[conspire] xz exploit and backdoor

Rick Moen rick at linuxmafia.com
Fri Apr 5 11:30:01 PDT 2024 

Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):

> On 4/5/24 6:40 AM, Rick Moen wrote:
> 
> >Getting back to distro software choice and packaging:  The "every
> >possible use-case must be supported out of the box" syndrome is
> >dispiritingly ubiquitous.  Some stuff is compiled into a daemon binary
> >even though almost nobody will use it, just because someone might.
> >Why is Apache httpd almost always the default, rather than Lighttpd,
> >nginx, sthttpd, or Hiawatha?  Because its big dumb software that does
> >everything, that everyone's used to.
> >
> >$FIRM ran Apache httpd, but many PCIDSS complaints got finessed by
> >sending them our conffiles where various buggy features were
> >specifically disabled.
> 
> Because you don't get rid of complexity, you just move it somewhere else.

I respectfully disagree.  Sometimes, you can actually strip complexity
from an existing codebase in the field, either by local configuration 
change, or by local reconfiguration/recompile from a source package,
with the aim and result of substantially reducing the attack surface.

_Or_ you can sidestep the excessive attack surface and/or
spaghetti-coding problems of a popular codebase by swapping in a
functional alternative with better prospects, e.g., Unbound/NSD for
BIND9.

Back when Deirdre, Nick, Duncan, and I were all working together at
Linuxcare, Inc. in San Francisco, 1999-ish, a lot of the public-facing
corporate software infrastructure relied on canny choices of... slightly
maverick codebases chosen by a friend of ours (during initial buildout).
For example, the firm used qmail (setting me on an online collision
course with djb and his posse, because I dared to mention in my personal
FAQ why I found it not much to my liking), and also used the small, fast
Web browser "Boa" (now discontinued) for all static content.  These were
both smart choices from the security standpoint, just to reduce attack
surface.

I originally learned the principles of security from... I guess, mostly
having figuratively inhaled Cheswick & Bellovin's first edition of
_Firewalls and Internet Security: Repelling the Wily Hacker_, one of
whose guiding principles is that code that is absent is code that cannot
be attacked.  (Yes, Les Faby, I did hear you say that, too.  Thx.)

By the way, I see they've released the 2nd edition under Creative
Commons BY-NC-ND 4.0 International.  Cool!  High recommendation if one
wants to understand firewalls.  https://www.wilyhacker.com/

Taking that point from Cheswick & Bellovin further, in cementing my
unreasonable opinions ;-> was Marcus J. Ranum's writings, such as this
one:

  Back in 1996, a buddy of mine and I set up a Web server for a
  high-traffic significant target. It was not the Whitehouse; it was a
  porn site.  We invested 8 hours (of our customer's money) writing a
  small Web server daemon that knew how to serve up files, cache them,
  and virtualize filenames behind hashes. It ran chrooted on a version
  of UNIX that was very minimized and had code hacked right into the IP
  stack to toss traffic that was not TCP aimed at port 80.  10 years
  later, it's still working, has never been hacked, and has never been
  patched.

It's a great rant page, something of which Ranum is a master.
http://www.ranum.com/security/computer_security/editorials/master-tzu/index.html
(I fear that Ranum may have retired from his métier as a cranky BSD guy,
which is a loss to the world.)

Lots more inspirational stuff here:
http://www.ranum.com/security/computer_security/


> Side note node.js is the epitome of bad modularization, dependency
> and complexity management.
> https://www.npmjs.com/package/is-true

node.js is also an endless source of hilarious cautionary tales.  Two of
my favourites:

https://boehs.org/node/npm-everything
https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code

More information about the conspire mailing list