Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-06 Thread gene heskett

On 4/6/24 09:15, Thomas Schmitt wrote:
> Hi,
>
> Nicholas Geovanis wrote:
> > But what if next time the back-doored software _does_ build without error?
>
> The initial build problems did not cause suspicion.
> It was the CPU load of sshd and an obscure complaint by valgrind which
> caused the discovery.
>   https://boehs.org/node/everything-i-know-about-the-xz-backdoor
> quotes the discoverer Andres Freund:
>   "I was doing some micro-benchmarking at the time, needed to quiesce
>    the system to reduce noise. Saw sshd processes were using a surprising
>    amount of CPU, despite immediately failing because of wrong usernames
>    etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
>    unable to attribute it to a symbol. Got suspicious. Recalled that I had
>    seen an odd valgrind complaint in automated testing of postgres, a few
>    weeks earlier, after package updates.
>    Really required a lot of coincidences."
>
> gene heskett wrote:
> > In light of that it's worth noting that an M$ employee was the first to
> > spot it.
>
> Indeed.
> Thus we should also praise the peace between Microsoft and free software
> which broke out a few years ago.
>
> There remains the question, whom a good citizen should contact when
> spotting something that could be a backdoor (or a subtenant ?) of
> Debian's content or infrastructure.
>
> It seems unwise for a non-expert to do this in public, unless one wants
> to accuse the innocent or to warn the hoodlums.

Which category I am firmly in, in the larger view, Tomas, although I do
run the bleeding edge master of linuxcnc on several of my garage
machines. My main interests are in the realtime performance of machine
controllers running lathes and multi-axis mills.  That, and doing things
with odd hardware that most wouldn't even try, like running a 1945
Sheldon 11x54 lathe with an rpi. Works great. I start the job and walk
away, while Casper the ghost is turning the cranks, but 2 to 10 times
faster than the best machinist.  And it's doing things it could never do
before.  Keeps me out of the bars. ;o)>

> Have a nice day :)
>
> Thomas


Cheers, Gene Heskett, CET.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis



Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-06 Thread Thomas Schmitt
Hi,

Nicholas Geovanis wrote:
> But what if next time the back-doored software _does_ build without error?

The initial build problems did not cause suspicion.
It was the CPU load of sshd and an obscure complaint by valgrind which
caused the discovery.
  https://boehs.org/node/everything-i-know-about-the-xz-backdoor
quotes the discoverer Andres Freund:
  "I was doing some micro-benchmarking at the time, needed to quiesce
   the system to reduce noise. Saw sshd processes were using a surprising
   amount of CPU, despite immediately failing because of wrong usernames
   etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
   unable to attribute it to a symbol. Got suspicious. Recalled that I had
   seen an odd valgrind complaint in automated testing of postgres, a few
   weeks earlier, after package updates.
   Really required a lot of coincidences."


gene heskett wrote:
> In light of that it's worth noting that an M$ employee was the first to
> spot it.

Indeed.
Thus we should also praise the peace between Microsoft and free software
which broke out a few years ago.


There remains the question, whom a good citizen should contact when
spotting something that could be a backdoor (or a subtenant ?) of
Debian's content or infrastructure.

It seems unwise for a non-expert to do this in public, unless one wants
to accuse the innocent or to warn the hoodlums.


Have a nice day :)

Thomas
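The discovery story quoted above turns on one observation: code from a compression library was running inside sshd, and the profiler could not name the symbol. A defender's routine version of that observation is to record which shared objects a known-good sshd maps and to diff a running process against that record. The following is an added example for this discussion, not code from the thread or from any of its participants. It parses `/proc/<pid>/maps` text (a constructed sample is embedded; a pid on the command line reads the live file) and reports sonames absent from a baseline. The sample maps, inode numbers, addresses and the baseline set are all constructed for illustration; on distributions that link libsystemd into sshd, liblzma is legitimately present, which is exactly why the check compares against a recorded baseline rather than a fixed list of "bad" names.

```python
"""Baseline check of the shared objects mapped into a long-running daemon.

Added example for the thread above; not part of the original discussion.
Parses /proc/<pid>/maps text and reports libraries that a baseline
recorded earlier from a known-good build does not list.
"""
import re
import sys
from pathlib import PurePosixPath
from typing import Dict, Iterable, List, Set

# Constructed /proc/<pid>/maps excerpt for an sshd process. Addresses,
# inode numbers and paths are illustrative, not captured from a real host.
SAMPLE_SSHD_MAPS = """\
55d1c3a00000-55d1c3a8c000 r-xp 00000000 fd:01 1234 /usr/sbin/sshd
7f2a10000000-7f2a10020000 r--p 00000000 fd:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f2a10020000-7f2a101a0000 r-xp 00020000 fd:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f2a10200000-7f2a10210000 r--p 00000000 fd:01 5679 /lib/x86_64-linux-gnu/libcrypto.so.3
7f2a10400000-7f2a10410000 r--p 00000000 fd:01 5680 /lib/x86_64-linux-gnu/libsystemd.so.0
7f2a10600000-7f2a10620000 r-xp 00000000 fd:01 5681 /lib/x86_64-linux-gnu/liblzma.so.5
7f2a10800000-7f2a10900000 rw-p 00000000 00:00 0 [heap]
7f2a10900000-7f2a10901000 rw-p 00000000 00:00 0
"""

# Constructed baseline: the sonames one expects mapped into sshd on the host
# being checked. A real baseline is recorded from a known-good build; this
# set exists only so the sample produces a finding.
SAMPLE_BASELINE: Set[str] = {"libc", "libcrypto", "libsystemd"}

_SONAME_RE = re.compile(r"^(lib[A-Za-z0-9_+\-]*)\.so(\.|$)")


def soname_of(path: str) -> str:
    """Reduce '/lib/.../liblzma.so.5' to 'liblzma'; '' if not a shared object."""
    m = _SONAME_RE.match(PurePosixPath(path).name)
    return m.group(1) if m else ""


def mapped_libraries(maps_text: str) -> Dict[str, str]:
    """Return soname -> first path seen for every shared object in a maps dump.

    Anonymous mappings have no sixth field and pseudo-paths such as [heap]
    start with '['; both are skipped.
    """
    libs: Dict[str, str] = {}
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) < 6 or fields[5].startswith("["):
            continue
        path = fields[5].strip()
        name = soname_of(path)
        if name:
            libs.setdefault(name, path)
    return libs


def unexpected_libraries(maps_text: str, baseline: Iterable[str]) -> List[str]:
    """Sorted sonames mapped into the process that the baseline does not list."""
    allowed = set(baseline)
    return sorted(name for name in mapped_libraries(maps_text) if name not in allowed)


def report(maps_text: str, baseline: Iterable[str]) -> str:
    """Human-readable verdict; 'OK' when nothing outside the baseline is mapped."""
    extra = unexpected_libraries(maps_text, baseline)
    if not extra:
        return "OK: no libraries outside the baseline"
    libs = mapped_libraries(maps_text)
    lines = ["REVIEW: libraries mapped but not in baseline:"]
    lines += [f"  {name:<14} {libs[name]}" for name in extra]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python3 check_maps.py <pid> (reading the file needs
        # the same privileges as the target process, typically root).
        with open(f"/proc/{int(sys.argv[1])}/maps") as f:
            text = f.read()
    else:
        text = SAMPLE_SSHD_MAPS
    print(report(text, SAMPLE_BASELINE))
```

Run without arguments it evaluates the constructed sample and flags liblzma; run with a pid it evaluates a live process. A finding is a prompt to look further (who pulls the library in, and why it consumes CPU), not a verdict; the baseline itself should be stored outside the host it describes so that a compromised machine cannot quietly update it.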



Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread Nicholas Geovanis
On Fri, Apr 5, 2024, 1:39 PM  wrote:

> On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
> > Hi, All..
> >
> > This just hit my emails seconds ago. It's the most info that I've
> > personally read about the XZ backdoor exploit. I've been following
> > NextGov as a friendly, plain language resource about government:
>

...

> > Continues to sound like one single perp is destroying the TRUST factor
> > that an untold number of future programmers must meet. That's heartbreaking.
>
> No, on the contrary. First of all, it is great that it has been
> caught /before/ it could cause much harm -- I
>


> So hardly new. What's special about this case is that the contributor
> had been working for the project for two years, thus earning trust
> with the community -- the most widespread notion seems to be that
> they had been planning the thing all along. I see at least another
> possible interpretation, that they started as a genuine contributor
> and went bad, be it by bribing, coercion, or even replacement. Secret
> services and hackers (where's the difference, anyway?) are like
> that. Opportunists.
>
> Reminds us that trust is, at the root, a human thing, and thus sometimes
> fragile. As in Real Life, we need ways to recover.
>

And to me that's the most interesting thing about this incident too. It's a
good counter-example to the open-source "trust"-based model of software
development, simply by proving what we all knew: some people can't be
trusted but also can't be detected as untrustworthy. And it also shows a
"win" of that same development model, many eyes and a persistent mind who
didn't like things that didn't make sense.

But what if next time the back-doored software _does_ build without error?

Cheers
>
> [0] https://lwn.net/Articles/773121/
> [1] https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks
> [2] https://arxiv.org/abs/2005.09535
>
> --
> t
>


Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread debian-user
Cindy Sue Causey wrote:

> Continues to sound like one single perp is destroying the TRUST
> factor that an untold number of future programmers must meet. That's
> heartbreaking.

It has never sounded like a single perp to me. 'Jia Tan' is an obvious
sock puppet as are the other names who pushed Lasso to accept him. The
whole timescale and effort involved smacks of a team of hackers. JMHO.



Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread James H. H. Lampert
I will note that open source software has, by definition, a lot more
eyes looking at the source. Which is probably why (as Tomas said)
"proprietary software tends to fare significantly worse."


--
JHHL



Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread tomas
On Fri, Apr 05, 2024 at 08:38:36PM +0200, to...@tuxteam.de wrote:

[...]

> No, on the contrary. First of all, it is great that it has been
> caught /before/ it could cause much harm [...]

...and of course kudos and thanks to Andres Freund who spotted
the thing!

Cheers
-- 
t




Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread Nate Bargmann
* On 2024 05 Apr 11:28 -0500, Cindy Sue Causey wrote:
> Hi, All..
> 
> This just hit my emails seconds ago. It's the most info that I've
> personally read about the XZ backdoor exploit. I've been following
> NextGov as a friendly, plain language resource about government:
> 
> Linux backdoor was a long con, possibly with nation-state support, experts say;
> By David DiMolfetta; 2024.04.05 12:59pm EDT

To be honest, I think better coverage has been done by the F/OSS
community.  The gist I got from this article was government types
speculating that only other government types could possibly be involved,
though there is an allowance for uncertainty.

The article mentions the times that "Jia Tan" apparently made commits
as being consistent with business hours in China or Europe.  Possibly,
but if someone were ever to scrutinize my timelines they would probably
find it consistent with bouts of insomnia!

> Continues to sound like one single perp is destroying the TRUST factor that an
> untold number of future programmers must meet. That's heartbreaking.

The damage to trust is the biggest part of this story, IMO.  A lot of
discussion is centering around tools and performing double checks before
a distribution accepts an updated or new package which are all probably
good steps and which point to the loss of trust.  "Jia Tan" was able to
work with Lasse Collin on the XZ project to the point of gaining commit
privileges and becoming a co-maintainer.  This is nothing new and
projects have been handed off to new maintainers in a more-or-less
similar fashion over the decades.  That in itself would have never
raised an eyebrow.

Committing binary files into a compression utility repository ostensibly
for testing the utility and its library wasn't suspicious on the
surface, but now the knowledge that compromising code was being linked
into the library from them will make every binary file suspicious.
Certainly, their use is going to be checked and double-checked.  All of
this reflects the loss of trust.

For all of the other qualities why we have chosen Free Software, the
trust we have placed in Debian and its upstream projects has been
the underlying glue that has held this all together.  How this
is addressed going forward will be interesting.  Will upstream project
maintainers be required to have GPG keys signed like Debian requires of
its developers?  Will contributors be subject to the same?  Over the
years projects have received contributions from persons who wished to
remain more or less anonymous.  Will this change?  Will such
contributions become subject to even greater scrutiny by project
maintainers?  I suspect that at a minimum if a maintainer doesn't
clearly understand a patch then it won't get applied, but if the
maintainer is clever enough to work in a non-obvious patch that is
malicious, all bets are off.

It's a mess.

- Nate

-- 
"The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819





Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread tomas
On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
> Hi, All..
> 
> This just hit my emails seconds ago. It's the most info that I've
> personally read about the XZ backdoor exploit. I've been following
> NextGov as a friendly, plain language resource about government:
> 
> Linux backdoor was a long con, possibly with nation-state support, experts say;
> By David DiMolfetta; 2024.04.05 12:59pm EDT
> 
> https://www.nextgov.com/cybersecurity/2024/04/linux-backdoor-was-long-con-possibly-nation-state-support-experts-say/395511/
> 
> Continues to sound like one single perp is destroying the TRUST factor that an
> untold number of future programmers must meet. That's heartbreaking.

No, on the contrary. First of all, it is great that it has been
caught /before/ it could cause much harm -- I think this is a
testament to the free software community. Second, this is one
pretty standard instance of supply chain attack (albeit a pretty
spectacular one), of which there have been quite a few during the
last decennium. Another spectacular one was event-stream [0],
from 2018 or the Solarwinds [1] things (interestingly, proprietary
software tends to fare significantly worse than our beloved
free software).

There is a growing corpus of academic work dedicated to it. This
nice overview [2] goes over 174 cases (and is already 4 years old).

So hardly new. What's special about this case is that the contributor
had been working for the project for two years, thus earning trust
with the community -- the most widespread notion seems to be that
they had been planning the thing all along. I see at least another
possible interpretation, that they started as a genuine contributor
and went bad, be it by bribing, coercion, or even replacement. Secret
services and hackers (where's the difference, anyway?) are like
that. Opportunists.

Reminds us that trust is, at the root, a human thing, and thus sometimes
fragile. As in Real Life, we need ways to recover.

Cheers

[0] https://lwn.net/Articles/773121/
[1] https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks
[2] https://arxiv.org/abs/2005.09535

-- 
t




NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Support

2024-04-05 Thread Cindy Sue Causey
Hi, All..

This just hit my emails seconds ago. It's the most info that I've
personally read about the XZ backdoor exploit. I've been following
NextGov as a friendly, plain language resource about government:

Linux backdoor was a long con, possibly with nation-state support, experts say;
By David DiMolfetta; 2024.04.05 12:59pm EDT

https://www.nextgov.com/cybersecurity/2024/04/linux-backdoor-was-long-con-possibly-nation-state-support-experts-say/395511/

Continues to sound like one single perp is destroying the TRUST factor that an
untold number of future programmers must meet. That's heartbreaking.

Cindy.

PS Another apology for however this email might display. Still haven't found the
switch to set the line length to circa 80 characters.
-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA
* runs with birdseed *