XZ Backdoor: What do we need to know? What exactly is going on? Anyone shed some light?

I work in a non-eng field at Meta so I'm not too familiar with what's going on with the XZ backdoor, but I just read this article: https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/ as well as this one: https://research.swtch.com/xz-timeline. Can anyone shed light on what this attack means in layperson's terms? What exactly is going on and what exactly is the concern?

The XZ Backdoor: Everything You Need to Know (WIRED)
LexisNexis 3bdyprblm Apr 2

- Open source is created by people.
- People get burnt out.
- Lots of things depend on open source.
- It's a Jenga tower made up of many pieces, each relying on the others.
- People, being people... some individuals (one person or a group of people) tricked (through social engineering) the maintainer of the XZ library over a span of 1-3 years and inserted malicious code into an open-source project that many other processes depend on.

It's as if someone managed to put a secret backdoor into a commonly used digital lock system. This backdoor allows them to unlock and enter any door that uses this system without anyone knowing, raising concerns about safety and security in many places that thought they were protected.

Microsoft LuckyLazyM Apr 2

For completion, this particular case was detected (by pure luck) early enough that the backdoor was not widely distributed and the impact of the attack was low/null. The concern now is around other possible undetected backdoors built using the same techniques and how to detect them. Also, there is an interesting conversation (once again) around how to help the maintainers of foundational projects so that they do not fall for these kinds of social engineering tricks.

Amazon idgaftbh Apr 2

Well explained mate

Amazon chessplaya Apr 2

Speaks to the effectiveness of code reviews...

Bloomberg QwNf01 Apr 4

Or absence of them

Amazon NeedsBreak Apr 5

This was hidden in a binary blob that was part of a test case. How do you review a binary blob? I think the takeaway may be: don't have binary blobs in your code, even for tests.
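One concrete way to act on that takeaway is a repository gate that lists every opaque (non-text) file in the tree and only lets through the ones a reviewer has already pinned by hash, so a "test fixture" that quietly changes content gets flagged again. The script below is an added example written for this thread, not code from the xz project or from any of the linked articles; the directory layout, file names and blob bytes are constructed for illustration, and the NUL-byte heuristic for "binary" is an assumption a real gate would tune.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SAMPLE_BYTES = 8192  # only the head of each file is inspected for the heuristic

# Constructed blob for the sample repo below; not taken from any real project.
SAMPLE_BLOB = b"\x00\xff" * 64


def is_binary(data: bytes) -> bool:
    """Cheap heuristic (an assumption, not a standard): text files almost
    never contain a NUL byte, so one in the first 8 KiB marks the file opaque."""
    return b"\x00" in data[:SAMPLE_BYTES]


def find_binary_blobs(root: str,
                      allowlist: Optional[Dict[str, str]] = None
                      ) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, sha256) for every binary file
    whose digest is NOT the one a reviewer recorded in `allowlist`.
    A blob that was reviewed once but later modified therefore reappears."""
    allowlist = allowlist or {}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for name in filenames:
            path = Path(dirpath) / name
            data = path.read_bytes()
            if not is_binary(data):
                continue
            rel = path.relative_to(root).as_posix()
            digest = hashlib.sha256(data).hexdigest()
            if allowlist.get(rel) != digest:
                findings.append((rel, digest))
    return sorted(findings)


def build_sample_repo(base: str) -> None:
    """Constructed sample tree: one source file, one text fixture and one
    opaque test blob, so the gate has something to flag."""
    (Path(base) / "src").mkdir()
    (Path(base) / "tests" / "files").mkdir(parents=True)
    (Path(base) / "src" / "main.c").write_text("int main(void) { return 0; }\n")
    (Path(base) / "tests" / "files" / "readme.txt").write_text("plain text fixture\n")
    (Path(base) / "tests" / "files" / "sample.bin").write_bytes(SAMPLE_BLOB)


def check_sample_repo(allow_reviewed: bool = False) -> List[str]:
    """Run the gate against the sample tree and return the paths that still
    need human review. With allow_reviewed=True the blob is pinned by the
    hash a reviewer would have recorded, so nothing is reported."""
    allowlist = {}
    if allow_reviewed:
        allowlist["tests/files/sample.bin"] = hashlib.sha256(SAMPLE_BLOB).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return [rel for rel, _ in find_binary_blobs(tmp, allowlist)]


if __name__ == "__main__":
    for rel in check_sample_repo():
        print(f"unreviewed binary blob: {rel}")
```

Pinning by hash rather than by path is the point: a path-only allowlist would have let a modified fixture through, while a hash pin forces a fresh review whenever the bytes change. Run it as a CI step that fails on a non-empty result.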

Amazon jeffbangme Apr 2

Backdoor LGTM

Microsoft LuckyLazyM Apr 2

Sheep it!

Google ChronJorb Apr 2

This made me spit out my poop

Amazon :(){:|:&}: Apr 2

April fools

Google Dotcom3.0 Apr 2

That is why Software Supply Chain Security is important

Amazon DadaStruct Apr 2

Check out the fireship video on YouTube

Meta SWE-Ninja Apr 2

For which newspaper ?

LinkedIn hash-ban Apr 2

Watch this video for a simplistic analogy https://youtu.be/bS9em7Bg0iU

Amazon DadaStruct Apr 2

You were kinder than me and provided the link. Haha

eBay mmm … Apr 2

It didn't make it to the stable release of any Linux distribution, so all good. It does highlight how big companies freeloading on open source is a ticking time bomb.

Amazon nvr|amzn Apr 2

Good luck getting me to install your newfangled compression backdoor, I still have images that run Ubuntu 2018.04 👴

Meta flyingdogs Apr 2

It's a good use case for AI

Uber organizado Apr 2