What Everyone Missed About The Linux Hack

Published 2024-04-01
The xz exploit pushed the limits of social engineering, code obfuscation, package distribution and more. I'm concerned the important parts aren't being covered, so I decided to do a vid

FOLLOW LOW LEVEL: @LowLevelLearning

This blog post carried the video:
robmensching.com/blog/posts/2024/03/30/a-microcosm…
Follow Rob as well: twitter.com/robmen

Maintainer's blog post: tukaani.org/xz-backdoor/

Diagram: twitter.com/fr0gger_/status/1774342248437813525

S/O Ph4se0n3 for the awesome edit 🙏

All Comments (21)
  • @meschine
    Thanks for highlighting this topic, Theo. We need to do more to support OSS maintainers. I share your feelings of anger and horror for this maintainer: Lasse Collin. While writing my thoughts down, I tried hard to keep most of the anger out of the text, but my keyboard suffered. This is a particularly scary situation, but I worry because it's not uncommon. It needs to change.
  • Imagine finding this exploit only to be called "a random Microsoft engineer"
  • @planetmarshalluk
    Really interesting video, I do think that the developer who discovered the exploit should be given a bit more respect than just "some random guy at Microsoft". They clearly went to a lot of effort and care about the quality of their work.
  • @DarylMetzler
    This attack hit the entire software exploit playbook. Built trust? Check. Socially engineered a situation? Check. Built an elaborate, difficult to detect exploit? Check. Managed to infiltrate a wide scope of possible downstream systems? CHECK! I hope there is recourse against this (these?!) bad actor(s).
  • @embedyt
    This xz stuff is honestly so interesting. Crazy that some guy at Microsoft only found it because he happened to be benchmarking and noticed a 500ms difference in ssh login speed. If he never noticed, we'd probably not know about this until it was way too late.
  • @Lucas-gt8en
    Dude this poor original maintainer. Even when you somehow ignore the chaos and felt responsibility there’s also the fact that somebody that he trusted lied about probably pretty much everything. I’d be genuinely surprised if this was not orchestrated by a state agency of a major country (US, Russia, China, Western EU) but I doubt we’ll ever find out
  • *the biggest discovered exploit Who knows what's out there... genuinely scary stuff
  • @TheMrChugger
    That maintainer needs the world's biggest hug, support and love from everyone in our industry.
  • @CFSworks
    I fully agree that it's unacceptable to be blaming Lasse or how the XZ Utils project has been run, and even from day one I was not seeing any significant deviation from the standard operating procedure. He was doing everything "the right way." But, human nature being what it is, most people are in denial of the fact that the FOSS ecosystem itself is what's vulnerable/targeted here, and they're desperate to fault XZ/Lasse for the attack to maintain that denial: "He screwed up by accepting weird PRs." (He did not, Jia was given full committer access.) "He screwed up by letting the code get overly complex enough for the backdoor's entry point to hide in plain sight." (It wasn't in plain sight, Jia added it manually to the release tarballs.) "The project shouldn't have been releasing curated tarballs, those should come from git-archive automatically." (Perhaps, but this was standard practice, not individual sloppiness.) Don't get me wrong, I think we're going to learn some valuable ways to change the "standard operating procedure" of FOSS to make it more resilient against this kind of thing even in the face of a burned-out maintainer and malicious co-maintainer, but we NEED to have these discussions in the context of the status quo not being good enough, rather than Lasse being not good enough to follow the status quo.
  • @abhishekgoel8251
    Yes, please make a fork if the maintainer is no longer maintaining the project instead of sending rude messages. Sending rude messages helps no one
  • @ernstoud
    0:19 … “Some random Microsoft engineer”. Geez… that is really derogatory. He is a well known Postgres developer.
  • @grandsome1
    We don't celebrate maintainers of all sorts of infrastructure in this world where everyone wants to be a creator. Mad respect for all maintainers around; it's a thankless job.
  • @be1tube
    Every company that uses open source should contribute towards its maintenance - by paying or by employing people to contribute. Open source maintenance for widely used packages should be a well-paid gig.
  • @bobbybyrne1899
    If you work in a company, advocate for time and/or money to be put towards the FOSS tools and libraries the company uses frequently. It's how the open source model is supposed to work. It's also a PR gold mine to show how your company is contributing back in meaningful ways. Helps attract talent as well.
  • @TrimutiusToo
    Lasse is suspended because they suspected that Jia had access to Lasse's account, I would think... Lasse is blameless here, though the account might have been compromised.
  • @CodingGimmic
    Social Engineering hack was Kevin Mitnick's #1 skill when he was wanted and still alive.
  • @frydegz
    the shitting on OSS from a lot of online (even security) influencer types is so weird to me. If OpenSSH were proprietary this would have taken many more months to find (if at all), would probably have been as slow as the backdoored version by default, would hide PAM behind an enterprise feature, and probably find some way to depend on javascript. The only reason this is even a story instead of an ongoing attack campaign is BECAUSE this was in OSS and had numerous checks before being put into a widely deployed LTS release.
  • @Eagledelta3
    I do dislike that some are saying this is a risk unique to OSS. It's NOT. It throws into question the entire trust chain for all software devs. The way the attacker built trust for TWO years can be done in ANY organization
  • @greatcreate82
    I worked at a large crypto exchange with heavy security training... we specifically went over the story of a lone maintainer, too busy, who gets a lifeline by a rock star, who after 6 months adds in his malicious code, to target companies down the chain. Be careful and vet your third party packages, and be wary of the lone solo maintainer.
  • @matytyma
    Nice update: Larhzu is no longer suspended