I work in a non-eng field at Meta so I'm not too familiar with what's going on with the XZ backdoor but I just read this article: https://www.wired.com/story/xz-backdoor-everything-you-need-to-know/ as well as this one: https://research.swtch.com/xz-timeline Can anyone shed light on what this attack means in lay people's terms? What exactly is going on and what exactly is the concern?
Speaks to the effectiveness of code reviews...
Backdoor LGTM
April fools
That is why Software Supply Chain Security is important
Check out the fireship video on YouTube
For which newspaper?
Watch this video for a simplistic analogy https://youtu.be/bS9em7Bg0iU
You were kinder than me and provided the link. Haha
It didn't make it to the stable release of any Linux distribution so all good. It does highlight how big companies freeloading on open source is a ticking time bomb.
Good luck getting me to install your newfangled compression backdoor, I still have images that run Ubuntu 2018.04 👴
- Open source is created by people.
- People get burnt out.
- Lots of things depend on open source.
- It's a Jenga tower made up of many pieces, each relying on the others.
- People, being people... some individuals (one person or a group of people) tricked (through social engineering) the maintainer of the XZ library over a span of 1-3 years and inserted malicious code into an open-source project that many other processes depend on.

It's as if someone managed to put a secret backdoor into a commonly used digital lock system. This backdoor allows them to unlock and enter any door that uses this system without anyone knowing, raising concerns about safety and security in many places that thought they were protected.
For completion, this particular case was detected (by pure luck) early enough that the backdoor was not widely distributed and the impact of the attack was low/null. The concern now is around other possible undetected backdoors built using the same techniques and how to detect them. Also, there is an interesting conversation (once again) around how to help the maintainers of foundational projects so that they do not fall for these kinds of social engineering tricks.
Well explained, mate.