If this was done by multiple people, I'm sure the person that designed this delivery mechanism is really annoyed with the person that made the sloppy payload, since that made it all get detected right away.
I have been reading about this since the news broke and still can't fully wrap my head around how it works. What an impressive level of sophistication.
I think going forward we need to look at packages with a single or few maintainers as target candidates. Especially if they are as widespread as this one was.
In addition, I think security needs to be a higher priority too: no more patching fuzzers to allow that one program to compile. Fix the program.
A small blurb from The Guardian on why Andres Freund went looking in the first place.
So how was it spotted? A single Microsoft developer was annoyed that a system was running slowly. That’s it. The developer, Andres Freund, was trying to uncover why a system running a beta version of Debian, a Linux distribution, was lagging when making encrypted connections. That lag was all of half a second, for logins. That’s it: before, it took Freund 0.3s to login, and after, it took 0.8s. That annoyance was enough to cause him to break out the metaphorical spanner and pull his system apart to find the cause of the problem.
The scary thing about this is thinking about potential undetected backdoors similar to this existing in the wild. Hopefully the lessons learned from the xz backdoor will help us to prevent similar backdoors in the future.
I have heard multiple times from different sources that building from git source instead of using tarballs invalidates this exploit, but I do not understand how. Is anyone able to explain that?
If malicious code is in the source, and therefore in the tarball, what's the difference?