:

---

Added after the initial post. Lots of people have mentioned that curl can get built with many dependencies and maybe one of those would be an easier or better target. Maybe they are, but they are products of their own individual projects and an attack on those projects/products would not be an attack on curl or backdoor in curl by my way of looking at it.

@bagder Similarly spooky is that the "Hypocrite Commit" paper appeared roughly around the same time Jia Tan first showed up.

It didn't hit me as hard back then, but that paper must have been a hell of an inspiration for state actors...

@bagder „Since you didn’t read that PHP link“

wait how did you know