• Re: NextGov: Linux XZ Utils Backdoor Was Long Con, Possibly With Suppor

    From Nate Bargmann@21:1/5 to Cindy Sue Causey on Sat Apr 6 09:50:02 2024
    * On 2024 05 Apr 11:28 -0500, Cindy Sue Causey wrote:
    > Hi, All..
    >
    > This just hit my emails seconds ago. It's the most info that I've
    > personally read about the XZ backdoor exploit. I've been following
    > NextGov as a friendly, plain language resource about government:
    >
    > Linux backdoor was a long con, possibly with nation-state support, experts say;
    > By David DiMolfetta; 2024.04.05 12:59pm EDT

    To be honest, I think better coverage has been done by the F/OSS
    community. The gist I got from this article was government types
    speculating that only other government types could possibly be involved,
    though there is an allowance for uncertainty.

    The article mentions the times that "Jia Tan" apparently made commits
    as being consistent with business hours in China or Europe. Possibly,
    but if someone were ever to scrutinize my timelines they would probably
    find it consistent with bouts of insomnia!

    > Continues to sound like one single perp is destroying the TRUST factor
    > that an untold number of future programmers must meet. That's heartbreaking.

    The damage to trust is the biggest part of this story, IMO. A lot of
    discussion is centering around tools and performing double checks before
    a distribution accepts an updated or new package which are all probably
    good steps and which point to the loss of trust. "Jia Tan" was able to
    work with Lasse Collin on the XZ project to the point of gaining commit
    privileges and becoming a co-maintainer. This is nothing new and
    projects have been handed off to new maintainers in a more-or-less
    similar fashion over the decades. That in itself would have never
    raised an eyebrow.

    Committing binary files into a compression utility repository ostensibly
    for testing the utility and its library wasn't suspicious on the
    surface, but now the knowledge that compromising code was being linked
    into the library from them will make every binary file suspicious.
    Certainly, their use is going to be checked and double-checked. All of
    this reflects the loss of trust.

    For all of the other qualities why we have chosen Free Software, the
    trust we have placed in Debian and its upstream projects has been
    the underlying glue that has held this all together. How this
    is addressed going forward will be interesting. Will upstream project
    maintainers be required to have GPG keys signed like Debian requires of
    its developers? Will contributors be subject to the same? Over the
    years projects have received contributions from persons who wished to
    remain more or less anonymous. Will this change? Will such
    contributions become subject to even greater scrutiny by project
    maintainers? I suspect that at a minimum if a maintainer doesn't
    clearly understand a patch then it won't get applied, but if the
    maintainer is clever enough to work in a non-obvious patch that is
    malicious, all bets are off.

    It's a mess.

    - Nate

    --
    "The optimist proclaims that we live in the best of all
    possible worlds. The pessimist fears this is true."
    Web: https://www.n0nb.us
    Projects: https://github.com/N0NB
    GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
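Nate's point that checked-in binary test files will now be "checked and double-checked" can be made routine. The following is an added example, not code from the thread or from the XZ project: a small Python scanner that inventories the opaque files in a source tree (by format magic number, NUL bytes and non-text byte ratio) so a reviewer knows exactly which blobs need a stated purpose before a release is accepted. The sample tree, its file names and contents are constructed in a temporary directory.

```python
"""Inventory the opaque (binary) files in a source tree so a reviewer knows
which blobs need to be accounted for before a release is accepted.

Added example, not part of the mailing-list thread. The sample tree is
constructed in a temporary directory; the heuristics are generic ones
(format magic numbers, NUL bytes, non-text byte ratio).
"""
import tempfile
from pathlib import Path

# Magic numbers of common compressed, archive and executable formats.
MAGIC = {
    b"\xfd7zXZ\x00": "xz",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}

# Bytes accepted as plain text: printable ASCII plus common whitespace/escape.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D, 0x0C, 0x1B}


def classify(data: bytes) -> str:
    """Return 'empty', 'text', 'binary', or a format name for a blob of bytes."""
    if not data:
        return "empty"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    sample = data[:8192]
    if 0 in sample:
        return "binary"  # NUL bytes essentially never occur in source text
    nontext = sum(1 for b in sample if b not in TEXT_BYTES)
    if nontext / len(sample) > 0.30:
        # Could still be UTF-8 prose; only call it binary if decoding fails
        # somewhere other than a multibyte sequence cut off by the sample limit.
        try:
            sample.decode("utf-8")
        except UnicodeDecodeError as err:
            if err.start < len(sample) - 3:
                return "binary"
    return "text"


def scan_tree(root: Path) -> dict[str, str]:
    """Map every file under root (skipping .git) to its classification."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_dir() or ".git" in path.parts:
            continue
        report[path.relative_to(root).as_posix()] = classify(path.read_bytes())
    return report


def opaque_files(report: dict[str, str]) -> list[str]:
    """The files a reviewer cannot read as text and must justify one by one."""
    return sorted(p for p, kind in report.items() if kind not in ("text", "empty"))


def build_sample_tree(root: Path) -> None:
    """Constructed sample: two readable sources and two opaque test fixtures."""
    (root / "src").mkdir()
    (root / "tests" / "files").mkdir(parents=True)
    (root / "src" / "decode.c").write_text("int decode(void) { return 0; }\n")
    (root / "README").write_text("Compression library test corpus\n")
    # xz magic plus filler: stands in for a checked-in compressed fixture
    (root / "tests" / "files" / "fixture-a.xz").write_bytes(b"\xfd7zXZ\x00" + b"\x00" * 64)
    # no recognised magic but full of NUL bytes: a generic binary blob
    (root / "tests" / "files" / "fixture-b.bin").write_bytes(bytes(range(256)) * 4)


def demo() -> list[str]:
    """Build the sample tree and return the files that would need review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return opaque_files(scan_tree(root))


if __name__ == "__main__":
    for name in demo():
        print("needs review:", name)
```

Run against a real checkout by calling `opaque_files(scan_tree(Path("path/to/repo")))`; the output is the list of files whose purpose a release reviewer should be able to state, and a diff of that list between two tags shows newly added blobs.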
  • From [email protected]@21:1/5 to [email protected] on Sat Apr 6 09:51:10 2024
    On Fri, Apr 05, 2024 at 08:38:36PM +0200, [email protected] wrote:

    > [...]
    >
    > No, on the contrary. First of all, it is great that it has been
    > caught /before/ it could cause much harm [...]

    ...and of course kudos and thanks to Andres Freund who spotted
    the thing!

    Cheers
    --
    t

  • From [email protected]@21:1/5 to Cindy Sue Causey on Sat Apr 6 09:51:54 2024
    On Fri, Apr 05, 2024 at 12:27:03PM -0400, Cindy Sue Causey wrote:
    > Hi, All..
    >
    > This just hit my emails seconds ago. It's the most info that I've
    > personally read about the XZ backdoor exploit. I've been following
    > NextGov as a friendly, plain language resource about government:
    >
    > Linux backdoor was a long con, possibly with nation-state support, experts say;
    > By David DiMolfetta; 2024.04.05 12:59pm EDT
    >
    > https://www.nextgov.com/cybersecurity/2024/04/linux-backdoor-was-long-con-possibly-nation-state-support-experts-say/395511/
    >
    > Continues to sound like one single perp is destroying the TRUST factor
    > that an untold number of future programmers must meet. That's heartbreaking.

    No, on the contrary. First of all, it is great that it has been
    caught /before/ it could cause much harm -- I think this is a
    testament to the free software community. Second, this is one
    pretty standard instance of a supply chain attack (albeit a pretty
    spectacular one), of which there have been quite a few during the
    last decennium. Another spectacular one was event-stream [0],
    from 2018, or the Solarwinds [1] things (interestingly, proprietary
    software tends to fare significantly worse than our beloved
    free software).

    There is a growing corpus of academic work dedicated to it. This
    nice overview [2] goes over 174 cases (and is already 4 years old).

    So hardly new. What's special about this case is that the contributor
    had been working for the project for two years, thus earning trust
    with the community -- the most widespread notion seems to be that
    they had been planning the thing all along. I see at least another
    possible interpretation, that they started as a genuine contributor
    and went bad, be it by bribing, coercion, or even replacement. Secret
    services and hackers (where's the difference, anyway?) are like
    that. Opportunists.

    Reminds us that trust is, at the root, a human thing, and thus sometimes
    fragile. As in Real Life, we need ways to recover.

    Cheers

    [0] https://lwn.net/Articles/773121/
    [1] https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks
    [2] https://arxiv.org/abs/2005.09535

    --
    t

  • From James H. H. Lampert@21:1/5 to All on Sat Apr 6 09:52:03 2024
    I will note that open source software has, by definition, a lot more
    eyes looking at the source. Which is probably why (as Tomas said)
    "proprietary software tends to fare significantly worse."

    --
    JHHL

  • From [email protected]@21:1/5 to Cindy Sue Causey on Sat Apr 6 09:52:20 2024
    Cindy Sue Causey <[email protected]> wrote:

    > Continues to sound like one single perp is destroying the TRUST
    > factor that an untold number of future programmers must meet. That's
    > heartbreaking.

    It has never sounded like a single perp to me. 'Jia Tan' is an obvious
    sock puppet as are the other names who pushed Lasse to accept him. The
    whole timescale and effort involved smacks of a team of hackers. JMHO.

  • From Thomas Schmitt@21:1/5 to Nicholas Geovanis on Sat Apr 6 15:20:01 2024
    Hi,

    Nicholas Geovanis wrote:
    > But what if next time the back-doored software _does_ build without error?

    The initial build problems did not cause suspicion.
    It was the CPU load of sshd and an obscure complaint by valgrind which
    caused the discovery.
    https://boehs.org/node/everything-i-know-about-the-xz-backdoor
    quotes the discoverer Andres Freund:
    "I was doing some micro-benchmarking at the time, needed to quiesce
    the system to reduce noise. Saw sshd processes were using a surprising
    amount of CPU, despite immediately failing because of wrong usernames
    etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
    unable to attribute it to a symbol. Got suspicious. Recalled that I had
    seen an odd valgrind complaint in automated testing of postgres, a few
    weeks earlier, after package updates.
    Really required a lot of coincidences."


    gene heskett wrote:
    > In light of that it's worth noting that an M$ employee was the first to
    > spot it.

    Indeed.
    Thus we should also praise the peace between Microsoft and free software
    which broke out a few years ago.


    There remains the question, whom a good citizen should contact when
    spotting something that could be a backdoor (or a subtenant?) of
    Debian's content or infrastructure.

    It seems unwise for a non-expert to do this in public, unless one wants
    to accuse the innocent or to warn the hoodlums.


    Have a nice day :)

    Thomas

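The discovery path Thomas quotes (sshd burning CPU, with the time attributed to liblzma) points at a defensive check a distribution or site admin can run routinely: inventory which shared libraries each daemon actually has mapped and compare against what you expect. The block below is an added example, not code from the thread; it parses the `/proc/<pid>/maps` format, and the two listings and the allowlist in it are constructed and illustrative. A hit is a prompt to look closer, not proof of compromise: on some distributions sshd legitimately maps liblzma through libsystemd.

```python
"""Inventory the shared libraries mapped into running daemons, in the
/proc/<pid>/maps format, and flag any outside a per-process allowlist.

Added example, not from the thread. The maps listings below are constructed
and the allowlist is illustrative. A finding is a reason to profile and
inspect, as Andres Freund did; it is not by itself evidence of compromise.
"""
import re
from pathlib import Path

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>\S.*)?$"
)


def mapped_libraries(maps_text: str) -> set[str]:
    """Return the shared objects in a maps listing, reduced to their base name
    (liblzma.so.5 -> liblzma) so version suffixes do not defeat the allowlist."""
    libs = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m or not m.group("path"):
            continue
        path = m.group("path").strip()
        if path.startswith("["):  # [heap], [stack], [vdso] and friends
            continue
        name = path.rsplit("/", 1)[-1]
        if ".so" in name:
            libs.add(name.split(".so", 1)[0])
    return libs


def unexpected_libraries(process_maps: dict[str, str],
                         allowlist: dict[str, set[str]]) -> dict[str, set[str]]:
    """For each process, the mapped libraries its allowlist does not mention.
    Keys may carry a pid suffix like 'sshd[1234]'; the allowlist is keyed by name."""
    findings = {}
    for proc, text in process_maps.items():
        name = proc.split("[", 1)[0]
        extra = mapped_libraries(text) - allowlist.get(name, set())
        if extra:
            findings[proc] = extra
    return findings


def live_process_maps(name: str) -> dict[str, str]:
    """Collect /proc/<pid>/maps for every process whose comm equals name
    (Linux only; reading another user's process needs root). {} elsewhere."""
    result = {}
    for proc in Path("/proc").glob("[0-9]*"):
        try:
            if (proc / "comm").read_text().strip() == name:
                result[f"{name}[{proc.name}]"] = (proc / "maps").read_text()
        except OSError:
            continue
    return result


# Constructed sample listings: an sshd that has pulled in liblzma, and an xz
# process for which liblzma is of course expected.
SAMPLE_MAPS = {
    "sshd": (
        "55d0c0a00000-55d0c0a80000 r-xp 00000000 fd:01 1234567  /usr/sbin/sshd\n"
        "7f3a10000000-7f3a10200000 r-xp 00000000 fd:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f3a10400000-7f3a10420000 r-xp 00000000 fd:01 3456789  /usr/lib/x86_64-linux-gnu/libcrypto.so.3\n"
        "7f3a10600000-7f3a10630000 r-xp 00000000 fd:01 4567890  /usr/lib/x86_64-linux-gnu/liblzma.so.5\n"
        "7f3a10800000-7f3a10801000 rw-p 00000000 00:00 0\n"
        "7ffd2c000000-7ffd2c021000 rw-p 00000000 00:00 0        [stack]\n"
    ),
    "xz": (
        "5600a0000000-5600a0020000 r-xp 00000000 fd:01 5678901  /usr/bin/xz\n"
        "7f0000000000-7f0000200000 r-xp 00000000 fd:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
        "7f0000400000-7f0000430000 r-xp 00000000 fd:01 4567890  /usr/lib/x86_64-linux-gnu/liblzma.so.5\n"
    ),
}

# Illustrative allowlist of what each daemon is expected to map on this host.
ALLOWLIST = {
    "sshd": {"libc", "libcrypto", "libcrypt", "libz", "libpam", "libselinux"},
    "xz": {"libc", "liblzma"},
}


def audit_sample() -> dict[str, set[str]]:
    """Run the check over the constructed listings."""
    return unexpected_libraries(SAMPLE_MAPS, ALLOWLIST)


if __name__ == "__main__":
    for proc, libs in audit_sample().items():
        print(f"{proc}: unexpected libraries {sorted(libs)}")
    # Live check (Linux, usually as root): inspect the real sshd processes.
    # print(unexpected_libraries(live_process_maps("sshd"), ALLOWLIST))
```

The allowlist is the part that has to be built per host, by recording what a freshly installed daemon maps and reviewing the list once; after that, the check answers the question the thread raises (what if the next build succeeds silently?) with something other than luck, because a new library appearing in a long-running daemon shows up regardless of how it got there.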
  • From gene heskett@21:1/5 to Thomas Schmitt on Sat Apr 6 16:10:01 2024
    On 4/6/24 09:15, Thomas Schmitt wrote:
    > Hi,
    >
    > Nicholas Geovanis wrote:
    >> But what if next time the back-doored software _does_ build without error?
    >
    > The initial build problems did not cause suspicion.
    > It was the CPU load of sshd and an obscure complaint by valgrind which
    > caused the discovery.
    > https://boehs.org/node/everything-i-know-about-the-xz-backdoor
    > quotes the discoverer Andres Freund:
    > "I was doing some micro-benchmarking at the time, needed to quiesce
    > the system to reduce noise. Saw sshd processes were using a surprising
    > amount of CPU, despite immediately failing because of wrong usernames
    > etc. Profiled sshd, showing lots of cpu time in liblzma, with perf
    > unable to attribute it to a symbol. Got suspicious. Recalled that I had
    > seen an odd valgrind complaint in automated testing of postgres, a few
    > weeks earlier, after package updates.
    > Really required a lot of coincidences."
    >
    >
    > gene heskett wrote:
    >> In light of that it's worth noting that an M$ employee was the first to
    >> spot it.
    >
    > Indeed.
    > Thus we should also praise the peace between Microsoft and free software
    > which broke out a few years ago.
    >
    >
    > There remains the question, whom a good citizen should contact when
    > spotting something that could be a backdoor (or a subtenant?) of
    > Debian's content or infrastructure.
    >
    > It seems unwise for a non-expert to do this in public, unless one wants
    > to accuse the innocent or to warn the hoodlums.

    Which category I am firmly in, in the larger view Thomas, although I do
    run the bleeding edge master of linuxcnc on several of my garage
    machines. My main interests are in the realtime performance of machine
    controllers running lathes and multi-axis mills. That, and doing things
    with odd hardware that most wouldn't even try, like running a 1945
    Sheldon 11x54 lathe with an rpi. Works great. I start the job and walk
    away, while Casper the ghost is turning the cranks, but 2 to 10 times
    faster than the best machinist. And it's doing things it could never do
    before. Keeps me out of the bars. ;o)>

    > Have a nice day :)
    >
    > Thomas

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis
