Items tagged with: xz
What we need to take away from the XZ Backdoor
A lot has been written about the XZ Backdoor in the last few weeks, so it is time to look forward. Before doing so, we share further details about what happe... (openSUSE News)
Lasse Collin in a commit message: “The other maintainer suddenly disappeared.” 😆
#jiatan #xz
https://github.com/tukaani-project/xz/commit/77a294d98a9d2d48f7e4ac273711518bf689f5c4
"You have to understand, we’re responsible for taxpayer money here. We can’t just make a donation to your open source project."
— a national government who relies on #Matrix when being asked to support it financially
Read more about the problem and some initiatives that are responding to it:
https://matrix.org/blog/2024/04/open-source-publicly-funded-service/
#FreeSoftware #OpenSource #FOSS #FLOSS #funding #xz #sustainability
Open Source Infrastructure must be a publicly funded service.
Matrix, the open protocol for secure decentralised communications (Matthew Hodgson, matrix.org)
In the light of the #xz backdoor, if you're a #RustLang developer, I recommend you familiarize yourself with cargo vet:
https://mozilla.github.io/cargo-vet/
Auditing your dependencies, or relying on external audits, adds an important layer of protection.
It's not a silver bullet against bad dependencies as there's no such thing. However adding more layers of protection makes attackers' lives harder and this is one of them.
#XZ #Backdoor: Times, damned times, and scams
However, I believe that he is actually from somewhere in the UTC+02 (winter)/UTC+03 (DST) timezone, which includes Eastern Europe (EET), but also Israel (IST), and some others. Forging time zones would be easy — no need to do any math or delay any commits. He likely just changed his system time to Chinese time every time he committed.
source: https://rheaeve.substack.com/p/xz-backdoor-times-damned-times-and
#security #software #time #news #hack #linux #timezone
XZ Backdoor: Times, damned times, and scams
Some timezone observations on the recently discovered backdoor hidden in an xz tarball. (Rhea, Rhea's Substack)
STORY: The XZ backdoor has rocked the security industry over the last few days. Took a look, with @agreenberg, at what we know about the mysterious persona, Jia Tan, behind the attack.
Full WIRED story here: https://www.wired.com/story/jia-tan-xz-backdoor/
#xz #opensource #wired #cyber #news
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code. (Andy Greenberg, WIRED)
I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale.
So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI
This weekend, only through incredible luck and by an extremely narrow margin, we scraped past what was probably one of the biggest catastrophes in global IT security.
Phew! But: what actually happened? How could this happen at all? And what can (and must) we do to avoid this in the future?
And: thanks to all the IT heroes who did this for us over this long weekend.
#xz #lzma #ssh
https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/
xz, or: How the open source community saved the world at Easter - Das Netz ist politisch
«The holidays. All the IT departments are celebrating with their families… All the IT departments? No! One populated by indomitable open source enthusiasts (Marcel Waldvogel, avongunten)
This Easter weekend we narrowly scraped past the biggest catastrophe in global IT security.
Everything about #xz, explained in an exciting and funny way by @marcel, AND: what ssh + backdoor + supply chain attack means.
Take the time to read this great piece:
https://dnip.ch/2024/04/02/xz-open-source-ostern-welt-retten/
Nice! @amlw wrote a PoC exploit and a honeypot for the xz backdoor.
https://github.com/amlweems/xzbot
#xz #liblzma #cve20243094 #infosec
GitHub - amlweems/xzbot: notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094)
notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot (GitHub)