[conspire] xz exploit and backdoor

Ivan Sergio Borgonovo mail at webthatworks.it
Sat Apr 6 04:31:15 PDT 2024


On 4/6/24 2:20 AM, Rick Moen wrote:
> Quoting Ivan Sergio Borgonovo (mail at webthatworks.it):
> 
>> So you agree with me, but you don't want to. You're moving know-how
>> and complexity from one domain to another ;)
> 
> There are always tradeoffs, but the bar to be cleared in _merely_
> reading configuration files and init scripts, and then shutting off
> functionality you don't want and won't use, is a very low one.
> 
> Yes, most Linux users cannot be bothered, because Linux users in the
> main are like all other OS users, people who never even look at the
> default setting, let alone consider changing anything.  But I'm
> referring to the subset who are server sysadmins.
> 
> I don't want to go all greybeard and pull out the "When I was young, we
> walked to school through the snow both ways" routine, but back when I
> started, that was routine.  Beyond that, the standard way to learn what
> you needed running was:  Switch it off in the runtime state, and see if
> you miss it.  If the system goes 'splody, reboot and regroup.

I could go greybeard too about programming... or doing research...
There are more people doing it, it is more specialized, there are more 
things to know...

I vaguely know what a "good sysadmin" is... but it's not my job; 
nevertheless, I pay my bills programming.
Sysadminning (?) now has its own sub-fields, and what was considered 
bleeding-edge knowledge in what once was sysadminning as a whole may be 
considered kindergarten knowledge in some sub-fields.

I agree that some "features" (oh boy... do I know how crazy the 
requests from the marketing guys are?) are bloatware... but a lot of software 
does much more than it did in the past, and for some good reasons.

The Unix philosophy of one tool (binary) doing one job well has its limits 
as well, because a pipe doesn't offer the same flexibility for 
orchestrating IO, memory, and concurrency.
I guess you could find among the sysadmin people someone writing a db by 
gluing together awk and bash scripts... probably they would be the same 
kind of people that would invent INTERCAL or Brainfuck.


> Once one grasps the value of taking charge of software runtime
> configuration, it's not exactly brain surgery, on most distros, to read
> the docs about how to modify a distro source package to change that _one
> darned thing_ that annoys you, compile a local package, and install it.

It is taking way more responsibility than is generally justifiable 
unless you are really used to taking care of those responsibilities.
Now you have to follow CVEs, for example. You have to be sure you'll have time 
to recompile if you have to...

Knowledge, responsibility, changing defaults, time... they pile up.
Even getting an idea of where it is worth investing your time doesn't 
come for free.

> And, in that context, saying one day "I think I want to try NSD instead
> of BIND9" is easy-peasy by comparison.
> 
> You say that's "moving complexity".  OK.  But I call it "actually doing
> the system administration task you came to do".

In fact I didn't ;)

> But please note that nowhere am I urging this onto anyone else.  It's
> none of my business what if any local policy a different sysadmin
> implements -- unless he/she is paying my wages or vice-versa.

Yes... but again you're just managing complexity... you can't simply go 
for... pick the software that has the minimum number of features for 
the job or tailor-compile it. There are management, knowledge, and time 
costs associated with it. 9 times out of 10 you're making your system less 
secure because you're introducing complexity into its management and 
supply chain.
You have to remember what you did, which software was compiled, how, which 
cfg you changed, follow CVEs, plan for unscheduled time when you'll 
have to recompile it, communicate all the changes to the people that may 
depend on some default/feature, consider that now you'll have to manage 
software A and B because A was slightly better at x and B was slightly 
better at y...

It's not just the work you put in at the time you decided to touch 
something, it is the responsibility you take on with it, and many 
times this seems to be discounted and MOST of the time makes things 
worse rather than better.

Let's not forget

https://www.shlomifish.org/humour/by-others/funroll-loops/Gentoo-is-Rice.html

-- 
Ivan Sergio Borgonovo
https://www.webthatworks.it https://www.borgonovo.net