Jan Wildeboer 😷:krulorange:

Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.

20 comments
Jan Wildeboer 😷:krulorange:

Just FTR. The backdoor code was inserted only under very specific circumstances in the build process. Once the problem was identified and after initial analysis made it clear how it worked, immediate action was taken in a coordinated fashion. Affected builds/packages were removed, update systems for affected distributions started delivering forced downgrades. Users of these systems were informed. This all happened in public, in transparent and open ways. All in the first 24 hours. I tip my hat.

Jan Wildeboer 😷:krulorange:

Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned from Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.

phoenix

@jwildeboer even more, 1000 eyes are now focussing on the wound, looking for damages and other infections. 1000 eyes that would otherwise do other things are focussing on the one wound, so it can heal.

Once a problem has been identified, the self-healing capabilities are typically given. This is the resilience that is needed for survival. And it is there.

That's the open-source spirit, and it is awesome

Jan Wildeboer 😷:krulorange:

For the impact on #Fedora, please follow the developing story at fedoramagazine.org/cve-2024-30 - That's the transparency and openness I am talking about.

Jan Wildeboer 😷:krulorange:

This #xz backdoor is tracked as CVE-2024-3094 and this CVE was opened by #RedHat. You can find our data on this at access.redhat.com/security/cve If you search for "CVE-2024-3094" with the search engine of your choice you will find a growing list of references (and clickbait stories) of which nvd.nist.gov/vuln/detail/CVE-2 is a bit more relevant as it contains a long list of links to more news and background. The thread that started it all is at openwall.com/lists/oss-securit

Jan Wildeboer 😷:krulorange:

I will let this thread rest for a while, as IMHO (In My Humble Opinion) everything we know ATM (At This Moment) is documented in the links I provided and besides making sure our machines have been updated (more precise: downgraded the xz package) there is not much we can do. I will NOT participate in speculations and potentially harmful spreading of rumours. And now I will be taking care of other things on this beautiful day. Thank you all for taking your time to read and comment!

Joe Brockmeier

@jwildeboer yes… but. I’m now wondering if there are other instances we haven’t caught, or caught yet. Seems optimistic to assume that we’ve spotted a solitary instance of a very sophisticated approach to sneaking in back doors.

At a minimum, it might be time to revisit the practice of key signing parties and doing more to vet contributors.

Jan Wildeboer 😷:krulorange:

@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.

We just shouldn't mix the two things because that leads to open ending arguments and not to solutions, IMHO.

Natasha Nox

@jwildeboer Absolutely. From identifying the problem to having the fix on my computer, drawn from the official (Arch) repo, it took just about 3 hours. That's insanely fast.

MylesRyden

@jwildeboer

I agree with you. I am no expert in cyber security, but it does seem that people reacted quickly, but reasonably to this issue. Yes, "it shouldn't have been able to happen, yada yada yada" but we have to understand that everything digital can be hacked and reverse engineered.

I think the smart people in FOSS did a good job.

Andi Barth

@jwildeboer I'm pretty sure we (as the FOSS community) will learn many things from this. However, whoever is shouting now is probably not part of any of the useful learning efforts (and breaking of the toolchains for some 'tick in the box'-results for a nice powerpoint slide is never a priority or even goal; and especially now the first priority is making sure we don't have any malicious (binary) code in our tool chain). And yes, it's impressive how fast the FOSS found out and mitigated issues.

STOP WAR (Stefano Costa)

@jwildeboer I'm sorry that this needs to be said, but the problem here is that the xz maintainer had mental health issues and nobody cared, then a malicious actor took over and nobody noticed, because the eyes are all on CI, git tags, stack traces and all that shit. Fixing the backdoor is a tiny effort. The FOSS community should be ashamed, particularly all companies who make huge profits.

Jan Wildeboer 😷:krulorange:

@steko Thank you for sharing your arguments and welcome to my blocklist.

Albert ARIBAUD

@jwildeboer As far as xz is concerned, there was indeed vigilance and proactivity. Less so in the case of libarchive, though, where the backdoor remained unnoticed from 2021 until now.

(not pointing fingers though, as it's not the first case of a vulnerability remaining present for years, and also as I do not have the street cred to do finger pointing as far as security goes)

Nik | Klampfradler 🎸🚲

@jwildeboer

Don't forget highlighting how Microsoft is actively fighting this transparency.

#GiveUpGitHub

Hama Barhamou

@jwildeboer
"Progress is made iteratively. Learn, adapt, repeat."

Agree with you.

Luc

@jwildeboer
> deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything

You're the second person posting a sentiment like this, that I've seen, but the actual flamewars seem to elude me. Getting kinda curious what y'all are on about

Jan Wildeboer 😷:krulorange:

@luc The usual arguments that I put in the "I want Clickbait! I want the world to fall apart!" bucket. Stuff like "with more MFA (Multi Factor Authentication) this wouldn't be possible!", "Evil big open source companies just want money and don't care about anything else", "I am sure there are even worse backdoors everywhere because The Deep State never sleeps".

Leonardo Ferreira Fontenelle

@jwildeboer reminds me of when some version of Windows had three backdoors: one accidental, another created by Microsoft for the CIA, and another one created by an infiltrated CIA agent

highvoltage

@jwildeboer Absolutely. I marvel at the prompt and efficient response by everyone involved. In the proprietary software world there would still be denial that there even is a problem.