Practical defences to an xz type attack - by Rakkhi Joy

Submitted by Style Pass, 2024-04-13 09:00:04

If you are in the infosec / cyber security community or even in technology, you have probably heard of the near miss with the xz supply chain attack.

If not, the brief summary is as follows: a likely nation-state actor, likely Russian, mounted a campaign lasting over 2 years to build a set of personas that ultimately gained maintainer access to a widely used open source Linux compression suite (xz), and used that access to backdoor SSH.

The backdoor would ultimately have given full remote code execution, with authentication under the attacker's control (CVSS 10), to whoever held a particular private key. There is a high likelihood it would have made it into basically every Linux and Unix install worldwide.

They would've got away with it too if it wasn't for those darn kids… or rather, a nerd who benchmarks his SSH login performance and clearly doesn't have enough paid work from Microsoft :)

Even though this specific attack didn't work, they likely have multiple such campaigns running now, have run them in the past, and will definitely run them in the future. When the Five Eyes do it, or have done it in the past, it may be done even better and remain undetected to this day.
