Rich Freeman via plug on 2 Apr 2024 11:50:19 -0700
Re: [PLUG] XZ scanner
On Tue, Apr 2, 2024 at 2:20 PM jeff via plug <plug@lists.phillylinux.org> wrote:
>
> New XZ backdoor scanner detects implant in any Linux binary
>

Seems useful, but the bigger problem is probably that so many core libraries have minimal contributors, and there is a lot of value in exploiting them.

Governments spend $100M on a single aircraft. For $1M/yr you could hire a small team of developers working full time that would out-contribute all the volunteers on 99% of the FOSS projects out there, and thus gain a voice in the project's governance as was done here.

Obviously something high-profile like a web browser has many more eyeballs, but if you're willing to play the long game you could work your way into their supply chain at main points and slowly work in all the exploits you wanted. Even on something like the kernel or a browser I bet you could slowly work your contributors in such that they become the majority of eyeballs in a single subsystem and become trusted to get code far enough along the QA process that it doesn't get as much close attention.

Something the NSA leaks taught us a decade ago is that governments are willing to bring to bear a well-supported team with a variety of backgrounds. You might have a core team of coders, and then a team of communications specialists who maintain aliases with many online personas seemingly in different countries who can even speak the local language. These aren't one-person operations - what looks like a single person online might be 1% of each of 20 people's time. One coder can be an expert on some zero-day, and another can be the expert on the innards of the emacs LISP interpreter, and the two can work together to sneak something into your favorite OS, just as ESR once did to sneak a text editor in...
--
Rich

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
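As an added illustration of the "minimal contributors" point in the post above (example code, not part of Rich's message and not any project's own tooling): a small check over `git log` output that measures how concentrated recent authorship is and how much of it comes from newcomers, the kind of dependency-review signal a maintainer or downstream packager can look at. The sample history, author names, e-mail addresses and hashes are constructed for the example, and the 0.6 / 0.5 thresholds are arbitrary illustrative values, not a standard.

```python
"""Contributor-concentration check over git history.

Reads lines produced by:
    git log --format='%H%x09%an%x09%ae%x09%aI'
(hash, author name, author e-mail, ISO-8601 author date, tab-separated)
and reports how much of the recent work comes from one author and from
authors who only appeared recently.  The sample log below is constructed
for illustration; the names, addresses and hashes are made up.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample history (hypothetical authors and hashes).
SAMPLE_LOG = """\
a1\tLongtime Maintainer\tlm@example.org\t2022-03-01T10:00:00+00:00
a2\tLongtime Maintainer\tlm@example.org\t2022-09-14T10:00:00+00:00
a3\tLongtime Maintainer\tlm@example.org\t2023-02-20T10:00:00+00:00
a4\tNew Contributor\tnc@example.net\t2023-06-01T10:00:00+00:00
a5\tNew Contributor\tnc@example.net\t2023-08-11T10:00:00+00:00
a6\tNew Contributor\tnc@example.net\t2023-10-05T10:00:00+00:00
a7\tNew Contributor\tnc@example.net\t2023-12-19T10:00:00+00:00
a8\tLongtime Maintainer\tlm@example.org\t2024-01-10T10:00:00+00:00
a9\tNew Contributor\tnc@example.net\t2024-02-02T10:00:00+00:00
a10\tNew Contributor\tnc@example.net\t2024-03-15T10:00:00+00:00
"""

# Fixed "now" so the sample report is reproducible (date of the post).
SAMPLE_NOW = datetime(2024, 4, 2, tzinfo=timezone.utc)


def parse_log(text):
    """Turn the tab-separated log into (hash, email, datetime) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, _name, email, date = line.split("\t")
        commits.append((sha, email, datetime.fromisoformat(date)))
    return commits


def concentration_report(commits, now, window_days=365, newcomer_days=365):
    """Summarise authorship of commits made within the last `window_days`.

    Returns a dict with:
      total           commits inside the window
      authors         {email: commits inside the window}
      top_share       fraction of window commits by the busiest author
      newcomer_share  fraction of window commits by authors whose FIRST
                      commit anywhere in the history is younger than
                      `newcomer_days` (i.e. they did not exist before)
    """
    first_seen = {}
    for _sha, email, when in commits:
        if email not in first_seen or when < first_seen[email]:
            first_seen[email] = when

    window_start = now - timedelta(days=window_days)
    newcomer_cutoff = now - timedelta(days=newcomer_days)

    in_window = Counter(email for _sha, email, when in commits
                        if when >= window_start)
    total = sum(in_window.values())
    if total == 0:
        return {"total": 0, "authors": {}, "top_share": 0.0,
                "newcomer_share": 0.0}

    newcomer_commits = sum(n for email, n in in_window.items()
                           if first_seen[email] >= newcomer_cutoff)
    return {
        "total": total,
        "authors": dict(in_window),
        "top_share": max(in_window.values()) / total,
        "newcomer_share": newcomer_commits / total,
    }


def risk_flags(report, top_threshold=0.6, newcomer_threshold=0.5):
    """Return a list of human-readable flags; thresholds are illustrative."""
    out = []
    if report["top_share"] >= top_threshold:
        out.append("single author wrote %.0f%% of recent commits"
                   % (100 * report["top_share"]))
    if report["newcomer_share"] >= newcomer_threshold:
        out.append("newcomers wrote %.0f%% of recent commits"
                   % (100 * report["newcomer_share"]))
    return out


def demo():
    """Run the check on the constructed sample and return (report, flags)."""
    report = concentration_report(parse_log(SAMPLE_LOG), SAMPLE_NOW)
    return report, risk_flags(report)


if __name__ == "__main__":
    rep, fl = demo()
    print("commits in window:", rep["total"], rep["authors"])
    for f in fl:
        print("FLAG:", f)
```

On a real repository, pipe the `git log` command from the docstring into `parse_log` instead of `SAMPLE_LOG`. The newcomer share is the more interesting number: a high top-author share is normal for a one-maintainer project, but a project whose recent history is mostly written by someone who did not exist in it a year ago is exactly the pattern the post describes, and worth a second look before trusting a release.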