#CyberSecurity #OpenSource #Malware #SSH #XZUtils: "So what was the malware discovered by Freund designed to do? Basically to break the authentication process that makes SSH secure and thereby create a backdoor that would enable an intruder remotely to gain unauthorised access to the entire system. Since SSH is a vital tool for the safe operation of a networked world, anything that undermines it is really bad news – which is why the cybersecurity world has been on high alert in the past week. Those running the different flavours of Linux that are in use across the world have been alerted to the dangers posed by the two rogue updates.
In some ways, the story of how the malware got into the updates is even more instructive. XZ Utils is open-source software, ie software with source code that anyone can inspect, modify and enhance. Much open source is written and maintained by small teams of programmers, and in many cases by a single individual. In XZ Utils, that individual for years has been Lasse Collin, who has been with the project since its inception. Until recently he was the person who had been assembling and distributing the updates of the software." https://www.theguardian.com/commentisfree/2024/apr/06/xz-utils-linux-malware-open-source-software-cyber-attack-andres-freund
We dodged a bullet with the #XZUtils malware assault, but we can do better at preventing such #opensource, #security supply chain attacks in the future.
After the recent xz-utils attack, guess what was the response some developers thought of? 9to5 Linux, Phoronix
Instead of helping Lasse Collin, the xz-utils maintainer who was tricked and mentally abused, they jumped ship, because the new solution is "more dependable". Wow, I applaud this stupidity.
Let's shift our gaze somewhere else a bit. netfilter, the management framework of network operations on Linux that's used by virtually every Linux distribution, effectively only has Pablo Neira Ayuso left to maintain the project after Florian Westphal quit the core team. strace only has Dmitry V. Levin there to keep the cogs running. tcpdump and libpcap have only very few people to maintain the lights. And Bash should probably get abandoned with the few people there to keep everything up. The list goes on and on, because this is the freaking norm!
With the current mindset, support of any form, be it encouragement, financial support or contributing, is way too expensive for anyone to give out. I suggest just don't offer the maintainers the love and help they deserve, and speed up the downfall of the current landscape.
To every FOSS developer out there who has been thanklessly maintaining projects, please accept my deepest gratitude. However, to those who either shifted the blame to the xz-utils project and Lasse Collin, or jumped ship because xz-utils is deemed "unsafe" by you, I have two words most suitable for you: FUCK YOU. 🖕🏼
You know it's so great and amazing to see almost all of my Infosec news is coming from Mastodon, and even many different news articles are citing Mastodon. I rarely see mentions of Twitter anymore. And almost everyone talking about XZ Utils was on Mastodon.
«These versions 5.6.0 and 5.6.1 nearly slipped into the stable releases of the major distributions. Fortunately, they only made it into a few betas, notably Fedora 40, Fedora Rawhide and Debian's testing, unstable and experimental distributions.»