I don’t agree with all the doom-saying about the XZ incident.

You just know orgs are going to return after Easter and panic about it unnecessarily (they’re likely still on Red Hat 6). It doesn’t impact them, as it was caught super early.

Regarding the narrative that there’s nothing that can be done about these types of attacks - I also don’t agree. There’s already a change in the pipeline to systemd which would have prevented it.

The thing needs a rational, calm reaction and response.

@GossiTheDog I've reached the same conclusion.

However, I expect to hear during the next few months from businesses and some technical people that open source can’t be trusted, that we should only take big corporate products, put everything into Windows VMs on MS Azure or GCP because "ssh has almost been breached".

Meanwhile RDP has been almost an open bar for years and one of the most common lateral exploits is about Windows shares, but that’s either ignored, or it doesn’t matter because "that’s MS you know, nothing wrong can happen when you pay for licences" ...