Linux security issue

polycrac

Rising Star
I don't even fully understand this myself and am not a Linux user, but it came up in a Reddit thread I usually follow and I hadn't seen it mentioned here. Apologies if this post is in the wrong place, or if linking to Reddit isn't appropriate; I liked the way this user set out the info and thought it best to highlight it without mangling it all by trying to put it in my own words:
 

SpyderTracks

We love you Ukraine
It was a bit lucky though, I mean it shows the strength of the Linux community as a whole, because the guy that found the backdoor said he only stumbled onto it by accident but that it was incredibly sophisticated. Had it been someone else, it's quite possible it would have been missed.

But can you imagine any of the big guys responding to a zero-day that quickly? Would literally never happen, takes a good 6 months, and they wouldn't publicise it until late on either, whereas Red Hat came forward immediately.

You gotta love open source.
 

SpyderTracks

We love you Ukraine
The question does hugely arise though: why would a long-time respected GNU developer willingly and knowingly write an obviously extremely well thought out backdoor into some of the most respected open source projects on the planet? He's completely ruined his entire body of work and I'm sure will be struck off the GNU dev channels.

And if you think that doesn't carry too many penalties as it's open source, so free, I was working on a government contract for a major MSP, and they were paying Red Hat solution architects £800 PER DAY, and for long contracts as well; that's a cool 200k per year.

The only answer I can come up with is that he was paid off by state sponsors of somewhere.

I don't know what happens from here, but would imagine there would have to be some form of investigation, as the potential damage this could have caused in major business operations globally could have been absolutely ginormous.

Almost any web server is running on Linux, and that's unlikely to change given just how stable it is for that purpose. Amazon Web Services, which Amazon, Apple and loads of others (about 30% of cloud operations) all rely on for cloud operations, is all done on Linux platforms. And even in Microsoft Azure, a lot of infrastructure is running on Linux for legacy applications or modern ones that just suit Linux better.
 

HomerJ

Prolific Poster
The only answer I can come up with is that he was paid off by state sponsors of somewhere.


That's what's been speculated on Reddit:

  • The malicious code was inserted by one of the library's maintainers, an account on GitHub using the name Jai Tan.
  • It's not clear if Jai Tan is a real person or a sock puppet. There are no apparent matches on social media.
  • The account was created approximately 2.5 years ago, and committed many ordinary bug fixes to gain trust and eventually maintainer privileges.
  • The account updated the attack multiple times with apparent improvements.
  • Due to the sophistication of the attack and the long-time commitment, many are speculating this is state sponsored.
 

SpyderTracks

We love you Ukraine
That's what's been speculated on Reddit:

  • The malicious code was inserted by one of the library's maintainers, an account on GitHub using the name Jai Tan.
  • It's not clear if Jai Tan is a real person or a sock puppet. There are no apparent matches on social media.
  • The account was created approximately 2.5 years ago, and committed many ordinary bug fixes to gain trust and eventually maintainer privileges.
  • The account updated the attack multiple times with apparent improvements.
  • Due to the sophistication of the attack and the long-time commitment, many are speculating this is state sponsored.
There needs to be an investigation.

Firstly, to find out who the dev is.

Secondly, to find out who wrote the code.
 

SpyderTracks

We love you Ukraine
I'm not anti-Chinese in any respect whatsoever; I have never believed a government dictates what its public is like.

But China have recently said that they're banning any use of western OS and hardware for Chinese businesses, and they're moving everything over to some state fork of Ubuntu.



I do wonder if the two may be related. The timing just seems suspicious.

It could be anyone though of course.
 

HomerJ

Prolific Poster
I'm not anti-Chinese in any respect whatsoever; I have never believed a government dictates what its public is like.

But China have recently said that they're banning any use of western OS and hardware for Chinese businesses, and they're moving everything over to some state fork of Ubuntu.



I do wonder if the two may be related. The timing just seems suspicious.

It could be anyone though of course.

How likely would it be for a state hacker to be employed by any tech business and for them to slip code into a program?
 

SpyderTracks

We love you Ukraine
How likely would it be for a state hacker to be employed by any tech business and for them to slip code into a program?
Does happen. But normally any code would be proofread, either by some kind of oversight body or, nowadays, AI; AI is embedded in GitHub, where all the Microsoft repos are created, and constantly scans for malicious code.
 