• Possibly linux
    link
    fedilink
    English
    48
    edit-2
    8 months ago

    I’m genuinely disturbed that a person who was a core developer could just go rogue.

    • @dan@upvote.au
      link
      fedilink
      79
      edit-2
      8 months ago

      From what I’ve been reading, it sounds like they were malicious from the very beginning. The work to integrate the malware goes back to 2021. https://boehs.org/node/everything-i-know-about-the-xz-backdoor

      It’s an extremely sophisticated attack that was hidden very well, and was only accidentally discovered by someone who noticed that rejected SSH connections (eg invalid key or password) were using more CPU power and taking 0.5s longer than they should have. https://mastodon.social/@AndresFreundTec/112180406142695845

      • @Moonrise2473@lemmy.ml
        link
        fedilink
        158 months ago

        From that post, commits set to UTC+0800 and activity between UTC 12-17 indicate that the programmer wasn’t operating from California but from another country starting with C. The name is also another hint.

        • @dan@upvote.au
          link
          fedilink
          36
          edit-2
          8 months ago

          That could be part of their plan though… Make people think they’re from China when in reality they’re a state-sponsored actor from a different country. Hard to tell at this point. The scary thing is they got very close to sneaking this malware in undetected.

          A lot of critical projects are only maintained by one person who may end up burning out, so I’m surprised we haven’t seen more attacks like this. Gain the trust of the maintainer (maybe fix some bugs, reply to some mailing-list posts, etc), take over maintenance, and slowly add some malware one small piece at a time, interspersed with enough legit commits that you become one of the top contributors (and thus people start implicitly trusting you).

          Edit: Based on this analysis, they may have been based in a European timezone and just changed their timezone to UTC+8 before committing to Git to make it look like they were in China: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and. Their commits were usually between 9 am and 6 pm Eastern European Time, and there are a few commits where the timezone was set to UTC+2 instead of UTC+8.

                • @interdimensionalmeme@lemmy.ml
                  link
                  fedilink
                  58 months ago

                  That’s what states, militaries and other competition-infected minds do. Usually they say they imagine this to protect from it, then it becomes a weapon and “oops all wars”

            • @psmgx@lemmy.world
              link
              fedilink
              28 months ago

              Heavily, aggressively involved in cyber activities. Previous Chinese attempts were unveiled by similar small gotchas.

              Arguably that’s hard to prove, and it could be NK, India, the NSA, etc., but it’s not hard to believe this was part of another stream of attempts. Low ball, give it to the new guy, sorts of stuff.

              US fed gov loves redhat for example, and getting into Fedora is how you get into RHEL

        • StarDreamer
          link
          fedilink
          English
          7
          edit-2
          8 months ago

          According to this post, the person involved exposed a different name at one point.

          https://boehs.org/node/everything-i-know-about-the-xz-backdoor

          Cheong is not a Pingyin name. It uses Romanization instead. Assuming that this isn’t a false trail (unlikely, why would you expose a fake name once instead of using it all the time?) that cuts out China (Mainland) and Singapore which use the Pingyin system. Or somebody has a time machine and grabbed this guy before 1956.

          Likely sources of the name would be a country/Chinese administrative zone that uses Chinese and Romanization. Which gives us Taiwan, Macau, or Hong Kong, all of which are in GMT+8. Note that two of these are technically under PRC control.

          Realistically I feel this is just a rogue attacker instead of a nation state. The probability of China 1. Hiring someone from these specific regions 2. Exposing a non-pinying full name once on purpose is extremely low. Why bother with this when you have plenty of graduates from Tsinghua in Beijing? Especially after so many people desperate for jobs after COVID.

    • @Moonrise2473@lemmy.ml
      link
      fedilink
      138 months ago

      I’m kinda hoping it was just that a state sponsored attacker showed up on their door and said “include this snippet or else…” otherwise it’s terrifying thinking of someone planning some long con like this

      We are all relying on the honesty of a few overworked volunteers…

  • @0x2d@lemmy.ml
    link
    fedilink
    268 months ago

    could this be a nation-state attack? since jiat75 spent multiple years developing a fake persona and it seems like a lot of effort was put into this

    • @prettydarknwild@lemmy.world
      link
      fedilink
      18 months ago

      probably some agent from the country that starts with R, or from that other country that starts with C, or from one of those silly three-letter organizations

  • 56!
    link
    fedilink
    228 months ago

    I’m on Void, and I had the malicious version installed. Updating the system downgraded xz to 5.4.6, so it seems they are on it. I’ll be watching discussions to decide if my system might still be compromised.

      • 56!
        link
        fedilink
        28 months ago

        No, this is just my personal laptop. I don’t even have access to an IP address I could enable port-forwarding on.

      • arouene
        link
        fedilink
        18 months ago

        @Auli @56_ I have SSH open on internet… on ipv6, I’m safe. Do you think VPN open on the internet is safer ? (Think twice CVE-2024-21762…)

    • Possibly linux
      link
      fedilink
      English
      08 months ago

      I would nuke it and rebuild. If nothing else it is a good test of backups

  • @gnuplusmatt@reddthat.com
    link
    fedilink
    148 months ago

    some people in my mastodon feed are suggesting that the backdoor might have connected out to malicious infrastructure or substituted its own SSH host keys, but I can’t find any clear confirmation. More info as the investigation progresses.

    I guess at this point if you’re on Fedora 40 or rawhide clear / regen your host keys, even after xz version rollback

    • @Deathcrow@lemmy.ml
      link
      fedilink
      98 months ago

      or substituted its own SSH host keys,

      why would the backdoor do that? It would immediately expose itself because every ssh client on the planet warns about changed host keys when connecting.

      • @gnuplusmatt@reddthat.com
        link
        fedilink
        3
        edit-2
        8 months ago

        Perhaps it was a poorly worded way of suggesting that invalidating host keys would invalidate all client keys it could potentially generate? Either way it’s a lot of speculation.

        Resetting the keys and SSH config on any potentially compromised host is probably not a terrible idea

      • @gnuplusmatt@reddthat.com
        link
        fedilink
        48 months ago

        Nuke from orbit might be an overreaction, if you need that machine perhaps disable ssh or turn the machine off until later next week when the postmortems happen. If you need that trusted machine now, then yes fresh install

        • Possibly linux
          link
          fedilink
          English
          38 months ago

          Honestly doing a fresh install is a good test of your recovery abilities. You should always have a way to restore critical content in an emergency

          • @afterthoughts@lemmy.ca
            link
            fedilink
            1
            edit-2
            8 months ago

            I feel legitimately sorry for anyone who takes your rhetoric to heart.

            Try not to let these 🧩’s pull you down rabbit holes, guys.

  • @IsoSpandy@lemm.ee
    link
    fedilink
    108 months ago

    I am looking at these gaggle of posts and all of lemmy is flooded with this and then think that there is an entire Spyware OS on the other side… Which who knows what code it runs and people are chill about it. I am so thankful for this community.

  • @Auli@lemmy.ca
    link
    fedilink
    English
    68 months ago

    Makes you wonder how many of these are out there that have not been found?

  • @Commiunism@lemmy.wtf
    link
    fedilink
    68 months ago

    Damn, I had a malicious version installed on my Arch machine. I’ve since done a system update which removes the backdoor, but looking more into it, it does seem that only fedora and debian(?) are affected/targeted but better safe than sorry.

    • @afterthoughts@lemmy.ca
      link
      fedilink
      18 months ago

      I guess this is one of those instances where Manjaro holding back packages makes it more secure than Arch, not less.

  • @Player2@lemm.ee
    link
    fedilink
    58 months ago

    Using the F40 preview with KDE and a regular update from Discover rolled xz back to the known good version 5.4.6

  • @Ludrol
    link
    4
    edit-2
    8 months ago

    So far I was affected on termux. There is already package update.

  • @loops@beehaw.org
    link
    fedilink
    English
    48 months ago

    Running Ubuntu 23.10 with xz-utils 5.41 which is unaffected. Versions 5.6.0 and 5.6.1 are the malicious packages. I used Synaptic Package Manager to search for it.

    • @Bitrot@lemmy.sdf.org
      link
      fedilink
      English
      88 months ago

      The bad actor had a launchpad bug to pull it into the Ubuntu LTS beta. Serious kudos to the person who discovered it, literally in the nick of time.

    • @lengau@midwest.social
      link
      fedilink
      38 months ago

      On Ubuntu the only affected people were those running the prerelease of Ubuntu 24.04 who had installed the update from the proposed pocket.

  • @interdimensionalmeme@lemmy.ml
    link
    fedilink
    48 months ago

    Well, there’s also malicious code in the proprietary binary blobs of the drivers and those run with kernel privilege. At least that one we see what it does.

  • @Gabu@lemmy.world
    link
    fedilink
    38 months ago

    And the one main issue with FOSS rears its ugly head – freedom of contribution also means freedom of bad contributions.

    • deaf_fish
      link
      fedilink
      48 months ago

      This happens in close source software too. You just don’t find out about it until it gets bad enough.