I don't even know why I have this image in my collection. It clearly doesn't contain innuendo or double entendres of any kind. #vintage #gay #backdoor #comics
Why doesn't this surprise me, and why is Russia, for example, still underestimated? Security isn't as simple as many make it out to be. Thanks @evawolfangel for the informative article:
»New Russian cyberweapon discovered:
Russia's intelligence service has apparently developed a new tool to spy on companies. There are few traces, because the malware partly deletes itself«
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:
@ph0lk3r and @jrt have taken another look at how the #xz backdoor came about, with the necessary distance, and draw some lessons from it.
In particular, they recommend using signed #git commits as consistently as possible, a point that was missing in my ⬆️⬆️⬆️.
I also use them consistently in a few places, but so far only where no rebases or squashes are needed. I suspect those lose the signatures, also on a rebase, even when you do it yourself? https://research.hisolutions.com/2024/04/xz-backdoor-eine-aufarbeitung/
What do we actually know about «Jia Tan»? I went looking for clues. And in the process found out that one could probably have earned several billion with this security vulnerability.
One of the sad side-effects of the #xz #backdoor is that many projects feel like they need to move away from #autoconf, when the problem wasn’t autoconf itself, but shipping a bunch of .m4 files – and that nobody diffed repo vs tarball (if nobody does that, it doesn’t matter what you do in the repo, e.g. switching build systems).
This is sad because it means cross-compiling stuff will soon no longer be possible, as autoconf is so far the only thing that gets cross-compiling right. CMake is a complete mess, Meson is far from great for cross-compiling and everything else just outright doesn’t support it.
People, clean up your configure.ac, get rid of .m4 and audit repo vs. tarball! That’s less work, much more effective and doesn’t kill cross-compiling!
Also, if you absolutely must blame a piece of software that was used by xz for this: That’ll be #gettext, which was the reason for the insane amount of .m4 files in the first place. gettext is a mess and that is really something we should get rid of.
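The "audit repo vs. tarball" step urged in the posts above, as an added shell example that is not code from any of the quoted posts or from the xz project. It extracts a release tarball into a scratch directory and runs a recursive `diff -q` against a repository checkout, so files that exist only in the tarball, or that differ from the repo, are listed. The repository tree, the tarball and the file names (`helper.m4`, `only-in-tarball.m4`) are constructed here for the demonstration and are not taken from any real release.

```shell
#!/bin/sh
# Constructed example: compare a release tarball with a repository checkout.
# Anything reported as "Only in TARBALL" or "differ" never went through the
# repo's review, which is exactly where tarball-only payloads hide.

audit_tarball_vs_repo() {
    repo_dir="$1"
    tarball="$2"
    work=$(mktemp -d)
    mkdir -p "$work/tar"
    # Release tarballs wrap everything in a top-level directory; strip it so
    # the two trees line up.
    tar -xf "$tarball" -C "$work/tar" --strip-components=1
    # -r recurses, -q prints only names. Empty output means the trees match.
    # Generated files a release legitimately adds (configure, Makefile.in)
    # should be regenerated from the repo and compared, not waved through.
    diff -rq "$repo_dir" "$work/tar" \
        | sed -e "s|$repo_dir|REPO|g" -e "s|$work/tar|TARBALL|g"
    rm -rf "$work"
}

# Build a constructed repo checkout plus a tarball carrying one modified and
# one extra file, so the audit has something to report. Prints the base dir.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/repo/m4" "$base/release-1.0/m4"
    printf 'AC_INIT([demo],[1.0])\n' > "$base/repo/configure.ac"
    printf 'AC_INIT([demo],[1.0])\n' > "$base/release-1.0/configure.ac"
    printf 'dnl harmless macro\n' > "$base/repo/m4/helper.m4"
    printf 'dnl harmless macro\ndnl extra line only in the tarball\n' \
        > "$base/release-1.0/m4/helper.m4"
    printf 'dnl constructed: file absent from the repo\n' \
        > "$base/release-1.0/m4/only-in-tarball.m4"
    tar -cf "$base/demo-1.0.tar" -C "$base" release-1.0
    echo "$base"
}

# Run the audit on the constructed trees and clean up afterwards.
demo_audit() {
    base=$(make_demo_trees)
    audit_tarball_vs_repo "$base/repo" "$base/demo-1.0.tar"
    rm -rf "$base"
}
```

Running `demo_audit` reports the modified `m4/helper.m4` and the tarball-only `m4/only-in-tarball.m4`; the identical `configure.ac` produces no line. For a real release the `repo_dir` would be a checkout of the tagged commit (for example from `git archive`), and the check belongs in the release pipeline rather than on a maintainer's laptop.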
Adobe Magento: a dangerous RCE threat to e-commerce sites
Cybersecurity specialists have warned that #hackers are already exploiting a new #vulnerability in #Magento (CVE-2024-20720) and using it to implant a persistent #backdoor on e-commerce sites.
I always liked being on the same Postgres team as @AndresFreundTec because he was smart + hard-working + hypercompetent.
But with his xz backdoor discovery Andres has taken things to a whole new level. Hence this NYT Kevin Roose story and the whole breadbaking & yeast analogy 🤯 for Andres's stubbornly persistent investigation, driven by a "That's weird" feeling....
However, I believe that he is actually from somewhere in the UTC+02 (winter)/UTC+03 (DST) timezone, which includes Eastern Europe (EET), but also Israel (IST), and some others. Forging time zones would be easy — no need to do any math or delay any commits. He likely just changed his system time to Chinese time every time he committed.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn’t found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
Steiner wrote this week that the original coder deleted their account as soon as F-Droid’s maintainers attempted to review the code, and that he thinks that the user’s behavior, as well as “all the attention from random new accounts” has led him to believe “it could be a deliberate attempt to insert the vuln.”
This is pretty significant: the first documented case of these tactics being used to insert a vulnerability, apart from xz. So probably the same actors have been trying this on multiple projects.
I hope other maintainers who have experienced similar pressure tactics will come forward, even if they’re not aware of any backdoors. For any project where this has taken place and the code was merged, the code and commit history needs to be audited.
A week or so later, one good thing about the #xz #backdoor is how it all pretty much played out on Mastodon and in the #fediverse. The discussion wasn't on #x or #twitter, not #facebook or #stackedoverflow or whatever. Analysis and investigation and discussion happened here on #mastodon. Even #wired magazine gave credit.
The Mystery of ‘Jia Tan,’ the XZ #Backdoor Mastermind - https://www.wired.com/story/jia-tan-xz-backdoor/ "The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code." another reason for governments to support #opensource properly
Honestly, tho, GNU indirect functions (as abused by the #xz #backdoor) do sound like a malware developer's dream / sysadmin's nightmare. And you thought LD_PRELOAD was a footgun...
🍥 Debian Decided to Postpone the 12.6 Release | Linuxiac
「 Without a doubt, the deliberate infiltration of backdoored upstream XZ tarballs into the Debian sid repository a few days ago, allowing remote SSH access without authentication, sparked a real storm in the Linux community 」
This is quite neat: an #xz #backdoor PoC that patches liblzma to accept a different ed448 key so you can view the full attack in action, even if you can't use this for detection or exploitation.
Does the #xz #backdoor issue affect users with the sshd service disabled? It's hard to know that by reading those super detailed posts. Basically, under what circumstances is it an issue?
This week, our #SysAdmin syllabus covers backups and restores, including use of dump(8), #rsync, and flux-capacitors (e.g., ZFS snapshots, Apple TimeMachine, NetApp's WAFL). We also were supposed to talk about #syslog and monitoring, but honestly, chances are we'll spend most of our time on the #xz #backdoor.
Bullying in Open Source Software Is a Massive Security Vulnerability (www.404media.co)