March 31, 2024
Backdoor in upstream xz/liblzma leading to ssh server compromise https://t.co/29Vfiz0n1T
— Open Source Security mailing list (@oss_security) March 29, 2024
fun story: the only time I’ve ever been caught doing a pen test on a mainframe, was by an operations person who was tasked with watching the system performance. They saw that my job was taking an unusual amount of CPU for the time of day and class of job. so they called me …
— Smalls (@bigendiansmalls) March 30, 2024
😭😭😭 which one of you nerds did this pic.twitter.com/XmoPTQ6eEW
— vx-underground (@vxunderground) March 30, 2024
France's national railway company pulled out of bidding for the high-speed rail contract in California in 2011.
They said the state was awful to work in and they preferred to work somewhere less dysfunctional.
So they went to North Africa. https://t.co/96rZyEYVXI pic.twitter.com/DPRahjKPsX
— Crémieux (@cremieuxrecueil) March 31, 2024
YOU CANNOT BUILD EVEN ONE SINGLE MILE OF HIGH-SPEED RAIL https://t.co/CTfu79hPDn pic.twitter.com/mI2irlHOwr
— Noah Smith 🐇🇺🇸🇺🇦 (@Noahpinion) March 30, 2024
Let's just acknowledge something, alright.
Respectfully:
As long as they have safe haven, we can't actually stop ransomware actors inside Russia.
We can impede them. Harass them. But not stop them.
And we have no effective leverage to stop Putin from giving them safe haven.
— Brian in Pittsburgh (@arekfurt) March 29, 2024
🤔🤥
The analysis Andres Freund did was without reading the source code, observing the system using tools like perf and gdb that do not require source code.
🗨️From his email:
"most of what I observed is purely from observation." https://t.co/ENPi42xjRR https://t.co/V0YSe6TCkU
— Juliano Rizzo (@julianor) March 31, 2024
2/ Open source worked the way it's supposed to. Some hacker noticed something that made him curious, poked at it because hackers are like that, and because the code was open and available for inspection, diagnosed the problem before any serious harm was done.
— Eric S. Raymond (@esrtweet) March 30, 2024
ESR is wrong.
RC4 recognizer here. The AWK portion of the #xz #backdoor decoding script is implementing a modified RC4 algorithm.
- No key, the RC4 state is initialized directly
- "Drop" RC4, discarding 4096 bytes of keystream
- The keystream is applied with an ADD rather than XOR pic.twitter.com/6bYhz5THLQ
— nugxperience (@nugxperience) March 30, 2024
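
The three deviations listed in the tweet above, as an added Python example for analysts (not code from the tweet or from the xz script). The initial state `SAMPLE_STATE` and the sample payload are constructed placeholders, since the page does not give the real values.

```python
"""Added example: RC4 variant as described in the tweet (preset state, drop, ADD)."""

# Constructed sample permutation, NOT the state used by the real script
# (the page does not give it). Any permutation of 0..255 works here.
SAMPLE_STATE = [(i * 13 + 1) % 256 for i in range(256)]


def keystream(state, drop):
    """Standard RC4 output loop over a preset state, discarding `drop` bytes."""
    s = list(state)
    if sorted(s) != list(range(256)):
        raise ValueError("state must be a permutation of 0..255")
    i = j = n = 0
    while True:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        n += 1
        if n > drop:  # the first `drop` bytes are generated but never used
            yield s[(s[i] + s[j]) % 256]


def decode_add(data, state=SAMPLE_STATE, drop=4096):
    """Decode as the tweet describes: byte + keystream byte, modulo 256."""
    return bytes((b + k) % 256 for b, k in zip(data, keystream(state, drop)))


def encode_sub(data, state=SAMPLE_STATE, drop=4096):
    """Inverse of decode_add; needed because ADD, unlike XOR, is not its own inverse."""
    return bytes((b - k) % 256 for b, k in zip(data, keystream(state, drop)))


def decode_xor(data, state=SAMPLE_STATE, drop=4096):
    """Textbook RC4 combine step, for comparison."""
    return bytes(b ^ k for b, k in zip(data, keystream(state, drop)))


if __name__ == "__main__":
    plain = b"constructed sample payload\n"  # constructed test input
    blob = encode_sub(plain)
    print("ADD decode:", decode_add(blob))
    print("XOR decode:", decode_xor(blob))  # garbage: wrong combine step
    print("ADD, no drop:", decode_add(blob, drop=0))  # garbage: wrong offset
```

A stock RC4 routine that runs key scheduling and XORs the keystream will not decode data produced this way, so a decoder has to match the preset state, the drop count and the ADD step together.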
"If I Did It" -- a book by Jia Tan
— lcamtuf (@lcamtuf@infosec.exchange) (@lcamtuf) March 31, 2024
Rough copy of the FORCEDENTRY code is now available. Most relevant code is here: https://t.co/I9qvKimcax
Blog soon!
— jeff (@jeffssh) March 30, 2024