Chad Waters via plug on 3 Apr 2024 09:03:18 -0700



Re: [PLUG] XZ scanner


> I think you misunderstood my post. The $1M/yr gang of professionals is
> there to make Linux LESS secure, by sneaking lots of pseudonyms into
> the project by doing helpful things at first, and then once enough are
> trusted you can start having them sneak in exploits.
> 
> I see 94 subsystems in the Linux docs whose maintainer status is "odd
> fix" - i.e., they don't have time for anything serious but they can look
> at the occasional patch. Any/many of those could be replaced by a
> nefarious actor most likely if they started doing serious work. You
> could probably work your way into bigger subsystems with a bit more
> effort. That might not even be needed if you can just get a foothold
> in enough minor ones.

This. The bad actors are playing the long game. This specific attack started in 2021 and was discovered before it had any widespread impact. It would have made it into Ubuntu and Fedora releases this month. Ubuntu is delaying 24.04 LTS to sift through everything. For other major distros it would have taken longer (Debian is scheduled to release Trixie in Dec 2025). Arguably you can say it didn't work.

BUT... I would bet that the bad actors didn't invest years of their time in just one library. We found xz, but I wouldn't be surprised if there are others.

-Chad
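[Editor's note: the quoted reply counts kernel subsystems whose maintainer status is "odd fix". That status comes from the S: line of each entry in the MAINTAINERS file at the root of the Linux source tree (values such as Supported, Maintained, Odd Fixes, Orphan, Obsolete). The script below is an added example, not code from the original message or from the Linux project; it parses that file format and tallies the statuses. The sample text embedded in it is constructed in the MAINTAINERS format, not copied from the real file; pass the path of a real MAINTAINERS file as the first argument to get the actual counts.]

```python
"""Tally Linux MAINTAINERS entries by their S: (status) field.

Entry format (as in the kernel's MAINTAINERS file): blank-line separated
blocks, first line is the subsystem title, followed by tag lines such as
  M:  maintainer name and address
  L:  mailing list
  S:  status (Supported, Maintained, Odd Fixes, Orphan, Obsolete)
  F:  files or directories covered
"""
import re
import sys
from collections import Counter

# Constructed sample in MAINTAINERS format (not the real file).
SAMPLE_MAINTAINERS = """\
3C59X NETWORK DRIVER
M:\tExample Person <person@example.org>
L:\tnetdev@vger.kernel.org
S:\tOdd Fixes
F:\tdrivers/net/ethernet/3com/3c59x.c

ACPI
M:\tExample Maintainer <maint@example.org>
L:\tlinux-acpi@vger.kernel.org
S:\tSupported
F:\tdrivers/acpi/

SOME LEGACY DRIVER
S:\tOrphan
F:\tdrivers/legacy/

ANOTHER ODD ONE
M:\tSomeone <someone@example.org>
S:\tOdd Fixes
F:\tdrivers/misc/odd.c

OLD THING
S:\tObsolete
F:\tdrivers/old/
"""

TAG_RE = re.compile(r"^([A-Z]):\s*(.*)$")


def parse_maintainers(text):
    """Return a list of (title, status, maintainers) tuples.

    Blocks without an S: line (e.g. the explanatory preamble of the real
    file) are returned with status None so callers can skip them.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        title = lines[0].strip()
        status = None
        maintainers = []
        for line in lines[1:]:
            m = TAG_RE.match(line)
            if not m:
                continue
            tag, value = m.groups()
            if tag == "S":
                status = value.strip()
            elif tag == "M":
                maintainers.append(value.strip())
        entries.append((title, status, maintainers))
    return entries


def status_counts(text):
    """Count entries per status, ignoring blocks that carry no S: line."""
    return Counter(s for _, s, _ in parse_maintainers(text) if s is not None)


def low_maintenance(text, statuses=("Odd Fixes", "Orphan", "Obsolete")):
    """Titles of subsystems whose status suggests little review capacity."""
    return [t for t, s, _ in parse_maintainers(text) if s in statuses]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAINTAINERS
    for status, n in status_counts(text).most_common():
        print(f"{n:5d}  {status}")
    print("\nLow-maintenance subsystems:")
    for title in low_maintenance(text):
        print("  " + title)
```

Run as `python3 maint_status.py /path/to/linux/MAINTAINERS` to reproduce the count on the real tree; with no argument it runs over the constructed sample.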
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug