On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
> Hi, All..
> 
> This just hit my emails seconds ago. It's the most info that I've
> personally read about the XZ backdoor exploit. I've been following
> NextGov as a friendly, plain language resource about government:
> 
> Linux backdoor was a long con, possibly with nation-state support, experts say;
> By David DiMolfetta; 2024.04.05 12:59pm EDT
> 
> https://www.nextgov.com/cybersecurity/2024/04/linux-backdoor-was-long-con-possibly-nation-state-support-experts-say/395511/
> 
> Continues to sound like one single perp is destroying the TRUST factor that an
> untold number of future programmers must meet. That's heartbreaking.

No, on the contrary. First of all, it is great that it has been
caught /before/ it could cause much harm -- I think this is a
testament to the free software community. Second, this is one
pretty standard instance of a supply chain attack (albeit a pretty
spectacular one), of which there have been quite a few during the
last decade. Another spectacular one was event-stream [0],
from 2018, or the SolarWinds [1] affair (interestingly, proprietary
software tends to fare significantly worse than our beloved
free software).

There is a growing corpus of academic work dedicated to it. This
nice overview [2] goes over 174 cases (and is already 4 years old).

So hardly new. What's special about this case is that the contributor
had been working on the project for two years, thus earning trust
with the community -- the most widespread notion seems to be that
they had been planning the thing all along. I see at least one other
possible interpretation: that they started as a genuine contributor
and went bad, be it by bribery, coercion, or even replacement. Secret
services and hackers (where's the difference, anyway?) are like
that. Opportunists.

Reminds us that trust is, at the root, a human thing, and thus sometimes
fragile. As in Real Life, we need ways to recover.

Cheers

[0] https://lwn.net/Articles/773121/
[1] https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks
[2] https://arxiv.org/abs/2005.09535

-- 
t
