Please treat this as a work in progress; there are multiple lines of analysis that we are still following up on. A future submission of an extended version to a peer-reviewed venue is quite possible.
"Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it."
Forget the xz/liblzma backdoor in Linux distros, there's a confirmed backdoor in D-Link Network Attached Storage (NAS) products. Username is messagebus with an empty password. Tracked as CVE-2024-3273 (7.3 high, disclosed 26 March 2024), D-Link refuses to patch it because "All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported" 🔗 https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/
This is a fascinating glimpse into the beginning of the #xz exploit, i.e. the social engineering.
Some users (accomplices of the attacker?) used the dev mailing list to badger and harass the maintainer of the project who was on the verge of burnout, to pressure him to grant co-maintainer status to the attacker.
Whether this was part of the attack or not, it’s a sad glimpse into the toxic pattern often found in open-source software, where users demand maintainers’ free labor, instead of helping them strike a healthy work-life balance.
A week or so later, one good thing about the #xz #backdoor is how it all pretty much played out on Mastodon and in the #fediverse. The discussion wasn't on #x or #twitter, not #facebook or #stackedoverflow or whatever. Analysis and investigation and discussion happened here on #mastodon. Even #wired magazine gave credit.
We all know about the xz backdoor. Big news, very scary, got really lucky, etc.
Legitimate question: is what Jia Tan did illegal?
Ignoring that “Jia Tan” is probably a team and will likely never be caught, etc., is it illegal to deliberately plant a backdoor into software? Jia Tan was an authorized maintainer of the repo. All of their changes were made in the open (except that one .m4 file, but post-build tarball modification isn’t uncommon in open source).
No question, actually exploiting the backdoor would violate any number of laws, but the more I think about it, the more I think embedding the backdoor, while shady as hell and certainly unethical, may have been perfectly legal, even by US CFAA standards.
If you don’t think it’s legal, what law did they violate? Is it illegal to add unwanted features to code you legitimately maintain? What about undocumented features? What about bugs? Where is the line?
I see people talking about the FBI going after him, etc, but I’m not even sure what they’d charge him with.
I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale.
Hoo boy. I'm not naming names because I don't want to fan the flames, but the knives are out:
Events around #xz have rightly emboldened volunteer-driven open source projects to take their hyper-wealthy downstream users to task.
Wild to think that many large companies have hollowed out their open source program offices (OSPOs), the internal teams who have been working on addressing these resource issues.
Strange to watch all the posting about #xz, full of complaints and congratulations and self-congratulations. But I have yet to see anybody ask: if this one was caught, how many have already succeeded? And what to do about that possibility? 🤷
I think this #xz thing is gonna go down as the day #FLOSS officially lost its innocence.
You know what I hope comes out of this moment of sincere sadness for those who care about this stuff?
A sense that we will no longer be abused by Megacorps who build on the backs of our work but can't be arsed to help fund that work despite the fact that literally THE CONTINUED EXISTENCE OF THEIR BUSINESS depends on it.
Do you think #google, #amazon or #facebook could exist in their current form without oodles of super high quality free software to run their server swarms on?
Because they can't. For those of us old enough to remember, just imagine "the cloud" if every virtual server required a Solaris or SCO license.
If you've given all you can give, walk away. Open source is wonderful and amazing but you are human and your health and well being is more important. I don't care what falls down as a result.
The things I don't like about the discussion on whether this is a state actor behind the #xz backdoor are:
It doesn't change the response for pretty much anyone except a narrow group of professionals. Ultimately I don't know that it matters for most of us if this was a state attacker or some kid who wants a way to get op privileges.
It distracts from next steps.
Would they think that if the actor were named John? Will this increase suspicion of anyone with a "foreign" sounding name?
@irenes @hrefna truth. Basically nobody except for a national govt can actually benefit from attributing to an entity beyond a collection of behaviors and tooling.
Whether it was even a state actor or a new development in commodity access brokerage, it doesn’t make a difference for anyone trying to deal with protecting against similar attacks.
Edit: For reference, I work in ICS/OT cybersecurity where being targeted by state actors is a definite reasonable concern. I still don’t benefit from knowing what nationality a group hails from.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now.
I think most people in my extended circle have already seen it, but I'm posting about it given that there are likely to be a lot more questions as we go into the working week.
Thank you to everyone who has contributed tips, suggestions, and edits. Thanks especially to @cadey who has helped a lot with editing.