The #xz backdoor story is making rounds. The New York Times:
"Did One Guy Just Stop a Huge Cyberattack?
A Microsoft engineer noticed something was off on a piece of software he worked on. He soon discovered someone was probably trying to gain access to computers all over the world."
don't lambast him with praise or bombard him with chit chat:
he's busy
but you should know that he just saved the world from what could have been a crippling hack on, well, anything and everything. what he prevented can modestly and credibly be estimated as amongst the worst (potential) hacks ever. possibly nation state sponsored. no one knows for sure right now
I am getting tired of reading about the #xz#security issue as if it is all about issues within #opensource. It is much bigger than that, and those takes conflate the problem with the solution.
I always liked being on the same Postgres team as @AndresFreundTec because he was smart + hard-working + hypercompetent.
But with his xz backdoor discovery Andres has taken things to a whole new level. Hence this NYT Kevin Roose story and the whole breadbaking & yeast analogy 🤯 for Andres's stubbornly persistent investigation, driven by a "That's weird" feeling....
However, I believe that he is actually from somewhere in the UTC+02 (winter)/UTC+03 (DST) timezone, which includes Eastern Europe (EET), but also Israel (IST), and some others. Forging time zones would be easy — no need to do any math or delay any commits. He likely just changed his system time to Chinese time every time he committed.
Wir beim Sovereign Tech Fund verfolgen den #xz-Vorfall aufmerksam und hören die vielen Stimmen aus der #FOSS-Community dazu. Es ist uns klar, dass der xz-Vorfall Anzeichen einer strukturellen Herausforderung ist.
“This upstream supply chain security attack is the kind of nightmare scenario that has gotten people describing it called hysterical for years,” Kubernetes Security Chairperson Ian Coldwaterhad written on X. “It’s real.
After the recent xz-utils attack, guess what was the response some developers thought of? 9to5 Linux, Phoronix
Instead of helping Lasse Collin, the xz-utils maintainer who was tricked and mentally abused, they jumped ship, because the new solution is "more dependable". Wow, I applaud for this stupidity.
Let's shift our gaze somewhere else a bit. netfilter, the management framework of network operations on Linux that's used by virtually every Linux distribution, effectively only has Pablo Neira Ayuso left to maintain the project after Florian Westphal quit the core team. strace only has Dmitry V. Levin there to keep the cogs running. tcpdump and libpcap have only very few people to maintain the lights. And Bash should probably get abandoned with the few people there to keep everything up. The list goes on and on, because this is the freaking norm!
With the current mindset, support of any form, be it encouragement, financial support or contributing, is way too expensive for anyone to give out. I suggest just don't offer the maintainers the love and help they deserve, and speed up the downfall of the current landscape.
To every FOSS developer out there who has been thanklessly maintaining projects, please accept my deepest gratitude. However, to those who either shifted the blame to the xz-utils project and Lasse Collin, or jumped ship because xz-utils is deemed "unsafe" by you, I have two words most suitable for you: FUCK YOU. 🖕🏼
On the debate on the #xz exploit: did we just get lucky or does the discovery demonstrate the strength of open source.
I think it's a bit of both: we definitely got lucky, but we did have a hand in making our luck: Open Source, by design, empowers the curious and it only takes one curious person to dig deeply enough, so our luck was there being that one curious person; the rest we made.
So your mission, if you choose to accept it, is to be more curious
Pourquoi XZ Utils (liblzma) reste autant utilisé alors que libzstd/Zstandard est bien maintenu, aussi efficace en compression et nettement plus rapide ?
Auditing your dependencies, or relying on external audits, adds an important layer of protection.
It's not a silver bullet against bad dependencies as there's no such thing. However adding more layers of protection makes attackers' lives harder and this is one of them.
This is a fascinating glimpse into the beginning of the #xz exploit, i.e. the social engineering.
Some users (accomplices of the attacker?) used the dev mailing list to badger and harass the maintainer of the project who was on the verge of burnout, to pressure him to grant co-maintainer status to the attacker.
Whether this was part of the attack or not, it’s a sad glimpse into the toxic pattern often found in open-source software, where users demand maintainers’ free labor, instead of helping them strike a healthy work-life balance.
Just had a long talk with my poor overworked wife about my realization that when it comes to research, Universities are just rent-seeking middlemen. There is no reason why researchers should be EMPLOYEES of Universities (other than historical accident). In fact, Universities, which are big capital holders funded by the govt should be employed BY researchers and competing to provide researchers with quality facilities at competitive prices.
This is very closely related to the problems being discussed in the #xz hack. Just as some major fraction of the US economic output relies on an anarchic group of open software developers that need funding, we need to solve that problem in a way compatible with the inherently anarchic nature of anyone being able to write software together. And when we solve that problem we should also solve the problem of funding literally anyone who has a worthwhile research project.
Three years ago, #FDroid had a similar kind of attempt as the #xz#backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection#vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”
This is pretty significant: the first documented case of these tactics being used to insert a vulnerability, apart from xz. So probably the same actors have been trying this on multiple projects.
I hope other maintainers who have experienced similar pressure tactics will come forward, even if they’re not aware of any backdoors. For any project where this has taken place and the code was merged, the code and commit history needs to be audited.
A week or so later, one good thing about the #xz#backdoor is how it all pretty much played out on Mastodon and in the #fediverse. The discussion wasn't on #x or #twitter, not #facebook or #stackedoverflow or whatever. Analysis and investigation and discussion happened here on #mastodon. Even #wired magazine gave credit.
A #NixOS PSA for anyone trying to garbage collect the malicious versions of #xz and wondering why it’s not going away even after deleting previous generations and gc roots: make sure keep-outputs and keep-derivations is disabled in your Nix conf. You can turn them back on after running nix-collect-garbage
Bullying in Open Source Software Is a Massive Security Vulnerability (www.404media.co)