Aaron Patterson ✅"open source needs more funding!"
*nation state pays for backdoor*
"not like that!"
Luci Lilac
- 10 Followers
- 32 Following
- 98 Posts
Tinker ☀️I think a LOT of people are missing the fact that we got LUCKY with this malicious backdoor.
The backdoor was created by an Insider Threat - by a developer / maintainer of various linux packages. The backdoor was apparently pushed back on March 8th (I believe) and MADE IT PAST all QA checks.
Let me state that again. Any quality assurance, security checks, etc., failed to catch this.
This was so far upstream, it had already gotten into the major Linux distributions. It made it into Debian pre-release, Fedora rolling, OpenSUSE rolling, Kali rolling, etc.
This is an example of Supply Chain Security that CISOs love to talk and freak out about. This is an example of an Insider Threat that is the boogey man of corporate infosec.
A couple more weeks, and it would have been in many major distributions without any of us knowing about it.
The ONLY reason we know about it is because @AndresFreundTec got curious about login issues and some benchmarking checks that had nothing to do with security and ran the issue down and stumbled upon a nasty mess that was trying to remain hidden.
It was luck.
That's it. We got lucky this time.
So this begs the question. Did the malicious insider backdoor anything else? Are they working with anyone else who might have access to other upstream packages? If the QA checks failed to find this specific backdoor by this specific malicious actor, what other intentional backdoors have they missed?
And before anyone goes and blames Linux (as a platform or as a concept), if this had happened (if it HAS happened!!!) in Windows, Apple, iOS, etc.... we would not (or will not) know about it. It was only because all these systems are open source that Andres was able to go back and look through the code himself.
Massive props and kudos and all the thank yours to Andres, those who helped him, to all the Linux teams jumping on this to fix it, and to all the folks on high alert just before this Easter weekend.
I imagine (hope) that once this gets cleaned up, there will be many fruitful discussions around why this passed all checks and what can be changed to prevent it from happening again.
(I also hope they run down any and all packages this person had the signing key for....)
Gordon MessmerThe least surprising thing about the xz vulnerability is that it happened to a widely used project after a maintainer hand-off. We've seen exactly the same thing repeatedly in npm, pypi, browser extensions, and other code marketplaces.
Humans don't last forever. Hand-off is inevitable. And I've long held that because that is true, the size of the group of maintainers is an important security characteristic.
Small projects create big risks.
Sustainability is a security concern.
Mike Shewardpeople are saying the xz backdoor is likely the work of a nation state actor, and given that it appears to been slow rolled for a couple of years and immediately became obsolete before it was fully launched - you do have to admit it bears the hallmarks of a government IT project
AndresFreundTecI accidentally found a security issue while benchmarking postgres changes.
If you run debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.
Evan B🥥ehshttps://boehs.org/node/everything-i-know-about-the-xz-backdoor
I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.
Unfolding now: https://news.ycombinator.com/item?id=39865810
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2
The timeline on this is going to take so long to unravel
Glyph@eb I really hope that this causes an industry-wide reckoning with the common practice of letting your entire goddamn product rest on the shoulders of one overworked person having a slow mental health crisis without financially or operationally supporting them whatsoever. I want everyone who has an open source dependency to read this message https://www.mail-archive.com/xz-devel@tukaani.org/msg00567.html
weird girl“autism coded” yea i heard theyre good at that
Aral BalkanDear @Gargron,
A fediverse server called Threads is violating mastodon.social’s second server rule:
“2. No racism, sexism, homophobia, transphobia…
Transphobic behavior such as intentional misgendering and deadnaming is strictly prohibited.”
Can you please defederate from this server to protect the trans people on mastodon.social?
Thank you.
PS. It’s run by these guys: https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/
#mastodonSocial #fediblock #threads #meta #mastodon #transphobia
Report – Unsafe: Meta Fails to Moderate Extreme Anti-trans Hate Across Facebook, Instagram, and Threads | GLAAD
GLAAD’s Social Media Safety Program reported the following anti-trans hate content across Instagram, Facebook, and Threads; Meta deemed all of it non-violative or did not take action on it.