Thoughts On the XZ Backdoor

  • Published 26 Jun 2024
  • Today I talk about my thoughts on the xz backdoor security situation. Warning: I don't know what I'm talking about.

COMMENTS • 97

  • @TheLinuxCast 2 months ago +6

    Follow me on Mastodon if you like Linux content! fosstodon.org/@thelinuxcast

  • @hotrodjones74 2 months ago +42

    Linux isn't doomed. It's the backbone of the internet.

    • @nyctinasty4753 2 months ago +8

      The backdoor also was caught and mitigated relatively quickly, not to mention it was mostly a non-issue on some distros and machines due to the conditions required for it to even work. Sure thing, it was a **SERIOUS** backdoor; but to call it something like "the doom/downfall/end of Linux" is a pretty huge, panicky exaggeration imo.

    • @TheRedMenace12 2 months ago +1

      But who will watch a video entitled "Linux doing just fine and progressing"?

    • @tibbydudeza 2 months ago +1

      Actually Junos OS from Juniper Networks (FreeBSD) and Cisco IOS XR (QNX) is the backbone of the Internets :).

    • @Brainreaver79 2 months ago

      @nyctinasty4753 so the usual reaction of the internet to anything..

    • @fakecubed 2 months ago +1

      Every major company relies on Linux being secure. They've got the resources to pay for security researchers and pen testers who are constantly analyzing the most popular Linux packages and the kernel itself. So while there will always be some security vulnerabilities, we can expect them to be found pretty quickly. More obscure packages that fewer people use, or big companies aren't using, are more likely to be insecure, but there's also a lot less attention from bad actors on those obscure packages. As we saw even in this XZ thing, the target was Debian and Fedora (and their forks). The bad actor(s) involved in the XZ thing weren't spending time to make other distros vulnerable to it.
      The advantage Linux has over closed source is that any random person can go investigate something if there's weirdness. That happened with XZ. And, everyone on the planet can watch and see how the different distros respond, and we know when fixes are made. We get meaningful confirmation of a fix being in place. In the closed source world, a bad actor within the company could simply allow a vulnerability to remain, or change it just enough to keep a system vulnerable while making it seem like a fix has been made, and very few people would be able to tell something weird is going on. We know that governments and criminal organizations (but I repeat myself) have infiltrated many software projects, both open and closed source. But with open source there is a publicly auditable trail. With closed source you are simply forced to trust that whatever internal security procedures at a company that is subject to whatever government laws and secret court orders is going to do the right thing. Since there is secrecy within the company's internal operations, bad actors can be much bolder and get away with more bad things without getting caught. It requires a lot more work to hide things in an open source project, because blatant nefarious actions are much easier to catch.
      I'll trust the publicly auditable projects over opaque closed source any time.

  • @MichaelWilliams-lr4mb 2 months ago +27

    The thing was the backdoor wasn't in the source code. Malicious binaries were inserted into the tarball. You would have never found it in the source code.

    • @Sevalecan 2 months ago +9

      Parts of it were in the source code repository, just missing an activating component.

    • @hanzofuma 2 months ago +2

      Most of the work was done in the makefile, which is in the source code. Also, disabling the ifunc was one of the main points that made it undetectable even by bots. By looking at the commit history, knowing that there is an issue, you can find it.

  • @froedge 2 months ago +25

    I'm currently a cybersecurity professional and have been in the field for a while now. Just felt like adding this in for fun / common knowledge, but as part of the CySA+ certification training (not test material per say but is in the training to clarify), this was actually confirmed that the NSA was intercepting networking hardware and inserting beacon devices into them. This was leaked about a decade ago now, but yeah not a conspiracy, actually fact haha

    • @asdion 2 months ago

      You will still be called a "conspiracy theorist" because people are scared of accepting that the government would do something bad.
      btw it is a conspiracy per definition: "a secret plan by a group to do something unlawful or harmful"
      the way conspiracy is used in common parlance is wrong and intentionally so to discredit people.

    • @moetocafe 2 months ago

      Like what? What is this supposed to mean: "intercepting networking hardware" ?

    • @tibbydudeza 2 months ago +4

      We all know all Cisco network gear went to a special warehouse before they were shipped overseas ;).

    • @glebglub 2 months ago +2

      conspiracy /kən-spîr′ə-sē/
      noun
      An agreement to perform together an illegal, wrongful, or subversive act.
      An agreement between two or more persons to commit a crime or accomplish a legal purpose through illegal action.

    • @exnihilonihilfit6316 2 months ago +1

      "per _se_"

  • @EugeniusNaumenco 2 months ago +7

    so the difference is apparently that in Linux everything will be eventually fixed

  • @albertlecuyer6761 2 months ago +1

    Well said, Matt. The speed with which the community responded to the situation is a testament to the resilience of said community.

  • @Maxume 2 months ago +2

    I agree with Matt that security is the user's responsibility. Backdoors, vulnerabilities, bugs etc. are always present in a complex piece of software and they almost always get discovered by accident. The chances that there aren't other vulnerabilities equal to or worse than this backdoor, which will only be discovered at some future time, is remote. The great thing about open source is that literally anyone can go find the cause/solution. You don't have to depend on some company which may or may not have placed that backdoor there on purpose.

  • @myria2834 2 months ago +10

    He knew he had to jump through hoops to obscure this backdoor, yet it was still found by a random dude upset about a fraction of a second performance impact.
    Meanwhile we all know Windows and Mac have malicious code built in by design, but we only ever learn just how bad it is when a hacker exploits it or an employee starts to feel guilty and leaks the details.

  • @fakecubed 2 months ago +2

    There will always be bad actors trying this sort of thing. They do it with closed source projects too. The difference is, in open source, anyone can detect it and there's no cover-up possible. Everyone knows when it's fixed, and anyone can offer a fix. In a closed source project, the company that controls the code is already infiltrated by every three letter agency and they can reassign whoever discovers the vulnerability and then keep the vulnerability in place for whatever agency they are working for.

  • @rafadardzinski7461 2 months ago +11

    I disagree. Just because something is open source, it doesn't mean that there's someone out there whose passion is to look at the source code of this one particular library and look for vulnerabilities for free. Not to mention that xz backdoor was not placed in source code to begin with.

  • @BytebroUK 2 months ago

    Don't know about anyone else, but I've rarely finished a piece of 'net-aware' code that didn't get torn apart by sec people in code review. Been doing this for a long time, and I still learn something Every. Single. Time :)

  • @whiskeylinux 2 months ago +3

    Short but informative, many thanks! I'm on Ubuntu Cinnamon 23.10 and the xz version I have wasn't affected so I didn't look into it. Glad you did it for me. Keep up the great work Matt!

  • @Bruces-Eclectic-World 2 months ago +2

    Good Ramble Matt. That is why I like Arch, someone finds something and it is fixed and updated faster than you can say "Got YA!".... Well almost that fast... 😆
    LLAP 🖖

  • @Smittron 2 months ago +5

    Linux users don't have their eyes on code but instead are busy distro hopping while arguing about the best desktop, best distro, best package manager, etc. 🙂

    • @DarthVader11912 2 months ago +5

      The distro contributors do. the devs do. the companies that use linux do.

    • @tablettablete186 2 months ago +2

      @DarthVader11912 xz just proved that they don't. In fact, how would they verify so much code?
      - The maintainer was burned out
      - The other maintainer was a bad actor
      - Distros simply copy pasted the tarball without any checks
      - Other people didn't check the code (it was found by accident, because of a performance problem)
      People just got too complacent with code.

    • @glebglub 2 months ago

      @tablettablete186 time to stop using AI to make porn and twitter bots and make it a 10,000,000,000 IQ exploit/vulnerability finder

  • @petromudrievskyj 2 months ago +1

    It doesn't matter for security if the project is open or closed source. What matters is how many people are developing/testing/fixing/managing the project. In this case there were two: the maintainer and the bad actor. "Millions c o u l d look into it", but they didn't, just like you and me, because they don't have: time, knowledge, skills, motivation (ie. enthusiasm or money) or what else, - so "millions" boils down to "2 devs: maintainer and hacker". If Open Source™ makes you feel more secure - great. What actually makes any (open or closed) project more secure is a large team behind it. P.S. actually more like team to project size ratio

  • @byteme6346 2 months ago +3

    It doesn't affect debian stable. I'm good.

    • @bobmauranne6829 2 months ago

      Indeed.
      apt-cache show liblzma5
      Version: 5.4****
      => Relief
      "Slow and steady wins the race."

  • @cejannuzi 2 months ago +2

    I think it also speaks to the huge success of Linux. But the prize wasn't so much the desktop (which isn't really that successful) and instead the people were targeting Linux on servers. Also, what about any possible criminal investigation? I haven't read anything about that.

  • @kevincodes674 2 months ago +1

    I'm in the same boat, I love the conversation but don't know enough about cyber security to digest the info. I think there was an element of social engineering in the attack where the victim was targeted for not merging updates quick enough. Another vulnerability of open source is burnout I think, especially when contributions have to be made in a developer's spare time.

  • @schemage2210 2 months ago +6

    If anything, this is a wake up call for project safety best practices. A lot more people are going to scrutinise commits a lot more now, and that will make slipping a backdoor like XZ past the entire community much harder to do.

    • @kylehennkens9578 2 months ago +3

      Scrutinizing commits is a bit harder when the targeted project had one burned-out maintainer

    • @schemage2210 2 months ago

      @kylehennkens9578 I mean you're not wrong in this instance but the theory remains: trust, but verify!

    • @petromudrievskyj 2 months ago

      Have you already started scrutinising?

    • @schemage2210 2 months ago

      @petromudrievskyj Of course!!!

  • @FagnerLuan 2 months ago +1

    The issue is that many distros would ship it, imagine this on Ubuntu 24.04, it's no joke. One thing is a user installing an infected application, another is bundled on the OS.
    Yeah, you need to be cautious with the software you install, if this happened in front of big companies eyes, imagine what can happen in small projects.

  • @mrpocock 2 months ago

    The learning opportunity here is that there should be a proper way to pay people that maintain critical infrastructure, even if they do so as a side gig or passion project.

  • @walter_lesaulnier 2 months ago

    I love Fedora from a security standpoint. Its implementation of SE Linux is the best. And it is great to have support in terms of funding and developers from a large corporation while maintaining a high degree of autonomy and not being "corporatized" like Ubuntu. Also, Fedora and Red Hat are the source of many security related aspects of Linux.

  • @StichyHD 2 months ago +2

    Good video thanks enjoyed it!

  • @michaelkrailo5725 2 months ago

    It's amazing how quickly this was caught, the creativity involved to inject a public key into the resulting binary using the make file instead of from the source code is so very sneaky. It also makes you wonder how do you vet every make file? Then you get into the motive for backdooring everyone's Linux box. Maybe for mass bitcoin mining.

  • @MrTarkus01 2 months ago +1

    Annoyingly, OpenSSH doesn't even use the xz/lzma libs. The distros compile it in to allow notifications to systemd. Madness.

  • @Panacea9 1 month ago

    Ok Diane and others.
    There is 100% logs.
    You could create the newest way to protect all the things you put in it. The best encryptions you can think of, using a key only accessible by an unknown signal to space, it is all found instantly.
    In actual cyberwar if that is a thing, you need to develop your own system.
    This was early on and people warned at the time of these things, but no one listened because usa mike thought they would be edged out.
    Even if the guy was 100% dead. The concepts were still there to learn in canada.
    No one is going to sell you log output or explain the code to you.

  • @bitterseeds 2 months ago

    It took 2+ years and a util with one burned out maintainer to get where they did. It did wake folks up. I'm sure folks will scrutinize new contributors MUCH closer from now on.

  • @etherealregions2676 2 months ago

    I personally think one of the weakest links in cyber security is the data that travels between the computer and the domain name server.
    This is why it's important to encrypt the traffic and use a DNS that allows you to encrypt your traffic. That's my opinion, anyway.

  • @wisteela 2 months ago +1

    Long live Linux and open source

  • @gizzmoguy. 2 months ago

    I think it would be more difficult for someone working for a company to create such a backdoor because they would probably lose their jobs over it. Open source people usually volunteer and so the ramifications for getting caught doing something like this are nothing in comparison.

  • @riddler8668 2 months ago +3

    This makes more merit for distros like debian - just behind the cutting edge.
    I am debian guy - so bias here.

    • @jht9242 2 months ago +1

      "just behind the cutting edge". That would be openSUSE slowroll. Debian is more like several years out of date.

  • @joseoncrack 2 months ago

    No it isn't doomed. Good point here is that it got caught, and relatively early. And finally, as others have said, it's the whole "convenience" factor of systemd that led to some distros doing what they shouldn't have. And, the mad thing is that nobody (until the exploit got caught and people analyzed it, which didn't take long) among those distros that would do this madness with systemd cared to check the build process of xz. You get what you deserve.

  • @F_Around_and_find_out 2 months ago

    The key here is keep an eye open and an ear to the ground. No eyes and no ears give bad actor full reign over open source and closed source.

  • @EffortlessVids 2 months ago +1

    Hey, I know this is not the place I'm supposed to ask this in, but have you got any idea on how to connect to wifi on a Musl LLVM Gentoo install without wpa_supplicant ; nmcli ; iwctl/wifi or any similar commands. USB tethering doesn't work. I've tried to boot from a live USB of another system and copy both the kernel and the binary command files themselves, but it doesn't seem to work. I've made sure my wifi itself works properly. Help would be greatly appreciated. Thanks!

    • @TheLinuxCast 2 months ago

      I know very little about musl. You may find help on my discord tho.

  • @BanduTheGreat 2 months ago

    It was a windows guy that found it.

  • @englishchannel7523 2 months ago

    I believe the paid software engineers will always look for these backdoors inside linux as it is eating up most of their business. And in fact they might be doing the same, as these revelations can hinder the growth of open-source and in turn help the closed source to grow. It is good for us though.

  • @mijana961 2 months ago +1

    I'm having xz utils .1, that affected version waiting for something to happen 😂

  • @AndreaIppolitoIppo 2 months ago

    Honestly, projects that are so foundational to a bunch of other pieces of software should NOT be allowed to be run like a dictatorship.
    I don't know for example who could have approved a PR to add the .m4 payload to the .gitignore file without raising some question, like "dude, what is this for?"
    I'm a big fan of open source, but I think that the way some projects are run should be reviewed a bit. That being said, it could be quite easy to find an accomplice pretending to have performed a thorough code review although they didn't, so it's not really easy to avoid these situations from happening again.

    • @MrSnivvel 2 months ago

      Linux kernel is run as a dictatorship and so are most open source projects. The exploit happened because it was "democratized" when the lead maintainer brought on the malicious actor as a co-maintainer. If a root cause is to be assigned it's because the vetting process of allowing someone to be a maintainer was garbage. The project's management structure isn't the problem. It literally would have been better for the lead maintainer to go offline with his mental problems for whatever amount of time needed and let the project fork or see if one of the various open source groups/foundations (Linux Foundation, Apache Group, etc.) would take ownership of it.

  • @tibbydudeza 2 months ago

    What an amazing hack.
    Pretty sure it was a team from a nation state actor (China/North Korea - cough cough) - hats off to them for the social engineering to get maintainer status and using test data to construct a backdoor from it.
    It is the same thing that Dish networks (???) did way back just before streaming - they did updates to their satellite TV cards that nobody really understood for a month or two and a week just before the Superbowl they sent the final download and all the pieces they had downloaded over the month was actually a program that decrypted itself and then killed the satellite card if it was pirated.

  • @break1146 2 months ago

    I think the power namely lies into anyone being able to look into the issue when something is amiss, instead of just hoping a company to do something with it. People aren't looking at all of the code all of the time, sure, but neither are they in proprietary software lol. If nothing breaks and it doesn't need a new feature, good chance it's left alone.
    Then again this attack required years of social engineering with an overworked maintainer who was doing this in their free time. They chose one of the most vulnerable projects and it still took years to really get a hold.
    Also if you run a server, don't expose SSH if you don't have to. We'll be fine lol. Oh, and awesome catch from Andres. :)

  • @TheAtariSan 2 months ago

    The NSA stuff was the eternal blue exploit from the shadow broker.

  • @conceptrat 2 months ago

    TLDR; Transparency good. Opacity bad.

  • @minementalx 2 months ago

    I am not an expert, but Linux gives you more privacy out of the box. As far as I know there is no forced telemetry or reviewing of your files, Apple and MS on the other hand...
    It was also not "easier" because it's open source. The people that should have looked into it did not do their job but trusted the bad actor.
    Nobody at the top cared that their integration of xz into systemd relied on ONE overworked and depressed maintainer. And this was the weak point.
    Too many people don't care about dependencies they don't have a clue about with more dependencies they never heard of.
    I'm just a noob that read and listened to others, so take it with a grain (teaspoon) of salt :D

  • @Sevalecan 2 months ago +1

    Re: clickbait thumbnail question... Probably not.

  • @rlifts 2 months ago

    Old news now but yea I agree, because Linux is open source it was caught by someone.

  • @RegisBodnar 2 months ago +2

    What's crazy is, if this were a Windows backdoor, there's no guarantee that that particular Windows Engineer would have been allowed to find it! Like, he was doing SSH stuff and the backdoor was in file compression!

  • @byteme6346 2 months ago +3

    "Warning: I don't know what I'm talking about." yeah, we know that.

  • @etherealregions2676 2 months ago

    Are you planning on doing videos on the day that Fedora 40 and Ubuntu 24.04 come out?
    I've already marked the 16th on my calendar, as D-Day. Since I'm going to nuke my system and install Fedora 40.
    I might regret it, but that's half the fun. lol

  • @johanb.7869 2 months ago

    He doesn't make mistakes, makes nothing.

  • @kahnzo 2 months ago +6

    Such a weird reaction to, quite honestly, a symptom of a healthy ecosystem. "Why is this taking a half second longer than normal?" Non-specialist tracks the full exploit. Open dialogue means that, "this seems weird" leads to greater security.

  • @CEOofGameDev 2 months ago +1

    7:40
    Well, I'll have you know, that if all those lines of code were actually written in rust, it would be at least 70% safer. Since 70% of security vulnerabilities are because of -the filthy heathens who refuse the light of the true god of rust- memory bugs.

  • @Little-bird-told-me 2 months ago

    “The amount of violations of human rights in a country is always an inverse function of the amount of complaints about human rights violations heard from there. The greater the number of complaints being aired, the better protected are human rights in that country.” ― Daniel Patrick Moynihan >>> The same is true for open source

  • @asishreddy7729 2 months ago +2

    You’re kidding yourself if you think there’s security experts vetting some obscure library that’s a dependency of a dependency. This kind of attack would not happen in Microsoft. The code is rigorously controlled and vetted, and the code is closed source so millions of hackers don’t know where the vulnerabilities are. Yes, the nsa might have a backdoor in windows but an obscure hacker might have a backdoor in an obscure library in open source. Which one would you prefer?

    • @MrSnivvel 2 months ago

      You're kidding yourself if that's how you think software that is developed by a company lives up to any kind of higher quality. All developers suck, it's just a spectrum as to what degree how much they do. The vast majority of "security experts" are not checking on code quality themselves or would even know what to look for if they did; they're literally just looking at the output from source code scanning tools developed by someone else at some point in time in the past. The XZ exploit would have gone undetected by the attack vector most of those security scanning tools look at because it was outside the source code of the main application in the testing data used after compilation and was only in the tarballs that were packaged. Lastly, the persona (using that instead of singular person) that did the XZ exploit did the long haul of slowly maneuvering into position over a couple of years, the same could absolutely be done in a company.

  • @captainbodyshot2839 2 months ago +4

    Backdoor or not, this XZ thing is completely irrelevant in the grand scheme of things when people still trust projects like OpenSSL. I bet the amount of people affected by OpenSSL vulnerabilities alone would eclipse the amount of people that got backdoored by an order of magnitude, yet no one ever talks about it.

    • @glebglub 2 months ago

      I was thinking SQL but you make a good point too

  • @artemsmushkov766 2 months ago

    "It happened because it's open source" I believe is not correct. It happened exactly this way because it's open source.

  • @t0menlegam890 2 months ago

    doome.. no lah.. it just a pieces of shit..n linux just running like usual..every minutes linux just better

  • @jackelofnar 2 months ago

    The whole XZ back door was so overplayed by the linux community for views. For example not all distributions were affected like Arch and a lot of others.

  • @joetheman74 2 months ago

    What a ridiculous clickbait thumbnail. Anyone who knows the reality of what happened and what a non impact this really had will just be put off by it. Good luck with your lack of views.

  • @kolz4ever1980 2 months ago +1

    If you don't pay attention to the conspiracy theories are you a real linux user though? ;) I saw this guy last night wanting to host his own email service because he didn't trust the regular ones.. Yeah sorry when you're that over paranoid you're fucking hiding something clearly no matter what excuse is used. lolol

  • @kubakakauko 2 months ago

    You are just losing subs with those clickbait. I'm so tired of it.

    • @joseoncrack 2 months ago

      Yep. But unfortunately, I think YouTubers don't even have a choice now. It's either clickbait titles, or the videos get dereferenced very quickly. I don't like it, but it's more to do with how YT "algorithms" work than a willingness of YouTubers (at least, the serious ones) to deceive people.

    • @TheLinuxCast 2 months ago

      "Thoughts on the XZ Backdoor" is clickbait? ooookay. So tell me, what is clickbait? Can we not use provocative thumbnails to get people to click anymore? My next video will be about "XZ backdoor" that's all I can use? If those people who unsubscribe due to this hate it so much, they must hate literally everyone on YouTube. They can go back to not watching anything, because everything has a catchy thumbnail or a title or whatever. It's how it works.

  • @exnihilonihilfit6316 2 months ago +1

    Talk about a useless video...