Posts about the xz attack
Not_Oles
Hosting Provider, Content Writer
Timeline: https://research.swtch.com/xz-timeline
Attack shell script: https://research.swtch.com/xz-script
I hope everyone gets the servers they want!
Comments
https://github.com/amlweems/xzbot is good (also referenced via "Further Reading" section in Timeline URL above).
Took a quick look! Wow! Seems very good! Now I am going to have to look at all the links in the "Further Reading" section.
Wow, it may not be enough for a movie script, but it sure is an interesting read!
If the Internet had better enforcement of the "don't be a dick" rule, the maintainer might not have been pressured into sharing maintainership after abusive language from 'the community'.
On the other hand, given a goal and a long enough timeline, and without getting abusive, any organization (or private person) could create a persona to implement this kind of attack (as, I guess, has crossed many of our minds even before this came to light).
Thanks for sharing!
LTS FTW!
Back when I first started (20+ years ago?) I never understood why people did not use the latest packages and stuck to older ones. I guess there are pitfalls like the above, other than the usual reason of older packages being more stable.
@Not_Oles not sure where you found the research and, to be honest, most of it went over my head. But one thing is clear: this is an attempt by someone (or a group) who knows what they are doing and how to avoid being found out.
Websites have ads, I have ad-blocker.
Does this really need new topic, what is wrong with the one we already have?
https://lowendspirit.com/discussion/7588/backdoor-in-upstream-xz-liblzma-leading-to-ssh-server-compromise-openwall-com-via-hacker-news#latest
Haven't bought a single service in VirMach Great Ryzen 2022 - 2023 Flash Sale.
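Since the linked thread is about the backdoor in upstream xz/liblzma reaching sshd, here is a first-pass host check as an added example. It is not code from this thread, from the timeline write-up, or from xzbot. It assumes the backdoored upstream releases are xz 5.6.0 and 5.6.1, that `xz --version` prints `xz (XZ Utils) X.Y.Z` on its first line, and that sshd, if installed, is reachable via PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or any linked project): first-pass check
# for the backdoored xz/liblzma releases on a host.
# Assumptions: affected upstream versions are 5.6.0 and 5.6.1; `xz --version`
# prints "xz (XZ Utils) X.Y.Z" as its first line; sshd is on PATH if installed.

# Succeed (exit 0) when VERSION is one of the two backdoored releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print only the X.Y.Z from line 1.
# Prints nothing if the first line does not look like xz's banner.
parse_xz_version() {
    sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when the sshd binary on PATH links liblzma (directly, or indirectly
# through libsystemd, which is the path the backdoor used to reach sshd).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd) || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# Live check of this host: prints one verdict line, returns 0 if affected,
# 1 if the installed xz is not a backdoored release, 2 if xz is missing.
check_host() {
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    if [ -z "$ver" ]; then
        echo "xz not found, or version output not recognised"
        return 2
    fi
    if xz_version_affected "$ver"; then
        if sshd_links_liblzma; then
            echo "AFFECTED: xz $ver installed and sshd links liblzma"
        else
            echo "AFFECTED: xz $ver installed (sshd does not link liblzma here)"
        fi
        return 0
    fi
    echo "OK: xz $ver is not one of the backdoored releases"
    return 1
}

# Only run the live check when invoked as `sh check-xz.sh --check`, so the
# functions can be sourced or tested without touching the host.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A version-string match is only a triage step: distributions that shipped 5.6.x rolled back or rebuilt, so confirm against your distro's advisory and package changelog rather than the banner alone, and treat a hit on a host whose sshd links liblzma as a reason to rebuild from known-good media, not just to downgrade the package.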
https://lowendspirit.com/uploads/editor/gi/ippw0lcmqowk.png
HN
Me too.
Yes, and even more:
From: https://joeyh.name/blog/entry/reflections_on_distrusting_xz/
See also: https://news.ycombinator.com/item?id=39914981
Also the way he "fixed" (breaks) the landlock package... Damn...
So, what are your guesses on who this is?
It's all me, baby
Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?
So the butler Yeti did it...
Always