Programming

22734 readers

101 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 2 years ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

MaungaHikoi@lemmy.nz

UlrikHD@programming.dev

The Hidden Vulnerabilities of Open Source - Revisiting and Contextualizing the designed xz backdoor, multi-year-long effort (fastcode.io)

submitted 1 week ago by Kissaki@programming.dev to c/programming@programming.dev

7 comments fedilink hide all child comments

cross-posted from: https://programming.dev/post/36983916

Freund wasn’t looking for a backdoor when he noticed SSH connections to his Debian testing system taking 500 milliseconds longer than usual. As a database engineer benchmarking PostgreSQL performance, he initially dismissed the anomaly. But the engineer’s curiosity persisted.

The backdoor’s technical sophistication was breathtaking. Hidden across multiple stages, from modified build scripts that only activated under specific conditions to obfuscated binary payloads concealed in test files, the attack hijacked SSH authentication through an intricate chain of library dependencies. When triggered, it would grant the attacker complete remote access to any targeted system, bypassing all authentication and leaving no trace in logs.

The backdoored versions 5.6.0 and 5.6.1 had been released in February and March 2024, infiltrating development versions of Fedora, Debian, openSUSE, and Arch Linux. Ubuntu’s upcoming 24.04 LTS release, which would have deployed to millions of production systems, was mere weeks away.

The technical backdoor was merely the final act of a three-year psychological operation that began not with code, but with studying a vulnerable human being.

you are viewing a single comment's thread
view the rest of the comments

[–] BluescreenOfDeath@lemmy.world 7 points 1 week ago

I feel like this is missing a big point of the article.

The vulnerability that the xz backdoor attempt revealed was the developers. The elephant in the room is that for someone capable of writing and maintaining a program so important to modern technical infrastructure, we're making sure to hang them out to dry. When they burn out because their 'hobby' becomes too emotionally draining (either because of a campaign to wear them down intentionally or fully naturally) someone will be waiting to take control. Who can you trust? Here, we see someone attempted (and nearly succeeded) a multi-year effort to establish themselves as a trusted member of the development community who was faking it all along. With the advent of LLMs, it's going to be even harder to tell if someone is trustworthy, or just a long-running LLM deception campaign.

Maybe, we should treat the people we rely on for these tools a little better for how much they contribute to modern tech infrastructure?

And I'll point out that's less aimed at the individuals who use tech, and more at the multi-billion-dollar multi-national tech companies that make money hand over fist using the work others donate.