this post was submitted on 04 Apr 2024
139 points (94.3% liked)

Linux

48323 readers
635 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

Same story, but this one adds some more details and other links.

all 16 comments
sorted by: hot top controversial new old
[–] treadful@lemmy.zip 43 points 7 months ago* (last edited 7 months ago) (1 children)

TL;DR: Nothing really new here. They just summarize the social engineering of the attack.

[–] pop@lemmy.ml 34 points 7 months ago (2 children)

Everyone and their grandmother is writing/blogging about this attack by paraphrasing all the same information.

Need for Clicks 101

[–] lengau@midwest.social 3 points 7 months ago

You can get my take on it at www.creedthoughts.gov.www\creedthoughts/xz

[–] Axisential 15 points 7 months ago (2 children)

Fascinating read - interesting that the origin of the hack is not yet known (or at least, released). I wonder what the stats are on these sorts of exploits in OSS - the concept relies so much on trust and individuals.

[–] atzanteol@sh.itjust.works 17 points 7 months ago

the concept relies so much on trust and individuals.

Everything does though.

[–] pmk@lemmy.sdf.org 5 points 7 months ago (1 children)

Ken Thompson talked about this back in 1984, his talk/article "Reflections on trusting trust" is a short but scary read.
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
In the end, what can we trust?

[–] drwho@beehaw.org 3 points 7 months ago

Ultimately, nothing, unless you built everything yourself from scratch, just about from the silicon up.

Everything is risk management.

[–] admin@lemmy.my-box.dev 13 points 7 months ago* (last edited 7 months ago) (3 children)

World's biggest backdoor

~~Puh-lease. At least Heartbleed made it into production at enormous scale.~~

I stand corrected.

[–] xlash123@sh.itjust.works 18 points 7 months ago* (last edited 7 months ago)

A backdoor is very distinct from a vanilla vulnerability. Heartbleed was a vulnerability, meaning the devs made a mistake in the code, introducing a method of attack. XZ was backdoored, meaning a malicious actor intentionally introduced a method by which he could exploit systems.

Both are pretty serious vulnerabilities, but a backdoor, especially introduced so high in the supply chain, would have been devastating had it not been caught so early.

[–] HopFlop@discuss.tchncs.de 14 points 7 months ago

CVE score of heartbleed was 7.5, the score of this XZ backdoor is 10....

[–] yoevli@lemmy.world 4 points 7 months ago

Heartbleed was the result of an accidental buffer overread bug, not a backdoor.

[–] autotldr@lemmings.world 7 points 7 months ago

This is the best summary I could come up with:


On March 29, Microsoft software developer Andres Freund was trying to optimize the performance of his computer when he noticed that one program was using an unexpected amount of processing power.

The XZ backdoor was introduced by way of what is known as a software supply chain attack, which the National Counterintelligence and Security Center defines as “deliberate acts directed against the supply chains of software products themselves.” The attacks often employ complex ways of changing the source code of the programs, such as gaining unauthorized access to a developer’s system or through a malicious insider with legitimate access.

The malicious code in XZ Utils was introduced by a user calling themself Jia Tan, employing the handle JiaT75, according to Ars Technica and Wired.

Tan’s elevation to being a co-maintainer mostly played out on an email group where code developers — in the open-source, collaborative spirit of the Linux family of operating systems — exchange ideas and strategize to build applications.

Their entire online presence is related to these brief interactions on the mailing list dedicated to XZ; their only recorded interest is in quickly ushering along updates to the software.

A leaked document from the defense contractor HBGary Federal outlines the meticulousness that may go into maintaining these fictive personas, including creating an elaborate online footprint — something which was decidedly missing from the accounts involved in the XZ timeline.


The original article contains 1,585 words, the summary contains 231 words. Saved 85%. I'm a bot and I'm open source!