Technologist vs. spy: the xz backdoor debate (opens in new tab)

(lcamtuf.substack.com)

63 pointsrbc2y ago23 comments

23 comments

21 comments · 6 top-level

colejohnson662y ago· 6 in thread

More evidence that the OSS community needs to drop the “many eyes” theory of security

On the contrary.

This was detected before it reached major distributors. The only major one hit by this was homebrew, but they have never understood security anyway.

soraminazuki2y ago

> The only major one hit by this was homebrew, but they have never understood security anyway.

Do you have any evidence that other distros wouldn't have done the same? What measures do other distros have in place that would've stopped the inclusion of the backdoor had they not been alerted at the right time?

FireBeyond2y ago

> The only major one hit by this was homebrew, but they have never understood security anyway.

MacOS doesn't ship with sshd running out of the box, and vanishingly few people ever enable it.

1 more reply

mhh__2y ago

As opposed to? The buck has to stop at a human somewhere

derbOac2y ago

I guess to me it suggested even more eyes would be even better.

type02y ago

would 5 eyes, 9 eyes and even 14 eyes be enough?

1 more reply

shnkr2y ago· 6 in thread

>The relationship with commercial vendors isn’t always healthy, but many major OSS projects are supported to a significant extent.

Almost always the so called "community" supporting a OSS project is an employee of a commercial vendor who is only interested as long as he is assigned to the project or task.

The solution is to have a full time owners and maintainers for all the critical projects and the government has to foot the bill. The govt can setup a division to identify such projects.

diogocp2y ago

Government: launches a years-long covert operation to take over maintainership of critical project in order to insert a backdoor.

HN comments: the solution is for government to maintain these critical projects.

kaliqt2y ago

That's a likelihood it would seem.

hnaccount_rng2y ago

I mean, getting an actual government agency with an appropriate mission specified by law _would_ help. Both from a recruiting point of view (you get sufficiently ideologically motivated people), but also from an accountability point of view. These agencies are ultimately responsible to someone. And the law has that nice property of knowing who and how to hurt those people. So yeah. Getting a (or the) government to maintain OSS infrastructure definitely would help. And probably also prevent this kind of thing as far, far too risky to attempt

gizmo6862y ago

I'm amazed we have gotten this far without something like that happening. Critical infastructure is built ontop of this pile of software that is all being maintained by. If every major piece of infastructure (power plant, water treatment plant, etc) would dedicate 1 full time engineer to 1 open source dependency that they use, there would be more than enough man power to solve it.

forgotmyinfo2y ago

We can't even support actual critical physical infrastructure anymore, like roads, bridges, and the power grid. And that stuff has very obvious immediate consequences when it breaks. Try explaining to your local octogenarian senator what xz is and why OpenSSH shouldn't just be funded by whatever spare change we find in the couch cushions.

GabeIsko2y ago

Governments will just outsource it to commercial contractors at this point.

egberts12y ago· 2 in thread

All that can be avoided by doing really good sets of unit tests and integration tests, then incorporate its test result into the validation part of the repository.

halJordan2y ago

The evergreen: "Keep doing what you're doing, except better this time"

jddj2y ago

Bonus points if the tests come complete with obfuscated binary (or near enough) blobs.

trogdor2y ago· 1 in thread

>In other words, all signs point to this being a professional, for-pay operation — and it wouldn’t be surprising if it was paid for by a foreign government.

Or a not-foreign government…

rurban2y ago

We just call them state actors

bediger40002y ago

This is an interesting article. Zalewski is almost unique in the ability and credibility to write this. He used to work for Google in infosec, he's got a lot of experience writing code, and he no longer works for a big corporation, so he's free to say what he thinks.

publius_0xf32y ago

>In fact, here’s an interesting thought: perhaps they have known for a while. Would we be able to tell the difference between a carefully-timed disclosure — presumably engineered to conceal “methods and sources” — and a serendipitous discovery?

j / k navigate · click thread line to collapse

23 comments

21 comments · 6 top-level

colejohnson662y ago· 6 in thread

More evidence that the OSS community needs to drop the “many eyes” theory of security

daghamm2y ago

On the contrary.

This was detected before it reached major distributors. The only major one hit by this was homebrew, but they have never understood security anyway.

soraminazuki2y ago

> The only major one hit by this was homebrew, but they have never understood security anyway.

FireBeyond2y ago

> The only major one hit by this was homebrew, but they have never understood security anyway.

MacOS doesn't ship with sshd running out of the box, and vanishingly few people ever enable it.

1 more reply

mhh__2y ago

As opposed to? The buck has to stop at a human somewhere

derbOac2y ago

I guess to me it suggested even more eyes would be even better.

type02y ago

would 5 eyes, 9 eyes and even 14 eyes be enough?

1 more reply

shnkr2y ago· 6 in thread

>The relationship with commercial vendors isn’t always healthy, but many major OSS projects are supported to a significant extent.

Almost always the so called "community" supporting a OSS project is an employee of a commercial vendor who is only interested as long as he is assigned to the project or task.

The solution is to have a full time owners and maintainers for all the critical projects and the government has to foot the bill. The govt can setup a division to identify such projects.

diogocp2y ago

Government: launches a years-long covert operation to take over maintainership of critical project in order to insert a backdoor.

HN comments: the solution is for government to maintain these critical projects.

kaliqt2y ago

That's a likelihood it would seem.

hnaccount_rng2y ago

gizmo6862y ago

forgotmyinfo2y ago

GabeIsko2y ago

Governments will just outsource it to commercial contractors at this point.

egberts12y ago· 2 in thread

All that can be avoided by doing really good sets of unit tests and integration tests, then incorporate its test result into the validation part of the repository.

halJordan2y ago

The evergreen: "Keep doing what you're doing, except better this time"

jddj2y ago

Bonus points if the tests come complete with obfuscated binary (or near enough) blobs.

trogdor2y ago· 1 in thread

>In other words, all signs point to this being a professional, for-pay operation — and it wouldn’t be surprising if it was paid for by a foreign government.

Or a not-foreign government…

rurban2y ago

We just call them state actors

bediger40002y ago

publius_0xf32y ago

j / k navigate · click thread line to collapse