XZ Backdoor: Timeline and Overview
- added 4 Apr 2024
- Sources:
research.swtch.com/xz-timeline
www.openwall.com/lists/oss-se...
bsky.app/profile/filippo.abys...
arstechnica.com/security/2024...
===============================================
My Website: www.seytonic.com/
Follow me on TWTR: / seytonic
Follow me on INSTA: / jhonti
===============================================
- Entertainment
This is especially sad for the original maintainer since they literally abused his mental health problems to get their malicious code added. Can’t imagine how Lasse is feeling right now.
Right? Absolutely disgusting behavior. This guy deserves an award for maintaining this project for free for so long. Hopefully after this he will get more support.
Just because the maintainer was paranoid didn't mean they weren't after him. People should be serious about their paranoia. The same with depression: just because you are depressed doesn't mean that you are not getting a beating. Outsiders may tell you it can be solved until it happens to themselves. It may be sad, but it may also be a vindication for him. He was gaslighted after all.
@gertjan1710 That's true. Good point. Either way, I think all of this will end up working out for the best. This was a gigantic discovery.
They released the exploited version while Lasse was on holiday too. What a mess.
AND he was on vacation when this happened!
Imagine you create a master plan and slowly take over a repo over 4 years to literally pull off one of the biggest backdoors ever created, and one guy, just testing his SSH and asking himself why his auth took 500 ms longer, destroys everything.
What if the master plan was to degrade public trust in open source OS so people would stick with Win 11 out of fear.
How many millions of systems are Win 10 and in the process of evaluating Ubuntu and Mint as viable alternatives to Win 11?
Look at the timing. Look who discovered the hack. Msft to the rescue ?
What if Jia Tan is MSFT ? How many people will now pay to stick with Win 11 because Linux feels too risky ? Mission accomplished ?
I feel so bad for Lasse :(
Lasse if you happen to read this: we love you and highly appreciate the time and effort you put into xz, stay strong mate!
The bigger question: how many other projects have been targeted and are actively being attacked at this very moment? No chance it was just xz
It is to be suspected within any software development and always has been.
My hope is that this will finally make people take source code auditing more seriously.
Actually, attempting this on numerous other projects would increase the likelihood of discovery. Once you've installed a backdoor, you're already in, so attempting to implement multiple additional backdoors would be counterproductive.
@yuvalamiram5925 I'm talking about the social engineering aspect. Obviously yes, you don't try more than one backdoor at a time. But how many other devs are out there ready to put an exploit in after having worked their mark for years?
I was thinking about the same thing. I believe there will be more attacks like this in the future. They made it clear that no one can be trusted.
apparently, none. case closed
I think you should have said "hack the maintainer's computer", because they absolutely did "hack the maintainer".
Fair point 😂
@Seytonic Lasse is pronounced as "Lussa" :)
@user-qi4bu5vv5c xz isn't a person lmfao
@user-qi4bu5vv5c bro knows nothing about what he's talking about
@user-qi4bu5vv5c I don't think anyone is convinced that you even understand the words you're writing, bud.
All those companies making trillions of dollars off the original maintainer's work, and they won't even pay the guy a minimum wage.
Yeah. This is when too permissive licenses become an issue.
@Splarkszter I see now where Redis is coming from.
The only people prepared to go to such extremes are nation states, possibly ransomware groups, but that's a bit of a stretch. The fact that this was picked up so soon and by pure curiosity is nothing short of a miracle.
Note to self. Don't forget to disable UPnP on your router.
upnp?
"The only people..."
"...but that's a bit of a stretch."
Those two statements are mutually exclusive. If only state actors were willing to go to those lengths, then it would not be a stretch to assume as such. And vice versa, if more people are willing to do that, it would be a stretch to assume any particular bad actor.
Why disable
@anteshell Read the comment again, slowly. It's not a contradiction.
@dachimshvidobadze2286 Now that you mention it, I noticed the comment can be interpreted in two ways. Either the "stretch" refers only to the ransomware group, in which case it would not be contradictory, or it can refer to both the state actor and the ransomware group, in which case it would be.
Both are grammatically correct interpretations and I did the latter initially. But only OP can confirm which one they meant.
Also, considering I seem to know much more about grammar and have better reading comprehension skills than you, you should not throw such insults. That only makes you a fool.
This is by far the clearest explanation of this hack I've ever heard. Thank you for making sense of this!
The Low Level Learning channel actually demonstrated the hack on a live Linux distro including the CA key exchange. It's wild.
@BillAnt Oh! Mahalo for that. I'm headed that way now! Aloha!
imagine how pissed Jia Tan and his pals are. 4 years in the making, busted before the finish line.
I'm sure Xi Jinping is very upset, to be sure.
Problem is, we are just seeing the tip of the iceberg. The same actors that impersonated Jia Tan have already impersonated hundreds of other maintainers. God only knows how many other projects could have been compromised.
@kristoffer8609 Although "Jia Tan" isn't a legit Chinese name, which puts some doubt into whether it's really Chinese state sponsored. Although maybe that's what they want us to think!?!?!?!
@squirlmy Well, it's just a username of course. Anyone could put anything. But yeah, going by the usual suspects, it's likely.
@squirlmy This is actually interesting. Definitely somebody chose a vaguely common overseas-Chinese name that non-Chinese folks are familiar with even if not common inside China, and the bad cop "Jigar Kumar" is another common overseas-Indian name that will be familiar to non-Indian folks even if not common inside India. And no one would think that a Kumar and a Tan are working together, especially outside of cosmopolitan settings.
Let's look at "jiatan". Chinese names are 2 or 3 syllables, and one of them is the surname. Usually the first, which makes "jia" the surname, but it is very common for folks to swap the surname to the back to match English naming convention, so "tan" would be the surname, and we see the GitHub handle being "jiaT75", so the surname is initialised.
But then usually folks with 2-syllable names will just keep it intact as "jiatan" when not required to specify the surname (i.e. legal documents).
And if tan is the surname, then it's not a common mandarin surname - you'd find descendents of 陈 in mainland calling themselves Chen, in HK / overseas as Chan, and in Southeast Asia / Taiwan as Tan. So "tan" is hinting towards south China.
But then, in the Hokkien language (where Tan is a common surname), "jia" is not a valid word. "Chia" is, but then they would not romanize it to "jia", only "chia" or (in TW) "tsia". The equivalent of "jia" in Hokkien is "kway". "Jia" could either be just bad romanization of Hokkien/Min, or a Mandarin name (i.e. the person comes from a region that is now Mandarin-based but culturally Hokkien, something you'd see in Singapore, south/west Malaysia, and Taiwan), so the surname is untouched Hokkien but the Chinese given name is Mandarin.
That being said, I highly doubt that it's actually Chinese or south Chinese. They would not use non-Anglican names outside to blend in (and they aren't super language-purists to stick to their own local names in covert times, or even in normal life), nor would the southern Chinese countries (SEasia/tw) actively engage in offensive tactics - usually these countries tend to defend against attacks and preserve their resources for protection not expansion.
I live in a third-world country. I've been using Linux and open source projects for a long time. Honestly, I've been thinking about donating to open source project maintainers for a long time now, and I did some, but honestly I notice the majority of Linux and open source users don't care about the maintainers at all. There is almost no reliable mechanism to support them. How can you put the blame on a guy doing all he could for a long time and for free, when many times, when they ask for support, they either get none or get negative feedback from some dumb, useless people?
Some just don't care about donations, some have a donation link on the GitHub page, some have a donation link in the compiled version of the software they make, or just have a donation link hidden away (not on their GitHub "about me" page; you have to loop through their socials to get the link to their Ko-fi front (90% of cases)). If more of them just had a donation link on the git repo, it would be much easier, but the vast majority of them are just hidden in links of links of social media. Ain't no one gonna bother going to Twitter to get to your Ko-fi page, just link it on the repo lmao.
Gov or private business should step up and create a fund... Maintainers need to be paid....
@zadekeys2194
True, having some kind of a fund that maintainers can apply for could be really helpful.
@zadekeys2194 lol government? Are you stupid?
@zadekeys2194 Sometimes they get paid by businesses related to their software, like for a FreeBSD maintainer once, and Linus Torvalds gets paid too, but not everyone gets people's attention until a disaster occurs.
I always wondered who's double checking new commits to open-source projects.... seems to be no one in this case. It sounds like we got lucky with the Microsoft engineer finding this. Pretty scary.
Aside from the changes to the build flags, there was no commit to check. The tarball isn't a source file. In this case the most important part of the source wasn't, well, open.
Did not expect to see PewDiePie's chai loving lost cousin here
Ok now what
8:54 They almost had enough patience. They started to pressure OS maintainers to include the latest XZ stable build in their next stable release. I think the deadline just barely passed them by.
Yep, it looks like the attackers sniffed out that a change to libsystemd (which is responsible for sshd needing to link to liblzma in the first place) was coming soon that would render their planned attack vector useless, and so they had to ramp up the pressure to try to get the latest xz utils into distro repos as quick as possible.
Bro, Lasse needs to get some MASSIVE donations to a Patreon or something, considering he has been maintaining the whole internet's compression for more than a decade without any compensation. I'm sure some money might help his mental health. Lasse, you are a god damn superhero and you are appreciated!
This was really well explained, thank you!
been waiting for your video on this topic ❤
This is a great explanatory video! I showed this to someone with absolutely no knowledge about tech and they understood perfectly! Thank you :)
Best explanation of this situation I've found online, thanks!
Whenever something happens in the CyberSec world, I always look forward to your video to pull all the information together! I like to think I "keep my ear to the ground", but I didn't realize how complex the social engineering part was, with many personas on the mailing list! Very much looking forward to a follow-up video if the identity of Jia Tan is ever found (State Actor?!). Keep the videos coming!!
seytonic you've done it again... what a brilliant video :)) thank you!
Really love all your videos!! I've been watching them every release for almost a year now. They are really interesting and educational. Keep them coming and keep up the amazing work!! 👏 🎉 love from Canada 🇨🇦
Great vid! When something like this blows up it's hard to get a good overview of the whole line of events.
Great explanation and video!
Great to see this video out so quickly but still so accurate and informative. Cannot begin to imagine the follow on effect if this was not discovered! People who are rude to Devs have no place on the internet, ban them all!
Absolutely utterly insane what kind of scale this attack has and what kind of effort is behind all of this. Thanks for the great video! ❤
Thanks that was a really good explanation!
Completely explains it all thank you!
The report i was waiting for :D
Great video as always lml
You may not go into the exploit details but it's the best video I've seen about this topic so far! nice
I wonder if this kind of vulnerability is already in released tools, never discovered.
This was my first thought when I heard of this last week. And as an ex nightly-build maintainer in the early 2000s, I am questioning whether Linux distros should adopt a more stringent QA, or be forced to have one by law because of this.
this just made me recheck my version of xz!
I completely forgot about the editing being outsourced when i watched this, the video feels a lot more authentic and similar to the original style - amazing bro
gotta love the ole sudo rm /* -rf
That's dedication right there. Shame it was put to bad use
This was a great breakdown of the whole situation, probably the only one I could share with nontechnical friends for them to understand.
finally video on this topic
whoa hello seytonic
great video
Great video
This is actually the first video I find that gives a good overview of what actually happened in detail
Time to scare myself half to death this early in the AM
100% state actor! And rest assured there are more, many more.
Your channel is underrated, how do you have under a million subs
there should be mass wide checks on every open source project that has maintainership changes, as well as big companies like microsoft checking for anything malicious.
... do you actually understand the scope of what you're asking?
Thanks
Jia Tan is not a single individual: it is a well organized team that engineered this whole thing a long time ago and were just waiting for a way to inoculate some code. Can't wait to find who is really behind all this.
"xz is a dependency of OpenSSH"
No it isn't. OpenSSH depends on systemd which depends on xz. This is a subtle but crucial difference. Systemd makes SSH vulnerable, as long as you are able to mount a supply chain attack on any of the myriad of the libraries systemd depends on. Systemd is the jack of all trades here.
isn't it that openssh by itself doesn't depend on systemd, but some distros decide to patch systemd messages support into openssh by themselves?
@Napert The issue only affects systemd distros, so yes, you are correct. OpenSSH does not require systemd by itself, nor does it require xz.
OpenSSH is currently planning to include independent notify code so it doesn't need to be linked against libsystemd in the future.
I wonder if there is any change to Linux that has caused more problems and wasted more time than systemd?
@Napert yes
thx andres
Excellent coverage of this major issue. This could have been so bad if not spotted. It really does make you wonder who was actually behind it, and why. I'm thinking this was a State. I can see a lot of code auditing happening.
That was discovered by pure luck, imagine what we don't find?
a M$ backdoor? surprisingly the CA certs from NSA in Windows XP? We'll never know for sure (closed source, NDAs etc.)
@seedney Do you mean NSAKEY? That wasn't actually an NSA backdoor, it's a myth.
@Communist-Doge According to who? Dave's Garage? The guy that got sued and taken to court for some spyware program he made? Yeah, real trustworthy.
Seytonic, I liked this video because it's awesome!
petition to bring back the hello world intro 👇
Nice
Might sound like a dumb question, but how can the bad guy here not be tracked with GitHub account? Could GitHub check their logs for ips for that account? Is it possible to use a GitHub account over a tor connection? Is that what the attacker was doing here?
These guys seem to have incredible patience, I don't think they made the great opsec mistake of logging in with their real IP address xd
They did. He used a Singapore VPN and leaked his middle name in a commit ("Cheong", which most believe is actually someone trying to pass off as mainland Chinese, as "Cheong" is only really common as a (Cantonese) middle name in Taiwan), which, in a surprising turn of events, is starting to trace back to either the US gov (most believe this) or North Korea (most are skeptical about that).
@polinskitom2277 Why would the DPRK try to false-flag an attack as being done by one of their only allies?
crazy week for distro maintainers :(
Hmmm.... 🤔 Tip: always be aware of the lowest form of hacking.
Edit: Thank you for the information and keep it up!
insane
not all heroes wear capes, one, for example, wears thermal paste
Damn, good work to the person that found the vulnerability.
How many are out there that haven't gotten caught is the real question.
This is some next level social engineering here.
guys, hear me out: 23 and 24 February are not very random dates. Just by these dates we may suggest the origin of attack
This is a great, understandable overview of the whole XZ situation, thanks! I'll be sharing this as an explainer
dayum, this is pretty recent too
Biggest problem with open source and open society, their open-ness invites certain individuals to use both for their use
Jia Tan is not a name, it's a project; a very expensive project at that.
I bet it is a group behind the three-letter agency.
8:01 what was that noise?
wauw
xz is amazing it compressed a 6gb file to 300mb
It's either NSA or Mossad
...or Russia or Ukraine or China or North Korea
Don't pretend you know
Someone should make a film about it...
looking forward for someone to find a backdoor in CPUs, or NICs... (there's for sure some hardware backdoors out there)...
They already do exist.
"an unpaid hobby project" on which OpenSSH depends. Brilliant. People must be able to make a living off of things that are critical to their own and everybody's livelihood. Open Source must understand it.
LoL, yea, what the hell... and the one person can just pass it on to someone he wants 😂
To a person that he hasn't met?! A person via Tor/VPN.
😂🤦♂️
Sheesh
Thank you so much for this video. Every video so far has been clickbaity and focused on the payload itself, which is kinda boring (just a public key that enables login with a specific certificate), and some went as far as explaining what asymmetric crypto is, etc., which we as Linux hackers (in the good sense) already know. You went where people didn't go: the true hacking that was the social engineering behind the attack.
Does someone know which ip addresses were used by Jia? VPN? Tor?
They used WiTopia VPN at least while using IRC.
singapore vpn
@_-_-_-_-_-_-_- Prob the best advertisement for that VPN. Even the feds use it.
He used WiTopia VPN with a Singaporean server/IP, when connecting to IRC at least. It's unknown what IPs he used elsewhere.
HELLO!
Hellooo😊
As sad as this is there's so much to learn from it.
Considering the date they acted - Feb 24 - the rest should be relatively clear
Fdroid says they had a similar attempt.
I doubt I'm not the only one to have noticed Dennis Ens is so close to DNS. Another sock puppet account?
The fact that a Microsoft employee saved a massive Linux disaster, by accident
Ironically, Windows is plagued by backdoors hahaha.
Unticking these safeguard functions already should set off an alarm in the base code. This is the vulnerability; code guys should have given it a go 10 years ago.
Wow, the bad cop / good cop is Twitter all day with sock puppets.
fr
Balls
Dude was planning for so long and was playing 3D chess, but played one wrong move.
damn
Shit, i'm on arch
I updated it to a safe version when i heard about the exploit.
This is all nice and good, but how many other projects have snakes in the grass like this one? I would say this is a wake-up call to all open source projects, but remember Log4j.
uh oh..
before letting anyone contribute to a project they should have a face
On one side the infiltration is genius. On the other side, they spent 3 years for 15 minutes of fame. Brilliant find 🙂
Something tells me this backdoor was more for a media gimmick than a threat
must be schizophrenia
Free open source cookies
with free open source cola
Prime example of why you just tell everyone to fuck off, I think
Z is zet!
The system worked
I think you must be the first Brit I've heard who pronounces Z as "zee". XD
This is caused by shameless big tech taking advantage of a dedicated maintainer and the vulnerabilities of that: these companies making huge profits while this guy was not even being paid.