Tedium - xz, tarred 🗜️

The biggest Linux security issue since Heartbleed?

Hunting for the end of the long tail • April 01, 2024

xz, tarred

One of the most common programs in computing history gets nailed by a supply-chain attack—almost exactly a decade after Heartbleed highlighted similar structural weaknesses in the FOSS ecosystem.

As someone who has been messing with OpenSUSE Tumbleweed on top of his normal installation of Nobara Linux, I knew this was serious when I did an update yesterday, and it forced me to re-download nearly 3,000 packages in a single sitting.

(Tedium doesn’t do April Fool’s jokes. This actually happened.)

A rolling-release variant of Linux, Tumbleweed is a good distro, one that takes security very seriously while putting you up against the edge of what’s possible (and not feeling a little rough around the edges, like Arch can sometimes feel). But like many other distros, its makers found themselves freaking out over the weekend after it was realized that someone had dropped a backdoor into the latest version of xz Utils, an extremely common compression program. The backdoor added a payload into the SSH protocol that could have been broadly exploited. (For those with technical knowledge who want to see how it works, check it out here.)

For Windows or Mac users, this would be the equivalent of someone hacking how the ZIP format works. Many major software programs for the Linux ecosystem are distributed as xz-compressed tarball files. While also used on other operating systems such as Windows, MacOS, and FreeBSD, it is deeply integrated in the way Linux works. If broadly spread, this would cause chaos and essentially leave a backdoor in nearly all Linux clients, and by extension would have affected all the software that relies on Linux, from cloud apps to software-as-a-service platforms. By sheer chance it was uncovered by someone knowledgeable who noticed the SSH process running a little funny.

Is your iPhone packed to the gills with old photos? The new CleanMyPhone might be your solution. This tool, by the makers of CleanMyMac, helps make it easy to separate an outtake from a keeper—and save a bunch of space in the process. Click here for a free trial, iPhone fans.

This is probably the biggest Linux-centric security problem we’ve seen since at least Heartbleed, a bug affecting OpenSSL which hit almost exactly a decade ago and was such a big deal that it got its own name and branding. As supply chain attacks go, it’s one of the most consequential, because it would have nailed basically every computer running a recent version of Linux—servers, desktops, and everything in-between.

And surprisingly, the system worked. The payload only lasted for a few days before it was caught and removed, and was only placed there because a malicious user named Jia Tan played an extra-long game to get it in, spending more than two years contributing to xz and seemingly using a sock puppet to convince the maintainer to bring on an additional help. That sock puppet, using the name “Jigar Kumar,” leveraged a public admission of mental health issues on the part of developer Lasse Collin to push him to bring in the additional assistance.

“It's also good to keep in mind that this is an unpaid hobby project,” Collin tried to emphasize in a thread that has been heavily scrutinized in retrospect.

Kumar wasn’t having it.

“The only progress since april has been small changes to test code,” the user replied in an unsympathetic tone. “You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo.”

(Alan Levine/Flickr)

Knowing what we know now, it is clear that Collin was being played, with his personal challenges and honesty being held against him—and that allowed an apparent state actor to burrow into the Linux project. It was only an extremely prominent Linux user—ironically, an employee of Microsoft—that caught it.

The scary part is, in the decade since Heartbleed, it perhaps feels like, on the surface, we have not learned very much. We’re still stuck with under-funded, under-supported projects that undergird the whole apparatus, with software like OpenSSL and xz not being front of mind despite the fact that they play incredibly important roles. The social engineering aspect of what happened to xz, which allowed a bad actor to maintain a role in the project for years, points to a lack of vetting in open source. Which, to be fair, strikes at the delicate balance FOSS plays. You want the projects to be open enough that anyone can take part, but because this technology is used by so many people, it has to be managed correctly.

Large companies can help, but they can only do so much. Each of those 3,000ish packages has a group of maintainers behind them, many working on the software during their free time, basing their work on donations in sometimes underappreciated circumstances. (On the plus side, the situation that affected xz has people talking about solutions.)

If the right infiltrator taps the right card, the whole thing crumbles.

Uncompressed Links

The Verge dives into the mess around Vice.

A reminder that, try as every single marketer might on April Fool’s Day, the best bait-and-switch was actually the series finale of Newhart.

Gmail turns 20 today. Over at Inc., a look at how one user complaint shaped what has become a bedrock service of the internet.


Find this one an interesting read? Share it with a pal!

And if you need to clean out your old pics, give CleanMyPhone a spin.

Share this post:

follow on Twitter | privacy policy | advertise with us

Copyright © 2015-2024 Tedium, all rights reserved.

Disclosure: From time to time, we may use affiliate links in our content—but only when it makes sense. Promise.

unsubscribe from this list | view email in browser | sent with Email Octopus

Older messages

Recapturing Real Time 📰

Saturday, March 30, 2024

Can we find our way back to useful real-time journalism? Here's a version for your browser. Hunting for the end of the long tail • March 30, 2024 Today in Tedium: This week, the tragic, seemingly

The Value Of A Promise 🤞

Friday, March 29, 2024

How much is a promise from a tech company really worth, anyway? Here's a version for your browser. Hunting for the end of the long tail • March 28, 2024 The Value Of A Promise When you hear a

A Creative Market Reset 🎨

Thursday, March 28, 2024

Adobe needed some real competition. Now it has some. Here's a version for your browser. Hunting for the end of the long tail • March 27, 2024 A Creative Market Reset Canva's purchase of

Songs About Superman 🦸

Saturday, March 23, 2024

Why are there so many alt-rock songs about Superman? Here's a version for your browser. Hunting for the end of the long tail • March 23, 2024 Today in Tedium: One could argue that in the modern era

The House Always Wins 🎲

Friday, March 22, 2024

The individual is losing out amid media's corporate greed era. Here's a version for your browser. Hunting for the end of the long tail • March 21, 2024 The House Always Wins The drama around G/

You Might Also Like

💻 MacOS Features That Confuse Windows Users — Creating Anime with MidJourney AI

Sunday, April 14, 2024

Also: How to Search Your Amazon Order History, and More! How-To Geek Logo April 14, 2024 📩 Get expert reviews, the hottest deals, how-to's, breaking news, and more delivered directly to your inbox

Daily Coding Problem: Problem #1412 [Medium]

Sunday, April 14, 2024

Daily Coding Problem Good morning! Here's your coding interview problem for today. This problem was asked by Jane Street. Generate a finite, but an arbitrarily large binary tree quickly in O(1).

Android Weekly #618 🤖

Sunday, April 14, 2024

View in web browser 618 April 14th, 2024 Articles & Tutorials Sponsored Mobile releases are broken. How do we fix them? They're messy. Chaotic. Time-devouring. Without the sort of infra support

Cruise robotaxis return and Ford's BlueCruise comes under scrutiny

Sunday, April 14, 2024

Cruise announces a return of sorts View this email online in your browser By Kirsten Korosec Sunday, April 14, 2024 Welcome back to TechCrunch Mobility — your central hub for news and insights on the

Sunday Digest | Featuring 'America’s Top Companies by Revenue (1994 vs. 2023)' 📊

Sunday, April 14, 2024

Every visualization published this week, in one place. Visual Capitalist Sunday Digest logo Apr 14, 2024 | View Online | Subscribe | VC+ The Best of This Week's Visuals Presented by Voronoi: The

PD#569 The guide to git I never had

Sunday, April 14, 2024

Does Git ever make you feel like Peter Griffin? ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Noonification: Analyzing the Pros, Cons, and Risks of LLMs

Sunday, April 14, 2024

Top Tech Content sent at Noon! Get Algolia: AI Search that understands How are you, @newsletterest1? 🪐 What's happening in tech this week: The Noonification by HackerNoon has got you covered with

C#501 Useful features in Entity Framework Core 8 for your application

Sunday, April 14, 2024

Let me introduce some of the features that I consider to be generally useful ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

RD#451 State machines in React

Sunday, April 14, 2024

The power of state machines for building intuitive wizard interfaces ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌

Humane’s AI Pin underwhelms at launch

Sunday, April 14, 2024

Humane wants to free users from their phones View this email online in your browser By Anthony Ha Sunday, April 14, 2024 Helloooo, TechCrunch Weekend readers! I'll be taking over this newsletter