Sweden's latest attack on encryption comes simultaneously with the Swedish Armed Forces speaking up in favor of encryption. If this alone is not enough to reject the legislation, read the open letter to the Swedish Riksdag.
An amendment to the “Nacrotrafic” law is moving to the French National Assembly. Remind your legislators that a backdoor for the good guys only is not possible.
Staat mal wieder scharf auf Backdoor! Die französische Regierung plant eine Änderung des Narcotrafic-Gesetzes: Verschlüsselte Messengerdienste wie z. B. Signal + WhatsApp sollen verpflichtet werden eine Backdoor einzubauen. Das würde die Sicherheit + Privatsphäre ALLER Nutzenden gefährden!
An amendment to the “Nacrotrafic” law is moving to the French National Assembly. Remind your legislators that a backdoor for the good guys only is not possible.
An amendment to the “Nacrotrafic” law is moving to the French National Assembly. Remind your legislators that a backdoor for the good guys only is not possible.
If Apple complies with this, the UK government will gain access to all iCloud data globally. The only way Apple comes out of this with any integrity is to leave the UK market. If they give in to this, every regime in the world will demand the same thing. And that’s before we even get to the fact that there’s no such thing as a “backdoor” for just so-and-so. Either there is a door or there isn’t and if there is, anyone who obtains the key can use it.
I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:
I spent most time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.
It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.
Some links: - Ken Thompson's "Reflections on Trusting Trust" paper: cs.cmu.edu/~rdriley/487/papers… - David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" dwheeler.com/trusting-trust/
Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:
Noteworthy: - #OpenSSH implemented systemd notification - #systemd moves to dlopen(3) for some dependencies - another detailed timeline at research.swtch.com/xz-timeline - similar social engineering takeover attempts suspected in #OpenJS and #OpenSSF
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think its relevant now
The search results are pretty unusable currently. So I've changed it to show apps in this order: App name matches keyword, summary matches keyword, description matches keyword. Also,...
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
Updates the vendored version of xz to be 5.6.1. Also updates the
vendor script to support the addition of SPDX-License-Identifier
headers into some files.
