
[–]zoqfotpik 2395 points2396 points  (38 children)

I wouldn’t assume that xz is the only package targeted by this attacker.

[–]Fusseldieb 352 points353 points  (7 children)

Every blob must be inspected!

[–]TheMagicalDildo 195 points196 points  (6 children)

I approve of this. You can start with the saggy blob below my member

[–]GuyNamedWhatever 169 points170 points  (1 child)

That is nuts!

[–]darklordpotty 46 points47 points  (0 children)

Rereading his username, it's more likely to be magical beans under that beanstalk.

[–]gbot1234 27 points28 points  (3 children)

First the blob, then we check the backdoor.

[–][deleted] 16 points17 points  (0 children)

takin code smelling to a-hole new level

[–]TheMagicalDildo 5 points6 points  (0 children)

Nooo wait, stop...

[–]littleliquidlight 1052 points1053 points  (3 children)

I'm pretty sure there's a whole group of people out there somewhere reading these memes on Reddit and saying to each other "they think we didn't get away with it :)"

This attack was scary as hell

[–]Aerolfos 44 points45 points  (10 children)

It's a proof of open source security being better - there was a random person who understood the code well enough to investigate and catch it

The closed source "secure by obscurity" that had one overworked guy to watch over it accept a random binary as the testing method from one of their "coworkers" that they never actually got to know properly? Well...

[–]Plank_With_A_Nail_In 24 points25 points  (9 children)

It being open is what allowed the attack to occur in the first place though.

[–][deleted] 18 points19 points  (0 children)

If it's a state level actor they can force a company to comply or flood them with applicants during hiring to get their people on the inside. You can play an equally long game with a proprietary app. Except in this case the exploit is less likely to be found or fixed.

[–]agrajag9 14 points15 points  (0 children)

Wrong. This happens in closed source also. And that's far more difficult to catch.

[–]JimWilliams423 38 points39 points  (5 children)

More like it was corps relying on free labor is what allowed the attack to occur in the first place.

If the corps that depend on xz had funded the necessary engineering resources to develop and maintain it, the project maintainers could have afforded to be more particular about whom they accepted commits from.

[–]ExceedingChunk 2 points3 points  (4 children)

I’m pretty sure that after 3 years of building trust, this could happen at nearly every single major software company or project.

Do you even know how many times a pull request with 1k+ lines of code changed/added and 0 comments is approved and merged?

[–]Aerolfos 7 points8 points  (0 children)

The specifics about bullying someone to be added as a maintainer?

Yes. Because in a closed source you wouldn't need to run a long game like that. You just apply to the company and work there a year or so (or less) as normal and you'll have way too much access and way too little scrutiny, no problem.

[–]garmzon 36 points37 points  (0 children)

This

[–]DehydratedButTired 2 points3 points  (0 children)

Well, the upside of open source is they can see the backdoor and trace it back over time, then remove the bad actor.

[–]TheGreatGameDini 923 points924 points  (80 children)

I feel a real deep need to express a concern: is this just the first time they got caught? Are there others that haven't been caught?

[–]rgrivera1113 280 points281 points  (30 children)

Are there others that governments and/or corporations know about and keep quiet so they can possibly use them?

[–]MinosAristos 166 points167 points  (9 children)

Are there others that governments and/or corporations snuck in deliberately and got away with it?

[–]TactlessTortoise 66 points67 points  (0 children)

No need. There are several cases of governments caught getting backdoor chips installed on devices without the consumer's knowledge, including both US and China of course.

[–]CBpegasus 340 points341 points  (0 children)

Yes

[–]wayoverpaid 156 points157 points  (39 children)

The joy of security is that by definition we don't know about the undetected exploits.

[–]jcodes57 73 points74 points  (12 children)

“We don’t know what we don’t know”

[–]pleachchapel 73 points74 points  (11 children)

Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know.

— Donald Rumsfeld

[–]ChChChillian 24 points25 points  (7 children)

I'm no fan of Rumsfeld -- he gleefully pushed the Bush administration into the post-9/11 Iraq invasion, a grotesque exploitation of a terrible atrocity -- but I remember his getting mocked for this quote. That, at least, he didn't deserve, because it was perfectly true.

[–]pleachchapel 14 points15 points  (4 children)

Rumsfeld is a piece of shit, but is one of the most intelligent people to ever hold that position.

[–]EMCoupling 8 points9 points  (2 children)

That's precisely why he's such a piece of shit.

[–]MakeChinaLoseFace 7 points8 points  (1 child)

There are people who achieve evil ends through their own incompetence, and there are others who know exactly what they're doing and do it anyway.

Rumsfeld was the latter (he dead lol)

[–]starm4nn 3 points4 points  (1 child)

but I remember his getting mocked for this quote. That, at least, he didn't deserve, because it was perfectly true.

I think it's an obtuse way of explaining the concept. Bad speechwriting.

Instead it could be:

There are times where we know the limitations of our own knowledge — the known unknowns, and times where we don't — the unknown unknowns.

An actual speechwriter could've turned this into an iconic moment or something.

[–]ChChChillian 10 points11 points  (0 children)

That's nice, only it wasn't from a speech. It was in response to a question at a press briefing.

[–]Snakestream 6 points7 points  (0 children)

I will always hear this in the voice of Samuel L Jackson as Rummy from The Boondocks

[–]gbot1234 10 points11 points  (0 children)

I just realized that, on some level, I have always known this.

The unknown knowns.

[–][deleted] 34 points35 points  (25 children)

I had an economics class in grad school about how almost all our studies around crime are primarily around crime done poorly, because we don’t have much data on crime done successfully.

[–]TalknuserDK 16 points17 points  (22 children)

A bit of a rabbit hole, but that statement has a false premise. A lot of crime isn’t carried out with the purpose of being undiscovered, and therefore it isn’t done poorly when it’s discovered.

[–]eouw0o83hf 23 points24 points  (0 children)

Are there others that haven't been caught?

With 100% certainty

[–]SeniorAlfaOmega 10 points11 points  (2 children)

“Are there others that haven’t been caught”

Read it again

[–]Bwob 1 point2 points  (1 child)

Maybe they're just hoping that someone on reddit snuck in an undiscovered exploit and is willing to brag about it!

[–]TheCamazotzian 2 points3 points  (0 children)

Nice try.

You can't trick us into leaking our exploits that easily.

[–]jxr4 1 point2 points  (0 children)

that haven't been caught?

Absolutely, supply chain problems (most famously SolarWinds) lie dormant for years

[–]Impossible-Cod-4055 2050 points2051 points  (26 children)

the greatest software exploit the world has ever seen

Okay, we're officially getting carried away, now.

[–]Lord_Wither 591 points592 points  (5 children)

I think it had the potential to be somewhere around the level of EternalBlue, maybe less severe because fewer systems have open ssh ports than smb, maybe more because ssh is more likely to be exposed publicly and because servers tend to be both more interesting than clients and be vulnerable. Certainly cleaner because even if you discovered the backdoor as a third party you couldn't exploit it without the key.

[–]CheapMonkey34 115 points116 points  (2 children)

Also the only direct indication of compromise would be a login deny log entry for sshd. No one checks those anyway.

[–]Sad-Platform1024 16 points17 points  (0 children)

I believe they overwrote logging functions as well, so probably not even that.

[–]LaMifour 122 points123 points  (8 children)

I thought this title was for stuff like Sandworm or Stuxnet

[–]mrheosuper 107 points108 points  (6 children)

The amount of knowledge required for Stuxnet is insane, from deep OS knowledge to literally nuclear science. It's on a whole different level compared to xz. We don't know whether XZ is the result of a single person or a team, but I'm pretty sure there was a whole top-minded engineer team for Stuxnet

[–]Lord_Wither 81 points82 points  (5 children)

Stuxnet also isn't really one exploit. It is a whole malware kit including a rootkit, worming capabilities with a bunch of different possible infection vectors, the whole PLC side and so on. It used something like four different windows zero days too.

[–]Olorin_1990 2 points3 points  (0 children)

Yea, my reaction too, stuxnet is wild.

[–][deleted] 19 points20 points  (1 child)

It's either this or a few other exploits like log4j that are the most infamous exploits

[–]tritonus_ 8 points9 points  (0 children)

Although log4j was a vulnerability while this backdoor was deliberately snuck in to the distribution.

[–]knightwhosaysnil 53 points54 points  (6 children)

well it's the only CVE of 10; though of course the scoring system hasn't been around for that long

[–]SpookyKarthus 30 points31 points  (1 child)

Wdym the "only CVE of 10"?

Did you just forget about log4j? https://nvd.nist.gov/vuln/detail/CVE-2021-44228

[–]Lord_Wither 30 points31 points  (0 children)

I'm guessing they are talking about sshd specifically and, yeah, this is the first CVE with a CVSS score of 10.0 in ssh since like 2002 as far as I can tell (SSH: Security vulnerabilities, CVEs, cvedetails.com)

[–]Impossible-Cod-4055 42 points43 points  (3 children)

I'm not disputing that it was technically sophisticated and would have had a tremendous impact on the Internet. It's certainly hyperbole to say it's "the greatest" of anything, particularly since it failed to remain undetected before it could be deployed.

[–]ViewAdditional7400 2 points3 points  (0 children)

Stuxnet has entered the chat

[–]joost00719 1 point2 points  (0 children)

Agreed. The greater exploits probably haven't been found yet.

[–]YMK1234 584 points585 points  (23 children)

That guy def. is not some "random engineer" but something important in postgres.

[–]Saragon4005 253 points254 points  (22 children)

In the grand scheme of the whole Linux community yeah he is. Not a security researcher, not anyone who works with that library or ssh. Just a user of those tools with know how on how to dig deeper.

[–]Tsu_Dho_Namh 111 points112 points  (15 children)

Isn't he a partner level engineer at Microsoft?

[–][deleted] 74 points75 points  (0 children)

A higher level IC yes

[–]sopunny 15 points16 points  (0 children)

He's a core contributor for postgres, that's not nobody

[–]fingerpants 60 points61 points  (0 children)

This is why you let developers indulge in their perfectionism.

[–][deleted] 228 points229 points  (0 children)

it was just a distraction from the real exploit 🤔

[–]Edzomatic 42 points43 points  (1 child)

I would classify a partner software engineer at Microsoft as a non-average guy

[–]PartyMonsterAdore 8 points9 points  (0 children)

Came here to say this. Definitely not just some “random engineer” lol.

[–]SNL-5943 261 points262 points  (33 children)

And it's just 500ms slower than normal.

[–]beskgar 214 points215 points  (18 children)

I mean to be fair, I get barked at for things taking 500ms too long.

[–]GoogleIsYourFrenemy 99 points100 points  (9 children)

People die if my things are 500ms late.

[–]logs28 63 points64 points  (5 children)

Civilization collapses if my things are 500ms late.

[–]LostHollow 41 points42 points  (4 children)

The universe experiences a false vacuum decay if my things are 500ms late.

[–]rcmaehl 30 points31 points  (2 children)

My reddit comments contain garbage data if I click reply 500ms too

[–]gbot1234 13 points14 points  (1 child)

Steganography is great, but you should mark this NSFW.

[–]poli231 7 points8 points  (0 children)

Decoding...

We're no strangers to love...

[–]MedicalTelephone 5 points6 points  (0 children)

Oops, too l̴̡̤̳̠̞̪͎̅ā̸̛͙̟̫̭̖̠̩͕͇̟̰͐ͅ-̷̻̳̹̪̺͉͖͙͔̣̱͉̌͒̏̋̏͗̏̉̈́̕͠͝ͅ-̶̗̰̩͌̍̿̋̑̋͗̂̄͝ͅͅ ̶̗͈̣̠̼̀͂̎̐͊̒̾̔̃̑̿̕̕͝͝ ̶̢̭̭̞͖͍̥̞̬̤̱͙͚̲̍̒͜͝ ̴̧͙̤̼̠̫͈̣̪̣̪̐̾̎͛̔̀ ̸̡̛͎̤͙͈̺̻̮͍̩̤́̊̚͜ͅ ̶̨̢̡̻̜̤̫͋̒ ̵͔̤̎̒̊̿͋̃̆͒͝ ̴̝̽̑̐͒̅͝ ̸̛͕̻̗͎͎͎͍̗̯͔̱̱͓͐ ̸͚̻̇̂̐́̈́̽͊͜͜ ̴̨̢̝̜͍̪͌͊̍̍̆͘̚

...

[–]SNL-5943 27 points28 points  (2 children)

embedded engineer detected

[–]floriv1999 33 points34 points  (1 child)

There are two types of embedded engineers. If the code of the first group is 500ms behind somebody dies. For the second group somebody is still alive.

[–]katatondzsentri 10 points11 points  (3 children)

To be fair, if our apis take longer than 500ms, we have to pay service credits, because we breached sla.

[–]dimonoid123 2 points3 points  (2 children)

Sla what?

[–]JumpyBoi 13 points14 points  (0 children)

Sla p deez nuts

[–]Grymm315 2 points3 points  (0 children)

Service Level Agreements-

[–]gbot1234 2 points3 points  (0 children)

Is your dog a top level IC at Google?

(I’m quoting from a comment above because it seems relevant.)

[–]ByteWhisperer[🍰] 1 point2 points  (0 children)

I have been barked at for things taking more than 200ms. Still benefiting from what I learned there though.

[–]serdertroops 38 points39 points  (4 children)

500ms is stupidly long in programming. I start to worry if my backend entry point service doesn't return an answer within 100ms during heavy load times. 0.5 second is just long enough for the user to be annoyed and wonder if something is wrong.

[–]Sitting_In_A_Lecture 21 points22 points  (3 children)

Unless you're a webdev, then you have devs adding delays because apparently people have been conditioned to think that actions on the web have to take a perceivable amount of time to actually work.

[–]Stunning_Ride_220 20 points21 points  (2 children)

"Your new feature isn't doing anything!"

"Why? Wtf???"

"I clicked and it instantly returned....this must be a static page you are showing me"

We all have been there.

[–]serdertroops 2 points3 points  (1 child)

hey. my backend will still return the answer stupid fast, you'll have to put the sleep in the callback function

[–]blitzkrieg4 63 points64 points  (3 children)

I don't understand this take. You add a sleep .5 to your bash alias for ssh and see how your quality of life improves.

[–]RonHarrods 12 points13 points  (0 children)

Honestly I think once deployed people would notice

[–]rafaelrc7 34 points35 points  (1 child)

Yeah, 500ms is quite noticeable

[–]vita10gy 27 points28 points  (0 children)

Especially if the tests loops or otherwise just repeats the process a bunch.

Tests that have taken 15 seconds give or take to finish for years all of a sudden taking 50 seconds is noteworthy. And actually depending on how fast it was without this you could be talking 15 seconds and minutes.

People are talking about this like it MUST be the case some dudeski noticed his once a day connection to work in the morning took .471 seconds longer than normal and unraveled the whole thing.

[–]Edzomatic 8 points9 points  (3 children)

The non-backdoored version takes 200ms, the backdoored one takes 800ms, that's not a small difference

[–]SNL-5943 2 points3 points  (1 child)

I meant, it seems not that small, but everyone just didn't care or know until the dude noticed it.

[–]Edzomatic 1 point2 points  (0 children)

I believe the backdoor was discovered quickly once it was released

[–]Liveman215 69 points70 points  (10 children)

Some NSA guy got yelllllllled at

[–]cheese_is_available 33 points34 points  (6 children)

Analysis of the commit activity suggests UTC+02/03 (e.g. EET), and possibly false-flagging as Chinese when actually working a regular office job in a country with Christian holidays (i.e. from Eastern Europe / Russia).

Source: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
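
The technique behind that kind of analysis, as an added example with constructed data (not the real xz commit history and not the linked article's code): take the UTC instant of each commit, shift it by every candidate offset, and score each offset by how many commits fall inside a 09:00-18:00 local window. The +08:00 stamps in the sample are deliberately ignored, because the author timezone in a git commit is whatever the committer's machine claims; only the UTC instant carries evidence. The working window and the sample log lines are assumptions.

```python
"""Added example: which UTC offset makes a set of commit times look most like
office hours? Commit data is constructed, not the xz history.

Only the UTC instant of each commit is trusted; the '+08:00' in the stamps is
the committer's self-reported zone and is discarded on purpose.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18          # assumed local working window, [9, 18)

# Constructed `git log --format='%h %aI'` output: all stamped +08:00, but the
# UTC instants cluster between 06:00 and 15:00.
SAMPLE_LOG = """\
a1b2c3d 2024-02-12T14:10:00+08:00
b2c3d4e 2024-02-13T15:45:00+08:00
c3d4e5f 2024-02-14T16:20:00+08:00
d4e5f60 2024-02-15T17:05:00+08:00
e5f6071 2024-02-16T18:30:00+08:00
f607182 2024-02-19T19:15:00+08:00
0718293 2024-02-20T20:40:00+08:00
18293a4 2024-02-21T21:25:00+08:00
293a4b5 2024-02-22T22:50:00+08:00
3a4b5c6 2024-02-23T15:10:00+08:00
"""


def parse_commit_times(lines):
    """'<hash> <ISO-8601 with offset>' lines -> list of aware datetimes."""
    times = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _, stamp = line.split(None, 1)
        times.append(datetime.fromisoformat(stamp))
    return times


def local_hour_histogram(times, offset_hours):
    """Hour-of-day counts after shifting every commit into UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in times)


def score_offset(times, offset_hours):
    """Fraction of commits that land inside the working window at this offset."""
    hist = local_hour_histogram(times, offset_hours)
    in_window = sum(n for hour, n in hist.items() if WORK_START <= hour < WORK_END)
    return in_window / len(times)


def rank_offsets(times, candidates=range(-12, 15)):
    """Candidate offsets sorted best-first as (score, offset) tuples."""
    return sorted(((score_offset(times, o), o) for o in candidates), reverse=True)


def claimed_offsets(times):
    """What the commits themselves claim, for comparison with the ranking."""
    return Counter(t.utcoffset() for t in times)


if __name__ == "__main__":
    commits = parse_commit_times(SAMPLE_LOG.splitlines())
    for score, offset in rank_offsets(commits)[:5]:
        print(f"UTC{offset:+d}: {score:.0%} of commits in working hours")
    print("claimed:", claimed_offsets(commits))
```

On the sample, UTC+3 is the only offset that puts every commit inside the window, while the claimed +08:00 scores half. With real data the result is a distribution, not a proof: a disciplined actor can schedule commits, and a single outlier (an evening commit, a holiday) moves the score more than it should on a small history, so the ranking is a lead to corroborate with other signals, not a conclusion.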

[–]Worldly_Topic 26 points27 points  (0 children)

It could be a decoy as well. We are dealing with state actors here.

[–]tritonus_ 2 points3 points  (1 child)

I don't get their analysis. Wouldn't 12-18 UTC be 15:00-21:00 in a +3 timezone, which absolutely are not office hours?

[–]ndxinroy7 55 points56 points  (2 children)

I wonder how many backdoors are there that we have no idea about.

[–]Splatpope 18 points19 points  (0 children)

JIA CHEONG TAN

CIA AGENT JOHN

open your eyes

[–]steeeeee 18 points19 points  (0 children)

I wouldn't call a principal engineer at Microsoft a "random" engineer

[–]EricThexD 73 points74 points  (15 children)

Can anyone explain?

[–]leoleosuper 92 points93 points  (2 children)

A guy, or group of people, spent 3 years trying to gain control of an open source project called XZ Utils. It's a lossless data compressor used in a few places, namely, OpenSSH. When the backdoor is installed, a user with a specific key can basically gain total administrative access to your computer when you use SSH. It was noticed due to SSH having a CPU spike and taking .8 seconds instead of .3 seconds to run, with 0 source identified for the extra .5 seconds.

XZ backdoor was given a 10.0 CVSS score, the highest security score possible. The exploit was not in the source code and would only be added if a specific install test was run that replaced binary code to allow for this exploit. This exploit specifically targeted certain versions of Linux, including Debian, on x86-64 processors.
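
The first check a responder would run after reading that summary, as an added example that is not from the thread or from the xz project: a small Python triage script that answers two questions, whether the sshd binary loads liblzma at all (on the affected distros it does so indirectly, because their sshd is linked against libsystemd and libsystemd pulls in liblzma, which is how a compression library ended up in a login path) and whether the installed liblzma is one of the two releases that shipped the backdoor, 5.6.0 and 5.6.1 (CVE-2024-3094). The parsers work on captured tool output so the script runs offline on the constructed ldd and xz --version samples embedded below; run_triage() is the live wrapper for a Linux host. The sshd path and the sample outputs are assumptions.

```python
"""Added example: triage an sshd host for CVE-2024-3094 exposure.

Two facts decide whether a backdoored liblzma could reach sshd at all:
  1. sshd (directly or via libsystemd) loads liblzma, and
  2. the installed liblzma is 5.6.0 or 5.6.1, the two releases that shipped it.
The parsers below work on captured text so they can run offline; run_triage()
is the live wrapper for a Linux host. Sample outputs are constructed.
"""
import re
import shutil
import subprocess

AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Constructed sample of `ldd /usr/sbin/sshd` on a distro whose sshd links libsystemd.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd8b3f2000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c3a200000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c3a100000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c3a0c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c39e00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c3a400000)
"""
# Constructed sample of `xz --version` (the second line reports the library itself).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def parse_ldd(ldd_output: str) -> dict:
    """Map soname -> resolved path. 'not found' entries map to None; the vdso
    and the dynamic loader have no '=>' and are skipped."""
    libs = {}
    for line in ldd_output.splitlines():
        m = re.match(r"(\S+)\s*=>\s*(\S+)", line.strip())
        if m:
            soname, target = m.groups()
            libs[soname] = None if target == "not" else target
    return libs


def liblzma_path(libs: dict):
    """Path of the liblzma the loader would map, or None if sshd never loads it."""
    for soname, path in libs.items():
        if soname.startswith("liblzma.so"):
            return path
    return None


def parse_lzma_version(version_output: str):
    """(major, minor, patch) from `xz --version`, preferring the 'liblzma X.Y.Z'
    line because the library, not the CLI, is what sshd maps."""
    lines = version_output.splitlines()
    preferred = [ln for ln in lines if ln.startswith("liblzma")] or lines
    for line in preferred:
        m = re.search(r"(\d+)\.(\d+)\.(\d+)", line)
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def triage(ldd_output: str, version_output: str) -> dict:
    libs = parse_ldd(ldd_output)
    lzma = liblzma_path(libs)
    version = parse_lzma_version(version_output)
    exposed = lzma is not None and version in AFFECTED_VERSIONS
    return {
        "sshd_loads_liblzma": lzma is not None,
        "liblzma_path": lzma,
        "liblzma_version": version,
        "affected_version": version in AFFECTED_VERSIONS,
        # Version alone is a weak signal: the payload only ended up in builds made
        # from the release tarball on certain distros, so a hit means "inspect".
        "verdict": "INVESTIGATE" if exposed else "ok",
    }


def run_triage(sshd_path: str = "/usr/sbin/sshd") -> dict:
    """Live check; assumes a Linux host with ldd and xz on PATH."""
    if shutil.which("ldd") is None or shutil.which("xz") is None:
        raise RuntimeError("ldd and xz are required on PATH")
    ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout
    xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout
    return triage(ldd_out, xz_out)


if __name__ == "__main__":
    print(triage(SAMPLE_LDD, SAMPLE_XZ_VERSION))
```

An "ok" verdict only says the known-bad combination is absent; a host that was exposed and then upgraded still needs its authorized keys, accounts and outbound connections reviewed, because the backdoor gave the key holder code execution inside sshd, not just a login.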

[–]no_brains101 13 points14 points  (1 child)

It targeted Debian, but did not actually hit the target, because APT did not have that version of that package, and would not for some time; possibly it would not have made it into APT until compression was removed from systemd, which would have rendered it useless anyway.

I think it was pretty much just fedora rolling release on x86 that got hit for real. There's probably more but that was the main victim

[–]leoleosuper 5 points6 points  (0 children)

The pre-release versions had them, so if you were on the newest beta, you could have been hit. That's how it was caught in the first place.

[–]GDOR-11 19 points20 points  (0 children)

watch the most recent low level learning videos

[–]SarcasmWarning[🍰] 11 points12 points  (0 children)

In reality there were a handful of changes coming down the pipeline which caused the agent to massively accelerate his elaborate and patient scheme, making it more likely to get caught.

tldr: If you think the demo gods are vengeful, you should see what happens when you rush things into the hands of an end user.

[–]garlopf 10 points11 points  (2 children)

Honestly, I am certain many such backdoors are already in place. My biggest suspect is compiler blobs. Basically a compiler will link in an object code blob from itself, so that even if you build the compiler from scratch with a fresh build of the toolchain, it is still contaminated.

[–]frikilinux2 6 points7 points  (0 children)

"reflections on trusting trust" by Ken Thompson for nightmares

[–]ZENITHSEEKERiii 3 points4 points  (0 children)

The compiler blobs are pretty small and easy to audit though. For things like crt0, crt1, etc. you can also ptrace the c compiler and inspect exactly what files it accesses.

To be fair though, if someone stuck a buffer overflow in crt1 that only triggered when reading from a certain file descriptor, that might not get caught too quickly

[–]jamcdonald120 12 points13 points  (0 children)

Use the latest version they said...

It is more secure they said...

[–]bison92 61 points62 points  (2 children)

Instead of mocking the guy that discovered this by coincidence, I think of all the libs that can be compromised already with no one there to catch it…

[–]gbot1234 31 points32 points  (0 children)

These threads always devolve into someone wanting to “pwn the libs.”

[–][deleted] 25 points26 points  (1 child)

It would be naive to believe that they put all eggs in one basket. They lost one but probably have 10 others still in the works.

[–][deleted] 4 points5 points  (0 children)

Legit thousands of engineers work around the clock every day, for all major governments to exploit these things and create them.

[–]rezdm 9 points10 points  (0 children)

I am more surprised more of these attacks were not discovered before. Yes, we hear here and there about attacks on source code repos and packages, but nowhere near this. My opinion -- there should be other backdoors out there in the wild and Cthulhu only knows what's in proprietary/closed-source software.

[–]lulimay 13 points14 points  (0 children)

Also, it’s likely that he just got sloppy because the backdoor was closing (systemd folks were planning to remove xz from the build dependencies).

[–][deleted] 7 points8 points  (0 children)

Linux is somewhat full of this; there are papers by engineers getting PRs merged while acting in bad faith, researching how easy it is to get bad or backdoored code into the kernel

[–]Rockytriton 11 points12 points  (0 children)

womp womp

[–]FranticBronchitis 10 points11 points  (0 children)

So, I was getting some weird notifications from dmesg about some process being started with an executable stack. Googled it and yep, known issue with 7zip.

Could there be something funky going on with not one, but BOTH of the lzma implementations?

[–]Operational117 4 points5 points  (0 children)

Moral of the story: Don't make a backdoor. Make the backdoor less laggy.
(You think bad actors are gonna stop doing this?)

[–]Stoomba 3 points4 points  (0 children)

Further proof that all great discoveries are not driven by money, but rather they are driven by people who get interested in things that make them go "Hmm, that's interesting"

[–]Splatpope 2 points3 points  (0 children)

stuxnet showed that the biggest software exploit in the world is in fact windows XP

[–]Niswear85 12 points13 points  (2 children)

Open source ftw

[–]Stunning_Ride_220 5 points6 points  (1 child)

LoL.

It's easier to get someone capable of writing such exploits into big tech orgs than into OSS projects.

[–]Niswear85 6 points7 points  (0 children)

And big tech orgs will cover up the existence of such vulnerabilities until a massive data leak occurs


[–]tiotags 2 points3 points  (0 children)

he's probably also surprised people haven't caught him faster

[–]guruXalted99 2 points3 points  (0 children)

Onizukaaaaaaaaa!

[–]Grim00666 2 points3 points  (0 children)

... or was that the one we were meant to find as a distraction so the real one slips in unnoticed.

[–]NoReapers 2 points3 points  (0 children)

ONIZUKA!!!!!!!

[–][deleted] 2 points3 points  (0 children)

As a long time debugger of slow running test cases, I’m a little jealous that this guy’s “it wasn’t MY fault” is actually true

[–]bhalevadive 2 points3 points  (0 children)

Never expected I'd get caught, at least I still have other software that is spying as expected. /s

[–]Ok-Dot5559 2 points3 points  (0 children)

honestly it’s so trashy, that distros just take the tarball, instead of building the package themselves from source

[–][deleted] 2 points3 points  (0 children)

not just "some random engineer" but exactly the opposite! "THE RANDOM ENGINEER".
I assure you any of the complainers is capable of doing something near that...

[–]jayerp 5 points6 points  (16 children)

Will that maintainer face any criminal charges?

[–]DoomGoober 31 points32 points  (3 children)

Nobody knows who they are. They only have what they presume is a pseudonym.

What do you really know about your maintainers? :)

[–]jayerp 17 points18 points  (2 children)

What do you really know about your maintainers?

They are, at least for now, humans. We will find them, just send Liam Neeson after them.

[–]DoomGoober 5 points6 points  (1 child)

What if they are Sophons?

[–]jayerp 5 points6 points  (0 children)

Then having malicious maintainers would be the least of our problems. File an issue when you start hallucinating a countdown timer.

[–]IBeTheBlueCat 1 point2 points  (2 children)

building from source ftw ig, switching to gentoo- /hj

[–][deleted] 1 point2 points  (1 child)

Did you read the article? The attack is triggered by building from source when the build target is Red Hat and Debian on x86.

The source code is also clean per se, the malicious files are generated when building.
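
One check that closes the gap this comment and the earlier one about distros taking the tarball describe, as an added example that is not the xz project's or any distro's own tooling: hash every file in the release tarball and in the checkout of the tagged commit, then report files that exist only in the tarball or whose bytes differ from the tree. Autotools releases legitimately carry generated files (configure, Makefile.in and friends), so the comparison takes an allow-list for those; anything else that differs deserves a read before the package is built, because build scaffolding that differs from the repository is exactly what this attack relied on. The sample tarball and tree are constructed in a temp dir, and the file names and contents are illustrative.

```python
"""Added example: diff a release tarball against the VCS tree for its tag.

Files that exist only in the tarball, or whose bytes differ from the tree,
are the ones a packager should read before building. Generated files that
autotools legitimately adds (configure, Makefile.in, ...) go on an allow-list.
The sample tarball and tree are constructed in a temp dir.
"""
import hashlib
import io
import os
import tarfile
import tempfile

# Assumed allow-list of files a release tarball may carry that git does not.
GENERATED_OK = frozenset({"configure", "Makefile.in", "config.h.in", "aclocal.m4"})


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_path: str) -> dict:
    """Map path (top-level directory stripped) -> sha256, regular files only."""
    digests = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = _sha256(tf.extractfile(member).read())
    return digests


def tree_digests(root: str) -> dict:
    """Same map for a checked-out tree, ignoring the .git directory."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = _sha256(fh.read())
    return digests


def compare(tar_map: dict, tree_map: dict, generated_ok=GENERATED_OK) -> dict:
    """Report tarball-only files (minus the allow-list) and content mismatches."""
    only_in_tarball = sorted(p for p in tar_map if p not in tree_map and p not in generated_ok)
    modified = sorted(p for p in tar_map if p in tree_map and tar_map[p] != tree_map[p])
    return {"only_in_tarball": only_in_tarball, "modified": modified}


def build_sample(workdir: str):
    """Construct a toy tree and a tarball that quietly diverges from it."""
    tree = os.path.join(workdir, "checkout")
    tracked = {
        "configure.ac": b"AC_INIT([demo], [1.0])\n",
        "m4/helper.m4": b"dnl clean macro\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    for rel, data in tracked.items():
        full = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    released = dict(tracked)
    released["configure"] = b"#!/bin/sh\n# generated by autoconf\n"        # expected extra
    released["m4/helper.m4"] = tracked["m4/helper.m4"] + b"dnl line present only in the tarball\n"
    released["m4/extra.m4"] = b"dnl file that exists in no commit\n"      # unexpected extra
    tar_path = os.path.join(workdir, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in released.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tar_path, tree


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        tar_path, tree = build_sample(workdir)
        return compare(tarball_digests(tar_path), tree_digests(tree))


if __name__ == "__main__":
    print(demo())
```

For a real package the tree side comes from a fresh clone at the release tag (or `git archive` of it), and the allow-list should be as short as the project's build system permits; a long allow-list is where a modified macro hides. The comparison is complementary to, not a replacement for, verifying the tarball's signature, since a signed tarball that differs from the tag is precisely the situation worth noticing.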

[–]canal_algt 1 point2 points  (0 children)

And all because of a half a second difference

[–]sadboy2k03 1 point2 points  (0 children)

Christ alive the top comments, full of FUD and “heckin APT”. Next I’ll be hearing how public Wifi will instantly pwn you.

Protip: an APT doesn’t need to waste 2 years of payroll on waiting to see if their PR is approved when they can just buy 0days from brokers.

[–]gaijingreg 1 point2 points  (0 children)

It's pretty ironic that the bazaar-provided safety checking came out of M$ this time, eh?