Show newer
Sven Slootweg

@hierarchon @iliana Oh yeah, I don't doubt that there are edgecases where this *would* have helped. There are some of those for most things.

What bothers me more is the outsized importance that people tend to place on it - for a while, everybody and their dog was talking loudly about how post-install scripts should be disallowed, as if that will solve all the dependency security issues overnight...

0
Sven Slootweg

@noplasticshower @swelljoe (I get paid for auditing open-source dependencies, actually)

1
Sven Slootweg

@hierarchon @iliana Thought in a similar vein: it makes no sense to get all suspicious about post-install scripts in a package manager; the purpose of the package manager is literally *to install software. That will run on the system.*

The malicious code could be anywhere, whether you allow post-install scripts or not really isn't going to matter...

1
Sven Slootweg boosted
iliana

most of my personal reactions to the xz thing today have been "this is almost the perfect crime and it's incredible it was caught this early"

0
Sven Slootweg boosted
Cassandra Granade 🏳️‍⚧️

I feel like this is another very painful reminder of the difference between the commons and a supply chain.

Show thread
1
Sven Slootweg

@mcfly (Which can be a real cost; some developers are going to insist on dubious programming practices, and that means simply not being able to use or distribute their work.)

1
Sven Slootweg

@mcfly $customer auditing involves everything that is part of the release, so also test files - an eval on anything related to a binary file would definitely be considered something that warrants suspicion and probably rejection.

Like, it's just a general rule of "if it's in the release, it must be explainable and possible to reason about". Google dependencies frequently get rejected because they do not meet this standard...

I think that that one rule alone - "anything that cannot be explained, cannot be accepted" - would prevent most attempts at backdoors, to be honest. At the cost of not tolerating needlessly bad code.

1
Sven Slootweg

@mcfly I was thinking through whether this code would have made it through the dependency auditing process at $customer, and my conclusion was "no, it would not" - they have a policy that code that we cannot understand will never be approved, and this is basically why that policy exists...

1
Sven Slootweg boosted
JP

The fun* part will be figuring out how to prove other stuff hasn't been backdoored. While fighting the cops and spooks who want to be able to backdoor things without us noticing.

0
Sven Slootweg boosted
JP

Not the specific library, but the idea that compromising underpaid and burnt out open source maintainers is easier and cheaper than hacking a server.

0
Sven Slootweg boosted
often frowned upon

Why is there always exactly one lemon in a bag that suddenly decides to become a biohazard.

1
Sven Slootweg boosted
*
Evan B🥥ehs

boehs.org/node/everything-i-kn

I have begun a post explaining this situation in a more detailed writeup. This is updating in realtime, and there is a lot still missing.

#security #xz #linux

Show thread
0
Sven Slootweg boosted
Joe Cooper 🇺🇦 🍉

Does everyone understand how much luck was involved in this exploit in #xz being discovered so quickly? And, what it tells us about the attacker?

This was a subtle and sophisticated attack implemented over _years_. The attacker was made a co-maintainer two years ago, and they made numerous innocuous-looking and seemingly unrelated changes over that time, sometimes through a second account, that eventually added up to a backdoor. Along with many innocent commits, too. #Linux

1
Sven Slootweg boosted
scy

I'm not saying that it looks like someone has specifically targeted xz and played the long game by helping out a maintainer that was overworked and suffered from mental health issues

but it does look like someone has specifically targeted xz and played the long game by helping out a maintainer that was overworked and suffered from mental health issues

mastodon.social/@glyph/1121809

1
Sven Slootweg

*ponders about how anti-virus software tends to all use the same FOSS archival libraries to quietly and automatically extract untrusted archives for scanning*

1+
Sven Slootweg boosted
Eloy. 🔜 BornHack
1+
Sven Slootweg

@technomancy @alilly My understanding is that the release tarball was easier to work with in some way because it needed less dependencies or something.

The details are unclear to me but I guess the release tarball came with some stuff pre-generated? (Which, uh, yeah)

0
Sven Slootweg boosted
Matthew Garrett

Just finished writing my lengthy paper on how "Many eyes make all bugs shallow", time to check what's happening on the internet today

0
Sven Slootweg boosted
q3k :blobcatcoffee:

Yeah, whoever wrote that liblzma backdoor knew what they were doing. This isn't amateur work.

0
Sven Slootweg

More thoughts on : it seems that the bootstrap code for the backdoor was hiding in difficult-to-understand code. I hope this prompts people to start taking code readability seriously as a security factor.

It's much harder to hide malicious code in code that's easy to understand.

1+
Show older
Pixietown

Small server part of the pixie.town infrastructure. Registration is closed.

Resources

Developers

What is Mastodon?

pixie.town

  • About
  • v3.5.19patch-2024-07-04

More…

v3.5.19patch-2024-07-04 · Privacy policy