It’s approaching two years since OpenAI launched ChatGPT, thought leaders declared the fifth industrial revolution had begun and industry declared a trillion dollar market had been birthed.
Now my thread on all the ways it has changed the world and value delivered 🧵 1/1
I wouldn't dare use an “#AI” to write a shell script. As the #xz hack demonstrated, it is extremely hard to identify malware in shell scripts because of their tricky syntax.
Please treat as work-in-progress, and there are multiple lines of analysis that we are still following up on. A future submission of an extended version to a peer-reviewed venue is quite possible.
"Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it."
Forget the xz/liblzma backdoor in Linux distros, there's a confirmed backdoor in D-Link Network Attached Storage (NAS) products. Username is messagebus with an empty password. Tracked as CVE-2024-3273 (7.3 high, disclosed 26 March 2024), D-Link refuses to patch it because "All D-Link Network Attached storage has been End of Life and of Service Life for many years [and] the resources associated with these products have ceased their development and are no longer supported" 🔗 https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/
Lasse Collin has posted an update on his plans for #xz and clearing up what happened: https://tukaani.org/xz-backdoor/ I hope he’s met with all the support and patience he needs.
This is a fascinating glimpse into the beginning of the #xz exploit, i.e. the social engineering.
Some users (accomplices of the attacker?) used the dev mailing list to badger and harass the maintainer of the project who was on the verge of burnout, to pressure him to grant co-maintainer status to the attacker.
Whether this was part of the attack or not, it’s a sad glimpse into the toxic pattern often found in open-source software, where users demand maintainers’ free labor, instead of helping them strike a healthy work-life balance.
A week or so later, one good thing about the #xz #backdoor is how it all pretty much played out on Mastodon and in the #fediverse. The discussion wasn't on #x or #twitter, not #facebook or #stackedoverflow or whatever. Analysis and investigation and discussion happened here on #mastodon. Even #wired magazine gave credit.
We all know about the xz backdoor. Big news, very scary, got really lucky, etc.
Legitimate question: is what Jia Tan did illegal?
Ignoring that “Jia Tan” is probably a team and will never likely be caught, etc, is it illegal to deliberately plant a backdoor into software? Jia Tan was an authorized maintainer of the repo. All of their changes were made in the open (except that one .m4 file, but post-build tarball modification isn’t uncommon in open source).
No question, actually exploiting the backdoor would violate any number of laws, but the more I think about it, the more I think embedding the backdoor, while shady as hell and certainly unethical, may have been perfectly legal, even by US CFAA standards.
If you don’t think it’s legal, what law did they violate? Is it illegal to add unwanted features to code you legitimately maintain? What about undocumented features? What about bugs? Where is the line?
I see people talking about the FBI going after him, etc, but I’m not even sure what they’d charge him with.
I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale.
Hoo boy. I'm not naming names because I don't want to fan the flames, but the knives are out:
Events around #xz have rightly emboldened volunteer-driven open source projects to take their hyper-wealthy downstream users to task.
Wild to think that many large companies have hollowed out their open source program offices (OSPOs), the internal teams who have been working on addressing these resource issues.
Strange to watch all the posting about #xz, full of complaints and congratulations and self-congratulations. But I have yet to see anybody ask: if this one was caught, how many have already succeeded? And what to do about that possibility? 🤷
I think this #xz thing is gonna go down as the day #FLOSS officially lost its innocence.
You know what I hope comes out of this moment of sincere sadness for those who care about this stuff?
A sense that we will no longer be abused by Megacorps who build on the backs of our work but can't be arsed to help fund that work despite the fact that literally THE CONTINUED EXISTENCE OF THEIR BUSINESS depends on it.
Do you think #google, #amazon or #facebook could exist in their current form without oodles of super high quality free software to run their server swarms on?
Because they can't. For those of us old enough to remember, just imagine "the cloud" if every virtual server required a Solaris or SCO license.
If you've given all you can give, walk away. Open source is wonderful and amazing but you are human and your health and well being is more important. I don't care what falls down as a result.
Three years ago, #FDroid had a similar kind of attempt as the #xz #backdoor. A new contributor submitted a merge request to improve the search, which was oft requested but the maintainers hadn't found time to work on. There was also pressure from other random accounts to merge it. In the end, it became clear that it added a #SQLinjection #vuln. In this case, we managed to catch it before it was merged. Since similar tactics were used, I think it's relevant now
I think most people in my extended circle have already seen it, but posting about it given there's likely to be a lot more questions as we go into the working week.
Thank you to everyone who has contributed tips, suggestions, and edits. Thanks especially to @cadey who has helped a lot with editing.
The things I don't like about the discussion on whether this is a state actor behind the #xz backdoor are:
It doesn't change the response for pretty much anyone except a narrow group of professionals. Ultimately I don't know that it matters for most of us if this was a state attacker or some kid who wants a way to get op privileges.
It distracts from next steps.
Would they think that if the actor were named John? Will this increase suspicion of anyone with a "foreign" sounding name?
1/2 Looking at one of the #xz writeups, this struck my eye: “The release tarballs upstream publishes don't have the same code that GitHub has. This is common in C projects so that downstream consumers don't need to remember how to run autotools and autoconf.” Ah, GNU AutoHell, I remember it well. Tl;dr: With AutoHell, even if you're building for a 19-bit Multics variant from 1988, it’s got your back. Except for it’s just too hard to understand and use, thus the above.
For two days now I've been fascinated by what is happening in the computer security world around the XZ backdoor. I'm going to try to explain it to you; it's going to be technical, but it's important.
For the Internet, it's the equivalent of a big asteroid passing 5000 km from Earth. No impact, no direct damage, but we could all have been wiped out and nobody saw it coming.
I'm going to try to simplify as much as possible, while giving links to the primary sources, which are often very technical and in English.
You know you could just... give... the money... to projects that need it. Like software libraries that ARE IN EVERYTHING.
No grants. Don't make tech nerds write grants.
Don't make the tech nerds hire grant nerds to write grants.
FFS don't fund research into this problem with a budget of double what it would take to SOLVE THE PROBLEM for a significant number of open source projects with code that is, again, IN EVERYTHING.
🤯 The level of sophistication of the XZ attack is very impressive! I tried to make sense of the analysis in a single page (which was quite complicated)!
I hope it helps to make sense of the information out there. Please treat the information "as is" while the analysis progresses! 🧐 #infosec #xz
That’s not my name! Practical problems in real name policies.
Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names".