lcamtuf :verified: :verified: :verified:

OK, so here's my slightly more eloquent take on the xz thing, complete with a zinger closing paragraph:

lcamtuf.substack.com/p/technol

32 comments
Kees Cook :tux:

@lcamtuf "Those were just very lucky surveillance planes that found the submarine! We certainly didn't crack Enigma."

Alex M. Dunne :ally:

@lcamtuf

Thanks. Been reading #xz coverage since breakfast and yours is a good recap.

💬

@lcamtuf @projectgus interesting hypothesis, but surely an earlier/cleaner disclosure could have been run with just a basic “as part of our ongoing program of security review of foundational open source projects”?

lcamtuf :verified: :verified: :verified:

@rfc6919 @projectgus If you don't have a real program of monitoring the changes to foundational open source projects, lying about it is quite dicey, for a number of reasons - possibly up to being securities fraud.

Heck, if you *have* a program but are lying about whether it can be credited with detecting it, that's sketch too.

Saying "one guy came across it by accident" doesn't really imply any business assurances, so it's a lot easier.

💬

@lcamtuf @projectgus fair point. I guess I’m just thinking that if someone was making up a cover story for the disclosure, surely they could do better than the barely believable “I noticed and investigated a 0.4s slowdown in ssh auth”. I dunno, I don’t play 4D chess.

Tim Bray

@lcamtuf @rfc6919 @projectgus

Fair enough. FWIW I found the narrative about how the Postgres guy turned it up was entirely believable. Sometimes we just get lucky.

The scary opinion I’ve read in a couple places now is “how many others like this are lurking out there that we didn’t get lucky with?”

Irenes (many)

@timbray @lcamtuf @rfc6919 @projectgus we do think there's a good chance of this being an organized effort, as the essay suggests. good piece! thanks for it!

we note, however, the existence of ideological motives that could drive an individual to do this.

Irenes (many)

@timbray @lcamtuf @rfc6919 @projectgus online manipulation and bullying tactics such as those sockpuppet complaints about maintainership are well-established in other areas of life, unrelated to software development. they are also well-known, which means lots of unaffiliated actors use them for lots of different goals.

Irenes (many)

@timbray @lcamtuf @rfc6919 @projectgus overall, yeah, this is an absurdly PATIENT attack. we think that more than anything else does suggest organization behind it.

Brad Rubenstein “:verified:”

So maybe not a maintenance team, since the crucial software is, as you say, long since finished.

Rather, a community of monks, whose religious vocation is to protect and defend the obelisk for eternity.

@irenes @timbray @lcamtuf @rfc6919 @projectgus

Bruce Heerssen

@irenes @timbray @lcamtuf @rfc6919 @projectgus

I think there are many governments that would be willing to do something like this, and wouldn't care if it affected their own systems too as long as only they knew about it. Hell, that probably describes most governments, including in the United States and the UK.

There have been several agencies and officials in the U.S. who have openly expressed discomfort with the idea of impenetrable cryptography.

Irenes (many)

@bruce @timbray @lcamtuf @rfc6919 @projectgus oh, absolutely agreed on all that. furthermore, whether or not THIS attack was state-sponsored, now everybody has seen the strategy.

Bruce Heerssen

@irenes @timbray @lcamtuf @rfc6919 @projectgus

Yup. And to be clear, I don't necessarily think the US or UK in particular is behind this. I think it's more likely China, or perhaps Russia. The point is, we don't know. And like you implied, it could still turn out to have been an individual with an agenda.

Janne Moren

@bruce @irenes @timbray @lcamtuf @rfc6919 @projectgus
Or, an individual with the idea of selling backdoors as a service. That'd be one reason to be this patient and persistent: you'd not use it (and presumably other created vulnerabilities) yourself once; you sell access to other people. With luck you could perhaps sell this half a dozen times before it gets discovered and patched.

lcamtuf :verified: :verified: :verified:

@jannem @bruce @irenes @timbray @rfc6919 @projectgus This is an awful lot of effort to put into a "product" that has a non-trivial chance of getting burned on first try if your customer is careless.

It's something you use when a really compelling need arises, and where you can control most of the variables to minimize the risk of loss.

David Zaslavsky

@lcamtuf Speculative, but interesting and clear. I like it.

★ Amy Star ★ :verified:

@lcamtuf do you have a link that isn't on substack? sorry, i'm allergic

James Just James

@lcamtuf I'd be curious if you had anything to back up this claim in my screenshot here.

Do you have any data on how much open source code companies vacuum up vs. how many dollars they dish out? (Whether in salaries, grants, or otherwise...)

lcamtuf :verified: :verified: :verified:

@purpleidea I don't think you can easily quantify the economic benefit that tech companies reap because of OSS. It's likely huge. I'm not arguing that they're giving back more than they're taking, that's pretty unlikely - but fairness is tangential to the point I'm making.

Generally, there are hundreds of millions flowing every year through various OSS foundations. And if you look at the proportion of, say, Linux developers employed by large tech companies, it's non-trivial too.

There's plenty of small projects that get very little, but at the very least, it's not black-and-white, and I don't think we can blame all problems on that.

young man yells at the cloud

@lcamtuf One thought:

You said this has all the hallmarks of a "foreign government" -- (assuming you're also American) who's to say this wasn't the FBI or the NSA?

Alexander Bokovoy

@lcamtuf One change you might want to consider is to point out that liblzma is not a dependency of OpenSSH but rather a dependency of systemd code which is pulled in by OpenSSH on several Linux distributions. It is an important difference and means that an attack, if it went undetected, could have been extended to other components.
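A defender-side check for the dependency chain Alexander describes, added here as an example and not part of the thread: it takes `ldd`-style output for a binary and reports whether that binary resolves both libsystemd and liblzma, and which shared object satisfies liblzma so the path and version can be compared against a distribution advisory. The two `ldd` listings below are constructed samples with load addresses elided, not output from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): does a binary pull in liblzma
# alongside libsystemd, the chain the xz backdoor relied on?
# Reads ldd-style output on stdin. Exit 0 if both libraries appear.
links_liblzma_via_systemd() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q 'libsystemd\.so' || return 1
    printf '%s\n' "$listing" | grep -q 'liblzma\.so'    || return 1
    return 0
}

# Print the shared object that satisfies liblzma, stripped of the
# "name =>" prefix and the "(0x...)" load address. Reads ldd output on stdin.
liblzma_path() {
    grep 'liblzma\.so' | sed 's/^.*=> *//; s/ (0x.*)$//'
}

# Constructed sample: sshd from a distribution that links libsystemd
# (addresses elided; not real output from any host).
SAMPLE_DISTRO_SSHD='	linux-vdso.so.1 (0x0)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'

# Constructed sample: an upstream-style sshd with no systemd linkage.
SAMPLE_UPSTREAM_SSHD='	linux-vdso.so.1 (0x0)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_DISTRO_SSHD" | links_liblzma_via_systemd; then
    echo "distro-style sshd: links libsystemd and liblzma ($(printf '%s\n' "$SAMPLE_DISTRO_SSHD" | liblzma_path))"
fi
if ! printf '%s\n' "$SAMPLE_UPSTREAM_SSHD" | links_liblzma_via_systemd; then
    echo "upstream-style sshd: no libsystemd/liblzma linkage"
fi
```

On a real host the same functions are fed with `ldd "$(command -v sshd)"`. Two caveats: `ldd` flattens the whole transitive closure, so seeing both libraries only tells you the binary is exposed, not which library pulled liblzma in; to confirm the chain, inspect the `DT_NEEDED` entries of libsystemd itself with `readelf -d`. And because `ldd` may run the dynamic loader on the target, prefer `readelf -d` or `objdump -p` when the binary itself is the thing under suspicion.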

marmarta

@lcamtuf You make very good points here. I also think that this shows that we - speaking of OSS community - are now very much potentially a target of various state-actor interference, and those attacks might not be directly technological. Sometimes projects are very good at technological opsec, but social manipulation is not something we care about - and well, we clearly should.

sabik

@marmarta @lcamtuf
It's not even social manipulation, really; passing the baton to someone who appears willing and able is pretty much best practice

Bonsi

@lcamtuf Can you explain what openssh needs libxz for in conjunction with systemd?

Wyre

@lcamtuf@infosec.exchange I hear you and I think what you're saying is the real villain is systemd.

Force of Habit

@lcamtuf @jerry If only someone would have a sleeping defensive security podcast and could reactivate it. Why not, with a guest this time.

Åki 🐐

@lcamtuf
„You probably can’t build a career on being very familiar with some boring, old dependency that’s just taken for granted by everyone else.“
That’s the point and the failure of the whole business. Throw money on diligent people who constantly create new stuff, but disregard the solid, „boring“ infrastructure.

There's a crucial difference between being lazy and acting responsibly - even if both end up doing nothing for a long time.

lcamtuf :verified: :verified: :verified:

@qwertziop I mean, sort of, but it's also just life. There's excitement in building a new compression library, getting early adopters, and getting praise from the community. There's no excitement in 20-30 years' worth of fixing portability issues and fielding weird requests from users with extremely fringe use cases.

My point is, it breaks the same way in open source (where you don't always get paid) and in the world of Big Tech (where you do). And I don't think that allocating money differently can change this. Ultimately, most people want variety and want to relive that thrill of being on the cutting edge every now and then.
