Tedium - xz, tarred 🗜️

The biggest Linux security issue since Heartbleed?

Hunting for the end of the long tail • April 01, 2024

xz, tarred

One of the most common programs in computing history gets nailed by a supply-chain attack—almost exactly a decade after Heartbleed highlighted similar structural weaknesses in the FOSS ecosystem.

As someone who has been messing with OpenSUSE Tumbleweed on top of my normal installation of Nobara Linux, I knew this was serious when I did an update yesterday, and it forced me to re-download nearly 3,000 packages in a single sitting.

(Tedium doesn’t do April Fool’s jokes. This actually happened.)

A rolling-release variant of Linux, Tumbleweed is a good distro, one that takes security very seriously while putting you up against the edge of what’s possible (and not feeling a little rough around the edges, like Arch can sometimes feel). But like many other distros, its makers found themselves freaking out over the weekend after it was realized that someone had dropped a backdoor into the latest version of xz Utils, an extremely common compression program. The backdoor added a payload into the SSH protocol that could have been broadly exploited. (For those with technical knowledge who want to see how it works, check it out here.)

For Windows or Mac users, this would be the equivalent of someone hacking how the ZIP format works. Many major software programs for the Linux ecosystem are distributed as xz-compressed tarball files. While xz is also used on other operating systems such as Windows, macOS, and FreeBSD, it is deeply integrated into the way Linux works. If broadly spread, this would have caused chaos and essentially left a backdoor in nearly all Linux clients, and by extension would have affected all the software that relies on Linux, from cloud apps to software-as-a-service platforms. By sheer chance it was uncovered by someone knowledgeable who noticed the SSH process running a little funny.
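One practical first check a system administrator could run, added here as an example and not something from the Tedium piece: the backdoor reached the SSH daemon because the xz library, liblzma, gets loaded into the sshd process on some distributions (directly or by way of another library), so finding out whether your sshd maps liblzma at load time is a useful triage question. The script assumes a Linux host with sshd under a standard path and the ldd tool available; the function names and the sample ldd output are this example's own construction, and the affected xz version range is deliberately left for you to take from your distribution's advisory rather than hard-coded.

```shell
#!/bin/sh
# Added example (not from the Tedium article): does this host's sshd pull in
# liblzma, the library shipped by xz Utils, at load time? The xz backdoor only
# reached sshd where liblzma was loaded into the sshd process, so "sshd does not
# map liblzma" is a useful first triage answer. Function names and the sample
# ldd output below are constructed for this example.

# Given ldd-style "name => path" lines on stdin, succeed if any line names liblzma.
# Kept separate from the host lookup so the matching logic can be tested offline.
deps_mention_liblzma() {
  grep -q 'liblzma'
}

# Locate the sshd binary; fail (status 1) if none is installed.
find_sshd() {
  for p in /usr/sbin/sshd /usr/bin/sshd /sbin/sshd; do
    if [ -x "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  command -v sshd 2>/dev/null || return 1
}

# Succeed if the given binary's dynamic dependencies include liblzma.
# Falls back to scanning the file for the soname when ldd is not available.
links_liblzma() {
  if command -v ldd >/dev/null 2>&1; then
    ldd "$1" 2>/dev/null | deps_mention_liblzma
  else
    grep -aq 'liblzma\.so' "$1"
  fi
}

# First line of `xz --version`, or "unknown" if xz is not installed. Compare it
# against the version range named in your distribution's advisory (placeholder:
# the affected versions are intentionally not hard-coded here).
xz_version() {
  if command -v xz >/dev/null 2>&1; then
    xz --version 2>/dev/null | head -n 1
  else
    echo unknown
  fi
}

# Human-readable triage report for the current host.
report() {
  echo "xz version:  $(xz_version)"
  sshd_path=$(find_sshd) || sshd_path=""
  if [ -z "$sshd_path" ]; then
    echo "sshd:        not installed (this chain does not apply)"
    return 0
  fi
  if links_liblzma "$sshd_path"; then
    echo "sshd:        $sshd_path maps liblzma -> compare the xz version with the advisory"
  else
    echo "sshd:        $sshd_path does not map liblzma at load time"
  fi
}

# Constructed sample ldd output showing the dependency shape the check looks for:
# sshd -> libsystemd -> liblzma.
SAMPLE_LDD='libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000000000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000100000)'

report
```

Run it as an ordinary user; it only reads binaries, so no root is needed. A "does not map liblzma" result narrows exposure to this specific chain but is not a clean bill of health on its own: the decisive step is still updating xz to the version your distribution's advisory names, which is exactly what the mass package refresh described above was doing.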


This is probably the biggest Linux-centric security problem we’ve seen since at least Heartbleed, a bug affecting OpenSSL which hit almost exactly a decade ago and was such a big deal that it got its own name and branding. As supply chain attacks go, it’s one of the most consequential, because it would have nailed basically every computer running a recent version of Linux—servers, desktops, and everything in-between.

And surprisingly, the system worked. The payload only lasted for a few days before it was caught and removed, and was only placed there because a malicious user named Jia Tan played an extra-long game to get it in, spending more than two years contributing to xz and seemingly using a sock puppet to convince the maintainer to bring on additional help. That sock puppet, using the name “Jigar Kumar,” leveraged a public admission of mental health issues on the part of developer Lasse Collin to push him to bring in the additional assistance.

“It's also good to keep in mind that this is an unpaid hobby project,” Collin tried to emphasize in a thread that has been heavily scrutinized in retrospect.

Kumar wasn’t having it.

“The only progress since April has been small changes to test code,” the user replied in an unsympathetic tone. “You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo.”

[Photo: Alan Levine/Flickr]

Knowing what we know now, it is clear that Collin was being played, with his personal challenges and honesty being held against him—and that allowed an apparent state actor to burrow into the Linux project. It was only an extremely prominent Linux user—ironically, an employee of Microsoft—that caught it.

The scary part is that, in the decade since Heartbleed, it feels on the surface like we have not learned very much. We’re still stuck with under-funded, under-supported projects that undergird the whole apparatus, with software like OpenSSL and xz not being front of mind despite the fact that they play incredibly important roles. The social engineering aspect of what happened to xz, which allowed a bad actor to hold a role in the project for years, points to a lack of vetting in open source. Which, to be fair, strikes at the delicate balance FOSS has to maintain. You want the projects to be open enough that anyone can take part, but because this technology is used by so many people, it has to be managed correctly.

Large companies can help, but they can only do so much. Each of those 3,000ish packages has a group of maintainers behind them, many working on the software during their free time, basing their work on donations in sometimes underappreciated circumstances. (On the plus side, the situation that affected xz has people talking about solutions.)

If the right infiltrator taps the right card, the whole thing crumbles.

Uncompressed Links

The Verge dives into the mess around Vice.

A reminder that, try as every single marketer might on April Fool’s Day, the best bait-and-switch was actually the series finale of Newhart.

Gmail turns 20 today. Over at Inc., a look at how one user complaint shaped what has become a bedrock service of the internet.


Copyright © 2015-2024 Tedium, all rights reserved.

Disclosure: From time to time, we may use affiliate links in our content—but only when it makes sense. Promise.

