Skip to main content

in reply to daniel:// stenberg://

"If the attacker instead can just sneak the code directly into a release archive then it won’t appear in git, it won’t get tested and it won’t get easily noticed by team members!"

... like... xz.

in reply to daniel:// stenberg://

I really consider this xz situation a testament to the resilience of the open source community, and distros in particular. The damage did happen, but it was discovered rather quickly, despite how ridiculously sophisticated the attacker was, and the fallout was really contained to just "run an update asap". It didn't even land in most systems thanks to the stabilization process. It can't and won't linger for years like log4j did.
This entry was edited (7 months ago)
in reply to mid_kid

@mid_kid I tend to agree. Sure, ideally we as an ecosystem should detect these things faster, but one of the most advanced backdoor operation attempts ever, was mostly thwarted.
in reply to daniel:// stenberg://

the attack was on sshd users via library, so your paragraph on dependencies applies to the thing as whole, too:

---

Added after the initial post. Lots of people have mentioned that curl can get built with many dependencies and maybe one of those would be an easier or better target. Maybe they are, but they are products of their own individual projects and an attack on those projects/products would not be an attack on curl or backdoor in curl by my way of looking at it.

in reply to daniel:// stenberg://

Similarly spooky is that the "Hypocrite Commit" paper appeared roughly around the same time Jia Tan first showed up.

It didn't hit me as hard back then, but that paper must have been hell of an inspiration for state actors...

in reply to daniel:// stenberg://

"Lots of people have mentioned that curl can get built with many dependencies and maybe one of those would be an easier or better target. Maybe they are, but they are products of their own individual projects and an attack on those projects/products would not be an attack on curl or backdoor in curl by my way of looking at it."

I find this paragraph very interesting in the context of the xz situation, since so many are presenting it as a backdoor ultimately targeting sshd.

in reply to young man yells at the cloud

@bamboombibbitybop yeah, they clearly identified a weak link in the chain and attacked it - successfully. An attack against sshd without attacking the ssh project. Quite clever really.
in reply to daniel:// stenberg://

the most disturbing part by far was the sock puppet accounts effectively cyberbullying the burnt-out lone maintainer who was struggling with long-term mental health issues to encourage a handoff of the project. That's some real-life Mr. Robot Dark Army shit.