"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"
I really consider this xz situation a testament to the resilience of the open source community, and distros in particular. The damage did happen, but it was discovered rather quickly, despite how ridiculously sophisticated the attacker was, and the fallout was really contained to just "run an update asap". It didn't even land in most systems thanks to the stabilization process. It can't and won't linger for years like log4j did.
@mid_kid I tend to agree. Sure, ideally we as an ecosystem should detect these things faster, but one of the most advanced backdoor operation attempts ever, was mostly thwarted.
the attack was on sshd users via library, so your paragraph on dependencies applies to the thing as whole, too:
---
Added after the initial post. Lots of people have mentioned that curl can get built with many dependencies and maybe one of those would be an easier or better target. Maybe they are, but they are products of their own individual projects and an attack on those projects/products would not be an attack on curl or backdoor in curl by my way of looking at it.
@bamboombibbitybop yeah, they clearly identified a weak link in the chain and attacked it - successfully. An attack against sshd without attacking the ssh project. Quite clever really.
daniel:// stenberg://
in reply to daniel:// stenberg:// • • •"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"
... like... xz.
Elias Mårtenson
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Elias Mårtenson • • •mid_kid
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to mid_kid • • •David Jaša
in reply to daniel:// stenberg:// • • •the attack was on sshd users via library, so your paragraph on dependencies applies to the thing as whole, too:
---
Added after the initial post. Lots of people have mentioned that curl can get built with many dependencies and maybe one of those would be an easier or better target. Maybe they are, but they are products of their own individual projects and an attack on those projects/products would not be an attack on curl or backdoor in curl by my way of looking at it.
Tobias Fiebig
in reply to daniel:// stenberg:// • • •Similarly spooky is that the "Hypocrite Commit" paper appeared roughly around the same time Jia Tan first showed up.
It didn't hit me as hard back then, but that paper must have been hell of an inspiration for state actors...
Claudia
in reply to daniel:// stenberg:// • • •„Since you didn’t read that PHP link“
wait how did you know
daniel:// stenberg://
Unknown parent • • •