XZ Backdoor: Not the End of Open Source

2024-04-04

When I stumbled across a post that an encryption library offers a potential backdoor to SSH connectivity on Good Friday, my first thought was: why is it always on a Friday that these things drop? And then my second one: oh bugger, here goes my weekend. Now, I won’t go into the technical details; there are many, many, many, many better resources out there, but I can’t help thinking that this would/should force the software industry to think.

A scenario akin to the Baltimore bridge disaster was averted by the heroics of Andres Freund, a Microsoft engineer who was surprised to see SSH performance degrade and decided to investigate. We all owe this man a beer; otherwise this could have been so, so much worse:

If this hadn’t been caught, quite a few Linux distributions would potentially have shipped with a backdoor. And because keeping systems patched is standard practice, the backdoored library would have reached quite a few installations across the globe, giving the attacker almost unprecedented access.

Thankfully, indications are that even though I had the backdoored lib on my machine, it wouldn’t have been exploited. People using Homebrew and Kali (oh the irony) were exposed to the vulnerable lib too; as this is a Remote Code Execution that needs to be combined with several triggers, I’m banking on it not having rooted me.

