[conspire] xz exploit and backdoor

Ron / BCLUG admin at bclug.ca
Thu Apr 4 22:04:52 PDT 2024


Rick Moen wrote on 2024-04-04 21:40:

> Andres has given an appearance on a security podcast, BTW. 
> https://risky.biz/RB743/   He's hilariously on-type.

I'm definitely going to listen to that, thanks.



> Getting back to distro software choice and packaging:  The "every 
> possible use-case must be supported out of the box" syndrome is 
> dispiritingly ubiquitous.

This thinking has me (re-)considering the way NodeJS works - every bit
of functionality is a separate module, and only those listed as
dependencies are included.

(And, dependencies of dependencies, ad nauseam.)


I can see the advantages (no unused codebases) when it comes to building 
& deploying software, but there is a flip-side.

Not all those modules are authored or curated to the same degree.


Now there can be an enormous list of modules that one depends on, and if
just one gets compromised...


(As an aside, I've never - in a decade and a half of full time Linux
usage - experienced dependency hell like with NodeJS. Probably because I
don't really know what I'm doing with it, but still...)







> But Portable OpenSSH isn't the only choice, either.

Ya got me wondering - after the ¿HeartBleed? ssh vulnerability a while
back, there was talk of moving to something like LibreSSH from OpenBSD
due to the convoluted codebase of OpenSSH.

That hasn't happened, that I'm aware of.

Anyone know what happened - a major code refactor? A re-badging of
LibreSSH?  A collective amnesia allowing us to continue on without
awaking in the middle of the night, screaming in a cold sweat?


> There are respected SSHDs that are _much_  smaller/lighter with a
> smaller attack surface, like Dropbear and wolfSSH.  "But they're less
> well known!" Do I care? Hell no.

I'm rather hesitant to install what I often call "boutique" software - 
something created, often from a fork of a larger project, to scratch 
some itch.

Always wary whether the maintainers can keep up with the security issues in a 
timely manner.



> Anyway, it seems to me that substantial improvement can be made on a
> local system through active system administration, picking wiser 
> choices of software packages, paring down configurations, and in
> some cases compiling locally to reduce runtime dependencies.
> 
> All of which is only a _little_  helpful against insider threats such 
> as "Jia Tan", whoever that was.  But OTOH shying away from big dumb 
> software and featuritis can help defang even the Jia Tans.

Good points.


rb
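As an added illustration of the "dependencies of dependencies" point in the NodeJS discussion above (this is example code written for this page, not anything from the original post or from npm itself): the script below walks a package-lock.json in the lockfileVersion 3 layout, separates direct from transitive dependencies, records the chain through which each transitive package is pulled in, and flags any package that npm marks with `hasInstallScript` (the flag npm sets when a package declares preinstall/install/postinstall hooks, which is the point at which a compromised module gets to run code on the machine doing the install). The lockfile and all package names are constructed for the example; nested `node_modules` paths are resolved the way Node looks them up, nearest copy first, walking up to the root.

```javascript
'use strict';

// Constructed package-lock.json v3 content ("packages" keyed by install path).
// Every package name here is made up for this example.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'acme-server': '^1.0.0', 'acme-padder': '^2.0.0' } },
    'node_modules/acme-server': { version: '1.0.0', dependencies: { 'acme-parser': '^3.0.0', 'acme-cookie': '^1.0.0' } },
    // Nested copy: acme-server needs a different acme-cookie than the rest of the tree.
    'node_modules/acme-server/node_modules/acme-cookie': { version: '1.1.0' },
    'node_modules/acme-parser': { version: '3.0.0', dependencies: { 'acme-bytes': '^1.0.0' } },
    // Three levels down from the app, and it runs a lifecycle script at install time.
    'node_modules/acme-bytes': { version: '1.0.0', dependencies: { 'acme-cookie': '^0.9.0' }, hasInstallScript: true },
    'node_modules/acme-cookie': { version: '0.9.0' },
    'node_modules/acme-padder': { version: '2.0.0' },
  },
};

// Resolve dependency `name` as required by the package installed at `fromPath`:
// try <fromPath>/node_modules/<name>, then each ancestor, then the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Package name without its install-path prefix, plus the locked version.
function label(path, entry) {
  const marker = 'node_modules/';
  return `${path.slice(path.lastIndexOf(marker) + marker.length)}@${entry.version}`;
}

// Breadth-first walk from the root manifest. For each reachable install path we
// keep the first (shortest) chain of package names that leads to it.
function analyzeLockfile(lock) {
  const packages = lock.packages;
  const chains = new Map(); // installPath -> ['acme-server', 'acme-parser', ...]
  const queue = [];
  const visit = (fromPath, depName, prefix) => {
    const p = resolveDep(packages, fromPath, depName);
    if (p && !chains.has(p)) {
      chains.set(p, [...prefix, depName]);
      queue.push(p);
    }
  };
  for (const dep of Object.keys(packages[''].dependencies || {})) visit('', dep, []);
  while (queue.length) {
    const path = queue.shift();
    for (const dep of Object.keys(packages[path].dependencies || {})) visit(path, dep, chains.get(path));
  }

  const direct = [], transitive = [], installScripts = [];
  for (const [path, chain] of chains) {
    const entry = packages[path];
    (chain.length === 1 ? direct : transitive).push(label(path, entry));
    if (entry.hasInstallScript) installScripts.push({ package: label(path, entry), via: chain.join(' > ') });
  }
  return { direct, transitive, installScripts };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = analyzeLockfile(SAMPLE_LOCK);
  console.log(`direct: ${report.direct.length}, transitive: ${report.transitive.length}`);
  for (const hit of report.installScripts) console.log(`install script: ${hit.package} via ${hit.via}`);
}
```

On the constructed lockfile, two direct dependencies bring in four transitive ones (two of them different versions of the same package), and the only package with an install hook sits three levels below anything the application author chose. Run against a real project, swapping `SAMPLE_LOCK` for `JSON.parse(fs.readFileSync('package-lock.json'))`, the same walk shows how much of the tree never appears in your own package.json.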


