this post was submitted on 30 Mar 2024
983 points (98.6% liked)

linuxmemes

20880 readers
3 users here now

I use Arch btw


Sister communities:

Community rules

  1. Follow the site-wide rules and code of conduct
  2. Be civil
  3. Post Linux-related content
  4. No recent reposts

Please report posts and comments that break these rules!

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 50 points 7 months ago* (last edited 7 months ago) (3 children)

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” Freund wrote. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here. https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

That really sucks. This kind of thing can make people and companies lose trust in open source. I wonder if we will learn the reason behind that. I would guess the developer was paid a lot of money by some organization to risk ruining his reputation like that.

[–] [email protected] 52 points 7 months ago (2 children)

Like the exact same thing can not happen in a closed source codebase. It probably does daily. Since closed codebases the due dilligence and reviews cost money, and nobody can see the state. They are intentionally neglected.
Open source nor closed source is immune to the 5$ wrench hack

[–] [email protected] 25 points 7 months ago

Can't decide which one is more relevant - the $5 wrench hack, or any sort of blackmailing.

XKCD 538 - Security

XKCD 416 - Zealous Autoconfig

[–] [email protected] 8 points 7 months ago

Exactly, if you are as big a Microsoft, you can't tell 100% if one of your developer's is actually being paid by a foreign government. Even if you say completely check the commits other devs make, there will still be deadlines when a code review is just "looks fine, next".

[–] [email protected] 48 points 7 months ago* (last edited 7 months ago) (1 children)

No, its the exact opposite.

Supply chain conpromise is a level of risk to manage not unique to FOSS. Ever heard of sunburst? It resulted in a lot of Microsofts cloud customers getting wreaked all because their supply chain was compromised.

Do people continue to buy into 365 and Azure? Yes. Without care.

So will this hurt open source projects? Not at all, in fact it will benefit them, highlight just why source code SHOULD be open source and visible to all! We would have had very little to no visibility and capability to monitor closed source. Let alone learn, improve and harden how projects can protect against this increasingly more common attack.

[–] [email protected] 15 points 7 months ago (2 children)

Yeah, I agree but I know some companies will have stupid thoughts like "a company employee is less likely to do that" or "at least we have an employment contract to back us up legally".

[–] [email protected] 13 points 7 months ago* (last edited 7 months ago) (2 children)

Until they are attacked...

Not to mention a lot of the time the "attack" is from the company themselves. Just look at the Meta malware as an example

[–] [email protected] 5 points 7 months ago (1 children)

the Meta malware

What is this?

[–] [email protected] 4 points 7 months ago

The VPN that performed a man in the middle attack to get data from other apps

[–] [email protected] 6 points 7 months ago

Ugh this reminds me of a guy I worked with, he used to be a trucker but became a software tester (he was also very religious).

Anyway he used to hate on open source software and call it open sores. According to him it was all amateur crap. Ugh I still hate that guy and it has been 15 years....

[–] [email protected] 17 points 7 months ago (1 children)
[–] [email protected] 4 points 7 months ago (1 children)

Certainly, that's why I said organization to be vague.

[–] [email protected] 5 points 7 months ago (1 children)

Sorry I should have been more clear too. I was trying to convey that the dev could have been paid off/threatened or it could be the work of a state actor or team of state actors under an alias. In one case they could care about their reputation but in the other maybe not.

[–] [email protected] 1 points 7 months ago

By the sounds of it it was an organised social engineering attack. Almost certainly "Jia Tan" is not a real person, or if it is a real person then it's a case of stolen identity. Even if I were being threatened to put a backdoor in some software I wouldn't do it under my real name.