[conspire] xz exploit and backdoor
Ron / BCLUG
admin at bclug.ca
Thu Apr 4 11:40:53 PDT 2024
Rick Moen wrote on 2024-04-03 22:50:
> An extremely devious team (unknown) started work several years ago on
> a
It cannot be overstated how devious this hack was!
> scheme to security-subvert essentially all public-facing Linux
> servers,
It cannot be overstated how devastating this hack would have been.
Think this hack == HeartBleed * SolarWinds + $x.
> The scheme got blown up by a Microsoft database engineer, puzzled
> about why his PostgreSQL sessions over SSH transport were consuming
> too many CPU cycles, generating unexpected memory-metrics errors, and
> slowing down logins.
It cannot be overstated how lucky we all are that Andres just happened
to be testing at the right time, noticed delays of *under* ½ second on
failed logins, and despite it being outside his area of expertise,
decided to look into it further.
Probably 99% of people would've noticed, thought "weird, I hope Debian
fixes whatever this is", and carried on.
> and we-all need to have a long discussion about software complexity,
> excessive dependencies, how to deal with insider threats, and
> developer burnout.
We'll have the discussion, then carry on as we are currently.
The (obligatory) famous XKCD comic on the topic:
https://www.explainxkcd.com/wiki/index.php/2347:_Dependency
states the comic was from August 2020?!? It feels like that's been
around for a decade+ already. I'm shocked.
This was probably covered in some of Rick's links, but I find the
investigation as interesting as the hack, so I'll mention this part:
There's been some interesting analysis of the timestamps of Jia Tan's git
commits showing odd patterns.
Jia claims to be from California (GMT -8) but timestamps tended to be
GMT +8 - same as Singapore.
Many commits were GMT +2 or +3 (DST dependent), pointing to Eastern Europe.
At least one pair of commits was a couple hours apart in real time, but
showed a GMT +8 and a GMT +2 (or 3) timestamp, indicating a team behind
the hack, as it takes more than "a couple hours" to travel between those
time zones.
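As an added example (not part of Ron's message, and not the tooling the xz investigators used), here is a small Python script that performs the kind of timestamp check described above. It reads the output format of `git log --format='%h %ai'` and runs over constructed sample commits with fake hashes and dates, not the real xz history.

```python
"""Look for UTC-offset inconsistencies in git author timestamps.

Git records the offset the author's machine reported, so it can be compared
with where the author claims to live, and across commits made close together.
"""
from collections import Counter
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample in `git log --format='%h %ai'` form (fake hashes, fake dates).
SAMPLE_LOG = """\
aaaa001 2023-06-27 20:05:14 +0800
aaaa002 2023-06-27 15:37:01 +0300
aaaa003 2023-06-28 21:11:40 +0800
aaaa004 2022-11-14 13:02:55 +0200
"""

def parse_log(text):
    """Return [(short_hash, aware datetime)], keeping each commit's own UTC offset."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            short_hash, date_part = line.split(" ", 1)
            commits.append((short_hash, datetime.strptime(date_part, "%Y-%m-%d %H:%M:%S %z")))
    return commits

def offset_label(dt):
    """Render an aware datetime's offset as '+08:00' / '-07:00'."""
    minutes = int(dt.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    minutes = abs(minutes)
    return f"{sign}{minutes // 60:02d}:{minutes % 60:02d}"

def offset_histogram(commits):
    """How often each offset appears; compare with the author's claimed location."""
    return Counter(offset_label(dt) for _, dt in commits)

def outside_claimed_zone(commits, claimed="-08:00"):
    """Commits whose recorded offset differs from the zone the author claims to be in."""
    return [h for h, dt in commits if offset_label(dt) != claimed]

def fast_timezone_hops(commits, max_gap_hours=6):
    """Pairs with different offsets but made within max_gap_hours of each other in
    real (UTC) time. One person cannot travel between zones that fast, so such
    pairs point to several machines, several people, or a deliberately set clock."""
    hops = []
    for (h1, d1), (h2, d2) in combinations(commits, 2):
        gap = abs(d1 - d2)  # aware datetimes subtract in UTC, offsets already applied
        if offset_label(d1) != offset_label(d2) and gap <= timedelta(hours=max_gap_hours):
            hops.append((h1, h2, round(gap.total_seconds() / 3600, 2)))
    return hops
```

Run it against real output of `git log --format='%h %ai'` to get the histogram and the list of close-in-time, different-offset commit pairs; a single hit proves nothing on its own, since offsets also change with travel, VMs and deliberately configured clocks.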