Dave Anderson

As the xz thinkpieces start showing up about What Should Be Done, a couple of questions I'd encourage you to keep in mind while reading them:
- Is this advocating security nihilism and giving up because stopping 100% of badness is impossible?
- Is this pushing a random hobby horse like "sign your commits" that wouldn't have helped this incident in any way?
- Is this equating employment/nationality/notoriety with trustworthiness?
- Is this pushing a technical solution to a social problem?

17 comments
Dave Anderson

I suppose this post also counts as a thinkpiece about the incident, arguably. Feel free to derive your own critical thinking rule of thumb from it, I guess :)

Pete Keen

@danderson something something your solution doesn't fix email because <insert checklist>

Brendan Molloy :ferris:

@danderson arguably the badness was stopped because professionals noticed something fishy and found the root cause. If anything, to my mind, the system (if it can be called one) is actually working quite well given the fallibility of humans and the systems we create.

Dave Anderson

@piecritic Yeah except we didn't notice because of any kind of intentionality or process. It was blind luck that the right someone got annoyed at a tiny change in performance and went digging. If that one person had been on vacation for a couple weeks, I could see this shipping to a bunch of enterprise distro releases before anyone caught on. Or even nobody noticing until the first high profile compromise that used the backdoor. We got very, very lucky.

Brendan Molloy :ferris:

@danderson and we keep getting lucky. That’s kinda my point. Getting away with this level of social engineering seems just so unlikely even with such planning because there’s always that person fucking around and finding out.

Phil Tomson 🇺🇦🌻

@piecritic @danderson the problem is that we don't know about other cases where we haven't gotten lucky.

Brendan Molloy :ferris:

@philtor @danderson I’m doubtful of that. At this scale someone will notice that weird network request.

Phil Tomson 🇺🇦🌻

@piecritic @danderson what if the network request is made very infrequently on some sort of random schedule?

Brendan Molloy :ferris:

@philtor @danderson then anomaly detection software will absolutely pick that up even without modern techniques.
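
Phil's question above (a callback made infrequently on a random schedule) and Brendan's answer that anomaly detection would pick it up are worth making concrete. What follows is an added example, not code from this thread or from any detection product: it builds a small constructed connection log (the line format, the host name build01, the destinations mirror.example, 10.0.0.53 and 203.0.113.7, and the sshd callbacks are all invented for illustration) and runs two checks over it. A periodicity check flags only near-constant gaps, so it fires on the benign hourly mirror check and misses the jittered callbacks; a rarity check flags the seldom-contacted destination regardless of schedule.

```python
"""Added example (not from the thread): two detectors run over a constructed
connection log, to show what a callback on a randomised schedule looks like to
a periodicity check versus a rarity check."""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_constructed_log(seed=7):
    """Return constructed log lines (not captured from any real system).
    Assumed format, one outbound connection per line:
    '<ISO timestamp> <host> <process> <destination>'."""
    rng = random.Random(seed)
    start = datetime(2024, 3, 1)
    events = []
    # Benign and strictly periodic: an hourly package-mirror check for 30 days.
    for h in range(24 * 30):
        events.append((start + timedelta(hours=h), "apt", "mirror.example"))
    # Benign and noisy: resolver traffic at random moments across the month.
    for _ in range(500):
        t = start + timedelta(seconds=rng.randrange(30 * 86400))
        events.append((t, "systemd-resolved", "10.0.0.53"))
    # Hypothetical implant (invented for this example): four callbacks from
    # sshd to 203.0.113.7, the first after 3 days, then uneven gaps of
    # 5, 12 and 8 days so that no simple period fits them.
    t = start
    for gap_days in (3, 5, 12, 8):
        t += timedelta(days=gap_days)
        events.append((t, "sshd", "203.0.113.7"))
    events.sort()
    return [f"{ts.isoformat(timespec='seconds')} build01 {proc} {dst}"
            for ts, proc, dst in events]


def parse(lines):
    """Parse the assumed log format into (timestamp, process, destination)."""
    events = []
    for line in lines:
        ts, _host, proc, dst = line.split()
        events.append((datetime.fromisoformat(ts), proc, dst))
    return events


def group_by_pair(events):
    """Map each (process, destination) pair to its sorted connection times."""
    groups = defaultdict(list)
    for ts, proc, dst in events:
        groups[(proc, dst)].append(ts)
    return {pair: sorted(times) for pair, times in groups.items()}


def periodic_pairs(groups, min_events=3, max_cv=0.1):
    """Classic beacon check: flag pairs whose inter-connection gaps are nearly
    constant (coefficient of variation <= max_cv). A jittered schedule evades
    it, and benign cron-style traffic trips it."""
    flagged = set()
    for pair, times in groups.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged.add(pair)
    return flagged


def rare_pairs(groups, max_events=5):
    """Rarity check: flag pairs seen at most max_events times in the window,
    whatever their schedule. This only works against a baseline of what each
    process normally talks to, which has to exist before the incident."""
    return {pair for pair, times in groups.items() if len(times) <= max_events}


def run_detectors(lines):
    """Return (periodic, rare) pair sets for a list of log lines."""
    groups = group_by_pair(parse(lines))
    return periodic_pairs(groups), rare_pairs(groups)


if __name__ == "__main__":
    periodic, rare = run_detectors(build_constructed_log())
    print("periodic (regular, beacon-like):", sorted(periodic))
    print("rare (seldom-contacted destination):", sorted(rare))
```

Run it as a script to print both sets: the periodicity check names only the hourly apt traffic, the rarity check names only the sshd callbacks. Two caveats a practitioner would add: the rarity check is only as good as the baseline of normal destinations per process, and the xz backdoor as actually shipped made no outbound callbacks at all (it was triggered by an inbound SSH connection), so a network-only detector of either kind would not have seen that incident.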

Gabriel Pettier

@piecritic @philtor @danderson there are attackers persisting in systems they shouldn't have access to, all the time. Sure, alerts are raised in a serious system, but that's not necessarily enough. bl.uk/cyber-incident/ for an example.

Brendan Molloy :ferris:

@danderson @tshirtman @philtor yes, I am aware that people exist doing bad things. Buildings also get bombed almost daily in Sweden. It doesn’t mean it is a comparative scenario. This scenario is extremely low level and touches too many things.

Gabriel Pettier

@piecritic @danderson @philtor it looks like you think we are doing good enough and the luck here is not really luck but the system working as intended, although there are many levels where this could have been caught, it does seem like this one could easily have done a lot more harm before being discovered, and hoping we are going to get similarly lucky next time doesn't strike me as a serious plan (well, hope never is, anyway).
There might be others, currently exploitable, that we missed.

Brendan Molloy :ferris: replied to Gabriel

@tshirtman @philtor @danderson there shouldn’t be dependencies that are used so broadly that they can affect the entire world while having one tired maintainer working for free. This is a deeper systemic issue, and the system itself is working as intended given that constraint.

Gabriel Pettier replied to Brendan Molloy :ferris:

@piecritic @philtor @danderson that I agree, but many people are depending on this lib, and surely we should be able to encourage them, and make it easier for them, to check that the changes make sense, distributors, applications builders, people adding this lib to their own project, should probably set some time aside for it, or companies themselves should dedicate resources to such audits, but clarity of dependencies, and resources to do the work, are needed.

Brendan Molloy :ferris: replied to Gabriel

@philtor @danderson @tshirtman nah. That’s unrealistic. What is realistic is that projects assess the scope of risk of their dependencies and consider at what depth a dependency affects their systems, then consider the maturity and safety of the team maintaining it. This is what I do as part of my job. This is a social problem exclusively, not an economical one.

Matt Campbell

@danderson It seems to me that dismissing all technical solutions because the problem is social is itself a form of giving up because stopping 100% of badness is impossible. If the option of hijacking crypto code in the sshd process through an obscure dynamic linking feature and an underfunded library hadn't been an option, for example, would the attacker have gotten nearly as far as they did?

Trent Waddington

@matt @danderson agreed. Everything needs to be done, not nothing. Understand the threat and adapt. Personal hobby horse: scan your binaries. Revng just went open source, look inside those blobs!
