Skip to main content

Search

Items tagged with: xz

The #XZ #backdoor provide critical lessons about #opensource #security. 🛡️ Here's a brief rundown of our response at #openSUSE. We're also likely to have some sessions at this year's @opensuse Conference. https://news.opensuse.org/2024/04/12/learn-from-the-xz-backdoor/

What we need to take away from the XZ Backdoor

A lot has been written about the XZ Backdoor in the last few weeks, so it is time to look forward. Before doing so, we share further details about what happe...
openSUSE News
#opensource #security #opensuse #backdoor #xz @openSUSE Linux

Lasse Collin in commit message: “The other maintainer suddenly disappeared.” 😆

#jiatan #xz
https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4

Update maintainer and author info. · tukaani-project/xz@77a294d

GitHub
#xz #jiatan

#xz
#xz

"You have to understand, we’re responsible for taxpayer money here. We can’t just make a donation to your open source project."

— a national government who relies on #Matrix when being asked to support it financially

Read more about the problem and some initiatives that are responding to it:

https://matrix.org/blog/2024/04/open-source-publicly-funded-service/

#FreeSoftware #OpenSource #FOSS #FLOSS #funding #xz #sustainability


Open Source Infrastructure must be a publicly funded service.

Matrix, the open protocol for secure decentralised communications
Matthew Hodgson (matrix.org)
#opensource #FLOSS #matrix #freesoftware #foss #sustainability #funding #xz

Lasse Collin has posted an update on his plans for #xz and clearing up what happened: https://tukaani.org/xz-backdoor/ I hope he’s met with all the support and patience he needs.

XZ Utils backdoor

tukaani.org
#xz

Unpopular opinion: If your hobby is responsible for running the modern world, you deserve to be paid a living wage for running it.

#xz #expat #libexpat

#xz #libexpat #expat

In the light of the #xz backdoor, if you're a #RustLang developer, I recommend you familiarize yourself with cargo vet:

https://mozilla.github.io/cargo-vet/

Auditing your dependencies, or relying on external audits, adds an important layer of protection.

It's not a silver bullet against bad dependencies as there's no such thing. However adding more layers of protection makes attackers' lives harder and this is one of them.

Introduction - Cargo Vet

mozilla.github.io
#rustlang #xz

#XZ #Backdoor: Times, damned times, and scams


However, I believe that he is actually from somewhere in the UTC+02 (winter)/UTC+03 (DST) timezone, which includes Eastern Europe (EET), but also Israel (IST), and some others. Forging time zones would be easy — no need to do any math or delay any commits. He likely just changed his system time to Chinese time every time he committed.


source: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and

#security #software #time #news #hack #linux #timezone


XZ Backdoor: Times, damned times, and scams

Some timezone observations on the recently discovered backdoor hidden in an xz tarball.
Rhea (Rhea's Substack)
#Linux #security #News #software #hack #time #backdoor #xz #timezone

#rustlang #xz #supplychain
#rustlang #supplychain #xz

STORY: The XZ backdoor has rocked the security industry over the last few days. Took a look, with @agreenberg at what we know about the mysterious persona, Jia Tan, behind the attack

Full WIRED story here: https://www.wired.com/story/jia-tan-xz-backdoor/

#xz #opensource #wired #cyber #news


The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
Andy Greenberg (WIRED)
#opensource #News #cyber #xz #wired @Andy Greenberg

#opensource #c #xml #xz #boostswelcome #libexpat #softwaresupplychainsecurity #OpenSourceMaintainer @Tim Bray

I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale.

So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI


OSQI

ongoing by Tim Bray
#xz

Wir sind dieses Wochenende nur durch unglaubliches Glück und extrem knapp an wohl einer der grössten Katastrophen rund um die globale IT-Sicherheit vorbeigeschrammt.

Phuh! Doch — was ist eigentlich passiert? Wie konnte das überhaupt geschehen? Und was können (und müssen) wir tun, um dies zukünftig zu vermeiden?

Und: Danke an die ganzen IT-Helden, die dies an diesem langen Wochenende für uns getan haben.
#xz #lzma #ssh
https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/


xz oder: Wie die Open-Source-Community an Ostern die Welt gerettet hat - Das Netz ist politisch

«Die Feiertage. Die ganzen IT-Abteilungen feiern mit der Familie… Die ganzen IT-Abteilungen? Nein! Eine von unbeugsamen Open-Source-Enthusiasten bevölkerte
Marcel Waldvogel (avongunten)
#ssh #xz #lzma

Wir sind dieses Osterwochenende knapp an der grössten Katastrophe rund um die globale IT-Sicherheit vorbeigeschrammt.

Alles rund um #xz spannend und witzig erklärt von @marcel UND: was ssh+Backdoor+supply chain attack ist.

Nehmt euch Zeit für diesen tollen Text:

https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/


xz oder: Wie die Open-Source-Community an Ostern die Welt gerettet hat - Das Netz ist politisch

«Die Feiertage. Die ganzen IT-Abteilungen feiern mit der Familie… Die ganzen IT-Abteilungen? Nein! Eine von unbeugsamen Open-Source-Enthusiasten bevölkerte
Marcel Waldvogel (avongunten)
#xz @Marcel Waldvogel

Nice! @amlw wrote a PoC exploit and a honeypot for the xz backdoor.

https://github.com/amlweems/xzbot

#xz #liblzma #cve20243094 #infosec

GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)

notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot
GitHub
#infosec #xz #liblzma #cve20243094 @amlw