2024-04-02 04:34:49 Here's a good article on the recent xz backdoor attack:
2024-04-02 04:34:51 https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/
2024-04-02 04:35:09 This is a bad scene - this guy labored for over two years to get established as a legit maintainer.
2024-04-02 04:35:23 I find this line in the article particularly potent:
2024-04-02 04:35:37 The sophisticated nature of this attack and the use of highly future proof crypto algorithms (Ed448 vs the more standard Ed25519) led many to believe that the attack may be a nation-state level cyberattack.
2024-04-02 04:36:13 I'm suddenly glad I don't keep myself updated to the bleeding edge.
2024-04-02 04:36:23 None of my systems at home or at work have the tainted xz.
2024-04-02 04:37:09 Apparently this thing sets you up so that someone who has the right private key can upload arbitrary payloads to your system and have them executed.
2024-04-02 04:37:37 So it doesn't "do" anything to you immediately, but you become vulnerable to takeover - by only that particular attacker - at any time.
2024-04-02 04:44:17 Looks like this guy deliberately targeted a project with a single over-worked maintainer.
2024-04-02 04:44:25 And "helped."
2024-04-02 04:44:58 My ArchLinux got it and patched it soon. I'm glad the backdoor was found before it spread widely.
2024-04-02 04:45:16 Yes - it really does look like it got picked up on pretty quickly.
2024-04-02 04:46:00 And it's nice that it seems it took no immediate overt action - just was "getting things ready," like they wanted to be able to launch a widespread attack all at once.
2024-04-02 04:47:38 If that bit about it being a nation-state level attack is right, though, who knows how much of this is going on. And it's not necessarily just open-source; there could be employees at Microsoft, etc. trying to worm things into Windows.
2024-04-02 04:48:11 This doesn't feel like a quick hacker money grab - it's like someone was trying to get ready for something major.
2024-04-02 04:56:29 could be a red herring
2024-04-02 04:56:41 please, look over here, and wait until we show you what is real over there.
2024-04-02 04:57:08 seems suspect and likely to me this might be the case.
2024-04-02 04:57:22 so please, get a boot strap, and pull your own boots up.
2024-04-02 04:57:24 :)
2024-04-02 05:26:53 Yeah, it could indeed.
2024-04-02 05:27:59 The turn rather than the prestige.
2024-04-02 17:56:30 KipIngram: Goes to show bleeding edge isn't more secure
2024-04-02 17:56:50 Although the same kind of approach might impact security patches, it's less likely
2024-04-02 17:57:15 Bleeding edge is for enthusiasts, IMO. It's for people who care and want it, with all the caveats.
2024-04-02 19:21:54 or for testing
2024-04-02 19:22:04 which is, as far as i understand, how this was discovered
2024-04-02 19:23:30 This is a fascinating gadget:
2024-04-02 19:23:31 anyway, i would reiterate that the attack doesn't come from xz alone. it depends on liblzma getting linked into sshd via libsystemd thanks to a patch some distros like to apply. if i were an openssh dev, my response would be "why the fuck are you dicking with our secure software before you distribute it?"
2024-04-02 19:23:31 https://en.wikipedia.org/wiki/Fuller_calculator
2024-04-02 19:24:24 Yeah - I agree. Certain critically important pieces of all of this should be identified and just hardly EVER changed.
2024-04-02 19:24:35 They should be subject to a much more stringent process for updating.
2024-04-02 19:25:21 https://thrig.me/tmp/ditch-systemd.txt
2024-04-02 19:25:29 veltas: totally agree re: the bleeding edge.
2024-04-02 19:25:45 I was unaffected by all this precisely because I'm sluggish about updating things.
2024-04-02 19:26:32 My xz is still 5.4.1-1.fc36
2024-04-02 19:26:33 there probably is a goldilocks zone between too hot and too cold on the updates
2024-04-02 19:26:49 Yeah, exactly. I make no claims as to being in it.
2024-04-02 19:27:01 I'm on a LTS distro with xz 5.2.5 :P
2024-04-02 19:27:37 The problem is that this could just be the tip of an iceberg. We caught this one - God knows what all else is going on.
2024-04-02 19:32:17 thrig: which is probably debian stable
2024-04-02 19:32:21 or oldstable
2024-04-02 19:34:20 OpenBSD 7.4 here, probably soon 7.5
2024-04-02 19:54:11 I really probably should, at some point, set up an "experimental" system and get on top of being able to build a system totally from the ground up. I know that "Linux from Scratch" project is out there.
2024-04-02 19:54:43 I just wouldn't want that to be my primary use system - maybe that one I'd try to keep near the bleeding edge. Or closer, at least.
2024-04-02 19:56:02 There used to be a project (now defunct, I think) called "remaster.sys" or something like that. It would let you get your system into whatever state you wanted (it could even include being logged into things online), and then it would build an iso from that - then you could just "install" to that point.
2024-04-02 19:56:34 LFS has you downloading a whole lot of things you'd need to audit ...
2024-04-02 19:59:45 Given the recent news about future DVDs holding like hundreds of TB or something, I could envision an optical disk that you just "added to" over time as you moved your system forward, and then you could use it to boot any version you'd ever been at.
2024-04-02 20:00:32 I'm sure - I don't really know much about the details.
2024-04-02 20:00:50 I just know that I tremble a little any time I run into the phrase "recompile your kernel."
2024-04-02 20:01:32 something something "A Fire Upon the Deep"
2024-04-02 20:06:30 As far as I can tell anyone who built their system from source completely wouldn't be affected by this latest issue - it wasn't in the source code; it was injected after compilation, into the binaries.
2024-04-02 20:17:47 irs
2024-04-02 20:18:09 ..I typed the irc command twice :|
2024-04-02 20:19:55 That's what I get for sleep deprivation
2024-04-02 20:20:41 just don't send me your 1040, i don't want it
2024-04-02 20:20:45 unless you're sending cash payment with it
2024-04-02 20:25:53 I'll send some bitcoin, it's fake money anyway
2024-04-02 21:21:42 :-)