Matrix, the open protocol for secure decentralised communications
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
XZ Utils, a Linux open-source utility, nearly created a massive cybersecurity software supply chain incident until the malicious code was detected.
The cybersecurity world got really lucky last week. An intentionally placed backdoor in XZ Utils, an open-source compression utility, was discovered more or less by accident by a Microsoft engineer—weeks before it would have been incorporated into both Debian and Red Hat Linux. From Ars Technica: Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software functions. The backdoor manipulated sshd, the executable file used to make remote SSH connections. Anyone in possession of a predetermined encryption key could stash any code of their choice in an SSH login certificate, upload it, and execute it on the backdoored device. No one has actually seen code uploaded, so it’s not known what code the attacker planned to run. In theory, the code could allow for just about anything, including stealing encryption keys or installing malware...
Xz Utils gets nailed by a supply-chain attack almost exactly a decade after Heartbleed highlighted similar structural weaknesses in the FOSS ecosystem.
Malicious code was pushed to the libxz-utils project that introduced a backdoor in SSH. Here's how to find potentially vulnerable systems.
Andy rises from the ashes of his dead startup and discusses what happened in 2024 in the database game.
Mark Percival - Professional typist, man about town, person of interest
A dive into the security risks of using third-party dependencies in front-end projects.
At Tweede golf we are convinced that if software is written in Rust, it will be more robust (compared to legacy languages such as C, C++ or Java), and more efficient (compared to code written in P ...
Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it...
Your one-stop shop to understand all the core ideas of AI and AI safety!
A few days ago a significant supply chain attack attempt was accidentally revealed – the xz utility was compromised, likely by a nation state, in order to plant a backdoor.
Links to analysis, discussion and more related to the xz/liblzma compromise (CVE-2024-3094).
Burnout is affecting the entire Open Source ecosystem. Here's what we could do to make things better.
Software development in a globalized, hostile world.
Ryan Castellucci’s blog - posts on computer security, programming, systems administration, electronics and general geekery
Your one-stop-shop to understand all the core ideas of AI & AI Safety!
173: Mocking and Unit Tests. Intro topic: Headphones. News/Links:
Last week, a backdoor was discovered in xz-utils. The backdoor processes commands sent using RSA public keys as a covert channel. In order to prevent anyone else from using the backdoor, the threat…
My son’s swim meet is coming up. If he’s healthy, he’ll compete. My daughter’s hockey team has a game coming up. League rules say they must forfeit if they have fewer than 10 players. There’s only 10 girls on the roster so they need everyone
Free and open source software has become a modern commons, but now it's vulnerable. Freedom isn't sufficient to secure it for the future.