March 30, 2024
Absolutely the biggest story in a while.
The backdoor developer appears to be Jia Tan, who spent years working on the xz project to gain a trusted position. In 2022 he was mentioned as a potential candidate to take over the project as maintainer.
oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
https://www.openwall.com/lists/oss-security/2024/03/29/4
Everything I know about the XZ backdoor
The xz package tars were backdoored. Only discovered because the backdoor slowed down sshd enough for Andres Freund to investigate.
— Bad Sector Labs (@badsectorlabs) March 29, 2024
Consider the case where the backdoor didn't cause perf issues... How long would this have gone undetected? https://t.co/qO05dVP7vU
you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in.. awk script and the result gets unxz'd again pic.twitter.com/Ws6Fg6lrmw
— blasty (@bl4sty) March 29, 2024
wild stuff re: xz/liblzma backdoor https://t.co/aBenGeQlLk pic.twitter.com/BNSjjXuNxm
— Dominik Penner (@zer0pwn) March 29, 2024
Urgent security alert for Fedora 41 and Fedora Rawhide users
Red Hat Information Risk and Security and Red Hat Product Security learned that the latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access.
I think this has been in the making for almost a year. The whole ifunc infrastru... | Hacker News
Probably not. I did some pattern of life analysis on their email/other identifie... | Hacker News
A backdoor in xz [LWN.net]
Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.
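The LWN item names the two affected releases, 5.6.0 and 5.6.1. The script below is an added example, not code from the page, the advisory or the xz project: it parses the two-line output of `xz --version` (the `xz (XZ Utils) X.Y.Z` line and the `liblzma X.Y.Z` line) and flags either of those versions. The sample outputs in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page or the xz project): flag the xz/liblzma
# releases named in the advisory (5.6.0 and 5.6.1) from `xz --version` output.

# Return 0 if the given version string is one of the backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Parse the text `xz --version` prints, which looks like this (constructed sample):
#   xz (XZ Utils) 5.6.1
#   liblzma 5.6.1
# Print "affected" if either reported version is backdoored, else "clean".
classify_xz_version_output() {
    out="$1"
    status=clean
    # The tool and the library can differ (e.g. a statically linked xz binary
    # next to a distro liblzma), so check both lines, not just the first.
    for v in $(printf '%s\n' "$out" | awk '/^xz \(XZ Utils\)|^liblzma/ {print $NF}'); do
        if xz_version_affected "$v"; then
            status=affected
        fi
    done
    printf '%s\n' "$status"
}

# Stand-alone use: classify whatever xz is on PATH, if any.
if command -v xz >/dev/null 2>&1; then
    printf 'installed xz: %s\n' "$(classify_xz_version_output "$(xz --version 2>/dev/null)")"
fi
```

A version string is only a first-pass heuristic: the oss-security advisory's own detection approach looks at the bytes of the liblzma that sshd actually loads, and distributions that rebuilt or reverted packages may report version strings that do not match the upstream tarball. Treat "clean" here as "not one of the two upstream release numbers", not as proof that the installed library is untouched.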
Interesting note on the #xz backdoor:
If you plot Jia Tan's commit history over time, the cluster of offending commits occurs at an unusual time compared to rest of their activity.
If the dev was pwned, it could be a sign that the threat actor contributed in their own timezone pic.twitter.com/CrFBcdIAni
— alden (@birchb0y) March 30, 2024
What Happens to Google Maps When Tectonic Plates Move? - Nautilus
Earth’s tremors can tweak your GPS coordinates.
The ex Austrian security officer who spied on me for Jan Marsalek and the FSB has finally been arrested. Turns out he sold to the FSB the content of 3 phones of top Austrian government officials, stolen during a repair from water damage. https://t.co/f5Dyp17qoc
— Christo Grozev (@christogrozev) March 29, 2024
What I dislike about AI-powered coding assistance is that I have to very carefully review the new code to be sure that it does the right thing. And I, personally, find code review difficult relative to writing new code (to an equivalent standard of quality)
— qntm (@qntm) March 29, 2024
Basically, AI assistance replaces coding with code review
— qntm (@qntm) March 29, 2024
And I love coding! And I don't like code review! It's harder
In the same way, self-driving cars replace the experience of driving with the experience of being a driving instructor
— qntm (@qntm) March 29, 2024
Also a huge story
"Czech media, citing intelligence sources, reported that politicians from Germany, France, Poland, Belgium, the Netherlands and Hungary were paid by Voice of Europe in order to influence upcoming elections". https://t.co/nYqimPCzcz
— Dr. Dan Lomas (@Sandbagger_01) March 29, 2024
Here's a video of an unusual behavior I captured on my device Thursday last week. Note the number of "Signal Connection" (=verified) contacts I have never seen before, along with two VoIP call attempts. pic.twitter.com/zRwc5snUIn
— Adam Donenfeld (@doadam) March 29, 2024